Web proxy auto detection

If you have proxy servers between your staff and the public internet, and you’re configuring the proxy server name/IP and port in web browsers then

CUT THAT OUT RIGHT NOW!

Your web browsers can find your proxy servers automatically (with a little help….)

What is Web Proxy Autodiscovery Protocol (WPAD)?

The Web Proxy Autodiscovery Protocol (WPAD) is a method used by web clients (IE, Firefox, Chrome, Winodws) to locate an internet proxy automatically. Use this to configure the browser’s web proxy settings instead of hardcoding proxy settings (doesn’t suit travelling laptops).

Please find more details here: http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

DNS record for WPAD

Make a DNS A record or CNAME (alias) called wpad.mycompany.com.  Where mycompany.com matches the machine’s DNS suffix.  Point this at an internal web server with an anonymous access website.  The only thing on this website is going to be a text file called wpad.dat (another gotcha, you’ll need to configure IIS with a mimetype for .dat files to be of type javascript).

If you’re using Microsoft DNS, remove WPAD blocking by Windows DNS (there to prevent sneaky types renaming their PCs to WPAD and subverting web browsing) http://technet.microsoft.com/en-us/library/cc441517.aspx

Build and test your WPAD file rules

PACMagic is a handy tool for building and testing WPAD file rules.

The FindProxyForURL website has a great guide to get you started.

Consider which cases you want to bypass proxy (accessing intranet websites *.companyname.com and also internal websites accessed by IP address) and which cases you do want to route via proxy (that website in DMZ that looks like an internal site but you can’t get to directly).

Deploy

Make a group policy to set IE to autodetect proxy. Deploy this to your test users (group policy scope filtering on AD group).  Import the group policy template for Google Chrome and manage this with AD too.  For Firefox you’ll need to put down a mozilla.cfg file.

Gotcha: JRE 7 update 21 has a bug with the dnsResolve function in WPAD files.  For intranet sites accessed by IP, substitute for URL string compare tests like url.substring(7, 11)==”10.1″ until JRE7 is fixed.  https://bugs.openjdk.java.net/browse/JDK-8062034


Find more IT Infrastructure tips at www.alexmags.com

Leave a Reply