Setting up Web Proxy Autodiscovery Protocol (WPAD) using DNS


To set up Web Proxy Autodiscovery Protocol (WPAD) using the DNS-only method, check the following:

  • The DNS method needs a DNS entry for a host named WPAD. This name must be resolvable from the client machines.
  • The web server must be configured to serve the WPAD file with a MIME type of “application/x-ns-proxy-autoconfig”.
  • A file named wpad.dat must be located in the WPAD Web server’s root directory.
  • The host at the WPAD address must be able to serve a Web page.

DNS server

A DNS entry is needed for a host named WPAD, in this context on the DNS server of the enterprise network, preferably the DNS server that clients use to resolve any DNS query. This entry should point to the server that will host the WPAD.DAT file, as discussed in the next section.

If your domain name is example.com, the client machine should be able to resolve your web server's IP address by looking up wpad.example.com.

Hosting the PAC file on a web server for clients to access

Host your Proxy Auto Configuration file on a web server. This should work in any web environment as long as the right configuration parameters are entered.

Assuming you are using Apache 2 on Redhat 5:

Make sure you have a working proxy.pac ready.

It is not recommended to host the WPAD file in a virtual host environment; use the default virtual host.

Upload the file to the server root: /var/www/html/proxy.pac

You can create a symlink to the proxy.pac file named wpad.dat.

Add the following lines to your /etc/httpd/conf/httpd.conf:

AddType application/x-ns-proxy-autoconfig .pac

# Used for configuring the auto-detect setting using DNS
AddType application/x-ns-proxy-autoconfig .dat

Restart/reload your web server (probably required).

Make sure the client can access this file using the URL http://wpad.example.com/wpad.dat
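
The access check above can be scripted. This is an added example, not part of the original post: it resolves wpad.<domain>, fetches /wpad.dat while bypassing any configured proxy, and checks the status code, the MIME type and the presence of FindProxyForURL. The function names, the script name check_wpad.py and the sample PAC body are assumptions made for illustration.

```python
import socket
import sys
import urllib.request

WPAD_MIME = "application/x-ns-proxy-autoconfig"
# Constructed sample PAC body; proxy.example.com:3128 is a placeholder.
SAMPLE_PAC = 'function FindProxyForURL(url, host) { return "PROXY proxy.example.com:3128; DIRECT"; }'

def audit_wpad_response(status, content_type, body):
    """Return a list of problems with a fetched wpad.dat (empty list means OK)."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status is {status}, expected 200")
    # Compare the media type only; parameters such as "; charset=..." are ignored.
    mime = (content_type or "").split(";")[0].strip().lower()
    if mime != WPAD_MIME:
        problems.append(f"Content-Type is {mime or 'missing'!r}, expected {WPAD_MIME!r}")
    if "FindProxyForURL" not in body:
        problems.append("body does not define FindProxyForURL")
    if "<html" in body.lower():
        problems.append("body looks like an HTML page, not a PAC script")
    return problems

def check_wpad(domain, timeout=5):
    """Resolve wpad.<domain>, fetch /wpad.dat without any proxy, and audit it."""
    host = f"wpad.{domain}"
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return [f"{host} does not resolve: {exc}"]
    # An empty ProxyHandler makes urllib ignore proxies set in the environment.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://{host}/wpad.dat", timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return audit_wpad_response(resp.status, resp.headers.get("Content-Type"), body)
    except OSError as exc:  # includes HTTP errors such as 404 and refused connections
        return [f"fetch from {host} ({addr}) failed: {exc}"]

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check, e.g. python check_wpad.py example.com
        result = check_wpad(sys.argv[1])
    else:                   # offline demo: sample body served with the wrong MIME type
        result = audit_wpad_response(200, "text/plain", SAMPLE_PAC)
    print("\n".join(result) or "wpad.dat is served correctly")
```

Run it from a client machine rather than from the web server itself, so that the DNS lookup goes through the resolver the clients actually use.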

Setting up client browsers to use Web Proxy Autodiscovery Protocol (WPAD) using GPO/Group Policy

If you are using Windows Professional machines in an enterprise network with Active Directory, you can configure Internet Explorer settings automatically via Group Policy Objects (GPO). A tool called FirefoxADM is available for Firefox which allows configuration; however, I haven’t tried out this tool, and it looks like its last update was over a year ago. Please share if you know of any better tool.

How to use GPO/Group Policy to configure enterprise-wide browser settings on a Windows network

You can configure all web browsers on the network to automatically detect proxy settings. This will work with IE and Chrome. Use Group Policy on the domain controller to enforce a Windows domain-wide configuration, using the following steps.

  1. On the domain controller run gpedit
  2. User configuration -> windows setting -> internet explorer maintenance -> connection -> automatic browser configuration
  3. Select automatically detect configuration setting

You can use “gpupdate /force” on the client machine to update Group Policy immediately.

You may use “gpresult /Z” or “gpresult /V” to check whether Group Policy is taking effect on your local PC/client PC.

Manually Setting up client browser to use Web Proxy Autodiscovery Protocol (WPAD)

Firefox

Option  -> network -> Settings

Select “auto-detect proxy setting for this network”

Chrome

Settings -> show advanced settings (at the bottom) -> Change proxy settings

Under connections tab click on LAN settings

Enable “automatically detect settings” (disable all other options)

IE

Tools -> internet option -> connection -> LAN setting

Enable “automatically detect settings” (disable all other options)

Check if the traffic is going through proxy

In my setup I have been using Squid as a proxy, so I watch “tail -f /var/log/squid/access.log” and check for requests from the client. Make sure any transparent proxy configuration is turned off to avoid a wrong reading.

Please share if you know of any other way to check from the client side.

If your traffic is passing through the proxy server, congratulations: you have successfully configured an automatic proxy configuration server with a PAC file.
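
Instead of watching the log scroll by, the access.log check described above can be done per client. This is an added example, not part of the original post: it summarises what Squid logged for one client IP, optionally only after the moment auto-detect was switched on. It assumes Squid's native access.log format; the function name and the sample log lines are constructed for illustration.

```python
import sys
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1348812345.123    210 192.168.1.23 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/198.51.100.7 text/html
1348812346.456     95 192.168.1.23 TCP_MISS/200 3021 CONNECT mail.example.net:443 - DIRECT/203.0.113.10 -
1348812347.789      3 192.168.1.40 TCP_DENIED/403 1400 GET http://blocked.example.org/ - NONE/- text/html
truncated line
"""

def client_summary(lines, client_ip, since=0.0):
    """Summarise what Squid logged for one client at or after `since` (epoch seconds)."""
    summary = {"requests": 0, "denied": 0, "hosts": set(), "last_seen": None}
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        try:
            stamp = float(fields[0])
        except ValueError:
            continue  # first field is not a timestamp
        client, action, method, url = fields[2], fields[3], fields[5], fields[6]
        if client != client_ip or stamp < since:
            continue
        summary["requests"] += 1
        if action.startswith("TCP_DENIED"):
            summary["denied"] += 1
        # CONNECT lines log "host:port"; other methods log a full URL.
        host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
        if host:
            summary["hosts"].add(host)
        summary["last_seen"] = stamp
    return summary

if __name__ == "__main__":
    # Usage: script [client_ip [log_path]]; without arguments the sample is used.
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.23"
    lines = open(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_LOG.splitlines()
    print(client_summary(lines, ip))
```

A client that shows zero requests after auto-detect was enabled is not sending its traffic to the proxy.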

Debug

If you are not getting the desired result you may try the following steps

Try setting up the auto configuration file manually and see if that works

Read the overview on proxy auto configuration on enterprise network

11 thoughts on “Setting up Web Proxy Autodiscovery Protocol (WPAD) using DNS”

  1. Dear Saad, thanks, the link https://tektab.com/2012/09/28/squid-t…s-ssl-traffic/ has done the job. But I am receiving the following error after entering the user name and password for my Gmail and Yahoo email accounts:

    Connection to 173.194.70.94 failed
    The system returned: (71) Protocol error
    the remote host or network may be down. Please try the request again.

    Please note: I am using two proxy servers in my environment, one for students and one for staff, and have more than 1500 hundred users. Unfortunately, for some reasons we have a workgroup environment, not a domain environment.

    Please help in this regard.
    Regards.

      1. That means your proxy is configured properly. The next thing you need to check is whether your wpad file is accessible from the client's machine.
        Try the URL http://wpad.example.com/wpad.dat and see if it is accessible without using any proxy server, where example.com is your search domain.
        The next step is to use http://wpad.example.com/wpad.dat
        Next, you can try using the automatic proxy configuration URL in your proxy settings (Firefox).
        Let me know if this helps.

        Thanks,

  2. Hi, I want to do the opposite. I want to totally turn off WPAD. I have a web service that is trying to use WPAD. But since it is not configured to use it, it adds a long delay while it tries it. But we don’t use any proxy. How do you ensure that WPAD is not used?
