Setting up Proxy .pac files in IIS7 for proxy use

If you want the clients to connect using an automatic configuration script to connect to your proxy server, which will work if it is accessible, and won’t work from else where, e.g. laptop users at home. If the location (http://pac/proxy.pac) can’t be reached, IE will skip over the script and go direct out to the internet.

image

To setup your proxy .pac file on a Windows Server 2008 server.

  1. Create your proxy.pac file (follow the examples below)
  2. Copy your .pac file to (C:\inetpub\pac) of your IIS server which will host the .pac file
  3. In IIS, right click on sites, choose Add Web Siteimage
  4. Fill in the details as below. Under bindings, the host name is what the site will respond to, for example (http://pac/proxy.pac) if you wanted to use a fully qualified DNS name, e.g. http://pac.domain.local/proxy.pac then after you add this site, edit the bindings of the website to add this second binding.image
  5. Next thing you need to do is edit the MIME types.image
  6. Add in a custom MIME type for the .pac file extention – application/x-ns-proxy-autoconfigimage
  7. You will need to setup a DNS CNAME record so that the hostname pac.domain.local will point to your IIS server.
  8. Last thing you will need to do is setup a group policy for all your users to enforce these settings.

Simple PAC file

function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), “192.168.1.0”, “255.255.255.0”))
return “PROXY 192.168.1.1:8080”;
else
return “DIRECT”;
}

More complex PAC file

function FindProxyForURL(url, host)
{
if (shExpMatch(url, “http://principia.mo.techpaths.com*”)) {
return “DIRECT”;
}
if (isInNet(myIpAddress(), “192.168.1.0”, “255.255.255.0”))
return “PROXY 192.168.1.1:8080”;
else
return “DIRECT”;
}

Complex PAC file

function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = “PROXY 192.168.1.1:8080”;
var proxy_no = “DIRECT”;
if (shExpMatch(url, “http://www.mycompanywebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.myotherwebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.my3rdlocalsite.com*”)) { return proxy_no; }
// Proxy anything else
return proxy_yes;
}

Very complex PAC file


function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = “PROXY 192.168.1.1:8080”;
var proxy_no = “DIRECT”;
if (shExpMatch(url, “http://www.mycompanywebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.myotherwebsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://www.my3rdlocalsite.com*”)) { return proxy_no; }
if (shExpMatch(url, “http://192.168.1.100*”)) { return proxy_no; }
// Proxy if PC is on local LAN
if (isInNet(myIpAddress(), “192.168.1.0”, “255.255.255.0”))
return “PROXY 192.168.1.1:8080”;
else
return “DIRECT”;
}

This is my favorite one

function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = “PROXY 10.3.4.15:8080”;
var proxy_no = “DIRECT”;
var resolved_ip = dnsResolve(host);

// If a specific URL needs to bypass the proxy then send traffic direct.
if (shExpMatch(url, “*.domain.local*”)) { return proxy_no; }
if (shExpMatch(url, “*.dmshm.local*”)) { return proxy_no; }
if (shExpMatch(url, “*rms.domain.com.au*”)) { return proxy_no; }
if (shExpMatch(url, “*.domain.net.au*”)) { return proxy_no; }
if (isInNet(resolved_ip, “10.0.0.0”,  “255.0.0.0”)) { return proxy_no; }

// If the source IP is in VIC then send traffic via the proxy
if (isInNet(myIpAddress(), “10.3.0.0”, “255.255.0.0”))return proxy_yes;

// If the source IP is in NSW then send traffic via the proxy
if (isInNet(myIpAddress(), “10.2.0.0”, “255.255.0.0”))return proxy_yes;

// If the proxy fails or the request doesn’t meet any of the above criteria then send the traffic direct
elsereturn “DIRECT”;
}

18 thoughts on “Setting up Proxy .pac files in IIS7 for proxy use

  1. Hi there,
    Thank you for the article, I was trying to do exactly this before I ran into your article! The only difference is that I am not using the Group Policy Yet.
    My issue is that when when my browser executes the .PAC file I can see the content of it which means that it is working but the file is not being executed (proxy script just doesn’t work). This was working on the old IIS6 windows 2003 webserver and it still does with the same procedure. Does this script needs to be on the same Server as the DNS Cname is pointing to or can this be hosted from another IIS server on the Network? Hope this makes sense. Thank you for your help in advance.

    1. Hi Travis, having the CNAME record is only a cosmetic thing, doesn’t change the way proxy PAC files work.

      Once all setup, you should be able to enter the proxy PAC URL into the browser and navigate to it, it should prompt you to download the file.

      As a test, stick the proxy PAC on the C: drive and reference it in the internet settings like this – file://c:/windows/proxy.pac

  2. Hi Marc,

    Your guide works brilliantly, however I seem to be having a problem with the if statement which tries to resolve my local IP address. I can get it to work this way via the hosting guide above:

    function FindProxyForURL(url, host)
    {
    return “PROXY removedforsecuritypurposes:8080; DIRECT”;
    }

    ..so I know its not a configuration issue of hosting the pac file (NB- I can’t go direct out here, it has to be through the proxy and therefore I know its working when web pages are parsed)

    As soon as I try to add some conditional logic so it only applies the proxy based on IP range it just times out. Basically I want it to use the proxy when on the corporate network but to go direct when at home, exactly like your example. It seems to be the part where it checks the local IP when the problem occurs. Any ideas would be greatly appreciated.

    Cheers.

  3. I blog quite often and I really appreciate your information.
    The article has really peaked my interest. I will bookmark your blog and
    keep checking for new information about once a week.

    I subscribed to your RSS feed too.

  4. After I initially left a comment I seem to have clicked on the -Notify me when new comments are
    added- checkbox and now every time a comment is added I get 4 emails
    with the exact same comment. There has to be an easy
    method you can remove me from that service?
    Thanks!

  5. Man, seriously i’m hopeless because i dont have any idea about web server.
    I have followed the instruction above, when i try to browse the website, it is stated that “this page cannot be displayed, make sure http://pac is correct address”
    my socks is 192.168.55.1:1080.
    can anyone help me here?

  6. To furnish your home with all beautiful items, buy home decor
    online at a great deal on festivals and other seasons.
    Each season has a cycle of what is “hot” and what is “not”.

    Many are dedicated to their respective work and profession just to fulfill that goal.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s