WPAD stands for Web Proxy Auto-Discovery Protocol. Basically, a WPAD file is simply a Proxy Pac file renamed to wpad.dat. Everything about it is the same as a pac file; the only difference is that browsers do not have to be pointed at the pac file in order for the proxy to be used. WPAD is a technology which aids a web browser in automatically detecting the location of a PAC file using DNS or DHCP. A browser that supports both DHCP and DNS will first attempt to locate the WPAD file using DHCP, and should DHCP fail, it will fall back to DNS. If neither exists, the browser will fail.
WHY SHOULD I USE WPAD?
The better question is, why not? WPAD is most likely the best way to push out a proxy to users, especially if you have a lot of mobile devices. With WPAD and the right configurations, the browser will need no proxy settings set and will auto-detect WPAD to deploy a proxy to all users.
PROS AND CONS
Like Proxy Pac and Transparent proxies, WPAD has its own pros and cons to weigh when deciding what proxy to use in your network.
Pros:
- Easy to manage, easy to configure.
- HTTP and HTTPS traffic is logged and tracked.
- Great for mobile devices such as iPads and smart phones.
- Requires no browser configuration.
Cons:
- There aren’t many cons when it comes to WPAD. The only disadvantage could be that it may be hard to understand and set up for those that aren’t so technical.
SETTING UP WPAD
As mentioned earlier, a WPAD file is identical to a proxy pac file. It is just called wpad.dat instead of proxy.pac. All forms of configuration are essentially the same as well. Please refer to “Editing the Proxy Pac File” on page 6 for instructions on how to configure the file.
Configuring the Web Server
Unlike Proxy Pac, WPAD needs a bit more configuration to get things working the way they should. Depending on your web server, there are different ways to configure it:
IIS Web Server (Windows)
- Log in to the server through Terminal Services or Remote Desktop Connection.
- Click Start, select Programs, and then click Administrative Tools.
  - For IIS 5.0: Open Internet Services Manager.
  - For IIS 6.0: Open Internet Information Services.
- In the left column you will see the Server Name.
  - In IIS 5.0: expand the Server Name to find the domain name.
  - In IIS 6.0: expand the Server Name and then Web Sites to find the domain name.
- Right-click on the domain name and select Properties.
- On the HTTP Headers tab click MIME Types.
- Click New.
- Enter the below information:
  - Extension: .dat
  - MIME Type: application/x-ns-proxy-autoconfig
- Click OK.
Other Linux-based Servers (Apache)
- Create a .htaccess file.
- Add the below line into the file:
AddType application/x-ns-proxy-autoconfig .dat
- Upload the file to the same location as the wpad.dat file.
Configuring the DNS Server
The DNS server needs to be configured to serve an (A) record for the host wpad, so that when browsers automatically look up the hostname wpad, they are directed to the web server where the file is hosted.
Removing WPAD from the DNS Block List
The DNS Server role in Windows Server 2008 introduces a global query block list to reduce vulnerability associated with the DNS Dynamic Update Protocol.
If you want to use WPAD with DNS, please note the following:
- If WPAD entries are configured in DNS before the DNS server is upgraded in Windows Server 2008, no action is required.
- If you configure or remove WPAD after you deploy the DNS server role on a server running Windows Server 2008, you must update the block list on all DNS servers that host the zones affected by the change. The affected zones are those where you registered the WPAD servers.
Updating the Block List
Use the dnscmd command-line tool to manage the global query block list. Open Command Prompt, and then do the following:
- To check whether or not the global query block list is enabled, type the following:
dnscmd /info /enableglobalqueryblocklist
- To display the host names in the current block list, type the following:
dnscmd /info /globalqueryblocklist
- To disable the block list and ensure that the DNS server does not ignore queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 0
- To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 1
- To remove all names from the block list, type the following:
dnscmd /config /globalqueryblocklist
- To replace the current block list with a list of the names that you specify, type the following:
dnscmd /config /globalqueryblocklist name [name]…
For more information, you can refer to this link:
Adding a DNS Alias for WPAD in Windows 2008 Server
As well as removing the DNS entry from the block list in Windows 2008 Server, you will also have to configure an Alias for the WPAD entry:
- Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
- In the console tree, right-click the forward lookup zone for your domain, and click New Alias (CNAME).
- In Alias name, type WPAD.
- In Fully Qualified Name for the Target Host, type the FQDN of the WPAD server (e.g. intranet.myschool.local).
For more information, you can refer to the following link:
Now that we’ve configured and set up WPAD to work within your network, it’s time to test if it works.
- In your browser settings, make sure “Auto-Detect Proxy Settings” is enabled, and close the settings.
- Attempt to browse. If all is working well, the browser should do an auto-lookup for the hostname “wpad”, and grab the wpad file from the web server you’re hosting it on. There may be a delay in retrieving the web page due to the browser searching for the wpad file.
You can also make sure that wpad is being hosted properly by doing an nslookup for wpad in command prompt on Windows. If the result returns the IP of the server it’s hosted on, wpad should be working successfully.
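A check for the testing steps above, as an added example that is not part of the original guide: it confirms that the name wpad resolves, that wpad.dat is served with the MIME type configured earlier, and that the body is a PAC script. The function names, the expected_ip parameter, the proxy hostname and the sample responses are assumptions made for illustration.

```python
import socket
import urllib.error
import urllib.request

PAC_MIME = "application/x-ns-proxy-autoconfig"  # MIME type registered for .dat above

def check_wpad_response(status, content_type, body):
    """Return a list of problems with a wpad.dat response (empty list means OK)."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    # Ignore parameters such as "; charset=utf-8" when comparing the MIME type.
    mime = (content_type or "").split(";")[0].strip().lower()
    if mime != PAC_MIME:
        problems.append(f"Content-Type is '{mime or 'missing'}', expected '{PAC_MIME}'")
    if "FindProxyForURL" not in body:
        problems.append("body does not define FindProxyForURL")
    return problems

def check_live(host="wpad", expected_ip=None):
    """Resolve host and fetch http://<host>/wpad.dat; needs network access."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return [f"{host} does not resolve: {exc}"]
    problems = []
    if expected_ip and ip != expected_ip:
        problems.append(f"{host} resolves to {ip}, expected {expected_ip}")
    try:
        with urllib.request.urlopen(f"http://{host}/wpad.dat", timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
            ctype = resp.headers.get("Content-Type")
            problems += check_wpad_response(resp.status, ctype, body)
    except urllib.error.HTTPError as exc:
        problems.append(f"HTTP status {exc.code}, expected 200")
    except OSError as exc:
        problems.append(f"could not fetch wpad.dat: {exc}")
    return problems

# Constructed sample responses (status, Content-Type, body); not from a real server.
SAMPLE_PAC = 'function FindProxyForURL(url, host) { return "PROXY proxy.example.internal:8080"; }'
SAMPLE_OK = (200, "application/x-ns-proxy-autoconfig", SAMPLE_PAC)
SAMPLE_BAD_MIME = (200, "application/octet-stream", SAMPLE_PAC)  # .dat type not registered
SAMPLE_NOT_PAC = (200, "text/html; charset=utf-8", "<html>login</html>")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD_MIME, SAMPLE_NOT_PAC):
        print(check_wpad_response(*sample))
```

On a client inside the network, call check_live(expected_ip=...) with the address of the web server you configured; a mismatch means the name wpad is being answered by some other host.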