
I've found a ton of information on how to implement proxy bypasses but not how the bypasses themselves are evaluated by Windows.

I'm looking for information specific to Windows and how the operating system evaluates those bypasses.

For example:

Say you have a domain such as "microsoft.com" with two subdomains, "security.microsoft.com" and "intune.microsoft.com". Your proxy bypass list has the following entries:

*.microsoft.com
security.microsoft.com
intune.microsoft.com

I'm trying to figure out in which order Windows would evaluate this list. My gut feeling is that Windows is going to evaluate the most specific bypasses first and then make its way down the list, the order of evaluation being [security.microsoft.com|intune.microsoft.com] then *.microsoft.com. However, I cannot seem to find any documentation on this.

I realize that this example is incredibly redundant and not a real-world example, I just couldn't think of a better generalized example.

Any assistance would be greatly appreciated.

1 Answer


Most organisations don't rely on a manually entered proxy settings but instead would direct their systems to a centralised PAC file https://en.wikipedia.org/wiki/Proxy_auto-config

Say you have a domain such as "microsoft.com" with two subdomains, "security.microsoft.com" and "intune.microsoft.com". Your proxy bypass list has the following entries:
*.microsoft.com
security.microsoft.com
intune.microsoft.com

I'm trying to figure out in which order Windows would evaluate this list.

Curiosity is not a bad thing but that order is completely irrelevant.

Either a hostname matches the patterns in the proxy exception list, or not.

The matching logic does not matter, first match, best match, last match, if there's any match they will all have the same result: a direct request bypassing the proxy.

When a hostname matches two or more patterns there won't be different effect either, multiple matches won't cancel each other out, the result will still be the same: a direct request bypassing the proxy.

I assume that the maximum input size of the proxy exception list is limited enough that whatever storing and matching algorithms are used will not have any measurable performance impact either.

  • A PAC file is definitely an option, just not something we currently have implemented and due to implementation restrictions, isn't something we're looking to do currently. To your last point though, regarding the matching algorithms; do you have any information on what those algorithms are? I realize that it shouldn't matter but the testing I've done indicates that may be incorrect in my specific use-case. I specifically notice multi-second differences in calls when a wildcard bypass is used vs a FQDN. No confirmation that it is a proxy issue but that's my best lead so far.
    – neteng45
    Commented Mar 8 at 16:10
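
A way to test this against the machine instead of guessing, as an added example that is not part of the question, the answer or the comment above: the script below reads the bypass list Windows stores for the current user (the WinINet "Internet Options" settings), asks the platform proxy logic whether each sample host would bypass the proxy, and then rebuilds the three-entry list from the question in an explicit .NET WebProxy and evaluates it in both orders so the two results can be compared. The proxy address proxy.example.net:8080 and the look-alike host microsoft.com.example.net are assumed test values; the wildcard-to-regex conversion is an assumption that mirrors WinINet-style entries in .NET's regex-based bypass matcher, it is not Windows' own matcher.

```powershell
# Added example, not from the question or the answer. Shows how to ask
# Windows which hosts a bypass list exempts and that the order of the
# entries does not change the outcome. Proxy address and the look-alike
# host microsoft.com.example.net are assumed test values.

# Sample hosts (constructed): the two subdomains from the question, the
# apex domain, and a look-alike that must never be bypassed.
$hosts = @(
    'https://security.microsoft.com/',
    'https://intune.microsoft.com/',
    'https://microsoft.com/',
    'https://microsoft.com.example.net/'
)

# 1. What Windows has stored for the current user (WinINet, the settings
#    behind "Internet Options"). ProxyOverride is the bypass list, entries
#    separated by ';', with '<local>' standing for host names without a dot.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$cfg = Get-ItemProperty -Path $key
'ProxyEnable   : {0}' -f $cfg.ProxyEnable
'ProxyServer   : {0}' -f $cfg.ProxyServer
'ProxyOverride : {0}' -f $cfg.ProxyOverride

# 2. Let the platform answer. On Windows GetSystemWebProxy() is built from
#    the user's proxy settings, so IsBypassed() reports what the OS would do
#    for each host. No order is visible here, only the match result.
$sys = [System.Net.WebRequest]::GetSystemWebProxy()
foreach ($h in $hosts) {
    $u = [uri]$h
    '{0,-32} system bypass: {1}' -f $u.Host, $sys.IsBypassed($u)
}

# 3. Reproduce the list from the question in an explicit WebProxy so the
#    effect of entry order can be compared. .NET bypass entries are regular
#    expressions matched against "scheme://host[:port]", so each WinINet-style
#    wildcard entry is converted to an anchored, case-insensitive regex first
#    (assumption: this mirrors the intent of the entry; it is .NET's matcher,
#    not WinINet's). Anchoring is what keeps the look-alike host out.
function ConvertTo-BypassRegex([string] $Entry) {
    $pattern = [regex]::Escape($Entry) -replace '\\\*', '[^/:]*'
    return '(?i)^[a-z]+://' + $pattern + '(:\d+)?$'
}

function Test-BypassList([string[]] $Entries) {
    [string[]] $regexes = $Entries | ForEach-Object { ConvertTo-BypassRegex $_ }
    $proxy  = [System.Net.WebProxy]::new('http://proxy.example.net:8080', $false, $regexes)
    $result = [ordered]@{}
    foreach ($h in $hosts) {
        $u = [uri]$h
        $result[$u.Host] = $proxy.IsBypassed($u)
    }
    return $result
}

$list     = [string[]] @('*.microsoft.com', 'security.microsoft.com', 'intune.microsoft.com')
$reversed = $list.Clone()
[array]::Reverse($reversed)

$forward  = Test-BypassList $list
$backward = Test-BypassList $reversed
foreach ($h in $forward.Keys) {
    '{0,-32} forward: {1,-5} reversed: {2,-5} same: {3}' -f `
        $h, $forward[$h], $backward[$h], ($forward[$h] -eq $backward[$h])
}
```

Step 2 is the part that answers "what does Windows do" for a given host; steps 1 and 3 only show the configured input and the order-independence argument from the answer. Two caveats: the WinINet list this reads is the per-user one used by browsers and most desktop applications, while services and anything using WinHTTP have their own store (`netsh winhttp show proxy`), so a timing difference seen from one client may not reproduce in another; and if you ever hand .NET an unanchored entry such as `microsoft\.com`, the look-alike host in the sample set will bypass the proxy too, which is exactly the kind of over-broad exception an attacker-controlled domain can exploit.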
