HBS-Mach
asked on
How to get Local traffic to bypass Proxy, so WSUS shows client IP not Webmarshal IP address
I had an issue with the WSUS clients not being able to report to the WSUS server and update themselves.
I worked out that this was an issue with the Web Marshal proxy server not passing the local requests through correctly.
See:
https://www.experts-exchange.com/questions/27791510/New-WSUS-Server-not-updating-clients.html
The solution was:
################
When I put the WSUS server in the Proxy Bypass settings in Webmarshal, both the FQDN and the NetBIOS name with the port number of WSUS (http://WSUSSERVER.xxx.LOCAL:8530/ as well as http://WSUSSERVER:8530/), most of the clients are now reporting their status.
I needed both names in the Proxy Bypass for the reporting to work, it seems.
However, the clients are reporting their status as the IP address of the WebMarshal proxy, which isn't correct, but the question as asked is solved.
My clients are reporting their status and they are updating the latest patches.
##################
This question is: how can I ensure that, to quote npsingh123, "local or at least certain local traffic to bypass Webmarshal"?
I've tried changing the WPAD file to explicitly state that the local requests should be returned directly.
wpad.txt
However that doesn't work and the WSUS console still shows the IP address of the Web Marshal proxy, not the client's IP address.
I also tried putting the server names into the local exceptions tab in Internet Explorer, but that didn't work either.
*.YYYYYYYY.com, *.xxxxxxx.local, 10.254.*.*, wsusserver, LaeWSUSServer, hv-server1, wafi-server1, gpserver, hpsim, blackberry, laeadserver, fileserver, exchange, laefileserver, laeprintserver, rdp, pos-server, server2, vcentreserver, antivirus, hagen-server1, wsusserver:8530, laewsusserver:8530, hv-server1:8530, wafi-server1:8530, hagen-server1:8530
I'm at a bit of a loss as to what steps to try next.
WSUS works OK, it just shows that it is passing all its traffic through the Web Marshal proxy server, which isn't needed for internal traffic.
And I strongly suspect that there would be other things that are "broken" or "not right" if all local traffic is passed through the proxy before being served.
I haven't specifically seen anything, but it's likely to be there somewhere :-)
I believe that will work. I was going to suggest that, but I didn't want to make my post too complex.
I have not tested that before, but if the results work how you expect, it would be great to know :)
ASKER
Hi Brendan,
At first pass, this looks like it's working now.
The clients are mostly reporting back with their IP address, rather than the WebMarshal proxy IP, when I force an update with a batch script on the clients.
wuauclt /reportnow /detectnow
gpupdate /force /target:computer
sc.exe config "bits" start= auto
sc.exe config "wuauserv" start= auto
Net Stop "wuauserv"
Net Stop "Bits"
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
Net Start "Bits"
Net Start "wuauserv"
wuauclt /detectnow
I'll wait a day, ensure that the clients report correctly, then I will change the WPAD.DAT file to remove all the Internal Server entries and leave just
if (isInNet(host, "10.254.149.0", "255.255.255.224")) return "DIRECT";
And see if that works as well.
So it may be a couple of days before I can report back with certainty that this is fixed and working.
But it's looking good so far!
That's all good, glad to set you on the right path.
and it will be a good reference for other people with similar issues, if everything goes well
look forward to hearing the outcome
ASKER
Thanks Brendan, that worked a treat.
I tried the individual server statements in the WPAD.DAT file.
if (shExpMatch(url, "http://wsusserver/*")) { return "DIRECT"; }
That worked fine.
However, it did make the WPAD file look ugly and would require me to add new lines each time I put in a new server.
So again, thanks to Brendan, I used the subnet statement to capture all IPs within my server range (10.254.xxx.1 to 30) and that also works perfectly and is much cleaner.
if (isInNet(host, "10.254.149.0", "255.255.255.224")) { return "DIRECT"; }
FYI, my WPAD.DAT file now looks like:
function FindProxyForURL(url, host)
{
    // Go direct to the mail and autodiscover hosts
    if (shExpMatch(url, "https://mail.yyyyyyyyyyy.com/*")) { return "DIRECT"; }
    if (shExpMatch(url, "http://mail.yyyyyyyyyyyyyyy.com/*")) { return "DIRECT"; }
    if (shExpMatch(url, "http://autodiscover.yyyyyyyyyy.com/*")) { return "DIRECT"; }
    if (shExpMatch(url, "https://autodiscover.yyyyyyyyyyyyyy.com/*")) { return "DIRECT"; }
    // Go direct to the server range (/27) at each site
    if (isInNet(host, "10.254.149.0", "255.255.255.224")) { return "DIRECT"; }
    if (isInNet(host, "10.254.148.0", "255.255.255.224")) { return "DIRECT"; }
    if (isInNet(host, "10.254.140.0", "255.255.255.224")) { return "DIRECT"; }
    if (isInNet(host, "10.254.130.0", "255.255.255.224")) { return "DIRECT"; }
    if (isInNet(host, "10.254.120.0", "255.255.255.224")) { return "DIRECT"; }
    // Proxy if PC is on local LAN
    if (isInNet(myIpAddress(), "10.254.149.0", "255.255.255.0"))
        return "PROXY PROXY.xxxxxxxxxx.LOCAL:3128";
    if (isInNet(myIpAddress(), "10.254.148.0", "255.255.255.0"))
        return "PROXY PROXY.xxxxxxxxxx.LOCAL:3128";
    if (isInNet(myIpAddress(), "10.254.130.0", "255.255.255.0"))
        return "PROXY WAFI-SERVER1.xxxxxxxxxx.LOCAL:3128";
    if (isInNet(myIpAddress(), "10.254.140.0", "255.255.255.0"))
        return "PROXY HV-SERVER1.xxxxxxxxx.LOCAL:3128";
    if (isInNet(myIpAddress(), "10.254.120.0", "255.255.255.0"))
        return "PROXY HAGEN-SERVER1.xxxxxxxxxx.LOCAL:3128";
    else
        return "DIRECT";
}
good to hear :)
ASKER
I'll give the /* at the end of each if statement a go and report back.
For the statement
if (isInNet(host, "<ip of server>", "255.255.255.255")) return "DIRECT";
As all my servers are in the first 30 IPs, can I use this statement to always return all traffic directly?
if (isInNet(host, "10.254.149.0", "255.255.255.224")) return "DIRECT";
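An offline harness for the PAC logic in this thread, both the final WPAD.DAT above and the /27 subnet question here, added as an example and not part of any post. A browser or WinHTTP normally supplies isInNet, shExpMatch and myIpAddress; the shims below reimplement them minimally so the decisions can be checked with Node before a WPAD.DAT is published. The DNS table, the client address and the host names are constructed for the test, not real hosts.

```javascript
// Added example, not from the thread: an offline harness for the PAC logic
// discussed above. A browser or WinHTTP normally supplies isInNet, shExpMatch
// and myIpAddress; minimal re-implementations are given here so the decisions
// can be checked with Node before a WPAD.DAT is published. The DNS table,
// client address and server names below are constructed, not real hosts.
const DNS = {
  "wsusserver": "10.254.149.5",        // constructed: inside the /27 server range
  "wsusserver.xxx.local": "10.254.149.5",
  "pc42": "10.254.149.77",             // constructed: a workstation outside it
};
let clientIp = "10.254.149.77";        // what myIpAddress() reports

function ipToInt(ip) {
  return ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
}
// isInNet resolves a hostname first (a real PAC engine does a DNS lookup here,
// which can be slow); a name that does not resolve never matches.
// A /27 mask (255.255.255.224) on 10.254.149.0 covers .0 through .31.
function isInNet(hostOrIp, net, mask) {
  const ip = /^\d+(\.\d+){3}$/.test(hostOrIp) ? hostOrIp : DNS[hostOrIp.toLowerCase()];
  if (!ip) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
// shExpMatch: shell-style glob on the whole string, * = any run, ? = one char.
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|\[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function myIpAddress() { return clientIp; }

// Same shape as the thread's final WPAD.DAT (placeholder names as posted there).
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "http://wsusserver/*")) return "DIRECT";           // per-server line
  if (isInNet(host, "10.254.149.0", "255.255.255.224")) return "DIRECT"; // server subnet
  if (isInNet(myIpAddress(), "10.254.149.0", "255.255.255.0"))
    return "PROXY PROXY.xxxxxxxxxx.LOCAL:3128";
  return "DIRECT";
}

// Evaluate one request as a client at fromIp would; PAC receives the host
// without its port, so the WSUS :8530 URL still matches the subnet rule.
function decide(url, fromIp) {
  clientIp = fromIp;
  return FindProxyForURL(url, new URL(url).hostname);
}
```

Note that the URL glob "http://wsusserver/*" does not match "http://wsusserver:8530/..." because the port sits where the glob expects "/", whereas the isInNet(host, ...) subnet rule is port-independent, which is one more reason it is the cleaner form.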