Windows 8 introduced the new WinRT platform, which gives users modern apps with live tiles and an immersive user experience.
If you are an enterprise user behind a company proxy server, or a developer, you have probably noticed that modern apps can no longer reach the network once a LAN proxy has been configured manually in the connection settings. This is a consequence of the network isolation design of the new WinRT runtime.
To enforce the new security policy and make apps on the WinRT platform safer, a modern app must declare every capability it intends to use before it can use it. For network access, for example, it is not enough to declare that the app needs a network connection; it must also declare which kind of connection it requires (Internet client, Internet client and server, or private networks). Because of network isolation, modern apps also cannot by default use the IP loopback address for inter-process communication. And when a proxy server for the LAN is configured under the Connections tab of Internet Options, modern apps lose their Internet access while desktop applications continue to go out through the proxy. (WinRT can detect the default proxy server for the local network on its own, and that is how modern apps normally get online, but it does not pick up a LAN proxy that has been specified manually.)
Sometimes, when the company's default proxy server is down, the IT administrator asks users to specify a different LAN proxy manually, and at that point modern apps cannot get online, which is frustrating. There are in fact two ways to lift the network isolation restriction so that modern apps can still reach the Internet in these special situations:
Method one: use Group Policy to specify an Internet proxy for the network isolation environment
Open the Local Group Policy Editor (gpedit.msc) and expand Computer Configuration > Administrative Templates > Network > Network Isolation. The settings we need are listed there.
Edit "Internet proxy servers for apps" and enter the proxy there. Note that the proxy you specify here must match the LAN proxy you entered in the Connections settings of the desktop Internet Options; this gives modern apps the basis for reaching the Internet. Yes, only the basis. With this setting alone, the proxy you add and the proxy the system detects automatically are merged into one set, and automatic detection takes priority; once a LAN proxy has been set on the desktop, the automatically detected proxy and the manually specified one disagree, and the result is still no connectivity. So, for modern apps to get online, you also need to enable "Proxy definitions are authoritative", which makes modern apps use only the proxies specified here.
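The two policy values above have to agree with the desktop LAN proxy, so the natural check is to read that proxy from the same place Internet Options stores it and mirror it into the policy. The script below is an added example, not code from the original post. It assumes that "Internet proxy servers for apps" is stored as the DomainProxies value and "Proxy definitions are authoritative" as DProxiesAuthoritative under the NetworkIsolation policy key; confirm both names in gpedit.msc on your build before relying on them. Because the policy takes proxy addresses without a port, the port is stripped from the desktop value and a host name is resolved to an IP.

```powershell
# Added example, not from the original post.
# Assumption: the two Network Isolation policy settings are stored as
# DomainProxies (string) and DProxiesAuthoritative (DWORD) under the key below.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run from an elevated PowerShell; this writes HKLM policy values.' }

# 1. Read the LAN proxy that Internet Options (desktop IE) is using.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -ne 1 -or -not $ie.ProxyServer) {
    throw 'No manual LAN proxy is configured on the desktop; nothing to mirror.'
}

# ProxyServer is "host:port" or a per-protocol list "http=host:port;https=...".
# Take the plain entry or the http= entry, then drop the port (the policy has no port field).
$desktopProxy = $ie.ProxyServer -split ';' |
    Where-Object { $_ -notmatch '=' -or $_ -like 'http=*' } |
    ForEach-Object { ($_ -replace '^http=', '') -replace ':\d+$', '' } |
    Select-Object -First 1

# The policy wants an address; resolve a host name to its first IPv4 address.
$ip = [ipaddress]$null
if (-not [ipaddress]::TryParse($desktopProxy, [ref]$ip)) {
    $ip = [System.Net.Dns]::GetHostAddresses($desktopProxy) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        Select-Object -First 1
    if (-not $ip) { throw "Cannot resolve proxy host $desktopProxy" }
}

# 2. Write the two policy values so apps use exactly this proxy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name DomainProxies -Value $ip.IPAddressToString -Type String
Set-ItemProperty -Path $policyKey -Name DProxiesAuthoritative -Value 1 -Type DWord

# 3. Apply and show what was written.
gpupdate /target:computer /force | Out-Null
Get-ItemProperty -Path $policyKey | Select-Object DomainProxies, DProxiesAuthoritative
```

If the desktop proxy changes again, rerun the script; with DProxiesAuthoritative set, whatever the system auto-detects is ignored and only the listed address is used, which is the behaviour the post describes.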
Method two: use the built-in Windows 8 diagnostic command to add a network isolation exemption for a specific app
Windows 8 ships with a command-line tool, CheckNetIsolation.exe, that helps modern app developers diagnose network problems. We can use it to add modern apps to the network isolation exemption list:
The LoopbackExempt parameter is the one we need. It is always used together with a second-level option: -a to add, -d to delete, -s to show the list, -c to clear it, and -n=<package name> or -p=<SID> to identify the app.
The program's help is clear enough, so I will not repeat it here. One reminder, though: because the SID of the AppContainer or package is harder to find (it requires digging through the registry), I personally recommend using -n=[name] to add or remove the network isolation exemption by AppContainer or package name. Getting the name is simple: open the %LOCALAPPDATA%\Packages folder, and the folder names there are the names of the installed modern apps, ready to copy and paste.
As the screenshot shows, it is not hard to tell which modern app on the Start screen each folder corresponds to, because part of the folder name is the program name. For example, the last one, "winstore_cw5n1h2txyewy", is clearly the internal name of the Store app.
Now suppose the default proxy server is broken, I have a LAN proxy set up in my desktop environment, and I need to update my applications through the Store. I add a network isolation exemption for it by running "CheckNetIsolation.exe LoopbackExempt -a -n=winstore_cw5n1h2txyewy", and the Store is added to the exemption list.
To verify the exemption list, run "CheckNetIsolation.exe LoopbackExempt -s":
To remove an exemption, change the -a in the add command to -d; to clear the whole list at once, run "CheckNetIsolation.exe LoopbackExempt -c".
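The add, verify and remove steps above are easy to script, which is the point the post makes about reuse. The following is an added example, not code from the original post: it reads package names from the %LOCALAPPDATA%\Packages folder as described, wraps the CheckNetIsolation.exe calls in functions, and parses the -s listing back into objects so the result can be checked rather than eyeballed. It assumes that the -s output prints one "Name:" line followed by one "SID:" line per exempted app, and that CheckNetIsolation.exe returns a non-zero exit code on failure.

```powershell
# Added example, not from the original post. Wraps CheckNetIsolation.exe so the
# exemption list can be managed from a script. Assumptions: "-s" prints
# "Name:" / "SID:" lines per entry; a non-zero exit code means failure.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run from an elevated PowerShell; -a/-d change the exemption list.' }

function Get-AppPackageFamilyName {
    # Folder names under %LOCALAPPDATA%\Packages are the names -n= expects.
    param([string]$Filter = '*')
    Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Packages') -Directory |
        Where-Object { $_.Name -like $Filter } |
        Select-Object -ExpandProperty Name
}

function Invoke-CheckNetIsolation {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & CheckNetIsolation.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "CheckNetIsolation.exe $($Arguments -join ' ') failed (exit $LASTEXITCODE): $out"
    }
    $out
}

function Get-LoopbackExemption {
    # Parse "LoopbackExempt -s" into Name/SID objects.
    $name = $null
    foreach ($line in (Invoke-CheckNetIsolation -Arguments @('LoopbackExempt', '-s'))) {
        if ($line -match '^\s*Name:\s*(\S+)') {
            $name = $Matches[1]
        } elseif ($name -and $line -match '^\s*SID:\s*(S-1-15-2-[\d-]+)') {
            [pscustomobject]@{ Name = $name; SID = $Matches[1] }
            $name = $null
        }
    }
}

function Add-LoopbackExemption {
    param([Parameter(Mandatory)][string]$PackageFamilyName)
    Invoke-CheckNetIsolation -Arguments @('LoopbackExempt', '-a', "-n=$PackageFamilyName") | Out-Null
}

function Remove-LoopbackExemption {
    param([Parameter(Mandatory)][string]$PackageFamilyName)
    Invoke-CheckNetIsolation -Arguments @('LoopbackExempt', '-d', "-n=$PackageFamilyName") | Out-Null
}

# Usage: exempt the Store (as in the post), confirm it is listed, print its SID.
$store = Get-AppPackageFamilyName -Filter 'winstore_*' | Select-Object -First 1
if (-not $store) { throw 'No winstore_* folder under %LOCALAPPDATA%\Packages' }

Add-LoopbackExemption -PackageFamilyName $store
$entry = Get-LoopbackExemption | Where-Object { $_.Name -ieq $store }
if (-not $entry) { throw "Exemption for $store is not in the -s listing" }
"Exempted $($entry.Name) with SID $($entry.SID)"

# When the normal proxy is back, undo it, or clear every exemption at once:
# Remove-LoopbackExemption -PackageFamilyName $store
# Invoke-CheckNetIsolation -Arguments @('LoopbackExempt', '-c')
```

Keeping the verify step in the script matters: a typo in the package name does not produce an error from the tool in every case, so checking the -s listing is the only reliable confirmation that the exemption actually applies to the app you meant.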
Comparing the two methods, I personally recommend the second, for two reasons:
First, in Group Policy you cannot specify a port for the isolation-network proxy server, so apps that do not go through port 80 may not work properly. The Store, for example, set up this way can only browse apps; it cannot update or download them.
Second, CheckNetIsolation makes it easy to control and inspect the exemptions, has no port restriction, and the app then works completely normally. And for IT pros, it can be scripted, and the script reused to automate the control.
With the second method, adding and deleting exemptions with -n=[appname] is recommended not only for the convenience mentioned above but also because special modern apps such as the Store have no corresponding SID listed in the registry under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings. After adding the Store exemption by name and checking the exemption list, we find that the Store's SID is S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493.
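For the cases where the SID form is wanted anyway (for example to match a SID seen in a firewall log), the Mappings key above can be searched from PowerShell, with the name form as the fallback for apps such as the Store that have no entry there. This is an added example, not code from the original post. It assumes that each subkey of Mappings is named by the app's SID and carries a "Moniker" string value holding the package family name; the SID and package name of the Store are the ones the post reports.

```powershell
# Added example, not from the original post. Resolve a package family name to
# its AppContainer SID via the Mappings key, and fall back to -n= when no
# mapping exists. Assumption: Mappings\<SID> has a "Moniker" value = package name.

$Mappings = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings'

function Get-AppContainerSid {
    param([Parameter(Mandatory)][string]$PackageFamilyName)
    Get-ChildItem -Path $Mappings -ErrorAction SilentlyContinue | ForEach-Object {
        $moniker = (Get-ItemProperty -Path $_.PSPath -Name Moniker -ErrorAction SilentlyContinue).Moniker
        if ($moniker -and $moniker -ieq $PackageFamilyName) { $_.PSChildName }
    } | Select-Object -First 1
}

function Add-LoopbackExemptionBySidOrName {
    param([Parameter(Mandatory)][string]$PackageFamilyName)
    $sid = Get-AppContainerSid -PackageFamilyName $PackageFamilyName
    if ($sid) {
        & CheckNetIsolation.exe LoopbackExempt -a "-p=$sid" | Out-Null
        $how = "by SID $sid"
    } else {
        # No Mappings entry (the post observes this for the Store): use the name form.
        & CheckNetIsolation.exe LoopbackExempt -a "-n=$PackageFamilyName" | Out-Null
        $how = 'by name (no Mappings entry found)'
    }
    if ($LASTEXITCODE -ne 0) { throw "CheckNetIsolation.exe failed (exit $LASTEXITCODE)" }
    "Added exemption for $PackageFamilyName $how"
}

# Usage (elevated PowerShell): the Store, exactly the case discussed in the post.
Add-LoopbackExemptionBySidOrName -PackageFamilyName 'winstore_cw5n1h2txyewy'

# Cross-check: the SID that -s reports for the Store should be the one the post lists.
$expected = 'S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493'
$listing = & CheckNetIsolation.exe LoopbackExempt -s 2>&1
if ($listing -match [regex]::Escape($expected)) { "Store SID matches the one in the listing" }
else { "Store SID in the listing differs from $expected (check the -s output)" }
```

The fallback is the practical point: a script that only accepts SIDs fails silently for apps without a Mappings entry, whereas the name form works for every package folder that exists under %LOCALAPPDATA%\Packages.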