F5 as a WPAD web server

November 8, 2013 at 9:27 pm Leave a comment

WPAD stands for Web Proxy AutoDetection.  Most browsers default to trying to find a proxy using WPAD.  If you plan to use this on your network, you need to test not only each major browser, but each major version as well.  In testing, we’ve found that IE 8 works differently than IE 10 in ways that we didn’t expect.

We serve our WPAD files from an F5 load balancer.  The reason is because of the built-in redundancy of an F5 pair, and because of iRules.  We mostly want to use WPAD for client machines, but because of user related Group Policy settings being applied against servers as users log in for maintenance, we need to have it work for them as well.  Generally, you don’t want your servers going to the Internet for anything directly, unless it’s required by the application.  This makes for a more secure environment, since if something does try to infect your servers, they won’t be able to easily get out to malicious command and control servers.

Back to iRules.  A long time back, we created an iRule to serve the wpad.dat and wpad.pac file (needed for different systems, in our case).  Essentially, the rule turned the VIP it was enabled on into a web server.

With our servers, we wanted them to NOT use a proxy server unless we specifically designated them to do so.  We didn’t want an Admin logging into a server and having his GPO applied, causing WPAD to turn on.  But, then, we though, what if it didn’t matter?  What if everyone could use WPAD and it could intelligently just work?

You see, our servers are confined to several subnets, separate from the client machines.  The vast majority of the servers do not need to use a proxy server.  In fact, if they accidentally get set to use a proxy server via WPAD, it can break applications.  (Remember the GPO thing I mentioned.. Yep, it’s not speculation, it happened.)

We used this arrangement to our advantage.  We rewrote the iRule to use F5’s Data Lists.  One data list contains the subnets where all the servers live, lets call it the wpadblock list.  This list is in place to specify which subnets we do not want to use a proxy.  We have another data list containing individual hosts we’ll call the wpadexceptions list.  These are for the few servers that we have that do need to use a proxy server.  The iRule looks to see if the Client IP is in the wpadexceptions list.  If it is, it serves the normal client WPAD file.  Otherwise, it checks the Client IP to see if it is a member of the wpadblock list.  If it is, it serves a tiny WPAD file that specifies that the machine is to go Direct (and not use a proxy server of any sort).  Finally, if the requesting client is on neither list, it gets handed the normal client WPAD file.

Using this iRule should allow us to have all devices pointing to a central location for their proxy settings, with the result being that each device will get the settings appropriate for itself, automatically.


Entry filed under: Networking. Tags: , .

How to get ahead financially Thinking Different with Credit Cards

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


November 2013
« Oct   Dec »

Most Recent Posts

%d bloggers like this: