Solved

Zone Alarm causes conflicts with VPN clients on Windows XP machine

Posted on 2006-11-02
Last Modified: 2008-01-09
Hi experts.  This one has me buggers!  I have a client, who does programming for different manufacturers and has to connect through multiple VPN clients to access their networks.  Sometimes it seems hard to get this stuff to all work together.  Currently they use Cisco client primarily along with Windows VPN.  Also, one of their clients requires Aventail with Zone Alarm Integrity client, which just seems to be a proprietary client put out by Checkpoint.  I won't even get into the AT&T client, since that won't work with anything.  We have to have that set up alone on its own machine.
The Zone Alarm seems to be the problem.  Whenever the Zone Alarm is loaded at system boot it will lock up the machine.  If I disable the True Vector Service and change the preferences to prevent the program from loading on start up everything is fine to boot.  The other problem is that I can't remove Zone Alarm with the Add and remove Programs.  At this point something seems to be damaged as I can't connect through the Cisco or MS VPN.  I ran winsockfix, but that didn't work.  We have this same setup on about 10 Dell laptops and I only just ran into the issue on our two newest machines-Dell 620's.  I finally did a clean install on one to get it cleaned up, but it's still an issue on this machine.  Help experts! I've spent many hours beating myself up on this one.
Question by:baggio8
LVL 39

Expert Comment

by:redseatechnologies
ID: 17862789
Hi baggio8,

What is stopping you from just purging your network of ZoneAlarm and simply using the Windows firewall in SP2?

ZoneAlarm has never been good with VPNs, you need to add it as a trusted IP Address (the VPN server) before it will get close to working

-red
0
 

Author Comment

by:baggio8
ID: 17862804
I'd drop it like a hot potato if I could.  The proprietary design of Aventail requires that the Zone Alarm Integrity client be loaded before it will allow the VPN client to connect.  
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17862850
What a pain.

Have you tried manually reconfiguring ZA so that it considers the VPN server addresses as trusted?
0

 
LVL 43

Expert Comment

by:Steve Knight
ID: 17862872
Personally what I do for customer connections is have a VMWARE virtual 2000 or XP machine for each client with their own VPN client software installed and any patches and AV software they insist on.  I use it on VMWARE workstation as I have a licensed version but it could easily run on the free VMWARE player too.  This connects back through bridged network connection and gets IP from DHCP as normal and to all intents and purposes is just another machine on the network.  The virtual machines connect back to host machine to share files etc.  It also means that people that need different software versions that clash or issues like you have only affect one VM - you can also roll this one VM out to all your laptops by simply copying the directory and changing the hostname :-)

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17862894
(Sorry, I don't know how to fix your current problem, just been there with client apps breaking other stuff already installed like this which is why they all go on separate VMs...)

Steve
0
 
LVL 4

Expert Comment

by:Smacky311
ID: 17863300
I have several questions to narrow down your issue.

1.  Have you tried removing Zonealarm in safe mode?
2.  What error message do you get when trying to connect through the Cisco VPN client?  
3.  Can you telnet through the VPN port that you are using?
4. A). What transport protocol are you using in the cisco client, UDP or TCP?  (have you tried switching protocols)
    B). If TCP then what port are you trying to connect through and have you tried using an alternate port number?
5.  What happens when you perform a trace route to the VPN host?
6.  What version of the cisco VPN software are you using?  Have you tried another version?
7.  Assuming the new Laptops have a different hardware abstraction layer, then I assume they are imaged differently.  In this case what software is installed on these laptops that is not on the old laptops (windows updates, new software versions, different network cards or more recent network card drivers, Adobe 6.0 rather than Adobe 6.4...etc)
0
 
LVL 4

Expert Comment

by:Smacky311
ID: 17863378
8.  This is probably obvious from the above, but please verify the version of the VPN client you are using is the same on the older and newer machines.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17863497
We've solved a very similar situation by using Virtual machines. Create a different virtual machine for each unique VPN client/requirement. Use Microsoft Virtual PC to create the VM's and then you can use VMWare's free player to run multiple VM's at once on most any good desktop.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17864404
lrmoore: snap :-)
0
 

Author Comment

by:baggio8
ID: 17976122
Hello experts!  Thank you for your feedback and sorry for my delay in responding.  
Since my initial post my first laptop that I did the clean install on just "done blowed up".  I have since performed new clean installs on both and they are (for now) working fine.  I can provide no explanation as to why or how I accomplished this, nor do I care to continue.  I have come to the conclusion that it is folly to further consider "why bad things happen to good software"  and to babysit misbehaving rogue applications.  
The VM ultimately sounds like the way to go, but I haven't a clue as to how to proceed.  I have multiple copies of MS VM 2004 and I see where to download the VM Player.  Do I need to have multiple licenses of the OS on each laptop? Would it make sense to set up the laptop standard config with Cisco client and then add a VM for Aventail and a VM for AT&T client?  How would I do this?

Thanks experts for your valuable information!  
0
 

Author Comment

by:baggio8
ID: 18190950
Merry Christmas experts.  I didn't get any feedback to my last post.  Please respond so I can get this info and I can close the question.

Thanks!
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 500 total points
ID: 18191157
Didn't see the last question sorry - think I read it at the time and saw you saying you'd rebuilt and assumed that was it.

Yes technically (actually) you need multiple OS licenses, one per install of the OS afaik..... I would suggest adding a VM for the machine that drops the network connection to your local LAN which in this case was the Cisco I think.  Then you can continue to use your main machine and any other vpn's on there at the same time as the Cisco etc.

I used this technique at one customer site with Virtual PC just fine if that is what you have ... my preference is VMWARE but Virtual PC will do the same and you have the software... VMWARE Player is irrelevant here unless you have a copy of VMWARE to create the virtual machine in the first place... Just install Virtual PC on all machines you want to have it on.

Don't forget this is a proper machine on the LAN so it needs patching, AV, firewall turned on etc. as any other.

Merry Christmas and all that!

Steve
0
