VASS v The Real World

For those fortunate enough never to have heard of VASS, it’s a site maintained by VCAA where school administrators can enrol students in VCE/VET courses and record results. While I’ve no doubt that the service the site provides is essential for our school and students, the site itself, with its browser restrictions and configuration requirements, makes accessing the VASS website from anywhere impossible.

While VCAA have recently published their requirements for Windows 7 and Internet Explorer 9, they have only supported IE9 since January 2012, a lethargic ten months after the IE9 release.

While we currently use a GPO dedicated to the VASS browser settings for our SOE desktops, we weren’t prepared to wait for VASS to support IE9 before we updated our fleet of staff tablets to the latest browser. 

This time last year we were trialling RemoteApp for remote access to Synergetic, our school database system. We had an immediate need for our VASS Coordinator to access the VASS web site and obviously had problems after the IE9 update.

This week we were challenged again when we were asked to add RemoteApp VASS for two other members of staff. The challenge was with VASS’ ridiculous requirement for a unique USB dongle for each VASS user. We’d overcome this with our original VASS user by adding a floppy drive to the RemoteApp virtual server and using WinImage to create a virtual floppy disk from the USB dongle. The problem was that our VASS RemoteApp solution was limited to a single user!

Our RemoteApp server is running Windows Server 2008 R2 64bit with Internet Explorer 8 and already has the ridiculous VASS browser settings applied.

We started by using WinImage to take copies of the two new USB dongles and copied the FLP files to the RemoteApp server.


The next step was to create a batch file to check the logged-on user for the VASS RemoteApp and load a virtual floppy with that user’s USB dongle. Since the virtual floppy in VMware wasn’t an option for 3 different users, we found a utility called IMDISK which was perfect, since it works on 64bit Server 2008 R2 and has the benefit of only being visible to the logged-on user, so these VASS users would only be able to see their own “USB Dongle”, not all three.

Now, remembering that RemoteApp is just a clever way of using an RDP session into a server, we could use %username% in our batch file so IMDISK would load the desired virtual floppy:

rem imdisk -d -m A:

if %username% == user1 imdisk -a -f c:\vass\user1vass.flp -s 1440K -m A:
if %username% == user2 imdisk -a -f c:\vass\user2vass.flp -s 1440K -m A:
if %username% == user3 imdisk -a -f c:\vass\user3vass2.flp -s 1440K -m A:

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

NOTE: The first line (commented out with rem) dismounts any virtual floppy mounted at A:. This seemed to be a little unreliable: the virtual floppies seemed to get stuck unloading and wouldn’t reload. Leaving it out didn’t seem to be an issue with the way the RDP sessions work on the RemoteApp server.

The last line of the VASS.CMD file loads the 32bit version of IE8 (remembering that the 64bit version is not supported by VASS) on the RemoteApp server and goes straight to the VASS login page.

The last step was to create a new RemoteApp pointing to VASS.CMD and distribute the new RDP file to those users.
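As an added example (not the original VASS.CMD from the post), here is a version of the same idea that fails closed instead of launching IE when no dongle image exists for the logged-on user, mounts the image read-only so a session can’t alter the shared copy, and dismounts it when IE exits. It assumes imdisk.exe is on the PATH, that images are named %USERNAME%vass.flp under C:\vass (the post’s user3vass2.flp would need renaming to fit), and the VASS URL is a placeholder to be replaced.

```batch
@echo off
rem Added example, not the post's original VASS.CMD.
rem Assumes: imdisk.exe on PATH, images stored as C:\vass\<username>vass.flp,
rem and VASSURL replaced with the real login page (placeholder below).
setlocal
set "IMGDIR=C:\vass"
set "IMG=%IMGDIR%\%USERNAME%vass.flp"
set "VASSURL=https://vass.example.invalid/"

rem Fail closed: no image for this user means no VASS session, rather than
rem falling through to IE with whatever happens to be mounted at A:.
if not exist "%IMG%" (
    echo No VASS dongle image found for %USERNAME%. Contact IT.
    exit /b 1
)

rem Force-detach anything a previous session left behind at A: (errors ignored).
imdisk -D -m A: >nul 2>&1

rem Mount this user's image; -o ro keeps it read-only. Drop "ro" if the
rem site needs to write to the dongle.
imdisk -a -f "%IMG%" -s 1440K -m A: -o ro
if errorlevel 1 (
    echo Could not mount "%IMG%" at A:.
    exit /b 1
)

rem /wait keeps the script alive until the 32bit IE closes, so the
rem dismount below runs at the end of the session.
start "" /wait "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %VASSURL%

rem Normal detach now that IE has exited.
imdisk -d -m A: >nul 2>&1
endlocal
```

Because each RemoteApp user gets their own session, the A: drive created by imdisk is only visible to that session, which is the property the post relies on; the check at the top just makes sure a mis-typed username never results in an IE session with a different user’s dongle.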


With this in place, it only takes a couple of minutes to add a new VASS user by taking an image of their USB dongle and updating the VASS.CMD file, and we’re looking forward to a Windows 8 / Internet Explorer 10 rollout later this year, knowing that VASS won’t be holding us back!

Sonicwall NetExtender SSLVPN and Windows 8

After an email exchange with James Hiscott and some hard work on his behalf, James has an update: Sonicwall have released an updated version of NetExtender. Read James’ post here.

Like most people we’re keenly testing the pre-RTM releases of Windows 8 and evaluating new hardware from HP to work out what we’d like to use for staff and students next year. Currently I have Windows 8 CP on an HP Folio13 and really like how it’s working for me. The only problem has been getting the Sonicwall SSLVPN client to work on Windows 8, which for the last week has stopped me from ditching my 2740p tablet and making the Folio13 my sole mobile device.

After a few attempts at the NetExtender install it completed successfully after I installed *all* the drivers for the Folio13 from the HP site.

That got me excited and I thought I was all set: I tested the SSLVPN client and it authenticated, connected and looked like it was working. It wasn’t until later that evening, when I went to use the VPN, that I realised it wasn’t working at all; even though the connection looked fine, no network traffic was being received by the VPN client.


A little digging this morning through the log and debug log files indicated an issue with the routes being added when connecting the VPN.

Log File

Debug Log File

By running route print I could see that the Sonicwall NetExtender was interface 38.

Open the Properties window for the NetExtender.


Add the required routes to the bottom of NxConnect.bat.


Funnily enough, you don’t seem to need the route delete commands in NxDisconnect.bat.

route DELETE
route DELETE
route DELETE

And finally, you need to change the privileges on the NetExtender shortcut so it runs with administrator privileges. If you have NetExtender as a startup program, go to

C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu

Right-click on the shortcut and tick the box for “Run this program as an administrator”.
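As an added example (not the NxConnect.bat from the post or from Sonicwall), this is the kind of addition I’d put at the bottom of NxConnect.bat: it reads the NetExtender interface index out of route print rather than hard-coding 38 (which can change after a driver reinstall), and adds only the internal subnets the client needs instead of a catch-all route. The subnets and gateway are constructed placeholders, and the adapter name matched by findstr is assumed to contain “NetExtender” as it does in the interface list.

```batch
@echo off
rem Added example for the tail of NxConnect.bat; not the post's own routes.
rem Needs the shortcut to run as administrator, as the post describes,
rem because "route ADD" requires elevation.
setlocal
set "IFIDX="

rem The interface list in "route print" looks like:
rem  38...00 ff 12 34 56 78 ......SonicWALL NetExtender
rem Split on "." and space so the first token is the bare index.
for /f "tokens=1 delims=. " %%i in ('route print ^| findstr /i /c:"NetExtender"') do (
    if not defined IFIDX set "IFIDX=%%i"
)

if not defined IFIDX (
    echo NetExtender interface not found in route print; no routes added.
    exit /b 1
)
echo NetExtender is interface %IFIDX%

rem Placeholder: the address the SSL-VPN assigns to this client, as shown
rem by route print once connected. Replace before use.
set "VPNGW=192.0.2.1"

rem Constructed placeholder subnets: route only what must cross the tunnel,
rem so general internet traffic stays on the local connection.
route ADD 10.10.0.0 MASK 255.255.0.0 %VPNGW% IF %IFIDX%
route ADD 10.20.0.0 MASK 255.255.0.0 %VPNGW% IF %IFIDX%
route ADD 172.16.5.0 MASK 255.255.255.0 %VPNGW% IF %IFIDX%
endlocal
```

The routes are added without -p, so they are not persistent and disappear with the interface when the VPN disconnects, which matches the observation above that NxDisconnect.bat doesn’t seem to need matching route DELETE commands.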


After all of that my NetExtender settings seemed to be reliable and working the same as my Windows 7 devices.

PXE Booting Shadow Protect

If you’ve purchased a copy of StorageCraft’s ShadowProtect and have a copy of their ShadowProtect CD, you may not realise that the ISO contains a WinPE WIM image that you can use to PXE boot ShadowProtect over the network.


Currently, we’re using Altiris 6.9 for image deployment and use the Altiris PXE service, but the ShadowProtect BOOT.WIM will work with any PXE boot server that supports WinPE.

To add the ShadowProtect boot image in Altiris, open the PXE Configuration Utility and add a New Boot Menu Option.


From here you can select the ShadowProtect BOOT.WIM, but I found that to be unreliable in Altiris 6.9. I ended up getting it to work by adding an Altiris WinPE boot image that Altiris had created, then replacing the Altiris boot image with the ShadowProtect BOOT.WIM in Windows Explorer.


To replace the default Altiris BOOT.WIM, take note of the “Final Location on PXE Server” on the menu option you’ve just created and browse to the file location on your deployment server, in our case:

C:\Program Files\Altiris\eXpress\Deployment Server\PXE\Images\MenuOption163\X86PC\sources


Simply replace the existing BOOT.WIM with the file from the ShadowProtect ISO and you’re finished.

Next time you network boot a device, press F8 at the PXE menu to see all the menu items and ShadowProtect will be there!

The ShadowProtect ISO has drivers included for a lot of network cards, but if your device is fairly recent you may need to add NIC drivers after the ISO has loaded before you can back up a disk over the LAN.

Pushing Microsoft Interactive Classroom

The Microsoft Interactive Classroom is a nifty tool for teachers to share their PowerPoint presentation with students running OneNote.

“With Microsoft Interactive Classroom, students participate like never before while staying up-to-speed on instructor notes. It gives educators the power to add in-class polling and to share lessons over a wireless network. If a teacher updates a presentation, students capture the notes in real-time via Microsoft OneNote.”

Our staff trainer presented this to the teachers last night, and with 460 student netbooks on campus and another 320 coming in December, it should get a bit of use.

We extracted the files from ICSetup.exe and used Altiris to push the InteractiveClassroom_O14.en-US_x86.MSI silently to our staff tablets and student netbooks. PowerPoint and OneNote gain an Academic menu which in PowerPoint is used to start a shared preso, and in OneNote is used to connect to the preso.

Even though we have separate VLANs for staff and students, it was easy to get the machines talking to each other over the network. Most traffic seems to be over port 80, which is what we have allowed. The only restriction is that students have to manually enter the name of the staff machine to join the session.

HP Slate 500 for the Enterprise

This week we’ve had an HP Slate 500 to try out and see how we like it for staff and students. Since the release of the iPad we’ve been under pressure from all and sundry to purchase some and put them around the school, especially in the junior years. The iPad’s consumer focus makes it a nightmare on the network, and the concessions that a systems administrator has to make between device permissions, network authentication and wireless security make it a high-maintenance device. We’ve been looking forward to the Slate 500 for some time, knowing that Windows 7 Pro will work perfectly on the network, and hoping that it will be an equivalent device to the iPad: what it may lack in style is certainly made up for in substance.

While I’ve been happy with the Slate 500 there have been a few disappointments. Only having one USB port on the device is limiting. There have been a few times already where I’ve wanted to attach combinations of an external keyboard, mouse, memory stick and iPod, and have had to find the dock, which has another two USB ports. Adding one more USB port to the device would make a huge difference.

The onscreen keyboard in Windows 7 could be better too. Having an option to remove the row of numbers and punctuation keys, to make it similar to the iOS keyboard, would allow the keys to be larger and the keyboard to occupy less real estate on the screen. The onscreen keyboard can be resized, but when reduced to a reasonable size the keys are unfit for the ham-fisted.

It’s also disappointing that software on Windows 7 isn’t touch friendly. If I had a Slate 500 I’d hit IE9 and a PDF reader fairly hard, and so far it’s been a mediocre experience. Because iOS apps rely on touch, they are typically touch friendly; the only exception being a horse racing app that I had for about 5 minutes that looked like it was made for Windows 3.1, which was fairly amazing. It’s probably safe to assume that as more Windows-based tablets appear, the OS and software will gradually catch up and become touch and gesture friendly.

Anticipating a purchase of Slate 500 devices, we would want to image and control the devices through Altiris. Neither the device nor the dock is equipped with an ethernet port; however, the HP USB Ethernet Adapter may PXE boot for Altiris, according to Rick on the forums.

The Slate 500 is essentially the same, performance wise, as the 5101/5103 netbooks that we’ve been using for the students, with a slightly smaller LCD and screen resolution. The battery life is supposedly up to 5hrs, but I haven’t had the chance to confirm.

It seems that we’ll certainly get a handful and put them in the hands of teachers, students and executive staff to see how they compare to our fleet of netbooks and tablets, and whether they are a worthy replacement, or an additional tool.

I’d like to see an app for Windows Slate machines where the slate can act as a second screen for a PC/notebook. Then when I’m working on my tablet, I can find the information on the web that I need, flick that browser window to the slate. Then I can read instructions and work on my tablet without having to Alt-tab. That would be superb.

HP Networking PCM–VLAN MAP

This week we’ve been rolling out more Mitel VOIP handsets and had to make sure we had the Voice VLAN pushed out to all the switches and check the tagging on the uplinks to make sure the handsets would all connect properly.

After an hour of chasing VLAN tagging via the CLI I thought I’d better see if there was a smarter way to check the switches and fired up ProCurve Manager Plus. Under Default Management Group –> Network Map –> VLANS you can select the VLAN number that you want to check and PCM will show a network map with the switches that have that VLAN tagged and show you how those switches are connected to each other. Or, more importantly, not connected.

The screen capture above shows our VOIP VLAN and that I tagged all the right ports to connect the PE switch, but missed the VOIP tagging between the Queens Wing switch and the core. Easy to spot in PCM and just as easy to fix, and one less problem to fix once the handsets are rolled out.

When I paid Adam (@DJADSA) a visit last week I noticed that he’d labelled important interfaces on his switches. When I was wondering which ports from the 5400 to tag for the edge switches, it occurred to me that we could be more organised with our switches and do something similar. Having that sort of documentation on the network ports/trunks/uplinks would save time when quickly adding new VLANs etc., and would save time troubleshooting other network issues.

From the CLI:

interface A10 
   name "WirelessAP"
interface A20
   name "10Gb Uplink from Core"

Radius – Server 2008 R2 NPS

We’ve been using NPS on Server 2008 for a while now and it’s been perfect for handling 802.1x authentication (EAP-TLS) and radius auth from the HP WESM in the 5400zl. The radius setup for the HP Wireless Edge Services was pretty easy; it only needs radius clients for the Primary WESM and any Redundant WESMs.

Now that we’re adding another 50-70 E-MSM422 APs for the MSM765 controller we need to add radius clients for each AP. After a conversation with Adam (@DJADSA) we worked out that we were going to hit the 50 radius client limit in Server 2008 Standard. Adam showed me a couple of neat tricks with their NPS configuration that would save us a tonne of time and are new additions to R2!

The first trick was adding a subnet range for radius clients instead of adding a radius client for each AP individually. Adding the IP/CIDR and shared secret will let all devices in the range talk to the NPS server.


The next tip from Adam was with the Accounting in NPS. We’d tried to get SQL logging to behave in Server 2008 a few times and failed miserably. The NPS application in 2008 would connect to a SQL database but wouldn’t create the structure etc. There was a SQL script on the web that would create it for you, but we didn’t have any luck getting it all to work properly. 2008 R2 has a new wizard for setting up NPS accounting, and the final stage of the wizard gives you the option of creating the SQL structure of the database. Very tidy.


With SQL logging enabled it gives us the option of writing a web part or two for SharePoint to let staff know which users are connected where, and lets us easily run scripts to find client/authentication problems.

MSM765 SNTP Time Sync


This week we’ve been reconfiguring our MSM765 wireless controller and adding some new features for Students and guests to the School. With our old ZL WESM we were able to have a VLAN on the wireless network with an HTML based login, which allowed the students to use their own machines on the wireless network with their AD credentials. We wanted to replicate this setup on the MSM by using HTML-based user logins and still use their AD logins. We hit a problem when we tried to configure the Active Directory Authentication on the controller because the time on the controller wasn’t in sync with the 5400 chassis or the domain!

When we checked Controller –> Management –> System Time, we could see that the time was incorrect, but there was no option to change it or specify an NTP server. The command line reference for the controller (MSM7xx-CLI-RG-May09-5992-5933.pdf) gave a few clues on how to set the SNTP server and get the controller connected to our Windows time server.

Connecting the terminal to the 5400 with the controller (the MSM is in Bay I):

BGSCore(config)# services  I 2
BGSCore(msm765-application-I)> enable
BGSCore(msm765-application-I)# conf
BGSCore(msm765-application-I)(config)# ntp protocol sntp
BGSCore(msm765-application-I)(config)# ntp server 1
BGSCore(msm765-application-I)(config)# ntp server

The time sync’d straight away and made the connection to AD without a hitch.


Sonicwall’s Application Firewall and blocking BitTorrent

We’ve just updated the firmware on our NSA 4500 and have started playing with the Application Firewall and DPI-SSL (Deep Packet Inspection of SSL traffic). The 4500 is a Layer 7 firewall and the application firewall feature lets you do some pretty tricky filtering. We’ve noticed that some of the student machines coming in for repair have BitTorrent clients installed. At the moment that sort of traffic is blocked by our ISA firewall/proxy, which is the gateway for the Student Netbook VLAN, but we want to remove that over the next few months because it causes a bottleneck for heavy traffic, like heavy ClickView use. When we remove ISA we can either use the Sonicwall or ACL rules on the ProCurve 5400 (or both) to filter the traffic between the netbooks and the rest of the world. After the firmware update, with the addition of DPI-SSL, it seemed like a good chance to see how good the filtering was on the NSA4500.

Before creating the new application firewall policy, I had to create an object for the BitTorrent traffic. The Sonicwall has an IDP category for all P2P traffic which has signatures for many P2P applications. You can block traffic for particular applications, e.g. only block Azureus and allow other BitTorrent clients.


With the Application object defined, we can create the policy. In this case we wanted to stop all BitTorrent traffic; however, it’s possible to exclude addresses and/or users, which would be handy with the SSO. The rule will look for any traffic deemed to be P2P going through the Sonicwall and will drop the packets. Nice and easy.


Any requests that match the rule are blocked and can be checked in the log view, which can be filtered by application firewall.


Setting up uTorrent on a test machine and queuing up some files showed that the rule was working properly and not allowing any traffic to get through. The Sonicwall not only blocked the file transfer but also the attempts to look for other peers etc.

The combination of the application firewall and DPI-SSL would also prevent this traffic from running over secure ports or SSL VPN type setups.

Application firewall rules can also be configured to shape traffic to/from any site on the web. At the moment we’ve configured a rule to shape traffic to megaupload and other download sites that work over port 80, and depending on Facebook traffic that could be a contender too. Another type of rule that was described in some Sonicwall promotional guff was a rule to catch IE6 traffic and redirect it to a warning page to upgrade your version of IE. That rule sounds like a good idea; I think that might be my next one.

BSOD Shenanigans and Minidump files

Since we imaged our 2740p Tablets with our Windows 7 SOE two weeks ago, we’ve had a few problems with machines blue screening on shutdown and hadn’t been able to work out which application or driver was causing it. When a machine BSODs it creates a minidump file with debugging information about why Windows crashed. Usually we can work out what’s caused the BSOD and fix it without having to check the minidump, but this one had us stumped.

Downloading Windows Debugging Tools and the Windows SDK sounded like a massive effort for checking the contents of a file, but in the end, it turned out to be nice and easy. PCHell has a nice Step-by-Step guide to viewing minidump files and after downloading and installing the debugging tools, all we had to do was run WinDbg and open the last minidump file to see that NIPALK.SYS was the offender.


WinDbg doesn’t make you trawl through useless info to get to the offending driver; the info you need is at the bottom of the dump analysis, labelled “Probably caused by”!

A search of the computer found NIPALK.SYS in the C:\Windows\System32\drivers folder, and a Google search found lots of results for Labview and Robolab. Since Robolab is in our SOE, we quickly removed it from the system and that seems to have fixed the BSOD issues on shutdown. Looks like we might need to update to the latest version of Robolab for our next SOE 🙁
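As an added example (not from the post or from PCHell’s guide), here is a batch file that does the same “Probably caused by” lookup across every minidump on a machine using kd.exe, the command-line debugger that ships with the Debugging Tools alongside WinDbg. That saves opening each .dmp in the GUI when a whole fleet of tablets is blue-screening. It assumes the Debugging Tools install path shown below (adjust for your SDK version) and that the machine can reach the Microsoft symbol server for a first run.

```batch
@echo off
rem Added example, not the post's own procedure: summarise every minidump
rem in C:\Windows\Minidump with kd.exe and keep only the lines that name
rem the suspect driver.
rem Assumes kd.exe at KD below (standalone Debugging Tools install path).
setlocal
set "KD=C:\Program Files\Debugging Tools for Windows (x86)\kd.exe"
set "SYMPATH=srv*C:\symbols*http://msdl.microsoft.com/download/symbols"
set "DUMPDIR=C:\Windows\Minidump"
set "OUT=%TEMP%\minidump-triage.txt"

if not exist "%KD%" (
    echo kd.exe not found at "%KD%"; install the Debugging Tools first.
    exit /b 1
)
if not exist "%DUMPDIR%\*.dmp" (
    echo No minidumps found in "%DUMPDIR%".
    exit /b 0
)

echo Minidump triage %DATE% %TIME% > "%OUT%"
for %%F in ("%DUMPDIR%\*.dmp") do (
    echo === %%~nxF >> "%OUT%"
    rem -z opens the crash dump, -y sets the symbol path, -c runs the
    rem commands and quits. !analyze -v is the same analysis WinDbg shows;
    rem we keep the bugcheck, the faulting image and the verdict line.
    "%KD%" -z "%%F" -y "%SYMPATH%" -c "!analyze -v; q" 2>nul | findstr /i /c:"BUGCHECK_STR" /c:"IMAGE_NAME" /c:"Probably caused by" >> "%OUT%"
)

type "%OUT%"
endlocal
```

Run it from an elevated prompt, since C:\Windows\Minidump is not readable by a standard user. If the same IMAGE_NAME turns up across several machines, as NIPALK.SYS did here, that points at the SOE rather than at individual hardware.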