Using Proxy Auto-Configuration Scripts with Internet Explorer 11.

“Great Scott!” – Dr Emmett Brown

I recently decided to go back to using a proxy auto-configuration script (proxy pac file) on my Windows 8.1 system. I encountered quite a few difficulties getting the pac file to take effect, so I decided to do some analysis to work out what the requirements were to get it working. As a side note, I find proxy auto-configuration files very useful for forcing some traffic to a proxy server at my workplace (through the VPN), with all other traffic going directly out my internet connection.

This is a summary of what I found.

  1. Internet Explorer 11 does not like you trying to use a local proxy pac file (using the file:// syntax).
  2. Internet Explorer 11 does seem to work with both http and https access to a proxy pac file.
  3. Internet Explorer 11 does not seem to honour the alert() function call in the pac file, making troubleshooting a little more complex.
  4. Internet Explorer 11 will by default remember (cache) which proxy server to use for each web site, making any pac file changes difficult to test.
  5. Internet Explorer 11 seems to be picky regarding the MIME type returned with the proxy pac file from the web server.

Given that local proxy pac files can no longer be used, I copied the pac file to a web server that I have (running IIS 8.5). By default, IIS does not serve pages for which it does not have a registered MIME type. You can fix this with the IIS Management Console, or by using a web.config file (which is what the Management Console does anyway). I created a folder on the web site to host the proxy pac file, and then included a web.config file with the contents below. The MIME type application/x-ns-proxy-autoconfig appears to be a requirement (i.e. don’t use something else like application/octet-stream).

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
 <system.webServer>
  <staticContent>
   <remove fileExtension=".pac" />
   <mimeMap fileExtension=".pac" mimeType="application/x-ns-proxy-autoconfig" />
  </staticContent>
 </system.webServer>
</configuration>

With that in place, I was then able to create and upload a sample proxy pac file.

function FindProxyForURL(url, host)
{
    var strProxy = "PROXY proxy-server-host-name:8080";

    if (shExpMatch(host, "*.microsoft.com"))
        return strProxy;

    if (shExpMatch(host, "*.novell.com"))
        return strProxy;

    return "DIRECT";
}

The format of the proxy pac file is fairly straightforward. I’m simply checking for any request with a host that ends in microsoft.com or novell.com. If one of these sites is the target then use the proxy, otherwise connect directly.

With that in place, I configured the Internet Explorer 11 proxy settings. I disabled the Automatically detect settings option and enabled the Use automatic configuration script option, supplying the URL of the proxy pac file that I created (e.g. http://your-web-server/proxyfiles/proxy.pac). I started seeing intermittent results where the pac file would sometimes be downloaded, and sometimes not. For interest, I was using Wireshark to check network traffic to the proxy pac web server.

This is where I learnt that Internet Explorer 11 by default would remember which proxy server it had used to access a web site, and then continue to use that same proxy server. Therefore any changes I made to the proxy pac file seemed to be irrelevant to sites I had already accessed. For testing, I was able to change this behaviour with a registry setting, disabling the caching of proxy servers.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
New DWORD (32 bit) EnableAutoproxyResultCache
Value: 0 (disable caching)

I applied the registry setting and restarted Internet Explorer. After that, the pac file was used for every request. Not ideal during normal circumstances, but handy when you’re making changes to the proxy pac file.

I also found that using the alert() function in the proxy pac file appeared to be ignored. Shame, as that was a very useful way of seeing what was happening during processing.
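
Since the post notes that alert() appeared to be ignored, one offline way to see what the PAC file above decides is to run it under Node.js. This is an added example, not part of the original post: shExpMatch here is a stand-in assumed to approximate the browser built-in's shell-glob matching, and decide, runSamples and the sample URLs are constructed for illustration.

```javascript
// Stand-in for the browser's built-in shExpMatch (assumption: shell-glob
// semantics, where * matches any run of characters and ? exactly one).
function shExpMatch(str, shexp) {
    var re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*")
                  .replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
}

// The PAC function from the post, unchanged.
function FindProxyForURL(url, host) {
    var strProxy = "PROXY proxy-server-host-name:8080";

    if (shExpMatch(host, "*.microsoft.com"))
        return strProxy;

    if (shExpMatch(host, "*.novell.com"))
        return strProxy;

    return "DIRECT";
}

// Hypothetical helper: call the PAC function with (url, hostname),
// the two arguments a browser supplies.
function decide(url) {
    var host = new URL(url).hostname;
    return { host: host, result: FindProxyForURL(url, host) };
}

// Constructed sample URLs that probe the boundaries of the two rules.
var samples = [
    "http://www.microsoft.com/",
    "https://support.novell.com/kb",
    "http://microsoft.com/",                 // bare domain, no leading label
    "http://notmicrosoft.com/",              // look-alike without the dot
    "http://www.microsoft.com.example.net/", // rule text in the middle of the host
    "http://www.example.org/"
];

function runSamples() {
    return samples.map(decide);
}

// Print one routing decision per sample.
runSamples().forEach(function (d) {
    console.log(d.host.padEnd(32) + " -> " + d.result);
});
```

The bare-domain row is the one to watch: "*.microsoft.com" requires a leading label, so http://microsoft.com/ is sent DIRECT rather than through the proxy.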

Lastly, I decided to switch the proxy pac file URL from an https secure URL to plain http. I seemed to have strange behaviour when using https to access the proxy pac file – some sites would simply fail to load.

Hopefully this helps if you’re experiencing any difficulties with your auto-configuration scripts.

~ Mike

9 thoughts on “Using Proxy Auto-Configuration Scripts with Internet Explorer 11.”

  1. Mike,

    Just to add some clarification on File:// based URIs, IE11 deprecates them, for a number of good reasons, but they can be used via:

    Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
    Value: EnableLegacyAutoProxyFeatures
    Type: REG_DWORD
    Data: 1

    Should definitely be considered a temporary workaround.

    See http://blogs.msdn.com/b/ieinternals/archive/2013/10/11/web-proxy-configuration-and-ie11-changes.aspx

    The worst example of this is where the URL for the PAC script is the client filesystem.

    The availability of the PAC script, absent the actual proxy infrastructure (such as when off corporate network), can cause anomalous behaviour with zone mapping.

    For reasons covered in:
    http://blogs.msdn.com/b/ieinternals/archive/2012/06/05/the-local-intranet-security-zone.aspx
    and
    http://www.proxypacfiles.com/proxypac/index.php?option=com_content&view=article&id=49&Itemid=89

    Having the available PAC script process and return DIRECT (such as having DIRECT at the end of a chain of proxies to support the off campus scenario) leads to mapping the URL into the local intranet zone. Probably not ideal…

    1. Howdy Brian, completely agreed – from a corporate sense I’d never want to see file based locations for a pac file.

      My use case is specifically to control my proxy settings to precisely mandate which sites should be accessed through a corporate proxy (over a VPN), and which ones should use my home internet connection. I’ve also got the definition of the local intranet zone a bit non-standard as well.

      Appreciate the comments and info though, that’s great.

      Cheers

      Mike

  2. Hi,

    Just a small addition: “EnableAutoproxyResultCache” is to manage if PAC scripts are cached by Internet Explorer or not. Description from the GPO:

    “Prevents automatic proxy scripts, which interact with a server to automatically configure users’ proxy settings, from being stored in the users’ cache.

    If you enable this policy, automatic proxy scripts will not be stored temporarily on the users’ computer.

    If you disable this policy or do not configure it, automatic proxy scripts can be stored in the users’ cache.”

  3. FYI: The alert function DOES work in PAC files in IE11, but it is affected by the IE security settings. I am yet to track down which one, but from my troubleshooting, it appears that the address which is passed to the PAC file for proxy selection is truncated after the host part.

    For example: My alert function looked like this:
    if (shExpMatch(url, "*proxydebug=true")) {alert(debugPAC);}

    So when I wanted users to debug the PAC file I would have them type: http://www.google.com/?proxydebug=true and the alert would show and google would ignore the query string in the URL.

    I modified the PAC file so that it always alerted if it was my IP address:
    if (isInNet(myIP, "10.10.10.10", "255.255.255.255")) {alert(url);}

    The debug messages showed that depending on whether the target URL was in the Local Intranet Zone or the Internet Zone that the initial url that was passed through the PAC file would be truncated, but that other URLs which were parsed as having been called by the page load would be unmodified.

    For example, if the URL in the address bar or favourite was: https://mail.google.com/mail/u/0/?shva=1#inbox, the first alert pop-up would be “https://mail.google.com/” followed by “https://mail.google.com/mail/u/0/?shva=1”.

    But if I passed in a URL that was in the Local Intranet Zone the first pop-up would be unmodified. I’ll be doing some more investigation to see if I can work out the setting that is affecting it.

  4. You should be aware that restaurants and food companies do rigorous testing to “hook” you on their products, so when you want something, it is the result of intentional, well-placed psychological and visual stimuli. Women are made up of 20% to 25% additional fat cells, compared with 10% to 15% for men, and that is completely fine. Forget all the quick-fix promises, start an exercise program and begin changing your eating habits.

  5. Hey there! I’ve been following your web site
    for some time now and finally got the bravery to go ahead and give you a shout out from Kingwood
    Texas! Just wanted to tell you keep up the good work!

  6. Might sound strange, but how are we writing our PAC files so that we aren’t sending traffic out the Local Intranet Zone? I see warnings of this in a few places, but I’m not sure how else to end the PAC file if not with a ‘DIRECT’ statement.
