NinjaTek

Monday, November 22, 2010

Proxy Autodetection using a PAC file and WPAD

This is a really great and really easy feature to implement on your network. It means you never need to manually enter the details of your proxy server in your internet browser. It will pick them up automatically. How cool is that?!

OK, so here’s the game plan:

1) Create a PAC (Proxy Automatic Configuration) file
2) Publish your PAC file
3) Enable Autodetection using WPAD (Web Proxy Autodiscovery Protocol)
   a. DHCP – preferred for IE
   b. DNS – required for other browsers (e.g. Firefox)
4) Use Group Policy to enable the Automatically Detect Settings option in IE

1 - Creating a PAC file

PAC files contain JavaScript code that defines which proxy server to use under which conditions. I’m not going to get into the advanced functions of PAC files, as there are plenty of great resources on the web already (see end of post).

Here is a basic PAC file for a network with a single address range and no special conditions. All you need to do is change the network details (listed below the code) to your own. We want to be able to configure WPAD through DNS as well as DHCP, so the file must be called wpad.dat (lowercase); the DNS method requires this name.
Copy this into Notepad and save it as: wpad.dat

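function FindProxyForURL(url, host)
{
 // Single-label names (no dots) are internal: connect directly
 if (isPlainHostName(host))
 {
  return "DIRECT";
 }
 // Destinations inside the local range: connect directly
 if (isInNet(host, "192.168.0.0", "255.255.255.0"))
 {
  return "DIRECT";
 }
 // Clients on the local range use the proxy for everything else
 if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0"))
 {
  return "PROXY 192.168.0.1:8080";
 }
 // Clients outside the range: without this the function returns nothing
 return "DIRECT";
}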

In the above example:
The IP range is: 192.168.0.0
Subnet Mask is: 255.255.255.0
Proxy Server IP is: 192.168.0.1
Proxy Server Port is: 8080

You can test your PAC file by entering it manually into Internet Explorer:
Tools -> Internet Options -> Connections -> LAN Settings -> Use automatic configuration script
Address: file://C:\wpad.dat (with the wpad.dat file located in the root of C:)
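The PAC logic can also be checked offline before it is published. The following is an added example, not code from the original post: a small Node.js harness that evaluates a PAC script against sample URLs. The helper shims, the `decide` function, the client IPs and the name-to-IP table are assumptions made for the example, and the embedded PAC uses the post's rules plus an explicit final DIRECT.

```javascript
// Added example (not from the original post): offline PAC harness for Node.js.
// The rules are the post's, plus an explicit final DIRECT (an addition here).
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.255.0")) return "DIRECT";
  if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0"))
    return "PROXY 192.168.0.1:8080";
  return "DIRECT";
}`;

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not an IP literal.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Compile PAC source with stand-ins for the browser helpers it calls.
// clientIp replaces myIpAddress(); dns is a constructed name -> IP table
// replacing real resolution, so the harness never touches the network.
function loadPac(source, clientIp, dns) {
  const resolve = (h) => (ipToInt(h) !== null ? h : dns[h] || null);
  const isPlainHostName = (h) => !h.includes(".");
  const isInNet = (h, net, mask) => {
    const ip = resolve(h);
    if (ip === null) return false; // unresolvable name: no match
    const m = ipToInt(mask);
    return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
  };
  const myIpAddress = () => clientIp;
  return new Function("isPlainHostName", "isInNet", "myIpAddress",
    source + "\nreturn FindProxyForURL;")(isPlainHostName, isInNet, myIpAddress);
}

// Return the PAC decision for one URL; throw if the script returns no string,
// which is what happens when no rule matches and there is no final return.
function decide(source, clientIp, dns, url) {
  const find = loadPac(source, clientIp, dns);
  const result = find(url, new URL(url).hostname);
  if (typeof result !== "string") {
    throw new Error("PAC returned no decision for " + url);
  }
  return result;
}
```

Calling `decide` with a client IP outside 192.168.0.0/24 is the case worth checking: a PAC without a final return gives such a client no decision at all.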

2 – Publishing the PAC file


We will publish our PAC file using IIS. If you don’t have IIS running yet, pause reading now while you quickly add it.
Ready?
Great…
If you are using IIS 6:
· Right click on the domain name and click Properties
· On the HTTP Headers tab click MIME Types
· Click New
    Extension: .dat
    MIME Type: application/x-ns-proxy-autoconfig
· Click OK.
If you are using IIS 7:
· Click on the Server
· On the right hand side double click MIME Types
· On the right hand pane click Add…
    Extension: .dat
    MIME Type: application/x-ns-proxy-autoconfig
· Click OK.

Copy the wpad.dat file to the C:\inetpub\wwwroot\ directory of the IIS server.

3a – Enabling Autodetection using DHCP


· Open the DHCP console
· Server 2003: Right click the server's name
· Server 2008: Right click on IPv4
· Click Set Predefined Options…
· Right click on IPv4 and click Set Predefined Options…
· Click Add…
    Name: WPAD
    Data type: String
    Code: 252
· In the String Value box, type the URL of the PAC file (e.g. http://192.168.0.1/wpad.dat)
· Right click Server Options and click Configure Options
· Confirm that 252 – WPAD is ticked and contains the correct URL.
· Right click Scope Options and click Configure Options
· Scroll down and tick 252 – WPAD
· Click OK

3b – Enabling Autodetection using DNS


· Open the DNS console
· Right click the appropriate Forward Lookup Zone and click New Host (A)
· In Name type: wpad
· Enter the IP address of the IIS server

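NOTE: WPAD and the Server 2008 DNS server global query block list
If you are using Server 2008 you may not be able to ping wpad once you have added the host record. This is because the name is blocked by a security measure introduced in Server 2008, the DNS server global query block list. The list is there because, where dynamic DNS updates are allowed, any machine that registers the name wpad could hand out proxy settings to every client that auto-detects. Please be aware of the reasons for this list before you remove wpad from it. Microsoft has an in-depth document on the subject (see Source below).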

To remove WPAD from the Global Query Block List, remove it from the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

Source:   Google Search: DNS_Server_Global_ Query_Block List.doc

4 - Use Group Policy to Enable Automatically Detect Settings option in IE


Now that we are this far it should be working great, as long as the Automatically Detect Settings option is ticked in the client’s Internet Explorer. Here’s how to make that the default option for everyone in the domain using Group Policy:
· Open Group Policy Management
· Right click on the Default Domain Policy and click Edit (or create a new GPO)
· Go to the following: User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connections
· Open the Automatic Browser Configuration setting
· Select Automatically detect configuration settings
· Click OK




And that’s it. If all went well you won’t have to manually enter proxy settings in IE again. Below are some sites that explain how to use all the advanced settings of a PAC file.

20 comments:

  1. How to include sets of IP/URL to bypass proxy settings? in PAC file

  2. but how to put this file on pfsense 2.0.
    mohanrao83@gmail.com

  3. how to configure this using pfsense 2.0 using DNS Forwarder. is there a tweak on the Pfsense??

  4. Configure this using DHCP SERVER on your PFsense

  5. This Wpad thing sounds so cool when it really sucks, not properly documented anywhere when it comes to adding exceptions.

  6. Hello

    I have a problem: in the step of testing the wpad.dat file, I added it in the proxy and it works fine in Google Chrome, but it does not work in IE 11. Why?

    Do I have to do something extra for IE 11?

    Thanks for the help

  7. The information on this web log is extremely helpful and extremely attention-grabbing.
  8. I have configured the Proxy.pac file on my domain machines and on their web browsers. It works fine.
    We also have C# developers in our environment, so when they debug their project in Google Chrome, it's blocking their localhost traffic.
    If you have any solution please help me.
    Any help will be appreciated.
    Waiting for your kind response.
