||Parallels Desktop 3.0 for Mac Got an Intel Mac? Run all the Windows and Mac applications you need without switching between Windows and Mac OS X! New features include: 3D Graphics Support, SmartSelect, SnapShots and Security Manager to truly enjoy the best of both worlds.|
Last updated June 2, 2004
On this page:
Microsoft Proxy Server, part of Microsoft Internet Information Server (IIS), is an NT/2000-based server that provides a firewall and gives a local network of computers access to Internet services. Like any proxy server, this one takes requests from the clients on the network and contacts the Internet on the clients behalf. Unfortunately, Macs have problems connecting to it, particularly with e-mail.
Macs can have access to Internet services via MS Proxy Server, but version 1.0 is more limiting than version 2.0. With Proxy Server 1.0, Macs only have access to browser protocols: HTTP, FTP, Gopher, SSL (HTTPS SNEWS). There is no way for Macs to access POP3/SMTP email through Proxy 1.0 without running Windows on the Mac via an emulator or coprocessor board. This is because version 1.0 uses the WinSock proxy, and there is currently no implementation of the WinSock proxy for Mac OS.
The successor to Proxy Server 2.0 is Microsoft Internet Security and Acceleration (ISA) Server. It offers improved security, faster caching, and better management features, according to Microsoft. However, readers have reported problem with Macs and ISA Server as well (see below).
MS Proxy Server 2.0 (and ISA Server) offers the SOCKS proxy protocol in addition to WinSock. With SOCKS enabled on the proxy server, SOCKS-compliant Mac client software can access the Internet through MS Proxy Server. There are Mac e-mail applications that are SOCKS-compliant, including Netscape Navigator and Apple's old Cyberdog (which also does SOCKS Telnet). Older versions of Microsoft Internet Explorer for Macintosh and Outlook Express also support SOCKS e-mail access to some degree, but have problems with DNS resolution of the Exchange server. (More on DNS a below.)
For FTP, NetFinder is compatible with SOCKS and MS Proxy Server, as are recent versions of Fetch (we know 3.0.3 works), as do Anarchie, and InterNews.
For telnet, dataComet from Databeast is SOCKS compatible. The old TCP/Connect by Intercon, which included email, was also SOCKS-compliant. However, Intercon was acquired by Ascend Communications, and TCP/Connect seems to have disappeared.
With any proxy server, you need to tell your Mac Internet software (the Mac Internet control panel) that you are using a proxy server. If you are having trouble getting to the Internet from a Mac through MS Proxy Server, try configuring the Mac software to use port 1080, a practice the Microsoft recommends. If you software is set up to use Internet Config (the Internet control panel), you can try configuring the port 1080 in the Advanced tab. However, Microsoft and some readers recommend configuring your software separately.
To configure the control panel:
Microsoft Knowledge Base article Q187038 details the configuration of Outlook Express for use with MS Proxy Server. The procedure is a little more complicated than simply setting port 1080.
You will need a DNS server (such as the one in NT/2000 Server) with an entry for the mail host running on the network in order for Outlook to access an outside POP/SMTP e-mail server. You'll need to enter your local nameserver address in the appropriate place in your Mac TCP/IP setup (see MacWindows Tutorials).
For FTP software, you can get by without a DNS server if you enter the FTP server's IP address instead of a URL. FTP clients should be configured to use the SOCKS.
You will also need to configure the server. The SOCKS proxy settings can be found under Microsoft Internet Service Manager. Microsoft offers two options to try, configuring SOCKS ports 25 and 110 and 1080, or configuring the proxy to "GE 0," which permits users to go through SOCKS on any port connection. The procedure on the NT server:
An alternative is to create a single filter for any port connection:
Microsoft Knowledge Base article Q187038 also describes this procedure.
For people having problems with FTP access through MS Proxy Server, Microsoft Knowledge base article Q177310 suggests putting FTP in passive mode by editing the Registry of the NT Server running MS Proxy. (Thanks to Steven Lyles for that tip.)
An Apple web page called Firewalls and QuickTime 4 mentions if you use a SOCKS proxy server, that you'll need a SOCKS version 5 server in order to view QuickTime 4 streams. Unfortunately, Microsoft Proxy Server 2.0 is compatible with SOCKS version 4. Also unfortunately, MS Proxy Server 2.0 cannot "chain" to upstream SOCKS servers, as is incorrectly stated in the Glossary of the Proxy Server 2.0 documentation.
SOCKS is a transparent proxying/bridging protocol. It means that users on a private LAN (RFC 1918) can connect to the outside world via a SOCKS server (proxy) and have "full" Internet access with DNS, even though they themselves are protected from the outside and cannot be seen by the Internet. SOCKS can interact with authentication software, but it cannot do it by itself.
On Windows, this is a snap: get SOCKSCap from NEC, set it to SOCKS5 with Remote DNS Resolution, set your LAN as the direct access node, point it at your SOCKS server, and "wrap" your chosen app up in it. I have used this with IRC, telnet, Hotline, FirstClass, and telephony software with perfect results. SOCKS is limited in what it can do (eg dynamic ports, port allocation etc) but it can get you out of a sticky LAN situation where "direct" access is needed. The only software I can't get it to do is ICQ, but then again ICQ is pretty dodgy in its networking code.
Unfortunately, there is no version of SOCKCap for Macs: you can only use SOCKS compliant software, which are few and far between. SOCKSCap for Win can make _ANY_ app SOCKS-compliant via its "Wrapping."
However, Craig Morey says the SOCKS4 app that comes with Interarchy 3.8 "appears to carry out the same function as the Windows SOCKSCap application:"
Just worthy of note is that the SOCKS4 app with Interarchy 3.8 not only lets FTP and QT streaming through MS Proxy Server 2, but also allows me to contact my webserver by SSH (using Niftytelnet 1.1 SSH). And a good thing it is too, I thought I'd lost contact from my Mac forever!
(Thanks to Ben Haylock of Ben Haylock of Macquarie University, Sydney, Australia for the SOCKS information.)
Microsoft offers this description of the difference between SOCKS Proxy and WinSock Proxy: "WinSock Proxy provides a transparent circuit level gateway to windows platform clients and takes advantage of the full richness and popularity of WinSock applications. It supports many protocols that are based on both TCP and UDP, like VdoLive, AOL, IRC, NetShow, and RealAudio. It also supports IPX clients. The SOCKS protocol provides a non-transparent (applications must be built with SOCKS support in mind) circuit level gateway optimized around lowest-common-denominator UNIX sockets. The SOCKS circuit level gateway does not support UDP based applications and therefore can not support VDOLive, NetShow, etc."
Many thanks to Richard Birchall of Atomic Energy of Canada, Ltd. for providing information and leads for this report. Also thanks to Philippe Lazzaroni of Informatique Direct Impact Inc. and Steve Crossman.
Bugs and other problems, fixes, and workarounds.
March 15, 2000
I have a lab of about 20 iMacs. After installing MS Proxy 2.0 SP1 and configuring IE on the Macs to use Proxy, the client is prompted for a password for every page that loads. Any ideas?
March 16, 2000
Several readers responded to this problem. Several readers had a simple workaround: use Netscape Communicator, which only asks for a password for the first page that loads. Rich Barron offered some details:
If you quit Netscape and launch it again, you have to put in the password again too. IE can remember the name/password/domain combo so that you just have to hit "OK" each time (even after a restart of the machine - which could be useful in a lab). Netscape doesn't have a place to put in your domain, so you may have to enter it as:domain\user_name to get it to work correctly.
Mark Martin also found a new problem with FTP transfers:
This MS Proxy update also killed all FTP transfers using any FTP client with the exception of Communicator or Explorer. Even SOCKS aware applications will not go through the Proxy...It worked with the older Proxy Server.
March 20, 2000
I'm not sure that this would apply to this situation, but we use the following workaround; note that it doesn't eliminate the 'proxy box', but it does curtail it drastically:
1) Go to Preferences --> Security Zones.
2) Next to Zone: choose Internet zone
3) Select Custom, then the Settings... button next to it
4) Under User Authentication Logon, select Automatic logon with saved settings
5) You'll need to do the same settings change for the Local intranet zone option under Zone: as well
March 26, 2002
Scott Burditt verifies this solution:
I've finally fixed it! Get into Internet Explorer preferences and click on security zones. Click Custom settings and then under User Authentication change this to Automatic. Job done at last. I have suffered for over 2 years with this problem.
March 20, 2000
I was reading about the MS IE authentication problem with PS2 SP1. This problem first started with IE4. IE3 was never a problem, as long as you mounted a shared drive in the domain it would never ask for authentication. We had this problem with PS without the SP1. IE4 made this exacerbated the authentication to the point where it was required on every page. Netscape only asks once, but would not store the domain name. There is no way to circumvent the authentication unless you set Proxy Server to allow Guest access or anonymous, which we have done here. Doing so does not allow you to know via PS logging, who was accessing what pages, except by IP address.
The DHCP server control panel in NT can tell you what client is associated to an IP address. But it eliminates the recurrent log on problem in IE4.x We see no problem with FTP read access through PS, but Macs cannot FTP write through PS unless everything is setup correctly. We use NetFinder and Socks Proxy on port mode 1080 for FTP writes. The only problem is SOCKS cannot retrieve DNS information from PS, so you must enter an IP number of the FTP server instead of by name lookup.
March 20, 2000: A workround
I just read your news item concerning the Proxy Issues and Explorer. I came across this problem a few months back and found Microsoft Knowledge Base Article Q198266 that explains how to fix it:If Proxy is set to use NTLM (challenge/response) authentication, then you experience these user/pass requests. The fix is to use ClearText or Anonymous authentication instead of NTLM.
March 22, 2000: Another suggested solution
I've had this problem where every time you look at a page it would ask for a password. It would only do it on Macs, our PCs were working fine through the proxy.
The problem was on the Proxy Server and that the local logon it uses, IUSR_SERVERNAME had a different password to what was being used in the Proxy Admin program. So I just changed the password in User Manager and Proxy Admin program to the same thing and the problem has gone away.
It took me six months to track down that problem. I don't really want anyone else to have to go through the pain of trying to figure that out again.
April 20, 2001
We too have had issues with Macs on NTLM enabled NT proxy servers. We have just been told by our MS support rep that IE6 cures this issue.
A solution to the problem is listed below.
March 21, 2000 -- Peter Norman reports of a problem with Internet Explorer 4.5.x that he suspects may be related to MS Proxy Server. (A solution to the problem is listed below.)
Internet Explorer 4.5.1/4.5 never finishes loading a page on my Mac, which sits behind an NT server running Small Business Server 4.5 (Exchange 5.5, proxy 2, etc.). The little progress meter at the lower right corner of the browser window is ALWAYS in progress. The net effect of this is - you cannot print pages or print to PDF because the browser thinks the page hasn't finished loading. If you click STOP, it simply pauses for a second (not long enough to print the page) and then resumes its misguided effort to finish loading the page.
It's GOT to be related to the Proxy server though I can find no information at Microsoft's Knowledge base that even hints that other people are having similar trouble.
Netscape and iCab work fine - they do not have the same problem. For this reason alone I have had to STOP using Explorer and go back to Netscape at work. In doing this, I have noted that Explorer 4.5.x does NOT do DHTML properly - but Netscape 4.7 does - but that's another story (DHTML based menu buttons on the member area of www.davidbowie.com do not work under Explorer so I must use Netscape.)
March 21, 2000
I have this problem a lot. The only thing I can do is quit IE and start it again. I don't know if it's related to MS Proxy but I am obviously using IE 4.5.1 on a Win NT network.
March 22, 2000
This is a fairly common occurrence for me. Some web sites always cause the perpetual loading phenomenon (e.g., Lexis.com research sessions, the hotmail calendar). Although I can't get the progress meter to stop, I have no problem printing from IE and the web pages seem to have all of their content, so for the most part I ignore it. Occasionally IE's performance will start to degrade after experiencing this and I am forced to deal with it. Sometimes restarting IE will clear up the problem, sometimes it won't and I end up having to log off SBS and log back on. Restarting the Mac hasn't been necessary.
The funny thing is that once I go to a "bad" site that causes the problem, further surfing to other sites, which normally do not have this problem, may lead to a continuation of this misbehavior. One workaround that I use is to keep the "bad" sites contained in their own window. For example, I start my day by checking a few tech support sites (macwindows.com included) that don't have the problem. Before I begin any Lexis research, I open a new window, log on, and like clock work the perpetual loading begins, but other windows I have open continue to work fine. I can switch back and forth and the unaffected windows continue to work fine. Of course if I stumble on to a "bad" site with my unaffected window then there can be problems.
Random tech tidbits for my situation:
My Mac is a Sawtooth G4 running OS 9.0 and IE 4.5.1 (128 bit encryption). I have OE 5 and MSN Messenger working via the server with no problems.
The server is SBS 4.5, and Proxy 2.0, with most of the proxy suggestions on this site applied (passive mode FTP registry hack, permissions set to full, etc.).
Solution for MS Proxy and never loading webpages in Explorer
April 13, 2000 -- Peter Norman discovered a fix for the problem of Internet Explorer 5 for Mac web pages never stop loading:
I've solved my problem of "never finishing loading pages" (thus preventing printing of pages) in Explorer 4.5.x and Explorer 5.0.
Open Explorer's Prefs from the Edit menu. Choose proxies from the network section. Under Use Proxy Servers chose Web Proxy and then click Settings. Add address (IP of proxy server), port (web port of proxy server), and method (normal, NOT socks).
NT server's proxy Server 2.0 SP1 is set to use plain text passwords for NTLM. This solves the issue of Explorer always asking for a password on "new page load."
May 18, 2001 -- Additional Info for this solution
I have had the same problem (the page not loading and the print button grayed out) with the Macs using the SOCKS proxy service through MS Proxy Server 2.0 on our network.
I tried the fix posted, and it worked. I have a small tip to add for those who didn't get it to work. The web proxy service must be running on the server (in Internet services manager) for the machines to connect via the proxy under the "Normal" setting in Internet Explorer.
May 30, 2001 -- Another discription of this solution
In Internet Explorer you need to go to your preferences and change somethings. Under the network settings, click on proxies. Then check the box that says web proxy, check the box that says "use web proxy for all" and then type in the box the IP number of the Gateway (router) in your building NOT the gateway (router) on the ISP side. Then click on settings and make sure that the port is set to the port of your ISP.This worked for me great.
Fix doesn't work for a reader
May 9, 2001
We are having the same problems with IE 4.5 and 5.0 never finishing a web page load. It always appears to hang on a .gif file at the very end of the load process.
We are a school district that has all PCs at the secondary level and all Macs at the elementary level.
Something interesting though. We have a LAN that includes the Administration bldg., High School, Junior High and one elementary. All of these buildings are connected through gigabit fiber and have 100MB desktop connections. ALL of the Macs connected to the Proxy Server 2.0 (connected to this fiber connection) work properly.
We have three other elementary schools that are connected to Proxy 2.0 by way of 128k ISDN lines. These are the Macs that are encountering the problem. I am 100% positive MS Proxy 2.0 is causing the problem.
To prove the case, we have a filtering server in place. The MS proxy server redirects all http traffic to the filtering server. On some of questionable Macs, I pointed the proxy to our filtering server, eliminating MS Proxy and the problem went away.
So, in conclusion, it appears (in our case anyway), the 128k connection is causing the problem. At these sites connected via ISDN, we do also have a few PCs. They are NOT having this problem.
To the other folks who submitted information on this item: Is your topology similar to this?
The solution provided by Peter Norman on April 13, 2000 is the scenario we've been using all along. It does not work for us.
May 29, 2001
I've had this problem too, but feel that it is actually due to the bandwidth management problems of NT. It's now accepted that NT Server 4 has problems with Mac clients connecting over broadband. If I connect the same Mac via a modem, the pages load perfectly.
Unfortunately, I don't know of a fix...We do get the same problem with Netscape. It just seems to affect IE more.
IE 5 adds printing problem to purpetually loading pages.
March 31, 2000 -- Bente Saugmann reports that Internet Explorer 4.5 and now version 5 has the problem mentioned above. Additionally, with IE 5.0, he can't print. (We've added Saugmann's message to our MS Proxy Special Report.)
I've just updated to IE 5.0 and all pages now behave this way [never finish loading] and I can't print anything at all (the print command is simply grayed out). I had a similar problem with IE 4.5 but without the printing problem.
The problem only occurs when I access the Internet through our NT-based MS Proxy Server, not when I use my IPS dial-up connection.
It's a shame really, as IE 5 seems to have solved many of the problems I had with java and scripting in IE 4.5 (but not the scripting errors I always get from Microsoft's support pages). Seems I have to go back to using IE 4.5 or Netscape.
April 3 , 2000-- Benjamin Iseman is having the same printing problem with pages that never stop loading:
After reading Bente's report I tested IE5's ability print and now I can also report that IE 5 is a step backwards from IE 4.5 in terms of the perpetual loading problem since now I can't print these problem pages either.
Then I noticed one piece of information showing in the status bar of IE 5 that I never noticed before when this problem would occur. It looks like IE is trying to load a graphics file that is already being displayed. For example, using the Hotmail calendar the page will appear fully loaded, but the status bar contains the following message:Receiving image (0 bytes of 961 bytes, 0 bytes/sec): passport_logo.gif
Everything on the page is fully loaded, including the passport logo.
As a test I went into IE preferences and turned off "show pictures" and the problem went away in the Hotmail calendar temporarily, but now its back and I can't shake it. I also played around with turning off other features in the browser's preferences but I am sure that I didn't exhaust every combination.
The best work around that I can come up with is to save the web page and then print it. Saving as archive or source both work on a perpetually loading web page. The saved page can be opened and printed with no problem.
April 27, 2001
RE:Proxy requesting login problem
The proxy box is probably configured on the web proxy to only allow "Authenticated Users". This is a very common configuration because it prevents users from accessing the network without logging in.
In the windows world once the user has logged into the network the Proxy box simply uses the NT domain accounts and will never ask them for a password. We had this problem and could not resolve it without creating local accounts on the proxy box for the Macintosh users. Even after that point they would occasionally be bombarded with authentication requests.
June 7, 2002
I have a workaround for the printer grayed out when a page won't finish loading in IE5 etc through a firewall connection. Press the stop loading page button or command-. and all application services will be restored.
April 17, 2000 --Ron Kuhlmeier reports that he had success with the solution for the "perpetual web page loading" problem with Internet Explorer 5 for Mac and MS Proxy 2 SP1. However, he has a new problem:
I now am having trouble loading multiple frames on certain sites. I get the infamous Error 403 message from the Proxy Server. Clicking "reload" sometimes gets more frames but I have yet to see an entire page load the first time around.
March 23, 2000 -- Shawn Williams reports a repeatable problem with MS Proxy Server and audio and video streaming with RealPlayer Plus 7 for Macs (final, purchased version):
They connect fine, start loading, and begin playing for about 45 seconds and then they crash. This is true on G4, G3, OS 8.6, and OS 9. Is there anything known to cause this? If I connect direct via a modem these problems go away.
March 31, 2000 -- David Valentine sent us a clue which may or may not be related to the MS Proxy problems readers have been reporting. Microsoft Knowledge Base article A249863 says:
Web clients may fail to connect to Web sites that use Server Gated Cryptography (SGC) for strong encryption when a secure connection is required. If either the Internet server or Web client is running Microsoft products, then the connection may fail. If the Internet server and Web client are both running Microsoft products, then no problem occurs.
Valentine had problems with a Windows machine, but as with some of the IE Mac/MS Proxy, going to Netscape worked without problems.
A patch for NT Server is available to fix this Server Gated Cryptography (SGC) bug.
Tip: Configuring Vicomsoft FTP Mac for MS Proxy Server.
April 7, 2000 -- Terry Martinez sent us the settings for configuring the new Vicomsoft FTP Client 3.0.1 for use with Microsoft Proxy Server 2.0. (This is the first version with SOCKS support.)
With the combination of the Port 1080 in the Proxy TCP and port 21 in the TCP port I never connected.
Default Server Tab:
- Ck User Passive File Transfers
- Ck Use FTP Proxy
- Proxy Server Address: <PROXY IP Address>
- TCP Port: 1080
- Proxy Method: SOCKS
For the Specific Connection in the FTP Service Book:
- Service Name <Name of the Connection>
- User Name <If Needed>
- Password <If Needed>
- Type <Specify if known or Needed>
- Server Address <FTP IP Address you are connecting to>
- Use TCP Port: 21
- Ck User Passive File Transfers
- Ck Use FTP Proxy
Disabling "remember password" in MS Proxy Server
Q: November 22, 2000 -- Henry Dunning asked this question:
We are using MS Proxy 2.0 sp1 and 250 Macs. When Proxy's access control for WWW is turned on it prompts the user for name and pass and we have not had many poblems with that.
Does anyone know if there is a way to disable the "Remember Password" option? At times we need to track certain students sites and we cannot be sure who has logged on if the remember pass is enabled.
A: November 28, 2000 -- Rich Pape answered the question:
MS Proxy 2.0 SP1 does not handle any of the password features Henry is asking about. Internet Explorer or another Internet application would handle that feature. Most apps can be told not to remember passwords in their preferences. Proxy just looks up the user in User Manager and then compares that name to its own list of which users are allowed to access what services. It does not check passwords except to have user manager validate that specific user name.
NOTE: John Lockwood reports that installing Service Pack 1 to Microsoft Proxy Server 2.0 fixes this problem (Sept. 25, 2000).
August 7, 2000 -- Shan Younker first reported this problem with Internet Explorer for Mac and Microsoft Proxy Server.
IE 4.0, 4.5 and 5.0 on the Mac going through MS Proxy does not always load all images for a web site every time. This is not the same as the "page never stops loading" problem [described above]. The page finishes loading but images are missing. If you refresh the page then the missing images may come in but different ones will be missing. Netscape on the Mac does not have this problem neither does IE or Netscape. It seems to be isolated to IE on the Mac.
August 8, 2000 --
I am running IE5 on the Mac and use Microsoft Small Business Server 4.5 with Proxy Server 2, and I have had exactly the same problem for many months now. I am afraid I cannot figure it out either, but without IE I cannot access the Internet full stop.
August 8, 2000 --
We have three Macs connected to the Internet through MS Proxy Server. I've seen the incomplete loading described in your August 7 posting, although I have not seen it since upgrading to IE 5. It was definitely an occasional problem under 4.0 and 4.5, though. It would happen sometimes and you would just have to manually load the images.
August 8, 2000 --
We have this problem with all our Macs. We are using i.e. 5 and an NT 4 server doing the proxying. We get regular messages asking for logon id and password to authenticate with the proxy server. They are not common enough to be a real nuisance but they may be part of the problem - may be the proxy server is rejecting the request for the image because of authentication problems.
The other error we get is HTTP 407 Proxy Authentication Required.
This is displayed instead of the requested page or frame. Refreshing the page or frame fixes the problem.
When I get a missing image that I want, I hold the mouse down on the image till I get the contextual menu. One of the options is 'Load image'. This avoids refreshing the whole page only to see different images go missing.
July 25, 2000 -- Gregg Eshelman reports on two Internet gateways for Windows, and how they faired with Mac Clients. He had trouble getting Macs through with WinGate 3.0, a firewall and proxy server for Widnows, but had better success with SyGate 3.0. (These and other Internet sharing products are listed on our Network Solutions page.)
I tried WinGate 3.0 and the next newer version a while back. ICQ would work but only for messages. File transfers would not work at all. The FTP required extensive tweaking to get to work but for some reason I could only get FTP on the Mac to work with _either_ FTP apps like Fetch _or_ with web browsers. Never both at the same time! Another problem with those versions of WinGate is a complete lack of usenet news server support. After some web searching and head scratching (and hair pulling) I figured out how to manually configure news server mapping for ONE server at a time. Overall performance through WinGate was slow.
Then I tried SyGate 3.0 and the difference was amazing. No need for setting proxy settings in all Internet apps on the Mac. Everything just works! Multiple usenet servers are no problem because the Windows PC is for the most part "invisible" to the Mac. The only problem I've had with SyGate is that I still can't send or receive files with ICQ. Doesn't bother me because I was just testing Mac ICQ and use it on Windows. (ICQ's lack of updates for the 68k version is another reason to not use it.)
July 27, 2000
Our organization uses WinProxy from Ositis Software. I saw them on your Solutions page, tried a demo, liked it, and bought it. It works well for Mac and PC clients. It is interesting because it doesn't require a password... it does its security based on IP addresses. This may not be ideal for all people but for most people who use only their own computer, it is fine and logging is very possible. If you have a public-access computer, you need to keep a log of users and what times they used it so you can match against the WinProxy log.
August 22, 2000
Our MS proxy/Mac incompatibility has just reached new depths. Last week, our IT contractors expired everyone's passwords. Since then the Mac clients have had major problems with the proxy server - surfing the web locks out our accounts. Previously we would get the occasional '407 Proxy Authentication Required' error message and images that didn't load. Now it seems that those authentication failures are being counted as logon errors and three in a row are locking out the account. This happens a couple of times a day.
Can anyone tell me what they changed to cause this to happen?
August 25, 2000
I suspect my problem with account lockouts is related to the image not loading problem with MS proxy server. I just used my brand new copy of Interarchy 3.8 to watch the network traffic while I opened the MacWindowshome page.
The page loaded correctly despite the traffic showing several 407 errors. These seem to have occurred because the Mac did not send the full authentication string. I would interested to find out what the network traffic showed for other people whose images failed to load.
September 6, 2000
This error just came up in my wife's company too! Is there any work around? Is it linked in some way to passwords? In her environment, the email works, DAVE works, UAM works...... just IE 5.
December 1, 2000 -- Tanya Howie is getting the error message "407 Proxy Authentication Required:"
I am using IE5 through a proxy server and when we first set it up it worked great. Never got the error message at all. Then the proxy server crashed and the IT department had to rebuild it or something. That's when I started getting the error messages. It does the same thing to me as it did to you, I get the three tries and I'm out. I then have to call IT and have them reset my profile.
If you've seen this problem, please let us know.
April 24, 2001
Our IT contractor recently made 2 changes that we know of which have hampered Mac usage. For Proxy authentication the 2 changes were implemented at the same time and involved changing the password length from 5 characters to 6 and the account lockout period from 30 minutes (we believe) to 1440 minutes. Since these changes our Mac users have been fighting the Proxy Error 407 syndrome while connected to the internet. Subsequent lockouts affect IE, Exchange and Dave connection to local servers.
December 5, 2000 --
We finally fixed the '407 Proxy Authentication Required:' error message by setting up a separate proxy server just for the Mac users with proxy authentication switched off. We used our MS Exchange server which was already sitting on the firewall. I think our IT people also restricted the IP addresses that could use this proxy server. Your IT people may not be as helpful.
I don't understand why the proxy server needs to authenticate every request, assuming that only people within our network can access it anyway.
This means using ClearText or Anonymous authentication instead of NTLM--same fix as for another problem.
May 29, 2001
One reader passed on some information he heard from Microsoft regarding the problem:
I have been in touch with MS engineers and they are aware of this problem. They promised a fix last October, but then stated they would not "fix" it till somewhere between August and October. I have 20 Macs on an NT network that has 26,000 NT machines. The multiple logon problems with lockouts happen almost daily on our Macs. I had narrowed the problem down to focusing on the proxy server. The "Netscape" or "anonymous" recommended fixes are not an option at my shop.
May 29, 2001
I am an IT support engineer working for a medium sized business in London. We recently split from our parent company and migrated all users into a new NT domain (I work almost exclusively on NT systems). Once we had migrated all of the company's Macs (about 20 in all), this problem started and is still going on. It has become immensely frustrating continually unlocking accounts, both for my users and myself -- and I am amazed to find that this seems to be the only site I can find which carries any information whatsoever about resolving the problem.
The main problem I have is that I can't allow anonymous access to the net via proxy, so I am hoping that I can try and bend the rules a bit.
October 2, 2001
Kyle Crawford reports of problems with some web browsers running on Mac OS X and Microsoft Proxy Server:
The version of IE that comes with 10.1 does not seem to work with proxy servers (at least not MS ones).
It appears to get its settings from the Internet system preference, but any attempt at web access results in a 407 error and does not even throw up an authentication box.
This is disconcerting given that MS promised a FIX for the existing proxy problems (listed on your site and experienced by thousands of users daily) this fall.
I've been using Mozilla in 10 and 10.1, which seems to be the only browser that does work well with MS Proxy servers in 10.x, though it too sometimes fails and simply draws a blank page with <body></body> tags showing in the browser window.Quitting and relauching a few times gets it working again. This may be similar to issues with Communicator 4.7.x where it continuously flashes connecting to proxy server.
September 12, 2002
I am using IE 5.2 for MAC OS X and have successfully installed it twice onto two Titanium PowerBooks, the third (identical in all ways) always give a HTTP error 407 even though all settings are correct. Using Netscape I have the same problems. I feel it is probably a permissions issue somewhere on the disk but have no idea where to find it.
September 16, 2002
I'm glad you're covering this on your site as it's the only place I've seen it and I've been wrestling with this problem for a couple of weeks now. I'm running IE5.2 on MAC OS 9 through MS Proxy Server 2.0 configured to use Web Proxy. I'm getting 407's pop up in certain frames on a page but not others.
Refreshing sometimes works for one part of the page but then another bit gets 407'd. Unfortunately none of the solutions suggested by your readers apply to my environment. I can't enable SOCKS on the proxy or anonymous access - both of these would bypass our web filtering software (SuperScout).
Allowing plain text instead of NTLM might work but I doubt I'd get that past our security guys. If anyone's managed to come up with an answer to this I'd be truly grateful. Even finding some official info on how this thing should or should not work would be useful.
September 23, 2002
Alan Baker has a better workaround:
I've seen this problem at one of my clients and while I don't have a solution that makes it go away, I do have a better workaround than simply refreshing the entire page.
If you control click in the frame that's "407ed" and select "Refresh Page" Internet Explorer will only refresh the *frame* and so you won't lose the contents of other frames to new 407 errors.
September 27, 2002
I have a rev 3 titanium 667 running 10.2.1, we have an ISA box as our proxy server. The problem is that if I use IP I get a 407 error, but if I use Netscape 7 if authenticates fine. The sys Damien does not want to open up any ports on the box regarding socks etc.
September 25, 2000 -- A reader named Raul was having a problem with Macs uploading files to an FTP site through Microsoft Proxy Server 2.0 running on NT Server. Raul tried Internet Explorer 4.5 and Anarchie and got the same result:
Whenever I drag a file to a site what happen is it will just open the file, like if it is a .sit file it will just decompress. I try downloading a file there is no problem.
He found the cause and the solution:
It is due to the Socks Server always performing a hard reset on the Internet Socket closure in order to save time. This in turn, causes the FTP server to reset during the PUT command. What I did is I installed the latest service pack for Proxy Server and it works.
September 25, 2000 -- John Lockwood found that MS Proxy Server SP1 did not fix: he can't get Fetch or Interarchy to work. He can FTP with Netscape and Internet Explorer by using Port 80, but this doesn't work with Fetch or Interarchy. If you seen this problem, please let us know.
I can successfully web browse using both Netscape and Explorer via my Proxy Server 2.0 (with SP1). I can also successfully use FTP in Netscape and Explorer using Proxy Server as an FTP Proxy. However I cannot get Fetch 3.0.3 or Interarchy 3.8 to work at all via the proxy server.
Explorer and Netscape are both using port 80 to talk to the Proxy Server for both HTTP and FTP (this works). If in Netscape (you cannot alter this setting in Explorer) I choose port 21 for the FTP proxy then I get a message saying it has been disabled for security reasons.
I have configured Proxy Server to not require authentication and to allow all ports and destinations (I have a separate firewall so all I want it to do is cache information).
If I try Fetch or Interachy with port 80 then they try to connect but just wait forever doing so. If I try with port 21 then in both I get the following in the transcript log:220 backup-server Microsoft FTP Service (Version 5.0).USER email@example.com Password required for firstname.lastname@example.org.PASS *****530 User email@example.com cannot log in.QUIT
Solution for getting Mac FTP to work through Proxy Server
September 28, 2000
Charles Christensen has a suggestion:
I've been consulting MacWindows for the past 2 years or so, in my quest to be able to FTP upload through our MS Proxy 2.0 server with my Mac.
I asked our network administrator to install MS Proxy Server Service Pack 1, then used the "Socks4 App" included with Interarchy 3.8. Using this little application, I'm able to connect with full upload/download capability with NetFinder, Fetch, even GoLive.
September 29, 2000 --
I've been using the SOCKS app that comes with Interarchy's predecessor (Anarchy) for almost a year now. It works very well from behind Microsoft Proxy Server 2.0.
More important, it even lets me use Eudora (even version 5) instead of Outlook Express 5 (which supports SOCKS Proxy stuff). It rocks!
More on the SOCKS utility included with Interarchy:
October 12, 2000 --
Ever since I installed and started using the SOCKS utility included with Interarchy 3.8, I've discovered more and more things I can do from behind our company's firewall that I couldn't do before. The latest is viewing/listening to streaming QuickTime content.
I launched the SOCKS4 application, then went into the QuickTime Settings control panel and turned "Streaming Proxy" off. I configured it to use HTTP transport, then closed the panel.
Now I can watch live TV, listen to NPR... Kudos to Peter Lovell for his extremely useful SOCKS app!
December 15, 2000 --
I, too, had problems using my Mac through my company's NTProxy Server. IE would ask for username, password, and realm. I would dutifully enter them. For some reason, though, IE had problems with subsequent requests using the authentication information.
One workaround mentioned was to disable NTLM authentication, but I don't have that much pull with the IT department. :-)
I did find another solution that has been working for me, and hope it might be of use to others.
First, the user needs to go to Edit/Preferences... and select the Network/Proxies Tab. Click on the settings... button for the proxy. Make note of the user name and password fields, then clear them out, and click OK.
Next, select the Network/Site Passwords and delete any entries that used the same username/password/domain combinations.
Quit IE and relaunch for good measure.
Now, the next time you are prompted by IE for your username/password/domain,
Given the following sample information:
_DO NOT_ enter it in the dialog in this manner!!!
- Instead, enter the following:
- domain:<Leave this field empty>
This seems to make IE and my proxy server communicate with each other.
January 22, 2001 -- Bob Fiorini reports that Microsoft Proxy Server 2.0 blocked Mac access to RealAudio streams; installing another Proxy server fixed his problem:
I have an NT network with 95, 98, NT 4.0 workstations. We're using MS Proxy Server 2.0 with the MSP client software to access RealAudio audio/video streams. I have a client that is using a Macintosh Powerbook G3 that wants to use RealAudio [but could not].
I have resolved the problem by installing WINPROXY 3.0 on a seperate server (which is SOCKS 5 compliant ) and after some configuring it works great. MS Proxy SOCKS won't handle UDP and thus the root of the problem. I now have a client with his own proxy server.
February 6, 2001 --
I am trying to ftp from my Mac through an NT server running NT4 and MS Proxy Server 2 and SOCKS. I've tried both Interarchy and Vicomsoft FTP clients and they both work. So what's my problem? I can't upload for more than 15 minutes. Download is fine. But uploading quits every time at 15 minutes. I figure it's a timeout setting within the server but neither myself nor my IT guy can seem to find that setting.
...I don't experience this with ftp from any of our PCs on the same network. Also, our Macs can connect to the web indefinitely with no dropped connections.
February 7, 2001 --
I can confirm this problem. We spent hours testing this very issue for a client through their MS Proxy and our own, but, after many hours, we were unable to find a setting on MS Proxy to alter anywhere. Furthermore, I tried every FTP client I knew (including NetFinder [our preferred client], Fetch 3.x, Transmit, the Vicomsoft client, and Interarchy, as well as trying to use the SOCKS app from Interarchy with the clients). Eventually, we had to set up a Mac outside the proxy for FTP. The FTP servers we were trying to upload to were MS FTP and ASIP 6.3. I can also confirm that this doesn't affect downloads or Windows.
Of course, many months later, another engineer in the office found a mention of this issue while looking for something else on MS TechNet! Neither of us can find the article now, but he recalls that it required modifying a Registry setting on the Proxy (which seemed like what would be necessary at the time, though we couldn't determine what the setting was).
February 27, 2001
I'm consulting at a company that uses MS Proxy Server 2.0. As others have noted, the Macs cannot reliably move files using FTP. Access to our servers from the outside world is great. Inside the building, only Netfinder will connect to internal and external sites only if I use IP numbers. After connection, I can see a file list, but file transfers freeze the Mac.
I tried all of the suggestions on this page dedicated to this subject (short of installing a dedicated FTP proxy), using Interarchie, Netfinder and others, but cannot get consistent results. Interarchie, (using SOCKS 4 or 5) will not connect at all, giving me an error (-3216). Using the "show connections" window in Interarchie, I can see that port 1080 is opened when I try to connect and closes after a second or less.
I've tried all combinations of configuring the Internet control panel, socks and no socks, passive transfers on and off. The proxy server is set to use NTLM? Authentication and allow all connections with port value greater than 0. Our "proxy person" tells me this. I do not have access to the server, but I'll be setting up a smaller net to debug.
Some questions for those of you who've made this work: what are your Proxy Server settings, can this be done without the Socks app and extension? When we use this app, our Novell Groupwise e-mail quits.
Mac problems with ISA Proxy Server
April 12, 2001
I saw your request for people who have experienced the Microsoft ISA Proxy Server. Mine has been short (roughly 5 minutes). As a result of some policy changes affecting password length and account lockout period our Mac users have been encountering the Proxy Error 407 messages and subsequent lockout. One of our IT troubleshooters had me experiment with a new ISA Proxy System being prepped for use by our company IT contractor.
My personal experience has found that going to CBSNews.com and opening their MarketWatch page will usually present about 5 to 10 graphic locations on that 1 page with the 407 error message. For me, lockout is almost guaranteed within a few minutes of being on this page. To test the new ISA server system I opened the MarketWatch page and had the same conditions occur.
Numerous graphic windows failed to load and were filled with a 407 error message, but the format of the message had changed. (Loading this page on a PC will not lock me out).
Here is the content of the 407 error message that showed up with the new ISA server. Needless to say, the ISA proxy system did not resolve the account lockout condition. I really don't know anything about how our Proxy Server or the NT Server are or were configured. I am using a PowerMac 9600/300 with OS 8.5.1 and IE 5.0. We also have a PB G4 400 MHz with 9.1 and IE 5.0 that gets locked out. Prior to the policy changes there were no lockout problems.The page cannot be displayed. There is a problem with the page you are trying to reach and it cannot be displayed.
Please try the following:
* Click the Refresh button, or try again later.
* Open the ad.doubleclick.net home page, and then look for links to the information you want.
* If you typed the page address in the Address bar, make sure that it is spelled correctly.
* Verify that the Internet access policy on your network allows you to view this this page.
* If you believe you should be able to view this directory or page,please contact the Web site administrator by using the e-mail address or phone number listed on the ad.doubleclick.net home page. HTTP 407 Proxy Authentication Required - The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)Internet Security and Acceleration Server
September 18, 2001|
I have the exact same issue and am unable to find a solution other than "a known concern."
September 20, 2001
I have two pieces of information regarding this:
1. The experience that I have had is the only time I get locked out by the ISA Proxy server is when I am connected to network drives on a Windows 2000 server.
2. Netscape 4.0.8 and Netscape 6.1 do not experience this problem.
That is at least a work around for some of our users.
September 6, 2001
Christopher Plummer notes a problem with using Netscape/AOL Instant Messenger for Mac over firewalls:
My Windows friends can bypass our Draconian corporate firewall by selecting HTTP in the 'Protocol' section of the "Connection" setup dialog. In the Mac version there are the same SOCKS and HTTPS choices that appear in the Windows version, but HTTP is missing. And that seems to be the only one that works. Pretty frustrating. I sent a note to Netscape, but haven't heard anything from them yet.
Netscape/AOL Instant Messenger 3.0N comes with Communicator 4.78. Apparently the current version is Netscape Instant Messenger 4.3.1233.
September 24, 2001 -- Two readers sent in the same solution. Rick Zeman stated it like this:
Christopher should type 80 (default is 5190) in the port field above the SOCKS and HTTPS choices.
Ron Bischof gave some more info:
You can accomplish the same result as the Windows version by setting the port number under the Connections section of preferences. A port scan will reveal any open ports, but frequently port 80 (HTTP) or port 23 (Telnet) will work.
May 6, 2002
Like a lot OS X user on an NT or Windows 2000 with ISA Server, I had a problem with authenticating behind a MS Proxy Server. Every time I used Explorer I had to authenticate my user name and password. On top of that, programs like Software Update, Quicken and Watson could not communicate correctly.
Our IT person, found that the Mac was not creating a session with the Proxy Server even though Macs were suppose to be able to communicate as a secured NAT client. However, there is a simple work around that has corrected all these problems.
On the Proxy server, allow the leased or the static IP address to the Mac to fully "open up" to the proxy. This allows the Mac to communicate directly with the Proxy. Thus allowing the Mac to communicate as a secured NAT client. Once this happens, all the programs communicate with the Proxy Server and they no longer have to authenticate with every use.
IE proxy issue: okay in Classic, not in Mac OS X.
March 17, 2003
Charlie Karno reports a problem proxy server issue that occurs with Internet Explorer for Mac OS X and Mac OS 9, but not with Mac OS X Classic:
We have a proxy server and I have always had problems connecting to the Internet. With Mac OS 9 and IE 5.0 I can connect and if I leave "pictures off" it works fine. With "pictures" on, I will get locked out of the server on sites with a substantial number of pictures. IE 5.2 usually just crashes.
In Mac OS X, IE 5.2 worked fine for a few days and then came up with a http error 407. I thought I was locked from the server; but wasn't. In frustration, I started IE 5.0 in Classic and it worked fine, pictures and all. No other browser works in either environment.
March 20, 2003
Charlie Karno's problems with proxies in IE sounds similar to the problems I had. My company uses an MS proxy server and requires MS-specific NTLM protocol to log in. I don't know the big details about NTLM except that it uses Windows domain server authentication (where you provide the domain, username, and password for the windows network). IE is the only Mac browser that supports this proxy.
With Mac OS X, I too had many 407 errors as well as instability. Basically it rendered my browser useless.
Desperate, I searched for a solution. Here's what I did:
I discovered "NTLM Authorization Proxy Server", or APS for short. Its a freeware proxy server that you run on your own machine that communicates with your corporate proxy server using the NTLM protocol. Its written in python, which is an object-oriented language. Mac OS X 10.2 comes with python built in. So all you have to do is download the APS program from the author's site http://apserver.sourceforge.net/ and edit the configuration file to include your domain and username. Then configure your network settings to use the APS as your proxy server. The
With APS running on my PowerBook, it now handles all the communication to my corporate proxy server. And now I can use many more Internet apps (Safari, Camaro, Windows Media Player, Real Player, Sherlock, etc.) that cannot work with an NTLM server.
The downside is that it isn't very fast for web browsing. File downloads seem to work just fine, but complicated web pages tend to stall. However, that beats unstable IE. Rumors are that IE 6 will fix this problem, but I'm not holding my breath.
March 21, 2003
We have a similar problem with our Mac machines. OS 9.x with IE 5.x hangs or quits with password authentication enabled on MS ISA server 2000 without password authentication it works fine.(Same for OS X.) The Mac logs on, starts to load the web page, then IE hangs or quits. Windows PC's are working OK with this.
We found a workaround. It seems you need to uncheck integrated authentication in the ISA server and activate basic authentication for the Macs to work. It seems a bug in IE 5.x for Mac since it works with integrated checked with IE 5.0.
March 26, 2003
Dan Foshee reports a problem with Mac OS X's Software Update getting through a proxy server, and that Authoxy from HR Softworks fixes the problem, as well as problems with Internet Explorer. He says:
We've long had a problem in OS 9 with the irritating "proxy box" that flashes up ALL the time in IE here; has something to do with the ISA server. Anyway, we'd also had a problem with using Software Update. Out of curiosity, I checked out Authoxy. Lo and behold, now Software Update worked flawlessly, and I no longer got the proxy box in Internet Explorer (Granted, my use of Internet Explorer for Mac OS X was rare b/c of its incessant crashing, and the proxy box doesn't show up in Camino or Safari or OmniWeb or...sorry, got carried away.) Per an Apple tech, using Authoxy is the best way to get past the proxy for Software Update.
On the down side, with Authoxy, using Internet Explorer 5 in Classic doesn't work past our intranet. However, it works flawlessly and speedily with any of the Mac OS X browsers.
March 28, 2003
The problem with Macs and ISA servers or even any Windows Proxy servers has a lot to do with the way Macs communicate with the proxy servers. Macs are not recognized as NAT clients on any MS proxy or ISA server. If the IT department goes into the ISA server and "opens" the Mac IP address to have full access through the ISA server than Software update works. Remember that with ISA servers the Proxies address in the network preferences must be set to port 8080 and not 80.
Some have said that if the Mac's IP address is opened to the ISA or Proxy server then in OS X the Mac's firewall should be enabled.
This will allow all programs- Software Update, Fetch and other like programs to fully work through the ISA server.
This has to do with problems accessing secure web pages through a Microsoft proxy server and Jaugar. Readers have reported that the problem is fixed in the Panther beta versions.
July 31, 2003
Tim McCleary can't get OS X web browsers through a Microsoft proxy server with https -- Netscape under Classic does work:
We're running into a problem in our school district connecting to secure web sites (https/SSL) with any of the Macs running OS X. We are using Microsoft ISA server to proxy all web traffic. Any PC and any Mac running OS 9 can access secure web sites without any problem. In OS X, it fails using any browser (Safari, Internet Explorer, etc.). We can use Netscape Communicator under Classic to access the sites, but this is less than desirable. All of the proxy settings are correct, but no go. Using the same systems in an environment without a proxy, they connect to secure web sites without a problem.
I have only seen limited rumblings about this in my searches of the web. I can only guess that not too many people are trying to access secure web sites with OS X through a proxy. Anyone else having this problem? It seems to be a bug with OS X.
August 1, 2003
Paul Drisgula he used to be able to do this with the OmniWeb browser:
I am responding to Tim McCleary's report of problems accessing a secure web site using browsers in OS X. I have experienced this problem for some time now. The only success I have had is with OmniWeb, version 4.2 and earlier. Early versions of Safari worked sporadically but the capability disappeared entirely in later versions.
Strangely, the newest version of OmniWeb, 4.5, has also lost this important functionality. The OmniWeb support staff have been great but after confirming this issue have still not figured out why it has occurred. OmniWeb, version 4.2, works fine with System X and I recommend trying it.
August 5, 2003
David Hanson reports that the upcoming Safari 1.1 with the Panther beta works:
I too have had a problem with https and Safari - every other browser (including OmniWeb 4.5 RC1) will work behind the company firewall but Safari will not. Safari won't access ftp sites either. In the early days of OS X Internet Explorer also would not access https sites but that was fixed.
Good new ahead however, I have 10.3 7B21 which has Safari 1.1 with it. This does work with https behind our company firewall.
August 5, 2003
Caspar Strandberg suggested a resource:
If you want Internet access for Mac´s and is using a SBS with ISA proxy server here´s a guide (it works with OS X as well ).
August 5, 2003
Paul Drisgula reports that the problem also occurs with the Camino browser:
Thanks for suggesting Camino suggestion. Unfortunately, I still get the same error message that all other browsers -- except OmniWeb 4.2 and earlier -- produce.
August 5, 2003
Toby Oldham also has problems with Safari:
My office also suffers from the https/MS Proxy Server issue. I figured it was a problem with Safari though, as using Mozilla and Explorer (combined - using either one or the other) I can work around specific issues.
I've had a few problems with OS X and the MS Proxy server, ranging from slow ftp uploads, to downloading Apple exclusive QuickTime movies, and https stalls.
August 6, 2003
We run ISA and had success using ISA's firewall service . Start the firewall service on the ISA server, then configure the Mac browsers to use SOCKS4 for secure web connections via the IP address for the ISA server and the port you have set for SOCKS v4 (default 1080).
If you've tried this, please let us know how it worked.
August 18, 2003
A reader who wishes to remain anonymous reports that the problems with Safari and Camino in accessing secure (https) web sites through Microsoft ISA Server's proxy server is caused by Mac OS X itself:
I believe the problem with Safari and https, proxy issues is actually caused by OS X itself. One way you can see this is trying to get your iDisk info from system preferences (Internet pane) and get an error. I followed the traffic with a network sniffer and found that any packets from Safari or the finder or system prefs to SSL based sites tried to connect directly to the site instead of going through the proxy. This would then cause the connection to fail. The other browsers that I have used Mozilla, IE, uses their own proxy settings and therefore bypass the system wide proxy settings. I too can confirm this has been fixed in Panther.
TIP: Entourage 2004 and Proxy Server.
June 2, 2004
Matthew Pinto sent us a workaround to a problem he was having with Entourage 2004 and Proxy Server:
We have a proxy server here and when I have HTTP set to "ON" in the Network Control Panel, Entourage 2004 becomes Disconnected. This is rather frustrating when trying to first set up Entourage as it will not connect and gives you a cryptic message as Error -114.
The fix my IT department came up with was to create an Automatic Configuration Page (http://"proxy web page"). This seems to bypass this problem with one exception: Internet Explorer will stop working (while Safari is OK). The other problem with this is that Automatic Setup is only available in Panther.
I'd like to hear if others have had this issue and if they had a better work around.
If you've seen this problem, or have a better workaround,
Copyright 1997-2004 John Rizzo. All rights reserved.