Posts Tagged ‘Proxy server’

Von Smallhausen by Proxy

In Proxy, TMG 2010, Uncategorized on February 22, 2012 at 21:34

If you work in an environment where access to the internet is “proxied” or “proxyfied” by a Microsoft proxy product and that proxy requires authentication, you are in for a treat. If you have to maintain or administer such an environment…

It looks like a great idea – you know who does what on the big bad world wide wolf. But a lot of software doesn’t understand proxy authentication – if it is aware of a proxy in the first place. So users complain because they can’t watch that Silverlight video. Because Silverlight…doesn’t understand proxy authentication. Passive FTP with a login doesn’t understand it either – you have to provide the credentials the old style: .

Of course you can disable proxy authentication for certain sites, source or destination IPs or even users. But that can be quite a hassle, and depending on the number of exclusions and the administrative discipline of the IT staff it can render authentication as a security measure (or a productivity measure, if you use it to block sites) rather useless.

But my biggest problem with proxy authentication in a Microsoft environment is that not even the OS understands proxies. The strong bonds between Windows Explorer and Internet Explorer might have been severed, but for most applications IE is still the place to set a proxy – whether IE is a party in the application reaching the Internet or not.

But we have group policy so we can set the proxy, so big deal… but hey, why can’t OneNote reach my Skydrive? That’s because Microsoft provided us with two ways to use a proxy: WinInet and WinHTTP. And no one really tells you which applications use or support which. MSDN says “…When selecting between the two, you should use WinINet, unless you plan to run within a service or service-like process that requires impersonation and session isolation…” (WinHTTP vs. WinINet). Now I can’t judge why or how OneNote needs WinHTTP – but it’s annoying nonetheless that it does.

Now how can we solve this?

  • There is no GPO setting for WinHTTP 😦
  • Of course you could script it. Use proxycfg.exe or netsh in the winhttp context (for Windows XP/2003 and later OSs respectively).
  • Or in some way (OS template/script/GPO) make some changes to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttp
  • If you use an auto discovery script, importing from IE won’t work, so you’ll have to maintain two ways of finding a proxy (though it does understand WPAD).
  • So the only real solution is a computer start-up script that uses the methods mentioned above with some smart logic to pick a server and keeps things like proxy exclusions in sync between WinInet and WinHTTP.
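As an added example (not a script from the original post), this is what such a computer start-up script can look like in PowerShell: it picks the first proxy from a candidate list that accepts a TCP connection, reads the exception list WinInet already has, and pushes both into WinHTTP with netsh. The proxy names, port and log path are placeholder assumptions, and it assumes the WinInet settings live in the machine-wide key (ProxySettingsPerUser = 0), because a start-up script runs as SYSTEM and cannot see the logged-on user’s HKCU hive.

```powershell
# Added example, not from the original post: computer start-up script that picks the
# first reachable proxy from a candidate list and writes it into WinHTTP together with
# the exception list WinInet already uses, so both stacks stay in sync.
# Assumptions: proxy names, port and log path are placeholders; WinInet settings are read
# from the machine-wide key (ProxySettingsPerUser = 0) since the script runs as SYSTEM.

$CandidateProxies = @('proxy1.example.local', 'proxy2.example.local')   # placeholders
$ProxyPort        = 8080
$WinInetKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$LogFile          = Join-Path $env:SystemRoot 'Temp\winhttp-proxy.log'

function Test-TcpPort {
    # TCP connect with a timeout; works on older OSs that lack Test-NetConnection
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Select-Proxy {
    # The "smart logic to pick a server": first candidate that accepts a connection wins
    param([string[]]$Candidates, [int]$Port)
    foreach ($name in $Candidates) {
        if (Test-TcpPort -ComputerName $name -Port $Port) { return ('{0}:{1}' -f $name, $Port) }
    }
    return $null
}

function Get-WinInetBypassList {
    # ProxyOverride is WinInet's exception list: semicolon separated, '<local>' = intranet names.
    # WinHTTP's bypass-list uses the same syntax, so it is passed through unchanged.
    $value = (Get-ItemProperty -Path $WinInetKey -Name ProxyOverride -ErrorAction SilentlyContinue).ProxyOverride
    if ([string]::IsNullOrEmpty($value)) { return '<local>' }
    return $value
}

function Set-WinHttpProxy {
    # netsh winhttp set proxy needs administrative rights; a start-up script has them as SYSTEM
    param([string]$ProxyServer, [string]$BypassList)
    & netsh.exe winhttp set proxy proxy-server="$ProxyServer" bypass-list="$BypassList"
    return $LASTEXITCODE
}

$proxy = Select-Proxy -Candidates $CandidateProxies -Port $ProxyPort
if ($null -eq $proxy) {
    # Leave the existing WinHTTP setting alone rather than pointing it at a dead server
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) no proxy reachable, WinHTTP left unchanged"
    exit 1
}

$bypass = Get-WinInetBypassList
$rc = Set-WinHttpProxy -ProxyServer $proxy -BypassList $bypass
Add-Content -Path $LogFile -Value "$(Get-Date -Format s) winhttp proxy=$proxy bypass=$bypass rc=$rc"
exit $rc
```

Because the bypass list is taken from WinInet’s ProxyOverride value rather than from `netsh winhttp import proxy source=ie`, the script keeps working when IE is configured with an auto discovery script, which is the case the post says the import cannot handle. `netsh winhttp show proxy` on a client shows what the script wrote.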

Or you could really move forward and think about stuff like Palo Alto firewalls or other solutions where firewalling and proxying are integrated, if seeing who does what really is your thing.

Btw here is a list of applications that use WinHTTP:

  • Connections to Microsoft Skydrive from an Office or Windows Live App
  • Windows Update
  • WebDAV (so stuff like Sharepoint) connections from Office or Windows Explorer

I will say this only once!

Netscaler Load Balancing: Monitor TMG Webproxy with User Authentication

In Citrix, Netscaler, TMG 2010 on November 22, 2011 at 11:51

We use a Microsoft Forefront Threat Management Gateway 2010 server array as forward proxy servers. Instead of using an autoconfig script, WPAD or the firewall client we use a load balanced VIP on our Netscalers to direct clients towards the proxy. The setup is quite simple – a client connects to the VIP on port 8080 and the Netscaler sends the request over to TMG. Because we want the second proxy server to be passive we use a backup VIP instead of two services behind the first VIP.

Now one of the advantages of a hardware load balancer in this scenario over a software based load balancing solution (such as vanilla or TMG integrated MS Network Load Balancing) is that a Netscaler can be configured in such a way that it’s application and even application-performance aware if you want. We were only looking for application awareness – especially because we ran into situations where TMG said it was happy, SCOM said it was happy and there was more than enough cpu, memory, network resources and bandwidth to go around – but clients weren’t able to get a single page from the Internet. But TMG has such a special place in my heart that I’ll devote an entire post to it later this week.

Anyway – Netscaler to the rescue.

This is what I wanted to do: build a monitor that retrieves a website through the webproxy server. That’s been done before: How to Configure an HTTP-ECV Health Monitor for Internet Proxy Servers. But that was for an unauthenticated proxy server. It did give some pointers on how to configure it with authentication. And luckily we allow Basic Authentication (using NTLM should be possible, I guess, with the right Perl script), so all seemed well.

First I’d like to point out that I’ve moved from using the GUI to using the CLI to configure things such as new vservers and monitors. I’ve been in a situation twice where a change in the GUI didn’t come through properly – even after saving and refreshing all.

Secondly – the method in the article mentioned above doesn’t work :(.

I tweaked the parameters and headers over and over but either TMG didn’t accept the request or the Netscaler couldn’t find the pattern in the response. I did some tracing with Network Monitor but even when TMG sent back a proper 200 status code the Netscaler said the service was down. But at some point I found another Knowledge Center article: How to Configure a NetScaler Monitor to Authenticate with a User Name and Password.

I quote: “Do not use an HTTP-ECV monitor when sending additional headers such as authentication, host, and so on.”.

Wow silly me – how did I ever get that idea…??

Following the article, what I did was this:

add lb monitor Proxy_Monitor TCP-ECV -send "GET HTTP/1.1\r\nProxy-Authorization: Basic Veryintimidatingbase64stringletsnotusepriviligedaccount\r\nCache-control: no-cache\r\n\r\n" -recv 302 -LRTM ENABLED -interval 30


  • The base64 string can be obtained by using PowerShell (or from the NetScaler CLI – see the article):

    function ConvertTo-Base64($string) {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($string)
        $encoded = [System.Convert]::ToBase64String($bytes)
        return $encoded
    }

  • You need to use the Proxy-Authorization header instead of the Authorization header
  • You can set the realm using a header or include it in the username (domain\username:password, then encode with base64)
  • TMG really wants you to give it the full GET, so include the whole URL, and it wants a Host header with the hostname of the destination URL
  • We are testing getting a page from the Internet – not from our cache – so I use a Cache-control header
  • The receive string here is not 200 but 302 because that’s the redirect we get when we request (or for that matter).
  • To prevent a failover when a single website is offline for some reason, I’ve made two monitors and bound them to each service, each going to another URL and using another user account, so that we can prevent an account lockout ruining our day as well. Then by setting the -monThreshold parameter on the service to 1 and giving each monitor a weight of 1 I can ensure that the service is up if one of the monitors is successful.
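As an added example (not from the original post or from Citrix), the PowerShell below reproduces from a workstation exactly what the TCP-ECV monitor sends to TMG, so the send string and the expected status code can be verified before the monitor is bound on the NetScaler. It builds the Basic token from a domain\user credential that is prompted for, fires the raw request at the proxy, reports the status line, and prints the matching add lb monitor line. Proxy name, port and test URL are placeholder assumptions.

```powershell
# Added example, not from the original post: verify the TCP-ECV monitor request against TMG
# from a workstation before binding it on the NetScaler. Proxy, port and URL are placeholders.

$ProxyHost = 'tmg-proxy.example.local'   # placeholder: a TMG array member or the VIP
$ProxyPort = 8080
$TestUrl   = 'http://www.example.com/'   # placeholder: site outside the cache that answers 302

function ConvertTo-BasicAuthToken {
    # Basic token = base64('DOMAIN\user:password'); the realm rides along in the user name
    param([System.Management.Automation.PSCredential]$Credential)
    $plain = $Credential.GetNetworkCredential()
    $pair  = '{0}:{1}' -f $Credential.UserName, $plain.Password
    return [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
}

function New-ProxyMonitorSendString {
    # Request line and headers as the monitor needs them: full URL in the GET, Host header
    # for the destination, Proxy-Authorization, Cache-control. Backslashes are literal
    # here; the NetScaler CLI turns \r\n into CRLF when the monitor runs.
    param([string]$Url, [string]$Token)
    $uri = [Uri]$Url
    return "GET $Url HTTP/1.1\r\nHost: $($uri.Host)\r\nProxy-Authorization: Basic $Token\r\nCache-control: no-cache\r\n\r\n"
}

function Test-ProxyRequest {
    # Sends the same request raw over TCP and returns the proxy's HTTP status line.
    # 'Connection: close' is added here only so the proxy ends the session after one response.
    param([string]$ProxyHost, [int]$ProxyPort, [string]$Url, [string]$Token)
    $uri = [Uri]$Url
    $request = "GET $Url HTTP/1.1`r`nHost: $($uri.Host)`r`nProxy-Authorization: Basic $Token`r`n" +
               "Cache-control: no-cache`r`nConnection: close`r`n`r`n"
    $client = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    try {
        $stream = $client.GetStream()
        $bytes  = [Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader = New-Object System.IO.StreamReader($stream, [Text.Encoding]::ASCII)
        return $reader.ReadLine()   # e.g. 'HTTP/1.1 302 Found' or 'HTTP/1.1 407 Proxy Authentication Required'
    }
    finally { $client.Close() }
}

# Enter the monitor account as DOMAIN\user: a dedicated, low-privilege account, never an admin
$cred  = Get-Credential
$token = ConvertTo-BasicAuthToken -Credential $cred

$status = Test-ProxyRequest -ProxyHost $ProxyHost -ProxyPort $ProxyPort -Url $TestUrl -Token $token
Write-Host "Proxy answered: $status"
if ($status -match '^HTTP/\d\.\d (\d{3})') {
    switch ($Matches[1]) {
        '302'   { Write-Host 'Redirect received; -recv 302 will match.' }
        '407'   { Write-Host 'Proxy rejected the credentials or realm; check domain\user and that Basic is allowed.' }
        default { Write-Host "Unexpected status $($Matches[1]); adjust -recv or pick another test URL." }
    }
}

# The NetScaler CLI line that corresponds to this request (printed, not executed)
$send = New-ProxyMonitorSendString -Url $TestUrl -Token $token
Write-Host ('add lb monitor Proxy_Monitor TCP-ECV -send "{0}" -recv 302 -LRTM ENABLED -interval 30' -f $send)
```

Running this once per monitor account also shows quickly whether a 407 comes from a wrong realm in the user name rather than from the NetScaler, which is where most of the time in the post went. Because the token is only base64, the printed monitor line contains the account’s password in recoverable form; treat the NetScaler configuration and any log of this output accordingly.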

I hope someone will find this information useful – one small disclaimer: Basic Authentication is not encrypted – just encoded – and therefore basically clear text.