Defining / Locking and Managing Proxy Settings

KB ID 0000181 

Problem

If you have a proxy server at your corporate/home location, then there are a few methods you can use to ensure that your clients use it. Before you start running through this, remember that if you have a proxy server then it’s common sense that your firewall/router will block web access for your clients, and only allow the proxy server (and any other servers/machines that need direct web access) out. If you are forcing your users out through one machine, whether for caching, URL filtering, monitoring usage, or just because it’s part of your corporate security strategy, then locking down Internet access around the proxy server should be your first consideration.

Once that’s done you can install your proxy and deploy the settings to the client PCs.

Solution

How you do this depends on your circumstances.

It’s a single stand alone machine. (Option 1)

To manually configure one machine, simply open Internet Explorer (other browsers are also available) > Tools > Internet Options > Connections > Tick Use a proxy server for your LAN > Enter the IP address of the proxy server > Enter the port number > Tick Bypass proxy server for local addresses (if you have web servers on your local network) > OK > OK > Restart Internet Explorer.


It’s a single stand alone machine. (Option 2)

Optionally you can set the proxy with local policy – this is preferable if lots of people use the same computer and you don’t want to configure each user separately. Click start > In the search/run box type gpedit.msc {enter}


The Group Policy Editor window will open > Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings.


Double click proxy settings > Tick Enable Proxy settings > Enter the IP address(es) > Enter the Port(s) > Tick Do not use proxy server for local (intranet) addresses, (If you have web servers on your local network). > Apply > OK > Close the policy editor > Reboot. (or run gpupdate /force).

Note: Using this method a technically savvy user can simply get into the settings and change them in the browser – to stop this happening you can hide the tab that displays the proxy settings.

It’s a single stand alone machine. (Option 3)

You can also set the proxy options by directly editing the registry (Warning editing the registry can cause earthquakes and lead to teenage pregnancy!). Click start > In the search/run box type regedit {enter}.


Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings. The values that look after your proxy settings are:

ProxyEnable: set 0 for disabled and 1 for enabled.
ProxyOverride: set <local> for bypass proxy for local addresses (Note: you can also add domains, separated by a semicolon ; that you don’t want to use the proxy for).
ProxyServer: sets the IP address and port, i.e. 192.168.99.1:808 (Note: this setting WON’T BE THERE if there’s never been a proxy set; you will need to create it as a new string value (REG_SZ)).


Or you can simply run the following .reg file

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyOverride"=""
"ProxyServer"="192.168.99.1:808"

It’s On a Network with DHCP

You can lease proxy settings with your DHCP scope; it’s known as DHCP option 252.

To add option 252 to a Server 2008 DHCP scope, on the server click Start > Administrative Tools > DHCP > Expand your server name > Right click IPv4 > Select Set Predefined Options.


In the Predefined Options and Values dialog box, click Add > In Name, type WPAD > In Code, type 252 > In Data type, select String, and then click OK > In String, type http://192.168.99.1:808/wpad.dat (change as appropriate).


Then you need to add that option to your existing scope > Expand the scope > Right click Server Options > Select Configure Options > Advanced > Scroll down to option 252 and select it > Apply > OK.


Now you need to create a wpad.dat file (simply create it in notepad) and serve it from the URL you entered above.

Sample wpad.dat file (simply change the URLs and port numbers as applicable).

function FindProxyForURL(url, host)
{
    // variable strings to return
    var proxy_yes = "PROXY 192.168.99.1:808";
    var proxy_no = "DIRECT";

    // Sites that should bypass the proxy
    if (shExpMatch(url, "http://www.petenetlive.com*")) { return proxy_no; }
    if (shExpMatch(url, "http://www.dont_want_to_proxy.com*")) { return proxy_no; }
    if (shExpMatch(url, "http://192.168.99.5*")) { return proxy_no; }
    if (shExpMatch(url, "https://subdomain.dont_want_to_proxy.com*")) { return proxy_no; }

    // Proxy if PC is on local LAN (return the variable, not the quoted name)
    if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0"))
        return proxy_yes;
    else
        return proxy_no;
}

Once that’s done you need to allow .dat as a MIME extension on your IIS Server > Start > Administrative Tools > Internet Information Services (IIS) Manager > Select the server name > Select MIME Types.

In the right hand column > Click Add > Put in the file extension as .dat and the MIME Type as “application/x-ns-proxy-autoconfig” > OK.


Then either reboot or run “iisreset /restart”.

It’s on a Windows Domain

You can set the proxy settings for your USERS (Note: it’s a user policy so it CAN’T be applied to computers). On your server click Start > Administrative Tools > Group Policy Management > Right click your domain (if you want the policy to apply at domain level) > Select Create a GPO in this domain and link it here > Give it a sensible name > OK.


Right Click your new Policy and select Edit > Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings.

Note: In modern domains this policy has been removed, see the following article;

Managing IE Settings via GPO


Double click proxy settings > Tick Enable Proxy settings > Enter the IP address(es) > Enter the Port(s) > Tick “Do not use proxy server for local (intranet) addresses”, (If you have web servers on your local network). > Apply > OK > Close the policy editor > Reboot. (or run gpupdate /force).

Note: Using this method a technically savvy user can simply get into the settings and change them in the browser – to stop this happening you can hide the tab that displays the proxy settings.

 

My Users complain that their Laptops don’t work when they go home since I set the proxy?

Well, that’s to be expected. While at home they can’t see your proxy server. Some companies like this, as it stops their users surfing the Internet from their home Internet connection. For other people this is a big problem, and there are essentially three ways to solve it. 1) Send out your proxy settings via DHCP; then while your users are offsite they won’t get any proxy settings (see above). 2) Feel free to use the script I wrote (below); this can be applied via policy (local or domain), or simply put in the Startup folder of your users’ laptops. 3) Use a “Proxy.pac” file to autoconfigure the clients’ proxy settings.

How it works: It pings an IP address on your corporate network that is always on (in this case the router). If it gets a reply, the machine must be on the corporate network, so it enables the proxy server. If it gets no reply, the machine must not be connected to the corporate network, so it turns off the proxy server.

::-----------------------Begin Script------------------------------------
@ECHO OFF
:: Check LAN connectivity

PING 192.168.99.254 | FIND "TTL" > NUL
IF NOT ERRORLEVEL 1 GOTO ON_LAN
GOTO OFF_LAN

:ON_LAN
::**************Proxy ON**************

:: Enable the proxy server (ticks the box "Use a proxy server for your LAN...")
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f

:: Set the proxy (fills in the Address and Port values)
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "192.168.99.1:808" /f

:: Set the "Bypass proxy server for local addresses" option (<local> ticks the box); each subsequent entry is an additional domain to bypass
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d "<local>;*.local;www.dontproxy.com" /f

GOTO END

:OFF_LAN
::**************Proxy OFF**************

:: Disable the proxy server (unticks the box)
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

:END
::-----------------------End Script------------------------------------

Or to use a proxy.pac file

1. Create a file on your PC in Notepad and call it proxy.pac. Change the relevant network details, proxy IP address, and port number from the example below.

function FindProxyForURL(url, host)
{
    if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0"))
        return "PROXY 192.168.99.1:808";
    else
        return "DIRECT";
}

2. Save the file in your C:\windows\system32 directory.

3. On the client open Internet Explorer > Tools > Options > Connections > LAN Settings > Tick “Use an automatic configuration script” and enter the following

file://c:/windows/system32/proxy.pac

Note: this can be done with a registry file see below.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="file://c:/windows/system32/proxy.pac"

Note: This can be set in policy as well. The policy lives in User Configuration > Windows Settings > Internet Explorer Maintenance > Automatic Browser Configuration > Configure as below.

[Screenshot: GPO proxy]
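An offline check for wpad.dat and proxy.pac files like the two samples on this page, added here as an example and not part of the original article: it stubs the PAC helper functions, pins myIpAddress() to an on-site or off-site address, and flags any return value that is not a valid PAC string (for instance a variable name left inside quotes). The function names loadPac, checkPac and isValidPacResult, the sample client IPs and the example.com URL are assumptions made for illustration.

```javascript
// Added example: offline test harness for PAC / wpad.dat logic (Node.js).
// Minimal stand-ins for the PAC helper functions used on this page.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run of characters, "?" exactly one.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Compile PAC source text with myIpAddress() pinned to a chosen client IP.
function loadPac(source, clientIp) {
  const factory = new Function("isInNet", "shExpMatch", "myIpAddress",
    source + "\nreturn FindProxyForURL;");
  return factory(isInNet, shExpMatch, () => clientIp);
}

// A PAC result is a ";"-separated list of DIRECT or PROXY/SOCKS host:port.
function isValidPacResult(result) {
  return typeof result === "string" && result.split(";").every((entry) =>
    /^(DIRECT|(PROXY|SOCKS) [A-Za-z0-9.-]+:\d{1,5})$/.test(entry.trim()));
}

// Run the PAC against each URL; report the decision and whether it is valid.
function checkPac(source, clientIp, urls) {
  const pac = loadPac(source, clientIp);
  return urls.map((url) => {
    const result = pac(url, new URL(url).hostname);
    return { url, result, valid: isValidPacResult(result) };
  });
}

// Constructed sample: this page's proxy.pac logic plus one bypass rule.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "http://192.168.99.5*")) { return "DIRECT"; }
  if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0"))
    return "PROXY 192.168.99.1:808";
  return "DIRECT";
}`;

console.log(checkPac(SAMPLE_PAC, "192.168.99.40",
  ["http://example.com/", "http://192.168.99.5/intranet"]));
```

Run it against your own PAC file's text with one client IP inside 192.168.99.0/24 and one outside it, and treat any row with valid set to false as a deployment blocker.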

Related Articles, References, Credits, or External Links

NA

Author: Migrated
