WPAD using with Windows server 2012r2? (SOLVED)



  • Hi,
    I was wondering if someone could assist me with what I'm doing wrong?

    First, I'm running Windows Server 2012 R2 (192.168.3.253), which handles DHCP and DNS/AD.

    So my pfSense (192.168.3.254) is the gateway with squid+squidguard. Now that I'm leaving transparent proxy I want to implement WPAD.

    I have followed these 3 guides:

    https://forum.pfsense.org/index.php?topic=93060.msg516254#msg516254
    http://blog.ninjatek.co.za/2010/11/proxy-autodetection-using-pac-file-and.html
    https://sites.google.com/a/moh10ly.com/tech/blog/pfsense/block-facebook-on-pfsense

    1. I'm using a program on my Windows Server 2012 R2 called HFS for the WPAD files, and when I do the nslookup it seems that it's getting the wpad; no issue there.

    2. Now that Windows Server is running the DHCP it gets tricky for me, because pfSense lets you put the three 252 strings for wpad.dat, .pac, .da, while Windows Server only lets me put one. So I'm not sure if I'm doing it correctly.

    3. What's odd is that on my Windows server, if I go to wpad.casa.local/wpad.dat I can download the file, or
       http://zeus.casa.local/wpad.dat

    
    So im a bit confused what to do next?
    
    Thank you
    
    ![Clipboarder.2016.01.13-004.png](/public/_imported_attachments_/1/Clipboarder.2016.01.13-004.png)
    ![Clipboarder.2016.01.13-005.png](/public/_imported_attachments_/1/Clipboarder.2016.01.13-005.png)
    ![Clipboarder.2016.01.13-006.png](/public/_imported_attachments_/1/Clipboarder.2016.01.13-006.png)
    ![Clipboarder.2016.01.13-007.png](/public/_imported_attachments_/1/Clipboarder.2016.01.13-007.png)
    ![Clipboarder.2016.01.13-008.png](/public/_imported_attachments_/1/Clipboarder.2016.01.13-008.png)
    ![Clipboarder.2016.01.13-009.png](/public/_imported_attachments_/1/Clipboarder.2016.01.13-009.png)


  • You don't really need the DHCP entry.  As long as wpad.yourdomain.whatever can resolve, you're good.  The web server serving the file must be HTTP from what I understand.  IE and Chrome use the system's Internet Options settings, while Firefox does its own thing.  Make sure Firefox is set to either Auto-detect proxy settings for this network, or Use system proxy settings.  You need at least wpad.dat, and perhaps proxy.pac if you have Macs.  Android doesn't do WPAD, so don't even try.  Create a simple wpad.dat like this and test with that:

    // Send every request to the squid proxy on pfSense (no bypass rules)
    function FindProxyForURL(url,host)
    {
     return "PROXY 192.168.3.254:3128";
    }
    


  • Hi KOM,
    Thank you for the reply. So is the web server (HFS) that I'm using acceptable for this case? Also, I did see the WPAD guide on the pfSense forums; it did mention the DHCP somewhere, but I guess in my case pfSense does not handle DHCP. Also, would it be better to have the web server hosting the .dat, .pac, .da on pfSense?

    Thank you



  • That I'm using is it acceptable for this case?

    Should be, as long as it can serve the wpad.dat file via HTTP.  I've never used it.  The DHCP option 252 is just another way of getting the proxy address to the client.  I find DNS to be more universal since I don't have a lot of DHCP clients on my network.  You can host the file on pfSense as long as you're running it in HTTP mode.  This is how I happen to do it.



  • @KOM:

    You don't really need the DHCP entry.  As long as wpad.yourdomain.whatever can resolve, you're good.

    There is something worth clarifying:

    • WPAD potentially relies on multiple different mechanisms to discover the proxy
    • unfortunately, the RFC is still at the "draft" level; however, if we rely on it, it describes this:
    
    Discovery mechanisms, client side
    
       +-------------------------+--------+----------+
       | Discovery               |        | Document |
       | Mechanism               | Status | Section  |
       +-------------------------+--------+----------+
       | DHCP                    | MUST   | 4.4.1    |
       | SLP                     | SHOULD | 4.4.2    |
       | "Well Known Alias"      | MUST   | 4.4.3    |
       | DNS SRV Records         | SHOULD | 4.4.4    |
       | DNS TXT "service: URLs" | SHOULD | 4.4.5    |
       +-------------------------+--------+----------+
    
    

    Of course, one may decide not to implement everything and even decide to rely only on one single mechanism.
    However, because of the RFC status, I suppose implementation varies from one browser to another, and deciding to implement only the "well known alias" would mean not allowing browsers that don't implement it to benefit from WPAD.

    At least this is how I understand this.
    Furthermore, pushing DHCP option 252 is quite easy and painless.

    @killmasta93

    I'm still trying to understand what the problem is  :-[
    I'm running something very similar to your configuration: the DHCP server for the LAN is not pfSense. Same for DNS, BTW. So my internal DNS/DHCP server is pushing both DHCP option 252 and well known alias information (as well as TXT and SRV records, BTW) and it works pretty well so far.
    I have to say that all devices on my network are using DHCP, except the DHCP server itself, obviously.

    I don't understand why you want to push more than one option 252. Could you please clarify this?

    My first advice would be to drop Microsoft  ;D ;D ;D :-X



  • Hi Chris,
    Thank you for the reply,

    So I dropped the HFS server and put the wpad.dat, wpad.da, and proxy.pac on pfSense in /usr/local/www/
    Also changed the pfSense webgui to http

    Each of the 3 files contains this code:

    function FindProxyForURL(url, host) {
        // Go direct for unqualified names, anything under .local, and hosts
        // resolving into the 192.168.3.0/24 LAN; everything else via squid
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "192.168.3.0",  "255.255.255.0"))
            return "DIRECT";
    
        return "PROXY 192.168.3.254:3128";
    }
    

    Now since I changed it to pfSense I think it's working, as I can see squidguard blocking twitter on 443, but a few questions:

    1. Are the LAN rules correct?
    2. Will there be any slow navigation speed? And if someone else connects to the network, do they have to change to "auto detect proxy settings"?
    3. I got Firefox to work, but out of curiosity, how come Internet Explorer does not (even though no one uses it)? (Have yet to try Chrome.)
    4. Would it be possible, instead of showing "page cannot be found", to redirect to the blocked page as if it was http?

    New pictures

    Thank you
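    An added test harness (not code from the thread, pfSense or the poster) that re-implements the helper functions a browser hands to a PAC script and stubs dnsResolve with a constructed lookup table, so the FindProxyForURL logic posted above can be exercised offline before it is deployed. The hostnames and addresses in FAKE_DNS are constructed for the example.

```javascript
// Constructed resolver table standing in for real DNS.
const FAKE_DNS = {
  "zeus.casa.local": "192.168.3.253",
  "fileserver.casa.local": "192.168.3.20",
  "example.com": "203.0.113.10", // documentation-range address, constructed
};

function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // IP literal
  return FAKE_DNS[host] || null; // browsers return null on a failed lookup
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Shell-style glob: '*' matches any run of characters, '?' exactly one.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

function isInNet(ip, net, mask) {
  if (!ip) return false; // an unresolvable host is not treated as local
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// The PAC logic exactly as posted in the thread. Every host that is neither
// plain nor *.local costs the client a DNS lookup via dnsResolve before the
// proxy decision is made; that is the usual source of PAC latency.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "192.168.3.0", "255.255.255.0"))
    return "DIRECT";
  return "PROXY 192.168.3.254:3128";
}
```

    Running it shows that an https URL such as https://twitter.com/ is returned to the proxy just like http, which is why squidguard can now act on port 443 traffic.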



  • EDIT: had to edit my firewall rules; it was blocking email on Outlook




  • I don't like the idea of running the pfSense web interface on HTTP instead of HTTPS  :-\

    Something, at least to me, better could be to run an alternate web server instance, like described here, e.g.
    However, the way this instance, in this example, is launched is perhaps not the best idea compared to rc.d

    Or you could run DHCP from pfSense if your current infrastructure doesn't allow pushing option 252, and still keep the HTTP server exposing proxy.pac elsewhere  ;)



  • Hi Chris,
    Thank you for the reply,

    I guess it's working right now with the 252 wpad.dat on the Windows server; I have managed to block the sites (https), no issue there. Now for the other .da and proxy.pac, how come other tutorials show pfSense having those 3 on the DHCP?

    Also I was reading the guide and there was a part that did interest me:

    To catch any PCs which aren't configured with 'auto configure' in their settings, you could implement a port forward for any traffic directed at port 80 to 3128

    Does this mean that if the user does not configure auto proxy on Firefox it would grab it automatically with "use system settings"?

    True, I prefer using pfSense https, but in the guide of aGeekHere https://forum.pfsense.org/index.php?topic=93060.msg516254#msg516254

    he does mention it's "set pfsense Protocol to http (This is a MUST, it will not work if you do not do this)"

    Everything is great but I guess I don't really understand the

    WPAD.da and proxy.pac; where would that come in? I do prefer Windows Server to handle the DHCP, but because I can only use the WPAD.dat on the server options.

    Even though KOM did say

    The DHCP option 252 is just another way of getting the proxy address to the client.  I find DNS to be more universal since I don't have a lot of DHCP clients on my network.

    I would guess it's not necessary?

    Thank you



  • There is no WPAD RFC but only a draft (as far as I know).
    As a result, implementation is not very consistent and varies from one OS or browser to another; thus your own implementation really depends on your landscape.

    If you don't really know what will connect to your network, I do believe that offering at least both DHCP and well-known alias mechanisms is the very minimum.
    This step describes how to find your proxy server.
    The next step is to read proxy.pac, which is the file describing how and when to use the proxy service.

    Here again, implementation varies.
    Some browsers look for wpad.dat or wpad.da or even proxy.pac (which is the initial name, even without any willingness to implement any automatic mechanism).
    Because of this, here again, I strongly suggest serving, from your web server, the same file exposed under different aliases (logical links) so that you ensure wide coverage.

    What you describe in terms of port redirection is no more than a kind of transparent proxy. Notice that Squid could be configured to support both explicit and transparent proxy, but as I really don't like transparent proxy and never use it, I can't really comment about this.

    Sorry for my poor and broken English, but I don't even understand this sentence:

    I do prefer windows server to handle the DHCP but because I can only use the WPAD.dat on the server options.



  • Hi Chris,
    Thank you again for the reply and sorry for asking too many questions, as I am new to WPAD. I have been using transparent proxy for a while; it was decent and I never had an issue, but because these days everything is HTTPS I was thinking to make the change.

    The part where I said

    I do prefer windows server to handle the DHCP but because I can only use the WPAD.dat on the server options.

    Well, in theory, when setting up an AD environment I have been told that Windows Server handles DHCP and DNS while everything else could be handled by other services (pfSense). When I said Server options, it's the part where I have the 252 string on the DHCP service on the Windows server; as you can see in the photo, I can only host the WPAD.dat, while in other guides pfSense hosts WPAD.dat, WPAD.da, Proxy.pac. But because in my case I have DHCP disabled on the pfSense LAN.

    The good thing about my network is that only laptops and CPUs with Windows 8 or 7 connect on the LAN; the rest connect through the guest VLAN. The only thing I would hate is configuring the settings on each computer in Firefox or Chrome to auto detect the proxy :( The rest seems to be fine.

    So I guess Firefox looks for the WPAD.dat rather than the WPAD.da or the proxy.pac? But shouldn't DHCP force the client to use the WPAD automatically without changing any settings in Firefox?

    Thank you again for your response :)

    EDIT: just tried it on Chrome, works perfectly without changing any settings… well, this is awkward on Firefox




  • I'm not sure one can push, through DHCP, more than one single "252 option".
    I never tried and don't understand how this would work.
    All in sequence? Random?

    The wpad.dat vs. wpad.da is, as far as I understand, only related to the well known alias mechanism.

    With the DHCP mechanism, you push the full URL pointing to your proxy.pac file (whatever its name).
    With the Well Known Alias mechanism, you don't have any choice and this is a two-step approach:

    • the first one is related to domain and search domain: using DNS, the goal is to resolve wpad.your_search_domain
    • the second step is to look at… at this stage, it depends. Some implementations look for wpad.dat, some others for wpad.da

    This means that DHCP option 252 requires only one single value.
    Same for DNS, BTW: be sure that your DNS resolves one of the FQDNs up to "wpad"
    Dealing with wpad.dat and wpad.da (and proxy.pac) is done at the web server level (and I achieve this with logical links so that I maintain only one single file)

    At least this is my understanding, but I might be wrong  ;)



  • Hi Chris,

    Thank you for the reply. So far everything is great on blocking, but not sure if you have issues with your email and antivirus? Because of blocking 443 the antivirus cannot seem to update, and one of my emails (GoDaddy Exchange) uses port 443. Would it be possible to create an invert rule?

    Thank you



  • @killmasta93:

    …/...but not sure if you have issues with your Email And antivirus? Because of blocking 443 the antivirus cannot seem to update and one of my Emails (godaddy exchange) uses the port 443 would it be possible to create a invert rule?

    So the topic changes  ;)
    We assume the WPAD stuff is clear now and the question is about proxy access control and filtering.
    Regarding this, your question is not clear to me (sorry): what do you mean exactly?
    You have configured the proxy (Squid + Squidguard) and wonder how to manage a white-list, or do you face a different problem?



  • Hi Chris,

    Thank you for the reply. Sorry, I will start a new topic :) a forum mod will scold me  :(

    Thank you again.



  • @killmasta93:

    1. Would it be possible instead of showing page cannot be found to redirect it to the blocked page as if it was http?

    Is there any possibility to block https using ext redirect as well? The filter works fine, but I'd like to get the same message using either http or https.

    Thank you!

    Martin



  • Wow, how the time passed; posting this more than a year ago :0

    Well, I tried the redirect URL but I just gave up, and when a user can't get into a website they notify me and I fix it.