Automatic Web Proxy Configuration

Automatic Web Proxy Configuration is useful on networks where end-user Internet access is required to pass through a proxy server. The technologies for Proxy Auto Config (PAC) and Web Proxy Auto-Detect (WPAD) were developed before the year 2000 by companies including Netscape, Microsoft, and Sun Microsystems (see links below for details). The basic steps to enable this on a Microsoft Active Directory network are listed below. Replace YOURDOMAIN.COM with your actual internal DNS domain name.

  • Install IIS or other web-server software on a system to be used as your WPAD server. An HTTP (NON-SSL) site must be listening on the default port 80.
  • Configure your IIS or other web-server to use MIME-Type “application/x-ns-proxy-autoconfig” for file extension “.dat”.
  • Create a file named “wpad.dat” containing JavaScript code with a single function “FindProxyForURL” conforming to the Proxy-Auto-Config (PAC) convention. This file should be tested with both Internet Explorer and Firefox for cross-browser compatibility. Use examples linked below from the FindProxyForURL web-site as an aid to building your WPAD/PAC file and make sure to use proxy settings specific to your network. The primary purpose of this file is to notify the browser which URLs/host-names should be directed to a proxy server and which should be direct-connected without proxy. SEE ALSO – sample wpad.dat file listed at bottom of this post.
  • Update your DNS server to resolve “wpad.YOURDOMAIN.COM” to the web-server designated to host your WPAD/PAC settings “wpad.dat” file.
  • Place your “wpad.dat” file in the document root of your IIS or other designated WPAD web server and make sure that anonymous browser users “everyone” can read the file. The file should be accessible by entering http://wpad.YOURDOMAIN.COM/wpad.dat into any web browser on your internal network.
  • Configure any test browsers to automatically detect proxy settings, then close and restart the browser before testing the new proxy settings. Visit sites that are inaccessible without the proxy to see if the new WPAD config is directing clients through the proxy. Visit sites that should be accessed directly without proxy to see if they still function correctly.
  • If testing is successful, direct all users to use the automatic proxy setting in their browser of choice. For Internet Explorer users, you can automate this browser configuration through group policy if desired.
// SAMPLE wpad.dat FILE ///////////////////////////
function FindProxyForURL(url,host) {
  var proxy_yes = "PROXY YOUR.PROXYSERVER.COM:80";
  var proxy_no = "DIRECT";

  // EXEMPT ... short names, private subnet, private domain //
  if (isPlainHostName(host)) { return proxy_no; }
  if (dnsDomainIs(host, ".YOURDOMAIN.COM")) { return proxy_no; }
  if (isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0")) {
    return proxy_no; 
  }
  // DEFAULT ... USE PROXY ///////////////////////
  return proxy_yes;
}

There are other ways to support WPAD/PAC, and you can read about them in the related articles linked below. The method described above is the most compatible (author’s opinion) across different operating systems and browsers.

Related Links:

About notesbytom

Keeping technology notes on WordPress.com to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).