Microsoft Active Directory and the WPAD


If you are using Microsoft Active Directory and Internet Explorer, the recommended approach is to use a Group Policy Object (GPO).

To create your GPO, see Managing Browser Settings with Group Policy Tools.
Most browsers are able to download a PAC file but do not provide GPO support. For Firefox on corporate networks, take a look at FrontMotion.

  1. Log on to a server in the domain, and, with administrative permission, open Start > Programs > Administrative Tools > Active Directory Users & Computers and expand your domain.
  2. Right click the top-level domain or Organisational Unit where the policy should be applied, select Properties, and then select the Group Policy tab.
  3. Create a ‘GPO’ and give it a meaningful name (Hosted Web Security, for example).
  4. Edit the GPO from the following location: User configuration > Windows Settings > Internet Explorer Maintenance > Connection > Automatic Browser Configuration
  5. Select Enable Automatic Configuration.
  6. Under Auto-proxy URL (.JS, .JVS, or .PAC file), enter the Artica URL path to the PAC file.

Internet Explorer retrieves the GPO settings the next time that Group Policy refreshes (or the next time a user logs off and on again). By default, the refresh occurs every 90 minutes for Windows clients and every 5 minutes for Domain Controllers.

You can change the refresh interval in the default domain policy, or force an immediate refresh by entering the following at the command prompt:

gpupdate /force

With most browsers, the PAC retrieve function is called every time a request is made.
However, Internet Explorer since version 5.5 includes a feature called Automatic Proxy Result Cache that caches the requested URL's host name and the returned proxy address.
This has the advantage of minimizing web server calls, but:

  1. The Automatic Proxy Result Cache uses the host name as the cache key, so a PAC file cannot distribute traffic to distinct proxy servers based on any part of the URL other than the host name.
    It is not possible to redirect traffic to different proxy servers based on the path portion of the URL for a single host.
  2. The Automatic Proxy Result Cache caches the host name/proxy result pair instead of the full list of proxies.
    The failover defined in the PAC file will not be used.
    This feature is discussed in more detail in the Microsoft knowledge base article titled How to disable automatic proxy caching in Internet Explorer.
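
The two limitations above can be reproduced with a small model. This is an added example, not code from Artica or Microsoft: the proxy and host names are constructed placeholders, and the cache is a simplified model that assumes the behaviour described above (keyed by host name, storing a single proxy).

```javascript
// Constructed PAC file: proxy and host names are placeholders, not real servers.
// It tries to send /video/ traffic on one host to a different proxy, and
// returns a two-entry list so the second proxy can act as failover.
function FindProxyForURL(url, host) {
  if (host === "intranet.example.test" && url.indexOf("/video/") !== -1) {
    return "PROXY proxy-b.example.test:3128; PROXY proxy-a.example.test:3128";
  }
  return "PROXY proxy-a.example.test:3128; PROXY proxy-b.example.test:3128";
}

// Browser model without a result cache: the PAC function runs on every
// request and the full, ordered proxy list is available for failover.
function resolveUncached(url) {
  const host = new URL(url).hostname;
  return FindProxyForURL(url, host).split(";").map((p) => p.trim());
}

// Simplified model (assumption) of the Automatic Proxy Result Cache:
// the key is the host name only and the value is a single proxy.
function makeHostCachedResolver(pac) {
  const cache = new Map();
  return function resolve(url) {
    const host = new URL(url).hostname;
    if (!cache.has(host)) {
      const first = pac(url, host).split(";")[0].trim();
      cache.set(host, first); // the rest of the list is discarded
    }
    return [cache.get(host)];
  };
}

// Constructed sample requests: same host, different paths.
const SAMPLE_URLS = [
  "http://intranet.example.test/index.html",
  "http://intranet.example.test/video/training.mp4",
];

// Resolve each sample URL with and without the host-keyed cache.
function compare() {
  const cached = makeHostCachedResolver(FindProxyForURL);
  return SAMPLE_URLS.map((url) => ({
    url,
    uncached: resolveUncached(url),
    cached: cached(url),
  }));
}

console.log(JSON.stringify(compare(), null, 2));
```

In the output, the second request resolves to proxy-b without the cache but to proxy-a with it, and the cached result carries no second entry to fail over to. A PAC file served to Internet Explorer clients should therefore branch on the host name only.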
