I manage the Support & Development department for the UK division of a fairly large multi-national corporation that provides Supply Chain solutions.  That’s not where I started though – I was originally hired as a code monkey, nothing more, and spent my first few years working for one particular customer developing customisations to our product to match their legacy requirements.

Moving off site from that company was a challenge.  Emotionally, the customer did not want to let go.  He’d got used to having someone right there to answer questions, change code, and re-write things on the fly – no matter that it was bad practice – so having to move to a more formal change request process was a real challenge.  Technically though, it was even more of a conundrum – we needed access to the customer’s systems to provide support & upgrades, but driving there every time they wanted a patch applied wasn’t an option.

The first “solution” proposed by the customer was a dial-up account.  This was fine – as long as I never needed to download any files bigger than about 1MB.  Oddly enough though, every time they had problems, the log files would ususally be about 5-10MB – totally impossible to download over that connection in a reasonable time.

Later on, they proposed Cisco VPN.  This was far better – at least, once they unrestricted the network speed for that connection – and support continued at a reasonable level.

As it happened, our next few customers were all far less paranoid, and were quite happy for us to use the built-in Windows VPN client to connect to their systems.  Which was a huge relief – as by this time, we’d discovered a few “conflicts” between Cisco VPN and the F-Secure firewall our corporate policy dictated we use…  Nothing earth-shattering – in fact, it was the kind of problem that you’d never know about until suddenly, everything stopped working.

Unfortunately, our next customer was a CheckPoint VPN client.  This is actually one of the best VPN clients I’ve come across so far – most importantly, the VPN client only intercepts data that is going to the secured network, so your normal internet browsing is totally unaffected.  Far more user-friendly than the VPN systems where once you’re connected, all you can access is that particular corporate network – for example, I can access both our Source Control system and the Customer’s server without continually connecting and disconnecting from the VPN!

Tragically though, this software refused to install – in fact, I got a very rare Blue Screen of death, on a file called “fw.sys”.  This turned out to be F-Secure’s fault – but reports on the internet suggested they should work fine together… Still, you’ve got to work with the facts in hand, so I uninstalled F-Secure and re-installed CheckPoint – only to find that after a reboot, I had no networking at all!

Many hours of searching on a spare computer later, I’ve found a tool called XP TCP/IP Repair, and completely wiped my networking stack.  Of course, this means that now both Cisco VPN and CheckPoint VPN are out of the loop, so I un-install them both, and reinstall them one by one, finishing with F-Secure.

Amazingly, this time, all three worked in perfect harmony…

This was not to last.  Our Paris recently released a new Intranet site, and to access it from out of the office, we need to use yet another VPN client – CheckPoint SSL Extender.  I thought, as part of the CheckPoint family, this would be friendly with my current configuration – more fool me.  Installing this one left me – once again – with a blue-screen on fw.sys.  By this time though, I knew the solution – and immediately wiped my network stack, uninstalled Cisco, CheckPoint and F-Secure, and started from scratch.

Again, by making sure F-Secure went on last, everything worked fine – for at least a couple of months.

The Curse of Christmas Holidays

Of course, over Christmas, everything went to pot.  Booting my laptop to check my email over the holiday, I suddenly discover my Wi-Fi no longer works.  Wired networking is fine, but something is screwy on the network stack.  I’m not fussed though – I’ve managed to check my email, so I guess I can sort it later.

The next day – a critial update needs to be installed for one of our customers!  I know my Wi-Fi is dead, so I connect the cable and get online – only to discover that although normal networking is fine, the VPN connections are deader than flares.

Bring on XP TCP/IP Repair.  I wipe the networking stack, uninstall all four utilities (Cisco VPN, CheckPoint VPN-1, CheckPoint SSL Extender and F-Secure Client Security), and install just the one I need.  Time will come later to install the other three.

After completing the update, I sit back to install the rest of the essential tools.  Except suddenly, they don’t want to play any more.  Installing CheckPoint SSL Extender seems to blue screen my laptop every time, even though there’s no F-Secure installed – or failing that, the software just doesn’t work.

The Missing Link

It turns out, I’d missed three essential ingredients when doing all my re-installs.

1. Previously, CheckPoint had always been the highest priority, so had been installed first
2. Many years ago, I’d used the Nortel VPN client – and this is impossible to completely uninstall.
3. Microsoft Virtual PC also adds to the networking stack, and must be added in the right order.

So, finally, after figuring it all out, here’s the install order you have to use to get all five of these utilities to work:

1. Make sure you have no Nortel VPN software on your PC.  Ideally, start with a fresh install of XP, but failing that, make sure you remove all Nortel drivers, network bindings – everything.  Nortel likes to hide too, so make sure you “View hidden items” in Device Manager – and you may need to use the advice here to uninstall devices that pretend to be essential to boot
2. Reboot your PC
3. Install CheckPoint VPN-1
4. Reboot your PC, check that both normal networking and CheckPoint function okay.
5. Install CheckPoint SSL Extender
6. Reboot your PC, check that all of normal networking and both CheckPoint VPNs function okay.  Reboot again.
7. Install Cisco VPN Client.
8. Reboot your PC, check that all of normal networking, both CheckPoint VPNs and Cisco VPN function okay.
9. Install F-Secure Client Security
10. Reboot
11. Install Microsoft Virtual PC
12. Reboot

This sequence worked fine for me three times in a row… but for some reason, the next day, the whole thing would be dead again.  I’ve put it down to not having completely cleared up Nortel; but I’m dreading tomorrow, when I’m back at work for the first day, and have no idea if any of my networking will be okay when I boot!