Solved

Internet Restriction GPO needs allowance for internal addresses on the LAN.

Posted on 2007-04-03
723 Views
Last Modified: 2008-06-01
Running Windows Server 2003/XP environment.  

I have a GPO for Internet Access and a GPO for Internet Restriction.  Internet Access GPO gets full internet access while Internet Restriction GPO is to get only access to the Intranet and then certain websites such as, Fedex.com and a public address to some Citrix apps.  My focus here is on the Internet Restriction GPO.

Since I only have a handful of external addresses, I have been going to User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings and Enabling Proxy Settings and then putting in the loopback address (127.0.0.1:80) as the Address of Proxy and then under the Exceptions box adding a few sites in there.  Also checking the box "Do not use proxy server for local (intranet) addresses."

Still, some of our Intranet web pages do not load.  The ones that do not load are running off IIS on other servers on our LAN, would this make a difference?  

Also, some of the external sites do not open for them either.  I'm not as concerned about that as much as the other internal sites not opening.  

Any ideas how I can get other internal addresses to open up for this restricted group?  Probably the click of the mouse but I've been looking at this for too long now, I think I fried my brain on this subject.  

Thanks.


Question by: wfssupport
20 Comments
Author Comment by: wfssupport
Any takers?
0
Expert Comment by: Keith Alabaster (LVL 51)
Sorry if I am being dull here but this has appeared in one of my Zones (MS ISA server). Is ISA server involved here somewhere or shall I just climb back in my box...? :)
0
Author Comment by: wfssupport
No ISA server.  We have a Cisco ASA in place.  But it's only working as a defense against the outside world. Everything on the LAN is wide open as far as the ASA goes.
0
Author Comment by: wfssupport
Bump?
0
Expert Comment by: lrmoore (LVL 79)
When you try to go to internal intranet servers, are you trying to get to their public IP address, or the private internal IP addresses? If you're trying to get to the public IPs, then you have a NAT issue in the ASA firewall that requires you to use the private IPs. External clients will resolve www.yourdomain.com to the public IP; internal clients have to resolve www.yourdomain.com to the private IP.

There are easier ways to accomplish your goals if you use Windows ISA server as a local proxy.
0
Expert Comment by: ShineOn (LVL 35)
If your intranet servers aren't being recognized as being in the I.E. "Intranet Zone," they will be treated as external addresses and will hit the dummy proxy.

Make sure they are added to your Intranet Zone, which can be done via GPO as well, IIRC.
0
Author Comment by: wfssupport
lrmoore, they are internal addresses only.  

ShineOn, I am not seeing anywhere in GP that I can set the servers to be in the Intranet Zone other than: User Configuration>Windows Settings>Internet Explorer Maintenance>Security>Security Zones and Content Ratings

And in here when I try to add an internal address to one of the servers it just says that it's already in another Zone which it is not, as far as I can see.
0
Expert Comment by: ShineOn (LVL 35)
Yes, User Configuration>Windows Settings>Internet Explorer Maintenance>Security>Security Zones and Content Ratings.

Select the radio button for Security Zones and Privacy to Import the current security zones.  Click Modify Settings.  Select "Local Intranet" and click Sites.

Leave all the checkboxes checked, and click "Advanced."  

Add whatever URLs you use for your intranet sites...  Include both http and https, short name and fqdn, ip addresses, anything you can think of that the user might try for accessing the intranet sites.

In fact, what you can do first is to set up your own PC to use the proxy and then add the intranet sites to your own IE setup until you're satisfied it's all covered, and then when you make the selection to import the current zones, it will take what you already have configured - you won't have to add anything else.

0
Expert Comment by: ShineOn (LVL 35)
Note that if you already have a server set up in your own setup in "trusted sites" then you should move it to "local intranet."  The proxy bypass doesn't look at what's in trusted, just what's in the Local Intranet zone.

That may be why you're getting told that it's already in another zone.  Check the trusted zone sites and if any of the intranet sites are there, remove them so they can be added to the intranet zone.  
0
Author Comment by: wfssupport
I do not have any sites in any Zones.  So I do not know why I'm being told "The site you specified exists in another zone."  Now I'm confused.  I've checked any policies that I think would be interfering and still get it.  
0
Author Comment by: wfssupport
At this point I think I'm going to deactivate the server room's Halon system and start the servers on fire.
0
Expert Comment by: ShineOn (LVL 35)
Have you tried setting those servers in the intranet zone on your PC's IE profile, before running the GP editor?
0
Author Comment by: wfssupport
Yes.  It does nothing different when I add them to my local PC first and then go into edit the GPO.
0
Expert Comment by: ShineOn (LVL 35)
Odd.  I don't have that problem.

Does it let you add any servers, or do they all come up as "... exists in another zone?"

Are you using the group policy management control panel, gpmc.msc, and not gpedit.msc?  Are you logged in as a domain admin?
0
Author Comment by: wfssupport
I can add anything I want now, but it makes no difference.

I am logged in as a Domain Admin, using Group Policy Management.

The main Intranet page comes up fine, but nothing else when I log in as a user on our internet restriction policy.

I cannot believe that there is no clear-cut way of doing this!

I am at wit's end on this.  Someone please help. Thank you.
0
Expert Comment by: ShineOn (LVL 35)
Actually, there is a clear-cut way to do it, but not with GPOs.  You use an Internet proxy that uses user-based ACLs.

There are many that do, and many of those will use Active Directory group membership or LDAP lookups for the user-based ACL.  You set up the proxy to pass internal (intranet) requests directly (route instead of proxy) so it doesn't matter whether the browser is set to bypass the proxy for local (intranet) addresses.  

You could do some of this with WPAD and a wpad.dat file, too.  The wpad.dat file has to be served by a web server on your network that is pointed to by DNS and/or DHCP.  It's a JavaScript file that can be configured to check for specific criteria in the URL - for example, *.mydomain.local, and pass it to "DIRECT"; otherwise pass it to the proxy address as named in the wpad.dat file.

Then, you simply configure your browsers to autodetect proxy.
0
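The wpad.dat approach ShineOn sketches above, written out as an added example (this is not code from the thread or from any of its participants). It combines ShineOn's rule (intranet names go DIRECT, everything else goes to the proxy named in the file) with the asker's original trick of naming a dead proxy at 127.0.0.1:80 so that non-allowed requests simply fail. The domain mydomain.local, the allowed site fedex.com and the 127.0.0.1:80 address come from the thread; the 192.168.1.0/24 subnet and the Citrix hostname citrix.example.com are constructed placeholders. Because a browser, not Node.js, normally supplies the PAC helper functions (isPlainHostName, dnsDomainIs, shExpMatch, isInNet), small stand-ins are included so the policy can be exercised offline:

```javascript
// Added example: a wpad.dat (PAC) policy for the "Internet Restriction" group.
// Values from the thread: mydomain.local, fedex.com, the 127.0.0.1:80 sinkhole.
// Constructed placeholders: the LAN subnet and the Citrix hostname.
const INTERNAL_DOMAIN = "mydomain.local";
const INTERNAL_NET = { net: "192.168.1.0", mask: "255.255.255.0" };      // placeholder LAN
const ALLOWED_EXTERNAL = ["fedex.com", "*.fedex.com", "citrix.example.com"]; // citrix host is a placeholder
const SINKHOLE = "PROXY 127.0.0.1:80"; // nothing listens here, so anything sent to it fails

// ---- Stand-ins for the PAC helpers a browser provides (needed only under Node) ----
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // True when host ends with domain. Pass a leading dot so that only real
  // subdomains match: "evilmydomain.local" must not satisfy ".mydomain.local".
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function shExpMatch(str, shexp) {
  // Shell-style glob: "*" matches any run of characters, "?" matches one.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}
function isInNet(ip, net, mask) {
  // Dotted quad -> unsigned 32-bit integer, then compare the masked prefixes.
  const toInt = (s) =>
    s.split(".").reduce((acc, o) => ((acc << 8) | parseInt(o, 10)) >>> 0, 0);
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// ---- The policy itself: this is what a browser calls for every request ----
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Intranet: unqualified names, anything under the AD domain, or an IP
  //    literal on the LAN go DIRECT. isInNet is only called on literal IPs so
  //    the policy never triggers a DNS lookup of its own.
  if (isPlainHostName(host) || host === INTERNAL_DOMAIN ||
      dnsDomainIs(host, "." + INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      isInNet(host, INTERNAL_NET.net, INTERNAL_NET.mask)) {
    return "DIRECT";
  }

  // 2. The short allow list of external sites the restricted group needs.
  for (const pattern of ALLOWED_EXTERNAL) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }

  // 3. Everything else goes to the dead proxy and fails.
  return SINKHOLE;
}

// Stand-alone demo: print the decision for a few constructed hosts.
for (const h of ["intranet", "hr.mydomain.local", "192.168.1.10",
                 "www.fedex.com", "www.facebook.com", "evilmydomain.local"]) {
  console.log(h.padEnd(20), "->", FindProxyForURL("http://" + h + "/", h));
}
```

Two practical notes. First, a PAC file is one JavaScript function: a single syntax error disables all of it, and browsers then generally fall back to DIRECT, so a typo fails open rather than closed; load the file under `node` (or any JavaScript engine) before publishing it, which is the same class of problem as the one bad exception entry that broke the asker's whole ProxyOverride list. Second, this is a browser-side control only; a user who edits connection settings or uses another client is not restricted, so the ASA (or a real proxy with user-based ACLs, as ShineOn says) must still enforce the policy, and the wpad name in your DNS must resolve only to a server you control.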
Author Comment by: wfssupport
I figured it out and as I suspected, it was something simple.

I originally set it up so that Restricted PCs were sent to a fake proxy server at 127.0.0.1 and then put in exceptions to a few sites and intranet pages that they need.  All through GPO.  What I did now is delete all exceptions and entered them all back in manually.  Seems as though one of them may have been re-entered wrong in the last month or two.  When that happens, it doesn't let any of them work.  Which is dumb.  Either way, now that they are all entered in correctly it works fine.  Thank you so much for your advice.  
0
Accepted Solution by: Computer101 (LVL 1), earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin
0