WSUS clients all have the IP of the TMG server?



I'm having an issue with Windows proxy configuration. Normally I used the registry keys in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyServer, ProxyOverride, ProxyEnable, etc.) to enable the proxy for everything but WSUS and my local Adobe update server, and I had no issues with WSUS. However, after reading that the Windows Store doesn't use these settings

http://tmgblog.richardhicks.com/2012/11/15/windows-8-modern-ui-apps-and-forefront-tmg-2010/ (explaining the failed downloads I was having due to malware inspection)

I deployed a logon script to also include these applications with WinHTTP:

netsh winhttp set proxy proxy-server="http=SecureGateway.MyDomain.com:8080;https=SecureGateway.MyDomain.com:8080" bypass-list="<local>;*.MyDomain.com;WSUS.MyDomain.com:8531"

(initially bypass-list="WSUS.MyDomain.com:8531", but I've added the above to try and get WSUS working)

Then, after forcing a gpupdate, I tried Windows Update, which showed no problems. Then, after noticing an event log entry about the number of failed updates today, I went into the WSUS console to discover every computer has the IP address of the TMG server :|

Even though I've set exclusions, all the WSUS traffic is going through the proxy. I've tried setting an exclusion for the WSUS server inside the TMG proxy server domain exclusions, with no luck.

Should I kill the IE proxy definitions and just rely on WinHTTP, or what?


Why don't you just use a PAC file for your proxy settings on your clients? Then the only thing you have to hand out to clients via script or group policy is the location of the PAC file. You can then do whatever you want with bypasses, using lots of different if's and else's. You can get as fancy as you need to for bypass, use a different proxy, etc.

And you just need to update the PAC file for all clients to get the changes. No need to rerun a login script or update group policy on any changes, etc.

http://en.wikipedia....oxy_auto-config

Here is a good ref to get you started using a PAC file:

http://www.proxypacfiles.com/proxypac/

Another nice thing about using this is that most browsers are set by default for autodetect, so they will use WPAD to find the location of said PAC file and then use it.

http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

This way guests or non-AD members would also get your proxy info as long as they are set up for default auto discovery. Even if using a different browser vs just IE, etc.
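
A PAC file for the setup described in this thread, added here as an example (it is not code from either poster): it uses the proxy and WSUS hostnames from the first post and assumes the same bare-name and `*.MyDomain.com` bypasses as the `bypass-list` there. The `globalThis` shims are an assumption of this example so the file can be exercised under Node; real PAC engines supply those helpers.

```javascript
// Added example PAC file. Written in ES3 syntax so older Windows PAC
// engines can parse it. Hostnames and ports are the ones from the posts.
var PROXY = "PROXY SecureGateway.MyDomain.com:8080";

// Node-only shims for offline testing. PAC engines provide these helper
// functions themselves, so this branch is skipped on real clients.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

function FindProxyForURL(url, host) {
  // `host` is the name only and never carries the port, so the WSUS
  // bypass is written as "wsus.mydomain.com", not "wsus.mydomain.com:8531".
  host = host.toLowerCase();

  // Equivalent of <local>: single-label intranet names go direct.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }

  // WSUS (listed explicitly for readability) and the rest of the internal
  // domain go direct. The leading dot in ".mydomain.com" keeps look-alike
  // names such as notmydomain.com from skipping the proxy's inspection.
  if (host === "wsus.mydomain.com" || dnsDomainIs(host, ".mydomain.com")) {
    return "DIRECT";
  }

  // Everything else is sent through the TMG proxy.
  return PROXY;
}
```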

I'll try that now. Got one server reporting the correct address by removing the :8531 in IE settings.
