Ghost Solution Suite

  • 1.  ISA Server, McAfee and GSS

    Posted Jul 11, 2007 05:31 AM
    Hi all,
     
    I was wondering if someone could help me with GSS.
     
    I run GSS server on a machine with Microsoft Server 2003, ISA 2004 and McAfee Virus Defense 8.5 installed. Prior to the installation of SP2 for Server 2003 (which bricked our machine the first time around) I had GSS running and correctly seeing clients in 3 different rooms. I had run the remote installation in these rooms, where I had come across the McAfee "allow IRC connections" problem.
     
    In room1 I have D-Link DFE-528tx network cards. Previous to GSS I used Ghost 8, and these cards were recognised and worked correctly with Ghost (that's the reason I used these cards). The backup was done via diskette and I used the network boot to grab the image. Now in this room, using GSS and the GhostCast server, I am actually able to make a backup of the machines. This part is relatively easy.
    I've made the backup and it's sat on a NAS box etc... However, when I come to restore this backup it point blank refuses. The client machine shuts down, boots into Ghost for a few seconds, then restarts. Once restarted it goes back into DOS where it displays the following message (or words to this effect):
     
    "Sending status to <Server ip>"
    "Status Aknowledged"
    "Sending status to <Server ip>"
    "Status Aknowledged"
     
    And on...
     
    And on...
     
    Yes, I've searched the website and the forums and Google, and whilst I can find a few posts and people with this exact issue, I have found no workaround that works for me.
     
    This scenario also exists in my 2nd room, which has Intel Pro 10/100 network cards, which have been supported by Ghost since I can remember... (a long long long time ago). I can ghost the image but I cannot restore it, which makes the product currently worthless to me.
     
    Now room3 is somewhat different... In this room I have 10 machines built by Systemax UK. These machines come with... VIA Rhine II Fast Ethernet Adapter. In previous versions of Ghost I could get these cards to mount the network share, but they posted various error messages. I could also ghost from this network share; however, the speed at which these cards transmitted data was a staggering 4mbs. This resulted in Ghost taking 6 days and 11 hours, give or take a day... (this is also the reason I replaced all network cards in room1).
    To try to resolve this issue I downloaded about 30 different versions of the NDIS drivers. While almost every version worked in the same way, Ghost was unable to automatically create the drivers for that card (you know, that option where you just select the file and it predefines all the params). It was this I assumed was at fault.
     
    However... forgetting all these issues, post Service Pack 2 I have now encountered another issue...
     
    My server can no longer view clients. To give you a rundown on what occurred...
     
    M$ released ISA SP2 wayyyyy back, and after this release they rolled out SP2 for Server 2003. Instead of placing in the release notes that users of ISA SP2 should install ADAM SP1 or Server 2003 would BRICK THEIR SERVER, they just released it as per usual.
     
    Thankfully I host all my data on an independent iSCSI NAS. Since the SP for ISA was released long long ago, my backup contained a flawed image. So I rebuilt.
     
    However, since rebuilding and updating the OS, then installing and updating ISA to SP3, Ghost no longer sees the clients. I have also installed McAfee AVD 8.5 (which is the Vista-compatible version).
     
    I have stopped McAfee from blocking IRC msg and I can remote install clients.
     
    And I see ISA Server blocking access to various UDP ports, one of which is external. Why is Ghost requiring access to external addresses? 229.55.150.208
     
    I also see ISA ignoring internal UDP broadcasts on ports... 1345 / 137 / 1346 / 6666-7777
    and TCP ports... 1346
     
    As stated in the FAQ, it ignores these ports and displays 'The operation completed successfully'. I see no denied messages displayed in my log for anything to and from the client IP and the server IP.
     
    And yet now I am unable to see any clients from the Ghost server.
     
    I would be most appreciative if someone could help, as I really need this thing working properly. I've already put it to the back of the pile for far far too long.
     
    Kind regards


  • 2.  RE: ISA Server, McAfee and GSS

    Posted Jul 11, 2007 07:21 AM
    That's quite a tale, and I can't help with all of it, but I can explain a couple of things. 229.55.150.208 isn't a "normal" IP address - it's a different kind of thing entirely, which is a multicast group ID.

    Originally the IP address system was divided up into 4 ranges; A, B, and C which had different division points between the "network" and "host" parts of the address, plus a fourth class D which was reserved for the future. Later on, class D was given over to multicasting, and instead of naming a specific host like the classic IP addresses did, class D addresses represent multicast groups which behave more like "channels" that hosts can subscribe to receive traffic from.

    In the case of 229.55.150.208, that's a particular multicast group ID we use to have the client machines locate their associated server. Other parts of the GSS system use different multicast addresses and different port ranges, but that one is used by the console machine. The console machine subscribes to that multicast group ID (which is done using a protocol called IGMP, which tells the switches and routers about the subscription), and then when the clients send to that address the switches and routers automagically send their query to the right place. So, that address is one that the server ideally needs to be able to listen to.

    For the imaging process, the Ghost clients and the GhostCast server negotiate to use a randomly-chosen temporary multicast channel just for the image transfer, and use the two fixed UDP ports 6666 and 7777 - since the GhostCast server aims to reduce traffic by sending data to all the clients at once, all the clients have to use the same port assignments, and the easiest way to ensure that is to use the same port numbers but vary the multicast group ID.

    In terms of the imaging process, right now you just have to configure any firewall you have not to block that traffic.


  • 3.  RE: ISA Server, McAfee and GSS

    Posted Jul 11, 2007 09:44 AM
    Thanks for the reply Nigel, I confess I was not aware it worked this way...
     
    I don't know if you have ever used ISA server, but it is incredibly... well, Microsoft. It takes things rather literally.
     
    ISA would assume that this particular multicast ID was in fact an IP address. Off the top of my head I don't believe there is any way to suggest to ISA that it is not. So would I be correct in thinking that I should allow the internal network (specified by a range in ISA) to access that particular IP address? Or does that address require access to internal as well?
     
    I could simply add the address as part of the local network, but that could compromise the internal network at some point, as ISA would literally allow all traffic from that IP, even if spoofed...
     
    I can restrict traffic and protocols over this range, however. But what ISA doesn't contain (so far as I can see) by default is IGMP. Since the specification for something like DHCP (request) is just UDP port 68 send, I would assume IGMP is of a similar ilk? It must just be ports based on either TCP/IP or UDP and I am unable to find which.
     
    I pretty much created a 'Ghost' protocol which was a list of ports and allowed access to this protocol from all protected networks to all protected networks. However, ISA considers 229.55.150.208 as part of the 'external' network.
     
    Do I need to enable traffic to and from this range? I could then add it as another network and only allow the ports I specify.
     
    It seems strange to me that M$ have not added IGMP by default in ISA.


  • 4.  RE: ISA Server, McAfee and GSS

    Posted Jul 12, 2007 12:37 AM
    Ah, you've jogged my memory the right way now - I have looked at ISA server in the past, but it's the kind of experience you tend to blank out. If memory serves the TCP/IP stack in ISA server bears no resemblance to a stock one in any other OS, and it's pretty much unaware of the existence of multicast at any level.

        Since the specification for something like DHCP (request) is just udp port 68 send i would assume IGMP is of a similar ilk? It must just be ports based on either TCP/IP or UDP and i am unable to find which.

    Actually, IGMP is not a protocol on top of IP like UDP or TCP. As the IGMP RFC says, in the introduction:

        Like ICMP, IGMP is a integral part of IP.  It is required to be
        implemented by all hosts wishing to receive IP multicasts. IGMP
        messages are encapsulated in IP datagrams, with an IP protocol number
        of 2.

    My hazy memory of the last time I tried to make sense of ISA is that it simply isn't capable of working in any way whatsoever with multicast traffic. That means turning off all the use of multicast in the console, and if you have to do that then the clients and the console need to find each other using the WINS (aka NetBIOS nameservice) protocol instead. I do hope to have other alternatives in future versions, but WINS is the only alternative as it stands now.

    The basic Ghost cloning tool can also find manual GhostCast sessions using WINS instead of multicast, and the actual image transfers in GhostCast will have to use the subnet-level broadcast transfer mode instead of multicast.
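    The two points Nigel makes in replies 2 and 4 (a class D address such as 229.55.150.208 names a group, not a host, and the IGMP join that subscribes to it rides directly inside an IP datagram with protocol number 2, so a port-based firewall never sees a TCP or UDP port to match) can be checked with the following added Python example; it is not code from the thread or from GSS, the group address comes from the thread, and the 8-byte IGMPv2 layout follows RFC 2236.

```python
import ipaddress
import socket
import struct

GHOST_CONSOLE_GROUP = "229.55.150.208"  # discovery group named in the thread
IGMP_PROTO = 2                          # IP protocol number that carries IGMP


def is_multicast_group(addr):
    """True for class D (224.0.0.0/4) addresses: a group, not a host."""
    return ipaddress.ip_address(addr).is_multicast


def inet_checksum(data):
    """One's-complement checksum shared by IP, ICMP and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2_report(group):
    """8-byte IGMPv2 Membership Report (type 0x16, RFC 2236) for `group`.

    This is the message a subscribing host emits; it sits directly in an
    IP datagram with protocol number 2, so there is no port to filter on.
    """
    if not is_multicast_group(group):
        raise ValueError("%s is not a class D group address" % group)
    body = struct.pack("!BBH4s", 0x16, 0, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmpv2(packet):
    """Return (message_name, group) after verifying the IGMP checksum."""
    if len(packet) != 8 or inet_checksum(packet) != 0:
        raise ValueError("bad IGMPv2 packet or checksum")
    igmp_type, _, _, group = struct.unpack("!BBH4s", packet)
    names = {0x11: "query", 0x12: "v1-report", 0x16: "v2-report", 0x17: "leave"}
    return names.get(igmp_type, "unknown"), socket.inet_ntoa(group)


if __name__ == "__main__":
    report = build_igmpv2_report(GHOST_CONSOLE_GROUP)
    print(report.hex(), parse_igmpv2(report))
```

    A firewall rule set that only enumerates TCP and UDP ports (the 'Ghost' protocol built in reply 3) therefore cannot describe this join; the datagram has to be permitted by IP protocol number.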


  • 5.  RE: ISA Server, McAfee and GSS

    Posted Jul 12, 2007 12:04 PM
    Ok...
     
    Apparently ISA was 'filtering' WINS resolution on my particular installation. There is a bug with RSS (Receive Side Scaling) when switched on.
     
    "PPTP access would be stopped in its tracks due to the RSS bug. See my blog post on how SP2 can destroy your ISA Firewall! You might also find that your publishing rules and more do not work."
     
    Completely obliterated WINS on the ISA server (and strangely only the ISA server). So the Ghost Console could not resolve via multicast or WINS. The fix for me:
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
     
    Set the Value EnableRSS=0
    You may/may not need to create this. And then reboot.
     
    The second I rebooted, all my clients showed up... However, I'm still experiencing the error on restoring images.
     
    I execute the restore task.
    The machine reboots into Ghost.
    It says Sync with 'server name' and pullxx.
    Then it goes to a black screen, does a load of text which looks like a stack, and then reboots.
    It then goes back into DOS and has:
     
    Sending status to: 100.0.0.40:1347
    Aknowledged by: 100.0.0.40:1347
     
    Over and over and over... and over.
     
    I see nothing in the GhostCast server for incoming clients.
     
    Any ideas?


  • 6.  RE: ISA Server, McAfee and GSS

    Posted Jul 16, 2007 06:43 AM
              Throttle byte count limit[7] = 0
              Bound RML socket to 0.0.0.0:16560
              Setting multicast scope to 16
              State was 0, now 1
              Bound TCP socket to 0.0.0.0:16561
              Bound UDP socket to 0.0.0.0:6666
              Interface <second nic Public IP> (0) ws2AddMembership succeeded
              Interface 100.0.0.40 (1) ws2AddMembership succeeded
     340783500 R:   LEN: <277>  SESSION: <SWDT2K3PUSH29> FROM: <100.0.0.194:1025>
              S:   LEN: <260>  SESSION: <SWDT2K3push29> TO: <100.0.0.194:1025>
     340783796 T0: Couldn't write: Bad file descriptor.
     
    The clients that are ghosting reboot, poll for the bound server, load into Ghost, initialise IP and the packet driver, then attempt to contact the push session, then reboot.
     
    It then reboots back into PC-DOS and sits at Sending status / Status acknowledged by, over and over again.
     
    The only way to get this PC back into Windows and get the error log generated is to Ctrl+C the task in DOS. This ends the ghosting session and generates the log file, and then the PC goes back into Windows.
     
    The annoying thing is I have 16 machines with identical hardware (everything is the same make and model), and on the 1st machine I tried it wouldn't clone without being given a computer configuration. So I set one and then it worked perfectly. I even did multiple ghosts to check (it's completed 5 flawlessly).
     
    So then I tried it on L1-2 (the 1st was L1-1 etc...) and it rebooted as if it were about to send / receive stick, but it went into Ghost and did the clone fine. So then I tried it on L1-3 and it refuses to ghost, same with 4 and 5.
     
    It just sits at this send/receive screen indefinitely. I even left one running over the weekend.
     
    I've tried unicast / directed and multicast. Don't know of much else to try.

    Message Edited by wintermj on 07-16-2007 03:43 AM



  • 7.  RE: ISA Server, McAfee and GSS

    Posted Jul 17, 2007 08:58 AM
    Thanks for that log fragment; that "Bad file descriptor" log message is really an attention-grabber. However, I'm still at something of a loss to really know what is causing it given that the ISA Server's TCP/IP stack is so unusual.

    I suspect that we should try and set one up here to see what we can see, since it may be that whatever is going on could be recoverable somehow, and it's just that we need to discover what ISA is throwing at us to try and know how to respond properly to this when it happens.

    I'll need to have a chat with our QA folks about this - they've been pretty busy over the last week but I can ask to have someone volunteer to try this here.