Some of our systems have extra "security needs" and are not allowed to initiate outgoing connections by default. This means that IP ACLs are used so that they can only reach the necessary services (SMTP gateway, DNS resolvers, NTP etc.).
...
```
^(.*\.|)(s-)?microsoft\.com$
^(.*\.|)windowsupdate\.com$
^(.*\.|)microsoftupdate\.com$
^(.*\.|)secunia\.com$
^(.*\.|)vmware\.com$
^(.*\.|)msftncsi\.com$
^(.*\.|)public-trust\.com$
^(.*\.|)thawte\.com$
```
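To check what the domain patterns above actually let through before deploying them, here is an added example (not part of the original page) that evaluates constructed hostnames against the same patterns; it assumes the proxy matches case-insensitively and ignores a trailing dot, which is the normalisation done here, not necessarily the proxy's own behaviour.

```python
import re

# Allowlist patterns copied from the page. Each one is anchored with ^ and $ so
# that only the domain itself or one of its subdomains matches; a lookalike
# such as "notmicrosoft.com" or "microsoft.com.example.net" does not.
ALLOWED_DOMAIN_PATTERNS = [
    r"^(.*\.|)(s-)?microsoft\.com$",
    r"^(.*\.|)windowsupdate\.com$",
    r"^(.*\.|)microsoftupdate\.com$",
    r"^(.*\.|)secunia\.com$",
    r"^(.*\.|)vmware\.com$",
    r"^(.*\.|)msftncsi\.com$",
    r"^(.*\.|)public-trust\.com$",
    r"^(.*\.|)thawte\.com$",
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in ALLOWED_DOMAIN_PATTERNS]


def is_allowed(host: str) -> bool:
    """Return True if a destination hostname matches one of the allowlist patterns."""
    # Assumption: hostnames compare case-insensitively and a trailing dot is ignored.
    host = host.strip().rstrip(".").lower()
    return any(p.match(host) for p in _COMPILED)


def audit(hosts):
    """Split hostnames into (allowed, refused) according to the allowlist."""
    allowed = [h for h in hosts if is_allowed(h)]
    refused = [h for h in hosts if not is_allowed(h)]
    return allowed, refused


if __name__ == "__main__":
    # Constructed sample destinations, not taken from any real proxy log.
    sample = [
        "update.microsoft.com", "s-microsoft.com", "download.windowsupdate.com",
        "notmicrosoft.com", "microsoft.com.example.net", "evil-vmware.com",
    ]
    ok, bad = audit(sample)
    print("allowed:", ok)
    print("refused:", bad)
```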
Configuring operating systems and software to use the proxy
Now that you have a proxy, your software should use it as well.
Every OS has its own way of configuring these settings, and not everything is clear from the start. I'll list a few things I ran into while trying to massage everything to use our proxy.
Windows servers
Windows 2003
There are two ways to update software on Windows 2003 (and XP).
- The "Windows Update" start menu item opens http://update.microsoft.com/windowsupdate/v6/default.aspx in an Internet Explorer browser window. For this to work through a proxy, go to Control Panel -> Internet Options. This brings up the IE settings dialog; go to Connections -> LAN settings and fill in the proxy details there.
For automatic updates to work, go to Control Panel -> System -> Automatic Updates, and configure it to your needs (I usually let them install automatically because I don't have the time to look at all the updates, let alone test them. If an update screws up - tough luck).
The downloading of updates is done by BITS, but this does not honour any of the settings from Internet Options. Proxy settings for BITS are configured using the proxycfg command:

```
C:\Documents and Settings\Administrator>proxycfg -p proxy.terena.org:8888

Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.

Updated proxy settings
Current WinHTTP proxy settings under:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings :

    Proxy Server(s) :  proxy.terena.org:8888
    Bypass List     :  (none)
```
Windows Server 2008R2/2012
There is only one way to configure the updates and that is through the Windows Update control panel.
Similarly to 2003, the proxy settings of BITS need to be set using a command, this time it is done using netsh:
```
C:\Users\Administrator>netsh winhttp set proxy proxy6.terena.org:8888

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy6.terena.org:8888
    Bypass List     :  (none)
```
There might be other (third-party) software that uses Internet Explorer to phone home for updates etc. In that case, you need to use the Internet Options control panel again.
This works the same on the client versions Windows Vista, 7, and 8.
Monitoring
To keep an eye on any refused domains that your hosts might try to access, run this script every morning, after the log files have been rotated (7 AM is a good time on Ubuntu systems):
...