Win8/10 + IE 11 + Enhanced protected mode + 2012 RRAS SSTP VPN = Page cannot be displayed

  • Question

  • I have a strange issue where domain-attached Win 8/10 computers using desktop IE11 with enhanced protected mode enabled are unable to browse internet zone pages when connected via SSTP via our 2012 RRAS server.

    The issue only occurs in this specific scenario.

    Windows 7 machines do not have this issue. The only significant difference between our Windows 7 machines and Windows 8/10 ones is that the 7 machines are 32bit whereas the 8/10 machines are 64bit.

    Other than turning off EPM, which is not an option for us, the only other way of getting browsing to work in this scenario is to use a web proxy on the VPN connection, but again this is not a solution I wish to roll out across the organisation.

    I'm not able to run Wireshark as it won't see the VPN connection, so I wonder if anyone else has experienced this or a similar issue and might be able to shed some light on it?



    Wednesday, January 18, 2017 6:39 PM

All replies


    Have you turned off the firewall or checked the firewall settings?

    All Internet and intranet sites are assigned to the Internet zone by default. Intranet sites are not part of the Local intranet zone unless you explicitly add them to this zone.

    Suppose IE has gone through all the above configuration points and decided to enable EPM for the webpage; it will still need to check the following conditions in order to decide how EPM should be enabled.

    Windows 8/8.1:

    Is the Windows 8 OS 32bit or 64bit?

    64bit process is not available in 32bit OS, so EPM only means the AppContainer IL of sandboxed HTML in 32bit Windows 8.

    Is it IE10 or IE11?

    The final decision will be 64bit process + AppContainer IL, if it is IE10.

    However if it is IE11, it will check if “Enable 64-bit processes for Enhanced Protected Mode*” is enabled in Internet Options.

    Please refer to the link below and check if it is helpful.


    Hope it will be helpful to you

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 19, 2017 3:03 AM
  • We are not blocking any outbound traffic in windows firewall and disabling the firewall across all zones does not have any effect.

    Intranet sites are assigned to the correct zone and work as EPM is not enabled on the intranet zone.

    Win 8/8.1 machines are all x64

    All machines are using desktop version of IE 11

    Enabling “Enable 64-bit processes for Enhanced Protected Mode*” has no effect

    This issue occurs only for internet traffic hitting the internet zone in IE 11 when a device is connected to the internal network via our SSTP VPN (2012 R2 RRAS)

    Thursday, January 19, 2017 11:58 AM
  • It seems not all traffic in IE is failing.

    I can access the default search provider, Bing, via http or https.

    I can seem to access some/most https addresses but http addresses do not work at all.

    Thursday, January 19, 2017 1:43 PM
  • I would be interested to get an idea if people are disabling EPM in their environments?

    I've tried everything I can think of but no internet URLs will display when connected to the VPN with EPM enabled.

    Only way to get them to load via the VPN seems to be to disable EPM.

    Tuesday, April 4, 2017 4:50 PM