If you tell enough stories, perhaps the moral will show up.


Proxy Access for Services

Of course you want to use a web proxy, but some of your services need web access. Proxy settings are per-user, and if you run services as specific users you can log on and set them. But for the built-in anonymous accounts SYSTEM, SERVICE, how can you tell them where to find the proxies?

The obvious need for this is to get Windows Update working behind a proxy server. It's needed even if you are using the web interface, because WU still depends on the BITS service.

Well there are a number of ways. But what's easy is proxycfg, a command-line program that will create the appropriate entries in

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings

The program is in the XP build, but it runs fine on W2K -- just copy it over. Running it with the -u option will copy the current user's settings in to the service default and you're done.

Of course, you still need to ensure that the requests will be permitted by the proxy: The service can't authenticate. On our Bluecoats, you make a combined destination object that precedes authentication and is accepted on the first rule.

No comments: