Windows activation fails when going through the ProxySG appliance

Article ID: 167641

Products

ProxySG Software - SGOS

Issue/Introduction

Windows activation fails when going through the ProxySG appliance.

Cause

The following URLs must be exempt from authentication, and must be explicitly allowed if the appliance's default policy is Deny.

  • http://go.microsoft.com/
  • https://sls.microsoft.com/
  • https://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl
  • http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
  • http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
  • http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
  • http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
  • https://activation.sls.microsoft.com/
  • //wpa.one.microsoft.com/

Resolution

Do one of the following.

Steps for the Visual Policy Manager (VPM):

  1. Open the Management Console on the ProxySG (https://<ip.address.of.proxysg>:8082).
  2. Select Configuration > Policy > Visual Policy Manager > Launch.
  3. In the Web Authentication layer, add a new rule above the authentication rule that prompts for authentication.
  4. In the Destination column, right-click and select Set > New > Request URL.
  5. The VPM displays the Add Request URL Object dialog. You can do a simple match, regular expression match, or advanced match. Generally the simple match is sufficient.
  6. In the simple match URL field, enter a URL listed in the Cause section of this article that should bypass authentication, then click Add and Close. Repeat this step as needed for additional URLs.
  7. In the Destination column, right-click and click Set. Select New > Combined Destination Object. Select the URL that was added and click Add. All the selected URLs appear in the "At least one of these objects" box. Click OK.
  8. In the Action column, right-click and select Set > Do Not Authenticate, then click OK. The rule should now read that any request for the URLs will not be authenticated.

To configure in Local Policy, use the following CPL:

define url.domain condition MS_Activation_url
    http://go.microsoft.com/
    https://sls.microsoft.com/
    https://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl
    http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
    http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
    http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
    http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
    https://activation.sls.microsoft.com/
    //wpa.one.microsoft.com/
end


<proxy>
    ; Do not authenticate, and allow, requests that match the activation URL condition
    condition=MS_Activation_url authenticate(no) ALLOW
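
To confirm the exemption after installing the policy, the following added example (not part of the original article and not vendor code) sends one unauthenticated request per URL to the proxy and reports whether it was challenged or denied. It assumes an explicit-proxy deployment, that an authentication challenge appears as HTTP 407 or 401 and a policy deny as 403, and it uses a placeholder proxy address and port.

```python
import socket
from urllib.parse import urlsplit

# Assumed mapping of proxy responses to policy outcomes (not taken from the article).
VERDICTS = {407: "auth-challenged", 401: "auth-challenged", 403: "denied"}


def build_probe(url):
    """Return the first request an explicit-proxy client would send for this URL."""
    u = urlsplit(url)
    if u.scheme == "https":
        # HTTPS is tunnelled, so the proxy makes its decision on the CONNECT.
        target = f"{u.hostname}:{u.port or 443}"
        return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()
    return (f"HEAD {url} HTTP/1.1\r\nHost: {u.netloc}\r\n"
            "Connection: close\r\n\r\n").encode()


def probe(url, proxy_host, proxy_port, timeout=5.0):
    """Send one request without credentials and return the proxy's status code."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_probe(url))
        with s.makefile("rb") as reply:
            status_line = reply.readline().decode("latin-1")
    return int(status_line.split()[1])


def check_bypass(urls, proxy_host, proxy_port):
    """Map each URL to 'passed', 'auth-challenged', 'denied' or 'error: ...'."""
    results = {}
    for url in urls:
        try:
            code = probe(url, proxy_host, proxy_port)
            results[url] = VERDICTS.get(code, "passed")
        except (OSError, ValueError, IndexError) as exc:
            results[url] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Subset of the URLs in the Cause section; proxy host and port are placeholders.
    urls = ["http://go.microsoft.com/", "https://sls.microsoft.com/",
            "https://activation.sls.microsoft.com/"]
    for url, verdict in check_bypass(urls, "proxy.example.internal", 8080).items():
        print(f"{verdict:16} {url}")
```

Run it from a client subnet that is normally subject to authentication; any URL reported as auth-challenged or denied is still being caught by a rule above the new one.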