Hi all,
We have sp2013 behind a corporate fw and have several issues:
- multiple 15-second timeouts on certificate chain failures
- feed webparts are failing to retrieve the data from the external sources
- occasionally the ULS logs complain that the "sharepoint store" cannot be contacted or "server is not responding"
We thought that these two things would solve everything:
IIS root site (on each WFE server in farm) - set up "system.net > default proxy" settings
and
using this (https://support.microsoft.com/en-us/kb/2625048) to get the SP self-signed certificate installed locally on each server in the farm
NOPE!
So we found this: http://blogs.msdn.com/b/benjaminperkins/archive/2013/10/01/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues.aspx - which did shed more light on things! We can see that some of the issues are that the root certificate cannot be validated but there are other issues where there is a failure "getting the system http proxy" to get files for certificate revocation from windowsupdate (.cab files mostly from what we can see)
Now one of my infrastructure colleagues has pointed out that the "windows update" link is probably being done THROUGH the system or system service and not a web app/service and therefore knows nothing of the IIS proxy setup, and is going for the system proxy info (which is not set on our servers by default).
So he's said that we should do one of these three things:
- figure out if there is a way to make the 15 seconds smaller (< 1) so it fails immediately and just let it fail quickly and silently.
- figure out how to get the system settings to know of the proxy server (and understand the security ramifications of this?! what user account will be used and so forth - he's primarily worried that it means OTHER (unwanted) THINGS in the system will also be able to send/receive to the internet... valid I guess)
- figure out how to get this "thing" to feel like it's updated and rely on our weekly server patching to provide these things, so it's not checking for this update file.
In looking at these settings we could not determine if there was a "best practice" way of setting this up for the sharepoint system to HAVE the system settings - we are unsure if these proxy settings are system wide, or per user, and/or how best to configure them (ie: log in as local admin/farm account/sp_service_acct and update the settings/registry hack/other or even if this is a wise thing to do).
Regardless of this we are still getting the failures on the RSS/XML feeds in the webparts (and can't really see any ULS log errors for this? are they hidden somewhere?) and we are still getting the 15 second timeouts frequenting our servers... with "cannot download the certificate revocation CAB from windows update" and/or .
Any thoughts or guidance greatly appreciated!
- sure I'm no Jedi but that's no reason to stop trying to make stuff levitate! -