Intel AMT / vPro KVM port forwarding

In general, computers using vPro remote access should not be directly exposed to the Internet. The computer’s software firewall doesn’t block vPro ports, which exist outside of the operating system. An external firewall is necessary to protect vPro remote access.

Remote connections through the firewall to Intel vPro machines can be made via SSH port forwarding to use Intel AMT KVM. Don’t open Intel AMT / vPro ports to the public Internet. The ports below are the minimum that we’ve observed are necessary to use Intel AMT for remote control, including remote power cycling.

Port Purpose
5900 VNC
16992 HTTP remote web UI
16993 HTTPS remote web UI, TLS requires this port
16994 KVM traffic
16995 KVM traffic when TLS is used

To diagnose vPro remotely, I first connect with the ports above forwarded to the laptop, then browse to https://localhost:16993. If you have previously enabled the vPro VNC server, you can connect on port 5900 with any VNC client over the SSH tunnel. Use MeshCommander to connect via the ports above. A certificate instead of a password is generally preferable.
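
One way to set up the forwards described above, as an added example that is not from the original page. The jump host and AMT address in the usage comment are placeholders, and the function names are hypothetical. Each forward is bound to 127.0.0.1 so the tunnel entrance on the client is not reachable from the client's own network.

```shell
#!/bin/sh
# Added example: loopback-only SSH forwards for the AMT ports in the table above.
# Function names and the hosts in the usage comment are placeholders.
AMT_PORTS="5900 16992 16993 16994 16995"

# Print one "-L" forward per AMT port, each bound to 127.0.0.1 on the client.
amt_forward_args() {
    target=$1
    # Accept only hostname/IPv4 characters and refuse a leading "-",
    # so the value can never be parsed by ssh as an option.
    case $target in
        ''|-*|*[!A-Za-z0-9.-]*)
            echo "invalid AMT host: $target" >&2
            return 1 ;;
    esac
    args=
    for port in $AMT_PORTS; do
        args="$args -L 127.0.0.1:$port:$target:$port"
    done
    printf '%s\n' "${args# }"
}

# Open the tunnel through a jump host that can reach the AMT machine.
# -N runs no remote command; ExitOnForwardFailure makes ssh exit if any
# forward cannot be set up (for example, a local VNC server already on 5900).
amt_tunnel() {
    jump=$1
    case $jump in
        ''|-*) echo "invalid jump host: $jump" >&2; return 1 ;;
    esac
    forwards=$(amt_forward_args "$2") || return 1
    # Word splitting of $forwards is intended: it holds validated -L pairs only.
    # shellcheck disable=SC2086
    ssh -N -o ExitOnForwardFailure=yes $forwards "$jump"
}

# Usage (placeholder hosts): amt_tunnel admin@gateway.example 192.0.2.10
# Then browse to https://localhost:16993 as described above.
```
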

Reference: Intel AMT network ports