FriendlyIT
asked on
Proxy Override not working consistently
Hi,
I am having a problem very similar to this abandoned question:-
https://www.experts-exchange.com/questions/28472037/IE11-proxy-settings-issue.html
We have implemented a proxy server but certain local web services are going via the proxy server when they should be classed as local and not even be hitting the proxy server in the first place.
The problem is most apparent on (though not limited to) a Windows Server 2008 Terminal Server (running IE11). I also have a server 2003 server that is doing the same kind of thing. (running IE8).
DC's are Server 2012 R2
We have implemented these registry keys - but the proxyoverride doesn't seem to be working for certain sites even though they are listed in the registry key.
This registry key was rolled out using a group policy - User Configuration, Preferences, Windows Settings, Registry. I can see that the registry settings are applied:-
[HKEY_CURRENT_USER\Softwar e\Microsof t\Windows\ CurrentVer sion\Inter net Settings]
"ProxyEnable"=dword:000000 01
"ProxyServer"="sXXXXXXXXXX .domain.dm z:8080"
"ProxyOverride"="http://*.domain.local;https://*.domain.local;http://*.domain.dmz;https://*.domain.dmz;http://*.domain.public;https://*.domain.public;http://10.254.254.14;https://10.254.254.14;http://sXXXXXX6;https://sXXXXXX6;http://sXXXXXXX1;https://sXXXXXXX1;http://sXXXXXXXX2;https://sXXXXXXXX2;http://sXXXXXXXX3.domain.co.uk;https://sXXXXXXXX3.domain.co.uk;http://dXXXXXXXXX;https://dXXXXXXXXX;http://sXXXX4;https://sXXXX4;<local>;"
Yes, I keep seeing these entries in the logs:-
CONNECT Jan 13 17:03:12 [31125]: Connect (file descriptor 6): 172.16.1.18 [172.16.X.XX]
CONNECT Jan 13 17:03:12 [31125]: Request (file descriptor 6): POST http://sXXXXXXXX3.domain.co.uk:8000/publish/apps HTTP/1.1
NOTICE Jan 13 17:03:12 [31125]: Proxying refused on filtered domain "sXXXXXXXX3.domain.co.uk"
CONNECT Jan 13 17:03:12 [31120]: Connect (file descriptor 6): 172.16.1.18 [172.16.1.18]
CONNECT Jan 13 17:03:12 [31120]: Request (file descriptor 6): POST http://dXXXXXXXXX/XXXXservices/Xdataaccess.asmx HTTP/1.1
NOTICE Jan 13 17:03:12 [31120]: Proxying refused on filtered domain "dXXXXXXXXX"
CONNECT Jan 13 18:29:44 [31126]: Connect (file descriptor 6): 10.254.254.11 [10.254.254.11]
CONNECT Jan 13 18:29:44 [31126]: Request (file descriptor 6): POST http://sXXXXXXX1/XXXXXXXXXXWebService/XXXXXXXXXX.asmx HTTP/1.1
NOTICE Jan 13 18:29:44 [31126]: Proxying refused on filtered domain "sXXXXXXX1"
Any ideas why this might be? The problem *might* be limited to NTLM names and services that use non-standard ports although that might not actually be the case. Just strikes me from the above.
Jon
I am having a problem very similar to this abandoned question:-
https://www.experts-exchange.com/questions/28472037/IE11-proxy-settings-issue.html
We have implemented a proxy server but certain local web services are going via the proxy server when they should be classed as local and not even be hitting the proxy server in the first place.
The problem is most apparent on (though not limited to) a Windows Server 2008 Terminal Server (running IE11). I also have a server 2003 server that is doing the same kind of thing. (running IE8).
DC's are Server 2012 R2
We have implemented these registry keys - but the proxyoverride doesn't seem to be working for certain sites even though they are listed in the registry key.
This registry key was rolled out using a group policy - User Configuration, Preferences, Windows Settings, Registry. I can see that the registry settings are applied:-
[HKEY_CURRENT_USER\Softwar
"ProxyEnable"=dword:000000
"ProxyServer"="sXXXXXXXXXX
"ProxyOverride"="http://*.domain.local;https://*.domain.local;http://*.domain.dmz;https://*.domain.dmz;http://*.domain.public;https://*.domain.public;http://10.254.254.14;https://10.254.254.14;http://sXXXXXX6;https://sXXXXXX6;http://sXXXXXXX1;https://sXXXXXXX1;http://sXXXXXXXX2;https://sXXXXXXXX2;http://sXXXXXXXX3.domain.co.uk;https://sXXXXXXXX3.domain.co.uk;http://dXXXXXXXXX;https://dXXXXXXXXX;http://sXXXX4;https://sXXXX4;<local>;"
Yes, I keep seeing these entries in the logs:-
CONNECT Jan 13 17:03:12 [31125]: Connect (file descriptor 6): 172.16.1.18 [172.16.X.XX]
CONNECT Jan 13 17:03:12 [31125]: Request (file descriptor 6): POST http://sXXXXXXXX3.domain.co.uk:8000/publish/apps HTTP/1.1
NOTICE Jan 13 17:03:12 [31125]: Proxying refused on filtered domain "sXXXXXXXX3.domain.co.uk"
CONNECT Jan 13 17:03:12 [31120]: Connect (file descriptor 6): 172.16.1.18 [172.16.1.18]
CONNECT Jan 13 17:03:12 [31120]: Request (file descriptor 6): POST http://dXXXXXXXXX/XXXXservices/Xdataaccess.asmx HTTP/1.1
NOTICE Jan 13 17:03:12 [31120]: Proxying refused on filtered domain "dXXXXXXXXX"
CONNECT Jan 13 18:29:44 [31126]: Connect (file descriptor 6): 10.254.254.11 [10.254.254.11]
CONNECT Jan 13 18:29:44 [31126]: Request (file descriptor 6): POST http://sXXXXXXX1/XXXXXXXXXXWebService/XXXXXXXXXX.asmx HTTP/1.1
NOTICE Jan 13 18:29:44 [31126]: Proxying refused on filtered domain "sXXXXXXX1"
Any ideas why this might be? The problem *might* be limited to NTLM names and services that use non-standard ports although that might not actually be the case. Just strikes me from the above.
Jon
ASKER
There are no extra spaces. All addresses are separated with semicolons.
All characters are as per article.
All characters are as per article.
Are you using Internet Explorer Maintenance" to configure the proxy exclusions? If so , IEM no longer works for IE 10 or greater and you need to use GPP instead.
https://thommck.wordpress.com/2013/11/08/the-new-way-to-configure-internet-explorer-proxy-settings-with-group-policy/
https://thommck.wordpress.com/2013/11/08/the-new-way-to-configure-internet-explorer-proxy-settings-with-group-policy/
ASKER
Yes, as stated in the original question I have done it as registry keys exactly as outlined in that link.
This registry key was rolled out using a group policy - User Configuration, Preferences, Windows Settings, Registry. I can see that the registry settings are applied:-
[HKEY_CURRENT_USER\Software\Microsof t\Windows\ CurrentVer sion\Inter net Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="sXXXXXXXXXX.domain.dm z:8080"
"ProxyOverride"="http://*.domain.local;https://*.domain.local;http://*.domain.dmz;https://*.domain.dmz;http://*.domain.public;https://*.domain.public;http://10.254.254.14;https://10.254.254.14;http://sXXXXXX6;https://sXXXXXX6;http://sXXXXXXX1;https://sXXXXXXX1;http://sXXXXXXXX2;https://sXXXXXXXX2;http://sXXXXXXXX3.domain.co.uk;https://sXXXXXXXX3.domain.co.uk;http://dXXXXXXXXX;https://dXXXXXXXXX;http://sXXXX4;https://sXXXX4;<local>"
ASKER
Sorry, don't have clues
However you can try to deploy proxy policy from 2012 R2 \ win 8.1 machine with GP Preferences
It will work as it is standard way of implementing proxy policies
You need either win 8.1 \ 2012 R2 server with GPMC installed for that
On win 8.1 machine you need to download RSAT for 8.1
From there you can deploy GPO with GP preferences for all version of IE (right from IE 5 to IE 10), IE 10 will also work for IE 11
However you can try to deploy proxy policy from 2012 R2 \ win 8.1 machine with GP Preferences
It will work as it is standard way of implementing proxy policies
You need either win 8.1 \ 2012 R2 server with GPMC installed for that
On win 8.1 machine you need to download RSAT for 8.1
From there you can deploy GPO with GP preferences for all version of IE (right from IE 5 to IE 10), IE 10 will also work for IE 11
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi,
Mahesh - the registry hack was a way of avoiding having to do this which doesn't support all versions of IE.
compdigit44 - can't believe I hadn't already thought to try that (though nothing on the Internet suggested HKLM - all talked about HKCU). I have added HKLM too and initial signs look promising. I will do some testing today and report back.
Mahesh - the registry hack was a way of avoiding having to do this which doesn't support all versions of IE.
compdigit44 - can't believe I hadn't already thought to try that (though nothing on the Internet suggested HKLM - all talked about HKCU). I have added HKLM too and initial signs look promising. I will do some testing today and report back.
Sorry other question comment passed - wrong comment - I have deleted my last comment
ASKER
I added HKLM as well as HKCU and I believe things are working now.
Check below article for allowed exception list characters
http://technet.microsoft.com/en-us/library/dd361953.aspx