Updates to Office 365 Proxy PAC Generator

Updates to Office 365 Proxy PAC Generator


I wrote the original Proxy PAC tool for a customer almost a year ago, and since have added a lot of new functionality.  Rather than updating my previous blog posts about it, I thought I would start a fresh thread.  If you want some background on how Proxy PAC files work and how to distribute them to your users via GPO or WPAD, I would suggest taking a look at my posts dealing with those topics:

Now, on to the new stuff.



I try hard to build in good help, which you can access by running Get-Help .\Office365ProxyPac.ps1.


I added a few new parameters that I’m really excited about and want to share.  So, without further ado:


This is a feature that I put in after some questions from customers about including public URLs such as Facebook or YouTube in the O365IPAddresses.xml file.  Some organizations don’t really want to allow access to those URLs carte blanch, so I added a feature to exclude those from being included in the “DIRECT” directive by omitting them from the list overall.  Using the feature:

.\Office365ProxyPac.ps1 -Blocklist youtube,facebook



However, just to cover all the bases, maybe the customer wants to ensure that those URLs on the Blocklist are actually proxied.  In that case, they can use the -AlwaysProxyBlocklist parameter, which causes the script to build a new section and assign them the PROXY directive with no fall-back configuration.  To use this feature:

.\Office365ProxyPac.ps1 -Blocklist youtube,facebook


When you open the Office365PAC.pac file, you’ll see this new directive:



This was by far the most requested feature that I added.  I received a lot of feedback about being able to only configure proxy bypass (DIRECT) for individual services, so I have finally implemented a feature to be able to do it.  To use the feature:

.\Office365ProxyPac.ps1 -Products EXO,Identity



Once you’ve created your PAC file, I would suggest testing it to make sure you get the desired behavior.  I use the FindProxyForUrl toolset (http://findproxyforurl.com/official-toolset/).  After you download and extract it, you can use pactester.exe to verify that it works as planned.  For my test PAC, I used the parameters -Products EXO,OneNote,Identity -AlwaysProxyBlockList -Blocklist youtube,facebook.

To run the tool, the syntax is:

pactester.exe -p <pac file> -u <url to test>


In my case, the desired result is to send URLs with the pattern facebook to the proxy and for everything else to go direct.

The updated version of the Office 365 Proxy Pac tool is available here: https://gallery.technet.microsoft.com/Office-365-Proxy-Pac-60fb28f7.

Happy Proxying!

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

Reader Comments

  1. The BlockList function is good. However, I need to explicitly put in every public URL individually.
    Is there an easier method to omit/put together all the Non-Microsoft URLs in the xml?

  2. I was going to build a tool for this myself (to simultaneously learn more about scripting and solve my O365 PAC problem) when I came across this. Great stuff, thanks a bunch!!

    However, I’m running into a problem where the script will only generate a correct PAC file when a single Product is chosen.
    – When ‘-Product’ flag is omitted, Script outputs that PAC will be generated for All products, but actual .PAC file only contains the hard coded dnsDomainIs(host, “office365.com”):
    – When ‘-Product WAC,O365’ is used, or any combination of more than 1 Product, Script outputs that PAC will be generated for selected products, but actual .PAC file only contains the hard coded dnsDomainIs(host, “office365.com”):
    – When ‘-Product O365’ is used, PAC file is generated correctly with all the domains listed under that product in the XML.

    So PAC file generator is only working for a single product. Wondering if maybe the XML format changed since last update of this script?

  3. I’m struggling a bit to understand why my use case for this is so different from the use case and examples that it was apparently built for. We can not access any Internet sites without traversing the Proxy server. So DIRECT does nothing for us and that’s the primary method used here. So it seems I don’t need this script at all? What I was looking for is a way to generate a Proxy.pac which properly routed client traffic DIRECT when there is an alternate route (It’s not on the Internet and Not on the Local Intranet).

    1. Thanks–we have a several large customers using it (or incorporating parts of it into their PAC file creation). I’m really excited about the new updates.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.