If you want the clients to connect using an automatic configuration script to connect to your proxy server, which will work if it is accessible, and won’t work from else where, e.g. laptop users at home. If the location (http://pac/proxy.pac) can’t be reached, IE will skip over the script and go direct out to the internet.
To setup your proxy .pac file on a Windows Server 2008 server.
- Create your proxy.pac file (follow the examples below)
- Copy your .pac file to (C:\inetpub\pac) of your IIS server which will host the .pac file
- In IIS, right click on sites, choose Add Web Site
- Fill in the details as below. Under bindings, the host name is what the site will respond to, for example (http://pac/proxy.pac) if you wanted to use a fully qualified DNS name, e.g. http://pac.domain.local/proxy.pac then after you add this site, edit the bindings of the website to add this second binding.
- Next thing you need to do is edit the MIME types.
- Add in a custom MIME type for the .pac file extention – application/x-ns-proxy-autoconfig
- You will need to setup a DNS CNAME record so that the hostname pac.domain.local will point to your IIS server.
- Last thing you will need to do is setup a group policy for all your users to enforce these settings.
Simple PAC file
function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "DIRECT";
}
More complex PAC file
function FindProxyForURL(url, host)
{
if (shExpMatch(url, "http://principia.mo.techpaths.com*")) {
return "DIRECT";
}
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "DIRECT";
}
Complex PAC file
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = "PROXY 192.168.1.1:8080";
var proxy_no = "DIRECT";
if (shExpMatch(url, "http://www.mycompanywebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.myotherwebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.my3rdlocalsite.com*")) { return proxy_no; }
// Proxy anything else
return proxy_yes;
}
Very Complex PAC file
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = "PROXY 192.168.1.1:8080";
var proxy_no = "DIRECT";
if (shExpMatch(url, "http://www.mycompanywebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.myotherwebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://www.my3rdlocalsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://192.168.1.100*")) { return proxy_no; }
// Proxy if PC is on local LAN
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "DIRECT";
}
This is my favorite one
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = "PROXY 10.3.4.15:8080";
var proxy_no = "DIRECT";
var resolved_ip = dnsResolve(host);
// If a specific URL needs to bypass the proxy then send traffic direct.
if (shExpMatch(url, "*.domain.local*")) { return proxy_no; }
if (shExpMatch(url, "*.dmshm.local*")) { return proxy_no; }
if (shExpMatch(url, "*rms.domain.com.au*")) { return proxy_no; }
if (shExpMatch(url, "*.domain.net.au*")) { return proxy_no; }
if (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0")) { return proxy_no; }
// If the source IP is in VIC then send traffic via the proxy
if (isInNet(myIpAddress(), "10.3.0.0", "255.255.0.0"))return proxy_yes;
// If the source IP is in NSW then send traffic via the proxy
if (isInNet(myIpAddress(), "10.2.0.0", "255.255.0.0"))return proxy_yes;
// If the proxy fails or the request doesn't meet any of the above criteria then send the traffic direct
elsereturn "DIRECT";
}
Marc Kean 
Hi there,
Thank you for the article, I was trying to do exactly this before I ran into your article! The only difference is that I am not using the Group Policy Yet.
My issue is that when when my browser executes the .PAC file I can see the content of it which means that it is working but the file is not being executed (proxy script just doesn’t work). This was working on the old IIS6 windows 2003 webserver and it still does with the same procedure. Does this script needs to be on the same Server as the DNS Cname is pointing to or can this be hosted from another IIS server on the Network? Hope this makes sense. Thank you for your help in advance.
Hi Travis, having the CNAME record is only a cosmetic thing, doesn’t change the way proxy PAC files work.
Once all setup, you should be able to enter the proxy PAC URL into the browser and navigate to it, it should prompt you to download the file.
As a test, stick the proxy PAC on the C: drive and reference it in the internet settings like this – file://c:/windows/proxy.pac
Hi Marc,
Your guide works brilliantly, however I seem to be having a problem with the if statement which tries to resolve my local IP address. I can get it to work this way via the hosting guide above:
function FindProxyForURL(url, host)
{
return “PROXY removedforsecuritypurposes:8080; DIRECT”;
}
..so I know its not a configuration issue of hosting the pac file (NB- I can’t go direct out here, it has to be through the proxy and therefore I know its working when web pages are parsed)
As soon as I try to add some conditional logic so it only applies the proxy based on IP range it just times out. Basically I want it to use the proxy when on the corporate network but to go direct when at home, exactly like your example. It seems to be the part where it checks the local IP when the problem occurs. Any ideas would be greatly appreciated.
Cheers.
Sorry, forgot to turn on the notification of follow-up comments so have done so on this post.
Scratch that, fixed it. Had a single missing ” which made all the difference. Cheers for the rest of the guide though, very helpful indeed.
Thanks for this nice tutorial.
[…] […]
[…] Setting up Proxy .pac files on IIS7 for proxy use. Please follow this link. […]
[…] Source: https://marckean.wordpress.com/2010/02/09/setting-up-proxy-pac-files-in-iis7-for-proxy-use/ […]
I blog quite often and I really appreciate your information.
The article has really peaked my interest. I will bookmark your blog and
keep checking for new information about once a week.
I subscribed to your RSS feed too.
[…] This pac uses Embc Openhive for all traffic except https but then uses https just for Openhive. Also excludes local traffic from proxy eg WebDAV or local web intranet traffic Modify host name , change 10.2.*.* to your local ip range proxy if not on Openhive. Call file proxy.pac or .dat if using local web server remember to add mime type:- application/x-ns-proxy-autoconfig (as found here https://marckean.wordpress.com/2010/02/09/setting-up-proxy-pac-files-in-iis7-for-proxy-use/) […]
After I initially left a comment I seem to have clicked on the -Notify me when new comments are
added- checkbox and now every time a comment is added I get 4 emails
with the exact same comment. There has to be an easy
method you can remove me from that service?
Thanks!
Do you have to configure any security settings on the pac folder for this to work?
Man, seriously i’m hopeless because i dont have any idea about web server.
I have followed the instruction above, when i try to browse the website, it is stated that “this page cannot be displayed, make sure http://pac is correct address”
my socks is 192.168.55.1:1080.
can anyone help me here?
[…] Setting up Proxy .pac files in IIS7 for proxy use | Marc Kean. […]
To furnish your home with all beautiful items, buy home decor
online at a great deal on festivals and other seasons.
Each season has a cycle of what is “hot” and what is “not”.
Many are dedicated to their respective work and profession just to fulfill that goal.
These are inn fact fantastic ideas in this post.
You hage touched on some interesting points here.
Keepp up the writing!
Really enjoyed reading ur blog. ddcfkafkdgdd
Hi,
I was wondering what is VIC and NSW?
Short for Victoria and NSW, states in Australia
[…] Quelle: marckean.com […]