AD GPO - Set proxy server - How to use laptops at home?

[bence8810]

Hi

I set our AD to assign a GPO to all users to set their Proxy to a certain IP and port, and I also set it to grey out the settings, so they cannot remove the setting.

A user of mine works from home today, and called me "My interent doesnt work" so I thought, wonder why, the proxy is set.

My question is how can I make them able to use their machines at home, where they dont require a proxy? Our proxy is only internal, cannot be accessed from outside.

Thanks

Ben

 

[TheLad]

At places I have worked before, this practice is not allowed. The only reason their laptop should be connected to the Internet is to be able to VPN into the companies network (and they can access the web via the proxy server online if they like). If they really want to connect to the Internet, they should do so via their home PC.

FYI: these laptops all ran BlackIce, and a firewall is an absolute must if devices are going to be connected to the Internet

--------------------------------------------------------------------------
"Who is General Failure and what is he doing on my computer?"
--------------------------------------------------------------------------

 

[bence8810]

Hi

Yes, I see where you coming from, however I need to get them access to the internet, so they can view emails with outlook web access. VPN would solve everything, but we dont have a working solution yet.

So is there any way i can let the users have internet without Proxy from home?

Thanks

Ben

 

[porkchopexpress]

You could give them a vb script that they can run to set the settings, place it on their desktop and tell them to run it when required the company settings should be reapplied next time they plug into your network.

I'm just providing an idea for a solution there in principal i agree with thelad, you need to be very careful allowing users unrestricted access to the internet when they will be plugging back into your network.

 

[porkchopexpress]

Something like this should work.

WSHShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer", "proxy address:80"
WSHShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", 1, "REG_DWORD"
WSHShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride", "192.168.*.*;<local>"

 

[bence8810]

Hi

Thanks, I understand this isnt a very clean and neat solution, but I need it fixed somehow. I will try the script, and that should get it done I guess.

Thanks

Ben

 

[BenChristian]

I need to get them access to the internet, so they can view emails with outlook web access"

You can acheive this by adding the public address of your Outlook Web Access server to the proxy bypass list, either via Group Policy, or locally. That way when they are at home and they try to access your OWA server it will bypass the proxy server and go directly to your OWA server.

This is still secure, they can't access any other sites, just your OWA server.

http://www.benchristian.com

 

[mazdaguru9]

We set proxy via long on script.
If ip is 10.10.x.x set to internal proxy else set to blank.

Works like a charm.

GP stinks for what you are trying to do.

 

[mazdaguru9]

You can change the section where it is looking for a vpn site with a 192.168 thing. but that is up to you. Also test before you deploy is you go that route.

'*********** 7-Internet Explorer Proxy Settings 

'This section will set proxy settings for Internet Explorer based on IP addresses 

Set IPConfigSet = objWMIService.ExecQuery _
    ("Select IPAddress from Win32_NetworkAdapterConfiguration ")
For Each IPConfig in IPConfigSet
    If Not IsNull(IPConfig.IPAddress) Then 
        For i=LBound(IPConfig.IPAddress) _
            to UBound(IPConfig.IPAddress)
                If IPConfig.IPAddress(i) = "0.0.0.0" Then
                Else
                strIPAdd = IPConfig.IPAddress(i)
                End If 
        Next
    End If
Next

'Don't Set Proxy Settings if machine is a VPN user, if not, set Default to Interal Proxy 

If Left(strIPadd,7) = "172.27." Then
	strProxy = ""
	Else 
	'Do Nothing
End If


'Set Proxy Settings for 6 digit subnets

Select Case Left(strIPadd,6) 
			Case "10.10." strProxy = "[URL unfurl="true"]http://foo.com/proxy.pac"[/URL]
			Case "10.48." strProxy = "[URL unfurl="true"]http://foo.com/proxy.pac"[/URL]
			Case "10.49." strProxy = "[URL unfurl="true"]http://foo.com/proxy.pac"[/URL]
			Case "10.64." strProxy = "[URL unfurl="true"]http://foo.com/proxy.pac"[/URL]
			Case "10.65." strProxy = "[URL unfurl="true"]http://foo.com/proxy.pac"[/URL]
End Select


'Set Proxy Settings for 9 digit subnets

If Left(strIPadd,9) = "10.65.37." Or Left(strIPadd,9) = "10.65.38." Then
	strProxy = "[URL unfurl="true"]http://otherproxy.foo.com/proxy.pac"[/URL]
	Else 
End If 




'Set default proxy to foo.com Proxy as long as user is not at a VPN Site 

If strProxy = emtpy AND (NOT Left(strIPadd,7) = "172.27.")Then 
	strProxy = "[URL unfurl="true"]http://mel-proxy.americanhm.com/proxy.pac"[/URL]
 Else
 'Do Nothing
End If 

	
'Write Proxy Registry Settings 

'Check for existence of Internet Settings subkey

If RegKeyExists("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\") Then
'Do Nothing 
Else
objShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\","","REG_SZ" 'Create if not there
End If

objShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","0","REG_DWORD"
objShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1","1","REG_DWORD"
objShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL","","REG_SZ"
objShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL",strProxy,"REG_SZ"
objShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer","","REG_SZ"
objShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoproxyResultCache","1","REG_DWORD"

'Check for existence of Internet Explorer subkey

If RegKeyExists("HKCU\Software\Policies\Microsoft\Internet Explorer\") Then
'Do Nothing 
Else
objShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\","","REG_SZ" 'Create if not there
End If

'Check for existence of Control Panel subkey

If RegKeyExists("HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\") Then
'Do Nothing 
Else
objShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\","","REG_SZ" 'Create if not there
End If

objShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Proxy","1","REG_DWORD"
objShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AutoConfig","1","REG_DWORD"

 

[bence8810]

Hi

Thanks, that looks good. Wouldnt the laptop need to have this script as a Local GPO setting though? We use the AD to assign the scripts, so when they log on from home, the script wont run, unless its their local Policy. If its local, they cal always remove it even from the office.

Please correct me if I am wrong,

Thanks

Ben

 

[BenChristian]

If you were to use a script to determine whether they are logged in to the network or not, you're probably better to use the %logonserver% environment variable. If the %logonserver% variable = the computer name, then the computer didn't authenticate with a domain controller, so is isn't connected to the network.

If you only need the users to access OWA, I still think that adding the OWA address to the proxy bypass is the most ideal solution.

http://www.benchristian.com

 

[bence8810]

Hi

Benchristian, thanks for your suggestion. I read it when you first posted too, but I was considering it. Now, I finally set it, just like you suggested. I am sure my users will burst out in flames when they cannot use Internet from home, but at least I have some time to think about what should be proper for us. We are a small company, part of a very large corporation, but we are only 35 people and we dont have very strict rules here. Lets see how will this suit the users' expectations.

Thanks

Ben