How to use PAC file to configure browser to use proxy server when inside work network, but use autodetect when connected anywhere else

I would like our Laptop users to point to our Proxy server when they are connected inside any of the branch offices in our network. I would also like the browsers to use AutoDetect settings when connected anywhere else (eg when they are at home).

Is this possible with a PAC file?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Usually the user workstation is configured for "automatic settings".  This will instruct IE to search for a proxy configuration file on an internal web server.  Some info here: 

Depending on the gear you are using, it is often easier to simply enable transparent proxying.
HowzattAuthor Commented:
I would prefer not to use DHCP to deploy the WPAD.
Our branch office DHCP scopes are managed on the router at each site by our ISP. For the ISP to add the appropriate scope setting in DHCP, it will cost thousands of dollars in project management & will take 3 months for them to implement.  

Is that the only way to achieve what I am looking to do?
If you have control of the DNS server for the domain your machines belong to,y ou can create an 'A' record for the host 'wpad'.  Then point that to a web server (which is also assumed to be under your control).  Client computers will look for proxy settings at http://wpad/wpad.dat.  Create your PAC file and save it as 'wpad.dat' in the root folder of the web server.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

HowzattAuthor Commented:
Thanks for that. Do you know where I can get an example of a wpad file?

I want to add the list of subnets for our branch offices (for which to use the Proxy server)
and I would like it to treat any other network as direct internet access.
HowzattAuthor Commented:
I ended up going with a PAC file.
I have hosted on a web server, created the PAC CNAME ref in AD and it is pointing to the IIS host.
URL is http://pac/proxy.pac
I also added the MIME setting for .pac

If I enter the file path into a browser, the PAC file is presented and I can open it if I like. I would assume this would mean the URL path is fine. However if I then type that address into the "Use Auto Config Script" section in the IE Internet options, and try browse a page, it just times out.

There are no events generated on the web host.

I cannot test the PAC file locally as I am running IE11 & apparently it no longer supports local paths for PAC files.
HowzattAuthor Commented:
I am guessing I am missing something from my PAC file. As it never seems to apply. I have tested it on a PC running IE7 (where apparently you can still run it from a local path), but nothing still.

I can manually enter the proxy server IP & port into the proxy settings in IE & it works, but just not when I point the auto config script to the pac file.

My basic test pac file is as follows ( I X'd out the IP details for privacy):

function FindProxyForURL(url, host)
if (isInNet(myIpAddress(), “XXX.XXX.XXX.XXX”, “”))
      return “PROXY XXX.XXX.XXX.XXX:XXXX";
      return “DIRECT”;

There are approx 15 subnets where I want users to point to the proxy. But lets just start with 1 subnet where the test machine is.

If the user is not in one of the subnets, then they need direct access.
Currently the page times out with the pac file in place.

We use pac file from several years now. If the pac file is located on a internal ressource then don't worry in the outside word the IE will ignore the proxy file.
This is the good side of the pac file. You can specify one or more proxy servers inside LAN without forcing user to modify the proxy server settings when it goes outside LAN.
If you put the file locally then it will be availlable all time, so it will apply all time.
the only problem is when the user are connected using a VPN: you should control the pac file using the VPN software solution.
here you have a testing pac tools if you need:

HowzattAuthor Commented:
Thanks for that, as you mentioned, I only want users to point to the proxy server in the office.
So if the pac file location was hosted on an internal resource, and I add the auto config file path, it should use it in the office, but it will ignore it at home and use auto detect? (just making sure the users don't have to make the changes themselves when in & out of the office).
In fact the users don't need proxy servers outside. So you don't need to check "Automatically detect settings". Because the pac file is not availlable outside, the first page will open 5 seconds slower (until IE understood that there aren't a pac file), then all works normally.
User are forced to modify settings if they visit another office that require proxy server. But if they visit this place all times you can install firefox on the pc (is the only browser I know that can use a different proxy configuration) .
HowzattAuthor Commented:
I don't have Auto detect ticked. Never did.

I just want for PC's to point to our proxy server when in the office & to have direct internet access anywhere else.

My understanding is that this is achieved through either a Proxy.pac or WPAD.dat file and entering the path into the "auto config script" section in the browsers LAN settings.

If this is not right, please tell me otherwise. I'm not saying that I need to use Proxy.pac or WPAD, but this is what I was advised was the most practical solution.
If this is right, then it brings us to problem 2 (But lets ignore everything said above for now. I just want the browser to detect the pac or wpad file first)

Neither file works when the path is entered into the browsers auto config script (when in the office). It appears as if the browser ignores the details in the script & the browser eventually fails to load anything. However if I navigate to the path with Windows Explorer, I am prompted to either open or save the file (which I assume means the path is correct). In older browsers, instead of opening the file, it displays the script text in the browser.

I have tested hosting the file locally on the client device, on a web server & in a UNC share. All fail to detect the file. I have since discovered that since IE10, you cannot use local paths anymore.

I read somewhere that the file needs to be saved as a ANSI file type, but this doesn't seem to change anything. I am out of ideas. Perhaps there is a role or feature that I am missing off the web host or off the client?
One cause could by that you need to create a associations for the .pac file like text file on the IIS server where the file is hosted.

HowzattAuthor Commented:
The file associations were in place already
the pac should be published on IE like http://yourlocalwebserver/pathifneeded/pacfilename.pac

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocols

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.