Intel® Endpoint Management Assistant (Intel® EMA)

Web Deployment Guide

Intel® Version 1.3.2

October 2019

Legal Disclaimer

No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.

Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Intel does not assume any liability for lost or stolen data or systems or any damages resulting from such losses. Check with your system manufacturer or retailer or learn more at http://www.intel.com/technology/vpro.

Intel, Intel vPro, Intel EMA, Intel AMT, and the Intel logo, are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright © 2019 Intel Corporation.

Contents

1 Introduction
2 Amazon* Web Services (AWS) Deployment
2.1 Architecture
2.2 Components and configuration
3 Microsoft* Azure* Deployment
3.1 Architecture
3.2 Components and configuration
4 Google Cloud Platform* (GCP) Deployment
4.1 Architecture
4.2 Components and configuration

Intel® EMA Web Deployment Guide – October 2019 1

1 Introduction

This document describes the architecture and components that can be used to deploy Intel® EMA into the public cloud using Google* Cloud Platform, Amazon* Web Services, or Microsoft* Azure.

There are also optional components included in case you want to use your existing on-premises Active Directory to provide user authentication. While there are multiple ways to extend AD to the cloud, we’ve chosen one method for each cloud with the goal of simplicity and using managed services when possible.

2 Amazon* Web Services (AWS) Deployment

This section provides information on deploying Intel® EMA in an Amazon* Web Services environment.

2.1 Architecture

Figure 2-1 shows the AWS architecture without Active Directory authentication.

Figure 2-1

Figure 2-2 shows the architecture with Active Directory authentication.

Figure 2-2

2.2 Components and configuration

1. Obtain an SSL/TLS certificate for the web server. You can use the AWS Certificate Manager to request a certificate. Validating ownership of the domain is straightforward if you are hosting your domain in AWS Route 53.

2. Create a resource group to keep your Intel® EMA-related resources organized. We recommend that you define a specific key-value tag for all of your Intel EMA-related resources so that you can track them with a resource group and also use that tag for cost reporting.

3. Create a Virtual Private Cloud network with two subnets located in different availability zones.

4. After the wizard completes, go back to the route table that was created and explicitly associate your second subnet with the route table that has the Internet gateway attached, which you can see from the Routes tab of the route table.

5. (For AD integration) Create a VPN to connect to your on-premises network to provide connectivity to your domain controllers. Create a Customer Gateway to represent the remote (on-prem) end of the VPN.

6. Create a Virtual Private Gateway to provide routing between the VPN and your VPC.

7. Attach the Virtual Private Gateway to your VPC.

8. Create a VPN connection, selecting the new Customer Gateway and VPG. Select the Static routing option and enter the networks that are available through the VPN connection. This should include your on-premises domain controllers. You can let Amazon generate your tunnel addresses and keys.

9. Download the VPN connection configuration to help configure the other side. Go to your VPC route table and enable route propagation, so that the routes associated with the VPN connection are available to your VPC network.

10. (For AD integration) Create an AD Connector resource to act as a proxy to your on-prem AD. Select AD Connector as your directory type.

11. Choose the directory size appropriate for the number of objects you need to support.

12. Choose your VPC and the two different subnets.

13. Enter the information for the on-premises directory that you will connect to.

Note: A service account is required. The prerequisites are fully described in the documentation links provided below.

For further information see the documentation for AD Connector and its prerequisites.

• https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html

• https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/

• https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html

• https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_best_practices.html

14. (For AD integration) Create a DHCP Options set and associate it with your VPC so that virtual machines will receive the proper DNS servers and domain name.

15. Provide the Active Directory domain name and DNS servers. Other parameters are optional.

16. Go to your VPC and associate the DHCP options set with it.

17. Create a security group for access to the Intel® EMA server.

18. Set your Inbound Rules for the security group:

• TCP/443 (HTTPS), Source: <web traffic source>

• TCP/3389 (RDP), Source: <RDP traffic source>

• TCP/8080 (agent), Source: <agent traffic source>

• TCP/8084 (websocket), Source: <web traffic source>

19. Create a security group for access to the database.

20. Set your Inbound Rules:

• Port 1433, Source: the Intel® EMA server security group ID.
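Before entering steps 17 through 20 in the console, it is worth checking the rule set as data. The following Python is an added example and is not part of the Intel guide: it models the two security groups, lints them against the rules above (the database group must admit TCP/1433 only from the Intel® EMA server security group, and RDP must not be open to the whole Internet), answers whether a given source would be admitted, and prints the equivalent `aws ec2 authorize-security-group-ingress` commands for review. The CIDRs and sg- identifiers in it are constructed placeholders.

```python
# Added example, not part of the Intel EMA guide: model and lint the two AWS
# security groups from steps 17-20 before creating them. CIDRs and sg- ids in
# the demo at the bottom are constructed placeholders.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    port: int      # TCP port
    source: str    # IPv4/IPv6 CIDR, or a security group id ("sg-...")
    label: str


# Inbound ports the guide opens on the Intel EMA server group (step 18).
EMA_PORTS = {443: "HTTPS", 3389: "RDP", 8080: "agent", 8084: "websocket"}
ANY = ("0.0.0.0/0", "::/0")


def ema_server_rules(web_src, rdp_src, agent_src):
    """Inbound rules for the Intel EMA server security group, as listed in step 18."""
    return [
        Rule(443, web_src, "HTTPS"),
        Rule(3389, rdp_src, "RDP"),
        Rule(8080, agent_src, "agent"),
        Rule(8084, web_src, "websocket"),
    ]


def database_rules(ema_sg_id):
    """Inbound rule for the database group (step 20): TCP/1433 from the EMA server group only."""
    return [Rule(1433, ema_sg_id, "SQL Server")]


def lint_ema_rules(rules):
    """Findings for the server group; an empty list means it matches the guide."""
    findings = []
    for r in rules:
        if r.port not in EMA_PORTS:
            findings.append(f"unexpected port TCP/{r.port} from {r.source}")
        if r.port == 3389 and r.source in ANY:
            findings.append("RDP (TCP/3389) is open to the whole Internet")
    for port, label in EMA_PORTS.items():
        if not any(r.port == port for r in rules):
            findings.append(f"missing rule for TCP/{port} ({label})")
    return findings


def lint_db_rules(rules):
    """The database group must admit TCP/1433 only, and only from a security group."""
    findings = []
    for r in rules:
        if r.port != 1433:
            findings.append(f"unexpected port TCP/{r.port} on the database group")
        if not r.source.startswith("sg-"):
            findings.append(f"TCP/{r.port} allowed from CIDR {r.source} "
                            "instead of the EMA server security group")
    return findings


def allows(rules, port, src_ip=None, src_sg=None):
    """True if some rule admits TCP traffic to `port` from this IP or security group."""
    for r in rules:
        if r.port != port:
            continue
        if r.source.startswith("sg-"):
            if src_sg == r.source:
                return True
        elif src_ip is not None:
            # ip_network.__contains__ is False across IP versions, so a v6 client
            # is never admitted by a v4-only CIDR such as 0.0.0.0/0.
            if ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.source, strict=False):
                return True
    return False


def to_cli(group_id, rules):
    """Equivalent `aws ec2 authorize-security-group-ingress` calls, for review."""
    cmds = []
    for r in rules:
        if r.source.startswith("sg-"):
            perm = (f"IpProtocol=tcp,FromPort={r.port},ToPort={r.port},"
                    f"UserIdGroupPairs=[{{GroupId={r.source}}}]")
        else:
            v6 = ":" in r.source
            key, cidr_key = ("Ipv6Ranges", "CidrIpv6") if v6 else ("IpRanges", "CidrIp")
            perm = (f"IpProtocol=tcp,FromPort={r.port},ToPort={r.port},"
                    f"{key}=[{{{cidr_key}={r.source},Description='{r.label}'}}]")
        cmds.append(f'aws ec2 authorize-security-group-ingress --group-id {group_id} '
                    f'--ip-permissions "{perm}"')
    return cmds


if __name__ == "__main__":
    # Constructed placeholders: replace with your own sources and group ids.
    server = ema_server_rules("203.0.113.0/24", "198.51.100.5/32", "0.0.0.0/0")
    db = database_rules("sg-0ema00000000000")
    print("server findings:", lint_ema_rules(server) or "none")
    print("database findings:", lint_db_rules(db) or "none")
    for cmd in to_cli("sg-0ema00000000000", server) + to_cli("sg-0db000000000000", db):
        print(cmd)
```

Run it with your own `<web traffic source>`, `<RDP traffic source>` and `<agent traffic source>` values; an empty findings list for both groups means the rules match what the guide prescribes, and the printed commands show exactly what will be authorized.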

21. Create an EC2 virtual machine instance for the Intel® EMA server.

22. Assign a public IP address unless you have VPN access to your VPC.

23. Attach the Intel® EMA server security group.

24. (For AD integration) When you are configuring the instance, use the Domain join option to have the VM automatically joined to your AD domain.

25. Create a Database Subnet Group associated with both of the subnets you created.

26. Create a Relational Database Service (RDS) instance.

• SQL Server Standard Edition

• Single availability zone deployment

• Select DB engine version: SQL Server 2016 13.00.5216.0.v1

• Set Storage type to General Purpose for better cost since high I/O throughput is not needed.

27. Use the DB subnet group created in the previous step. Attach the database security group.

28. Create a DNS record pointing to the Intel® EMA server’s public IP address.

3 Microsoft* Azure* Deployment

This section provides information on deploying Intel® EMA in a Microsoft* Azure* environment.

3.1 Architecture

Figure 3-1 shows the Azure architecture without Active Directory authentication.

Figure 3-1

Figure 3-2 shows the architecture with Active Directory authentication.

Figure 3-2

3.2 Components and configuration

1. Obtain an SSL/TLS certificate for the web server. Create a resource group to keep your Intel® EMA-related resources organized.

2. Create a Virtual Network with one subnet, which should have the Microsoft.Sql service endpoint enabled if you are not using a Windows+SQL VM image.

3. (For AD integration) Create an Azure AD Domain Services (AADDS) resource so that your virtual machine(s) can join the AD domain. During this process you will need to create a dedicated subnet for AADDS.

4. Add a user from your Azure Active Directory that will have privileges to administer this managed domain.

5. It may take an hour or more to complete setup. Once that is done, you’ll want to update the DNS server settings for your virtual network to use the AD DS server IP addresses.

For further reading on AD DS, see:

• https://docs.microsoft.com/en-us/azure/active-directory-domain-services/

• https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-comparison

6. (For AD integration) Deploy AD Connect to your on-premises environment in order to sync your users and password hashes to your Azure Active Directory.

• Download and install the AD Connect software to a domain-joined server on your network. For our example, we used Express Settings.

• There are other options that may be of interest to you in a custom install, so read the links provided below for a fuller understanding of the options that are available.

• Enter your credentials for Azure AD and Azure AD DS.

• Ensure that your domain name matches a custom domain that you have previously added and verified in Azure AD.

7. If you select “Start the synchronization process…” on the Ready to Configure screen, a background sync on a 30-minute timer will be started once configuration completes. Read the Microsoft documentation for more information on how this works.

• Azure AD Connect download location: https://www.microsoft.com/en-us/download/details.aspx?id=47594

• Azure AD Connect prerequisites: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites

• Further reading: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis

8. Create an Application Security Group (ASG) that will be associated to the Intel® EMA server VM.

9. Create a Network Security Group for access to the Intel® EMA server.

Inbound security rules

• TCP/443 (HTTPS), source: <web traffic source>, destination: <EMA server ASG>

• TCP/8084 (websocket), source: <web traffic source>, destination: <EMA server ASG>

• TCP/8080 (agent), source: <agent traffic source>, destination: <EMA server ASG>

• TCP/3389 (RDP), source: <RDP traffic source>, destination: <EMA server ASG>

• A final deny-all rule with a higher priority (a lower priority number) than the default security rules.
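The order of these rules matters because Azure evaluates inbound rules from the lowest priority number upward and stops at the first match, and every NSG carries the default rules AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500). The following Python is an added example, not part of the Intel guide: it reproduces that evaluation for the rule set in step 9 and shows what the final deny-all changes. Without it, any other VM in the virtual network reaches the Intel® EMA server on every port through AllowVnetInBound; with it, only the four listed ports from their listed sources get through. The priority numbers, the VNet range and the addresses are constructed placeholders, and the ASG destination is left out since every rule uses the same one.

```python
# Added example, not part of the Intel EMA guide: evaluate an Azure NSG the way
# the platform does (lowest priority number first, first match wins) to show
# what the custom deny-all in step 9 changes. The priorities, the VNet range and
# the addresses below are constructed placeholders.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class NsgRule:
    priority: int   # custom rules use 100-4096; a lower number is evaluated first
    name: str
    access: str     # "Allow" or "Deny"
    port: str       # destination port as a string, or "*"
    source: str     # CIDR, or the service tags "VirtualNetwork" / "AzureLoadBalancer" / "*"


# Azure adds these inbound rules to every NSG; they cannot be removed, only outranked.
DEFAULT_INBOUND = [
    NsgRule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork"),
    NsgRule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer"),
    NsgRule(65500, "DenyAllInBound", "Deny", "*", "*"),
]

VNET = ipaddress.ip_network("10.10.0.0/16")        # constructed VNet address space
LB_PROBE = ipaddress.ip_address("168.63.129.16")    # Azure's load balancer health-probe source


def ema_inbound_rules(web_src, agent_src, rdp_src, deny_all=True):
    """Custom rules from step 9. All target the EMA server ASG, so the destination is omitted."""
    rules = [
        NsgRule(100, "AllowHttps", "Allow", "443", web_src),
        NsgRule(110, "AllowWebsocket", "Allow", "8084", web_src),
        NsgRule(120, "AllowAgent", "Allow", "8080", agent_src),
        NsgRule(130, "AllowRdp", "Allow", "3389", rdp_src),
    ]
    if deny_all:
        # 4096 is the lowest custom priority, still ahead of every default rule.
        rules.append(NsgRule(4096, "DenyAllCustom", "Deny", "*", "*"))
    return rules


def _source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "AzureLoadBalancer":
        return ip == LB_PROBE
    return ip in ipaddress.ip_network(rule_source, strict=False)


def evaluate(custom_rules, port, src_ip):
    """(name, access) of the first matching rule, custom and default rules merged by priority."""
    for r in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.port in ("*", str(port)) and _source_matches(r.source, src_ip):
            return r.name, r.access
    return "DenyAllInBound", "Deny"   # not reached: the default deny-all matches everything


def is_allowed(custom_rules, port, src_ip):
    return evaluate(custom_rules, port, src_ip)[1] == "Allow"


if __name__ == "__main__":
    web, agent, rdp = "203.0.113.0/24", "0.0.0.0/0", "198.51.100.5/32"   # constructed
    neighbour = "10.10.5.4"   # another VM in the same VNet, constructed
    for port in (443, 1433, 3389):
        with_deny = evaluate(ema_inbound_rules(web, agent, rdp), port, neighbour)
        without = evaluate(ema_inbound_rules(web, agent, rdp, deny_all=False), port, neighbour)
        print(f"TCP/{port} from {neighbour}: with deny-all -> {with_deny}, without -> {without}")
```

One consequence worth noticing in the output: a source of 0.0.0.0/0 on the agent rule admits VNet neighbours on TCP/8080 as well, deny-all or not, so the `<agent traffic source>` placeholder is the one that most deserves a narrower value.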

10. Attach this security group to the Intel® EMA server subnet after creation.

11. Create a SQL Server (logical server).

Note: This will be reachable as hostname <serverName>.database.windows.net.

12. Create a SQL Database (managed instance).

Notes:

• We recommend that you pre-define a blank database so that you can configure non-default compute and storage options, which would otherwise be set to minimum values if the Intel® EMA database is created dynamically.

• Databases are automatically replicated within the same data center for high availability.

13. Create a Virtual Machine instance for the Intel® EMA server.

14. Create a DNS record pointing to the Intel® EMA server’s public IP address.

4 Google Cloud Platform* (GCP) Deployment

This section provides information on deploying Intel® EMA in a Google Cloud Platform* (GCP) environment.

4.1 Architecture

Figure 4-1 shows the GCP architecture without Active Directory authentication.

Figure 4-1

Figure 4-2 shows the GCP architecture with Active Directory authentication.

Figure 4-2

4.2 Components and configuration

1. Obtain an SSL/TLS certificate for the web server.

2. Create a Virtual Private Cloud network with one subnet.

3. (For AD integration) Create a VPN to your on-premises network so that you can manually configure your VMs to join the domain. GCP provides no built-in services for AD.

4. Create Firewall rules that will be applied to your VM to allow access.

• TCP/3389, target: <RDP tag>, source: <RDP traffic source>

• TCP/443, 8084, target: <EMA server tag>, source: <web traffic source>

• TCP/8080, target: <EMA server tag>, source: <agent traffic source>
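A GCP firewall rule applies to an instance only when one of the rule's target tags is set on that instance, so the network tags you set on the VM (step 7) decide which of these three rules take effect. The following Python is an added example, not part of the Intel guide: it models the rules, reports which ports an instance exposes to a given source, flags a target tag the instance lacks (a rule whose tag is missing silently does nothing for it), and prints the equivalent `gcloud compute firewall-rules create` commands for review. Tag names, CIDRs and the network name are constructed placeholders.

```python
# Added example, not part of the Intel EMA guide: model the GCP firewall rules
# from step 4, which are applied to an instance by network tag, and check what
# an instance with the tags from step 7 actually exposes. Tag names, CIDRs and
# the network name are constructed placeholders.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class FirewallRule:
    name: str
    ports: tuple           # TCP ports allowed
    target_tags: tuple     # instances carrying any of these tags get the rule
    source_ranges: tuple   # CIDRs the traffic may come from


def ema_firewall_rules(rdp_src, web_src, agent_src, rdp_tag="ema-rdp", server_tag="ema-server"):
    """The three ingress rules of step 4 (tag names are placeholders)."""
    return [
        FirewallRule("allow-rdp", (3389,), (rdp_tag,), (rdp_src,)),
        FirewallRule("allow-ema-web", (443, 8084), (server_tag,), (web_src,)),
        FirewallRule("allow-ema-agent", (8080,), (server_tag,), (agent_src,)),
    ]


def applicable_rules(rules, instance_tags):
    """GCP applies a tagged rule to an instance only when they share a target tag."""
    tags = set(instance_tags)
    return [r for r in rules if tags & set(r.target_tags)]


def exposed_ports(rules, instance_tags, src_ip):
    """Sorted TCP ports that `src_ip` can reach on an instance with these tags."""
    ip = ipaddress.ip_address(src_ip)
    ports = set()
    for r in applicable_rules(rules, instance_tags):
        if any(ip in ipaddress.ip_network(c, strict=False) for c in r.source_ranges):
            ports.update(r.ports)
    return sorted(ports)


def missing_tags(rules, instance_tags):
    """Target tags the instance lacks: those rules silently do nothing for it."""
    return sorted({t for r in rules for t in r.target_tags} - set(instance_tags))


def to_gcloud(rules, network="ema-vpc"):
    """Equivalent `gcloud compute firewall-rules create` commands, for review."""
    cmds = []
    for r in rules:
        specs = ",".join(f"tcp:{p}" for p in r.ports)
        cmds.append(f"gcloud compute firewall-rules create {r.name} --network={network} "
                    f"--direction=INGRESS --action=ALLOW --rules={specs} "
                    f"--target-tags={','.join(r.target_tags)} "
                    f"--source-ranges={','.join(r.source_ranges)}")
    return cmds


if __name__ == "__main__":
    rules = ema_firewall_rules("198.51.100.5/32", "203.0.113.0/24", "0.0.0.0/0")  # constructed
    for tags in (("ema-rdp", "ema-server"), ("ema-server",)):
        print(tags, "missing:", missing_tags(rules, tags) or "none",
              "from 198.51.100.5:", exposed_ports(rules, tags, "198.51.100.5"))
    for cmd in to_gcloud(rules):
        print(cmd)
```

The `missing_tags` check is the one to run after step 7: an instance tagged only `<EMA server tag>` gets no RDP rule at all, which is the intended state once the VM no longer needs interactive access.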

5. Create a Compute Engine instance for the server running Intel® EMA and SQL.

6. Use Boot Disk Application Image: SQL Server 2016 Standard on Windows Server 2016 Datacenter.

7. Set Network tags: <RDP tag>, <EMA server tag>.

8. Use a reserved IP address.

9. (For AD integration) Log into your VM, change the DNS servers to your remote domain controllers that are reachable across the VPN, and then join the existing domain like you would for any on-premises computer.

10. Create a DNS record pointing to the Intel® EMA server’s public IP address.