Out-of-Band Management
Overview
ET Ducky's Out-of-Band (OOB) management feature lets you monitor, power-cycle, and inventory hardware endpoints at the firmware level — independently of the Windows OS and the standard ET Ducky agent. OOB access works even when the machine is powered off, unresponsive, or has a crashed operating system.
OOB management is delivered through a Gateway — a lightweight Linux service (designed for Raspberry Pi) that sits on the same LAN as your managed hardware. The gateway scans the network for OOB-capable devices, maintains a cloud connection, and relays commands from the ET Ducky dashboard to the target hardware.
Supported Protocols
| Protocol | Hardware | Port | Notes |
|---|---|---|---|
| Intel AMT | Intel vPro business laptops and desktops | 16992 (plain), 16993 (TLS) | ThinkPad, EliteBook, Latitude, OptiPlex with vPro badge |
| DASH | AMD PRO processors with Broadcom or Realtek enterprise NICs | 623 | HP EliteDesk AMD, Dell OptiPlex AMD, Lenovo ThinkCentre AMD |
| IPMI | Server baseboard management controllers | 623 | Identify/reachability probe only in current release |
Note: Consumer hardware (gaming PCs, home desktops, consumer laptops) does not support AMT or DASH regardless of Intel/AMD CPU brand. OOB management requires business-class vPro or AMD PRO processors paired with enterprise-grade NICs.
Gateway Hardware Requirements
- Raspberry Pi 4 or newer (64-bit OS required)
- Wired Ethernet connection to the target LAN (recommended over Wi-Fi)
- Network access from the Pi to
etducky.comon TCP 443 - Same subnet as the OOB-capable devices you want to discover
Recommended OS: Raspberry Pi OS Lite 64-bit. The gateway service runs as a systemd unit under a dedicated etducky service account.
Provisioning a Gateway Token
Gateway tokens are separate from Windows agent registration tokens. They use the etd_gateway_ prefix and are tied to a dedicated Agent record with AgentType = gateway.
- Navigate to Agents → Install New Agent and select your organization.
- Click Create Token.
- Select Gateway as the token type (defaults to Windows Agent).
- Enter a name for the gateway (e.g. Site A – Pi Gateway).
- Click Create Token — the
etd_gateway_token is shown once only. Copy it immediately.
Gateway tokens do not have max-agent limits, expiry dates, or installer downloads. Each token provisions exactly one Pi gateway.
Deploying the Gateway
1. Build and package
From the repo root on a Windows build machine (requires .NET SDK):
.\ETDucky.Gateway\packaging\publish-gateway.ps1 ` -Runtime linux-arm64 -Configuration Release ` -Output .\ETDucky.Gateway\artifacts\gateway-linux-arm64 tar -czf .\ETDucky.Gateway\artifacts\ETDucky.Gateway.tar.gz ` -C .\ETDucky.Gateway\artifacts\gateway-linux-arm64 .
2. Copy files to the Pi
scp .\ETDucky.Gateway\artifacts\ETDucky.Gateway.tar.gz [email protected]:/home/pi/ scp .\ETDucky.Gateway\install\setup.sh [email protected]:/home/pi/ scp .\ETDucky.Gateway\install\update.sh [email protected]:/home/pi/ scp .\ETDucky.Gateway\install\etducky-gateway.service [email protected]:/home/pi/
3. Install on the Pi
sed -i 's/\r//' setup.sh update.sh chmod +x setup.sh update.sh ./setup.sh ./update.sh /home/pi/ETDucky.Gateway.tar.gz
4. Configure
sudo nano /opt/etducky-gateway/appsettings.json
Set Gateway:AgentToken to the etd_gateway_ token you provisioned from the dashboard.
5. Start
sudo systemctl start etducky-gateway.service journalctl -u etducky-gateway.service -f
A healthy startup shows: config validation passing, WebSocket connected, heartbeat active, and a discovery scan starting.
Discovery
On startup the gateway immediately runs a discovery scan of the local network. By default it auto-detects the Pi's subnet and pings all host addresses. Live hosts are probed for AMT (ports 16992/16993) and DASH (port 623). Discovered devices appear in the Discovered / OOB tab on the Agents page.
| Setting | Default | Description |
|---|---|---|
ScanSubnets | ["auto"] | Auto-detect subnet from the Pi's network interface. Use ["192.168.1.0/24"] to specify explicitly. |
ScanIntervalMinutes | 15 | How often to run a full rediscovery sweep. |
DiscoveryEnrichWithAmtCredentials | true | When default AMT credentials are set, attempt a second-pass inventory to retrieve hostname, CPU, RAM, and serial number. |
AmtDefaultUsername | empty | Default AMT credential username for enrichment. |
AmtDefaultPassword | empty | Default AMT credential password. Never commit to source control. |
Updating the Gateway
After building and packaging a new version, copy the tarball to the Pi and run:
./update.sh /path/to/ETDucky.Gateway.tar.gz
The update script stops the service, extracts the package, sets the executable bit, fixes ownership, and restarts the service automatically.
Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| Service fails with Permission denied | Executable bit not set on binary | sudo chmod +x /opt/etducky-gateway/ETDucky.Gateway |
| WebSocket returns 401 | Token prefix mismatch or agent row missing | Ensure token starts with etd_gateway_ and was provisioned via the Gateway token type |
| Discovery finds 0 devices | No AMT/DASH hardware on subnet, or OOB not enabled in BIOS | Verify vPro/AMD PRO hardware is present and AMT/DASH is enabled in BIOS/MEBx |
| Gateway shows as Desktop Agent | Old frontend JS cached | Hard refresh (Ctrl+Shift+R). Gateway agents appear only in the Discovered / OOB tab. |