Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Virtual Composer - Creating VPN Client software packages

Created: 23 Mar 2014 • Updated: 24 Mar 2014 | 6 comments

Good Day,

I have many VPN Client software packages I am required to create.  After a few days of attemps I use the default template and create a package for Cisco VPN CLient v.5.  This is an IPSec VPN  Client that relies on a virtual adapter.  It creates in Composer successfully then I am able to activate it and open the program without error, the UI comes up without issue.  When I attempt to connect to a site I am getting a pop-up from the Cisco client indicating network driver issues, I also do not see the virtual adapter in network connections which I see on a normal install.

Seeking assistance on this as soon as possible,  I suspect I am missing something in regards to the network piece.

THanks very much,

Kyle

Edit - removed email address-

Operating Systems:

Comments 6 CommentsJump to latest comment

EdT's picture

You are indeed missing something. If I recall correctly, the network stack is built at boot up and therefore you cannot virtualise any software that inserts into the network stack as it will not be possible to do this dynamically.  I suspect there is an API to do this in recent versions of windows, but it means closing and restarting the network code throughout the machine, so maybe something not safe to do if a user has something else going on that could be affected.

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.

kyle77's picture

Thankyou for the Insight EdT,  I plan to use this in a virtual machine image, eventually on a server.  I am not concerned if the specific network card for this outgoing connection is interupted but it sounds you are suggesting if my network stack is reinitialized everything will be interupted (including potentially my connection to the VM itself if remote).

Surely Symantec has been challenged with this type of request and I'd expect can offer some assistance if their software is capable of supporting this type of functionallity.

Thanks again for the response EdT,

Symantec?
 

Joseph_Carson's picture

Hello Kyle,

The Cisco VPN Client includes a driver which it binds to the existing network card drivers.  Any software that includes kernel level drivers can be tricky to virtualize and/or not possible to virtualize as the altitude of the driver maybe at a level which starts prior to the virtualization stack.  The best way to identify this is to compare the altitude in which the drivers load using the ftlmc command and if the altitude is lowering than the virtualizaton stack then it will not be possible.  In the upcoming release of Symantev Workspace Virtualization we are changing the load boot order of our virtualization driver so it is worth checking if it will start before the VPN Client driver.  if it does then it might be possible though the challenge then becomes making this portable after doing it on one machine, you might need to check the VPN Client API's as you might require some post event scripts to reinitialize the network driver bindings after each boot.

I know some customers have been successful in this area but I am not 100% certain on the Cisco VPN Client version you are using. 

if you can also provide further details on what the driver issues are then it might be possible to assist further in reducing the possible issues.

Kind Regards,

delvalled's picture

Kyle,

From the Symantec Workspace Virtualization 7.5 User's Guide, on page 24, there is list of what you should not attempt to virtualize. I've bolded the two items that are most pertinent to what you are trying to do.

What you should not virtualize

Do not virtualize the following:

  • Windows operating system components
  • Windows operating system patches
  • Most drivers
  • Applications that have dedicated drivers. For example, Client firewalls.
  • All management agents including antivirus software, security scanners, encryption agents, or any Symantec Management Platform agent.
  • Data files that you plan to encrypt
  • Utilities that are designed to run only in safe mode (Virtualization does not run in safe mode)

The Cisco VPN Client includes a miniport driver and we do not support virtualizing an application that includes a kernel-mode driver such as this. The application appears to work on your packaging workstation where you created the layer with Composer because the miniport driver likely "leaked" onto the base OS itself; when you move the layer to another machine, it's possible that the driver did not go along with it. This is just one possible scenario, the root cause could be something else altoghether; we might be able to make a better determination if you could provide screenshots, application logs, and any relevant Windows event log messages. 

Packaging applications can quickly become a very complex task. You may need to contact a Symantec-partner that specializes in application packaging. However, like Joe mentioned, it may be possible to virtualize this VPN client application and use OnEvent actions to lay down the Cisco minifilter driver onto the base OS and then activate the layer. You would need to find a way to extract the driver from the vendor's installer and then install/register the driver on the system appropriately. 

I also wanted to add some additional insight into one of Joe's comments:

In the upcoming release of Symantev Workspace Virtualization we are changing the load boot order of our virtualization driver so it is worth checking if it will start before the VPN Client driver.

We are indeed changing the load order of the virtualization driver, but this is meant to make our driver compatible with other kernel-mode drivers on the stack, such as other security/disk-encryption drivers; this change is not likely to address this issue as this is a packaging problem and not a conflict in elevation.

Best of luck,

Danny

kyle77's picture

Thankyou for the assistance everybody I really appreciate all the involvement and level of support provided today.

Kyle

sc123's picture

You may want to try TheGreenBow IPSEC VPN Client Software, which is Windows 8 32/64bit compatible and is currently in development. You may have fewer issues with it.