Udostępnij za pośrednictwem


WinHTTP Proxy Settings deployed by GPO

Hello everyone! Dante here, once again, trying to help you get a new trick to be delighted.
Have you ever wondered how would you configure the proxy for Windows components such Windows Update, the NCSI and others? You probably know you can do that manually on each machine you need, which is very cool, but what happens when you have more than 100 servers you need to configure for this feature?
Don't worry, you don't need to hire slave-script-writers monkeys, just need to know 3 things:

  • Where do I configure the proxy for Windows components?
  • Where is this configuration stored?
  • How can I massively deploy that information?

Let's start for the beginning. Windows has 2 places where you can configure the proxy:

  • Internet Settings Control Panel (or inetcpl.cpl for you guys who are advanced users)
  • WinHTTP Windows Services.

The main difference between them is that the Internet Settings Control Panel works at the User level, while the WinHTTP Windows Component works globally at the computer level. In this note you can see how to deploy the Internet Settings Control Panel configurations for Proxy for the latest versions by GPO. That's amazing, but will only apply at the user level.

In some scenarios, you would love to have your Windows servers use a proxy to contact Windows Update services to download the updates, instead of the direct contact to the internet, since it will let you have more control of your traffic. If you don't have a Proxy server configured in the WinHTTP Services, your machine will try to directly contact the internet for any web traffic coming, for example, from the Windows Update service, so you will have no control on such communications. For Windows Update management and centralization in enterprise environment we highly recommend using WSUS instead of the normal Windows Update service, but that depends on you.

Now, coming back to our topic, how can I configure the proxy for the WinHTTP Services?

There is a simple way to do that, by issuing the following command on a command prompt with elevated privileges:

netsh winhttp set proxy <server IP or FQDN>:<Port> "<Exclusion list, separated by ";">"

As an example, this command will configure the address proxy.contoso.com in port 8080, with the exclusion of "localhost" and "contoso.com" domain:

netsh winhttp set proxy proxy.contoso.com:8080 "localhost;*.contoso.com"

Looking at the help of the command will show you some other parameters that can be used:

C:\WINDOWS\system32>netsh winhttp set proxy ?``Usage:  set proxy [proxy-server=]<server name> [bypass-list=]<hosts list>``Parameters:`` Tag             Value``  proxy-server  -  proxy server for use for http and/or https protocol``  bypass-list   -  a list of sites that should be visited bypassing the``                   proxy (use "<local>" to bypass all short name hosts)``Examples:``  set proxy myproxy``  set proxy myproxy:80 "<local>;bar"``  set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.foo.com"

You can also import the settings from the Internet Settings Control Panel, but bear in mind the WinHTTP Services do not support the use of Scripts (like PAC or DAT files). For such behavior you can use following command:

netsh winhttp import proxy source=ie

Again, this works only for the manual section of the Internet Settings Control Panel proxy configuration, does not work for the automatic detection or the scripts.

The last part would be to check and ensure your proxy settings got properly applied to the WinHTTP Services. You can achieve that by issuing the following command:

netsh winhttp show proxy

Depending on the configuration, the output will look like this if nothing got applied:

C:\WINDOWS\system32>netsh winhttp sh proxy``Current WinHTTP proxy settings:``    Direct access (no proxy server).

Or something like this if you had your proxy settings properly updated:

C:\WINDOWS\system32>netsh winhttp sh proxy``Current WinHTTP proxy settings:``    Proxy Server(s) :  proxy.contoso.com:8080``    Bypass List     :  localhost;*.contoso.com

If you have everything properly set up and want to get back to direct connection, you'll need to issue the following command:

netsh winhttp reset proxy

Alright, I totally understood how all this WinHTTP proxy stuff works but, where is all that data stored in Windows?

That's a great question! Since you now know how to configure your proxy at system level, you now need to know where to look for that information.
All those configurations are stored in a registry key located in the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Under the following Key name:

Key Name: WinHttpSettings``Type: Binary``Value (for Direct Access or No Proxy): 1800000000000000010000000000000000000000

When you modify the actual settings, and look for the new value, in the registry it will look like this:


Perfect! I already know how to configure it and where it is stored. Thank you! Now... What do I do with this information?

Now you already have the proper proxy configuration and the registry key, the only thing you need to do is to deploy these settings through a Group Policy Preference (or GPP)!
Let's begin with the process. I encourage you to do this from a simple workstation that will not affect your production environment. Doing this in a Domain Controller, for example, may get you in serious trouble, and saying this I totally disclose any responsibility in you :)

First Step: Open a Group Policy Management Console (or gpmc.msc from the command prompt) and create a new Group Policy Object with a name (I will do it as TestWinhttpProxy)

Second Step: Edit the GPO and locate the following path: Computer Configuration > Preferences > Windows Settings > Registry

Third Step: Right Click on the Registry item and select "New > Registry Item"

Fourth Step: In General tab leave action as "Update" and browse for your local WinHttpSettings registry key.

Fifth Step: Hit OK and Close the editor. You should see something like this (mine is showing the No Proxy configuration):

Sixth and last Step: Link the GPO to the desired OU.

Once you have all of this already setup you can just wait in your comfortable chair drinking a cup of coffe until the GPO applies or simply go to a target machine and execute a GPUPDATE /FORCE to make it happen NOW!

If everything went as we expect you should see the new configuration in place by doing the "show proxy" Network Shell command for WinHTTP.

Hope you enjoyed this entry and see you soon!

Comments

  • Anonymous
    January 15, 2019
    Great article Dante, ThanksI've got a few questions: 1: Is it possible to add subnets to the bypass list, we like a lot of orgs use this capability in PAC files to bypass/avoid traffic for internal traffic using private subnets (suspect the answer is No, but I live in hope) 2: If the defined proxies arent available how does it behave ...in other words does it give up or does it try a direct connection 3: Can Web browsers use alternative proxy settings e.g. proxy defined via internet settings including use of PAC file?
    • Anonymous
      January 15, 2019
      The comment has been removed