Skip to content Skip to main navigation Skip to footer

Proxy Settings

Group policy proxy settings with Windows Server 2008 R2

Windows Server 2008 R2 does not have GPO settings to force Windows 7 or any other Windows machines with Internet Explorer 9+ to go through the proxy with the usual Internet Explorer Maintenance option that forces proxy settings. Below are helpful articles on how to get this working with the new Group Policy Preferences within Server 2008 R2 registry settings:

Using the PAC file in the new UI

When upgrading an older version 6.x.x of CyBlock to the newer version 9.x.x, the path for the PAC file needs to be updated in the browser settings, if you are using the PAC file to filter Web traffic.

  1. For the automatic proxy configuration in the browser, use the following URL:

http://<IP of Proxy Server>:8080/proxy.pac

  1. Replace port 8080 if this is not your current proxy port.
  2. To view your current proxy port, go to the Settings – Proxy – PAC File screen. The full URL is displayed for your PAC file.

Setting up the Wavecrest certificate for cloud users

If you are a CyBlock Cloud customer, you probably want to allow your cloud users to access secure sites (https://) and need to inspect this HTTPS traffic to ensure that your network is protected from Web threats and to enforce your AUP. The SSL Inspection feature in CyBlock Cloud allows you to inspect this HTTPS activity, but requires that you install the Wavecrest root certificate on your cloud users’ browsers. If the Wavecrest root certificate is not installed in the browser, a certificate warning message will be issued that must be accepted in order to display your blocking message.

Another reason to install the Wavecrest root certificate is if using cookie authentication to confirm the identity of users accessing the Internet through your network. The cookie authentication logon page that is presented to your users is a secure page and is automatically inspected. Therefore, to avoid your users receiving a certificate error, install the certificate on your users’ browsers.

The certificate may be installed in the following ways:

  • Through the browser
  • Using Active Directory GPO
  • Using Microsoft Management Console

The Wavecrest Certificate Installation Guide provides instructions on installing the certificate using Internet Explorer/Google Chrome and Firefox, importing it using Active Directory, and installing it in Windows 7 Professional/Enterprise.

If you need assistance, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

How to troubleshoot Web sites that do not authenticate

This applies to CyBlock Software, CyBlock Appliance, and CyBlock Cloud.

If you have troublesome Web applications that fail to authenticate, you can turn off authentication for that specific IP address to determine if it is an authentication problem.

  1. Go to User Management – Authentication.
  2. On the Rules tab, create a rule as follows:
    • For the network definition, select IP Address/Subnet.
    • For the type of authentication, select Disabled.
    • Enter the IP address of the computer that is experiencing an issue.
    • Add the rule.
  3. Try to access the site again.

If the test is successful, that is, you are able to get to the site, the problem is authentication, and you can add the URL to the Bypassed list in the Authentication Manager.

If the test is unsuccessful, the issue is not authentication, but proxying/filtering. Contact Technical Support for assistance.

For CyBlock Cloud, customers will need to contact Technical Support to have troublesome URLs added to the Bypassed list.

 

See also:

How to set up a captive portal

For CyBlock customers, captive portal is available as an alternative to NTLM authentication in CyBlock Software, CyBlock Appliance, and CyBlock Cloud (version 9.1.0). Captive portal requires an account for each user who wants to access the Internet through your network. When a user tries to access a Web site, a browser cookie authentication logon page is displayed that will allow users to create an account or reset their password if forgotten. When entering their credentials, you can require users to agree to the company’s AUP before continuing on.

The steps to set up a captive portal are highlighted below. Be sure to check out the product Help or manual for detailed instructions.

  1. Set up your rules for proxy authentication. Go to User Management – Authentication.

userManagementAuthenticationRules

Note:  The Bypass and Cache tabs are available in CyBlock Software and CyBlock Appliance only.

  1. Define how long the cookie will persist, and specify and preview the details of your cookie authentication logon page. Go to User Management – Authentication and click the Cookie tab.

userManagementAuthenticationCookie

Note:  In CyBlock Appliance and CyBlock Cloud, this tab will be displayed differently.

  1. Ensure that users have an e-mail address entered in Groups and IDs. Go to User Management – Edit Users – Modify.

userManagementEditUsersModify

  1. Set up users’ browsers to allow local addresses to go through the proxy, that is, to not bypass the proxy server.
    • In Internet Explorer, go to Tools – Internet options and click the Connections tab.
    • Click LAN settings.
    • Under Proxy server, ensure that the “Bypass proxy server for local addresses” check box is not selected.
  2. Access a Web site, and the cookie authentication logon page will appear allowing you to create an account.
  3. After creating your account, enter your new password, and you will be redirected to the Web site that you were trying to access.

For additional assistance, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Configuring Windows Server 2012 and Windows Server 2008 R2

Configuring Windows Server 2012 and 2008 R2 to push out a group policy to all users can be challenging with Microsoft’s introduction of Group Policy Preferences. These preferences provide more than 20 Group Policy extensions that increase the number of configurable settings in a Group Policy object (GPO). Within most preference items, the configuration interface looks similar to the applicable user interface for configuring settings so the layout will be familiar. The guidelines to set up users’ browsers with a proxy configuration are alike for Internet Explorer 7, 8, 9, and 10, and the following instructions are for Internet Explorer 10.

  1. Go to Group Policy Management, and select the GPO to which you want to add the Internet Explorer 10 settings.
  2. Edit the GPO.
  3. In the Group Policy Management Editor, go to User Configuration, Preferences, Control Panel Settings, and then Internet Settings. If you have already created settings for Internet Explorer 7, 8, and 9, they will be displayed here.
  4. Right-click in the right-hand pane, select “New,” and then select “Internet Explorer 10.”
  5. In the New Internet Explorer 10 Properties dialog box, click the Connections tab, and then click LAN Settings.
  6. Under Proxy server, select the check box to enable the “Use a proxy server…” option.
  7. In the Address field, enter the IP address of your proxy server, and in the Port field, enter the port number.
  8. Now you need to enable the settings and apply them to all users. You can individually enable and disable underlined settings or settings preceded by a circle within a preference item. The underlining or circle of the setting indicates whether it is currently enabled or disabled.
    • A setting with a solid green underline or a green circle is enabled. The preference extension applies this setting’s value to the user or computer.
    • A setting with a dashed red underline or red circle with a slash is disabled. The preference extension does not apply this setting’s value to the user or computer.
  9. Press the following function keys to enable or disable the settings within a preference item. To select a setting, click the actual text of the setting or its text field.

    • F5 – Enable all settings on the current tab.
    • F6 – Enable the currently selected setting.
    • F7 – Disable the currently selected setting.
    • F8 – Disable all settings on the current tab.
  10. After enabling the settings, select the check box to enable the “Bypass proxy server…” option.
  11. Click OK, Apply, and then OK to save the changes. You will see the Internet Settings entry for Internet Explorer 10 along with Internet Explorer 7, 8, and 9, if they were previously created.

Configuring proxy settings in IE 10 and 11 with registry settings

For IE 10 and 11, the alternative way of configuring proxy settings is deploying the registry keys directly.

Key path/location for the registry keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

  • Automatically detect settings

Registry key: “AutoDetect”
Value Type: REG_DWORD
Value Data:
0 = Disable
1 = Enable

The key AutoDetect is only visible before you start IE 10 (or IE 11) on the machine, as IE will interpret it immediately and then delete the key right after.

  • Use automatic configuration script

Registry Key: “AutoConfigURL
Value Type: REG_SZ
Value Data: “http://<servername|host>/my_proxy.pac”

  • Proxy server

To configure this, you may need up to 3 registry keys:

ProxyEnable” check box for “Use a proxy server for your LAN (these settings will not apply to dial-up or VPN connection)
Value Type: REG_DWORD
Value Data:
0 = Disable
1 = Enable

ProxyServer
Value Type: REG_SZ
Value Data: “ProxyServerName:Port”

ProxyOverride
Value Type: REG_SZ
Value Data: “list_of_exclusion”

Value Data: “list_of_exclusion;<local>”
<local> value represents the check: “Bypass proxy server for local addresses
The value is added automatically when enabling the check box in the GPP User Interface (UI) when deploying through the registry key is required.

Deploying the registry keys via GPP registry item

There are different ways to deploy the registry keys, and it is important to correctly deploy the registry keys provided above.

Location of the policy: User Configuration / Preferences / Windows Settings / Registry / Right Click + New + Registry Item

REGISTRY AND SETTING CONFIGURATIONS
  • Automatically detect settings

Action: Replace

Hive: HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name: “AutoDetect”

Value Type: “REG_DWORD”

Value Data: “0” or “1”

0 = Disable

1 = Enable

  • Use automatic configuration script

Action: Replace

Hive: HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name: “AutoConfigURL”

Value Type: “REG_SZ”

Value Data: “http://<servername>/my_proxy.pac”

  • Use a proxy server for your LAN (These settings will not apply to dial-up for VPN connections)

Action : Replace

Hive: HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name: “ProxyEnable”

Value Type: “REG_DWORD”

Value Data: “0” or “1”

0 = Disable

1 = Enable

  • Proxy Server : ProxyServerName:Port

Action: Replace

Hive: HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name: “ProxyServer”

Value Type: REG_SZ

Value Data: “ProxyServerName:Port”

  • ProxyOverride

Action: Replace

Hive: HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name: “ProxyOverride”

Value Type: “REG_SZ”

Value Data: “192.168.1.*;*.domain.com;<local>”

  • Bypass proxy Server for local addresses

The option is represented by the entry “<local>” added in ProxyOverride setting value data.

See https://blogs.msdn.microsoft.com/askie/2015/10/12/how-to-configure-proxy-settings-for-ie10-and-ie11-as-iem-is-not-available/, Case 2, Step 2 for more information.

Disappearing entries in Authentication Manager

There is a known issue with Authentication Manager in versions prior to 6.8.2e. Adding a new bypass entry appears to delete all other entries. A service restart may alleviate the issue until the next entry is added.

Upgrading to at least version 6.8.3a is recommended (Administration – Product Update).

Note:  A new release with a redesigned user interface and enhanced functionality is available. Get more information on this upgrade at http://www.wavecrest.net/support/announcements.html.

Laptop users and off-site access (PAC file)

When users are outside the network, they will not be able to access the Internet if proxy settings are in place. The proxy auto-config (PAC) file allows users to access the Internet directly after a time-out period, if no proxy is found.

  • For version 9.0.5 and later, use http://<IP of Proxy Server>:8080/proxy.pac.
  • For version 6.8.3a and earlier, use http://<IP of Proxy Server>:7999/pac/proxy.pac.

 

To bypass the proxy for certain domains, use the exceptions field in the CyBlock interface.

  • 9.0.5 and later: Settings – Proxy – PAC File
  • 6.8.3a and earlier: Advanced Settings – Proxy Settings – PAC File Configuration

How to manually configure proxy settings in browser

Microsoft Internet Explorer

  1. Go to Tools – Internet options – Connections – LAN settings.
  2. Select Use a proxy server for your LAN.
  3. Enter the IP address of your proxy server. The default port is 8080.
  4. Clear the Automatically detect settings check box.

 

Google Chrome (uses system settings by default)

  1. At the top-right of the browser, click the Customize and control Google Chrome icon and select Settings.
  2. At the bottom, click Show advanced settings…
  3. Scroll down to Network and click Change proxy settings…
  4. Click LAN settings and follow the instructions for Internet Explorer above.

 

Mozilla Firefox

  1. At the top-right of the browser, click the Open menu icon and select Options.
  2. Go to Advanced – Network – Connection and click Settings.
  3. Select Manual proxy configuration.
  4. Enter the IP address of your proxy server. The default port is 8080.
  5. Alternately, if you already have proxy settings configured in Internet Explorer, you can select Use system proxy settings.

How to bypass authentication requests from specific URLs

In the CyBlock interface, go to User Management – Authentication and select the Bypass tab¹ ².

  1. Click the green button green button in the upper right-hand corner to add a new bypassed entry.
  2. Enter the applicable URL. Asterisks are accepted as wildcards.
  3. For “User-Agent,” enter an asterisk (*).
  4. Click Add.

Note:  Bypassed traffic does not return a user name, only an IP address. Traffic of this nature is logged under the ID “bypassed”. A report can be run on “bypassed” in order to see the IP addresses.

 


¹ For CyBlock version 9.0.5 and later: User Management – Authentication – Manager. Click Add new bypass entry at the bottom of the Bypassed list.

² For CyBlock version 6.8.3a and earlier: Advanced SettingsProxy SettingsAuthentication Manager. Click Add new bypass entry at the bottom of the Bypassed list.