Force clients to choose the right Symantec Ghost Console
So, you have a great Symantec Ghost deployment solution to deploy your standardized sysprep image. At every physical (office) location you have a dedicated Ghost Console, because the Ghost Console isn't built for concurrent multi-user access and a single Ghost Console would probably flood your backbone fiber.
So here you are, faced with a problem. You only want to maintain one image, but that image contains a Ghost Console membership certificate. If you deploy that image using other Ghost Consoles, clone tasks will fail, because all computers will contact the Ghost Console on which the image was created.
Luckily, Ghost Clients can discover a console. According to the Symantec Knowledge Base, this works as follows:
Ghost Clients find the Console using two methods. First, Method 1 is tried, and if that fails, Method 2 is attempted.
Method 1: Multicast
The client sends a Multicast packet to an address and port number that the Console is expecting. All Consoles register their interest in this traffic by sending IGMP (Internet Group Management Protocol) messages. Properly configured routers and switches pass this traffic to the Console. Ensuring that the routers will pass Multicast traffic is usually all that is necessary to get this method working.
Method 2: WINS
Details of this method are shown below for your interest. However, this method relies on a WINS infrastructure existing and working between the networks in question. Usually, if you can browse a computer in the remote site using My Network Places in Windows Explorer, then this method COULD work.
This means that if your routers only pass multicast traffic to the VLANs they are supposed to, discovery should pick the right console, provided you delete pubkey.crt during the Sysprep Mini-Setup of the new clients. You can do this by creating a cmdlines.txt in the i386\$oem$ directory. The content of cmdlines.txt could be something like this:
[Commands]
"c:\windows\system32\wscript.exe c:\sysprep\InSysprep.vbs"
In that same sysprep directory, create a file called InSysprep.vbs with the following content:
Set objFS = CreateObject("Scripting.FileSystemObject")
' Remove the console membership certificate; skip silently if it is already gone
If objFS.FileExists("C:\Program Files\Symantec\Ghost\pubkey.crt") Then objFS.DeleteFile "C:\Program Files\Symantec\Ghost\pubkey.crt", True
This deletes the membership with the console during the Sysprep Mini-Setup. Since the Ghost Client service isn't started while Mini-Setup runs, the Ghost Client will search for a Ghost Console the first time Windows boots successfully.
In an ideal world this would be enough to make clients pick the right console. But I assure you, when you are ghosting a lot of clients at the same time, some will fall back to the second method of server discovery: WINS.
So what can we do about that? The answer is simple: use a firewall. If you have the luxury of layer 4 routers, use them to block Ghost Client traffic between VLANs to the Ghost Consoles (NOTE: ports 1346 and 1347 are switched in stages 2 and 3).
If not, please don't download the first personal firewall you can find! Use the tools built into Windows. IPSec has been built into Windows since Windows 2000. The interface is a bit overcomplicated, so I will use ipseccmd to show you how to allow only Ghost Clients on subnets you define. Ipseccmd is part of the Support Tools that can be downloaded from Microsoft:
Run the following commands on your Ghost Consoles after you have installed the Support Tools (or extracted ipseccmd.exe from them):
ipseccmd.exe -w REG -p "Ghost Console Clients" -r "Block all Ghost Clients on non defined subnets" -f *=0:1345:UDP -f *+0:1347:UDP -f *+0:1347:TCP -n BLOCK -lan
ipseccmd.exe -w REG -p "Ghost Console Clients" -r "Allowed Ghost Clients on based on a subnet" -f 10.1.0.0/255.255.0.0=0:1345:UDP -f 10.1.0.0/255.255.0.0+0:1347:UDP -f 10.1.0.0/255.255.0.0+0:1347:TCP -n PASS -lan
ipseccmd.exe -w REG -p "Ghost Console Clients" -x
The first ipseccmd line blocks all Ghost Client traffic to the console. The second line needs to be repeated for every subnet you want to allow; this example only allows clients in the subnet 10.1.0.0/255.255.0.0 to connect to this Ghost Console, so replace it with your allowed subnets. The last line tells IPSec to activate the rules.
If you screwed up, you can always run:
ipseccmd.exe -w REG -p "Ghost Console Clients" -o -y
This clears and disables the IPSec rules.
If there are clients on the same subnet as the console that are not supposed to connect to this Ghost Console, the first and second lines are different, because they also need to disable multicast discovery:
ipseccmd.exe -w REG -p "Ghost Console Clients" -r "Block all Ghost Clients on non defined subnets" -f *+0:1345:UDP -f *+0:1347:UDP -f *+0:1347:TCP -n BLOCK -lan
ipseccmd.exe -w REG -p "Ghost Console Clients" -r "Allowed Ghost Clients on based on a subnet" -f 10.1.0.0/255.255.0.0+0:1345:UDP -f 10.1.0.0/255.255.0.0+0:1347:UDP -f 10.1.0.0/255.255.0.0+0:1347:TCP -n PASS -lan
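As an added example (not from the original post), this Python script generates the ipseccmd policy described above for any number of allowed subnets, in both the normal variant and the same-subnet variant with a mirrored 1345/UDP filter, and predicts which client addresses the policy will let through. It assumes the page's ports, rule names and -lan flag, and that Windows IPSec applies the most specific matching filter, so a subnet PASS rule overrides the any-address BLOCK rule.

```python
import ipaddress

POLICY = "Ghost Console Clients"
# Console ports the page filters: 1345/UDP (multicast discovery), 1347/UDP and 1347/TCP.
CONSOLE_PORTS = (("1345", "UDP"), ("1347", "UDP"), ("1347", "TCP"))


def valid_subnet(subnet):
    """True when 'net/mask' (e.g. 10.1.0.0/255.255.0.0) parses with no host bits set."""
    try:
        ipaddress.ip_network(subnet)
        return True
    except ValueError:
        return False


def _filters(source, same_subnet_clients):
    # '=' is a one-way filter, '+' a mirrored one. The page mirrors 1345/UDP only when
    # clients on the console's own subnet must not discover it via multicast.
    parts = []
    for port, proto in CONSOLE_PORTS:
        link = "+" if (port != "1345" or same_subnet_clients) else "="
        parts.append(f"-f {source}{link}0:{port}:{proto}")
    return " ".join(parts)


def ipseccmd_lines(allowed_subnets, same_subnet_clients=False):
    """Return the ipseccmd.exe lines: one BLOCK rule, one PASS rule per subnet, activate."""
    bad = [s for s in allowed_subnets if not valid_subnet(s)]
    if bad:
        raise ValueError(f"malformed subnet(s): {bad}")
    lines = [f'ipseccmd.exe -w REG -p "{POLICY}" -r "Block all Ghost Clients on non defined subnets" '
             f"{_filters('*', same_subnet_clients)} -n BLOCK -lan"]
    for subnet in allowed_subnets:
        lines.append(f'ipseccmd.exe -w REG -p "{POLICY}" -r "Allowed Ghost Clients on based on a subnet" '
                     f"{_filters(subnet, same_subnet_clients)} -n PASS -lan")
    lines.append(f'ipseccmd.exe -w REG -p "{POLICY}" -x')  # tell IPSec to activate the policy
    return lines


def client_allowed(client_ip, allowed_subnets):
    """Predict the policy's verdict for a client (assumption: the most specific IPSec
    filter wins, so a subnet PASS rule overrides the any-address BLOCK rule)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(s) for s in allowed_subnets)


if __name__ == "__main__":
    # Constructed example: two office subnets allowed, everything else blocked.
    for line in ipseccmd_lines(["10.1.0.0/255.255.0.0", "10.2.0.0/255.255.0.0"]):
        print(line)
    print(client_allowed("10.1.5.7", ["10.1.0.0/255.255.0.0"]))
```

Paste the printed lines into a batch file and run it on each console with the subnets that console should serve.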
Good luck!