How to implement Web Proxy Auto-Discovery Protocol
Web Proxy Auto-Discovery Protocol (WPAD) is a protocol used by web browsers to locate the URL of a proxy configuration file using DHCP or DNS.
How does it work?
The computer running the web browser must be configured to detect settings automatically. In Internet Explorer this is turned on in the browser's settings.
When the browser starts it tries to detect the WPAD URL. If the browser supports DHCP discovery it sends a DHCPINFORM request on the network asking for the WPAD option. If the client gets no DHCP answer it falls back to DNS queries. Let's assume we have the local domain expo.domain.local. The client will try the following URLs, in this order:
- http://wpad.expo.domain.local/wpad.dat
- http://wpad.domain.local/wpad.dat
If neither DNS name resolves, the browser tries the URL with the NetBIOS name http://wpad/wpad.dat.
This behaviour depends on the WPAD implementation in the browser. Some browsers don't use DHCP detection at all, and some will also try the URL http://wpad.local/wpad.dat. I will describe only the Internet Explorer behaviour.
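The discovery order above as a small function, added here as an example and not taken from the original post: given a client's FQDN it builds the candidate wpad.dat URLs from the most specific domain upward, stops before the domain would shrink below two labels (so no lookup leaves the organisation's own DNS namespace, which is what makes a query for wpad.local undesirable), and finishes with the NetBIOS fallback. The sample FQDN and the minLabels guard are assumptions of the example, not something the post specifies.

```javascript
// Added example: reproduces the DNS devolution order described above for
// Internet Explorer. Not code from the original post; the client FQDN below
// is a constructed sample value.
function wpadCandidates(clientFqdn, minLabels = 2) {
  const labels = clientFqdn.toLowerCase().split(".").filter(Boolean);
  const urls = [];
  // Drop the host label, then walk up the domain tree one label at a time.
  for (let i = 1; i < labels.length; i++) {
    const domain = labels.slice(i);
    // Stop once fewer than minLabels labels remain, so the walk never reaches
    // the bare TLD (no "wpad.local", no "wpad.com") and stays inside the
    // organisation's own namespace.
    if (domain.length < minLabels) break;
    urls.push(`http://wpad.${domain.join(".")}/wpad.dat`);
  }
  // Last resort from the post: the bare NetBIOS-style name.
  urls.push("http://wpad/wpad.dat");
  return urls;
}

// Constructed sample client name in the post's expo.domain.local domain.
const candidates = wpadCandidates("pc01.expo.domain.local");
console.log(candidates.join("\n"));
```

Raising minLabels to 3 would make the walk stop after wpad.expo.domain.local; the default of 2 reproduces exactly the two DNS URLs listed above followed by the NetBIOS fallback.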
Finally, when the browser has fetched the wpad.dat file from the WPAD URL, it parses the file and applies the proxy settings it describes.
How to make it work?
Let's assume DHCP and DNS services are running on Windows Server, and that IIS is installed on the server as well. First of all we need to create a new IIS website.
We bind this website to port 80 with the host name set to wpad.domain.local, and create a new directory C:\inetpub\wpad as the directory the website points to. Second, we need to define a new MIME type in IIS: click the IIS server name in the IIS console, then click MIME Types.
On the right side click the Add... action and define the new MIME type (.dat – application/x-ns-proxy-autoconfig).
In the directory C:\inetpub\wpad create a new file called wpad.dat with the following content:
    function FindProxyForURL(url, host) {
        // Proxy exceptions: these destinations are reached directly, bypassing the proxy.
        if (shExpMatch(url, "*intranet/*")) { return "DIRECT"; }
        if (shExpMatch(url, "*.domain.local/*")) { return "DIRECT"; }
        // Address ranges are matched against host rather than the full URL, so the
        // scheme prefix (http://) does not stop the glob from matching.
        if (shExpMatch(host, "10.0.*")) { return "DIRECT"; }
        if (shExpMatch(host, "192.168.*")) { return "DIRECT"; }
        // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
        return "PROXY 10.0.0.100:8080";
    }
This file is in the Proxy auto-config (PAC) format and is largely self-explanatory. It is a function that says: if the URL matches "*intranet/*", "*.domain.local/*", and so on, the browser goes directly to that URL. Those are the proxy exceptions. All other traffic is sent to the proxy server 10.0.0.100 on port 8080. The script can be much more advanced than this. Be aware that if you make a mistake in it, some browsers (including Internet Explorer) will silently skip the whole script and not use it 🙂
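To catch the "one mistake and the browser silently skips the whole script" failure before publishing, the PAC can be loaded and exercised outside a browser. The following Node.js script is an added example, not code from the original post: it supplies minimal versions of the PAC helper functions (shExpMatch, dnsDomainIs, isPlainHostName), compiles the PAC text the way a browser would, reports a syntax error instead of ignoring it, and runs constructed sample URLs through FindProxyForURL. The embedded PAC is the post's wpad.dat with the address rules matched against host rather than url; the sample URLs are constructed.

```javascript
// Added example, not part of the original post: load a PAC script with the
// standard helper functions supplied, surface syntax errors, and evaluate a
// few sample URLs. The PAC text is the post's wpad.dat (proxy 10.0.0.100:8080
// is the post's value); the sample URLs are constructed.
const pacText = `
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*intranet/*"))      { return "DIRECT"; }
  if (shExpMatch(url, "*.domain.local/*")) { return "DIRECT"; }
  if (shExpMatch(host, "10.0.*"))          { return "DIRECT"; }
  if (shExpMatch(host, "192.168.*"))       { return "DIRECT"; }
  // DEFAULT RULE: all other traffic goes to the proxy.
  return "PROXY 10.0.0.100:8080";
}
`;

// Minimal implementations of the PAC helpers a script may call.
// shExpMatch: shell-style glob over the whole string; * matches any run of
// characters and ? exactly one. Regex metacharacters in the pattern are escaped.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isPlainHostName(host) { return !host.includes("."); }

// Compile the PAC text as a function body with the helpers in scope.
// A malformed script throws a SyntaxError here, which is the point: we see
// the error instead of a browser quietly discarding the whole file.
function loadPac(text) {
  const factory = new Function(
    "shExpMatch", "dnsDomainIs", "isPlainHostName",
    text + "\n;return typeof FindProxyForURL === 'function' ? FindProxyForURL : null;"
  );
  const findProxyForURL = factory(shExpMatch, dnsDomainIs, isPlainHostName);
  if (!findProxyForURL) throw new Error("wpad.dat defines no FindProxyForURL");
  // Browsers pass the bare host name as the second argument.
  return (url) => findProxyForURL(url, new URL(url).hostname);
}

// Returns the error name for a PAC that fails to load, or null if it loads.
function pacError(text) {
  try { loadPac(text); return null; } catch (e) { return e.name; }
}

// Returns a map of sample URL -> proxy decision; throws if the PAC is broken.
function evaluateSamples(text, urls) {
  const findProxy = loadPac(text);
  const result = {};
  for (const u of urls) result[u] = findProxy(u);
  return result;
}

// Constructed sample URLs covering each rule plus the default.
const sampleUrls = [
  "http://intranet/portal",
  "http://files.domain.local/share",
  "http://10.0.0.5/",
  "http://192.168.1.20/admin",
  "http://www.example.com/",
];

// A deliberately broken copy: the final closing brace is removed.
const brokenPac = pacText.replace(/}\s*$/, "");

console.log(evaluateSamples(pacText, sampleUrls));
console.log("broken PAC:", pacError(brokenPac));
```

Running the good PAC prints DIRECT for the first four URLs and PROXY 10.0.0.100:8080 for www.example.com; the broken copy is reported as a SyntaxError rather than loading. Running every new rule through a harness like this before copying the file to C:\inetpub\wpad is cheap insurance against an exception list that quietly stops applying.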
Now that our wpad.dat file is ready, we can check whether it can be downloaded with a browser. Just try to download http://wpad.domain.local/wpad.dat.
If everything works, let's tell the browsers that we have published an autoconfiguration file.
Publish in DHCP
First we need to create the new DHCP option 252:
- Open the DHCP console
- Right-click the DHCP server, select Set Predefined Options, and then click Add
- In Name type wpad, for Data type select String, and for Code type 252
- Click OK
- Enter the value http://wpad.domain.local/wpad.dat in the Value String field
- Click OK
- Right-click Scope Options in the DHCP scope where you want to add option 252 and select Configure Options…
- Scroll all the way down, select option 252, and click OK
That is all for the DHCP setup. Let's look at the DNS setup.
Publish in DNS
You need to create a DNS A record wpad.domain.local pointing to the IP address where the WPAD website runs. By default, Windows DNS servers will not answer queries for the name "wpad". This is for security reasons: "wpad" is on the DNS global query block list by default. The default block list contains two names, wpad and isatap. To enable wpad we need to leave only isatap in the block list, which you can do with the command dnscmd /config /globalqueryblocklist isatap.
Remember
- If the browser supports DHCP discovery and receives a DHCP option 252, it will not do DNS discovery
- Some browsers don't support DHCP discovery. Only Internet Explorer and Konqueror support both the DHCP and DNS discovery methods
That’s all folks for today 🙂