NNetSec work-around for Citrix PVS


By Harald Sabro Bolstad, Norman ASA, Lysaker

21 November 2013

The problem:

When installing NEM/NPRO on an OS running Citrix Provisioning Services (PVS) there’s a possibility of a bug check (BSOD) occurring that will persist across boots and render the OS inaccessible.

Picture borrowed from case #5617

We’ve only seen this problem on Windows XP and Server 2003 so far, and Citrix seem to have implemented safeguards against this issue on Windows Vista and newer platforms (see additional notes at the end for more details of the consequences of this).

The solution:

This is not a bug in our NEM/NPRO software. The Citrix network driver accompanying the PVS client software is, contrary to Microsoft specs and guidelines, not able to coexist properly with other 3rd party network drivers (ours included). Citrix has acknowledged that this problem is attributed to the architecture or design of their current PVS implementation and has promised to rectify this as soon as possible, but most likely in a future version rather than with the existing software. Note that this implies most of our competitors running similar network drivers suffer from the same problem.


The work-around for customers already suffering from this problem:

1. Boot the affected image/host in a non-PVS mode. This might entail moving a virtual image from Provisioning Services back to “regular” Xen server mode etc. Basically you need to be able to boot the affected OS in one way or other.

2. There are three ways you can make Citrix and NEM/NPRO coexist at this point:

   a. Disable the “Norman Network Security” driver (see explanation below). This will restrict certain features depending on modules used (passive discovery, firewall, possibly other features in the future).

   b. Uninstall Citrix Provisioning client software (in particular their Citrix network stack driver) and NEM/NPRO, then re-install both making sure to install NEM/NPRO -FIRST-, then the Citrix Provisioning client -LAST-. This won’t compromise the feature set of NEM/NPRO and is preferable. (Just uninstalling and re-installing Citrix may work, but this hasn’t been tested).

   c. Uninstall NEM/NPRO, apply the nnetsec registry patch (administrator privileges required) then re-install NEM/NPRO using an updated installer (I believe the required fixes will be out with NEM/NPRO 8.1). In order for the registry patch to work the installer needs to be aware of it. This will, as with option a, restrict certain features.

3. Return the image to provisioning mode. It should now boot and run fine again.

The work-around for new installations:

You can install NEM/NPRO straight to an image running in PVS mode using an updated NEM/NPRO installer (I believe 8.1 or newer) provided you first apply the registry patch. This will however restrict certain features depending on modules used (passive discovery, firewall, possibly other features in the future).

If the target host is already running in PVS mode it’s recommended that you:

1. Boot the target image/host in a non-PVS mode. This might entail moving a virtual image from Provisioning Services back to “regular” Xen server mode etc.

2. Uninstall Citrix Provisioning client software (in particular their Citrix network stack driver), install NEM/NPRO -FIRST- (no need to apply the registry patch in this case), then re-install the Citrix Provisioning client. This won’t compromise the feature set of NEM/NPRO and is preferable.

Manually disabling the “Norman Network Security” driver:

On Windows 2000, XP and Server 2003:

1. Go to “Control Panel” -> “Network Connections”.

2. Right-click the network adapter you’re having problems with and go to “Properties”.

3. Uncheck “Norman Network Security” and click “OK”.

On Windows 7, Vista, Server 2008 and Server 2008 R2:

1. Go to “Control Panel” -> “Network and Internet” -> “Network and Sharing Center” -> “Change adapter settings”.

2. Right-click the network adapter you’re having problems with and go to “Properties”.

3. Uncheck “Norman Network Security” and click “OK”.


Installing NEM/NPRO on a Citrix PVS client running on Vista or newer OS:

Due to the safeguards implemented by Citrix PVS, no doubt to prevent system instabilities, our own network filter drivers (and those of our competitors), are unable to function properly if installed after the Citrix PVS client software. This has more or less the same effects as if those drivers weren’t installed in the first place, implying the same loss of functionality.

Conclusion:

Until Citrix is able to fix these architectural issues in PVS it’s strongly recommended that NEM/NPRO always be installed prior to any Citrix PVS client software.