Intel® Endpoint Management

Assistant
(Intel® EMA)

Server Installation Guide

Intel® EMA Version: 1.3.3.1

July 2020
Legal Disclaimer
Intel technologies may require enabled hardware, software or service activation.
No product or component can be absolutely secure.
Your costs and results may vary.
No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this
document.

Intel disclaims all express and implied warranties, including without limitation, the implied warranties of
merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course
of performance, course of dealing, or usage in trade.
The products and services described may contain defects or errors known as errata which may cause deviations from
published specifications. Current characterized errata are available on request.
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware,
software or service activation. Performance varies depending on system configuration. No computer system can be
absolutely secure. Intel does not assume any liability for lost or stolen data or systems or any damages resulting
from such losses. Check with your system manufacturer or retailer or learn more at
http://www.intel.com/technology/vpro.
Copyright © Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its
subsidiaries. Other names and brands may be claimed as the property of others.
1 Introduction 1
1.1 Before You Begin 1
1.2 Supported Operating Systems 2
1.3 Installation Prerequisites 2
1.4 Security Recommendations 5
1.4.1 Back Up Important Data 5
1.4.2 Modify the Access Control List (ACL) for Key Configuration Files 5
1.4.3 Enable Transparent Data Encryption on SQL Server Enterprise 6
1.4.4 Secure all Certificates and Keys 6
1.4.5 Samples files for Intel® EMA REST API and JavaScript library 6
1.4.6 Disable Insecure Cipher Suites 6

1.4.7 Strong Encryption Protocols 7

1.4.8 IIS – Replace the Temporary Web TLS Certificate 7
1.4.9 IIS – Change IIS User Account 7
1.4.10 IIS – Enabling the Transport Layer Security Protocol 8
1.4.11 IIS – Machine Key Validation Method 8
1.4.12 IIS – Restrict Unlisted IIS Extensions Execution 8
1.4.13 IIS – Dynamic IP Address Restrictions 9
1.4.14 IIS – Configure Host Headers for All Sites 9
1.4.15 IIS - Review updated web.config File 9
1.4.16 Check Binary Signatures 10
1.4.17 Change the Platform Manager Service User Account 10
1.4.18 Modify permissions of SQL Server user if desired 10

1.4.19 User Creation and Management 10

1.4.20 Use SQL Server Installed with TLS 10
1.5 Intel® EMA Installed Components 11
1.6 Important File and Directory Locations 12
1.7 Scaling Considerations 12
2 Installing or Updating the Intel® EMA Server 14
2.1 Installing or Updating Using the Setup Wizard 14
2.1.1 Server Host Configuration 15
2.1.2 Single Server Standard Installation 16
2.1.2.1 Database Settings 16
2.1.2.2 Server Host Information 17
2.1.2.3 Platform Manager Configuration 18
 2.1.2.4 User Authentication 18
2.1.2.4.1 Normal Accounts 18
2.1.2.4.2 Domain Authentication 19
2.1.2.5 Global Administrator Account Setup 19
2.1.2.6 Summary 20
2.1.3 Distributed Server Architecture - Initial Installation 20
2.1.3.1 Database Settings 21
2.1.3.2 Load Balancer Information 22
2.1.3.3 Server Components to Deploy 23
2.1.3.4 Platform Manager Configuration 23
2.1.3.5 User Authentication 23

2.1.3.5.1 Normal Accounts 24

2.1.3.5.2 Domain Authentication 24
2.1.3.6 Global Administrator Account Setup 25
2.1.3.7 Summary 25
2.1.3.8 Modify IIS Settings If Ajax and Web Server Components Installed 26
2.1.4 Additional Server Installation for Distributed Server Architecture 26
2.1.4.1 Database Settings 27
2.1.4.2 Server Components to Deploy 27
2.1.4.3 Save the Server Settings Certificate Signing Request 28
2.1.4.4 Obtain Server Setting Certificate 28
2.1.4.4.1 Create Server Settings Certificate on Initial Distributed Server Machine 28
2.1.4.5 Upload Server Setting Certificate 29
2.1.4.6 Platform Manager Configuration 29
2.1.4.7 Summary 30
2.1.4.8 Modify Server Settings 30
2.1.4.9 Modify IIS Settings If Ajax and Web Server Components Installed 31
2.2 Installing or Updating Using the Command Line 31
2.2.1 Basic Mode 31
2.2.2 Advanced Mode 32
2.2.3 Distributed Server Architecture Installation 33
2.2.3.1 Initial Installation 33
2.2.3.2 Add an Additional Server 33
2.3 Uninstalling 34
2.3.1 Uninstalling Using the Installer GUI 34
 2.3.2 Uninstalling Using the Command Line 34
3 Using the Global Administrator Interface 36
3.1 Changing the Global Administrator Password 36
3.2 Creating and Deleting Tenants 36
3.3 Managing Users and User Groups 36
3.3.1 Adding, Modifying, and Deleting User Groups 36
3.3.2 Adding, Modifying, and Deleting Users 37
4 Performing Intel® EMA Server Maintenance 38
4.1 Configuring the Intel® EMA Platform Manager Service 38
4.1.1 Platform Manager TLS Certificate 38
4.1.2 Mutual TLS Certificate for Client Authentication 38

4.2 Using the Intel® EMA Platform Manager Client Application 38

4.2.1 Starting Intel® EMA Platform Manager 38
4.2.2 Monitoring Component Server Events 39
4.2.3 Monitoring Component Server Internal Tracking Information 39
4.2.4 Performing Basic Controls on Component Servers 40
4.3 Deploying New Packages 42
4.4 Updating the Database Connection String 43
4.5 Revoking a Server's Certificate 43
4.6 Periodic Database Maintenance 44
4.7 Restoring the Intel® EMA Server from Backup 44
5 Appendix: Troubleshooting After Installation 47
5.1 General Troubleshooting 47
5.2 Distributed Server Installation Troubleshooting 52
6 Appendix - Modifying Component Server Settings 54
6.1 Swarm Server 54
6.2 Ajax Server 55
6.3 Manageability Server 55
6.4 Web Server 56
7 Appendix – Domain/Windows Authentication Setup 57
7.1 Server Connection Information Set at Installation 57
7.2 IIS Website’s Authentication and .NET Authorization 57
7.3 Internet Explorer Used by the End User 57
7.4 Optional – Grant Permission to Website Content 57
7.5 Optional – Double-hop Structure 57
 7.6 References 58
8 Appendix – Configuring Network Infrastructure for 802.1X Authentication 59
8.1 RADIUS Server - NPS 59
8.2 Configure a Microsoft NPS 60
8.2.1 Dependencies 60
8.2.2 Step 1 – Adding the NPS Role to Windows Server 60
8.2.3 Step 2 – Configuring NPS as a RADIUS Server 61
8.2.4 Post-configuration Actions 62
8.2.4.1 Create or edit a RADIUS client 62
8.2.4.2 Create or edit a Connection Request Policy 63
8.2.4.3 Create or edit a Network Policy 63

8.3 Configuring the RADIUS Clients 64

8.4 Connecting Endpoints to the Network 65
8.5 Environment Setup Example 65
8.5.1 Active Directory Domain Services 66
8.5.2 Active Directory Certificate Services 70
8.5.3 Network Policy Server 70
8.5.4 Wired Connection 73
8.5.5 Wireless Connection 75
8.6 Glossary 75
1 Introduction
This document describes the procedure to install and configure the Intel® Endpoint Management Assistant (Intel®
EMA) server in a full production environment, as well as how to maintain and manage the Intel EMA server after
installation. It is intended for technically competent system administrator users working with Intel EMA in the Global
Administrator role.

Note: A simplified tutorial installation procedure for learning purposes is available in the Intel® EMA Quick
Start Guide.

The Global Administrator is responsible for installation, configuration, and management of the Intel EMA server as a
whole, as well as creating Tenant usage spaces within the Intel® EMA server. Other Intel EMA users, such as Tenant
Administrators and Account Managers are responsible for setting up and maintaining the users, user groups,
endpoint groups, and managed endpoint client systems for each Tenant hosted on the Intel EMA server.

Note: Key concepts such as user roles, tenants, and endpoint groups are described in detail in the Intel® EMA
Administration and Usage Guide, which also provides detailed information about the setup and maintenance
of Intel® EMA Tenants and their managed endpoint systems.

We recommend that you read this guide carefully before performing the installation. This document provides the
installation requirements, explains the configuration parameters, and provides detailed installation steps for the Intel®
EMA server and its components.

1.1 Before You Begin

The actual installation of the Intel® EMA server and its components is fairly straightforward, as described in Section 2.
However, before starting the procedure, we recommend that you take time to consider the following choices so that
you know in advance what to enter or select during the procedure.
l Ensure all prerequisites, described in Section 1.3, are met.
l Review the Security Recommendations in Section 1.4 and implement them as part of or after installing Intel
EMA.
l Review the Scaling Considerations in Section 1.7 to help you determine the right hardware to use for your
Intel EMA implementation.
l Decide whether you plan to implement a single server installation or a distributed server architecture install-
ation.
l Determine the Fully Qualified Domain Name (FQDN) and/or IP Address that will be used to connect to the Intel
EMA server.
l For the SQL Server connection, decide if you want to use Windows authentication mode (recommended, for
security reasons) or SQL Authentication. If SQL Authentication, you will need to ensure the target credentials
are set up in SQL Server before installing.
l Determine how you will want the Intel EMA website to be found via IIS and how it will process requests: by
FQDN/hostname only; using FQDN/hostname first, then IP Address; by IP Address only. For additional host-
names to work correctly, and to manage them, you must configure a DNS server or a router.
l Decide whether you plan to install Intel EMA under domain authentication mode (Kerberos) or normal account
(username/password) mode, the default. If domain authentication, we suggest using the FQDN of your
machine for the hostname. You still need to make sure that other endpoints or other client web browsers can

Intel® EMA Server Installation Guide - July 2020

1
 connect to the value you entered here. If you decide to use another value, follow IT practice to set up the Ser-
vice Principle Name (SPN) after Intel EMA is installed.
l Determine the valid email address to use for the Global Administrator user.

1.2 Supported Operating Systems

As a stand-alone application, the Intel® EMA Agent can be installed on the following operating systems:
l Microsoft Windows 7
l Microsoft Windows 10
Intel EMA Server can be installed on the following operating systems:
l Microsoft Windows Server 2012
l Microsoft Windows Server 2012 R2
l Microsoft Windows Server 2016
l Microsoft Windows Server 2019

1.3 Installation Prerequisites

This is a list of the prerequisites needed to set up the Intel® EMA Server:
l Computer: A computer or virtual machine with sufficient capability for the expected traffic. Systems not meet-
ing these minimum specifications could experience performance issues.
l 2 Intel® Xeon® Processors, 16 threads, 24GB RAM, 1TB Mirrored: This configuration should be able to
handle over 20k connections.
l Operating System: See Supported Operating Systems, section 1.2.
l Currently, Intel EMA does not provide internationalization support. The operating system needs to
have English-US Windows display language, English-US system locale, and English-US format (match
Windows display language).
l Database: Install the Microsoft SQL Server. The database may run on a separate server on the network or on
the same system as the Intel EMA Server. Ensure the Full Text Search feature is enabled in your SQL server.
Microsoft SQL Server 2012, 2014, 2016, 2017, and 2019 are supported. For demonstration or test purposes,
Microsoft SQL Server Express edition can be used if installed with Advanced Features. For production envir-
onments, we recommend using Microsoft SQL Server Enterprise. A strong working knowledge of installing,
configuring, and using SQL and Active Directory is required (if using 802.1x).

IMPORTANT: To achieve security in-depth, we recommend to use Microsoft SQL Server Enterprise
and enable Transparent Data Encryption. Additionally Windows authentication mode is recommended
as the authentication mode.

Notes:
l Be sure to allocate enough resources (CPU, memory, SSD, etc.) to SQL Server. If your
SQL Server's resources are dynamically allocated, ensure enough guaranteed fixed resources
are allocated. If not, you may see error messages like "Unable to get database connection, all
connections are busy" in the component server log files in Program Files (x86)\In-
tel\Platform Manager\EmaLogs.
l Intel EMA uses query notification in SQL Server to reduce the number of database reads. That
feature requires "Service Broker" to be enabled in SQL server. If Service Broker is disabled, you
will see warnings to that effect in the component server log files in Program Files (x86)\In-

Intel® EMA Server Installation Guide - July 2020

2
 tel\Platform Manager\EmaLogs.
l Before installing Intel EMA, ensure that the SQL account used in the Intel EMA SQL connection
string has sysadmin rights (to create new account for IIS default application pool identity) and
has at least dbcreator permission, which allows it to create, modify, and delete any database.
Also, this account must have the database level roles db_owner, db_datawriter, and db_
datareader. The “sysadmin” right is needed in order to create new users “IIS APPPOOL\\De-
faultAppPool\” and “ApplicationPoolIdentity\” for the SQL server (if they do not exist). If they
exist already or you do not use that account for the IIS application pool of the Intel EMA web-
site, then the role needed during installation is “dbcreator”, to create the Intel EMA database.
Keep in mind that the “sysadmin” or “dbcreator” rights are only needed during Intel EMA install-
ation. Lastly you must grant permission for "SUBSCRIBE QUERY NOTIFICATIONS" to the user
of Intel EMA database. See Section 1.4.18 for information about changing these permissions
and roles.

l Web Server: Intel EMA uses Microsoft Internet Information Server (IIS). Use the latest IIS 8, IIS 8.5, or IIS 10
version.
l Install IIS URL Rewrite Module for the target IIS. If it is installed, Intel EMA will set up the website set-
ting to remove the IIS server version from the response header, the HSTS header, the cookie Same Site
strict, and the auto redirect from HTTP to HTTPS. If it is not installed, these settings will not be
applied.

Note: If IIS is already installed, ensure that all authentication methods are disabled except for
“Anonymous” and “Windows” (only those two should be enabled). This only applies to Windows
Authentication mode.

l Intel® AMT PKI Certificate: Intel AMT Admin Control Mode (ACM) provisioning requires a certificate issued by
a trusted authority that matches the domain name of the target Intel AMT endpoints. The certificate file needs
to have the full certificate chain. Also, it needs to be issued with the supported OID 2.16.840.1.113741.1.2.3
(this is the unique Intel AMT OID).
l Microsoft .NET Framework versions: Intel EMA Server software is built with Microsoft .NET Framework 4.5.2.
The operating system must have Microsoft .NET Framework 4.5.2 or later.
l Firewall: We recommended using a firewall software to ensure that only authorized ports are available for con-
nection. The firewall software built into Windows can perform this task.
l Network: During the installation, you must specify the value (either hostname or IP address) to use for com-
munication among various components. If you choose hostname or FQDN, you need to make sure the value
is resolvable by a DNS server in the network. If you do not have the DNS server, a fixed IP address should be
used during installation. Incorrect hostname/IP address will cause Intel EMA features to not function properly.
In a distributed server archecture implementation, if using Active Directory, ensure all computers (including
the computer hosting the load balancer) are listed in Active Directory.

Intel® EMA Server Installation Guide - July 2020

3
 l Network ports:Table 1 lists the server network ports used for various communications among server com-
ponents.
l For certain features/usages, the AJAX server and Manageability server will establish a TCP connection
(locally or remotely) with the Swarm server.
l The endpoint and the Swarm server communicate via a secure TCP connection. Intel AMT (CIRA) and
the Swarm server communicate via a secure TCP connection.
l The Platform Manager service uses a named pipe to talk to other Intel EMA component servers on the
same machine. The Platform Manager client application talks to the Platform Manager service via a
secure TCP connection.

Table 1: Server network ports

Protocol Port Usage

TCP 443 HTTPS Web server port. This is used between the web browser and the web
server.

TCP 1433 SQL server remote access. This is used between the internal Intel EMA server
and the internal SQL server; only needed if Intel EMA server and the SQL server
are not on the same machine. This is the default port that SQL server uses.

TCP 8000 The default TCP port for communication between Platform Manager service
and Platform Manager client. You can change this port during installation.

TCP 8080† Agent, console, and Intel AMT CIRA port. This is between client endpoints and
the Intel EMA Swarm server. See note below.

TCP 8084 Web redirection port. This is used between the web browser and the web
server.

TCP 8089 Communication between the various Intel EMA component servers and Intel
EMA Swarm server. This port number is the default, and can be changed in the
Server Settings page (see "Appendix - Modifying Component Server Settings"
on page 54"Appendix - Modifying Component Server Settings" on page 54

TCP 8092 Port on which Ajax component server listens for internal component-to-com-
ponent communication. This port number is the default, and can be changed
in the Server Settings page (see "Appendix - Modifying Component Server Set-
tings" on page 54"Appendix - Modifying Component Server Settings" on
page 54

TCP 8093 Port on which Swarmcomponent server listens for internal component-to-
component communication. This port number is the default, and can be
changed in the Server Settings page (see "Appendix - Modifying Component
Server Settings" on page 54"Appendix - Modifying Component Server Set-
tings" on page 54

TCP 8094 Port on which Manageability component server listens for internal com-
ponent-to-component communication. This port number is the default, and
can be changed in the Server Settings page (see "Appendix - Modifying Com-
ponent Server Settings" on page 54"Appendix - Modifying Component Server
Settings" on page 54

† You can change the port that the agent and Intel AMT CIRA use to connect to the Intel EMA server.

Intel® EMA Server Installation Guide - July 2020

4
 1. On the load balancer, create a forwarding rule to route the desired port (for example, 8081) to the backend
Swarm server port 8080. Note that the Swarm server is still listening on port 8080, but this allows you to set a
different port for your external facing network.
2. On the Manageability server, change server settings ciraserver_port from 8080 to the desired port (i.e., 8081
in this example). Halt and restart the Manageability server. See "Appendix - Modifying Component Server Set-
tings" on page 54 for information about changing settings for Intel EMA component servers.
3. For web server settings, change server settings SwarmServerPort from 8080 to desired port. Sync the IIS app
setting with this change. See "Appendix - Modifying Component Server Settings" on page 54 for information
about changing settings for Intel EMA component servers.
4. Create a new endpoint group (note that the existing endpoint group will not have the new SwarmServerPort
information) and register an endpoint to this new endpoint group. Then provision Intel AMT on the endpoint.
See the Intel® EMA Administration and Usage Guide for information about endpoint groups and provisining
Intel AMT on endpoints.

1.4 Security Recommendations

This section details the security recommendations you should take into consideration when using Intel® EMA. Refer
to industry best practices sources and your IT organization’s policies for information on how to implement these
recommendations.

Important: For distributed server architecture installations, be sure to make all applicable changes below on
all your Intel EMA servers.

1.4.1 Back Up Important Data

Intel EMA’s component servers rely on several certificates created during the Intel EMA installation time.
The installer creates a self-signed MeshRoot root certificate, which it uses to create one or more
MeshSettingsCertificates that are stored in the Local Machine\Personal certificate store. These
MeshSettingsCertificate certificates are used to encrypt/decrypt the server settings stored in the database.
The MeshRoot certificate is used to create the mutual TLS certificates (EmaMtlsXXX) for the TCP-TLS
communications between the Intel EMA component servers (Ajax, Swarm, Manageability, Web). They are stored in
the Local Machine\Personal certificate store.
If these certificates are lost, there is no way to make Intel® EMA work again without completely reinstalling the Intel
EMA server.
Therefore, after installing the Intel EMA server (or each server in a distributed environment), it is strongly
recommended that you perform the following steps:
l Back up Intel EMA database (this should also be done periodically, not just after setup).
l Back up the MeshSettingsCertificate which is stored in the Local Machine\Personal certificate store on your
server machine. This certificate is used to encrypt/decrypt the server settings stored in the database.

1.4.2 Modify the Access Control List (ACL) for Key Configuration Files
After the Intel EMA server installation, you should modify the ACL to limit access to the following files\folders:
l [Intel EMA website root folder (e.g., C:\inetpub\wwwroot)] \ web.config.
l [Intel EMA server installation folder (e.g., C:\Program Files (x86)\Intel\Platform Manager)] \ Platform Manager
Server \ settings.txt

Intel® EMA Server Installation Guide - July 2020

5
 l [Intel EMA server installation folder (e.g., C:\Program Files (x86)\Intel\Platform Manager)] \ Runtime \ MeshSet-
tings \ connections.config
l [Intel EMA server installation folder (e.g., C:\Program Files (x86)\Intel\Platform Manager)] \ Runtime \ MeshSet-
tings \ app.config
l [Intel EMA server installation folder (e.g., C:\Program Files (x86)\Intel\Platform Manager)] \ EMALogs

1.4.3 Enable Transparent Data Encryption on SQL Server Enterprise

To achieve security in-depth, we recommend that you use SQL Server Enterprise and enable Transparent Data
Encryption.

1.4.4 Secure all Certificates and Keys

When Intel EMA is installed, several certificates and encryption keys are generated. The certificates and encryption
keys created by Intel EMA expire after 20 years.
Certificates are stored in the Intel EMA server database and in the server machine’s certificate store. Take care to keep
these certificates secure. If they are compromised, Intel EMA cannot replace them and push them to the managed
endpoints. In this case, you would need to uninstall and reinstall the Intel EMA server using new certificates, then
recreate all users and endpoint groups and then re-register all your endpoints.
Most of the encryption keys are stored in Intel EMA server settings, which is encrypted and saved in the Intel EMA
server database.

1.4.5 Samples files for Intel® EMA REST API and JavaScript library
The sample files are in the folder [Intel EMA installation package folder] \Samples. These files are not automatically
hosted on the Intel EMA website during installation. These sample files are implemented using bare-minimum code
to demonstrate how to use the API and do not use secure coding practices to guard against security concerns like
cross-site scripting.

IMPORTANT: These samples should never be hosted in a production environment.

For hosting in a test environment for development purposes, copy the Samples folder to the Intel EMA website root
folder (e.g., C:\inetpub\wwwroot\).

1.4.6 Disable Insecure Cipher Suites

Cipher suites determine the key exchange, authentication, encryption, and algorithms used in an SSL/TLS session.
It is strongly recommended that you disable insecure cipher suites to restrict the use of weak cryptographic
algorithms and protocols for TLS connections.
By default, many versions of Microsoft Windows Server may have an insecure cipher suite configuration. The
following are the warnings or threats that result from insecure ciphers:
l 64-bit block cipher 3DES vulnerable to SWEEET32 attack
l Broken cipher RC4 is deprecated by RFC 7465
l CBC-mode cipher in SSLv3 (CVE-2014-3566) – Oracle padding
l Cipher suite uses MD5 for message integrity
l Weak certificate signature for SHA1
l Key exchange (DH 1024) is of lower strength than the certificate key

Intel® EMA Server Installation Guide - July 2020

6
One workaround to avoid these threats and warnings is to download IIScrypto from this website:
https://www.nartac.com/Products/IIScrypto. This product helps to change schannels and cipher settings.
You must run the IIScrypto program and de-select the multi-protocols: unified hello, PCT 1.0, SSL2.0, MD5, and all
ciphers above triple DES. This helps clear all the aforementioned warnings (except for the SHA1 warning).

1.4.7 Strong Encryption Protocols

We strongly recommend that you disable weak encryption protocols, such as PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0, and
TLS 1.1, and instead enable strong encryption protocols, such as TLS 1.2. Additionally, we recommend that you use
the Diffie-Hellman Ephemeral (DHE) protocol.

1.4.8 IIS – Replace the Temporary Web TLS Certificate

The Web TLS certificate is used for HTTPS communications between the Web browser and the Web + AJAX Server. A
temporary self-signed Web TLS certificate is created during installation. This certificate can be replaced at any time.
We recommend that you use a valid HTTPS certificate issued from a valid trusted Certificate Authority.

Note:
l This TLS certificate can also be used for the Platform Manager TLS certificate if you are running Plat-
form Manager on the same system as the IIS server. See section 4.1.
l For the self-signed website TLS certificate (and the Intel EMA settings certificate), Intel EMA grants the
default IIS DefaultAppPool account read access to the private key. If you change the account that the
IIS default application pool will run under, you must also change the access control accordingly.

To replace the temp Web TLS Certificate:

1. Install the new certificate in the Local Machine\Personal certificate store.
2. Run the IIS Manager on the Web Server (IIS Server).
3. Place the certificate in the Server Certificates.
4. Edit the Bindings section in the Default Website dialog box to use the new certificate.

1.4.9 IIS – Change IIS User Account

By default, Intel EMA uses the IIS default application pool (app pool) to run the Intel EMA website. This default app
pool uses the ApplicationPoolIdentity account by default. In a distributed installation running under Windows
authentication, where the Intel EMA component servers need to access a remote SQL Server, you may need to
change the account the Intel EMA website runs under to one that can access the remote SQL Server.
To do this, follow the steps below:
1. If the SQL connection is using Windows authentication, ensure the new IIS user account satisfies the per-
mission and role requirements for the SQL Server account. See 1.4.18 "Modify permissions of SQL Server user
if desired" on page 10.
2. Add a new IIS application pool for Intel EMA.
1. Use IIS Manager to create a new app pool.
2. Choose .NET CLR Version v4.0.XXX, Integrated pipeline mode, and Start app pool immediately.
3. Assign an account to the new application pool.
1. Use IIS Manager to change the account for the new app pool.
2. Choose Custom Account and specify the desired Windows account.

Intel® EMA Server Installation Guide - July 2020

7
 4. Give the account access to Intel EMA assets (files and folders, certificate's private key).
1. Skip this step if the account is already in the local machine's administration group.
2. Give read and write access to [System drive]\Program Files (x86)\Intel\Platform Man-
ager\EMALogs.
3. Give full control to the following:
l [System drive]\C:\inetpub\wwwroot: also for all sub-folders and files.
l [System drive]\C:\inetpub\wwwroot\web.config
l [System drive]\Program Files (x86)\Intel\Platform Man-
ager\Runtime\MeshSettings\app.config
l [System drive]\Program Files (x86)\Intel\Platform Man-
ager\Runtime\MeshSettings\connections.config
l [System drive]\ProgramData\Intel\EMA\USBR
4. Use the Windows certlm tool to open the certificate store for Local Computer\Personal\Certificates
and give "read" permission for the following certificates by right-clicking the target certificate and
selecting All Tasks\Manage Private Keys:
l Temporary Web TLS certificate. "Issued To" is the Intel EMA web site FQDN or IP. "Issued By" is
"MeshRoot-XXXX".
l Settings certificate. "Issued To" is "MeshSettingsCertificates-XXX". "Issued By" is "MeshRoot-
XXXX".
l Inter-component TLS certificate for web server. "Issued To" is "EmaMtlsWeb-XXX". "Issued By"
is "MeshRoot-XXXX".
5. Use IIS Manager to change the application pool used by Intel EMA to the new one created above. Then restart
the whole web site. For verification, access the Intel EMA web site in a browser, then use Windows Task Man-
ager to verfiy that the w3wp.exe process is running under the specified account.

1.4.10 IIS – Enabling the Transport Layer Security Protocol

It is strongly recommended that you enable Transport Layer Security (TLS), which is an industry-standard protocol
designed to protect the privacy of information communicated over the internet.
The TLS protocol enables clients/server applications to detect these security risks:

l Message tampering
l Message interception
l Message forgery
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement policy, which must be enabled to ensure
connections can only be successful if the Transport Layer Security (TLS) protocol is used.

1.4.11 IIS – Machine Key Validation Method

The machine key element in the ASP.NET web.config specifies the algorithm and keys to be used by an application
for encryption and hashing. Ensure that one of the SHA-2 family methods (for example, HMACSHA256) is configured
as the validation method for the machine key.

1.4.12 IIS – Restrict Unlisted IIS Extensions Execution

If IIS features ISAPI Extensions or CGI are installed, ensure that unspecified ISAPI modules or unspecified CGI
modules, respectively, are not allowed to run.

Intel® EMA Server Installation Guide - July 2020

8
1.4.13 IIS – Dynamic IP Address Restrictions
Single server installations:
Dynamic IP Address Restrictions is an IIS setting that can be used to mitigate against DDoS and brute force attacks.
For single server installations, in IIS Manager, enable “Deny IP Address based on the number of concurrent requests”,
enable “Deny IP Address based on the number of requests over a period of time”, and then set values required to
protect your environment.
For more information, see the following link:
https://docs.microsoft.com/en-us/iis/manage/configuring-security/using-dynamic-ip-restrictions

Distributed server installations:

For distributed server architecture installations, consult your load balancer documentation to enable similar
protection.

1.4.14 IIS – Configure Host Headers for All Sites

If multiple websites will be hosted in IIS on the same IP address and port, configure host headers for all sites.

1.4.15 IIS - Review updated web.config File

The Intel® EMA server installation adds the following headers to your web.config file, and renames the existing
web.config file to web.config.original.<date>. After installation, review the new web.config file and modify if desired.
For more information about HTTP headers, refer to the following link:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
The following headers are automatically added to the web.config file during installation.
Table 2: Headers added to web.config

Header Value
X-Content-Type-Options nosniff

X-XSS-Protection 1; mode=block

X-Frame-Options SAMEORIGIN

Referrer-Policy strict-origin

Expect-CT max-age=86400, enforce

Feature-Policy payment 'none'; microphone 'none'; geolocation 'none';

strict-transport-security max-age=31536000; includeSubDomains;

Note: Added by IIS rewriter rule

Content Security Policy (CSP) default-src 'self' blob:;script-src 'self' 'unsafe-inline'

'nonce-<autogen_value> ' 'sha256-<multiple values> ';
Note: Added by plugin
object-src 'none';style-src 'self' 'unsafe-inline'
https://fonts.googleapis.com;img-src 'self' data:;
font-src 'self' data: https://fonts.gstatic.com;base-uri
'none';worker-src 'self' blob:

Intel® EMA Server Installation Guide - July 2020

9
The CORS header is added but commented out by default. To enable it, edit the web.config file and remove the
comment tags and add your domain information.

<!--
<add name="Access-Control-Allow-Origin" value="https://<YOURDOMAINHERE>" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS"
/>
-->

Lastly, the X-Robots-Tag header is added, which disables web search engines from finding installed instances of the
Intel® EMA server.

Note: Intel EMA grants the default IIS DefaultAppPool account read access to the web.config file. If you
change the account that the IIS default application pool will run under, you must also change the access con-
trol accordingly.

1.4.16 Check Binary Signatures

All Intel EMA binaries are signed as an integrity mechanism. We recommend that you check and confirm the
signatures on these files. Further, we recommend that you only use installation packages from trusted sources (such
as www.intel.com).

1.4.17 Change the Platform Manager Service User Account

Perform this action after installing the Intel EMA server. By default, the Intel EMA Platform Manager service runs
under the System user. To improve security, we recommend that you modify this service to run as a local or domain
user.
To do this, find Intel Platform Manager in Windows services and change the user account under which this service
is running. The local or domain user account should have administrative rights on the Intel EMA server machine and
read/write rights to the Program Files (x86) folder where Intel EMA is installed.

1.4.18 Modify permissions of SQL Server user if desired

After installation, the SQL account used by Intel EMA needs to execute stored procedures and run database
commands. Therefore, this SQL account needs db_owner, db_datawriter, and db_datareader permissions for the Intel
EMA database. These permissions are granted by default during Intel EMA installation. If you do not want to give db_
owner permission, you must grant this SQL account Execute permission to run all Intel EMA stored procedures.
Also, you must grant permission for "SUBSCRIBE QUERY NOTIFICATIONS" to the user of Intel EMA database.

1.4.19 User Creation and Management

It is strongly recommended that you periodically check existing user accounts for Intel EMA and ensure that any
accounts that are no longer being used are deleted. See the Intel® EMA Administration and Usage Guide for
information on creating, modifying, and deleting user accounts.

1.4.20 Use SQL Server Installed with TLS

It is strongly recommended that you use an instance of SQL Server that has been installed with TLS to encrypt data
transmitted between SQL Server and Intel EMA. For more information, see the link below:

Intel® EMA Server Installation Guide - July 2020

10
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-
database-engine?view=sql-server-ver15

1.5 Intel® EMA Installed Components

After installation, most software components are installed in the C:\Program Files (x86)\Intel\Platform Manager
folder. The main components are as follows:
l Intel® EMA Platform Manager service:
l Installed as an auto-started Windows service with display name Intel® EMA Platform Manager and
service name PlatformManager
l Deploys the Intel EMA website content to the IIS server
l Monitors Intel EMA component servers on the machine and auto-starts any that are not running
l In a distributed server architecture, each Intel EMA server machine will have its own Platform Manager
service
l Intel EMA Platform Manager client application:
l Installed as a Windows desktop application
l Provides the graphical user interface (GUI) for user interaction
l Used for checking Intel EMA internal server events and performing simple server controls
l Can communicates with the Platform Manager service on a local or remote machine
l Intel EMA website:
l Primary GUI for end users
l Deployed on the IIS server by the Platform Manager service after installation
l May have multiple instances in a distributed environment
l See the Intel® EMA Administration and Usage Guide for further details
l Intel EMA REST APIs:
l Deployed on the IIS server by the Platform Manager service after installation
l Enables third-party software development to create a different Intel® EMA GUI for end users
l See the Intel® EMA API Guide for further details
l Intel EMA JavaScript libraries:
l Deployed on the IIS server by the Platform Manager service after installation
l Delivers some features that REST APIs are not designed to support
l Enables third-party software development to create a different Intel EMA GUI for end users
l See the Intel® EMA JavaScript Libraries Guide for further details
l Intel EMA AJAX server:
l Started by the Platform Manager service
l Handles the JavaScript library’s requests
l May have multiple instances in a distributed environment
l See the Intel® EMA Administration and Usage Guide for further details about the scheduled tasks fea-
ture
l Intel EMA Swarm server:
l Started by the Platform Manager service
l Accepts the TCP connection from the endpoints (devices) and handles communication between end-

Intel® EMA Server Installation Guide - July 2020

11
 points
l May have multiple instances in a distributed environment
l Intel EMA Manageability server:
l Started by the Platform Manager service
l Manages Intel AMT provisioning and unprovisioning requests for endpoints
l Talks to the Swarm server to send provision/unprovision requests to the endpoints
l Only one instance in a distributed environment
l Intel EMA Agent:
l Agent software is not installed on the server machine
l Agent installer is included in Intel EMA software package
l Agent must be installed on the endpoint for the Intel EMA server to manage it
l See the Intel® EMA Administration and Usage Guide for how to download and manage the agent
installers

1.6 Important File and Directory Locations

<Installer Directory>/EMALog-Intel®EMAInstaller.txt Installation log

C:\Program Files (x86)\Intel\Platform Contains settings for the Platform Manager, including the
Manager\Platform Manager Server\settings.txt port number and password.

C:\Program Files (x86)\Intel\Platform Man- Contains the database connection string.

ager\Runtime\MeshSettings\app.config and con-
nections.config

C:\Program Files (x86)\Intel\Platform A log for each server component. These are the same log mes-
Manager\EMALogs sages that you can see in the Platform Manager’s Event log.
l EMALog-XXX.txt
l TraceLog-XXX.txt

C:\Program Files\Intel\Ema Agent Install location for 64 bit Intel EMA Agent files. For 32 bit
agent, see Program Files (x86).

C:\inetpub\wwwroot IIS web site locations.

1.7 Scaling Considerations

As you plan your Intel EMA server implementation, keep in mind that the configuration of the server hardware can
have an impact on the overall performance of your Intel EMA instance as the number of managed endpoints grows.
The following table shows testing results that may be helpful in determining the appropriate server hardware
configuration for your Intel EMA server installation. The table shows the number of managed endpoints required to
achieve the thresholds in the column headings (e.g., 80% CPU utilization) given the server hardware configurations in
the row labels (e.g., 4 CPUs and 16 GB memory).

Note: Performance can vary greatly from one implementation to another depending on a variety of envir-
onmental factors. The following test result information is provided solely to aid in pre-implementation
decision making and is not intended as any claim of actual performance.

Intel® EMA Server Installation Guide - July 2020

12
Based on the following test result data, for example, you could expect a single Intel EMA server with 4 CPUs and 16
GB of RAM to satisfactorily support approximately 82K managed endpoints (the 10% memory column below). Note
that if CIRA will be used, we recommend that you reduce the number of endpoints in any column below by half.
Furthermore, the data below is based on an idle state for the Intel EMA agent on the managed endpoint. You should
allow some headroom (for example, 20%) for usage such as KVM sessions on the endpoint.
Given the above considerations, for a single Intel EMA server with 4 CPUs and 16 GB of RAM in an implementation
where CIRA will be used, we recommend no more than approximately 33K managed endpoints (82K/2 * .80 = 32.8).
Table 3: Scaling Consideration Data

Intel EMA Intel EMA Intel EMA DB DB

80% CPU 100% CPU 10% mem 80% CPU 100% CPU

2 CPU, 8 GB mem 166,389 207,969 44,600 155,775 195,145

4 CPU, 16 GB mem 349,636 436,972 82,180 290,036 363,566

8 CPU, 32 GB mem 447,525 559,256 130,977 165,275 207,029

Intel® EMA Server Installation Guide - July 2020

13
2 Installing or Updating the Intel® EMA
Server
Follow the steps below to install or update the Intel® EMA server.

Notes:
l If you are updating from an existing version of Intel EMA, the Intel EMA website’s bindings in IIS will be
set to default values during the update installation. You can check the log files after installation to find
the pre-update bindings for your reference.
l Do not edit the Intel EMA database to manually add a user to the user table. Use the Intel EMA user
interface (either GUI or API) to create all Intel EMA user accounts.
l Installing two separate Intel EMA instances that use the same Intel EMA database is not supported.
Note that this is different from a distributed server architecture installation (described below) in which
an Intel EMA instance's server components are installed on multiple machines.

2.1 Installing or Updating Using the Setup Wizard

Extract the installation ZIP file, open the folder, and right-
click on EMAServerInstaller.exe and select Run as
administrator. The installer opens and the status bar at
the bottom shows Ready if the initial checks have passed.
Click the top-left icon to begin the installation process.

Notes:
l If you are updating from a previous Intel®
EMA version, an “update mode” dialog is
displayed and a message is logged.
l For assistance, click Help > Intel Support

Intel® EMA Server Installation Guide - July 2020

14
 WARNING! For first-time installations, if you
continue with the installation process, the Intel
EMA Setup Wizard will delete everything in the
c:\inetpub\wwwroot folder. Be sure to backup any
needed files before continuing with the installation
process.
This does NOT apply when updating from a
previous Intel EMA version, although IIS bindings
will be set to default values. Click Next on the
Welcome screen to continue the setup process.
When the License Agreement is displayed, accept
the license to continue.

Click Next on the Welcome screen to continue the setup

process.

2.1.1 Server Host Configuration

Choose which installation type you want to perform.
Standard Install for Single Server Architecture

All server components are installed on the

same server machine.
Skip to Section 2.1.2 "Single Server
Standard Installation" on the next page

Note: Switching from Single to

Distributed architecture requires a
full uninstallation and reinstallation.

Initial Install for Distributed Server Architecture

One or more of the server components are

installed on this server machine, and
additional instances of components can be
installed on different server machines
using the Additional Server Install option
below. This process also lets you specify a
configured load balancer to manage the
workload between the multiple server
machines.
Skip to Section 2.1.3 "Distributed Server
Architecture - Initial Installation" on
page 20.

Additional Server Install for Distributed Server

Architecture

Use this option AFTER completing the

Intel® EMA Server Installation Guide - July 2020

15
 Initial Install for Distributed Architecture
option above. This option allows you to
install additional server components on a
different server machine than the initial
distributed installation.
Skip to Section 2.1.4 "Additional Server
Installation for Distributed Server
Architecture" on page 26.

2.1.2 Single Server Standard Installation

2.1.2.1 Database Settings

Specify the server where the database is hosted. The

actual value depends on the database server you installed.
Refer to your SQL installation for details.

Notes:
l If you are using a SQL server installed on
the same machine as Intel® EMA then you
can use localhost.
l If you are using a remote SQL server, ensure
the SQL server’s account is set up for your
IIS Default Application Pool to connect.
l For security purposes, we recommend that
Windows authentication mode is used for
SQL Authentication. If using SQL Authentic-
ation, you must ensure the target credential
is set up in the SQL server first.
l For update mode, the fields are filled in and
cannot be changed.

To create a customized database connection string, click

the checkbox for Advanced Mode and enter a connection
string.
Note that both Basic and Advanced modes create a
connection string which is used by the Intel EMA
component servers. Advanced Mode allows you to create
a customized connection string. For more information
about connection strings, see
https://docs.microsoft.com/en-
us/dotnet/framework/data/adonet/connection-string-
syntax.

Note: The parameter “Mul-

tipleActiveResultSets=True” is required.

Intel® EMA Server Installation Guide - July 2020

16
 Regardless of mode (Basic or Advanced), the connection
string is encrypted and stored in c:\Program Files
(x86)\Intel\Platform
Manager\Runtime\MeshSettings\connections.config.

Note: For update mode, the connection

information is displayed but cannot be edited.

2.1.2.2 Server Host Information

Note: For update mode, this screen is not

displayed.

If you have a Website TLS certificate for the server, enter a

matching hostname for the server here.

This is the main Intel® EMA website HTTPS URL, and this is
the FQDN/hostname that will be provided in the agent
configuration file for endpoints to connect to, so make
sure that it resolves correctly in DNS.
For Identity mode:
l Use FQDN/hostname only: processes the request
with the FQDN/hostname only. We suggest enter-
ing the addressable, full FQDN.
l Use FQDN/hostname first: processes the request
using the FQDN/hostname, but can also find the
website via the IP Address.
l Use IP address: processes requests with the IP
address only

Note: If Intel EMA will be installed under domain/Windows authentication mode (Kerberos) in the next step,
we recommend using the FQDN of your machine at Hostname field. You still need to ensure that other end-
points or other client web browsers can connect to the value you entered here. If you decide to use another
value, follow IT best practices to set up the Service Principle Name (SPN) after Intel EMA is installed. Choosing
Use IP address does not work for Kerberos.

Intel® EMA Server Installation Guide - July 2020

17
2.1.2.3 Platform Manager Configuration

Note: For update mode, the fields are filled in and

cannot be changed.

External Port is used by the Intel® EMA Platform Manager

service running on this Intel EMA server to accept
connection from the Intel EMA Platform Manager client
application. Make sure that the port you specify is open in
the underlying network.

2.1.2.4 User Authentication

Choose either Use normal accounts or Use domain authentication.

2.1.2.4.1 Normal Accounts

Note: For update mode, the fields are filled in and

cannot be changed.

If you select Use normal accounts then Intel® EMA will

keep an internal user database.
This is the default setting of the installation process. This
puts the installed instance in username/password mode.

Intel® EMA Server Installation Guide - July 2020

18
2.1.2.4.2 Domain Authentication

Note: For update mode, the fields are filled in and

cannot be changed.

If your server is joined to an Active Directory domain, you

have the option to Use domain authentication.
The currently logged-in user is automatically added to
Intel EMA with the Global Administrator role (shown as
Site Administrator in the screen at left).

2.1.2.5 Global Administrator Account Setup

Note: Not displayed in update mode.

This screen only appears during setup if you have chosen

“Normal accounts” for user authentication. If using
domain accounts, the user running the installer will be
made a Global Administrator.

Note: The Name field must be entered in the form

of an email address (i.e., name@domain).

Global Administrator: This role is able to perform user

management, tenant creation, and server management.
This role does not perform device management.

Intel® EMA Server Installation Guide - July 2020

19
2.1.2.6 Summary

Review your installation settings and then click Install.

All required Windows components will be installed,
followed by the Intel® EMA software itself.

IMPORTANT: Do not abort or exit the installer until

installation is complete. Installation rollback is not
supported.

Installation status is shown at the bottom of the Installer

main menu. Installation options are unavailable during
installation.
To check the log file during installation, click File >
Advanced Mode. To exit Advanced Mode, click File >
Advanced Mode again.

After installation, you can check the logfile EMALog-

Intel®EMAInstaller.txt in the same folder as the Intel EMA
installer.

Note: The following warning appears in the installation log file regardless of whether you are installing with a
local SQL Server or a remote SQL Server. For installations with a remote SQL Server, this message can be
ignored. For local SQL server installations, ensure the the account is set up to allow your IIS Default Applic-
ation Pool to connect.
EVENT: DbWarning, ExecuteNonQuerySafe warning: CREATE LOGIN [IIS
APPPOOL\DefaultAppPool] FROM WINDOWS() - System.Data.SqlClient.SqlException
(0x80131904): User does not have permission to perform this action.

At this point, you are ready to begin using the Intel EMA Server’s Platform Manager, as described in Section 4.

2.1.3 Distributed Server Architecture - Initial Installation

Notes:
l Prior to installing the initial server of a distributed server architecture, you must configure at least one
load balancer, consisting of a Swarm Server load balancer and an Ajax and Web server load balancer. If
desired, these can be two separate load balancers. The Ajax and Web server load balancer should use
ports 443 and 8084, and must have session persistence configured. The Swarm Server load balancer
should use port 8080 (session persistence not required).
l Intel EMA does not support SSL offloading. The suggested load balancing rules and session per-
sistence based on IP address can be achieved by level-4 load balancers. Level-7 load balancers can be
used as long as SSL offloading is not enabled. Furthermore, Intel EMA front-end traffic includes the
Web socket type, so make sure the load balancer you use supports this.
l If you use multiple load balancers, make sure each load balancer has its own IP address and
DNS name, and that these values are fixed. Fixed IP address and DNS name values are required for
single load balancers as well.
l For the health monitoring rule of the Swarm server load balancer, use 8080 for the port and TCP for
the protocol. For the load balancing rule for the Swarm Server load balancer, use 8080 for the front-

Intel® EMA Server Installation Guide - July 2020

20
 end and back-end ports, TCP for the protocol, and do not enable session persistence.
l For the health monitoring rules of the Ajax and Web server load balancer 's port 8084, use 8084 for
port and TCP for protocol. For the load balancing rule of the Ajax and Web server load balancer's 8084
port, use 8084 for the front-end and back-end ports, TCP for the protocol, and enable session per-
sistence with "Client IP with long enough duration (e.g., 180 minutes)". For the health monitoring and
load balancing rules for this load balancer's port 443, simply substitute the value "443" for "8084" in
the preceding instructions.
l By default, the Intel EMA Platform Manager runs under the System account, and so do the component
servers (Ajax server, Swarm server, Manageability server). In a distributed server installation, these com-
ponents may need access to a remote SQL Server, in which case you need to change the account
these components run under to one that can access the remote SQL Server. See Section 1.4.9 and Sec-
tion 1.4.17

2.1.3.1 Database Settings

Specify the server where the database is hosted. The

actual value depends on the database server you installed.
Refer to your SQL installation for details.

Notes:
l If you are using a SQL server installed on
the same machine as Intel® EMA then you
can use localhost.
l If you are using a remote SQL server, ensure
the SQL server’s account is set up for your
IIS Default Application Pool to connect.
l For security purposes, we recommend that
Windows authentication mode is used for
SQL Authentication. If using SQL Authentic-
ation, you must ensure the target credential
is set up in the SQL server first.
l For update mode, the fields are filled in and
cannot be changed.

Intel® EMA Server Installation Guide - July 2020

21
 To create a customized database connection string, click
the checkbox for Advanced Mode and enter a connection
string.
Note that both Basic and Advanced modes create a
connection string which is used by the Intel EMA
component servers. Advanced Mode allows you to create
a customized connection string. For more information
about connection strings, see
https://docs.microsoft.com/en-
us/dotnet/framework/data/adonet/connection-string-
syntax.

Note: The parameter “Mul-

tipleActiveResultSets=True” is required.

Regardless of mode (Basic or Advanced), the connection

string is encrypted and stored in c:\Program Files
(x86)\Intel\Platform
Manager\Runtime\MeshSettings\connections.config.

Important: If installing a distributed server archi-

tecture, copy the customized Connection String to
a text file to save it for use when installing addi-
tional servers.

Note: For update mode, the connection

information is displayed but cannot be edited.

2.1.3.2 Load Balancer Information

Note: For update mode, this screen is not

displayed.

For Identity mode:

l Use FQDN/hostname only: processes the request
with the FQDN/hostname only. We suggest enter-
ing the addressable, full FQDN.
l Use FQDN/hostname first: processes the request
using the FQDN/hostname, but can also find the
website via the IP Address.
l Use IP address: processes requests with the IP
address only
Enter the FQDN/Hostname and/or IP Address (or both,
depending on Identity mode) of the load balancer for the
Swarm Server.
Enter the FQDN/Hostname and/or IP Address (or both,
depending on Identity mode) of the load balancer for the
Ajax Server and Web Server components (or select Same

Intel® EMA Server Installation Guide - July 2020

22
 as Swarm Server).

Note: If you plan to use domain/Windows authentication mode (Kerberos), you will need to set up a Service
Principle Name (SPN) for the load balancer that supports the Ajax and Web server(s).

2.1.3.3 Server Components to Deploy

Note: For update mode, this screen is not

displayed.

Specify which server components to deploy on this server

machine, then verify the IP Address of this server
machine (field filled in by default).

Note: Only one machine can run the Manageability

Server component.

For information about the various server components, see

Section 1.5.

2.1.3.4 Platform Manager Configuration

Note: For update mode, the fields are filled in and

cannot be changed.

External Port is used by the Intel® EMA Platform Manager

service running on this Intel EMA server to accept
connection from the Intel EMA Platform Manager client
application. Make sure that the port you specify is open in
the underlying network.

2.1.3.5 User Authentication

Choose either Use normal accounts or Use domain authentication.

Intel® EMA Server Installation Guide - July 2020

23
2.1.3.5.1 Normal Accounts

Note: For update mode, the fields are filled in and

cannot be changed.

If you select Use normal accounts then Intel® EMA will

keep an internal user database.
This is the default setting of the installation process. This
puts the installed instance in username/password mode.

2.1.3.5.2 Domain Authentication

Note: For update mode, the fields are filled in and

cannot be changed.

If your server is joined to an Active Directory domain, you

have the option to Use domain authentication.
The currently logged-in user is automatically added to
Intel EMA with the Global Administrator role (shown as
Site Administrator in the screen at left).

Intel® EMA Server Installation Guide - July 2020

24
2.1.3.6 Global Administrator Account Setup

Note: Not displayed in update mode.

This screen only appears during setup if you have chosen

“Normal accounts” for user authentication. If using
domain accounts, the user running the installer will be
made a Global Administrator.

Note: The Name field must be entered in the form

of an email address (i.e., name@domain).

Global Administrator: This role is able to perform user

management, tenant creation, and server management.
This role does not perform device management.

2.1.3.7 Summary

Review your installation settings and then click Install.

All required Windows components will be installed,
followed by the Intel® EMA software itself.

IMPORTANT: Do not abort or exit the installer until

installation is complete. Installation rollback is not
supported.

Installation status is shown at the bottom of the Installer

main menu. Installation options are unavailable during
installation.
To check the log file during installation, click File >
Advanced Mode. To exit Advanced Mode, click File >
Advanced Mode again.
After installation, you can check the logfile EMALog-
Intel®EMAInstaller.txt in the same folder as the Intel EMA
installer.

Note: The following warning appears in the installation log file regardless of whether you are installing with a
local SQL Server or a remote SQL Server. For installations with a remote SQL Server, this message can be
ignored. For local SQL server installations, ensure the the account is set up to allow your IIS Default Applic-
ation Pool to connect.
EVENT: DbWarning, ExecuteNonQuerySafe warning: CREATE LOGIN [IIS
APPPOOL\DefaultAppPool] FROM WINDOWS() - System.Data.SqlClient.SqlException
(0x80131904): User does not have permission to perform this action.

Intel® EMA Server Installation Guide - July 2020

25
2.1.3.8 Modify IIS Settings If Ajax and Web Server Components Installed

Advisory: For update installations, do not perform the steps in this section.

If you selected the Ajax and Web Server components on the Server Components to Deploy screen above, you need
to modify your IIS settings to set up fixed machine keys. This will allow other Web Servers to use the same keys if
you install additional server components on other virtual or physical machines.
1. In IIS Manager, stop the Default Web Site.
2. In IIS Manager, open your server in the left-hand pane and double-click the Machine Key section under
ASP.NET and set the Encryption method to AES and the Validation method to one of the SHA-2 family meth-
ods (for example, HMACSHA256).
3. Under Actions at right, click Generate Keys to generate the Validation key and the Decryption key. You will
need these keys later when you install additional servers (see Section 2.1.4).
4. Click Apply and then restart the Default Web Site.
At this point, you are ready to install additional Intel EMA servers, as described in Section 2.1.4.

2.1.4 Additional Server Installation for Distributed Server Architecture

Notes:
l You must complete the steps in Section 2.1.3 before performing the steps in this section (or you can
reference any existing Intel EMA server already in your distributed server architecture).
l The steps below assume you have started the Intel EMA Installer and selected Additional Server
Install for Distributed Server Architecture at the Server Host Configuration screen as described in
Section 2.1.1.
l By default, the Intel EMA Platform Manager runs under the System account, and so do the component
servers (Ajax server, Swarm server, Manageability server). In a distributed server installation, these
components may need access to a remote SQL Server, in which case you need to change the account
these components run under to one that can access the remote SQL Server. See Section 1.4.9 and
Section 1.4.17

Intel® EMA Server Installation Guide - July 2020

26
2.1.4.1 Database Settings

Specify the server where the database is hosted.

Notes:
l For installing additional servers in
a distributed architecture, use the
same database settings that you
used when performing the initial
server installation (section
2.1.3.1).
l For update mode, the fields are
filled in and cannot be changed.

2.1.4.2 Server Components to Deploy

Note: For update mode, this screen is not

displayed.

Specify which server components to deploy on this server

machine, then verify the IP Address of this server
machine (field filled in by default).

Note: Only one machine can run the Manageability

Server component.

For information about the various server components, see

Section 1.5.

Intel® EMA Server Installation Guide - July 2020

27
2.1.4.3 Save the Server Settings Certificate Signing Request

Note: For update mode, this screen is not

displayed.

This screen lets you save a Certificate Signing Request

(CSR) for the server settings, which is needed to connect
your new server to your existing distributed server
environment.
1. Click Save serverSettings.csr.
2. Select where to save the certificate signing request
file.
Note: Be sure to save the .csr file to a loc-
ation where it can be accessed from the ini-
tial server you installed in Section 2.1.3
(such as a shared network drive accessible
from both machines or a USB drive).

3. Click Next.

2.1.4.4 Obtain Server Setting Certificate

Note: For update mode, this screen is not

displayed.

On the initial server you installed in Section 2.1.3, perform

the steps in Section 2.1.4.4.1 below.
Once you have created the Server Settings Certificate on
the initial server, click Next to proceed with the Additional
Server installation.

2.1.4.4.1 Create Server Settings Certificate on Initial Distributed Server Machine

Advisory: For update installations, do not perform the steps in this section.

Perform the following steps on the machine (physical or virtual) where you performed the initial server installation
(Section 2.1.3). These steps must be completed before proceeding to the next Setup Wizard screen of the additional
server installation.

Intel® EMA Server Installation Guide - July 2020

28
 1. Run the Intel EMA installer, EMAServerInstaller.exe. Be sure to Run as administrator.
2. From the menu bar at top, click File > Create Server Settings Certificate.
3. Browse to the location where you saved (or copied) the Certificate Signing Request (.csr) file in Section 2.1.4.3
above.
4. Click Save Certificate to save the new certificate (.cer) file.
Note: Be sure to save the .cer file to a location where it can be accessed from the additional server you
are installing (such as a shared network drive accessible from both machines or a USB drive).

5. Once the "Saved .cer file" message is displayed, click Exit to close the dialog, then click File > Exit on the Intel
EMA Server Installer.

2.1.4.5 Upload Server Setting Certificate

Note: For update mode, this screen is not

displayed.

1. Click Upload Server Settings Certificate.

2. Select the certificate file (.cer) that you created on
the initial distributed server machine in the pre-
vious step.

2.1.4.6 Platform Manager Configuration

Note: For update mode, the fields are filled in and

cannot be changed.

External Port is used by the Intel® EMA Platform Manager

service running on this Intel EMA server to accept
connection from the Intel EMA Platform Manager client
application. Make sure that the port you specify is open in
the underlying network.

Intel® EMA Server Installation Guide - July 2020

29
2.1.4.7 Summary

Review your installation settings and then click Install.

All required Windows components will be installed,
followed by the Intel® EMA software itself.

IMPORTANT: Do not abort or exit the installer until

installation is complete. Installation rollback is not
supported.

Installation status is shown at the bottom of the Installer

main menu. Installation options are unavailable during
installation.
To check the log file during installation, click File >
Advanced Mode. To exit Advanced Mode, click File >
Advanced Mode again.

After installation, you can check the logfile EMALog-

Intel®EMAInstaller.txt in the same folder as the Intel EMA
installer.

Note: The following warning appears in the installation log file regardless of whether you are installing with a
local SQL Server or a remote SQL Server. For installations with a remote SQL Server, this message can be
ignored. For local SQL server installations, ensure the the account is set up to allow your IIS Default Applic-
ation Pool to connect.
EVENT: DbWarning, ExecuteNonQuerySafe warning: CREATE LOGIN [IIS
APPPOOL\DefaultAppPool] FROM WINDOWS() - System.Data.SqlClient.SqlException
(0x80131904): User does not have permission to perform this action.

2.1.4.8 Modify Server Settings

Advisory: For update installations, do not perform the steps in this section.

The following steps are performed on the Server Settings tab of the Intel EMA user interface. See Section 6,
"Appendix - Modifying Component Server Settings" on page 54 for more information about component server
settings.
1. Open a browser and navigate to the URL of the Ajax and Web server load balancer that you configured as part
of you initial server installation. The Intel EMA website user interface is displayed.
2. At the login page, enter the user name and password for the Global Administrator. The Overview page is dis-
played.
3. From the navigation pane at left, select Settings to open the Server Settings page.
4. On the Swarm Server tab, click Add Entry.
5. For Server ID, you will need to review the Intel EMA database, specifically the [dbo].[ServerSettings] table.
The correct Server ID value on this dialog will be the value of ValueInt field in the database table with Type = 2
and for the server Name corresponding to your new additional server.
6. For IP Address and Port, if a Swarm Server was selected for installation on this additional server, enter the
IP Address of the Swarm Server. For the port, enter the port number (e.g., 8089) that is shown in the Admin

Intel® EMA Server Installation Guide - July 2020

30
 Port field at the top of the Swarm Server tab. The format for this field is [IP Address]:[Port] (for
example, 123.456.789.10:8089).
7. Click Save. At this time, do not use the Save and Restart Server button.
8. Repeat the above process on each of the Ajax and Manageability component server tabs. Note that only the
Swarm server tab has the Admin Port field, so use the same value in the IP Address and Port field on the
other server tabs.
9. Once all tabs have been updated, on each server machine in the distributed server environment, run Platform
Manager and restart all server components on each machine using Platform Manager's Halt and Run com-
mands. Also recycle the Intel EMA website's IIS app pool if you installed the Intel EMA Web and Ajax com-
ponents on that machine. Alternatively, you can restart each server machine in the distributed server
environment.

2.1.4.9 Modify IIS Settings If Ajax and Web Server Components Installed

Advisory: For update installations, do not perform the steps in this section.

If you selected the Ajax and Web Server components on the Server Components to Deploy screen during
additional server installation above, you need to modify your IIS settings to use the fixed machine keys created on the
initial distributed server installation (Section 2.1.3).
1. In IIS Manager, stop the Default Web Site.
2. Double-click the Machine Keys section and set the Encryption method to AES and the Validation method to
one of the SHA-2 family methods (for example, HMACSHA256).
3. Deselect the Generate Keys option, then set the values for the Validation key and the Decryption key to the
values used for the initial distributed server (see Section 2.1.3.8).
4. Click Apply and then restart the Default Web Site.
At this point, you are ready to begin using the Intel EMA Server’s Platform Manager, as described in Section 4.

2.2 Installing or Updating Using the Command Line

There are two modes for command line installation: Basic Mode and Advanced Mode. Use Basic Mode to provide all
database connection values directly in the command line. Use Advanced Mode to provide a customized database
connection string.
Note that both Basic and Advanced modes create a connection string which is used by the Intel EMA component
servers. Advanced Mode allows you to create a customized connection string. For more information about
connection strings, see https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-
syntax. Regardless of mode (Basic or Advanced), the connection string is encrypted and stored in c:\Program Files
(x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config.

Note: For updates from previous Intel EMA versions, the installer detects the connection string automatically.

Open a command prompt in Administrator mode in the folder where you unpacked the installation package.

2.2.1 Basic Mode

Use the command syntax template below and replace the placeholder values <in brackets> to install using normal
user accounts. For more options including domain authentication, run the executable with the --help option by

Intel® EMA Server Installation Guide - July 2020

31
itself.
EMAServerInstaller.exe FULLINSTALL --host=<server_fqdn> --dbserver=<db_server_address>
--db=<db_name> --dbuser=<SQL_user> --dbpass=<SQL_password> --guser=<global_admin_email>
--gpass=<global_admin_password> --verbose --console --accepteula

Note: For updates from previous Intel® EMA versions, do not enter the following parameters:dbserver, dbad-
vanced, db, dbuser, dbpass, guser, gpass. Doing so will cause the installation to abort and an error message
to be displayed.

For the connection to the server machine, you can also use the following structure:
--host=<name of FQDN of the server machine > --ip=<IP of the server machine > [--ipfirst|
--hostfirst]
If you want Intel EMA to use the IP to connect first, use the --ipfirst flag. If you want Intel EMA to use FQDN to
connect first, use the --hostfirst flag.
For the database connection, use the following:

Windows Authentication: --db=<DBName> and -–dbserver=<DBServerName>

SQL Authentication: --db=<DBName> and -–dbserver=<DBServerName>

--dbuser=<UserId> --dbpass=<Password>

If you want to install under “user name/password” mode (i.e., normal account mode), the command line structure
requires you to enter a username and password for the global administrator. These required parameters are identified
as follows:

For global administrator setup: --guser=<UserName> --gpass=<UserPassword>.

If you want to install under “domain/window authentication” mode, specify -– domainauth flag and do not enter -
-guser, --gpass.
The example syntax template uses the --console option, so no GUI will be loaded and instead the installer will
show progress on the screen and then return to the command prompt when completed.
At this point, you are ready to begin using the Intel EMA Server’s Platform Manager, as described in Section 4.

2.2.2 Advanced Mode

Note: For updates from previous Intel EMA versions, the installer detects the connection string automatically.

The --dbadvanced parameter is used to provide a customized database connection string, which is encrypted and
stored in c:\Program Files (x86)\Intel\Platform Manager\Runtime\MeshSettings\connections.config.
Use the command syntax template below and replace the placeholder values <in brackets> to install using normal
user accounts. For more options including domain authentication, run the executable with the --help option by
itself.
EMAServerInstaller.exe FULLINSTALL --host=<server_fqdn> --dbadvanced= “<connection_
string>” --guser=<global_admin_email> --gpass=<global_admin_password> --verbose --console
--accepteula
For more information about connection strings, see https://docs.microsoft.com/en-
us/dotnet/framework/data/adonet/connection-string-syntax.

Note: The parameter “MultipleActiveResultSets=True” is required.

Intel® EMA Server Installation Guide - July 2020

32
2.2.3 Distributed Server Architecture Installation
Use the command examples in this section to install a distributed server architecture instance of the Intel EMA server
(note that you can modify the examples below to use Basic or Advanced mode using the options described in the
sections above).

2.2.3.1 Initial Installation

To install the inital server of a distributed server architecture, use the syntax below , substituting correct values for
the placeholder values <in brackets> in the example .

Note: For updates from previous Intel® EMA versions, only the accepteula, console (c), and verbose (v) para-
meters are accepted. Do not enter any other parameters for updates. Doing so will cause the installation to
abort and an error message to be displayed.

EMAServerInstaller FULLINSTALL --isdistributedserverinit --swarmlbhost=<swarmHostLBName>

--swarmlbip=<w.x.y.z> --ajaxlbhost=<ajaxHostLBName> --ajaxlbip=<w.x.y.z>
--emaip=<w.x.y.z> [--ipfirst|--hostfirst] --dbserver=<dbServer> --db=<dbName>
--guser=<UserName> --gpass=<UserPassword> --deployajaxandweb --deploymanageability
--deployswarm --accepteula -c -v

2.2.3.2 Add an Additional Server

To install an additional server in a distributed server architecture, perform the following steps, substituting correct
values for the placeholder values <in brackets> in the examples.

Note: For updates from previous Intel® EMA versions, only the accepteula, console (c), and verbose (v) para-
meters are accepted. Do not enter any other parameters for updates. Doing so will cause the installation to
abort and an error message to be displayed.

1. Begin the installation on the additional server machine by entering the following command; the installation
will pause in order to consume the files created in the remaining steps. The installer command will pause for
the length of time specified in the --certimeoutseconds option. Note that if --csrfile option is not
provided, the default of .\serversettings.csr will be used (same for the cerfile, but with a .cer extension).

EMAServerInstaller FULLINSTALL --isdistributedserveradd --emaip=<w.x.y.z>

--dbserver=<dbServer> --db=<dbName> --certimeoutseconds=<timeOutSeconds>
--csrfile=<csrFilePath> --cerfile=<cerFilePath> --deployajaxandweb
--deploymanageability --deployswarm --accepteula -c -v
2. When the installer pauses, copy the generated certificate request (.csr) file to the initial server machine.
3. On the initial server machine, run the installer with the createsettingscert option, as shown below:

EMAServerInstaller CREATESETTINGSCERT --csrfile=<csrFilePath>

--cerfile=<cerFilePath> -c -v -a

Note: Alternatively, you can run the Intel EMA installer setup wizard on the initial server and click File
> Create Server Settings Cert, as described in Section 2.1.4.4.1.

4. On the initial server, copy the resulting certificate (.cer) file to the additional server machine. Or you can spe-
cify a shared folder accessible by both machines to save the .cer file to in the previous step, as long as you
specify the same location in the --cerfile option of the installer command in step 1 above.

Intel® EMA Server Installation Guide - July 2020

33
 5. On the additional server, the installation will automatically continue once it detects the certificate (.cer) file in
the location specified in the --cerfile option.

2.3 Uninstalling
Do not abort or exit the installer before the uninstallation is complete.

Notes:
l Before uninstalling, ensure the account used in the Intel EMA SQL connection string has at least db_
creator rights, which allow it to create, modify, and delete any database. This account must also have
the database level roles db_owner, db_datawriter, and db_datareader.
l If you uninstall Intel EMA but do not delete the database, it is recommended that you remove the
machine's IP address from the Server IPs server setting. On the Server Settings page (as a Global
Administrator), select the tab for the component(s) hosted on this machine, then under Server IPs,
select the correct IP address and click Remove Entry. Then click Save and Restart Server. Be sure to
do this for each component on the machine where you uninstalled Intel EMA. See Section 6 "Appendix
- Modifying Component Server Settings" on page 54.

2.3.1 Uninstalling Using the Installer GUI

1. On the Installer main menu, click the Uninstall the Intel® EMA Server option at bottom.
2. On the dialog, decide whether you want to delete the settings certificate.
3. Decide whether you want to delete the database.

WARNING! If this is a distributed server architecture installation, this option will make the entire Intel
EMA instance unusable. Use this option only if this is the last remaining server.

4. Click OK, then click OK to the warning message.

5. After the uninstall is complete, check the log by clicking File > Advanced Mode to confirm successful com-
pletion.

2.3.2 Uninstalling Using the Command Line

1. Open a command prompt window with administrative privileges.
2. Change directory to where the Intel EMA Installer Package was extracted.
3. To uninstall without removing the database and settings certificate, type the UNINSTALL command below
and press Enter.

EMAServerInstaller UNINSTALL –c --verbose

4. To uninstall and remove the settings certificate, add the --deletesettingscert option.

EMAServerInstaller UNINSTALL --deletesettingscert –c --verbose

5. To uninstall and remove the database, add the --deletedb option, shown below (to remove both the set-
tings certificate and the database, use both options).

EMAServerInstaller UNINSTALL --deletedb –c --verbose

WARNING! If this is a distributed server architecture installation, this option will make the entire Intel

Intel® EMA Server Installation Guide - July 2020

34
 EMA instance unusable. Use this option only if this is the last remaining server.

Intel® EMA Server Installation Guide - July 2020

35
3 Using the Global Administrator
Interface
Intel® EMA’s Global Administrator pages are used to manage tenants, users, and user groups.
To login to Intel EMA, do the following:
1. Open a browser and navigate to the FQDN/Hostname you specified during installation.
2. At the login page, enter the user name (i.e., email address) and password for the Global Administrator.

Note: If you specified domain authentication, the Global Administrator Overview page is automatically dis-
played.

At the right of the Global Administrator Overview page are “Quick links”, which provide shortcuts for the most
common operations. There is also a “Getting Started tips” link to simple tutorials for this user role.

To log out, click the user name in the top bar of the Overview page and select Log out.

3.1 Changing the Global Administrator Password

This operation can only be performed if “normal accounts” authentication mode was selected during installation.
Click the user name in the top bar and select Change password.

3.2 Creating and Deleting Tenants

To create a new Tenant, do the following:
1. From the Overview page, click Create a tenant under Quick links at top right. Or, from the Users page (avail-
able from the navigation bar at left), select the Tenants tab and click New Tenant.
2. Enter a Tenant Name and Description, then click Save.
The new Tenant is created, and the Manage Tenants & Users page is displayed.
To delete a Tenant, select the Tenants tab on the Manage Tenants & Users page, then click the ellipsis (…) for the
target Tenant and select Delete Tenant….

3.3 Managing Users and User Groups

To manage users or user groups, you must first select a target tenant. New users (except for a new global
administrator) and user groups are created under this target tenant.

3.3.1 Adding, Modifying, and Deleting User Groups

To create a new User Group, do the following:
1. From the Users page (available from the navigation bar at left), select the User Groups tab and click New
Group.
2. In the New Group dialog, enter a Group name, Description, and specify Access Rights, then click Save.
To delete a user group, go to the User Groups tab of the Manage Tenants & Users page, click the ellipsis (…) for the
target user group and select Delete Group....

Intel® EMA Server Installation Guide - July 2020

36
3.3.2 Adding, Modifying, and Deleting Users
To add a user, do the following:
1. From the Overview page, click Add or remove users under Quick links at top right. Or, from the Users page
(available from the navigation bar at left), select the Users tab.
2. Select which tenant to manage users for, and click New User.
3. In the New User dialog, enter a valid email address for User name, then enter a Password (and confirm), and
Description.
4. Select a Role for this user and click Save.
To delete a user, go to the Users tab of the Manage Tenants & Users page, click the ellipsis (…) for the target user,
and select Delete....

Note: The last Global Administrator user cannot remove its account, nor edit it.

To edit a user, go to the Users tab of the Manage Tenants & Users page, click the ellipsis (…) for the target user, and
select Edit....
If you are editing your own user account, in order to change the password, you will need to enter your current
password first. If you are editing other accounts (that your role can manage), you do not need to enter the user’s
current password.
For “locked” users, use the Edit option to unlock the user’s account.

Intel® EMA Server Installation Guide - July 2020

37
4 Performing Intel® EMA Server
Maintenance
Use the Intel EMA Platform Manager to monitor each Intel EMA server and perform various maintenance tasks on the
component servers running on the Intel EMA server machine. You can also use it to deploy a new Intel EMA
component server package. In a distributed server architecture environment, a Platform Manager client on one Intel
EMA server machine can connect to and monitor the server components on the other Intel EMA server machines.

Note: Be sure to change the user account under which the Platform Manager service runs. See Section 1.4.17
for details.

4.1 Configuring the Intel® EMA Platform Manager

Service
Before using the Platform Manager, review this section and decide if you want to modify any default settings. All of
the configurable values are in the file C:\Program Files (x86)\Intel\Platform Manager\Platform Manager
Server\settings.txt.

4.1.1 Platform Manager TLS Certificate

The Platform Manager Service provides the TCP TLS connection between the service and the client application. A
default certificate for this TLS connection is provided with the Intel EMA installation, but this default certificate can be
updated to a certificate from a reputable certificate authority by updating the “certhash” value in the settings.txt file
with the thumbprint of the TLS certificate you want to use.

4.1.2 Mutual TLS Certificate for Client Authentication

The Platform Manager Service can optionally require that Mutual TLS be used in the connection between the service
and client applications. To enable this, update the “allowedclientcert” value in the settings.txt file with the client
certificate thumbprint. Multiple client certificates are supported by adding multiple “allowedclientcert” lines.
When you enable this feature, only clients providing a certificate which corresponds to one defined in the
“allowedclientcert” list will be allowed to connect.

4.2 Using the Intel® EMA Platform Manager Client

Application
Once you have configured the Platform Manager service, you are ready to start using the Platform Manager client
application.

4.2.1 Starting Intel® EMA Platform Manager

1. Start the Intel® EMA Platform Manager application like any other normal Windows desktop application.
2. In the Connect to Platform Manager Server dialog, enter the identifier (hostname/FQDN/IP Address) and
port for the Intel EMA Platform Manager server. If you are on the same machine as the Intel EMA component
servers, use the localhost:port value. In a distributed server architecture environment, if using Active

Intel® EMA Server Installation Guide - July 2020

38
 Directory, ensure all computers (including the load balancer host) are in Active Directory and use the load bal-
ancer host's FQDN.
3. Enter the Intel® EMA Web Server Identifier. This is the hostname/FQDN/IP Address you use to open the
Intel EMA website.
4. If you configured the service for Mutual TLS, select a Client Authentication Certificate.
5. Click OK.
6. If prompted, Accept the Server Certificate.
7. In the Connection Credentials dialog, enter the username and password for the Global Administrator user. If
you are using Windows Authentication, select Use Windows Authentication and then click OK. If you get an
error connecting to the Intel EMA server, check to ensure you entered the correct identifier for the Platform
Manager server above, and that the Intel EMA server is up and running.

Note: If you are using Windows Authentication, ensure the system running Platform Manager is
joined to the domain, and that the Global Administrator account you are using is logged into the
domain. Otherwise you will be prompted for credentials.

8. The Intel EMA Platform Manager window is displayed, with the application servers shown in the left-hand
pane. If the screen prompts you to Connect, check to ensure you entered a user with Global Administrator
rights in the Connection Credentials dialog.

4.2.2 Monitoring Component Server Events

1. Select a component server from the list in the left-hand pane (for example, the EMAAjaxServer).
2. Select the Events tab to see the events for that server. Events are also logged in C:\Program Files (x86)\In-
tel\Platform Manager\EMALogs\EMALog-[server type].txt on the selected server machine. Note that the log
file contains more detail than what is displayed on the Events tab.
3. If desired, click Trace at the bottom of the panel to enable detailed debugging tracing (this will result in a lot
more messages being logged). The trace log is also logged in C:\Program Files (x86)\Intel\Platform Man-
ager\EMALogs\TraceLog-[server type].txt.

Note: The trace file will not be present if tracing is not enabled for the selected component server.

4.2.3 Monitoring Component Server Internal Tracking Information

1. Select a component server from the list at left.
2. Select the Component tab to display useful information for the selected component server. Different com-
ponent servers have different tracked values, as described below.
Intel EMA AJAX server:
l AjaxSessions: Number of active AJAX request sessions issued by Intel EMA JavaScript library, which are pro-
cess by the AJAX server.
l HttpSessions: Number of HTTP sessions (used for web redirection features) issued by Intel EMA JavaScript lib-
rary, which are process by the AJAX server.
l SwarmSessions: Number of active TCP connections to the Swarm server from the AJAX server.
l TerminalSessions: Number of terminal sessions (used for the Serial-Over-LAN feature and the file browsing
feature) issued by Intel EMA JavaScript library, which are process by the AJAX server.
l WebSocketSessions: Number of active Web Socket sessions issued by Intel® EMA JavaScript library, which
are process by the AJAX server.

Intel® EMA Server Installation Guide - July 2020

39
Intel EMA Manageability server:
l Each row is a slot to be used for Intel AMT provisioning. A pending Intel AMT provisioning request is put into
an available slot. The Manageability server starts the provisioning for all the slots individually. If there is no
slot available, the request awaits for an available slot to open. The row displays the information text of Intel
AMT provisioning.
Intel EMA Swarm server:
l ConAgents: Number of active Intel EMA Agent’s TCP connections to the Swarm server.
l ConConsoles: Number of active TCP connections from other Intel EMA servers.
l ConIntelAmt: Number of active Intel AMT CIRA connections to the Swarm server.
l DbFails: DB queries’ failure count made by this Swarm server.
l DbQueries: DB query count made by this Swarm server.

4.2.4 Performing Basic Controls on Component Servers

To halt/stop or resume an component server, right-click the server in the left-hand pane and select the desired
option.
To see the available control commands for a particular component server, select a server and go to its Console tab,
then type “help” and click Send. The commands are listed below.
All servers:
l testmessage: This sends out test blast messages via TCP connections between Intel EMA components. You
should see the Received test blast from: [source server] message in the Events tab of the AJAX server, Man-
ageability server, and the Swarm server.
l echo: Print back what you typed.
l time: Print the current server machine time.
l utctime: Print the current server machine time in UTC.
l version: Print the component version.
l shutdown: This will let you shutdown/halt this server; however, it will be re-launched soon after.
l collect: Trigger .NET garbage collection.
l whoami: Print the current account this server runtime is running under.
l logpath: Print the log folder path.
l trace: Lets you start/stop tracing info being logged in a trace file. The trace file is in the path specified by log-
path.
Intel EMA AJAX server:
l stats: Print the "tracked values", same as what Application tab shows.
l testdb: Test connection to Intel EMA server DB.
l ajaxcert: Print information about the inter-service TLS ajax certificate.
l swarmsessions: Print the current swarm sessions.
l alertsessions: Print the current alert sessions.
l restart: Restart the AJAX server.
l dbcount: Control DB trace counting.
l Start: This starts to collect the database SQL commands info, run by the Swarm server. It includes the
collection start time, the collection duration, and the total number of DB connections made by Swarm

Intel® EMA Server Installation Guide - July 2020

40
 server. For each SQL command item, it includes the execution count, the error count, the total running
time, and the SQL command. Note that our SQL commands are designed to use parameterized inputs.
Therefore, we only log the parameter name here, not the value.
l Save and Restart: Save the collected data to the EMALogs folder in the Intel® EMA server installation
folder.
l Cancel: Cancel the data collection and do not save anything to file.
l mcount: Print the count of different types of test blast messages sent via TCP connections between Intel
EMA components.
l triggertaskscheduler: Task scheduler normally checks if there is any scheduled task to run periodically. This
will trigger the checking immediately.
l getcompletedtransactions: Print the information for completed metadata uploads.
l getpendingtransactions: Print the information for pending metadata uploads.
Intel EMA Manageability server:
l testdb: Test connection to Intel EMA server DB.
l exec: This triggers the Manageability server to check Intel EMA server DB to find any Intel AMT provisioning
work to be done immediately. Otherwise, Manageability server checks that periodically.
l restart: Restart the Manageability server.
l dbcount: Control DB trace counting.
l slots: Print activation tasks' slots. Manageability server currently is performing internal throttling. It can do at
most concurrent 20 provisioning tasks (slots). For the remaining provisioning tasks, they will wait in the Intel®
EMA sever DB to be picked up later.
l rslots: Print redirection tasks' slots. Redirection is for some usages that Intel EMA is not currently supporting,
but will support in future releases, e.g. IDE-R. Manageability server currently is performing internal throttling.
It can do at most concurrent 20 redirection tasks (slots). For the new tasks that are beyond this capacity, it will
be ignored and dropped.
l manageabilitycert: Displays information about the inter-service TLS manageability certificate.
Intel EMA Swarm server:
l stats: Print
l The incoming traffic from Intel EMA Agent in bytes, the outgoing traffic to Intel EMA Agent in bytes.
l .Net Garbage Collector: GetTotalMemory’s value. Intel EMA DB queries count, connections count, DB
queries failure count made by this Swarm server.
l Connected Intel EMA agent counts.
l The number of received blast messages, the number of sent blast messages.
l Intel EMA server DB schema version.
l testdb: Test connection to Intel EMA server DB.
l swarmcert: Display information about the inter-service TLS swarm server certificate.
l servercert: Display information about the Intel EMA swarm server certificate.
l resetagentstore: Sync the in-memory agent installers information based on the available Intel EMA agent
installers in Intel EMA DB. Then it checks the agent download and agent upload for each connected Intel EMA
agents.
l forcedisconnect: This will disconnect this target endpoint for now. The endpoint can still connect back.
l restart: Restart the Swarm server.

Intel® EMA Server Installation Guide - July 2020

41
 l dbcount: Control DB trace counting.
l consoles: This lists the current connected Intel EMA application servers. For example, when you do a
"remote terminal" session, there will be 1 console session between AJAX Server and Swarm server.
l dbschema: Print the Intel EMA server DB schema version.
l allownode: Add an endpoint to white list. When Swarm server gets an Intel EMA agent connection request, if
there exists a non-empty endpoint banned list, it will check it. If this incoming agent/endpoint is banned, it
will reject the connection.
Note: The current Intel EMA release does not implement this feature.

l bannode: Add an endpoint to banned list.

l clearnodeaccess: Clear the banned and white list in memory. It will be reloaded when Swarm server starts
again.
l nodeaccesslist: Print the endpoint white/banned list.
l ipblocklist: When Swarm server gets an Intel AMT CIRA or Intel EMA agent connection request, if there exists
an non-empty IP block list, it will check it. If this incoming IP address is in the same subnet as specified in the
IP block list, it will reject the connection.
Note: The current Intel EMA release does not implement this feature.

l swarmid: Print the this Swarm server's id and the lead Swarm server's id. This is useful when you have mul-
tiple Swarm servers under load balancer. The leader is usually the Swarm server just started recently and with
highest ID.
l agentpingtime: Print the current ping time for maintaining Intel EMA agent TCP connection. If you provide a
numerical argument, it will set the ping time to this value in seconds.
l agentrequireping: Print if we need all the Intel® EMA agents to respond with a pong to a ping sent by the
Swarm server. 1 is true, and 0 is false. If this setting is true, then the Swarm server will drop the agent TCP con-
nection if a pong is not received. If you provide an argument (1 or 0), you can set the value.
l ignoredupagents: By default, this is disabled. When the Intel EMA Swarm server receives an incoming Intel
EMA agent connection, if this connection has an endpoint ID that is the same as an existing connection, then
we will disconnect and remove the existing connection and accept the new one. However, if this is enabled,
we will do nothing and just ignore the new incoming connection. This prints 1 or 0. 1 is true/enabled, and 0 is
false/disabled. If you provide an argument (1 or 0), you can set the value.
l swarmpeers: Print the other peer Swarm servers' IDs and IP addresses.

4.3 Deploying New Packages

A package is a zip file containing a component server or website. An Intel EMA release contains several packages.
Packages are located in the StoredPackages folder in your Intel EMA release.

Note: If you have an older version of Intel EMA, you can use Platform Manager to upload and deploy newer ver-
sions without touching your Intel EMA database. However, if the new release includes Intel EMA database
changes, then you should still use the Intel EMA installer to perform an update.

To update a particular component server:

1. In the left-hand pane, open Intel® EMA Servers and select a machine from the list (for example, localhost).
2. Select the Storage tab.

Intel® EMA Server Installation Guide - July 2020

42
 3. Click Upload and select the .zip package (for example, EMASiteCoreReact.zip) you want to deploy to that
machine. The old version is replaced with the new version in the Component Packages list.
4. Click Deploy to deploy the new package on the selected machine.

4.4 Updating the Database Connection String

To update the database connection string after installation, do the following:
1. Run the Intel® EMA Installer Wizard (in the installation folder, right-click on EMAServerInstaller.exe and
select Run as administrator).
2. From the File menu, select Advanced Mode. Additional menus are displayed, including the Database menu.
3. From the Database menu, select Update Database. The Update Database Settings dialog is displayed.
4. To update the server or database name, or the SQL authentication user and password, simply enter new val-
ues for these fields and click Update. To enter a new customized database connection string, continue to the
next step.
5. Click the checkbox for Advanced Mode.
6. Enter a new Connection String. For more information about connection strings, see https://-
docs.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax.

Note: The parameter “MultipleActiveResultSets=True” is required.

7. Click Update to update the connection string and close the Update Database Settings dialog.

Note:
l You must restart all Intel EMA component servers (i.e., Swarm Server, .Manageability Server, etc.) in
order for the new connection string to take effect.
l A copy of the previous connection string file c:\Program Files (x86)\Intel\Platform Man-
ager\Runtime\MeshSettings\connections.config is created.
l In a distributed server architecture environment, the connection string must be updated on all Intel
EMA server systems.

4.5 Revoking a Server's Certificate

In a distributed server architecture environment, there may be situations where you want to revoke an Intel EMA
server's certificate. For example, if you suspect a server has been compromised, or if you plan to decommission a
server.
The following certificates (installed in the Personal certificate store on the local Windows machine) can be revoked:
l Inter-component TLS certificates: These certificates are used for communication between Intel
EMA components (Ajax server, Swarm server, etc.), as well as between Intel EMA server machines in a dis-
tributed server installation. They can be identified by the value "EmaMtlsXXX" in the IssuedTo field, and the
value "MeshRoot-XXXX" in the IssuedBy field.
l Intel EMA settings certificates: These certificates are used to read the encrypted Intel EMA server settings in
the Intel EMA database. They can be identified by the value "MeshSettingsCertificates-XXX" in the IssuedTo
field, and the value "MeshRoot-XXXX" in the IssuedBy field.

IMPORTANT! If you revoke the Intel EMA settings certificate on a single server installation (or on the last
server of a distributed server architecture), you will render the Intel EMA server inoperable. This cannot be
recovered and requires fully reinstalling the Intel EMA server using the installation wizard or the command line

Intel® EMA Server Installation Guide - July 2020

43
 installation.

The Intel EMA API provides an API called CRL, which stands for Certificate Revocation List. This API essentially adds a
certificate's serial number to a "blacklist" file of certificates known as a Certificate Revocation List.
To use this API to revoke a server's certificate, consult the Intel® EMA API Guide or review the API documentation
online in Swagger. Then use a tool like "cURL" to issue the CRL API commands at a command prompt window.

Note: The CRL API includes the option to restart the Intel EMA server components automatically (default) or
manually. The automatic option restarts all Intel EMA component servers (Ajax server, Swarm server, etc.),
including the IIS app pool that hosts the Intel EMA website. Note that any other websites in that app pool will
be restarted as well. The automatic option restarts all components on all servers in a distributed server archi-
tecture.

4.6 Periodic Database Maintenance

The Intel EMA database grows over time, which can eventually affect performance. Periodically, you should rebuild
the table indexes and clean up the database row file and log file to ensure optimal database performance.

4.7 Restoring the Intel® EMA Server from Backup

In Section1.4.1, we recommend that you back up your Intel EMA database and MeshSettingsCertificate after
installing Intel EMA. This section describes how to restore your Intel EMA server from that backup.

Note: These steps apply to a single server architecture installation. Further information on distributed archi-
tecture restoration is provided at the end of this section.

1. Start with a clean system.

2. Restore the database backup.
3. Restore the MeshSettingsCertificate certificate (including the private key) to the Local Machine/Personal loc-
ation of the Certificate Store. The access of the private key needs to be open for the account running the Intel
EMA components and the account running Intel EMA IIS website.
4. Run the Intel EMA Installer and choose Single Server setup, as described in Section "Installing or Updating the
Intel® EMA Server" on page 14. Be sure to point the installation to the restored database. The installer will indic-
ate that you are performing an update installation. This is normal.
5. Once the installation completes, check the installation log EMALog-IntelEMAInstaller.txt in the same folder as
the installer. You can ignore the WebSettingsSyncing error in the installer log.
6. In the Intel EMA installer, click the Advanced Mode menu, select Settings. On the Settings page, select Sync
web server settings.
7. In IIS Manager, check to ensure IIS bindings are correct. You should see information similar to the following:

Site bindings should be similar to this:

Intel® EMA Server Installation Guide - July 2020

44
 For ports 443 and 8084, you should see binding details like this (with 443 or 8084 port):

For URL rewrite, you should see settings like this:

Intel® EMA Server Installation Guide - July 2020

45
For distributed environments, as long as you have at least on machine left with a healthy Intel EMA installation, you
can use that machine to set up additional Intel EMA server machines as described in section 2.1.4.
If you do not have any healthy machines left, follow the steps above to recover a single server first. Then use the
Server Settings GUI page (see Section 6) to adjust the server settings (Server IPs, Swarm server list) to match your
current situation.

Intel® EMA Server Installation Guide - July 2020

46
5 Appendix: Troubleshooting After
Installation
5.1 General Troubleshooting
Check logs, traces, or events
Intel® EMA Server Installation Error
Intel® EMA Platform Manager Service
not starting
Intel® EMA Server Installation Guide - July 2020
The installation log file EMALog-Intel®EMAInstaller.txt is located in
the same folder as the Intel EMA installer (i.e., wherever you
downloaded and ran the installer).
Note: The following warning appears in the installation log file
regardless of whether you are installing with a local SQL Server
or a remote SQL Server. For installations with a remote
SQL Server, this message can be ignored. For local SQL server
installations, ensure the the account is set up to allow your IIS
Default Application Pool to connect.
EVENT: DbWarning, ExecuteNonQuerySafe warning:
CREATE LOGIN [IIS APPPOOL\DefaultAppPool] FROM
WINDOWS() - System.Data.SqlClient.SqlException
(0x80131904): User does not have permission to
perform this action.
Please see Section 4 of this guide for information on viewing the log
file, trace file, or events for each of the Intel® EMA component servers.
Intel® EMA Platform Manager Package path not set correctly
The installer can find an existing Platform Manager settings file (e.g.,
C:\Program Files (x86)\Intel\Platform Manager\Platform Manager
Server\settings.txt), but cannot find the Intel EMA packages (e.g.,
C:\Program Files (x86)\Intel\Platform Manager\Packages) listed in
that settings file.
To fix:
1. Uninstall the Intel EMA Server, selecting all options.
2. Ensure that Intel EMA Platform Manger is no longer installed
and there is no content in the Intel EMA installation folder
(e.g., C:\Program Files (x86)\Intel\Platform Manager).
3. Re-install the Intel EMA Server.
Like all Windows services, the Intel EMA Platform Manager Service
will timeout if the service takes too long to start (30 seconds by
default). On slow machines, this timeout limit may be reached while
the Intel EMA Platform Manager Service is starting. If this happens
Intel EMA will not work correctly.
Check the status, events, and log of this service:
l In the Windows Services viewer, check to see if it is started
successfully.
47

Error when trying to access the Intel®
EMA website
Intel® EMA Server Installation Guide - July 2020
l In the Windows Event Viewer, go to Windows Logs \ System
and look for entries with Level: Error and Source: Service Con-
trol Manager.
l If this service has exceptions thrown, you can find them in the
log file, PlatformManagerError.txt, on your Windows drive (e.g.
C:\PlatformManagerError.txt).
To fix:
Change the Windows registry settings to modify this timeout value.
We recommend doing an internet search for “Error 1053
ServicesPipeTimeout” for information on how to do this.
Ensure the website is deployed. The website may not be deployed
due to the package path issue mentioned above.
To fix:
Use Windows IIS Manager to determine the folder of the Intel® EMA
website (click Explore under Actions, top right). In that folder you
should see many subfolders and files.
If not, use the Platform Manager to “sync site” and redeploy the
website.
48
Using Internet Explorer on a Windows
Server machine
The target Intel® EMA website URL must If the URL used to access the Intel EMA website does not match the
match the Intel® EMA website’s cer-
tificate
Warnings and errors during Intel® AMT
setup/provision
Intel® EMA Server Installation Guide - July 2020
The default security settings of Internet Explorer on Windows Server
(e.g. Windows Server 2014) can cause many features of Intel EMA to
not function correctly.
To fix:
We recommend using other web browsers (e.g., Chrome or Firefox)
on Windows Server machines.
Issued to field of Intel EMA website certificate, the web browser’s
security filtering will block many features.
To fix:
Ensure Intel EMA URL matches the Issued to field of the certificate.
Depending on the target Intel® AMT firmware’s status, some of the
warnings/errors may be transient errors. The Intel EMA Manageability
server will automatically re-try the failed setup periodically. However,
some of the warnings/errors are valid and need to be addressed.
Note: Refer to the Platform Manager section of this guide for
information on warnings and error messages logged by the
Manageability server during the setup/provision process.
Transient warnings/errors that can be ignored
Warning/Error type – OTP_REQUIRED:
Message:Host Based Admin Setup (1st try): OTP_
REQUIRED
Message:Unable to go to admin mode, rolling back
out of client mode.
Warning/Error type – INTERNAL_ERROR due to Unauthorized WSMAN
call:
49
 Message:Creating DotNetWSManClient object...
Warning:Error (2):
Intel.Manageability.WSManagement.WSManException:
The remote server returned an error: (401)
Unauthorized.
Message:Host Based Setup (1st try): INTERNAL_ERROR

Note: The server will re-try the installation despite these errors

until the third try.

Valid warnings/errors that must be addressed

PKI domain suffix not matching the PKI certificate:

Warning/Error type – Message:Host Based Admin

Setup (3rd try): AUTH_FAILED
Warning/Error type – Message:Unable to go to admin
mode, rolling back out of client mode.

INTERNAL_ERROR due to Intel® Management and Security Application

Local Manageability Service (LMS) installed but disabled:

Warning/Error type – Warning:Error (2):

Intel.Manageability.WSManagement.WSManException:
The underlying connection was closed: The
connection was closed unexpectedly.
Warning/Error type – Message:Host Based Setup (3rd
try): INTERNAL_ERROR

WSManException due to Intel AMT FW requiring a reset:

Warning:Error (2):
Intel.Manageability.WSManagement.WSManException:
The underlying connection was closed: The
connection was closed unexpectedly. --->
System.Net.WebException: The underlying connection
was closed: The connection was closed unexpectedly.
If this does not resolve after the Intel® Manageability
Server retries the setup, then shut down the Intel® AMT
machine, unplug the power cable and unplug the
Ethernet cable to reset the Intel® ME firmware. Then
reconnect the cables back and restart the machine.

Error due to full certificate store in Intel® AMT FW:

Error: .[omitted]….. Certificate Store in firmware is full

and no more certificates can be added.
In this case, we suggest to unprovision this Intel® AMT
system. Then use Intel® EMA’s manual provision or

Intel® EMA Server Installation Guide - July 2020

50

Intel® AMT operation does not work, but This section applies to the scenario where Intel EMA server is
all other features function correctly
Uninstalling Intel® EMA server fails to
drop the database
Intel® EMA Server Installation Guide - July 2020
auto provision to set up this system again.
installed under Use hostname only mode and the target endpoint is
provisioned with Intel AMT CIRA.
If Intel AMT operation does not work, but all other features work, it is
very likely that the Intel AMT CIRA firmware cannot resolve the
hostname/FQDN entered during Intel EMA server installation.
To fix:
1. Unprovision the target endpoint.
2. With a clean setup and a clean/unprovisioned endpoint, per-
form a CIRA provision and monitor the provision events.
a. To monitor, go to the EMAManageabilityServer’s
Events tab in Platform Manager. Make sure there are
no errors (a few warnings are OK).
b. On the target endpoint, open the Intel® Management
and Security Status Tool and go to the General tab. If
the provision is successful, you should see two
events: Configured and Remote Control Connection
is Enabled.
c. If the provision was successful, continue with the
remaining steps. Otherwise, check the event and logs
of the Intel® Manageability server and fix the issues.
3. On the EMASwarmServer’s Component tab (in Platform Man-
ager), monitor the ConIntelAmt value. This is the number of
active CIRA connections. If you provisioned one endpoint with
CIRA and CIRA successfully established the connection to
Intel EMA Swarm server, this value should be 1. If this number
is not correct, restart the target endpoint and wait for one to
two minutes. If the ConIntelAmt value is still incorrect, con-
tinue with the remaining steps.
4. At this point, Intel AMT CIRA firmware probably cannot
resolve the hostname/FQDN. To verify this, use the fixed IP
address mode to do a provision. If fixed IP address mode
works, then the root cause is due to the name resolution
issue. In that case, consult your IT administrator. Follow these
steps to temporarily use the fixed IP address mode:
a. On the Server Settings page, change the ciraserver_ip
setting of the Manageability server (see "Appendix -
Modifying Component Server Settings" on page 54).
b. Save settings are restart the Manageability server.
5. Unprovision the target endpoint and re-perform the provision.
This time, CIRA will use the IP address you specified above.
When uninstalling the Intel EMA server, you may see the
warning/error: “Unable to drop database.”
51
 To fix:
1. Open Microsoft SQL Server Management Studio and connect
to your database, then check the existing databases.
Determine whether the Intel EMA database is set to “Single
User” mode.
2. Right click the target database and choose Delete. Do not
change any default values in the Delete option window. Delete
the target database.
3. If the database is not deleted, right-click the database server
and choose Restart. After the database server is restarted, try
to delete the target database again.

5.2 Distributed Server Installation Troubleshooting

Server components (Swarm, Ajax, etc.) do
not appear to be connecting to each other
across machines
Check the following:
l Load Balancer: Ensure your load balancer is configured
properly per its documentation. Specifically, ensure that
health checking rules and traffic forwarding rules include
ports 443 (front-end), 8084 (front-end), and 8080 (agent
and Intel AMT CIRA connections). For ports 443 and
8084, traffic forwarding rules must have session per-
sistence (stickiness) enable.
l Firewall and Network Ports: Ensure your firewall rules
have the required ports set to Open. See "Server network
ports" on page 4. Also check any other network security
rules for your environment.
l Server Settings: On the Server Settings page of the Intel
EMA UI, check the following for each component server:
l Server IP addresses: ensure the correct list of
IP addresses is shown for each type of component
server.
l Message Port: This is the port that this com-
ponent server type is listening on for inter-com-
ponent messages. If you changed this in Server
Settings, make sure the new port is not blocked by
a firewall.
l Swarm Server list: Ensure the correct list of "
[Machine ID]:[Machine IP Address]" pairs for the
Swarm Servers in your distributed installation. You
can verify the Machine ID in the Intel
EMA database under the Server Settings table.
Then use the Machine Name to obtain the correct
IP Address for that machine.
l After verifying, test the components by starting
Platform Manager and running "testmessage" on

Intel® EMA Server Installation Guide - July 2020

52

Authentication fails intermittently
From one of the machines in a distributed
server architecture installation:
l Platform Manager client cannot con-
nect to the Platform Manager service
-OR-
l Cannot open the Intel EMA UI in a
browser
Intel® EMA Server Installation Guide - July 2020
the Console tab of one of the Intel
EMA components. Each component should be
able to send out a blast message to all other com-
ponents (including itself) on all machines in the
distributed installation. Verify the reception of the
messages in the Events tab of each component on
each machine.
Ensure that all Intel EMA websites in the distributed environment
are using the same machine keys. Verify this using IIS Manager
on each machine where the Intel EMA website is hosted. See Sec-
tion 2.1.3.8.
In a distributed environment, if you install Intel EMA under
Kerberos (Windows Authentication), the Platform Manager client
may have difficulty connecting to the Platform Manager service
from one of the distributed server machines. Similarly, you may
have difficulty opening the Intel EMA UI in a browser from one of
the distributed server machines.
This is due to the Service Principal Name (SPN) for the load
balancer not being configured correctly in Active Directory.
To fix:
To fix this problem, ensure your SPN for the load balancer is
correctly configured.
Also, you can use one of the other server machines' FQDN for the
target URL, not the load balancer's FQDN (the other machine must
have an Ajax or Web server installed). Doing so will allow you to
launch Platform Manager or browse to the Intel EMA website
from one of the server machines in your distributed environment
(i.e., a host managed by the load balancer), regardless of the
SPN configuration for the load balancer.
Note that from all other machines (i.e., systems not managed by
the load balancer), you can simply use the load balancer's FQDN.
53
6 Appendix - Modifying Component
Server Settings
The settings for the various component servers (Swarm Server, Ajax Server, etc.) that comprise the Intel EMA server
can be modified using the Server Settings tab, which is accessible from the Settings selection on the vertical
navigation pane at left.
The following subsections describe the settings available for each of the component servers.

Note: If you change the serverIps or messagePort setting for any of the component servers, you must restart
all the component servers, not just the one whose settings you changed (in a distributed server architecture,
you must do this on all server machines). Also, you will need to recycle the Intel EMA web site's IIS application
pool to restart the Intel EMA web server when you change these two settings. For other settings, restarting
only the modified component server will suffice. If you change messagePort, make sure the new port is not
blocked by a firewall.

6.1 Swarm Server

Setting Description
Admin Port The port that Swarm Server's Admin TCP listener will bind to. This is for communication
from other Intel EMA server processes to the Swarm server. The default is 8089.

Admin Port Local Determines if the Admin TCP listener will only bind to the local loopback or not. Values
are 0 and 1.
0 = Single server environment
1 = Distributed-server environment

Audit Log Cleanup Inter- Interval in hours before cleanup of audit log records in the Intel EMA database.
val (Hours)

Audit Log Cleanup Inter- Interval in days before cleanup of audit log records in the Intel EMA database.
val (Days)

enableCIRAPowerPolling Enable periodic CIRA power state polling. Values are True/False. The default is True.

Log File Path Path to the Intel EMA logfile.

maxdbconnections The maximum number of concurrent DB connections for this server.

messagePort The TCP port this component server type is listening on to accept internal traffic from
other Intel EMA components. Default 8093.

serverIps List of machine IP addresses where this component server type is running. For example,
if the Swarm server is running on machine ip1, ip2, and ip3, then serverIps will include all
IP addresses.

Swarm Servers List of active Swarm Servers (format IP Address: port)

Intel® EMA Server Installation Guide - July 2020

54
6.2 Ajax Server
Setting Description
Ajax Cookie Auto Range in minutes in which the Ajax cookie life can be extended.
Refresh Range

Ajax Cookie Idle Amount of time, in minutes, from when the cookie is added until it expires.
Timeout

Http Header Access Additional headers to set in response to the Ajax request.
Control Allow Head-
ers

Log File Path Path to the Intel EMA logfile.

maxdbconnections The maximum number of concurrent DB connections for this server.

messagePort The TCP port this component server type is listening on to accept internal traffic from other
Intel EMA components. Default 8092.

serverIps List of machine IP addresses where this component server type is running. For example, if the
Ajax server is running on machine ip1, ip2, and ip3, then serverIps will include all
IP addresses.

Swarm Servers List of active Swarm Servers (format IP Address: port)

User Access Failed Number of failed password attempts before user account is locked by the Web API.
Max Count

Expire Sessions Sets whether the Ajax server should expire the session or not (default is enabled).

6.3 Manageability Server

Setting Description
CIRA Server IP IP Address of the CIRA access server, which is the Swarm Server (or the Swarm Server
load balancer in a distributed architecture). Only used when the installation mode is
using IP address.

CIRA Server Host Hostname of the CIRA access server, which is the Swarm Server (or the Swarm Server
load balancer in a distributed architecture). Only used when the installation mode is
using hostname. This is used in multi-server installations.

CIRA Server Port The port of the CIRA access server, which is the Swarm Server (or the Swarm Server
load balancer in a distributed architecture). Used by the load balancer to direct incom-
ing traffic (from CIRA) to the Swarm Server's 8080 port.

Log File Path Path to the Intel EMA logfile.

maxdbconnections The maximum number of concurrent DB connections for this server.

messagePort The TCP port this component server type is listening on to accept internal traffic from
other Intel EMA components. Default 8094.

serverIps List of machine IP addresses where this component server type is running. For
example, if the Manageability server is running on machine ip1, ip2, and ip3, then
serverIps will include all IP addresses.

Intel® EMA Server Installation Guide - July 2020

55
Setting Description
Swarm Servers List of active Swarm Servers (format IP Address: port)

6.4 Web Server

Setting Description
Access Token Time to Live Expiration duration of the API bearer token, in seconds.

Ajax Server Host Hostname or IP address of the Ajax server, or the load balancer of the Ajax
servers.

Allowed Domains, Enable Allowed Used by the Ajax server. If enabled, the web server checks incoming
Domains Ajax/websocket requests to accept or reject.
AllowedDomains is a comma delimited list with example
test1.intel.com,test2.intel.com.

EnableAllowedDomains is 0 (false) or 1 (true).

Log File Path Path to the Intel EMA logfile.

maxdbconnections The maximum number of concurrent DB connections for this server.

Swarm Server Host Hostname or IP address of the Swarm server, or the load balancer of the
Swarm servers.

Swarm Server Port 8080 in single server installation or the Swarm server port exposed by the
swarm server load balancer in distributed server architecture.

Global Catalog Port The port used for connecting to the Active Directory Global Catalog. This is
used to perform AD login when AD username and password are provided.
Default is 3269, which is the SSL port.

Max Access Token TTL Maximum time for API bearer tokens to be refreshed.

Frontend Storage Type Allows you to specify whether API bearer tokens should be stored in Local Stor-
age or Session Storage. If Local Storage is used, the session will remain (no
need to login again) after the front end website is closed. If Session Storage is
used, the session is lost when the front end website is closed.

Intel® EMA Server Installation Guide - July 2020

56
7 Appendix – Domain/Windows
Authentication Setup
The Intel® EMA installer sets up the fundamental settings for domain/Windows authentication if it is installed under
domain/Windows authentication mode. However, there are many different network infrastructure scenarios. Some of
the scenarios require the IT administrators to perform extra steps.

7.1 Server Connection Information Set at Installation

While running the Intel EMA installer, at the hostname field of External Identity setup, we suggest using the NetBIOS
hostname or NetBIOS FQDN of your machine in the Hostname field. You still need to make sure that other endpoints
or other client web browsers can connect to the value you entered here. You can find your NetBIOS name by right-
clicking This PC in Windows File Explorer, and choosing Properties.

If you decide to use another value (e.g., in a load balancing scenario), follow IT practice to set up the Service Principle
Name (SPN) after Intel® EMA is installed.

7.2 IIS Website’s Authentication and .NET

Authorization
Intel EMA sets the following properties (differently from most default IIS website setups) for the Intel® EMA website
when it is installed under domain/Windows authentication mode:
l At IIS \ Authentication, also enable “Anonymous Authentication” with “Application Pool Identity”
l At ASP.NET \ .NET Authorization Rules, “Anonymous Users” need to be allowed
Please double check that these properties are set correctly.

7.3 Internet Explorer Used by the End User

For the domain/Windows authentication to work correctly, the Intel EMA website should be recognized as being in
the Local Intranet zone. You can verify the zone by right-clicking on the Intel EMA web page, and then choosing
Properties.
Some users may have Display intranet sites in Compatibility View selected (checked) under the Compatibility View
Settings in Internet Explorer. This needs to be unchecked; otherwise, the Intel EMA website will not work correctly.

7.4 Optional – Grant Permission to Website Content

There are several options for setting up this permission, e.g., NTFS or URL Authorization. IT administrators need to
set it up based on their specific infrastructure need.

7.5 Optional – Double-hop Structure

In a normal Intel EMA installation, you don’t need to do this. However, if you need to support special double-hop
authentication, e.g., passing the logged-in credential to another backend server, then you need to set up several extra
settings, e.g., Delegation at AD’s Computer object for your server machine. Please follow standard IT practice.

Intel® EMA Server Installation Guide - July 2020

57
7.6 References
l https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-
in-iis/
l https://blogs.msdn.microsoft.com/webtopics/2009/01/19/service-principal-name-spn-checklist-for-ker-
beros-authentication-with-iis-7-07-5/
l https://support.microsoft.com/en-us/help/326214/how-to-configure-user-and-group-access-on-an-
intranet-in-windows-serve
l https://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-
disk
l https://docs.microsoft.com/en-us/iis/-
configuration/system.webserver/security/authentication/anonymousauthentication
l https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-
2012/hh831722(v=ws.11)

Intel® EMA Server Installation Guide - July 2020

58
8 Appendix – Configuring Network
Infrastructure for 802.1X Authentication
This section is intended for those Intel® EMA Global Administrators who want to enable 802.1X authentication for
Intel® AMT. If this does not apply to you, skip this section.
Intel EMA supports Extensible Authentication Protocol (EAP), which is compatible with Microsoft’s implementation
of the RADIUS specification, the Network Policy Server (NPS).

Note: This section focuses on configuration for the Intel EMA server system to enable 802.1x usage overall.
For information on configuring an 802.1x profile for a specific Tenant usage space, see the Intel® EMA Admin-
istration and Usage Guide.

8.1 RADIUS Server - NPS

NPS is Microsoft’s implementation of the RADIUS standard specified by the Internet Engineering Task Force (IETF) in
RFCs 2865 and 2866. As a RADIUS server, NPS performs centralized connection authentication, authorization, and
accounting for many types of network access, including wireless, authenticating switch, dial-up and virtual private
network (VPN) remote access, and router-to-router connections.
NPS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment. You can use NPS
with the Remote Access service, which is available in Windows Server 2016.
The following figure shows NPS as a RADIUS server for a variety of access clients.
Figure 1: NPS components

To configure NPS as a RADIUS server, you can use either standard configuration or advanced configuration in the
NPS console or in Server Manager. To configure NPS as a RADIUS proxy, you must use advanced configuration.

Intel® EMA Server Installation Guide - July 2020

59
8.2 Configure a Microsoft NPS
8.2.1 Dependencies
User database: A database and all of the required objects for searching and authenticating users during connection
attempts is required. The most common source for this is Active Directory. This guide describes the use of Active
Directory as a source for configuring user authentication on the NPS.
PKI Infrastructure: If the 802.1X EAP protocol used requires the use of certificates, the required infrastructure and
Certification Authorities must already be deployed in the domain in order for the NPS to correctly validate the
credentials presented by RADIUS supplicants (endpoints).
RADIUS Clients: Any device capable of receiving and forwarding requests and responses to and from the RADIUS
server can function as a RADIUS client in this configuration. This is also true for any device capable of using the
information resulting from the process to allow or deny connection to the network. For wired connections, this
device is usually a Network Switch compatible with 802.1X authentication. For wireless connections, this is usually a
Network Router device compatible with 802.1X authentication (WPA Enterprise or similar).

All of the dependencies listed above must be configured independently of this feature in order for the NPS
deployment to proceed successfully.

8.2.2 Step 1 – Adding the NPS Role to Windows Server

1. From the Server Manager Console, launch the Add Roles and Features wizard
2. Click Next, and select Role-based or Feature-based installation.
3. Click Next again.
4. Select a server and click Next.
5. In the Server Roles panel, select Network and Policy Access Services and click Next.
Figure 2: Select server roles

(If requested, check the Install Management Tools box.)

6. Click Next on the Features panel.
7. Click Next on the Network and Policy Access Services panel.

Intel® EMA Server Installation Guide - July 2020

60
 8. On the Confirmation panel, verify the configuration and click Install. If asked to reboot, proceed.
9. When the configuration is complete, click Finish and close the wizard.
10. If the previous step was successful, the Network Policy and Access Services (NPAS) role should appear in the
Server Manager.
Figure 3: NPAS role shown on the left panel

8.2.3 Step 2 – Configuring NPS as a RADIUS Server

1. From the Server Manager console, select Network Policy and Access Server, then right-click the server and
select Network Policy Server.
Figure 4: Open NPS settings

Intel® EMA Server Installation Guide - July 2020

61
 2. From the NPS Console, in the Standard Authentication section, click the Configuration Scenario dropdown
list and select RADIUS Server for 802.1X Wireless or Wired Connections.
3. The configuration link below should now display “Configure 802.1X”. Click the link to continue the process.
Figure 5: Updated configuration link

4. The Select 802.1X Connections Type panel lets you select the type of network (wired / wireless) connections
that will be authenticated using this policy. Select Wired or Wireless connections, give the policy a name, and
click Next.
5. The Specify 802.1X Switches panel lets you configure one or more RADIUS clients. These devices will route
requests and responses to and from the NPS. Click Add, and in the resulting “New Radius Client”, fill out all of
the applicable information and click OK. Then, click Next.

Important: The shared secret must be the same on both the NPS and RADIUS clients.

6. On the Configure an Authentication Method panel, select the protocol and credential type to use on the
policy. The example in this guide shows the configuration of the EAP-TLS protocol with certificate-based cre-
dentials.
7. Click the Configure button, then select the TLS Certificate presented by the NPS to the supplicants (end-
points) when a connection attempt is received.

Important: The certificate must be issued by a Certification Authority trusted by the endpoint device.

8. Once finished, click OK, and then Next.

9. On the Specify User Groups panel, select all of the groups that the NPS will use to validate the client cre-
dentials when a connection attempt is received. Intel EMA supports specifying a list of Security Groups where
Intel AMT devices can be added in order to facilitate 802.1X authentication. Those groups should be included
in the Network Policy. Click Next to continue the configuration.
10. If needed, configure any applicable Traffic Control Attributes, then click Next.
11. Verify the configuration and click Finish.

8.2.4 Post-configuration Actions

Perform the following actions to NPS to adjust the RADIUS server as required.

8.2.4.1 Create or edit a RADIUS client

1. From the left-side navigation tree in the Network Policy Server window, open RADIUS Clients and Servers >
RADIUS Client.

Intel® EMA Server Installation Guide - July 2020

62
 Figure 6: Access the RADIUS client option

2. To create a new client, click on the section name and then click New. To edit an existing client, double-click
on it.
3. Set the required information, especially the following:
l Address (IP or DNS): This is the address of the Client device that will contact the server.
l Shared secret: Create a passphrase that will be used by the actual RADIUS Client for authentication.

8.2.4.2 Create or edit a Connection Request Policy

These policies will filter the requests made by the client. They will grant or reject the connections according to either
the client’s properties, type of network interface used, etc., and, optionally, will apply extra settings to the incoming
request.
1. From the left-side navigation tree in the Network Policy Server window, open Policies > Connection Request
Policies.
2. To create a new policy, click on the section name and then click New. To edit an existing policy, double-click
on it.
3. Set the required configuration. In particular, set the Conditions the request should fulfill.

8.2.4.3 Create or edit a Network Policy

These policies will be applied to the connection in order to grant or deny access to the network. The protocol to be
used by the 802.1X authentication is validated with these policies.
1. From the left-side navigation tree in the Network Policy Server window, open Policies > Network Policies.
2. To create a new policy, click on the section name and then click New. To edit an existing policy, double-click
on it.
3. Set the required configuration. In particular, set the Conditions and Constraints the request should fulfill.

Intel® EMA Server Installation Guide - July 2020

63
 Figure 7: Access the Network Policy properties (a)

Figure 8: Access the Network Policy properties (b)

8.3 Configuring the RADIUS Clients

To configure the RADIUS clients, refer to the device’s manual and follow the instructions to configure the desired
network using the settings specified above.
For Wireless Access Points, the settings will usually require the following:

Intel® EMA Server Installation Guide - July 2020

64
 l Select the network to authenticate using 802.1X
l From the authentication protocol select WPA/WPA2 Enterprise
l On the RADIUS Server field, enter the IP Address or hostname of the RADIUS Server (NPS)
l On the Shared Secret, enter the same secret used to configure the RADIUS server

For Wired Ethernet switches, the settings will usually require the following:
l On the RADIUS Server configuration, enter the IP Address or hostname of the RADIUS Server (NPS)
l On the Shared Secret, enter the same secret used to configure the RADIUS server
l Enable the 802.1X configuration for Port Based Authentication
l Configure Port authentication to indicate which ports will authenticate using 802.1X

8.4 Connecting Endpoints to the Network

In order for devices to access the network, ensure the following:
l RADIUS Server – NPS properly configured, enabled and with active network policies and Connection Request
policies that match the desired medium, RADIUS clients and credential types.
l RADIUS Client – All of the applicable network devices and Access Points are configured to forward requests
and responses to and from the NPS as above.
l Supplicant – The endpoint device must be configured to connect to the specified network using the correct
credential type. For in-band (OS) connections, this will require installing the applicable certificate on the Cer-
tificate store on the device. For out-of-band connections (Intel AMT), this will require provisioning the device
using an Intel AMT Profile that fits the 802.1X settings used to configure the network.

8.5 Environment Setup Example

This section provides a complete configuration of an environment that implements the 802.1X authentication
provisioning Intel AMT devices through Intel EMA.
The environment is composed of the following elements:

l Windows Server 2016 Standard with the following servers, services and programs:
l Active Directory Domain Services
l Active Directory Certificate Services
l DHCP Server
l DNS Server
l Internet Information Services
l Network Policy Server
l SQL Server 2016
l Endpoint Management Assistant v1.3.2
l Static IP Address: 192.168.1.2
l Netgear Prosafe GS108T Smart Switch for Ethernet connections
l Netgear AC1200 Smart WiFi Router Model: R6220 for Wireless connections
l Dell Latitude E7270 Intel vPro® capable Intel AMT v11.8.50 as endpoint

Intel® EMA Server Installation Guide - July 2020

65
8.5.1 Active Directory Domain Services
1. Add an Organization Unit under Domain: VPRODEMO.COM. This Organizational Unit, VProDevComputers,
stores the Computer objects used for 802.1X authentication.
Figure 9: Add a new Organization Unit

Intel® EMA Server Installation Guide - July 2020

66
 2. Add privileges to the machine where Intel EMA server is running.
a. Create a Security Group with Group scope = Domain Local.
Figure 10: Create a security group

b. Add the target Computer object to the new security group. Do this for the machine hosting the man-
ageability server.
Figure 11: Add computer to the new security group

Intel® EMA Server Installation Guide - July 2020

67
 Figure 12: Modify the security group’s members

c. Add the new security group to the Security tab of the Organizational Unit where the AD Computer
objects for 802.1X authentication will be created. Ensure that this security group has all available per-
missions allowed, and edit the Advanced Security Settings to apply this group's privileges to “This
object and all descendant objects.”

Intel® EMA Server Installation Guide - July 2020

68
 Figure 13: Modify Security list of the OU

Figure 14: Modify advanced security settings

Intel® EMA Server Installation Guide - July 2020

69
8.5.2 Active Directory Certificate Services
1. Choose the Certification Authority (Enterprise root CA): VPRODEMO-WIN-GUVUHKBNQ69-CA.
Figure 15: Certification Authority list

2. Create a Certificate Template: AMTComputer. This is a duplicate template based on the Workstation
Authentication template.
Figure 16: Certificate Templates list

a. Right-click AMTComputer and select Properties.

b. On the Subject Name tab, select Supply in the request.
c. On the Request Handling tab, select Allow private key to be exported.
d. On the Security tab, grant Read and Enroll permission to Domain Computers. (Also add Everyone for
manual enrollment.)
e. Enable the template in the Certification Authority (right-click on Certificate Template and select New
> Certificate Template to Issue).

8.5.3 Network Policy Server

1. Set up two RADIUS clients, one for each network access point, as shown below.
Table 4: Network Policy Server RADIUS clients

Friendly Name IP Address Device Manufacturer Status

NetgearGS108T 192.168.1.4 RADIUS Standard Enabled

NetgearR6220 192.168.1.3 RADIUS Standard Enabled

Intel® EMA Server Installation Guide - July 2020

70
 Figure 17: RADIUS client 1

Intel® EMA Server Installation Guide - July 2020

71
 Figure 18: RADIUS client 2

2. Set up a Connection Request Policy.

Figure 19: NPS Connection Request Policies view

Intel® EMA Server Installation Guide - July 2020

72
 3. Set up a Network Policy, used to evaluate connections using EAP-TLS protocol, indicating the following prop-
erties:
l Conditions: Authentication Type = EAP
l Constraints: Authentication Methods. EAP Types: Microsoft: Smart Card or other certificate
Figure 20: NPS Network Policies view

Figure 21: EAP Types: Microsoft: Smart Card or other certificate properties

8.5.4 Wired Connection

The example below uses an Ethernet switch Netgear GS108T with Static IP Address 192.168.1.4.

Intel® EMA Server Installation Guide - July 2020

73
 1. For Port Authentication: Security > Port Authentication > Advanced > Port Authentication:
a. Set Port Control to Auto to indicate the ports that will authenticate the connection using RADIUS
Server.
b. Set Port Control to Authorized for the ports that will not be restricted.
Figure 22: Port Authentication configuration

2. For 802.1X Configuration: Security > Port Authentication > Basic > 802.1X Configuration, enable 802.1X for
Port Based Authentication.
Figure 23: 802.1X configuration

3. For RADIUS Server configuration: Security > Management Security > RADIUS Server Configuration, add a
configuration for the RADIUS server, indicating the shared secret defined in the NPS RADIUS Client created for
this connection.
Figure 24: RADIUS Server configuration

Intel® EMA Server Installation Guide - July 2020

74
 4. For Authentication List: Security > Management Security > Authentication List, edit the current “defaultList”
to set RADIUS as the first authenticator.
Figure 25: Authentication List configuration

8.5.5 Wireless Connection

Wi-Fi access point Netgear R6220 with Static IP Address 192.168.1.3.
For Restricted Wireless Network: Basic > Wireless, choose one of the wireless networks for the 802.1X
authentication (2.4 GHz in this example).
l Security Options: Set WPA/WPA2 Enterprise.
l Security Options details: Set WPA2 [AES] (it also works with WPA).
l Specify the RADIUS Server’s IP address and set the shared secret defined in the NPS RADIUS Client created for
this connection.

Figure 26: Figure 7 26 Wireless Network configuration

8.6 Glossary
AAA: Authentication, Authorization, and Accounting.
CA: Certification Authority

Intel® EMA Server Installation Guide - July 2020

75
NPS: Network Policy Server (this is the Microsoft implementation of the RADIUS standard)

Intel® EMA Server Installation Guide - July 2020

76