
How to implement Web Proxy Auto-Discovery Protocol

Web Proxy Auto-Discovery Protocol, known as WPAD, is a protocol used by web browsers to locate the URL of a proxy configuration file using DHCP or DNS.

How does it work?

The computer running the web browser must be configured to detect settings automatically. In Internet Explorer it can be turned on here:

When the browser starts it tries to detect the WPAD URL. If it supports DHCP discovery, it sends a DHCPINFORM request on the network asking for the WPAD option. If no DHCP answer arrives, it falls back to DNS queries. Let’s assume our local domain is expo.domain.local. The client will try the following URLs:

  • http://wpad.expo.domain.local/wpad.dat
  • http://wpad.domain.local/wpad.dat

If these DNS lookups are not successful, the browser tries the URL built from the NetBIOS name: http://wpad/wpad.dat.

The exact behaviour depends on the browser’s WPAD implementation. Some browsers don’t use DHCP detection at all, and some also try the URL http://wpad.local/wpad.dat. I will describe only Internet Explorer’s behaviour.

Finally, when the browser retrieves the wpad.dat file from the WPAD URL, it parses the file and applies the proxy settings described in it.
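The discovery order described above (DHCP option first, then the DNS walk, then the NetBIOS name) as an added example; this is not code from the original post, and the stop rule for the DNS walk (never going above the organisation’s second-level domain) is an assumption stated in the comments:

```javascript
// Added example, not code from the original post: the discovery order
// described above, as Internet Explorer performs it. A URL delivered in
// DHCP option 252 wins and no DNS lookups are made; otherwise the client
// prepends "wpad" to its DNS suffix and strips the leftmost label one at a
// time, then finally tries the bare NetBIOS name.
function wpadCandidateUrls(dhcpOption252, dnsSuffix) {
  if (dhcpOption252) {
    return [dhcpOption252];
  }
  const labels = dnsSuffix.toLowerCase().split(".").filter(l => l.length > 0);
  const urls = [];
  // Assumed guard (the post lists the candidates but not the stop rule):
  // keep at least two labels after "wpad", so wpad.domain.local is tried
  // but wpad.local is not. Walking up to the top-level domain would hand
  // the lookup to whoever owns that name outside the organisation.
  for (let i = 0; labels.length - i >= 2; i++) {
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  urls.push("http://wpad/wpad.dat");  // unqualified NetBIOS name, last resort
  return urls;
}
```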

How to make it work?

Let’s assume we have DHCP and DNS services running on Windows Server, with IIS installed on the server as well. First of all we need to create a new IIS website:

We bind this website to port 80 and set the host name to wpad.domain.local. We create a new directory C:\inetpub\wpad that the website points to. Second, we need to define a new MIME type in IIS: click on the IIS server name in the IIS console, then click on MIME Types:

On the right side click the Add... action and define the new MIME type (.dat – application/x-ns-proxy-autoconfig):

In the directory C:\inetpub\wpad create a new file called wpad.dat with the following content:


function FindProxyForURL(url, host) {
    // Proxy exceptions: these destinations are reached directly.
    if (shExpMatch(url, "*intranet/*")) { return "DIRECT"; }
    if (shExpMatch(url, "*.domain.local/*")) { return "DIRECT"; }
    // Private address ranges are matched against host, not url: url begins
    // with "http://", so a pattern like "10.0.*" would never match it.
    if (shExpMatch(host, "10.0.*")) { return "DIRECT"; }
    if (shExpMatch(host, "192.168.*")) { return "DIRECT"; }
    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "PROXY 10.0.0.100:8080";
}

This file is in Proxy auto-config (PAC) format and is largely self-explanatory. It is a function which says that if the URL matches “*intranet/*”, “*.domain.local/*”, … the browser goes directly to that URL; those are the proxy exceptions. All other traffic is sent to the proxy server 10.0.0.100 on port 8080. The script can be far more advanced. Be aware that if you make a mistake in it, some stupid browsers (including Internet Explorer) will silently skip the whole script and not use it at all 🙂
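An added example, not code from the original post: a small harness that compiles and evaluates the PAC script the way a browser does, with a simplified re-creation of the standard shExpMatch helper. It shows why the address-range rules must be matched against host rather than url, and how a syntax error makes the whole script unusable (the case where Internet Explorer quietly browses without a proxy).

```javascript
// Added example, not code from the original post: a small harness that
// compiles and evaluates a PAC script the way a browser does. shExpMatch is
// a standard PAC helper; this is a simplified re-creation for offline use.

// Shell-style glob match: "*" matches any run of characters, everything
// else is literal.
function shExpMatch(str, pattern) {
  const parts = pattern.split("*")
    .map(p => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(str);
}

// The post's rules. The IP rules are matched against host: a URL starts
// with "http://", so shExpMatch(url, "10.0.*") can never be true.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*intranet/*")) { return "DIRECT"; }
  if (shExpMatch(url, "*.domain.local/*")) { return "DIRECT"; }
  if (shExpMatch(host, "10.0.*")) { return "DIRECT"; }
  if (shExpMatch(host, "192.168.*")) { return "DIRECT"; }
  return "PROXY 10.0.0.100:8080";
}`;

// Compile the script into a callable FindProxyForURL. Returns null when
// the script does not parse: that is the case where Internet Explorer
// discards the whole file and browses without a proxy.
function loadPac(source) {
  try {
    const factory = new Function("shExpMatch", source + "\nreturn FindProxyForURL;");
    return factory(shExpMatch);
  } catch (e) {
    return null;
  }
}

// Route one URL through a compiled PAC, deriving host the way the browser does.
function resolve(pac, url) {
  return pac(url, new URL(url).hostname);
}

const pac = loadPac(PAC_SOURCE);
console.log(resolve(pac, "http://10.0.5.7/app"));    // DIRECT
console.log(resolve(pac, "http://www.example.com/")); // PROXY 10.0.0.100:8080
```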

Now that our wpad.dat file is ready, check that it can be downloaded with a browser: just try to open http://wpad.domain.local/wpad.dat.

If that works, let’s tell the browsers where we have published the autoconfiguration file.

Publish in DHCP

First we need to create the new DHCP option 252:

  • Open the DHCP console
  • Right-click the DHCP server, select Set Predefined Options and then click Add
  • Enter wpad as Name, select String as Data type and enter 252 as Code
  • Click OK
  • Enter http://wpad.domain.local/wpad.dat in the Value String field
  • Click OK
  • Right-click Scope Options in the DHCP scope where you want to add option 252 and select Configure Options…
  • Scroll all the way down, select option 252 and click OK

That is all for the DHCP setup. Let’s look at the DNS setup.

Publish in DNS

Create a DNS A record wpad.domain.local pointing to the IP address of the server where the WPAD website runs. By default a Windows DNS server will not answer queries for the name “wpad”, for security reasons: “wpad” is on the DNS global query block list, which by default contains two names, wpad and isatap. To enable wpad we need to leave only isatap in the block list, which you can do with the command dnscmd /config /globalqueryblocklist isatap.

Remember

  • If the browser supports DHCP discovery and receives DHCP option 252, it will not perform DNS discovery
  • Some browsers don’t support DHCP discovery; only Internet Explorer and Konqueror support both the DHCP and DNS discovery methods

That’s all folks for today 🙂

  1. runco
    April 8th, 2014 at 21:45 | #1

    My reaction,

    In Microsoft Windows Vista and later, a new technology is implemented with the aim of increasing performance and reducing demands on network bandwidth. It concerns deciding when the autodiscover service should be used and when not. The proof is the registry branch:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Internet Settings\Wpad

    After deleting this branch, autodiscover works just as you described in the blog.

    Btw. what does Big Brother Microsoft say about it?
    – If your computer has been able to resolve Internet FQDN before, then proxy auto discovery will not be used for performance consideration
    – If your computer is being unable to perform auto discovery for several tries, then proxy auto discovery will be disabled for performance consideration

    I haven’t tested it on Windows 8.x 😉

    R.

  2. April 9th, 2014 at 09:41 | #2

    @runco
    Thanks for the question. Yes, you are right. It is even possible to force WPAD so that it is never switched off and always stays active. More is described at http://kb.k12usa.com/Knowledgebase/Proxy-Auto-Detect-WPAD-Issues-With-IE-Windows-7

    Thanks again for the question 🙂

  3. Michal_F
    April 15th, 2014 at 06:14 | #3

    Hi, another great article. In our environment, we use the DHCP 252 option with a standard .pac file and it works with all browsers.

    Nice part from wiki: “administrator should make sure that a user can trust all the DHCP servers in an organisation and that all possible wpad domains for the organisation are under control. Furthermore, if there’s no wpad domain configured for an organisation, a user will go to whatever external location has the next wpad site in the domain hierarchy and use that for its configuration. This allows whoever registers the wpad subdomain in a particular country to perform a man-in-the-middle attack on large portions of that country’s internet traffic by setting themselves as a proxy for all traffic or sites of interest.

    On top of these traps, the WPAD method fetches a JavaScript file and executes it on all users browsers, even when they have disabled JavaScript for viewing web pages”

  4. April 15th, 2014 at 06:47 | #4

    @Michal_F
    Yes, exactly. It is quite dangerous and open to abuse. But it is about as abusable as when you run another DHCP server in your network, hand out IP addresses from the range normally used on the network, only pushing your own DNS, and then you can redirect any website wherever you want. 🙂 So there are several ways to get at sensitive data 🙂
