How to remove modern application network isolation in Win8

Source: Internet
Author: User

In Windows 8 we introduced the new WinRT platform, bringing users Modern apps with live tiles and immersive user experiences. If you are an enterprise user behind a company proxy server, or a developer, you have probably discovered that once a LAN proxy is manually configured for the local connection, no Modern app can access the network any more. This is due to the network isolation design of the new WinRT runtime.

To implement a new security policy and make applications on the WinRT platform more secure, the developer must declare each feature a Modern app uses before the app can use it. For example, to use a network connection, the app must declare not only that it needs network access but also exactly which type of connection it requires. Because of network isolation, Modern apps cannot by default use IP loopback addresses for interprocess communication. When we set a proxy server for the LAN in the connection settings of Internet Options, Modern apps can no longer reach the Internet; only desktop applications can get out through the proxy server. (WinRT has some ability to detect the default proxy server of the local network so that Modern apps can access the Internet, but this automatic detection no longer works once a LAN proxy has been specified manually.)

Sometimes, when the company's default network proxy server is not working, the IT administrator may ask users to manually specify another LAN proxy server. At that point Modern apps cannot reach the Internet, which is frustrating. In fact, there are two ways to lift the network isolation restrictions so that Modern apps can still get online in such situations:

Method 1: Use Group Policy to specify an Internet proxy for the network isolation environment

Open the Local Group Policy Editor and expand Computer Configuration > Administrative Templates > Network > Network Isolation, where we can see the following settings:

We can edit "Internet proxy servers for apps" to specify an Internet proxy. Note that the proxy specified here should match the LAN proxy you set in the connection settings of the desktop IE options; that gives Modern apps a basis for reaching the Internet. But it is only a basis. With this setting alone, the proxy you add and the proxy the system detects form a single set, and automatic detection takes priority. Once a LAN proxy has been specified on the desktop, the detected proxy and the manually specified LAN proxy disagree, and the apps still cannot get online. So for Modern apps to reach the Internet, we also need to enable "Proxy definitions are authoritative", so that Modern apps use only the proxy specified here.

Method 2: Add network isolation exemptions for specific apps using the built-in Windows 8 debugging command

Windows 8 has a built-in command-line tool, CheckNetIsolation.exe, that helps Modern app developers diagnose network problems. We can use it to add selected Modern apps to the network isolation exemption list:

Here we use the LoopbackExempt option to do what we need. It is used together with a second-level switch, which must be specified.

The program's help text is very clear, so I will not repeat the full list here. One reminder: because the SID of an AppContainer or package is hard to find (you need the registry), I personally recommend using -n=<name> to manage network isolation exemptions by AppContainer or package name. The name is easy to obtain: open the %LOCALAPPDATA%\Packages path, and the folder names there are the names of the individual Modern apps, ready to copy and paste.

As the folder listing shows, it is not difficult to tell which Modern app on the Start screen each folder corresponds to, because part of the folder name is the name of the program. For example, the last one, "Winstore_cw5n1h2txyewy", is clearly the internal name of the Store.

Now suppose the default proxy server is down, I have set a LAN proxy in my desktop environment, and I need to update my applications through the Store. I add a network isolation exemption for it by running "CheckNetIsolation.exe LoopbackExempt -a -n=winstore_cw5n1h2txyewy", which adds the Store to the exemption list.

To verify the exemption list, we use the "CheckNetIsolation.exe LoopbackExempt -s" command:

To remove an exemption, change the -a switch in the command that added it to -d. To quickly clear the entire list, run "CheckNetIsolation.exe LoopbackExempt -c".

Comparing the above two methods, I personally suggest that you use the second approach. There are two reasons:

First, in Group Policy you cannot specify a port for the proxy server of the isolated network, so applications that use ports other than 80 may not work properly. For example, when the Store is set up this way, it can only browse applications and cannot update or download software.

Second, CheckNetIsolation makes it easy to control and review exemptions, there is no port restriction, and the programs function completely normally. For IT pros, it can also be built into scripts, and those scripts can be reused to automate control.

With the second method, adding and removing exemptions in the -n=<appname> form is recommended not only for the convenience mentioned above, but also because some special Modern apps, such as the Store, have no corresponding SID under the registry key HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings. After adding the Store exemption by name and checking the exemption list, we found that the Store's SID is S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493.
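
Each exemption removes one app from loopback isolation, so an automated setup should also be able to review the list and take back entries nobody approved. The PowerShell below is an added example, not part of the original article: it parses the exemption list, reports entries missing from an approved list, and removes them by name. The function names, the sample package "contoso.sampleapp_0000000000000" and the "Name:"/"SID:" layout of the list output are assumptions.

```powershell
# Added example, not from the original article.
# Assumption: "LoopbackExempt -s" prints a "Name:" line then a "SID:" line per entry.

function Get-LoopbackExemption {
    # Parse the exemption list; by default read it live from the tool.
    param([string[]]$Text = (& CheckNetIsolation.exe LoopbackExempt -s))
    $name = $null
    foreach ($line in $Text) {
        if ($line -match '^\s*Name:\s*(\S+)') {
            $name = $Matches[1]
        } elseif ($name -and $line -match '^\s*SID:\s*(S-1-15-2(-\d+)+)') {
            [pscustomobject]@{ Name = $name; Sid = $Matches[1] }
            $name = $null
        }
    }
}

function Get-UnexpectedExemption {
    # Return exemptions whose package name is not on the approved list.
    param([string[]]$Allowed = @(), [object[]]$Exemptions = (Get-LoopbackExemption))
    @($Exemptions) | Where-Object { $_ -and ($Allowed -notcontains $_.Name) }
}

function Remove-UnexpectedExemption {
    # Remove every unapproved exemption by name; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Allowed = @())
    foreach ($e in Get-UnexpectedExemption -Allowed $Allowed) {
        if ($PSCmdlet.ShouldProcess($e.Name, 'Remove loopback exemption')) {
            & CheckNetIsolation.exe LoopbackExempt -d "-n=$($e.Name)"
        }
    }
}

# Constructed sample output for an offline run. The Store SID is the one quoted
# in the article; the second entry (name and SID) is made up.
$sample = @'
[1] -----------------------------------------------------------------
    Name: winstore_cw5n1h2txyewy
    SID:  S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493
[2] -----------------------------------------------------------------
    Name: contoso.sampleapp_0000000000000
    SID:  S-1-15-2-1-2-3-4-5-6-7
'@ -split "`r?`n"

$found = Get-LoopbackExemption -Text $sample
Get-UnexpectedExemption -Allowed 'winstore_cw5n1h2txyewy' -Exemptions $found
```

On the sample, only the made-up contoso entry is reported. Running Remove-UnexpectedExemption with -WhatIf previews the removals on a live system without changing the list.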
