Windows server 2016/2019 ignore proxy settings

Peter Garlic 21 Reputation points
2020-11-02T16:13:00.647+00:00

Hi all
we are checking network connections of windows servers inside our lab.
We got 2 VM (2016/2019) configured to use proxy with latest level of updates.

Inside the lab firewall logs we found that both servers were attempting connections to public addresses.

On both Windows VMs the command "netsh winhttp set proxy x.y.z.w:8080" didn't fix the problem and the VMs are still attempting to connect to public IPs (for example: 13.68.93.109 13.74.179.117 40.125.122.176 40.81.120.44 51.103.5.159 51.105.208.173 51.124.78.146 40.90.137.120 40.90.137.124 40.90.23.247 52.114.77.33, etc.) on TCP ports 443 and 80.

Adding these addresses to deny rules of the internal firewall doesn't solve the problem because the VMs restart the connection attempts to a different public IP.

What are these connections and how can we stop this unwanted traffic?

Thanks in advance

Windows for business | Windows Server | User experience | Other

Accepted answer
  1. Anonymous
    2020-11-03T08:31:11.903+00:00

    Hi,

    Thanks for posting in Q&A platform.

    Regarding your issue of VMs initiating connections to some public IPs, I would like to suggest that you first find which process is sending traffic to these IP addresses. You could check the process with Resource Monitor as below.

    [screenshot: 37122-image-1.jpg]

    If the process belongs to a third-party application, please kindly reach out to the third-party application for help on how to stop connecting to these IP addresses.

    If not, please kindly share with us which process initiated the connection.

    If you cannot find which process initiated the connection in Resource Monitor, I would like to suggest you find out the process with Network Monitor.

    You could download Network Monitor from the following link:
    https://www.microsoft.com/en-us/download/details.aspx?id=4865

    Note: Due to the community's security policy, analysis of network traffic is beyond community support level.

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


5 additional answers

  1. Peter Garlic 21 Reputation points
    2020-11-03T16:46:04.06+00:00

    Hi,
    thanks for your fast feedback.

    The connection seems to be attempted from the svchost service.

    [screenshot: 37224-w2k16-01b.png]

    [screenshot: 37216-w2k16-02b.png]

    [screenshot: 37187-w2k16-03b.png]


  2. Anonymous
    2020-11-04T03:24:09.88+00:00

    Hi @Peter Garlic

    Thanks for your feedback.

    svchost.exe is a system process that hosts multiple Windows services in the Windows NT family of operating systems. Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption.

    If you want to further verify which service initiated these connections, we might need to collect more logs for further analysis. Please understand that analysis of logs is beyond our forum support level. I would suggest you open a case with Microsoft, where a more in-depth investigation can be done so that you would get a more satisfying explanation to this question.

    You may find the phone number for your region from the link below:

    Global-Customer-Service-phone-numbers

    It is also appreciated if other members of our forum can share their experience with us about this question.

    Best Regards,
    Sunny

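    A PowerShell snippet that ties the two suggestions above together (added here as an example; it is not code from the thread or from Microsoft): it lists outbound TCP connections to non-private IPv4 addresses and, for each owning PID, names the process and the Windows services hosted in it, so a hit on svchost.exe can be narrowed to the service behind it. The cmdlets are standard Windows 2016/2019 ones; the private-range filter and the output layout are my own choices.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the server under investigation.

function Test-PrivateIPv4 {
    param([string]$Address)
    # Assumed scope: RFC 1918 ranges plus loopback and link-local are "internal"
    return ($Address -match '^10\.' -or
            $Address -match '^172\.(1[6-9]|2\d|3[01])\.' -or
            $Address -match '^192\.168\.' -or
            $Address -match '^127\.' -or
            $Address -match '^169\.254\.')
}

# Map each service-hosting PID to the services running inside it (svchost groups)
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# Established and half-open (SYN sent, i.e. still being blocked at the firewall)
# connections to public IPv4 addresses
Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object {
        $_.RemoteAddress -match '^\d+\.\d+\.\d+\.\d+$' -and
        -not (Test-PrivateIPv4 $_.RemoteAddress)
    } |
    ForEach-Object {
        $pidKey = [string]$_.OwningProcess
        $proc   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $hosted = if ($servicesByPid.ContainsKey($pidKey)) {
            ($servicesByPid[$pidKey] | ForEach-Object { $_.Name }) -join ','
        } else { '' }
        [pscustomobject]@{
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
            State    = $_.State
            PID      = $_.OwningProcess
            Process  = $proc.ProcessName
            Services = $hosted   # empty for non-service processes
        }
    } |
    Sort-Object Remote |
    Format-Table -AutoSize
```

    Run it a few times while the firewall is logging the blocked attempts; the Services column is what distinguishes one svchost.exe instance from another.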

  3. Peter Garlic 21 Reputation points
    2020-11-04T10:40:23.173+00:00

    Hi @Anonymous,

    before opening a support case I would like to find out how to set the proxy configuration "system wide" (excluding private IPv4 classes) to reduce the investigation points.

    It seems impossible to me that this target cannot be reached using environment vars/registry/policies.

    I will update this post after some more tests.

    Regards
    -Peter


  4. Peter Garlic 21 Reputation points
    2020-12-02T08:31:54.36+00:00

    How to remove NTP queries (udp/123)

    By default Windows attempts NTP sync to a public address.
    If you have one internal NTP server this can be changed with:

    w32tm /config /syncfromflags:manual /manualpeerlist:"ip-of-ntp-server"
    w32tm /config /reliable:yes /update
    w32tm /resync

    -Peter

    (...work in progress...)
