Corporate proxy problems
- We have a web proxy server located on our intranet, listening on port 8080. We have configured an MDM device GPO with the setting "Corporate proxy server for internet access" set to the IP address of our web proxy server.
With this configuration, we encounter two problems:
- When we enroll a new device, that device will access the DM server directly using port 8443 until the GPO is applied. After that, the device tries to access the DM server using port 8443 through the configured web proxy server(!?) The inner firewall does not allow this traffic, and even if it did allow it, the web proxy wouldn't listen on that port. Why does the device try to use the web proxy for intranet based DM server access?
- When using Internet Explorer on the device, it will try to access Internet sites through the proxy, using port 80, while the proxy listens on port 8080.
How can we solve these problems? How can we prevent the device from using the proxy for accesses to intranet based systems? How can we configure proxy ports to be used?
All replies
- Hi Gunnar,
You have an error in the GPO. Easy fix. It needs to be:
fqdn:8080 or ip:8080, i.e. proxy.corp.com:8080 or 172.18.10.1:8080
Try that and let us know if you're still seeing the same problems.
best, Pat.
Mobility Architect, Enterprise Mobile
- I'd rather call it "an error in the documentation" when I fail to add a completely undocumented parameter in the GPO ;-)
Anyhow, I tried adding the ":8080" to the proxy parameter in the GPO, and now the DM Server accesses are sent to the proxy using port 8080. But since the proxy server (an ISA 2006) is neither configured to bounce traffic back to the intranet, nor is configured to proxy 8080-> 8443 SSL traffic, it still fails.
I tried to manually add our local domain name to the "Exceptions" list in the Connection Settings on the device, and then it works as expected, i.e. the DM server is accessed directly without passing the proxy server.
I then tried to add the same domain name to the "Configure Internet/Work Domains" in the GPO (as "Work Domain"), assuming that this parameter is the same as the one I manually configured on the device. (I can't find any good explanation on that GPO parameter...).
This GPO setting did not produce the same result as the manual configuration; is there some other GPO parameter I should tweak to accomplish this?
- Hi Gunnar,
I _think_ this ties in to something I'm wrestling with right now. In beta-1 & 2 the way it would work was that if short (netbios) name is used AND the target is in the device's "Work" configuration it'll go direct, otherwise it's presumed to be part of the "Internet" connection and thus goes via the proxy. From what I can tell (and am seeing on wireshark traces) that may no longer be applicable.
Will know more tomorrow. Stay tuned. Also in beta-2 was the need to extend the SSL tunnel range, but that appears to have gone away. Have a meeting lined up with the product team to go over exactly this issue and nailing down precisely how traffic flow works.
P.
Mobility Architect, Enterprise Mobile
- Gunnar Carlson said:
We have a web proxy server located on our intranet, listening on port 8080. We have configured an MDM device GPO with the setting "Corporate proxy server for internet access" set to the IP address of our web proxy server.
With this configuration, we encounter two problems:
- When we enroll a new device, that device will access the DM server directly using port 8443 until the GPO is applied. After that, the device tries to access the DM server using port 8443 through the configured web proxy server(!?) The inner firewall does not allow this traffic, and even if it did allow it, the web proxy wouldn't listen on that port. Why does the device try to use the web proxy for intranet based DM server access?
- When using Internet Explorer on the device, it will try to access Internet sites through the proxy, using port 80, while the proxy listens on port 8080.
How can we solve these problems? How can we prevent the device from using the proxy for accesses to intranet based systems? How can we configure proxy ports to be used?
Hi Gunnar, To solve the first part of your problem with the proxy allowing SSL traffic towards port 8443, I believe these steps will help you configure your ISA 2006 server:
1. Make sure that the proxy can resolve the DNS name for the MDM Device Management Server, and that this server can be accessed from the proxy.
2. Configure the proxy server to tunnel HTTPS packets on port 8443. To allow tunneling port 8443 with ISA Server as the proxy, use the AddTPRange.vbs script as described in “Managing Tunnel Port Ranges” at this Microsoft Web site: http://www.microsoft.com/technet/isa/2004/plan/managingtunnelports.mspx
3. In Mobile VPN Settings, under Corporate Proxy Server policy, configure <ProxyIPaddress>:8080 in the policy setting.
|\\arco..
http://www.enterprisemobile.com
http://marco.blogsite.org
|\\arco..
- Hi Marco,
Thanks for the suggestion, but I don't think that this is a working solution. We have an ISA server as web proxy in our test environment, but there's another product in the production environment. And to configure the web proxy to handle all kind of traffic that shouldn't go there in the first place seems to be a correction in the wrong place...
The real solution should be to configure the devices to directly access intranet based systems without bothering the web proxy with that traffic. I can manually configure the device to do this, but haven't been able to do it with a GPO...
- Hi Gunnar,
it's actually working as designed because this is just SSL traffic which is using a port other than tcp443, and that's one reason why the choice of port is administrator-configurable. It's being treated identically to 80/443 traffic because that's exactly what it is.
I'd be really surprised if your production proxy couldn't handle this.
Mobility Architect, Enterprise Mobile
- Hi Patrick,
Maybe the prod proxy server can handle this, but that doesn't automatically mean that it should.
Normally when you configure a proxy client, you have the option to "bypass proxy for web servers in this network..." so that the proxy need not bother about traffic targeting web sites on the intranet.
This option is also available in the mobile device by manually configuring the Exception list in Start - Settings - Connection tab - Connections icon - Advanced tab - Exceptions button - Add new URL. If I add the intranet domain dns name to that list, accesses to the MDM DM server is sent directly to the DM server using port 8443 without involving the proxy server.
I assumed that the Mobile Device GPO setting Computer Configuration - Windows Mobile Settings - Configure Internet/intranet Domains - Work Domain was the GPO version of the manual setting, but adding the local DNS name to that list doesn't affect the MDM DM web site access. The GPO processing of the "Work Domain" setting seems to be broken.
- I add our local DNS domain name to the "Exceptions" list in the connection settings on the device.
- I add the same local DNS name to the Work Domains GPO setting in AD, together with a proxy server configuration.
- I enroll the device. The device has no problem contacting the MDM DM server directly without using any proxy.
- The GPO is downloaded from the DM server.
- The GPO is applied.
- The proxy configuration is applied correctly, causing the device to use the web proxy for Internet access.
- The "Exceptions" list in the connection settings is cleared, as it should be when the "Work Domains" GPO setting is set to "Enabled".
- The Work Domain settings from the GPO are not applied, leaving the Exceptions list empty and causing the device to try to contact the MDM DM server through the Internet proxy.
I will file an error report on this.
- It's not an error; that's the way it's designed to work.
If a proxy is defined then all http(s) traffic will go via it, including the management traffic, regardless of what you may have configured on the device. That's why Marco's earlier response was right on the money. All other traffic (ftp, rdp, whatever) will go direct.
Pat.
Mobility Architect, Enterprise Mobile
- "If a proxy is defined then all http(s) traffic will go via it, including the management traffic, regardless of what you may have configured on the device"
This is not true. If I configure the local dns domain name in the Exception list in Start - Settings - Connection tab - Connections icon - Advanced tab - Exceptions button - Add new URL, the device will access the DM server without going via the proxy. Non-local domain access will still be sent to the proxy. This is exactly the way I expect (and want) it to work.
If it is designed to always go to the proxy regardless of how the device is configured, exactly what is the purpose of the "Work Domains" GPO setting?
A note in the GPO setting description (http://technet.microsoft.com/en-us/library/cc135634.aspx) says "If the list is empty and Work Domains are Enabled, then all previous domain settings on the device are removed." Well, the Work Domains are Enabled and all previous settings are removed, but the list in the GPO isn't empty, although the end result looks as if it were.
Given the fact that configuration of the Exception list will cause the device to bypass the proxy for local web sites, I still regard it as a bug that the "Work Domains" GPO setting clears the Exception list without adding the entries defined in the GPO.
- I think Gunnar has a point here. The exceptions should work. If all HTTP/S traffic should go to the proxy, there would be no point in configuring the exceptions at all. I am struggling with the same problem and the only solution I have found so far really is adding the custom SSL port to ISA.
The exceptions really seem to be ignored. Even if I browse an internal page from Pocket IE the traffic goes through the proxy.
Regards
David
- Here is a thought on this process. Does the receiving server have its exceptions list configured? My thought is that the client IS sending the information to the internal server, but that the server is sending it to the Proxy (given that all Internet traffic is to be sent through the proxy). Just a thought...
Also, have you used Wireshark or another packet tracer to see where the traffic is indeed heading when it is coming out of the client's NIC? It very well may be heading directly for the server instead of the Proxy.
However, I do have a question since we are on the topic of proxies and port forwarding. My employer has a proxy set up on port 80 for all non-internal addresses. My question is, if I go to an SSL site (login to my bank, mobile phone account, etc.), can the proxy see what I see?
I ask because when I think of proxies I think of them terminating the incoming traffic and doing a port forward to me. Therefore, the external server would see them as the client instead of my actual machine, correct?
Thank you and hope what I mentioned helps,
--Richard
Security Consultant
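An added example (not from this thread, and not ISA's or Microsoft's code) covering two things discussed above: the exception-list decision the device makes (a host under a "Work Domains"/Exceptions entry goes direct, everything else goes to the proxy), and what Marco's step 2 does on the proxy side. A web proxy carries HTTPS by accepting an HTTP CONNECT request that names only host:port; ISA honours CONNECT only to ports in its tunnel port range, which is why 8443 is refused until the range is extended. The script below is a tiny CONNECT proxy on 127.0.0.1 with such a range, a constructed echo listener standing in for the DM server (on an ephemeral port rather than 8443), and a client pushing an opaque payload through the tunnel. The default ports 443 and 563 are my assumption of ISA's defaults, and all host names and ports are made up for the demo. The proxy's `observed` list also bears on Richard's question: a plain CONNECT proxy records destination host and port and relays the bytes unparsed, so it does not see inside a TLS session; it can only do so if it is set up to terminate TLS itself, in which case the browser is shown a certificate issued by the proxy's own CA rather than the site's.

```python
# Added example (not from the thread, not ISA's code): a minimal CONNECT proxy
# with an ISA-style tunnel port range, plus the device-side exception-list
# ("Work Domains") routing decision. Everything runs on 127.0.0.1.
import socket
import threading
from contextlib import suppress

ISA_DEFAULT_TUNNEL_PORTS = {443, 563}  # assumed ISA defaults; check your version

def choose_route(host, proxy, exceptions):
    # Device side: DIRECT for hosts under an exception-list domain, else proxy.
    host = host.lower().rstrip(".")
    for exc in exceptions:
        exc = exc.lower().lstrip("*.").rstrip(".")
        if host == exc or host.endswith("." + exc):
            return "DIRECT"
    return f"PROXY {proxy}"

def _listen_and_serve(handler):
    # Listen on an ephemeral 127.0.0.1 port; one daemon thread per connection.
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    def loop():
        while True:
            conn, _ = sock.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1]

def _read_head(sock):
    # Read up to the blank line that ends an HTTP head; return (head, leftover).
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest

def _pipe(src, dst):
    # Copy bytes src -> dst until EOF, then half-close dst. Nothing is parsed.
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

class ConnectProxy:
    # CONNECT-only proxy. `observed` is all it sees: host, port, decision.
    def __init__(self, tunnel_ports):
        self.tunnel_ports = set(tunnel_ports)
        self.observed = []
        self.port = _listen_and_serve(self._handle)

    def _handle(self, conn):
        with conn:
            head, early = _read_head(conn)
            line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
            method, target = (line.split(" ") + ["", ""])[:2]
            host, _, port = target.rpartition(":")
            port = int(port) if port.isdigit() else 0
            if method != "CONNECT" or port not in self.tunnel_ports:  # range check
                self.observed.append((host, port, "refused"))
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
                return
            self.observed.append((host, port, "tunnelled"))
            with socket.create_connection((host, port)) as upstream:
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                upstream.sendall(early)  # anything the client sent before our reply
                _pipe(conn, upstream)  # half-duplex relay is enough for this demo;
                _pipe(upstream, conn)  # a real proxy relays both directions at once

def start_echo_server():
    # Constructed stand-in for the DM server: echoes whatever it receives.
    return _listen_and_serve(lambda c: _pipe(c, c))

def tunnel_through_proxy(proxy_port, host, port, payload):
    # Client: CONNECT, then push an opaque payload (stands in for TLS records)
    # through the tunnel. Returns (status code, bytes echoed back).
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        status, echoed = _read_head(s)
        code = int(status.split(b" ")[1])
        if code != 200:
            return code, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        while chunk := s.recv(4096):
            echoed += chunk
        return code, echoed

def run_demo(payload=b"\x16\x03\x03 constructed stand-in for TLS records"):
    # DM port is outside the default tunnel range, so the first CONNECT is
    # refused; after extending the range (the AddTPRange step) it is relayed.
    dm_port = start_echo_server()  # ephemeral here; 8443 in the thread
    proxy = ConnectProxy(ISA_DEFAULT_TUNNEL_PORTS)
    before = tunnel_through_proxy(proxy.port, "127.0.0.1", dm_port, payload)
    proxy.tunnel_ports.add(dm_port)
    after = tunnel_through_proxy(proxy.port, "127.0.0.1", dm_port, payload)
    return {"before": before, "after": after, "observed": list(proxy.observed)}
```

Running `run_demo()` returns a 403 for the first CONNECT and a 200 with the payload echoed back for the second, and `observed` holds only `(host, port, decision)` tuples. `choose_route("mdm.corp.example", "proxy.corp.example:8080", ["corp.example"])` returns `DIRECT`, which is the behaviour Gunnar gets from the manual Exceptions list; the same decision for a public host returns `PROXY proxy.corp.example:8080`.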