This is a cool little compact tower that has a few drive bays (2xLFF 3.5, 1xSFF 2.5, 1x5.25) and comes at a decent price used in 2024. I picked one up because it's much lower power than my ancient z800 and has support for Intel-based hardware transcoding with Plex and Jellyfin.
It comes with the Intel desktop set of management tools using ME, AMT and vPro, rather than an IPMI. I want the system to run headless and would rather not move it to hook up a monitor and keyboard.
Intel has stopped supporting meshcommander and I don't have a big enough lab to run a dedicated server for it anyhow.
I wanted a cheap and dirty remote access that would let me get into uefi and troubleshoot OS issues.
I wanted both video and Serial over LAN (SOL) access.
If I was running a proper rack with a proper server motherboard this wouldn't be an issue, but it's a fun experiment.
The way that ME and AMT are set up can be a real problem for access. The mode I am using to start is the weakest possible and is only suitable for my homelab and a non-sensitive system. I am putting this network interface on its own management VLAN separate from the rest of my gear. Turning this stuff on is very obscure and took quite a bit of digging. Physical access is required for the initial setup, but I know that there are ME exploits that have been used to bypass this in the past. The older version of the software I have does not handle the secured port redirection and still supports unencrypted VNC. I am also not setting up Kerberos or AD integrations but using a local account and password.
- remove Windows from the system
- install Linux (Ubuntu 22.04.4 LTS)
- deprovision ME in the BIOS
- restart machine and use F6 to configure base settings
- set a password
- hook it up to DHCP, don't register dynamic DNS
- connect to the web interface at http://192.168.1.101:16992/
- set up IPv6 and another admin account. disable anon access.
- Run the unixcraft wsmancli commands from another linux machine to turn on VNC
- install realvnc because the native macos screen sharing client won't connect.
- ensure SOL is enabled in ME
- look in dmesg for a serial port: sudo dmesg | grep ttyS
- mine was ttyS4 so I used that with the Ubuntu serial console instructions
- I created a file in /etc/init/ttyS4.conf and substituted out ttyS0
- I also updated grub to point to ttyS4
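
The serial console steps above, as an added example that is not part of the original post: a POSIX shell sketch that picks the PCI-attached UART out of `dmesg` output and prints matching kernel and GRUB serial settings. The sample dmesg lines (PCI address, I/O port 0xf0a0) are constructed, 115200 baud is an assumption, and treating the PCI-attached UART as the AMT SOL port is an assumption to confirm on your own hardware.

```shell
#!/bin/sh
# Added example. SAMPLE_DMESG is constructed; on the real host feed in
# the output of: sudo dmesg | grep ttyS
SAMPLE_DMESG='[    0.812345] 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[    0.934567] 0000:00:16.3: ttyS4 at I/O 0xf0a0 (irq = 19, base_baud = 115200) is a 16550A'

# Print "<tty> <io-port>" for the first PCI-attached UART on stdin.
# PCI devices are logged with a domain:bus:dev.fn prefix (0000:00:16.3:);
# legacy COM ports are not, which is how the two are told apart here.
# Assumption: the PCI-attached UART is the AMT SOL port.
find_pci_uart() {
    sed -nE 's#^(\[[^]]*\] *)?[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]: (ttyS[0-9]+) at I/O (0x[0-9a-f]+) .*#\2 \3#p' | head -n 1
}

# Kernel argument: keep the local display (tty0) and add the serial port.
kernel_console_arg() {   # $1 = tty name, $2 = baud
    printf 'console=tty0 console=%s,%sn8' "$1" "$2"
}

# Lines for /etc/default/grub. GRUB is given the UART's I/O port directly,
# since a PCI serial port is not one of the legacy COM units it numbers.
# Merge the console= arguments into any existing GRUB_CMDLINE_LINUX value.
grub_serial_lines() {    # $1 = tty, $2 = io port, $3 = baud
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "$(kernel_console_arg "$1" "$3")"
    printf 'GRUB_TERMINAL="console serial"\n'
    printf 'GRUB_SERIAL_COMMAND="serial --port=%s --speed=%s --word=8 --parity=no --stop=1"\n' "$2" "$3"
}

# Read dmesg lines on stdin and print the settings, or fail if no
# PCI-attached serial port shows up (e.g. SOL not enabled in ME).
main() {
    found=$(find_pci_uart)
    if [ -z "$found" ]; then
        echo "no PCI-attached ttyS port found; check that SOL is enabled in ME" >&2
        return 1
    fi
    set -- $found            # split into tty name and I/O port
    grub_serial_lines "$1" "$2" 115200   # 115200 baud is an assumption
}

printf '%s\n' "$SAMPLE_DMESG" | main
```

After editing /etc/default/grub with the printed values, run sudo update-grub and reboot for the settings to take effect.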
The wsmancli won't compile on macOS using Homebrew, so I just installed it on a Linux box. However, because the ME system prevents the system itself from talking to AMT, I could not do it from the localhost.
Lots of tools seem to have deprecated support for AMT and Intel has stopped supporting meshcommander.
I have no idea why the macos screen sharing client won't talk to the AMT KVM, but it may be to do with auth modes and encryption. I am sure there is something there worth digging into.
I have not figured out the best way to update the firmware for ME and AMT on this box. I am not sure that I want to lose the built in VNC support, but I don't like the exposure of an unpatched ME firmware.
- HP Service and Maintenance Guide - https://h10032.www1.hp.com/ctg/Manual/c06075968.pdf
- HP Manual on AMT setup - https://h10032.www1.hp.com/ctg/Manual/c03975296.pdf
- Unixcraft on accessing KVM from linux - https://www.cyberciti.biz/faq/remotely-access-intel-amt-kvm-linux-desktop/
- Intel reference for AMT KVM and port 5900 - https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fdisablingtheoptinpolicy.htm
- Ubuntu serial console instructions - https://help.ubuntu.com/community/SerialConsoleHowto
- Debian page about AMT Serial - https://wiki.debian.org/AMT/SerialOverLan