Considering the changes to Group Policy in the past few years (i.e., changes from Server 2008 R2 to 2016 with GPP and the deprecation of ‘Internet Explorer Maintenance’ post IE10), we believe that registry adjustment is the easiest way of PAC enforcement.
This KB article guides you through the implementation of Securly’s SmartPAC solution within your Windows environment using Active Directory GPO.
Things to remember before getting started:
- The GPOs listed in this guide are based on the user level. Active Directory environments can differ vastly from one another.
- Intranet Zones will need to be adjusted to prevent redirect loops in IE. IE places proxy servers automatically in the Intranet Zone. Since our proxy servers aren't on your intranet, this causes problems that prevent IE from properly loading web resources and results in a looping behavior.
*Pro Tip 1*
Each of the GPOs you will be creating in this guide may need to be removed one day. Simply deleting a GPO does not mean its settings will be reset to normal. Using the "Common" tab and checking "Remove this item when it is no longer applied" will accomplish this.
This option removes the GPO item should you decide to remove Securly and delete the GPO. If you delete the GPO without this option being selected, the settings will remain and users will continue to be filtered. Note that this option should be considered for all of the GPOs in this guide should you ever want to remove Securly correctly.
*Pro Tip 2*
Each of these registry entries should be a separate GPO. You may at some point need to disable one, such as the GPO that locks the browser down so proxy settings cannot be changed.
Creating a single GPO with all of the below settings will prevent you from being able to selectively disable and troubleshoot.
When done, it should look something like this:
Getting started - Creating User-Based Registry Items:
Step 1: Create Registry Key for SmartPAC with the following details
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings
Action: Create
Value Name: AutoConfigURL
Value Type: REG_SZ
Value Data: The SmartPAC URL provided to you by a Securly Support or Sales team member.
*Note that by default your SmartPAC URL may use HTTPS. Some versions of IE only support HTTP. Securly supports both so be aware that you may need to use HTTP.*
Step 2: Create Registry Key to Lock Down Internet Settings
Hive: HKEY_CURRENT_USER
Key Path: Software\Policies\Microsoft\Internet Explorer\Control Panel
Action: Create
Value Name: ConnectionsTab
Value Type: REG_DWORD
Value Data: 1
Windows 10
Hive: HKEY_CURRENT_USER
Key Path: Software\Policies\Microsoft\Internet Explorer\Control Panel
Action: Create
Value Name: Proxy
Value Type: REG_DWORD
Value Data: 1
Note that this setting is essential to locking out the Windows 10/Edge proxy settings.
Ensure that you place the objects in the correct OU that corresponds to your off-site users (in most cases this will be your students).
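To confirm on a client that the three values from Steps 1 and 2 actually landed, a read-only check like the one below can be run in the logged-on user's session after a policy refresh. This is an added example, not part of Securly's guide; the script and the placeholder URL `https://pac.example.invalid/smartpac.pac` are assumptions, so pass the SmartPAC URL you were given.

```powershell
# Added example (not Securly's code): read-only audit of the SmartPAC
# registry values described in Steps 1 and 2, for the current user (HKCU).
param(
    # Assumption: placeholder URL, replace with your own SmartPAC URL.
    [string]$ExpectedPacUrl = 'https://pac.example.invalid/smartpac.pac'
)

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$iePolicy     = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

$checks = @(
    @{ Path = $inetSettings; Name = 'AutoConfigURL';  Expected = $ExpectedPacUrl },
    @{ Path = $iePolicy;     Name = 'ConnectionsTab'; Expected = 1 },
    @{ Path = $iePolicy;     Name = 'Proxy';          Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing key or value yields $null instead of an error.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

    if ($null -eq $actual)                    { $status = 'Missing' }
    elseif ("$actual" -eq "$($c.Expected)")   { $status = 'OK' }
    else                                      { $status = 'Mismatch' }

    # Flag a PAC URL that is fetched over plain HTTP rather than HTTPS.
    $note = ''
    if ($c.Name -eq 'AutoConfigURL' -and "$actual" -like 'http://*') {
        $note = 'PAC file is fetched over unencrypted HTTP'
    }

    [pscustomobject]@{
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Status   = $status
        Note     = $note
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a login script or management tool flag the client.
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

After an uninstall, the same script should report all three values as Missing if "Remove this item when it is no longer applied" was set on each GPO item.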
How to Uninstall SmartPAC from Your Windows Environment
To uninstall SmartPAC, you need to reverse the installation steps. Here’s how:
- Remove the Group Policy Object (GPO):
  - Open the Group Policy Management Console (GPMC) on your domain controller.
  - Locate the GPO that was created for SmartPAC deployment.
  - Right-click on the GPO and select "Delete". Confirm the deletion.
- Update Internet Explorer Settings via GPO:
  - Open the Group Policy Management Console (GPMC).
  - Create a new GPO or edit an existing GPO linked to the desired organizational units (OUs).
  - Navigate to User Configuration > Preferences > Control Panel Settings > Internet Settings.
  - Right-click on "Internet Settings" and select "New > Internet Explorer 10".
  - In the "Connections" tab, under "Automatic configuration", uncheck "Use automatic configuration script".
  - Click "OK" to save the settings and close the dialog.
- Force Group Policy Update:
  - Run gpupdate /force on the client machines or wait for the next automatic policy refresh cycle.