Marc Kean

February 9, 2010

Setting up Proxy .pac files in IIS7 for proxy use

Filed under: Computers and Internet,Uncategorized — marckean @ 4:33 pm

If you want the clients to connect using an automatic configuration script to connect to your proxy server, which will work if it is accessible, and won’t work from else where, e.g. laptop users at home. If the location (http://pac/proxy.pac) can’t be reached, IE will skip over the script and go direct out to the internet.

image

To setup your proxy .pac file on a Windows Server 2008 server.

  1. Create your proxy.pac file (follow the examples below)
  2. Copy your .pac file to (C:\inetpub\pac) of your IIS server which will host the .pac file
  3. In IIS, right click on sites, choose Add Web Siteimage
  4. Fill in the details as below. Under bindings, the host name is what the site will respond to, for example (http://pac/proxy.pac) if you wanted to use a fully qualified DNS name, e.g. http://pac.domain.local/proxy.pac then after you add this site, edit the bindings of the website to add this second binding.image
  5. Next thing you need to do is edit the MIME types.image
  6. Add in a custom MIME type for the .pac file extention – application/x-ns-proxy-autoconfigimage
  7. You will need to setup a DNS CNAME record so that the hostname pac.domain.local will point to your IIS server.
  8. Last thing you will need to do is setup a group policy for all your users to enforce these settings.

Simple PAC file

function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), “192.168.1.0”, “255.255.255.0”))
return “PROXY 192.168.1.1:8080″;
else
return “DIRECT”;
}

More complex PAC file

function FindProxyForURL(url, host)
{
if (shExpMatch(url, “http://principia.mo.techpaths.com*”)) {
return “DIRECT”;
}
if (isInNet(myIpAddress(), “192.168.1.0”, “255.255.255.0”))
return “PROXY 192.168.1.1:8080″;
else
return “DIRECT”;
}

Complex PAC file

function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = “PROXY 192.168.1.1:8080″;
var proxy_no = “DIRECT”;
if (shExpMatch(url, “http://www.mycompanywebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.myotherwebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.my3rdlocalsite.com*”)) { return proxy_no; }
// Proxy anything else
return proxy_yes;
}

Very complex PAC file


function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = “PROXY 192.168.1.1:8080″;
var proxy_no = “DIRECT”;
if (shExpMatch(url, “http://www.mycompanywebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.myotherwebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.my3rdlocalsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://192.168.1.100*”)) { return proxy_no; }
// Proxy if PC is on local LAN
if (isInNet(myIpAddress(), “192.168.1.0”, “255.255.255.0”))
return “PROXY 192.168.1.1:8080″;
else
return “DIRECT”;
}

This is my favorite one

function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = “PROXY 10.3.4.15:8080″;
var proxy_no = “DIRECT”;
var resolved_ip = dnsResolve(host);

// If a specific URL needs to bypass the proxy then send traffic direct.
if (shExpMatch(url, “*.domain.local*”)) { return proxy_no; }
if (shExpMatch(url, “*.dmshm.local*”)) { return proxy_no; }
if (shExpMatch(url, “*rms.domain.com.au*”)) { return proxy_no; }
if (shExpMatch(url, “*.domain.net.au*”)) { return proxy_no; }
if (isInNet(resolved_ip, “10.0.0.0”,  “255.0.0.0”)) { return proxy_no; }

// If the source IP is in VIC then send traffic via the proxy
if (isInNet(myIpAddress(), “10.3.0.0”, “255.255.0.0”))return proxy_yes;

// If the source IP is in NSW then send traffic via the proxy
if (isInNet(myIpAddress(), “10.2.0.0”, “255.255.0.0”))return proxy_yes;

// If the proxy fails or the request doesn’t meet any of the above criteria then send the traffic direct
elsereturn “DIRECT”;
}

18 Comments »

  1. Hi there,
    Thank you for the article, I was trying to do exactly this before I ran into your article! The only difference is that I am not using the Group Policy Yet.
    My issue is that when when my browser executes the .PAC file I can see the content of it which means that it is working but the file is not being executed (proxy script just doesn’t work). This was working on the old IIS6 windows 2003 webserver and it still does with the same procedure. Does this script needs to be on the same Server as the DNS Cname is pointing to or can this be hosted from another IIS server on the Network? Hope this makes sense. Thank you for your help in advance.

    Comment by Travis — November 13, 2010 @ 4:24 am | Reply

    • Hi Travis, having the CNAME record is only a cosmetic thing, doesn’t change the way proxy PAC files work.

      Once all setup, you should be able to enter the proxy PAC URL into the browser and navigate to it, it should prompt you to download the file.

      As a test, stick the proxy PAC on the C: drive and reference it in the internet settings like this – file://c:/windows/proxy.pac

      Comment by marckean — November 13, 2010 @ 8:53 am | Reply

  2. Hi Marc,

    Your guide works brilliantly, however I seem to be having a problem with the if statement which tries to resolve my local IP address. I can get it to work this way via the hosting guide above:

    function FindProxyForURL(url, host)
    {
    return “PROXY removedforsecuritypurposes:8080; DIRECT”;
    }

    ..so I know its not a configuration issue of hosting the pac file (NB- I can’t go direct out here, it has to be through the proxy and therefore I know its working when web pages are parsed)

    As soon as I try to add some conditional logic so it only applies the proxy based on IP range it just times out. Basically I want it to use the proxy when on the corporate network but to go direct when at home, exactly like your example. It seems to be the part where it checks the local IP when the problem occurs. Any ideas would be greatly appreciated.

    Cheers.

    Comment by Rob Jefferson — September 16, 2011 @ 11:46 pm | Reply

    • Sorry, forgot to turn on the notification of follow-up comments so have done so on this post.

      Comment by Rob Jefferson — September 16, 2011 @ 11:47 pm | Reply

  3. Scratch that, fixed it. Had a single missing ” which made all the difference. Cheers for the rest of the guide though, very helpful indeed.

    Comment by Rob Jefferson — September 16, 2011 @ 11:58 pm | Reply

  4. Thanks for this nice tutorial.

    Comment by Jack — March 29, 2012 @ 1:23 am | Reply

  5. [...] [...]

    Pingback by [IOS] How to get iphone/ipad to view local websites - Page 2 — April 24, 2012 @ 2:04 am | Reply

  6. [...] Setting up Proxy .pac files on IIS7 for proxy use. Please follow this link. [...]

    Pingback by Configuration of .pac “proxy auto-config” with “CCProxy” proxy server on Windows Server – Amir Zalaghi (Amir Z) : Personal Website — November 22, 2012 @ 10:00 pm | Reply

  7. […] Source: http://marckean.wordpress.com/2010/02/09/setting-up-proxy-pac-files-in-iis7-for-proxy-use/ […]

    Pingback by Setting up Proxy .pac files in IIS7 for proxy use | SysadminRay — June 5, 2013 @ 12:19 pm | Reply

  8. I blog quite often and I really appreciate your information.
    The article has really peaked my interest. I will bookmark your blog and
    keep checking for new information about once a week.

    I subscribed to your RSS feed too.

    Comment by proxy kat — June 14, 2013 @ 3:01 am | Reply

  9. […] This pac uses Embc Openhive for all traffic except https but then uses https just for Openhive. Also excludes local traffic from proxy eg WebDAV or local web intranet traffic Modify host name , change 10.2.*.* to your local ip range proxy if not on Openhive. Call file proxy.pac or .dat if using local web server remember to add mime type:- application/x-ns-proxy-autoconfig (as found here http://marckean.wordpress.com/2010/02/09/setting-up-proxy-pac-files-in-iis7-for-proxy-use/) […]

    Pingback by PAC file proxy | satdxsatdx — July 1, 2013 @ 11:44 am | Reply

  10. After I initially left a comment I seem to have clicked on the -Notify me when new comments are
    added- checkbox and now every time a comment is added I get 4 emails
    with the exact same comment. There has to be an easy
    method you can remove me from that service?
    Thanks!

    Comment by voteforthegirls.us — July 4, 2013 @ 2:31 am | Reply

  11. Do you have to configure any security settings on the pac folder for this to work?

    Comment by Robert Jemiolo — October 22, 2013 @ 2:47 am | Reply

  12. Man, seriously i’m hopeless because i dont have any idea about web server.
    I have followed the instruction above, when i try to browse the website, it is stated that “this page cannot be displayed, make sure http://pac is correct address”
    my socks is 192.168.55.1:1080.
    can anyone help me here?

    Comment by Vollsterndich — October 30, 2013 @ 2:24 am | Reply

  13. […] Setting up Proxy .pac files in IIS7 for proxy use | Marc Kean. […]

    Pingback by Setting up Proxy .pac files in IIS7 for proxy use | Marc Kean | #Total ICTS — January 4, 2014 @ 9:07 am | Reply

  14. To furnish your home with all beautiful items, buy home decor
    online at a great deal on festivals and other seasons.
    Each season has a cycle of what is “hot” and what is “not”.

    Many are dedicated to their respective work and profession just to fulfill that goal.

    Comment by Ulrich — July 3, 2014 @ 2:04 pm | Reply

  15. These are inn fact fantastic ideas in this post.
    You hage touched on some interesting points here.
    Keepp up the writing!

    Comment by kreativeplace — August 6, 2014 @ 12:30 pm | Reply

  16. Really enjoyed reading ur blog. ddcfkafkdgdd

    Comment by Johnd367 — August 17, 2014 @ 12:17 pm | Reply


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 67 other followers

%d bloggers like this: