Issues with GPO and Cisco AnyConnect VPN Clients
I have a real odd problem and was wondering whether anyone on here has come across this (or a similar) issue.

Background: A while ago the client I'm working at commissioned a new proxy server, the GPO that delivered the proxy server was updated and all seemed to be OK.

Issue: Recently clients have started reporting issues when coming in through the Cisco AnyConnect VPN. Essentially when they log on they get the old proxy server settings. They can manually edit the settings and all is OK; however, if they refresh their GPO (gpupdate /force) they get the old settings again. I've gone through all the GPOs and there is NO GPO that has the old proxy settings.

Does anyone have any ideas as to what may be causing this behaviour..?
May 26th, 2012 11:53am

Perhaps this may cure the problem (from an elevated command prompt): netsh winhttp reset proxy
May 26th, 2012 12:09pm

After you do the gpupdate /force and the old settings return, have you checked RSOP.MSC to see if the setting is coming from a GPO you recognize?

Fatty McFatfat wrote:
> Tried that one Milos...unfortunately the problem is still the same.!
>
> Anyone have any ideas as to where this 'rogue' policy may be coming from..? There's no GPO in Active Directory that is configured with the incorrect configuration yet when the clients coming in through the Cisco AnyConnect VPN client do a GPO refresh they get the old proxy settings..!
>
> Does anyone have any experience with Cisco AnyConnect VPN clients? What really confuses me is that if I manually set the proxy settings with the correct information and then do a 'gpupdate /force' they get overwritten with the old proxy server..! Can the Cisco cache old proxy information? Does the Cisco configure the proxy?
>
> Any and all advice/comments are most welcome.
>
> Rgds
>
> FMcFF

Hay
May 26th, 2012 3:01pm

Tried that one Milos...unfortunately the problem is still the same.! Anyone have any ideas as to where this 'rogue' policy may be coming from..? There's no GPO in Active Directory that is configured with the incorrect configuration yet when the clients coming in through the Cisco AnyConnect VPN client do a GPO refresh they get the old proxy settings..! Does anyone have any experience with Cisco AnyConnect VPN clients? What really confuses me is that if I manually set the proxy settings with the correct information and then do a 'gpupdate /force' they get overwritten with the old proxy server..! Can the Cisco cache old proxy information? Does the Cisco configure the proxy? Any and all advice/comments are most welcome. Rgds FMcFF
May 27th, 2012 6:37am

Strange. Not sure when IE Branding gets applied if you're using VPN. It's different from registry policy processing so maybe it doesn't get updated over VPN??? I guess you could look at the actual IE branding files to see if they say what you expected them to say.

When branding occurs, the files are copied down to the user's profile at

C:\Documents and Settings\<USERID>\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings

Then for each GPO that has any sort of branding, there will be a folder called Custom0, Custom1, Custom2, etc. Each of these represents a GPO that had branding applied, with the order going from earliest to last applied. Look for an "install.ins" file in these folders and open with notepad and see if there's any AutoConfigURL entries. Also check the brndlog.txt at the root of the Custom Settings folder.

Hope it sheds some light....

Hay
June 1st, 2012 8:38am

OK...looks like I may have gotten to the bottom of this issue...

GPOTool showed a sysvol mismatch error on the affected policy. When I went and looked at the policy on the affected server the settings report showed the proxy setting to be correct; however, when I edited the setting the proxy server was configured as the "old" address.

I've now updated the setting on the affected server and done a replication and all seems to be consistent (my gpotool report now shows the "Policy OK" message, the settings appear OK in the report and edit mode, and "gpupdate /force" now appears to keep the policy setting as it should be, i.e. the proxy is now the "new" dns entry).

So the issue was not with the Cisco VPN AnyConnect configuration but with the Microsoft GPO synchronization (sysvol mismatch). Once the GPO inconsistencies were resolved everything began working as designed.
June 1st, 2012 8:52am
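
The SYSVOL mismatch described in the post above can be looked for directly. The following is an added example, not part of the thread or any poster's script: it compares the GPT.INI version and per-file SHA-256 hashes of one GPO folder across several copies. The function names, the temp-folder sample and its file contents are constructed for illustration.

```powershell
# Added example (not from the thread): compare copies of one GPO folder.
# Function names and the sample data below are hypothetical/constructed.
function Get-GpoCopyFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    $root = (Get-Item -LiteralPath $Path).FullName.TrimEnd('\')
    # GPT.INI holds the SYSVOL-side version number of the GPO.
    $version = $null
    $gptIni = Join-Path $root 'GPT.INI'
    if (Test-Path -LiteralPath $gptIni) {
        $m = Select-String -LiteralPath $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' |
            Select-Object -First 1
        if ($m) { $version = [int64]$m.Matches[0].Groups[1].Value }
    }
    # Hash every file, keyed by its path relative to the GPO root.
    $files = @{}
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        $files[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    [pscustomobject]@{ Path = $Path; Version = $version; Files = $files }
}

function Compare-GpoCopies {
    param([Parameter(Mandatory)][string[]]$Path)
    $copies = @($Path | ForEach-Object { Get-GpoCopyFingerprint -Path $_ })
    $base = $copies[0]   # the first path is the reference copy
    foreach ($copy in ($copies | Select-Object -Skip 1)) {
        if ($copy.Version -ne $base.Version) {
            "VERSION MISMATCH: $($copy.Path) = $($copy.Version), reference = $($base.Version)"
        }
        $names = @($base.Files.Keys) + @($copy.Files.Keys) | Sort-Object -Unique
        foreach ($n in $names) {
            # A file missing on one side yields $null and is reported too.
            if ($base.Files[$n] -ne $copy.Files[$n]) {
                "CONTENT MISMATCH: $n differs in $($copy.Path)"
            }
        }
    }
}

# Constructed sample: two temp folders stand in for the same GPO on two DCs.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'gpo-sysvol-demo'
$dc1 = Join-Path $demo 'DC1'; $dc2 = Join-Path $demo 'DC2'
foreach ($d in $dc1, $dc2) { New-Item -ItemType Directory -Path (Join-Path $d 'User') -Force | Out-Null }
Set-Content -Path (Join-Path $dc1 'GPT.INI') -Value '[General]', 'Version=12'
Set-Content -Path (Join-Path $dc2 'GPT.INI') -Value '[General]', 'Version=11'
Set-Content -Path (Join-Path $dc1 'User\sample.ins') -Value 'proxy=new-proxy.example.test:8080'
Set-Content -Path (Join-Path $dc2 'User\sample.ins') -Value 'proxy=old-proxy.example.test:8080'
Compare-GpoCopies -Path $dc1, $dc2
```

In real use, pass one UNC path per domain controller, each pointing at the same GPO's folder under that controller's SYSVOL share. The check covers the SYSVOL side only and does not read the version number stored in Active Directory.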

Interesting results from the RSOP...

When I look in "User Config/Windows Settings/Internet Explorer Maintenance/Connection/Proxy Settings" I see the old proxy IP Address listed in the "Address of proxy" field. The precedence lists the following GPOs:

1. Internet Explorer Policy - Laptop Users-Users <enabled>
2. Internet Explorer Policy - All Users-Users <disabled>
3. Interenet Explorer Policy - All Users <disabled>
4. Internet Explorer Policy - Laptop User <enabled>

So looking at the above list number 4 is applied first, 3 & 2 ignored, and number 1 last (therefore whatever settings are in number 1 are the winning ones). Am I correct in assuming that?

When I look in GPMC at all the above policies I see the following:

1. Internet Explorer Policy - Laptop Users-Users : Configured to use new proxy dns entry
2. Internet Explorer Policy - All Users-Users : <not configured to give proxy settings>
3. Interenet Explorer Policy - All Users : <not configured to give proxy settings>
4. Internet Explorer Policy - Laptop User : Configured to use new proxy dns entry

So if I read this correctly, the GPOs would appear to be configured to give out the correct proxy information, the VPN'd clients are processing the GPOs but they are getting incorrect (old) settings.

I guess the next step in my problem resolution is to run GPOTOOL to see if the above GPOs are consistent across the domain. Any other ideas?
June 2nd, 2012 5:07am

This topic is archived. No further replies will be accepted.
