When using a standard mode proxy, it can be difficult to easily distribute proxy settings to your users browsers. If you have more than a workgroup worth of computers, then manually changing each machine is likely not possible. Also, there are some instances where this can be problematic. For instance, laptop users must enable proxy settings within the office, but disable it when travelling. Also, some websites may not display properly when proxied, or you may want to skip proxying internal websites entirely. These problems call for a more dynamic solution.
What To Do
Using Web Proxy Auto-discovery Protocol (wpad.dat / proxy.pac)
This method has been widely tested, and all major browsers used today can take advantage of method. The web proxy autodiscovery protocol was designed to allow administrators to push out dynamic proxy configuration policies to their users. The core of this protocol is a configuration script commonly called a proxy.pac or wpad.dat file. This file contains a single Javascript function called FindProxyForURL. This function is called by the browser each time a URL is requested, and it returns instructions on whether or not a proxy should be used for a site, or from a network location.
Here is a sample script, which can be customized for your network. It meets two basic requirements of most customers. Proxy settings can be specified that will only be used when a machine is in a given location, and certain URLs can be specified that will be skipped from proxying. The lines beginning with // are only comments, and are not necessary for the script to function, but are useful in understanding how to customize this example.
//-----------------------------------------------------------------------
function FindProxyForURL(url, host)
{
//The following URLs will not be proxied
if ( dnsDomainIs(host, "domain.com")
|| dnsDomainIs(host, "company.com")
|| dnsDomainIs(host, "intranet.mycompany.com")
// Add new domains by customizing the line below,
// and removing the ‘//’ comment markers: //
|| dnsDomainIs(host, "your.domain.here")
)
return "DIRECT" ;
else {
// If the client is in one of the following networks
// set the proxy server they will use if (isInNet(myIpAddress(), "192.168.0.0", "255.255.0.0"))
return "PROXY 192.168.0.1:8080" ;
if (isInNet(myIpAddress(), "10.0.0.0", "255.0.0.0"))
return "PROXY 192.168.0.1:8080" ;
// Add new networks by customizing the lines below
// and removing the ‘//’ comment markers
// if (isInNet(myIpAddress(), "172.16.1.0", "255.255.255.0"))
// return "PROXY 10.92.168.0.1:8080" ;
// If the client is not in one of the above networks
// No proxy will be used
return "DIRECT" ;}}
//-----------------------------------------------------------------------
The above script can be saved to a file named proxy.pac, or wpad.dat, and will need to be hosted on a web server accessible by all of your workstations. Google provides a useful tool for testing auto-configuration scripts, called “pactester”. If you have problems with your script, this program may be useful. It can be found at http://code.google.com/p/pactester/ along with instructions on its use.
Creating the script is only the first step. In order to make use of this script, your browsers must know how to find it. There are several ways to do this. Most major browsers offer two options for automatically setting proxy configurations. Either can be used.
a) Automatic proxy configuration URL (FF), Use Automatic Configuration Script (IE) This option is the simplest. All that is needed is to put the full URL of where you placed the configuration script in the field next to this option in the browsers settings. For example: http://www.mydomain.com/proxy.pac When the browser is launched, it will download the file, and use it to configure proxy settings.
b) Auto-detect proxy settings for this network (FF), Automatically detect settings (IE) There are two ways that a browser can automatically discover the proxy configuration. The first, and most common method, is to create a dns record for the default domain that your client machines are in, called wpad. This hostname should point to the IP of a webserver, that contains your script named wpad.dat, in the root path of that server. For example, if the default domain name given to your workstations is internal.mydomain.com, then with the above option selected, browsers will try to download the following url: http://wpad.internal.mydomain.com/wpad.dat
If the supplied URL exists, then your browsers will use this option to configure their proxy settings.
The second option is to provide the auto configuration URL through DHCP. This is less commonly used, and may not be possible for all DHCP servers. To use this method, your DHCP server must be capable of configuring additional option values, and you must configure option 252 as a text option. This option will then contain the URL of your autoconfig script, which will be distributed to clients when they receive a DHCP assigned address on the network.
Regardless of which method you choose, you may need to have changes made in each user’s browser.
To do this, there are a number of methods we recommend.
1) Ask users to make the change In an organization where users are not restricted from configuring such settings themselves, this option can work surprisingly well. A clear set of instructions sent to users can be easy to follow, even for non technical users. “Dear user, Two weeks from today, we will be making changes to our firewall, which will require a setting changed in your browser. Without this change, you will not be able to surf the web after the cutoff; however, you can make this change at any time before then. Please follow these simple instructions:”
2) Active Directory group policy Active Directory network admins have a simple method to push proxy settings out to all IE browsers running on Windows machines that are part of their domain. A group policy option can be set in Active Directory to set proxy autoconfiguration settings on users browsers from a central group policy for users, OUs or entire domains. Similar features are also available for firefox running on windows workstations, using a variety of third party tools. Two free projects which provide group policy support for firefox are FirefoxAdm(http://sourceforge.net/projects/firefoxadm and Wetdog(http://wetdog.sourceforge.net/). Both provide group policy adm templates to allow policies to be set in active directory. Implementation of those policies is done through scripts in the case of firefoxadm or an exe in the case of wetdog that must be referenced in users login scripts. An additional commercial option is Frontmotion(http://www.frontmotion.com/Firefox/index.htm) who provides customizable MSI packages of firefox that will read and apply group policy settings.
3) Login Scripts This method can be used in other environments such as Novell eDirectory. For IE, configuration settings can be distributed in the form of a registry file. You can either push out hard set proxy settings, or the autoconfiguration URL. Here is an example of a .reg file.
Not all lines are needed, depending on what you want to set.
//-----------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="10.129.0.1:8080"
"ProxyOverride"="*.local;<local>"
"AutoConfigURL"="http://192.168.0.1/wpad.dat"
//-----------------------------------------------------------------------
The above file should be saved as proxy.reg, and can be merged to the registry from a login script as follows:
regedit.exe /s proxy.reg