Marc Kean

February 9, 2010

Setting up Proxy .pac files in IIS7 for proxy use

Filed under: Uncategorized — marckean @ 4:33 pm

If you want the clients to connect using an automatic configuration script to connect to your proxy server, which will work if it is accessible, and won’t work from else where, e.g. laptop users at home. If the location (http://pac/proxy.pac) can’t be reached, IE will skip over the script and go direct out to the internet.

image

To setup your proxy .pac file on a Windows Server 2008 server.

  1. Create your proxy.pac file (follow the examples below)
  2. Copy your .pac file to (C:\inetpub\pac) of your IIS server which will host the .pac file
  3. In IIS, right click on sites, choose Add Web Siteimage
  4. Fill in the details as below. Under bindings, the host name is what the site will respond to, for example (http://pac/proxy.pac) if you wanted to use a fully qualified DNS name, e.g. http://pac.domain.local/proxy.pac then after you add this site, edit the bindings of the website to add this second binding.image
  5. Next thing you need to do is edit the MIME types.image
  6. Add in a custom MIME type for the .pac file extention – application/x-ns-proxy-autoconfigimage
  7. You will need to setup a DNS CNAME record so that the hostname pac.domain.local will point to your IIS server.
  8. Last thing you will need to do is setup a group policy for all your users to enforce these settings.

Simple PAC file

function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), “192.168.1.0″, “255.255.255.0″))
return “PROXY 192.168.1.1:8080″;
else
return “DIRECT”;
}

More complex PAC file

function FindProxyForURL(url, host)
{
if (shExpMatch(url, “http://principia.mo.techpaths.com*”)) {
return “DIRECT”;
}
if (isInNet(myIpAddress(), “192.168.1.0″, “255.255.255.0″))
return “PROXY 192.168.1.1:8080″;
else
return “DIRECT”;
}

Complex PAC file

function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = “PROXY 192.168.1.1:8080″;
var proxy_no = “DIRECT”;
if (shExpMatch(url, “http://www.mycompanywebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.myotherwebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.my3rdlocalsite.com*”)) { return proxy_no; }
// Proxy anything else
return proxy_yes;
}

Very complex PAC file


function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = “PROXY 192.168.1.1:8080″;
var proxy_no = “DIRECT”;
if (shExpMatch(url, “http://www.mycompanywebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.myotherwebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.my3rdlocalsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://192.168.1.100*”)) { return proxy_no; }
// Proxy if PC is on local LAN
if (isInNet(myIpAddress(), “192.168.1.0″, “255.255.255.0″))
return “PROXY 192.168.1.1:8080″;
else
return “DIRECT”;
}

This is my favorite one

function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = “PROXY 10.3.4.15:8080″;
var proxy_no = “DIRECT”;
var resolved_ip = dnsResolve(host);

// If a specific URL needs to bypass the proxy then send traffic direct.
if (shExpMatch(url, “*.domain.local*”)) { return proxy_no; }
if (shExpMatch(url, “*.dmshm.local*”)) { return proxy_no; }
if (shExpMatch(url, “*rms.domain.com.au*”)) { return proxy_no; }
if (shExpMatch(url, “*.domain.net.au*”)) { return proxy_no; }
if (isInNet(resolved_ip, “10.0.0.0″,  ”255.0.0.0″)) { return proxy_no; }

// If the source IP is in VIC then send traffic via the proxy
if (isInNet(myIpAddress(), “10.3.0.0″, “255.255.0.0″))return proxy_yes;

// If the source IP is in NSW then send traffic via the proxy
if (isInNet(myIpAddress(), “10.2.0.0″, “255.255.0.0″))return proxy_yes;

// If the proxy fails or the request doesn’t meet any of the above criteria then send the traffic direct
elsereturn “DIRECT”;
}

About these ads

8 Comments »

  1. Hi there,
    Thank you for the article, I was trying to do exactly this before I ran into your article! The only difference is that I am not using the Group Policy Yet.
    My issue is that when when my browser executes the .PAC file I can see the content of it which means that it is working but the file is not being executed (proxy script just doesn’t work). This was working on the old IIS6 windows 2003 webserver and it still does with the same procedure. Does this script needs to be on the same Server as the DNS Cname is pointing to or can this be hosted from another IIS server on the Network? Hope this makes sense. Thank you for your help in advance.

    Comment by Travis — November 13, 2010 @ 4:24 am | Reply

    • Hi Travis, having the CNAME record is only a cosmetic thing, doesn’t change the way proxy PAC files work.

      Once all setup, you should be able to enter the proxy PAC URL into the browser and navigate to it, it should prompt you to download the file.

      As a test, stick the proxy PAC on the C: drive and reference it in the internet settings like this – file://c:/windows/proxy.pac

      Comment by marckean — November 13, 2010 @ 8:53 am | Reply

  2. Hi Marc,

    Your guide works brilliantly, however I seem to be having a problem with the if statement which tries to resolve my local IP address. I can get it to work this way via the hosting guide above:

    function FindProxyForURL(url, host)
    {
    return “PROXY removedforsecuritypurposes:8080; DIRECT”;
    }

    ..so I know its not a configuration issue of hosting the pac file (NB- I can’t go direct out here, it has to be through the proxy and therefore I know its working when web pages are parsed)

    As soon as I try to add some conditional logic so it only applies the proxy based on IP range it just times out. Basically I want it to use the proxy when on the corporate network but to go direct when at home, exactly like your example. It seems to be the part where it checks the local IP when the problem occurs. Any ideas would be greatly appreciated.

    Cheers.

    Comment by Rob Jefferson — September 16, 2011 @ 11:46 pm | Reply

    • Sorry, forgot to turn on the notification of follow-up comments so have done so on this post.

      Comment by Rob Jefferson — September 16, 2011 @ 11:47 pm | Reply

  3. Scratch that, fixed it. Had a single missing ” which made all the difference. Cheers for the rest of the guide though, very helpful indeed.

    Comment by Rob Jefferson — September 16, 2011 @ 11:58 pm | Reply

  4. Thanks for this nice tutorial.

    Comment by Jack — March 29, 2012 @ 1:23 am | Reply

  5. [...] [...]

    Pingback by [IOS] How to get iphone/ipad to view local websites - Page 2 — April 24, 2012 @ 2:04 am | Reply

  6. [...] Setting up Proxy .pac files on IIS7 for proxy use. Please follow this link. [...]

    Pingback by Configuration of .pac “proxy auto-config” with “CCProxy” proxy server on Windows Server – Amir Zalaghi (Amir Z) : Personal Website — November 22, 2012 @ 10:00 pm | Reply


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Theme: Rubric. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 27 other followers

%d bloggers like this: