
GROUP POLICY??


Al

Apr 28, 2006, 2:35:01 PM
I have enabled the Proxy setting on my GP (User config, win set, IE main,
connection) and entered my proxy IP and Port 8080. Now I have VPN users that
log in and can surf IE with no problems, but when they log off our VPN they
can't surf IE at all...how can I correct this. All VPN users log in from the
road/hotels and/or home.

I have Win2k and Win2003 servers, both DC are Win2k and the GP reside on
them. All users have WinXP Pro.

Al

Mark Heitbrink [MVP]

Apr 29, 2006, 9:29:36 AM
Al wrote:

> I have enabled the Proxy setting on my GP (User config, win set, IE main,
> connection) and entered my proxy IP and Port 8080. Now I have VPN users that
> log in and can surf IE with no problems, but when they log off our VPN they
> can't surf IE at all...how can I correct this. All VPN users log in from the
> road/hotels and/or home.

Forget about using GPO to define the proxy, start using WPAD.
Independent of any kind of operating system, discovered via DHCP
and works with all popular browsers.
After configuring WPAD the only policy you need to manage IE is
"Automatically detect settings"
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/automaticdiscovery.mspx

If they are connected locally or via VPN, they will discover your
internal proxy, if they don´t find it, they are going directly to
the internet.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: Firstname@Homepage, the sending address is not checked.

Al

May 1, 2006, 9:29:02 AM
Mark,

Thanks for the info, but it seems like that will only work with ISA
2000/2004 and I don't want to install that on my server.

Al

Mark Heitbrink [MVP]

May 1, 2006, 3:08:31 PM
Hi,

Al wrote:


> Thanks for the info, but it seems like that will only work with ISA
> 2000/2004 and I don't want to install that on my server.

No, it works with every Proxy and doesn´t need the ISA. The article
just mentioned the ISA, because it´s MS and the ISA Client can
handle it a little bit easier.

All you need is the DHCP Option, the URL and a script file that the
browser can reach to read the proxy settings.

Sorry, didn´t find a better one in English than this ...
http://www.craigjconsulting.com/setproxy.html
http://www.craigjconsulting.com/proxypac.html

Al

May 1, 2006, 4:36:01 PM
Mark, I did create the DHCP Option 252 per the article in your first
post...but when I remove the Proxy settings in the GPO, I'm able to browse IE
with no problems, meaning my user can do the same and that isn't truly what
I want them to do.

Al

May 1, 2006, 4:43:02 PM
Also Mark, in your second post you mentioned a "script file" but in the
instructions on how to Create an Option 252 Entry no script is created,
unless WPAD.DAT is the script entry.

Mark Heitbrink [MVP]

May 2, 2006, 3:45:05 PM
Hi,

1. Create clients.wpad, copy to e.g. inetpub\wwwroot
so that it can be reached via http://yourserver/clients.wpad
Edit the 'return "PROXY ..."' line to your settings.

------- clients.wpad -------
function FindProxyForURL(url, host)
{
    // Local names and hosts in the internal domain bypass the proxy.
    if (isPlainHostName(host) || dnsDomainIs(host, ".yourdomain.dom"))
        return "DIRECT";
    else
        // Everything else: try the proxy first, then go direct.
        return "PROXY yourserver.yourdomain.dom:8080; DIRECT";
}
------- clients.wpad -------

2. Create an option in DHCP and apply the URL
- DHCP Server -> Properties -> Set Predefined Options -> add
- Name: WPAP
  Code: 252
  Data type: String
  String: http://yourserver/clients.wpad
- add this option to your scope

3. IIS configuration
If you copied the script to the wwwroot of the default website, go to
properties of the website -> http-header -> MIME Types ->
New: x-ns-proxy-autoconfig -> .wpad

4. Change IE to "Automatically detect settings"

Connect the client to your LAN, it will detect yourdomain.com
and start using your proxy. If I´m outside the LAN it can´t find
the script and will start using the gateway defined by IP Settings.
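
An added illustration of how a client walks the semicolon-separated return value of the script in the post above; it is not part of the original post. `FindProxyForURLStrict`, `parsePacResult`, `chooseRoute` and the two reachability predicates are hypothetical names, and the host names are the post's placeholders.

```javascript
// Added illustration, not code from the thread.
// PAC helpers, reimplemented so the script runs outside a browser.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// The script from the post (fail-open: falls back to DIRECT).
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".yourdomain.dom"))
    return "DIRECT";
  else
    return "PROXY yourserver.yourdomain.dom:8080; DIRECT";
}

// Hypothetical variant for comparison: same rule, no DIRECT fallback.
function FindProxyForURLStrict(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".yourdomain.dom"))
    return "DIRECT";
  return "PROXY yourserver.yourdomain.dom:8080";
}

// Split a PAC return value into its ordered fallback entries.
function parsePacResult(result) {
  return result.split(";").map(s => s.trim()).filter(Boolean).map(entry => {
    const [type, target] = entry.split(/\s+/);
    return { type: type.toUpperCase(), target: target || null };
  });
}

// Walk the entries in order and return the first usable route.
// proxyReachable is a stand-in predicate for the client's connect attempt.
function chooseRoute(findProxy, url, host, proxyReachable) {
  for (const e of parsePacResult(findProxy(url, host))) {
    if (e.type === "DIRECT") return "DIRECT";
    if (e.type === "PROXY" && proxyReachable(e.target)) return "PROXY " + e.target;
  }
  return "NONE"; // every listed entry failed
}

// Constructed cases: proxy answering vs. not answering.
const proxyUp = () => true;
const proxyDown = () => false;
for (const [pac, host, reach] of [
  [FindProxyForURL, "intranet", proxyUp],
  [FindProxyForURL, "www.example.com", proxyUp],
  [FindProxyForURL, "www.example.com", proxyDown],
  [FindProxyForURLStrict, "www.example.com", proxyDown],
]) console.log(pac.name, host, "->", chooseRoute(pac, "http://" + host + "/", host, reach));
```

The fallback list only comes into play once the client has loaded the script; a client that never finds clients.wpad goes direct, as the post says.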

Al

May 3, 2006, 3:29:02 PM
Hi Mark,

I clearly don't understand your script but let me know if I created it
correctly.

------- clients.wpad -------
function FindProxyForURL(url, host)
{
if (isPlainHostName(host) || dnsDomainIs(host, ".yourdomain.dom"))
return "DIRECT";
else

return "PROXY 192.196.0.xxx.abc.net:8080; DIRECT";
}

--------------------------------------------------------------------------
so do I just need to fill out the bottom line like I did above, the other
steps I can take care of.

Al

"Mark Heitbrink [MVP]" wrote:

> and starts using your proxy. If I´m outside the LAN it can´t find

Mark Heitbrink [MVP]

May 3, 2006, 4:08:09 PM
Hi,

Al wrote:


> ------- clients.wpad -------
> function FindProxyForURL(url, host)
> {
> if (isPlainHostName(host) || dnsDomainIs(host, ".yourdomain.dom"))

Change this to the name of your DNS. "yourdomain" is just a sample.

> return "DIRECT";
> else
> return "PROXY 192.196.0.xxx.abc.net:8080; DIRECT";

Then you mix IP and Name of proxy, decide on one...
name or IP.
If your proxy is: 192.196.0.1
and the name is : myproxy.yourdomain.dom

use 192.196.0.1:8080 or myproxy.yourdomain.dom:8080
... if 8080 is the port of your proxy, 3128 is also very common ...

Mark Heitbrink [MVP]

May 4, 2006, 6:41:24 AM
Al wrote:
> I clearly don't understand your script [...]

Addition:


| if (isPlainHostName(host) || dnsDomainIs(host, ".yourdomain.dom"))
| return "DIRECT";

means that if you are accessing a website inside your LAN, then
the client will not use the proxy.
Similar to IE Settings: bypass proxy at local addresses
(or whatever the right translation is ;-)

Syntax of the proxy script and a few more examples:
http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

Al

May 4, 2006, 10:53:02 AM
Ok Mark,

I corrected the script and just used the name instead of IP. But no luck.
Once I disable the GP and run gpupdate on a WinXP machine I can still browse
the internet freely meaning my user can browse all kinds of web sites. So I
had to place the GP back on.

I just need to find a way for the users VPN to browse when they are at home
and not VPN'd in. If I clear the Proxy tab on IE then other users can clear
and surf freely so I can't do that. Currently the tab is blocked so users
can't change the Proxy tab, but when I users at home they can't surf the net
because they can't clear the Proxy tab, hope that makes sense. Again,
thanks for your help.

"Mark Heitbrink [MVP]" wrote:

> Hi,
>
> Al wrote:
> > ------- clients.wpad -------
> > function FindProxyForURL(url, host)
> > {
> > if (isPlainHostName(host) || dnsDomainIs(host, ".yourdomain.dom"))
>
> Change this to the name of your DNS. "yourdomain" is just a sample.
>
> > return "DIRECT";
> > else
> > return "PROXY 192.196.0.xxx.abc.net:8080; DIRECT";
>
> Then you mix IP and Name of proxy, decide on one...
> name or IP.
> If your proxy is: 192.196.0.1
> and the name is : myproxy.yourdomain.dom
>
> use 192.196.0.1:8080 or myproxy.yourdomain.dom:8080

> ... if 8080 is the port of your proxy, 3128 is also very common ...

Mark Heitbrink [MVP]

May 4, 2006, 2:31:42 PM
Hi,

Al wrote:


> I corrected the script and just used the name instead of IP. But no luck.
> Once I disable the GP and run gpupdate on a WinXP machine I can still browse
> the internet freely meaning my user can browse all kinds of web sites. So I
> had to place the GP back on.

So, they don´t use the proxy?
Just to test that your environment works with WPAD, remove the
Default gateway from a test client ... as long as the client
can´t browse, your WPAD isn´t working properly ...
