Professional Documents
Culture Documents
5 User Guide
Legal Notice
Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Altiris, and any Altiris or Symantec trademarks used in the product are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Licensed Software does not alter any rights or obligations you may have under those open source or free software licenses. For more information on the Third Party Programs, please see the Third Party Notice document for this Symantec product that may be available at http://www.symantec.com/about/profile/policies/eulas/, the Third Party Legal Notice Appendix that may be included with this Documentation and/or Third Party Legal Notice ReadMe File that may accompany this Symantec product. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Supports primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantecs support offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and/or Web-based support that provides rapid response and up-to-the-minute information Upgrade assurance that delivers software upgrades Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis Premium service offerings that include Account Management Services
For information about Symantecs support offerings, you can visit our website at the following URL: www.symantec.com/business/support/ All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description:
Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes
Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/ Customer Service is available to assist with non-technical questions, such as the following types of issues:
Questions regarding product licensing or serialization Product registration updates, such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade assurance and support contracts Information about the Symantec Buying Programs Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs, DVDs, or manuals
Contents
Technical Support ............................................................................................... 4 Chapter 1 Chapter 2 Introducing Real-Time System Management .................. 9
About Real-Time System Management ............................................... 9
Chapter 3
Contents
Chapter 4
Appendix A
Appendix B
Troubleshooting
.................................................................. 52 52 54 55 56 57 58
Troubleshooting Real-Time System Manager connection ...................... Configuring the firewall to allow WMI connection ........................... Configuring the firewall on a single computer ............................... Configuring the firewall on multiple domain computers with a group policy ............................................................................. Disabling simple file sharing on Windows XP SP2 ......................... Configuring User Access Control on Windows Vista or later versions of Windows .........................................................
Appendix C
Index
.................................................................................................................... 66
Chapter
Remote boot through Integrated Drive Electronics Redirection (IDE-R) See Booting a computer from remote location using IDE-R on page 33. Remote console redirection See Starting a Serial-over-LAN (SOL) remote control session on page 31.
10
Hardware filtering of network traffic (Circuit Breaker) using Intel vPro System Defense technology See Blocking network traffic from and to the computer on page 34. Hardware alerts for Intel AMT and DASH See Updating Intel AMT and DASH alert settings on page 20.
Chapter
About one-to-many tasks Managing the power state of computers remotely Using the Restore State power action Automatically turning off computers in critical state Collecting and viewing Intel AMT, DASH, and IPMI inventory Updating BIOS settings Resetting a local user password on multiple computers Managing a process on multiple computers Managing a service on multiple computers Updating Intel AMT and DASH alert settings Booting multiple computers from a remote location Filtering the network traffic on multiple computers Updating Intel AMT settings or unconfiguring Intel AMT
12
For out-of-band management, client computers also must support ASF, DASH, or AMT technology. For example, you can perform the following one-to-many tasks:
Boot a group of computers from either a PXE, a floppy/HDD/CD device, or an image that is located in a remote location. Block network traffic to and from the client computer's operating system. Remotely reset a password for a local user account on a group of computers. Remotely start or stop a process on a group of computers. Perform various power operations: start, stop or reboot a group of computers.
See List of available operations on page 44. For more information on how to discover out-of-band capable computers, see http://www.symantec.com/docs/DOC6628.
1 2
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Power Management.
13
In the right pane, under Power action, select the power action to execute. Choose from the following actions:
Power On Turns on the target computers using the out-of-band management technology (ASF, DASH, IPMI, or Intel AMT) that the target computers are configured to use. Attempts to turn off the target computer through WMI. If WMI fails, a hard shutdown is performed using one of the out-of-band management technologies. Attempts to restart the target computer through WMI. If WMI fails, a hard reset is performed using one of the out-of-band management technologies. You can use this power action when you include the power management task in a job. You cannot use this power action in a standalone task. This power action lets you restore the power state that you changed by running another power management task earlier in the job. For example, you can run the Power On action, and later in the job, you can run the Restore State action. The latter turns off the computers that were turned off, but the computers that were turned on stay turned on. See Using the Restore State power action on page 14.
Power Off
Reboot/Reset
Restore State
14
(Optional) Configure the advanced boot options. The options are as follows:
Lock client keyboard Prevents the users from interacting with the target computer. Prevents the users from turning off and restarting the computer using the buttons that are located on the computer case. Lets you start the computer without the startup password. When the computer starts, it can send the detailed progress PET events to the SNMP server. Use the Update Out-of-Band Alert Settings task to configure the event's destination address. See Updating Intel AMT and DASH alert settings on page 20.
Bypass computer's startup password Client's firmware transmits all progress PET events
The availability of these features depends on the hardware that you use.
5 6
Click Save changes. Run the task once or on a schedule. For more information, view the topics about running and scheduling tasks in the Symantec IT Management Suite powered by Altiris technology User Guide. Choose a connection profile that is configured with correct WMI, ASF, DASH, IPMI, or Intel AMT credentials. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.
Run the Power On action to turn on computers. After that, run another task. After that, run the Restore State task, to restore the power state of the computers.
15
In this example, if a computer was turned off, the Restore State action turns off the computer. If a computer was turned on, the Restore State action keeps the computer turned on. The Sample Job is an example of the Restore State power action usage in a job. For this power action to work, you must configure the Task Input to use the output from the previous power management task, as shown in the sample job. You can use the Restore State power action only in a job. To use the Restore State power action
1 2 3 4
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand Samples > Real-Time Console Infrastructure > Sample Job. On the Sample Job page, under Jobs/Tasks, click Run "Restore power state". Under Task Input, see how the task input is configured.
1 2 3 4 5 6 7 8
In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, expand Monitoring and Alerting > Alert Rule Settings. In the right pane, click the Task Rules tab. On the toolbar, click Add. Under Rule, on the toolbar, click Add > Alert protocol. In the Select comparison drop-down list, click equals. In the Enter value drop-down list, click Simple Network Management Protocol. Under Rule, on the toolbar, click Add > Alert severity.
Running one-to-many tasks Collecting and viewing Intel AMT, DASH, and IPMI inventory
16
10 In the Enter value drop-down list, click Critical. 11 Under Task, click New. 12 In the Create New Task dialog box, in the left pane, click Real-Time Console
Infrastructure > Power Management.
13 In the right pane, click Power Off. 14 Click OK. 15 Turn on the task rule.
At the upper right of the page, click the colored circle, and then click On.
16 Click Save.
1 2 3
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, click System Jobs and Tasks > Real-Time Console Infrastructure > Get Out-of-Band Inventory. Run the task once, or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Choose a connection profile that is configured with correct Intel AMT, DASH, or IPMI credentials. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.
17
To view the Intel AMT, DASH, or IPMI inventory for a client computer
Open the Resource Manager for a computer by double-clicking on a specific resource that is found in a filter. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.
2 3
On the View menu, click Inventory. In the tree view pane, expand the Real-Time Console Infrastructure folder and select an inventory data class.
You can also view out-of-band inventory from the Reports page. To view Intel AMT, DASH, and IPMI inventory using a report
1 2 3
Click Reports > All reports. In the left pane, click Reports > Remote Management > Real-Time Console Infrastructure > Out-of-band Harware Inventory. In the right pane, on the Out-of-Band Hardware Inventory page, under Parameters, choose the setting for the report that you want to view.
18
1 2 3 4 5 6
In the Symantec Management Console, on the Manage menu, click Jobs and Taks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Update BIOS Settings. Under the Select and configure BIOS settings, add the settings that you want to modify. Click Save changes. Run the task once or on a schedule. Restart the target computers to apply the new BIOS settings. Note: If BIOS is password protected, Symantec recommends, that you create a job that includes the Set Administrator Password task and the Update BIOS settings taks See Managing the power state of computers remotely on page 12.
1 2 3 4 5
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Password Management. Type the user name that you want to reset the password for in the following format: COMPUTER\User Type and confirm a new password.
19
6 7 8
Type the name and password of an administrative user with permissions to manage the specified user account. Click Save changes. Run the task once or on a schedule. FFor more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.
1 2 3 4
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Process Management. Type the name of the process to run or stop. Example: AeXNSAgent.exe You can also type a full UNC path (Example: \\server\share\AeXNSAgent.exe) as long as you have the authentication infrastructure to support that. This means that either you have no authentication (null session shares) or you have Kerberos with the intermediate computer trusted for delegation, and delegatable credentials for the user.
5 6 7
Select an action. Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.
20
1 2 3 4
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Service Management. Type the name of the service to manage. Example: cisvc
5 6 7
Select an action. Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.
Where to send the alerts. Which alerts to send. Which alerts to log.
You can also run this task on the computers that are turned off.
Running one-to-many tasks Updating Intel AMT and DASH alert settings
21
This task also lets you configure the SNMP traps destination address for computers with ASF. However, this functionality is performed in-band, through the WMI connection. The ASF-capable computer must be turned on with a Microsoft Windows operating system running. To update Intel AMT and DASH alert settings
1 2 3
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Update Out-of-Band Alert Settings. Under Subscription settings, type the SNMP servers IP address. This value is applied to computers with Intel AMT and ASF. By default, the task is configured with the Notification Server computers IP address. In this case, Event Console (a component of Notification Server) accepts and displays the SNMP events that the client computers send. For more information, view topics about alert management in the Altiris Monitor Solution for Servers from Symantec User Guide.
Type the destination URI for DASH alerts. By default, the value is set to the Notification Servers Web service event listener, which is part of the Pluggable Protocol Architecture component:
http://<Notification Server IP>/Altiris/WSEL/wsel.aspx
Currently, DASH does not support sending alerts through an HTTPS connection. If your Notification Server is installed on a secure Web site, configure the wsel.aspx file so that it can be accessed through HTTP.
Select the DASH alerts delivery mode. The options are as follows:
Push The DASH client computer does not verify if the event listener accepted the alert.
Push with acknowledge The DASH client computer verifies if the event listener accepted the alert. If no reply is received from the event listener, the client computer can unsubscribe this particular event filter (vendor dependent).
22
7 8
Under Select and configure event filters, click Add, select the alerts that you want to configure with the task, and then click OK. Under Select and configure event filters, select one or more alerts, and, on the Actions menu, click what you want to do with this alert. The options are as follows:
Subscribe Activates the alert. When the alert triggers, a message is sent to the destination address that you provided in the Subscription settings section. Deactivates the alert, but does not remove it from the memory.
Unsubscribe
Remove from client Removes the alert from the client computers memory and reclaims space.
(Optional) If the client computer does not have enough free space to fit all of the alerts that you configured. To allow partial alert subscription, check Allow partial alert application. and reclaim space before applying new subscriptions, check Remove 3rd party filters and alert subscriptions.
10 (Optional) To remove all previous alert subscriptions from the client computer
23
You can also perform this task on a single computer in real time. See Booting a computer from remote location using IDE-R on page 33. To boot multiple computers from a remote location
1 2 3 4 5
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Boot Redirection. In the right pane, click a device to boot from. To start the computer from an image, click Browse to navigate to a network share where the image is located. Warning: Do not use an image file that is placed on a CD or a DVD-ROM to start the computer. Use only the images that are stored on local or network hard disk drives.
6 7
Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Warning: If there is already an active IDE-R session, it is terminated when the task runs.
24
See Network filtering ports and settings on page 62. You can customize the ports that you want to stay open. See Modifying the list of open network filtering ports on page 42. You can also manage network traffic on a single computer in real time. See Blocking network traffic from and to the computer on page 34. To filter the network traffic on multiple computers
1 2 3 4
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time System Manager. Click Network Filtering. If you want to block network traffic to and from the operating system, do the following:
Click Filter network traffic other than to and from the Notification Server. Choose if you want to use the default solution filtering settings or browse for a custom .xml file. (Optional) To prevent the client computer from sending malicious packets, check Enable anti-spoofing filter. This feature forces the identity verification of outgoing network traffic and drops packets if the computer is suspected of originating malicious attacks that are known as IP spoofing.
(Optional) To protect the client computer from network flooding, click Limit the number of PING packets to, and type the number of packets per second allowed to pass through the Intel AMT network filter. Default: 10 packets per second.
6 7 8
(Optional) To disable network filtering, click Allow all network traffic. Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.
Running one-to-many tasks Updating Intel AMT settings or unconfiguring Intel AMT
25
1 2 3
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Update Intel AMT Settings. Select which of the following Intel AMT features you want to allow:
Web UI You can use this web-based interface for direct remote management and maintenance of Intel AMT devices. When Web UI is enabled, you can access the Intel AMT management console using the following URL: http://<Intel_AMT_computer_name>:16992 (or port 16993 for Intel AMT computers configured in secure mode).
Task progress window and This feature is also known as Serial-over-LAN. It lets you remote control manage an Intel AMT computer remotely by encapsulating keystrokes and character display data in a TCP/IP stream. Redirect to optical/floppy This feature is also known as IDE-Redirection. It remotely drive or image on a server enables, disables, formats, or configures individual floppy or IDE CD drives. It also reloads operating systems and software from remote locations.
Running one-to-many tasks Updating Intel AMT settings or unconfiguring Intel AMT
26
5 6
Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Choose a connection profile that is configured with active Intel AMT credentials. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.
1 2 3
In the Symantec Management Console, on the Manage menu, click Jobs and Tasks. In the left pane, expand System Jobs and Tasks > Real-Time Console Infrastructure > Update Intel AMT Settings. Check Unconfigure Intel AMT, and then choose the unconfiguration method and the Intel AMT mode to set after unconfiguration. The options are as follows:
Partial Removes all Intel AMT settings except for administrative user credentials and PID-PPS pairs. After partial unconfiguration is complete, the Intel AMT client computer starts sending configuration requests to the setup and configuration server (Intel SCS). The computer is not available for management through the Intel AMT interface until it is configured again by Intel SCS. Full Removes all settings from the Intel AMT device. You must initialize, set up, and configure the device again. If you click this option, you can also select a Small Business or Enterprise configuration model to set after unconfiguration is complete.
4 5
Click Save changes. Run the task once or on a schedule. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide. Choose a connection profile that is configured with active Intel AMT credentials. For more information, view the topics about connection profiles in the Symantec IT Management Suite powered by Altiris technology User Guide.
Chapter
About one-to-one real time management Initiating real time connection Turning off, turning on, or restarting a client computer Starting a Keyboard-Video-Mouse (KVM) remote control session Starting a Serial-over-LAN (SOL) remote control session Booting a computer from remote location using IDE-R Blocking network traffic from and to the computer Configuring the Intel AMT device settings Viewing client computer logs Managing BIOS settings Managing the properties of Symantec Management Agent in real time Activating a virtual layer
28
Take full control of the client computer with active keyboard, display and mouse. View detailed information and audit dynamic proccesses. Manage BIOS settings with console view. Change the NS server that the client computer is assigned to. Manage software virtualization layers.
Real-Time System Manager can connect to the target computer using the following protocols: WMI, ASF, Intel AMT, DASH, SNMP, IPMI. Connection protocols define which features are available. See List of available operations on page 44. Setting up the connection profiles and credentials: http://www.symantec.com/docs/HOWTO62827. With Real-Time System Manager, you can manage computers in-band and out-of-band. Out-of-band means that computer is not turned on or the operating system is not running. You can manage a computer in such state if the client computer has AMT, ASF, DASH, or IPMI technology present and is configured for out-of-band management. For more information on how to discover out-of-band capable computers, see http://www.symantec.com/docs/DOC6628.
1 2
In the Symantec Management Console, on the Actions menu, click Remote Management > Real-Time Management. On the Real-Time Management page, type the host name or the IP of the computer that you want to connect to, and then click Connect.
You can use the Real-Time System Manager Portal, that also displays the portal actions that are available to you before establishing a real time connection. See Additional functionality and portal actions available in Real-Time System Manager on page 41.
Managing resourses one-to-one in real time Turning off, turning on, or restarting a client computer
29
1 2
In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. On the Real-Time System Manager Portal page, in the Manage Web Part, in the Computer text box, type the IP address or the name of the computer that you want to manage, and then click Connect.
You can initiate a real time connection to a client computer from any resource list in the Symantec Management Console. To initiate real time connection from a resources list
1 2
Open a list of computer resources. Right-click the computer resource, click Remote Management, and then click one of the following:
Manage Manage Power State and Redirection See Turning off, turning on, or restarting a client computer on page 29. Manage Users Port check See Running the port check on page 42. Trace Route
Managing resourses one-to-one in real time Starting a Keyboard-Video-Mouse (KVM) remote control session
30
Connect to the client computer, that you want to manage. See Initiating real time connection on page 28.
In the navigation pane, under Real-Time Consoles, expand Real-Time System Manager > Management Operations > Manage Power State and Redirection. In the right pane, on the Manage Power State and Redirection page, under Remote power management, select a power action. (Optional) To perform a graceful restart or shutdown through WMI, check Allow user to save data before power operation. If the WMI operation fails, the hard shutdown of the target computer is performed out-of-band using ASF, DASH, Intel AMT, or IPMI. The hard shutdown is possible if any of these technologies are supported and properly configured on the target computer.
3 4
Intel vPro Technology (Intel AMT), version 6 or later Integrated Intel video adapter Power cable plugged in Network cable plugged in
Managing resourses one-to-one in real time Starting a Serial-over-LAN (SOL) remote control session
31
Current IP address of the computer that you want to manage WS-MAN protocol (DASH + AMT profile and credentials)
Note: You can remotely access a client computer with Intel AMT below version 6 using Intel AMT feature Serial-over-LAN (SOL).See Starting a Serial-over-LAN (SOL) remote control session on page 31. You must configure the client computer for management. Ensure that remote control sessions are allowed on the client computer. To start a KVM remote control session
1 2
In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. On the Real-Time System Manager Portal page, in the Manage Web part, in the Computer text box, type the IP address of the computer that you want to manage, and then click Connect. On the Resource Manager page, in the right pane, under Supported protocols, click Default Connection Profile. In the Select connection profile dialog box, enable AMT and DASH profiles, and then click OK. For more information on setting up the connection profiles and credentials, see: http://www.symantec.com/docs/HOWTO62827
3 4
5 6
In the navigation pane, under Real-Time Consoles, expand Real-Time System Manager > Management Operations, and then click Remote Control. In the right pane, under Remote control options, click Start Remote Control.
To avoid problems with service keys, a virtual keyboard with F-service keys is available under the screen. Note: If you want to reboot the client computer during a wireless KVM remote control session, click Switch to Me before you reboot the client computer to keep the session active. After the operation system on the client computer reboots, click Switch to Host to restore the wireless connection on the client computer.
Managing resourses one-to-one in real time Starting a Serial-over-LAN (SOL) remote control session
32
The Intel AMT feature Serial-over-LAN (SOL) redirects the remote computer's screen text output to a virtual serial port that Real-Time System Manager can read and display in the Symantec Management Console. For example, this feature lets you access the remote computer's BIOS using the remote terminal window and change BIOS settings, or watch the boot process. To use this feature with the Intel AMT client computers that are configured in secure mode, their Fully Qualified Domain Name (FQDN) must be resolved correctly on the Notification Server computer. Also, you must configure the connection profile to use the right certificates for authentication. If the SOL session cannot start, make sure that the Intel AMT device is configured to allow this functionality. See Configuring the Intel AMT device settings on page 35. To start a SOL remote control session
Connect to the client computer that you want to manage. See Initiating real time connection on page 28.
In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Management Operations > Manage Power State and Redirection. To create a new SOL session after you turn on the target computer, in the right pane, under Redirection options, check Display task progress and remotely control computer. Note that, if the session is closed from the client side (for example, the computer is restarted locally), the Remote Control Terminal is not closed automatically. In this case, you must close the terminal window manually. Note: Boot redirection to local devices (PXE server, CD-ROM, local HDD) is not supported during a SOL remote control session. You can only redirect the boot to a remote device (CD or floppy image, remote CD-ROM, or to a server).
Warning: If there is already an active SOL session, it is terminated when the task runs.
Managing resourses one-to-one in real time Booting a computer from remote location using IDE-R
33
(Optional) To change the BIOS settings remotely during the SOL session, check Enter BIOS on startup. Note that, when you exit the BIOS on the client computer, the client computer stops sending the information to the terminal. However, the Remote Control Terminal windows is not closed automatically. In this case, you must close the terminal window manually.
Turn on or restart the computer. See Turning off, turning on, or restarting a client computer on page 29.
1 2 3
On the Manage Power State and Redirection page, click Details. (Optional) To disconnect an active SOL session, in the Redirection Details dialog box, click Stop remote control. Click Close.
Connect to the client computer you want to manage. See Initiating real time connection on page 28.
In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Management Operations > Manage Power State and Redirection.
Managing resourses one-to-one in real time Blocking network traffic from and to the computer
34
In the right pane, on the Manage Power State and Redirection page, under Redirection options, check Perform boot from, and then, in the drop-down menu, click the device to boot from. Warning: If there is already an active IDE-R session, it is terminated when the task runs.
To start the computer from an image, on the right, click Browse to navigate to a network share where the image is located. Warning: Do not use an image file that is placed on a CD or a DVD-ROM to start the computer. Use only the images that are stored on local or network hard disk drives.
Turn on or restart the computer. See Turning off, turning on, or restarting a client computer on page 29.
1 2 3
On the Manage Power State and Redirection page, under Redirection options, click Details. (Optional) To disconnect a boot device, in the Redirection Details dialog box, click Stop redirection. Click Close.
Note: Some ports stay open when network filtering is active. See Network filtering ports and settings on page 62.
Managing resourses one-to-one in real time Configuring the Intel AMT device settings
35
You can also run this task on multiple computers, immediately or on a schedule. See Filtering the network traffic on multiple computers on page 23. To block network traffic from and to the computer
Connect to the client computer that you want to manage. See Initiating real time connection on page 28.
2 3 4
In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Networking > Intel AMT Network Filtering. In the right pane, under Intel AMT Network Filtering, select Filter network traffic other than to and from the Notification Server. (Optional) To prevent the target computer from sending malicious packets, check Enable anti-spoofing filter. This feature forces the identity verification of outgoing network traffic and drops packets if the computer is suspected of originating malicious attacks that are known as IP spoofing.
Connect to the client computer that you want to manage. See Initiating real time connection on page 28.
2 3
In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Networking > Intel AMT Network Filtering. In the right pane, under Intel AMT Network Filtering, select Limit the number of PING packets to, and then type the number of packets per second, that are allowed to pass through the Intel vPro network filter. The default setting is packets per second.
36
Connect to the client computer that you want to manage. See Initiating real time connection on page 28.
2 3 4
In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Configuration > Intel AMT Settings. To allow the target computer to start SOL sessions, in the right pane, under Allow following settings, check Task progress window and remote control. To allow the target computer to start IDE-R sessions, in the right pane, under Allow following settings,check Redirect to optical/floppy drive or image on a server. Click Save Changes.
Connect to the client computer that you want to manage. See Initiating real time connection on page 28.
2 3
In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Configuration > Intel AMT Settings. To allow the Intel AMT device to enter sleep state, in the right pane, under Allow following settings, check Use Manageability Engine's power saving mode after, and then type the timeout value. Example: 5 minutes.
See Starting a Serial-over-LAN (SOL) remote control session on page 31. See Booting a computer from remote location using IDE-R on page 33.
Windows event logs (application, security and system logs) Intel AMT log Symantec Management Agent diagnostic log See Managing the properties of Symantec Management Agent in real time on page 38.
37
Connect to the client computer, that you want to see the Application Log for. See Initiating real time connection on page 28.
2 3
In the Navigation pane, expand Real-Time Consoles > Real-Time System Manager > Event Logs > Application Log. In the right pane, view the application log information. Note: By default, only error type of events are viewed in the list. To change the parameters, on the Appliction Log page, double-click Event filters, and apply new filters.
Connect to the client computer, that you want to see the AMT Log for. See Initiating real time connection on page 28.
Click Real-Time System Manager > Event Logs > Intel AMT Event Log.
1 2
In the Resource Manager, in the Inventory view, expand Real-Time Console Infrastructure > RTCI DASH Registered profile. If BIOS Management profile is displayed on this page, then the client computer supports WS-MAN BIOS Management.
You can also run this task on multiple computers, immediately or on a schedule. See Updating BIOS settings on page 17.
Managing resourses one-to-one in real time Managing the properties of Symantec Management Agent in real time
38
Connect to the client computer that you want to manage. See Initiating real time connection on page 28.
2 3
In the navigation pane, under Real-Time Consoles, click Real-Time System Manager > Management Operations > Manage BIOS Settings. In the right pane, on the Manage BIOS Settings page, under Available BIOS settings, configure BIOS settings. If BIOS is protected by administrator or system passwords, specify the passwords.
4 5
Click Save changes. Restart the client computer for the new settings to take effect. See Turning off, turning on, or restarting a client computer on page 29. If you have a system password set on the target computer, on the Manage Power State and Redirection page, check Bypass computer's startup password, and then restart the computer using ASF protocol.
1 2
In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. On the Real-Time System Manager Portal page, in the Manage Web part, in the Computer text box, type the IP address of the computer, that you want to manage, and then click Connect. On the Resource Manager page, in the right pane, under Supported protocols, click Default Connection Profile.
39
In the Select connection profile dialog box, choose the WMI profile, and then click OK. For more information on setting up the connection profiles and credentials see: http://www.symantec.com/docs/HOWTO62827
In the navigation pane, under Real-Time Consoles, expand Real-Time System Manager > Software > Symantec Management Agent, and then click one of the following management or audit nodes.
Diagnostic Log View and filter Symantec Management Agent logs. You can filter by severity, or view all entries: errors, warnings, and information. Diagnostic log can be exported into a file. View, turn on/off the maintenance windows on the client computer. View the full list of plug-ins that are installed on the client computer.
Maintenance Windows
Registered Plug-ins
Settings
Assign the client computer to a different Notification Server. Force an update for Symantec Management Agent. Force a collection of basic inventory. Enable diagnostics.
Tasks
Review the tasks that are currently running on the client computer.
40
For more information about the requirements, installation, and configuration of Software Virtualization Solution, see Altiris Software Virtualization Solution Reference Guide. http://www.symantec.com/docs/DOC1655 The prerequisites for managing virtual layers in real time are as follows:
Connection to the client computer with a WMI profile and credentials Software Virtualization Solution installed in a mode that provides WMI classes
Activate and deactivate existing layers Enable layers to start automatically after the boot of the client computer Reset layers Remove existing layers View details for existing layers
1 2
In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. On the Real-Time System Manager Portal page, in the Manage Web part, in the Computer text box, type the IP address of the computer, that you want to manage, and then click Connect. On the Resource Manager page, in the right pane, under Supported protocols, click Default Connection Profile. In the Select connection profile dialog box, activate the WMI profile, and then click OK. For more information on setting up the connection profiles and credentials see: http://www.symantec.com/docs/HOWTO62827
3 4
5 6
In the navigation panel, under Real-Time Consoles, expand Real-Time System Manager > Software > Manage Virtual Layers. In the right pane, click the layer in the list, that you need to activate, and then, on the toolbar, click Activate. On the toolbar, to allow or deny the layer to start automatically after the restart of the operation system on the client computer, click Auto or Manual.
Chapter
Additional functionality
This chapter includes the following topics:
Additional functionality and portal actions available in Real-Time System Manager Resetting a domain user password Running the port check Configuring the port check settings Modifying the list of open network filtering ports Adding or removing custom views
1 2 3
In the Symantec Management Console, on the Home menu, click Remote Management > Real-Time System Manager Portal. In the Tools Web part, click Reset Domain Password. In the Reset Domain Password dialog box, fill in the required fields, and then click OK.
42
You can also reset user passwords on multiple computers. See Resetting a local user password on multiple computers on page 18.
1 2
In the Symantec Management Console, on the Manage menu, click Filters. In the left pane, select a filter. For example, click Computer Filters > All Computers.
In the right pane, right-click on a computer resource, and then click Remote Management > Port check.
1 2 3 4 5
In the Symantec Management Console, click Home > Remote Management > Real-Time System Manager Portal. In the left pane, click Port Check. On the Port Check page, click Configure Ports. On the Modify Ports page, add or remove ports to check. Click OK.
43
See Network filtering ports and settings on page 62. See Blocking network traffic from and to the computer on page 34. See Filtering the network traffic on multiple computers on page 23. To modify the list of open network filtering ports
1 2 3
In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Real-Time System Manager > Network Filters. Modify the filters.
For more information on how to configure the Linux OpenWSMan sample view, see http://www.symantec.com/docs/HOWTO10140. To add or remove a custom view
1 2 3
In the Symantec Management Console, on the Settings menu, click All Settings. In the left pane, click Remote Management > Real-Time Console Infrastructure > Manage Custom Views. On the Manage Custom Views page, add or remove a view.
Appendix
Managements processes
Table A-1 Available Data
Manage Local Users and Groups Manage Printers Manage Processes
O u t o f b a n d 1-to-many
x x
45
O u t o f b a n d 1-to-many
x x -
Bypass boot password AMT Lock Keyboard AMT AMT AMT or ASF AMT DASH x x x x x x x x x x
Console Terminal Redirection (SOL) BIOS Management with SOL Local media redirection Remote media redirection BIOS Management **
* Remote control is currently supported only on Intel AMT clients with AMT version 6+ and Intel integrated Video Adapter. ** To use BIOS Management under DASH, client computer must support BIOS Management DASH Profile. Table A-2 Available Data
Intel AMT Configuration Mode Intel AMT Settings Unconfigure Intel AMT Device
O u t o f b a n d 1-to-many
x x
AMT
46
O u t o f b a n d 1-to-many
x
* Symantec Agent must be installed. ** Requires Symantec Workspace Virtualization Agent with Admin Tools.
47
Audit Nodes
Table A-4 Available Data
Basic Information Computer name Primary owner name Currently logged in user Domain Operation system Product Version CPU Information Name Current/max speed Load percentage Memory Usage Virtual Physical Committed Page file @ C Disk Usage Capacity Used Free File system Network Connectivity Security
O u t o f b a n d
x
48
O u t o f b a n d
* This log is only available for clients that are Domain Controllers.
Information Nodes
Information nodes are mostly available as in-band one-on-one actions, exceptions are marked in the footnotes. In some cases it is possible to modify the settings from the Detailed view of some of the information nodes.
49
Technical Requirements
WMI
O u t o f b a n d 1-to-many
Operating System WMI Page File Settings WMI Printing Job Proxy Server Quick-Fix Engineering Registry Registry Share Terminal Server Input and Output Devices Keyboard Modem Monitor Pointing Device Printer Video Adapter Controllers and Ports IDE Controller Parallel Port Serial Port USB Controller SCSI Controller USB Hub WMI WMI WMI
WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI WMI
50
Computer System WMI or AMT or x DASH or SNMP or IPMI DASH Registered DASH Profiles DASH Software Physical System Fan DASH DASH
Field Replaceable AMT or DASH Unit Motherboard Device Power Supply Processor WMI or AMT or DASH or IPMI DASH WMI or AMT or DASH DASH or IPMI WMI WMI WMI or DASH WMI x x
Sensors SMBIOS Sound Device Memory Cache Memory Logical Memory Configuration Physical Memory Mass Storage Disk Drive Logical Drive Media Device
x x
51
Technical Requirements
WMI and SNMP WMI and SNMP WMI or AMT or SNMP or IPMI WMI
O u t o f b a n d 1-to-many
Intel Filter AMT AMT network Network traffic Filtering Export AMT filtering settings Intel AMT Network Settings Wireless Profile
Appendix
Troubleshooting
This appendix includes the following topics:
53
Table B-1
54
Table B-1
Configure the firewall on the computer that you want to connect to. See Configuring the firewall on a single computer on page 55. Configure the firewall on all computers in the domain using a group policy.
55
See Configuring the firewall on multiple domain computers with a group policy on page 56.
1 2 3
Log on to the target computer as the administrator. Click Start > Run, in the Open field, type gpedit.msc, and then click OK. In the Group Policy window, expand Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall, and the click one of the following:
If the computer is in a domain, click Domain Profile. If the computer is not in a domain, click Standard Profile.
In the right pane, double-click Windows Firewall: Allow remote administration exception, in the Windows firewall dialog box, select Enable, and then click OK.
1 2 3
Log on to the target computer as the administrator. From the Control Panel, open the Windows Firewall Settings dialog box. On the Exceptions tab, check Windows Management Instrumentation (WMI).
1 2 3 4
Log on to the target computer as the administrator. From the Control Panel, locate and open the Windows Firewall configuration dialog box. In the left pane, click Allow a program or feature through Windows Firewall. Check Windows Management Instrumentation (WMI).
56
Create a group policy object for the organizational unit that contains the Windows XP SP2 computers that you want to manage:
Log on to a domain controller. Click Start > Run, type dsa.msc in the Open dialog box, and then click OK. Expand your domain, right-click the organizational unit in which you want to create the group policy, and then click Properties. On the Group Policy tab, click New. Type a name for the group policy object, and then press Enter. Click Close.
Log on to a domain-member computer that is running Windows XP SP2. Log on with a user account that is a member of one or more of the following security groups:
Click Start > Run, in the Open field, type mmc, and then click OK.
57
4 5 6 7 8
On the File menu, click Add/Remove Snap-in. On the Standalone tab, click Add. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add. In the Select Group Policy Object dialog box, click Browse. Click the group policy object that you want to update with the new Windows Firewall settings. For example, click the organizational unit that contains the Windows XP SP2 computers, click OK, and then click the group policy object that you created in step 1.
10 Click Close, and then click OK. 11 Under Console Root, expand the group policy object that you selected in step
8, and then click Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
13 Click Enabled, and then specify the administrative scope in the Allow
unsolicited incoming messages from dialog box. For example, to permit remote administration from a particular IP address, type that IP address in the Allow unsolicited incoming messages from dialog box. To permit remote administration from a particular subnet, type that subnet by using the Classless Internet Domain Routing (CIDR) format. In this scenario, type 192.168.1.0/24 to specify the network 192.168.1.0 with a 24-bit subnet mask of 255.255.255.0. For more information on how to specify a valid administrative scope, see the Syntax area of the Setting tab in this policy.
58
Open Control Panel, double-click Folder Options, and on the View tab, uncheck Use simple file sharing. Click OK. On the client computer, in the Windows registry, set the ForceGuest DWORD value equal to 0 (zero) under the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] key. For more information, see Microsoft knowledge base articles : http://support.microsoft.com/default.aspx?scid=KB;EN-US;180548 http://support.microsoft.com/default.aspx?scid=kb;en-us;290403
1 2 3 4
On the client computer with the Microsoft Windows Vista operating system, open the Control Panel. Double-click User Accounts. In the User Accounts dialog box, click Turn User Account Control on or off. Uncheck Use User Account Control (UAC) to help protect your computer, and then click OK.
1 2 3 4
On the client computer with the Microsoft Windows 7 operating system, open the Control Panel. Click User Accounts. Click Change User Account Control settings. Move the slider to Never notify, and then click OK.
Appendix
Technical Reference
This appendix includes the following topics:
Ports used by Real-Time System Manager How authentication works About changes in default system security Network filtering ports and settings Power management and redirection capabilities
Description
Direction
Binding
Symantec Management Console Symantec Management Platform Symantec Management Console Symantec Management Platform
TCP
389
LDAP
both
60
Description
Direction
Binding
Symantec Management Console Symantec Management Platform Symantec Management Platform managed computer Symantec Management Platform managed computer Symantec Management Platform managed computer Symantec Management Platform managed computer Real-Time System Manager managed computer Real-Time System Manager managed computer Real-Time System Manager managed computer
TCP/UDP
Echo (ICMP)
both
TCP/UDP
135
TCP/UDP
445
Microsoft-DS
both
TCP/UDP
>1024
RPC
both
UDP
161
SNMP
both
UDP
162
SNMP trap
both
UDP
623
Non-secure both ASF and IPMI connection port Secure ASF and IPMI connection port Non-secure DASH connection port both
UDP
664
TCP/UDP
623
both
TCP
664
61
Description
Non-secure Intel AMT connection port Secure Intel AMT connection port
Direction
both
Binding
Real-Time System Manager managed computer
TCP
16993
both
TCP
16994
Non-secure both Intel AMT remote control port (SOL/IDE-R) Secure Intel AMT remote control port (SOL/IDE-R) both
TCP
16995
When you try to access the Symantec Management Console or the Resource Manager page, Notification Server verifies that the user has the rights to access Real-Time System Manager. You can access the console either as a user who is interactively logged on to the Notification Server computer or as a user who is connected to the Notification Server computer remotely through a browser. In case of an interactively logged on user, the Windows logon information is passed to Notification Server. When a computer is managed locally from a target computer, the Internet Explorer credentials are used. By default, Real-Time System Manager uses the Notification Server Application Identity credentials (WMI Credential for Default Connection Profile) to connect to remote computers. If the Notification Server Application Identity account has no administrator rights to access the remote computer, the connection fails. Create a new connection profile with correct credentials.
62
Once successfully authenticated, Real-Time System Manager administrative-user credentials are used as administrative credentials for all WMI commands until the Resource Manager page is closed. The Notification Server computer and the target computer can be on different domains. In this case, you must specify the user in the form of "domain\username" in the connection profile. This is not true for the following cases:
If there is a trust relationship between domains that ensures that users from the Notification Server domain have a sufficient privilege level (on the target Real-Time System Manager host) that WMI requires. If the target computer has a local account (with sufficient WMI rights) with the user name and password identical to the user whose credentials were used to access Real-Time System Manager.
The IIS_WPG (SERVER_NAME\IIS_WPG) group is added with full control for the folder, subfolder, and files. The ASP.NET computer account (SERVER_NAME\ASPNET) user is added with full control for the folder, subfolder, and files.
Ports kept open when network filtering is active Port name and description
DNS port
Type
TCP/UDP
Direction
Receive/Transmit Receive/Transmit Receive/Transmit Receive/Transmit Receive/Transmit
DHCP boot protocol server UDP DHCP boot protocol client UDP Notification Server port Kerberos port TCP UDP
63
Ports kept open when network filtering is active (continued) Port name and description
NETBIOS Name Service LDAP port Secure LDAP port ARP Notification Server Tickle port
Type
TCP TCP/UDP TCP/UDP Ethernet frame TCP
Direction
Receive/Transmit Receive/Transmit Receive/Transmit Receive/Transmit Receive/Transmit
See Modifying the list of open network filtering ports on page 42. See Blocking network traffic from and to the computer on page 34. See Filtering the network traffic on multiple computers on page 23.
Intel AMT power management capabilities AMT reboot AMT power off
Yes Yes Yes Yes
AMT power on
No No
Boot redirect
Yes2 Yes
No
No
No
Yes
Yes1
Yes1
Yes
Yes2
Yes1
Yes1
Yes
Yes2
64
Intel AMT power management capabilities (continued) AMT reboot AMT power off
No No No No
AMT power on
Yes No
Boot redirect
Yes Yes
No
No No
No No
No Yes
Sleeping in an S1, S2, or S3 No state (used when particular S1,S2, S3 state cannot be determined), or Legacy SLEEP state G1 sleeping (S1-S4 cannot No be determined) S5 entered by override, for example, by 4-second power button override No
No
No
Yes
No
No
Yes
Legacy ON, for example, No non-ACPI OS working state Legacy OFF, for example, non-ACPI OS off state Unknown
1 2
No
No
Yes
No
No
No
Yes
No
No
No
Yes
Performed through the power on command. Redirection can be enabled only for the reboot command. ASF power management capabilities ASF reboot ASF power ASF power off on
Yes Yes Yes No No
Boot redirect3
Yes2 Yes
65
ASF power management capabilities (continued) ASF reboot ASF power ASF power off on
Yes Yes No
Boot redirect3
Yes
S2 sleeping, processor context lost S3 sleeping, processor & h/w context lost, memory retained S4 non-volatile sleep / suspend-to disk S5/G2 soft-off S4/S5 soft-off, particular S4/S5 state cannot be determined G3/Mechanical Off
Yes
Yes
Yes
Yes2
Yes1
Yes1
Yes
Yes2
No Yes
No Yes
Yes Yes
Yes Yes
No
No Yes
No No
No Yes
Sleeping in an S1, S2, or Yes S3 state (used when particular S1,S2, S3 state cannot be determined), or Legacy SLEEP state G1 sleeping (S1-S4 cannot be determined) S5 entered by override, for example, 4-second power button override Yes
Yes
No
Yes
No
No
Yes
Yes
Legacy ON, for example, Yes non-ACPI OS working state Legacy OFF,for example, No non-ACPI OS off state Unknown
1 2 3
Yes
No
Yes
No
Yes
Yes
Yes
Yes
Yes
Yes
Performed through the power up command. Redirection can be enabled only for the reboot command. Only local redirection can be enabled with ASF.
Index
A
alerts out-of-band 20 SNMP 12 authentication about 61 available operations 44
I
IDE-R 25 enabling 35 starting session 33 using 22 view details 34 Intel AMT changing settings 25 configuring 35 network traffic filtering 34 unconfiguring 25 web console 25 inventory collecting and viewing 16
B
BIOS management 37 remote configuration 31 updating setting 37 updating settings 17 boot redirection 22 booting from remote location 22, 33
C
Circuit Breaker. See network filtering client computer reassign to another Notification Server 38 restarting remotely 29 turning off, on 29 view logs 36 configuring hardware alerts 20 Intel AMT settings 25, 35 port check settings 42 connection real time 52 custom views Linux 43
K
Keyboard-Video-Mouse (KVM). See KVM
L
local user password resetting 18 logs monitoring client computer 36 Symantec Management Agent 38
M
manage power state 12 processes 19 management in real time 27 one-to-many 11 one-to-one 27 managing services 20
D
DHCP 34
F
file sharing disabling 57
Index
67
N
network filtering enabling and using 23 modifying ports 42 ports, settings 62 network flooding enabling protection 24
S
security about changes 62 Serial-over-LAN. See SOL service running or stopping 20 SOL 25 enabling 35 starting session 31 viewing active sessions 33 Symantec Management Agent manage properties 38
O
one-to-many about 11 filtering network traffic 23 list of operations 44 resetting password 18 one-to-one about 27 list of operations 44 out-of-band inventory 16 list of operations 44 power management 12
T
troubleshooting connection 52 firewall 5456
U
unconfiguring Intel AMT device 25 user access control configuring 58
P
port check configuring 42 running 42 ports list 59 power management 29 capabilities 63 event console 15 on, off, restart 12 restoring state 14 power-saving options configuring 35 process running or stopping 19
V
Virtual layers management 39
X
.xml file 24
R
real time management initiating connection 28 Real-Time Portal 28 port check 42 redirection capabilities 63 remote control KVM 30 SOL 31