Monday, March 9, 2015

WPAD What?

If you've ever wanted to simplify your corporate network's browser settings, this post describes just that.

There are 4 key factors to make this work:
  1. You are using a proxy for internet access.
  2. You are using Microsoft Group Policy to set or adjust the system proxy and IE settings.
  3. You have access to internal DNS.
  4. You will need a proxy.pac or wpad.dat file. In this example, we will use wpad.dat.

1. The proxy server in this example is used to control users' internet access via Microsoft Active Directory group membership. For example, if Bob is a member of the group "InetAccessFull", the proxy checks this membership and grants him full access to the internet. If Bob is instead a member of "InetAccessLimited", the proxy server only grants him access to a set of filtered sites.
My particular proxy will also host the wpad.dat file. I will not go into detail on how to host it, because proxy settings vary widely, but it is hosted just like any other file on a website. In this example, the URL to access it would be http://proxy.example.com/wpad.dat

2. With IE9 and later, Microsoft added Internet Explorer settings to Group Policy Preferences.

You will need to add an item for each browser version you need to support in your environment. Here I have added 8, 9 and 10; IE 11 is covered by the version 10 settings.
To set the system proxy settings correctly, configure the GPO item so that, under Internet Options -> Connections -> LAN Settings, "Automatically detect settings" is checked!

This is the IE default, but the policy enforces it in case a user decides to change it. With it enabled, IE (or any other browser that supports WPAD) looks up a specific DNS name on the LAN, wpad.example.com, and fetches the configuration script from http://wpad.example.com/wpad.dat.

3. Create a DNS host record or alias for wpad.example.com -> proxy.example.com. If you are using Microsoft DNS, you will need to perform an additional step: the DNS server's global query block list blocks the name "wpad" by default (precisely because a rogue wpad record would redirect every client's web traffic), so the name must be removed from that list before the record will resolve. Make sure the record points only at your own proxy.
After completion, try a test ping to wpad.example.com; it should now resolve and respond.

4. The wpad.dat file is a small JavaScript script containing a function, FindProxyForURL, that the browser evaluates for each request to decide whether to go DIRECT (for certain LAN segments) or through the proxy (for the internet).
Here is a snippet of code to get you started; keep in mind that this is very basic:

function FindProxyForURL(url, host) {

    // Do not proxy local plain host names (names with no dots, e.g. "fileserver")
    if (isPlainHostName(host)) {
        return "DIRECT";
    }

    // Exceptions that do not need to be proxied
    if ((host == "80.80.20.20") ||
        (dnsDomainIs(host, ".the-example.com")) ||
        (dnsDomainIs(host, ".another-example.com"))) {
        return "DIRECT";
    }

    // Do not proxy the local LAN subnet
    // (isInNet() resolves host names via DNS, so it sits after the cheap checks)
    if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }

    // Do not proxy local example.com domain addresses
    if (dnsDomainIs(host, ".example.com")) {
        return "DIRECT";
    }

    // Default return condition is the proxy, since it's assumed that everything
    // else is on the Internet.
    return "PROXY proxy.example.com:9090";
} // End of function

Save the file as wpad.dat and upload to your web server or proxy server of choice.
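An offline harness for the script above, added here as an example and not part of the original post: it re-implements the three PAC helpers the script calls (isPlainHostName, dnsDomainIs, isInNet) over a constructed host-to-IP table standing in for internal DNS, then evaluates a set of sample URLs so the bypass rules can be checked before the file is published. The FAKE_DNS entries, the sample URLs and the evaluatePac wrapper are assumptions.

```javascript
// Offline harness for the wpad.dat above: re-implements the PAC helpers it calls
// over a constructed host table so the rules can be checked without live DNS.

// Constructed host -> IP table standing in for the internal DNS (assumption).
const FAKE_DNS = {
  "fileserver": "192.168.20.7",
  "intranet.example.com": "192.168.10.5",
  "www.the-example.com": "80.80.20.21",
  "example.com": "203.0.113.10",
  "www.google.com": "142.250.1.1",
};
// Minimal versions of the standard PAC helper functions.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.length >= domain.length && host.endsWith(domain); }
function dnsResolve(host) { return FAKE_DNS[host] || null; }
function ipToInt(ip) { return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0; }
function isInNet(host, pattern, mask) {
  const ip = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;  // unresolvable name: PAC engines treat this as "not in net"
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// The post's FindProxyForURL, unchanged except for whitespace.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if ((host == "80.80.20.20") ||
      dnsDomainIs(host, ".the-example.com") ||
      dnsDomainIs(host, ".another-example.com")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (dnsDomainIs(host, ".example.com")) return "DIRECT";
  return "PROXY proxy.example.com:9090";
}
// Evaluate the PAC for every URL and return { url: decision }.
function evaluatePac(urls) {
  const out = {};
  for (const url of urls) out[url] = FindProxyForURL(url, new URL(url).hostname);
  return out;
}

// Constructed sample URLs covering each rule, plus the apex-domain edge case.
const SAMPLE_URLS = [
  "http://fileserver/share",        // plain name                    -> DIRECT
  "http://intranet.example.com/",   // 192.168/16 and .example.com   -> DIRECT
  "http://192.168.33.4/",           // literal LAN address           -> DIRECT
  "http://www.the-example.com/",    // exception list                -> DIRECT
  "http://example.com/",            // apex does not end with ".example.com" -> PROXY
  "https://www.google.com/",        // everything else               -> PROXY
];
console.log(evaluatePac(SAMPLE_URLS));
```

Note that the bare apex "example.com" still goes through the proxy, since dnsDomainIs is a suffix match on ".example.com"; that is the safer default, but add an explicit rule if the apex should bypass the proxy.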

This is by far one of the simplest ways of enabling proxy access on a corporate LAN through a script. Moreover, iOS, Android and many other devices support this method as well!
First Post
Initial posting for the start of my new blog.
The scope of this blog will include tidbits from my professional career relating to Microsoft products such as Exchange, Lync, Server, etc. Random tidbits from dark-age telephony to virtualization may also appear.