Internet Restriction GPO needs allowance for internal addresses on the LAN.

Running Windows Server 2003/XP environment.  

I have a GPO for Internet Access and a GPO for Internet Restriction.  Internet Access GPO gets full internet access while Internet Restriction GPO is to get only access to the Intranet and then certain websites such as Fedex.com and a public address to some Citrix apps.  My focus here is on the Internet Restriction GPO.

Since I only have a handful of external addresses, I have been going to User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings and Enabling Proxy Settings and then putting in the loopback address (127.0.0.1:80) as the Address of Proxy and then under the Exceptions box adding a few sites in there.  Also checking the box "Do not use proxy server for local (intranet) addresses."

Still, some of our Intranet web pages do not load.  The ones that do not load are running off IIS on other servers on our LAN, would this make a difference?  

Also, some of the external sites do not open for them either.  I'm not as concerned about that as much as the other internal sites not opening.  

Any ideas how I can get other internal addresses to open up for this restricted group?  Probably the click of the mouse but I've been looking at this for too long now, I think I fried my brain on this subject.  

Thanks.


wfssupport asked:

wfssupport (Author) commented:
Any takers?
Keith Alabaster (Enterprise Architect) commented:
Sorry if I am being dull here but this has appeared in one of my Zones (MS ISA server). Is ISA server involved here somewhere or shall I just climb back in my box...? :)
wfssupport (Author) commented:
No ISA server.  We have a Cisco ASA in place.  But it's only working defense for the outside world. Everything on the LAN is wide open as far as the ASA goes.
wfssupport (Author) commented:
Bump?
lrmoore commented:
When you try to go to internal intranet servers, are you trying to get to their public IP address, or the private internal IP addresses? If you're trying to get to the public IPs, then you have a NAT issue in the ASA firewall that requires you to use the private IPs. External clients will resolve www.yourdomain.com to the public IP, internal clients have to resolve www.yourdomain.com to the private IP.

There are easier ways to accomplish your goals if you use Windows ISA server as a local proxy
ShineOn commented:
If your intranet servers aren't being recognized as being in the I.E. "Intranet Zone," they will be treated as external addresses and will hit the dummy proxy.

Make sure they are added to your Intranet Zone, which can be done via GPO as well, IIRC.
wfssupport (Author) commented:
lrmoore, they are internal addresses only.

ShineOn, I am not seeing anywhere in GP that I can set the servers to be in the Intranet Zone other than: User Configuration>Windows Settings>Internet Explorer Maintenance>Security>Security Zones and Content Ratings

And in here when I try to add an internal address to one of the servers it just says that it's already in another Zone which it is not, as far as I can see.
ShineOn commented:
Yes, User Configuration>Windows Settings>Internet Explorer Maintenance>Security>Security Zones and Content Ratings.

Select the radio button for Security Zones and Privacy to Import the current security zones.  Click Modify Settings.  Select "Local Intranet" and click Sites.

Leave all the checkboxes checked, and click "Advanced."  

Add whatever URLs you use for your intranet sites...  Include both http and https, short name and fqdn, ip addresses, anything you can think of that the user might try for accessing the intranet sites.

In fact, what you can do first is to set up your own PC to use the proxy and then add the intranet sites to your own IE setup until you're satisfied it's all covered, and then when you make the selection to import the current zones, it will take what you already have configured - you won't have to add anything else.

ShineOn commented:
Note that if you already have a server set up in your own setup in "Trusted Sites" then you should move it to "Local Intranet."  The proxy bypass doesn't look at what's in Trusted Sites, just what's in the Local Intranet zone.

That may be why you're getting told that it's already in another zone.  Check the trusted zone sites and if any of the intranet sites are there, remove them so they can be added to the intranet zone.  
wfssupport (Author) commented:
I do not have any sites in any Zones.  So I do not know why I'm being told "The site you specified exists in another zone."  Now I'm confused.  I've checked any policies that I think would be interfering and still get it.  
wfssupport (Author) commented:
At this point I think I'm going to deactivate the server rooms Halon system and start the servers on fire.
ShineOn commented:
Have you tried setting those servers in the intranet zone on your PC's IE profile, before running the GP editor?
wfssupport (Author) commented:
Yes.  It does nothing different when I add them to my local PC first and then go into edit the GPO.
ShineOn commented:
Odd.  I don't have that problem.

Does it let you add any servers, or do they all come up as "... exists in another zone?"

Are you using the group policy management control panel, gpmc.msc, and not gpedit.msc?  Are you logged in as a domain admin?
wfssupport (Author) commented:
I can add anything I want now, but it makes no difference.

I am logged in as a Domain Admin. using Group Policy Management.

The main Intranet page comes up fine, but nothing else when I log in as a user on our internet restriction policy.

I cannot believe that there is no clear-cut way of doing this!

I am at wits end on this.  Someone please help. Thank you.
ShineOn commented:
Actually, there is a clear-cut way to do it, but not with GPOs.  You use an Internet proxy that uses user-based ACLs.

There are many that do, and many of those will use Active Directory group membership or LDAP lookups for the user-based ACL.  You set up the proxy to pass internal (intranet) requests directly (route instead of proxy) so it doesn't matter whether the browser is set to bypass the proxy for local (intranet) addresses.  

You could do some of this with WPAD and a wpad.dat file, too.  The wpad.dat file has to be served by a web server on your network that is pointed to by DNS and/or DHCP.  It's a JavaScript file that can be configured to check for specific criteria in the URL - for example, *.mydomain.local, and pass it to "DIRECT" otherwise pass it to the proxy address as named in the wpad.dat file.

Then, you simply configure your browsers to autodetect proxy.
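The WPAD approach ShineOn describes, and the loopback "dead proxy" plus exceptions list from the original question, as one added example that is not part of this thread: a wpad.dat-style FindProxyForURL that sends intranet hosts and a short allowlist DIRECT and hands everything else to 127.0.0.1:80, where nothing listens. Browsers supply isPlainHostName, dnsDomainIs and shExpMatch themselves; the minimal versions below exist only so the file runs offline under Node, and the internal DNS suffix, address ranges, allowlist and sample URLs are constructed placeholders, not values from the thread.

```javascript
// Added example (not code from the thread): a wpad.dat-style decision function
// for the "Internet Restriction" group. Intranet and a short allowlist go
// DIRECT; everything else is handed to a proxy where nothing listens
// (127.0.0.1:80), which is how the original GPO "blocks" the internet.
// Written in ES3-style JavaScript (var, for loops) because the JScript engine
// IE of that era uses for PAC files does not understand newer syntax.

// ---- PAC helper functions -------------------------------------------------
// A real browser supplies these. They are defined here only so the script runs
// offline under Node; a served wpad.dat needs only FindProxyForURL plus the
// constants and isIpLiteral below.
function isPlainHostName(host) {
  // IE treats a hostname without a dot as "local (intranet)". This is all the
  // "Do not use proxy server for local (intranet) addresses" checkbox covers.
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length > domain.length &&
    host.slice(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Shell-style glob: '*' matches anything, every other character is literal.
  var re = shexp.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + re + "$", "i").test(str);
}

// ---- Policy (assumed values) -----------------------------------------------
var DEAD_PROXY = "PROXY 127.0.0.1:80";       // nothing listens: effectively blocked
var INTRANET_SUFFIX = ".corp.local";          // assumed internal DNS suffix
var INTRANET_RANGES = ["10.*", "192.168.*"];  // assumed LAN address space
var ALLOWED_EXTERNAL = ["*.fedex.com", "citrix.example.com"]; // constructed allowlist

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

function FindProxyForURL(url, host) {
  var i;
  host = host.toLowerCase();

  // Intranet by name: dotless short names, or anything under the internal
  // suffix. The suffix rule is what the question was missing: "hr.corp.local"
  // contains dots, so the "local addresses" checkbox never bypasses the dead
  // proxy for it on its own.
  if (isPlainHostName(host) || dnsDomainIs(host, INTRANET_SUFFIX)) {
    return "DIRECT";
  }

  // Intranet by address. Only IP literals are tested against the ranges, so a
  // public name such as "10.attacker.example" cannot glob-match "10.*" and
  // slip through. (isInNet() would resolve names first; it is avoided here so
  // the example needs no DNS.)
  if (isIpLiteral(host)) {
    for (i = 0; i < INTRANET_RANGES.length; i++) {
      if (shExpMatch(host, INTRANET_RANGES[i])) return "DIRECT";
    }
  }

  // The handful of external sites the restricted group is allowed to reach.
  for (i = 0; i < ALLOWED_EXTERNAL.length; i++) {
    if (shExpMatch(host, ALLOWED_EXTERNAL[i])) return "DIRECT";
  }

  return DEAD_PROXY; // default deny
}

// Node-only harness: decide from a full URL, as a browser would call the function.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Constructed requests, one per branch above.
var SAMPLES = [
  "http://intranet/",
  "http://hr.corp.local/timesheets",
  "http://10.0.5.20/reports",
  "http://10.attacker.example/",
  "https://www.fedex.com/tracking",
  "http://www.example.org/"
];
for (var s = 0; s < SAMPLES.length; s++) {
  console.log(SAMPLES[s] + " -> " + decide(SAMPLES[s]));
}
```

Serve the file with the MIME type application/x-ns-proxy-autoconfig and point clients at it by DNS or DHCP as ShineOn describes. Two caveats a practitioner should keep in mind. First, if the PAC file cannot be fetched or throws a script error, browsers fall back to a direct connection, so this restriction fails open; test the file after every edit, just as a single mis-typed exception broke the static list in the accepted answer. Second, a dead loopback proxy is a client-side control only: a user who can edit connection settings, or software that ignores the IE proxy settings, is not constrained by it, so the ASA or a real proxy with user-based ACLs remains the actual enforcement point.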
wfssupport (Author) commented:
I figured it out and as I suspected, it was something simple.

I originally set it up so that the Restricted PCs were sent to a fake proxy server at 127.0.0.1 and then put in exceptions to a few sites and intranet pages that they need.  All through GPO.  What I did now is delete all exceptions and enter them all back in manually.  Seems as though one of them may have been reentered wrong in the last month or two.  When that happens, it doesn't let any of them work.  Which is dumb.  Either way, now that they are all entered in correctly it works fine.  Thank you so much for your advice.
Computer101 commented:
PAQed with points refunded (500)

Computer101
EE Admin