Have you ever wondered what the “Automatically detect settings” option under the Connections tab of Internet Explorer's LAN settings actually does? Enabling it turns on the browser's Web Proxy Auto-Discovery (WPAD) functionality: the browser is directed to locate a special configuration file and set its proxy settings from it. The benefit of WPAD is that every web browser in an organization can be pointed at the same proxy policy without configuring each of them manually.
Where is the configuration file?
The location of the configuration file can be published in two alternative ways: DHCP or DNS. Before fetching its first page, a browser configured for WPAD sends a DHCPINFORM request to its local DHCP server and expects the URL of the configuration file in the DHCP reply. If DHCP does not provide it, the browser falls back to DNS: it prepends the host name wpad to its own domain and walks up the domain hierarchy one label at a time. For example, if the FQDN of the client computer is computer.subdomain.domain.local, the browser tries the following locations in order:
1. http://wpad.subdomain.domain.local/wpad.dat
2. http://wpad.domain.local/wpad.dat (some web browsers)
3. http://wpad.com/wpad.dat (in faulty implementations that walk all the way up to the top-level domain; with a public suffix such as .com the request for the proxy configuration leaves the organization, and whoever controls that host can hand the browser a proxy of their choosing)
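The DNS walk above, written out as an added example (this is not code from the original article): wpadCandidates() builds the list of wpad.dat URLs a browser tries for a given client FQDN. The stopBeforeTld option switches between a correct implementation, which stops before the top-level domain, and the faulty one that keeps going until it asks a host such as wpad.com. The FQDNs used are the ones from the text; the option name is an assumption of this example.

```javascript
// Added example: the DNS half of WPAD discovery, reproducing the
// candidate list a browser walks through for a client FQDN.
// Correct implementations stop before reaching the top-level domain;
// the faulty variant keeps going, which is how a request for
// wpad.dat can leave the organisation (e.g. end up at wpad.com).
function wpadCandidates(fqdn, options) {
  var stopBeforeTld = !options || options.stopBeforeTld !== false;
  var labels = fqdn.toLowerCase().split(".").filter(function (l) {
    return l.length > 0;
  });
  var urls = [];
  // Drop the host's own label first, then strip one more label per round.
  for (var i = 1; i < labels.length; i++) {
    var suffix = labels.slice(i);
    // A suffix of a single label is the TLD itself ("com", "local", ...).
    if (stopBeforeTld && suffix.length < 2) {
      break;
    }
    urls.push("http://wpad." + suffix.join(".") + "/wpad.dat");
  }
  return urls;
}

// Usage: compare a correct and a faulty implementation for a .com client.
var exampleHost = "computer.subdomain.domain.com";
console.log(wpadCandidates(exampleHost));
console.log(wpadCandidates(exampleHost, { stopBeforeTld: false }));
```

Every name in that list is one an attacker could try to answer for, so the safest setup is to publish a wpad record in the client's own domain (the first candidate) and make sure nobody else can register it.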
Hosting the wpad.dat
Since the web browser fetches the configuration file (wpad.dat) over HTTP, a web server must host it. The web server must serve .dat files with the “application/x-ns-proxy-autoconfig” MIME type, and wpad.dat must be located in the web site's root directory. For example, in an IIS configuration you would do the following:
- Go to Start –> settings –> control panel –> administrative tools –> Internet Information Services (IIS) Manager
- Right click the web site node in which you are going to host the wpad.dat file (for example Default Web Site) and select properties
- Select the HTTP Headers tab and press MIME Types button
- In the “MIME Types” dialog box press NEW, type .dat in the extension field and application/x-ns-proxy-autoconfig in the MIME Type field, and press OK.
- Return to IIS Manager, right-click the web site node in which you are going to host the wpad.dat file (for example Default Web Site) and select Explore.
- Right click somewhere in the right pane of the IIS snap-in and select new –> text document.
- Rename the document to wpad.dat (make sure Explorer is showing file extensions, otherwise you will end up with a file named wpad.dat.txt that the browser will never find).
Editing the wpad.dat file
The wpad.dat file is a proxy auto-config (PAC) script: plain JavaScript defining a function FindProxyForURL(url, host) that the browser calls for every request and that returns the proxy setting to use. A typical configuration does the following: if the client computer belongs to the 192.168.0.0/24 network, the browser is directed to use proxy1.mydomain.local on port 8080. If the client does not belong to the 192.168.0.0/24 network, all web traffic goes through proxy2.mydomain.local, and if proxy2 fails to respond the browser goes direct. Finally, the browser bypasses the proxies whenever the URL contains the string .mydomain.com. Note that you can add more rules by simply adding lines to your configuration file. Bear in mind that whoever can modify this file decides where every browser in the organization sends its traffic, so the file and the server hosting it deserve the same protection as the proxies themselves.
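A wpad.dat implementing the three rules just described, as an added example rather than the article's own script. The proxy host names, the 8080 port for proxy2 and the mydomain.* names are assumptions. Two deliberate choices differ from a literal reading of the text: the bypass rule keys on the host name (dnsDomainIs) rather than on the whole URL, so that a query string containing .mydomain.com cannot switch the proxy off, and it is evaluated first, because a PAC function returns at the first matching rule. The helpers at the bottom stand in for the browser's own isInNet/myIpAddress/dnsDomainIs built-ins so the file can be exercised under Node; a browser's PAC engine ignores them because of the typeof guards.

```javascript
// Added example: a wpad.dat (PAC) file implementing the three rules
// described above. proxy1/proxy2 host names, the 8080 port for proxy2
// and the mydomain.* domains are assumptions.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // Bypass rule first: traffic to the organisation's own sites goes
  // direct. Matched on the host name rather than the whole URL so that
  // a query string containing ".mydomain.com" cannot trigger the bypass.
  if (h === "mydomain.com" || dnsDomainIs(h, ".mydomain.com")) {
    return "DIRECT";
  }

  // Rule 1: clients on 192.168.0.0/24 use proxy1.
  if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0")) {
    return "PROXY proxy1.mydomain.local:8080";
  }

  // Rule 2: everyone else uses proxy2, falling back to a direct
  // connection if proxy2 does not answer.
  return "PROXY proxy2.mydomain.local:8080; DIRECT";
}

// ---- Offline test helpers ------------------------------------------------
// A browser's PAC engine provides isInNet, myIpAddress and dnsDomainIs.
// The fallbacks below exist only so this file can be run under Node; the
// typeof guards leave the browser's own built-ins untouched.
var simulatedClientIp = "192.168.0.10"; // constructed test address
function setClientIp(ip) { simulatedClientIp = ip; }

var myIpAddress = typeof myIpAddress === "function" ? myIpAddress
  : function () { return simulatedClientIp; };

var dnsDomainIs = typeof dnsDomainIs === "function" ? dnsDomainIs
  : function (host, domain) {
      return host.length >= domain.length &&
        host.substring(host.length - domain.length) === domain;
    };

var isInNet = typeof isInNet === "function" ? isInNet
  : function (ip, pattern, mask) {
      // Dotted quad -> unsigned 32-bit integer.
      var toInt = function (s) {
        return s.split(".").reduce(function (n, o) {
          return (n << 8) + parseInt(o, 10);
        }, 0) >>> 0;
      };
      var m = toInt(mask);
      return ((toInt(ip) & m) >>> 0) === ((toInt(pattern) & m) >>> 0);
    };

// Usage: evaluate the script for a client inside and outside 192.168.0.0/24.
setClientIp("192.168.0.10");
console.log(FindProxyForURL("http://www.example.org/", "www.example.org"));
setClientIp("10.1.2.3");
console.log(FindProxyForURL("http://www.example.org/", "www.example.org"));
console.log(FindProxyForURL("http://intranet.mydomain.com/", "intranet.mydomain.com"));
```

When deploying, the helper block can stay in place (the guards make it inert in a browser) or be removed; the FindProxyForURL function is all the browser needs.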
Publishing the file location
To publish the file location you need to either set up a DHCP option or set up a DNS record. DHCP option 252 is honoured by Internet Explorer and other clients that use the Windows proxy settings; Firefox only uses the DNS method, so on a mixed estate you will usually want both. To set up the DHCP option on a Windows DHCP server, do the following:
- Go to Start –> settings –> control panel –> administrative tools –> DHCP
- Right click the DHCP server name and select “set predefined options”
- In the Predefined options dialog box press “add”
- In the Option Type dialog box set the following values:
Data Type: String
Code: 252
Description: WPAD Auto Config Key
- Go back to DHCP snap-in and right click either your scope or server options.
- Select “Configure Options…”
- In the Scope Options dialog box select option 252, type the full URL of your wpad.dat file in the String value field (for example http://wpad.mydomain.local/wpad.dat) and press OK.
Finally, to configure your DNS server, add an A or CNAME record named wpad that points at the server hosting your wpad.dat file (so that, for example, wpad.mydomain.local resolves to it).
Note that if you are using a Windows DNS server you have to take care of the Global Query Block List, which was introduced in Windows Server 2008 and later. By default it stops the DNS server from answering queries for the wpad and isatap host names even when a record exists, precisely because any client allowed to perform dynamic updates could otherwise register wpad and redirect every browser in the organization through a proxy of its choosing. To allow wpad while keeping isatap blocked, run dnscmd /config /globalqueryblocklist isatap on the DNS server (or Set-DnsServerGlobalQueryBlockList -List isatap in PowerShell on Windows Server 2012 and later) and restart the DNS Server service. Then create the wpad record yourself as a static record, so that it is owned by an administrator and cannot be overwritten by a client's dynamic update.