Guests receive limited connectivity warning in Windows and can browse the Internet


Article ID: 168194


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Windows limited connectivity message
Windows limited connectivity message through the ProxySG
Guests receive Limited connectivity warning in Windows
Guests are able to browse the internet, yet they have limited connectivity message
Authentication Best Practice

Resolution

This issue occurs because some Windows components send requests that cannot respond to an authentication challenge. Even though you may be able to browse the Internet, Microsoft Crypto-API and Windows NCSI fail when prompted for authentication, which causes the limited connectivity message to appear on the network connection.

To remove this message, you must bypass authentication for Microsoft Crypto-API and NCSI user agents. This is also recommended in the authentication best practices.

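Use the following CPL. It exempts more than the two user agents named above: it also skips authentication for a longer list of User-Agent values, for a set of update and certificate-check domains, and for all POST and PUT requests. The User-Agent header is set by the client, so trim these lists to what your environment needs before installing the policy.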

; Authentication-exemption layer. Each rule turns authentication off for requests that
; match the named condition; the conditions are defined below this layer.
; The rule that requires authentication in the first place is not part of this sample.
; NOTE(review): rules in a layer are normally evaluated top to bottom and the first match
; wins - confirm the order still suits your policy after editing.
<Proxy>
       ; Listed User-Agent values: no authentication, and the request is allowed.
       condition=userAgentList authenticate(no) allow
	   ; Listed destination domains: no authentication, and the request is allowed.
	   condition=DoNotAuthDomains authenticate(no) allow
	   ; POST and PUT requests: no authentication. There is no allow on this rule, so the
	   ; allow/deny verdict is left to other policy.
	   condition=DoNotAuthActions authenticate(no) 
	   ; Disabled rule: would apply deny.unauthorized to users matching IWA_SILENT_USERS.
	   ;condition=IWA_SILENT_USERS deny.unauthorized ; (enable if running 6.2.7.1 or above)

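; User-Agent values exempted from authentication. The <Proxy> rule that references this
; condition also allows the request.
; The User-Agent header is chosen by the client, so any client that sends a listed value
; skips authentication.
; NOTE(review): the issue described in this article needs only "Microsoft-CryptoAPI" and
; "ncsi". Several other entries are short, generic strings ("Google", "Office", "flash",
; "iphone", "ipad"); confirm how SGOS matches this value (exact vs. substring/regex) and
; remove the entries your environment does not need.
; The duplicate "Microsoft-CryptoAPI" entry from the original listing has been removed.
define condition userAgentList
request.header.User-Agent="Microsoft-CryptoAPI"    ; named in the article as failing on an auth prompt
request.header.User-Agent="MSUpdate"
request.header.User-Agent="AVUpdate"
request.header.User-Agent="iTunes"
request.header.User-Agent="iphone"
request.header.User-Agent="ipad"
request.header.User-Agent="Stocks"
request.header.User-Agent="CFNetwork"
request.header.User-Agent="Windows-Media-Player"
request.header.User-Agent="NSPlayer"
request.header.User-Agent="flash"
request.header.User-Agent="Office"
request.header.User-Agent="webex utiltp"
request.header.User-Agent="241Extra!"
request.header.User-Agent="Acrobat Messages Updater"
request.header.User-Agent="Adobe Log Transport"
request.header.User-Agent="Adobe Update Manager"
request.header.User-Agent="Microsoft BITS"
request.header.User-Agent="Microsoft Data Access Internet Publishing Provider Protocol Discovery"
request.header.User-Agent="Microsoft-WebDAV"
request.header.User-Agent="Windows-Update-Agent"
request.header.User-Agent="ncsi"                   ; Windows NCSI, named in the article
request.header.User-Agent="TMUFE"
; NOTE(review): opaque value; the page does not say which client sends it - confirm before keeping.
request.header.User-Agent="62691CB3BF62DAF233FB2C02782E7BD2"
request.header.User-Agent="Google"
end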

; Destination domains exempted from authentication. The <Proxy> rule that references this
; condition also allows the request.
; NOTE(review): url.domain is expected to match the named domain and its subdomains, so
; broad entries such as verisign.com and trendmicro.com exempt every host under them, and
; liveupdate.symantecliveupdate.com looks redundant with symantecliveupdate.com - confirm,
; and narrow entries to the specific hosts you need where the vendor documents them.
define condition DoNotAuthDomains
url.domain=msftncsi.com  						; URL used by Windows Vista/7/8 to verify network connectivity
url.domain=crl.microsoft.com  					; Microsoft SSL cert verification URL
url.domain=mscrl.microsoft.com  				; Microsoft SSL cert verification URL
url.domain=verisign.com  			   			; SSL verification URL used by IE 8/9
url.domain=watson.microsoft.com     			; Microsoft URL used to report OS failures
url.domain=trendmicro.com			 			; Trend Micro AV update
url.domain=update.nai.com						; McAfee AV update
url.domain=update.symantec.com 					; Norton/Symantec AV update 
url.domain=symantecliveupdate.com                               ; Norton/Symantec AV update 
url.domain=liveupdate.symantecliveupdate.com                    ; Norton/Symantec AV update
url.domain=acs.pandasoftware.com 				; Panda AV update
url.domain=secure.pandasoftware.com 			; Panda AV license/Software update
end

; Matches every POST and PUT request, whatever the destination or client.
; The <Proxy> rule that references this condition sets authenticate(no) without allow.
; NOTE(review): the page does not say why these methods are exempted; presumably some clients
; cannot resend a request body after an authentication challenge - confirm.
; Requests exempted here will not carry an authenticated user for later policy or access
; logging, so limit this to the destinations that need it if you can.
define condition DoNotAuthActions
http.method=POST
http.method=PUT
end

; Matches the anonymous-logon identity. Only the disabled deny.unauthorized rule in the
; <Proxy> layer references this condition, so it has no effect until that rule is enabled.
define condition IWA_SILENT_USERS
user="NT AUTHORITY\anonymous logon"
; Optional on SGOS 6.2.7.1 or above: uncomment the next line to help account for and prevent
; Windows 7 fallback authentication credential caching.
; NOTE(review): the pattern matches user names ending in "$" - presumably computer accounts; confirm.
;user.regex='.+\$$' 
end