In most environments a proxy server is required to allow applications and web browsers to  communicate with the internet.  In Windows environments, proxy settings are typically configured in the ‘Internet Options‘ for Internet Explorer. Other applications can also use this information. Still, there are some applications and services that will not be able to use the IE proxy server. This post will describe why and how you can configure the different proxy settings.

In general, applications can use proxy servers in 3 major ways:

  • Applications that have their own proxy settings. The settings must be configured in the application itself and the types of proxies that are supported depends on the application. The application is basically doing a lot of down-level tasks by itself, for example directly using the Winsock library to create TCP connections.
  • Applications using the WinINET library.  WinINET is an API that can be leveraged in order to avoid reinventing the wheel. WinINET is the core of Internet Explorer and can also be used by other applications. Almost all functions available in IE (cookie handling, SSL, authentication, pop ups,..) are available.  As such applications using the WinINET library directly take over the same proxy settings as the ones configured in Internet Explorer.
  • Applications using the WinHTTP library. WinHTTP is more suited for non-interactive usage, such as windows services or background tasks that need to communicate over HTTP where no user-interaction is required. It is a lot faster than the WinINET library.  WinHTTP is also easily accessed from .NET based applications making it a popular library for .NET Applications. WinHTTP by default does not use the proxy settings from WinINET. Typical examples for applications and services using WinHTTP are:
  • Adding/Removing features and roles in Windows 8.
  • Windows Update
  • Certificate validation of code
  • Signed binaries / .NET applications that validate the certificate during application launch.

For both WinINET and WinHTTP, the proxy can be configured using different mechanisms:

  • proxy auto-configuration scripts
  • auto-discovery
  • manual configuration

Proxy Configuration for WinHTTP

By default, WinHTTP does not use the WinINET proxy settings that are defined in IE. The developer using WinHTTP can choose to perform an auto-detect of the proxy server to use, or specify a server manually. When a proxy server is not specified, WinHTTP falls back to the default WinHTTP proxy setting. This can be configured using the NETSH.EXE command line utility.

View current WinHTTP default proxy settings:
netsh.exe winhttp show proxy

Set a fixed default WinHTTP proxy server and exclude local addresses:
netsh.exe winhttp set proxy <proxyserver:port> “”

Import the IE proxy settings of the current user as the default WinHTTP settings:
netsh.exe winhttp import proxy source=ie

What about x64 and x86 ?
When you want to configure the WinHTTP proxy settings for 32-bit applications on a 64-bit platform, you have to start the netsh.exe utility from the C:\Windows\Syswow64\ folder.

Proxy Configuration  for WinINET

Windows proxy settings explained

IE Proxy Settings (WinINET)

These proxy settings are typically configured using IE (see screenshot above) but other methods are available for each option. Note that these proxy settings are by default Per User. The following sections lists the registry keys that can be used to configure each setting. The keys can be configured using a logon script, group policy preferences, or User Environment Management tools such as AppSense, RES and others.

Automatically detect settings:

This is enabled by default. When this setting is enabled, the Web Proxy Auto Discovery (WPAD)  protocol is used.  The proxy will be discovered by checking DHCP option XX or by issuing a DNS query to a WPAD A record in the current domain and top level domains.  When an address is returned, that server will be queried to download a proxy autoconfiguration file containing the logic to determine the correct proxy to use for a given URL.

How to control Automatically Detect Settings?

Registry Key : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
DWORD AutoDetect = 0 or 1

More information about the WPAD protocol can be found here: http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

Use a proxy autoconfiguration script

An administrator can also specify the URL to an autoconfiguration script directly. This script is then downloaded and parsed. PAC scripts should have the .pac extension and contain the javascript function FindProxyForURL() that contains the required logic. The script returns either DIRECT or PROXY <server> .

How to control the Autoconfiguration Script setting?

Registry Key : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
REG_SZ AutoConfigURL = http://<your url>/proxy.pac
REG_DWORD ProxyEnable = 0

Manually specify proxy server

The proxy server(s) to use can also be specified manually, including a list of exceptions.

How to control manually specified proxy server?

Registry Key : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
REG_SZ ProxyServer = “<your proxyserver>:<port>”
REG_SZ ProxyOverride = “<local>;<your exclusion>”
REG_DWORD ProxyEnable = 1

Making WinINET Proxy settings per-machine

The settings for the IE proxy are by default per user. This means that a user always has the ability to change his own proxy settings. In order to force a specific proxy server for all users on a machine, the proxy settings can be made machine-wide. This means only users with administrative rights can change the proxy settings. In order to make the proxy settings machine-wide, the following registry key or GPO must be set:

GPO: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Make proxy settings per-machine (rather than per user)
Registry Key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DWORD: ProxySettingsPerUser = 0

The same registry keys can be used as for manually specifying the proxy server, but they have to be set in HKLM instead of HKCU.  The machine-level settings can also be changed by running Internet Explorer as Administrator.

What about x64 and x86 ?
By default the IE proxy settings are configured per-user. Within the HKCU registry hive, there is no distinction between x86 and x64 so the configured settings apply to both architectures.
When the above change is made to apply proxy settings machine-wide, the settings are stored in HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings AND in HKLM\Software\Wow6432Node\…
When the settings are changed with IE (Run As Administrator) they will be updated in BOTH locations. When you want to set the machine-wide proxy manually you have to update the two locations.

2018-02-26T14:38:55+00:00September 9th, 2014|

About the Author:

Leave A Comment

SecureLink Belgium