White Paper: The All New 2010 Intel® Core™ vPro™ Processor Family: Intelligence that Adapts to Your Needs
Communication outside the corporate firewall
Laptops and desktop PCs with a new Intel Core vPro processor support secure communication in an open wired or wireless LAN – outside the corporate firewall. This capability allows the PC to initiate communication with a remote management console through a secured tunnel for inventories, diagnostics, repair, updates, and alert reporting. IT managers now have critical maintenance and management capabilities for PCs in satellite offices, outside the corporate firewall, and in locations that don’t have an onsite proxy server or management appliance, such as at a small business client’s remote location. Now, IT managers can:
• Securely update and service PCs, via a prescheduled maintenance time when the PC initiates a secure connection to the IT console. This capability is available even when the system is outside the corporate firewall.
• Hotkey auto-connection to IT console, so a user can quickly connect
the PC to the IT console for help or system servicing.
The PC-initiated communications capability works through the use of
an Intel vPro technology-enabled gateway in the DMZ (demilitarized
zone) that exists between the corporate and client firewalls (see
Figure 2). System configuration information in the PC includes the
name(s) of appropriate management servers for the company. The
gateway uses that information to help authenticate the PC. The
gateway then mediates communication between the PC and the
company’s management servers during the repair or update session.
Communicate remotely with wired or wireless PCs
Once Intel vPro technology is activated, an authorized IT technician can
communicate with PCs with a new 2010 Intel Core vPro processor:
• Wired AC-powered PC – anytime. Even if hardware (such as a hard drive) has failed, the OS is unresponsive, the PC is powered off, or its management agents are missing, the communication channel is still available. As long as the system is plugged into a wired LAN and connected to an AC power source, the channel is available to authorized technicians.
• Wireless laptop on battery power – anytime the system is awake and
connected to the corporate network, even if the OS is unresponsive.
• Wired, connected to the corporate network over a host OS-based
VPN – anytime the system is awake and working properly.
PC-initiated secure communication
PC-initiated secure communication is a new capability that allows a PC
to initiate its own secure communication tunnel back to an authorized
server. For example, the PC Alarm Clock feature allows IT to schedule
the PC to wake itself – even from a powered down state. The PC can
then use other hardware-based capabilities to call “home” to look for
updates or initiate other maintenance or service tasks. Because of
authentication protocols, this communication capability relies on
collaboration with the industry to establish secure gateways for
client-initiated communication.
Figure 2 (diagram):
1. A laptop or desktop PC with a new 2010 Intel® Core™ vPro™ processor initiates a remote access connection to the Intel vPro technology-enabled gateway.
2. The Intel® vPro™ technology-enabled gateway authenticates the PC and sends the connection event to the management console.
3. The management console opens a secure tunnel and mediates communication with the PC for updates or diagnostics and repair.
The secure tunnel for communication outside the corporate firewall passes through the DMZ (demilitarized zone) between the two firewalls.
Figure 2. Communication to PCs outside the corporate firewall is secured via TLS. An Intel® vPro™ technology-enabled gateway authenticates wired
and wireless PCs, opens a secure TLS tunnel between the management console and PC, and mediates communication.
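Steps 1 to 3 of Figure 2, as an added example that is not Intel's code and not part of the original white paper: a Go program using the standard crypto/tls package to model the client-initiated flow with mutual TLS. The PC dials only a name on its provisioned server list, checks the gateway's certificate against the enterprise CA and that name, and presents its own certificate; the gateway admits only PCs whose certificate chains to that CA, reports a connection event, and relays the session to a (simulated) console. The gateway name gateway.example.com, the PC identity pc-0001, the in-memory demo PKI and the request/reply text are assumptions for the demonstration. The paper says only that the tunnel is TLS and does not describe how the gateway authenticates the PC, so certificate-based client authentication here is one reasonable choice, not Intel's mechanism.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names; the white paper names no hosts. ConfiguredServers stands in
// for the management-server name(s) provisioned into the PC.
const gatewayName = "gateway.example.com"

var ConfiguredServers = map[string]bool{gatewayName: true}

// issue makes a key and a certificate for cn (optional DNS SANs), signed by parent,
// or self-signed when parent is nil. Throwaway demo PKI, in memory only.
func issue(serial int64, cn string, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}, cert, key
}

// CallHome is step 1 of Figure 2: the PC dials out, but only to a name on its configured
// list, and only if the gateway proves that name with a certificate from the enterprise CA.
func CallHome(addr, serverName string, roots *x509.CertPool, pcCert tls.Certificate, request string) (string, error) {
	if !ConfiguredServers[serverName] {
		return "", fmt.Errorf("%q is not a configured management server; not connecting", serverName)
	}
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName: serverName, RootCAs: roots, Certificates: []tls.Certificate{pcCert}, // name checked against the gateway cert's SANs
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := fmt.Fprintln(conn, request); err != nil {
		return "", err
	}
	return bufio.NewReader(conn).ReadString('\n')
}

// RunScenario builds a throwaway PKI, runs a gateway whose certificate names gatewayCertName,
// and has the PC (enterprise-CA cert, or a self-signed one if !trustedPC) call home to dialName.
func RunScenario(gatewayCertName, dialName string, trustedPC bool, request string) (event, reply string, err error) {
	_, ca, caKey := issue(1, "Demo Enterprise CA", nil, nil, nil)
	gwCert, _, _ := issue(2, gatewayCertName, []string{gatewayCertName}, ca, caKey)
	pcCert, _, _ := issue(3, "pc-0001", nil, ca, caKey)
	if !trustedPC {
		pcCert, _, _ = issue(4, "pc-0001", nil, nil, nil) // self-signed: unknown to the gateway
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Gateway, steps 2 and 3: require a client cert from the enterprise CA, report the event, relay the request.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gwCert}, ClientCAs: roots, ClientAuth: tls.RequireAndVerifyClientCert,
	})
	if err != nil {
		return "", "", err
	}
	events := make(chan string, 1)
	go func() {
		defer close(events) // a closed, empty channel yields "" below: no PC was authenticated
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			return // client certificate missing or not from the enterprise CA
		}
		pc := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		events <- "connect:" + pc
		if req, err := bufio.NewReader(tc).ReadString('\n'); err == nil {
			fmt.Fprintf(tc, "console->%s: ack %s", pc, req) // simulated console reply; req keeps its newline
		}
	}()
	reply, err = CallHome(ln.Addr().String(), dialName, roots, pcCert, request)
	ln.Close() // unblocks Accept if the PC never dialled
	event = <-events
	return event, reply, err
}

func main() {
	fmt.Println(RunScenario(gatewayName, gatewayName, true, "inventory"))
}
```

Run with `go run`, it prints the connection event and the mediated reply for the happy path. Giving RunScenario a gateway certificate issued for a different name, a server name not on the configured list, or a PC with a self-signed certificate each ends with no connection event and an error on the PC side, which is the behaviour a practitioner should confirm before trusting any client-initiated tunnel through a DMZ.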