Solved

WPAD File on External Web Server

Posted on 2009-05-12
10
499 Views
Last Modified: 2012-05-06
Is it safe, and what are the potential security risks of storing my proxy WPAD.dat file on an external web server? I don't have an internal one to host this file and I don't want to add an internal web server just for this purpose.
0
Question by:ibidata
10 Comments
 
LVL 10

Expert Comment

by:lanboyo
ID: 24370537
It will need to resolve as wpad.DOMAIN_SUFFIX_IN_SEARCH_ORDER.TLD for the PC to find it. You could secure that URL by IP access lists perhaps.

I don't know of any .pac javascript processing vulnerabilities, but controlling your browser wouldn't be too hard at that point...
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24372565
Question is: what for?

If it's for some laptops, totally disconnected from your company network, they don't need this WPAD/PAC file to be available. They are probably directly connected to the Internet when they're outside.
Remember that the failsafe behaviour of "proxy autodetection" is: if the wpad.server/wpad.dat file is not found => direct connection.

If it's because your only choice is to store this file on your only web server, available internally as well as externally, you might set up virtual hosts (Apache) or "sites" (IIS) to restrict access if possible.

About the risk:
The only risk might be to let someone know some details about your internal network: IP ranges, some host names, depending on what's in your wpad.dat file.

Give us some more detail if needed
0
 

Author Comment

by:ibidata
ID: 24373747
The reason what for is because we don't currently have an internal web server and I want to lock down port 80/443 on our firewall LAN -> WAN so they must use the proxy to get out on the Internet.  I also want it to be automatic so that visitors who connect to our network and are given an IP via DHCP will also be routed through the proxy.  

I tried putting the WPAD file on a file share with Everyone having read access and then use DHCP option 252 to notify the clients of the location but it doesn't appear to be working for workstations not on the domain.  So I'm left with putting a WPAD DNS record and having them get the automatic proxy information that way.

I hope that answers your questions and gives you a little more information.  Thanks for your help.
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24373778
Ok, all we've said is still true
Unless your wpad.dat file has valuable information inside (I don't think so), you can make it available everywhere
Maybe you can restrict the destination IP on server side to restrict it to your company gateway
0
 
LVL 10

Expert Comment

by:lanboyo
ID: 24373838
The risk is as stated: external users could see information on your subnets, proxy exceptions and proxy server IPs. Also, if they are able to compromise the server they could give your users a list of their own proxy servers and trick them into downloading whatever they desired, compromising all civilization. Somewhat far-fetched though..

0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24374005
lanboyo: Hopefully he won't allow any outgoing connection on any port (and certainly not 80, 3128 and so on) from his internal network, except to that specific web server. The rest must go through his [transparent] proxy.
So even with a compromised wpad.dat, one won't get anywhere...

it's only a question of seeing ip ranges, host names and so on
now, having only one external web server, I do believe this user will only have one subnet, like 192.168, some host names, like proxy.hiscompany.com. No big deal
0
 

Author Comment

by:ibidata
ID: 24374315
How will workstations that are not a part of our domain get the proxy information?  Will that be through DHCP or DNS?  Does the DHCP option 252 and/or DNS method work for both IE and firefox?
0
 
LVL 7

Accepted Solution

by:
mchkorg earned 125 total points
ID: 24375491
1) if your dhcp (I'm not talking of option 252) gives them an address+a DNS server
2) and if they are able to get to your wpad web server from there
=> you'll just have to tell them to set their browsers to "proxy auto-detection" and that's all

About point 2): I'm thinking about possible network restrictions if these people are on a separate VLAN, separate IP range and so on.
Usually, you just want them to be able to talk to your proxy to get outside, nothing more.


"proxy auto-detection" works fine with Firefox, IE (and every browser I guess).
If the server is found => the PAC file applies.
If not => the browser tries a direct access.
You just have to configure all these browsers with proxy auto-detection. Via GPO if possible (there is a specific SourceForge project for Firefox+GPO - I didn't test).
If your proxy is configured as transparent (meaning, all outgoing traffic to port 80 is redirected via your main firewall to your proxy port), it'll work even if you don't activate anything in your browser's proxy settings - https won't work.

ok ?
look here too, I already explained some things about WPAD: http://www.experts-exchange.com/Networking/Protocols/DHCP/Q_24343652.html

regards
0
 
LVL 10

Expert Comment

by:lanboyo
ID: 24396953
Solution is true, however there are some caveats.

Dhcp option 252 is pretty hit and miss in my experience.

If a PC has downloaded a proxy.dat file in the past, and autodiscovery fails, it will use the old one.
There are SSL solutions for proxying.
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24398913
I didn't see this behaviour in my last tests (I was checking the proxy logs when the WPAD was forced to be unavailable).
Maybe it depends on the browser (and version).

Regards
0
