> Any ideas what other organizations do to handle this situation?
I don't, although I'd love to hear more people who do administer networks as well as the end PCs offer their opinions.
I can speculate, however; these days most routers or managed switches let people create far more sophisticated traffic-filtering rules than they did 10 years ago. It's both technically possible (and really, I think desirable) to apply a subset of the perimeter filtering rules internally as a defense-in-depth strategy, but these days you can now do that without disabling useful internal-to-internal traffic.
> Rewriting the software seems like a drastic step.
It's a relatively small rework to send an additional unicast WOL packet to the last known client IP, and comparatively easy to test. Even though unicast Wake-On-Lan won't work reliably, I figure it's better to try it as a fallback than just not do anything.
In fact, I've just added this in the pre-GSS2.0 code, and it's an easy thing to backport to GSS1.1 - once this passes some basic internal testing over the next few days I could make a test build of the GSS1.1 ngserver.exe executable for you to try, perhaps next week.
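The fallback described in the post above, sketched as an added example; it is not part of the original post and is not the GSS code. The function names, UDP port 9 and the sample addresses are assumptions made for illustration.

```python
import socket

WOL_PORT = 9  # assumption: UDP "discard" port, a common choice for WOL


def build_magic_packet(mac: str) -> bytes:
    """Magic packet: 6 bytes of 0xFF followed by the target MAC 16 times."""
    hexmac = mac.replace(":", "").replace("-", "")
    if len(hexmac) != 12:
        raise ValueError("MAC address must be 6 bytes: %r" % mac)
    return b"\xff" * 6 + bytes.fromhex(hexmac) * 16


def wol_targets(broadcast_ip, last_known_ip=None):
    """Broadcast first; add the last known client IP as a unicast fallback."""
    targets = [(broadcast_ip, WOL_PORT)]
    if last_known_ip and last_known_ip != broadcast_ip:
        targets.append((last_known_ip, WOL_PORT))
    return targets


def send_wol(mac, broadcast_ip, last_known_ip=None):
    """Send the packet to every target and return the targets that accepted it.

    The unicast copy is best effort: once a sleeping client's ARP entry has
    aged out on the last-hop router, the packet cannot be delivered.
    """
    packet = build_magic_packet(mac)
    sent = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        for target in wol_targets(broadcast_ip, last_known_ip):
            try:
                sock.sendto(packet, target)
                sent.append(target)
            except OSError:
                # One blocked or unroutable path must not stop the other attempt.
                continue
    return sent


if __name__ == "__main__":
    # Constructed sample values (documentation address range, made-up MAC).
    print(send_wol("00:11:22:33:44:55", "192.0.2.255", "192.0.2.17"))
```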