# Updates to Office 365 Proxy PAC Generator

•
•
•
•
•
•

I wrote the original Proxy PAC tool for a customer almost a year ago, and since have added a lot of new functionality.  Rather than updating my previous blog posts about it, I thought I would start a fresh thread.  If you want some background on how Proxy PAC files work and how to distribute them to your users via GPO or WPAD, I would suggest taking a look at my posts dealing with those topics:

Now, on to the new stuff.

## Configuring

I try hard to build in good help, which you can access by running Get-Help .\Office365ProxyPac.ps1.

I added a few new parameters that I’m really excited about and want to share.  So, without further ado:

### Blocklist

This is a feature that I put in after some questions from customers about including public URLs such as Facebook or YouTube in the O365IPAddresses.xml file.  Some organizations don’t really want to allow access to those URLs carte blanch, so I added a feature to exclude those from being included in the “DIRECT” directive by omitting them from the list overall.  Using the feature:

.\Office365ProxyPac.ps1 -Blocklist youtube,facebook

### AlwaysProxyBlocklist

However, just to cover all the bases, maybe the customer wants to ensure that those URLs on the Blocklist are actually proxied.  In that case, they can use the -AlwaysProxyBlocklist parameter, which causes the script to build a new section and assign them the PROXY directive with no fall-back configuration.  To use this feature:

.\Office365ProxyPac.ps1 -Blocklist youtube,facebook

When you open the Office365PAC.pac file, you’ll see this new directive:

### Products

This was by far the most requested feature that I added.  I received a lot of feedback about being able to only configure proxy bypass (DIRECT) for individual services, so I have finally implemented a feature to be able to do it.  To use the feature:

.\Office365ProxyPac.ps1 -Products EXO,Identity

## Testing

Once you’ve created your PAC file, I would suggest testing it to make sure you get the desired behavior.  I use the FindProxyForUrl toolset (http://findproxyforurl.com/official-toolset/).  After you download and extract it, you can use pactester.exe to verify that it works as planned.  For my test PAC, I used the parameters -Products EXO,OneNote,Identity -AlwaysProxyBlockList -Blocklist youtube,facebook.

To run the tool, the syntax is:

pactester.exe -p <pac file> -u <url to test>

In my case, the desired result is to send URLs with the pattern facebook to the proxy and for everything else to go direct.

The updated version of the Office 365 Proxy Pac tool is available here: https://gallery.technet.microsoft.com/Office-365-Proxy-Pac-60fb28f7.

Happy Proxying!

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

1. Edwin Mak says:

The BlockList function is good. However, I need to explicitly put in every public URL individually.
Is there an easier method to omit/put together all the Non-Microsoft URLs in the xml?

1. Aaron Guilmette says:

I don’t have a way to omit them or proxy them based on who “owns” the domain. I can look into that.

2. Jeff Kopko says:

I was going to build a tool for this myself (to simultaneously learn more about scripting and solve my O365 PAC problem) when I came across this. Great stuff, thanks a bunch!!

However, I’m running into a problem where the script will only generate a correct PAC file when a single Product is chosen.
– When ‘-Product’ flag is omitted, Script outputs that PAC will be generated for All products, but actual .PAC file only contains the hard coded dnsDomainIs(host, “office365.com”):
– When ‘-Product WAC,O365’ is used, or any combination of more than 1 Product, Script outputs that PAC will be generated for selected products, but actual .PAC file only contains the hard coded dnsDomainIs(host, “office365.com”):
– When ‘-Product O365’ is used, PAC file is generated correctly with all the domains listed under that product in the XML.

So PAC file generator is only working for a single product. Wondering if maybe the XML format changed since last update of this script?

1. Jeff Kopko says:

NM…..I didn’t have the correct powershell installed, so that’s why I couldn’t run it. Great tool!

1. Aaron Guilmette says:

Thanks! If you’re looking for ways to deploy it, you can read my post on WPAD.

3. Sascha Seipp says:

The example given for your “AlwaysProxyBlocklist” parameter states the wrong one (same as the example above)!

4. Eric Wood says:

I’m struggling a bit to understand why my use case for this is so different from the use case and examples that it was apparently built for. We can not access any Internet sites without traversing the Proxy server. So DIRECT does nothing for us and that’s the primary method used here. So it seems I don’t need this script at all? What I was looking for is a way to generate a Proxy.pac which properly routed client traffic DIRECT when there is an alternate route (It’s not on the Internet and Not on the Local Intranet).

1. Eric Wood says:

Disregard my previous comment. I read your other Blog posting where this is explained. I understand now.

1. Aaron Guilmette says:

Thanks–we have a several large customers using it (or incorporating parts of it into their PAC file creation). I’m really excited about the new updates.

This site uses Akismet to reduce spam. Learn how your comment data is processed.