This issue occurs because some Windows components make requests that cannot handle authentication. Even though you may be able to browse the internet, Microsoft Crypto-API and Windows NCSI (Network Connectivity Status Indicator) fail when prompted for authentication, which causes the limited connectivity message to appear on the network connection.
To remove this message, you must bypass authentication for Microsoft Crypto-API and NCSI user agents. This is also recommended in the authentication best practices.
Use the following CPL:
<Proxy>
    condition=userAgentList authenticate(no) allow
    condition=DoNotAuthDomains authenticate(no) allow
    condition=DoNotAuthActions authenticate(no)
    ;condition=IWA_SILENT_USERS deny.unauthorized ; (enable if running 6.2.7.1 or above)

define condition userAgentList
    request.header.User-Agent="Microsoft-CryptoAPI"
    request.header.User-Agent="MSUpdate"
    request.header.User-Agent="AVUpdate"
    request.header.User-Agent="iTunes"
    request.header.User-Agent="iphone"
    request.header.User-Agent="ipad"
    request.header.User-Agent="Stocks"
    request.header.User-Agent="CFNetwork"
    request.header.User-Agent="Windows-Media-Player"
    request.header.User-Agent="NSPlayer"
    request.header.User-Agent="flash"
    request.header.User-Agent="Office"
    request.header.User-Agent="webex utiltp"
    request.header.User-Agent="241Extra!"
    request.header.User-Agent="Acrobat Messages Updater"
    request.header.User-Agent="Adobe Log Transport"
    request.header.User-Agent="Adobe Update Manager"
    request.header.User-Agent="Microsoft BITS"
    request.header.User-Agent="Microsoft Data Access Internet Publishing Provider Protocol Discovery"
    request.header.User-Agent="Microsoft-CryptoAPI"
    request.header.User-Agent="Microsoft-WebDAV"
    request.header.User-Agent="Windows-Update-Agent"
    request.header.User-Agent="ncsi"
    request.header.User-Agent="TMUFE"
    request.header.User-Agent="62691CB3BF62DAF233FB2C02782E7BD2"
    request.header.User-Agent="Google"
end

define condition DoNotAuthDomains
    url.domain=msftncsi.com ; url used by windows vista/7/8 to verify network connectivity
    url.domain=crl.microsoft.com ; microsoft ssl cert verification url
    url.domain=mscrl.microsoft.com ; microsoft SSL cert verification URL
    url.domain=verisign.com ; SSL verification url used by IE 8/9
    url.domain=watson.microsoft.com ; microsoft URL used to report OS failures
    url.domain=trendmicro.com ; trend micro AV update
    url.domain=update.nai.com ; McAfee AV update
    url.domain=update.symantec.com ; Norton/Symantec AV update
    url.domain=symantecliveupdate.com ; Norton/Symantec AV update
    url.domain=liveupdate.symantecliveupdate.com ; Norton/Symantec AV update
    url.domain=acs.pandasoftware.com ; Panda AV update
    url.domain=secure.pandasoftware.com ; Panda AV license/Software update
end

define condition DoNotAuthActions
    http.method=POST
    http.method=PUT
end

define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    ;**** the below line can be uncommented if SGOS is 6.2.7.1 or above, as it helps account for and prevent Windows 7 fallback authentication credential caching
    ;user.regex='.+\$$'
end
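
The following Python sketch is an added example, not part of the original article or the vendor's tooling, for reviewing which requests the conditions in the CPL above exempt from authentication. It parses `define condition` blocks and reports every test a request satisfies; the matching rules (case-insensitive User-Agent match anywhere in the header, `url.domain` covering subdomains), the function names and the embedded policy excerpt are assumptions made for illustration.

```python
# Constructed excerpt of the article's bypass conditions (subset, same syntax).
CPL = '''
define condition userAgentList
    request.header.User-Agent="Microsoft-CryptoAPI"
    request.header.User-Agent="ncsi"
    request.header.User-Agent="Office"
end
define condition DoNotAuthDomains
    url.domain=msftncsi.com ; NCSI connectivity probe
    url.domain=crl.microsoft.com ; certificate revocation lists
end
define condition DoNotAuthActions
    http.method=POST
    http.method=PUT
end
'''

def parse_conditions(cpl):
    """Return {condition name: [(trigger, value), ...]} for each define block."""
    conds, current = {}, None
    for raw in cpl.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if line.startswith("define condition "):
            current = conds.setdefault(line.split()[2], [])
        elif line == "end":
            current = None
        elif line and current is not None:
            trigger, value = line.split("=", 1)
            current.append((trigger, value.strip('"')))
    return conds

def bypass_reasons(conds, method, host, user_agent):
    """List every condition test that would exempt this request from authentication."""
    hits = []
    for name, tests in conds.items():
        for trigger, value in tests:
            if trigger == "request.header.User-Agent":
                # Assumption: case-insensitive match anywhere in the header.
                ok = value.lower() in user_agent.lower()
            elif trigger == "url.domain":
                # Assumption: matches the domain itself and any subdomain.
                ok = host == value or host.endswith("." + value)
            else:  # http.method
                ok = method.upper() == value
            if ok:
                hits.append(f"{name}: {trigger}={value}")
    return hits
```

Feeding the method, host and User-Agent fields of each access-log entry to `bypass_reasons` shows how much traffic leaves unauthenticated under the policy. That share is worth tracking because the User-Agent header is supplied by the client and the method condition applies to every destination.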