How do I apply IE proxy settings to computers on another subnet via Group Policy?

Here is my network layout, in brief:

192.168.2.0/24
    DC 192.168.2.3, DNS, DHCP, WINS
    Firewall 192.168.2.8 (Kerio WinRoute)
192.168.1.0/24
    No DC present (yet)

Subnets connected via Cisco 2500 routers.  All traffic flows just fine.

Since we added the Kerio WinRoute Firewall (great product), we have had to make some modifications to browser settings.  One of the main ones was to remove the proxy settings (we used to point to an old MS Proxy 2.0 server).  This was easily done via group policy.  The problem is that the 1.x subnet can no longer get out to the internet.  If we reset the proxy settings to point to the firewall then all is well again.  Rather than hitting every desktop in the enterprise, I thought we could do this through group policy.  

It ain't happenin'.

I have created two OUs...one for the 2.x subnet and one for the 1.x subnet.  I have created two new group policies and linked them to these OUs.  Computer objects only inhabit these OUs.  The 1.x policy sets the proxy settings properly and also has proxy setting per machine enabled.  Still no dice.

How do I get this to work?

Thanks,
Ling
Linguinut Asked:
 
Don S. Commented:
You have to Enable first.
Then: config term.
Then you can enter the IP route command.
0
 
Thanatos2k Commented:
That is whacked... Maybe try disabling proxy altogether through group policy, waiting for all machines to refresh, and then re-enabling proxy with the new settings?

What about adding a second IP on the new proxy server to match the IP the old server used to have?
0
 
Linguinut (Author) Commented:
Than,

I did disable proxy settings via group policy for the entire domain.  I slept well last night.

Today, no one in the 1.x subnet can access the internet since the proxy settings have been removed.  If I manually add them back, then internet access is alive and well.  

I do not want to manually add them back to every workstation, so I thought "what about group policy?".  Well, I may have "whacked" my domain by setting up two OUs which house the computers from each subnet (all computers used to exist under the Computer OU).

How do I un-"whack" it?  And, sleep well tonight, too?
Ling
0

 
Don S. Commented:
Multiple OUs did not "whack" your domain.  It's fairly common to have multiple OUs for all sorts of reasons.  It sounds like your GPs aren't getting applied to those on the 2.x subnet and probably never have been.  Check the event logs on one of the 2.x computers as well as the domain controller.  I suspect you will find an error relating to applying group policies.  Also, check your GP hierarchy using the Group Policy Modeling tool in GPMC to see if everything is the way you expect it to be.
0
 
Don S. Commented:
GPs not applying often are related to DNS issues.  How are addresses and IP settings assigned on 2.x ?
0
 
Linguinut (Author) Commented:
Via DHCP on the DC.  The DC is also serving as the DNS.  IPCONFIG responds with all settings reflecting an accurate setup on the workstations.

Nothing shows up in the DC event logs, nor the desktop event logs.

The modeling tool shows the default domain policy and the OU policy being applied for the computer settings; however, only the default policy is applied for the user settings.  I actually would expect this.  Could the default policy be overriding the OU policy?  Also, shouldn't the OU computer settings dictate the user's settings if machine-specific proxy settings are enabled?  

So many settings...so little time...so much confusion...

Ling
0
 
Don S. Commented:
User IE settings override Machine IE settings.  The proper place to set Proxy use in IE is in the User policy.  I'd create a new User GP to control all your IE settings.  I never like to mess with the default policies.

Do you have an IP helper address set in the Cisco router?
0
 
Linguinut (Author) Commented:
Here's the rub...UserA sits at a desktop in the 1.x network.  Tomorrow, UserA goes to the other location and logs on to the 2.x network.  The proxy settings must be different for each machine, but not for each user.  No matter who logs on to a machine in the 1.x subnet, they should get the same settings.  Same thing goes for anyone who logs on at a 2.x machine.

If it has to be done through user settings then it cannot be done.  No way.

I will remove the GPOs and OUs and VNC into every machine and adjust the settings myself.  The amount of time wasted on this issue is way more time than it would take to adjust every machine manually.  

If there is another way, please let me know.  Group Policies are a blessing, and a curse.

I will not sleep well tonight.
Ling
0
 
Thanatos2k Commented:
The firewall is the proxy server, yes? At 192.168.2.8. So is that not the proxy address for all machines? And the 192.168.1.x subnet routes through the Cisco to the 192.168.2.x subnet? If all machines on both nets can ping 192.168.2.8, they should all be able to use the same settings for the proxy there?

Or maybe I am not understanding your setup correctly. (very likely)
0
 
Don S. Commented:
Oops, I just reread everything.  I should have referred to 1.x not 2.x since 2.x works correctly as is?  GPs work well but not always as intended nor as easily as desired.
  Are you trying to remove existing proxy settings on 1.x or trying to change an existing proxy to a different proxy?  Also, is there only one firewall?  Why would the proxy setting need to be different on 1.x vs. 2.x?  I might be missing something here.
0
 
Linguinut (Author) Commented:
I would prefer to NOT specify a proxy, at all.  It is not necessary--except on the 1.x subnet.

The issue began when I changed the default gateway on 2.x boxes to the firewall (192.168.2.8).  2.x boxes work great.  The 1.x boxes still must have their gateway set as the router (192.168.1.1) to the 2.x subnet.  Because of that, 1.x must have a proxy established in their browser settings.

If there were a way to set up 1.x machines with 2.8 as a gateway, then my job is done.  No proxy settings have to be fiddled with.  Perhaps a persistent route on every workstation (2.x via 1.1)?  Can that be done...and still set their gateways to 2.8?

Hmmmmm,
Ling
0
 
Don S. Commented:
Ah, now I get it.  It sounds like the routes aren't set up correctly in the Cisco Router.  Do you have a default route pointing to 192.168.2.8 set in the Router?  The entry would look like 0.0.0.0 0.0.0.0 192.168.2.8
You shouldn't need a proxy setting anywhere if routing is working right.
0
 
Linguinut (Author) Commented:
Dons,

Did that last entry help explain my Sitz im Leben a bit better?

One firewall for both subnets...yup.

We used to have MS Proxy 2.0 and the way our network was set up, we needed to add proxy settings to the browser.  Now, with a few tweaks to the network (ref gateways, above), and the introduction of the new firewall (Kerio), we do not need the proxy settings.

My goal...buy new desktop, turn on, join domain, log on, done.

Ling
0
 
Linguinut (Author) Commented:
1.x . . . . 192.168.1.1 <------T1------> 192.168.2.1 . . . . 2.x

Set the static route on the 1.1 router?  Right?

Do you know the command?  I think the router is a 1600, not a 2500, like I originally thought.

Ling
0
 
Don S. Commented:
Ok, so there is a T1 in between.  You should have a default route in 192.168.1.1 pointing to the T1 interface of the 192.168.2.1 router.  In the 2.x router you should have a static route: 192.168.1.1 255.255.255.0 pointing to the T1 interface of the 1.x router.  You should also have a default route 0.0.0.0 0.0.0.0 192.168.2.8 set in the 2.x router.  The idea here is to have everything for 1.x going out the T1 and everything else going to the firewall.  The command would be:
IP ROUTE address mask gateway
0
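
The route layout described in the comment above, modelled as an added example (not code from the thread or from any participant): a longest-prefix-match lookup over both routers' tables shows Internet-bound traffic from 1.x being dropped until the 2.x router has a default route to the firewall. The router names R1/R2 and the host addresses used for tracing are assumptions; the T1 interface addresses are not given in the thread, so next hops across the T1 are written as router names.

```python
import ipaddress

FIREWALL = "192.168.2.8"          # Kerio WinRoute address, from the thread
INTERNET_HOST = "203.0.113.10"    # constructed test destination (TEST-NET-3)

def next_hop(table, dst):
    """Longest-prefix match: next hop for dst, or None when no route exists."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(routers, start, dst, max_hops=8):
    """Follow next hops from router `start` until delivery, drop, or a loop."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(routers[node], dst)
        if hop is None:
            return path + ["DROP (no route)"]
        path.append(hop)
        if hop not in routers:     # handed to a connected segment or the firewall
            return path
        node = hop
    return path + ["LOOP"]

def build(default_on_r2):
    """R1 = 1.x router (192.168.1.1), R2 = 2.x router (192.168.2.1)."""
    r1 = [("192.168.1.0/24", "connected"),
          ("0.0.0.0/0", "R2")]                 # default route out the T1
    r2 = [("192.168.2.0/24", "connected"),
          ("192.168.1.0/24", "R1")]            # static route back to 1.x
    if default_on_r2:
        r2.append(("0.0.0.0/0", FIREWALL))     # everything else to the firewall
    return {"R1": r1, "R2": r2}

if __name__ == "__main__":
    for flag in (False, True):
        print("default route on R2:", flag)
        print("  1.x -> Internet:", trace(build(flag), "R1", INTERNET_HOST))
        print("  2.x -> 1.x host:", trace(build(flag), "R2", "192.168.1.50"))
```

With the default route in place, every flow that is not for 1.x or 2.x leaves through 192.168.2.8, so the firewall sees the 1.x subnet's Internet traffic without any browser proxy setting.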
 
Linguinut (Author) Commented:
I don't think IP ROUTE is the correct command.  I am telnetting into the router and attempting to add the route (0.0.0.0 0.0.0.0 192.168.2.8).  It has been a very long time since I did this last...if you don't use it, you lose it.

I'll keep looking for the right one.  If you think of it . . . holler.
Ling
0
 
Linguinut (Author) Commented:
Thanks a ton!!!  That was perfect!!

Ling
0
Question has a verified solution.
