Considering the changes to Group Policy in the past few years (i.e., Changes from server 2008R2 to 2016 with GPP and the depreciation of ‘Internet Explorer Maintenance’ post IE10) we believe that registry adjustment is the easiest way of PAC enforcement.
This KB article guides you through the implementation of Securly’s SmartPAC solution within your Windows environment using Active Directory GPO.
Things to remember before getting started:
- The GPO’s listed in this guide are based on the user level. Active Directory environments can differ vastly from one another. It is important to figure out beforehand which users you want to target with SmartPAC as it is designed for off-site filtering.
- Intranet Zones will need to be adjusted to prevent redirect loops in IE. IE places proxy servers automatically in the Intranet Zone. Since our proxy servers aren't on your intranet, this causes problems that prevent IE from properly loading web resources and results in a looping behavior.
*Pro Tip 1*
Each of the GPO's you will be creating in this guide may need to be removed one day. Simply deleting a GPO does not mean its settings will be reset to normal. Using the "Common" tab and checking "Remove this item when it is no longer applied" will accomplish this.
This option removes the GPO item should you decide to remove Securly and delete the GPO. If you delete the GPO without this option being selected, the settings will remain and users will continue to be filtered. Note that this option should be considered for all of the GPO’s in this guide should you ever want to remove Securly correctly.
*Pro Tip 2*
Each of these registry entries should be a separate GPO. You may at some point in time need to disable one such as the GPO that locks the browser down so proxy settings cannot be changed.
Creating a single GPO with all of the below settings will prevent you from being able to selectively disable and troubleshoot.
When done, it should look something like this:
Getting started - Creating User-Based Registry Items:
Step 1: Create Registry Key for SmartPAC with the following details
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings
Value Name: AutoConfigURL
Value Type: REG_SZ
Value Data: The SmartPAC URL provided to you by Securly Support or Sales team member.
*Note that by default your SmartPAC URL may use HTTPS. Some versions of IE only support HTTP. Securly supports both so be aware that you may need to use HTTP.*
Step 2: Create Registry Key to Lock Down Internet Settings
Key Path: Software\Policies\Microsoft\Internet Explorer\Control Panel
Value Name: Connections Tab
Value Type: REG_DWORD
Value Data: 1
Step 3: Create Registry Key to Prevent Redirect Loops in IE
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Value Name: ProxyByPass
Value Type: REG_DWORD
Value Data: 0
This entry will disable the "Include all sites that bypass the proxy server" setting within IE.
Ensure that you place the objects in the correct OU that corresponds to your off-site users (in most cases this will be your students).