Solved

Zone Alarm causes conflicts with VPN clients on Windows XP machine

Posted on 2006-11-02
Last Modified: 2008-01-09
Hi experts.  This one has me buggers!  I have a client, who does programming for different manufacturers and has to connect through multiple VPN clients to access their networks.  Sometimes it seems hard to get this stuff to all work together.  Currently they use Cisco client primarily along with Windows VPN.  Also, one of their clients requires Aventail with Zone Alarm Integrity client, which just seems to be a proprietary client put out by Checkpoint.  I won't even get into the AT&T client, since that won't work with anything.  We have to have that set up alone on its own machine.
The Zone Alarm seems to be the problem.  Whenever the Zone Alarm is loaded at system boot it will lock up the machine.  If I disable the True Vector Service and change the preferences to prevent the program from loading on start up everything is fine to boot.  The other problem is that I can't remove Zone Alarm with the Add and remove Programs.  At this point something seems to be damaged as I can't connect through the Cisco or MS VPN.  I ran winsockfix, but that didn't work.  We have this same setup on about 10 Dell laptops and I only just ran into the issue on our two newest machines-Dell 620's.  I finally did a clean install on one to get it cleaned up, but it's still an issue on this machine.  Help experts! I've spent many hours beating myself up on this one.
Question by:baggio8
12 Comments
 
LVL 39

Expert Comment

by:redseatechnologies
Hi baggio8,

What is stopping you from just purging your network of ZoneAlarm and simply using the Windows firewall in SP2?

ZoneAlarm has never been good with VPNs, you need to add it as a trusted IP Address (the VPN server) before it will get close to working

-red
0
 

Author Comment

by:baggio8
I'd drop it like a hot potato if I could.  The proprietary design of Aventail requires that the Zone Alarm Integrity client be loaded before it will allow the VPN client to connect.  
0
 
LVL 39

Expert Comment

by:redseatechnologies
What a pain.

Have you tried manually reconfiguring ZA so that it considers the VPN server addresses as trusted?
0
 
LVL 43

Expert Comment

by:Steve Knight
Personally what I do for customer connections is have a VMWARE virtual 2000 or XP machine for each client with their own VPN client software installed and any patches and AV software they insist on.  I use it on VMWARE workstation as I have a licensed version but it could easily run on the free VMWARE player too.  This connects back through bridged network connection and gets IP from DHCP as normal and to all intents and purposes is just another machine on the network.  The virtual machines connect back to host machine to share files etc.  It also means that people that need different software versions that clash or issues like you have only affect one VM - you can also roll this one VM out to all your laptops by simply copying the directory and changing the hostname :-)

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
(Sorry, I don't know how to fix your current problem, just been there with client apps breaking other stuff already installed like this which is why they all go on separate VM's...)

Steve
0
 
LVL 4

Expert Comment

by:Smacky311
I have several questions to narrow down your issue.

1.  Have you tried removing ZoneAlarm in safe mode?
2.  What error message do you get when trying to connect through the Cisco VPN client?  
3.  Can you telnet through the VPN port that you are using?
4. A). What transport protocol are you using in the Cisco client, UDP or TCP?  (have you tried switching protocols)
    B). If TCP then what port are you trying to connect through and have you tried using an alternate port number?
5.  What happens when you perform a trace route to the VPN host?
6.  What version of the Cisco VPN software are you using?  Have you tried another version?
7.  Assuming the new Laptops have a different hardware abstraction layer, then I assume they are imaged differently.  In this case what software is installed on these laptops that is not on the old laptops (windows updates, new software versions, different network cards or more recent network card drivers, Adobe 6.0 rather than Adobe 6.4...etc)
0
 
LVL 4

Expert Comment

by:Smacky311
8.  This is probably obvious from the above, but please verify the version of the VPN client you are using is the same on the older and newer machines.
0
 
LVL 79

Expert Comment

by:lrmoore
We've solved a very similar situation by using Virtual machines. Create a different virtual machine for each unique VPN client/requirement. Use Microsoft Virtual PC to create the VM's and then you can use VMWare's free player to run multiple VM's at once on most any good desktop.
0
 
LVL 43

Expert Comment

by:Steve Knight
lrmoore: snap :-)
0
 

Author Comment

by:baggio8
Hello experts!  Thank you for your feedback and sorry for my delay in responding.  
Since my initial post my first laptop that I did the clean install on just "done blowed up".  I have since performed new clean installs on both and they are (for now) working fine.  I can provide no explanation as to why or how I accomplished this, nor do I care to continue.  I have come to the conclusion that it is folly to further consider "why bad things happen to good software"  and to babysit misbehaving rogue applications.  
The VM ultimately sounds like the way to go, but I haven't a clue as to how to proceed.  I have multiple copies of MS VM 2004 and I see where to download the VM Player.  Do I need to have multiple licenses of the OS on each laptop? Would it make sense to set up the laptop standard config with Cisco client and then add a VM for Aventail and a VM for AT&T client?  How would I do this?

Thanks experts for your valuable information!  
0
 

Author Comment

by:baggio8
Merry Christmas experts.  I didn't get any feedback to my last post.  Please respond so I can get this info and I can close the question.

Thanks!
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 500 total points
Didn't see the last question sorry - think I read it at the time and saw you saying you'd rebuilt and assumed that was it.

Yes technically (actually) you need multiple OS licenses, one per install of the OS afaik..... I would suggest adding a VM for the machine that drops the network connection to your local LAN which in this case was the Cisco I think.  Then you can continue to use your main machine and any other vpn's on there at the same time as the Cisco etc.

I used this technique at one customer site with Virtual PC just fine if that is what you have ... my preference is VMWARE but Virtual PC will do the same and you have the software... VMWARE Player is irrelevant here unless you have a copy of VMWARE to create the virtual machine in the first place... Just install Virtual PC on all machines you want to have it on.

Don't forget this is a proper machine on the LAN so it needs patching, AV, firewall turned on etc. as any other.

Merry Christmas and all that!

Steve
0
