Setting Proxy Settings on Browsers - August 15, 2003

Updated August 15, with new Option 5 below, using DNS to push proxy settings with a proxy.pac file called wpad.dat.

For a number of reasons, HTTP Proxy is much better than the Transparent HTTP Proxy. Therefore, you will want all your browsers to point to the BorderManager HTTP Proxy IP address, port 8080, for HTTP, FTP and Security/SSL. The trick is getting all those browsers configured if you don't have time to run around manually setting them yourself. This tip lists several ways that you can push the settings out to the browsers without physically going to the PC.

Option 1 - Make the Users Do It Themselves!

No, this is not a joke. It is surprisingly effective (especially if there is a teenager around who will gladly run around doing it for everyone else).

In this method, you cut off web browsing access by disabling Transparent HTTP Proxy and using default filters, then you provide good instructions on how to set the proxy settings. You will want to at least provide some documentation with screenshots of each menu option the users have to click on, and the proper proxy settings. When users are given the choice of no internet access, or following a simple set of screenshots, 99% of them will get themselves on the Internet within 48 hours. You will then have the time to set up the management PCs, and the Help Desk will have time to help Aunt Betty when she gets confused.

Option 2 - Push the Browser Settings in the Login Script (for Internet Explorer)

Internet Explorer stores proxy settings in the registry. This makes it particularly easy to update, using a variety of methods. Even if your users do not normally use Internet Explorer as their usual browser, you will want to configure the proxy settings because many other applications key off proxy settings in Internet Explorer.

In this method, you determine the proper registry key for your version of IE, export the settings to a .REG file, and then use REGEDIT in the login script to push the settings to the PC. If you leave the setting in the login script for several days, most of the PC's should be updated by then, and you can remove or comment out the commands. Here is an example:

In the container login script, add the line

#Regedit /s z:\public\setpxy.reg

This assumes that the Z drive is mapped to SYS: of their local servers. Once this is done, copy SETPXY.REG to the Public directory.

To create the SETPXY.REG file, open Notepad and type in the following. The first line is the REGEDIT version header (REGEDIT4 here, or whatever version of REGEDIT is on your PC, such as REGEDT32):

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="<your proxy IP address>:8080"
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>"

Change <your proxy IP address> to the private IP address of your HTTP Proxy, and <local> to 127.0.0.1 or any combination of URL's for which you want to bypass the proxy. (I advise you to experiment with this for a while to get the syntax done correctly.)

Option 3 - Push the Browser Settings with ZENWorks Application Launcher

Using ZENWorks (NAL), you can create a forced-run, run-once application for any browser that sets the proxy settings on the browser. Internet Explorer is probably one of the easiest browsers to set, since it has a predictable registry key for proxy settings.

Netscape uses a text file called PREFS.JS which can be easily modified by a ZENWorks app, but the location of the file might be different on each PC, depending on how Netscape was set up. Search some of your PC's for that file, and if you are lucky, all PC's may have the file in a common location under a directory called Default.

Option 4 - Use DHCP to Push WPAD Settings for Browsers

Newer browsers can pick up certain settings from DHCP. Those settings can then be leveraged to have the browser pick up the proxy settings. See this Novell TID:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/2953490.htm

and this Microsoft technical article:

http://www.microsoft.com/TechNet/IE/reskit/ie5/part3/ch13sser.asp

This works for both Netscape and Internet Explorer. Also, see the Novell AppNote described below under Other Documentation.

Caveat: I was simply never able to get this to work for some reason, but I was able to get Option 5 to work with Internet Explorer!

Option 5 - Use DNS & Web Server to Push WPAD Settings for Browsers

This one really took me a long time to figure out, but turns out to be pretty simple and easy. There is an option in Internet Explorer called Automatic Proxy Configuration. (As far as I know, as of August 15, 2003, this may be a feature only found in Internet Explorer). IE 6 comes with this option set by default.

The concept: When Internet Explorer is launched, it makes a DNS query for WPAD.<your domain.com> if the Automatic Proxy Configuration option is checked. If it gets a DNS response, it will look for a file called WPAD.DAT at that location. WPAD.DAT is simply a PROXY.PAC file renamed to WPAD.DAT. (See the note on PROXY.PAC files below, which also links to a sample I provide at this web site.) The WPAD.DAT file contains a bit of JavaScript (which you write) telling the browser where a proxy server is located and when to use it.

The setup: First, you need a working PROXY.PAC file. You will end up renaming it, and launching it from a web server. If you already are launching it from a web server per my tip on PROXY.PAC files, you have only to set up a DNS entry. Your PC's need to be pointing to your own internal DNS server as their first option. (You can easily set up an internal DNS server with NetWare 5.0 or later.) The DNS server needs to have a WPAD entry for your domain. So if you have a domain called, for instance, CJC.COM, you would have a DNS 'A' record for WPAD.CJC.COM. You also need an internal web server - you cannot use the BorderManager miniwebserver here, or a web server that does not default to using port 80.

Take a working PROXY.PAC file, rename it to WPAD.DAT, and copy it to the root of the web server. You should be able to type HTTP://WPAD.CJC.COM/WPAD.DAT in Internet Explorer and get a file download prompt. If so, just set IE for auto proxy config and it should work.

Troubleshooting: I had a lot of problems making this work at first, until I understood just how Internet Explorer works, and how my web servers were working. The DNS part was simple. The PROXY.PAC/WPAD.DAT file was also simple, since I was already using a PROXY.PAC file. But it just wasn't working. The reason was essentially because I had an overly complex web server configuration on my system. I have Apache, Novonyx and iFolder (another instance of Apache) all running on the same server at the same time, giving up web pages on 5 different IP addresses. The issue I had was, I think, due to my web servers relying on redirection of URL's to the proper document root directories. I put copies of WPAD.DAT into various locations, but they didn't seem to work. When I typed the proper URL in IE, I did get a download prompt as described above! Turns out I did NOT get a download prompt if I typed in HTTP://192.168.10.245/WPAD.DAT - which was where I had my WPAD DNS entry. Internet Explorer resolved my WPAD.CJC.COM query to 192.168.10.245, and it then tried to pull the file from the IP address, not the URL, but my web servers weren't set up to take that sort of query. Eventually, I simply put the WPAD.DAT file in my iFolder document root directory and pointed DNS there. (Note: I have iFolder listening on a secondary IP address using port 80, not 52080...) As long as you can get the WPAD.DAT in the root directory of a web server listening on port 80 of an IP address called out in DNS, you should be fine.

Option 6 - Use Browser Customization Kits to Lock Down the Browser

Both Internet Explorer and Netscape can be customized by an administrator with settings that can then not be modified by the user. The idea here is to set up the browsers as required, and then push the customized browser to the workstation, perhaps with ZENWorks. See this link for customization kits for Netscape:

http://home.netscape.com/bisdev/distribution/index.html

You need the 'IEAK' (Internet Explorer Administration Kit) for your version of Internet Explorer. Unfortunately, Microsoft's site seems to change URL's of internal pages a lot, so I am not sure if the link below will get you where you want to go, but a search for IEAK or IE Toolkit should eventually link you to the toolkit you need, for your version of IE.

http://www.microsoft.com/windows/ieak/default.asp

PROXY.PAC Files

The methods above all describe ways to set the proxy to a particular HTTP proxy address. However, you may have laptops that move from your LAN to other LANs (at home, for instance) where no HTTP Proxy exists, or where there is a different HTTP Proxy address. Situations like this are best handled with a PROXY.PAC file. A PROXY.PAC file is a bit of JavaScript that configures the browser's proxy settings. Instead of pointing the browser to the proxy, you point it to the PROXY.PAC file. The PROXY.PAC file can be extremely versatile (and complex). I have provided a simple example in this tip.
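
A minimal PAC file of the kind described here and under Option 5, as an added example (it is not the sample the author links to). The proxy IP, LAN range and client addresses are assumed sample values, and the helpers below the marked line are Node-only stand-ins for functions the browser itself provides, included so the decisions can be checked offline before FindProxyForURL is saved as PROXY.PAC or WPAD.DAT.

```javascript
// Added example, not from the original tip. All addresses are assumed samples.
var PROXY_IP = "192.168.10.1";   // assumed private IP of the HTTP Proxy
var LAN_NET = "192.168.10.0";    // assumed office LAN
var LAN_MASK = "255.255.255.0";

// ---- This function is the entire content of PROXY.PAC / WPAD.DAT ----
function FindProxyForURL(url, host) {
  // Never proxy loopback or unqualified (intranet) host names.
  if (host === "127.0.0.1" || host === "localhost" || isPlainHostName(host)) {
    return "DIRECT";
  }
  // Laptop on another LAN (at home, for instance): no HTTP Proxy there.
  if (!isInNet(myIpAddress(), LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // On the office LAN, HTTP, FTP and SSL all go to the proxy on port 8080.
  // There is no "; DIRECT" fallback, so a proxy outage does not turn into
  // unproxied browsing.
  return "PROXY " + PROXY_IP + ":8080";
}

// ---- Node-only stand-ins for PAC helpers; remove before deploying ----
var simulatedClientIp = "192.168.10.50";
function myIpAddress() { return simulatedClientIp; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return acc * 256 + Number(octet);
  }, 0);
}
// Simplified: accepts dotted IPs only (a browser's isInNet also resolves names).
function isInNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Return the PAC decision for a client at clientIp requesting url.
function decide(clientIp, url) {
  simulatedClientIp = clientIp;
  return FindProxyForURL(url, new URL(url).hostname);
}
```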

Other Documentation - Novell AppNote

Novell has an AppNote with some of this information at the following URL:

http://developer.novell.com/research/appnotes/2002/april/02/a020402.doc

This AppNote goes into much more detail on the WPAD and other options, and I recommend reading it.


