What is the best way to automatically configure Windows desktops and laptops in an AD environment to use a proxy server?

I have recently set up a Squid proxy server for caching purposes and would like to start pointing my desktops and laptops to it.

My computers are running Windows XP with IE8 and Windows 7 with IE9.


In my experience there is no single way that will work reliably every time. You probably need to set up WPAD, and also set up the policies for some machines that won't do WPAD.

Since your users have laptops, you almost certainly are going to want to have WPAD. IE, Firefox, and Chrome can all support this, even on non-Windows operating systems.

You should probably set it up so you deliver the WPAD information both via DHCP for your Windows boxes, and also set up the DNS method. Place the config at http://wpad.yourdomain.example.org/wpad.dat

Setting group policies as another method will help too, but you will almost certainly want to exclude your laptops, or they may not be able to use the Internet when they are outside of your network.

If your Squid doesn't require authentication, and you don't mind either breaking SSL, or permitting out without going through the proxy, then the easiest way is to simply place Squid in a location on your network where you can set it up in Interception mode. In this mode you don't have to set anything on the clients. They are forced through the proxy by the ACLs on your firewall/router.
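
A minimal `wpad.dat` for the WPAD setup described in the answer above, as an added example that is not part of the original answer. The Squid host name, port 3128 and the internal DNS suffix are assumptions; replace them with your own values.

```javascript
// wpad.dat (a PAC file). The browser calls FindProxyForURL(url, host)
// for every request and uses the returned proxy list in order.
// Assumed values, not from the original post: Squid host/port and DNS suffix.
var PROXY = "PROXY squid.yourdomain.example.org:3128";
var INTERNAL_SUFFIX = ".yourdomain.example.org";

// True for literal loopback / RFC 1918 IPv4 addresses (no DNS lookup needed).
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (e.g. "intranet") are internal: skip the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  // The internal domain itself and any host under it. The leading dot in
  // INTERNAL_SUFFIX stops look-alikes such as "evilyourdomain.example.org".
  if (host === INTERNAL_SUFFIX.slice(1) ||
      host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";
  // Everything else: try Squid first, then go direct if it is unreachable,
  // so a laptop that still has this file cached keeps working off-network.
  return PROXY + "; DIRECT";
}
```

The trailing `; DIRECT` also lets clients bypass Squid whenever it is down, which is fine for a caching proxy; remove it if traffic must always go through the proxy. Serve the file with the MIME type `application/x-ns-proxy-autoconfig`, and point DHCP option 252 at the same URL for the DHCP method.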


You can configure proxy settings for Internet Explorer in the Internet Explorer group policy settings templates. They are found in the IEAK for each version of the browser available on the Microsoft download site.


The above are all great examples.

We use a different method in our office to catch all HTTP traffic. What kind of network equipment are you using? Squid supports WCCP, and network equipment like Cisco routers and firewalls (ASA, PIX), and other vendors too, also support it. This allows you to do a transparent proxy server, forcing all HTTP traffic to be routed at the firewall level, rather than the client level. This works on all browsers, not just IE, because it's handled at the network level. An example setup is documented nicely here.