WPAD File on External Web Server

Is it safe, and what are the potential security risks of storing my proxy WPAD.dat file on an external web server? I don't have an internal one to host this file and I don't want to add an internal web server just for this purpose.
1) If your DHCP (I'm not talking about option 252) gives them an address and a DNS server
2) and if they are able to reach your WPAD web server from there
=> you'll just have to tell them to set their browsers to "proxy auto-detection", and that's all.

About point 2): I'm thinking about possible network restrictions if these people are on a separate VLAN, a separate IP range and so on.
Usually, you just want them to be able to talk to your proxy to get outside, nothing more.

"Proxy auto-detection" works fine with Firefox, IE (and every browser, I guess).
If the server is found => the PAC file applies.
If not => the browser tries direct access.
You just have to configure all these browsers with proxy auto-detection, via GPO if possible (there is a specific SourceForge project for Firefox + GPO; I didn't test it).
If your proxy is configured as transparent (meaning all outgoing traffic to port 80 is redirected via your main firewall to your proxy port), it'll work even if you don't activate anything in your browser's proxy settings. HTTPS won't work, though.

OK?
Look here too; I already explained some things about WPAD: http://www.experts-exchange.com/Networking/Protocols/DHCP/Q_24343652.html

It will need to resolve as wpad.DOMAIN_SUFFIX_IN_SEARCH_ORDER.TLD for the PC to find it. You could secure that URL with IP access lists, perhaps.

I don't know of any .pac javascript processing vulnerabilities, but controlling your browser wouldn't be too hard at that point...
Question is: what for?

If it's for some laptops totally disconnected from your company network, they don't need this WPAD/PAC file to be available. They are probably connected directly to the Internet when they're outside.
Remember that the failsafe behaviour of "proxy autodetection" is: if the wpad.server/wpad.dat file is not found => direct connection.

If it's because your only choice is to store this file on your only web server, available internally as well as externally, you might set up virtual hosts (Apache) or "sites" (IIS) to restrict access, if possible.

About the risk:
The only risk might be letting someone learn some details about your internal network: IP ranges, some host names? It depends on what's in your wpad.dat file.

Give us some more detail if needed
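To make the "what's in your wpad.dat file" point concrete, here is an added example of the kind of PAC file being discussed. It is not from the thread or from any participant; every domain, address range and proxy name in it is an assumed placeholder. Browsers normally supply the helper functions (isPlainHostName, dnsDomainIs, isInNet), so minimal stand-ins are included here so the routing decision can be exercised offline in Node; the real isInNet() also resolves host names via DNS, which the stand-in deliberately does not do.

```javascript
// Added example, not code from the original page. All names are assumed placeholders.

// --- stand-ins for the browser-provided PAC helpers (simplified: no DNS lookups) ---
function isPlainHostName(host) {
  // A "plain" host name has no dots, e.g. "intranet".
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with the given domain suffix (case-insensitive).
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer, or null if it is not a dotted quad.
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

function isInNet(host, pattern, mask) {
  // The browser's isInNet() would resolve a host name first; this stand-in
  // only understands literal IPv4 addresses and treats anything else as
  // "not in the network".
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// --- the PAC file body: what a client fetches as http://wpad.<domain>/wpad.dat ---
function FindProxyForURL(url, host) {
  // Everything listed here is readable by anyone who can fetch the file:
  // the internal DNS suffix, the private address range and the proxy's
  // name and port. That is the information-disclosure risk discussed above.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".internal.example.com") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback here: everything else must go through the proxy.
  // If WPAD discovery itself fails the browser still falls back to a direct
  // connection, which is why the firewall has to block 80/443 LAN -> WAN.
  return "PROXY proxy.example.com:3128";
}
```

Note that the fallback-to-direct behaviour the answer describes happens before this file is ever consulted (when the wpad host or file cannot be found); the file itself can only decide between DIRECT and a proxy for a URL it is asked about.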

ibidataAuthor Commented:
The reason what for is because we don't currently have an internal web server and I want to lock down port 80/443 on our firewall LAN -> WAN so they must use the proxy to get out on the Internet.  I also want it to be automatic so that visitors who connect to our network and are given an IP via DHCP will also be routed through the proxy.  

I tried putting the WPAD file on a file share with Everyone having read access and then using DHCP option 252 to notify the clients of the location, but it doesn't appear to be working for workstations not on the domain. So I'm left with putting in a WPAD DNS record and having them get the automatic proxy information that way.

I hope that answers your questions and gives you a little more information.  Thanks for your help.
OK, all we've said is still true.
Unless your wpad.dat file has valuable information inside (I don't think so), you can make it available everywhere.
Maybe you can restrict the destination IP on the server side to restrict it to your company gateway.
The risk is, as stated, that external users could see information on your subnets, proxy exceptions and proxy server IPs. Also, if they are able to compromise the server they could give your users a list of their own proxy servers and trick them into downloading whatever they desired, compromising all civilization. Somewhat far-fetched, though.

lanboyo: Hopefully he won't allow any outgoing connection on any port (and certainly not 80, 3128 and so on) from his internal network, except to that specific web server. The rest must go through his [transparent] proxy.
So even with a compromised wpad.dat, one won't get anywhere...

It's only a question of seeing IP ranges, host names and so on.
Now, having only one external web server, I do believe this user will only have one subnet, like 192.168, and some host names, like proxy.hiscompany.com. No big deal.
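The suggestion above (restrict the file on the server side to the company gateway, using a virtual host or site) looks like this in Apache 2.4. This is an added example, not configuration from the thread; the host name, document root, office egress address (203.0.113.10) and internal range are assumed placeholders, and `Require ip` is the mod_authz_core directive that replaced the older Order/Allow syntax. Internal clients reach the external server through the firewall's NAT, so the address to allow is the public one the proxy network egresses from, not the private client addresses.

```apache
# Added example (not from the original page). Addresses and paths are assumed.
<VirtualHost *:80>
    ServerName wpad.example.com
    DocumentRoot /var/www/wpad

    <Directory /var/www/wpad>
        Options None
        AllowOverride None
        # Multiple Require lines in Apache 2.4 are OR'd (RequireAny by default):
        # allow the office NAT address and the internal range, deny everyone else (403).
        Require ip 203.0.113.10
        Require ip 192.168.0.0/16
    </Directory>

    # Serve wpad.dat with the MIME type browsers expect for PAC files.
    AddType application/x-ns-proxy-autoconfig .dat
</VirtualHost>
```

An equivalent on IIS is the per-site "IP Address and Domain Restrictions" feature with a default deny and an allow entry for the same addresses. Either way, check the result from outside the office (the file should return 403) as well as from a client behind the proxy network (200), because the whole arrangement depends on clients being able to fetch the file while the rest of the Internet cannot.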
ibidataAuthor Commented:
How will workstations that are not a part of our domain get the proxy information?  Will that be through DHCP or DNS?  Does the DHCP option 252 and/or DNS method work for both IE and firefox?
The solution is true; however, there are some caveats.

DHCP option 252 is pretty hit and miss in my experience.

If a PC has downloaded a proxy.dat file in the past, and autodiscovery fails, it will use the old one.
There are SSL solutions for proxying.
I didn't see this behaviour in my last tests (I was checking the proxy logs when the WPAD was forced to be unavailable).
Maybe it's depending on the browser (and version)
