Distributing Proxy PAC using GPO (Active Directory)

To totally unlock this section you need to Log-in

If your organization uses Active Directory and Internet Explorer, Google Chrome, Safari or Firefox, you can use the Active Directory Group Policy Object (GPO) feature to distribute the PAC file URL to all devices in your organization.

When you configure Internet Explorer to use a PAC file, Google Chrome, Opera, and Safari use the same PAC file configuration as well. Firefox requires a separate configuration. To use GPO to distribute the PAC file URL to Firefox browsers, download the GPO for Firefox add-on.

A Proxy Auto-Configuration (PAC) file is a JavaScript function definition that determines whether web browser requests (HTTP, HTTPS, and FTP) go direct to the destination or are forwarded to a web proxy server.

A PAC file is a JavaScript function definition for FindProxyForURL(url, host). The complexity of the function varies with the requirements of each organization.

A PAC file is:

  • Flexible and extensible.
  • Supported by all popular browsers.
  • Easy to administer and maintain in any size network; however, as this paper explains, PAC files are easiest to administer when the browser is Internet Explorer.
  • Able to support mobile devices that use standard browsers.

A PAC file can:

  • Be stored on any server in your network. Small networks may store the file on the proxy itself, but large, enterprise-class networks should use a separate server for storing the PAC file.
  • Determine where Internet and intranet requests are routed.
  • Allow for exceptions in the form of bypassing the proxy for specified destinations.
  • Perform load distribution.
  • Handle proxy failover.

PAC files are used to support explicit proxy deployments in which client browsers are explicitly configured to send traffic to the web proxy. The big advantage of PAC files is that they are usually relatively easy to create and maintain.

It is important from an organizational security perspective that end users be prohibited from installing unapproved applications on their computers. Without such restrictions, users could install alternate browsers in an attempt to circumvent PAC controls.

Within the organizational perimeter, by application of appropriate firewall rules, users should be forced to browse through the designated proxy server(s) only.

Using GPO to Deploy PAC Files

The following procedure describes how to create a new GPO to distribute a PAC file URL to devices in your organization. It assumes that the Group Policy Management Console (GPMC) is installed. For information on Active Directory GPO and GPMC, refer to the Windows Active Directory and GPMC documentation.

To create a new GPO and distribute the PAC file URL:

  • Log in to the Active Directory server as the Administrator.
  • Open the GPMC.
  • In the Group Policy management tree, navigate to the domain or Organization Unit to which you are applying the GPO.
  • Right-click the domain or OU and select Create a GPO in this domain, and Link it here….
  • In the New GPO dialog, enter a name and leave the Source Starter GPO field blank.
  • Click OK to exit the dialog box.
  • Expand the Group Policy Objects item, select the newly created GPO, right-click and select Edit.
  • Depending on whether you are applying the GPO to computers or users, expand either Computer Configuration or User Configuration.
  • Navigate to Policies > Windows Settings > Internet Explorer Maintenance > Connection, and then double-click Automatic Browser Configuration.

In the Automatic Browser Configuration dialog, do the following and click OK:

  1. Select Enable Automatic Configuration.
  2. In the Automatic proxy URL field, enter the URL of the PAC file.
  3. In the following example, the a default PAC file is specified.

Distributing Proxy PAC using GPO (Active Directory)

You can use the Group Policy Results wizard to verify the policy settings of the users or computers in the domain.

Using GPO to Enforce the PAC File Setting

You can enforce the PAC File setting so your users will not be able to change it even when they’re logged in as Administrator.

To enforce the PAC file setting:

  • Open the GPMC.
  • In the Group Policy management tree, navigate to the domain or Organization Unit to which you applied the GPO.
  • Expand the Group Policy Objects item, select the newly created GPO, right-click and select Edit.
  • Go to User Configuration > Policies > Administrative Template > Windows Components > Internet Explorer.
  • From the list of settings on the right panel double click Disable changing Automatic Configuration settings.

Distributing Proxy PAC using GPO (Active Directory)

When the dialog appears, click Enabled and OK.

Distributing Proxy PAC using GPO (Active Directory)

From the list of settings on the right panel, double-click Disable changing proxy settings, and when its dialog appears, click Enabled and OK.

Distributing Proxy PAC using GPO (Active Directory)

After this change the user will not be able to change the proxy setting.

Distributing Proxy PAC using GPO (Active Directory)

Depending on your authentication configuration, your users will have to log in to the service at least once before the service can start protecting their web traffic. If a user logs into a captive portal, such as Starbucks or McDonald’s, the user must close the browser and open it again to reload the PAC file. The browser tries to fetch the PAC file only when there is a PAC URL timeout.