Proxy settings not applying

I have created a new GPO called "Internet Explorer" (default permissions on the policy).
The GPO is applied at the root of the domain, so it covers all OUs within the domain.
All users are located in a "Users" OU and all workstations in a "Computers" OU.
Both OUs do NOT have inheritance blocked.

I've checked the "proxy server" settings under the "Connections" tab in "Internet Options".
They have not been applied.

I've run RSOP.MSC and rsop confirms the settings as being applied.
I've checked to see if the settings are being applied on XP and Windows 7 machines.
I've also tried with different user accounts (1 being a domain admin and another being a standard user).

I'm out of ideas, this is fairly urgent as currently my users have full access to the internet.

Regards
cbsbutler (Asker)
 
pwindell Commented:
Nothing at my fingertips,...but it is all over the Internet.  All you have to do is Google "WPAD".
But I do have a couple things to say about it.
1. Always use both methods at the same time (DNS and DHCP).
     A. They complement each other and work together.
     B. Not all Proxy clients will use each equally. Some do better with one, some do better with the other,...cover your bases,...use both.
2. Start with DNS and create a CNAME (not an "A" Record) that points to the "A" Records of the actual proxy that should already exist in the DNS Zone.
Zone:  Mydomain.org
"A" Record,   myproxy  = <LAN IP of the proxy>
CNAME,   "wpad" = myproxy
3. When doing the DHCP side of it then use the CNAME in the URL and not the actual name of the proxy (http://wpad.mydomain.org).  This way if the proxy is ever replaced all you do is change the "A" Record that the CNAME points to and everything falls into place and nothing needs touched.
4. Lastly you must check the documentation of your proxy to see what has to be configured on it to "publish" the autodetection information.  The DNS and DHCP settings only tell the Client where to look for the information,...it is the properly configured proxy that has to actually give the client the information it needs.  The proxy information should be published by the proxy via a URL,...so when it works you can test it by opening the URL with a browser,...which should give you the Open/Save prompt.  You tell it to Open and you should see all the proxy information being presented by the proxy.
0
 
mrdodger Commented:
Try resolving proxy host in IE
0
 
cbsbutler (Author) Commented:
Manually setting it? What will this achieve?
0
 
Rich Rumble (Security Samurai) Commented:
Run proxycfg from the command line in XP... try proxycfg.exe -u
Make sure you can resolve the proxy's IP, try manually setting to make sure it's working as intended. Chrome and Safari will look to your IE settings for proxy configs, Firefox will not. We use a proxy.pac file pushed to the GPOs of our users so we can make allowances and changes and not have to change the GPO itself or send any updates via AD.
-rich
0
 
cbsbutler (Author) Commented:
Manually setting proxy works fine.
All users use IE.

Where can I find this "proxycfg" command line utility?
0
 
cbsbutler (Author) Commented:
On Windows 7 I ran the replaced proxycfg tool "netsh"
"NetSH WinHTTP import Proxy ie" replaces "proxycfg -u"
The settings displayed reads "Direct access (no proxy server)"
0
 
pwindell Commented:
Forget GPO.  That is a bad way to do proxy settings anyway.
Use WPAD over DNS & DHCP.  It's the way it was meant to be.
0
 
cbsbutler (Author) Commented:
Yeah I'm beginning to realise that. Terribly unreliable to be accurately applying settings! It's a good job I always check settings apply. If I fully trusted GPO it could have been months before it got picked up!

Anyways, I don't suppose you have any information for me to pursue the WPAD method? I'm not too familiar with it.
0
 
pwindell Commented:
This works great with traveling Laptops because it is "intelligent" enough to know that the proxy is not available (like when in a hotel room or something) and the laptop drops using the proxy and operates direct.  So the user does not have to reconfigure anything when they move in and out of your facility.
0
 
Rich Rumble (Security Samurai) Commented:
The WPAD points to the proxy.pac file, which is basically JavaScript that helps the browser make decisions on when to use and when not to use the proxy. Below is an example of a PAC file we use:
Ours is very complex and has a lot of exceptions because some services don't play nice with our proxies, so users go direct. There are also some Java workarounds for when Java applets don't detect the proxy settings no matter how they are set in the OS.
-rich
//************ Enter list entries here **************/
//Version 1.0 2/3/2010 8:00PM

// Define domains to be bypassed
var bypass_domains = new Array(
    "example.com",    // Citrix ICA (Siemens Help Desk) won't work
    ".localdomain",   // Localdomain
    ".company.com"    // internal websites
);
// Define URLs to be bypassed
var bypass_urls = new Array(
    "ftp://*",                 // Don't proxy FTP
    "http://localhost*",       // Localhost
    "https://localhost*"       // Localhost
);
// Define IPs to be bypassed
var bypass_ips = new Array(
    "64.68.96.0/255.255.224.0",        // Webex
    "66.114.160.0/255.255.240.0",      // Webex
    "66.163.32.0/255.255.240.0",       // Webex
    "209.197.192.0/255.255.224.0",     // Webex
    "127.0.0.1/255.255.255.255",       // Dest IP = Localhost
    "10.0.0.0/255.0.0.0",              // Dest IP = Internal Host
    "172.16.0.0/255.240.0.0",          // Private IP space
    "192.168.0.0/255.255.0.0"          // Private IP space
);
// Enter VPN users to go direct
var vpn_users = new Array(
    "10.2.20.0/255.255.248.0",       // Frankfort VPN
    "10.53.24.0/255.255.254.0",      // London VPN
    "10.63.20.0/255.255.252.0",      // Queens VPN
    "10.63.24.0/255.255.252.0"       // Springfield VPN
);
// Corporate, and any offices that get internet via NY (Frame/MPLS)
var ny_corp = new Array(
    "10.0.17.0/255.255.255.0",       // NY Clients - OPS
    "10.0.18.0/255.255.255.0",       // NY Clients - DEV Static IP
    "10.1.0.0/255.255.224.0",        // NJ NEW Clients
    "10.1.22.0/255.255.254.0",       // AZ NEW WIFI
    "10.1.1.0/255.255.255.0",        // CA
    "10.6.1.0/255.255.255.0",        // Denver, CO
    "10.9.6.0/255.255.255.0",        // Washington, DC
    "10.7.1.0/255.255.255.0",        // Raleigh, NC
    "10.5.1.0/255.255.255.0",        // Dallas, TX
    "10.0.28.0/255.255.254.0",       // NY WIFI
    "10.13.23.0/255.255.255.0",      // Springfield
    "10.23.13.0/255.255.254.0"       // Springfield WIFI
);

// ---- Second listing in the same post: the complete file. ----
// ---- Its var declarations replace the partial lists above. ----

//************ Enter list entries here **************/
//Version 1.0 2/3/2010 8:00PM
//Last edited by Scott Lazzari
// Define domains to be bypassed
var bypass_domains = new Array(
    "e-web.it-solutions.usa.siemens.com",    // Citrix ICA (Siemens Help Desk) won't work
    "remotecitrix.company.com",              // Citrix ICA (Internal for testing) won't work
    "*pacserver.company.com*",
    ".localdomain"                           // Localdomain
);

// Define URLs to be bypassed
var bypass_urls = new Array(
    "ftp://*",                 // Don't proxy FTP
    "http://localhost*",       // Localhost
    "https://localhost*"       // Localhost
);

// Define IPs to be bypassed
var bypass_ips = new Array(
    "64.68.96.0/255.255.224.0",        // Webex - Doesn't play nice with the proxy
    "66.114.160.0/255.255.240.0",      // Webex
    "66.163.32.0/255.255.240.0",       // Webex
    "209.197.192.0/255.255.224.0",     // Webex
    "127.0.0.1/255.255.255.255",       // Dest IP = Localhost
    "10.0.0.0/255.0.0.0",              // Dest IP = Internal Host
    "172.16.0.0/255.240.0.0",          // Private IP space
    "192.168.0.0/255.255.0.0"          // Private IP space
);

// Enter VPN users to go direct
// (no trailing comma after the last entry: older PAC/JScript engines reject it)
var vpn_users = new Array(
    "10.0.22.0/255.255.248.0",       // NY VPN
    "10.0.22.0/255.255.254.0",       // NJ VPN
    "10.60.22.0/255.255.252.0"       // London VPN
);

// NY Corporate, and any offices that get internet via NY (Frame/MPLS)
var ny_corp = new Array(
    "10.0.17.0/255.255.255.0",        // NY Clients - OPS
    "10.0.18.0/255.255.255.0",        // NY Clients - DEV Static IP
    "10.1.0.0/255.255.224.0",         // NY NEW Clients
    "10.1.252.0/255.255.254.0",       // NY NEW WIFI
    "10.1.1.0/255.255.255.0",         // LA, CA
    "10.6.1.0/255.255.255.0",         // Denver, CO
    "10.9.6.0/255.255.255.0",         // Washington, DC
    "10.7.10.0/255.255.255.0",        // Raleigh, NC
    "10.5.17.0/255.255.255.0"         // Dallas, TX
);

// NY2, and all offices that get access via NY2   (Frame/MPLS)
var ny2_corp = new Array(
    "10.8.4.0/255.255.255.0",        // Florida TEMP
    "10.6.3.0/255.255.254.0",        // Florida training
    "10.8.0.0/255.255.240.0"         // Florida TEMP
);

// Define proxy variables
var proxy1 = "PROXY proxy1.company.com:8080; ";
var proxy2 = "PROXY proxy2.company.com:8080; ";
var proxy3 = "PROXY proxy3.company.com:8080; ";
var proxy4 = "PROXY nyproxy4.company.com:8080; ";
var proxy5 = "PROXY nyproxy5.company.com:8080; ";
var proxy6 = "PROXY nyproxy6.company.com:8080; ";
var proxy7 = "PROXY temproxy7.company.com:8080; ";
var proxy8 = "PROXY proxy8.company.com:8080; ";
var proxy9 = "PROXY proxy9.company.com:8080; ";
var direct = "DIRECT";

//***************** No need to edit below here *****************/

// Get end-point IP address
var myIP = myIpAddress();

// Replacement function for isInNet, as workaround for Java issue http://bugs.sun.com/view_bug.do?bug_id=6880340
// Note: the network octets are compared exactly as written, so every list
// entry's network address must already be aligned to its mask.
function myisInNet(ip, net, mask)
{
    var ipa = ip.split('.');
    var neta = net.split('.');
    var maska = mask.split('.');

    // Radix 10 keeps octets with leading zeros from being parsed as octal
    if (
        (parseInt(ipa[0], 10) & parseInt(maska[0], 10)) == parseInt(neta[0], 10) &&
        (parseInt(ipa[1], 10) & parseInt(maska[1], 10)) == parseInt(neta[1], 10) &&
        (parseInt(ipa[2], 10) & parseInt(maska[2], 10)) == parseInt(neta[2], 10) &&
        (parseInt(ipa[3], 10) & parseInt(maska[3], 10)) == parseInt(neta[3], 10) )
    {
        return true;
    } else {
        return false;
    }
}

// Function checks an IP address against list of addresses
function isInNetCheck( ipAddress, networkAddresses)
{
    for (var i = 0; i < networkAddresses.length; i++)
    {
        var address = networkAddresses[ i];
        var network = address.split( "/");
        if (myisInNet( ipAddress, network[ 0], network[ 1]))  // use workaround function for Java
        {
            return true;
        }
    }
    return false;
}

// Function checks the host against list of URLs
function hostNameCheck( host, urls)
{
    for (var i = 0; i < urls.length; i++)
    {
        if (shExpMatch(host, urls[ i]))
        {
            return true;
        }
    }
    return false;
}

// Function checks the domain against list of domains
function domainCheck( host, domains)
{
    for (var i = 0; i < domains.length; i++)
    {
        if (dnsDomainIs(host, domains[ i]))
        {
            return true;
        }
    }
    return false;
}

// Main proxy function
function FindProxyForURL (url, destHost)
{
    // Get the IP address of the destination ONCE reducing total number of requests
    // (dnsResolve returns null when the name does not resolve)
    var destIP = dnsResolve(destHost);

    // For direct access to proxy boxes
    // DO NOT REMOVE will break WARN action, and not display images properly!
    // The returns use the proxy1..proxy9 variables defined above; the names posted
    // here originally (proxy1101, temproxy, ...) are not defined anywhere in this file.
    if (shExpMatch(url, "*proxy1.company.com*")) {return proxy1; }
    if (shExpMatch(url, "*proxy2.company.com*")) {return proxy2; }
    if (shExpMatch(url, "*proxy3.company.com*")) {return proxy3; }
    if (shExpMatch(url, "*proxy4.company.com*")) {return proxy4; }
    if (shExpMatch(url, "*proxy5.company.com*")) {return proxy5; }
    if (shExpMatch(url, "*proxy6.company.com*")) {return proxy6; }
    if (shExpMatch(url, "*proxy7.company.com*")) {return proxy7; }
    if (shExpMatch(url, "*proxy8.company.com*")) {return proxy8; }
    if (shExpMatch(url, "*proxy9.company.com*")) {return proxy9; }

    // VPN users should go direct
    if (isInNetCheck(myIP, vpn_users)) { return direct; }

    // Return direct for bypassed domains
    if (domainCheck(destHost, bypass_domains)) { return direct; }

    // Return direct for bypassed URLs
    if (hostNameCheck(url, bypass_urls)) { return direct; }

    // Return direct for bypassed IPs (skipped when the destination did not resolve)
    if (destIP && isInNetCheck(destIP, bypass_ips)) { return direct; }

    // NY corporate goes through NY proxy, failover to NY2 then direct
    if (isInNetCheck(myIP, ny_corp)) { return proxy1 + proxy2 + direct; }

    // NY2 corporate goes through NY2 proxy, failover to NY then direct
    if (isInNetCheck(myIP, ny2_corp)) { return proxy1 + proxy2 + direct; }

    // Remote offices with local internet circuits (we should REALLY consolidate these)
    if (myisInNet(myIP, "10.4.34.0", "255.255.254.0"  )) {return proxy5 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.3.0.0", "255.255.254.0"   )) {return proxy3 + proxy1 + proxy2 + direct;}
    if (myisInNet(myIP, "10.3.6.0", "255.255.254.0"    )) {return proxy4 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.7.8.0", "255.255.254.0"   )) {return proxy5 + proxy2 + proxy1 + direct;} // New York
    if (myisInNet(myIP, "10.7.16.0", "255.255.254.0"  )) {return proxy5 + proxy2 + proxy1 + direct;} // New York WIFI
    if (myisInNet(myIP, "10.5.24.0", "255.255.255.0" )) {return proxy6 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.1.80.0", "255.255.248.0"   )) {return proxy7 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.10.22.0", "255.255.255.0")) {return proxy8 + proxy2 + proxy1 + direct;}
    if (myisInNet(myIP, "10.5.1.0", "255.255.255.0"  )) {return proxy9 + proxy2 + proxy1 + direct;}

    // Return direct by default
    return direct;
}

0
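Added example (not part of Rich Rumble's post or his PAC file): the `myisInNet` replacement above compares `ip & mask` with the network octets exactly as written, so a list entry whose network address has host bits set can never match, and a client subnet that never matches can fall through to the final `return direct`. This lint flags such entries before a PAC file is published; `toInt`, `checkEntry` and `lintList` are names invented here, and the sample list is the `vpn_users` array from the post.

```javascript
// Convert dotted-quad text to an unsigned 32-bit number, or null if invalid.
function toInt(dotted) {
  const parts = dotted.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// Classify one "network/mask" entry as used in the PAC lists.
function checkEntry(entry) {
  const fields = entry.split("/");
  if (fields.length !== 2) return "malformed";
  const net = toInt(fields[0]);
  const mask = toInt(fields[1]);
  if (net === null || mask === null) return "malformed";
  // A valid mask is 1-bits followed by 0-bits, so its inverse plus one
  // shares no bits with the inverse itself.
  const inv = ~mask >>> 0;
  if ((inv & (inv + 1)) !== 0) return "non-contiguous mask";
  // Host bits set in the network address make the entry unmatchable
  // when the comparison is (ip & mask) == net.
  if (((net & mask) >>> 0) !== net) return "network not aligned to mask";
  return "ok";
}

// Return only the problem entries of a named list.
function lintList(name, entries) {
  return entries
    .map((e) => ({ list: name, entry: e, result: checkEntry(e) }))
    .filter((r) => r.result !== "ok");
}

// Sample input: the vpn_users list as posted in the complete file.
const vpnUsers = [
  "10.0.22.0/255.255.248.0",   // NY VPN
  "10.0.22.0/255.255.254.0",   // NJ VPN
  "10.60.22.0/255.255.252.0",  // London VPN
];

for (const finding of lintList("vpn_users", vpnUsers)) {
  console.log(finding.list + ": " + finding.entry + " -> " + finding.result);
}
```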
Question has a verified solution.
