Endpoint Protection

Guys,

I have a problem here. I have some traffics between my proxy server and my client and GUP.

Below is a line of my Squid Proxy Log, take a look:

1375721874.525  27449 172.20.101.105 TCP_MISS/206 1319830 GET http://172.20.101.6:2967/content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/130802002/xdelta130725002.dax - DIRECT/172.20.101.6 text/plain
 

172.20.101.105 = client in the LAN

172.20.101.6 = GUP in the same LAN

I do not know why, but some connections is using my proxy. The traffic must be directly from the client to the GUP, cause they are in the same subnet.

When my user connects in the domain, we have some polices to apply internet settings, like proxy and exceptions. Yes, we have exceptions for 172.20.* and for SEPM servers IPs inside the IE Exceptions.

I did a double check in the group, External Communications Setting inside the SEPM and I have Do Not Use a Proxy Server..

It seems SEP client does not respect the IE settings and uses proxy to connect through the LAN

But, why is it happening? Any idea how to fix it?

Thanks!

What's the exact SEP version you're using?

Have you set any Location Specific policy? These logs are from Laptop or from  a Desktop  Client?

SEPM 12.1.2

And the client in the case, is 12.1.1

I have location Mobile, just for the group Notebooks.

The client and the GUP, in this case, are not in the group Notebook, so, they dont have any other location, just Default.

Maybe is there any config inside the Windows, that uses a proxy for the local system? Because if I turn on the machine, but I dont log in the domain, what config SEP will use for IE?

So is the client bypassing the GUP?

To reach the GUP, the client is going through the Proxy...

The connection must be directly from the client to the GUP...

Client = 172.20.101.105

GUP = 172.20.101.6

Proxy = 172.19.4.147

They do not need to use Proxy for this connection.

can you try this

Back up registry
1. Click Start, and then click Run.
2. In the Open box, type regedt32, and then click OK.
3. Locate HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\.
4. Right Click on Connections from the menu, click Export.
5. In the Save inbox, select a location in which to save the .reg file, type a file name in the File name box, and then click Save. 

Remove DefaultConnectionSettings & SavedLegacySettings
1. Delete the following registry keys:
HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
2. Reboot the system.

pete,

could you explain me what is the meaning of?

Gotcha. The setting you checked about not using a proxy, I believe only applies it the client tries to go out to the Internet for submissions and would not factor in in this case since you're on your internal network.

In IE, do you use a PAC file or is it automatically configured to use a proxy?

Can you check on one of the affected clients in Control Panel -> Symantec Liveupdate -> is the proxy configuration specified here -> if yes can you set it not to use proxy traffic and see if the connection to GUP gets the over the LAN?

In IE have you checked bypass proxy for local server address. If its done with different tool or pac file,just check it once again.

Rafeeq,

I dont have Symantec Liveupdate in the Control Panel. In SEP 12 this option doesnt exist anymore, right?

Yes, in the IE I have this option checked. For example, if I open the browser and access http://IP_GUP:2967/content/contentinfo.txt I do not use proxy for this connection.

No PAC file. Settings configured by GPO, to use the proxy.

Can you confirm this once for system account. 

How to verify SYSTEM account proxy settings on Windows XP

Interesting as to why the proxy is being used. I use a PAC file but do not experience this. Are all clients affected or only specific ones? Did this work as expected in previous versions?

grep -c :2967 /var/log/squid/access.log
8508
 

8508 is the rows with 2967 in my Proxy since Sunday or Monday... So, I have more than 1 or 2 clients.

About others versions, I dont know. I noticed it months ago, so I allowed this traffic, because it was denied by the proxy. (some months ago) and yesterday I received many issues with bandwidht cause of this.

Good News!!!

I executed that command Rafeeq on Windows XP, and I could check that the proxy configuration is wrong.

But, this wrong config just occur on windows XP and why it happen?

Is there anyway to fix it for all clients, like GPO?

Great new , all you have to do is to erase the proxy info in reg and reboot so that it can load the new ones.

Here is the step

Back up registry
1. Click Start, and then click Run.
2. In the Open box, type regedt32, and then click OK.
3. Locate HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\.
4. Right Click on Connections from the menu, click Export.
5. In the Save inbox, select a location in which to save the .reg file, type a file name in the File name box, and then click Save. 

Remove DefaultConnectionSettings & SavedLegacySettings
1. Delete the following registry keys:
HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
2. Reboot the system. after reboot it should use the new setting and no proxy request on your server.. please keep us posted

Nice... And this problem occur just with Windows XP and SEP 11?

These the keys with store the proxy info it not updated properly you would face such issues. It might happen on all the OS as well not specific to XP alone. We have seen issues with Win7 as well. Did you fix it ? :) All is well :) ??

Ok, I got it.

Well, I made a change yesterday, but I didnt produce the error again.

I will apply it for all clients, and I will check my squid log.

Anyway, it is clear to me that the problem was it.

Thanks Rafeeq, Brian and Pete