Deploying the Office 365 Proxy PAC to manage your users


Several months ago, I released a tool (the Office 365 Proxy Pac Gen) to generate a Proxy Automatic Configuration file that can be used to bypass local proxy servers for Office 365 services.  I also wrote a blog (Office 365 PAC file) on using the tool. I’ve received a lot of personal feedback on it, and wanted to expand on how to use the configuration file in production to manage desktops.

As I stated in my blog posting, bypassing the proxy requires two elements:

– A list of URLs/domains that the browser knows to not send to the proxy environment
– Firewall access rules configured to allow outbound access to the IP addresses corresponding to the domains found in the proxy bypass list

That sounds well and good; so how do you configure your desktop environment to take advantage of this proxy automatic configuration file?  There are two basic ways that this can be accomplished.

– A GPO that specifies the location of the .PAC file (which will typically only be useful for Internet Explorer or Edge browsers, unless separate administrative templates have been configured for Firefox or Chrome)
– WPAD (Web Proxy Auto-Discovery Protocol)

Web Server

First things first.  In order for your clients to pick up a configuration file at all, there has to be a web server hosting the file.  The configuration is relatively straightforward if you’re setting up IIS.

  1. Install IIS.  Yes, it’s pretty easy.  If you’ve never done it before, here are the CliffsNotes for the various IIS versions.
    1. IIS 7.x (Windows 2008 R2) – https://technet.microsoft.com/en-us/library/ee692294%28v=ws.10%29.aspx
    2. IIS 8.x (Windows 2012/R2) – http://www.iis.net/learn/get-started/whats-new-in-iis-8/installing-iis-8-on-windows-server-2012
  2. Configure the appropriate MIME types (at this point, we’re going to configure a MIME type for both WPAD.DAT and the proxyautoconfig.pac file–it’s the same file, but delivered via different methods).
    1. Launch an elevated PowerShell prompt.
    2. Run the following cmdlets:
      C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /-"[fileExtension='.pac']"
      C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.pac',mimeType='application/x-ns-proxy-autoconfig']"
      C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /-"[fileExtension='.dat']"
      C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.dat',mimeType='application/x-ns-proxy-autoconfig']"

  3. Place two copies of the PAC file in the root of the virtual directory for the default web site.  You can schedule the Office 365 Proxy PAC generator PowerShell script on the web server to create the files. Name one “proxyconfig.pac” (or whatever, as long as the extension is .PAC). Name the other “wpad.dat” (this one is particular and must be named that).  Here’s an easy way to keep the PAC and WPAD files updated:
    1. Download the Office 365 PAC file generator and save it to C:\Scripts (for example) on the webserver hosting the PAC/WPAD files.
    2. Create a batch file called “C:\Scripts\PacSchedule.bat” with the following data (replacing the address of the proxy server with your own):
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe c:\scripts\Office365ProxyPac.ps1 -ProxyServer '192.168.0.1:8080' -OutputFile 'C:\InetPub\wwwroot\Proxyautoconfig.pac'
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe c:\scripts\Office365ProxyPac.ps1 -ProxyServer '192.168.0.1:8080' -OutputFile 'C:\InetPub\wwwroot\wpad.dat'
    3. Run it to test.
    4. Create the scheduled task.  You can do this via the Task Scheduler GUI or from a PowerShell commandline:
      $action = New-ScheduledTaskAction -Execute 'C:\scripts\PacSchedule.bat'
      $trigger = New-ScheduledTaskTrigger -Daily -At 9am
      Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "PAC Scheduled download" -User 'forestc\labadmin' -Password 'Password1'

DNS Server

For WPAD deployments, the client machine looks up the host name “wpad” in its own DNS domain, so configure a DNS A record for “wpad.domain.com” (where ‘domain.com’ is your LAN’s DNS zone) that points to the IP address of the web server hosting the PAC and WPAD.DAT files.

  1. Launch DNS Management Console.
  2. Navigate to the forward lookup zone for your domain.
  3. Right-click > New Host > enter wpad as the hostname and the web server hosting the PAC and WPAD.DAT files in the IP address window, and click Add Host.
  4. Check to see if the DNS blocklist is configured.  You can use either DnsCmd (native Windows command line utility) or the PowerShell cmdlet Get-DnsServerGlobalQueryBlockList.
    1. DnsCmd method:
      dnscmd /info /enableglobalqueryblocklist
    2. PowerShell Get-DnsServerGlobalQueryBlockList method:
      Get-DnsServerGlobalQueryBlocklist
  5. If a “1” is returned, the block list is enabled.  If it is enabled, you should check to see if WPAD is on the block list.  If you have a default installation of Windows 2008 R2 or later and WPAD was not *previously* configured in your environment, WPAD will be on the block list.
    1. DnsCmd method:
      dnscmd /info /globalqueryblocklist
    2. PowerShell Get-DnsServerGlobalQueryBlockList method:
      Get-DnsServerGlobalQueryBlockList
  6. As you can see, WPAD is on the blocklist.  At this point, you can either disable the DNS blocklist or exclude WPAD from the blocklist.
    1. To exclude WPAD:
      1. DnsCmd method:
        dnscmd /config /globalqueryblocklist isatap

        (Note: isatap was already included in the block list; DnsCmd overwrites the current values with whatever you specify, so you need to write out all the names that are currently blocked and that you want to remain blocked.)
        The DnsCmd method isn’t my favorite, especially if you have a large number of items in the block list.  If you have a default setup, it only has isatap and wpad, so it’s not a huge deal.  Fortunately, there’s a nifty PowerShell way to do it as well.
      2. PowerShell method:
        [array]$blocklist = (Get-DnsServerGlobalQueryBlockList).List
        $blocklist = $blocklist -ne "wpad"
        Set-DnsServerGlobalQueryBlockList -List $blocklist
    2. To disable the DNS Blocklist:
      1. DnsCmd method:
        dnscmd /config /enableglobalqueryblocklist 0

      2. PowerShell method:
        Set-DnsServerGlobalQueryBlockList -Enable $False

DHCP Server

Now that the web server and DNS records have been configured, we need to configure the DHCP server to distribute the appropriate option (252).

  1. Launch DHCP Administration Console.
  2. Select IPv4, right-click, and then select Set Predefined Options.
  3. Click the Add button, and then fill out the appropriate values and click OK:
    Name: wpad
    Data type: string
    Code: 252
  4. In the String value box, type http://wpad.domain.com/wpad.dat (replacing domain.com with your domain).
  5. Click OK.
  6. Right-Click Server Options, click Add, select Option 252 from the list, and click OK.
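The three sections above (web server, DNS, DHCP) are one deployment, and the usual failure is that one piece silently disagrees with the others: the record exists but the global query block list still hides it, IIS returns 404 because the MIME mapping was skipped, or option 252 carries a typo. The script below is an added example, not part of the original post or of the Office 365 Proxy PAC generator; it checks all three pieces from an admin workstation. It assumes the DnsServer and DhcpServer RSAT modules are installed, and every value in `$Config` (the zone, the web server IP, and the DNS and DHCP server names) is a placeholder to replace with your own. The check that `wpad` resolves to the web server you control is the one to keep running: a `wpad` name answered by any other host would redirect every client’s proxy settings.

```powershell
# Added example (not from the original post): verify a WPAD/PAC deployment.
# Assumes RSAT DnsServer/DhcpServer modules; all $Config values are placeholders.
$Config = @{
    Domain      = 'domain.com'        # your LAN DNS zone
    WebServerIp = '192.168.0.10'      # IP of the IIS host serving wpad.dat (placeholder)
    DnsServer   = 'dns01.domain.com'  # DNS server to query for the block list (placeholder)
    DhcpServer  = 'dhcp01.domain.com' # DHCP server holding option 252 (placeholder)
}

# Small result record so every check reports the same way.
function New-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Test-WpadWeb {
    param([hashtable]$Cfg)
    # File names follow the batch file above: wpad.dat is mandatory, the .pac name is free.
    foreach ($file in 'wpad.dat', 'Proxyautoconfig.pac') {
        $uri = "http://wpad.$($Cfg.Domain)/$file"
        try {
            $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
            $ctype = [string]$r.Headers['Content-Type']
            New-Check "$file served" ($r.StatusCode -eq 200) "$uri (HTTP $($r.StatusCode))"
            # Without the staticContent MIME mapping, IIS refuses .dat/.pac with a 404.
            New-Check "$file has PAC MIME type" ($ctype -like 'application/x-ns-proxy-autoconfig*') $ctype
            New-Check "$file defines FindProxyForURL" ($r.Content -match 'function\s+FindProxyForURL') "$($r.Content.Length) bytes"
        } catch {
            New-Check "$file served" $false $_.Exception.Message
        }
    }
}

function Test-WpadDns {
    param([hashtable]$Cfg)
    $name = "wpad.$($Cfg.Domain)"
    $ips = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress })
    New-Check "$name resolves" ($ips.Count -gt 0) ($ips -join ',')
    # The record must point at the server we control, not merely exist.
    New-Check "$name points at the intended web server" ($ips -contains $Cfg.WebServerIp) ($ips -join ',')
    # With the block list enabled and 'wpad' still listed, the DNS server answers as
    # if the record did not exist, even though it is visible in DNS Manager.
    $bl = Get-DnsServerGlobalQueryBlockList -ComputerName $Cfg.DnsServer
    $blocked = [bool]$bl.Enable -and ($bl.List -contains 'wpad')
    New-Check 'wpad not hidden by global query block list' (-not $blocked) "Enable=$($bl.Enable); List=$($bl.List -join ',')"
}

function Test-WpadDhcp {
    param([hashtable]$Cfg)
    $expected = "http://wpad.$($Cfg.Domain)/wpad.dat"
    $def = Get-DhcpServerv4OptionDefinition -ComputerName $Cfg.DhcpServer -OptionId 252 -ErrorAction SilentlyContinue
    New-Check 'DHCP option 252 defined as a string' ($null -ne $def -and $def.Type -eq 'String') "Type=$($def.Type)"
    $val = Get-DhcpServerv4OptionValue -ComputerName $Cfg.DhcpServer -OptionId 252 -ErrorAction SilentlyContinue
    $url = if ($val) { [string]$val.Value } else { '' }
    New-Check 'DHCP option 252 carries the wpad.dat URL' ($url -eq $expected) $url
}

$report = @(Test-WpadWeb $Config) + @(Test-WpadDns $Config) + @(Test-WpadDhcp $Config)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it after the scheduled task has produced the files; a non-zero exit makes it easy to drop into the same Task Scheduler job so the PAC regeneration and the deployment check fail together rather than in silence.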

Once that’s done, you can use a GPO or Group Policy preference to configure Windows hosts running IE to use WPAD or the specified PAC file.  Firefox, Chrome, Safari and other browsers should have WPAD discovery on by default.

For more information on how proxy works under the hood, be sure to check out Eric’s blog at https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration.

Comments (5)

  1. Jelmer Jaarsma says:

    You’re missing the step to remove WPAD from the DNS blocklist:
    https://technet.microsoft.com/en-us/library/cc995158.aspx

  2. Thanks for that–I totally forgot about the Dns Blocklist! I’ve updated it accordingly.

  3. anonymouscommenter says:

    When we talk about Office 365 services with our customers, a lot of the discussion revolves around the

  4. Royce Lithgo says:

    This is good, but how about adding a step to insert a custom script at the start of the generated script (right after the FindProxyForURL function call)? I am doing this manually at the moment so I can apply overrides for other cloud systems and local intranet addresses. I’m sure this should be easy for someone with better powershell skills than mine.

    1. What if I made a way for you to insert another list of hosts/domains you wanted to either go direct or add to the AlwaysProxy lists?
