Surface 2 –VPN bug disables Metro Internet Explorer

Update 2 – NOT FIXED

Yeah, so, I was apparently deluded, the problem is still here. It appears to be a bona-fide bug in Windows 8, with a Hotfix at - but that’s only for x86 versions of Windows, and not for the Surface 2.

Update – FIXED

Since I wrote this article, another issue caused me to reset my WMI database, by deleting everything under C:\Windows\System32\wbem\Repository and rebooting. After that, the VPN issues documented in this article have gone away.

Original article

I have a home VPN – everyone should, because it makes for securable access to your home systems when you are out and about, whether it’s at the Starbucks down the street, or half way across the world, like I was on my trip to China last week.

Useful as my home VPN is, and hard as it is to get working (see my last post on Windows 8 VPN problems), it’s only useful if I can get my entire computer to talk through the VPN.

Sidebar – VPN split tunneling

Note that I am not disputing the value of split tunneling in a VPN, which is where you might set up your client to use the VPN only for a range of addresses, so that (for example) a computer might connect to the VPN for connections to a work intranet, but use the regular connectivity for the major part of the public web. For this article, assume I want everything but my link-local traffic to be forwarded to my VPN.

So, in my last VPN post, we talked about setting up the client end of a VPN, and now I want to use it.

Connecting is the easy part, and once connected, most of my apps on the Surface 2 work quite happily, connecting to the Internet through my VPN.

All of the Desktop apps seem to work without restriction, but there are some odd gaps when it comes to using “Windows Store” apps, also known as “Metro” or “Modern UI” apps. Microsoft can’t call this “Metro” any more, even though that’s the most commonly used term for it, so I’ll follow their lead and call this the “Modern UI” [where UI stands for User Interface].

Most glaring of all is the Modern UI Internet Explorer, which doesn’t seem to allow any connections at all, simply displaying “This page can’t be displayed”. The exception to this is if I connect to a web server that is link-local to the VPN server.

I’d think this was a problem with the way I had set up my VPN server, or my client connection, if it weren’t for the fact that my Windows 8.1 laptop connects correctly to this same VPN with no issues on Modern or Desktop versions of Internet Explorer, and of course the undeniable feature that Internet Explorer for the Desktop on my Surface 2 also works correctly.

I’d like to troubleshoot and debug this issue, but of course, the only troubleshooting tools for networking in the Surface 2 run on the Desktop, and therefore work quite happily, as if nothing is wrong with the network. And from their perspective, this is true.

When Bagpuss goes to sleep, all his little friends go to sleep, too.

Of course, Internet Explorer has always been claimed by Microsoft to be a “part of the operating system”, and in Windows 8.1 RT, there is no difference in this respect.

Every Modern UI application which includes a web control, web view, or in some way asks the operating system or development framework to host a web page, also fails to reach its intended target through the VPN.

Technical Support – what’s their take?

Technical support had me try a number of things, including resetting the system, but none of their suggestions had any effect. Eventually I found a tech support rep who told me this is a bug, not that that is really what you’d call a resolution of my problem. These are the sort of things that make it clear that the Surface is still in its early days, and while impressive, has a number of niggling issues that need “fit and finish” work before significant other features get added.

Deploying on the road…

Now that I have a Surface 2, I’m going to leave my laptop at home when I travel.

This leaves me with a concern – obviously, I’m going to play with some of my hobby software development while I have “down time”, but the devices for which I’m building are traveling with me, while the dev machine stays at home.

That’s OK where I’m building for the laptop, because it’s available by Remote Desktop through a Remote Desktop Gateway.

Deploying to my other devices – the Windows Phone and the Surface 2 running Windows RT – is something that I typically do by direct connection, or on the local network.

Windows Phone

For the Windows Phone, there’s a Store called “Beta” as opposed to “Public”, into which you can deploy your app, make it available to specific listed users, and this will allow you to quickly distribute an app remotely to your device.

Details on how to do this are here.

Windows Store

The story on Windows Store apps appears, at first blush, to be far more dismal, with numerous questions online asking “is there a beta store for Windows like there is for the phone?”

The answer comes back “no, but that’s a great idea for future development”.

But it is completely possible to distribute app packages to your Windows RT and other Windows 8.1 devices, using Powershell.

The instructions at MSDN, here, will tell you quite clearly how you can do this.

Thoughts on a New Year

It’s about this time of year that I think…

  • Why do reporters talk so much about NSA spying and Advanced Persistent Threats, when half the websites in existence will cough up cookies if you search for "-alert(document.cookie)-" ?
  • How can we expect people to write secure code when:
    • they don’t know what it is?
    • they can’t recognise insecure code?
    • it’s easier (more clicks, more thinks, etc) to write insecure code?
  • What does it take for a developer to get:
    • fired?
    • a bad performance review?
    • just mildly discomforted?
  • What is it about developers that makes us all believe that nobody else has written this piece of code before? (or that we can write it better)
  • Every time a new fad comes along, whether it’s XML, PHP, Ruby, etc, why do we spend so much time recognising that it has the same issues as the old ones? But without fixes.
  • Can we have an article on “the death of passwords” which will explain what the replacement is – and without that replacement turning out to be “a layer in front of a big password”?
  • Should you let your application out (publish it, make it available on the Internet, etc) if it is so fragile that:
    • you can’t patch it?
    • you can’t update the framework or libraries on which it depends (aka patch them)?
    • you don’t want a security penetration test to be performed on it?
  • Is it right to hire developers on the basis that they can:
    • steer a whiteboard to a small function which looks like it might work?
    • understand an obfuscated sample that demonstrates an obscure feature of your favourite framework?
    • tell you how to weigh twelve coins, one of which might be a fake?
    • bamboozle the interviewer with tales of technological wonders the likes of which he/she cannot fathom?
    • sing the old school song?

Ah, who am I kidding, I think those kinds of things all the time.