Windows 8 introduced the WinRT platform, which brings Modern Apps with live tiles and an immersive user experience. If you are an enterprise user behind a corporate proxy server, or a developer, you have probably discovered that after you change the proxy locally, all Modern Apps can no longer access the network. This is due to the network isolation design of the new WinRT runtime.
To implement new security policies and make applications on the WinRT platform more secure, developers must declare each capability a Modern App uses before the app can use it. For example, to use a network connection, you must declare not only the network connection but also the type of connection required. Because of network isolation, Modern Apps cannot use IP loopback addresses for inter-process communication by default. When a proxy server is specified for the LAN in the Internet connection settings, Modern Apps cannot access the Internet; in this case, only desktop applications can reach the Internet through the proxy server. (WinRT can detect the default proxy server on the local network so that Modern Apps can access the Internet. However, a LAN proxy that has been specified manually cannot be detected automatically.)
Sometimes, when the company's default network proxy server does not work, the IT administrator may ask users to manually specify another LAN proxy server. At that point Modern Apps cannot access the Internet, which is frustrating. In fact, there are two ways to lift the network isolation restrictions so that Modern Apps can access the Internet during such periods.
Method 1: Use Group Policy to specify an Internet proxy for the network isolation environment. Open the Local Group Policy Editor and expand "Computer Configuration" - "Administrative Templates" - "Network" - "Network Isolation"; we can see the following settings:
You can edit "Internet proxy servers for apps" to specify an Internet proxy. Note that the proxy specified here must match the LAN proxy you specified in the connection settings of Internet Options in desktop IE; this gives Modern Apps the basis for accessing the Internet. It is only the basis, because if you set only this item, the proxy you add is combined (as a union) with the proxies the system detects. Automatic detection takes priority, so once a LAN proxy has been specified on the desktop, the automatically detected proxy is inconsistent with the manually specified LAN proxy and the Internet still cannot be reached. Therefore, for Modern Apps to access the Internet, we also need to enable the "Proxy definitions are authoritative" option so that Modern Apps use only the proxy specified here.
Method 2: Use the debugging tool built into Windows 8 to add a network isolation exemption for a specific app. Windows 8 includes a built-in command-line tool that helps Modern App developers diagnose network problems. We can use it to add individual Modern Apps to the network isolation exemption list:
Here we can use the LoopbackExempt parameter to meet our needs. This parameter requires a second-level parameter of its own. The program's help text is very clear, so the options are not listed again here. One reminder: the AppContainer or package SID is difficult to find (you need to use the registry), so I personally recommend using -n=[Name] to add the exemption by AppContainer or package name. Obtaining the name is simple: open the %LocalAppData%\Packages path, and the names of the folders there are the names of the installed Modern Apps, which you can copy and paste.
It is not difficult to match these folders to the Modern Apps on the Start Screen, because part of each folder name is the name of the program. For example, the last one, "WinStore_cw5n1h2txyewy", is undoubtedly the internal name of the Store app. Suppose the default proxy server is broken and I have set up a LAN proxy in the desktop environment. I need to use the Store to update several of my applications, so I want to add a network isolation exemption for it. Run "CheckNetIsolation.exe LoopbackExempt -a -n=WinStore_cw5n1h2txyewy" to add the Store to the exemption list. To verify the exemption list, run "CheckNetIsolation.exe LoopbackExempt -s":
To delete an exemption, replace "-a" in the "add exemption" command with "-d". To quickly clear the entire list, run "CheckNetIsolation.exe LoopbackExempt -c".
Comparing the two methods, I personally suggest the second, for two reasons. First, with the Group Policy method, the port of the proxy server cannot be specified for the isolated network, so applications that use ports other than 80 may still not work properly. For example, the Store can browse applications but cannot update or download software. Second, CheckNetIsolation makes it easy to control and check exemptions, there is no port restriction, and the apps function completely normally. For IT professionals, it can also be built into scripts, which can then be reused and automated.
In the second method, we recommend using -n=[AppName] to add or delete exemptions. Compared with -p=[AppSID], it is more convenient, and special Modern Apps such as the Store are not shown under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings in the registry. After adding the Store exemption by name and viewing the exemption list as above, we found the Store SID = S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493.
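The scripting use mentioned above, together with the add, verify and delete commands, can be wrapped as follows. This is an added example, not code from the original article: the function names Get-LoopbackExemption and Set-LoopbackExemption and the $approved list are hypothetical, and it assumes an elevated PowerShell session and English "Name:" / "SID:" labels in the tool's output.

```powershell
# Added example wrapping the CheckNetIsolation.exe commands from the article.
# Function names and the $approved list are hypothetical.

function Get-LoopbackExemption {
    # Parse "LoopbackExempt -s". Assumes each entry prints a "Name: ..." line
    # followed by a "SID: ..." line (English output).
    $name = $null
    foreach ($line in (& CheckNetIsolation.exe LoopbackExempt -s)) {
        if ($line -match '^\s*Name:\s*(\S+)') { $name = $Matches[1] }
        elseif ($line -match '^\s*SID:\s*(S-1-15-2-[\d-]+)') {
            New-Object psobject -Property @{ Name = $name; Sid = $Matches[1] }
        }
    }
}

function Set-LoopbackExemption {
    param(
        [Parameter(Mandatory = $true)][string]$PackageName,
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add'
    )
    # Accept only names that exist as folders under %LocalAppData%\Packages,
    # so a typo or stale name is rejected before anything is changed.
    $folder = Join-Path $env:LOCALAPPDATA "Packages\$PackageName"
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        throw "No package folder named '$PackageName' under $env:LOCALAPPDATA\Packages"
    }
    $op = if ($Action -eq 'Add') { '-a' } else { '-d' }
    & CheckNetIsolation.exe LoopbackExempt $op "-n=$PackageName" | Out-Null

    # Confirm from the listing that the change actually took effect.
    $present = @(Get-LoopbackExemption |
        Where-Object { $_.Name -eq $PackageName }).Count -gt 0
    if ($present -ne ($Action -eq 'Add')) {
        throw "Exemption list does not reflect '$Action' for $PackageName"
    }
}

# Audit: warn about exemptions that are not on an approved list
# (constructed sample list; replace with your own).
$approved = @('WinStore_cw5n1h2txyewy')
Get-LoopbackExemption |
    Where-Object { $approved -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Unapproved exemption: $($_.Name) ($($_.Sid))" }
```

Calling Set-LoopbackExemption with -Action Remove once the normal proxy is back keeps the exemption temporary, and the audit at the end shows any entries left behind.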