Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, May 23, 2008

PAC and WPAD

There are plenty of deployment methods for proxies, and we've touched on a number of them in this blog. If you've decided on an explicit proxy implementation (where you block all access to the web from any IP address in your organization except for the IP address of the proxy), there's a need to configure the proxy's IP address in every browser's configuration. This alone sounds like a nightmare of a chore for any systems administrator.

Luckily there are two technologies to help with this chore, PAC (Proxy Auto Config) and WPAD (Web Proxy Autodiscovery Protocol). These technologies help to ensure that all browsers in your organization use the same proxy configuration, without the need for the administrator to visit every browser manually.

The PAC standard allows the administrator to create and publish one central proxy configuration file. A PAC file contains a JavaScript function "FindProxyForURL(url, host)". This function returns a string that causes the user agent to use a particular proxy server or to connect directly. Typically the PAC file is named "proxy.pac". You can configure the PAC file to have multiple proxy targets in order to provide a backup if a specific proxy fails to respond. To use PAC, you publish the PAC file on a Web server and instruct a user agent to utilize it, either by entering the URL in the proxy connection settings of your browser or through the use of the WPAD protocol.
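As an added illustration (not from the original post), here is a proxy.pac for the explicit-proxy setup described above, with a backup proxy and internal hosts sent direct. The proxy hostnames and port 8080 are assumptions, and the host matching uses plain JavaScript string operations so the same file can be checked outside a browser.

```javascript
// Added example proxy.pac. Proxy hostnames and port are assumed values;
// "company.com" is the example domain used in the post.
var INTERNAL_DOMAIN = "company.com";

// Two targets separated by ";": the user agent tries proxy1 first and
// falls back to proxy2 if proxy1 does not respond.
var PROXIES = "PROXY proxy1.company.com:8080; PROXY proxy2.company.com:8080";

// True for plain intranet names and for the internal domain or its
// subdomains. Comparing against ".company.com" (with the leading dot)
// keeps a look-alike such as "notcompany.com" from matching.
function isInternalHost(host) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case, trailing dot
  if (host.indexOf(".") === -1) return true;    // e.g. "intranet"
  if (host === INTERNAL_DOMAIN) return true;
  var suffix = "." + INTERNAL_DOMAIN;
  return host.slice(-suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  if (host === "127.0.0.1") return "DIRECT";
  if (isInternalHost(host)) return "DIRECT";
  // No trailing "DIRECT" here: in an explicit-proxy deployment the
  // firewall blocks direct web access anyway, so a DIRECT fallback would
  // only send traffic around the proxy on networks without that block.
  return PROXIES;
}
```

Because the returned list contains only PROXY entries, a client whose proxies are both unreachable fails closed instead of connecting directly.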

The WPAD standard allows two ways for the system administrator to publish the location of the proxy configuration file, using the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS).

Prior to fetching its first page, the web browser using WPAD sends the local DHCP server a DHCPINFORM query, and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the necessary details, DNS is used. For example, if the hostname of the end-user's computer is dhcp123.company.com, the browser will try a URL based on the domain name to find the correct file. In this case it would try http://wpad.company.com/wpad.dat.

With the implementation of PAC and/or WPAD, you can relieve some of the administrative work in getting an explicit proxy deployment to work. If you need some additional information on PAC and WPAD, https://www.wikipedia.org has some great examples.
