But it's not even attributed to you. We need a Jim Harrison RSS. Oh, and **HAND**! You are a great teacher and mentor. Amy -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Sunday, January 29, 2006 9:14 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Web Client Requests http://www.ISAserver.org Like unto thusly: http://www.microsoft.com/technet/community/columns/sectip/st1205.mspx -------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -------------------------------------------- -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Sunday, January 29, 2006 5:23 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Web Client Requests http://www.ISAserver.org Works for me! What security newsletter? A public or internal one? Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: Sunday, January 29, 2006 7:21 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Web Client Requests > > http://www.ISAserver.org > > ..maybe I should make this my next security newsletter offering right > after "ISA & 802.1Q - a marriage made in heaven"? > > -------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > -------------------------------------------- > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Sunday, January 29, 2006 5:10 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Web Client Requests > > http://www.ISAserver.org > > BRAVO!!!! :)) > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > Sent: Sunday, January 29, 2006 5:58 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: Web Client Requests > > > > http://www.ISAserver.org > > > > Soitenny! > > (note that I had to trim the thread due to list size limits) > > > > First, we'll cover the bare basics of WinInet and WinHTTP. > > > > You'll have to put on your developer hat for this one, > though cuz I'm > > about to "background" you a bunch... > > > > First a couple of links from MSDN: > > WinInet: > > http://msdn.microsoft.com/library/en-us/wininet/wininet/portal.asp > > WinHTTP: > > http://msdn.microsoft.com/library/en-us/winhttp/http/winhttp_s > > tart_page. > > asp > > > > The most generic term that can be applied to either WinInet > or WinHTTP > > is "Internet library", since they both provide similar APIs > > for HTTP and > > FTP-over-HTTP traffic. Unlike WinInet, WinHTTP has no support for > > direct FTP communications; you *must* use a CERN proxy to access FTP > > sites with WinHTTP; but enough of that... > > > > You'll also hear wild rumors of other things such as XMLHTTP and > > ServerXMLHTTP, but these are just wrappers around WinInet > and WinHTTP, > > respectively. By the same token, neither of them should be confused > > with Winsock, which is another layer them and the actual > TCP/IP stack. > > > > Basically, they all look sorta like this in the "grand scheme > > of things" > > (look out, Alexandre; more ASCII art for ya): > > > > YourApplication.exe > > | | > > WinInet WinHTTP > > |___________| > > | > > Winsock <----> Firewall Client > > | > > TCP/IP > > | > > Yadda > > > > WinInet > > - proxy configuration registry > > Policy: > > HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet > > Settings\ProxySettingsPerUser. > > Default user: > > HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Interne > > t Settings > > Interactive user: > > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings > > System: > > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings > > > > Which one of the above locations is used depends on whether > or not an > > actual user account is in use (logged in or impersonated) and the > > setting of the ProxySettingsPerUser value. If this is set > to 0, then > > only the System default proxy settings will be used by WinInet-based > > applications. Note that the proxy configuration used by IE is the > > default proxy configuration used by any other application > > that makes use > > of WinInet *unless* they explicitly change them as described in > > http://msdn.microsoft.com/library/en-us/wininet/wininet/settin > > g_and_retr > > ieving_internet_options.asp. > > > > Unfortunately, if they only change them for the current > > session, there's > > no way you can determine this except via netcap analysis. > > > > > > WinHTTP > > - proxy config registry > > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet > > Settings\WinHttp > > > > As you can see (you can, can't you?), WinHTTP proxy configuration is > > simpler than WinInet because it uses only one location. > The preferred > > method of configuring WinHTTP proxy is via the use of > ProxyCfg.exe, a > > tool written specifically to handle this task. This KB addresses an > > updated version of the tool: > > http://support.microsoft.com/kb/830605/en-us. WinHTTP does (almost) > > understand how to use the wpad script, but with limitations > > as outlined > > here: > > http://msdn.microsoft.com/library/en-us/winhttp/http/autoproxy > > _issues_in > > _winhttp.asp. > > > > Using ProxyCfg, you have two options; direct or specific > proxy. Note > > that you don't get to specify "auto-" or "config URL". What > > they don't > > tell you is that if there are no values stored here, WinHTTP > > will defer > > to the WinInet settings, which is why OL2K3 usually seems > to "obey" IE > > configuration. If WinInet is configured for wpad, then > > WinHTTP will use > > it, too. > > > > WPAD > > While WinHTTP and WinInet both understand how to retrieve > and consume > > the wpad script, the calling application can also instruct > both to use > > either static proxy or wpad (called "autoproxy" by WinHTTP). > > To answer > > your "SBS wpad" question, there is nothing special about the wpad > > package I built for SBS; the package merely takes advantage > > of the fact > > that this script is available via the Web Proxy listener as > > well as the > > auto-configuration listener. IOW, nothing will change for > > this package > > when SP2 hits the streets. > > > > GPO > > ..of course, GPO WinInet (IE) settings affect how and WinHTTP > > applications behave as well... > > > > WTF? > > > > The biggest question in anyone's mind is less likely to be > "what does > > each do?", but more "how do I know when app <blah> is using > one or the > > other?", or "how do I control the behavior of app <blah>?", or even > > "will you just get on with it?!?" This is a toughie. > > > > Determining library usage for app <blah>: > > The simplest thing I can recommend is that you learn to use > > winhttptracecfg. This tool enables you to configure WinHTTP > > tracing so > > that you can not only determine what applications or services > > are using > > WinHTTP, you can also see what they're doing "on the wire". > > Instructions for use of this tool are found here: > > http://msdn.microsoft.com/library/en-us/winhttp/http/winhttptr > > acecfg_exe > > __a_trace_configuration_tool.asp. My fav cmd-line is: > Winhttptracecfg > > -e 1 -l c:\<TestName>. This enables WinHTTP tracing and > configures it > > to write to a file on C:\ with a filename starting with > <TestName>, so > > that I have an idea what I was about when this file was written. If > > this file gets created when I run my app, then I know it's using > > WinHTTP; otherwise, it's using WinInet or custom code (ew). > The only > > way you can see if an app is using WinInet is to either ask the > > developers or sun it under a debugger and watch the system > calls. By > > default, WinHTTP tracing adds to the filename so that you know what > > process was being logged and the date/time of the start of > > the logging, > > as: "WinMedia-wmplayer.exe-1236.10.27.05.660-01.29.2006.LOG". Since > > WinHTTP tracing creates a file "per-process", it's sometimes fun to > > enable WinHTTP tracing to see what things are happening on > your system > > that you don't even know about. Just remember to disable > it or it'll > > run forever. > > > > How do I control how app <blah> behaves? > > This is the real problem isn't it? How can I make app (1) > > act as a web > > proxy client, but app (2) act as a SecureNET client, and app > > (3) act as > > a Firewall Client, all the while allowing app (4) to take > > nudie pictures > > of me while my webcam is broken (did I really say that out loud)?. > > Unfortunately, there isn't a "one size fits all" answer because: > > - Not all applications are proxy-aware > > - Not all applications allow you any form of control over > > their behavior > > - Not all applications allow you the same level of control > > - Not all applications behave the same when configured as <blah> > > - Not all application developers have a freakin' clue how to > > write code > > that behaves properly > > > > In general follow these guidelines: > > - use WinInet settings first - both WinInet and WinHTTP use these by > > default > > - use wpad whenever possible; if the applications can > properly consume > > it, you get one-stop shopping for your proxy config > > - use system-level settings and disable per-user settings. This can > > help keep the users from buggering themselves (unless app (4) is in > > use). > > - use proxycfg only when you've positively determined that > > the settings > > you created for app (1) don't' adversely affect apps (2) through (4) > > (especially (4)). > > > > Next entry in the thread == Java app. > > > > -------------------------------------------- > > Jim Harrison > > MCP(NT4, W2K), A+, Network+, PCG > > http://isaserver.org/Jim_Harrison/ > > http://isatools.org > > Read the help / books / articles! > > -------------------------------------------- > > > > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx