Solved

Proxy Override not working consistently

Posted on 2015-01-13
11
1,215 Views
Last Modified: 2015-01-19
Hi,

I am having a problem very similar to this abandoned question:-

www.experts-exchange.com/Software/Internet_Email/Web_Browsers/Q_28472037.html

We have implemented a proxy server but certain local web services are going via the proxy server when they should be classed as local and not even be hitting the proxy server in the first place.

The problem is most apparent on (though not limited to) a Windows Server 2008 Terminal Server (running IE11).  I also have a server 2003 server that is doing the same kind of thing. (running IE8).

DC's are Server 2012 R2

We have implemented these registry keys - but the proxyoverride doesn't seem to be working for certain sites even though they are listed in the registry key.

This registry key was rolled out using a group policy - User Configuration, Preferences, Windows Settings, Registry.  I can see that the registry settings are applied:-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

"ProxyEnable"=dword:00000001

"ProxyServer"="sXXXXXXXXXX.domain.dmz:8080"

"ProxyOverride"="http://*.domain.local;https://*.domain.local;http://*.domain.dmz;https://*.domain.dmz;http://*.domain.public;https://*.domain.public;http://10.254.254.14;https://10.254.254.14;http://sXXXXXX6;https://sXXXXXX6;http://sXXXXXXX1;https://sXXXXXXX1;http://sXXXXXXXX2;https://sXXXXXXXX2;http://sXXXXXXXX3.domain.co.uk;https://sXXXXXXXX3.domain.co.uk;http://dXXXXXXXXX;https://dXXXXXXXXX;http://sXXXX4;https://sXXXX4;<local>;"

Yes, I keep seeing these entries in the logs:-

CONNECT   Jan 13 17:03:12 [31125]: Connect (file descriptor 6): 172.16.1.18 [172.16.X.XX]
CONNECT   Jan 13 17:03:12 [31125]: Request (file descriptor 6): POST http://sXXXXXXXX3.domain.co.uk:8000/publish/apps HTTP/1.1
NOTICE    Jan 13 17:03:12 [31125]: Proxying refused on filtered domain "sXXXXXXXX3.domain.co.uk"

CONNECT   Jan 13 17:03:12 [31120]: Connect (file descriptor 6): 172.16.1.18 [172.16.1.18]
CONNECT   Jan 13 17:03:12 [31120]: Request (file descriptor 6): POST http://dXXXXXXXXX/XXXXservices/Xdataaccess.asmx HTTP/1.1
NOTICE    Jan 13 17:03:12 [31120]: Proxying refused on filtered domain "dXXXXXXXXX"

CONNECT   Jan 13 18:29:44 [31126]: Connect (file descriptor 6): 10.254.254.11 [10.254.254.11]
CONNECT   Jan 13 18:29:44 [31126]: Request (file descriptor 6): POST http://sXXXXXXX1/XXXXXXXXXXWebService/XXXXXXXXXX.asmx HTTP/1.1
NOTICE    Jan 13 18:29:44 [31126]: Proxying refused on filtered domain "sXXXXXXX1"

Any ideas why this might be?  The problem *might* be limited to NTLM names and services that use non-standard ports although that might not actually be the case.  Just strikes me from the above.


Jon
0
Comment
Question by:FriendlyIT
  • 5
  • 3
  • 2
11 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 40547411
make sure there are no extra spaces between exception list or it will create issues and all addresses are separated with semi colons
Check below article for allowed exception list characters
http://technet.microsoft.com/en-us/library/dd361953.aspx
0
 

Author Comment

by:FriendlyIT
ID: 40548685
There are no extra spaces.  All addresses are separated with semicolons.

All characters are as per article.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40550229
Are you using Internet Explorer Maintenance"  to configure the proxy exclusions? If so , IEM no longer works for IE 10 or greater and you need to use GPP instead.

https://thommck.wordpress.com/2013/11/08/the-new-way-to-configure-internet-explorer-proxy-settings-with-group-policy/
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:FriendlyIT
ID: 40550823
Yes, as stated in the original question I have done it as registry keys exactly as outlined in that link.

This registry key was rolled out using a group policy - User Configuration, Preferences, Windows Settings, Registry.  I can see that the registry settings are applied:-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

 "ProxyEnable"=dword:00000001

 "ProxyServer"="sXXXXXXXXXX.domain.dmz:8080"

 "ProxyOverride"="http://*.domain.local;https://*.domain.local;http://*.domain.dmz;https://*.domain.dmz;http://*.domain.public;https://*.domain.public;http://10.254.254.14;https://10.254.254.14;http://sXXXXXX6;https://sXXXXXX6;http://sXXXXXXX1;https://sXXXXXXX1;http://sXXXXXXXX2;https://sXXXXXXXX2;http://sXXXXXXXX3.domain.co.uk;https://sXXXXXXXX3.domain.co.uk;http://dXXXXXXXXX;https://dXXXXXXXXX;http://sXXXX4;https://sXXXX4;<local>"
0
 

Author Comment

by:FriendlyIT
ID: 40551767
I have tweaked the ProxyOverride list - stripped out the http:// and https:// to make the argument more succinct but I can still see the requests hitting the proxy server.

Anyone got any other ideas or even just some clue as to how to troubleshoot this?


Jon
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 40552137
Sorry, don't have clues
However you can try to deploy proxy policy from 2012 R2 \ win 8.1 machine with GP Preferences
It will work as it is standard way of implementing proxy policies

You need either win 8.1 \ 2012 R2 server with GPMC installed for that
On win 8.1 machine you need to download RSAT for 8.1
From there you can deploy GPO with GP preferences for all version of IE (right from IE 5 to IE 10), IE 10 will also work for IE 11
0
 
LVL 19

Accepted Solution

by:
compdigit44 earned 500 total points
ID: 40552407
Sorry for the misunderstanding FriendlyIT...

Have you tried to apply the settings under HKLM in set of HKCU?
0
 

Author Comment

by:FriendlyIT
ID: 40557540
Hi,

Mahesh - the registry hack was a way of avoiding having to do this which doesn't support all versions of IE.

compdigit44 - can't believe I hadn't already thought to try that (though nothing on the Internet suggested HKLM - all talked about HKCU).  I have added HKLM too and initial signs look promising.  I will do some testing today and report back.
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 40557797
Sorry other question comment passed - wrong comment - I have deleted my last comment
0
 

Author Closing Comment

by:FriendlyIT
ID: 40558216
I added HKLM as well as HKCU and I believe things are working now.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question