MeshCentral‎ > ‎

CIRA Setup

In this page, we walk thru how to manually setup a Intel® AMT client initiated remote access (CIRA) connection to MeshCentral2. The following flow works starting with MeshCentral2 Alpha 2. In the future, this configuration will be automated. First, start by getting MeshCentral2 running.

First, you need to start MeshCentral2 specifying the server name. This is the name that will be used to connect to meshcentral2. Use "--cert [servername]". For example:

This will create and run a server with the right server name in the certificate. Next, create and account, login and create a "Intel® AMT agent-less" mesh like you would do normally. When you go back to the devices screen, you should see the empty mesh with a "Add CIRA" button on the upper right. Click on that link.

This will bring up the things you need to setup Intel AMT with CIRA to this server. A trusted root certificate, the certificate organization name and the server name and port. This is all you need. Now, you will need to configure Intel AMT. In this example, we will use MeshCommander or MicroLMS to do this. Login to your Intel AMT machines and go to the "Security Settings" panel. Download the "Root Certificate File" from MeshCentral and drag & drop it on the certificates.

This will bring up the "Add Certificate" dialog, select "Trusted Root Certificate" and hit OK. Now, Intel AMT will trust the root certificate of the Mesh server. Next, hit the "Issue Certificate" and enter a computer name in "Common Name", cut & paste the Organization HEX value from the Mesh server into Organization in the "Issue Certificate" dialog. You can fill state and country with any value.

Done done, hit OK and the new certificate will be created. You will now have two certificates in the Intel AMT certificate store. One with a private key and one that is a trusted root.

Next, go to "Internet Settings" and hit "Add Server". Copy the host name and server port from the Mesh server, select "Certificate" as authentication type and the certificate you created above as authentication certificate.

Once done, hit OK. The new server will be added to Intel AMT. For this example, we want Intel AMT to always stay connected to the server, so select "Periodic Connection", select the server and put "10" in "Trigger interval" to connect CIRA every 10 seconds if not already connected.

Hit OK. Lastly, we need to setup environment detection. This tells Intel AMT when it's inside the home network. Anytime it's outside it will try to use CIRA. Hit "Environment Detection", enter "" and hit OK.

After environment detection is setup, MeshCommander will not be able to connect to Intel AMT anymore unless it's used locally. This is because Intel AMT just closed it's local management ports (16992 to 16995). After a few seconds, a new computer will show up on MeshCentral2.

Notice the new computer has the name that will put in the "Common Name" of the certificate and it show "CIRA" as long as an active CIRA connection is present. You can click on the machine to view it's status.

The Mesh server does not have credentials to log into Intel AMT for this machine, so "No Credentials" is shown in red. You can click on that to set credentials. You can then go to "Desktop" tab to start a HWKVM session.

That's it. In the future this configuration will be automated.