Considering the changes to Group Policy in the past few years (i.e. the changes from Server 2008R2 to 2016 with GPP, and the deprecation of ‘Internet Explorer Maintenance’ after IE10), we believe that adjusting registry settings is the easiest way to enforce the PAC.
This KB article guides you through the implementation of Securly’s SmartPAC solution within your Windows environment using Active Directory GPO.
Things to remember before getting started:
- The GPOs listed in this guide are applied at the user level. Active Directory environments can differ vastly from one another. It is important to figure out beforehand which users you want to target with SmartPAC, as it is designed for offsite filtering.
- Pushing SmartPAC is not enough on its own: for SmartPAC to be effective, you will also need to create separate GPOs that lock down the Proxy and Connection settings of Internet Explorer, Edge, and Chrome.
- Proxy caching will need to be disabled within Internet Explorer to prevent redirect loops. (Optional step)
- Intranet Zones will need to be adjusted to prevent redirect loops in IE. IE places proxy servers automatically in the Intranet Zone. As our proxy servers aren't on your intranet, this causes problems that prevent IE from properly loading web resources and results in a looping behavior.
Step 1: Create Registry Key for SmartPAC
- Create a new Group Policy Object (GPO) and name it ‘Securly SmartPAC’.
- Edit the newly created object and navigate to Registry > New > Registry Item.
- Input the following details in the ‘General’ tab to create the new Registry Item.
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings
Value Name: AutoConfigURL
Value Type: REG_SZ
Value Data: Substitute “http://<servername>/my_proxy.pac” with the SmartPAC URL provided to you by a Securly Support or Sales team member.
Note: If you are on Windows build 1903, you will need to set the PAC URL to HTTP, not HTTPS. You can refer to this forum to read more. It is speculated that Windows may revert this change and once again support PAC URLs over HTTPS. If it does, we will update this article.
- Go to the ‘Common’ tab and select the checkbox for “Remove this item when it is no longer applied”.
This option removes the GPO item should you decide to remove Securly and delete the GPO. If you delete the GPO without this option selected, the setting will remain and users will continue to be filtered.
Note that the above option should be considered for all of the GPOs in this guide, so that Securly can be removed correctly should you ever want to.
Step 2: Lock things down
Create a new GPO and name it ‘Lock Internet Settings Down’. This policy helps prevent users from removing the proxy and getting unfiltered access.
The menu targeted with the above policy is shown below:
Step 3: Proxy caching will need to be disabled within Internet Explorer to prevent redirect loops. (Optional step)
Step 4: Modify Intranet Zone Settings in IE
This setting prevents Internet Explorer from permanently caching policy decisions. It is more of an optional setting: nothing important seems to break when it is not changed. We do recommend changing it, but leaving it alone improves the performance of IE.
Note that this is an IE specific issue and does not affect Chrome.
- Create a new Group Policy titled ‘Disable Proxy Caching in IE’
- Ensure that this Group Policy has the following settings:
Key Path: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Value Name: ProxyByPass
Value Type: REG_DWORD
Value Data: 0
This entry will disable the ‘Include all sites that bypass the proxy server’ setting within IE.
You will now have three new objects that will work together to filter your students’ devices.
Ensure that you place the objects in the correct OU that corresponds to your offsite users (in most cases this will be your students).
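To confirm on a client that the registry items from this guide actually reached a targeted user, the following check can be run in that user's session after `gpupdate /force`. It is an added example, not part of Securly's guide; it assumes the values land in the HKCU hive (the GPOs here are user-level), and `$ExpectedPacUrl` is the guide's placeholder, to be replaced with your own SmartPAC URL.

```powershell
# Added example: audit the per-user registry values deployed by this guide.
# Assumptions: HKCU hive (user-level GPOs); $ExpectedPacUrl is a placeholder.
param(
    [string]$ExpectedPacUrl = 'http://<servername>/my_proxy.pac'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMap = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$findings = @()

# Step 1: AutoConfigURL must exist and match the URL you were given.
$pac = Get-RegValue -Path $inet -Name 'AutoConfigURL'
if ([string]::IsNullOrWhiteSpace($pac)) {
    $findings += 'AutoConfigURL is not set: the SmartPAC GPO did not apply to this user.'
} elseif ($pac -ne $ExpectedPacUrl) {
    $findings += "AutoConfigURL is '$pac' but '$ExpectedPacUrl' was expected."
}

# Note in Step 1: on Windows build 1903 the PAC URL must be HTTP, not HTTPS.
if ($pac -like 'https://*') {
    $findings += 'AutoConfigURL uses HTTPS; the guide requires HTTP on Windows build 1903.'
}

# ZoneMap item: ProxyByPass must be the DWORD 0.
$bypass = Get-RegValue -Path $zoneMap -Name 'ProxyByPass'
if ($null -eq $bypass) {
    $findings += 'ProxyByPass is not set under the ZoneMap policy key.'
} elseif ([int]$bypass -ne 0) {
    $findings += "ProxyByPass is $bypass; the guide sets it to 0."
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: SmartPAC registry settings match the guide.'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

A non-zero exit code makes the script usable from a logon script or an endpoint management tool to flag users whose filtering settings are missing or have been altered.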