Version 0.2.1
Monday, June 25, 2012
Ylian Saint-Hilaire
© 2011 Intel Corporation. All Rights Reserved.
Mesh Agent Advanced Installation MeshCentral.com
INTEL CORPORATION MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. INTEL CORPORATION ASSUMES NO RESPONSIBILITY FOR ANY
ERRORS THAT MAY APPEAR IN THIS DOCUMENT. INTEL CORPORATION MAKES NO COMMITMENT
TO UPDATE NOR TO KEEP CURRENT THE INFORMATION CONTAINED IN THIS DOCUMENT.
THIS SPECIFICATION IS COPYRIGHTED BY AND SHALL REMAIN THE PROPERTY OF INTEL
CORPORATION. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE TO ANY
INTELLECTUAL PROPERTY RIGHTS IS GRANTED HEREIN.
INTEL DISCLAIMS ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY
PROPRIETARY RIGHTS, RELATING TO IMPLEMENTATION OF INFORMATION IN THIS
SPECIFICATION. INTEL DOES NOT WARRANT OR REPRESENT THAT SUCH IMPLEMENTATIONS WILL
NOT INFRINGE SUCH RIGHTS.
NO PART OF THIS DOCUMENT MAY BE COPIED OR REPRODUCED IN ANY FORM OR BY ANY MEANS
WITHOUT PRIOR WRITTEN CONSENT OF INTEL CORPORATION.
INTEL CORPORATION RETAINS THE RIGHT TO MAKE CHANGES TO THESE SPECIFICATIONS AT ANY
TIME, WITHOUT NOTICE.
Intel software products are copyrighted by and shall remain the property of Intel Corporation. Use, duplication or disclosure is subject to restrictions stated in Intel's Software License Agreement, or in the case of software delivered to the government, in accordance with the software license agreement as defined in FAR 52.227-7013.
The Intel logo is a registered trademark of Intel Corporation.
Other brands and names are the property of their respective owners.
Mesh Agent Advanced Installation
July 13, 2011 – Version 0.1.0
Initial version.
August 19, 2011 – Version 0.2.0
Many small corrections.
June 21, 2012 – Version 0.2.1
Grammatical corrections.
This document covers advanced configuration of the Meshcentral peer-to-peer agent. The advanced settings allow administrators to tailor the agent and the mesh to a given application. We cover the basics of setting up a mesh with a trusted administrator, how to change the mesh advanced settings dynamically, and how these settings propagate throughout the mesh network.
This document is intended for advanced mesh administrators, or developers that wish to have a deeper understanding of how the mesh software works.
The Meshcentral peer-to-peer agent allows for the formation of an intranet network mesh for use in a wide array of applications. The mesh is configured with an administrator policy and includes many built-in features including basic management operations and peer-to-peer message routing.
While many usages include a central cloud server such as meshcentral.com, the mesh agents can work independently of a central server.
Before getting to the advanced settings, let’s start by creating a new mesh. For our purpose, a mesh is defined as a collection of computers that run the mesh agent and have a common mesh policy and a common administrator or administrative entity. A mesh is created when we first create a trusted mesh policy and install mesh agents that trust this policy.
It’s possible for computers on the same network to belong to different administrators. In this case, computers will, by default, still communicate to each other, but will not follow the same policies.
Note that a computer can only be part of a single mesh at any time.
It’s also possible for a single mesh to span across many sites. In fact, with increasing usage of mobile devices, this happens a lot.
Most mesh administrators will create a mesh on a central server such as meshcentral.com, but it can also be created using a standalone tool such as Mesh Controller. The result is a mesh policy block or file (extension .msh) which is used to install mesh agents.
When installing a new agent, the mesh policy file must have the same name as the mesh agent, but with the .msh extension. When installing, the agent will grab this file and use it as its main runtime policy. A mesh policy includes:
A policy version or serial number.
The policy name or mesh name.
The central server to connect to (optional).
The central server certificate hash (optional).
Any access rights delegated to the central server (optional).
A node revocation list (optional).
The encrypted administrator certificate (optional).
The mesh policy block is signed by the mesh administrator’s certificate and can only be updated by the administrator. Agents trade mesh policy blocks automatically between themselves. To know which policy is the latest one, the agents compare the policy serial numbers: the higher number is the latest version. Each time the mesh policy is updated, the serial number is incremented by one. A block whose signature does not verify against the trusted administrator certificate is not a valid policy for that mesh, and a block whose serial number is equal to or lower than the installed one is ignored, so an older signed copy cannot be used to roll a node back.
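The policy-acceptance rule described above, as an added example in Python that is not code from this document or from the MeshCentral project. The .msh layout, the field names and the sample meshes are constructed for the illustration, and an HMAC key stands in for the administrator’s certificate so the block runs with the standard library alone; with a real certificate the administrator signs with the private key and the agents hold only the public half, which is what lets them verify updates they could not forge.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the administrator's certificate key (assumption:
# with a real certificate the agents would hold only the public half).
ADMIN_KEY = b"constructed-admin-key-for-this-example"
OTHER_ADMIN_KEY = b"constructed-key-of-a-different-administrator"


def _canonical(body):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def policy_id(admin_key):
    """Trusted policy hash: agents identify a mesh by the signing certificate,
    never by the policy name (constructed here as SHA-256 of the key)."""
    return hashlib.sha256(admin_key).hexdigest()


def sign_policy(admin_key, body):
    """Build a signed policy block: the body plus a signature over it."""
    sig = hmac.new(admin_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_signature(admin_key, block):
    expected = hmac.new(admin_key, _canonical(block["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, block.get("sig", ""))


def consider_update(current, received, admin_key):
    """The agent's rule for a policy block received from a peer or the central
    server: check the signature against the trusted administrator first, then
    require a strictly higher serial number. Returns (accepted, reason)."""
    if not verify_signature(admin_key, received):
        return False, "rejected: signature does not verify against the trusted administrator"
    cur_serial = current["body"]["serial"]
    new_serial = received["body"]["serial"]
    if new_serial <= cur_serial:
        return False, "ignored: serial %d is not newer than %d" % (new_serial, cur_serial)
    return True, "accepted: serial %d -> %d" % (cur_serial, new_serial)


# Constructed sample blocks (not real .msh files).
CURRENT = sign_policy(ADMIN_KEY, {"serial": 7, "name": "Lab Mesh", "server": "meshcentral.com"})
NEWER = sign_policy(ADMIN_KEY, {"serial": 8, "name": "Lab Mesh", "server": "mesh.example.internal"})
REPLAY = sign_policy(ADMIN_KEY, {"serial": 7, "name": "Lab Mesh", "server": "meshcentral.com"})
FORGED = sign_policy(b"attacker-key", {"serial": 99, "name": "Lab Mesh", "server": "evil.example"})
# A genuine newer block whose server field was altered after signing.
TAMPERED = {"body": dict(NEWER["body"], server="evil.example"), "sig": NEWER["sig"]}

if __name__ == "__main__":
    for label, block in [("newer", NEWER), ("replay", REPLAY), ("forged", FORGED), ("tampered", TAMPERED)]:
        print(label, consider_update(CURRENT, block, ADMIN_KEY))
    print("same name, different administrator:", policy_id(ADMIN_KEY) != policy_id(OTHER_ADMIN_KEY))
```

The order of the two checks matters: the serial number is only meaningful once the signature has been verified, otherwise anyone on the network could send a block with a huge serial number and have every node adopt it.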
On meshcentral.com, administrators can create a new mesh by going to the “account” tab and clicking the “new” link. This brings up a web dialog box where basic information about the mesh is collected.
Creating a new mesh using the online site is easy, but offers only minimal configuration. It also has a security concern since the mesh password is, for a moment, known by the online site.
Ideally, administrators should create a mesh policy using a separate tool. This allows the administrator to create a mesh without the online site ever knowing the mesh administrator password. Many other tools are available to create a new mesh. If you are using the mesh along with a central server, the best and simplest tool is the Mesh Connector tool.
Mesh Connector allows users to log in to the central server and remotely create and edit mesh policies from anywhere on the Internet. The central server takes care of propagating updated mesh policies to all the agents on any network. In Mesh Connector, use the “Create New Mesh” button to create a new mesh, or select a mesh and click “Edit Mesh Policy” to edit an existing mesh. Note that the mesh creation wizard does not offer all of the advanced settings, so administrators may need to create a mesh and then go back and edit the mesh policy to access and configure the more advanced settings.
Both the online and Mesh Connector tools assume that the mesh will be connected to a central server. For creation and maintenance of a standalone mesh, the administrator must use a tool like Mesh Controller. In Mesh Controller, go to “File” and “Create new mesh…”; this mesh creation wizard does not assume that the mesh will be connected to an external central server and so prompts for more options.
To edit an existing mesh policy, the Mesh Controller tool must be used on the same network as mesh agents that are part of the mesh we want to edit. Mesh Controller will find all the mesh computers running on the network and use information that it finds to allow for mesh edits.
To install a mesh agent, it’s important not only to install the agent, but also to install it with a trusted mesh policy. Mesh agents can run without any policy, but in this case they run with “No Administrator” and have limited use. “No Administrator” nodes will still relay mesh traffic, provide node state and node power state, and relay mesh policies and node information, but these nodes can’t be managed.
To install a mesh agent with a mesh policy, obtain the “.msh” file for the mesh you wish to install along with the agent. On Windows, the files are:
MeshAgent.exe   - Mesh agent
MeshAgent.msh   - Mesh policy
MeshAgent.proxy - Optional proxy information
The first file is the mesh agent itself, and the second is the policy file. The files must have the same name, but the policy file has the .msh extension. When running the agent, a built-in service installer will show up and it will decode the mesh policy.
The built-in mesh agent installer shows the current state of the mesh agent, the new mesh agent version, the trusted policy name and the trusted policy hash. Many different meshes can have the same name, but each has a unique trusted hash, which is the value that really matters: compare the hash shown by the installer with the one the administrator expects before installing, since the name alone proves nothing. If an agent is already installed or running, clicking the “Install / Update” button installs this new agent and policy over whatever existing agent is currently installed and/or running.
For other non-Windows mesh agent installations, the process is command line based, but similar to the Windows installation process. The mesh policy file (.msh) is identical across all architecture ports of the mesh agents. A single mesh policy file can be used for installing to Windows, Mac OS X, Linux, Android and more.
The “MeshAgent.proxy” file is created automatically when you press the “Install / Update” button if one is needed. The installer reads the proxy setting of the current user account and saves it to this file so that, when running as a background service, the service can use the proper proxy.
Once a mesh of computers is up and running, it may become necessary to edit the mesh policy.
Administrators can change almost everything in a mesh policy except for the certificate that signs the policy itself. For example: The policy name, central server and more can all be changed.
The two best tools available for modifying an existing policy are the Mesh Connector Tool for meshes that use a central server or the Mesh Controller Tool for standalone meshes. The two tools use the same mesh policy editor, but are very different in how they obtain the policy and how they distribute updates.
The Mesh Connector tool makes use of the central server to gather information about existing meshes and sends updates to the central server which then updates all the mesh agents within all private networks anywhere on the Internet. This is the best way to make policy changes for most usages.
In the case of standalone meshes, Mesh Controller can be used to directly change mesh policies on mesh nodes on the local network. The tool will push the updated mesh policy to every node it can reach. Other nodes on the network that are offline or sleeping during the policy update will get the update later from peer nodes.
While Mesh Controller is the only option for standalone meshes, it can also be used if a central server is used. In that case, the central server will get the updated policy from one of the nodes and participate in updating all other nodes on other networks.
If no central server is used, an updated mesh policy can still propagate across networks if devices move from network to network. Mesh policy distribution will also cross a network boundary if a device is on two networks at the same time (multi-home). Obviously, this is not the preferred way to update a policy, but it does work and will be done automatically.
As indicated earlier, both the Mesh Connector and Mesh Controller tools use the same mesh policy editor, so regardless of the tool used, the mesh policy configuration is the same. In this section, we look at the policy editor.
Regardless of the tool used, the mesh policy editor may prompt for the mesh password to decrypt the mesh certificate used to perform the policy update. If the certificate is already present in the certificate store of the local computer, no password is needed.
Once in the mesh policy editor, administrators will see 4 tabs: General, Web Service, Web Permissions and Advanced. In Mesh Connector, the Web Service tab is omitted and will not appear. The General tab allows changes to the mesh policy name and mesh password. If the mesh password is to stay the same, there is no need to enter a new password, and you should just leave the “New Password” box blank.
The mesh policy name is used throughout the online web site and mesh tools. This name can be changed at any time since the mesh certificate is the true mesh policy identifier, not the name.
In the Web Service tab, we can set the central server to which members of this mesh will connect. The editor offers a list of well-known servers, but an administrator can set their own custom server address, port and TLS server certificate hash. The certificate hash pins the server the agents will accept, so it should be set whenever a custom server is used. All members of a mesh can be instructed to change central server; in this case, as soon as a node receives a copy of the new policy, it disconnects from the previous server and connects to the new one.
The next tab is “Web Permissions”. By default, mesh agents only allow administrative operations to come from the mesh administrator. This includes remote wake, remote desktop, remote file access and much more. By default, the central server can’t perform any administrative tasks, and so all web management features are turned off. With this tab, the administrator can authorize delegation of administrative commands to the central web site, enabling web-based management. Each delegated right extends the same trust to the central server and whoever operates it, so delegate only the operations the web management usage actually needs.
The last tab is the “Advanced” tab. It allows the administrator to configure how the mesh agents are to behave. The advanced settings are a list of values, like timings and more. Agents come with a default value for each setting and so, leaving the advanced tab blank will keep all defaults intact. Adding new values in this box will override the default value built into the agent.
Some of these settings could cause the peer-to-peer mesh to stop working entirely, so, to prevent problems the agents have built-in guards. A mesh policy may contain incorrect values, but the agents will in most cases ignore them.
Possible advanced values are as follows:
MulticastTimerMin          Seconds   Minimal interval between discovery multicasts.
MulticastTimerVar          Seconds   Added variation interval between multicasts.
ServiceTimeBeforeConnect   Seconds   Time to wait after agent launch to connect.
ServiceConnectionRetry     Seconds   Time to wait between each service retry.
ServiceIdleTimeout         Seconds   Time without traffic before dropping service.
CycleTime                  Seconds   Internal mesh agent sync clock.
UdpAttemptStart            Seconds   Time after last contact to launch next sync.
UdpAttemptSpacing          Seconds   Interval between sync retries.
TlsFallbackTimeout         Seconds   Time after last contact to launch TLS sync.
AmtRetryCount              Count     Intel® AMT retry count.
MeshMaxTargets             Count     Maximum number of peers.
MeshMaxHttpConnections     Count     Maximum number of simultaneous HTTP connections.
This table serves as an overview; each value is looked at in more detail below.
6.1.1 Multicast Discovery
When a mesh agent is first run on the network, or when new network interfaces are added, the mesh agent will attempt to find other agents on the network using a multicast discovery packet.
Multicast discovery is used at regular intervals until at least one other node is found. After a node is found, multicast is no longer used except when new network interfaces are connected.
The multicast discovery is sent on IPv4 "239.255.255.250" and IPv6 "FF02:0:0:0:0:0:0:C" to port 16990 where other agents are listening. The first two advanced settings allow the administrator to set the frequency and variation of the multicast packets.
When the mesh agent is first launched, it sends a pair of multicast discovery packets. It then waits the “MulticastTimerMin” time plus a random value between 0 and “MulticastTimerVar” before sending the next pair of multicast discovery packets. The process repeats each time multicast packets are sent, until another mesh node is found.
“MulticastTimerMin” and “MulticastTimerVar” allow the administrator to set the frequency and variability of the multicast packets used for initial discovery.
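As an added example, not code from this document or from the MeshCentral tools, the following Python models two things described above: the agent guards that ignore incorrect advanced values instead of applying them, and the multicast discovery schedule driven by “MulticastTimerMin” and “MulticastTimerVar”. The “Name=Value” line format, the default values and the guard ranges are assumptions made for the illustration; the real agent has its own built-in defaults and guards.

```python
import random

# Assumed built-in defaults and guard ranges. The agents ship with their own
# defaults and guards; these numbers are constructed for the example.
DEFAULTS = {
    "MulticastTimerMin": 20, "MulticastTimerVar": 10,
    "ServiceTimeBeforeConnect": 5, "ServiceConnectionRetry": 60,
    "ServiceIdleTimeout": 120, "CycleTime": 5,
    "UdpAttemptStart": 30, "UdpAttemptSpacing": 10, "TlsFallbackTimeout": 90,
    "AmtRetryCount": 3, "MeshMaxTargets": 8, "MeshMaxHttpConnections": 4,
}
LIMITS = {  # inclusive (min, max); anything outside keeps the default
    "MeshMaxTargets": (1, 64), "MeshMaxHttpConnections": (1, 16),
    "AmtRetryCount": (0, 10), "CycleTime": (1, 60),
}
DEFAULT_LIMIT = (1, 86400)  # one day, for the remaining timers


def parse_advanced(text, defaults=DEFAULTS, limits=LIMITS):
    """Merge the Advanced tab text (assumed 'Name=Value', one per line) over the
    built-in defaults. Unknown names and non-integer or out-of-range values are
    ignored rather than applied, the way the agents' guards keep a bad policy
    from stopping the mesh. Returns (settings, list of (line, reason) ignored)."""
    settings = dict(defaults)
    ignored = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or name not in defaults:
            ignored.append((line, "unknown setting"))
            continue
        try:
            number = int(value)
        except ValueError:
            ignored.append((line, "not an integer"))
            continue
        lo, hi = limits.get(name, DEFAULT_LIMIT)
        if not lo <= number <= hi:
            ignored.append((line, "outside guard range %d..%d" % (lo, hi)))
            continue
        settings[name] = number
    return settings, ignored


def multicast_schedule(settings, rounds, seed=None):
    """Seconds after launch at which each pair of discovery packets goes out
    while no peer has been found: the first pair immediately, then a wait of
    MulticastTimerMin plus a random 0..MulticastTimerVar before the next."""
    rng = random.Random(seed)
    times = [0]
    for _ in range(rounds - 1):
        times.append(times[-1] + settings["MulticastTimerMin"]
                     + rng.randint(0, settings["MulticastTimerVar"]))
    return times


# Constructed Advanced-tab contents: two good lines and three the guards drop.
SAMPLE_ADVANCED = """
MulticastTimerMin=30
MulticastTimerVar=15
MeshMaxTargets=500
CycleTime=five
NotASetting=1
"""

if __name__ == "__main__":
    settings, ignored = parse_advanced(SAMPLE_ADVANCED)
    for line, reason in ignored:
        print("ignored %-22s (%s)" % (line, reason))
    print("multicast sends at:", multicast_schedule(settings, 5, seed=2012))
```

Returning the list of ignored lines alongside the merged settings is the part worth copying into any real policy tool: a value that was silently dropped by the agents looks, from the editor, exactly like one that was applied.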
6.1.2 Central Server Connection
When the mesh policy includes instructions to connect to a central server, the agents will attempt to connect to the server according to another set of timer values. Three values configure the connection behavior with the central server: “ServiceTimeBeforeConnect”, “ServiceConnectionRetry”, and “ServiceIdleTimeout”.
“ServiceTimeBeforeConnect” is the time to wait before connecting to the central server. Depending on mesh usage it may be useful to set a longer time, because a starting delay gives the agent time to find other peers that may already have a connection to the central server. “ServiceConnectionRetry” sets the interval to wait between service connection attempts. If the server is not reachable, a low value causes the agent to retry often. Lastly, the “ServiceIdleTimeout” value sets how many seconds an idle connection to the server is tolerated before the connection is dropped and re-established. The server sends regular short “ping” messages to assure that the connection is alive, so “ServiceIdleTimeout” must be longer than the server’s ping interval or healthy connections will be dropped and rebuilt needlessly.
The server regular “ping” message also serves another purpose. The responding “pong” from the mesh agent not only confirms to the server that the agent is still alive, it also indicates that “no state has changed” allowing the server to update timelines in its database.
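The three central-server timers as an added worked example in Python, not code from this document or from the mesh agent. The timer values, the second at which the server becomes reachable and the ping times are constructed; the agent is assumed to re-establish a dropped connection on the next tick, which the text does not specify.

```python
# Constructed timer values for the simulation (not the agent's real defaults).
SETTINGS = {"ServiceTimeBeforeConnect": 10, "ServiceConnectionRetry": 30, "ServiceIdleTimeout": 60}


def service_timeline(settings, server_up_from, pings, horizon):
    """Simulate one agent's central-server connection second by second.

    server_up_from: first second at which the server accepts connections.
    pings: seconds at which the server sends its keepalive "ping" (the agent's
           "pong" counts as traffic and resets the idle timer).
    Returns a list of (second, event). Assumption: after an idle drop the
    agent re-establishes on the next tick rather than waiting a retry interval."""
    events = []
    connected = False
    next_attempt = settings["ServiceTimeBeforeConnect"]
    last_traffic = None
    for t in range(horizon):
        if not connected:
            if t == next_attempt:
                if t >= server_up_from:
                    connected, last_traffic = True, t
                    events.append((t, "connected"))
                else:
                    events.append((t, "connect failed, retry in %ds" % settings["ServiceConnectionRetry"]))
                    next_attempt = t + settings["ServiceConnectionRetry"]
            continue
        if t in pings:
            last_traffic = t
            events.append((t, "ping/pong: alive, no state change"))
        elif t - last_traffic >= settings["ServiceIdleTimeout"]:
            connected = False
            events.append((t, "idle for %ds: dropped" % settings["ServiceIdleTimeout"]))
            next_attempt = t + 1
    return events


def drops(events):
    """Seconds at which the idle timeout tore the connection down."""
    return [t for t, e in events if e.startswith("idle")]


# Constructed scenario: the server only comes up at t=50, pings every 30s for
# a while, then goes quiet.
SERVER_UP_FROM = 50
PINGS = {100, 130, 160}

if __name__ == "__main__":
    for t, e in service_timeline(SETTINGS, SERVER_UP_FROM, PINGS, 250):
        print("t=%3d  %s" % (t, e))
    # An idle timeout shorter than the server's ping interval churns the connection.
    churn = service_timeline(dict(SETTINGS, ServiceIdleTimeout=25), SERVER_UP_FROM, PINGS, 250)
    print("drops with ServiceIdleTimeout=25:", drops(churn))
```

With the constructed values the agent fails at t=10 and t=40, connects at t=70, stays up through the pings at 100, 130 and 160, and drops at t=220 once the pings stop. Lowering “ServiceIdleTimeout” below the 30-second ping spacing produces a drop at t=95, before the first ping has even arrived.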
6.1.3 Peer Synchronization
The values that will most profoundly change the behavior of the peer-to-peer mesh are the synchronization time between nodes and maximum number of peer nodes. Each agent keeps a list of peer nodes it found and, at regular intervals, performs a synchronization exchange with the other nodes.
The most important value is how many peers each agent is allowed to have; this is set using the “MeshMaxTargets” value. The largest recommended value is 20; this allows a node to connect to many peers while still being able to perform node-to-node synchronization with a single network packet. A larger “MeshMaxTargets” allows for a more connected mesh at the expense of more network traffic.
Once discovered using the multicast system or using the candidate proposal system, mesh agents that want to connect to a new node will first set up an HTTPS connection using mutually authenticated TLS. They then exchange session keys and switch over to using UDP for regular peer-to-peer synchronization. The value “MeshMaxHttpConnections” sets the maximum number of HTTPS or TLS connections that can be established with other nodes. These connections are short lived and a maximum of 4 is generally plenty.
Once a node gets the session key of another node, it then performs synchronization at regular intervals using the “UdpAttemptStart” value, which sets the number of seconds between synchronizations. A higher “UdpAttemptStart” value will lower the amount of traffic on the network at the cost of slower mesh synchronization. Since UDP is not reliable, “UdpAttemptSpacing” indicates the number of seconds between retries after the initial UDP sync request has been made.
After a few UDP synchronization attempts are made, mesh agents will fall back to performing another HTTPS/TLS connection. This is needed in case the other node was reset and lost the encryption session keys. The “TlsFallbackTimeout” value indicates the time since the node was last reached after which a TLS connection should be attempted.
To limit the amount of work performed by the mesh agent, the values for “UdpAttemptStart”, “UdpAttemptSpacing” and “TlsFallbackTimeout” are minimal values. The mesh agent actually checks its database at a regular interval set by the value “CycleTime”. A higher cycle time will mean the mesh agent will have less accurate peer-to-peer timing; a value of 5 seconds between checks is plenty small.
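An added example, not the agent’s own code, that simulates the peer-synchronization timers of 6.1.3 in Python, including the rounding that “CycleTime” imposes because the other three values are minimums, and the Intel AMT retries that follow a failed TLS fallback. The timer values are constructed, and it is assumed that AMT attempts happen one per cycle, which the text leaves open.

```python
# Constructed timer values chosen to make the rounding visible (not the agent's real defaults).
SETTINGS = {"CycleTime": 5, "UdpAttemptStart": 32, "UdpAttemptSpacing": 12,
            "TlsFallbackTimeout": 70, "AmtRetryCount": 2}


def first_cycle_at_or_after(seconds, cycle):
    """The earliest database check at which a timer of `seconds` has expired:
    the timers are minimums, so the effective value rounds up to the cycle."""
    return -(-seconds // cycle) * cycle


def peer_sync_timeline(settings, last_contact, horizon, peer_has_amt=True):
    """Actions toward one silent peer, evaluated at every CycleTime check.

    UDP syncs start once UdpAttemptStart has passed since the last contact and
    repeat no sooner than UdpAttemptSpacing apart; once TlsFallbackTimeout has
    passed a fresh TLS handshake is attempted (the peer may have been reset and
    lost the session key); if that fails too and the peer has Intel AMT, up to
    AmtRetryCount AMT connections follow (assumption: one per cycle)."""
    cycle = settings["CycleTime"]
    actions = []
    last_udp = None
    tls_tried = False
    amt_tries = 0
    t = 0
    while t <= horizon:
        since_contact = t - last_contact
        if not tls_tried:
            if since_contact >= settings["TlsFallbackTimeout"]:
                actions.append((t, "TLS handshake"))
                tls_tried = True
            elif since_contact >= settings["UdpAttemptStart"] and (
                    last_udp is None or t - last_udp >= settings["UdpAttemptSpacing"]):
                actions.append((t, "UDP sync"))
                last_udp = t
        elif peer_has_amt and amt_tries < settings["AmtRetryCount"]:
            amt_tries += 1
            actions.append((t, "Intel AMT attempt %d/%d" % (amt_tries, settings["AmtRetryCount"])))
        t += cycle
    return actions


if __name__ == "__main__":
    for t, action in peer_sync_timeline(SETTINGS, last_contact=0, horizon=100):
        print("t=%3d  %s" % (t, action))
    print("UdpAttemptStart=32 with CycleTime=5 first fires at",
          first_cycle_at_or_after(32, 5))
```

With a 5-second cycle the first UDP sync goes out at t=35 rather than t=32, and the retries land 15 seconds apart rather than the configured 12, which is the “less accurate peer-to-peer timing” the text refers to; the TLS handshake at t=70 lines up only because 70 happens to be a multiple of the cycle.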
Lastly, for mesh nodes that fail to respond to both UDP and HTTP synchronization requests and that are equipped with Intel AMT, the mesh agent will try to sync with Intel AMT. Since the management engine that implements Intel AMT is small and not intended to support many connections, it’s possible for HTTP/HTTPS connections to Intel AMT to fail occasionally. The value “AmtRetryCount” indicates how many times to try to connect to Intel AMT before failing.
The peer-to-peer mesh facilitates a wide array of usages and applications. To better serve our customers and users, the mesh agent is built to be configurable. Mesh administrators can use the mesh policy editor to change the policy that will be followed by all mesh agents. The mesh policy includes advanced settings that provide fine-grained control over the behavior of the mesh agents.