Tacobell2000
asked on
Proxy settings apply to users desktops and to the Terminal Server
Hello,
I am managing a domain with many servers two of which are terminal servers. Many users use remote desktop and connect to the terminal server. The terminal server has 2 accounting apps that users rely on to do their jobs. Unfortunately these accounting apps only run if users are local administrators. There is no way around that. As a consequence, I made the accounting group local administrators of 2 Terminal servers. To tighten security I created an OU "Terminal Servers" and moved both Terminal Servers to the OU. I then created a GPO and configured under:
USER Configuration
Windows Settings
Connection Proxy
Enable Proxy Settings and put some bogus proxy server address
I applied this to Authenticated Users
Result is: Users logging on to the terminal server are unable to connect to the internet....This is what I want.
However users are unable to browse the internet from their desktop because of the bogus proxy address.
I just want all authenticated users to not go onto the internet from a terminal server session and I want them to browse the internet from their desktops. Where should I configure this using a GPO?
Many thanks,
Tacobell2000
Another option is using Proxycfg.exe in a script that is only going to launch when logging into the TS.
Do you have a proxy? I know that on some proxies (Bluecoat in my experience) you can be machine specific (via IP, i.e. x.x.x.x) stating whether to allow or deny web traffic.
If your firewall is acting as the proxy you might want to try and configure it there as well.
"moved both Terminal Servers to the OU"
He stated that he moved the Terminal servers into the OU and not the Users. When they cannot surf the internet on their machine, is it strictly when they are terminaling into the server? Or does it take effect when they terminal in and then remain until corrected via gpupdate or manual entry of proper proxy information?
ASKER
Question: When they cannot surf the internet on their machine, is it strictly when they are terminaling into the server? Or does it take effect when they terminal in and then remain until corrected via gpupdate or manual entry of proper proxy information?
Answer: They are terminaling in to the server and open a web browser...result they cannot surf the internet. I ask them to minimize their remote desktop and open a web browser from their desktop and they cannot surf the internet. I ask them to go into the internet options and the proxy server is checked.
What oBdA stated sounds like it might work, I would give that a shot.
ASKER
I'm configuring what oBdA wrote as.......I'm writing this
Loopback is what you need to use! Do you still have a problem?
If your users still get that the proxy is in use then perhaps they need to log out and in again to make it work? Or maybe the policy still affects them? Or if you are using Internet Explorer Maintenance to configure it then that's not the best and you might need to hit your users with a policy with IEM which removes the proxy check...
Why do you even have a supplier of programs that require the users to be local admin? Normally you can get around this to
ASKER
"You need to create a dedicated OU for your terminal servers in/under which there are no user accounts, only the terminal server objects.
Then you need to use the group policy "Loopback" feature:
Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable "User group policy loopback processing mode" in Computer Configuration\Administrative Templates\Group Policies. Set the mode to Merge, (or Replace, whatever suits you better). You can leave the default security settings."
This is done and I chose MERGE.
Now you can create additional GPO(s) for your users in this OU. .......Answer: There are no users...only Terminal Servers.
So I did not bother with the rest....
Will wait to see what the results are...give me a couple of days.
Sorry, you misunderstood me; "for your users" just meant that you can now configure policies from the "User Configuration" part. Read on until the part that these policies will apply to all users logging on to the terminal servers, and that the user accounts do NOT need to be in the TS OU ...
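The loopback setup discussed in this thread, scripted as an added example (not code posted by anyone in the thread). It assumes the GroupPolicy PowerShell module from RSAT/GPMC; the OU distinguished name, the second GPO's name and the dead-end proxy address are placeholders.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

# Assumptions: replace these with your own values.
$TsOu        = 'OU=Terminal Servers,DC=example,DC=com'  # placeholder DN; OU holds only the TS computer objects
$LoopbackGpo = 'Loopback'                               # name suggested in the thread
$UserGpo     = 'TS - Block Internet'                    # hypothetical GPO name
$BogusProxy  = '127.0.0.1:9'                            # constructed dead-end proxy address

# 1. GPO that only turns loopback on. This is a computer-side setting, so the
#    User Configuration half of this GPO can be disabled.
$gpo = New-GPO -Name $LoopbackGpo
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null   # 1 = Merge, 2 = Replace
$gpo.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $LoopbackGpo -Target $TsOu -LinkEnabled Yes | Out-Null

# 2. GPO carrying the user-side proxy values. It is linked to the computer OU;
#    loopback is what makes its User Configuration apply to anyone logging on
#    to those servers, wherever their user account lives in the directory.
$user = New-GPO -Name $UserGpo
$ie   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPPrefRegistryValue -Name $UserGpo -Context User -Action Update `
    -Key $ie -ValueName 'ProxyEnable' -Type DWord -Value 1 | Out-Null
Set-GPPrefRegistryValue -Name $UserGpo -Context User -Action Update `
    -Key $ie -ValueName 'ProxyServer' -Type String -Value $BogusProxy | Out-Null
$user.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $UserGpo -Target $TsOu -LinkEnabled Yes | Out-Null

# 3. Confirm both GPOs are linked to the terminal server OU and nowhere that
#    would reach desktop logons.
(Get-GPInheritance -Target $TsOu).GpoLinks |
    Format-Table DisplayName, Enabled, Order -AutoSize
```

After a `gpupdate /force` on the terminal servers, run `gpresult /r` in a terminal server session and again on a desktop: the user-side GPO should appear under the applied user GPOs only in the terminal server session.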
ASKER
Right on....that did it.
You need to make the proxy setting under Computer Configuration and make it per computer.