Saturday, August 9, 2008

Tutorial Automatic Proxy


Several of my clients have asked for a way to have browsers automatically pick up proxy settings if the PC (usually a laptop) is on the local LAN, but not use a proxy server if the PC is not on the local LAN. For instance, a laptop that moves between a home network with no proxy server and the office LAN, which has a BorderManager server.

The browser can be configured with a simple PROXY.PAC file. The PROXY.PAC file can be quite complex, providing for load-balancing, fault tolerance, or other uses. I would be happy to produce a custom proxy.pac file for you (as a paid consulting project). The examples here are pretty basic.

I have tested this PROXY.PAC file on Netscape, Mozilla, Firefox, Opera and Internet Explorer on Windows XP Professional and Windows 2000 Professional.

Note: This is not a method for remotely or permanently setting the proxy settings, which can be done in a number of ways (ZENworks, login script, proxy configuration files from Netscape or Microsoft, etc.). I will assume that you will visit the workstations and enter the proxy settings as necessary to point to the PROXY.PAC file. If the PC is to be moved off the local LAN, you will also need to copy the file to the PC.
How it works:

The .PAC file checks the local IP subnet address of the PC, and branches with an IF / ELSE statement. If the PC is located in a subnet that matches, a proxy server is used. If the PC is on any other subnet, a direct connection is used instead of the proxy.
Code:
function FindProxyForURL(url, host)
{
    // Use the proxy only when the PC's own address is in the office subnet;
    // anywhere else (home, hotel) connect directly.
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        return "PROXY 192.168.1.1:8080";
    else
        return "DIRECT";
}

In my example file #1, I check whether the PC's own IP address (myIpAddress()) is in the 192.168.1.0 (255.255.255.0) subnet. If it is, I tell the browser to use a proxy at IP address 192.168.1.1, using port 8080. Obviously, you may need to change the subnet, subnet mask and proxy address/port for your LAN configuration.

There are methods which can be used to check for multiple subnets in case you have more than one internal LAN subnet. Ask in the Novell Public Forums about more complex PROXY.PAC files. (Or hire me to develop one for your environment!)

Download my example PROXY.PAC file #1 HERE (simple version)
More Complex Version

I have had a number of occasions where I needed to bypass the http proxy for a particular web site. This is easily done with a PROXY.PAC file, by putting in an IF statement with the proper syntax. (You can have lots of IF statements if you want to do this for multiple web sites.)

Here is an example that bypasses proxy for a particular web site (principia.mo.techpaths.com) that was giving grief when going to it through the HTTP Proxy:

Code:
function FindProxyForURL(url, host)
{
    // Bypass the proxy for this one site (it gave grief through the HTTP Proxy)
    if (shExpMatch(url, "http://principia.mo.techpaths.com*")) {
        return "DIRECT";
    }
    // Otherwise proxy when on the office subnet, go direct anywhere else
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        return "PROXY 192.168.1.1:8080";
    else
        return "DIRECT";
}


You can download this version of PROXY.PAC here.
Slightly More Complex PROXY.PAC Example - Multiple Proxy Bypass URLs (not for laptops)

In this example you can add multiple URLs that should NOT use a proxy, and then proxy everything else. There is no check for the local network here, so it would not be a good example for a laptop that moves between networks.

Code:
function FindProxyForURL(url, host)
{
    // Strings to return
    var proxy_yes = "PROXY 192.168.1.1:8080";
    var proxy_no  = "DIRECT";
    // Sites that must not go through the proxy (add one line per site)
    if (shExpMatch(url, "http://www.mycompanywebsite.com*")) { return proxy_no; }
    if (shExpMatch(url, "http://www.myotherwebsite.com*"))   { return proxy_no; }
    if (shExpMatch(url, "http://www.my3rdlocalsite.com*"))   { return proxy_no; }
    // Proxy anything else
    return proxy_yes;
}

Even More Complex PROXY.PAC Example - Multiple Proxy Bypass URLs with Local Address Check

In this example you can add multiple URLs that should NOT use a proxy, and then proxy everything else. This version does check for the local network, so you can use it on a laptop.

Code:
function FindProxyForURL(url, host)
{
    // Strings to return
    var proxy_yes = "PROXY 192.168.1.1:8080";
    var proxy_no  = "DIRECT";
    // Sites that must not go through the proxy (add one line per site)
    if (shExpMatch(url, "http://www.mycompanywebsite.com*")) { return proxy_no; }
    if (shExpMatch(url, "http://www.myotherwebsite.com*"))   { return proxy_no; }
    if (shExpMatch(url, "http://www.my3rdlocalsite.com*"))   { return proxy_no; }
    if (shExpMatch(url, "http://192.168.1.100*"))            { return proxy_no; }
    // Proxy everything else, but only if the PC is on the local LAN
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        return proxy_yes;
    else
        return proxy_no;
}
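The multiple-subnet check mentioned under the simple version and the bypass list just shown, combined into one file. This is an added example, not one of the author's downloadable PROXY.PAC files: the subnets, host names and proxy address are constructed, and the helper functions after the marker comment are stand-ins for what the browser provides, so the file can be run and checked under Node before it is deployed.

```javascript
// Added example, not one of the author's files. A PROXY.PAC that recognises
// several office subnets and bypasses the proxy for a list of internal hosts
// (all addresses and names below are constructed). Everything after the
// "offline test helpers" marker only stands in for functions the browser
// provides; delete it before deploying the file (or renaming it WPAD.DAT).
var localSubnets = [
  ["192.168.1.0", "255.255.255.0"],
  ["192.168.2.0", "255.255.255.0"],
  ["10.10.0.0",   "255.255.0.0"]
];
// Matched against the host (not the URL) so https:// requests are bypassed too.
var bypassHosts = ["www.mycompanywebsite.com", "*.techpaths.com", "192.168.1.100"];
var proxy_yes = "PROXY 192.168.1.1:8080";
var proxy_no  = "DIRECT";

function FindProxyForURL(url, host) {
  for (var b = 0; b < bypassHosts.length; b++) {
    if (shExpMatch(host, bypassHosts[b])) return proxy_no;
  }
  var me = myIpAddress();
  for (var i = 0; i < localSubnets.length; i++) {
    if (isInNet(me, localSubnets[i][0], localSubnets[i][1])) return proxy_yes;
  }
  return proxy_no; // off the LAN (home, hotel): no proxy is reachable, go direct
}

// ---- offline test helpers: stand-ins for the browser's PAC functions ----
function ip2int(ip) {
  return ip.split(".").reduce(function (a, p) { return ((a << 8) | Number(p)) >>> 0; }, 0);
}
function isInNet(ip, net, mask) {
  var m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(net) & m) >>> 0);
}
function shExpMatch(s, pattern) { // shell glob: only * and ? are special
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(s);
}
var testLocalIp = "192.168.1.50";
function myIpAddress() { return testLocalIp; }
// Evaluate the PAC as if the PC had address localIp.
function decideFor(localIp, url, host) { testLocalIp = localIp; return FindProxyForURL(url, host); }

console.log(decideFor("192.168.1.50", "http://www.novell.com/", "www.novell.com")); // PROXY 192.168.1.1:8080
console.log(decideFor("172.16.0.5", "http://www.novell.com/", "www.novell.com"));   // DIRECT
```

Run it with node to see the two sample decisions; strip the helper section before copying the file to the server.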

Autoconfigure the Proxy Settings from the BorderManager Server (for Internet Explorer)

In this method, you point to a file being made available via the BorderManager miniwebserver. For a simple PROXY.PAC file and a PC that stays on the local LAN, this doesn't make a lot of sense, as it is easier to just enter the proxy server address and port numbers. However, this technique is useful when you have complex PROXY.PAC files which do load balancing, etc.

1. Copy the PROXY.PAC file to the BorderManager SYS:ETC\PROXY\DATA directory.
2. In the browser proxy settings, configure the Automatic Proxy Configuration (Netscape) or Use Automatic Configuration Script (IE) URL to:

Code:
http://192.168.1.1:1959/data/proxy.pac

Where 192.168.1.1 must be changed to your BorderManager server's private IP address. Port 1959 is the miniwebserver's default port.

If Internet Explorer doesn't see the file, it will default to using whatever proxy settings are configured under LAN settings.

Certain versions of Internet Explorer have a bug with .PAC files. This can be fixed with a patch. See the Microsoft article here.
Autoconfigure the Proxy Settings from a Local Copy of the PROXY.PAC File (IE or Netscape)

In this method, useful for laptops that travel on and off your LAN, you copy the file to some local directory, and point to it.

1. Copy the PROXY.PAC file to the C:\WINDOWS directory, or other directory of your choice.
2. In the browser proxy settings, configure the Automatic Proxy Configuration (Netscape) or Use Automatic Configuration Script (IE) URL to:
Netscape, use:
Code:
file:///c|/windows/proxy.pac

Internet Explorer, use:
Code:
file://c:/windows/proxy.pac


In Netscape, click on the Reload button.
Have Internet Explorer Automatically Configure Itself to Use a Proxy

There are ways to push the proxy settings (including PROXY.PAC files) to any browser, but Internet Explorer tends to be the easiest. In fact, you can have Internet Explorer automatically discover your PROXY.PAC file without you even having to touch the browser, if the browser is left at default settings. This is done by renaming PROXY.PAC to WPAD.DAT, serving it from a web server, and adding a local DNS entry for it. Please see this tip on methods for configuring browsers to pick up proxy settings.
Setting Proxy Settings on Browsers


For a number of reasons, HTTP Proxy is much better than the Transparent HTTP Proxy. Therefore, you will want all your browsers to point to the BorderManager HTTP Proxy IP address, port 8080, for HTTP, FTP and Security/SSL. The trick is getting all those browsers configured if you don't have time to run around manually setting them yourself. This tip lists several ways that you can push the settings out to the browsers without physically going to the PC.
Option 1 - Make the Users Do It Themselves!

No, this is not a joke. It is surprisingly effective, (especially if there is a teenager around, who will gladly run around doing it for everyone else).

In this method, you cut off web browsing access by disabling Transparent HTTP Proxy and using default filters, then you provide good instructions on how to set the proxy settings. You will want to at least provide some documentation with screenshots of each menu option the users have to click on, and the proper proxy settings. When users are given the choice of no internet access, or following a simple set of screenshots, 99% of them will get themselves on the Internet within 48 hours. You will then have the time to set up the management PCs, and the Help Desk will have time to help Aunt Betty when she gets confused.
Option 2 - Push the Browser Settings in the Login Script (for Internet Explorer)

Internet Explorer stores proxy settings in the registry. This makes it particularly easy to update, using a variety of methods. Even if your users do not normally use Internet Explorer as their usual browser, you will want to configure the proxy settings because many other applications key off proxy settings in Internet Explorer.

In this method, you determine the proper registry key for your version of IE, export the settings to a .REG file, and then use REGEDIT in the login script to push the settings to the PC. If you leave the setting in the login script for several days, most of the PCs should be updated by then, and you can remove or comment out the commands. Here is an example:

In the container login script, add the line:
Code:
#Regedit /s z:\public\setpxy.reg

This assumes that the Z drive is mapped to SYS: of their local servers. Once this is done, copy SETPXY.REG to the Public directory.

To create the SETPXY.REG file, open Notepad and type in the following. The first line is REGEDIT4 (or whatever version of REGEDIT is on your PC, such as REGEDT32); the two values in angle brackets are placeholders you must replace:
Code:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="<proxy-ip-address>:8080"
"ProxyEnable"=dword:00000001
"ProxyOverride"="<bypass-list>"

Change <proxy-ip-address> to the private IP address of your HTTP Proxy, and <bypass-list> to 127.0.0.1 or any combination of URLs for which you want to bypass the proxy. (I advise you to experiment with this for a while to get the syntax done correctly).
Option 3 - Push the Browser Settings with ZENWorks Application Launcher

Using ZENWorks (NAL), you can create a forced-run, run-once application for any browser that sets the proxy settings on the browser. Internet Explorer is probably one of the easiest browsers to set, since it has a predictable registry key for proxy settings.

Netscape uses a text file called PREFS.JS which can be easily modified by a ZENWorks app, but the location of the file might be different on each PC, depending on how Netscape was set up. Search some of your PCs for that file, and if you are lucky, all PCs may have the file in a common location under a directory called Default.
Option 4 - Use DHCP to Push WPAD Settings for Browsers

Newer browsers can pick up certain settings from DHCP. Those settings can then be leveraged to have the browser pick up the proxy settings. See this Novell TID:
Code:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2953490.htm


and this Microsoft technical article:
Code:
http://www.microsoft.com/TechNet/IE/reskit/ie5/part3/ch13sser.asp


This works for both Netscape and Internet Explorer. Also, see the Novell AppNote described below in option 6.

Caveat: I was simply never able to get this to work for some reason, but I was able to get Option 5 to work with Internet Explorer!
Option 5 - Use DNS & Web Server to Push WPAD Settings for Browsers

This one really took me a long time to figure out, but turns out to be pretty simple and easy. There is an option in Internet Explorer called Automatic Proxy Configuration. (As far as I know, as of August 15, 2003, this may be a feature only found in Internet Explorer). IE 6 comes with this option set by default.

The concept: When Internet Explorer is launched with the Automatic Proxy Configuration option checked, it makes a DNS query for WPAD. If it gets a DNS response, it will look for a file called WPAD.DAT at that location. WPAD.DAT is simply a PROXY.PAC file renamed to WPAD.DAT. (See the note on PROXY.PAC files below, which also links to a sample I provide at this web site.) The WPAD.DAT file contains a bit of JavaScript (which you write) telling the browser where a proxy server is located and when to use it.

The setup: First, you need a working PROXY.PAC file. You will end up renaming it, and serving it from a web server. If you already are serving it from a web server per my tip on PROXY.PAC files, you have only to set up a DNS entry. Your PCs need to be pointing to your own internal DNS server as their first option. (You can easily set up an internal DNS server with NetWare 5.0 or later.) The DNS server needs to have a WPAD entry for your domain. So if you have a domain called, for instance, CJC.COM, you would have a DNS 'A' record for WPAD.CJC.COM. You also need an internal web server - you cannot use the BorderManager miniwebserver here, or a web server that does not default to using port 80.

Take a working PROXY.PAC file, rename it to WPAD.DAT, and copy it to the root of the web server. You should be able to type HTTP://WPAD.CJC.COM/WPAD.DAT in Internet Explorer and get a file download prompt. If so, just set IE for auto proxy config and it should work.

Troubleshooting: I had a lot of problems making this work at first, until I understood just how Internet Explorer works, and how my web servers were working. The DNS part was simple. The PROXY.PAC/WPAD.DAT file was also simple, since I was already using a PROXY.PAC file. But it just wasn't working. The reason was essentially because I had an overly complex web server configuration on my system. I have Apache, Novonyx and iFolder (another instance of Apache) all running on the same server at the same time, giving up web pages on 5 different IP addresses. The issue I had was, I think, due to my web servers relying on redirection of URLs to the proper document root directories. I put copies of WPAD.DAT into various locations, but they didn't seem to work. When I typed the proper URL in IE, I did get a download prompt as described above! Turns out I did NOT get a download prompt if I typed in HTTP://192.168.10.245/WPAD.DAT - which was where I had my WPAD DNS entry. Internet Explorer resolved my WPAD.CJC.COM query to 192.168.10.245, and it then tried to pull the file from the IP address, not the URL, but my web servers weren't set up to take that sort of query. Eventually, I simply put the WPAD.DAT file in my iFolder document root directory and pointed DNS there. (Note: I have iFolder listening on a secondary IP address using port 80, not 52080...) As long as you can get the WPAD.DAT in the root directory of a web server listening on port 80 of an IP address called out in DNS, you should be fine.
Option 6 - Use Browser Customization Kits to Lock Down the Browser

Both Internet Explorer and Netscape can be customized by an administrator with settings that can then not be modified by the user. The idea here is to set up the browsers as required, and then push the customized browser to the workstation, perhaps with ZENWorks. See this link for customization kits for Netscape:
Code:
http://home.netscape.com/bisdev/distribution/index.html


You need the 'IEAK' (Internet Explorer Administration Kit) for your version of Internet Explorer. Unfortunately, Microsoft's site seems to change URLs of internal pages a lot, so I am not sure if the link below will get you where you want to go, but a search for IEAK or IE Toolkit should eventually link you to the toolkit you need, for your version of IE.
Code:
http://www.microsoft.com/windows/ieak/default.asp
PROXY.PAC Files


The methods above all describe ways to set the proxy to a particular HTTP proxy address. However, you may have laptops that move from your LAN to other LANs (at home, for instance) where no HTTP Proxy exists, or where there is a different HTTP Proxy address. Situations like this are best handled with a PROXY.PAC file. A PROXY.PAC file is a bit of JavaScript that configures the browser's proxy settings. Instead of pointing the browser to the proxy, you point it to the PROXY.PAC file. The PROXY.PAC file can be extremely versatile (and complex).
