Several months ago, I released a tool (the Office 365 Proxy Pac Gen) to generate a Proxy Automatic Configuration file that can be used to bypass local proxy servers for Office 365 services. I also wrote a blog (Office 365 PAC file) on using the tool. I've received a lot of personal feedback on it, and wanted to expand on how to use the configuration file in production to manage desktops.
As I stated in my blog posting, bypassing the proxy requires two elements:
- A list of URLs/domains that the browser knows not to send to the proxy
- Firewall access rules configured to allow outbound access to the IP addresses corresponding to the domains found in the proxy bypass list
That's all well and good; so how do you configure your desktop environment to pick up this proxy automatic configuration file? There are two basic ways this can be accomplished.
- A GPO that specifies the location of the .PAC file (which will typically only be useful for Internet Explorer or Edge, unless separate administrative templates have been deployed for Firefox or Chrome)
- WPAD (Web Proxy Auto-Discovery Protocol), where the clients locate the file themselves through DHCP option 252 or a DNS lookup of wpad.<your domain>
First things first. In order for your clients to pick up a configuration file at all, there has to be a web server hosting the file. The configuration is relatively straightforward if you're setting up IIS.
- Install IIS. Yes, it's pretty easy. If you've never done it before, here's the cliff notes on the various IIS versions.
- IIS 7.x (Windows 2008 R2) - https://technet.microsoft.com/en-us/library/ee692294%28v=ws.10%29.aspx
- IIS 8.x (Windows 2012/R2) - http://www.iis.net/learn/get-started/whats-new-in-iis-8/installing-iis-8-on-windows-server-2012
- Configure the appropriate MIME types. At this point, we're going to configure a MIME type for both wpad.dat and proxyautoconfig.pac (it's the same file content, delivered under two different names for the two discovery methods). IIS refuses to serve a static file whose extension has no MIME mapping, so this step is not optional.
- Launch an elevated PowerShell prompt.
- Run the following commands. appcmd.exe is a plain command-line tool rather than a cmdlet, so these work from an elevated cmd.exe prompt as well. The /- lines remove any existing mapping for the extension first; if there isn't one, appcmd reports an error for that line, which is harmless:
C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /-"[fileExtension='.pac']"
C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.pac',mimeType='application/x-ns-proxy-autoconfig']"
C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /-"[fileExtension='.dat']"
C:\Windows\system32\inetsrv\appcmd.exe set config /section:staticContent /+"[fileExtension='.dat',mimeType='application/x-ns-proxy-autoconfig']"
- Place two copies of the PAC file in the root of the Default Web Site (C:\InetPub\wwwroot on a default installation). You can schedule the Office 365 Proxy PAC generator PowerShell script on the web server to create the files. Name one "proxyautoconfig.pac" (or whatever you like, as long as the extension is .pac and matches the MIME mapping above). Name the other "wpad.dat" (this one is particular: clients doing WPAD discovery request exactly /wpad.dat). Here's an easy way to keep the PAC and WPAD files updated:
- Download the Office 365 PAC file generator and save it to C:\Scripts (for example) on the webserver hosting the PAC/WPAD files.
- Create a batch file called "C:\Scripts\PacSchedule.bat" with the following two lines (replacing the address of the proxy server with your own). The -ExecutionPolicy Bypass switch keeps the task from failing silently on a server whose execution policy blocks unsigned scripts:
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass c:\scripts\Office365ProxyPac.ps1 -ProxyServer '192.168.0.1:8080' -OutputFile 'C:\InetPub\wwwroot\proxyautoconfig.pac'
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass c:\scripts\Office365ProxyPac.ps1 -ProxyServer '192.168.0.1:8080' -OutputFile 'C:\InetPub\wwwroot\wpad.dat'
- Run it to test.
- Create the scheduled task. You can do this via the Task Scheduler GUI or from a PowerShell command line. Use a dedicated account that has write access to C:\InetPub\wwwroot and nothing more, and let Get-Credential prompt for its password rather than pasting the password into the command line (where it ends up in the console history and any transcript):
$cred = Get-Credential -UserName 'forestc\labadmin' -Message 'Account that will run the PAC refresh'
$action = New-ScheduledTaskAction -Execute 'C:\scripts\PacSchedule.bat'
$trigger = New-ScheduledTaskTrigger -Daily -At 9am
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "PAC Scheduled download" -User $cred.UserName -Password $cred.GetNetworkCredential().Password
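The appcmd lines above are not idempotent and nothing in the steps so far confirms that IIS actually serves the two files the way a client expects. The following is an added example, not code from the original post or from the PAC generator: it sets the two MIME mappings only when they are missing or wrong, then fetches both files through the name clients will use and checks the status code, the Content-Type header, and that the body really is a PAC file. It assumes the WebAdministration module, the Default Web Site rooted at C:\InetPub\wwwroot, the file names used above, and a host name (wpad.domain.com) that you replace with your own. Run it elevated on the web server.

```powershell
# Added example (not from the original post). Assumes IIS with the
# WebAdministration module, files already generated in C:\InetPub\wwwroot,
# and a host name you replace below. Run from an elevated prompt.
Import-Module WebAdministration

$pacMime = 'application/x-ns-proxy-autoconfig'

function Set-PacMimeMapping {
    param([string]$Extension)
    # Server-level staticContent section, the same scope appcmd edits by default.
    $filter   = "system.webServer/staticContent/mimeMap[@fileExtension='$Extension']"
    $existing = Get-WebConfiguration -PSPath 'IIS:\' -Filter $filter
    if ($null -eq $existing) {
        # No mapping yet: add the collection element.
        Add-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/staticContent' `
            -Name '.' -Value @{ fileExtension = $Extension; mimeType = $pacMime }
    } elseif ($existing.mimeType -ne $pacMime) {
        # Mapping exists with some other type (e.g. a leftover .dat mapping): correct it.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $filter -Name 'mimeType' -Value $pacMime
    }
}

Set-PacMimeMapping -Extension '.pac'
Set-PacMimeMapping -Extension '.dat'

function Test-PacUrl {
    param([string]$Url)
    # Fetch the file the way a client would and check the three things that
    # usually go wrong: a 404.3 from a missing MIME map, the wrong
    # Content-Type, and an empty or truncated file.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
    } catch {
        return [pscustomobject]@{ Url = $Url; Ok = $false; Reason = $_.Exception.Message }
    }
    $ct   = [string]$r.Headers['Content-Type']
    $body = [string]$r.Content
    $ok   = ($r.StatusCode -eq 200) -and $ct.StartsWith($pacMime) -and ($body -match 'function\s+FindProxyForURL')
    [pscustomobject]@{ Url = $Url; Ok = $ok; Status = $r.StatusCode; ContentType = $ct; Bytes = $body.Length }
}

# Test against the real name clients will use, not just localhost, so a
# binding or host-header problem shows up here rather than on the desktops.
$hostName = 'wpad.domain.com'   # assumption: replace with your zone
Test-PacUrl "http://$hostName/wpad.dat"
Test-PacUrl "http://$hostName/proxyautoconfig.pac"
```

If the .dat check fails with a 404 but the file is on disk, the MIME mapping did not take at the level IIS is reading it from (a site-level web.config can override the server-level mapping), which is exactly the failure the appcmd error messages above tend to hide.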
For WPAD deployments, clients that are set to auto-detect look for a host named wpad in their DNS suffix and request http://wpad.<domain>/wpad.dat from it. Configure a DNS A record for "wpad.domain.com" (where 'domain.com' is your LAN's DNS zone) that points to the IP address of the web server hosting the files.
- Launch the DNS Management Console.
- Navigate to the forward lookup zone for your domain.
- Right-click > New Host > enter wpad as the hostname and the IP address of the web server hosting the PAC and wpad.dat files, and click Add Host.
- Check whether the DNS global query block list is enabled. You can use either DnsCmd (dnscmd /info /enableglobalqueryblocklist, then dnscmd /info /globalqueryblocklist to see the names) or the PowerShell cmdlet Get-DnsServerGlobalQueryBlockList, which returns both the Enable flag and the List in one object.
- If DnsCmd returns a 1 (or the cmdlet returns Enable : True), the block list is enabled. If it is enabled, you should check whether wpad is on the block list. If you have a default installation of Windows 2008 R2 or later and WPAD was not *previously* configured in your environment, wpad will be on the block list, and the DNS server will not answer queries for that name even though the A record you just created exists.
- If wpad is on the block list, you can either disable the DNS block list or exclude wpad from the block list.
- To exclude WPAD:
- DnsCmd method:
dnscmd /config /globalqueryblocklist isatap
(Note: isatap was already included in the block list; DnsCmd overwrites the current values with whatever you specify, so you need to write out all the names that are currently blocked and want to remain blocked)
The DnsCmd method isn't my favorite, especially if you have a large number of items in the block list. If you have a default setup, it only has Isatap and WPAD, so it's not a huge deal. Fortunately, there's a nifty PowerShell way to do it as well.
- PowerShell method:
[array]$blocklist = (Get-DnsServerGlobalQueryBlocklist).List
$blocklist = $blocklist -ne "wpad"
Set-DnsServerGlobalQueryBlockList -List $blocklist
Disabling the block list altogether is the other option, but the list exists to stop any host that can register names dynamically from claiming wpad or isatap for itself, and turning it off removes that protection for every name on it. Excluding only wpad is the narrower change and the one to prefer.
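The DNS steps above are spread across the console and two command-line tools. Here is the same work as one added example (not code from the original post) that can be re-run safely: it removes wpad from the block list only if it is there, creates or corrects the static A record, and then queries the DNS server directly so that a block-list entry that is still swallowing the name fails loudly instead of quietly on the clients. It assumes the DnsServer module on a Windows Server 2012 or later DNS server, and a zone name and web server address that you replace.

```powershell
# Added example (not from the original post). Assumes the DnsServer module
# and that it runs on the DNS server itself. Replace the two values below.
Import-Module DnsServer

$zone  = 'domain.com'     # assumption: your AD-integrated forward zone
$webIp = '192.168.0.10'   # assumption: the IIS host serving wpad.dat

# 1. Take wpad off the global query block list, leaving everything else
#    (isatap and anything you added) blocked. Use
#    Set-DnsServerGlobalQueryBlockList -Enable $false only if you really
#    want the whole list off.
$gqbl = Get-DnsServerGlobalQueryBlockList
if ($gqbl.Enable -and ($gqbl.List -contains 'wpad')) {
    $remaining = @($gqbl.List | Where-Object { $_ -ne 'wpad' })
    Set-DnsServerGlobalQueryBlockList -List $remaining
    "Removed wpad from the block list; still blocked: $($remaining -join ', ')"
}

# 2. Create the static A record, or point an existing one at the right host.
$rr = Get-DnsServerResourceRecord -ZoneName $zone -Name 'wpad' -RRType A -ErrorAction SilentlyContinue
if ($null -eq $rr) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'wpad' -IPv4Address $webIp
} elseif ($rr.RecordData.IPv4Address.IPAddressToString -ne $webIp) {
    $new = $rr.Clone()
    $new.RecordData.IPv4Address = [ipaddress]$webIp
    Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $rr -NewInputObject $new
}

# 3. Ask this server directly, bypassing the local resolver cache. A name that
#    is still on the block list comes back with no answer even though the
#    record is in the zone, so treat anything but the expected address as a failure.
$answer = Resolve-DnsName -Name "wpad.$zone" -Type A -Server $env:COMPUTERNAME -DnsOnly -ErrorAction SilentlyContinue
if ($answer.IPAddress -contains $webIp) {
    "OK: wpad.$zone -> $webIp"
} else {
    throw "wpad.$zone did not resolve to $webIp; check the block list and the zone"
}
```

Run it on each DNS server that holds a writable copy of the zone if the block list is managed per server; the A record replicates, the block-list setting does not.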
Now that the web server and DNS records have been configured, we need to configure the DHCP server to distribute the appropriate option (252), which carries the URL of the wpad.dat file.
- Launch the DHCP Administration Console.
- Right-click IPv4 and select Set Predefined Options.
- Click Add, fill in the new option definition, and click OK:
Name: WPAD
Data type: String
Code: 252
- In the String value box, type http://wpad.domain.com/wpad.dat (replacing domain.com with your domain).
- Click OK.
- Right-click Server Options (or Scope Options, to publish it to one scope only), select Configure Options, tick option 252 WPAD, and click OK.
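The same DHCP configuration, as an added example (not from the original post) using the DhcpServer module rather than the console, so it can live in the same deployment script as the DNS and IIS steps. It defines option 252 once, sets the server-level value, and reads it back so a typo in the URL is caught on the server rather than on every client. It assumes a Windows Server 2012 or later DHCP server and a URL you replace.

```powershell
# Added example (not from the original post). Assumes the DhcpServer module
# on the DHCP server. Replace the URL with your own zone.
Import-Module DhcpServer

$wpadUrl = 'http://wpad.domain.com/wpad.dat'   # assumption: your zone

# Option 252 is not predefined on a Windows DHCP server, so create the
# definition once; on a second run it is found and left alone.
$def = Get-DhcpServerv4OptionDefinition -OptionId 252 -ErrorAction SilentlyContinue
if ($null -eq $def) {
    Add-DhcpServerv4OptionDefinition -OptionId 252 -Name 'WPAD' -Type String -Description 'Proxy auto-config URL'
}

# A server-level value applies to every scope; add -ScopeId to limit it to one.
Set-DhcpServerv4OptionValue -OptionId 252 -Value $wpadUrl

# Read it back and compare byte for byte with what was intended.
$current = [string](Get-DhcpServerv4OptionValue -OptionId 252).Value
if ($current -ne $wpadUrl) {
    throw "Option 252 is '$current', expected '$wpadUrl'"
}
"Option 252 = $current"
```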
Once that's done, you can use a GPO or a Group Policy preference to configure Windows hosts running IE to "Automatically detect settings" (WPAD) or to use the specified PAC URL. Chrome and Safari use the operating system's proxy settings, and Firefox on Windows defaults to "Use system proxy settings", so once auto-detect is on in Windows those browsers pick the PAC up as well.
Two caveats before you roll this out. First, WPAD is a discovery protocol: a client that cannot resolve wpad through DNS and gets no option 252 falls back to LLMNR and NetBIOS name resolution, which any machine on the same segment can answer, so publish the DNS record and the DHCP option everywhere your clients live rather than in one site. Second, the PAC file is JavaScript that every browser in the estate runs on every request, and it is fetched over plain HTTP, so treat write access to C:\InetPub\wwwroot on that web server as equivalent to control of every client's proxy settings.
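Whether the GPO or the WPAD route was used, the question on the desktop is the same: did the client pick the configuration up, and does the PAC really send Office 365 traffic DIRECT while everything else still goes to the proxy? The following added example (not code from the original post or the PAC generator) answers that on a workstation without opening a browser. It reads the WinINET settings the GPO or WPAD would have written, then asks .NET's system proxy, which evaluates the same PAC the browser uses, for a few sample URLs. The proxy address, the Office 365 host names used as samples, and the DefaultConnectionSettings byte layout (flags in byte 8, as commonly documented, not an official structure) are assumptions.

```powershell
# Added example (not from the original post). Run as the logged-on user on a
# domain workstation after a gpupdate. The proxy address and sample URLs are
# constructed for the example.
$proxyAddr = '192.168.0.1:8080'   # assumption: the address the PAC returns for "PROXY"

# What IE/WinINET was told. AutoConfigURL is what the GPO/PAC method sets; the
# auto-detect (WPAD) flag lives in DefaultConnectionSettings. Byte 8 holds
# the flags (0x02 proxy, 0x04 config script, 0x08 auto-detect) per community
# documentation of that blob; treat that layout as an assumption.
$is   = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$conn = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$flags = if ($conn.DefaultConnectionSettings) { $conn.DefaultConnectionSettings[8] } else { 0 }
[pscustomobject]@{
    AutoConfigURL = $is.AutoConfigURL
    AutoDetect    = [bool]($flags -band 0x08)
    ProxyEnable   = [bool]$is.ProxyEnable
}

# .NET's system proxy honours the same settings, including the PAC, so its
# answer is the browser's answer.
function Get-EffectiveProxy {
    param([string]$Url)
    $uri = [uri]$Url
    $sys = [System.Net.WebRequest]::GetSystemWebProxy()
    $via = $sys.GetProxy($uri)
    # GetProxy returns the destination itself when the PAC said DIRECT.
    $route = if ($via -eq $uri) { 'DIRECT' } else { $via.Authority }
    [pscustomobject]@{
        Url      = $Url
        Direct   = $sys.IsBypassed($uri)
        Via      = $route
        AsPlanned = if ($via -eq $uri) { $true } else { $via.Authority -eq $proxyAddr }
    }
}

# Constructed sample: two Office 365 endpoints that should come back DIRECT,
# and one ordinary site that should still show the proxy address.
@(
    'https://outlook.office365.com/',
    'https://login.microsoftonline.com/',
    'https://www.example.com/'
) | ForEach-Object { Get-EffectiveProxy $_ }
```

If every URL shows the proxy, the PAC was not loaded at all (check AutoConfigURL or AutoDetect above, and remember WinINET caches a failed auto-detect for a while); if every URL shows DIRECT, the PAC loaded but its default return is wrong, which the firewall will reveal the hard way.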
For more information on how proxy works under the hood, be sure to check out Eric's blog at https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration.