How to block browsers to bypass proxy?

chris4916

Clearer.

Answer is quite simple.

1 - set-up WPAD  ;) then you should not need this page any more.
2 - As I previously wrote, configure captive portal (without authentication) and display page explaining that proxy needs to be manually configured. This page will not be reached but in any case, for devices not WPAD aware, this may help

jetberrocal

@chris4916:

1 - set-up WPAD  ;) then you should not need this page any more.

There is a problem using WPAD.  Windows in fact has a flaw design for proxy setting.  It is design to ignore WPAD configurations after some time running in a network without proxy.  Which is mostly every regular PC.

@chris4916:

2 - As I previously wrote, configure captive portal (without authentication) and display page explaining that proxy needs to be manually configured. This page will not be reached but in any case, for devices not WPAD aware, this may help

This is an idea that I could try.  I will write down the outcome after trying.

jetberrocal

@jetberrocal:

@chris4916:

2 - As I previously wrote, configure captive portal (without authentication) and display page explaining that proxy needs to be manually configured. This page will not be reached but in any case, for devices not WPAD aware, this may help

This is an idea that I could try.  I will write down the outcome after trying.

OK.  It worked nicely.  I did not use the default CP page as it includes authentication fields, I loaded a ngnix sample test page and it work as expected

Thank you for the idea. 
I was trying CP with authentication before and it did not work. (But that is another thread)

Just one more question.  With this I do not need the block rules anymore?

chris4916

@jetberrocal:

There is a problem using WPAD.  Windows in fact has a flaw design for proxy setting.  It is design to ignore WPAD configurations after some time running in a network without proxy.  Which is mostly every regular PC.

:o :o :o
Who told you this ???

Any source is more than welcome.

WPAD works smoothly with any Windows device, once configured. Trust me and give a try.

jetberrocal

@chris4916:

@jetberrocal:

There is a problem using WPAD.  Windows in fact has a flaw design for proxy setting.  It is design to ignore WPAD configurations after some time running in a network without proxy.  Which is mostly every regular PC.

:o :o :o
Who told you this ???

Any source is more than welcome.

WPAD works smoothly with any Windows device, once configured. Trust me and give a try.

Yes. WPAD works but sometimes have some issues that are really difficult to fix, at least to me.  In fact I could not.

See the following links for the problem and their solutions:
http://kb.k12usa.com/Knowledgebase/Proxy-Auto-Detect-WPAD-Issues-With-IE-Windows-7
http://serverfault.com/questions/54567/internet-explorer-isnt-auto-discovering-http-wpad-wpad-dat-auto-config
https://infratalk.wordpress.com/2011/09/10/troubleshooting-windows-proxy-autodiscovery-wpad/

If you are willing to read the links, will see the problem that I am talking about on this thread.

KOM

IIRC, WPAD will not work if you're serving it from an HTTPS web server.  It must be HTTP.  This means you can't use pfSense to host the file if you have WebGUI running in HTTPS mode.

jetberrocal

@KOM:

IIRC, WPAD will not work if you're serving it from an HTTPS web server.  It must be HTTP.  This means you can't use pfSense to host the file if you have WebGUI running in HTTPS mode.

I am not serving the WPAD file from the pfsense server, but from another internal Web server.

And the wpad file is served alright it is windows that even though it gets the file does not use it. 
It is a design flaw in Windows which is not so easy to overcome.

Instead of banging my head I decided to create a group policy to force the machines in the domain to use the proxy.  But machines that are not in the domain wont get the policy have to rely on wpad process which is flawed.  Some machines refuse to use the wpad file even if they get it.

chris4916

@jetberrocal:

Some machines refuse to use the wpad file even if they get it.

Based on link you provided, beaviour is sliglty different: these machines do not "refuse" to use WPAD. Browser won't even search for WPAD.

e.g. did you check with another browser, just for your knowledge?

jetberrocal

I checked earlier with Chrome but it uses the same proxy configuration as IE.  Firefox I think did the job because it does not share the proxy settings on all options.

But I can not force my clients to use a particular browser.

jetberrocal

@jetberrocal:

@jetberrocal:

@chris4916:

2 - As I previously wrote, configure captive portal (without authentication) and display page explaining that proxy needs to be manually configured. This page will not be reached but in any case, for devices not WPAD aware, this may help

This is an idea that I could try.  I will write down the outcome after trying.

OK.  It worked nicely.  I did not use the default CP page as it includes authentication fields, I loaded a ngnix sample test page and it work as expected

Thank you for the idea. 
I was trying CP with authentication before and it did not work. (But that is another thread)

Just one more question.  With this I do not need the block rules anymore?

I answer my self the block rule question.  I removed them to test and it work without them.