Vous êtes sur la page 1sur 67

Altiris Real-Time System Management 7.

5 User Guide

Altiris Real-Time System Management 7.5 User Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice
Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Altiris, and any Altiris or Symantec trademarks used in the product are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Licensed Software does not alter any rights or obligations you may have under those open source or free software licenses. For more information on the Third Party Programs, please see the Third Party Notice document for this Symantec product that may be available at http://www.symantec.com/about/profile/policies/eulas/, the Third Party Legal Notice Appendix that may be included with this Documentation and/or Third Party Legal Notice ReadMe File that may accompany this Symantec product. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com

Technical Support
Symantec Technical Support maintains support centers globally. Technical Supports primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantecs support offerings include the following:

A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and/or Web-based support that provides rapid response and up-to-the-minute information Upgrade assurance that delivers software upgrades Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis Premium service offerings that include Account Management Services

For information about Symantecs support offerings, you can visit our website at the following URL: www.symantec.com/business/support/ All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support


Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/ Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available:

Product release level Hardware information

Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description:

Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/ Customer Service is available to assist with non-technical questions, such as the following types of issues:

Questions regarding product licensing or serialization Product registration updates, such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade assurance and support contracts Information about the Symantec Buying Programs Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources


If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan Europe, Middle-East, and Africa North America and Latin America customercare_apac@symantec.com semea@symantec.com supportsolutions@symantec.com

Contents

Technical Support ............................................................................................... 4 Chapter 1 Chapter 2 Introducing Real-Time System Management .................. 9
About Real-Time System Management ............................................... 9

Running one-to-many tasks .............................................. 11


About one-to-many tasks ............................................................... Managing the power state of computers remotely ............................... Using the Restore State power action .............................................. Automatically turning off computers in critical state .............................. Collecting and viewing Intel AMT, DASH, and IPMI inventory ................ Updating BIOS settings ................................................................. Resetting a local user password on multiple computers ........................ Managing a process on multiple computers ....................................... Managing a service on multiple computers ........................................ Updating Intel AMT and DASH alert settings ..................................... Booting multiple computers from a remote location ............................. Filtering the network traffic on multiple computers .............................. Updating Intel AMT settings or unconfiguring Intel AMT ........................ 11 12 14 15 16 17 18 19 20 20 22 23 25

Chapter 3

Managing resourses one-to-one in real time ................ 27


About one-to-one real time management ........................................... Initiating real time connection .......................................................... Turning off, turning on, or restarting a client computer .......................... Starting a Keyboard-Video-Mouse (KVM) remote control session ........... Starting a Serial-over-LAN (SOL) remote control session ...................... Booting a computer from remote location using IDE-R ......................... Blocking network traffic from and to the computer ............................... Configuring the Intel AMT device settings ......................................... Viewing client computer logs ........................................................... Managing BIOS settings ................................................................ Managing the properties of Symantec Management Agent in real time ..................................................................................... Activating a virtual layer ................................................................. 27 28 29 30 31 33 34 35 36 37 38 39

Contents

Chapter 4

Additional functionality ..................................................... 41


Additional functionality and portal actions available in Real-Time System Manager ............................................................................... Resetting a domain user password .................................................. Running the port check .................................................................. Configuring the port check settings .................................................. Modifying the list of open network filtering ports .................................. Adding or removing custom views .................................................... 41 41 42 42 42 43

Appendix A

List of available operations ............................................... 44


List of available operations ............................................................. Managements processes ............................................................... Audit Nodes ................................................................................ Information Nodes ........................................................................ 44 44 47 48

Appendix B

Troubleshooting

.................................................................. 52 52 54 55 56 57 58

Troubleshooting Real-Time System Manager connection ...................... Configuring the firewall to allow WMI connection ........................... Configuring the firewall on a single computer ............................... Configuring the firewall on multiple domain computers with a group policy ............................................................................. Disabling simple file sharing on Windows XP SP2 ......................... Configuring User Access Control on Windows Vista or later versions of Windows .........................................................

Appendix C

Technical Reference ........................................................... 59


Ports used by Real-Time System Manager ........................................ How authentication works .............................................................. About changes in default system security .......................................... Network filtering ports and settings ................................................... Power management and redirection capabilities ................................. 59 61 62 62 63

Index

.................................................................................................................... 66

Chapter

Introducing Real-Time System Management


This chapter includes the following topics:

About Real-Time System Management

About Real-Time System Management


The Real-Time Console Infrastructure software provides the necessary infrastructure for real time management using the Real-Time System Manager. Also, Real-Time Console Infrastructure lets you perform one-to-many out-of-band management tasks on a group of computers that support ASF, DASH, or AMT. With Real-Time System Manager, you can view detailed real time information about the managed computers and remotely perform various administrative tasks. For example, you can collect the hardware and the configuration inventory even if the computers are turned off. Also, you can restart the computer, reset a password, run a port scan, terminate a process. Real-Time System Manager also lets you run some of the management tasks on a group of computers, immediately or on a schedule. Using Real-Time System Manager with properly configured out-of-band capable computers, you can manage the computers that are turned off or that failed to load an operating system. Managing computers remotely out of band lets you significantly reduce the number of desk-side visits. Some of the supported out-of-band features are as follows:

Remote boot through Integrated Drive Electronics Redirection (IDE-R) See Booting a computer from remote location using IDE-R on page 33. Remote console redirection See Starting a Serial-over-LAN (SOL) remote control session on page 31.

Introducing Real-Time System Management About Real-Time System Management

10

See Starting a Keyboard-Video-Mouse (KVM) remote control session on page 30.

Hardware filtering of network traffic (Circuit Breaker) using Intel vPro System Defense technology See Blocking network traffic from and to the computer on page 34. Hardware alerts for Intel AMT and DASH See Updating Intel AMT and DASH alert settings on page 20.

Chapter

Running one-to-many tasks


This chapter includes the following topics:

About one-to-many tasks Managing the power state of computers remotely Using the Restore State power action Automatically turning off computers in critical state Collecting and viewing Intel AMT, DASH, and IPMI inventory Updating BIOS settings Resetting a local user password on multiple computers Managing a process on multiple computers Managing a service on multiple computers Updating Intel AMT and DASH alert settings Booting multiple computers from a remote location Filtering the network traffic on multiple computers Updating Intel AMT settings or unconfiguring Intel AMT

About one-to-many tasks


One-to-many tasks let you manage multiple computers at the same time, but limit the options that are available. Full list of remote management features is available using real time one-to-one management. One-to-many actions are carried out in a form of scheduled tasks. You must install Symantec Management Agent on the client computer for in-band management.

Running one-to-many tasks Managing the power state of computers remotely

12

For out-of-band management, client computers also must support ASF, DASH, or AMT technology. For example, you can perform the following one-to-many tasks:

Boot a group of computers from either a PXE, a floppy/HDD/CD device, or an image that is located in a remote location. Block network traffic to and from the client computer's operating system. Remotely reset a password for a local user account on a group of computers. Remotely start or stop a process on a group of computers. Perform various power operations: start, stop or reboot a group of computers.

See List of available operations on page 44. For more information on how to discover out-of-band capable computers, see http://www.symantec.com/docs/DOC6628.

Managing the power state of computers remotely


You can manage the power state of client computers remotely using WMI, Intel AMT, ASF, IPMI, and DASH technologies. For example, you can turn on the computers before delivering a software package. You can also turn off the computers that have sent critical SNMP alerts to Notification Server. See Automatically turning off computers in critical state on page 15. Note: A graceful Reboot/Reset and Power Off through the WMI is always tried first. If the WMI operation fails, the Power Off, Reboot/Reset, and Restore State actions perform a hard shutdown (losing all unsaved data) through ASF, DASH, IPMI, or Intel AMT. To perform a hard shutdown, the target computers must support and be properly configured to use these technologies. To manage the power state of computers remotely

1 2

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Power Management.

Running one-to-many tasks Managing the power state of computers remotely

13

In the right pane, under Power action, select the power action to execute. Choose from the following actions:
Power On Turns on the target computers using the out-of-band management technology (ASF, DASH, IPMI, or Intel AMT) that the target computers are configured to use. Attempts to turn off the target computer through WMI. If WMI fails, a hard shutdown is performed using one of the out-of-band management technologies. Attempts to restart the target computer through WMI. If WMI fails, a hard reset is performed using one of the out-of-band management technologies. You can use this power action when you include the power management task in a job. You cannot use this power action in a standalone task. This power action lets you restore the power state that you changed by running another power management task earlier in the job. For example, you can run the Power On action, and later in the job, you can run the Restore State action. The latter turns off the computers that were turned off, but the computers that were turned on stay turned on. See Using the Restore State power action on page 14.

Power Off

Reboot/Reset

Restore State

Running one-to-many tasks Using the Restore State power action

14

(Optional) Configure the advanced boot options. The options are as follows:
Lock client keyboard Prevents the users from interacting with the target computer. Prevents the users from turning off and restarting the computer using the buttons that are located on the computer case. Lets you start the computer without the startup password. When the computer starts, it can send the detailed progress PET events to the SNMP server. Use the Update Out-of-Band Alert Settings task to configure the event's destination address. See Updating Intel AMT and DASH alert settings on page 20.

Disable power buttons

Bypass computer's startup password Client's firmware transmits all progress PET events

The availability of these features depends on the hardware that you use.

5 6

Click Save changes. Run the task once or on a schedule. For more information, view the topics about running and scheduling tasks in the Symantec IT Management Suite powered by Altiris technology User Guide. Choose a connection profile that is configured with correct WMI, ASF, DASH, IPMI, or Intel AMT credentials. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.

Using the Restore State power action


The Restore State power action of the Power Management task returns computers to the power state they were in, before the previous power action ran. The Restore State power action lets you run different jobs. For example:

Run the Power On action to turn on computers. After that, run another task. After that, run the Restore State task, to restore the power state of the computers.

Running one-to-many tasks Automatically turning off computers in critical state

15

In this example, if a computer was turned off, the Restore State action turns off the computer. If a computer was turned on, the Restore State action keeps the computer turned on. The Sample Job is an example of the Restore State power action usage in a job. For this power action to work, you must configure the Task Input to use the output from the previous power management task, as shown in the sample job. You can use the Restore State power action only in a job. To use the Restore State power action

1 2 3 4

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand Samples > Real-Time Console Infrastructure > Sample Job. On the Sample Job page, under Jobs/Tasks, click Run "Restore power state". Under Task Input, see how the task input is configured.

Automatically turning off computers in critical state


Using Real-Time Console Infrastructure with Event Console lets you automatically turn off the computers that have sent critical SNMP alerts (for example, the hardware failure alerts) to Notification Server. If the computers support and are properly configured to use any of the out-of-band management technologies, you can remotely turn off the computers even if the computers have failed to load an operating system. See Updating Intel AMT and DASH alert settings on page 20. To automatically turn off computers in critical state

1 2 3 4 5 6 7 8

In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, expand Monitoring and Alerting > Alert Rule Settings. In the right pane, click the Task Rules tab. On the toolbar, click Add. Under Rule, on the toolbar, click Add > Alert protocol. In the Select comparison drop-down list, click equals. In the Enter value drop-down list, click Simple Network Management Protocol. Under Rule, on the toolbar, click Add > Alert severity.

Running one-to-many tasks Collecting and viewing Intel AMT, DASH, and IPMI inventory

16

In the Select comparison drop-down list, click equals.

10 In the Enter value drop-down list, click Critical. 11 Under Task, click New. 12 In the Create New Task dialog box, in the left pane, click Real-Time Console
Infrastructure > Power Management.

13 In the right pane, click Power Off. 14 Click OK. 15 Turn on the task rule.
At the upper right of the page, click the colored circle, and then click On.

16 Click Save.

Collecting and viewing Intel AMT, DASH, and IPMI inventory


You can collect the hardware and the configuration inventory even if the computers are turned off. The inventory is stored in the NVRAM of properly configured Intel AMT and DASH computers. On computers with IPMI, the inventory is obtained from the Baseboard Management Controller. To collect Intel AMT, DASH, or IPMI inventory from a client computer

1 2 3

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, click System Jobs and Tasks > Real-Time Console Infrastructure > Get Out-of-Band Inventory. Run the task once, or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Choose a connection profile that is configured with correct Intel AMT, DASH, or IPMI credentials. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.

Running one-to-many tasks Updating BIOS settings

17

To view the Intel AMT, DASH, or IPMI inventory for a client computer

Open the Resource Manager for a computer by double-clicking on a specific resource that is found in a filter. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.

2 3

On the View menu, click Inventory. In the tree view pane, expand the Real-Time Console Infrastructure folder and select an inventory data class.

You can also view out-of-band inventory from the Reports page. To view Intel AMT, DASH, and IPMI inventory using a report

1 2 3

Click Reports > All reports. In the left pane, click Reports > Remote Management > Real-Time Console Infrastructure > Out-of-band Harware Inventory. In the right pane, on the Out-of-Band Hardware Inventory page, under Parameters, choose the setting for the report that you want to view.

Updating BIOS settings


The Update BIOS settings task lets you remotely view and update the BIOS settings of the target computers that can be managed through the DASH technology. To identify these computers, you must collect the DASH settings inventory. Note: After you update BIOS settings, you must restart the target computers for the settings to take effect. You can combine the BIOS management and power management tasks into a job. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. You can also manage BIOS settings on a single computer in real time. Run the Get Out-of-Band Inventory task. See Collecting and viewing Intel AMT, DASH, and IPMI inventory on page 16. In the Resource Manager, in the Inventory view, expand Real-Time Console Infrastructure > RTCI DASH Registered profile. If the computer supports WS-MAN BIOS Management, the BIOS Management profile is displayed on this page.

Running one-to-many tasks Resetting a local user password on multiple computers

18

To update BIOS settings

1 2 3 4 5 6

In the Symantec Management Console, on the Manage menu, click Jobs and Taks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Update BIOS Settings. Under the Select and configure BIOS settings, add the settings that you want to modify. Click Save changes. Run the task once or on a schedule. Restart the target computers to apply the new BIOS settings. Note: If BIOS is password protected, Symantec recommends, that you create a job that includes the Set Administrator Password task and the Update BIOS settings taks See Managing the power state of computers remotely on page 12.

Resetting a local user password on multiple computers


You can reset the password for a local user on multiple computers at a time. You can also perform this task on a single computer in real time. You can also use Real-Time System Manager to reset the password for a domain user. See Resetting a domain user password on page 41. To reset a local user password on multiple computers

1 2 3 4 5

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Password Management. Type the user name that you want to reset the password for in the following format: COMPUTER\User Type and confirm a new password.

Running one-to-many tasks Managing a process on multiple computers

19

6 7 8

Type the name and password of an administrative user with permissions to manage the specified user account. Click Save changes. Run the task once or on a schedule. FFor more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.

Managing a process on multiple computers


You can run or stop a process on multiple computers at a time. You can also manage processes on a single computer in real time. See About one-to-one real time management on page 27. To manage a process on multiple computers

1 2 3 4

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Process Management. Type the name of the process to run or stop. Example: AeXNSAgent.exe You can also type a full UNC path (Example: \\server\share\AeXNSAgent.exe) as long as you have the authentication infrastructure to support that. This means that either you have no authentication (null session shares) or you have Kerberos with the intermediate computer trusted for delegation, and delegatable credentials for the user.

5 6 7

Select an action. Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.

Running one-to-many tasks Managing a service on multiple computers

20

Managing a service on multiple computers


You can start, stop, restart a service on multiple computers at a time. You can change the startup mode of a service. You can manage services on a single computer in real time. See About one-to-one real time management on page 27. To manage a service on multiple computers

1 2 3 4

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Service Management. Type the name of the service to manage. Example: cisvc

5 6 7

Select an action. Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.

Updating Intel AMT and DASH alert settings


Intel AMT and DASH alerts help you respond to memory faults, temperature issues, hard drive warnings, chassis intrusion, and so forth. These alerts help you fix issues before they become destructive. The Update Out-of-Band Alert Settings task lets you remotely update the Intel AMT and DASH alert settings on properly configured client computers with Intel AMT or DASH. You can configure the following alert settings:

Where to send the alerts. Which alerts to send. Which alerts to log.

You can also run this task on the computers that are turned off.

Running one-to-many tasks Updating Intel AMT and DASH alert settings

21

This task also lets you configure the SNMP traps destination address for computers with ASF. However, this functionality is performed in-band, through the WMI connection. The ASF-capable computer must be turned on with a Microsoft Windows operating system running. To update Intel AMT and DASH alert settings

1 2 3

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Update Out-of-Band Alert Settings. Under Subscription settings, type the SNMP servers IP address. This value is applied to computers with Intel AMT and ASF. By default, the task is configured with the Notification Server computers IP address. In this case, Event Console (a component of Notification Server) accepts and displays the SNMP events that the client computers send. For more information, view topics about alert management in the Altiris Monitor Solution for Servers from Symantec User Guide.

Type the SNMP community string. Example: public

Type the destination URI for DASH alerts. By default, the value is set to the Notification Servers Web service event listener, which is part of the Pluggable Protocol Architecture component:
http://<Notification Server IP>/Altiris/WSEL/wsel.aspx

Currently, DASH does not support sending alerts through an HTTPS connection. If your Notification Server is installed on a secure Web site, configure the wsel.aspx file so that it can be accessed through HTTP.

Select the DASH alerts delivery mode. The options are as follows:
Push The DASH client computer does not verify if the event listener accepted the alert.

Push with acknowledge The DASH client computer verifies if the event listener accepted the alert. If no reply is received from the event listener, the client computer can unsubscribe this particular event filter (vendor dependent).

Running one-to-many tasks Booting multiple computers from a remote location

22

7 8

Under Select and configure event filters, click Add, select the alerts that you want to configure with the task, and then click OK. Under Select and configure event filters, select one or more alerts, and, on the Actions menu, click what you want to do with this alert. The options are as follows:
Subscribe Activates the alert. When the alert triggers, a message is sent to the destination address that you provided in the Subscription settings section. Deactivates the alert, but does not remove it from the memory.

Unsubscribe

Remove from client Removes the alert from the client computers memory and reclaims space.

(Optional) If the client computer does not have enough free space to fit all of the alerts that you configured. To allow partial alert subscription, check Allow partial alert application. and reclaim space before applying new subscriptions, check Remove 3rd party filters and alert subscriptions.

10 (Optional) To remove all previous alert subscriptions from the client computer

11 Click Save Changes. 12 Run the task once or on a schedule.


For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Choose a connection profile that is configured with correct Intel AMT, DASH, or WMI credentials. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Note: Alerts that are marked as critical power down the client computers. You can configure which alerts are considered critical.

Booting multiple computers from a remote location


(Intel AMT, ASF, DASH) You can boot the computers with ASF, DASH, or Intel AMT from a remote disk drive or image.

Running one-to-many tasks Filtering the network traffic on multiple computers

23

You can also perform this task on a single computer in real time. See Booting a computer from remote location using IDE-R on page 33. To boot multiple computers from a remote location

1 2 3 4 5

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Boot Redirection. In the right pane, click a device to boot from. To start the computer from an image, click Browse to navigate to a network share where the image is located. Warning: Do not use an image file that is placed on a CD or a DVD-ROM to start the computer. Use only the images that are stored on local or network hard disk drives.

6 7

Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Warning: If there is already an active IDE-R session, it is terminated when the task runs.

Filtering the network traffic on multiple computers


(Intel AMT only) The Intel AMT network filtering (Circuit Breaker) functionality lets you block network traffic from and to the target computers' operating systems. For example, you can use this feature to isolate infected computers from the network. Note: Network Filtering works only if both the client operating system and Intel AMT network settings are configured to use Dynamic Host Configuration Protocol (DHCP). Some ports stay open when network filtering is active.

Running one-to-many tasks Filtering the network traffic on multiple computers

24

See Network filtering ports and settings on page 62. You can customize the ports that you want to stay open. See Modifying the list of open network filtering ports on page 42. You can also manage network traffic on a single computer in real time. See Blocking network traffic from and to the computer on page 34. To filter the network traffic on multiple computers

1 2 3 4

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Network Filtering. If you want to block network traffic to and from the operating system, do the following:

Click Filter network traffic other than to and from the Notification Server. Choose if you want to use the default solution filtering settings or browse for a custom .xml file. (Optional) To prevent the client computer from sending malicious packets, check Enable anti-spoofing filter. This feature forces the identity verification of outgoing network traffic and drops packets if the computer is suspected of originating malicious attacks that are known as IP spoofing.

(Optional) To protect the client computer from network flooding, click Limit the number of PING packets to, and type the number of packets per second allowed to pass through the Intel AMT network filter. Default: 10 packets per second.

6 7 8

(Optional) To disable network filtering, click Allow all network traffic. Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.

Running one-to-many tasks Updating Intel AMT settings or unconfiguring Intel AMT

25

Updating Intel AMT settings or unconfiguring Intel AMT


You can use the Update Intel AMT Settings task to update the configuration and the network settings of the Intel AMT device on properly configured client computers with Intel AMT. Also, you can use this task to unconfigure the Intel AMT device. To update Intel AMT settings

1 2 3

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Update Intel AMT Settings. Select which of the following Intel AMT features you want to allow:
Web UI You can use this web-based interface for direct remote management and maintenance of Intel AMT devices. When Web UI is enabled, you can access the Intel AMT management console using the following URL: http://<Intel_AMT_computer_name>:16992 (or port 16993 for Intel AMT computers configured in secure mode).

Task progress window and This feature is also known as Serial-over-LAN. It lets you remote control manage an Intel AMT computer remotely by encapsulating keystrokes and character display data in a TCP/IP stream. Redirect to optical/floppy This feature is also known as IDE-Redirection. It remotely drive or image on a server enables, disables, formats, or configures individual floppy or IDE CD drives. It also reloads operating systems and software from remote locations.

Define the network settings as follows:


Respond to ping Check if you want the Intel AMT device to respond to a ping.

Running one-to-many tasks Updating Intel AMT settings or unconfiguring Intel AMT

26

5 6

Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Choose a connection profile that is configured with active Intel AMT credentials. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.

To unconfigure Intel AMT devices

1 2 3

In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Update Intel AMT Settings. Check Unconfigure Intel AMT, and then choose the unconfiguration method and the Intel AMT mode to set after unconfiguration. The options are as follows:
Partial Removes all Intel AMT settings except for administrative user credentials and PID-PPS pairs. After partial unconfiguration is complete, the Intel AMT client computer starts sending configuration requests to the setup and configuration server (Intel SCS). The computer is not available for management through the Intel AMT interface until it is configured again by Intel SCS. Full Removes all settings from the Intel AMT device. You must initialize, set up, and configure the device again. If you click this option, you can also select a Small Business or Enterprise configuration model to set after unconfiguration is complete.

4 5

Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Choose a connection profile that is configured with active Intel AMT credentials. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.

Chapter

Managing resourses one-to-one in real time


This chapter includes the following topics:

About one-to-one real time management Initiating real time connection Turning off, turning on, or restarting a client computer Starting a Keyboard-Video-Mouse (KVM) remote control session Starting a Serial-over-LAN (SOL) remote control session Booting a computer from remote location using IDE-R Blocking network traffic from and to the computer Configuring the Intel AMT device settings Viewing client computer logs Managing BIOS settings Managing the properties of Symantec Management Agent in real time Activating a virtual layer

About one-to-one real time management


Real time one-to-one management allows you to use the full list of remote features available in Real-Time System Manager. For example, you can perform the following one-to-one tasks:

Managing resourses one-to-one in real time Initiating real time connection

28

Take full control of the client computer with active keyboard, display and mouse. View detailed information and audit dynamic proccesses. Manage BIOS settings with console view. Change the NS server that the client computer is assigned to. Manage software virtualization layers.

Real-Time System Manager can connect to the target computer using the following protocols: WMI, ASF, Intel AMT, DASH, SNMP, IPMI. Connection protocols define which features are available. See List of available operations on page 44. Setting up the connection profiles and credentials: http://www.symantec.com/docs/HOWTO62827. With Real-Time System Manager, you can manage computers in-band and out-of-band. Out-of-band means that computer is not turned on or the operating system is not running. You can manage a computer in such state if the client computer has AMT, ASF, DASH, or IPMI technology present and is configured for out-of-band management. For more information on how to discover out-of-band capable computers, see http://www.symantec.com/docs/DOC6628.

Initiating real time connection


There are three different ways to initiate a real time connection to a client computer that you want to manage. You can open a management session in a pop-up dialog box, while maintaining your current position in the Symantec Management Console. To connect to a client computer using a pop-up dialog box

1 2

In the Symantec Management Console, on the Actions menu, click Remote Management > Real-Time Management. On the Real-Time Management page, type the host name or the IP of the computer that you want to connect to, and then click Connect.

You can use the Real-Time System Manager Portal, that also displays the portal actions that are available to you before establishing a real time connection. See Additional functionality and portal actions available in Real-Time System Manager on page 41.

Managing resourses one-to-one in real time Turning off, turning on, or restarting a client computer

29

To connect using the Real-Time System Manager Portal

1 2

In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. On the Real-Time System Manager Portal page, in the Manage Web Part, in the Computer text box, type the IP address or the name of the computer that you want to manage, and then click Connect.

You can initiate a real time connection to a client computer from any resource list in the Symantec Management Console. To initiate real time connection from a resources list

1 2

Open a list of computer resources. Right-click the computer resource, click Remote Management, and then click one of the following:

Manage Manage Power State and Redirection See Turning off, turning on, or restarting a client computer on page 29. Manage Users Port check See Running the port check on page 42. Trace Route

Turning off, turning on, or restarting a client computer


You can view the power state of a remote computer, and then turn off, turn on, or restart the client computer remotely. Note: The availability of power commands depends on the current power state and the technologies (WMI, ASF, Intel AMT, DASH, IPMI) that are available on the target computer. For example, WMI power management is limited to Reboot and Power off commands and can be performed on a computer with a running operating system. This limitation is because WMI is an in-band functionality. For client computers with properly configured out-of-band technologies, you can configure the Redirection options before restarting or turning on the client computer.

Managing resourses one-to-one in real time Starting a Keyboard-Video-Mouse (KVM) remote control session

30

Turning off, turning on, or restarting a client computer

Connect to the client computer, that you want to manage. See Initiating real time connection on page 28.

In the navigation pane, under Real-Time Consoles, expand Real-Time System Manager > Management Operations > Manage Power State and Redirection. In the right pane, on the Manage Power State and Redirection page, under Remote power management, select a power action. (Optional) To perform a graceful restart or shutdown through WMI, check Allow user to save data before power operation. If the WMI operation fails, the hard shutdown of the target computer is performed out-of-band using ASF, DASH, Intel AMT, or IPMI. The hard shutdown is possible if any of these technologies are supported and properly configured on the target computer.

3 4

Click Run task now.

Starting a Keyboard-Video-Mouse (KVM) remote control session


Keyboard-Video-Mouse remote control lets you access any client computer and manage it in-band or out-of-band. This type of remote control does not depend on any features of the operating system, it is fully hardware-based and it can bypass virus protection firewall. It lets you troubleshoot a client computer remotely, with full access to video and input devices. To initiate a remote control session, the client computer user must provide to the administrator a six-digit code, that pops up once a remote control session is requested. Client computer user is always aware of an active remote control session by a specific icon in the corner of the screen. If the operating system of the client computer is down, the booting process can be redirected to an external location or a network drive. The prerequisites for using remote control are the following:

Intel vPro Technology (Intel AMT), version 6 or later Integrated Intel video adapter Power cable plugged in Network cable plugged in

Managing resourses one-to-one in real time Starting a Serial-over-LAN (SOL) remote control session

31

Current IP address of the computer that you want to manage WS-MAN protocol (DASH + AMT profile and credentials)

Note: You can remotely access a client computer with Intel AMT below version 6 using Intel AMT feature Serial-over-LAN (SOL).See Starting a Serial-over-LAN (SOL) remote control session on page 31. You must configure the client computer for management. Ensure that remote control sessions are allowed on the client computer. To start a KVM remote control session

1 2

In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. On the Real-Time System Manager Portal page, in the Manage Web part, in the Computer text box, type the IP address of the computer that you want to manage, and then click Connect. On the Resource Manager page, in the right pane, under Supported protocols, click Default Connection Profile. In the Select connection profile dialog box, enable AMT and DASH profiles, and then click OK. For more information on setting up the connection profiles and credentials, see: http://www.symantec.com/docs/HOWTO62827

3 4

5 6

In the navigation pane, under Real-Time Consoles, expand Real-Time System Manager > Management Operations, and then click Remote Control. In the right pane, under Remote control options, click Start Remote Control.

To avoid problems with service keys, a virtual keyboard with F-service keys is available under the screen. Note: If you want to reboot the client computer during a wireless KVM remote control session, click Switch to Me before you reboot the client computer to keep the session active. After the operation system on the client computer reboots, click Switch to Host to restore the wireless connection on the client computer.

Starting a Serial-over-LAN (SOL) remote control session


(Intel AMT only)

Managing resourses one-to-one in real time Starting a Serial-over-LAN (SOL) remote control session

32

The Intel AMT feature Serial-over-LAN (SOL) redirects the remote computer's screen text output to a virtual serial port that Real-Time System Manager can read and display in the Symantec Management Console. For example, this feature lets you access the remote computer's BIOS using the remote terminal window and change BIOS settings, or watch the boot process. To use this feature with the Intel AMT client computers that are configured in secure mode, their Fully Qualified Domain Name (FQDN) must be resolved correctly on the Notification Server computer. Also, you must configure the connection profile to use the right certificates for authentication. If the SOL session cannot start, make sure that the Intel AMT device is configured to allow this functionality. See Configuring the Intel AMT device settings on page 35. To start a SOL remote control session

Connect to the client computer that you want to manage. See Initiating real time connection on page 28.

In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Management Operations > Manage Power State and Redirection. To create a new SOL session after you turn on the target computer, in the right pane, under Redirection options, check Display task progress and remotely control computer. Note that, if the session is closed from the client side (for example, the computer is restarted locally), the Remote Control Terminal is not closed automatically. In this case, you must close the terminal window manually. Note: Boot redirection to local devices (PXE server, CD-ROM, local HDD) is not supported during a SOL remote control session. You can only redirect the boot to a remote device (CD or floppy image, remote CD-ROM, or to a server).

Warning: If there is already an active SOL session, it is terminated when the task runs.

Managing resourses one-to-one in real time Booting a computer from remote location using IDE-R

33

(Optional) To change the BIOS settings remotely during the SOL session, check Enter BIOS on startup. Note that, when you exit the BIOS on the client computer, the client computer stops sending the information to the terminal. However, the Remote Control Terminal windows is not closed automatically. In this case, you must close the terminal window manually.

Turn on or restart the computer. See Turning off, turning on, or restarting a client computer on page 29.

To view the details of an active SOL session

1 2 3

On the Manage Power State and Redirection page, click Details. (Optional) To disconnect an active SOL session, in the Redirection Details dialog box, click Stop remote control. Click Close.

Booting a computer from remote location using IDE-R


(Intel AMT, ASF, DASH) The IDE-R feature of Intel AMT, ASF, and DASH technologies lets you boot the target computer from a remote disk drive or image. This feature lets you diagnose and fix the operating system problems. To use this feature with the Intel AMT client computers that are configured in secure mode, their Fully Qualified Domain Name (FQDN) must be resolved correctly on the Notification Server computer. Also, you must configure the connection profile to use the right certificates for authentication. If the IDE-R session cannot start, make sure that the Intel AMT device is configured to allow this functionality. See Configuring the Intel AMT device settings on page 35. You can also run this task on multiple computers, immediately or on a schedule. See Booting multiple computers from a remote location on page 22. To start an IDE-R session

Connect to the client computer you want to manage. See Initiating real time connection on page 28.

In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Management Operations > Manage Power State and Redirection.

Managing resourses one-to-one in real time Blocking network traffic from and to the computer

34

In the right pane, on the Manage Power State and Redirection page, under Redirection options, check Perform boot from, and then, in the drop-down menu, click the device to boot from. Warning: If there is already an active IDE-R session, it is terminated when the task runs.

To start the computer from an image, on the right, click Browse to navigate to a network share where the image is located. Warning: Do not use an image file that is placed on a CD or a DVD-ROM to start the computer. Use only the images that are stored on local or network hard disk drives.

Turn on or restart the computer. See Turning off, turning on, or restarting a client computer on page 29.

To view details of active IDE-R session

1 2 3

On the Manage Power State and Redirection page, under Redirection options, click Details. (Optional) To disconnect a boot device, in the Redirection Details dialog box, click Stop redirection. Click Close.

Blocking network traffic from and to the computer


(Intel AMT only) The network filtering (Circuit Breaker) functionality on Intel AMT lets you block network traffic from and to the target computer's operating system. For example, you can use this feature to isolate an infected computer from the network. Note: Network filtering works only if both client operating system and Intel AMT network settings are configured to use Dynamic Host Configuration Protocol (DHCP).

Note: Some ports stay open when network filtering is active. See Network filtering ports and settings on page 62.

Managing resourses one-to-one in real time Configuring the Intel AMT device settings

35

You can also run this task on multiple computers, immediately or on a schedule. See Filtering the network traffic on multiple computers on page 23. To block network traffic from and to the computer

Connect to the client computer that you want to manage. See Initiating real time connection on page 28.

2 3 4

In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Networking > Intel AMT Network Filtering. In the right pane, under Intel AMT Network Filtering, select Filter network traffic other than to and from the Notification Server. (Optional) To prevent the target computer from sending malicious packets, check Enable anti-spoofing filter. This feature forces the identity verification of outgoing network traffic and drops packets if the computer is suspected of originating malicious attacks that are known as IP spoofing.

Click Save changes.

To protect the target computer from network flooding

Connect to the client computer that you want to manage. See Initiating real time connection on page 28.

2 3

In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Networking > Intel AMT Network Filtering. In the right pane, under Intel AMT Network Filtering, select Limit the number of PING packets to, and then type the number of packets per second, that are allowed to pass through the Intel vPro network filter. The default setting is packets per second.

Click Save changes.

Configuring the Intel AMT device settings


(Intel AMT only) You can allow or forbid SOL and IDE-R sessions. You can configure Intel AMT power-saving settings.

Managing resourses one-to-one in real time Viewing client computer logs

36

To allow SOL and IDE-R sessions

Connect to the client computer that you want to manage. See Initiating real time connection on page 28.

2 3 4

In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Configuration > Intel AMT Settings. To allow the target computer to start SOL sessions, in the right pane, under Allow following settings, check Task progress window and remote control. To allow the target computer to start IDE-R sessions, in the right pane, under Allow following settings,check Redirect to optical/floppy drive or image on a server. Click Save Changes.

To change the Intel AMT power-saving settings

Connect to the client computer that you want to manage. See Initiating real time connection on page 28.

2 3

In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Configuration > Intel AMT Settings. To allow the Intel AMT device to enter sleep state, in the right pane, under Allow following settings, check Use Manageability Engine's power saving mode after, and then type the timeout value. Example: 5 minutes.

Click Save Changes.

See Starting a Serial-over-LAN (SOL) remote control session on page 31. See Booting a computer from remote location using IDE-R on page 33.

Viewing client computer logs


You can view the client computer events logs.

Windows event logs (application, security and system logs) Intel AMT log Symantec Management Agent diagnostic log See Managing the properties of Symantec Management Agent in real time on page 38.

Managing resourses one-to-one in real time Managing BIOS settings

37

To view Windows Application Log

Connect to the client computer, that you want to see the Application Log for. See Initiating real time connection on page 28.

2 3

In the Navigation pane, expand Real-Time Consoles > Real-Time System Manager > Event Logs > Application Log. In the right pane, view the application log information. Note: By default, only error type of events are viewed in the list. To change the parameters, on the Appliction Log page, double-click Event filters, and apply new filters.

To view the Intel AMT log

Connect to the client computer, that you want to see the AMT Log for. See Initiating real time connection on page 28.

Click Real-Time System Manager > Event Logs > Intel AMT Event Log.

Managing BIOS settings


(Broadcom DASH only) You can use the Manage BIOS Settings page to remotely view and update the BIOS settings of the target computers that are capable of BIOS management through the DASH technology. To identify these computers, you must collect the DASH settings inventory. To check if the functionality is supported by the client computer

1 2

In the Resource Manager, in the Inventory view, expand Real-Time Console Infrastructure > RTCI DASH Registered profile. If BIOS Management profile is displayed on this page, then the client computer supports WS-MAN BIOS Management.

You can also run this task on multiple computers, immediately or on a schedule. See Updating BIOS settings on page 17.

Managing resourses one-to-one in real time Managing the properties of Symantec Management Agent in real time

38

To update BIOS settings

Connect to the client computer that you want to manage. See Initiating real time connection on page 28.

2 3

In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Management Operations > Manage BIOS Settings. In the right pane, on the Manage BIOS Settings page, under Available BIOS settings, configure BIOS settings. If BIOS is protected by administrator or system passwords, specify the passwords.

4 5

Click Save changes. Restart the client computer for the new settings to take effect. See Turning off, turning on, or restarting a client computer on page 29. If you have a system password set on the target computer, on the Manage Power State and Redirection page, check Bypass computer's startup password, and then restart the computer using ASF protocol.

Managing the properties of Symantec Management Agent in real time


To manage Symantec Management Agent properties using Real-Time System Manager, you must connect to a client computer with a WMI profile and credentials. To manage the properties of Symantec Management Agent in real time

1 2

In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. On the Real-Time System Manager Portal page, in the Manage Web part, in the Computer text box, type the IP address of the computer, that you want to manage, and then click Connect. On the Resource Manager page, in the right pane, under Supported protocols, click Default Connection Profile.

Managing resourses one-to-one in real time Activating a virtual layer

39

In the Select connection profile dialog box, choose the WMI profile, and then click OK. For more information on setting up the connection profiles and credentials see: http://www.symantec.com/docs/HOWTO62827

In the navigation pane, under Real-Time Consoles, expand Real-Time System Manager > Software > Symantec Management Agent, and then click one of the following management or audit nodes.
Diagnostic Log View and filter Symantec Management Agent logs. You can filter by severity, or view all entries: errors, warnings, and information. Diagnostic log can be exported into a file. View, turn on/off the maintenance windows on the client computer. View the full list of plug-ins that are installed on the client computer.

Maintenance Windows

Registered Plug-ins

Settings

Assign the client computer to a different Notification Server. Force an update for Symantec Management Agent. Force a collection of basic inventory. Enable diagnostics.

Tasks

Review the tasks that are currently running on the client computer.

Activating a virtual layer


Software Virtualization Solution only virtualizes the application environment, not the complete PC. It installs the Altiris Software Virtualization Agent that provides false information to the host operating system. The operating system works as if it is running a normal application, while in fact the associated file and registry calls are redirected to a newly created virtual layer, where the application actually resides. You can install several applications into the same layer, or configure them separately in their own individual environments, to avoid any potential conflicts. The initial layer, that is created when the application is installed is read-only, so it cannot be corrupted. A separate associated editable layer holds the program data, configuration files, etc. After you delete that information, the application returns to its initial condition. After you install Software Virtualization Solution and create layers, you can manage existing layers using Real-Time System Manager.

Managing resourses one-to-one in real time Activating a virtual layer

40

For more information about the requirements, installation, and configuration of Software Virtualization Solution, see Altiris Software Virtualization Solution Reference Guide. http://www.symantec.com/docs/DOC1655 The prerequisites for managing virtual layers in real time are as follows:

Connection to the client computer with a WMI profile and credentials Software Virtualization Solution installed in a mode that provides WMI classes

Real-Time System Manager lets you:


Activate and deactivate existing layers Enable layers to start automatically after the boot of the client computer Reset layers Remove existing layers View details for existing layers

To activate a virtual layer

1 2

In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. On the Real-Time System Manager Portal page, in the Manage Web part, in the Computer text box, type the IP address of the computer, that you want to manage, and then click Connect. On the Resource Manager page, in the right pane, under Supported protocols, click Default Connection Profile. In the Select connection profile dialog box, activate the WMI profile, and then click OK. For more information on setting up the connection profiles and credentials see: http://www.symantec.com/docs/HOWTO62827

3 4

5 6

In the navigation panel, under Real-Time Consoles, expand Real-Time System Manager > Software > Manage Virtual Layers. In the right pane, click the layer in the list, that you need to activate, and then, on the toolbar, click Activate. On the toolbar, to allow or deny the layer to start automatically after the restart of the operation system on the client computer, click Auto or Manual.

Chapter

Additional functionality
This chapter includes the following topics:

Additional functionality and portal actions available in Real-Time System Manager Resetting a domain user password Running the port check Configuring the port check settings Modifying the list of open network filtering ports Adding or removing custom views

Additional functionality and portal actions available in Real-Time System Manager


Additional functionality and customization capabilities are available in Real-Time System Manager.

Resetting a domain user password


You can reset a domain user password. To reset a domain user password

1 2 3

In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. In the Tools Web part, click Reset Domain Password. In the Reset Domain Password dialog box, fill in the required fields, and then click OK.

Additional functionality Running the port check

42

You can also reset user passwords on multiple computers. See Resetting a local user password on multiple computers on page 18.

Running the port check


The Port Check tool lets you detect which ports are open on the target computer. You can run the Port Check tool from a computer filter. See Configuring the port check settings on page 42. To run the port check

1 2

In the Symantec Management Console, on the Manage menu, click Filters. In the left pane, select a filter. For example, click Computer Filters > All Computers.

In the right pane, right-click on a computer resource, and then click Remote Management > Port check.

Configuring the port check settings


Real-Time Console Infrastructure includes a Port Check tool. This tool lets you detect which ports are open on the target computer. You can run the Port Check tool from a computer filter. See Running the port check on page 42. You can configure the port check settings that the Port Check tool uses. For example, you can configure which ports to check. To configure port check settings

1 2 3 4 5

In the Symantec Management Console, click Home > Remote Management > Real-Time System Manager Portal. In the left pane, click Port Check. On the Port Check page, click Configure Ports. On the Modify Ports page, add or remove ports to check. Click OK.

Modifying the list of open network filtering ports


You can modify the list of ports to keep open when network filtering is active on the Network Filters page.

Additional functionality Adding or removing custom views

43

See Network filtering ports and settings on page 62. See Blocking network traffic from and to the computer on page 34. See Filtering the network traffic on multiple computers on page 23. To modify the list of open network filtering ports

1 2 3

In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Real-Time System Manager > Network Filters. Modify the filters.

Adding or removing custom views


You can add or remove custom views, which appear in the Resource Manager's Real-Time view. For example, you can add the Linux OpenWSMan view, which is included in Real-Time Console Infrastructure. The location of the custom view file is C:\Program
Files\Altiris\RTCI\Web\Samples\Linux-Demo.config

For more information on how to configure the Linux OpenWSMan sample view, see http://www.symantec.com/docs/HOWTO10140. To add or remove a custom view

1 2 3

In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Real-Time Console Infrastructure > Manage Custom Views. On the Manage Custom Views page, add or remove a view.

Appendix

List of available operations


This appendix includes the following topics:

List of available operations Managements processes Audit Nodes Information Nodes

List of available operations


By default, all of the actions in Real-Time System Manager and Real-Time Console Infrastructure are available in-band and one-on-one, with a few exceptions that are marked in the footnotes. Actions that are available out-of-band or as one-to-many tasks are marked with X-s in corresponding columns. Nodes are divided into 3 groups: management processes, audit and information sections. Information nodes provide constant data about client computers. Audit nodes allow you to track variable information about client computers in real time.

Managements processes
Table A-1 Available Data
Manage Local Users and Groups Manage Printers Manage Processes

Management Operations Technical Requirements


WMI WMI WMI

O u t o f b a n d 1-to-many
x x

List of available operations Managements processes

45

Table A-1 Available Data


Manage Services Manage Alerts Remote Control

Management Operations (continued) Technical Requirements


WMI AMT or DASH Media redirection Remote control * AMT DASH x x x

O u t o f b a n d 1-to-many
x x -

Manage Power State and Redirection

Basic Power Operations

Power Up Power Down Restart WMI or AMT or DASH or IPMI x x

Advanced Power Options

Bypass boot password AMT Lock Keyboard AMT AMT AMT or ASF AMT DASH x x x x x x x x x x

Console Terminal Redirection (SOL) BIOS Management with SOL Local media redirection Remote media redirection BIOS Management **

* Remote control is currently supported only on Intel AMT clients with AMT version 6+ and Intel integrated Video Adapter. ** To use BIOS Management under DASH, client computer must support BIOS Management DASH Profile. Table A-2 Available Data
Intel AMT Configuration Mode Intel AMT Settings Unconfigure Intel AMT Device

Configuration Technical Requirements


AMT

O u t o f b a n d 1-to-many
x x

AMT

List of available operations Managements processes

46

Table A-2 Available Data


Intel Remote Access Policy

Configuration (continued) Technical Requirements


AMT

O u t o f b a n d 1-to-many
x

Table A-3 Available Data


Diagnostic Log * Maintenance Windows * Registered Plug-ins * Settings * Tasks * Software Virtualization Layers ** Details Activate

Software Technical Requirements


WMI WMI WMI WMI WMI WMI

Deactivate Reset Auto or Manual Remove

* Symantec Agent must be installed. ** Requires Symantec Workspace Virtualization Agent with Admin Tools.

List of available operations Audit Nodes

47

Audit Nodes
Table A-4 Available Data
Basic Information Computer name Primary owner name Currently logged in user Domain Operation system Product Version CPU Information Name Current/max speed Load percentage Memory Usage Virtual Physical Committed Page file @ C Disk Usage Capacity Used Free File system Network Connectivity Security

Summary Technical Requirements


WMI or AMT or DASH WMI WMI WMI WMI AMT WMI WMI or AMT WMI or AMT or DASH WMI WMI or AMT or DASH WMI or AMT or DASH WMI WMI WMI or AMT WMI WMI WMI WMI or AMT WMI x x x

O u t o f b a n d
x

List of available operations Information Nodes

48

Table A-5 Available Data


Application Log Security Log System Log Directory Service Log * DNS Server Log * File Replication Service Log * System Event Log Intel AMT Event Log

Event Logs Technical Requirements


WMI WMI WMI WMI WMI WMI IPMI AMT x x

O u t o f b a n d

* This log is only available for clients that are Domain Controllers.

Information Nodes
Information nodes are mostly available as in-band one-on-one actions, exceptions are marked in the footnotes. In some cases it is possible to modify the settings from the Detailed view of some of the information nodes.

List of available operations Information Nodes

49

Table A-6 Nodes


Operating System

Information nodes (static) Available Data


Local Time

Technical Requirements
WMI

O u t o f b a n d 1-to-many

Operating System WMI Page File Settings WMI Printing Job Proxy Server Quick-Fix Engineering Registry Registry Share Terminal Server Input and Output Devices Keyboard Modem Monitor Pointing Device Printer Video Adapter Controllers and Ports IDE Controller Parallel Port Serial Port USB Controller SCSI Controller USB Hub WMI WMI WMI

WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI

List of available operations Information Nodes

50

Table A-6 Nodes


Physical System

Information nodes (static) (continued) Available Data Technical Requirements O u t o f b a n d 1-to-many


x

Agent Watchdogs AMT Battery BIOS AMT WMI or AMT or IPMI

Computer System WMI or AMT or x DASH or SNMP or IPMI DASH Registered DASH Profiles DASH Software Physical System Fan DASH DASH

Field Replaceable AMT or DASH Unit Motherboard Device Power Supply Processor WMI or AMT or DASH or IPMI DASH WMI or AMT or DASH DASH or IPMI WMI WMI WMI or DASH WMI x x

Sensors SMBIOS Sound Device Memory Cache Memory Logical Memory Configuration Physical Memory Mass Storage Disk Drive Logical Drive Media Device

WMI or DASH WMI and AMT WMI WMI

x x

List of available operations Information Nodes

51

Table A-6 Nodes


Networking

Information nodes (static) (continued) Available Data


IP Route Table Network Adapter Network Adapter Configuration Network Connection

Technical Requirements
WMI and SNMP WMI and SNMP WMI or AMT or SNMP or IPMI WMI

O u t o f b a n d 1-to-many

Server Connection WMI Server Session WMI x x

Intel Filter AMT AMT network Network traffic Filtering Export AMT filtering settings Intel AMT Network Settings Wireless Profile

Appendix

Troubleshooting
This appendix includes the following topics:

Troubleshooting Real-Time System Manager connection

Troubleshooting Real-Time System Manager connection


Listed bellow are some of the reasons why Real-Time System Manager cannot establish a real time connection.

Troubleshooting Troubleshooting Real-Time System Manager connection

53

Table B-1

Possible reasons of real time connection errors

Technology Possible reasons


WMI The connection credentials are incorrect. The computer is turned off . The operating system is not loaded. The computer is not connected to the network. The firewall does not allow incoming WMI connections. See Configuring the firewall to allow WMI connection on page 54. Simple file sharing is enabled. See Disabling simple file sharing on Windows XP SP2 on page 57. User Access Control is turned on. See Configuring User Access Control on Windows Vista or later versions of Windows on page 58. You are connecting to Microsoft Windows Home (Basic) editions, where WMI remote connection is not available. You are connecting with a user that has an empty password. ASF The connection credentials are incorrect. ASF is turned on in the BIOS but not configured. ASF is turned off in the BIOS. The computer is not connected to the network. The target computer is not ASF capable. Intel AMT The connection credentials are incorrect. The Intel AMT device is not configured. The Intel AMT device is in secure mode, but the connection profile is not configured to use the correct certificates, and vice versa. For more information on configuring connection profiles, see the Symantec IT Management Suite powered by Altiris technology User Guide. Intel AMT is turned off in the BIOS. The computer is not connected to the network. The computer is not Intel AMT capable.

Troubleshooting Troubleshooting Real-Time System Manager connection

54

Table B-1

Possible reasons of real time connection errors (continued)

Technology Possible reasons


DASH The connection credentials are incorrect. DASH is turned on in the BIOS but not configured. DASH is turned off in the BIOS. The computer is not connected to the network. The target computer is not DASH capable. IPMI The connection credentials are incorrect. The IPMI device is not configured. The IPMI device is in secure mode, but the connection profile is not configured to use the correct certificates. IPMI is turned off in the BIOS. The computer is not connected to the network. The target computer is not IPMI capable. SNMP The SNMP community string is incorrect. SNMP is not installed on the target computer. The SNMP service is not running on the target computer. The Notification Server computer is not in the list of hosts to accept the SNMP packets from. Check SNMP service properties.

Configuring the firewall to allow WMI connection


WMI connection through the Real-Time view can fail when you try to connect to a computer with Microsoft Windows XP Service Pack 2, Windows Vista, or Windows 7 operating system. This issue can occur when the default configuration of the Windows Firewall program blocks incoming network traffic for Windows Management Instrumentation (WMI) connection. For the connection to succeed, the remote computer must permit incoming network traffic on TCP ports 135, 445, and additional dynamically-assigned ports, typically in the range of 1024 to 1034. You can resolve this issue in one of the following ways:

Configure the firewall on the computer that you want to connect to. See Configuring the firewall on a single computer on page 55. Configure the firewall on all computers in the domain using a group policy.

Troubleshooting Troubleshooting Real-Time System Manager connection

55

See Configuring the firewall on multiple domain computers with a group policy on page 56.

Temporarily disable the firewall.

See Troubleshooting Real-Time System Manager connection on page 52.

Configuring the firewall on a single computer


You can configure the firewall using the computers local settings. See Configuring the firewall to allow WMI connection on page 54. To configure the firewall on Windows XP SP2

1 2 3

Log on to the target computer as the administrator. Click Start > Run, in the Open field, type gpedit.msc, and then click OK. In the Group Policy window, expand Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall, and the click one of the following:

If the computer is in a domain, click Domain Profile. If the computer is not in a domain, click Standard Profile.

In the right pane, double-click Windows Firewall: Allow remote administration exception, in the Windows firewall dialog box, select Enable, and then click OK.

To configure the firewall on Windows Vista

1 2 3

Log on to the target computer as the administrator. From the Control Panel, open the Windows Firewall Settings dialog box. On the Exceptions tab, check Windows Management Instrumentation (WMI).

To configure the firewall on Windows 7

1 2 3 4

Log on to the target computer as the administrator. From the Control Panel, locate and open the Windows Firewall configuration dialog box. In the left pane, click Allow a program or feature through Windows Firewall. Check Windows Management Instrumentation (WMI).

Troubleshooting Troubleshooting Real-Time System Manager connection

56

Configuring the firewall on multiple domain computers with a group policy


Before you start the firewall configuration, ensure sure that all the computers that you want to manage with this policy are in the same organizational unit. For more information about how to use a group policy, visit the following Microsoft Web site: http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx These steps assume that Windows Firewall is configured to use the domain profile. The domain profile is the most typical scenario. For more information about Windows Firewall profiles and about how Windows selects the profile to load, see the Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 guide. For more information, visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?FamilyID= 4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en See Configuring the firewall to allow WMI connection on page 54. To configure the firewall on multiple domain computers with a group policy

Create a group policy object for the organizational unit that contains the Windows XP SP2 computers that you want to manage:

Log on to a domain controller. Click Start > Run, type dsa.msc in the Open dialog box, and then click OK. Expand your domain, right-click the organizational unit in which you want to create the group policy, and then click Properties. On the Group Policy tab, click New. Type a name for the group policy object, and then press Enter. Click Close.

Log on to a domain-member computer that is running Windows XP SP2. Log on with a user account that is a member of one or more of the following security groups:

Domain Admins Enterprise Admins Group Policy Creator Owners

Click Start > Run, in the Open field, type mmc, and then click OK.

Troubleshooting Troubleshooting Real-Time System Manager connection

57

4 5 6 7 8

On the File menu, click Add/Remove Snap-in. On the Standalone tab, click Add. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add. In the Select Group Policy Object dialog box, click Browse. Click the group policy object that you want to update with the new Windows Firewall settings. For example, click the organizational unit that contains the Windows XP SP2 computers, click OK, and then click the group policy object that you created in step 1.

Click OK, and then click Finish.

10 Click Close, and then click OK. 11 Under Console Root, expand the group policy object that you selected in step
8, and then click Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

12 In the right pane, double-click Windows Firewall: Allow remote


administration exception.

13 Click Enabled, and then specify the administrative scope in the Allow
unsolicited incoming messages from dialog box. For example, to permit remote administration from a particular IP address, type that IP address in the Allow unsolicited incoming messages from dialog box. To permit remote administration from a particular subnet, type that subnet by using the Classless Internet Domain Routing (CIDR) format. In this scenario, type 192.168.1.0/24 to specify the network 192.168.1.0 with a 24-bit subnet mask of 255.255.255.0. For more information on how to specify a valid administrative scope, see the Syntax area of the Setting tab in this policy.

14 Click OK, and then on the File menu, click Exit .

Disabling simple file sharing on Windows XP SP2


The ForceGuest option that is enabled by default on all Windows XP computers that are members of a workgroup (in contrast to domain members). All users who log onto such computers over the network are forced to use the Guest account. This is limitation is Windows XP specific. See Troubleshooting Real-Time System Manager connection on page 52.

Troubleshooting Troubleshooting Real-Time System Manager connection

58

To disable simple file sharing on Windows XP SP2

Do one of the following steps:

Open Control Panel, double-click Folder Options, and on the View tab, uncheck Use simple file sharing. Click OK. On the client computer, in the Windows registry, set the ForceGuest DWORD value equal to 0 (zero) under the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] key. For more information, see Microsoft knowledge base articles : http://support.microsoft.com/default.aspx?scid=KB;EN-US;180548 http://support.microsoft.com/default.aspx?scid=kb;en-us;290403

Configuring User Access Control on Windows Vista or later versions of Windows


You must turn off the User Access Control (UAC) on non-domain computers if you want to install the Symantec Management Agent to those computers and manage the computers remotely through WMI. For more information, see Microsoft article http://technet.microsoft.com/en-us/ windowsvista/aa905108.aspx. See Troubleshooting Real-Time System Manager connection on page 52. To configure User Access Control on Windows Vista

1 2 3 4

On the client computer with the Microsoft Windows Vista operating system, open the Control Panel. Double-click User Accounts. In the User Accounts dialog box, click Turn User Account Control on or off. Uncheck Use User Account Control (UAC) to help protect your computer, and then click OK.

To configure User Access Control on Windows 7

1 2 3 4

On the client computer with the Microsoft Windows 7 operating system, open the Control Panel. Click User Accounts. Click Change User Account Control settings. Move the slider to Never notify, and then click OK.

Appendix

Technical Reference
This appendix includes the following topics:

Ports used by Real-Time System Manager How authentication works About changes in default system security Network filtering ports and settings Power management and redirection capabilities

Ports used by Real-Time System Manager


The following table lists the ports that are used for communication by Real-Time System Manager, Symantec Management Platform, and the Symantec Management Console. You can use the table to configure the firewall between your console, server, and managed computers as needed. See Configuring the firewall to allow WMI connection on page 54. Table C-1 Protocol
TCP

Ports used by Real-Time System Manager Port


80

Description

Direction

Binding
Symantec Management Console Symantec Management Platform Symantec Management Console Symantec Management Platform

WWW (HTTP) both

TCP

389

LDAP

both

Technical Reference Ports used by Real-Time System Manager

60

Table C-1 Protocol


TCP/UDP

Ports used by Real-Time System Manager (continued) Port


443

Description

Direction

Binding
Symantec Management Console Symantec Management Platform Symantec Management Platform managed computer Symantec Management Platform managed computer Symantec Management Platform managed computer Symantec Management Platform managed computer Real-Time System Manager managed computer Real-Time System Manager managed computer Real-Time System Manager managed computer

(optional) SSL both (HTTPS)

TCP/UDP

Echo (ICMP)

both

TCP/UDP

135

DCE endpoint both resolution

TCP/UDP

445

Microsoft-DS

both

TCP/UDP

>1024

RPC

both

UDP

161

SNMP

both

UDP

162

SNMP trap

both

UDP

623

Non-secure both ASF and IPMI connection port Secure ASF and IPMI connection port Non-secure DASH connection port both

UDP

664

Real-Time System Manager managed computer

TCP/UDP

623

both

Real-Time System Manager managed computer

TCP

664

Secure DASH both connection port

Real-Time System Manager managed computer

Technical Reference How authentication works

61

Table C-1 Protocol


TCP

Ports used by Real-Time System Manager (continued) Port


16992

Description
Non-secure Intel AMT connection port Secure Intel AMT connection port

Direction
both

Binding
Real-Time System Manager managed computer

TCP

16993

both

Real-Time System Manager managed computer

TCP

16994

Non-secure both Intel AMT remote control port (SOL/IDE-R) Secure Intel AMT remote control port (SOL/IDE-R) both

Real-Time System Manager managed computer

TCP

16995

Real-Time System Manager managed computer

How authentication works


Authentication accurs on the Notification Server computer where Real-Time System Manager is installed. When you use Real-Time System Manager, the following authentication points apply:

When you try to access the Symantec Management Console or the Resource Manager page, Notification Server verifies that the user has the rights to access Real-Time System Manager. You can access the console either as a user who is interactively logged on to the Notification Server computer or as a user who is connected to the Notification Server computer remotely through a browser. In case of an interactively logged on user, the Windows logon information is passed to Notification Server. When a computer is managed locally from a target computer, the Internet Explorer credentials are used. By default, Real-Time System Manager uses the Notification Server Application Identity credentials (WMI Credential for Default Connection Profile) to connect to remote computers. If the Notification Server Application Identity account has no administrator rights to access the remote computer, the connection fails. Create a new connection profile with correct credentials.

Technical Reference About changes in default system security

62

Once successfully authenticated, Real-Time System Manager administrative-user credentials are used as administrative credentials for all WMI commands until the Resource Manager page is closed. The Notification Server computer and the target computer can be on different domains. In this case, you must specify the user in the form of "domain\username" in the connection profile. This is not true for the following cases:

If there is a trust relationship between domains that ensures that users from the Notification Server domain have a sufficient privilege level (on the target Real-Time System Manager host) that WMI requires. If the target computer has a local account (with sufficient WMI rights) with the user name and password identical to the user whose credentials were used to access Real-Time System Manager.

About changes in default system security


During installation and setup of Real-Time System Manager, the access list for the Windows_Folder\Temp directory is changed as follows:

The IIS_WPG (SERVER_NAME\IIS_WPG) group is added with full control for the folder, subfolder, and files. The ASP.NET computer account (SERVER_NAME\ASPNET) user is added with full control for the folder, subfolder, and files.

Network filtering ports and settings


To allow communication with the Notification Server computer for remediation, the following ports stay open on the target computer when network filtering is active. Table C-2 Port #
53 67 68 80* 88

Ports kept open when network filtering is active Port name and description
DNS port

Type
TCP/UDP

Direction
Receive/Transmit Receive/Transmit Receive/Transmit Receive/Transmit Receive/Transmit

DHCP boot protocol server UDP DHCP boot protocol client UDP Notification Server port Kerberos port TCP UDP

Technical Reference Power management and redirection capabilities

63

Table C-2 Port #


137 389 636 2054 52028*

Ports kept open when network filtering is active (continued) Port name and description
NETBIOS Name Service LDAP port Secure LDAP port ARP Notification Server Tickle port

Type
TCP TCP/UDP TCP/UDP Ethernet frame TCP

Direction
Receive/Transmit Receive/Transmit Receive/Transmit Receive/Transmit Receive/Transmit

Depends on Notification Server configuration

See Modifying the list of open network filtering ports on page 42. See Blocking network traffic from and to the computer on page 34. See Filtering the network traffic on multiple computers on page 23.

Power management and redirection capabilities


The following table displays the power management and redirection capabilities for the Intel AMT or ASF-capable computers in different power states. Table C-3 Power state
S0/G0 working S1 sleeping with system h/w & processor context maintained S2 sleeping, processor context lost S3 sleeping, processor & h/w context lost, memory retained S4 non-volatile sleep / suspend-to disk

Intel AMT power management capabilities AMT reboot AMT power off
Yes Yes Yes Yes

AMT power on
No No

Boot redirect
Yes2 Yes

No

No

No

Yes

Yes1

Yes1

Yes

Yes2

Yes1

Yes1

Yes

Yes2

Technical Reference Power management and redirection capabilities

64

Table C-3 Power state


S5/G2 soft-off

Intel AMT power management capabilities (continued) AMT reboot AMT power off
No No No No

AMT power on
Yes No

Boot redirect
Yes Yes

S4/S5 soft-off, particular S4/S5 state cannot be determined G3/Mechanical Off

No

No No

No No

No Yes

Sleeping in an S1, S2, or S3 No state (used when particular S1,S2, S3 state cannot be determined), or Legacy SLEEP state G1 sleeping (S1-S4 cannot No be determined) S5 entered by override, for example, by 4-second power button override No

No

No

Yes

No

No

Yes

Legacy ON, for example, No non-ACPI OS working state Legacy OFF, for example, non-ACPI OS off state Unknown
1 2

No

No

Yes

No

No

No

Yes

No

No

No

Yes

Performed through the power on command. Redirection can be enabled only for the reboot command. ASF power management capabilities ASF reboot ASF power ASF power off on
Yes Yes Yes No No

Table C-4 Power state


S0/G0 working

Boot redirect3
Yes2 Yes

S1 sleeping with system Yes h/w & processor context maintained

Technical Reference Power management and redirection capabilities

65

Table C-4 Power state

ASF power management capabilities (continued) ASF reboot ASF power ASF power off on
Yes Yes No

Boot redirect3
Yes

S2 sleeping, processor context lost S3 sleeping, processor & h/w context lost, memory retained S4 non-volatile sleep / suspend-to disk S5/G2 soft-off S4/S5 soft-off, particular S4/S5 state cannot be determined G3/Mechanical Off

Yes

Yes

Yes

Yes2

Yes1

Yes1

Yes

Yes2

No Yes

No Yes

Yes Yes

Yes Yes

No

No Yes

No No

No Yes

Sleeping in an S1, S2, or Yes S3 state (used when particular S1,S2, S3 state cannot be determined), or Legacy SLEEP state G1 sleeping (S1-S4 cannot be determined) S5 entered by override, for example, 4-second power button override Yes

Yes

No

Yes

No

No

Yes

Yes

Legacy ON, for example, Yes non-ACPI OS working state Legacy OFF,for example, No non-ACPI OS off state Unknown
1 2 3

Yes

No

Yes

No

Yes

Yes

Yes

Yes

Yes

Yes

Performed through the power up command. Redirection can be enabled only for the reboot command. Only local redirection can be enabled with ASF.

Index

A
alerts out-of-band 20 SNMP 12 authentication about 61 available operations 44

firewall configuring 5455 multiple computers 56

I
IDE-R 25 enabling 35 starting session 33 using 22 view details 34 Intel AMT changing settings 25 configuring 35 network traffic filtering 34 unconfiguring 25 web console 25 inventory collecting and viewing 16

B
BIOS management 37 remote configuration 31 updating setting 37 updating settings 17 boot redirection 22 booting from remote location 22, 33

C
Circuit Breaker. See network filtering client computer reassign to another Notification Server 38 restarting remotely 29 turning off, on 29 view logs 36 configuring hardware alerts 20 Intel AMT settings 25, 35 port check settings 42 connection real time 52 custom views Linux 43

K
Keyboard-Video-Mouse (KVM). See KVM

L
local user password resetting 18 logs monitoring client computer 36 Symantec Management Agent 38

M
manage power state 12 processes 19 management in real time 27 one-to-many 11 one-to-one 27 managing services 20

D
DHCP 34

F
file sharing disabling 57

Index

67

N
network filtering enabling and using 23 modifying ports 42 ports, settings 62 network flooding enabling protection 24

S
security about changes 62 Serial-over-LAN. See SOL service running or stopping 20 SOL 25 enabling 35 starting session 31 viewing active sessions 33 Symantec Management Agent manage properties 38

O
one-to-many about 11 filtering network traffic 23 list of operations 44 resetting password 18 one-to-one about 27 list of operations 44 out-of-band inventory 16 list of operations 44 power management 12

T
troubleshooting connection 52 firewall 5456

U
unconfiguring Intel AMT device 25 user access control configuring 58

P
port check configuring 42 running 42 ports list 59 power management 29 capabilities 63 event console 15 on, off, restart 12 restoring state 14 power-saving options configuring 35 process running or stopping 19

V
Virtual layers management 39

X
.xml file 24

R
real time management initiating connection 28 Real-Time Portal 28 port check 42 redirection capabilities 63 remote control KVM 30 SOL 31