WSUS clients all have the IP of the TMG server ?

Topic	Stats	Last action by
whatsapp's working in General Discussion	1 Reply	+Mephistopheles
Using steam product key with retail DVDs in Computer Gaming	5 Replies	theyarecomingforyou
Doctor Who in The Media Room	5334 Replies	+djdanster
Doom Classic 2014 in Gamers' Hangout	11 Replies	theyarecomingforyou
Epic Threads forum? in Site & Forum Issues	10 Replies	+Mephistopheles

#1 TPreston

Resident Elite

1,699 posts

Joined:

18-July 12

Location: Ireland
OS: Windows Embedded Standard 8 & Server 2012/08 Datacenter
Phone: Nokia Lumia 920

Posted 23 November 2012 - 13:53

Im having an issue with windows proxy configuration, Normally I used the registry keys in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer ProxyOverride Proxy Enable etc to enable the proxy for everything but WSUS and my local adobe update server and I had no issues with wsus however after reading that the windows store doesn't use these settings

http://tmgblog.richa...front-tmg-2010/ (explaining the failed downloads I was having due to malware inspection)

I deployed a logon script to also include these applications with winhttp

netsh winhttp set proxy proxy-server=”http=SecureGateway.MyDomain.com:8080;https=SecureGateway.MyDomain.com:8080” bypass-list=”<local>;*.MyDomain.com;WSUS.MyDomain.com:8531"

(initially bypass-list="WSUS.MyDomain.com:8531" but ive added the above to try and get wsus working)

and then after forcing a gpupdate I tried windows update which showed no problems. Then after noticing an event log entry about the number of failed updates today I went in to the wsus console to discover every computer has the ip address of the tmg server

Even though ive set exclusions all the wsus traffic is going through the proxy. Ive tried setting an exclusion for the wsus server inside the TMG proxy server domain exclusions with no luck.

Should I kill the IE proxy definitions and just relay on winhttp or what ?

Ad Bot

Group: Treasury
Register: It's Free!

#2 +BudMan

Neowinian Super Star

23,797 posts

Joined:

04-July 02

Location: Schaumburg, IL
OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 23 November 2012 - 16:54

Why don't you just use a pac file for your proxy settings on your clients - then the only thing you have to hand out to clients via script or group policy is the location of the pac file. You can then do whatever you want with bypasses, using lots of different if's and else's -- you can get as fancy as you need to for bypass, use different proxy, etc.. etc..

And just need to update the pac file for all clients to get the changes - no need to rerun a login script or update group policy on any changes, etc.

http://en.wikipedia....oxy_auto-config

here is a good ref to get you started using a pac file

http://www.proxypacfiles.com/proxypac/

Another nice thing about use of this is most browsers are set by default for autodect, so will use WPAD to find the location of said pac file and then use it.

http://en.wikipedia....covery_Protocol

This way guests or non AD members would also get your proxy info as long as they are setup for default auto discovery. Even if using a different browser vs just IE, etc.