Monday, September 2, 2013

GM 4T65E Hard Shift Fix

Summary

The GM 4T65-E transmission was produced between 1997 and 2011 and was used in many GM FWD vehicles with the Buick 3800 Series II V6 which is arguably one of the best engines ever made, but that is another story ..
One of the most common problems is the P1811 code or 'hard shifting' after the transmission and engine reach normal operating temperature. Usually after coming to a stop and moving off again. My 2002 Chevy Impala happened to have this problem, which surfaced after I had the dirty transmission fluid flushed - is seems the dirty fluid hid this issue.
  • The problem is often caused because the bores in the accumulators become too smooth and the rubber seals in the pistons will grab or bind up when the transmission fluid is hot.
  • This causes a long shift which is detected by the computer, to compensate the line pressure is increased. Mostly as a fail safe to prevent slipping clutches from burning up for example.
  • The result is very hard gear shifts, especially 3rd to 4th when the torque converter is locked up.
  • There are other causes of the hard shifting from things like a faulty MAF sensor, to faulty shift solenoids among other things, servicing the accumulators is not much more work than doing a fluid/filter change (which is probably overdue anyways) then you can at least rule this out.
There are two options, one cheaper than the other:
  1. Cheap and nasty option is drop the pan, remove the accumulators, scuff the bores, change the filter & put it all back together. Refill with BrandX Dex III ATF and call it a day.
  2. The more expensive route is to also install a shift kit while we're in there & replace gaskets and seals in the accumulator, refill the transmission with Dexron VI or Allison Transmission TES 295 ATF fluid.


Parts & Fluids

Following the more expensive route this is what you'll need:
  • 4T65E Shift Kit Combo Kit from Triple Edge Performance. Everything you need, this is what I got.
  • ZZPerformance also sell a 4T65E Shift Kit.
  • Allison Transmission TES 295 approved fluid. If you cant find the real stuff locally stocked anywhere, Amazon currently (09-Jul-13) sell Mobil Delvac in a 1 gallon pack and a 4 pack containing 4 gallons. Qualified for free shipping when I ordered the 4 pack.
  • Brakleen - used to clean the parts removed - it leaves no residue and should mention this on the can.
  • I found one can was only just enough for cleaning the pan, accumulators and those aluminum pipes. I would suggest two cans. This stuff is pretty toxic, spray the parts down outside away from everything into another plastic pan.
  • List of tools to be added.
  • Some gloves probably a good idea too.

The TransGo shift kit also includes parts that can only be replaced during transmission rebuild. The first side of the info sheet as shown above is only relevant when doing this fix on the accumulators.

Why TES 295

I spent a number of hours researching automatic transmission fluids and this is what I found:
  • All Dexron-III licenses expired permanently at the end of 2006, and GM now supports only Dexron-VI fluids for use in their automatic transmissions, it is backward compatible with Dexron-III.
  • Fluids asserted by their manufacturers to meet Dexron-III standards continue to be sold under abbreviated names such as Dex/Merc, but the licensing system no longer exists. These fluids are not regulated by GM.
  • Allison Transmission TES 295 is a good replacement for transmissions specifying Dexron-III. It exceeds the specification, doesn't lose viscosity with age or oxidize as easily as Dexron-III. It is also rated to -54 °C, desirable here in Fairbanks Alaska where winter temps range from -20 °C to -50 °C.
  • If you don't want to spend a bit extra then go for Dexron-VI.
  • TES 295 and Dextron-VI work out cheaper due to extended drain intervals.
  • Former Allison Transmission Fluids Engineer answers question about TES 295. This is where I got most of the info about TES 295 from, there are about 60 pages of posts so I mostly skimmed over them reading the replies from Tom (hzjcm8).

The Procedure

Most of the information is borrowed from these forum posts, so the credit goes to these guys for writing up what they did:
  • Ideally you'll want to do this when the transmission fluid is hot. In my case it was a 20 mile drive to my wife's parents place where her dad helped me do this - so the fluid was good and hot. I left the car idling while we got everything ready.
  • The ramps we had were too high for the low plastic bumper, so we jacked the car up with a trolly jack, and placed 2 axle stands under the sub frame, and two where a jack normally goes when changing a tire.
  • I placed a big piece of cardboard under car, and the large plastic tray that can hold at least 4 to 6 gallons so it's not too full when it's time to move it.
  • DISCONNECT THE BATTERY NEGATIVE LEAD!
  • Images are from different places, they are not all from the same car, so things look different in some of them, but the transmission it self is the same.

Dropping The Pan

  • The pan bolts are 10mm. Carefully loosen each pan bolt, then at one corner loosen them more - I did this on the front middle corner.
  • You may need a flat screwdriver to carefully pry the pan open - do not leaver against the soft aluminum.
  • Once the fluid starts to flow you can carefully undo the bolts to drop one corner down more to let the fluid out.
  • Once it's mostly out hold the pan up, remove the bolts (put them in a cup for safe keeping), then tip the rest of the fluid out of the pan into your plastic tray.
  • Fluid will continue to drip or “rain” out for some time.


  • Take the pan and gasket away outside somewhere to clean it up. In another plastic tray hold the pan up vertical with the magnet at the bottom and spray it with Brakleen back and forth from top to bottom making sure it's dissolving the fluid and gunk out of the pan leaving a clean surface. You should be-able to see the brakleen evaporating leaving no residue and a perfectly clean pan.
  • Put the pan on a clean surface facing down so nothing lands or falls into it. Avoid the temptation to touch or wipe it with a cloth.

Accumulators


  • First the filter has to come off, it's held on by the neck, the plastic is on the brittle side so be careful with it. It took about 5 mins to wiggle it out, I used a screw driver to apply some downward pressure where the filter neck is, and I wiggled the other end of the filter with my hand, it eventually came off. Don't leaver the screwdriver against any of the exposed parts of the transmission, and especially where the pan and seal bolt together.
  • Undo the 4 bolts shown, the pipe with the rubber join will just pop out, the other two will just pull out of the accumulator with a bit of wiggling as it's removed - these pipes are made of aluminum so be careful not to bend them, or they might grab and never come out.


  • When you undo the accumulator housing and remove the pistons, make a note of which one goes where, the springs are different! The 2-3 accumulator has the stronger thicker looking spring (in my case).
  • The accumulator bores will be mirror smooth - the root of the problem!

  • Service the accumulators by giving them a light scuff with the supplied Scotch Brite. Once done, give it a good dose of Brakleen.




Putting things back together

Try to get everything clean, and keep it clean.
The bolts that hold the accumulator together, and the 4 that bolt it to the transmission should be torqued to 97 inch pounds .
To put the new filter on, locate it and carefully tap the neck back into place with a plastic mallet.
The pan seal/gasket should be reusable if its the rubber coated steel type. Pan on, bolts in and done up finger tight, gradually tighten each bolt alternating between sides, then torque each one to 120 inch pounds, go around one last time to make sure you didn't miss one.
Just shy of 8 quarts came out. I put a full 8 back in:
Tip about 6 to 7 quarts back in, start the engine, go through the gears, check the level between putting about 1/2 a quart in at a time, until it's full, I then did a little forwards and backwards on the driveway, topped it off to full mark again, then took it for a drive, after that the last 1/2 a quart to the full 8 brought it up to about half way on the dipstick, and this is where I left it rather than crack the next bottle open.
Since the battery will have been disconnected for a while, the PCM will reset, gear shifts etc may be a little different for a couple of days until it's finished relearning.

Bolt Torque Settings

One thing none of them mention are the torque settings for the bolts:
You will need an inch pound torque wrench.
  • 8mm socket and ratchet.
  • 10mm deep well socket and ratchet.
  • Torque accumulator bolts to 97 inch pounds.
  • Torque pan bolts to 120 inch pounds.
I found the pan bolts on mine were barely tight when I undid them.

Sunday, July 14, 2013

Chevy Impala Passlock Bypass

Many people reportedly have this problem with their late 90s to early 2000s GM vehicles.


The problem in a nutshell is that the car wont start, the security telltail will flash. You have to go through the 10 minute reset process, or even the 30 minute reset sometimes. Understandably some people get pretty annoyed when their car does this randomly, or even every time in some cases. Also the security warning may have been coming on while driving.

What is Passlock?


It's a security feature on the ignition barrel where only the correct key will activate the passlock. The passlock normally provides a fixed value of resistance that the BCM (Body Control Module) reads, and if it's with-in range along with some other security checks it does, it'll allow the car to start.

If it's too far out of range it wont start and the security light or telltail will flash. On the Impala's Message Center the display will cycle between blinking “security” twice and the red battery. After waiting 10 mins with the key in the ON position it will cycle between security and battery with out blinking, turn the key to OFF, then back to ON and CRANK and it should start.

So what's the problem?


The contacts in the passlock module become worn, the connectors are not gold plated so corrosion can occur in more humid places, and if you're near the ocean the salt air wont help much either. The worn contacts and/or corrosion changes the resistance the BCM sees and the new value has to be relearned via the 10 minute reset.

I happen to have a 2002 Impala with this problem.. At the time I lived in Fairbanks Alaska where the climate is very dry, my passlock would play up maybe once every couple of months or so and with one reset the problem would be gone until next time. During a trip to Anchorage where there is a lot more humidity, the passlock required a reset every morning, and at least one 30 min reset while we were there.

Finding the solution


Upon searching for answers there are many endless forum threads about it:
  • Bypass the passlock module it self with a fixed value resister.
  • Completely replace the module at a much higher cost.
  • Car alarm systems with/or remote start systems bypass the passlock.
WARNING: Bypassing the passlock also effectively disables this security feature, so just be aware of that. Most of the cars with this system are now 10+ years old, they're probably not at a great risk of being unlawfully “borrowed” as they were when new.

The passlock is connected to the BCM via three wires, yellow, black and white. All you need to do is cut the yellow wire from the BCM to the passlock, and place a fixed value resister (say 2k2 Ω) between the end FROM the BCM and the black wire, the black wire must remain joined. The yellow going TO the passlock is left disconnected. Once the new value is learned, the passlock issue should never return. Simple as that, the hard part is accessing the wires.

If you look hard enough there are some detailed instructions around, like this article for the Pontiac Grand Am. But nothing detailed for the Impala on how to get at the passlock wires. The BCM looks the same as the one shown in on Grand Am linked above. But connectors C2 and C3 are wired quite differently with different colors, and unused pins in different places. My BCM had 4 sets of numbers on it, the one that seems to identify it as an Impala BCM is 10445875, the other numbers didn't turn up much. None of the schematics I found online matched mine.

It's debatable if doing this fix on the BCM end would be any easier since you'd be cutting, stripping, soldering wires in-between two bunches of 24 wire connectors while laying upside down in the drivers side foot well. Removing a couple of extra panels and having easier access to the wires at the ignition end will be much easier, and this way you know you're dealing with the right wires.

For what it's worth I used my multimeter find out where the yellow and black actually goto on the BCM end of the loom. The BLACK wire came out on C3 (the pink connector) pin B12, and the yellow on C2 (the middle grey connector) pin B3. If you're going to do this on the BCM end, be sure you have the right wires, otherwise the magic smoke might leak out of something.

Bypassing the Passlock


This will take a couple of hours from start to finish. You'll need some basic tools, and know how to solder. If you're not into soldering you can use a solderless method such as this.

First disconnect the battery negative terminal!

Tools I used


Remove the drivers side kick panel - this holds the floor light.

Then remove the steering column filler panel as above, remove the two screws at back above the pedals then pull the panel towards the seat, it'll just pop out of the clips that hold it. Carefully remove the plug from the boot/trunk release button - use a small flat screw driver to lift the one green clip which holds it in place and wriggle it out, not the smaller white ones.


This will reveal the aluminum panel that is screwed and bolted with 4 10mm bolts - to get these undone you'll need a socket set and will have to get right down into the foot well upside down.





With all that out of the way you can now easily access the passlock wires where they come out from the back of the ignition barrel.


These are the three yellow, white and black wires that are of a much thinner gauge. Did you disconnect the negative terminal from the battery?


The other cabling to the steering wheel makes for a handy flashlight holder..
  • The yellow wire is easy, just snip it.
  • The black wire you could also just snip and rejoin, but I chose to carefully remove a section of insulation.
  • The 2k2 Ω resister goes between the back wire and the yellow wire FROM the BCM.
  • The yellow TO the passlock module is left disconnected.
  • Now the BCM will always see the fixed value resister we installed.

Resister installation. One end connected to the yellow from the BCM, I put some heat shrink down over it once I had soldered the yellow wire end. The other end of the resister will attach to the black where the insulation is removed.

I slid the heat shrink back up, I didn't bother “shrinking it”. Used the exiting insulation tape and pulled it back down over the solder joins and cable tied it twice to keep it all in place.


Reconnect the battery.

I had to do the 30 minute reset process, the car started on the 3rd attempt.

3 months after doing this mod, I have had no passlock issues!


Note: The wiring to the drivers side ABS/wheel speed sensor is broken, so the ABS and traction control system disables it self - is why the ABS and track off lights are (always) on.. I actually prefer those two nanny features to be off, especially on Alaska's iceroads.

10 and 30 Minute Learn Procedure:
  1. Turn ON the ignition, with the engine OFF.
  2. Attempt to start the engine, then release the key to ON (vehicle will not start).
  3. Observe the SECURITY telltale, after approximately 10 minutes the telltale will turn OFF.
  4. Turn OFF the ignition, and wait 5 seconds, then try and start the car.
  5. If it does not start repeat steps 1 through 4, 2 more times for a total of 3 cycles/30 minutes.
  6. The vehicle is now ready to relearn the Passlock Sensor Data Code and/or passwords on the next ignition switch transition from OFF to CRANK.
  7. IMPORTANT: The vehicle learns the Passlock Sensor Data Code and/or password on the next ignition switch transition from OFF to CRANK. You must turn the ignition OFF before attempting to start the vehicle.
  8. Start the engine. The vehicle has now learned the Passlock Sensor Data Code and/or password.

Friday, May 3, 2013

Squid with Antivirus and Traffic Shaping

This is not a gateway/firewall setup, for that my personal favorite is pfSense.

Edit: Jan 30 2019 - This info is probably getting out of date, most http traffic these days is over https, so using Squid to do caching has become largely redundant, and the AV scanning wont work unless you goto the effort of pushing your own root cert to every machine on the LAN, and implementing some form of SSL interception to inspect the traffic. However, the traffic shaping part of this still may be useful in solving a problem. Thou the days of having to engineer stuff like this at work places is largely a thing of the past with large amounts of cheap bandwidth and cloud services a plenty, the average small business would be better off employing a trusted 3rd party service to filter their internet traffic, monitor their network and generally do all this and more for a yearly fee - prices might still seem steep, but it makes it someone else's problem, and shifts the liability to them, in that light its not so bad for piece of mind.
I had the slightly unique situation at a previous work place where, we had only 4mbps symmetrical DSL,  our firewall was not capable of managing bandwidth - the problem we were having is that a single download would consume all the bandwidth and cause latency to increase which would impact VPN and remote desktop sessions. I also wanted to filter HTTP traffic for viruses and malware.
The solution was to run a proxy server for web traffic, filter it for virus and malware, and apply some traffic shaping on both the downstream and upstream to keep things fair. And provide a way to transparently configure computers on the network to use it.
First I investigated delay pools in Squid, which didn't work terribly well. I looked at TC on Linux and this is way too complex to get working properly.
Finally I looked at FreeBSD, and found it's ipfw firewall has traffic shaping baked right into it in the form of pipes and queues. This turned out to be surprisingly simple and easy to get working based an example I found here: FreeBSD ipfw Traffic Shaping Firewall Script

Software Used

Installing FreeBSD

Go with the defaults except:
  • Deselect ports, and games.
  • Manual IP, no IPv6.
  • Yes to sshd, ntp.
  • No crash dumps.
  • Add an account for your self, add the wheel group (allows su -).

Post Installation Configuration

Install Ports Collection

First time:
portsnap fetch
portsnap extract
portsnap update
Keeping ports up-to-date - run this before installing any new programs:
portsnap fetch
portsnap update

Setup firewall and traffic shaping

Enable firewall and start it.
echo 'firewall_enable="YES"' >> /etc/rc.conf
echo 'firewall_type="OPEN"' >> /etc/rc.conf
/etc/rc.d/ipfw start
ipfw.rules traffic shaping script:
# Based on http://bash.cyberciti.biz/security/freebsd-ipfw-traffic-shaping-firewall-script/
# This is simplified and adapted to allow free flow of LAN traffic, but to manage
# upstream and downstream to and from anything outside of of the LAN subnet.

#firewall command
fwcmd="/sbin/ipfw"
 
#interfaces
wire=em0
internal="10.1.21.0/24"


# Force a flush and reload.
# See /etc/rc.firewall for default rules and tweak that as needed.
# Since were internal only run in open mode.
/etc/rc.d/ipfw restart
kldload -nv dummynet
 
# Setup incoming and outgoing pipes to 75% of internet link speed.
# External In
$fwcmd pipe 10 config bw 3Mbit/s
# External Out
$fwcmd pipe 20 config bw 3Mbit/s

################################################################################
#No shaping between internal networks
################################################################################
 
$fwcmd add 2000 skipto 64000 ip from $internal to $internal in via ${wire}
$fwcmd add 2100 skipto 64000 ip from $internal to $internal out via ${wire}
 
################################################################################
# Setup bandwidth shaping queues
# Higher weight, high priorities
################################################################################
 
# High priority queue for tcp ACK
$fwcmd queue 10 config pipe 20 weight 90
 
# Low priority queue for other users
$fwcmd queue 20 config pipe 10 weight 25
$fwcmd queue 30 config pipe 20 weight 25
 
################################################################################
#Traffic shaping
################################################################################

#TCP ACK
$fwcmd add 3000 queue 10 ip from any to any out via ${wire} tcpflags ack iplen 52
 
#General traffic low priority
$fwcmd add 3100 queue 20 ip from any to $internal in via ${wire}
$fwcmd add 3200 queue 30 ip from $internal to any out via ${wire}

echo 'Traffic shaping rules loaded'
Copy to /root/ipfw.rules and execute, this will restart the firewall and then add the shaping rules:
sh ipfw.rules
 This was how I was testing the shaping rules, rather than edit rc.firewall, it was easier to put the shaping rules into different file and have it reload the firewall to flush everything and add the (updated) shaping rules.
So ideally this needs to be tidied up appropriately on a production system..
I think the shaping rules need to go in-to /etc/rc.firewall so they are loaded on bootup.

Software Installation

SSMTP

Replace sendmail with ssmtp and configure to relay email to the company email server so it winds up in an inbox that gets read by someone, probably you.
This breaks it because no one can read the config file! So I chmodded the dir to 755, files to 644. This needs a little more work to get the process of setting up ssmtp and its config just right..
http://log.brandonthomson.com/2010/10/freebsd-use-gmail-instead-of-sendmail.html - The from name for root appears as “Charlie &” or maybe some other weird name. As root run chpass and change the Full Name field to something more useful like “Root at <server_name>”
echo 'sendmail_enable="NO"' >> /etc/rc.conf
echo 'sendmail_submit_enable="NO"' >> /etc/rc.conf
echo 'sendmail_outbound_enable="NO"' >> /etc/rc.conf
echo 'sendmail_msp_queue_enable="NO"' >> /etc/rc.conf

killall sendmail
cd /usr/ports/mail/ssmtp
make install replace clean
 Insert config file

Squid

cd /usr/ports/www/squid32
make install clean
Enable ICAP client.
Configure the cache directory.
chown -R squid:squid /var/squid/cache
squid -z
Configure Squid /usr/local/etc/squid/squid.conf
Make config file writable:
chmod +w /usr/local/etc/squid/squid.conf
Uncomment cache_dir ufs /var/squid/cache/squid 100 16 256 line if needed, if left commented out, Squid will use default settings.
  1. On production change to 1000 or something larger.
  2. On test VM leave at say 100mb and change/add cache_mem 100 MB.
Our own additions:
visible_hostname change.this.to.dns.name.of.server
cache_mgr admin.email@your.mail.server
request_header_access X-Forwarded-For deny all
Test the config file for errors.
squid -f /usr/local/etc/squid/squid.conf -k parse
Enabe Squid at bootup
echo 'squid_enable="YES"' >> /etc/rc.conf
Start squid
/usr/local/etc/rc.d/squid start
Test squid by manually configuring Firefox to use it as a proxy server on port 3128.

Install ClamAV

cd /usr/ports/security/clamav
make install clean
Start ClamAV at bootup:
echo 'clamav_freshclam_enable="YES"' >> /etc/rc.conf
echo 'clamav_clamd_enable="YES"' >> /etc/rc.conf
Configure /usr/local/etc/freshclam.conf
It's not writable by default, so do this:
chmod +w /usr/local/etc/freshclam.conf
Configure a local database mirror, see http://www.iana.org/cctld/cctld-whois.htm for a list of the two letter country codes.
If you're in the US:
echo 'DatabaseMirror db.US.clamav.net' >> /usr/local/etc/freshclam.conf
Update the database:
/usr/local/etc/rc.d/clamav-freshclam start && tail -f /var/log/clamav/freshclam.log
Can take a while if you hit a slow mirror. Once it updates you'll get this error have not started clamav yet ..
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock
Start ClamAV
/usr/local/etc/rc.d/clamav-clamd start

Install SquidClamAV

cd /usr/ports/www/squidclamav
make install clean
c-icap is a dependecy, and will also get installed:
  1. Deselect IPv6 support - otherwise it listens on IPv6 only!
  2. Enable-large-files.
/usr/local/etc/c-icap/squidclamav.conf
clamd_local /var/run/clamav/clamd.sock

/usr/local/etc/c-icap/c-icap.conf
ServerAdmin sys.admin@your.company
ServerName dns.name.of.this.server
Enable c-icap at bootup
echo 'c_icap_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/c-icap start
icap config for Squid, add this to /usr/local/etc/squid/squid.conf
# icap config
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all

Lighttpd

cd /usr/ports/www/lighttpd
make install clean
  1. Add BZIP2
  2. Del IPv6
Create the directories
mkdir /usr/local/www/data
mkdir /usr/local/www/data/cgi-bin
cd /usr/local/www/data/cgi-bin
ln -s /usr/local/libexec/squidclamav/clwarn.cgi clwarn.cgi
chown www:wheel /usr/local/www/data
There are a couple of goofups (does anyone actually test this stuff?) in the config file /usr/local/etc/lighttpd/lighttpd.conf
  1. Change server.use-ipv6 = “enable” to server.use-ipv6 = “disable”
  2. Comment out this line: $SERVER[“socket”] == “0.0.0.0:80” { }
Next enable cgi and the squidclamav warning page when a virus is detected.
http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModCGI
/usr/local/etc/lighttpd/lighttpd.conf
server.modules += ( "mod_cgi" ) 
   cgi.assign = ( ".pl"  => "/usr/bin/perl", ".cgi" => "/usr/bin/perl" )
Enable lighttpd at bootup and start it
echo 'lighttpd_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/lighttpd start

Testing Things Out

  1. Create /usr/local/www/data/index.html with one line of text, or something fancy if you're in to HTML. Point a web browser at the server to test it out.
  2. Using a web browser confifured to use the server as a proxy go-to http://www.eicar.org/85-0-Download.html and when you try and download the test files you should get redirected to the warning page.

Auto config browser

In the examples given the proxy server is using 10.1.21.252, change this to suit your network.

DHCP Option 252

To create a WPAD entry in the DHCP Server service (Windows Server 2008):
  1. Log on to the server running the DHCP role as a domain administrator.
  2. Click Start, point to Administrative Tools, and then click DHCP.
  3. Expand the name of the Management Server, right-click IPv4, and then click Set Predefined Options.
  4. In the Predefined Options and Values dialog box, click Add.
  5. In the Option Type dialog box, do the following:
    • In Name, type WPAD.
    • In Code, type 252.
    • In Data type, select String, and then click OK.
    • In String, type enter the URL of the wpad.dat file, e.g. if you're hosting it from the proxy server: http://10.1.21.252/wpad.dat, and then click OK.
  6. In the console tree, expand the DHCP scope for which you want to configure WPAD, right-click Scope Options, and then click Configure Options.
  7. Click Advanced, and then in Vendor Class, click Standard Options.
  8. In Available Options, select 252 WPAD, and then click OK.

WPAD.DAT

Create wpad.dat on an internally accessible web server.
Here we instruct the browser to go direct for localhost/loopback addresses, plain hostnames, RFC 1918 private IP addresses, and any specific domain exclusions for broken sites where the devs could not be bothered.
function FindProxyForURL(url, host)
{
    if (dnsDomainIs(host, "localhost")) return "DIRECT";
    if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
    if (isPlainHostName(host)) return "DIRECT";
    if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
    if (isInNet(host, "172.16.0.0", "255.240.0.0")) return "DIRECT";
    if (isInNet(host, "192.168.0.0", "255.255.255.0")) return "DIRECT";
    if (dnsDomainIs(host, ".example_domain_to_exclude.com")) return "DIRECT";
    return "PROXY 10.1.21.252:3128";
}

Windows Internet Settings

Enable Internet explorer Automatically detect connection settings using registry key and group policy to apply it.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Monitoring Activity

Watch the requests in real time:
tail -f /var/log/squid3/access.log
You can also filter the log file by piping it through grep, e.g. to see requests from a specific machine:
tail -f /var/log/squid3/access.log | grep "10.1.21.99"
If Munin is installed on the same host, it'll make some simple graphs of Squid's activity and cache hits.

Enhancements

  • Investigate user authentication with AD so usernames show in the logs and internet access controlled via group membership. This is a little involved, the added complexity may not be worth it in a small environment. To track someone down we can do a reverse lookup on the clients IP address recorded in the squid log file (/var/log/squid3/access.log) to get the PC name, see who that PC is assigned to.

References