
WSUS clients all have the IP of the TMG server?


#1 TPreston


Posted 23 November 2012 - 13:53

I'm having an issue with Windows proxy configuration. Normally I used the registry keys in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyServer, ProxyOverride, ProxyEnable, etc.) to enable the proxy for everything but WSUS and my local Adobe update server, and I had no issues with WSUS. However, after reading that the Windows Store doesn't use these settings

http://tmgblog.richa...front-tmg-2010/ (explaining the failed downloads I was having due to malware inspection)

I deployed a logon script to also include these applications with WinHTTP:

netsh winhttp set proxy proxy-server="http=SecureGateway.MyDomain.com:8080;https=SecureGateway.MyDomain.com:8080" bypass-list="<local>;*.MyDomain.com;WSUS.MyDomain.com:8531"

(initially bypass-list="WSUS.MyDomain.com:8531", but I've added the above to try and get WSUS working)

and then after forcing a gpupdate I tried Windows Update, which showed no problems. Then, after noticing an event log entry about the number of failed updates today, I went in to the WSUS console to discover every computer has the IP address of the TMG server :|

Even though I've set exclusions, all the WSUS traffic is going through the proxy. I've tried setting an exclusion for the WSUS server inside the TMG proxy server domain exclusions with no luck.

Should I kill the IE proxy definitions and just rely on WinHTTP, or what?


#2 +BudMan


Posted 23 November 2012 - 16:54

Why don't you just use a pac file for your proxy settings on your clients - then the only thing you have to hand out to clients via script or group policy is the location of the pac file. You can then do whatever you want with bypasses, using lots of different if's and else's -- you can get as fancy as you need to for bypass, use different proxy, etc.. etc..

And just need to update the pac file for all clients to get the changes - no need to rerun a login script or update group policy on any changes, etc.

http://en.wikipedia....oxy_auto-config

here is a good ref to get you started using a pac file

http://www.proxypacfiles.com/proxypac/

Another nice thing about use of this is most browsers are set by default for autodetect, so will use WPAD to find the location of said pac file and then use it.

http://en.wikipedia....covery_Protocol

This way guests or non AD members would also get your proxy info as long as they are set up for default auto discovery. Even if using a different browser vs just IE, etc.
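
A PAC file along the lines suggested in the reply above, as an added example that is not part of the original thread. It reuses the placeholder names SecureGateway.MyDomain.com:8080 and WSUS.MyDomain.com from the first post; the helper hasSuffix and the two rule lists are names introduced here. Bypass matches are anchored to the end of the host name so that lookalike external names still go through the proxy.

```javascript
// Added example, not from the thread. Host names and the proxy port are the
// placeholder values from the first post; the rule lists are assumptions.
var PROXY = "PROXY SecureGateway.MyDomain.com:8080";
var DIRECT_HOSTS = ["wsus.mydomain.com"];   // exact names that must bypass the proxy
var DIRECT_SUFFIXES = [".mydomain.com"];    // internal domain, like *.MyDomain.com

// ES3-style suffix test so the file also loads in older PAC engines.
// The leading dot in the suffix stops "notmydomain.com" from matching.
function hasSuffix(host, suffix) {
  var at = host.length - suffix.length;
  return at >= 0 && host.indexOf(suffix, at) === at;
}

function FindProxyForURL(url, host) {
  // host is the name only; the port (":8531") is not part of it, so
  // bypass rules are written against the name, never "name:port".
  host = host.toLowerCase();
  var i;

  // Single-label names: the equivalent of <local> in a bypass list.
  if (host.indexOf(".") === -1) { return "DIRECT"; }

  for (i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) { return "DIRECT"; }
  }
  for (i = 0; i < DIRECT_SUFFIXES.length; i++) {
    if (hasSuffix(host, DIRECT_SUFFIXES[i])) { return "DIRECT"; }
  }

  // Everything else is sent to the proxy listener.
  return PROXY;
}
```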

#3 +fusi0n


Posted 23 November 2012 - 17:13

Nice work Budman..

#4 OP TPreston


Posted 23 November 2012 - 17:20

Why don't you just use a pac file for your proxy settings on your clients - then the only thing you have to hand out to clients via script or group policy is the location of the pac file. You can then do whatever you want with bypasses, using lots of different if's and else's -- you can get as fancy as you need to for bypass, use different proxy, etc.. etc..

And just need to update the pac file for all clients to get the changes - no need to rerun a login script or update group policy on any changes, etc.

http://en.wikipedia....oxy_auto-config

here is a good ref to get you started using a pac file

http://www.proxypacfiles.com/proxypac/

Another nice thing about use of this is most browsers are set by default for autodetect, so will use WPAD to find the location of said pac file and then use it.

http://en.wikipedia....covery_Protocol

This way guests or non AD members would also get your proxy info as long as they are set up for default auto discovery. Even if using a different browser vs just IE, etc.


I'll try that now. Got one server reporting the correct address by removing the :8531 in IE settings.