News
Windows XP SP2: Hari-Kari for Cisco’s VPN Client Software?
8/23/2004 -- Unless you’ve been living in a remote networking closet somewhere, you probably know that Microsoft recently delivered a long-awaited Service Pack 2 (SP2) update for its Windows XP operating system.
On the basis of the back-to-basics security overhaul it gives the Windows XP operating system, many analysts have called SP2 Microsoft’s most important deliverable ever. There’s just one catch, however: SP2’s significantly enhanced security model could break compatibility with some applications, especially software from third-party vendors -- like Cisco Systems.
Earlier this month, at least one contributor to the NTBugtraq listserve reported that SP2 effectively broke an unspecified version of Cisco’s VPN Client used by his company. As with so many SP2-related application problems, the culprit seems to be the Windows Firewall, which is now turned on by default.
“After installing Win XP SP2, the Cisco VPN Client no longer works unless you disable the Windows Firewall. After some trouble-shooting, the problem appears to be related to how Windows Firewall is handling the outbound Port Address Translation,” this user wrote. “I’m running the Cisco Client with either TCP or UDP Encapsulation. Neither appears to work.”
Not all users had such bad luck, of course. One NTBugtraq contributor said that he had successfully used several versions of the Cisco VPN Client (versions 3.5.4, 4.0.4D, and 4.0.5) over UDP/NAT with the Windows Firewall enabled since the first SP2 beta without difficulty.
For the record, Microsoft does not list Cisco’s VPN Client among the applications that are affected (in one way or another) by SP2. But in spite of the experience of at least one user, not everyone is willing to give Cisco’s VPN Client a clean bill of SP2-ready health.
“[NTBugtraq contributor] Brad Metzler said that his helpdesk people told them that they needed the Cisco VPN (not Cisco Secure VPN) client version 4.x and above in order to avoid incompatibilities with XP SP2,” wrote Russ Cooper, editor of the NTBugtraq listserve and a security professional with TruSecure Corp. “They're rolling out 4.0.5 proactively in order to avoid problems. These problems were uncovered during beta testing.”
If that doesn’t do the trick, Cooper passed on another tip from NTBugtraq contributor Christopher L. Hodges, who discovered that administrators must create Windows Firewall rules for TCP port 10000 and UDP ports 4500 and 62515 in order to get the Cisco VPN to work. -Stephen Swoyer
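For administrators who want to apply Hodges’ tip without switching the Windows Firewall off entirely, the following batch script is an added example (it is not from the article, from NTBugtraq, or from Cisco). It uses the Windows XP SP2 `netsh firewall` context to add the three port exceptions named above. The gateway address is a placeholder you must replace, the `scope=CUSTOM` restriction to that address is an assumption added here so the exceptions are narrower than the default of accepting from any address, and the rule names and the comments describing each port are the editor’s, not the article’s.

```batch
@echo off
rem Added example, not code from the article: create Windows XP SP2 firewall
rem exceptions for the ports the NTBugtraq tip names (TCP 10000, UDP 4500, UDP 62515).
rem VPN_GATEWAY_IP_PLACEHOLDER must be replaced with the VPN concentrator's address;
rem scoping each exception to that address (an assumption added here) keeps the
rem opening narrower than the default scope of ALL.
set VPN_GATEWAY=VPN_GATEWAY_IP_PLACEHOLDER

rem TCP port 10000 (used by the client's TCP encapsulation mode)
netsh firewall add portopening protocol=TCP port=10000 name="Cisco VPN TCP 10000" mode=ENABLE scope=CUSTOM addresses=%VPN_GATEWAY%

rem UDP port 4500 (IPsec NAT-Traversal) and UDP port 62515 (the client's local port)
netsh firewall add portopening protocol=UDP port=4500 name="Cisco VPN UDP 4500" mode=ENABLE scope=CUSTOM addresses=%VPN_GATEWAY%
netsh firewall add portopening protocol=UDP port=62515 name="Cisco VPN UDP 62515" mode=ENABLE scope=CUSTOM addresses=%VPN_GATEWAY%

rem Confirm the exceptions exist and that the firewall itself is still enabled
netsh firewall show portopening
netsh firewall show state
```

Run the script from an administrative command prompt on the SP2 machine. If an exception later needs to be withdrawn, `netsh firewall delete portopening protocol=TCP port=10000` (and the matching UDP commands) removes it; checking `netsh firewall show state` afterwards confirms the firewall was never disabled, which is the point of using targeted exceptions rather than the workaround in the first NTBugtraq report.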