How to implement SmartPAC in your Windows environment using AD GPO?

Follow

Considering the changes to Group Policy in the past few years (i.e. changes from server 2008R2 to 2016 with GPP and the depreciation of ‘Internet Explorer Maintenance’ post IE10) we believe that registry setting adjustment is the easiest way of PAC enforcement.

This KB article guides you through the implementation of Securly’s SmartPAC solution within your Windows environment using Active Directory GPO.

Things to remember before getting started:

  1. The  GPO’s listed in this guide are based at a user level.  Active Directory environments can differ vastly from one another. It is important to figure out beforehand which users you want to target with SmartPAC as it is designed for offsite filtering.
  2. Not only do you need to push SmartPAC but in order for SmartPAC to be effective, you will need to create separate GPO’s that lock down the Proxy and Connection settings of Internet Explorer, Edge, and Chrome.
  3. Proxy caching will need to be disabled within Internet Explorer to prevent redirect loops.


Step 1: Create Registry Key for SmartPAC

smartpac5.png

  1. Create a new Group Policy Object (GPO) and name it ‘Securly SmartPAC’.
  2. Edit the newly created object and navigate to Registry > New > Registry Item.
  3. Input the following details in the ‘General’ tab to create the new Registry Item.

Hive:  HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Action: Replace

Value Name:  AutoConfigURL

Value Type: REG_SZ

Value Data: Substitute “http://<servername>/my_proxy.pac” with the SmartPAC URL provided to you by Securly Support or Sales team member.

smartpac4.png

  1. Go to the ‘Common’ tab and select the checkbox for “Remove this item when it is no longer applied”.

This option removes the GPO item should you decide to remove Securly and delete the GPO. If you delete the GPO without this option selected, the setting will remain and users will continue to be filtered.

smartpac3.png

Note that the above option should be considered for all of the GPO’s in this guide should you ever want to remove Securly correctly.

Step 2: Lock things down

Create a new GPO and name it ‘Lock Internet Settings Down’. This setting would help users remove the proxy and get unfiltered access.

disable_internet_connection_settings.png

The menu targeted with the above policy is shown below:

connections_lockdown.png

Step 3:  Modify Intranet Zone Settings in IE

SmartPAC uses a patented API to process traffic for filtering. This is unique and makes it imperative to adjust a setting within IE to prevent ‘looping’ during browsing.

Note that this is an IE specific issue and does not affect Chrome.

  1. Create a new Group Policy titled ‘Disable Proxy Caching in IE’
  2. Ensure that this Group Policy has the following settings:

Hive:  HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Action: Replace

Value Name:  “EnableAutoProxyResultCache

Value Type: “REG_DWORD”

Value Data: “0

smartpac2.png

This entry will disable the ‘Include all sites that bypass the proxy server’ setting within IE.

disable_proxy_bypass_proxy_server.png

You will now have three new objects that will work together to filter your students’ devices.

smartpac1.png

Ensure that you place the objects in the correct OU that corresponds to your offsite users (in most cases this will be your students).

Have more questions? Submit a request

Comments