Configure DNS WPAD on Microsoft Network (IE Automatically Detect Settings)

What is WPAD?

Have you ever asked your users to enter a proxy server address, a port and a long list of proxy exceptions?  It is clumsy.  Moreover, whenever the proxy exception list changes, you need to tell every user to update it.

Although you may argue that the proxy exception list can be distributed via Group Policy, Group Policy updates are not applied in real time.

A transparent proxy is a user-friendly way to solve the problem, but it still has the following drawbacks:

  1. It doubles the network traffic (browser --> firewall --> proxy server).
  2. The NAT consumes the firewall's processing power, which may be a problem if the firewall is very old.

In between a transparent proxy and "Use a proxy server", we can make use of IE's "Automatically detect settings" or "Use an automatic configuration script".

Use an automatic configuration script

"Use an automatic configuration script" uses a JavaScript file (a PAC file) to define the proxy server address and the exception rules.  For details, you may refer to this website.

First, you need to create a PAC file in JavaScript format.  I have created a sample for you:



  function FindProxyForURL(url, host)
  {
      if (
          shExpMatch(host, "*.local") ||
          isInNet(host, "10.0.0.0", "255.0.0.0") ||
          isPlainHostName(host) ||
          isInNet(host, "192.168.0.0", "255.255.0.0")
      )
      {
          return "DIRECT";
      }

      // default handling
      return "PROXY proxy.lan.local:3128; DIRECT";
  }
   


The above sample uses proxy.lan.local:3128 as the default proxy.  Hosts matching *.local, plain host names without a dot (isPlainHostName), and addresses in 10.0.0.0/8 and 192.168.0.0/16 bypass the proxy and go DIRECT.  The trailing "; DIRECT" in the default rule means the browser falls back to a direct connection if the proxy is unreachable.

If you want to have two proxy servers, you can change the last statement as below:

      // default handling
      return "PROXY proxy1.lan.local:3128; PROXY proxy2.lan.local:3128";
   

If proxy1 fails, the browser will try proxy2.  Note that this variant has no trailing "; DIRECT", so if both proxies are down the browser will not fall back to a direct connection.
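To check the PAC logic before publishing it, here is an added example (not part of the original post) that re-implements the three helper functions a browser normally supplies (shExpMatch, isInNet, isPlainHostName) in plain JavaScript, so the FindProxyForURL function above, with the two-proxy variant, can be exercised offline with Node.  The host names and addresses in the test table are constructed for the example; proxy1.lan.local and proxy2.lan.local are the names from the post.

```javascript
// Added example: offline harness for the PAC rules in the post.
// Browsers provide shExpMatch/isInNet/isPlainHostName themselves; these
// re-implementations exist only so the decision logic can be tested with Node.

// Glob-style match as PAC defines it: "*" matches any run of characters, "?" one.
function shExpMatch(str, pattern) {
  const re = new RegExp("^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")   // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$");
  return re.test(str);
}

// Dotted-quad IPv4 string to an unsigned 32-bit number; null if malformed.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// A browser's isInNet resolves the host first. This offline version only
// accepts hosts that are already IPv4 literals and treats anything else as
// "not in net", which is the conservative answer for a harness.
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// A plain host name has no dots (e.g. "intranet").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// The PAC rules from the post, with the two-proxy fallback and a final DIRECT.
function FindProxyForURL(url, host) {
  if (
    shExpMatch(host, "*.local") ||
    isInNet(host, "10.0.0.0", "255.0.0.0") ||
    isPlainHostName(host) ||
    isInNet(host, "192.168.0.0", "255.255.0.0")
  ) {
    return "DIRECT";
  }
  return "PROXY proxy1.lan.local:3128; PROXY proxy2.lan.local:3128; DIRECT";
}

// Constructed test table: returns [host, decision] pairs so they can be asserted.
function runCases() {
  const cases = [
    ["http://intranet/", "intranet"],
    ["http://files.lan.local/", "files.lan.local"],
    ["http://10.20.30.40/", "10.20.30.40"],
    ["http://192.168.1.10/wpad.dat", "192.168.1.10"],
    ["http://172.16.0.5/", "172.16.0.5"],
    ["https://www.example.com/", "www.example.com"],
  ];
  return cases.map(([url, host]) => [host, FindProxyForURL(url, host)]);
}

for (const [host, decision] of runCases()) {
  console.log(host.padEnd(18), "->", decision);
}
```

Only the FindProxyForURL function belongs in the published proxy.pac / wpad.dat; leave the helper re-implementations out, since the browser supplies its own, and keep the PAC body to old-style JavaScript syntax (no const, let or arrow functions) because the PAC interpreter in older IE versions does not understand them.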

Save this file as proxy.pac.  Then you can serve this file using an HTTP server.

You need to enter a URL like the one below under "Use an automatic configuration script" in Internet Options - Connections - LAN settings:
http://myserver.localdomain.local/proxy.pac

Notice:
By default, IIS does not serve *.pac files because no MIME type is registered for that extension.  You can either add an extra MIME type to IIS, or simply rename the file to proxy.js.

"Automatically Detect Settings" (DNS WPAD)
The previous sample still requires the user to enter a long URL for the proxy.pac file.  We can further improve usability by using DNS WPAD.  WPAD is the Web Proxy Auto-Discovery Protocol: the browser looks up the host name wpad in its DNS domain and fetches http://wpad.yourdomain.com/wpad.dat without any user configuration.

This website provides a brief introduction of what is needed.  In brief, to use DNS WPAD, we need the setup below:
  1. DNS server setup
    1. On your DNS server, add a new CNAME or A record for wpad.yourdomain.com.
    2. Perform an NSLOOKUP test.  If you are using Microsoft DNS and you cannot resolve wpad.yourdomain.com, it is probably because wpad is in the global query block list for security reasons.  Remove wpad from the list at the registry entry below:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList
      The block list exists because, with DNS dynamic update enabled, any domain member could otherwise register the wpad name and have every client download its proxy script.  After removing wpad from the list, make sure the wpad record is a static record created by an administrator, and keep the web server that hosts wpad.dat under the same tight control, since every client that trusts the name will run whatever script it serves.
    3. Restart the DNS server(s) after the registry change.  If you have more than one DNS server, you need to perform the same registry change on every DNS server.
  2. Add IIS website
    1. Create a new website.  The host name must be wpad.yourdomain.com (that's why you may want to use a CNAME to point wpad to your server's host name).
    2. Note that your website must also be accessible via its IP address, e.g. http://192.168.1.10.  If your website cannot be accessed via the IP address (maybe because port 80 on that IP address is assigned to another website), you may add an additional IP address to your web server and bind the newly created website to it.
    3. Save the proxy.pac file you created as wpad.dat.
    4. Add a MIME type for *.dat files.  The MIME type is application/x-ns-proxy-autoconfig.
    5. The final test is to check that you can open http://192.168.1.10/wpad.dat and http://wpad.yourdomain.com/wpad.dat in a browser.
  3. IE Setup
    1. Enable "Automatically detect settings" (there is no need to enable "Use a proxy server" or "Use an automatic configuration script").


iPad/iPhone setup

iOS does not have a place to enter proxy exceptions (see discussion here).  If you need proxy exceptions (e.g. for a local web server), you must use either an automatic configuration script or automatic detection (WPAD).



  1. Go to Settings.

  2. Select Wi-Fi.

  3. Select the Wi-Fi Network to which you are connected.

  4. In the Wi-Fi Networks window, tap on the arrow to the right of your Wi-Fi network name.

  5. Your IP Address selection should be DHCP.

  6. Scroll down to the bottom of the screen to HTTP Proxy.

  7. Select Auto.

  8. Fill in the URL text box, for example:

    http://myserver.localdomain.local/proxy.pac

    (If you have implemented DNS WPAD, you do not need to enter anything here.)

