
Explicit Proxy usage - Not working as expected

Hi,

I upgraded an XG to v18 yesterday.
Since the update, access to the Internet, for the clients on the LAN, no longer works.
The clients use an explicit proxy server (XG).

At first I thought there was a problem with the migrated NAT rules, so I deleted all superfluous ones and currently use the default SNAT rule. But to get the clients to the internet I had to add HTTP and HTTPS to the destination in addition to TCP_3128.

Otherwise I got the message that the proxy server did not react.

Does anyone have any idea what could be the reason for this?

  • I am not sure I fully understand.


    You have a client that does not have a proxy set in Internet Explorer (which is used by the rest of Windows).

    Therefore if you tried to access a webpage, it would fail to load.

    The periodic test to msftconnecttest.com fails.


    Aren't the msftconnecttest.com failures correctly stating that you have no internet access?

  • Let me show you the problem in detail:

    overall setup goal: global network internet access only through a direct proxy on port 3128

    -> with v17.x and without an optional "drop all rule" at the end (no workaround needed)

    - enable web proxy, at general settings set listening port to 3128, add allowed destination ports 80, 443 (minimal setup)

    - add a firewall rule to allow lan,any to wan,any on port 3128

    now every client with the correct proxy address added at Internet Options has a working internet connection. At least they can surf the web (http/https) and Windows shows the network icon "internet access"

    clients without the proxy address enabled don't have internet access, they get the normal Windows "no connection" error message in the browser if they try to surf and the Windows network icon shows "limited connectivity"

    <<< that is the normal Windows behavior, but with the workaround it's different:

    -> with v18.x or with optional "drop all rule" at the end (v17.x) (workaround needed)

    - web proxy settings are still the same, but now you have to add ports 80,443 to your firewall proxy 3128 rule as well. (after this step you have a transparent proxy as well, but that's not desired (internet access is possible without adding the proxy settings at your client))

    - so you need to add the lan to wan web rule "deny all" for 80,443 as shown in the workaround.

    now every client with the correct proxy address added at Internet Options has a working internet connection. The Windows connection test is now broken, doesn't work as expected for your Windows system and you get the symptom that your system just opens a browser window on startup. (msftconnecttest.com/redirect -> msn.com) (you find this on Google with keywords: msn opens at startup, explorer opens, ...) This is all because your network setup isn't a "normal one" for Windows and this is the last possible step of the connection test to see if the open browser window has a connection. Respectively Windows wants to open the proxy login/authentication page to get full network access for your client. (your client has internet access and therefore msn.com opens)

    Microsoft says: https://support.microsoft.com/en-us/help/4494446/an-internet-explorer-or-edge-window-opens-when-your-computer-connects

    Overall the popup browser is just annoying in this kind of setup. (sometimes if you don't use the internet and Windows runs the periodic passive connection test you get the popup again)

    - bigger problem with clients without the proxy address enabled (no internet allowed and you don't want/need any internet). After startup and periodically the Windows connection test opens the browser and the client gets the "blocked site message" from Sophos because now there is a "deny all" web firewall rule and Windows wants to "fix" this by granting proxy access. This is a Windows feature (see Microsoft link above). You can fix this with another workaround but that's not the way to go.

    With the Sophos workaround Windows always sees the direct proxy (also if you don't enter any proxy IP) and then Windows wants you to log in/get access by pushing browser popups. (you don't get any "no connection" error messages any more like expected, just Sophos blocked screens)

    In any direct proxy network setup you should not get/see any proxy features without adding the proxy to the client. If I don't add the proxy I don't want any connection and I don't want any popups because Windows sees the proxy because of a workaround fix from Sophos.

    (I have about 20 Windows 10 clients, mostly all fully updated but that makes no difference)
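The three configurations described in the reply above, and the client-visible result of each, can be traced with a small first-match rule model. This is an added illustration, not Sophos code and not the poster's setup: the rule order, the `web_deny` action (a web-policy block that answers with an HTTP block page rather than dropping the packet) and the mapping from action to what Windows shows are assumptions made for the example. The model takes as given that the 3128-only rule stopped being enough after the upgrade (the thread does not say why) and shows the side effect of the fix: once 80/443 are allowed alongside 3128, a client without proxy settings (and the Windows NCSI probe to msftconnecttest.com) gets through directly, and the "deny all" web rule turns that into a block page instead of the "no connection" error the poster expects.

```python
"""Constructed model of the explicit-proxy rule sets discussed in the thread.

Rules are evaluated first-match, and each action is mapped to the symptom a
Windows client would see. This is an illustration, not Sophos XG code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str      # "any" matches every zone
    dst_zone: str
    dports: frozenset  # empty set = any port
    action: str        # "allow" | "drop" | "web_deny"

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone in (flow.src_zone, "any")
                and self.dst_zone in (flow.dst_zone, "any")
                and (not self.dports or flow.dport in self.dports))


def first_match(rules, flow: Flow) -> Rule:
    """Return the first rule that matches, or an implicit final drop."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return Rule("implicit default", "any", "any", frozenset(), "drop")


# Assumed mapping from firewall action to what the Windows client observes.
OUTCOME = {
    "allow": "page_loads",      # traffic passes (transparent proxy if direct)
    "drop": "no_connection",    # browser error, NCSI reports "no internet"
    "web_deny": "block_page",   # HTTP block page from XG; NCSI sees a reply
}


def client_outcome(rules, flow: Flow) -> str:
    return OUTCOME[first_match(rules, flow).action]


# Configurations from the thread (rule order is an assumption).
V17_MINIMAL = [
    Rule("allow proxy 3128", "lan", "wan", frozenset({3128}), "allow"),
]
V18_OR_DROPALL = [
    Rule("allow proxy 3128 + 80/443", "lan", "wan", frozenset({3128, 80, 443}), "allow"),
    Rule("drop all", "any", "any", frozenset(), "drop"),
]
WORKAROUND = [
    Rule("web deny all 80/443", "lan", "wan", frozenset({80, 443}), "web_deny"),
    Rule("allow proxy 3128 + 80/443", "lan", "wan", frozenset({3128, 80, 443}), "allow"),
    Rule("drop all", "any", "any", frozenset(), "drop"),
]

# Constructed flows: a client with the explicit proxy set talks to port 3128;
# a client without it, and the Windows NCSI probe, go straight to port 80.
VIA_PROXY = Flow("lan", "wan", 3128)
DIRECT_HTTP = Flow("lan", "wan", 80)


def compare() -> dict:
    """Outcome for (proxy-configured client, no-proxy client) per config."""
    configs = {
        "v17 minimal": V17_MINIMAL,
        "v18 / v17 + drop all": V18_OR_DROPALL,
        "workaround": WORKAROUND,
    }
    return {name: (client_outcome(rules, VIA_PROXY),
                   client_outcome(rules, DIRECT_HTTP))
            for name, rules in configs.items()}


if __name__ == "__main__":
    for name, (proxied, direct) in compare().items():
        print(f"{name:22}  proxy client: {proxied:13}  no-proxy client / NCSI: {direct}")
```

Only the "v17 minimal" row gives the behaviour the poster wants: the proxied client works and the direct client gets a plain drop, so Windows reports no internet and never opens a browser. The other two rows show why the workaround trades one problem for another.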