There are several ways to configure a web browser to use a proxy. This article focuses on the DNS and WPAD method, but we’ll cover other options too. The objective is to force workstations to use a proxy server when, and only when, the business needs it, depending on where the workstation is and where the target web server is.
In our case, all machines on the office network must use the office proxy server, but portable workstations (laptops) should use the office proxy only while they are in the office, not while they are roaming.
A quick overview of what we’ll need to do:
- Create a WPAD file and place it on a web server on the office network.
- Create a “WPAD” DNS entry within the appropriate DNS Zone on the office DNS server.
- Create a Group Policy that forces the web browser to use “Automatic Proxy Configuration”.
- Test.
The remainder of this article goes into more depth on the four items above.
Create a WPAD file
The WPAD file must be named “wpad.dat” and be accessible via the URL “http://wpad.mydomain.local/wpad.dat”. It contains JavaScript code that web browsers understand, and it sets out the rules for choosing a proxy. The example below is a fully functional WPAD file that tells web browsers to use the proxy at “192.168.1.2” on port “3128” only if the target web server is not on the local network (192.168.0.0/16). Note that dnsResolve() returns null when the name cannot be resolved, so the result is checked before it is handed to isInNet(), and isInNet() takes a full dotted-quad pattern (“192.168.0.0”) rather than a truncated one.

    // Return DIRECT for hosts in 192.168.0.0/16, otherwise use the office proxy.
    function FindProxyForURL(url, host) {
        var ip = dnsResolve(host);           // null if the name does not resolve
        if (ip && isInNet(ip, "192.168.0.0", "255.255.0.0"))
            return "DIRECT";
        return "PROXY 192.168.1.2:3128";
    }
You can find many more examples at “https://findproxyforurl.com/example-pac-file/”.
Create a WPAD entry in DNS
If the web browser is configured to use the “Auto Detect Proxy Settings” method, it will ask the DNS server for the IP address of the web server at “wpad.mydomain.local”. It will then ask that web server for the file at “http://wpad.mydomain.local/wpad.dat”. The DNS entry need only respond with the appropriate IP address for the host name “wpad.mydomain.local”.
Note that Windows DNS servers don’t respond to queries for the “wpad” name by default (it is on the server’s global query block list) because an unexpected host answering to that name is considered a security risk. How to change this is described at “https://technet.microsoft.com/en-us/library/cc995158.aspx”.
You’ll notice I’ve used the example domain “mydomain.local”. This is an example of a Windows AD domain that the workstation is bound to. If your workstation is not bound to a domain, you can instead specify the URL “http://wpad.mydomain.local/wpad.dat” in the web browser’s proxy settings field “Automatic Proxy Configuration URL”. More about that in the “Testing” section of this article.
Enforce the use of WPAD in a Group Policy
The only requirement here is to ensure web browsers are configured to use the “Auto Detect Proxy Settings” method for obtaining the WPAD file. You can do this manually or via group policies. Web browsers often default to this method anyway.
Test & Troubleshooting
Obviously you’ll need to test your new setup, and I suggest the following approach. Use the following diagram to help with where to set your options.
- Configure a web browser to point directly to your WPAD file that you’ve placed on a web server. The web browser’s proxy setting field “Automatic Proxy Configuration URL” should be populated with “http://wpad.mydomain.local/wpad.dat” (for example). Restart the browser (or click the “reload” button next to that field if it exists).
- Test if you’re going through your proxy now. If you control the proxy, check the logs on the proxy for your workstation’s activity. See if you’re going through the proxy.
- If the above isn’t working, keep troubleshooting until resolved and then continue with the testing steps below.
- Now we’ll check that DNS is returning the expected answer for “wpad.mydomain.local”. Use “nslookup”, “dig” or whatever tool you like to see what “wpad.mydomain.local” points to (which IP address, if any). Also try browsing to that URL and see if you reach the web server. If so, try the full URL “http://wpad.mydomain.local/wpad.dat”. You should see the JavaScript contents of your WPAD file.
- Now test your group policies if you’re opting to use them. At this point you’re finished and everything should be working.