Recently I decided to push autoconfiguration proxy settings out to my clients via WPAD. The reason I did this is that I used to push them out via Active Directory Group Policy; however, I have some computers on my network that are not part of a domain, and I wanted to be able to enforce our company’s web and security policies on them. This was not extremely difficult, but one problem I ran into was that it would not work on subnets other than the one my proxy was located on. Here’s how I was able to implement this and push it out to the other subnets:

First off, I am using GFI WebMonitor 2010 for my web proxy. I like this product because it includes its own proxy server, so I did not have to purchase ISA Server to run it on. I use a hardware router, so purchasing ISA just to run a web proxy seemed to be a waste of money.

To start off, this software makes it pretty easy to publish your WPAD to the network for computers to access. In GFI WebMonitor I just did the following:

This automatically creates your wpad.dat file and publishes it.

You can view the wpad.dat by going to http://wpad/wpad.dat. The wpad.dat has a lot of configuration info in it, but the gist of it is this (straight quotes restored; the extracted copy had curly quotes, which would break the PAC script):

    // Local loopback goes direct; everything else goes to the proxy,
    // with DIRECT as the fallback if the proxy cannot be reached.
    function GetStandardProxy(url, host) {
        if (host == "127.0.0.1") {
            return "DIRECT";
        } else {
            return "PROXY 192.168.1.12:8080; DIRECT";
        }
    }

Then I needed to create the entries in DHCP and DNS to point to the WPAD file so browsers could find and use the proxy server. The main problem I ran into is that computers on the local network where the proxy is located picked this up automatically and gradually started redirecting to my proxy server, but computers on my other subnets would not pick it up. I assume that the router was blocking some sort of broadcast, so I decided to put the entries in both DHCP and DNS to get around this, as there are a router or two that are controlled by another consultant.

In DHCP this is pretty easy to do, although you need to add option 252 first. In DHCP, right-click on your server and click on “Set Predefined Options”, click “Add”, for the code enter “252”, for the name enter “wpad”, and for the “data type” select “String”. Why it’s not there by default is baffling, but it’s easy enough to add.

Now for the DNS entry. Under Forward Lookup Zones, enter a new alias (CNAME), call it wpad, and point it to the server that houses your wpad file. This should replicate to your other DNS servers. For testing purposes, just make sure that you do it on the first server listed when running IPCONFIG /all.

Now here’s the part that had me stumped for a while. I go to http://wpad/wpad.dat on a computer located on another subnet and get a 404 page. After doing some research I found out that Windows DNS Server blocks this name by default through its Global Query Block List. The way to unblock it is to edit the following registry entry. Under HKLM\System\CurrentControlSet\Services\DNS\Parameters open up “GlobalQueryBlockList” and delete the entry that says “wpad”. Then restart your DNS server. Now go back to one of the computers on that subnet and you should get the wpad.dat script. (MS reference KB: http://support.microsoft.com/kb/2003485 )

There’s one more thing to do. Go to your DHCP server, right-click and go to Scope Options, select “252”, then enter your string value. Mine is http://myserver/wpad.dat . Something to note on this address: I read that it may be case-sensitive, so just enter it in lowercase to save yourself the headache.
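For anyone who would rather script the DHCP, DNS and block-list steps above than click through the consoles, here is the same procedure in PowerShell. This is an added example, not part of the original post and not GFI’s code; it uses the DhcpServer and DnsServer modules that ship with Windows Server 2012 and later (the post used the Server 2008-era GUI). The zone name example.local, the scope 192.168.1.0 and the host name myserver are assumptions; substitute your own.

```powershell
# Added example (not from the original post): DHCP option 252, the wpad CNAME and the
# Global Query Block List change, scripted with the DhcpServer and DnsServer modules.
# Assumed values below; run on the DHCP/DNS server as an administrator.

$Zone    = 'example.local'             # assumption: your AD-integrated DNS zone
$ScopeId = '192.168.1.0'               # assumption: the DHCP scope for the remote subnet
$PacHost = "myserver.$Zone"            # assumption: the host that serves wpad.dat
$PacUrl  = 'http://myserver/wpad.dat'  # keep it lowercase (see KB 307502 in the references)

# 1. Option 252 is not predefined, so define it once, then set it on the scope.
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 252 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId 252 -Name 'wpad' -Type String `
        -Description 'WPAD autoconfiguration URL'
}
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 252 -Value $PacUrl

# 2. The wpad alias, pointing at the server that hosts the PAC file.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'wpad' -HostNameAlias $PacHost

# 3. Take "wpad" out of the Global Query Block List but keep the other entries (isatap).
#    The list exists because whoever owns the name "wpad" chooses the proxy for every
#    client that trusts it, so only unblock it once the CNAME above points at your server.
$block = Get-DnsServerGlobalQueryBlockList
$keep  = @($block.List | Where-Object { $_ -ne 'wpad' })
Set-DnsServerGlobalQueryBlockList -List $keep
Restart-Service -Name DNS

# 4a. Check on the server that the scope option is in place.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 252

# 4b. Check from a client on the other subnet: the alias resolves and the PAC is served
#     (these two lines are meant to be run on the client, not the server).
Resolve-DnsName -Name "wpad.$Zone" -Type CNAME
(Invoke-WebRequest -Uri 'http://wpad/wpad.dat' -UseBasicParsing).Content
```

On older servers without these modules, the block-list step is equivalent to `dnscmd /config /globalqueryblocklist isatap` followed by a DNS service restart, which is the command-line form of the registry edit described above. One caveat on what this deployment does and does not enforce: the PAC that GFI generates ends with `; DIRECT`, so a browser that cannot reach the proxy will go out directly; WPAD steers clients to the proxy, and it is your egress firewall rules that stop them from going around it.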

That should be it. Here are some reference and troubleshooting articles, as well as the other sources I pieced all of this information together from.

MS Lowercase Only
http://support.microsoft.com/kb/307502
Explanation of Blacklist
http://clintboessen.blogspot.com/2010/08/unable-to-resolve-wpad.html
MS Troubleshooting Automatic Connections
http://technet.microsoft.com/en-us/library/cc302643.aspx

Security info about WPAD and Man In the Middle Attacks.
http://perimetergrid.com/wp/2008/01/11/wpad-internet-explorers-worst-feature/
