
Windows 8 Modern UI Apps and Forefront TMG 2010

November 15, 2012

On a Windows 8 client deployed behind a Forefront TMG 2010 firewall, users may receive the following error when trying to open the Windows Store app.

Your PC isn’t connected to the Internet. To use the Store, connect to the Internet and then try again.

Other Windows 8 “modern UI” applications may experience similar behavior if they require access to resources on the public Internet. However, you are able to access the Internet using both the modern UI and desktop versions of Internet Explorer 10.

The problem occurs when the Forefront TMG 2010 firewall is configured to require authentication on rules controlling access to the Internet over HTTP and HTTPS, or if the option to require all users to authenticate is enabled on the web proxy listener (which isn’t a good idea!). Authenticated web proxy access requires that the client be configured either as a web proxy client or as a firewall client. Internet Explorer can be configured as a web proxy client, typically using automatic configuration (WPAD) through DNS or DHCP, but Windows 8 modern UI applications do not inherit Internet Explorer proxy server settings. As such, they behave as SecureNAT clients, which do not support authentication. To resolve this issue, run the following command from an elevated command prompt on the Windows 8 client.

netsh winhttp set proxy <tmg_hostname_or_IP_address>:<web_proxy_listener_port>

For example…

netsh winhttp set proxy tmg.richardhicks.net:8080

More information about configuring WINHTTP can be found here.
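To confirm on a client that the workaround above took effect, the following PowerShell script reads the machine-wide WinHTTP proxy and checks that the web proxy listener answers. It is an added example, not part of the original post; it assumes English `netsh` output, and the function names and the `$ExpectedProxy` parameter are illustrative.

```powershell
# Added example, not from the original post. Run on the Windows 8 client.
# Assumes English netsh output; the default proxy is the post's example value.
param([string]$ExpectedProxy = 'tmg.richardhicks.net:8080')

function Get-WinHttpProxy {
    # Parse "netsh winhttp show proxy" into a mode, proxy server and bypass list.
    $text = (netsh winhttp show proxy) -join "`n"
    if ($text -match 'Direct access') {
        return [pscustomobject]@{ Mode = 'Direct'; Server = $null; Bypass = $null }
    }
    $server = if ($text -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] }
    $bypass = if ($text -match 'Bypass List\s*:\s*(.+)') { $Matches[1].Trim() }
    [pscustomobject]@{ Mode = 'Proxy'; Server = $server; Bypass = $bypass }
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout, using only .NET classes.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$current = Get-WinHttpProxy
if ($current.Mode -eq 'Direct') {
    'WinHTTP: direct access. Requests arrive at TMG as SecureNAT (unauthenticated).'
} elseif ($current.Server -ne $ExpectedProxy) {
    "WinHTTP proxy is '$($current.Server)', expected '$ExpectedProxy'."
} else {
    "WinHTTP proxy is set to $ExpectedProxy (bypass list: $($current.Bypass))."
}

$name, $port = $ExpectedProxy -split ':'
if (Test-TcpPort $name ([int]$port)) {
    "Web proxy listener $ExpectedProxy is reachable from this network."
} else {
    "Web proxy listener $ExpectedProxy is not reachable from this network."
}
```

To undo the workaround, `netsh winhttp reset proxy` (also from an elevated prompt) returns WinHTTP to direct access.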

Another workaround is to install the Forefront TMG 2010 firewall client. This will ensure that all outbound communication through the Forefront TMG firewall is always authenticated.

  1. November 22, 2012 at 10:44 pm

    The netsh workaround didn’t work for me 😦

  2. November 27, 2012 at 6:15 pm

    Not sure what the trouble is. It has worked perfectly for me on a number of occasions. Check the logs on the Forefront TMG 2010 firewall and make sure the requests are indeed being handled as web proxy requests.

  3. Tim Boggs
    May 9, 2013 at 7:50 am

    Doesn’t this setting cause problems for devices when they are outside the firewall? I had tried the netsh setting when I first started testing Win8, and it worked internally. Right now the majority of our devices with Win 8 are Surface Pro or other tablets and mobility is the focus.

    I do have the firewall client installed on our Windows 8 devices; Win 8 modern apps seem to ignore it.

  4. May 11, 2013 at 7:49 pm

    Yes, that is an unfortunate side effect of this workaround. Ideally there should be an option for winhttp proxy to default to direct if a proxy can’t be reached, but obviously that feature doesn’t exist. I’ve had success using the Firewall Client; however, I’ve heard others have not…

  5. August 9, 2013 at 10:54 am

    In this KB article (http://support.microsoft.com/kb/2777643/en-us) Microsoft states that the ISA Firewall client does not work with Windows 8 Store apps. I found it while researching the changes in 8.1.

    “Proxy/Firewall client software that is installed as a LSP driver (TMG Client) will not work in Windows 8 with any Modern/Windows Store apps but will work with standard apps. Proxy/Firewall client software that is installed as a WFP driver will work with Windows 8 in all apps.”

    Now that 2012R2 will include reverse proxy support for publishing MS Products, I guess I will have to investigate other firewalls/proxy servers for outbound traffic that support WFP driver based clients.

  6. August 13, 2013 at 1:19 pm

    This is most interesting, and thanks for bringing that KB article to my attention. When I wrote this post I tested this to make sure it worked, and it did. I’ll certainly be testing it again just for a sanity check. 🙂
