Internet / proxy problems Internet Explorer (PAC file)

Question

we have some internet/proxy problems in our network since 2 weeks. Users are getting sporadic errors "This page can't be displayed" in Internet Explorer 11 when trying to access websites - but not the whole time. Sometimes it works for 10 minutes, then it doesn't work for a minute, and so on.. Every user has set a proxy configuration file (PAC) in the IE settings. Now we tried to analyze with wireshark what is happening here, because we can't find any problem with the proxy server itself, the PAC file, or the user settings.

In the wireshark log, we can see that the IE is talking to the proxy server, sending GET requests and getting authenticated (Proxy Authentication via NTLMSSP), the proxy is also answering with a "HTTP/1.1 302 Found (text/html)". In the next step, we can see that the client is trying to go directly to the internet via the destination ip adress of the website, and this is beeing blocked by our firewall, because the clients just have to go via the proxy.

But why is Internet Explorer trying to go directly? Maybe someone has an idea?

Users are working on a WinSrv2008R2 Terminalserver (Citrix). We suspect Windows Updates as the reason, because we installed many outstanding updates 2 weeks ago. But we couldn't find any note on the web describing our problems.

The wireshark log:

[...]

545159  11:18:02.456003 172.27.217.119  10.2.50.11  HTTP    599 GET http://www.our-website.de/ HTTP/1.1 

545160  11:18:02.456580 10.2.50.11  172.27.217.119  TCP 60  3128 → 55551 [ACK] Seq=1 Ack=546 Win=63424 Len=0

545161  11:18:02.457097 10.2.50.11  172.27.217.119  TCP 1434    [TCP segment of a reassembled PDU]

545162  11:18:02.457098 10.2.50.11  172.27.217.119  TCP 60  [TCP Previous segment not captured] 3128 → 55551 [FIN, ACK] Seq=2644 Ack=546 Win=63424 Len=0

545163  11:18:02.457117 172.27.217.119  10.2.50.11  TCP 54  55551 → 3128 [ACK] Seq=546 Ack=1381 Win=131072 Len=0

545164  11:18:02.457135 10.2.50.11  172.27.217.119  TCP 1317    [TCP Out-Of-Order] 3128 → 55551 [PSH, ACK] Seq=1381 Ack=546 Win=63424 Len=1263

545165  11:18:02.457145 172.27.217.119  10.2.50.11  TCP 54  55551 → 3128 [ACK] Seq=546 Ack=2645 Win=129792 Len=0

[...]

545199  11:18:02.466819 172.27.217.119  10.2.50.11  HTTP    683 GET http://www.our-website.de/ HTTP/1.1 , NTLMSSP_NEGOTIATE

545200  11:18:02.467245 10.2.50.11  172.27.217.119  TCP 60  3128 → 55552 [ACK] Seq=1 Ack=630 Win=63360 Len=0

545201  11:18:02.467546 10.2.50.11  172.27.217.119  HTTP    637 HTTP/1.1 407 Proxy Authentication Required , NTLMSSP_CHALLENGE

545202  11:18:02.467560 172.27.217.119  10.2.50.11  TCP 54  55552 → 3128 [ACK] Seq=630 Ack=584 Win=130304 Len=0

545206  11:18:02.474303 172.27.217.119  10.2.50.11  HTTP    1271    GET http://www.our-website.de/ HTTP/1.1 , NTLMSSP_AUTH, User: OUR_DOMAIN\user

545207  11:18:02.475012 10.2.50.11  172.27.217.119  TCP 60  3128 → 55552 [ACK] Seq=584 Ack=1847 Win=62144 Len=0

545213  11:18:02.519326 10.2.50.11  172.27.217.119  HTTP    835 HTTP/1.1 302 Found  (text/html)

545214  11:18:02.519359 172.27.217.119  10.2.50.11  TCP 54  55552 → 3128 [ACK] Seq=1847 Ack=1365 Win=129536 Len=0

545216  11:18:02.524742 172.27.217.119  #Website_IP#    TCP 66  55553 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

545217  11:18:02.524880 172.27.217.119  #Website_IP#    TCP 66  55554 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

545218  11:18:02.525377 #Website_IP#    172.27.217.119  TCP 60  80 → 55553 [RST, ACK] Seq=1 Ack=1 Win=8192 Len=0



545219  11:18:02.525487 #Website_IP#    172.27.217.119  TCP 60  80 → 55554 [RST, ACK] Seq=1 Ack=1 Win=8192 Len=0

We can see in our firewall log, that the connection is beeing blocked:

4   May 30 2017 11:18:02    106023  172.27.217.119  55553   #Website_IP#    80  Deny tcp [...]

// EDIT: PAC-File:

function FindProxyForURL(url, host)
{
   if (isPlainHostName(host)) { return "DIRECT"; }
   if (host == "127.0.0.1") { return "DIRECT"; }

// 10.x.x.x
   if (shExpMatch(url,"https://10.*.*.*") || shExpMatch(url,"http://10.*.*.*") || shExpMatch(url,"ftp://10.*.*.*"))
   {
    return "DIRECT";
   }
// 172.27.x.x
   if (shExpMatch(url,"https://172.27.*.*") || shExpMatch(url,"http://172.27.*.*") || shExpMatch(url,"ftp://172.27.*.*"))
   {
    return "DIRECT";
   }
// 192.168.x.x
   if (shExpMatch(url,"https://192.168.*.*") || shExpMatch(url,"http://192.168.*.*") || shExpMatch(url,"ftp://192.168.*.*"))
   {
    return "DIRECT";
   }
// KV-SafeNet (INCAS Medical)
   if((host == "www.incas-medical-safenet.de")) { return "DIRECT"; }
   if((host == "188.144.47.250")) { return "DIRECT"; }
   if(isInNet(host, "188.144.0.0", "255.254.0.0")) { return "DIRECT"; }


    // If the requested website is hosted within the internal network, send direct.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

   return "PROXY 10.2.50.11:3128; PROXY 10.2.50.10:3128";
}

King Regards, Niko

Answer 1

Your firewall is blocking traffic that it should not, or traffic is being routed to the firewall that should not be.

You proxy file is configured for direct for "172.16.0.0", "255.240.0.0", which includes address range: 172.16.0.0 - 172.31.255.255. The example you provided is for 172.27.217.119, which should be allowed but is dropped by your firewall.