Optimizing Connection and Proxy Settings

When you roll out new computers or make changes to your network, much of your time can be spent configuring connection and proxy settings. Rather than relying on an image build of a machine that might not be up to date or making setting changes manually, you can use Group Policy to roll out changes for you. This saves you time and allows you to focus on more important tasks.

Deploying Connection Settings Through Group Policy

Computers can have network connections for dial-up, broadband, and virtual private network (VPN). You configure network connections manually using the Network Connections utility in Control Panel, and you can use Group Policy to deploy new configurations, to update existing configurations when you need to make changes, and to delete existing configurations and replace them with new ones.

Whenever you manage connection settings through Group Policy, you should create the necessary connections on a test system and then check them by dialing in to the network, connecting through broadband, or using VPN as necessary. Once you’ve verified the settings, you can import the settings into the Connection Settings policy from the test system. Be sure to import settings at the appropriate level in Group Policy. In most cases, you won’t want to roll these settings out to the entire domain and instead will want to apply these settings only to the appropriate Active Directory OUs.

When you work with connection settings, you should note several important caveats:

  • Local area network (LAN) settings for automatic detection and proxy servers are also imported with the connection configuration settings. The address for automatic configuration scripts is not imported, however. These settings are managed with the Automatic Browser Configuration policy.

  • Existing connections with the same names as the imported connections are updated with the new settings, so you don’t need to delete the existing settings to make these updates. You must delete existing settings only if you think that users or other administrators have created connections that might no longer be valid and you want to make sure they are removed to prevent connectivity problems.

  • When you deploy connection settings, you have the option of deleting existing connection settings. When you do this, all previous connections created by both administrators and users are permanently removed.

You can deploy connection settings through Group Policy by completing the following steps:

  1. Create the necessary connections on a test system, and then check them by dialing in to the network, connecting through broadband, or using VPN as necessary.

  2. Once you’ve verified the settings, log on to the system where you created the connection settings you want to use.

  3. Access User Configuration\Windows Settings\Internet Explorer Maintenance\Connection in Group Policy. Double-click Connection Settings in the right pane. This displays the Connection Settings dialog box, shown in Figure 8-7.

    Figure 8-7. Importing connection settings from your test computer

  4. Select Import The Current Connection Settings From This Machine. To view or modify the settings that will be imported, click Modify Settings and then use the Connections tab of the Internet Properties dialog box to work with the settings. The options available are the same as those on the Connections tab of the Internet Options utility.

  5. If you are replacing previously configured connections, you might want to specify that existing connections should be deleted. To do this, in the Connection Settings dialog box, select Delete Existing Dial-Up Connection Settings.

  6. Click OK.

As part of your connection settings rollout, you might also want to restrict the ways users can work with connection settings. You’ll find the key policies for controlling access to connections and managing their settings under User Configuration\Administrative Templates\Network\Network Connections in Group Policy. The available policies include:

  • Ability To Rename LAN Connections Or Remote Access Connections Available To All Users

  • Ability To Change Properties Of An All User Remote Access Connection

  • Ability To Delete All User Remote Access Connections

  • Ability To Enable/Disable A LAN Connection

  • Ability To Rename All User Remote Access Connections

  • Ability To Rename LAN Connections

  • Enable Windows 2000 Network Connections Settings For Administrators

  • Prohibit Access To Properties Of A LAN Connection

  • Prohibit Access To Properties Of Components Of A LAN Connection

  • Prohibit Access To Properties Of Components Of A Remote Access Connection

  • Prohibit Access To The Advanced Settings Item On The Advanced Menu

  • Prohibit Access To The New Connection Wizard

  • Prohibit Access To The Remote Access Preferences Item On The Advanced Menu

  • Prohibit Adding And Removing Components For A LAN Or Remote Access Connection

  • Prohibit Changing Properties Of A Private Remote Access Connection

  • Prohibit Connecting And Disconnecting A Remote Access Connection

  • Prohibit Deletion Of Remote Access Connections

  • Prohibit Enabling/Disabling Components Of A LAN Connection

  • Prohibit Renaming Private Remote Access Connections

  • Prohibit TCP/IP Advanced Configuration

  • Prohibit Viewing Of Status For An Active Connection

  • Turn Off Notifications When A Connection Has Only Limited Or No Connectivity

Deploying Proxy Settings Through Group Policy

Internet Explorer requests can be directed to a proxy service to determine whether access to a particular protocol is allowed. If the protocol is allowed, the proxy server sends the request on behalf of the client and returns the results to the client securely. Because the proxy server uses network address translation (NAT) or a similar protocol, the actual Internet Protocol (IP) address of the client making the request isn’t revealed to the target server. You can configure proxy servers for Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL), File Transfer Protocol (FTP), Gopher, and Socks (the Microsoft proxy service protocol).

You configure proxy settings manually using the Local Area Network (LAN) Settings dialog box. You access this dialog box from the Internet Options utility—on the Connections tab, click LAN Settings, select Use A Proxy Server For Your LAN, and then click the Advanced button. When you want to use Group Policy to deploy new configurations, update existing configurations, or replace existing configurations with new ones, you use Proxy Settings policy. You can configure unique proxy settings for each Web service (HTTP, SSL, FTP, Gopher, and Socks), or you can use one or more proxy servers to handle all types of requests. You can also configure exceptions so that a proxy isn’t used for specific services, IP address ranges, or the local network.

You can configure proxy settings through Group Policy by completing the following steps:

  1. Access User Configuration\Windows Settings\Internet Explorer Maintenance\Connection in Group Policy, and then double-click Proxy Settings in the right pane.

  2. In the Proxy Settings dialog box, shown in Figure 8-8, select Enable Proxy Settings. On the Proxy Servers panel, you’ll find two columns of text boxes:

    • Address Of Proxy. Used to set the IP address of the related proxy server or servers. Type the IP address for each service. If multiple proxies are configured for a particular service, type the IP address for each proxy server in the order in which you want the Web client to attempt to use them. The addresses must be separated by a semicolon. If a proxy isn’t configured for a service, don’t fill in the related box.

    • Port. Used to set the port number on which the proxy server responds to requests. Most proxies respond to port 80 for all requests. However, the standard ports are port 80 for HTTP, port 443 for SSL (listed as Secure), port 21 for FTP, port 70 for Gopher, and port 1081 for Socks. Check with your organization’s Web administrator for the proper settings.

    Figure 8-8. Configuring proxy settings for each type of service that should have a proxy

  3. The Use The Same Proxy Server For All Addresses check box is selected by default. This setting allows you to use the same IP address and port settings for the HTTP, SSL, FTP, Gopher, and Socks services. You have two options:

    • If your organization has proxy servers that handle all requests, select Use The Same Proxy Server For All Addresses, type the IP address or addresses you want to use, and specify the port number on which the server or servers respond.

    • If you want to use a unique proxy server or servers for each type of service, clear the Use The Same Proxy Server For All Addresses check box and type the necessary IP addresses and port numbers in the text boxes provided.

    Note

    The Do Not Use Proxy Server For Local (Intranet) Addresses check box is selected by default. In most cases, you won’t want to use a proxy for requests made to servers on the same network segment, so this is a suitable setting. However, this setting doesn’t work well when your internal network uses multiple network segments. In this case, you must specify the IP address range for each network segment on the Exceptions list. An example is shown in Figure 8-8. In this case, you don’t want a proxy to be used to access servers on the same network segments as the proxy servers, so you configure the IP addresses on these network segments as exceptions.

  4. If your network has multiple segments or if specific address ranges shouldn’t be proxied when accessed, specify the appropriate IP addresses or IP address ranges in the Exceptions list. The entries must be separated by a semicolon. You can use the asterisk (*) character as a wildcard to specify an address range of 0 through 255, as in 192.*.*.*, 192.168.*.*, or 192.168.10.*.

  5. If your network has specific DNS domain suffixes that shouldn’t be proxied, add these DNS domain suffixes to the Exclusion list. As before, separate entries with a semicolon. Use the asterisk as a wildcard to specify all names at a particular level, such as *.*.cpandl.com, *.tech.cpandl.com, or *.cpandl.com.

  6. Click OK.
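
The wildcard forms in steps 4 and 5 differ widely in how much traffic they exempt from the proxy: 192.168.*.* stays inside private address space, while 192.*.*.* also covers publicly routable addresses. The following PowerShell audit is an added example, not part of the original text; the function name Test-ProxyException and the sample string are hypothetical, and the check goes slightly beyond the text by also flagging domain wildcards that span a whole top-level domain.

```powershell
# Added example (not from the original text): flag proxy Exceptions entries
# whose wildcards exempt more than private or loopback address space.
function Test-ProxyException {
    param([Parameter(Mandatory)][string]$Exceptions)

    foreach ($raw in ($Exceptions -split ';')) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }   # tolerate ";;" and a trailing ";"

        $finding = 'ok'
        if ($entry -match '^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$') {
            # IPv4 pattern: each * stands for the octet range 0 through 255.
            $octets = $entry -split '\.'
            $lo = @($octets | ForEach-Object { if ($_ -eq '*') { 0 } else { [int]$_ } })
            $hi = @($octets | ForEach-Object { if ($_ -eq '*') { 255 } else { [int]$_ } })
            $fixed1 = ($lo[0] -eq $hi[0])   # first octet is not a wildcard
            $fixed2 = ($lo[1] -eq $hi[1])   # second octet is not a wildcard
            # Internal means 10/8, 127/8, 192.168/16, or 172.16/12 only.
            $internal = ($fixed1 -and (@(10, 127) -contains $lo[0])) -or
                ($fixed1 -and $fixed2 -and $lo[0] -eq 192 -and $lo[1] -eq 168) -or
                ($fixed1 -and $fixed2 -and $lo[0] -eq 172 -and $lo[1] -ge 16 -and $lo[1] -le 31)
            if (-not $internal) {
                $finding = 'bypasses proxy for addresses outside private/loopback ranges'
            }
        }
        elseif ($entry -eq '*' -or $entry -match '^(\*\.)+[^.]+$') {
            # Entries such as * or *.com exempt every host under a top-level domain.
            $finding = 'bypasses proxy for all hosts or an entire top-level domain'
        }
        [pscustomobject]@{ Entry = $entry; Finding = $finding }
    }
}

# Constructed input that reuses the wildcard forms shown in steps 4 and 5.
Test-ProxyException '192.*.*.*;192.168.*.*;192.168.10.*;*.tech.cpandl.com;*.com' |
    Format-Table -AutoSize
```

With this input, only 192.*.*.* and *.com are flagged; the other three entries report ok.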

For the next step in the proxy configuration process, you might want to ensure that proxy settings are applied uniformly to all users of a particular computer and also prevent users from changing the proxy settings. You can do this by enabling an additional policy that assigns proxy settings per machine rather than per user and prevents users from overriding the standard proxy settings for the organization.

To set proxy settings per machine, complete the following steps:

  1. Access Computer Configuration\Administrative Templates\Windows Components\Internet Explorer in Group Policy, and then double-click Make Proxy Settings Per-Machine (Rather Than Per-User) in the right pane.

  2. Select Enabled, and then click OK.

Note

The affected computer or computers must be restarted for this policy to be applied. If you disable this policy or do not configure it, users of the same computer can set their own proxy settings. These settings might override those set through Group Policy.
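
After the restart, you can confirm on a target computer that the per-machine policy took effect and that the expected proxy is in force. This PowerShell check is an added example, not part of the original text; it assumes the policy is stored as the ProxySettingsPerUser value under the HKLM Policies key shown and that per-machine proxy values are then read from the HKLM Internet Settings key. The function name and the expected proxy value are hypothetical.

```powershell
# Added example (not from the original text). Registry locations are
# assumptions stated in the lead-in; the expected proxy is a placeholder.
function Get-ProxyEnforcement {
    param([string]$ExpectedProxy)

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $perUser = (Get-ItemProperty -Path $policyKey -Name ProxySettingsPerUser `
                    -ErrorAction SilentlyContinue).ProxySettingsPerUser

    # 0 = policy enabled (per-machine); missing or 1 = users keep their own settings.
    $perMachine = ($perUser -eq 0)

    # Read the settings from the hive that is authoritative in each mode.
    $hive = if ($perMachine) { 'HKLM:' } else { 'HKCU:' }
    $settingsKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $settings = Get-ItemProperty -Path $settingsKey -ErrorAction SilentlyContinue

    $issues = @()
    if (-not $perMachine) {
        $issues += 'per-machine policy not enabled; users can set their own proxy'
    }
    if ($settings.ProxyEnable -ne 1) {
        $issues += 'proxy is not enabled'
    }
    if ($ExpectedProxy -and $settings.ProxyServer -ne $ExpectedProxy) {
        $issues += "proxy server is '$($settings.ProxyServer)', expected '$ExpectedProxy'"
    }

    [pscustomobject]@{
        PerMachine    = $perMachine
        SettingsKey   = $settingsKey
        ProxyServer   = $settings.ProxyServer
        ProxyOverride = $settings.ProxyOverride
        Issues        = $issues
    }
}

# 192.0.2.10:80 is a placeholder; substitute your organization's proxy.
Get-ProxyEnforcement -ExpectedProxy '192.0.2.10:80' | Format-List
```

An empty Issues list means the computer matches the intended configuration; the ProxyOverride value it returns is the Exceptions list as stored on that computer.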
