NinjaTek

Monday, November 22, 2010

Proxy Autodetection using a PAC file and WPAD

This is a really great and really easy feature to implement on your network. It basically means that you never need to manually enter the details for your proxy server in your internet browser…It will pick it up automatically…how cool is that?!

OK, so here’s the gameplan:

1) Create a PAC (Proxy Automatic Configuration) file
2) Publish your PAC file
3) Enable Autodetection using WPAD (Web Proxy Autodiscovery Protocol)
   a. DHCP – preferred for IE
   b. DNS – required for other browsers (eg Firefox)
4) Use Group Policy to Enable Automatically Detect Settings option in IE

1 - Creating a PAC file

PAC files contain JavaScript code that tells the browser which proxy server to use under which conditions. I’m not going to get into the advanced functions of PAC files, as there are plenty of great resources on the web already (see end of post).

Here is a basic PAC file for a network with a single address range and no special conditions. All you need to do is change the address range, subnet mask, proxy IP and port (listed after the example) to your network’s details. We want to be able to configure WPAD through DNS as well as DHCP, so the file needs to be called wpad.dat (lowercase); the DNS method requires this name.
Copy this into Notepad and save it as: wpad.dat

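function FindProxyForURL(url, host)
{
 // Plain host names (no dots) are internal: connect directly
 if (isPlainHostName(host))
 {
  return "DIRECT";
 }
 // Destinations on the local range bypass the proxy
 // (isInNet resolves host names through DNS)
 if (isInNet(host, "192.168.0.0", "255.255.255.0"))
 {
  return "DIRECT";
 }
 // Clients on the local range send everything else through the proxy
 if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0"))
 {
  return "PROXY 192.168.0.1:8080";
 }
 // Fallback so the function always returns a value
 return "DIRECT";
}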

In the above example:
The IP range is: 192.168.0.0
Subnet Mask is: 255.255.255.0
Proxy Server IP is: 192.168.0.1
Proxy Server Port is: 8080

You can test your PAC file by entering it manually into Internet Explorer:
Tools -> Internet Options -> Connections -> LAN Settings -> Use automatic configuration script
Address: file://C:\wpad.dat (with the wpad.dat file located in the root of C:)
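
Before publishing, the PAC logic can also be checked outside a browser. The following Node.js harness is an added example, not part of the original post: it supplies stand-ins for the three PAC helpers used above and evaluates the decision for clients inside and outside the 192.168.0.0 range. The host names, the DNS table and the client addresses are constructed sample values, and the PAC text carries an explicit final return "DIRECT" as fallback.

```javascript
// Added example (not from the original post): evaluate PAC logic offline in Node.js.
// Constructed DNS table standing in for the resolver a browser would use.
const SAMPLE_DNS = {
  "intranet.corp.example": "192.168.0.20",
  "www.example.com": "93.184.216.34",
};

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not a valid address.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Load a PAC script with stand-ins for the three helpers it calls.
// Returns a function mapping a URL to the PAC decision for that client.
function loadPac(pacSource, clientIp, dns) {
  const resolve = (host) => (ipToInt(host) !== null ? host : dns[host] || null);
  const isPlainHostName = (host) => !host.includes(".");
  const myIpAddress = () => clientIp;
  const isInNet = (host, net, mask) => {
    const ip = ipToInt(resolve(host));
    if (ip === null) return false; // unresolvable host never matches
    const m = ipToInt(mask);
    return ((ip & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
  };
  const find = new Function("isPlainHostName", "isInNet", "myIpAddress",
    pacSource + "\nreturn FindProxyForURL;")(isPlainHostName, isInNet, myIpAddress);
  return (url) => find(url, new URL(url).hostname);
}

// PAC logic from this post with an explicit fallback as the final statement.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.255.0")) return "DIRECT";
  if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0"))
    return "PROXY 192.168.0.1:8080";
  return "DIRECT";
}`;

const onLan = loadPac(PAC_SOURCE, "192.168.0.57", SAMPLE_DNS);   // client inside the range
const offLan = loadPac(PAC_SOURCE, "10.1.2.3", SAMPLE_DNS);      // client outside the range
console.log(onLan("http://www.example.com/"), "|", offLan("http://www.example.com/"));
```

Swap PAC_SOURCE for the contents of your own wpad.dat to see what each class of client would be told before any browser fetches the file.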

2 – Publishing the PAC file


We will publish our PAC file using IIS. If you don’t have IIS running yet, pause reading now while you quickly add it.
Ready?
Great…
If you are using IIS 6:
· Right Click on the domain name and click Properties
· On the HTTP Headers tab click MIME Types
· Click New
  Extension: .dat
  MIME Type: application/x-ns-proxy-autoconfig
· Click OK.
If you are using IIS 7:
· Click on the Server
· On the right hand side double click MIME Types
· On the right hand pane click Add…
  Extension: .dat
  MIME Type: application/x-ns-proxy-autoconfig
· Click OK.

Copy the wpad.dat file to the C:\inetpub\wwwroot\  directory of the IIS server.

3a – Enabling Autodetection using DHCP


· Open the DHCP console
· Server 2003: Right Click the server's name
· Server 2008: Right Click on IPv4
· Click Set Predefined Options…
· Right Click on IPv4 and click Set Predefined Options…
· Click Add…
  Name: WPAD
  Data type: String
  Code: 252
· In the String Value box, type the URL of the PAC file (eg: http://192.168.0.1/wpad.dat)
· Right click Server Options and click Configure Options
· Confirm that 252 – WPAD is ticked and contains the correct URL.
· Right Click Scope Options and click Configure Options
· Scroll Down and tick 252 – WPAD
· Click OK

3b – Enabling Autodetection using DNS


· Open the DNS console
· Right click the appropriate Forward Lookup Zone and click New Host (A)
· In Name type: wpad
· Enter the IP address of the IIS server

NOTE: WPAD in the Server 2008 DNS server Global Query Block List
If you are using Server 2008 you may not be able to ping WPAD once you have added the Host Record. This is because the name is blocked by a new security measure called the DNS server global query block list. Please be aware of the reasons for this list before you remove wpad from it. Microsoft has an in-depth document on the subject (see Source below).

To remove WPAD from the Global Query Block List, remove it from the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

Source:   Google Search: DNS_Server_Global_ Query_Block List.doc

4 - Use Group Policy to Enable Automatically Detect Settings option in IE


Now that we are this far it should be working great, as long as the Automatically Detect Settings option is ticked in the client’s Internet Explorer. Here’s how to make that the default option for everyone in the domain using Group Policy:
· Open Group Policy Management
· Right Click on the Default Domain Policy and click Edit (or create a new GPO)
· Go to the following: User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connections
· Open the Automatic Browser Configuration setting
· Select Automatically detect configuration settings
· Click OK




And that’s it…If all went well you won’t have to manually enter proxy settings in IE again. Below are some sites that explain how to use all the advanced settings of a PAC file.

7 comments:

  1. How to include sets of IPs/URLs to bypass proxy settings in the PAC file?

  2. but how to put this file on pfsense 2.0.
    mohanrao83@gmail.com

  3. how to configure this using pfsense 2.0 using DNS Forwarder. is there a tweak on the Pfsense??

  4. Configure this using DHCP SERVER on your PFsense

  5. This Wpad thing sounds so cool when it really sucks, not properly documented anywhere when it comes to adding exceptions.

  6. Hello

    I have a problem: in the step of testing the wpad.dat file, I added it in the proxy and it works fine in Google Chrome, but it does not work in IE 11. Why?

    Do I have to do something extra for IE 11?

    Thanks for the help

  7. The information on this web log is extremely helpful and extremely attention-grabbing.
    Torrent Downloads UK proxy
