Solved

How do I apply IE proxy settings to computers on another subnet via Group Policy?

Posted on 2006-05-25
Last Modified: 2008-02-01
Here is my network layout, in brief:

192.168.2.0/24
    DC 192.168.2.3, DNS, DHCP, WINS
    Firewall 192.168.2.8 (Kerio WinRoute)
192.168.1.0/24
    No DC present (yet)

Subnets connected via Cisco 2500 routers.  All traffic flows just fine.

Since we added the Kerio WinRoute Firewall (great product), we have had to make some modifications to browser settings.  One of the main ones was to remove the proxy settings (we used to point to an old MS Proxy 2.0 server).  This was easily done via group policy.  The problem is that the 1.x subnet can no longer get out to the internet.  If we reset the proxy settings to point to the firewall then all is well again.  Rather than hitting every desktop in the enterprise, I thought we could do this through group policy.  

It ain't happenin'.

I have created two OUs...one for the 2.x subnet and one for the 1.x subnet.  I have created two new group policies and linked them to these OUs.  Computer objects only inhabit these OUs.  The 1.x policy sets the proxy settings properly and also has proxy setting per machine enabled.  Still no dice.

How do I get this to work?

Thanks,
Ling
Question by:Linguinut
17 Comments
 
LVL 2

Expert Comment

by:Thanatos2k
ID: 16763110
That is whacked... Maybe try disabling proxy altogether through group policy, waiting for all machines to refresh, and then re-enabling proxy with the new settings?

What about adding a second IP on the new proxy server to match the IP the old server used to have?
0
 
LVL 1

Author Comment

by:Linguinut
ID: 16763282
Than,

I did disable proxy settings via group policy for the entire domain.  I slept well last night.

Today, no one in the 1.x subnet can access the internet since the proxy settings have been removed.  If I manually add them back, then internet access is alive and well.  

I do not want to manually add them back to every workstation, so I thought "what about group policy?".  Well, I may have "whacked" my domain by setting up two OUs which house the computers from each subnet (all computers used to exist under the Computer OU).

How do I un-"whack" it?  And, sleep well tonight, too?
Ling
0
 
LVL 18

Expert Comment

by:Don S.
ID: 16763469
Multiple OUs did not "whack" your domain.  It's fairly common to have multiple OUs for all sorts of reasons.  It sounds like your GPs aren't getting applied to those on the 2.x subnet and probably never have been.  Check the event logs on one of the 2.x computers as well as the domain controller.  I suspect you will find an error relating to applying group policies.  Also, check your GP hierarchy using the Group Policy Modeling tool in GPMC to see if everything is the way you expect it to be.
0
 
LVL 18

Expert Comment

by:Don S.
ID: 16763489
GPs not applying often are related to DNS issues.  How are addresses and IP settings assigned on 2.x ?
0
 
LVL 1

Author Comment

by:Linguinut
ID: 16763566
Via DHCP on the DC.  The DC is also serving as the DNS.  IPCONFIG responds with all settings reflecting an accurate setup on the workstations.

Nothing shows up in the DC event logs, nor the desktop event logs.

The modeling tool shows the default domain policy and the OU policy being applied for the computer settings; however, only the default policy is applied for the user settings.  I actually would expect this.  Could the default policy be overriding the OU policy?  Also, shouldn't the OU computer settings dictate the user's settings if machine-specific proxy settings are enabled?  

So many settings...so little time...so much confusion...

Ling
0
 
LVL 18

Expert Comment

by:Don S.
ID: 16763636
User IE settings override Machine IE settings.  The proper place to set Proxy use in IE is in the User policy.  I'd create a new User GP to control all your IE settings.  I never like to mess with the default policies.

Do you have an IP helper address set in the Cisco router?
0
 
LVL 1

Author Comment

by:Linguinut
ID: 16763707
Here's the rub...UserA sits at a desktop in the 1.x network.  Tomorrow, UserA goes to the other location and logs on to the 2.x network.  The proxy settings must be different for each machine, but not for each user.  No matter who logs on to a machine in the 1.x subnet, they should get the same settings.  Same thing goes for anyone who logs on at a 2.x machine.

If it has to be done through user settings then it cannot be done.  No way.

I will remove the GPOs and OUs and VNC into every machine and adjust the settings myself.  The amount of time wasted on this issue is way more time than it would take to adjust every machine manually.  

If there is another way, please let me know.  Group Policies are a blessing, and a curse.

I will not sleep well tonight.
Ling
0
 
LVL 2

Expert Comment

by:Thanatos2k
ID: 16763791
The firewall is the proxy server, yes? At 192.168.2.8. So is that not the proxy address for all machines? And the 192.168.1.x subnet routes through the cisco to the 192.168.2.x subnet? If all machines on both nets can ping 192.168.2.8, they should all be able to use the same settings for the proxy there?

Or maybe I am not understanding your setup correctly. (very likely)
0
 
LVL 18

Expert Comment

by:Don S.
ID: 16763856
Oops, I just reread everything.  I should have referred to 1.x not 2.x since 2.x works correctly as is?  GPs work well but not always as intended nor as easily as desired.
  Are you trying to remove existing proxy settings on 1.x or trying to change an existing proxy to a different proxy?  Also, is there only one firewall?  Why would the proxy setting need to be different on 1.x vs. 2.x?  I might be missing something here.
0
 
LVL 1

Author Comment

by:Linguinut
ID: 16763859
I would prefer to NOT specify a proxy, at all.  It is not necessary--except on the 1.x subnet.

The issue began when I changed the default gateway on 2.x boxes to the firewall (192.168.2.8).  2.x boxes work great.  The 1.x boxes still must have their gateway set as the router (192.168.1.1) to the 2.x subnet.  Because of that, 1.x must have a proxy established in their browser settings.

If there were a way to set up 1.x machines with 2.8 as a gateway, then my job is done.  No proxy settings have to be fiddled with.  Perhaps a persistent route on every workstation (2.x via 1.1)?  Can that be done...and still set their gateways to 2.8?

Hmmmmm,
Ling
0
 
LVL 18

Expert Comment

by:Don S.
ID: 16763910
Ah, now I get it.  It sounds like the routes aren't set up correctly in the Cisco Router.  Do you have a default route pointing to 192.168.2.8 set in the Router?  The entry would look like 0.0.0.0 0.0.0.0 192.168.2.8
You shouldn't need a proxy setting anywhere if routing is working right.
0
 
LVL 1

Author Comment

by:Linguinut
ID: 16763911
Dons,

Did that last entry help explain my Sitz im Leben a bit better?

One firewall for both subnets...yup.

We used to have MS Proxy 2.0 and the way our network was setup, we needed to add proxy settings to the browser.  Now, with a few tweaks to the network (ref gateways, above), and the introduction of the new firewall (Kerio), we do not need the proxy settings.

My goal...buy new desktop, turn on, join domain, log on, done.

Ling
0
 
LVL 1

Author Comment

by:Linguinut
ID: 16763950
1.x . . . . 192.168.1.1 <------T1------> 192.168.2.1 . . . . 2.x

Set the static route on the 1.1 router?  Right?

Do you know the command?  I think the router is a 1600, not a 2500, like I originally thought.

Ling
0
 
LVL 18

Expert Comment

by:Don S.
ID: 16764010
Ok, so there is a T1 in between.  You should have a default route in 192.168.1.1 pointing to the T1 interface of the 192.168.2.1 router.  In the 2.x router you should have a static route: 192.168.1.1 255.255.255.0 pointing to the T1 interface of the 1.x router.  You should also have a default route 0.0.0.0 0.0.0.0 192.168.2.8 set in the 2.x router.  The idea here is to have everything for 1.x going out the T1 and everything else going to the firewall.  The command would be:
IP ROUTE address mask gateway
0
 
LVL 1

Author Comment

by:Linguinut
ID: 16764054
I don't think IP ROUTE is the correct command.  I am telnetting into the router and attempting to add the route (0.0.0.0 0.0.0.0 192.168.2.8).  It has been a very long time since I did this last...if you don't use it, you lose it.

I'll keep looking for the right one.  If you think of it . . . holler.
Ling
0
 
LVL 18

Accepted Solution

by:
Don S. earned 2000 total points
ID: 16764066
You have to Enable first.
Then: config term.
Then you can enter the IP route command.
0
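
The routing plan Don S. describes in this thread, checked with a small longest-prefix-match model (an added example, not part of the original thread or anyone's post). The T1 link addresses 10.255.0.1 and 10.255.0.2, the router names `r1x`/`r2x`, the test destination 203.0.113.10 and the "before" table without a default route are constructed assumptions; the thread does not give them.

```python
import ipaddress

# Constructed placeholders: the thread never states the T1 link addresses.
T1_AT_1X = "10.255.0.1"    # T1 interface of the 192.168.1.1 router (assumed)
T1_AT_2X = "10.255.0.2"    # T1 interface of the 192.168.2.1 router (assumed)
FIREWALL = "192.168.2.8"   # Kerio WinRoute firewall, from the thread
OWNER = {T1_AT_1X: "r1x", T1_AT_2X: "r2x"}   # next-hop address -> router

def table(*routes):
    """Build a routing table from (prefix, next_hop) pairs."""
    return [(ipaddress.ip_network(p), nh) for p, nh in routes]

def lookup(rt, dst):
    """Longest-prefix match: next hop for dst, or None when no route fits."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, nh) for net, nh in rt if addr in net]
    return max(hits)[1] if hits else None

def build(with_default):
    """Both routers' tables; with_default adds 0.0.0.0/0 -> firewall on r2x."""
    r2x = [("192.168.2.0/24", "connected"), ("10.255.0.0/30", "connected"),
           ("192.168.1.0/24", T1_AT_1X)]          # static route back to 1.x
    if with_default:
        r2x.append(("0.0.0.0/0", FIREWALL))       # ip route 0.0.0.0 0.0.0.0 192.168.2.8
    return {
        "r1x": table(("192.168.1.0/24", "connected"),
                     ("10.255.0.0/30", "connected"), ("0.0.0.0/0", T1_AT_2X)),
        "r2x": table(*r2x),
    }

def trace(routers, start, dst, max_hops=8):
    """Follow next hops from router `start`; return the list of hops taken."""
    path, here = [start], start
    for _ in range(max_hops):
        nh = lookup(routers[here], dst)
        if nh is None:
            return path + ["no route: dropped"]
        if nh == "connected":
            return path + ["delivered on LAN"]
        if nh not in OWNER:                       # hop is not a modelled router
            return path + [nh]
        here = OWNER[nh]
        path.append(here)
    return path + ["loop"]

if __name__ == "__main__":
    print("before:", trace(build(False), "r1x", "203.0.113.10"))
    print("after: ", trace(build(True), "r1x", "203.0.113.10"))
```
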
 
LVL 1

Author Comment

by:Linguinut
ID: 16764166
Thanks a ton!!!  That was perfect!!

Ling
0
