In my current role we have DirectAccess deployed to a couple of thousand laptops, and it just works (I've been a big fan of DA from 2012 onwards).
We also use a Symantec proxy service, with the proxy settings set by GPO, which again is fine. However, remote laptop users connecting over DA hit a snag when using WiFi from a hotel, for example:
They would attempt to connect to the guest hotel WiFi, which requires the user to accept the agreement on its captive portal. Of course the corporate proxy cannot be reached from outside, so the browser could not even load the portal page; the user could not get Internet access, and without Internet access the DA tunnel for corporate connectivity was never established. The only way around this was disabling the proxy (through IE), which was insecure and not ideal, so I was given the task of finding a permanent fix.
Symantec offer an agent called Smart Connect, which is essentially a Windows service that runs locally, acts as a local proxy, and has a separate XML file where the exceptions are added. All Internet traffic is still logged through the normal means, and Security are happy that they can track both internal and remote users' traffic.
So how do I go about deploying this to laptops only and updating their proxy settings with no impact on users?
The agent comes in .msi format, so installing it is straightforward; I opted for SCCM. What I found was that the Smart Connect Proxy Service does not start unless the 'agentconfigure.xml' file is present. Perfect, I can use this to my advantage.
I then decided to push the proxy settings via GPO and a batch file. I also applied a WMI filter for 'laptops only' and set security filtering to Domain Users (as we have a large laptop pool where any user can use any laptop).
This Policy will:
- Push a logon script (batch file below)
- Push ‘agentconfigure.xml’ file
- Change proxy settings via Registry Group Policy Preferences
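The post does not show the query behind the 'laptops only' WMI filter, so here is an added example (not the original post's filter) of the common chassis-type approach, together with a PowerShell check you can run on a candidate machine before attaching the filter to the GPO. The WQL and the chassis-type list are my assumptions, not something taken from the post.

```powershell
# Added example, not from the original post. The WMI filter a GPO would carry
# (namespace root\CIMv2) for "laptops only" is commonly written as:
#   SELECT * FROM Win32_SystemEnclosure WHERE ChassisTypes = 8 OR ChassisTypes = 9
#       OR ChassisTypes = 10 OR ChassisTypes = 14
# Below is the same test run locally so you can confirm a machine would match
# before the policy is linked. The chassis-type values are an assumption based
# on the SMBIOS enclosure types for portable form factors.
$PortableChassisTypes = 8, 9, 10, 14, 30, 31, 32   # Portable, Laptop, Notebook, Sub Notebook, Tablet, Convertible, Detachable

function Test-IsLaptop {
    # Win32_SystemEnclosure.ChassisTypes is an array; any portable value counts
    $enclosures = Get-CimInstance -Namespace 'root\CIMv2' -ClassName Win32_SystemEnclosure
    foreach ($enclosure in $enclosures) {
        foreach ($type in $enclosure.ChassisTypes) {
            if ($PortableChassisTypes -contains [int]$type) { return $true }
        }
    }
    # Fallback for firmware that reports an unhelpful chassis type: a battery
    # is a strong hint that this is a portable machine
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue
    return [bool]$battery
}

if (Test-IsLaptop) {
    Write-Output "This machine would match a 'laptops only' WMI filter"
} else {
    Write-Output "This machine would NOT match; policy would be skipped"
}
```

Run this as the checking step on a few representative laptops and desktops (including docked ones, which sometimes report an odd chassis type) before trusting the filter, since a WMI filter that evaluates false silently skips the whole GPO, including the agentconfigure.xml push.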
I only wanted the logon script to run if the Smart Connect agent was installed and the service was running, so I added a service query as below:
sc query SmartConnectService | find "RUNNING"
If the service is running (find returns ERRORLEVEL 0 when it matches "RUNNING"), the script goes on to change the proxy settings:
if "%ERRORLEVEL%"=="0" (
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d http=localhost:80;https=localhost:80;ftp=localhost:80 /f
)
This points the proxy settings at localhost port 80, which is where the Smart Connect agent listens.
I wanted this GPO to always win on Smart Connect clients (remember we have another GPO for internal workstations defining the proxy settings), so this policy was enforced.
For good measure I also added a line that creates a hidden drop file, and used Item-Level Targeting on the registry preference so that the proxy settings only get applied if this script has run successfully.
Code for the full batch file:
timeout /t 10
sc query SmartConnectService | find "RUNNING"
if "%ERRORLEVEL%"=="0" (
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d http=localhost:80;https=localhost:80;ftp=localhost:80 /f
    REM the drop file cannot be written if the folder is missing, so create it first
    if not exist "C:\admintools" mkdir "C:\admintools"
    echo.>"C:\admintools\Proxy.txt"
    attrib +h "C:\admintools\Proxy.txt"
) else (
    echo Program is not running
)
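As an added example (this is my PowerShell version, not the post's own script), here is the same logon logic with the checks I would want before repointing a user's browser at a local proxy: the service check from the `sc query` above, a check that agentconfigure.xml is actually present (the post notes the service will not start without it), and a socket test that something is listening on 127.0.0.1:80, so a user is never left pointing at a dead proxy with no Internet at all. The service name, proxy string and marker path come from the post; the agentconfigure.xml location is an assumption and should be set to wherever the MSI installs it, and setting ProxyEnable is my addition.

```powershell
# Added example, not the original post's batch file. Assumptions are marked.
$ServiceName = 'SmartConnectService'
$ProxyValue  = 'http=localhost:80;https=localhost:80;ftp=localhost:80'
$MarkerDir   = 'C:\admintools'
$MarkerFile  = Join-Path $MarkerDir 'Proxy.txt'
$ConfigPath  = 'C:\ProgramData\Symantec\SmartConnect\agentconfigure.xml'   # ASSUMPTION: adjust to your install path
$RegPath     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-AgentReady {
    # 1. Service installed and running (equivalent of: sc query SmartConnectService | find "RUNNING")
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }

    # 2. The service refuses to start without agentconfigure.xml; confirm it is there
    if (-not (Test-Path -LiteralPath $ConfigPath)) { return $false }

    # 3. Something must actually accept connections on 127.0.0.1:80, otherwise
    #    changing ProxyServer would black-hole the user's traffic
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect('127.0.0.1', 80)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Set-LocalProxy {
    # Equivalent of the reg add in the post, plus ProxyEnable so the value is honoured
    Set-ItemProperty -Path $RegPath -Name ProxyServer -Value $ProxyValue -Type String
    Set-ItemProperty -Path $RegPath -Name ProxyEnable -Value 1 -Type DWord

    # Hidden drop file that the GPP item-level targeting keys on
    if (-not (Test-Path -LiteralPath $MarkerDir)) {
        New-Item -ItemType Directory -Path $MarkerDir | Out-Null
    }
    $marker = New-Item -ItemType File -Path $MarkerFile -Force
    $marker.Attributes = $marker.Attributes -bor [System.IO.FileAttributes]::Hidden
}

# Give the service a moment after logon, as the batch file's timeout /t 10 does
Start-Sleep -Seconds 10

if (Test-AgentReady) {
    Set-LocalProxy
    Write-Output "Proxy pointed at the Smart Connect agent on localhost:80"
} else {
    Write-Output "Smart Connect agent not ready; proxy settings left untouched"
}
```

Because a logon script runs in the user's context, a standard user needs permission to create the marker under C:\admintools (or the folder should be pre-created with write access for users), otherwise the item-level targeting will never see the file and the preference will never apply.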
Here is the GPO settings export in .pdf format: Smart Connect (Jag Sandhu 14_10_2016).