
Entries in Proxy (2)

Friday, May 01, 2009

Using Web Proxy Autodiscovery Protocol

I have previously written about how you can use a proxy auto-config (PAC) file to direct your web users to an appropriate proxy server for fetching a given URL. Unfortunately you still have to tell the client’s browser how to access that file, and if you support several thousand users this configuration process can be a bit of a nightmare. One option is to hardcode the PAC file’s URL into the browser; however, this makes any future infrastructure changes difficult and also provides little resilience if the PAC file becomes unavailable. It also offers no compatibility if the user were to connect from outside the corporate network. This is especially frustrating for roaming users who often need to connect to wireless hotspots that require web authentication. In this case the user would need to modify the browser configuration, which, although relatively simple, is not recommended for enterprise-level support.

The Web Proxy Autodiscovery Protocol (WPAD) is a method used by browsers to automatically locate a proxy auto-config file. When WPAD is used the file is published as wpad.dat rather than with a .pac extension; however, the file content is exactly the same as a PAC file.

WPAD was created by Microsoft and has been supported since Internet Explorer 5.0.

The WPAD standard dictates two methods by which the IT administrator can publish the location of the PAC file: the Dynamic Host Configuration Protocol (DHCP), the Domain Name System (DNS), or both.

When the user first opens their browser to navigate to a web page, there will be a few seconds’ delay. It is during this time that the browser is automatically detecting the proxy settings. First, it checks the information received from the DHCP server, looking for site-local option 252, “auto-proxy-config”, which should include a string value “http://xxx.xxx.xxx.xxx/wpad.dat” where “xxx.xxx.xxx.xxx” is the address of a web server (IP or DNS name).

If the DHCP server does not provide the information, DNS will be used. The browser asks the DNS server to resolve a host named WPAD within its own domain. For example, if the network name of the user's computer is “pc.branch.region.company.com”, the browser will automatically try the following URLs in turn until it finds a proxy configuration file:

  • http://wpad.branch.region.company.com/wpad.dat
  • http://wpad.region.company.com/wpad.dat
  • http://wpad.company.com/wpad.dat
  • http://wpad.com/wpad.dat

For DNS lookup the file must be named “wpad.dat” and be located in the WPAD web site's root directory.

Whether DHCP or DNS is used, the web server must be configured to serve .dat files with the MIME type "application/x-ns-proxy-autoconfig". Although for DNS lookups the path of the configuration file must always be wpad.dat, for the DHCP method any URL is usable. Finally, because DHCP has a higher priority than DNS, if DHCP provides the WPAD URL, no DNS lookup is performed.

When the file is located, the browser downloads the proxy auto-config file over HTTP and configures itself according to the content of the file.

On the client side the only configuration that needs to take place is to tick the "Automatically Detect Settings" option in "Internet Options > Connections > LAN Settings". This option is enabled by default in Internet Explorer or can be enabled via domain Group Policy. By having just this simple option enabled the client’s browser should be able to handle any network configuration automatically, whether they are connected to the corporate LAN, at home, or to a wireless hotspot.

Security Concerns:

Although WPAD greatly simplifies browser proxy configuration, it does have to be handled with care. Two specific examples of where WPAD can be used maliciously are:

  • A rogue DHCP server is added to a network and starts issuing a non-approved PAC file. This could result in your users’ traffic and browsing information being forwarded to an untrustworthy source.
  • When using DNS lookup, if your company uses the domain "branch.company.com" and the PAC file "http://wpad.branch.company.com/wpad.dat" is not successfully served, the browser will automatically attempt to locate the file at "http://wpad.company.com/wpad.dat" and then "http://wpad.com/wpad.dat". It is possible that an attacker could configure and deliver a malicious PAC file from one of these unapproved locations.
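The DNS walk described above, together with a check for the fall-through problem in the second bullet, as an added example that is not part of the original post. The host names, the approved domain suffix and the function names are assumptions; the DHCP-first precedence follows the post.

```javascript
// Added example (not from the original post): the DNS walk a WPAD client
// performs, and a defender's check of which candidate names lie outside the
// domains the organisation controls. Host names and suffixes are constructed.

// Ordered URLs the client tries for an FQDN: drop the host label, then
// prefix every remaining suffix with "wpad." (down to "wpad.<tld>", as in
// the list in the post).
function wpadCandidates(fqdn) {
  var labels = fqdn.toLowerCase().split(".").filter(Boolean);
  var urls = [];
  for (var i = 1; i < labels.length; i++) {
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  return urls;
}

// DHCP option 252 takes priority: when it supplies a URL, only that URL is
// used and no DNS walk happens; otherwise the DNS candidates are tried.
function discoveryOrder(fqdn, dhcpOption252) {
  return dhcpOption252 ? [dhcpOption252] : wpadCandidates(fqdn);
}

// Candidates whose host is outside approvedSuffix: names the organisation
// cannot serve itself, so a failed lookup at a lower level falls through to
// whoever controls them.
function unapprovedCandidates(fqdn, approvedSuffix) {
  var suffix = "." + approvedSuffix.toLowerCase();
  return wpadCandidates(fqdn).filter(function (u) {
    return !new URL(u).hostname.endsWith(suffix);
  });
}

// Names the organisation should register (each resolving to its own WPAD
// web server) so every in-scope level of the walk is answered internally.
function namesToRegister(fqdn, approvedSuffix) {
  var suffix = "." + approvedSuffix.toLowerCase();
  return wpadCandidates(fqdn)
    .map(function (u) { return new URL(u).hostname; })
    .filter(function (h) { return h.endsWith(suffix); });
}
```

Running `unapprovedCandidates("pc.branch.region.company.com", "company.com")` returns only the wpad.com URL, which is exactly the level the post warns an attacker could answer.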

Friday, April 24, 2009

Using a Proxy Auto-Config File

A proxy auto-config (PAC) file is used by web browsers to automatically choose an appropriate route to a proxy server for connecting to the Internet. It can also be used to route certain groups of users to a specific proxy server and to dictate different actions, such as routing or filtering, for certain URLs and/or IP addresses.

PAC files are primarily used in medium to large enterprise networks that use proxy servers with multiple breakout points to the Internet. The PAC file simplifies browser configuration, management and support, as each time a user attempts to access the web the browser will automatically fetch the PAC file before attempting to access the Internet. This is useful because if you make a change to your network that impacts your Internet gateway infrastructure you don’t need to individually roll out a change of settings to all your users; instead you update a single file which is generally stored in a central location. Storing the file centrally also makes management and support significantly easier. However, it should be noted that it can also add a single point of failure if no additional redundancy is introduced.

The PAC file settings can be configured in Internet Explorer by going to: "Internet Options > Connections > LAN Settings" and ticking "Use automatic configuration script".

The PAC file is essentially a JavaScript file that includes the function "FindProxyForURL", which accepts two arguments, "url" and "host". This function is called before the browser requests a page and it tells the browser whether it should route to a proxy or attempt to go direct.

An example of a simple PAC file can be seen below:

    // Send every request to proxy01 on port 8080; fall back to a direct connection if it is unavailable.
    function FindProxyForURL(url, host) {
        return "PROXY proxy01.fakecompany.com:8080; DIRECT";
    }

In the above example all URLs will be routed to “proxy01.fakecompany.com” on port “8080”, and if this address is unavailable the browser will attempt to connect directly. However, unless you have specific routing configured on your network for direct access, the request would fail.
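A PAC file with the per-destination rules the post mentions (internal names direct, a filtering proxy for some sites, a primary/secondary proxy pair for the rest), as an added example that is not part of the original post. The proxy names, the internal domain, the address ranges and the Node stand-ins for the browser's PAC helper functions are assumptions.

```javascript
// Added example (not from the original post): a PAC file with per-destination
// rules of the kind the post describes. Proxy names, the internal domain and
// the address ranges are constructed sample values.

// Browsers supply isPlainHostName, dnsDomainIs and isInNet to a PAC script.
// These stand-ins are installed only when they are absent (e.g. under Node),
// so the file can be unit-tested before it is published to the web server.
if (typeof dnsDomainIs === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.dnsDomainIs = function (host, domain) { return host.endsWith(domain); };
  globalThis.isInNet = function (ip, net, mask) {
    var toInt = function (s) {
      return s.split(".").reduce(function (a, o) { return ((a << 8) + Number(o)) >>> 0; }, 0);
    };
    return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
  };
}

function FindProxyForURL(url, host) {
  // Intranet short names and the internal domain never leave the network.
  if (isPlainHostName(host) || dnsDomainIs(host, ".fakecompany.com")) {
    return "DIRECT";
  }
  // Literal IPv4 destinations inside 10.0.0.0/8 go direct. The regex guard
  // keeps isInNet from triggering a DNS lookup for ordinary host names.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Plain HTTP to a listed domain is sent via a filtering proxy pair, with
  // DIRECT as the last resort, as in the post's own example.
  if (url.substring(0, 5) === "http:" && dnsDomainIs(host, ".example.org")) {
    return "PROXY filter01.fakecompany.com:8080; PROXY filter02.fakecompany.com:8080; DIRECT";
  }
  // Everything else: primary then secondary proxy, no DIRECT fallback, so a
  // proxy outage fails closed rather than attempting an unrouted direct path.
  return "PROXY proxy01.fakecompany.com:8080; PROXY proxy02.fakecompany.com:8080";
}
```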


For more information on PAC files please refer to the article "Writing Effective Proxy PAC Files".