Many companies have started using Windows 8 and have noticed with some of the new features there are times when things just don’t seem to work the way they expected them too; this was due to configuration needs and not actual issues in many cases. We have found this is normally due to some additional configurations that are required to enable the newer features and applications that have been introduced with the new OS.
I would like to focus on one that I have been putting some extra effort towards to help customers get the best experience they can when the enterprise has proxy services enabled and they see issues such as the Windows 8 apps and basic services are not communicating with web services.
Sometimes communities identify issues and is important that we help improve the user experience when issues are identified. There are a couple articles currently articles addressing some of the original issues. Specifically the need to use the NETSH commands to correct the WINHTTP Proxy service; see the reference articles within this blog for links to them. This include transitioning to new networks and the use of WPAD for the most robust model for Windows 8.
Note: It is important to also understand before we review these scenarios and options that for the best Windows 8 experience it is recommended to use WPAD to enable all the features of Windows 8 without additional work for the client. Use these links to understand how to implement WPAD and enabling Authenticated Proxy support.
Implementing WPAD: KB2777643
Authenticated Proxy Support: KB2778122
Proxy Service in the Enterprise:
Key Scenarios: Typical results in the following scenarios with “Static Proxy”, “Web Hosted Proxy PAC Files” and “Domain Policy Defined Proxy”, hosted PAC files is the following:
- Window 8 Network Location Awareness: NLA is required for Windows 8 applications to function properly by determining that you are connected to the internet by looking for a file called ncsi.txt on the internet and is the feature that tells the Windows 8 applications if your online. When this is working right your Network Icon will reflect your online and when you access Windows 8 Application such as Bing Sports it will identify your access and function properly. Properly define proxy services will enable this.
- Windows 8 Applications: In general testing Windows 8 applications will function as designed. Note:This is not a blanket statement for all Windows store application due to the lack of testing. I have tested the normal inbox apps and some additional application downloaded.
- The Windows Store Application updates: This feature is functioning while using Static or PAC files when the user is on public networks only. In some cases it has been noticed that the Inbox Windows 8 apps will be able to update while connected to the corporate network. If the updating is needed internally and you must use a PAC file you may wish to look at using WPAD. Another option is to use the PAC file model I describe below.
- The Windows Store Catalogue: Can be viewed and searched.
- Windows Store Apps Downloads: This feature is functioning while using Static or PAC files when the user is on public networks onlyto purchase apps and download. If the download is needed internally and you must use a PAC file you may wish to look at using WPAD. Another option is to use the PAC file model I describe below.
- Windows Update: For Windows updates it has been observed that Automatic Updates do not work with Proxy configuration but both User Activated updates in the Windows 8 WU and the Classic Update model they will work. Once the computer is on the public network it will be able to receive Automatic Updates or with the user checking for updates.
Note: There is a known Issue for Authenticating Proxies Solutions: You will need to follow the guidance in the KB2778122 for whitelisting certain HTTP address’s listed in article to ensure the best experience while on the corporate network.
Note:Known issue with local installed PAC files: Local install of PAC files will not work for more than Local Browser services.
Enabling these PROXY scenarios:
We will walk through the simplest implementation which also has most limitation to the preferred method and options for configuration of PAC files.
Note: Only noted to help customers understand chance for negative experience. This is not preferred, this shouldn’t be used unless you are supporting desktop only. I just wanted to make people aware of it. Preferred approach is WPAD and then Web Proxy PAC file
This model is a direct insertion of the proxy server address and port used for communication via Internet Explore through the configuration via “Internet Options” and clicking on “Connections Tab” then “LAN Settings” and setting up your proxy definition under Proxy Server”
Load Internet Explorer and open Settings / Internet Options
With this implementation you will find that as long as your computer is on the proper network where the proxy server can be found your services as described above will work. If the Proxy Server is not locatable the following error will be observed due to WEB services not routing properly. Resolution will be to connect the system back to the proper network.
Put the system back onto the proper network or remove the static proxy setting.
Note: Using the following two configuration options in the Proxy path configuration do not work:
If Proxy PAC files need to be used in the enterprise environment using a web hosted service is the preferred method. This can be hosted on the proxy server or any other IIS services hosting the file so it can be accessed by the computer at boot. To do this you need to configure the PROXY setting in the manner below.
This model is a direct insertion of the web server address for the PAC file for communication via Internet Explore through the configuration via “Internet Options” and clicking on “Connections Tab” then “LAN Settings” and setting up your proxy definition under Proxy Server
Load Internet Explorer and open Settings / Internet Options
In this case you will have the expected results I noted above in the top of this Blog. I also want to provide a couple sample PAC files that I have found to help make the user experience work well. I also will discuss a model where you could potentially enable the Windows 8 App Store for downloading applications that was mentioned above where it may potentially not work with PAC files.
Sample PAC file #1:
Net Results will be that your system will function with new Windows 8 Apps but you will not be able to download new apps till the device is placed outside the corporate network. The proxy will be offline and your system will default to standard full internet access allowing the download of the selected applications. If for some reason you have an external Proxy you will need to consider the second sample file for the best results.
This file is the simplest and will identify your host network and then designate the Proxy Server for that network. If the network host is not found it instructs the WINHTTP services to use the default gateway of the computer. While on the company network Windows 8 App Store Downloads may not work but when the computer is on a public network it will be able to download Windows Store Apps.
You can use notepad.exe to create a simple test file, example: Sample1.PAC
//Begin
function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0"))
return "PROXY ProxyServerName:8080";
else "Proxy Direct";
}
//End
Note: This will require corporate review and approval most likely. The purpose of this Script is to enable Windows Application Store Downloads within the corporate network with proxy services or if the company is using an External Web based Proxy Service.
In this scenario you have a Default Gateway on the corporate network that is open to the internet but normal traffic is always processed through the Proxy server. With this configuration we have directed any traffic required to communicate with Microsoft to be allowed to operate through the default gateway and the limited capabilities are now removed and Windows Store Apps will now be successfully downloaded on the corporate network.
You can use notepad.exe to create a simple test file, example: Sample2.PAC
//Begin
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_online = "PROXY ProxyServer:8080";
var proxy_offline = "DIRECT";
if (shExpMatch(url, "http://*.microsoft.com*"))
{ return proxy_offline; }
if (shExpMatch(url, "https://*.microsoft.com*"))
{ return proxy_offline; }
// Proxy anything else
return proxy_online;
}
//END
Domain Policy Configuration for a PAC File:
This procedure assumes you are familiar will traversing the Group Policy Management tool using either Server 2012 or the Remote Server Administration Toolkit for Windows 8.
First create a policy for Internet Explorer 10 for the proxy configuration under “User Settings” Preference – Control panel settings.
Wizard will pull up and then you can select “Connection” Tab and then “LAN settings” Radio Button
Enter the required Proxy settings and then link the GPO to you target OU
Make sure to select F5 on the Field when you enter the Name so it is accepted.
This will allow you to now set the Proxy GPO on your system.
Additional information for PAC Files Scripting options can be found here: MS TechNet on PAC File Scripting
This post was contributed by Scott Culbertson, a Solution Architect with Microsoft Consulting Services.
The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.