I'll take a look at the updated Wiki later today.

On 5/15/07, SSCR Internet Admin <admin@xxxxxxxxxxxxxx> wrote:
>> However, if the browser is not configured to use a PAC
>> file but a PAC file is delivered it brings up a
>> Security Alert because the browser never requested it.
>> I know the old Netscape browsers did this but am not
>> sure about IE.

Well, I'm sure local users will accept it happily by clicking OK; if not, they don't have access.. :)
The Netscape alert doesn't give the option to accept the PAC, it just gives a warning that an unsolicited PAC was received.

If there was a trivial way to reconfigure browsers to use a PAC just by returning the right ActiveX or Java, then we'd see all sorts of malicious sites using that technique to force random Internet users to use the attacker's proxy.

So how do you force your users to use the PAC? What you can do is make sure your DHCP server and DNS are set up to be fully compatible with WPAD, and then if any clients do make an attempt to go DIRECT, return a web page containing:

1) Text instructing how to correctly enable WPAD and/or how to configure PAC in the most popular browsers.
2) A link to a .REG file which forces the registry settings for IE to use PAC on Microsoft Windows clients.
3) Instructions for manual configuration, for UNIX and for ancient MacOS clients.

Even with all of this, expect to get plenty of support calls from confused users.

I manage an environment with tens of thousands of internal customers, and all default-route HTTP/HTTPS/SMTP/etc. traffic is denied; the only exception is for a couple of really braindead clients that are downright proxy-hostile, maybe a half dozen workstations total have an exception to the policy.

Kevin

(P.S. Think carefully before conditioning users to accept REG files from strangers).
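The policy Kevin describes (everything through the proxy, no default route for workstations) is usually paired with a PAC file that deliberately offers no DIRECT fallback for external hosts. The following is an added example, not a file from this thread; the hostnames proxy.example.com and example.internal are placeholders, and the two helper functions are reimplemented only so the file can be exercised outside a browser (real PAC engines supply them natively).

```javascript
// "Fail closed" PAC file: all external traffic goes via the proxy and
// DIRECT is allowed only for the intranet. Hostnames are placeholders.

// Browsers' PAC engines provide isPlainHostName() and dnsDomainIs()
// natively; they are reimplemented here only so this file can be
// tested outside a browser (e.g. with node).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function FindProxyForURL(url, host) {
  // Unqualified names ("intranet") and the internal DNS zone stay local.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // Everything else must use the proxy. No "; DIRECT" fallback is
  // appended: if the proxy is unreachable the request fails instead of
  // silently bypassing policy (the firewall would drop it anyway).
  return "PROXY proxy.example.com:3128";
}
```

Clients that never received the PAC (no WPAD, no manual setting) still attempt DIRECT connections, which is the case the firewall rule and the explanatory web page above are meant to catch.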