It's probably no secret to some people who read this that I do a fair bit of work with terminal servers and thin clients (dumb, low power machines that connect to a terminal or citrix server). However, most deployments I've been involved with at work at relatively small, our largest of which has recently gone up to a load balanced set of 5 Windows Terminal Servers, a few weekends ago.
One of the users for the client that I mentioned in my last post works from home a fair bit, using a site-to-site IPSec tunnel that was setup a number of weeks ago, and a MacBook Pro running Leopard. As the rest of this client's network is Windows based we hadn't really considered restricting the Mac at all. After all this user is relatively clued up.. Or so I thought.
A few weeks ago I had to setup my first IPSec tunnel between ISA 2004 and a non-Windows device, in this case a Draytek Vigor 2800, to create a site-to-site VPN. I had a few things that I hit on the Draytek which stumped me for a little bit (although probably could've been resolved much more quickly had I been more familiar with a Draytek Vigor I fear). First thing I did was to head into the ISA console and setup an IPSec tunnel, using almost all of the defaults (this is important as the settings for the Draytek must match the ISA/Windows defaults).
Restricted Groups is a part of the GPO Computer configuration tree that I've not ever used until today, primarily because I'd never looked into what it does exactly, and partially because it has a misleading name (in my mind) and I assumed that it did something else. What this feature allows you to do is configure member ship of groups within Active Directory or in the local groups of domain computers.
Thanks to Chris and Dave, whom I've worked with for almost 4 years, I've sung the praises of IBM's server kit. It was well built, full of features, well supported, not too expensive (although they are more expensive), and they have the “prestige”. In the last 1 or so years things in IBM have changed, from my point of view. They don't seem to care as much in the very rare occasions when we need to get parts replaced, the replacements come back faulty and calls get closed in clearing with poor quality and unsatisfactory answers in a few instances.
If you're having trouble with networking on both the host and guest machines, and are running Microsoft Virtual Server 2005 on a broadcom network card, the chances are that you're running old drivers. Update them directly from the broadcom website and you should be good to go. Interestingly it appears that IBM, and Dell, are still distributing installation aids with the older drivers, which cause issues in this situation. To be relatively technical it appearsthat arp packets aren't responded to or sent out correctly.
Able to connect, but appear not to beable to recieve any packets? Go into the properties of the VPN, go to security and untick “Require data encryption (disconnect if none)". In XP < SP3 this has always been ticked for my tunnels and I've never had a disconnection, but it appears that something in SP3 RC0 makes some behaviour change, but doesn't actually disconnect the tunnel. I've not discovered why this happens, but this has fixed it on my main desktop and on my virtual machines.
Converting a physical machine to a virtual machine can be a bit of an arduous task under many virtualisation solutions, and the various Microsoft solutions are no exception. Microsoft have released the VS Migration Tool Kit, however this unfortunately requires ADS 1.0 to be deployed. In my instance this isn't suitable. However, what you should realise is that it's simply possible to make an image of the hard disk, restore it and then quickly wap Windows on top again, as the quickest hands-free fix to sort any BSOD or driver issues (if required).