Informing users and clients how to connect their Windows PC to a VPN connection is easy, but could be easier. There are a few questions to answer, and having the user type the answers in might mean wrong answers and therefore a subsequent support call.
To ease this issue and reduce support call costs, Microsoft have made available for a number of years the Connection Manager Administration Kit (CMAK). Lots of websites and blogs describe how to make CMAK profiles, but to date none that I can find solve the problem of installing CMAK on an x64 version of Windows 2008 (for example Small Business Server 2008, but any x64 architecture will do) and attempting to deploy the resulting executable on an i386 XP architecture.
The CMAK program within Windows 2008 (added to the default installation by adding a feature) has options for the creation of a "downlevel" build (i.e. XP, 2003 and 2000) as well as a Vista build (which covers 2008 and Windows 7 as well) but the resulting executable made from the downlevel option is not valid.
There are several reasons for this. Firstly, the executable is constructed using iexpress.exe on an x64 machine, resulting in an x64 installer that will not run on an i386 machine. Fix this problem (see below for steps) and you find that the installer runs a program to actually create the connection object in the Network settings area of Control Panel, but this program (cmstp.exe) is also x64 architecture and so will not run on an i386 architecture machine.
Before we go into the steps to do this successfully, here (for the benefit of the search engines) are the different errors that you will see:
- This profile was not built for this processor architecture. Please contact your Administrator to get the appropriate profile for this architecture.
- profile.exe is not a valid Win32 application.
- Error creating process <c:\docume~1\user\locals~1\temp\ixp000.tmp\.\cmstp.exe>. Reason: C:\WINDOWS\system32\advpack.dll
Fixing this and creating an i386 connection profile on an x64 architecture machine involves modifying the file that controls the creation of the executable (the .sed file) and getting two files from either an i386 Windows Server 2003 installation or an i386 XP installation.
First for those extra files. On the Windows 2008 Server that has CMAK installed, and having successfully created a profile (see windowssecurity.com and uksbsguy for profile creation steps) you need to create a folder called i386 inside C:\Program Files\CMAK\Support\en-US (C: and en-US might be different on your installation). This is best done from an elevated command prompt. Inside this folder place advpack.dll and cmstp.exe from an i386 installation of Windows Server 2003 or XP Professional (ensure latest service packs and patches on the source machine as well). Both of these files are found in \windows\system32 on the source installation.
Secondly, also from the elevated command prompt, you need to create a copy of the .sed file for each architecture you want to build for. The .sed file is named after the profile name that you have created and is located in a subfolder of C:\Program Files\CMAK\Profiles\Downlevel where the subfolder is the name of the profile. The default .sed file will work on x64 XP. Therefore to create a .sed file for i386 XP copy profile.sed to profile-i386.sed and then open this file in notepad (by typing notepad profile-i386.sed from the elevated command prompt).
The third step is to edit this .sed file so that the entries for cmstp.exe and advpack.dll point to the new files you copied in the first step. Therefore change the line that starts FILE0= and the line that starts FILE1=. These should read something like the following:
- FILE0=C:\Program Files\CMAK\Support\en-US\i386\advpack.dll
- FILE1=C:\Program Files\CMAK\Support\en-US\i386\cmstp.exe
Additionally, but not required, I also change the TargetName= value from profile.exe to profile-i386.exe so that it does not overwrite the x64 executable that has already been created by the CMAK wizard and I edit the InstallPrompt= value to include something that indicates that I am about to install the i386 version of the connection object.
Now close and save the changes made to the new .sed file.
Finally you can build the executable. But the fun does not stop here. You might have noticed from the errors above that one of the errors is that the executable is not a valid win32 executable. This occurs if the x64 version of iexpress.exe is used to create the installation program. You need to use the 32 bit version that is installed on the x64 machine. The 32 bit version of the program is found in c:\windows\syswow64 (this stands for Windows On Windows 64) and so from the elevated command prompt type \windows\syswow64\iexpress /N profile-i386.sed (this is one command on one line if your browser happens to wrap the text over two lines). This will create the executable named after the TargetName value in the .sed file. This can then be copied to your software installation share and deployed to your users.
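The .sed edits from the third step, plus a check of the PE header that tells you whether a copied advpack.dll or cmstp.exe (or the built installer) really is i386, as an added example that is not part of the original post. The sample .sed lines, their original paths and the helper names are constructed for illustration; only the FILE0=, FILE1= and TargetName= keys and the i386 folder come from the steps above.

```python
import ntpath
import struct

I386, AMD64 = 0x014C, 0x8664  # IMAGE_FILE_MACHINE_I386 / IMAGE_FILE_MACHINE_AMD64

def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image (ValueError if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

def make_i386_sed(sed_text: str, i386_dir: str) -> str:
    """Apply the FILE0/FILE1 and TargetName edits described above."""
    out = []
    for line in sed_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("FILE0", "FILE1"):
            # Keep the file name, point it at the i386 support folder.
            name = ntpath.basename(value.strip('"'))
            line = f"{key}={ntpath.join(i386_dir, name)}"
        elif sep and key == "TargetName" and value.lower().endswith(".exe"):
            # profile.exe -> profile-i386.exe so the x64 build is not overwritten.
            line = f"{key}={value[:-4]}-i386{value[-4:]}"
        out.append(line)
    return "\r\n".join(out) + "\r\n"

# Constructed sample: only the lines the procedure touches; layout is assumed.
SAMPLE_SED = (
    "TargetName=C:\\Program Files\\CMAK\\Profiles\\Downlevel\\profile\\profile.exe\r\n"
    "FILE0=C:\\Program Files\\CMAK\\Support\\en-US\\advpack.dll\r\n"
    "FILE1=C:\\Program Files\\CMAK\\Support\\en-US\\cmstp.exe\r\n"
)
I386_DIR = "C:\\Program Files\\CMAK\\Support\\en-US\\i386"

def fake_pe(machine: int) -> bytes:
    """Constructed 70-byte stub: MZ header, e_lfanew=0x40, PE signature, Machine."""
    return (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<H", machine))

if __name__ == "__main__":
    print(make_i386_sed(SAMPLE_SED, I386_DIR))
    print(hex(pe_machine(fake_pe(I386))))  # on real files: open(path, "rb").read()
```

Running pe_machine over the two copied files before the build, and over profile-i386.exe after it, catches an x64 binary before it reaches a user and produces one of the errors listed earlier.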