A Comprehensive Guide to Utilizing WPAD (Web Proxy Auto-Discovery Protocol) on Windows

The WPAD (Web Proxy Auto-Discovery) protocol provides an easy way to configure proxy settings on network clients. WPAD is designed so that a client can use DHCP and/or DNS to locate a web server on your network that hosts a PAC configuration file with the proxy settings (http://yourdomain/wpad.dat).

Create Proxy Auto-Discovery File (wpad.dat)

A PAC (Proxy Auto Configuration) file defines the rules for proxy usage. For WPAD this file has a predefined name, wpad.dat. It contains rules that decide whether the client must use a proxy server when connecting to a particular resource (HTTP, HTTPS, or FTP) or may access it directly.

The wpad.dat file uses JavaScript syntax. You can set a default proxy server address, as well as exceptions and rules for when a client should (or should not) use a proxy for its connections.

Let’s look at a simple example of wpad.dat syntax:

function FindProxyForURL(url, host)
{
    // Loopback and localhost: connect directly
    if (shExpMatch(host, "127.0.0.1")) { return "DIRECT"; }
    if (shExpMatch(host, "localhost")) { return "DIRECT"; }
    // Private address ranges (all of 192.0.0.0/8 and 10.0.0.0/8): connect directly
    if (isInNet(host, "192.0.0.0", "255.0.0.0")) { return "DIRECT"; }
    if (isInNet(host, "10.0.0.0", "255.0.0.0")) { return "DIRECT"; }
    // Clients located in the 172.15.1.0/24 subnet use a dedicated proxy
    if (isInNet(myIpAddress(), "172.15.1.0", "255.255.255.0")) { return "PROXY prx2.woshub.com:8080"; }
    // Hosts in the internal corporate domain (dnsDomainIs does a suffix match, no wildcards)
    if (dnsDomainIs(host, ".corp.woshub.com")) { return "DIRECT"; }
    // shExpMatch is applied to the full URL, so the pattern must also cover the path
    if (
        shExpMatch(url, "http://*.woshub.com/*") ||
        shExpMatch(url, "https://*.woshub.com/*") ||
        shExpMatch(url, "ftp://*.woshub.com/*")
    ) { return "DIRECT"; }
    // Single-label hostnames are treated as local
    if (isPlainHostName(host)) { return "DIRECT"; }
    if (shExpMatch(host, "bank.example.com")) { return "DIRECT"; }
    // Microsoft sites go through a separate proxy
    if (shExpMatch(url, "*.microsoft.com*")) { return "PROXY prx2.woshub.com:8080"; }
    // Default proxy for everything else
    return "PROXY proxy.woshub.com:3128";
}

A PAC file usually contains a single FindProxyForURL function, which returns the proxy address the client should use for the requested URL. Here, the returned “DIRECT” directive means that a direct connection (without a proxy) is used for these IP addresses and domains. If the website a client wants to access does not match any rule in the WPAD file, the client uses the default proxy server (PROXY proxy.woshub.com:3128).

You can use any widely used proxy server, such as Squid or 3proxy.

The PAC file can also serve as a simple way to deny access to particular websites or to block advertising domains.

// Place these rules inside FindProxyForURL before the default return
var proxy_empty = "PROXY 127.0.0.1:3128"; // points to a non-existent proxy, so the request fails
if (shExpMatch(url, "*://twitter.com/*")) { return proxy_empty; }
if (shExpMatch(url, "*://spam.*")) { return proxy_empty; }
if (shExpMatch(url, "*doubleclick.net/*")) { return proxy_empty; }
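Before publishing a wpad.dat it is worth exercising its rules offline. The following harness is an added example, not code from the article: it implements the standard PAC helper functions in plain JavaScript and runs a condensed version of the rules above (including one of the blocking rules) against constructed sample URLs. It assumes a constructed client address for myIpAddress(), and its isInNet() only handles IP literals, since there is no DNS resolution offline.

```javascript
// Added example: offline harness for testing PAC rules (not from the article).
function shExpMatch(str, shexp) {
  // Shell-style glob: '*' matches any run of characters, '?' a single one
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ip2int(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(host, pattern, mask) {
  // Only IP literals are handled here; a browser would resolve hostnames first
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ip2int(host) & ip2int(mask)) === (ip2int(pattern) & ip2int(mask));
}
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function myIpAddress() { return "192.168.13.50"; } // constructed client address

// Condensed rules from the article plus one blocking rule that sends an ad
// domain to a non-existent proxy so that the request fails.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "localhost")) { return "DIRECT"; }
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) { return "DIRECT"; }
  if (isInNet(myIpAddress(), "172.15.1.0", "255.255.255.0")) { return "PROXY prx2.woshub.com:8080"; }
  if (dnsDomainIs(host, ".corp.woshub.com")) { return "DIRECT"; }
  if (isPlainHostName(host)) { return "DIRECT"; }
  if (shExpMatch(url, "*doubleclick.net/*")) { return "PROXY 127.0.0.1:3128"; }
  if (shExpMatch(url, "*.microsoft.com*")) { return "PROXY prx2.woshub.com:8080"; }
  return "PROXY proxy.woshub.com:3128";
}

// Evaluate each sample URL and return a {url: decision} map for review
function evaluatePac(urls) {
  const decisions = {};
  for (const u of urls) {
    decisions[u] = FindProxyForURL(u, new URL(u).hostname);
  }
  return decisions;
}

const SAMPLE_URLS = [ // constructed test inputs
  "http://10.1.2.3/status", "http://intranet/", "https://files.corp.woshub.com/x",
  "https://ad.doubleclick.net/track", "https://www.microsoft.com/en-us", "https://example.org/",
];
console.log(evaluatePac(SAMPLE_URLS));
```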

Different OS versions have restrictions on the maximum size of the PAC file. For Windows, the size of the wpad.dat file should not exceed 1 MB.

Put wpad.dat on an HTTP web server in your local network and allow all users to read it. You can use a Linux-based (nginx, apache, lighttpd) or Windows-based (IIS or a simple HTTP server based on PowerShell) web server.

In this example, I will publish wpad.dat on an IIS web server on a domain controller. Copy wpad.dat to C:\inetpub\wwwroot.

If there are non-domain clients on your network, grant IUSR and IIS APPPOOL\DefaultAppPool read-only permissions on the IIS folder.

Launch the IIS Manager (inetmgr), navigate to MIME Types in the IIS website settings, and add a new type:

  • File name extension: .dat
  • MIME type: application/x-ns-proxy-autoconfig

Restart IIS afterwards.

Configuring WPAD Records in DHCP or DNS

The next step involves configuring DHCP servers or DNS records so that clients are able to discover the PAC file.

If you are using a DHCP server, the WPAD address can be handed to clients with DHCP option 252. Below is an example for a DHCP server running on Windows Server:

  1. Open the DHCP console (dhcpmgmt.msc), click the IPv4 section, and select ‘Set Predefined Options’;
  2. Click the ‘Add’ button and create an entry with the following options:
    • Name: WPAD
    • Data type: string
    • Code: 252
  3. After clicking OK, specify the address of your WPAD host (http://wpad.woshub.com);
  4. Finally, go to ‘Scope Options’ and enable the 252 WPAD option (or set it in the ‘Server Options’ section).

Alternatively, create an A or CNAME DNS record for the wpad name in your domain.

If you are using Active Directory, note that the Microsoft DNS server blocks resolution of the wpad and isatap names by default (the global query block list). You can check this by running the following command:

dnscmd mun-dc02 /info /globalqueryblocklist

To allow these names to be resolved, disable the block list entirely:

dnscmd mun-dc02 /config /enableglobalqueryblocklist 0

Alternatively, clear the list:

dnscmd /config /globalqueryblocklist

and then put only isatap back on it, so that wpad becomes resolvable while isatap stays blocked:

dnscmd /config /globalqueryblocklist isatap

Make the same changes to all DNS servers.

Then create an A record with the name wpad that points to your web server where the WPAD file is located. You can create an A record manually in the DNS Manager dnsmgmt.msc or by using the Add-DnsServerResourceRecordA PowerShell cmdlet:

Add-DnsServerResourceRecordA -Name wpad -IPv4Address 192.168.13.10 -ZoneName woshub.loc -TimeToLive 01:00:00

How to Configure Browsers for WPAD

Now you need to configure the browsers so that they detect the PAC file automatically at startup. To do this, enable the Automatically detect settings option (Tools > Internet Options > Connections > LAN Settings) in the Internet Explorer settings, or in the Windows proxy settings in the Settings app (quick URI: ms-settings:network-proxy).

This option can be enabled centrally with the Group Policy Preferences item User Configuration -> Preferences -> Control Panel Settings -> Internet Settings -> New -> Internet Explorer 10.

To learn more about setting up proxy server settings using GPO, you can refer to this link.

At startup, browsers on client devices look up the wpad entry in DNS (or obtain it from DHCP). If a WPAD host is found on the network, the client downloads the http://wpad.%domain%/wpad.dat file, executes the JavaScript function in it, and applies the proxy directives from the PAC file.

Windows first looks up the wpad name in DNS, then via Link-Local Multicast Name Resolution (LLMNR), and finally via NetBIOS (NBNS). If LLMNR and NetBIOS are disabled, only the DNS lookup is used. Because any host on the local segment can answer LLMNR and NetBIOS queries, make sure the wpad DNS record exists (or disable WPAD on clients, as described below) rather than relying on those fallbacks.

To verify if your browser applies the PAC file while accessing the Internet (for Chromium-based web browsers: Google Chrome, Opera, Microsoft Edge), follow these steps:

  1. Launch a browser and navigate to chrome://net-export/
  2. Choose Strip private information and click on Start Logging to Disk;
  3. Next, specify the JSON file name for saving data;
  4. Select Stop Logging;
  5. Open the JSON file in any text editor and search for proxySettings. In this example, the browser utilizes the proxy settings from wpad.dat as shown below:

    "proxySettings":{"effective":{"pac_url":"http://wpad/wpad.dat"},"original":{"auto_detect":true,"from_system":true}}
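The same check can be automated for a fleet of clients. The following is an added example, not part of the article: it reads a net-export JSON dump, locates the proxySettings object by a recursive search (so no assumption is made about where exactly the key sits in the real file), and reports whether the effective PAC URL is the expected one. The sample dump is constructed from the excerpt above.

```javascript
// Added example: verify the effective PAC URL in a chrome://net-export dump (not from the article).
function findKey(node, key) {
  // Depth-first search for the first object that has the given own property
  if (node === null || typeof node !== "object") return undefined;
  if (Object.prototype.hasOwnProperty.call(node, key)) return node[key];
  for (const child of Object.values(node)) {
    const found = findKey(child, key);
    if (found !== undefined) return found;
  }
  return undefined;
}

// Returns { ok, pacUrl, reason } so the outcome can be acted on, not just printed
function checkPacSource(netExportJson, expectedPacUrl) {
  const settings = findKey(JSON.parse(netExportJson), "proxySettings");
  if (!settings) return { ok: false, pacUrl: null, reason: "no proxySettings in dump" };
  const pacUrl = settings.effective && settings.effective.pac_url;
  if (!pacUrl) return { ok: false, pacUrl: null, reason: "no PAC in effect (direct or fixed proxy)" };
  if (pacUrl !== expectedPacUrl) return { ok: false, pacUrl, reason: "unexpected PAC URL" };
  return { ok: true, pacUrl, reason: "PAC URL matches" };
}

// Constructed sample, shaped like the proxySettings excerpt shown above
const SAMPLE_DUMP = JSON.stringify({
  polledData: {
    proxySettings: {
      effective: { pac_url: "http://wpad/wpad.dat" },
      original: { auto_detect: true, from_system: true },
    },
  },
});
console.log(checkPacSource(SAMPLE_DUMP, "http://wpad/wpad.dat"));
```

A result with ok: false and reason "unexpected PAC URL" indicates that the client is applying a PAC file from a source other than the one you published.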

If you want to block the use of WPAD on a Windows computer, create a DWORD value named DisableWpad with the data 1 under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp.

Configuring proxy settings with a WPAD (PAC) file provides flexibility that cannot be achieved by setting a proxy through Windows GPO alone. WPAD is supported on Windows, Linux, macOS, and other operating systems, as well as on mobile devices.
