Enabling ASF

How to enable and use ASF within Client Management Suite 7.0
Intel’s AMT technology incorporated in the vPro platform provides useful functions for managing
systems out of band. What about ASF? Broadcom and Intel put ASF onboard NICs before Intel
introduced AMT and vPro. Altiris offers support for ASF technology with Out of Band Management 7.0,
Real-Time System Manager 7.0, Network Discovery 7.0, Task Server, and other OEM Solutions. Setting
up ASF isn’t as simple as throwing a switch. This article covers how to enable and use ASF functionality in
the Client Management Suite 7.0 Infrastructure.
Introduction
You may have ASF capable machines out in the environment and not know it. Symantec can identify
those systems and provide details of ASF’s current state. Does the NIC support ASF? Is ASF enabled or
disabled in the BIOS? What steps need to be taken to enable ASF fully so that components like Real-Time System Manager and Network Discovery can use the technology? What can ASF do? These
questions are addressed in this article. If you are familiar with using ASF within the 6.x Notification
Server infrastructure then this article is a refresher including
ASF Overview
ASF, or Alert Standard Format, resides directly on the NIC in firmware. This provides out of band
capabilities that sit below the hard drive and the loaded operating system. The following features are
available to use once ASF has been enabled both within the firmware of the system and within the
Symantec CMS infrastructure.
Alert Functionality
ASF provides functionality for PET (platform event trap) alerts. Alert functions are limited to what the
hardware OEM provides. The full list of potential alerts follows.
Alert | Description
Chassis: Chassis Intrusion - Physical Security Violation | System chassis has been opened.
Chassis Intrusion - Physical Security Violation Event Cleared | System chassis intrusion alert has been cleared.
BIOS: Corrupt BIOS | The system BIOS is corrupted.
Corrupt BIOS Cleared | The system BIOS corruption has been resolved.
Boot: Failure to Boot to BIOS | The system BIOS did not complete loading upon initiation.
CPU: CPU DOA Alert | The CPU is not functioning properly.
CPU DOA Alert Cleared | The CPU is now running properly.
Heartbeats: Entity Presence | Periodic heartbeats transmitted to verify system presence.
Temperature: Generic Critical Temperature Problem | System temperature is out of limits.
Generic Critical Temperature Problem Cleared | The system temperature problem has been cleared.
Voltage: Generic Critical Voltage Problem | The voltage from onboard voltage regulators is out of limits.
Generic Critical Voltage Problem Cleared | The voltage problem has been cleared.
Power Supply: Critical Power Supply Problem | System power supply voltage is out of limits.
Critical Power Supply Problem Cleared | System power supply voltage problem has been resolved.
Cooling Device: Generic Critical Fan Failure | Fan speed/rpm is out of limits.
Generic Critical Fan Failure Cleared | Fan speed/rpm problem has been resolved.
Connectivity: Ethernet Connectivity Enabled | Ethernet connectivity is enabled.
Ethernet Connectivity Disabled | Connectivity is disabled.
Again, note that not all OEMs support all of the above alert features. Check the manufacturer’s
documentation for a list of what alerts are supported on your specific systems.
Remote Interaction Functionality
Not all the functionality is available through Symantec CMS, but the following list shows the full remote
functionality available on an ASF-enabled system.
• Get System State – Returns the current system status. – This is incorporated when executing ASF
states in Task Server; for RTSM this is fully supported
• Get Client Capabilities – Returns client ASF configuration per the DMTF ASF specification. – Task
Server will not specifically capture this information but will attempt ASF functions if ASF is
detected as active; RTSM does capture this information so the proper functions are available in
the Real-Time Interface
• Presence Ping – Similar to Internet Control Message Protocol (ICMP) ping utility; responds with
pong to verify the system presence.
• Power up – Powers up the remote system. – SUPPORTED
• Power down – Powers down the remote system. – SUPPORTED
• Reboot – Reboots the remote system. – SUPPORTED
• Reboot with a redirect – Reboots the remote system with options to boot to PXE, the local
floppy or optical drives (This isn’t a true IDE redirect) – SUPPORTED
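The Presence Ping / Pong exchange listed above, as an added example that is not part of the original article or of any Symantec tooling: it builds the ping and decodes the capability bytes of a pong, including the bit that reports whether the RMCP security extensions (the keyed mode that the keys set later in this article are for) are supported. The field layout and constants follow the DMTF ASF specification's RMCP message format and are not stated in the article; the sample reply is constructed.

```python
import struct

# Constants from the DMTF ASF / RMCP message layout (not given in the article).
RMCP_VERSION = 0x06      # RMCP version 1.0
RMCP_CLASS_ASF = 0x06    # RMCP message class: ASF
ASF_IANA = 4542          # IANA enterprise number assigned to ASF
PRESENCE_PING = 0x80
PRESENCE_PONG = 0x40

def build_presence_ping(tag: int) -> bytes:
    """4-byte RMCP header + 8-byte ASF header, no payload."""
    # Sequence number 0xFF asks the receiver not to send an RMCP ACK.
    rmcp = struct.pack("!BBBB", RMCP_VERSION, 0x00, 0xFF, RMCP_CLASS_ASF)
    asf = struct.pack("!IBBBB", ASF_IANA, PRESENCE_PING, tag, 0x00, 0x00)
    return rmcp + asf

def parse_presence_pong(datagram: bytes, expected_tag: int) -> dict:
    """Validate a Presence Pong and decode its capability bytes."""
    if len(datagram) < 12:
        raise ValueError("too short for RMCP and ASF headers")
    version, _, _, msg_class = struct.unpack_from("!BBBB", datagram, 0)
    iana, msg_type, tag, _, data_len = struct.unpack_from("!IBBBB", datagram, 4)
    if version != RMCP_VERSION or (msg_class & 0x1F) != RMCP_CLASS_ASF:
        raise ValueError("not an RMCP/ASF message")
    if iana != ASF_IANA or msg_type != PRESENCE_PONG:
        raise ValueError("not a Presence Pong")
    if tag != expected_tag:
        raise ValueError("message tag does not match the ping that was sent")
    if data_len != 16 or len(datagram) != 12 + data_len:
        raise ValueError("unexpected Presence Pong length")
    oem_iana, _, entities, interactions = struct.unpack_from("!IIBB", datagram, 12)
    return {
        "oem_iana": oem_iana,
        "asf_version_bits": entities & 0x0F,        # 0001b = ASF version 1.0
        "ipmi": bool(entities & 0x80),
        "security_extensions": bool(interactions & 0x80),
    }

# Constructed sample reply (tag 0x2A), not captured from a real system.
SAMPLE_PONG = bytes.fromhex(
    "0600ff06" "000011be" "402a0010"   # RMCP header, ASF IANA, type/tag/reserved/length
    "000011be" "00000000" "0180" "000000000000"
)

if __name__ == "__main__":
    print(build_presence_ping(0x2A).hex())
    print(parse_presence_pong(SAMPLE_PONG, 0x2A))
```
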
Enabling ASF
Enabling ASF requires a series of steps. This section outlines the steps as described within the Symantec
Client Management Suite infrastructure. The full steps are highly recommended to ensure that all
functionality is enabled in ASF and available to the Symantec Management Platform and supporting
Solutions.
Enabling Steps
Walk through the following steps to discover and enable ASF on all supported systems.
1. Run an Out of Band Discovery on all applicable systems to discover what systems are ASF
capable. This requires the Altiris Agent. The steps are as follows:
a. In the Symantec Management Console, browse under Home > Remote Management >
and select Out of Band Management.
b. In the left-hand tree browse under Out of Band Agent Install > and select Out of Band
Discovery.
c. On the title bar for the task, click the button labeled off and click on ‘On’ (this is only
required if this policy is not already enabled).
d. Change the assigned collection if needed (This discovery can run on any Windows
system and it does not harm non ASF or AMT systems).
e. NOTE: It will take time for this Task to propagate out to all systems and for the
applicable data to be returned to the Notification Server.
2. Once sufficient time has passed (a good time mark is 24 hours) identify which machines are ASF
capable by browsing under Manage > and select Filters. In the left-hand tree browse under
Filters > Out of Band Management > and click on either Broadcom ASF Capable computers or
Intel ASF Capable Computers.
3. In the BIOS, enable ASF. The OEM may ship systems as ASF enabled if that option is indicated
during the ordering of the systems. This would greatly simplify the process since this step
requires a remote or site boot into the BIOS to enable ASF (it’s possible a BIOS update can
enable this remotely, check with the computer manufacturer). ASF enabling differs depending
on the manufacturer and version of the BIOS.
4. Enable the rollout of the Out of Band Task Agent. The steps are listed as follows:
a. In the Altiris Console, browse under Home > Remote Management > and select Out of
Band Management.
b. In the left-hand tree browse under Out of Band Agent Install > and select Out of Band
Task Agent – Install.
c. On the title bar for the task, click the button labeled off and click on ‘On’ (this is only
required if this policy is not already enabled).
d. It will take time for this Task to propagate out to all systems and for the agent to be
installed.
5. ASF settings need to be updated to enable any and all functionality. Execute an Update ASF
Configuration Settings task within Task Server. See the screenshot below and the following
steps on how to do this:
a. In the Symantec Management Console, browse under Manage > Jobs and Tasks.
b. In the left-hand tree, browse under System Jobs and Tasks > Real-Time Console
Infrastructure.
c. Right-click on the folder Real-Time Console Infrastructure (you can also choose another
location to create the task if so desired) and choose New > Job or Task.
d. In the resulting window, within the right-side tree browse down under Remote
Management and select the task type Update ASF Configuration Settings.
e. Check the box labeled ‘Modify ASF general settings’.
f. Make sure ‘Enable ASF’ is checked.
g. Check the option ‘Modify security settings’. Current experience shows that each field
should be populated by 40-digit keys. Once set, a profile can be created with the proper
keys to authenticate in the Symantec Management Platform for Out of Band
Management and Real-Time System Manager use. See the section ‘Utilizing ASF within the
Symantec Client Management Suite’ below for details. Keep track of the Generation and
Authentication Keys, as these will be required in that section.
h. Click the OK button to save the task (you can rename the task if you wish before saving).
i. Once saved, browse to the bottom in the right-pane window (it should show the new
task you created) and click the New Schedule button.
j. Leave the radio button set to ‘Now’, or if you need this to run at a different time, select the
schedule radio button and set the schedule appropriately to your situation.
k. Use the Selected Devices dialog to add filter/targets or individual systems to this run
instance.
l. Click Schedule when ready.
6. Run OOB Discovery again so that the system is seen as ASF Enabled and configured in the
filters/targets.
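For the keys entered in step 5-g, one way to generate them and to sanity-check a pair before it is typed into the task, as an added example that is not part of the original article or of the Symantec product. It assumes the 40 digits are hexadecimal (a 20-byte key); the function names and the distinct-byte threshold are choices made for this sketch.

```python
import re
import secrets

KEY_DIGITS = 40  # from step 5-g; treated here as hexadecimal digits (assumption)
_HEX_KEY = re.compile(r"[0-9A-Fa-f]{%d}" % KEY_DIGITS)

def generate_key() -> str:
    """Return a fresh 40-digit key drawn from the operating system's CSPRNG."""
    return secrets.token_hex(KEY_DIGITS // 2).upper()

def key_problems(name: str, key: str) -> list:
    """List the reasons one key should be rejected (empty list = acceptable)."""
    if not _HEX_KEY.fullmatch(key):
        return [f"{name}: must be exactly {KEY_DIGITS} hexadecimal digits"]
    distinct = len(set(bytes.fromhex(key)))
    # 20 random bytes almost never contain fewer than 12 distinct values;
    # hand-typed keys (repeats, counting sequences) usually do.
    if distinct < 12:
        return [f"{name}: only {distinct} distinct byte values, looks patterned"]
    return []

def check_key_pair(generation_key: str, authentication_key: str) -> list:
    """Check both keys and that the same value was not reused for both fields."""
    problems = key_problems("generation key", generation_key)
    problems += key_problems("authentication key", authentication_key)
    if generation_key.lower() == authentication_key.lower():
        problems.append("generation and authentication keys are identical")
    return problems

if __name__ == "__main__":
    gen, auth = generate_key(), generate_key()
    print("problems with generated pair:", check_key_pair(gen, auth))
    # Constructed weak input: a counting sequence reused for both fields.
    weak = "0123456789ABCDEF0123456789ABCDEF01234567"
    for problem in check_key_pair(weak, weak):
        print(problem)
```

Store the generated pair in the same protected location as other management credentials, since the same values are needed again when the ASF credentials are created in the console.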
Utilizing ASF within the Symantec Client Management Suite
Once enabled, Symantec can utilize ASF within the Symantec Management Platform Task-Server
infrastructure, or individually through the Real-Time System Manager interface. To use RTSM or Task
Server with ASF, a profile must be created that contains the proper security keys. Please see Step 5-g.
under enabling steps above to see what keys need to be set. This can be done with the following steps:
1. In the Symantec Management Console browse under Settings > and select All Settings.
2. In the left-hand tree browse under Monitoring and Alerting > Credential Settings > and select
Credential Management.
3. Click the Add Credentials button. If you’ve previously set up ASF credentials, choose them from the
available list and click the edit button.
4. From the Credential Type dropdown select ASF Credentials.
5. Provide a name for these specific credentials.
6. Input the Generation key and Authentication key previously configured when configuring the ASF
devices, as shown in this screenshot:
7. Click ‘OK’ to save the ASF Credentials.
8. Browse back up to the Monitoring and Alerting folder > browse under Protocol Management >
Connection Profiles > and select Manage Connection Profiles.
9. Select the profile you wish to use (the Default Connection Profile can be used for general usage)
and click the edit button.
10. Wait for the full page to load before attempting to make changes, as shown in this screenshot:
11. Expand the section labeled ASF by clicking on the down arrow to the right.
12. In the ‘Select existing credentials’ dropdown select the credentials you created previously.
13. On the bar for the credentials, click the button labeled off and click ‘On’ (this is only required
if this protocol is not already enabled).
14. Click OK to save the changes.
Task Server
With the introduction of the Symantec Management Platform 7.0, ASF functions are added to a large
number of tasks available through the Task Server interface. A single job or task can be run
simultaneously on many systems, and any available tasks within Task Server can be utilized with the ASF
functions. This allows functions such as reliable power management to be included amid a job that
might roll out patches, software delivery programs, inventory scan, etc…
The following example job contains ASF functions. The steps used to create the Job are included as
follows:
1. In the Symantec Management Console, browse under Manage > and select Jobs and Tasks.
2. In the left-hand window browse under System Jobs and Tasks > Software > and select Quick
Delivery.
3. Right-click on the Quick Delivery folder > choose New > Job or Task.
4. From the left-hand tree select the option Server Job, usually located at the bottom of the tree.
5. Name the Job: Software Rollout using ASF Power Management.
6. Under Jobs / Tasks choose New > Task.
7. In the resulting window, look under Real-Time Console Infrastructure and select Power
Management.
8. Name the Task ASF Power On.
9. Choose the power action Power On and click OK.
10. To the right of the Job tree, select the radio button option Enter task input now.
11. Under the section For Connection credential settings dropdown select use a set value.
12. Click on the resulting link Select Connection Profile and choose the profile you configured your
ASF credentials within.
13. Now add a Quick Delivery Task (for demonstration purposes the configuration etc. of this task
will not be covered in this article).
14. Lastly, select New > Task again.
15. Select Power Management again but this time configure it as a Power Off.
16. Done! See this screenshot for an example:
You can now schedule this job to run on ASF enabled computers. Any other combination can be used
within a Task Server Job, or the individual functions can be executed individually as stand-alone tasks.
Real-Time System Manager (RTSM)
In the Symantec Client Management Suite RTSM is now included! When connecting to a system through
the Real-Time tab from Resource Explorer, available ASF functionality should be automatically detected.
This assumes that ASF has been properly enabled and configured as per the previous steps. The RTSM
console is a one-to-one console that allows direct interaction with a system. Most of the functions
found in Task Server are also available in the Real-Time interface, though for RTSM it is a direct system
manipulation.
Conclusion
Understanding the steps for setting up and configuring ASF will enable you to properly configure all
available ASF systems, making the technology available. Once available, power management becomes
reliable. Also, PXE boot can be directly invoked if necessary from the RTSM console, negating the need
to visit a machine that is down for imaging or other PXE related tasks.