Bypass or disable proxy based on computer name

internet explorermdt-2010PROXY

We are trying to deploy a bunch of new Windows 7 (and some old XP) machines using MDT2010 and MDT2012.

Because IE is set to "automatically detect proxy settings", it gets the settings from the proxy.pac/wpad.dat defined in the DHCP server.

The problem is that during deployment, the machine is not on the domain, so no authentication to the WebMarshal server is possible, so all internet-based operations fail unless someone "hands-on" fills in the authentication dialog box.

How can I do one of the following?

Disable auto proxy configuration for XP before the application installations begin
Have the proxy.pac/wpad.dat files bypass the proxy based on something identifiable on the machine (host name would do, but iirc that's not available to PAC, but any other variable I can set from MDT would do too)
Configure WebMarshal to bypass authentication for particular a computer name

Best Answer

This is what I use (a vbs I found):

DIM sKey,sValue,binaryVal
Dim oReg
Dim status
Set oReg=GetObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")    'For registry operations througout

Const HKCU=&H80000001

status = "off"
sKey = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
sValue = "DefaultConnectionSettings"

oReg.GetBinaryValue HKCU, sKey, sValue, binaryVal

select case lcase(status)
  case "on"    binaryVal(8) = binaryVal(8) OR 8        'Force Autodetect on
  case "off"    binaryVal(8) = binaryVal(8) XOR 8        'Force Autodetect off
  case "show"    wscript.echo "Automatically detect is set to " & ((binaryVal(8) and 8) = 8)
  case else    wscript.echo "Invalid parameter - IEautomaticallydetect  on, off or show"
end select

if lcase(status)="on" or lcase(status)="off" then oReg.SetBinaryValue HKCU, sKey, sValue, binaryVal

Works flawlessly for me, I call it from a .cmd

Related Solutions

Cannot get proxy.pac file to get browsers to go DIRECT for localhost

I've not tried it but according to the sun.com docco, the IsInNet function takes a host, not an IP as the first param.

so I think that this:

if (isInNet(resolved_ip, "172.22.145.0",  "255.255.255.0") ||
        isInNet(resolved_ip, "192.168.1.0", "255.255.255.0") ||
        isInNet(resolved_ip, "127.0.0.1", "255.255.255.255"))
return "DIRECT";

should be changed to this:

if (isInNet(host, "172.22.145.0",  "255.255.255.0") ||
        isInNet(host, "192.168.1.0", "255.255.255.0") ||
        isInNet(host, "127.0.0.1", "255.255.255.255"))
return "DIRECT";

Internet Explorer isn’t auto-discovering http://wpad/wpad.dat auto-config

David,

In case you're still hitting up against this problem, it's actually rather simple to fix. But it's not documented ANYWHERE, and it took me ages to sort it out in my environment. Everything you've done is good, and it's what I'd call a bug in how IE gets it's WPAD info and connects to the web server.

First of all, you can't use a CNAME record for WPAD. Use an A record. Silly, I know, and it shouldn't make any difference, but it's definitely the case. So remove your CNAME in your DNS, and make an A record for the IP Address of the web server.

Secondly (and this may be more tricky for you), you need to have the WPAD.DAT file located on the root of the default website that's listening on the IP Address that you've assigned above. This is the key. It WILL NOT work with a host-header field or anything like that.

Explanation: What IE does is resolve the name WPAD to an IP Address. It's got to be able to resolve it directly to an IP Address. If it resolves as a CNAME query does to a different name, it won't work. So once IE's got the IP address that WPAD resolves to, what it actually does is connect to http://<>/WPAD.dat. If you've got a different website set up on the same webserver, listening on port 80 but using a host header field like I had (IE, "default web site", as well as "WPAD Website"), then you'll have everything set up correctly, but it won't work for that very reason. Put a copy of your WPAD.DAT file on the root of your default website, and things should start working.

Of course, if you can't get access to the root of that website (or you can't secure the root of that website), then you may need to look at moving your WPAD site to a different server where it can be at the root of the IP Address assigned to that server.

Give that a shot anyway. That's the process that worked for me. It took me ages to get it working, but it's been reliably working now for a long time. All the above though is simply my understanding of how IE works in relation to WPAD.DAT files, and might not be correct - it's simply based on the observation of what it does in my own environment. Yours may be different, but I'd put some money at least on that fixing your issue.

Let me know how you get on! Matto :)

Best Answer

Related Solutions

Cannot get proxy.pac file to get browsers to go DIRECT for localhost

Internet Explorer isn’t auto-discovering http://wpad/wpad.dat auto-config

Related Topic