Solved

Proxy settings not applying

Posted on 2010-09-23
Last Modified: 2013-11-25
I have created a new GPO called "Internet Explorer" (default permissions on the policy)
The GPO is applied at the root of the domain, so it covers all OU's within the domain.
All users are located in a "Users" OU and all workstations in a "Computers" OU.
Both OU's do NOT have inheritance blocked.

I've checked the "proxy server" settings under the "Connections" tab in "Internet Options"
They have not been applied.

I've run RSOP.MSC and rsop confirms the settings as being applied.
I've checked to see if the settings are being applied on XP and Windows 7 machines.
I've also tried with different user accounts (1 being a domain admin and another being a standard user)

I'm out of ideas, this is fairly urgent as currently my users have full access to the internet.

Regards
0
Comment
Question by:cbsbutler
13 Comments
 
LVL 1

Expert Comment

by:mrdodger
ID: 33745701
Try resolving proxy host in IE
0
 

Author Comment

by:cbsbutler
ID: 33745791
Manually setting it? What will this achieve?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 33766443
Run proxycfg from the command line in XP. Try proxycfg.exe -u
Make sure you can resolve the proxy's IP, try manually setting to make sure it's working as intended. Chrome and Safari will look to your IE settings for proxy configs, Firefox will not. We use a proxy.pac file pushed to the GPOs of our users so we can make allowances and changes and not have to change the GPO itself or send any updates via AD.
-rich
0
 

Author Comment

by:cbsbutler
ID: 33767799
Manually setting proxy works fine.
All users use IE.

Where can I find this "proxycfg" command line utility?
0
 

Author Comment

by:cbsbutler
ID: 33767918
On Windows 7 I ran the tool that replaced proxycfg, "netsh"
"NetSH WinHTTP import Proxy ie" replaces "proxycfg -u"
The settings displayed reads "Direct access (no proxy server)"
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33769539
Forget GPO.  That is a bad way to do proxy settings anyway.
Use WPAD over DNS & DHCP.  It's the way it was meant to be
0
 

Author Comment

by:cbsbutler
ID: 33769576
Yeah I'm beginning to realise that. Terribly unreliable to be accurately applying settings! It's a good job I always check settings apply. If I fully trusted GPO it could have been months before it got picked up!

Anyways, I don't suppose you have any information for me to pursue the WPAD method? I'm not too familiar with it.
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 33769903
Nothing at my fingertips,...but it is all over the Internet.  All you have to do is Google "WPAD".
But I do have a couple things to say about it.
1. Always use both methods at the same time (DNS and DHCP).
     A. They complement each other and work together
     B. Not all Proxy clients will use each equally. Some do better with one, some do better
          with the other,...cover your bases,...use both
2. Start with DNS and create a CNAME (not an "A" Record) that points to the "A" Record of the actual proxy that should already exist in the DNS Zone
Zone:  Mydomain.org
"A" Record,   myproxy  = <LAN IP of the proxy>
CNAME,   "wpad" = myproxy
3. When doing the DHCP side of it then use the CNAME in the URL and not the actual name of the proxy.  (http://wpad.mydomain.org).  This way if the proxy is ever replaced all you do is change the "A" Record that the CNAME points to and everything falls into place and nothing needs touched
4. Lastly you must check the documentation of your proxy to see what has to be configured on it to "publish" the autodetection information.  The DNS and DHCP settings only tell the Client where to look for the information,...it is the properly configured proxy that has to actually give the client the information it needs.  The proxy information should be published by the proxy via a URL,...so when it works you can test it by opening the URL with a browser,...which should give you the Open/Save prompt.  You tell it to Open and you should see all the proxy information being presented by the proxy.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33769919
This works great with traveling Laptops because it is "intelligent" enough to know that the proxy is not available (like when in a hotel room or something) and the laptop drops using the proxy and operates direct.  So the user does not have to reconfigure anything when they move in and out of your facility.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 33770280
The wpad points to the proxy.pac file, which is basically JavaScript that helps the browser make decisions on when to use and when not to use the proxy. Below is an example of a pac file we use:
Ours is very complex and has a lot of exceptions because some services don't play nice with our proxies, so users go direct. There are also some Java workarounds when Java applets don't detect the proxy settings no matter how they are set in the OS.
-rich
//************ Enter list entries here **************/
//Version 1.0 2/3/2010 8:00PM

// Define domains to be bypassed
var bypass_domains = new Array(
    "example.com",    // Citrix ICA (Siemens Help Desk) won't work
    ".localdomain",   // Localdomain
    ".company.com"    // internal websites
);

// Define URLs to be bypassed
var bypass_urls = new Array(
    "ftp://*",                 // Don't proxy FTP
    "http://localhost*",       // Localhost
    "https://localhost*"       // Localhost
);

// Define IPs to be bypassed
var bypass_ips = new Array(
    "64.68.96.0/255.255.224.0",        // Webex
    "66.114.160.0/255.255.240.0",      // Webex
    "66.163.32.0/255.255.240.0",       // Webex
    "209.197.192.0/255.255.224.0",     // Webex
    "127.0.0.1/255.255.255.255",       // Dest IP = Localhost
    "10.0.0.0/255.0.0.0",              // Dest IP = Internal Host
    "172.16.0.0/255.240.0.0",          // Private IP space
    "192.168.0.0/255.255.0.0"          // Private IP space
);

// Enter VPN users to go direct
var vpn_users = new Array(
    "10.2.20.0/255.255.248.0",       // Frankfort VPN
    "10.53.24.0/255.255.254.0",      // London VPN
    "10.63.20.0/255.255.252.0",      // Queens VPN
    "10.63.24.0/255.255.252.0"       // Springfield VPN
);

// Corporate, and any offices that get internet via NY (Frame/MPLS)
var ny_corp = new Array(
    "10.0.17.0/255.255.255.0",       // NY Clients - OPS
    "10.0.18.0/255.255.255.0",       // NY Clients - DEV Static IP
    "10.1.0.0/255.255.224.0",        // NJ NEW Clients
    "10.1.22.0/255.255.254.0",       // AZ NEW WIFI
    "10.1.1.0/255.255.255.0",        // CA
    "10.6.1.0/255.255.255.0",        // Denver, CO
    "10.9.6.0/255.255.255.0",        // Washington, DC
    "10.7.1.0/255.255.255.0",        // Raleigh, NC
    "10.5.1.0/255.255.255.0",        // Dallas, TX
    "10.0.28.0/255.255.254.0",       // NY WIFI
    "10.13.23.0/255.255.255.0",      // Springfield
    "10.23.13.0/255.255.254.0"       // Springfield WIFI
);

//************ Enter list entries here **************/
//Version 1.0 2/3/2010 8:00PM
//Last edited by Scott Lazzari

// Define domains to be bypassed
var bypass_domains = new Array(
    "e-web.it-solutions.usa.siemens.com",    // Citrix ICA (Siemens Help Desk) won't work
    "remotecitrix.company.com",              // Citrix ICA (Internal for testing) won't work
    "*pacserver.company.com*",
    ".localdomain"                           // Localdomain
);

// Define URLs to be bypassed
var bypass_urls = new Array(
    "ftp://*",                 // Don't proxy FTP
    "http://localhost*",       // Localhost
    "https://localhost*"       // Localhost
);

// Define IPs to be bypassed
var bypass_ips = new Array(
    "64.68.96.0/255.255.224.0",        // Webex - Doesn't play nice with the proxy
    "66.114.160.0/255.255.240.0",      // Webex
    "66.163.32.0/255.255.240.0",       // Webex
    "209.197.192.0/255.255.224.0",     // Webex
    "127.0.0.1/255.255.255.255",       // Dest IP = Localhost
    "10.0.0.0/255.0.0.0",              // Dest IP = Internal Host
    "172.16.0.0/255.240.0.0",          // Private IP space
    "192.168.0.0/255.255.0.0"          // Private IP space
);

// Enter VPN users to go direct
var vpn_users = new Array(
    "10.0.22.0/255.255.248.0",       // NY VPN
    "10.0.22.0/255.255.254.0",       // NJ VPN
    "10.60.22.0/255.255.252.0"       // London VPN
);

// NY Corporate, and any offices that get internet via NY (Frame/MPLS)
var ny_corp = new Array(
    "10.0.17.0/255.255.255.0",        // NY Clients - OPS
    "10.0.18.0/255.255.255.0",        // NY Clients - DEV Static IP
    "10.1.0.0/255.255.224.0",         // NY NEW Clients
    "10.1.252.0/255.255.254.0",       // NY NEW WIFI
    "10.1.1.0/255.255.255.0",         // LA, CA
    "10.6.1.0/255.255.255.0",         // Denver, CO
    "10.9.6.0/255.255.255.0",         // Washington, DC
    "10.7.10.0/255.255.255.0",        // Raleigh, NC
    "10.5.17.0/255.255.255.0"         // Dallas, TX
);

// NY2, and all office that get access via NY2   (Frame/MPLS)
var ny2_corp = new Array(
    "10.8.4.0/255.255.255.0",        // Florida TEMP
    "10.6.3.0/255.255.254.0",        // Florida training
    "10.8.0.0/255.255.240.0"         // Florida TEMP
);

// Define proxy variables
var proxy1 = "PROXY proxy1.company.com:8080; ";
var proxy2 = "PROXY proxy2.company.com:8080; ";
var proxy3 = "PROXY proxy3.company.com:8080; ";
var proxy4 = "PROXY nyproxy4.company.com:8080; ";
var proxy5 = "PROXY nyproxy5.company.com:8080; ";
var proxy6 = "PROXY nyproxy6.company.com:8080; ";
var proxy7 = "PROXY temproxy7.company.com:8080; ";
var proxy8 = "PROXY proxy8.company.com:8080; ";
var proxy9 = "PROXY proxy9.company.com:8080; ";
var direct = "DIRECT";

//***************** No need to edit below here *****************/

// Get end-point IP address
var myIP = myIpAddress();

// replacement function for isInNet, as workaround for Java issue http://bugs.sun.com/view_bug.do?bug_id=6880340
function myisInNet(ip, net, mask)
{
    // dnsResolve() returns null when the lookup fails; treat that as "no match"
    if (!ip) { return false; }

    var ipa = ip.split('.');
    var neta = net.split('.');
    var maska = mask.split('.');

    // Radix 10 so that octets with a leading zero are not parsed as octal
    if (
        (parseInt(ipa[0], 10) & parseInt(maska[0], 10)) == parseInt(neta[0], 10) &&
        (parseInt(ipa[1], 10) & parseInt(maska[1], 10)) == parseInt(neta[1], 10) &&
        (parseInt(ipa[2], 10) & parseInt(maska[2], 10)) == parseInt(neta[2], 10) &&
        (parseInt(ipa[3], 10) & parseInt(maska[3], 10)) == parseInt(neta[3], 10) )
    {
        return true;
    } else {
        return false;
    }
}

// Function checks an IP address against list of addresses
function isInNetCheck( ipAddress, networkAddresses)
{
    for (var i = 0; i < networkAddresses.length; i++)
    {
        var address = networkAddresses[ i];
        var network = address.split( "/");
        if (myisInNet( ipAddress, network[ 0], network[ 1]))  // use workaround function for Java
        {
            return true;
        }
    }
    return false;
}

// Function checks the host against list of URLs
function hostNameCheck( host, urls)
{
    for (var i = 0; i < urls.length; i++)
    {
        if (shExpMatch(host, urls[ i]))
        {
            return true;
        }
    }
    return false;
}

// Function checks the domain against list of domains
function domainCheck( host, domains)
{
    for (var i = 0; i < domains.length; i++)
    {
        if (dnsDomainIs(host, domains[ i]))
        {
            return true;
        }
    }
    return false;
}

// Main proxy function
function FindProxyForURL (url, destHost)
{
    // Get the IP address of the destination ONCE reducing total number of requests
    var destIP = dnsResolve(destHost);

    // For direct access to proxy boxes
    // DO NOT REMOVE will break WARN action, and not display images properly!
    // NOTE: proxy1101, proxy1102, proxy2201, proxy2202 and temproxy are not defined
    // in this listing; define them with the proxy variables above before using these rules.
    if (shExpMatch(url, "*proxy101.company.com*")) {return proxy1101; }
    if (shExpMatch(url, "*proxy2.company.com*")) {return proxy1102; }
    if (shExpMatch(url, "*proxy3.company.com*")) {return proxy2201; }
    if (shExpMatch(url, "*proxy4.company.com*")) {return proxy2202; }
    if (shExpMatch(url, "*proxy5.company.com*")) {return temproxy; }
    if (shExpMatch(url, "*proxy6.company.com*")) {return proxy3; }
    if (shExpMatch(url, "*proxy7.company.com*")) {return proxy4; }
    if (shExpMatch(url, "*proxy8.company.com*")) {return proxy5; }
    if (shExpMatch(url, "*proxy9.company.com*")) {return proxy6; }

    // VPN users should go direct
    if (isInNetCheck(myIP, vpn_users)) { return direct; }

    // Return direct for bypassed domains
    if (domainCheck(destHost, bypass_domains)) { return direct; }

    // Return direct for bypassed hosts
    if (hostNameCheck(url, bypass_urls)) { return direct; }

    // Return direct for bypassed IPs
    if (isInNetCheck(destIP, bypass_ips)) { return direct; }

    // NY corporate goes through NY proxy, failover to NY2 then direct
    if (isInNetCheck(myIP, ny_corp)) { return proxy1 + proxy2 + direct; }

    // NY2 corporate goes through NY2 proxy, failover to NY then direct
    if (isInNetCheck(myIP, ny2_corp)) { return proxy1 + proxy2 + direct; }

    // Remote offices with local internet circuits (we should REALLY consolidate these)
    if (myisInNet(myIP, "10.4.34.0", "255.255.254.0")) {return proxy5 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.3.0.0", "255.255.254.0")) {return proxy3 + proxy1 + proxy2 + direct;}
    if (myisInNet(myIP, "10.3.6.0", "255.255.254.0")) {return proxy4 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.7.8.0", "255.255.254.0")) {return proxy5 + proxy2 + proxy1 + direct;} // New York
    if (myisInNet(myIP, "10.7.16.0", "255.255.254.0")) {return proxy5 + proxy2 + proxy1 + direct;} // New York WIFI
    if (myisInNet(myIP, "10.5.24.0", "255.255.255.0")) {return proxy6 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.1.80.0", "255.255.248.0")) {return proxy7 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.10.22.0", "255.255.255.0")) {return proxy8 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.5.1.0", "255.255.255.0")) {return proxy9 + proxy2 + proxy1 + direct;}

    // Return direct by default
    return direct;
}


0
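Added example (not part of the post above, and not the poster's code): a Node.js lint for the "network/netmask" lists that a PAC file of this shape relies on. The listing's myisInNet compares (ip & mask) with the network address exactly as written, so an entry whose address has host bits set can never match, and clients in that range are handled by whatever rule comes later, ending at the final "return direct". The function names toInt, isContiguousMask and lintSubnets are illustrative; the sample entries are the second vpn_users list from the listing.

```javascript
// Convert dotted-quad text to an unsigned 32-bit number, or null if malformed.
function toInt(dotted) {
  const parts = String(dotted).split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// A usable netmask is a run of 1-bits followed only by 0-bits.
function isContiguousMask(mask) {
  const inverted = (~mask) >>> 0;
  return ((inverted + 1) & inverted) === 0;
}

// Return [{entry, problem}] for every list entry that needs attention.
function lintSubnets(entries) {
  const findings = [];
  for (const entry of entries) {
    const [netText, maskText] = entry.split("/");
    const net = toInt(netText);
    const mask = toInt(maskText);
    if (net === null || mask === null) {
      findings.push({ entry, problem: "malformed" });
    } else if (!isContiguousMask(mask)) {
      findings.push({ entry, problem: "non-contiguous mask" });
    } else if (((net & mask) >>> 0) !== net) {
      // Host bits are set in the network address, so (ip & mask) == net
      // is false for every client IP: the rule is dead.
      findings.push({ entry, problem: "never matches" });
    }
  }
  return findings;
}

// Sample input: the second vpn_users list from the listing above.
const VPN_USERS = [
  "10.0.22.0/255.255.248.0",   // NY VPN
  "10.0.22.0/255.255.254.0",   // NJ VPN
  "10.60.22.0/255.255.252.0",  // London VPN
];

for (const f of lintSubnets(VPN_USERS)) {
  console.log(f.entry + ": " + f.problem);
}
```

Running this over every array in the PAC file before publishing it shows which subnets are not covered by the rule written for them.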
