Automatic Proxy Detection for clients-Windows 2003 Domain


  • Automatic Proxy Detection for clients-Windows 2003 Domain

    Hi,

    I configured the Internet Explorer proxy settings for our domain computers from the Windows 2003 DC GPO (Internet Explorer Maintenance policy) in such a way that the domain users cannot modify the settings manually from IE. The problem is, users are not able to change the proxy configuration even when they are off the domain, i.e. on their home internet or other networks. The existing proxy settings prevent them from using their personal internet.

    Is there a method to get the domain proxy settings enabled/activated only when the user logs into the specific domain, and to have them changed or made editable when they are on other networks?

    I would be thankful for a proper step-by-step procedure for this.

    Thanks in advance
    Insaf Muhammed
    System Admin
    -----------------
    Never break four things in life: TRUST, PROMISE, RELATIONS & HEART. Cause when they break they don't make noise but pains a lot

  • #2
    Re: Automatic Proxy Detection for clients-Windows 2003 Domain

    Hmmm, not sure, but there might be an easier solution.
    Just enable the autodetect option and use a WPAD.dat or a proxy.pac file to configure the clients.
    These files can be "distributed" using DNS, pointing to the host with the correct (http) file, or using DHCP (custom) option 252.

    If you are using ISA or TMG you can simply enable this setting in the console and the WPAD.dat is generated automatically. Just create a DNS or DHCP entry pointing to the ISA/TMG server.

    For the home location: automatic detection will fail (since none of those entries are configured) and it will use a direct connection instead.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: Automatic Proxy Detection for clients-Windows 2003 Domain

      Hi,

      You could create a logoff script that alters the following reg keys:

      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

      Proxy Enable REG_DWORD 1: change it to 0. This will disable the proxy settings, and they can access the internet from home without having to change anything.


      HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel

      Proxy REG_DWORD 1 to 0: this will enable users to manage their own proxy settings when working on another company's network.

      This can be done with a simple batch file that uses REG.exe to delete and add reg values, or with VB or PowerShell.

      Comment


      • #4
        Re: Automatic Proxy Detection for clients-Windows 2003 Domain

        Originally posted by Dumber
        Hmmm, not sure, but there might be an easier solution.
        Just enable the autodetect option and use a WPAD.dat or a proxy.pac file to configure the clients.
        These files can be "distributed" using DNS, pointing to the host with the correct (http) file, or using DHCP (custom) option 252.

        If you are using ISA or TMG you can simply enable this setting in the console and the WPAD.dat is generated automatically. Just create a DNS or DHCP entry pointing to the ISA/TMG server.

        For the home location: automatic detection will fail (since none of those entries are configured) and it will use a direct connection instead.
        Unless you force it by group policy, I could just go into IE and turn it off.

        Of course, with a proxy implementation, you should prevent outbound access anyway, else someone may just be able to use Firefox, unless you stop people using that, or use firefoxadm.
        Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

        Comment


        • #5
          Re: Automatic Proxy Detection for clients-Windows 2003 Domain

          You can force it but just enable auto detect and not the proxy server settings.
          Personally I think it's far from an ideal situation. No flexibility at all.
          And if a user disables the "automatically detect settings" option and he can't browse the internet anymore then I'm sure he will re-enable the setting again.
          Marcel

          Comment


          • #6
            Re: Automatic Proxy Detection for clients-Windows 2003 Domain

            I know, I simply felt like being a bit argumentative

            when someone is determined.. they will find a way
            I do agree that autodetect is definitely the best way

            (except 2008 DNS seems to have issues with registering WPAD.. I remember one of our other engineers remarking on that to me: it kept disappearing from client's DNS zone, and they were getting remarkably frustrated)

            Comment


            • #7
              Re: Automatic Proxy Detection for clients-Windows 2003 Domain

              Well, for Windows 2008, read my WIP (Work in Progress) blog.
              There are indeed some issues with Windows 2008 DNS, but they are security "features":
              http://blog.nessus.nl/56/wpad-not-ge...dows-2008-dns/
              Marcel

              Comment


              • #8
                Re: Automatic Proxy Detection for clients-Windows 2003 Domain

                Thank you all

                Can someone tell me how to create a proxy.pac file?

                It might close my issue at all
                Insaf Muhammed

                Comment


                • #9
                  Re: Automatic Proxy Detection for clients-Windows 2003 Domain

                  can
                  http://www.google.co.uk/search?hl=en...meta=&aq=f&oq=

                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **

                  Comment


                  • #10
                    Re: Automatic Proxy Detection for clients-Windows 2003 Domain

                    Please read this article: http://www.aspfree.com/c/a/BrainDump...ng-a-Pac-File/
                    It explains it pretty well. Actually I'm considering writing an article on my own blog, but that might take some time.
                    Note: you need a (simple) webserver to deploy the pac file.

                    You can combine it with the WPAD discovery mechanism using DNS or DHCP
                    http://www.davidpashley.com/articles...tic-proxy.html
                    http://www.grape-info.com/doc/win200...pad/index.html
                    Marcel

                    Comment


                    • #11
                      Re: Automatic Proxy Detection for clients-Windows 2003 Domain

                      Thank you all

                      Hi dumber, from the link you sent I copied the proxy.pac code and modified it with our configuration

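                      ===================================


                      // proxy.pac: the browser calls this function for every request
                      function FindProxyForURL(url, host)
                      {
                          // Hosts in 192.168.0.0/16 are reached without the proxy
                          if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
                              return "DIRECT";
                          } else {
                              // A PAC return value needs the PROXY keyword before host:port
                              if (shExpMatch(url, "http:*"))
                                  return "PROXY 172.20.255.64:8080";
                              if (shExpMatch(url, "https:*"))
                                  return "PROXY 172.20.255.64:8080";
                              if (shExpMatch(url, "ftp:*"))
                                  return "PROXY 172.20.255.64:8080";
                              // Any other URL scheme goes direct
                              return "DIRECT";
                          }
                      }
                      =================================================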
                      Please have a look at it and confirm if this is okay. In the code where I marked red, how can I add multiple subnets if required? (We have different IP subnets for servers and users and they all use the same proxy for internet.)

                      We have an internal IIS server, so I think I can use it to publish the proxy.pac file over the domain and put the link in the 'Auto-proxy URL' option under 'Automatic Browser Configuration' in the IEM GPO setting.
                      Now, why do I need a .wpad file anywhere here? Is it mandatory to use the .pac file?

                      Sorry for bothering with my crucial queries
                      Insaf Muhammed

                      Comment


                      • #12
                        Re: Automatic Proxy Detection for clients-Windows 2003 Domain

                        Different apps automatically look for proxy.pac or wpad.dat. I've got both on my domain, just to be on the safe side. Incidentally, I'd make the following modifications to your file: Replace the first IF statement with
                        Code:
                        if (isInNet(host, "192.168.0.0", "255.255.0.0") ||
                            isInNet(host, "10.0.0.0", "255.255.252.0") ||
                            isPlainHostName(host) ||
                            dnsDomainIs(host, ".yourdomain.local"))
                        {
                            return "DIRECT";
                        }
                        This will allow you to get around the local network by IP, hostname or FQDN without being bothered by the proxy (unless you wanted to proxy local http servers?). Also, the || means "or", so it's all neatly combined into one IF statement. Note I've added a second subnet into that for you too. Also, for the return statements, I'd change them to the following:
                        Code:
                        return "PROXY 172.20.255.64:8080; DIRECT";
                        This way, if your proxy server goes down, you don't lose internet access. If you don't want people on the network while the proxy is down, your code is OK as it is.
                        Last edited by Mr.Clark; 10th May 2010, 15:37.

                        Comment
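
One way to check the combined PAC logic from posts #11 and #12 offline before publishing it, as an added example that is not part of the original posts. The Node stand-ins for the browser helpers, the `HOSTS` table, `proxyRoute` and `FAIL_OPEN` are assumptions for illustration; `.yourdomain.local` is the placeholder from post #12.

```javascript
// Added example: PAC logic from the thread plus Node stand-ins for browser helpers.
var PROXY = "PROXY 172.20.255.64:8080";   // proxy address quoted in the thread
var FAIL_OPEN = true;  // assumption: true = browse direct when the proxy is down

function proxyRoute(failOpen) {
  // "; DIRECT" is the fallback; dropping it keeps filtering enforced (fail closed)
  return failOpen ? PROXY + "; DIRECT" : PROXY;
}

function FindProxyForURL(url, host) {
  // Name checks first: isInNet() makes the client resolve the host name
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".yourdomain.local") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "10.0.0.0", "255.255.252.0")) {
    return "DIRECT";
  }
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "http" || scheme === "https" || scheme === "ftp") {
    return proxyRoute(FAIL_OPEN);
  }
  return "DIRECT";
}

// ---- Node-only stand-ins (browsers supply the real helpers) ----
const HOSTS = { "intranet.yourdomain.local": "10.0.1.20" }; // constructed DNS table

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function dnsResolve(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : HOSTS[host] || null;
}
function isInNet(host, net, mask) {
  const ip = dnsResolve(host);
  if (!ip) return false;               // unresolvable: not in any listed subnet
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Constructed sample requests
const samples = [["http://fileserver/", "fileserver"],
                 ["http://10.0.4.1/", "10.0.4.1"],
                 ["https://www.example.com/", "www.example.com"]];
for (const [url, host] of samples) {
  console.log(host.padEnd(18), "->", FindProxyForURL(url, host));
}
```

Only the first three declarations and `FindProxyForURL` belong in the published proxy.pac; the stand-ins exist so the routing decisions can be asserted in Node.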
