Change Proxy Settings for LocalSystem account

[PhilScott]

Hi there,

I am wondering if someone can help me with this issue. We have recently
changed a our proxy server and this particular program installed on Windows
Server 2003 Service Pack 2 server will not connect to the internet to check
for updates automatically anymore. Instead it sends me an alert email to tell
me that the automatic update failed.

I have spoken to the manufacturers of the software and they inform me that
it will use the Proxy settings for the local system account and that I need
to change this. So i go into the registry looking for
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
Settings and sure enough, the old proxy server is there. So I modify it and
restart and it has no effect. The updates still do not download and the Proxy
Server setting in the registry is back to the old proxy server.

Every other user of the server is fine. They can browse the internet without
a problem.

Can anyone help me to change the proxy settings for the LocalSystem account?

Your help is appreciated.

[Phillip Windell]

"PhilScott" <PhilScott@discussions.microsoft.com> wrote in message
news:E76AC3CC-09C2-4446-A510-F92FE24E0110@microsoft.com...
> I have spoken to the manufacturers of the software and they inform me that
> it will use the Proxy settings for the local system account and that I
> need
> to change this. So i go into the registry looking for
> HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings and sure enough, the old proxy server is there.

I was an ISA MVP (MS's proxy server/firewall) for three years and never ever
heard of doing anything like that. I would never expect it to work,..but
that is just me. Why? Because the Local System Account is specifically
designed to not function with "networking" and is supposed to be restricted
to local machine activity only. But I could be wrong....

Anyway...

What the application is and how it works matters

What protocols it uses matter
CERN Compliant Web Proxys only do Http, Https. read-only FTP, and gopher
Winsock Proxys only do TCP or UDP based protocols (not ICMP, GRE, etc)
Don't know about Socks Proxys, no experience with them.

What kind of proxy the old one was matters
(CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy)

What the new proxy is matters
(again CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy)

If the proxy requires authentication matters

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

[PhilScott]

Hi There,

It is only using http to download the update files. The old proxy server was
a single NIC ISA 2004 proxy server.... now we have a new server running ISA
2006 with dual NIC's and is providing firewall capabilities also.

There is no authentication required on the proxy server at this point... but
it will be required soon... In anticipation of this I have created a separate
rule for this server only which is above the general internet access rule
allowing unauthenticated internet access.



"Phillip Windell" wrote:

>
> "PhilScott" <PhilScott@discussions.microsoft.com> wrote in message
> news:E76AC3CC-09C2-4446-A510-F92FE24E0110@microsoft.com...
> > I have spoken to the manufacturers of the software and they inform me that
> > it will use the Proxy settings for the local system account and that I
> > need
> > to change this. So i go into the registry looking for
> > HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
> > Settings and sure enough, the old proxy server is there.
>
> I was an ISA MVP (MS's proxy server/firewall) for three years and never ever
> heard of doing anything like that. I would never expect it to work,..but
> that is just me. Why? Because the Local System Account is specifically
> designed to not function with "networking" and is supposed to be restricted
> to local machine activity only. But I could be wrong....
>
> Anyway...
>
> What the application is and how it works matters
>
> What protocols it uses matter
> CERN Compliant Web Proxys only do Http, Https. read-only FTP, and gopher
> Winsock Proxys only do TCP or UDP based protocols (not ICMP, GRE, etc)
> Don't know about Socks Proxys, no experience with them.
>
> What kind of proxy the old one was matters
> (CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy)
>
> What the new proxy is matters
> (again CERN Compliant Web Poxy, Winsock Proxy, Socks Proxy)
>
> If the proxy requires authentication matters
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
>

[Phillip Windell]

"PhilScott" <PhilScott@discussions.microsoft.com> wrote in message
news:ACC5105B-4049-4038-B353-33BA1C025302@microsoft.com...
> Hi There,
>
> It is only using http to download the update files. The old proxy server
> was
> a single NIC ISA 2004 proxy server.... now we have a new server running
> ISA
> 2006 with dual NIC's and is providing firewall capabilities also.
>
> There is no authentication required on the proxy server at this point...
> but
> it will be required soon...

You won't be able to require it. It will have to stay without
authentication.

You will need run it throught the SecureNAT Service which doesn't require
anything beyond having the ISA in the LAN's "routing path" to the Internet.
The Rule should limit the source and destinations to the specific IP#s
involved and the Users portion of the Rule will need to be "All Users",..you
have no choice about that,..it must be "All Users".

You might be able to use the Firewall Client Software on the Server and let
it run against the same Access Rule,..this would allow the machine to not
have ISA in the LAN's "routing path" to the Internet,...but personally, I
think you best bet is going to be the SecureNAT Service.

With ISA2004 I have real doubts that it was really working [as you think it
was]. Because it was a single Nic ISA you therefore would have had a
Firewall on the LAN that was most likely the Default Gateway of the machine
or the Firewall was in the LAN's "routing path" to the Internet. The whole
"proxy setting thing" on the server was probably just flat out
failing,..which means the server would send the web request directly to the
Firewall which allowed it out to the Internet, effectively "ignoring" the
ISA,...so you would have no "visible" indication that it was not working as
you expected. But now that the ISA is running in a more proper dual nic
mode there is no way to "get around" the ISA if things fail becuase the ISA
is litterally physically "in the way",...so now when it fails it is visibly
obvious.

Anyway in respect to my last post, MS ISA Server is:

1. CERN Compliant Web Poxy
2. Winsock Proxy
3. NAT Server (same as typical "hardware firewalls")

It is all three types of Firewalls all rolled into a single product. Which
"component" of ISA that you use depends on how you setup the Client and the
ISA to interact with each other. It is possible for a Client to work as all
three types at the same time and will switch between the "modes" uniquely
for each connection "session" that the Client is involved in at the moment.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/l...chNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/l...chNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/p...s/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------

[PhilScott]

Can I just say that this is now starting to go off in the wrong tangent. The
problem is not with my ISA Firewall or my rules or how it accesses the
Internet. The problem is with my server and this application.
The application on this server is trying to send HTTP requests for automatic
updates to a proxy server that now no longer exists. I am trying to update
this server with the new proxy server settings for the LOCALSYSTEM account
(no other account is affected), but every attempt is failing. There are no
problems with accessing the Internet on this server once I am logged in, but
when NO ONE is logged in and it is trying to update the application
automatically it uses the LOCALSYSTEM account (the account to which the
application's service runs!) to download updates. The LOCALSYSTEM Proxy
(settings in the registry key mentioned previously) is set to the OLD ISA
SERVER. NO HTTP REQUESTS ARE HITTING OUR CURRENT ISA SERVER AT ALL. Are you
able to help me with this?


"Phillip Windell" wrote:

>
> "PhilScott" <PhilScott@discussions.microsoft.com> wrote in message
> news:ACC5105B-4049-4038-B353-33BA1C025302@microsoft.com...
> > Hi There,
> >
> > It is only using http to download the update files. The old proxy server
> > was
> > a single NIC ISA 2004 proxy server.... now we have a new server running
> > ISA
> > 2006 with dual NIC's and is providing firewall capabilities also.
> >
> > There is no authentication required on the proxy server at this point...
> > but
> > it will be required soon...
>
> You won't be able to require it. It will have to stay without
> authentication.
>
> You will need run it throught the SecureNAT Service which doesn't require
> anything beyond having the ISA in the LAN's "routing path" to the Internet.
> The Rule should limit the source and destinations to the specific IP#s
> involved and the Users portion of the Rule will need to be "All Users",..you
> have no choice about that,..it must be "All Users".
>
> You might be able to use the Firewall Client Software on the Server and let
> it run against the same Access Rule,..this would allow the machine to not
> have ISA in the LAN's "routing path" to the Internet,...but personally, I
> think you best bet is going to be the SecureNAT Service.
>
> With ISA2004 I have real doubts that it was really working [as you think it
> was]. Because it was a single Nic ISA you therefore would have had a
> Firewall on the LAN that was most likely the Default Gateway of the machine
> or the Firewall was in the LAN's "routing path" to the Internet. The whole
> "proxy setting thing" on the server was probably just flat out
> failing,..which means the server would send the web request directly to the
> Firewall which allowed it out to the Internet, effectively "ignoring" the
> ISA,...so you would have no "visible" indication that it was not working as
> you expected. But now that the ISA is running in a more proper dual nic
> mode there is no way to "get around" the ISA if things fail becuase the ISA
> is litterally physically "in the way",...so now when it fails it is visibly
> obvious.
>
> Anyway in respect to my last post, MS ISA Server is:
>
> 1. CERN Compliant Web Poxy
> 2. Winsock Proxy
> 3. NAT Server (same as typical "hardware firewalls")
>
> It is all three types of Firewalls all rolled into a single product. Which
> "component" of ISA that you use depends on how you setup the Client and the
> ISA to interact with each other. It is possible for a Client to work as all
> three types at the same time and will switch between the "modes" uniquely
> for each connection "session" that the Client is involved in at the moment.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
> Technet Library
> ISA2004
> http://technet.microsoft.com/en-us/l...chNet.10).aspx
> ISA2006
> http://technet.microsoft.com/en-us/l...chNet.10).aspx
>
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/downlo...7/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/p...s/default.mspx
>
> Microsoft ISA Server Partners: Partner Hardware Solutions
> http://www.microsoft.com/forefront/e...epartners.mspx
> -----------------------------------------------------
>
>
>

[Phillip Windell]

"PhilScott" <PhilScott@discussions.microsoft.com> wrote in message
news:A64BA4E2-912C-4B64-BBDD-08F3093EE84D@microsoft.com...
> Can I just say that this is now starting to go off in the wrong tangent.
> The
> problem is not with my ISA Firewall or my rules or how it accesses the
> Internet. The problem is with my server and this application.

> application's service runs!) to download updates. The LOCALSYSTEM Proxy
> (settings in the registry key mentioned previously) is set to the OLD ISA
> SERVER. NO HTTP REQUESTS ARE HITTING OUR CURRENT ISA SERVER AT
> ALL. Are you able to help me with this?

Then I guess not.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

[Sapper]

Hi,

I had the same issue with old proxy settings on my production servers in the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings. If I deleted or change the proxy server key it would repopulate on reboot. I resolved the issue by exporting the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet settings from a from a known good new server build. Deleting the problematic internet setting keys and sub keys (after a backup), then importing the known good registry settings.

Regards Sapper

[Sapper]

Hi Everyone,

Just an update, the above registry import worked for a while but after a few days the behaviour reoccurred.

We finally had success with the following.

• Searched the sysvol on our DC for cs folder
• Found Connect.set & cs.dat files in the cs folder.
• Identified the policy ID that the files belonged to \\servername\sysvol\domainname\Policies\{1FB2E411-2CEF-4324-9C04-730889F5A071}\User\MICROSOFT\IEAK\BRANDING\cs.
• Identified the policy within AD
• Removed and recreated the policy

On the servers that were affected

DELETE values within:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

Clear the ProxyEnable & ProxyServer Values
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Reboot server and check the .default registry settings.

Regards

Sapper

[Sapper]

Hi Everyone,

Just an update, the above registry import worked for a while but after a few days the behaviour reoccurred.

We finally had success with the following.

• Searched the sysvol on our DC for cs folder
• Found Connect.set & cs.dat files in the cs folder.
• Identified the policy ID that the files belonged to \\servername\sysvol\domainname\Policies\{1FB2E411-2CEF-4324-9C04-730889F5A071}\User\MICROSOFT\IEAK\BRANDING\cs.
• Identified the policy within AD
• Removed and recreated the policy

On the servers that were affected

DELETE values within:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

Clear the ProxyEnable & ProxyServer Values
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Reboot server and check the .default registry settings.

Regards

Sapper