jmbrinkman

Archive for February, 2012|Monthly archive page

Von Smallhausen by Proxy

In Proxy, TMG 2010, Uncategorized on February 22, 2012 at 21:34

If you like my content please do check out my new blog at thirdpartytools.net ! 

 

If you work in an environment where access to the internet is “proxied” or “proxyfied” by a Microsoft proxy productandthat proxy requires authentication you are in for a treat. If you have to maintain or administer such an environment…

It looks like a great idea – you know who what on the big bad world wide wolf. But a lot of software doesn’t understand proxy authentication – if they are aware of it in the first place. So users complain because the can’t watch that Silverlight video. Because Silverlight…doesn’t understand proxy authentication. Passive FTP with a login doesn’t understand it – you have to provide the credentials the old style: ftp://user001:secretpassword@private.ftp-servers.example.com/mydirectory/myfile.txt .

Of course you can disable proxy authentication for certain sites, source or destination ip’s or even users. But that can be quite a hassle and depending on the amount of exclusions and the administrative discipline of the IT staff it can render authentication as a security (or productivity if you use to block sites)measure rather useless.

But my biggest problem with proxy authentication in a Microsoft environment is – not even the OS understands proxies. The strong bonds between Windows Explorer and Internet Explorer might have been severed…for most applications IE is the place to set a proxy – whether IE is a party in the application reaching the Internet or not.

But we have group policy so we can set the proxy so big deal…but hey why can’t OneNote reach my Skydrive? That’s because Microsoft provided us with two ways to use a proxy; WinInet and WinHTTP. And no one really tells which applications use or support them. MSDN says “..When selecting between the two, you should use WinINet, unless you plan to run within a service or service-like process that requires impersonation and session isolation…(WinHTTP vs. WinINet). Now I can’t judge why or how OneNote needs WinHTTP – but its annoying none the less that it does.

Now how can we solve this?

  • There is no GPO setting for Winhttp 😦
  • Of course you could script it. Use proxycfg.exe or netsh in the winhttp context (or Windows XP/2003 and later OS’s respectively)
  • Or in some way (OS template/script/GPO) makes some changes to HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttp
  • If you use an auto discovery script importing from IE won’t work you’ll have to maintain two ways of finding a proxy ( tho it understands WPAD)
  • So the only real solution is a computer start up script that uses the methods mentioned above with some smart logic to pick a server and keep things like proxy exclusions in sync between WinInet and WinHTTP

Or you could really move forward and think about stuff like Palo Alto firewalls or other solutions where fire-walling and proxying are integrated if seeing who does what really is your thing

Btw here is a list of appplications that use WinHTTP:

  • Connections to Microsoft Skydrive from an Office or Windows Live App
  • Windows Update
  • WebDAV ( so stuff like Sharepoint ) connections from Office or Windows Explorer

I will say this only once!

Advertisements