Using your Sophos UTM in Standard proxy mode has a few advantages over using it in Transparent mode. One of these is the ability to use a proxy configuration script, normally called wpad.dat.

These scripts not only allow you to instruct the browser which proxy to use, but also when to use it and when not to. Typically you would not want a client machine on your internal network to use the proxy when accessing sites within the network itself.

You could of course manually specify the proxy per user and add a list of exclusions, but using a proxy configuration script makes sure all clients are configured in the same manner. If you ever need to make a change, then it can be made in one place and distributed centrally.

This article takes you through the three simple steps to deploy auto proxy configuration with Sophos UTM.

Step 1: Create your script

You can create the proxy configuration script manually if you really want to, but there is a tool that makes the script creation a simple process. It is called PAC Magic and is available from Alan Toews’ great UTM Tools website.

PAC Magic allows you to quickly and easily specify the options that you want such as:

  • Use the hostname variable (I’ll cover that a little later)
  • Exclude the private and APIPA IP ranges (10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 | 169.254.0.0/16)
  • Exclude your internal domain(s)
  • Exclude unqualified domains or “Non-FQDN Hostnames” (http://intranet)


At the bottom of the screen you can test a few URLs to see whether your browser will use the proxy or not based on the settings.

  • Result: Proxy ${asg_hostname}:8080 means the browser will use the proxy
  • Result: DIRECT means that the browser will attempt to connect directly without using the proxy.

Once you are happy with your settings, you can go to the Script Testing tab and click the Copy PAC Script to Clipboard button so you are ready to paste it into the Sophos UTM.

Step 2: Configure the UTM

Sophos UTM can serve as the host for your WPAD file, and it is recommended to do so. When the wpad file is downloaded from the UTM, the ${asg_hostname} variable is replaced by the UTM’s specified hostname. If you decide to host the wpad.dat file on a separate web server, you need to manually replace this variable with the UTM’s hostname or IP address in the script.

To host your WPAD script on the UTM:

  1. From the Sophos UTM Management console select Web Protection | Filtering Options | Misc
  2. In the section for Proxy Auto Configuration, check the Enable Proxy Auto Configuration checkbox
  3. Copy your script from the PAC Magic Script Testing tab and paste it into the text box. Click Apply

Testing the Auto Proxy Configuration Script

We are now ready to test our proxy configuration from a browser.

The file will always be hosted at http://utmhostname:8080/wpad.dat (replace utmhostname with your actual UTM’s hostname). If you enter this URL into your browser, it will download the file. Open the file in a text editor and confirm that the ${asg_hostname} variable has been replaced with the actual UTM’s hostname.

Next, you should manually configure your browser to use the auto configuration script. This allows you to test that everything is working as expected before you roll this out.

Open Internet Explorer and go to Internet Options | Connections | LAN Settings. Only check the box for “Use Automatic Configuration script” and enter http://utmhostname:8080/wpad.dat (again, replace utmhostname with your actual hostname).


Step 3: Roll out the Auto Proxy Configuration Script to all clients

Now that your script is configured and Sophos UTM is set up to serve it, you can roll it out to the rest of your network environment. There are a few ways of doing this, but the most effective is to use DHCP, as this works across all browsers.

  1. Log into your DHCP server and open the DHCP mmc console
  2. Expand IPv4
  3. Right click IPv4 and click Set Predefined Options | Add
  4. In the Option, specify the following:
    • Name – WPAD
    • Code – 252
    • Data – String
    • String – http://utmhostname:8080/wpad.dat

Any machine that is configured to “Automatically Detect Proxy Settings” will now discover the WPAD script automatically via DHCP. This will take effect the next time the IP lease is renewed. The “Automatically detect” setting takes preference over all of the other proxy configuration settings.

For other options of rolling out the auto proxy configuration script, see the ‘Further Reading’ section below.

Conclusion

Proxy auto configuration scripts are a great way to optimize client request routing by deciding when to use the proxy and when not to. The scripts can also be extended to include other elements such as a secondary backup proxy.

Further Reading

If you would like to know more about other methods of distributing the configuration script, I have written some previous articles that can help you. They are focused on Microsoft Forefront TMG, but the concepts are true for any proxy configuration.

http://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-i.html
http://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-ii.html
http://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-iii.html
http://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-iv.html

If you want to expand on your proxy configuration script, there are a range of PAC functions available to use:

Hostname based conditions:

  • isPlainHostName()
  • dnsDomainIs()
  • localHostOrDomainIs()
  • isResolvable()
  • isInNet()

Related utility functions:

  • dnsResolve()
  • myIpAddress()
  • dnsDomainLevels()

URL/hostname based conditions:

  • shExpMatch()

Time based conditions:

  • weekdayRange()
  • dateRange()
  • timeRange()
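As an added example (not PAC Magic’s generated output, nor code from Sophos), here is a PAC script of the shape described in Step 1, with the exclusions for plain hostnames, the internal domain and the private/APIPA ranges, and a secondary backup proxy as mentioned in the Conclusion. It also shows what the hostname-based functions listed above actually do: browsers provide isPlainHostName(), dnsDomainIs(), dnsResolve() and isInNet() natively, so minimal versions are included here only so the script can be run under Node. The hostnames, internal domain and DNS entries are constructed stand-ins for ${asg_hostname} and your own environment.

```javascript
// Constructed stand-ins: the UTM replaces ${asg_hostname} when serving wpad.dat.
const PROXY_HOST = "utm.example.local";
const BACKUP_PROXY_HOST = "utm2.example.local";
const INTERNAL_DOMAIN = ".example.local";

// Constructed DNS table so isInNet() can work offline; browsers resolve for real.
const DNS = { "intranet.example.local": "10.1.2.3", "www.example.com": "203.0.113.10" };

// Minimal versions of the PAC helper functions that browsers supply natively.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function dnsResolve(host) { return DNS[host] || null; }
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}
function isInNet(host, net, mask) {
  // Accepts a dotted IP or a hostname (resolved first, as browsers do).
  const ip = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// The function every PAC script must define; the browser calls it per request.
function FindProxyForURL(url, host) {
  // Unqualified names such as http://intranet never leave the LAN.
  if (isPlainHostName(host)) return "DIRECT";
  // Anything in the internal domain is reached directly.
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  // Private (RFC 1918) and APIPA ranges, as excluded by the PAC Magic option.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "169.254.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes via the UTM, with a second proxy tried if it is down.
  return "PROXY " + PROXY_HOST + ":8080; PROXY " + BACKUP_PROXY_HOST + ":8080";
}
```

Note that isInNet() resolves the hostname for every request that reaches it, so keep the cheaper hostname checks first, as shown.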

For more info on using these PAC Functions, see

https://web.archive.org/web/20061218002753/wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

Or

http://findproxyforurl.com/pac-functions