Cb Protection agent-generated CRL (ocrl) traffic does not appear to follow netsh proxy settings
Cb Protection Agent 7.2.x
Cb Protection agent calls CertGetCertificateChain to perform CRL checks and build the certificate chain context. This can trigger a network request via WinHTTP to verify revocation status. WinHTTP should honor locally defined proxy settings however the user observes a direct OCSP connection rather than using the designated proxy.
Captured netsh (scenario=InternetClient) and CAPI2 logs show this network connection come into existence.
On 64-bit Windows machines there are two separate "netsh" commands and settings. In this case, the 64-bit netsh was being set to the proxy.
However Cb Protection is a 32-bit application.
Once the 32-bit netsh was called as below to point to the proxy server, OCRL calls starting respecting the proxy server settings:
c:\winidows\syswow64\netsh winhttp set proxy myproxy:80