Recently I’ve been involved with a Bluecoat install; one of the requirements I’ve been faced with was helping the client remove fixed proxy settings from their browsers.
For how-to references, a combination of Google, Wikipedia and this post are good places to start; I intend to document my experience, so you may find some overlap.
The first thing to understand is that Firefox (FF) and Internet Explorer (IE) both support an “automatically detect proxy” setting, but they implement it in different ways. Both FF and IE use a proxy.pac (also known as wpad.dat) for their configuration; they just “look for it” in different ways.
The proxy PAC file is a JavaScript file that tells the browsers (both FF and IE) how to connect. There are some good PAC file examples here; this is what I did…
function FindProxyForURL(url, host)
{
    // The first if tests whether the URI should be by-passed…
    // Proxy by-pass list
    if (
        // ignore RFC 1918 internal addresses
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0") ||
        // if the URL is like http://server, by-pass
        isPlainHostName(host) ||
        // localhost!!
        localHostOrDomainIs(host, "127.0.0.1") ||
        // by-pass internal URLs
        dnsDomainIs(host, ".mycompany.com") ||
        dnsDomainIs(host, ".mycompany.local")
    )
        // If true, tell the browser to go direct…
        return "DIRECT";
    // If false, it’s not on the by-pass list, so proxy the request… if the proxy can’t be reached, try direct.
    return "PROXY 10.10.10.10:8080;DIRECT";
}
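Because a mistake in the by-pass list silently sends internal traffic out through the proxy (or external traffic around it), it is worth unit-testing the PAC logic offline before publishing it. The following is an added example, not code from the original post: it re-implements the standard PAC helpers the browser normally supplies (with the assumption that isInNet only handles dotted-quad hosts, since there is no DNS offline) and checks the FindProxyForURL above against a constructed table of hosts, including the edge cases just outside each range.

```javascript
// Added example (not part of the original post): an offline harness that re-implements
// the PAC helper functions the browser normally supplies, so FindProxyForURL can be
// unit-tested before the file is pushed to the ProxySG. Assumption: this isInNet only
// handles dotted-quad hosts (a browser resolves names first). 10.10.10.10:8080 is from the post.

function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;      // not an IPv4 literal
  const p = ip.split(".").map(Number);
  if (p.some(o => o > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
// Network-free versions of the standard PAC helpers.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), n = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;  // unresolved name: no match
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.toLowerCase().endsWith(domain.toLowerCase()); }
function localHostOrDomainIs(host, hostdom) { return host === hostdom || hostdom.startsWith(host + "."); }
// The by-pass logic from the post, behaviour unchanged.
function FindProxyForURL(url, host) {
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isPlainHostName(host) ||
      localHostOrDomainIs(host, "127.0.0.1") ||
      dnsDomainIs(host, ".mycompany.com") ||
      dnsDomainIs(host, ".mycompany.local"))
    return "DIRECT";
  return "PROXY 10.10.10.10:8080;DIRECT";
}
const VIA_PROXY = "PROXY 10.10.10.10:8080;DIRECT";
// Constructed test table: host -> decision the PAC must return.
const EXPECTED = {
  "10.1.2.3": "DIRECT",                        // RFC 1918
  "172.31.255.1": "DIRECT",                    // top of 172.16/12
  "172.32.0.1": VIA_PROXY,                     // just outside 172.16/12
  "intranet": "DIRECT",                        // plain host name
  "127.0.0.1": "DIRECT",
  "www.mycompany.com": "DIRECT",
  "www.mycompany.com.evil.example": VIA_PROXY, // suffix match, not substring
  "www.example.org": VIA_PROXY,
};
// Returns true when every host in EXPECTED yields the expected decision.
function checkPac() {
  return Object.entries(EXPECTED).every(([h, want]) => FindProxyForURL("http://" + h + "/", h) === want);
}
```

Run it with any JavaScript engine (e.g. `node`) and add your own internal names to EXPECTED; a failing entry points at exactly the host that would be misrouted.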
Once you’re happy with what you’ve written, you need to “publish” the PAC file on a web server for your clients to download… I’ve decided to use the Bluecoat ProxySG.
You can’t upload the PAC file via the GUI; you need to get down and dirty with the command line. Below is an example SSH session…
Proxy> enable
Proxy# conf t
Proxy# inline accelerated-pac 123
....... Paste the contents of proxy.pac .......
123
Proxy#
Before going any further, log into your Bluecoat and make sure that under Services -> Proxy Services, HTTP 80 and 8080 are set to Intercept. Next check that under Services -> Management Services, HTTP-Console 8081 is enabled… this service will be used to serve the PAC file. Leave HTTPS-Console 8082 on, as using 8081 for administrator access would be a bad idea.
You should now be able to download your PAC file from the following URL: http://10.10.10.10:8081/accelerated_pac_base.pac (change the IP as necessary).
Once that works, we’re going to add some proxy policy to make that URL (a) nicer and (b) compatible with Firefox. In the Bluecoat GUI under Policy (not the Visual Policy Manager), make sure that the local policy is read first… at the top of the file list. The following SSH session adds policy that rewrites a variety of names to the PAC file; basically I’ve tried to capture every combination that a user might try…
Proxy> enable
Proxy# conf t
Proxy# inline policy local 123
<proxy>
url=http://proxy.mycompany.local/proxy.pac authenticate(no)
url=http://proxy.mycompany.local/wpad.dat authenticate(no)
url=http://wpad.mycompany.local/wpad.dat authenticate(no)
url=http://www.wpad.com/wpad.dat authenticate(no)
url=http://proxy.mycompany.local:8081/accelerated_pac_base.pac authenticate(no)
url=http://10.10.10.10:8081/accelerated_pac_base.pac authenticate(no)
<cache>
url.domain=http://proxy.mycompany.local/proxy.pac cache(no)
url.domain=http://proxy.mycompany.local/wpad.dat cache(no)
url.domain=http://wpad.mycompany.local/wpad.dat cache(no)
url.domain=http://www.wpad.com/wpad.dat cache(no)
url.domain=http://proxy.mycompany.local:8081/accelerated_pac_base.pac cache(no)
url.domain=http://10.10.10.10:8081/accelerated_pac_base.pac cache(no)
<proxy>
url=http://proxy.mycompany.local/proxy.pac action.rewrite_pac(yes)
url=http://proxy.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://wpad.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://www.wpad.com/wpad.dat action.rewrite_pac(yes)
url=/wpad.dat action.rewrite_pac(yes)
define action rewrite_pac
rewrite(url,"(.*)","http://10.10.10.10:8081/accelerated_pac_base.pac")
end
123
Proxy#
Phew, that’s the Bluecoat side of things sorted; now we need to get clients to download the file! This is where the browsers take different approaches…
Internet Explorer uses DHCP Option 252 to detect the proxy. You can set the option to any of the URLs you’re rewriting on the Bluecoat; I chose http://wpad.mycompany.local/wpad.dat.
Firefox uses DNS to detect the proxy, so you’re going to need to create some records… The Bluecoat was called “proxy”, so an A record for proxy.mycompany.local already existed; we created a CNAME record for wpad.mycompany.local pointing to proxy.mycompany.local… If your DNS domain is something like uk.mycompany.local, you’ll need to add CNAME records for wpad.uk.mycompany.local and wpad.mycompany.local and add the necessary lines to the Bluecoat rewrite policy above.
Once done, you can set either browser to “automatically detect” and, fingers crossed, all will work!
That was really helpful Nick.
I have a question in this regard. If I have got a pair of Bluecoat SG boxes working in active/passive mode and have the option of configuring WCCP versus WPAD, which one is the better option?
Hi Magnet,
WCCP is transparent redirection of HTTP, whereas WPAD is the browser “detecting” the proxy.
WCCP is better for overall compatibility but doesn’t support Authentication so WPAD may meet your security requirements better.
HTH,
Nick
Hi Nick,
Good article, but I have a similar question to Magnet. What do you mean by WCCP doesn’t support authentication?
Because currently I am using IronPort, and I need user authentication for AD group access control. If I use WCCP, is that not supported?
Hello,
Apologies for the bad wording; to be clear, what I should have said is that transparent redirection of HTTP (i.e. WCCP) doesn’t support proxy authentication… i.e. passing authentication credentials in the HTTP header in the same way that explicit proxying can.
If you are using a Bluecoat with transparent interception of HTTP (or WCCP), then you need to use cookie authentication, which doesn’t necessarily work with all HTTP requests (Unix wget would be an example: proxy auth or nothing).
I hope that helps!
Thanks Nick!
WPAD is the better option then.
Bear in mind that Windows DNS Servers blacklist wpad on CNAME. See below on how to remove this.
http://computersplace.net/microsoft-releated/windows-server-howto/unable-resolve-wpad.html
Hi Nick
I was referring to what you said as below
In the Bluecoat GUI under policy (not the visual policy manager) make sure that the local policy is read 1st… at the top of the file list.
I have checked under Bluecoat->Policy->Policy Options.
Policy Order is as follows:
VPM->Local->Central->Forward
Am I looking at the right page that you are referring to?
Yes you’re looking at the right thing, the order should be … Local -> VPM -> Central -> Forward …. if you want the above to work
Do I need to make any changes to the Local (Policy) to get it working? Also, if I change the settings, will all my rules in the VPM still work?
Just don’t want to break anything.
Hello,
Yes, you need to change and paste the CPL above into your local policy.
Your VPM will still work, the local policy will be applied before the VPM.
Good luck hopefully you won’t break anything :-p
Thanks. May I know what is local 123?
Local is the policy you are editing; 123 is the input delimiter that I use
Hi, I have an issue with WPAD configuration. We have 5 ISA servers globally; when I change to automatic proxy my browser requests authentication from all 5 servers. Can you please share the recommended authentication type / how to solve the issue.