Office 365 Proxy Autoconfiguration Generator
Introduction
We wrote the original Proxy PAC tool for a customer almost two years ago, and have since added a lot of new functionality. Rather than updating previous blog posts about it, we thought we would start a fresh thread. If you want some background on how Proxy PAC files work and how to distribute them to your users via GPO or WPAD, we would suggest taking a look at our posts dealing with those topics:
- Office 365 PAC File - https://blogs.technet.microsoft.com/undocumentedfeatures/2015/11/16/office-365-pac-file/
- Deploying the PAC file - https://blogs.technet.microsoft.com/undocumentedfeatures/2016/04/06/deploying-the-office-365-proxy-pac-to-manage-your-users/
Now, on to the new stuff.
Configuring
We try hard to build in good help, which you can access by running Get-Help .\Office365ProxyPac.ps1.
https://msdnshared.blob.core.windows.net/media/2016/08/pac_v2-01.png
We added a few new parameters we're really excited about and want to share. So, without further ado:
Blocklist
This is a feature that we put in after some questions from customers about the public URLs, such as Facebook or YouTube, that are included in the O365IPAddresses.xml file. Some organizations don't really want to allow access to those URLs carte blanche, so we added a feature that keeps them out of the "DIRECT" directive by omitting them from the list overall. Using the feature:
.\Office365ProxyPac.ps1 -Blocklist youtube,facebook
https://msdnshared.blob.core.windows.net/media/2016/08/pac_v2-02.png
AlwaysProxyBlocklist
However, just to cover all the bases, maybe the customer wants to ensure that those URLs on the Blocklist are actually proxied. In that case, they can use the -AlwaysProxyBlocklist parameter, which causes the script to build a new section and assign them the PROXY directive with no fall-back configuration. To use this feature:
.\Office365ProxyPac.ps1 -Blocklist youtube,facebook -AlwaysProxyBlocklist
https://msdnshared.blob.core.windows.net/media/2016/08/pac_v2-03.png
When you open the Office365PAC.pac file, you'll see this new directive:
https://msdnshared.blob.core.windows.net/media/2016/08/pac_v2-04.png
Products
This was by far the most requested feature that we added. We received a lot of feedback about being able to only configure proxy bypass (DIRECT) for individual services, so we have finally implemented a feature to be able to do it. To use the feature:
.\Office365ProxyPac.ps1 -Products EXO,Identity
https://msdnshared.blob.core.windows.net/media/2016/08/pac_v2-05.png
Testing
Once you've created your PAC file, we would suggest testing it to make sure you get the desired behavior. We use the FindProxyForUrl toolset (http://findproxyforurl.com/official-toolset/). After you download and extract it, you can use pactester.exe to verify that it works as planned. For our test PAC, we used the parameters -Products EXO,OneNote,Identity -AlwaysProxyBlocklist -Blocklist youtube,facebook.
To run the tool, the syntax is:
pactester.exe -p <pac file> -u <url to test>
https://msdnshared.blob.core.windows.net/media/2016/08/pac_v2-07.png
In this case, the desired result is to send URLs with the pattern facebook to the proxy and for everything else to go direct.
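A PAC file is JavaScript, so the routing described in the AlwaysProxyBlocklist and Testing sections can also be checked offline under Node. The following is an added example, not output of Office365ProxyPac.ps1 and not our tool's code; the proxy address, the host patterns, the default route for unlisted hosts and the auditPac helper are all assumptions.

```javascript
// Added example: hand-written PAC logic, not output of Office365ProxyPac.ps1.
// Browsers supply shExpMatch(); this minimal shim lets the file run under Node.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Assumed values: the proxy address and host patterns are placeholders.
const PROXY = "PROXY proxy.example.internal:8080";
const BLOCKLIST = ["*youtube*", "*facebook*"];      // -Blocklist youtube,facebook
const DIRECT_HOSTS = ["outlook.office365.com",      // constructed stand-ins for
                      "*.outlook.com",              // -Products EXO,Identity
                      "login.microsoftonline.com"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Blocklist is evaluated first, so a broad DIRECT pattern can never override it.
  // The return value has no "; DIRECT" suffix: if the proxy is unreachable the
  // request fails instead of silently bypassing inspection.
  for (const p of BLOCKLIST) if (shExpMatch(host, p)) return PROXY;
  for (const p of DIRECT_HOSTS) if (shExpMatch(host, p)) return "DIRECT";
  // Assumed default for unlisted hosts; use whatever your generated file returns.
  return PROXY + "; DIRECT";
}

// Audit helper (hypothetical): report URLs whose route differs from policy.
function auditPac(expectations) {
  return expectations
    .map(([url, want]) => [url, want, FindProxyForURL(url, new URL(url).hostname)])
    .filter(([, want, got]) => got !== want)
    .map(([url, want, got]) => `${url}: wanted "${want}", got "${got}"`);
}
```

Feeding auditPac a list of URL and expected-route pairs after each regeneration of the PAC file catches a blocklisted site that has drifted back to DIRECT before the file is deployed.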
We have also updated the tool recently to include an option to allow selection of the GCC High (US Department of Defense) XML feed.
The updated version of the Office 365 Proxy Pac tool is available here: https://gallery.technet.microsoft.com/Office-365-Proxy-Pac-60fb28f7.
Happy Proxying!