We can use WPAD to automate the proxy setting process.

Deploy with IIS


The hosting web server must be also set to serve .dat files as “application/x-ns-proxy-autoconfig” mime types and the wpad.dat file should be located at the web site’s root directory. For example in an IIS configuration, you should do the following:

  • Go to Start –> settings –> control panel –> administrative tools –> Internet Information Services (IIS) Manager
  • Click the web site node in which you are going to host the wpad.dat file (for example Default Web Site)

Double Click  MIME Types button

  • In the “MIME Types” dialog box press Add…, type .dat in the extension field and application/x-ns-proxy-autoconfig in the MIME Type field, and press OK.
  • Return back to IIS Manager and right click the web site node in which you are going to host the wpad.dat file (for example Default Web Site) and select explore.
  • Right click somewhere in the right pane of the IIS snap-in and select new –> text document.
  • Rename the document to wpad.dat.


Editing the wpad.dat file


The wpad.dat file you have created in a previous step should be populated with a javascript in order to instruct the web browser how to configure its proxy settings. A sample configuration is illustrated below:

function FindProxyForURL(url, host) {
// our local URLs from the domains below mydomain.com don't need a proxy: 
if (shExpMatch(url,"*.mydomain.com/*")) {return "DIRECT";}
if (shExpMatch(url, "*.mydomain.com:*/*")) {return "DIRECT";}
// Client computers within this network are accessed through 
// port 8080 on proxy1.mydomain.local: 
if (isInNet(MyIPAdress(), "", ""))
{return "PROXY proxy1.mydomain.local:8080";
// All other requests go through port 8080 of proxy2.mydomain.local. 
// should that fail to respond, go directly to the WWW: 
return "PROXY proxy2.mydomain.local:8080; DIRECT";

Publishing the file location

In the example above, you are directing the web browser to use proxy1.mydomain.local on port 8080 in case the client computer belongs to network (script marked with red). In case the client does not belong to the network, all web traffic will go through proxy2.mydomain.local and if proxy2 fails to respond, it will try to go directly (script marked with orange). Finally, we instruct the web browser to bypass proxies in case the URL contains the .mydomain.com string (script marked with green). Note that you can add more rules by just adding lines to your configuration file.

To publish the file location you need to either setup a DHCP option or setup a DNS record. To setup the DHCP option in a windows DHCP server you need to do the following:

  • Go to Start –> settings –> control panel –> administrative tools –> DHCP
  • Right click the DHCP server name and select “set predefined options”
  • In the Predefined options dialog box press “add”
  • In the option type dialog box set the following values:
    Name: WPAD
    Data Type: String
    Code: 252
    Description: WPAD Auto Config Key
  • Go back to DHCP snap-in and right click either your scope or server options.
  • Select “Configure Options…”
  • In the scope options dialog box select the 252 option and in the string value type your wpad.dat file location (like http://wpad.mydomain.local/wpad.dat) and press OK.
Configure DNS


Finally, to configure your DNS server, you need to add a WPAD A or CNAME record for the server hosting your wpad.dat file (for example wpad.mydomain.local).


Note, that if you are planning to use a windows DNS server you have to take care of the Global Query Block list which introduced in windows 2008 and later operating systems. The global query block list by default prevents the resolution of wpad and isatap hostnames.

To remove WPAD from this list, first we check the current status:

C:\> dnscmd /info /GlobalQueryBlockList  
Query result:  
String: wpad  
String: isatap  

To reconfigure the current block list, use the /config switch with DNSCMD as follows:

C:\> dnscmd /config /GlobalQueryBlockList isatap 

The previously mentioned command would remove WPAD from the Global Query Block list, and would leave only isatap in the list, which is there by default.

Here is the registry location where you could view/modify/disable the Global Query Block List:


REG_DWORD: EnableGlobalQueryBlockList 
REG_MULTI_SZ: GlobalQueryBlockList
Configure the client

By now the client should be able to read the DHCP options when they try to lease IP address from DHCP server. But we still need to make sure the system is automatically read the Proxy info from the wpad file. Most of the OS are configured to automatically detect settings by default, To make sure this will happen, you can do it from group policy for windows machine.

Go to Group Policy management Editor, create a new GPO, and go to User Configuration/Preferences/Control Panel Settings/Internet Settings, right click Internet Settings, new, choose the right version for you, or choose Internet explorer 10 for all version later than 10.

Go to Connections Tab, click LAN settings button, tick Automatically detect settings.

Link this GPO to the users OU you want to enforce.