9. Dec 2008

Distribute Windows XP VPN-settings

As our Oslo branch has been gradually shut down, we now have very few (but some) users left in Oslo. Our office there has always been connected to the branch in Fredrikstad, where all our servers reside, through a firewall-level VPN link that makes connections across the two subnets pretty transparent. Since so few users are left in Oslo, however, we’ve decided to cancel the inet line subscription and connect them to sister companies in the same building, where other policies apply and a bridge between networks is out of the question.

We’ve had a VPN available for users working remotely for quite some time already, thanks to our beloved Dlink DFL-800’s. The challenge now was that we’d like to make the transition to client-based VPN links as easy and invisible for our users as possible.

Our Windows XP VPN-configuration required several custom, non-standard settings (such as no ‘Use default gateway on remote network’) in order to work, and we couldn’t expect our users to know these things. Most sysadmins tend to create a frustratingly long guide with lots of screenshots to make sure the user will set up a connection properly, but these easily become too complex and all in all pretty demotivating for the average user. Creating such a guide was not an option for us, as it would by itself ruin our goal of making the transition almost invisible to users.

Hoping that I could find a way to export these settings, then distribute them to our users, I googled and googled. I couldn’t find a good way to do this from the command line either (you do have rasdial, but it didn’t cover nearly all my needs).

After a lot of searching I came across some forum post (my apologies to the author of it for losing the URL) about a file called rasphone.pbk. And yes, this was what I was looking for, indeed. That’s where all the magic is stored!

So, here goes, “How to distribute VPN-settings to multiple users”:

As mentioned, the file we’re looking for is called rasphone.pbk and can be found in C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk by default on a Windows XP English install.

Each VPN-connection has a pretty long entry in this file, so it’s important that you copy the file out, open your fresh copy in a text editor and edit out all other connections. Username, password and domain are not stored in this file, so no need to worry about clearing them!

VPN-connections are identified by [ ] around their name, and all lines until the next name between [ ] belong to that VPN-connection. When you’ve edited out all other connections you can in fact distribute this file to others. When they double-click it they will be able to load VPN-settings on the fly.

Problem solved one might think, but no. Windows XP will not add this information to connections, so it’s not a persistent solution. My take on this was that I’d have to append my .pbk-file to the existing one. This was accomplished with a neat little bat-file:


echo. >> "%allusersprofile%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
type YourVeryOwn.pbk >> "%allusersprofile%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"

The first echo puts in a newline to make sure we’re moving onto a separate line.
The second command, type, works pretty much like cat under Linux; it writes the given file to standard output. We then append this to rasphone.pbk with >>.

Please note that I use %allusersprofile% here, as you do not have an environment variable available that goes directly to the Application Data directory of All Users (you have %appdata% for regular users). Because the “Application Data” part of the path is hard-coded, the bat will not work under localized versions of XP. My solution for this was to create another bat for those who run a Norwegian version of XP.

Another note: after the bat has been run you’ll have to right click and select Refresh in your Network Connections overview for the new connection to appear. Once this has been done it’ll be available as any ordinary created VPN-connection.
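
The two manual steps above (cut the phonebook down to one connection, then append it on the client) can be scripted so that a second run does not add a duplicate entry. This is an added example, not code from the original post; the function names and the sample phonebook are constructed for illustration, and entries are treated as opaque lines.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]\s*$")  # a "[Name]" line starts an entry

# Constructed, abbreviated sample; a real entry has many more lines.
SAMPLE_PBK = (
    "[Home ISP]\r\nType=1\r\nPhoneNumber=5550100\r\n\r\n"
    "[Office VPN]\r\nType=2\r\nIpPrioritizeRemote=0\r\n"
    "PhoneNumber=vpn.example.com\r\n"
)

def split_entries(pbk_text):
    """Return {entry name: [lines]} in file order."""
    entries, current = {}, None
    for line in pbk_text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            entries[current] = [line]
        elif current is not None:
            entries[current].append(line)
    return entries

def extract_entry(pbk_text, name):
    """Text of a single connection, ready to distribute on its own."""
    entries = split_entries(pbk_text)
    if name not in entries:
        raise KeyError("no connection named %r" % name)
    lines = entries[name]
    while lines and not lines[-1].strip():  # drop trailing blank lines
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def merge_entry(target_text, entry_text):
    """Append entry_text to target_text unless that name is already present.

    Returns (new_text, changed)."""
    name = next(iter(split_entries(entry_text)))
    if name in split_entries(target_text):
        return target_text, False
    # Same job as the bat's "echo.": make sure we start on a fresh line.
    sep = "" if (not target_text or target_text.endswith("\n")) else "\r\n"
    return target_text + sep + entry_text, True

if __name__ == "__main__":
    vpn = extract_entry(SAMPLE_PBK, "Office VPN")
    merged, changed = merge_entry("[Existing]\r\nType=1", vpn)
    print(changed, list(split_entries(merged)))
```

Keeping only the named entry also ensures that no other connection from the admin's own phonebook ends up in the file that is handed out.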

I’ve begun looking at Nullsoft Scriptable Install System (NSIS) to ensure Vista support and automate it further; localization will not be a problem there as you have $APPDATA depending on your ShellVarContext. I’ll most certainly publish my NSIS source code here if I decide to go down that route.

In addition to appending VPN-settings I also encountered a problem with our internal DNS not being available, so our mailserver and more would not be available for Outlook once the DNS cache had been flushed. This wasn’t much of a problem though; I just threw in some extra lines in my bat that append the necessary DNS overrides to Windows’ hosts-file:


echo. >> "%systemroot%\system32\drivers\etc\hosts"
echo #### MyCompany Mailserver #### >> "%systemroot%\system32\drivers\etc\hosts"
echo 10.0.0.1 mailserver >> "%systemroot%\system32\drivers\etc\hosts"
echo 10.0.0.1 mailserver.domain.local >> "%systemroot%\system32\drivers\etc\hosts"
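
The echo lines above append unconditionally, so running the bat twice duplicates the block, and a machine that already maps one of the names to another address ends up with two competing lines. The check below is an added example, not code from the original post; the function names are constructed, and the hostnames and addresses are the ones used above.

```python
def parse_hosts(text):
    """Map each hostname (lower-cased) to the first address listed for it."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, split on blanks
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def add_overrides(text, wanted, label):
    """Append only the missing (name, address) pairs under a comment banner.

    Returns (new_text, added, conflicts); a conflict is a name that is
    already mapped to a different address and is left untouched."""
    have = parse_hosts(text)
    added, conflicts = [], []
    for name, addr in wanted:
        current = have.get(name.lower())
        if current is None:
            added.append((name, addr))
        elif current != addr:
            conflicts.append((name, current, addr))
    if not added:
        return text, added, conflicts
    out = text if (not text or text.endswith("\n")) else text + "\r\n"
    out += "#### %s ####\r\n" % label
    out += "".join("%s %s\r\n" % (addr, name) for name, addr in added)
    return out, added, conflicts

WANTED = [("mailserver", "10.0.0.1"), ("mailserver.domain.local", "10.0.0.1")]

if __name__ == "__main__":
    # Constructed sample hosts content with one stale mapping.
    sample = "127.0.0.1 localhost\r\n10.0.0.9 mailserver\r\n"
    new_text, added, conflicts = add_overrides(sample, WANTED, "MyCompany Mailserver")
    print(added, conflicts)
```

Reported conflicts are worth reviewing by hand, since a stale static mapping in the hosts file keeps overriding DNS until someone removes it.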

Have a blast distributing VPN-settings!


3. Nov 2008

Windows update not working after SP3

So, a while back, more specifically when Microsoft pushed XP Service Pack 3 onto Windows Update, we started experiencing some problems. After SP 3 had been successfully installed, all attempts to update via Windows Update failed. A couple of friends who work in other organizations reported the same problems.

After some extensive research I found out that Microsoft had upgraded Windows Update in SP 3, which to me seemed like a plausible source of the problem.

I checked my version only to find that I ran the old one; something wasn’t right. So, after deep diving into my %systemroot%\system32\ folder I spotted the dll file for the new version, wups2.dll. Since it had not been loaded properly I decided to engage in some trial and failure.

Suspecting that the installation of Windows Update 2 had failed at some point I took a shot in the dark and tried to register the dll so Windows would recognize it. And voila, it worked!

I am aware that there are fixes available from Microsoft for this issue, but if you’d like to save yourself some time try this little hack (it requires administrative rights on the machine you’re fixing):

Hit start, run and type cmd to bring up a command line prompt.

First you’ll have to stop the Windows Update service. Type “net stop wuauserv” and press enter.
Second, and this is the magic, register wups2.dll. Type “regsvr32 %systemroot%\system32\wups2.dll” and press enter.
If all goes well you’ll now be able to restart Windows Update with “net start wuauserv”.

Hooray!
