Guest PhilScott Posted September 24, 2008 Posted September 24, 2008 Hi there, I am wondering if someone can help me with this issue. We have recently changed a our proxy server and this particular program installed on Windows Server 2003 Service Pack 2 server will not connect to the internet to check for updates automatically anymore. Instead it sends me an alert email to tell me that the automatic update failed. I have spoken to the manufacturers of the software and they inform me that it will use the Proxy settings for the local system account and that I need to change this. So i go into the registry looking for HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings and sure enough, the old proxy server is there. So I modify it and restart and it has no effect. The updates still do not download and the Proxy Server setting in the registry is back to the old proxy server. Every other user of the server is fine. They can browse the internet without a problem. Can anyone help me to change the proxy settings for the LocalSystem account? Your help is appreciated.
Guest Phillip Windell Posted September 24, 2008 Posted September 24, 2008 Re: Change Proxy Settings for LocalSystem account "PhilScott" <PhilScott@discussions.microsoft.com> wrote in message news:E76AC3CC-09C2-4446-A510-F92FE24E0110@microsoft.com... > I have spoken to the manufacturers of the software and they inform me that > it will use the Proxy settings for the local system account and that I > need > to change this. So i go into the registry looking for > HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet > Settings and sure enough, the old proxy server is there. I was an ISA MVP (MS's proxy server/firewall) for three years and never ever heard of doing anything like that. I would never expect it to work,..but that is just me. Why? Because the Local System Account is specifically designed to not function with "networking" and is supposed to be restricted to local machine activity only. But I could be wrong.... Anyway... What the application is and how it works matters What protocols it uses matter CERN Compliant Web Proxys only do Http, Https. read-only FTP, and gopher Winsock Proxys only do TCP or UDP based protocols (not ICMP, GRE, etc) Don't know about Socks Proxys, no experience with them. What kind of proxy the old one was matters (CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy) What the new proxy is matters (again CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy) If the proxy requires authentication matters -- Phillip Windell http://www.wandtv.com The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------
Guest PhilScott Posted September 24, 2008 Posted September 24, 2008 Re: Change Proxy Settings for LocalSystem account Hi There, It is only using http to download the update files. The old proxy server was a single NIC ISA 2004 proxy server.... now we have a new server running ISA 2006 with dual NIC's and is providing firewall capabilities also. There is no authentication required on the proxy server at this point... but it will be required soon... In anticipation of this I have created a separate rule for this server only which is above the general internet access rule allowing unauthenticated internet access. "Phillip Windell" wrote: > > "PhilScott" <PhilScott@discussions.microsoft.com> wrote in message > news:E76AC3CC-09C2-4446-A510-F92FE24E0110@microsoft.com... > > I have spoken to the manufacturers of the software and they inform me that > > it will use the Proxy settings for the local system account and that I > > need > > to change this. So i go into the registry looking for > > HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet > > Settings and sure enough, the old proxy server is there. > > I was an ISA MVP (MS's proxy server/firewall) for three years and never ever > heard of doing anything like that. I would never expect it to work,..but > that is just me. Why? Because the Local System Account is specifically > designed to not function with "networking" and is supposed to be restricted > to local machine activity only. But I could be wrong.... > > Anyway... > > What the application is and how it works matters > > What protocols it uses matter > CERN Compliant Web Proxys only do Http, Https. read-only FTP, and gopher > Winsock Proxys only do TCP or UDP based protocols (not ICMP, GRE, etc) > Don't know about Socks Proxys, no experience with them. > > What kind of proxy the old one was matters > (CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy) > > What the new proxy is matters > (again CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy) > > If the proxy requires authentication matters > > -- > Phillip Windell > http://www.wandtv.com > > The views expressed, are my own and not those of my employer, or Microsoft, > or anyone else associated with me, including my cats. > ----------------------------------------------------- > > >
Guest Phillip Windell Posted September 25, 2008 Posted September 25, 2008 Re: Change Proxy Settings for LocalSystem account "PhilScott" <PhilScott@discussions.microsoft.com> wrote in message news:ACC5105B-4049-4038-B353-33BA1C025302@microsoft.com... > Hi There, > > It is only using http to download the update files. The old proxy server > was > a single NIC ISA 2004 proxy server.... now we have a new server running > ISA > 2006 with dual NIC's and is providing firewall capabilities also. > > There is no authentication required on the proxy server at this point... > but > it will be required soon... You won't be able to require it. It will have to stay without authentication. You will need run it throught the SecureNAT Service which doesn't require anything beyond having the ISA in the LAN's "routing path" to the Internet. The Rule should limit the source and destinations to the specific IP#s involved and the Users portion of the Rule will need to be "All Users",..you have no choice about that,..it must be "All Users". You might be able to use the Firewall Client Software on the Server and let it run against the same Access Rule,..this would allow the machine to not have ISA in the LAN's "routing path" to the Internet,...but personally, I think you best bet is going to be the SecureNAT Service. With ISA2004 I have real doubts that it was really working [as you think it was]. Because it was a single Nic ISA you therefore would have had a Firewall on the LAN that was most likely the Default Gateway of the machine or the Firewall was in the LAN's "routing path" to the Internet. The whole "proxy setting thing" on the server was probably just flat out failing,..which means the server would send the web request directly to the Firewall which allowed it out to the Internet, effectively "ignoring" the ISA,...so you would have no "visible" indication that it was not working as you expected. But now that the ISA is running in a more proper dual nic mode there is no way to "get around" the ISA if things fail becuase the ISA is litterally physically "in the way",...so now when it fails it is visibly obvious. Anyway in respect to my last post, MS ISA Server is: 1. CERN Compliant Web Poxy 2. Winsock Proxy 3. NAT Server (same as typical "hardware firewalls") It is all three types of Firewalls all rolled into a single product. Which "component" of ISA that you use depends on how you setup the Client and the ISA to interact with each other. It is possible for a Client to work as all three types at the same time and will switch between the "modes" uniquely for each connection "session" that the Client is involved in at the moment. -- Phillip Windell http://www.wandtv.com The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. ----------------------------------------------------- Technet Library ISA2004 http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx ISA2006 http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx Understanding the ISA 2004 Access Rule Processing http://www.isaserver.org/articles/ISA2004_AccessRules.html Troubleshooting Client Authentication on Access Rules in ISA Server 2004 http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc Microsoft Internet Security & Acceleration Server: Partners http://www.microsoft.com/isaserver/partners/default.mspx Microsoft ISA Server Partners: Partner Hardware Solutions http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx -----------------------------------------------------
Guest PhilScott Posted September 25, 2008 Posted September 25, 2008 Re: Change Proxy Settings for LocalSystem account Can I just say that this is now starting to go off in the wrong tangent. The problem is not with my ISA Firewall or my rules or how it accesses the Internet. The problem is with my server and this application. The application on this server is trying to send HTTP requests for automatic updates to a proxy server that now no longer exists. I am trying to update this server with the new proxy server settings for the LOCALSYSTEM account (no other account is affected), but every attempt is failing. There are no problems with accessing the Internet on this server once I am logged in, but when NO ONE is logged in and it is trying to update the application automatically it uses the LOCALSYSTEM account (the account to which the application's service runs!) to download updates. The LOCALSYSTEM Proxy (settings in the registry key mentioned previously) is set to the OLD ISA SERVER. NO HTTP REQUESTS ARE HITTING OUR CURRENT ISA SERVER AT ALL. Are you able to help me with this? "Phillip Windell" wrote: > > "PhilScott" <PhilScott@discussions.microsoft.com> wrote in message > news:ACC5105B-4049-4038-B353-33BA1C025302@microsoft.com... > > Hi There, > > > > It is only using http to download the update files. The old proxy server > > was > > a single NIC ISA 2004 proxy server.... now we have a new server running > > ISA > > 2006 with dual NIC's and is providing firewall capabilities also. > > > > There is no authentication required on the proxy server at this point... > > but > > it will be required soon... > > You won't be able to require it. It will have to stay without > authentication. > > You will need run it throught the SecureNAT Service which doesn't require > anything beyond having the ISA in the LAN's "routing path" to the Internet. > The Rule should limit the source and destinations to the specific IP#s > involved and the Users portion of the Rule will need to be "All Users",..you > have no choice about that,..it must be "All Users". > > You might be able to use the Firewall Client Software on the Server and let > it run against the same Access Rule,..this would allow the machine to not > have ISA in the LAN's "routing path" to the Internet,...but personally, I > think you best bet is going to be the SecureNAT Service. > > With ISA2004 I have real doubts that it was really working [as you think it > was]. Because it was a single Nic ISA you therefore would have had a > Firewall on the LAN that was most likely the Default Gateway of the machine > or the Firewall was in the LAN's "routing path" to the Internet. The whole > "proxy setting thing" on the server was probably just flat out > failing,..which means the server would send the web request directly to the > Firewall which allowed it out to the Internet, effectively "ignoring" the > ISA,...so you would have no "visible" indication that it was not working as > you expected. But now that the ISA is running in a more proper dual nic > mode there is no way to "get around" the ISA if things fail becuase the ISA > is litterally physically "in the way",...so now when it fails it is visibly > obvious. > > Anyway in respect to my last post, MS ISA Server is: > > 1. CERN Compliant Web Poxy > 2. Winsock Proxy > 3. NAT Server (same as typical "hardware firewalls") > > It is all three types of Firewalls all rolled into a single product. Which > "component" of ISA that you use depends on how you setup the Client and the > ISA to interact with each other. It is possible for a Client to work as all > three types at the same time and will switch between the "modes" uniquely > for each connection "session" that the Client is involved in at the moment. > > -- > Phillip Windell > http://www.wandtv.com > > The views expressed, are my own and not those of my employer, or Microsoft, > or anyone else associated with me, including my cats. > ----------------------------------------------------- > Technet Library > ISA2004 > http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx > ISA2006 > http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx > > Understanding the ISA 2004 Access Rule Processing > http://www.isaserver.org/articles/ISA2004_AccessRules.html > > Troubleshooting Client Authentication on Access Rules in ISA Server 2004 > http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc > > Microsoft Internet Security & Acceleration Server: Partners > http://www.microsoft.com/isaserver/partners/default.mspx > > Microsoft ISA Server Partners: Partner Hardware Solutions > http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx > ----------------------------------------------------- > > >
Guest Phillip Windell Posted September 26, 2008 Posted September 26, 2008 Re: Change Proxy Settings for LocalSystem account "PhilScott" <PhilScott@discussions.microsoft.com> wrote in message news:A64BA4E2-912C-4B64-BBDD-08F3093EE84D@microsoft.com... > Can I just say that this is now starting to go off in the wrong tangent. > The > problem is not with my ISA Firewall or my rules or how it accesses the > Internet. The problem is with my server and this application. > application's service runs!) to download updates. The LOCALSYSTEM Proxy > (settings in the registry key mentioned previously) is set to the OLD ISA > SERVER. NO HTTP REQUESTS ARE HITTING OUR CURRENT ISA SERVER AT > ALL. Are you able to help me with this? Then I guess not. -- Phillip Windell http://www.wandtv.com The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------
Recommended Posts