Proxy setting for citrix users

I have a main site with group policy that has proxy setting enabled, and there is a remote site with no proxy setting, the citrix server in the main site, sometimes users from the remote site travel and use citrix, but they are unable to use the internet because no proxy setting is configured in their group policy, is there a way that I can enable proxy setting for them only when they connect through citrix?

We have windows 2003 domain environment.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Carl WebsterCitrix Technology Professional - FellowCommented:
Create a gpo that has just the proxy setting, attach it to the citrix server ou, remove authenticated users and the group the proxy users are in.
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
proxy? i was setting citrix Access Essential so its can be used through web browser without needing proxy , just set altaddr command
altaddr /set xx.yy.zz.ww
(the static IP ) , and on router set port forwarding to these ports :

i don't know if its same idea or not
its settings issue
Shando1971Author Commented:

can you please explain;
1- "attach it to the citrix server ou" you mean the OU that the citrix server computer account is under?
how do i attach it?

2- "remove authenticated users and the group the proxy users are in" for the main site?
and remove it from where?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Assuming you have your Citrix servers in an isolated OU:

He does mean the OU that the Citrix servers are in.
If you are using the Group Policy Management Console, Select the GPO and under Security Filtering, the default is Authenticated Users.  That is the part you can modify.

But, if you want all of the users on the Citrix servers to use the proxy settings, you can configure the policy for the proxy settings to Use Machine Settings Only  [Machine\Administrative Templates\Windows Components\Internet Explorer\Make Proxy Settings per-Machine (rather than Per-User)]

The other consideration is if you are using Loopback Mode and if so, in what mode? (replace or merge).  

Also, if you strip out the Authenticated Users, you will want to add the Domain Computers group also to make sure it applies (if doing the machine portion).


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Shando1971Author Commented:
I want all the users that login to the particular citrix server to use proxy, so I guess your per machine idea will be better to use.
the proxy setting policy we have is for the whole main site's users, so I don't want to disable it, can you please give me steps on how to keep it for the site and just do that one citrix server exception?

the intended citrix server is under an OU that includes other member servers and PCs, should I move it to an isolated OU, there is no GP applied to its OU.

Loop-back mode is disabled.

You have a couple of options then, since you only want it to affect the 1 server.

1. Use Loopback processing - either merge or replace.  I use replace generally, since that guarantees *exactly* what the user gets affected by.  If you use Merge, then you have a combo of the machine policies, the user's native policies, and the user policies from the machine OU.  (The Machine OU overrides the native user policies in the event of a conflict).  To do this, you want it in an isolated OU (generally with inheritance blocked).

2. Set up a second policy for just that one server.  Change the security filter from "authenticated users" to that particular server only.  Set the GPO to set the proxy settings at the machine level, and then configure the proxy as an admin, or in the gpo itself.  That will prevent it from affecting the other servers.

 Security Filtering for the GPO in the GPMC
Shando1971Author Commented:
If I want to do option 2, I still have create a separate OU for the server, and apply the new gpo to it, correct?
Shando1971Author Commented:
Please scratch my previous question, I see that you already put " That will prevent it from affecting the other servers ".

I'll apply the policy and let you know..thank you..
Shando1971Author Commented:
It didn't work, here is what I did :
1- I added the proxy setting to the server using the domain admin account.
2- Created the new GPO to the OU that contains the citrix server.
3- Configured the new policy by going to [Machine\Administrative Templates\Windows Components\Internet Explorer\Make Proxy Settings per-Machine (rather than Per-User)] and enabled it.
4- Went to the property of the new policy, security tab, and removed authenticated users, and added the server (I noticed that it added $ to the end of server name), I also noticed that special permission is unchecked unlike the authenticated users before I remove it.

Looks like you got the order reversed :-)  When you configure the policy *after* the browser, it is not going to pick up the settings.  In theory, all you need to do is change the settings and then change them back.  But, I haven't tried this method directly.

The settings need to be stored in HKLM for it to affect everyone, so the correct location is:  
hklm\software\microsoft\windows\currentversion\internet settings\proxy server

Open in new window

That should do the trick :-)

Shando1971Author Commented:
I was unable to find the proxy server part in the registry!

also would this do the proxy for any browser?
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
what citrix you use? is it xenapp?
Shando1971Author Commented:
metaframe presentation server 3.
Shando1971Author Commented:
I didn't need this article or changing the registry key.
I found the group policy working today, I guess it just needed some time to push the policy to the other domain controller.
Shando1971Author Commented:
Thank you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.