Jump to content

Change Proxy Settings for LocalSystem account

Guest PhilScott

By Guest PhilScott
in Windows 2003 Server

 Share

Recommended Posts

Guest PhilScott

Guest PhilScott

Posted
Posted

Hi there,

 

I am wondering if someone can help me with this issue. We have recently

changed a our proxy server and this particular program installed on Windows

Server 2003 Service Pack 2 server will not connect to the internet to check

for updates automatically anymore. Instead it sends me an alert email to tell

me that the automatic update failed.

 

I have spoken to the manufacturers of the software and they inform me that

it will use the Proxy settings for the local system account and that I need

to change this. So i go into the registry looking for

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet

Settings and sure enough, the old proxy server is there. So I modify it and

restart and it has no effect. The updates still do not download and the Proxy

Server setting in the registry is back to the old proxy server.

 

Every other user of the server is fine. They can browse the internet without

a problem.

 

Can anyone help me to change the proxy settings for the LocalSystem account?

 

Your help is appreciated.

  • Replies 5
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Phillip Windell

Guest Phillip Windell

Posted
Posted

Re: Change Proxy Settings for LocalSystem account

 

 

"PhilScott" <PhilScott@discussions.microsoft.com> wrote in message

news:E76AC3CC-09C2-4446-A510-F92FE24E0110@microsoft.com...

> I have spoken to the manufacturers of the software and they inform me that

> it will use the Proxy settings for the local system account and that I

> need

> to change this. So i go into the registry looking for

> HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet

> Settings and sure enough, the old proxy server is there.

 

I was an ISA MVP (MS's proxy server/firewall) for three years and never ever

heard of doing anything like that. I would never expect it to work,..but

that is just me. Why? Because the Local System Account is specifically

designed to not function with "networking" and is supposed to be restricted

to local machine activity only. But I could be wrong....

 

Anyway...

 

What the application is and how it works matters

 

What protocols it uses matter

CERN Compliant Web Proxys only do Http, Https. read-only FTP, and gopher

Winsock Proxys only do TCP or UDP based protocols (not ICMP, GRE, etc)

Don't know about Socks Proxys, no experience with them.

 

What kind of proxy the old one was matters

(CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy)

 

What the new proxy is matters

(again CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy)

 

If the proxy requires authentication matters

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

Guest PhilScott

Guest PhilScott

Posted
Posted

Re: Change Proxy Settings for LocalSystem account

 

Hi There,

 

It is only using http to download the update files. The old proxy server was

a single NIC ISA 2004 proxy server.... now we have a new server running ISA

2006 with dual NIC's and is providing firewall capabilities also.

 

There is no authentication required on the proxy server at this point... but

it will be required soon... In anticipation of this I have created a separate

rule for this server only which is above the general internet access rule

allowing unauthenticated internet access.

 

 

 

"Phillip Windell" wrote:

>

> "PhilScott" <PhilScott@discussions.microsoft.com> wrote in message

> news:E76AC3CC-09C2-4446-A510-F92FE24E0110@microsoft.com...

> > I have spoken to the manufacturers of the software and they inform me that

> > it will use the Proxy settings for the local system account and that I

> > need

> > to change this. So i go into the registry looking for

> > HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet

> > Settings and sure enough, the old proxy server is there.

>

> I was an ISA MVP (MS's proxy server/firewall) for three years and never ever

> heard of doing anything like that. I would never expect it to work,..but

> that is just me. Why? Because the Local System Account is specifically

> designed to not function with "networking" and is supposed to be restricted

> to local machine activity only. But I could be wrong....

>

> Anyway...

>

> What the application is and how it works matters

>

> What protocols it uses matter

> CERN Compliant Web Proxys only do Http, Https. read-only FTP, and gopher

> Winsock Proxys only do TCP or UDP based protocols (not ICMP, GRE, etc)

> Don't know about Socks Proxys, no experience with them.

>

> What kind of proxy the old one was matters

> (CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy)

>

> What the new proxy is matters

> (again CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy)

>

> If the proxy requires authentication matters

>

> --

> Phillip Windell

> http://www.wandtv.com

>

> The views expressed, are my own and not those of my employer, or Microsoft,

> or anyone else associated with me, including my cats.

> -----------------------------------------------------

>

>

>

Guest Phillip Windell

Guest Phillip Windell

Posted
Posted

Re: Change Proxy Settings for LocalSystem account

 

 

"PhilScott" <PhilScott@discussions.microsoft.com> wrote in message

news:ACC5105B-4049-4038-B353-33BA1C025302@microsoft.com...

> Hi There,

>

> It is only using http to download the update files. The old proxy server

> was

> a single NIC ISA 2004 proxy server.... now we have a new server running

> ISA

> 2006 with dual NIC's and is providing firewall capabilities also.

>

> There is no authentication required on the proxy server at this point...

> but

> it will be required soon...

 

You won't be able to require it. It will have to stay without

authentication.

 

You will need run it throught the SecureNAT Service which doesn't require

anything beyond having the ISA in the LAN's "routing path" to the Internet.

The Rule should limit the source and destinations to the specific IP#s

involved and the Users portion of the Rule will need to be "All Users",..you

have no choice about that,..it must be "All Users".

 

You might be able to use the Firewall Client Software on the Server and let

it run against the same Access Rule,..this would allow the machine to not

have ISA in the LAN's "routing path" to the Internet,...but personally, I

think you best bet is going to be the SecureNAT Service.

 

With ISA2004 I have real doubts that it was really working [as you think it

was]. Because it was a single Nic ISA you therefore would have had a

Firewall on the LAN that was most likely the Default Gateway of the machine

or the Firewall was in the LAN's "routing path" to the Internet. The whole

"proxy setting thing" on the server was probably just flat out

failing,..which means the server would send the web request directly to the

Firewall which allowed it out to the Internet, effectively "ignoring" the

ISA,...so you would have no "visible" indication that it was not working as

you expected. But now that the ISA is running in a more proper dual nic

mode there is no way to "get around" the ISA if things fail becuase the ISA

is litterally physically "in the way",...so now when it fails it is visibly

obvious.

 

Anyway in respect to my last post, MS ISA Server is:

 

1. CERN Compliant Web Poxy

2. Winsock Proxy

3. NAT Server (same as typical "hardware firewalls")

 

It is all three types of Firewalls all rolled into a single product. Which

"component" of ISA that you use depends on how you setup the Client and the

ISA to interact with each other. It is possible for a Client to work as all

three types at the same time and will switch between the "modes" uniquely

for each connection "session" that the Client is involved in at the moment.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

Technet Library

ISA2004

http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx

ISA2006

http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

 

Understanding the ISA 2004 Access Rule Processing

http://www.isaserver.org/articles/ISA2004_AccessRules.html

 

Troubleshooting Client Authentication on Access Rules in ISA Server 2004

http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

 

Microsoft Internet Security & Acceleration Server: Partners

http://www.microsoft.com/isaserver/partners/default.mspx

 

Microsoft ISA Server Partners: Partner Hardware Solutions

http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx

-----------------------------------------------------

Guest PhilScott

Guest PhilScott

Posted
Posted

Re: Change Proxy Settings for LocalSystem account

 

Can I just say that this is now starting to go off in the wrong tangent. The

problem is not with my ISA Firewall or my rules or how it accesses the

Internet. The problem is with my server and this application.

The application on this server is trying to send HTTP requests for automatic

updates to a proxy server that now no longer exists. I am trying to update

this server with the new proxy server settings for the LOCALSYSTEM account

(no other account is affected), but every attempt is failing. There are no

problems with accessing the Internet on this server once I am logged in, but

when NO ONE is logged in and it is trying to update the application

automatically it uses the LOCALSYSTEM account (the account to which the

application's service runs!) to download updates. The LOCALSYSTEM Proxy

(settings in the registry key mentioned previously) is set to the OLD ISA

SERVER. NO HTTP REQUESTS ARE HITTING OUR CURRENT ISA SERVER AT ALL. Are you

able to help me with this?

 

 

"Phillip Windell" wrote:

>

> "PhilScott" <PhilScott@discussions.microsoft.com> wrote in message

> news:ACC5105B-4049-4038-B353-33BA1C025302@microsoft.com...

> > Hi There,

> >

> > It is only using http to download the update files. The old proxy server

> > was

> > a single NIC ISA 2004 proxy server.... now we have a new server running

> > ISA

> > 2006 with dual NIC's and is providing firewall capabilities also.

> >

> > There is no authentication required on the proxy server at this point...

> > but

> > it will be required soon...

>

> You won't be able to require it. It will have to stay without

> authentication.

>

> You will need run it throught the SecureNAT Service which doesn't require

> anything beyond having the ISA in the LAN's "routing path" to the Internet.

> The Rule should limit the source and destinations to the specific IP#s

> involved and the Users portion of the Rule will need to be "All Users",..you

> have no choice about that,..it must be "All Users".

>

> You might be able to use the Firewall Client Software on the Server and let

> it run against the same Access Rule,..this would allow the machine to not

> have ISA in the LAN's "routing path" to the Internet,...but personally, I

> think you best bet is going to be the SecureNAT Service.

>

> With ISA2004 I have real doubts that it was really working [as you think it

> was]. Because it was a single Nic ISA you therefore would have had a

> Firewall on the LAN that was most likely the Default Gateway of the machine

> or the Firewall was in the LAN's "routing path" to the Internet. The whole

> "proxy setting thing" on the server was probably just flat out

> failing,..which means the server would send the web request directly to the

> Firewall which allowed it out to the Internet, effectively "ignoring" the

> ISA,...so you would have no "visible" indication that it was not working as

> you expected. But now that the ISA is running in a more proper dual nic

> mode there is no way to "get around" the ISA if things fail becuase the ISA

> is litterally physically "in the way",...so now when it fails it is visibly

> obvious.

>

> Anyway in respect to my last post, MS ISA Server is:

>

> 1. CERN Compliant Web Poxy

> 2. Winsock Proxy

> 3. NAT Server (same as typical "hardware firewalls")

>

> It is all three types of Firewalls all rolled into a single product. Which

> "component" of ISA that you use depends on how you setup the Client and the

> ISA to interact with each other. It is possible for a Client to work as all

> three types at the same time and will switch between the "modes" uniquely

> for each connection "session" that the Client is involved in at the moment.

>

> --

> Phillip Windell

> http://www.wandtv.com

>

> The views expressed, are my own and not those of my employer, or Microsoft,

> or anyone else associated with me, including my cats.

> -----------------------------------------------------

> Technet Library

> ISA2004

> http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx

> ISA2006

> http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

>

> Understanding the ISA 2004 Access Rule Processing

> http://www.isaserver.org/articles/ISA2004_AccessRules.html

>

> Troubleshooting Client Authentication on Access Rules in ISA Server 2004

> http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

>

> Microsoft Internet Security & Acceleration Server: Partners

> http://www.microsoft.com/isaserver/partners/default.mspx

>

> Microsoft ISA Server Partners: Partner Hardware Solutions

> http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx

> -----------------------------------------------------

>

>

>

Guest Phillip Windell

Guest Phillip Windell

Posted
Posted

Re: Change Proxy Settings for LocalSystem account

 

 

"PhilScott" <PhilScott@discussions.microsoft.com> wrote in message

news:A64BA4E2-912C-4B64-BBDD-08F3093EE84D@microsoft.com...

> Can I just say that this is now starting to go off in the wrong tangent.

> The

> problem is not with my ISA Firewall or my rules or how it accesses the

> Internet. The problem is with my server and this application.

> application's service runs!) to download updates. The LOCALSYSTEM Proxy

> (settings in the registry key mentioned previously) is set to the OLD ISA

> SERVER. NO HTTP REQUESTS ARE HITTING OUR CURRENT ISA SERVER AT

> ALL. Are you able to help me with this?

 

Then I guess not.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

 Share
Go to topic listing
×
×
  • Create New...