Re: Using Ghost Console to manage clients across subnets

Seth,

	We have been using Corporate Edition Ghost to build
multiple
clients simultaneously using their Ghostcast server.
However, to get 
this to work for clients not on the same subnet we've had to
ask
networkseecs to activate "directed broadcast" with
the target subnet. 

	This may not be quite the same as what you're doing, but
perhaps it will be a clue. As a point of reference, the EECS
nets
are managed by EECS support rather than IST, and are Extreme
rather
than Cisco switches. EECS networking prefers to have
directed
broadcast turned off when we're not actually building
clients.

	Kevin

> Date: Fri, 04 May 2007 15:45:12 -0700
> To: micronet-listlists.berkeley.edu
> From: Seth Novogrodsky <sethls.berkeley.edu>
> Subject: [Micronet] Using Ghost Console to manage
clients across subnets
> 
> We have the Ghost Solution Suite 2.0, and we have
installed the Ghost 
> Console on a Windows 2003 server in the data center. 
So far we have 
> been unable to establish a connection between the
clients and server 
> either by specifying the name of the server in the
client or by 
> attempting to do a remote installation of the software
from the Ghost 
> Console.  As an experiment, we installed the Ghost
Console on a 
> machine in the same room as one of the clients, and we
were able to 
> manage the client in this case.  This console was able
to see one 
> client in another subnet but was not able to manage
it.
> 
> Has anyone successfully used the Ghost Console to
manage clients in 
> different subnets?  If so, did you need to do anything
special to get 
> it to work?  Any information you might have would be 
> helpful.  Symantec Technical Support has been of no
help so far.
> 
> Thanks,
> Seth
> 
> 
>
------------------------------------------------------------
------------------
> Seth Novogrodsky, Programmer/Analyst III  sethLS.berkeley.edu
> Letters & Science Computer Resources      Tel:
510-643-2104 Fax: 510-642-7578
> Office: Room 3, 2224 Piedmont Ave.        Mailing
address: 201 Campbell Hall
> University of California, Berkeley        Berkeley, CA 
94720-2920
> WWW: http://ls.
berkeley.edu/lscr/who/staff/seth
> 
> 
>
------------------------------------------------------------
------------
> The following was automatically added to this message
by the list server:
> 
> To learn more about Micronet, including how to
subscribe to
> or unsubscribe from its mailing list and how to find
out
> about upcoming meetings, please visit the Micronet Web
site:
> 
> http://micronet.berkele
y.edu/
> 

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Kevin Zimmerman wrote: 
> 	We have been using Corporate Edition Ghost to build
multiple
> clients simultaneously using their Ghostcast server.
However, to get 
> this to work for clients not on the same subnet we've
had to ask
> networkseecs to activate "directed
broadcast" with the target subnet. 

ouch. "directed broadcast" is the foundation of
the infamous "smurf" DoS. enabling "directed
broadcast" allows the router to participate in smurf
attacks against other networks:

   http://en.w
ikipedia.org/wiki/Smurf_attack

Kevin, i assume you're using (or trying) the multicast mode
of Ghost? (is that implied by use of the word
"Ghostcast"?)

> 	This may not be quite the same as what you're doing,
but
> perhaps it will be a clue. As a point of reference, the
EECS nets
> are managed by EECS support rather than IST, and are
Extreme rather
> than Cisco switches. EECS networking prefers to have
directed
> broadcast turned off when we're not actually building
clients.

i imagine so. it is generally considered bad practice to
have it enabled.

i'm not real familiar with the Ghost Solution Suite, but i
assume the Ghost Console mentioned by Seth is a different
component from the Ghostcast server. is that correct?

thanks,
ken

> 
> 	Kevin
> 
>> Date: Fri, 04 May 2007 15:45:12 -0700
>> To: micronet-listlists.berkeley.edu
>> From: Seth Novogrodsky <sethls.berkeley.edu>
>> Subject: [Micronet] Using Ghost Console to manage
clients across subnets
>> 
>> We have the Ghost Solution Suite 2.0, and we have
installed the Ghost 
>> Console on a Windows 2003 server in the data
center.  So far we have 
>> been unable to establish a connection between the
clients and server 
>> either by specifying the name of the server in the
client or by 
>> attempting to do a remote installation of the
software from the Ghost 
>> Console.  As an experiment, we installed the Ghost
Console on a 
>> machine in the same room as one of the clients, and
we were able to 
>> manage the client in this case.  This console was
able to see one 
>> client in another subnet but was not able to manage
it.
>> 
>> Has anyone successfully used the Ghost Console to
manage clients in 
>> different subnets?  If so, did you need to do
anything special to get 
>> it to work?  Any information you might have would
be 
>> helpful.  Symantec Technical Support has been of no
help so far.
>> 
>> Thanks,
>> Seth
>> 
>> 
>>
------------------------------------------------------------
------------------
>> Seth Novogrodsky, Programmer/Analyst III  sethLS.berkeley.edu
>> Letters & Science Computer Resources      Tel:
510-643-2104 Fax: 510-642-7578
>> Office: Room 3, 2224 Piedmont Ave.        Mailing
address: 201 Campbell Hall
>> University of California, Berkeley        Berkeley,
CA  94720-2920
>> WWW: http://ls.
berkeley.edu/lscr/who/staff/seth
>> 
>> 
>>
------------------------------------------------------------
------------
>> The following was automatically added to this
message by the list server:
>> 
>> To learn more about Micronet, including how to
subscribe to
>> or unsubscribe from its mailing list and how to
find out
>> about upcoming meetings, please visit the Micronet
Web site:
>> 
>> http://micronet.berkele
y.edu/
>> 
> 
>
------------------------------------------------------------
------------
> The following was automatically added to this message
by the list server:
> 
> To learn more about Micronet, including how to
subscribe to
> or unsubscribe from its mailing list and how to find
out
> about upcoming meetings, please visit the Micronet Web
site:
> 
> http://micronet.berkele
y.edu/

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

At 08:05 PM 5/7/2007, ken lindahl wrote:

>i'm not real familiar with the Ghost Solution Suite, but
i assume 
>the Ghost Console mentioned by Seth is a different
component from 
>the Ghostcast server. is that correct?

Yes, that's correct.  We are currently just trying to manage
clients 
from the Ghost Console, which uses multicast, and we haven't
yet 
attempted to do anything with the GhostCast server. 
Ultimately, we 
would like to use the GhostCast server, however.

In any case, it's helpful to know that directed broadcast
probably 
won't be an option because we would need it enabled in
multiple 
subnets across campus.

Thanks, Ken and Kevin, for your responses.

Seth


>Kevin Zimmerman wrote:
>>         We have been using Corporate Edition Ghost
to build multiple
>>clients simultaneously using their Ghostcast server.
However, to 
>>get this to work for clients not on the same subnet
we've had to ask
>>networkseecs to activate "directed
broadcast" with the target subnet.
>
>ouch. "directed broadcast" is the foundation
of the infamous "smurf" 
>DoS. enabling "directed broadcast" allows the
router to participate 
>in smurf attacks against other networks:
>
>   http://en.w
ikipedia.org/wiki/Smurf_attack
>
>Kevin, i assume you're using (or trying) the multicast
mode of 
>Ghost? (is that implied by use of the word
"Ghostcast"?)
>
>>         This may not be quite the same as what
you're doing, but
>>perhaps it will be a clue. As a point of reference,
the EECS nets
>>are managed by EECS support rather than IST, and are
Extreme rather
>>than Cisco switches. EECS networking prefers to have
directed
>>broadcast turned off when we're not actually
building clients.
>
>i imagine so. it is generally considered bad practice to
have it enabled.
>
>i'm not real familiar with the Ghost Solution Suite, but
i assume 
>the Ghost Console mentioned by Seth is a different
component from 
>the Ghostcast server. is that correct?
>
>thanks,
>ken
>
>>         Kevin
>>
>>>Date: Fri, 04 May 2007 15:45:12 -0700
>>>To: micronet-listlists.berkeley.edu
>>>From: Seth Novogrodsky <sethls.berkeley.edu>
>>>Subject: [Micronet] Using Ghost Console to
manage clients across subnets
>>>We have the Ghost Solution Suite 2.0, and we
have installed the 
>>>Ghost Console on a Windows 2003 server in the
data center.  So far 
>>>we have been unable to establish a connection
between the clients 
>>>and server either by specifying the name of the
server in the 
>>>client or by attempting to do a remote
installation of the 
>>>software from the Ghost Console.  As an
experiment, we installed 
>>>the Ghost Console on a machine in the same room
as one of the 
>>>clients, and we were able to manage the client
in this case.  This 
>>>console was able to see one client in another
subnet but was not 
>>>able to manage it.
>>>Has anyone successfully used the Ghost Console
to manage clients 
>>>in different subnets?  If so, did you need to do
anything special 
>>>to get it to work?  Any information you might
have would be 
>>>helpful.  Symantec Technical Support has been of
no help so far.
>>>Thanks,
>>>Seth
>>>
>>>------------------------------------------------
------------------------------
>>>Seth Novogrodsky, Programmer/Analyst III 
sethLS.berkeley.edu
>>>Letters & Science Computer Resources     
Tel: 510-643-2104 Fax: 
>>>510-642-7578
>>>Office: Room 3, 2224 Piedmont Ave.       
Mailing address: 201 Campbell Hall
>>>University of California, Berkeley       
Berkeley, CA  94720-2920
>>>WWW: http://ls.
berkeley.edu/lscr/who/staff/seth
>>>
>>>------------------------------------------------
------------------------
>>>The following was automatically added to this
message by the list server:
>>>To learn more about Micronet, including how to
subscribe to
>>>or unsubscribe from its mailing list and how to
find out
>>>about upcoming meetings, please visit the
Micronet Web site:
>>>http://micronet.berkele
y.edu/
>>----------------------------------------------------
--------------------
>>The following was automatically added to this
message by the list server:
>>To learn more about Micronet, including how to
subscribe to
>>or unsubscribe from its mailing list and how to find
out
>>about upcoming meetings, please visit the Micronet
Web site:
>>http://micronet.berkele
y.edu/
>
>--------------------------------------------------------
----------------
>The following was automatically added to this message by
the list server:
>
>To learn more about Micronet, including how to subscribe
to
>or unsubscribe from its mailing list and how to find
out
>about upcoming meetings, please visit the Micronet Web
site:
>
>http://micronet.berkele
y.edu/


------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Hi:
I would like to have a small training on how these
applications work.  I had
a very difficult time when I was trying to use them and gave
up about a
month ago.  I've been meaning to post to the list and
publicly thank Graham
for all the help he gave me while I was trying to recover a
lost system.  He
was very supportive and had great tools that helped me bring
the lab back
online.


Lucia Greco
Assistive Technology Specialist
University Of California Berkeley
(510) 643-7591 
-----Original Message-----
From: owner-micronet-listlists.berkeley.edu
[mailto:owner-micronet-listlists.berkeley.edu] On
Behalf Of Seth
Novogrodsky
Sent: Tuesday, May 08, 2007 9:51 AM
To: micronet-listlists.berkeley.edu
Subject: Re: [Micronet] Using Ghost Console to manage
clients across subnets

At 08:05 PM 5/7/2007, ken lindahl wrote:

>i'm not real familiar with the Ghost Solution Suite, but
i assume the 
>Ghost Console mentioned by Seth is a different component
from the 
>Ghostcast server. is that correct?

Yes, that's correct.  We are currently just trying to manage
clients from
the Ghost Console, which uses multicast, and we haven't yet
attempted to do
anything with the GhostCast server.  Ultimately, we would
like to use the
GhostCast server, however.

In any case, it's helpful to know that directed broadcast
probably won't be
an option because we would need it enabled in multiple
subnets across
campus.

Thanks, Ken and Kevin, for your responses.

Seth


>Kevin Zimmerman wrote:
>>         We have been using Corporate Edition Ghost
to build multiple 
>>clients simultaneously using their Ghostcast server.
However, to get 
>>this to work for clients not on the same subnet
we've had to ask 
>>networkseecs to activate "directed
broadcast" with the target subnet.
>
>ouch. "directed broadcast" is the foundation
of the infamous "smurf" 
>DoS. enabling "directed broadcast" allows the
router to participate in 
>smurf attacks against other networks:
>
>   http://en.w
ikipedia.org/wiki/Smurf_attack
>
>Kevin, i assume you're using (or trying) the multicast
mode of Ghost? 
>(is that implied by use of the word
"Ghostcast"?)
>
>>         This may not be quite the same as what
you're doing, but 
>>perhaps it will be a clue. As a point of reference,
the EECS nets are 
>>managed by EECS support rather than IST, and are
Extreme rather than 
>>Cisco switches. EECS networking prefers to have
directed broadcast 
>>turned off when we're not actually building
clients.
>
>i imagine so. it is generally considered bad practice to
have it enabled.
>
>i'm not real familiar with the Ghost Solution Suite, but
i assume the 
>Ghost Console mentioned by Seth is a different component
from the 
>Ghostcast server. is that correct?
>
>thanks,
>ken
>
>>         Kevin
>>
>>>Date: Fri, 04 May 2007 15:45:12 -0700
>>>To: micronet-listlists.berkeley.edu
>>>From: Seth Novogrodsky <sethls.berkeley.edu>
>>>Subject: [Micronet] Using Ghost Console to
manage clients across 
>>>subnets We have the Ghost Solution Suite 2.0,
and we have installed 
>>>the Ghost Console on a Windows 2003 server in
the data center.  So 
>>>far we have been unable to establish a
connection between the clients 
>>>and server either by specifying the name of the
server in the client 
>>>or by attempting to do a remote installation of
the software from the 
>>>Ghost Console.  As an experiment, we installed
the Ghost Console on a 
>>>machine in the same room as one of the clients,
and we were able to 
>>>manage the client in this case.  This console
was able to see one 
>>>client in another subnet but was not able to
manage it.
>>>Has anyone successfully used the Ghost Console
to manage clients in 
>>>different subnets?  If so, did you need to do
anything special to get 
>>>it to work?  Any information you might have
would be helpful.  
>>>Symantec Technical Support has been of no help
so far.
>>>Thanks,
>>>Seth
>>>
>>>------------------------------------------------
---------------------
>>>--------- Seth Novogrodsky, Programmer/Analyst
III  
>>>sethLS.berkeley.edu
>>>Letters & Science Computer Resources     
Tel: 510-643-2104 Fax: 
>>>510-642-7578
>>>Office: Room 3, 2224 Piedmont Ave.       
Mailing address: 201 Campbell
Hall
>>>University of California, Berkeley       
Berkeley, CA  94720-2920
>>>WWW: http://ls.
berkeley.edu/lscr/who/staff/seth
>>>
>>>------------------------------------------------
---------------------
>>>--- The following was automatically added to
this message by the list 
>>>server:
>>>To learn more about Micronet, including how to
subscribe to or 
>>>unsubscribe from its mailing list and how to
find out about upcoming 
>>>meetings, please visit the Micronet Web site:
>>>http://micronet.berkele
y.edu/
>>----------------------------------------------------
------------------
>>-- The following was automatically added to this
message by the list 
>>server:
>>To learn more about Micronet, including how to
subscribe to or 
>>unsubscribe from its mailing list and how to find
out about upcoming 
>>meetings, please visit the Micronet Web site:
>>http://micronet.berkele
y.edu/
>
>--------------------------------------------------------
---------------
>- The following was automatically added to this message
by the list 
>server:
>
>To learn more about Micronet, including how to subscribe
to or 
>unsubscribe from its mailing list and how to find out
about upcoming 
>meetings, please visit the Micronet Web site:
>
>http://micronet.berkele
y.edu/


------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe
from its mailing list and how to find out about upcoming
meetings, please
visit the Micronet Web site:

http://micronet.berkele
y.edu/


------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Seth Novogrodsky wrote:
> At 08:05 PM 5/7/2007, ken lindahl wrote:
> 
>> i'm not real familiar with the Ghost Solution
Suite, but i assume the 
>> Ghost Console mentioned by Seth is a different
component from the 
>> Ghostcast server. is that correct?
> 
> Yes, that's correct.  We are currently just trying to
manage clients 
> from the Ghost Console, which uses multicast, and we
haven't yet 
> attempted to do anything with the GhostCast server. 
Ultimately, we 
> would like to use the GhostCast server, however.
> 
> In any case, it's helpful to know that directed
broadcast probably won't 
> be an option because we would need it enabled in
multiple subnets across 
> campus.

that's correct, IST would be extremely reluctant to enable
directed broadcast.

on the other hand, i believe a multicast application that is
working properly will be able to work across different
subnets without any need for directed broadcast. (that's
certainly true for the variety of streaming audio/video apps
that are successfully using multicast on campus today). if
an application doesn't work, i think either
  (1) the application is written incorrectly, or
  (2) the application is configured incorrectly, or
  (3) one or more campus routers are not configured
correctly for multicast.

if you want to pursue this, feel free to contact me
off-list.

ken

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

At 15:37 -0700 2007-05-08, ken lindahl wrote:
>i believe a multicast application that is working
properly will be 
>able to work across different subnets without any need
for directed 
>broadcast. (that's certainly true for the variety of
streaming 
>audio/video apps that are successfully using multicast
on campus 
>today). if an application doesn't work, i think either
>  (1) the application is written incorrectly, or
>  (2) the application is configured incorrectly, or
>  (3) one or more campus routers are not configured
correctly for multicast.

   As a gratuitous aside, nearly two years ago, with Ken's
help, we 
identified another issue with multicast:

>Problem: The standard configuration of Symantec Client
Firewall 
>(SCF) breaks IP multicast, which is used for streaming
video and 
>some other purposes, particularly over Internet2
networks.
>
>Solution: None at present, other than temporarily
disabling the firewall.
>
>Discussion: This issue probably will not affect a large
fraction of 
>campus users. A possible cause is that multicast uses
random UDP 
>ports, including some ports that SCF identifies as being
used by 
>known trojans.

   Karl, Allison, et al.: do you happen to know the current
status of 
this issue?

Aron Roberts
Information Services and Technology

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/

Aron Roberts wrote:

>   As a gratuitous aside, nearly two years ago, with
Ken's help, we 
> identified another issue with multicast:

I'm not sure if the original issue is fixed, but there was
one multicast 
issue reported fixed in the latest MR (MR 6) for SCS:

=======
Multicast packets use default rule set
Fix ID: 923474
Symptom: When you use a program that sends multicast
packets, the 
connection uses the default rule set instead of the rules
for the active 
location.
Solution: Fixed in the new SymNetDrive build.
=======

On the other hand, Symantec's next generation product due in
September 
is based on a new FW engine (acquired when they bought
Sygate), so 
things will probably change again.

--Karl

Karl Grose
IST

=======
>> Problem: The standard configuration of Symantec
Client Firewall (SCF) 
>> breaks IP multicast, which is used for streaming
video and some other 
>> purposes, particularly over Internet2 networks.
>>
>> Solution: None at present, other than temporarily
disabling the firewall.
>>
>> Discussion: This issue probably will not affect a
large fraction of 
>> campus users. A possible cause is that multicast
uses random UDP 
>> ports, including some ports that SCF identifies as
being used by known 
>> trojans.
> 
>   Karl, Allison, et al.: do you happen to know the
current status of 
> this issue?
> 
> Aron Roberts
> Information Services and Technology

------------------------------------------------------------
------------
The following was automatically added to this message by the
list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web
site:

http://micronet.berkele
y.edu/