Autodetect Proxy settings using PAC and WPAD files

There is a GPO way of doing this, and then there is a more far-reaching and flexible way of setting up proxy settings for all your LAN users. This post is just my journey into learning how to use .pac, .dat and .da files to automate proxy settings.

First of all I want to thank everyone out there who has posted so much information on this topic. Really, if you want to find out more just google "Proxy WPAD"; you are going to find more results and information than you can read on a Saturday morning.

The file is very easy to work with, and anyone comfortable with JavaScript can figure out how it works in seconds. A PAC file can also do much more than set the proxy server: you can set up all kinds of exceptions. For your laptop users you can write a .pac file that decides for itself when to use the proxy based on the client's IP address (the PAC function myIpAddress() returns it). This is all possible through simple scripting with if/else and and/or logic. One thing to keep in mind: the PAC file is script that every browser on the network downloads and runs, so anything you put in it (internal host names, address ranges) is visible to anyone who can fetch it.

An Example PAC file:

function FindProxyForURL(url, host)
{
        // Direct connections for plain (non-FQDN) names, loopback, the local
        // domain and the internal address ranges; everything else goes to the proxy.
        // A literal compare such as host == "*.localdomain.com" never matches;
        // dnsDomainIs() does the suffix test that was intended.
        if (isPlainHostName(host) ||
            (host == "127.0.0.1") ||
            dnsDomainIs(host, ".localdomain.com") ||
            shExpMatch(host, "*.somedomain.com") ||
            shExpMatch(host, "90.0.0.*") ||   // only matches an IP literal typed in the URL
            shExpMatch(host, "10.*")) {       // same; use isInNet(dnsResolve(host), ...) for names that resolve to 10/8
          return "DIRECT";
        } else {
          return "PROXY proxy.localdomain.com:8080";
        }
}

The biggest gotchas for me were DNS issues on Server 2008, and how IE 8 interacted with DNS when retrieving the .dat file.

  • First, Server 2008 DNS blocks the name wpad by default (the global query block list) for security reasons: without it, anyone able to register a record in the zone could register wpad and pull every autodetecting browser through a proxy of their choosing.
  • You need to make an A record, not a CNAME record, in the DNS server for IE to even work with it.
  • Even after all of that IE still may have issues pulling it off; I'm still testing this.
  • Make sure to ping wpad from a client. If you cannot, you may have to remove wpad from the Server 2008 block list (see the reference at the bottom), and if you do, make sure the zone does not allow clients to overwrite that record through dynamic updates.

I found the best place to test your PAC file is on your local machine. I like to place my PAC file next to the hosts file, "c:\windows\system32\drivers\etc\wpad.pac". Then point IE to FILE://windows/system32/drivers/etc/wpad.pac (the standard form of that URL is file:///C:/Windows/System32/drivers/etc/wpad.pac).

For Firefox it is FILE:///windows/system32/drivers/etc/wpad.pac
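Testing a PAC file by pointing a browser at it tells you whether the file parses, but not which branch each URL actually takes. The harness below is an added example, not code from the original post: it re-implements the helper functions the browser normally supplies (isPlainHostName, dnsDomainIs, shExpMatch, isInNet, dnsResolve) so that the FindProxyForURL() from the example above can be run under node against a table of constructed URLs, including the "webservername" versus "webserver.localdomain.com" case. The resolver is a constructed lookup table, and all domains, addresses and the proxy name are the placeholders from the example PAC file, not a real network.

```javascript
// Added example: offline harness for a PAC file's FindProxyForURL().
// Run with: node pac_harness.js
// Browser-provided PAC helpers, re-implemented here for testing only.

function isPlainHostName(host) {
  // A name with no dot is a bare name the user typed, e.g. "webservername".
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with domain (domain conventionally starts with a dot).
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run of characters, "?" exactly one.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Constructed stand-in for the browser's resolver. In a real browser
// dnsResolve() does a DNS lookup per call, so keep it behind the cheap checks.
const FAKE_DNS = {
  "intranet.localdomain.com": "10.20.30.40",
  "www.example.com": "93.184.216.34",
};

function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

function ipToInt(ip) {
  // Dotted quad -> 32-bit number, or null if it is not a valid IPv4 literal.
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInNet(host, net, mask) {
  // Accepts an IP literal or a name (resolved through dnsResolve).
  const ip = ipToInt(host) !== null ? host : dnsResolve(host);
  if (ip === null) return false;
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// The PAC logic under test: cheap string checks first, DNS-resolving checks last.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      host === "127.0.0.1" ||
      dnsDomainIs(host, ".localdomain.com") ||
      shExpMatch(host, "*.somedomain.com") ||
      isInNet(host, "90.0.0.0", "255.255.255.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return "PROXY proxy.localdomain.com:8080";
}

// Constructed test table: URL and the decision we expect for it.
const PROXY = "PROXY proxy.localdomain.com:8080";
const CASES = [
  ["http://webservername/",                    "DIRECT"],  // bare name, no dot
  ["http://webservername.localdomain.com/",    "DIRECT"],  // FQDN in our own domain
  ["http://127.0.0.1:8080/admin",              "DIRECT"],
  ["http://90.0.0.15/",                        "DIRECT"],  // literal inside 90.0.0.0/24
  ["http://90.0.1.15/",                        PROXY],     // literal just outside it
  ["http://10.200.1.1/",                       "DIRECT"],  // literal in 10/8
  ["http://intranet.localdomain.com/",         "DIRECT"],
  ["http://www.example.com/",                  PROXY],     // resolves to a public address
  ["http://evil.localdomain.com.example.net/", PROXY],     // suffix trick must not match
];

function hostOf(url) {
  return new URL(url).hostname;
}

function runCases(cases) {
  // Returns the list of mismatches; an empty list means every case passed.
  const failures = [];
  for (const [url, expected] of cases) {
    const got = FindProxyForURL(url, hostOf(url));
    if (got !== expected) failures.push({ url, expected, got });
  }
  return failures;
}

if (typeof require !== "undefined" && require.main === module) {
  const failures = runCases(CASES);
  console.log(failures.length === 0 ? "all PAC cases passed" : failures);
}
```

The order of the tests inside FindProxyForURL() matters more than it looks: isPlainHostName() and dnsDomainIs() are string operations, while isInNet() on a name triggers a DNS lookup, and a PAC file that resolves every host on every request is noticeably slow and, if the resolver is down, can hang the browser. If you add a "; DIRECT" fallback after the PROXY directive, remember that a browser will then silently bypass the proxy whenever it is unreachable, which is fine for availability but defeats the proxy as an egress control.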

Once you have a working PAC file, just "save as" and change the extension to .dat and .da, and place all three files on the root of your web server. You may also need to add the MIME type for each extension to your web server; the type browsers expect for a proxy autoconfig file is application/x-ns-proxy-autoconfig. In apache2 it is just a matter of adding a few lines to the mime.conf file. You should be able to put wpad.localdomain.com/wpad.dat in your browser and it should ask you if you want to download the file. If you just see text, you need to add the MIME type.

Then set IE and Firefox to autodetect. Two things I found worth checking are local-domain web servers where you might type "webservername" vs "webserver.localdomain.com". If you have problems, try placing the web server's IP and the name wpad in your hosts file. If it works just fine that way, it is probably a DNS issue.

At this point it is either working perfectly or not at all. One thing that is nice is at least being able to use a PAC file locally on laptops. I may start using it this way for now, until I figure out IE's issues with wpad DNS records.

Your non-windows users should start pulling these new proxy settings quickly, as most browsers are set to autodetect.

More to come on this post: I plan to test this out more this week.

References:

http://blogs.technet.com/b/isablog/archive/2008/02/19/windows-server-2008-dns-block-feature.aspx

About Paul Cardelli, CISSP
Cyber Security Analyst, and computer guru
