Recently we updated our auto-proxy setup for the network when we rolled out our ProCurve installation with different VLANs and subnets etc. With the new setup we had the opportunity to create a guest VLAN for Student internet access where they use their own machines over our network. However, we needed to give the Students a different proxy address to other machines on the network. I thought I’d take some time and create a post to outline the steps involved to setup auto-proxy and the reasons why it such a good thing.

In the past we’d force proxy settings through Group Policy which was fine for Internet Explorer but not as successful with other web browsers. That used to be OK, but now everyone has the web at home and that doesn’t work too well when they still have the proxy address from work in their preferences.

For the auto proxy to be a success you need a DNS server with an entry for WPAD pointing to a web server, and obviously, a proxy server for web traffic. This is really easy to setup, and will let your users run their preferred browser while still running through your proxy.


Create a new DNS host record for WPAD to point to the server that will host the wpad.dat and or proxy.pac files:
Alias name: WPAD
Fully Qualified Domain Name:
Fully Qualified Domain Name for target host:

If your network clients support receiving their proxy address through DHCP you can set the autoproxy file under option 252. Note: the string value is in lower case

Set option 252 ClassID with String Value http:/wpad/wpad.dat

If your web server is something like IIS 6 that can be particular about MIME types then you will have to manually create the MIME types for the proxy config files:
.dat application/x-ns-proxy-autoconfig
.pac application/x-ns-proxy-autoconfig

The code below is the JavaScript which makes up the wpad.dat or proxy.pac file. We are able to assign a different proxy for the students and guest machines by using isInNet to check which subnet the client IP belongs to and return a proxy address for that subnet. Lines 4 and 7 below check if the client is connected via one of the guest VLANs/subnets and assigns the proxy address. All other network clients receive an address from the range are assigned the proxy address from line 10.

   1: function FindProxyForURL(url,host)
   2: {
   3:     if(isPlainHostName(host) || isInNet(dnsResolve(host),"","")) {
   4:         return "DIRECT";
   5:     } else if (isInNet(myIpAddress(),"","")) {     // Guest Wireless
   6:         return "PROXY";
   7:     } else if (isInNet(myIpAddress(),"","")) {     // Guest Wired
   8:         return "PROXY";
   9:     } else {
  10:         return "PROXY; DIRECT";
  11:     }
  12: }

Future updates include adding some proxy exclusions for intranet and other internal webs using shExpMatch:

if (shExpMatch(url,”**”)) {return “DIRECT”;}

The WPAD and Pac file need to be in the root of the default web site in IIS. If you try and move the files to another site in IIS then the connection to the file is broken, even if the path is still valid. This quirk has something to do with different browsers sending different information to the web server when they request the auto proxy. This is from Wikipedia:

“When automatic proxy detection is used, Internet Explorer sends a “Host: <IP address>” header and Firefox sends a “Host: wpad” header. This is unexpected behavior, therefore, it is recommended that the wpad.dat file be hosted under the default Virtual Host rather than its own.”

OSX Auto Proxy

The auto proxy in OSX seems to be only semi-automatic… from experience with some of our Apple machines on campus, you have to manually set the address for the auto proxy file under Safari –> Preferences –> Advanced –> Proxies: Change Settings and manually enter http://wpad/proxy.pac

More Info

FindProxyForURL has more information and examples