The Deployment Guys

Helping to deploy your world automagically...

Windows 8 – Supporting proxy services with Static Configurations, Web Hosted PAC files and Domain Policy Configured Proxy

Windows 8 – Supporting proxy services with Static Configurations, Web Hosted PAC files and Domain Policy Configured Proxy

  • Comments 9
  • Likes

Many companies have started using Windows 8 and have noticed with some of the new features there are times when things just don’t seem to work the way they expected them too; this was due to configuration needs and not actual issues in many cases.  We have found this is normally due to some additional configurations that are required to enable the newer features and applications that have been introduced with the new OS.

I would like to focus on one that I have been putting some extra effort towards to help customers get the best experience they can when the enterprise has proxy services enabled and they see issues such as the Windows 8 apps and basic services are not communicating with web services.

Sometimes communities identify issues and is important that we help improve the user experience when issues are identified. There are a couple articles currently articles addressing some of the original issues.   Specifically the need to use the NETSH commands to correct the WINHTTP Proxy service; see the reference articles within this blog for links to them.  This include transitioning to new networks and the use of WPAD for the most robust model for Windows 8.

Note: It is important to also understand before we review these scenarios and options that for the best Windows 8 experience it is recommended to use WPAD to enable all the features of Windows 8 without additional work for the client.  Use these links to understand how to implement WPAD and enabling Authenticated Proxy support.

Supporting Articles: 

Implementing WPAD: KB2777643

Authenticated Proxy Support: KB2778122

Proxy Service in the Enterprise:

Key Scenarios: Typical results in the following scenarios with “Static Proxy”, “Web Hosted Proxy PAC Files” and “Domain Policy Defined Proxy”, hosted PAC files is the following:

  • Window 8 Network Location Awareness: NLA is required for Windows 8 applications to function properly by determining that you are connected to the internet by looking for a file called ncsi.txt on the internet and is the feature that tells the Windows 8 applications if your online.  When this is working right your Network Icon will reflect your online and when you access Windows 8 Application such as Bing Sports it will identify your access and function properly. Properly define proxy services will enable this.
  • Windows 8 Applications:  In general testing Windows 8 applications will function as designed.  Note: This is not a blanket statement for all Windows store application due to the lack of testing. I have tested the normal inbox apps and some additional application downloaded.  
  • The Windows Store Application updates: This feature is functioning while using Static or PAC files when the user is on public networks only.   In some cases it has been noticed that the Inbox Windows 8 apps will be able to update while connected to the corporate network.  If the updating is needed internally and you must use a PAC file you may wish to look at using WPAD. Another option is to use the PAC file model I describe below. 
  • The Windows Store Catalogue:  Can be  viewed and searched. 
  • Windows Store Apps Downloads:  This feature is functioning while using Static or PAC files when the user is on public networks only to purchase apps and download.   If the download is needed internally and you must use a PAC file you may wish to look at using WPAD. Another option is to use the PAC file model I describe below.
  • Windows Update:   For Windows updates it has been observed that Automatic Updates do not work with Proxy configuration but both User Activated updates in the Windows 8 WU and the Classic Update model they will work.  Once the computer is on the public network it will be able to receive Automatic Updates or with the user checking for updates. 

Note: There is a known Issue for Authenticating Proxies Solutions:  You will need to follow the guidance in the KB2778122 for whitelisting certain HTTP address’s listed in article to ensure the best experience while on the corporate network.

Note: Known issue with local installed PAC files:  Local install of PAC files will not work for more than Local Browser services.

Enabling these PROXY scenarios:

We will walk through the simplest implementation which also has most limitation to the preferred method and options for configuration of PAC files.

 

Static Proxy Services:

Note: Only noted to help customers understand chance for negative experience. This is not preferred, this shouldn’t be used unless you are supporting desktop only. I just wanted to make people aware of it.   Preferred approach is WPAD and then Web Proxy PAC file

This model is a direct insertion of the proxy server address and port used for communication via Internet Explore through the configuration via “Internet Options” and clicking on “Connections Tab” then “LAN Settings” and setting up your proxy definition under Proxy Server”

Load Internet Explorer  and open Settings / Internet Options

 

clip_image001 clip_image002

With this implementation you will find that as long as your computer is on the proper network where the proxy server can be found your services as described above will work.  If the Proxy Server is not locatable the following error will be observed due to WEB services not routing properly. Resolution will be to connect the system back to the proper network.

clip_image003

Put the system back onto the proper network or remove the static proxy setting.

Web Based Proxy PAC File:

Note:  Using the following two configuration options in the Proxy path configuration do not work:

If Proxy PAC files need to be used in the enterprise environment using a web hosted service is the preferred method.  This can be hosted on the proxy server or any other IIS services hosting the file so it can be accessed by the computer at boot.   To do this you need to configure the PROXY setting in the manner below.

This model is a direct insertion of the web server address for the PAC file for communication via Internet Explore through the configuration via “Internet Options” and clicking on “Connections Tab” then “LAN Settings” and setting up your proxy definition under Proxy Server

Load Internet Explorer  and open Settings / Internet Options

clip_image001clip_image004

In this case you will have the expected results I noted above in the top of this Blog. I also want to provide a couple sample PAC files that I have found to help make the user experience work well.   I also will discuss a model where you could potentially enable the Windows 8 App Store for downloading applications that was mentioned above where it may potentially not work with PAC files. 

Sample PAC file #1:

Net Results will be that your system will function with new Windows 8 Apps but you will not be able to download new apps till the device is placed outside the corporate network.  The proxy will be offline and your system will default to standard full internet access allowing the download of the selected applications.  If for some reason you have an external Proxy you will need to consider the second sample file for the best results.

This file is the simplest and will identify your host network and then designate the Proxy Server for that network.  If the network host is not found it instructs the WINHTTP services to use the default gateway of the computer.  While on the company network Windows 8 App Store Downloads may not work but when the computer is on a public network it will be able to download Windows Store Apps.

You can use  notepad.exe to create a simple test file, example: Sample1.PAC

//Begin

function FindProxyForURL(url, host)

{

if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0"))

return "PROXY ProxyServerName:8080";

else "Proxy Direct";

}

//End

Sample PAC File #2:

Note: This will require corporate review and approval most likely. The purpose of this Script is to enable Windows Application Store Downloads within the corporate network with proxy services or if the company is using an External Web based Proxy Service.

In this scenario you have a Default Gateway on the corporate network that is open to the internet but normal traffic is always processed through the Proxy server.   With this configuration we have directed any traffic required to communicate with Microsoft to be allowed to operate through the default gateway and the limited capabilities are now removed and Windows Store Apps will now be successfully downloaded on the corporate network.

You can use  notepad.exe to create a simple test file, example: Sample2.PAC

//Begin

function FindProxyForURL(url, host)

{

// variable strings to return

var proxy_online = "PROXY ProxyServer:8080";

var proxy_offline = "DIRECT";

if (shExpMatch(url, "http://*.microsoft.com*"))

      { return proxy_offline; }

if (shExpMatch(url, "https://*.microsoft.com*"))
{ return proxy_offline; }

// Proxy anything else

return proxy_online;

}

//END

Domain Policy Configuration for a PAC File:

This procedure assumes you are familiar will traversing the Group Policy Management tool using either Server 2012 or the Remote Server Administration Toolkit for Windows 8. 

 

First create a policy for Internet Explorer 10 for the proxy configuration under “User Settings” Preference – Control panel settings.

clip_image005

Wizard will pull up and then you can select “Connection” Tab and then “LAN settings” Radio Button

Enter the required Proxy settings and then link the GPO to you target OU

clip_image007

Make sure to select F5 on the Field when you enter the Name so it is accepted.

clip_image008

This will allow you to now set the Proxy GPO on your system. 

Additional information for PAC Files Scripting options can be found here: MS TechNet on PAC File Scripting

This post was contributed by Scott Culbertson, a Solution Architect with Microsoft Consulting Services.

The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

  • If the PAC file has to be on a Web server but the purpose of the PAC file is to tell the machine how to reach the Internet (etc.) then isn't there a catch 22 here?  Should we put this PAC file on the intranet or the Internet?  If the machine boots when on the Internet it won't be able to reach an internal server to get a PAC file.  But if it boots when on the LAN then it wouldn't yet have the proxy configuration from the PAC file to tell it how to get to a PAC file on the Internet.

  • There are two types of Proxy web services, one where some third party companies manage your proxy service from both the cloud and the intranet.   This works fine when you post a http://site type pac file.   Then the other is when you have an internal server and it will still communicate with this as well.   This will still enable your service properly.  

    I am only communicating the required model.  

    To plug our new OS:  Windows 8.1 has fixed the proxy issues by allowing local configuration.  

  • Fully Agreed with the points here, and it shows a great deal of correct sense. Thanks for the wonderful flow of information 

  • Hi Scott,

    Can't we use local pac file at all? We need a requirement to do that? Any insight on that? Any upgraded ie browser will give a fix?

  • Hi, good blog entry and most needed - getting Windows 8 to work nicely in an enterprise is hard work without the hassle of Proxy access making things worse.

    We use Forefront as our forward proxy.   It offers out a client but we STILL see issues on Windows 8 and 8.1.   What gives, especially when we are using auto setup scripts offered directly out of our Proxy (proxyname.com/array.dll)

  • Scott Culbertson  10/1/2013

    Sorry for the Delays,  Just got back from a vacation,

    Selvakumar:   There is no support for Local PAC files; it just wont work.  I worked extensively on this and it just won't work.  

    A Cox:  I have to apologize but I am not sure if anyone tested using an array.dll instead of the HTTP hosted PAC file.  This is basically the same scripting model as a PAC file.  I will reach out and see what I can find out.    I would be interested in what issues you are still seeing other than the ones I noted above.

    Scott    

  • I also use TMG 2010 and Windows 8.1 apps are still unable to authenticate behind the proxy. I have whitelisted several MS sites, but that doesn't help third party apps. Should 8.1 apps support authentication behind TMG 2010? Should it work behind any proxy that requires authentication?

  • I will need to rebuild my lab to test against latest updates but in the early release of 8.1 all these issues were fixed.  How are you configuring and defining your proxy?   Local Pac files are not supported just as a note.  

  • thanks

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment