How to implement SmartPAC in your Windows environment using AD GPO?

Follow

Considering the changes to Group Policy in the past few years (i.e. changes from server 2008R2 to 2016 with GPP and the depreciation of ‘Internet Explorer Maintenance’ post IE10) we believe that registry setting adjustment is the easiest way of PAC enforcement. 

This KB article guides you through the implementation of Securly’s SmartPAC solution within your Windows environment using Active Directory GPO. 

Things to remember before getting started:

  1. The  GPO’s listed in this guide are based at a user level.  Active Directory environments can differ vastly from one another. It is important to figure out beforehand which users you want to target with SmartPAC as it is designed for offsite filtering.
  2. Intranet Zones will need to be adjusted to prevent redirect loops in IE.  IE places proxy servers automatically in the Intranet Zone. As our proxy servers aren't on your intranet, this causes problems that prevent IE from properly loading web resources and results in a looping behavior.

*Pro Tip 1*

Each of the GPO's you will be creating in this guide may need to be removed one day.  Simply deleting a GPO does not mean its setting will be reset to normal.  Using the "Common" tab and checking "Remove this item when it is no longer applied" will accomplish this.

This option removes the GPO item should you decide to remove Securly and delete the GPO. If you delete the GPO without this option selected, the setting will remain and users will continue to be filtered. Note that this option should be considered for all of the GPO’s in this guide should you ever want to remove Securly correctly

smartpac3.png

*Pro Tip 2*

Each of these registry entries should be a separate GPO.  You may at some point in time need to disable one such as the GPO that locks the browser down so proxy settings cannot be changed.

Creating a single GPO with all of the below settings will prevent you from being able to selectively disable and troubleshoot.

When done it should look something like this:

Screenshot_for_SmartPAC_GPOs.PNG

 

Getting started - Creating User based Registry items:

smartpacgpo5.png

Step 1: Create Registry Key for SmartPAC with the following details

Hive:  HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Action: Replace

Value Name:  AutoConfigURL

Value Type: REG_SZ

Value Data: The SmartPAC URL provided to you by Securly Support or Sales team member. 

*Note: By default your SmartPAC URL may use HTTPS.  Some versions of IE only support HTTP.  Securly supports both so be aware you may need to use HTTP.*

 

 Step 2: Create Registry Key to Lock Down Internet Settings

Hive: HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Action: Replace

Value Name: AutoDetect

Value Type: REG_DWORD

Value Data: 0 

Step 3: Create Registry Key to Prevent Redirect Loops in IE

Hive:  HKEY_CURRENT_USER

Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Action: Replace

Value Name:  ProxyByPass

Value Type: REG_DWORD

Value Data: 0

This entry will disable the ‘Include all sites that bypass the proxy server’ setting within IE.

disable_proxy_bypass_proxy_server.png

Ensure that you place the objects in the correct OU that corresponds to your offsite users (in most cases this will be your students).

Have more questions? Submit a request

Comments