Correctly formatting the Internet and Work domains policy
- In reference to this document:
http://technet.microsoft.com/en-us/library/cc135634.aspx
Q1: If I want all external sites to go through the proxy, how do I format this?
Q2: If I want all internal site to NOT go through the proxy, how do I format this?
Thanks!!!
Answers
- Alfalfa01 & Tim,
I can confirm that the Work Domains work well. I added :
*://*.domain.com/*
*://*.domain.com.au/*
*://*.domain.co.uk/*
*://*.local/*
as my work domains, and they bypass my proxy.
Cheers Wayne
Airloom
Thanks very much Jiri!
- Marked As Answer by Marco Nielsen (Answerer), Tuesday, May 12, 2009 2:28 AM
- Proposed As Answer by David Creedy, Tuesday, December 09, 2008 11:08 PM
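As an added illustration (not part of the thread or of any Microsoft documentation): a small Python matcher that treats the posted domain patterns as globs, where `*` matches any run of characters, an assumed semantics since the device's real matching rules are not spelled out here. It shows why the screenshot pair `*://*/*` / `*://*.*/*` claims every dotted name for both lists, how the `*://*.domain.com/*` form singles out internal hosts (Q2) while everything else falls to the Internet pattern and the proxy (Q1), and which URLs such a pattern still misses (a bare `domain.com`). The `route()` and `overlap()` helpers and the "Work list checked first" ordering are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Work Domain patterns confirmed in the thread, and the Internet pattern from the screenshot.
WORK_DOMAINS = [
    "*://*.domain.com/*",
    "*://*.domain.com.au/*",
    "*://*.domain.co.uk/*",
    "*://*.local/*",
]
INTERNET_DOMAINS = ["*://*.*/*"]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumed semantics: '*' matches any run of characters, everything else is literal.
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$", re.I)


def normalize(url: str) -> str:
    # Lowercase scheme and host, and give host-only URLs a '/' path so 'host/*' patterns can match.
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/",
                       parts.query, parts.fragment))


def matching_patterns(url: str, patterns) -> list:
    url = normalize(url)
    return [p for p in patterns if glob_to_regex(p).match(url)]


def route(url: str, work=WORK_DOMAINS, internet=INTERNET_DOMAINS) -> str:
    # Assumption: the Work list is consulted first, because '*://*.*/*' also matches every
    # internal name that contains a dot. 'work' = bypass the proxy, 'internet' = go through it.
    if matching_patterns(url, work):
        return "work"
    if matching_patterns(url, internet):
        return "internet"
    return "unmatched"


def overlap(urls, work, internet) -> list:
    # URLs claimed by both lists; with the screenshot pair ('*://*/*' vs '*://*.*/*')
    # that is every dotted host, which is why the specific form is needed.
    return [u for u in urls if matching_patterns(u, work) and matching_patterns(u, internet)]


if __name__ == "__main__":
    # Constructed sample URLs; domain.com is the placeholder name used in the thread.
    for u in ["http://intranet.domain.com/home", "https://Portal.domain.co.uk",
              "http://domain.com/", "http://www.example.org/", "http://intranet/"]:
        print(f"{u:35} -> {route(u)}")
    print("ambiguous:", overlap(["http://intranet.domain.com/"], ["*://*/*"], ["*://*.*/*"]))
```

Note that `*://*.domain.com/*` does not cover the bare apex `http://domain.com/`, which therefore goes to the proxy; add it explicitly if it hosts internal pages.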
All Replies
- Hi Alfalfa,
Your luck may vary on this, but I have found some pointers on this. Most of them I believe are mentioned in Glen's blog posting here: http://www.glenscott.net/2008/11/04/windows-mobile-56-networking-profiles-proxy-and-vpn-setup/.
I assume you have already set the Proxy and tried to make the exception for your internal namespace and it didn't work?
I think this goes back to the logic on the devices stating that any lookup with a "." in it is assumed in the Internet namespace.
Please post more details of your setup, what you have tried, and maybe we can all further assist with a solution.
|\\arco..
- Alfalfa01,
I knew you’d be asking this question at some point.
The mdm VPN breaks the Internet / Work rules, as everything is channelled through the VPN. I know this link is for an mdm document but there have been many discussions on the forum about these settings not applying as expected. http://social.technet.microsoft.com/forums/it-IT/SCMDM/thread/a50aa752-c746-4b4a-b0af-773483317a11/
Glenn’s article is insightful, but I would also read http://technet.microsoft.com/en-us/library/cc678152.aspx which recommends channelling * & *.* Domains through the Internet Connect. There is also a cool section about resolving NETBIOS names through DNS.
Marco has posted a how-to on getting the DNS Settings to work - http://myitforum.com/cs2/blogs/mnielsen/archive/2008/10/05/writing_2D00_custom_2D00_gpos_2D00_for_2D00_scmdm_2D00_2008.aspx but that should be a separate post.
To get the exceptions to work you will need to open up the internal firewall rules to allow the Device VPN IP Range to access the servers directly. If this is web traffic, then open up 80 and 443. If it’s DM traffic then 8443. Any other LOB traffic, then add the relevant ports…
You may also want to temporarily open ICMP traffic to check whether your routing is correctly setup.
The next step depends on whether you are running a Standard or Professional device.
On Professional devices there is an Exceptions tab that you can use. You get to this by Start -> Settings –> connections (tab) –> connections (icon) –> Advanced (tab), Select Exceptions… (button). You can enter your internal servers individually or you can add wildcards. I normally add several wildcards.
*.domain.com
*.domain.co.uk
*.domain.com.au
Etc
This will allow server requests matching the wildcard to bypass the proxy and head directly into your network.
There are no exceptions on Standard devices. I know it sucks. There are OMADM commands that can set Exceptions on Standard devices, but there is no way (that I know of) to inject OMADM commands into mdm. You can build a custom GPO template to deploy proxies but Exceptions are handled differently.
Cheers Wayne
Airloom
- Proposed As Answer by Wayne Phillips, MVP, Moderator, Thursday, December 04, 2008 2:06 AM
- The proxy is set, but I have not set an exception for our internal namespace. Where is that located?
With the proxy set, we can't connect to either internal or external sites.
I'm going to take a look at the link you provided and get back to the thread with any findings...
Thanks!
- Alfalfa,
Just follow these steps on your device.
Start -> Settings –> connections (tab) –> connections (icon) –> Advanced (tab), Select Exceptions… (button). You can enter your internal servers individually or you can add wildcards. I normally add several wildcards.
*.domain.com
*.domain.co.uk
*.domain.com.au
Etc
This will allow server requests matching the wildcard to bypass the proxy and head directly into your network.
Cheers Wayne
Airloom
- Whoops. Wayne, I was posting my reply when you posted the answer. Reading your info now, too.
If I understand this correctly, I have to MANUALLY add these settings into each device? That stinks and obviously doesn't scale, but lemme check it out and see how it works.
- Let’s just check it works first and then we can work on automatically provisioning the settings. Anything is possible with mdm, well almost!
Don't forget the firewalls!
Cheers Wayne
Airloom
- Hmmmm. Well, I just looked at the policies we have set and it looks like the guy that manages the policies already applied the following settings before he left work:
Internet:
*.*
Work:
*.domain.biz
*.domain.com
*
I tried 2 of my phones and one phone actually allows external and internal web traffic (Verizon 6800) but the other one does not (AT&T Tilt).
Any way I can confirm, on the device, that these settings are actually applied?
Our firewall setup is as follows:
Port 8080 opened from VPN IP Pool to proxyserver.domain.com
Port 443 opened from VPN IP Pool to proxyserver.domain.com
Port 8443 opened from VPN IP Pool to DM server
- Alfalfa,
That's great news. Can you confirm that the "Internal Traffic" is going directly, rather than through the Proxy server? When you say "Internal web Traffic", are you accessing a web page other than the DM server? The firewall in its current configuration would not allow this! So it seems that the "Internal Traffic" is actually going through the proxy server. Which is fine, but not what you originally intended.
As for the other device, can you confirm it has the new policies ?
Cheers Wayne
Airloom
- Wayne Ph1ll1ps said:
Alfalfa,
That's great news. Can you confirm that the "Internal Traffic" is going directly, rather than through the Proxy server? When you say "Internal web Traffic", are you accessing a web page other than the DM server? The firewall in its current configuration would not allow this! So it seems that the "Internal Traffic" is actually going through the proxy server. Which is fine, but not what you originally intended.
As for the other device, can you confirm it has the new policies ?
Cheers Wayne
Airloom
How can I determine if the internal traffic is going through the proxy? For internal tests, I connect to our company's internal home page as well as some other "internal only" published pages.
How can I confirm that the other device has the policies applied? Connect Now on that device is showing "success".
- OK, does your firewall allow the devices to connect directly to these internal servers? From what you previously posted, I would say no. Therefore the traffic must be going through the Proxy server.
Alfalfa01 said:
Our firewall setup is as follows:
Port 8080 opened from VPN IP Pool to proxyserver.domain.com
Port 443 opened from VPN IP Pool to proxyserver.domain.com
Port 8443 opened from VPN IP Pool to DM server
Cheers Wayne
Airloom
- Wayne Ph1ll1ps said:
OK, does your firewall allow the devices to connect directly to these internal servers? From what you previously posted, I would say no. Therefore the traffic must be going through the Proxy server.
Alfalfa01 said:
Our firewall setup is as follows:
Port 8080 opened from VPN IP Pool to proxyserver.domain.com
Port 443 opened from VPN IP Pool to proxyserver.domain.com
Port 8443 opened from VPN IP Pool to DM server
Cheers Wayne
Airloom
Aah. I see now. So I would have to open a port for each site I'd want to direct the traffic to internally, right? That's not going to happen.
Any other way to bypass the proxy when going internal?
- Alfalfa,
To be short NO. You can either open the ports and go direct, or go via a Proxy Server. It looks like the proxy is working so go with it.
Alfalfa01 said:
Aah. I see now. So I would have to open a port for each site I'd want to direct the traffic to internally, right? That's not going to happen.
What are the reasons for not wanting to open the ports?
Cheers Wayne
Airloom
- Wayne Ph1ll1ps said:
Alfalfa,
To be short NO. You can either open the ports and go direct, or go via a Proxy Server. It looks like the proxy is working so go with it.
Alfalfa01 said:
Aah. I see now. So I would have to open a port for each site I'd want to direct the traffic to internally, right? That's not going to happen.
What are the reasons for not wanting to open the ports?
Cheers Wayne
Airloom
Because that would require us to open a port for each website we wanted access to and that list would probably be quite large in the end - something hard to manage.
Funny that it is letting internal requests through the proxy. I was specifically told by the proxy admin guy that this would not work. Which is partly why I brought up this thread in the first place....lol.
- Alfalfa,
Fair enough. In that case I would run all my internal web pages through the proxy server.
I am assuming you are running Exchange ActiveSync? If you are running Exchange I would recommend running that directly, for three reasons... performance... battery life... and risk. If your proxy server is busy, ActiveSync will be affected, decreasing performance. Even if the Proxy is working perfectly, it will not be as quick as going directly. Exchange uses something called the AUTD heartbeat to manage the push function. This mechanism reduces battery drainage. Your Proxy server would affect this mechanism, therefore increasing battery drainage. If your Proxy fails, then ActiveSync fails. Usually an Exchange outage is seen as higher business impact than web browsing. In this case you are adding complexity for no gain, and adding further risk. Just thought I'd add my 10 cents.
I would also recommend running MDM policy update directly.
Apart from that you are cooking !
Cheers Wayne
Airloom
- Wayne Ph1ll1ps said:
Alfalfa,
Fair enough. In that case I would run all my internal web pages through the proxy server.
I am assuming you are running Exchange ActiveSync? If you are running Exchange I would recommend running that directly, for three reasons... performance... battery life... and risk. If your proxy server is busy, ActiveSync will be affected, decreasing performance. Even if the Proxy is working perfectly, it will not be as quick as going directly. Exchange uses something called the AUTD heartbeat to manage the push function. This mechanism reduces battery drainage. Your Proxy server would affect this mechanism, therefore increasing battery drainage. If your Proxy fails, then ActiveSync fails. Usually an Exchange outage is seen as higher business impact than web browsing. In this case you are adding complexity for no gain, and adding further risk. Just thought I'd add my 10 cents.
I would also recommend running MDM policy update directly.
Apart from that you are cooking !
Cheers Wayne
Airloom
Yes, we are using Exchange Activesync. I have a port open to that so it's going direct.
We also have 8443 open to the DM box, so that is going direct as well.
Have been trying all night to get the AT&T Tilt device to work, but to no avail.
One thing I'm noticing on both devices, is that if I go into the Exception list on the device and manually populate it with:
*.domain.biz
*.domain.com
And then do a Connect Now, the connection "succeeds" fairly quickly, 10 mins or so.
Then if I take a look at the Exception list again and the entries have been removed.
With the entries removed, connection takes a long time to "succeed", if at all.
Seems like something still is not right, even on the Verizon device.
- More info....
Looks like the settings break the communication to the DM server for policy... somehow... on BOTH devices. Adding in the Exceptions noted above manually allows the policy to come down, but then the device no longer receives policy.
- [Screenshot: Verizon 6800 device]
[Screenshot: AT&T Tilt device]
These are the screenshots from the DM console for each device. What you see is a record of what is going on above - device is unable to get future policy after initial policy push, manual changes are made to exception list, device gets policy, but then is unable to get future policy again.
Not sure what is going on.
- Alfalfa01 said:
More info....
Looks like the settings break the communication to the DM server for policy... somehow... on BOTH devices. Adding in the Exceptions noted above manually allows the policy to come down, but then the device no longer receives policy.
This still sounds like there are some Proxy or exception issues.. If using an ISA server for the Web Proxy you should also be aware of this tidbit:
To configure a Proxy running ISA server to tunnel HTTPS packets on port 8443 to the Device Management server, use the AddTPRange.vbs script from here: http://www.microsoft.com/technet/isa/2004/plan/managingtunnelports.mspx
|\\arco..
- Alfalfa,
Last night I had an interesting chat with a Microsoft Mobility Services Field Engineer (during a Guitar Hero thrash out) and he assures me that you can get the Internet and Work Domains to work. I've not tested this, and I’ll try to test this soon, but in the meantime you might want to give it a go. In your screenshots you can see the entry “ *://*/* ” for Work Domain and “*://*.*/*” for Internet Domain. Try using this more specific format when allocating the domains. Try “ *://*.domain.com/* “ and “ *://*.domain.biz/* “ for your work domains. I hope this makes a difference. You may need to rebuild your device, seeing as it can’t pick up any further policies.
Cheers Wayne
Airloom
- Wayne Ph1ll1ps said:
Alfalfa,
Last night I had an interesting chat with a Microsoft Mobility Services Field Engineer (during a Guitar Hero thrash out) and he assures me that you can get the Internet and Work Domains to work. I've not tested this, and I’ll try to test this soon, but in the meantime you might want to give it a go. In your screenshots you can see the entry “ *://*/* ” for Work Domain and “*://*.*/*” for Internet Domain. Try using this more specific format when allocating the domains. Try “ *://*.domain.com/* “ and “ *://*.domain.biz/* “ for your work domains. I hope this makes a difference. You may need to rebuild your device, seeing as it can’t pick up any further policies.
Cheers Wayne
Airloom
Hey,
Last October I followed the SCMDM 08 Workshop in Prague. There we also used the above syntax to define the Work and Internet domain.
There it worked fine (perfect environment). Back at the office I had the same problem as above; too bad I did not make a note of this at the workshop.
Great answer! I'm logging in to my work now to check and test this entry!
Greetz
- Hi Tim,
I'm sure we can thrash out a GPO to get this working.
Cheers Wayne
Airloom
- Goodmorning,
This morning I added the right syntax to use the work domains.
What happens next is the following:
I changed the policies, did a device policy calculation update and then used MDM Connect Now.
I get a Success message back from MDM Connect, my internet works fine and it connects.
But every time I now use MDM Connect it returns a Success but 1 sec. after that the VPN disconnects! and re-connects.
When I use the standard policy (same as internet but without work domain and proxy setting) this doesn't happen.
The image below is a screen from the device's history. What worries me is that every time I use MDM Connect the Workdomain policy is set and the last message is a Delete. (see attachment)
http://img369.imageshack.us/img369/6066/workdomainwk6.png
- Proposed As Answer by David Creedy, Tuesday, December 09, 2008 10:57 PM
- Tim NL said:
Goodmorning,
This morning I added the right syntax to use the work domains.
What happens next is the following:
I changed the policies, did a device policy calculation update and then used MDM Connect Now.
I get a Success message back from MDM Connect, my internet works fine and it connects.
But every time I now use MDM Connect it returns a Success but 1 sec. after that the VPN disconnects! and re-connects.
When I use the standard policy (same as internet but without work domain and proxy setting) this doesn't happen.
The image below is a screen from the device's history. What worries me is that every time I use MDM Connect the Workdomain policy is set and the last message is a Delete. (see attachment)
http://img369.imageshack.us/img369/6066/workdomainwk6.png
I noticed those deletes in mine as well.
BTW, I'm still working on this problem. Going through different combinations, wiping the devices, starting over, etc. etc. Very painful.
Hopefully this will be worked out before too long.
Thanks!
- Tim,
The Delete command is normal, but, you are right, it should happen first. Maybe it's being listed in the History "out of order". It should delete the Domains container and then set each individual Domain Name. From what I can deduce from the screenshot, my system is set up exactly the same as yours. I'm using a Palm Treo Pro and Imate Ultimate 8502, and both work flawlessly. Even when I deploy new Domains to these devices the VPN doesn't drop. Don't know what's going on there.
Cheers Wayne
Airloom
Hi,
In our company we use the HTC Touch Diamond - HTC Touch Diamond Pro - HTC s740
Today I'm going to check with other devices; I only tested it with the Touch Diamond Pro.
I will report the test results when ready.
It looks like it works, but it's strange that it keeps pushing the Proxy name and work domain.
More later on.
- But why aren't the exceptions shown on the mobile device when the policy is set like Wayne proposed?
Interesting point! We need some input from the Windows Mobile design team... but I have some theories. If the GPO exceptions were present in the connection settings then the user would be able to change them. Not something you really want the user to change in a corporate environment. It could have been implemented to show the exceptions but block the user from changing them, but that would stop the user from adding their own exceptions. To be honest the users really don't need to see these exceptions to perform their business functions.
Cheers Wayne
Airloom