Monday, September 19, 2011

Lazy Web Proxy Auto-Discovery (WPAD) protocol configuration

To set up WPAD in our network we can choose between these options:

  1. DHCP
  2. DNS
  3. AD group policy enforcing a PAC (Proxy Auto Configuration) file
The .PAC file contains the proxy configuration that browsers evaluate for every request. We will need to prepare an HTTP server to serve this file. Whichever method we choose, a client that discovers its proxy automatically trusts whoever answers DHCP option 252 or the wpad DNS name, so both DHCP and DNS must be under our control: a rogue answer to either one sends all browser traffic through somebody else's proxy.

  • DHCP using Linux's ISC dhcpd

This is configured through the option wpad-url (DHCP option 252). Since dhcpd version 3 we need to declare the option's code and type before assigning it a value:

option wpad-url    code 252 = text;
option wpad-url    "http://sin-proxy-001.local.domain/proxy.pac";


We add these lines to dhcpd.conf and reload the service. The string is sent to clients verbatim, so check that there is no stray whitespace inside the quotes; a trailing space would end up in the URL the browser requests.

  • DNS serving wpad
Browsers that use DNS discovery request http://wpad.<search domain>/wpad.dat, so the record that matters is an A record named wpad pointing to the IP address of the server with the .PAC file, and that server must answer for the wpad name with a file called wpad.dat. The TXT record with the URL and the SRV record below follow the original WPAD draft and are optional; most browsers ignore them. On Windows DNS the records would look something like this:


On Linux, we add these lines to our zone:
$ORIGIN local.domain.
wpad            IN      A       10.9.98.2
                IN      TXT     "service: wpad:!http://sin-proxy-001.local.domain:80/proxy.pac"
_wpad._tcp      IN      SRV     0 0 80 sin-proxy-001.local.domain.
After that, reload the DNS service and confirm with dig that wpad.local.domain resolves to the web server.

  • AD Group Policy wpad enforcing
We open the Group Policy Management Console and create a new policy. Then we edit it and go to User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Connection, where we set the automatic configuration URL of our .pac file:


To avoid caching problems, it is better to disable automatic proxy result caching for the .pac file:


If our users are too naughty and disable the proxy themselves, we can take that privilege away from them with the option Make proxy settings per-machine (rather than per-user), under Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer:


We have finished the WPAD policy. Browsers that keep their own proxy settings (Firefox, for example) are not covered by it and need their own policy.

  • The .PAC file
As a basic example, this sends everything through the proxy and falls back to direct access if the proxy fails. Hosts in our intranet are reached directly, and hosts on our local office network are forced through the proxy with no fallback. Note that the "; DIRECT" fallback in the last rule means that when the proxy is down browsers silently bypass it, so use it only where that is acceptable:


function FindProxyForURL(url, host) {
      // Intranet hosts: connect directly
      if (shExpMatch(host, "*.myintranet.com"))
      {
         return "DIRECT";
      }
      // Local office network: proxy only, no fallback
      else if (isInNet(host, "10.9.98.0",  "255.255.255.0"))
      {
         return "PROXY sin-proxy-001.local.domain:3128";
      }
      // Everything else: proxy, fall back to direct if it is unreachable
      else
      {
         return "PROXY sin-proxy-001.local.domain:3128; DIRECT";
      }
}
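A PAC file is JavaScript that the browser evaluates, and a mistake in it only shows up as users quietly going direct. As an added example that is not part of the original post, here is a small Node.js harness that reimplements the PAC helper functions (shExpMatch, isInNet, dnsResolve) with a constructed name table in place of DNS and checks the policy above against a table of hosts before the file is published. The hostnames and addresses in the table are assumptions, not real hosts:

```javascript
// Added example (not code from the original post): an offline harness for the
// PAC logic above. Browsers provide shExpMatch/isInNet/dnsResolve themselves;
// here they are reimplemented, with a constructed name table in place of DNS,
// so the policy can be checked with node before it is published.

// Constructed stand-in for DNS (assumption: none of these are real hosts).
const FAKE_DNS = {
  "wiki.myintranet.com": "10.9.98.40",
  "printer.local.domain": "10.9.98.50",
  "www.example.com": "93.184.216.34",
};

function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// Dotted quad -> unsigned 32-bit integer.
function ip2int(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// isInNet as in the PAC API: resolve host (unless it is already an IP) and
// compare it with pattern under mask. Unresolvable hosts are not "in" any net.
function isInNet(host, pattern, mask) {
  const ip = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;
  const m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(pattern) & m) >>> 0);
}

// shExpMatch as in the PAC API: shell glob with * and ? against the whole string.
function shExpMatch(str, shexp) {
  const escaped = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// The policy under test (same rules as the .pac above).
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.myintranet.com")) {
    return "DIRECT";
  }
  if (isInNet(host, "10.9.98.0", "255.255.255.0")) {
    return "PROXY sin-proxy-001.local.domain:3128";
  }
  return "PROXY sin-proxy-001.local.domain:3128; DIRECT";
}

// Expected decisions for a few constructed hosts; returns the cases that fail.
function checkPolicy() {
  const cases = [
    ["http://wiki.myintranet.com/", "wiki.myintranet.com", "DIRECT"],
    ["http://printer.local.domain/", "printer.local.domain", "PROXY sin-proxy-001.local.domain:3128"],
    ["http://10.9.98.7/", "10.9.98.7", "PROXY sin-proxy-001.local.domain:3128"],
    ["http://www.example.com/", "www.example.com", "PROXY sin-proxy-001.local.domain:3128; DIRECT"],
    ["http://nowhere.invalid/", "nowhere.invalid", "PROXY sin-proxy-001.local.domain:3128; DIRECT"],
  ];
  const failures = [];
  for (const [url, host, want] of cases) {
    const got = FindProxyForURL(url, host);
    if (got !== want) failures.push({ url, want, got });
  }
  return failures;
}

if (typeof require !== "undefined" && require.main === module) {
  const failures = checkPolicy();
  console.log(failures.length === 0 ? "all PAC cases pass" : failures);
}
```

Run it with node before copying proxy.pac to the web server; a non-empty list from checkPolicy means the policy is not doing what we think. The real isInNet resolves names from the client, so a host that cannot be resolved never matches a network rule and ends up in the last branch, which is what the nowhere.invalid case exercises.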
  •  Web server configuration on Apache & Linux
This would be the configuration file in the sites-available folder (it needs to be enabled afterwards with a2ensite). It is important to register the MIME type for the .pac extension and, if DNS discovery is used, to answer for the wpad name as well, since browsers will request http://wpad.local.domain/wpad.dat from it:


MyServer:/etc/apache2/sites-available# cat sin-proxy-001
<VirtualHost *:80>
        ServerAdmin admin@local.domain.com
        ServerName sin-proxy-001.local.domain
        # Needed for DNS discovery; a wpad.dat copy of proxy.pac must exist in DocumentRoot
        ServerAlias wpad.local.domain
        DocumentRoot /var/www/proxy/
        # Browsers expect this MIME type for auto-config files
        AddType application/x-ns-proxy-autoconfig .pac .dat
        <Directory /var/www/proxy/>
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/wpad-error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/wpad-access.log combined

</VirtualHost>

Thursday, September 15, 2011

Lazy deployment of Active Directory group policies for Firefox

This scenario has been tested using the FrontMotion Firefox MSI installer available at http://www.frontmotion.com/

First of all we download and install the add-on from this link. In our Firefox profile's extensions folder (%APPDATA%\Mozilla\Firefox\Profiles\<profile>\extensions) there is now a new folder called gpofirefox@extensions.org; if we copy that folder into another Firefox profile's extensions folder, the add-on applies there without any further action.

Now we will:

  • Put the add-on in a shared folder available to all the clients (\\ARSGPDC\software)
  • Add the Firefox policy template to our server
  • Add a VBScript logon script that copies this add-on into every available Firefox profile
First step, download the .adm file to our computer. Then we open the Group Policy Management Console (under Administrative Tools) and create a new policy, for example called Set.Firefox.GlobalPreferences. We go to Administrative Templates under Computer Configuration, right-click it and choose Add/Remove Templates from the All Tasks menu:


And now we can edit the Firefox settings from the new entry that appears under Administrative Templates:


Now we can add this example VBS script to the logon scripts under User Configuration. As I'm not much of a developer, this script is quite dirty and has defined variables that are not used. However, it does work :)


The VB script basically will:

  1. Create the local folder c:\software
  2. Copy the add-on from the shared folder \\ARSGPDC\Software\FrontMotion\gpofirefox@extensions.org
  3. Copy the extension to each available profile in the user's Firefox folder
  4. Create a control file at c:\software\gpofirefox.txt to avoid copying from the share over and over again.

Since every client copies, and then loads into the browser, whatever sits on \\ARSGPDC\software, that share must be writable only by administrators: anyone who can write there can push code into every Firefox profile in the domain. Note also that the control file is per machine while the profile copy is per user, so step 3 runs at every logon and only the network copy is skipped.

Here's the script:

Option Explicit

' Where the add-on is published, where it is staged locally, and the control
' file that records that the staging copy from the share has already been made.
Const SHARE_PATH   = "\\ARSGPDC\software\FrontMotion\gpofirefox@extensions.org"
Const LOCAL_DIR    = "C:\software"
Const LOCAL_ADDON  = "C:\software\gpofirefox@extensions.org"
Const CONTROL_FILE = "C:\software\gpofirefox.txt"

Dim oFSO, WshShell, WshSysEnv, FoxProfilePath

Set oFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("PROCESS")
FoxProfilePath = WshSysEnv("APPDATA") & "\Mozilla\Firefox\Profiles\"

' First logon on this machine: create C:\software, stage the add-on from the
' share and drop the control file so that later logons skip the network copy.
If Not oFSO.FileExists(CONTROL_FILE) Then
        If Not oFSO.FolderExists(LOCAL_DIR) Then
                oFSO.CreateFolder LOCAL_DIR
        End If
        ' Hidden window (0), wait for xcopy to finish (True) before going on.
        WshShell.Run "c:\windows\system32\xcopy.exe /E /I /Y /H """ & SHARE_PATH & """ """ & LOCAL_ADDON & """", 0, True
        oFSO.CreateTextFile(CONTROL_FILE).Close
End If

' Every logon: drop the staged add-on into each Firefox profile of this user.
CopyAddonToProfiles

WScript.Quit 0

Sub CopyAddonToProfiles()
        Dim ProfileFolder, ExtensionsPath
        If Not oFSO.FolderExists(FoxProfilePath) Then Exit Sub
        For Each ProfileFolder In oFSO.GetFolder(FoxProfilePath).SubFolders
                ExtensionsPath = ProfileFolder.Path & "\extensions\"
                ' CopyFolder creates the destination if needed; True overwrites existing files.
                oFSO.CopyFolder LOCAL_DIR & "\gpofirefox*", ExtensionsPath, True
        Next
End Sub







Sunday, September 11, 2011

Lazy RADIUS authentication with Cisco and Windows 2008

As a first step we add the Network Policy and Access Services role to our Windows server. The following role services are enough for our purpose:

 


Now we are ready to create our new network policy. Under Administrative Tools we will find a new console called Network Policy Server. We open it, right-click on Network Policies and select New:


We set the new policy name and, as type of network access server, we select Unspecified:

 
As the next step we add the security group My VPN Group as a condition:

We select Access granted in the next window. The next step is to configure the authentication methods:

We modify the selections as per the above screenshot and add an EAP type. Note that for router logins IOS sends the password as PAP, so Unencrypted authentication (PAP, SPAP) must stay enabled or the router's requests will be rejected; the RADIUS shared secret is then the only thing protecting that password on the wire, which is one more reason to keep this traffic on a management VLAN. Under Constraints we can set the session timeout to 30 minutes, and on the Settings tab, under RADIUS Attributes -> Standard, we set Service-Type to Login and remove the default Framed-Protocol attribute:

 

In the Vendor Specific section we add an attribute, choosing All in the vendor filter, and *in case we want our users to have level 15 (admin) on the router* we pick the Cisco-AV-Pair attribute under the Cisco vendor and set its string value to shell:priv-lvl=15:


We are done with the policy. Now we need to create a RADIUS client. In the main Network Policy Server console right-click on RADIUS Clients and click New RADIUS Client. We enter the client name (the router name), its IP address and the shared secret. Use a long random secret: it protects the user's password in the request and the integrity of the reply, so it deserves the same care as an admin password, and the same value goes into the router's radius-server host command below:


We have finished the Windows part; now we need to enter some commands on the router. SSH into it and enter configuration mode. Before enabling AAA make sure a local administrative user with privilege 15 and a secret already exists, otherwise a RADIUS outage locks us out:

  • aaa new-model
  • radius-server host radius.company.local timeout 3 retransmit 2 key <pre-entered shared secret>
    (the IOS defaults are timeout 5 seconds and retransmit 3)
As best practice, in case we have a management / dedicated IT infrastructure VLAN we make the RADIUS traffic go through that one (Vlan1 in the example). This is also the address that NPS sees, so it must be the one registered for the RADIUS client:

  • ip radius source-interface Vlan1
Now that RADIUS is set up, we add it to the router's authentication and authorization method lists, with local as the fallback when no RADIUS server answers:

  • aaa authentication login default group radius local
  • aaa authorization exec default group radius local
  • end
* If we want RADIUS users to log in through terminal sessions, we also add:
  • line vty 0 15
  • login authentication default
  • end
Test the result from a second SSH session before closing the one used for the configuration, and check with show privilege that the Cisco-AV-Pair gave the expected level. Now we can add different groups for our remote admins, VPN users, etc.