How to get Local traffic to bypass Proxy, so WSUS shows client IP not Webmarshal IP address

I had an issue with the WSUS clients not being able to report to the WSUS server and update themselves.
I worked out that this was an issue with the Web Marshal proxy server not passing the local requests through correctly.

See:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27791510.html 

The solution was:

################
When I put the WSUS server in the Proxy Bypass settings in Webmarshal, both the FQDN and the NetBIOS name with the port number of WSUS (http://WSUSSERVER.xxx.LOCAL:8530/ as well as http://WSUSSERVER:8530/), most of the clients are now reporting their status.
I needed both names in the Proxy Bypass for the reporting to work, it seems.

However, the clients are reporting their status as the IP address of the WebMarshal proxy, which isn't correct, but the question as asked is solved.
My clients are reporting their status and they are updating the latest patches.
##################


This question is: how can I get, to quote npsingh123, "local or at least certain local traffic to bypass Webmarshal"?

I've tried changing the WPAD file to explicitly state that the local requests should be returned directly.
wpad.txt

However, that doesn't work and the WSUS console still shows the IP address of the Web Marshal proxy, not the client's IP address.

I also tried putting the server names into the local exceptions tab in Internet Explorer, but that didn't work either.

*.YYYYYYYY.com, *.xxxxxxx.local, 10.254.*.*, wsusserver, LaeWSUSServer, hv-server1, wafi-server1, gpserver, hpsim, blackberry, laeadserver, fileserver, exchange, laefileserver, laeprintserver, rdp, pos-server, server2, vcentreserver, antivirus, hagen-server1, wsusserver:8530, laewsusserver:8530, hv-server1:8530, wafi-server1:8530, hagen-server1:8530

I'm at a bit of a loss as to what steps to try next.

WSUS works OK; it just shows that it is passing all its traffic through the Web Marshal proxy server, which isn't needed for internal traffic.

And I strongly suspect that there would be other things that are "broken" or "not right" if all local traffic is passed through the proxy before being served.
I haven't specifically seen anything, but it's likely to be there somewhere :-)
HBS-Mach Asked:
brendanmeyer Commented:
If the WSUS is the only service on the server, or you want all traffic going to it bypassing the proxy anyway,

you can use
if (isInNet(host, "<ip of server>", "255.255.255.255")) return "DIRECT";



or you need to put a "*" on all the lines in the if statements,

eg:
if (shExpMatch(url, "http://wsusserver/*")) { return "DIRECT"; }
if (shExpMatch(url, "http://wsusserver:8530/*")) { return "DIRECT"; }
if (shExpMatch(url, "http://wsusserver.hbs.local:8530/*")) { return "DIRECT"; }

HBS-Mach Author Commented:
Thanks Brendan

I'll give the /* at the end of each if statement a go and report back.

For the statement

if (isInNet(host, "<ip of server>", "255.255.255.255")) return "DIRECT";

As all my servers are in the first 30 IPs, can I use this statement to always return all traffic directly?

if (isInNet(host, "10.254.149.0", "255.255.255.224")) return "DIRECT";
brendanmeyer Commented:
I believe that will work. I was going to suggest that, but I didn't want to make my post too complex.

I have not tested that before, but if the results work how you expect, it would be great to know :)
HBS-Mach Author Commented:
Hi Brendan,

At first pass, this looks like it's working now.

The clients are mostly reporting back with their IP address, rather than the WebMarshal proxy IP, when I force an update with a batch script on the clients.

wuauclt /reportnow /detectnow
gpupdate /force /target:computer
sc.exe config "bits" start= auto
sc.exe config "wuauserv" start= auto
Net Stop "wuauserv"
Net Stop "Bits"
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
Net Start "Bits"
Net Start "wuauserv" 
wuauclt /detectnow


I'll wait a day, ensure that the clients report correctly, then I will change the WPAD.DAT file to remove all the internal server entries and leave just

 
if (isInNet(host, "10.254.149.0", "255.255.255.224")) return "DIRECT"; 


And see if that works as well.

So it may be a couple of days before I can report back with certainty that this is fixed and working.

But it's looking good so far!
brendanmeyer Commented:
That's all good, glad to set you on the right path.
And it will be a good reference for other people with similar issues, if everything goes well.

Look forward to hearing the outcome.

HBS-Mach Author Commented:
Thanks Brendan, that worked a treat.

I tried the individual server statements in the WPAD.DAT file.

if (shExpMatch(url, "http://wsusserver/*")) { return "DIRECT"; }

That worked fine.

However, it did make the WPAD file look ugly and would require me to add new lines each time I put in a new server.

So again, thanks to Brendan, I used the subnet statement to capture all IPs within my server range (10.254.xxx.1 to 30) and that also works perfectly and is much cleaner.

if (isInNet(host, "10.254.149.0", "255.255.255.224")) { return "DIRECT"; }


FYI, my WPAD.DAT file now looks like:


function FindProxyForURL(url, host)
{
if (shExpMatch(url, "https://mail.yyyyyyyyyyy.com/*")) { return "DIRECT"; }
if (shExpMatch(url, "http://mail.yyyyyyyyyyyyyyy.com/*")) { return "DIRECT"; }
if (shExpMatch(url, "http://autodiscover.yyyyyyyyyy.com/*")) { return "DIRECT"; }
if (shExpMatch(url, "https://autodiscover.yyyyyyyyyyyyyy.com/*")) { return "DIRECT"; }


if (isInNet(host, "10.254.149.0", "255.255.255.224")) { return "DIRECT"; }
if (isInNet(host, "10.254.148.0", "255.255.255.224")) { return "DIRECT"; }
if (isInNet(host, "10.254.140.0", "255.255.255.224")) { return "DIRECT"; }
if (isInNet(host, "10.254.130.0", "255.255.255.224")) { return "DIRECT"; }
if (isInNet(host, "10.254.120.0", "255.255.255.224")) { return "DIRECT"; }


// Proxy if PC is on local LAN

if (isInNet(myIpAddress(), "10.254.149.0", "255.255.255.0"))
return "PROXY PROXY.xxxxxxxxxx.LOCAL:3128";

if (isInNet(myIpAddress(), "10.254.148.0", "255.255.255.0"))
return "PROXY PROXY.xxxxxxxxxx.LOCAL:3128";

if (isInNet(myIpAddress(), "10.254.130.0", "255.255.255.0"))
return "PROXY WAFI-SERVER1.xxxxxxxxxx.LOCAL:3128";

if (isInNet(myIpAddress(), "10.254.140.0", "255.255.255.0"))
return "PROXY HV-SERVER1.xxxxxxxxx.LOCAL:3128";

if (isInNet(myIpAddress(), "10.254.120.0", "255.255.255.0"))
return "PROXY HAGEN-SERVER1.xxxxxxxxxx.LOCAL:3128";

else
return "DIRECT";
}

brendanmeyer Commented:
Good to hear :)
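Added here as an offline check of the WPAD/PAC bypass rules the thread converged on (this is not code from the thread, from WebMarshal or from WSUS): the PAC helpers isInNet, shExpMatch and myIpAddress are reimplemented in plain JavaScript over a constructed name table, so FindProxyForURL can be exercised before a new wpad.dat is published. All host names, addresses and the client IP are assumptions; it also shows the two points raised above, that a shExpMatch pattern needs the trailing "/*" and that isInNet on a host name only works when that name resolves.

```javascript
// Offline harness for the PAC rules discussed in this thread (added example).
// Host names, addresses and the client IP below are constructed assumptions.
const DNS_TABLE = {                     // constructed name -> address table
  "wsusserver": "10.254.149.5",
  "wsusserver.example.local": "10.254.149.5",
  "mail.example.com": "203.0.113.10",
  "www.example.org": "198.51.100.7",
};
const CLIENT_IP = "10.254.149.77";      // constructed workstation address

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function dnsResolve(host) { return DNS_TABLE[host] || null; }

// A browser resolves a non-literal host via DNS here; a name that does not
// resolve never matches a subnet rule and falls through to the proxy branch.
function isInNet(host, pattern, mask) {
  const ip = /^\d+(\.\d+){3}$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}
function shExpMatch(str, shexp) {       // shell-style glob: * and ? wildcards
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function myIpAddress() { return CLIENT_IP; }

// Same rule shape as the final wpad.dat in the thread, reduced to one site.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "https://mail.example.com/*")) { return "DIRECT"; }
  // Server range 10.254.149.0/27 (.0 to .31) bypasses the proxy entirely.
  if (isInNet(host, "10.254.149.0", "255.255.255.224")) { return "DIRECT"; }
  // Workstations on the /24 go through the site proxy for everything else.
  if (isInNet(myIpAddress(), "10.254.149.0", "255.255.255.0"))
    return "PROXY PROXY.example.local:3128";
  return "DIRECT";
}
```

Swap DNS_TABLE and CLIENT_IP for the real names and a client address per site to check each of the per-site proxy branches in turn.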