Tuesday, March 15, 2011

How to Configure WPAD

WPAD stands for Web Proxy Auto-Discovery Protocol. It is the mechanism by which clients obtain their proxy settings. A Windows client uses WPAD to ask the DHCP or DNS server for a WPAD entry; the answer is the address of the WPAD server on which the Wpad.dat or Wspad.dat file is stored. The WPAD server can be a Forefront TMG server or a separate IIS server hosting the Wpad.dat or Wspad.dat URL. Configuring a WPAD server is straightforward and consists of the following steps:
  1. Select and configure an automatic discovery mechanism.
  2. Implement a WPAD server with DNS, or a WPAD server with DHCP.
  3. Configure automatic discovery through GPO for Windows client computers.
What is in the Wpad.dat and Wspad.dat files? The Wpad.dat file is a Microsoft JScript® file that the client web browser uses to set its proxy settings. Wpad.dat contains the following information:
  • The proxy server that should be used for client requests.
  • Domains and IP addresses that should be accessed directly, bypassing the proxy.
  • An alternate route in case the proxy is not available.
  • For TMG Enterprise Edition arrays, a list of all servers in the array.
The TMG Server WSPAD implementation uses the same WPAD mechanism and constructs the Wspad.dat file to provide the Firewall (TMG) client with proxy settings plus some additional client configuration that is not required for automatic detection. The automatic detection entries that matter in Wspad.dat are the server name and port.
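As an added example (not from the original post and not Microsoft's generated script), here is a hand-written wpad.dat that carries the three kinds of information listed above: the proxy to use, the domains and addresses to reach directly, and a DIRECT fallback for when the proxy is unavailable. The proxy hosts tmg01/tmg02.corp.example, port 8080 and the internal domain corp.example are assumptions, and the PAC helper functions are minimal stand-ins for the ones a browser provides so the file can be evaluated offline.

```javascript
// Added example: a hand-written wpad.dat (PAC file). Host names, the port and
// the internal domain are assumptions, not values from the original post.

// --- stand-ins for the PAC helpers a browser supplies (enough to run offline) ---
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isInNetLiteral(ip, net, mask) {
  // Like isInNet(), but only for a literal IPv4 host; no DNS lookup is done here
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
  const toInt = s => s.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Array members tried in order; the trailing DIRECT is the "alternate route"
// the browser uses if every listed proxy is unreachable.
const PROXY_LIST = "PROXY tmg01.corp.example:8080; PROXY tmg02.corp.example:8080; DIRECT";

// The browser calls this for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. Single-label (intranet) names and localhost bypass the proxy
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  // 2. Anything in the internal AD domain bypasses the proxy
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // 3. Private address ranges (RFC 1918), when the URL uses a literal IP
  if (isInNetLiteral(host, "10.0.0.0", "255.0.0.0") ||
      isInNetLiteral(host, "172.16.0.0", "255.240.0.0") ||
      isInNetLiteral(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // 4. Everything else goes through the TMG array, then direct as a last resort
  return PROXY_LIST;
}
```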
Configuring a WPAD Entry on an Authoritative DHCP Server:
Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.
In the console tree, right-click the applicable DHCP server, click Set Predefined Options, and then click Add.
In Name, type WPAD. In Code, type 252. In Data type, select String, and then click OK.
In String, type http://Computer_Name:Port/wpad.dat, where Port is the port number on which automatic discovery information is published. You can specify any port number; by default, Forefront TMG publishes automatic discovery information on port 8080. Ensure that you use lowercase letters when typing wpad.dat: Forefront TMG serves wpad.dat and the name is case sensitive.
Right-click Scope Options, and then click Configure options. Confirm that Option 252 is selected.
Note: Assign the primary domain name to clients using DHCP; a DHCP scope option can supply DHCP clients with a primary domain name. You can use port 8080 if you are using DHCP to deliver WPAD, since most corporate networks already have the default web port in use for many web applications or the primary web site. My preferred method is to deliver WPAD using DHCP.
Configuring a WPAD Entry in Active Directory DNS (AD DS):
Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
In the console tree, right-click the forward lookup zone for your domain, and click New Alias (CNAME).
In Alias name, type WPAD.
In Fully qualified name for target host, type the FQDN of the WPAD server. If the Forefront TMG computer or array already has a host (A) record defined, you can click Browse to search the DNS namespace for the Forefront TMG server name.
Note: If clients belong to multiple domains, you will need a DNS entry for each domain. Firewall clients should be configured to resolve the WPAD entry using an internal DNS server. For WPAD entries obtained from DNS, the WPAD server must listen on port 80. Do NOT configure a CNAME entry in AD DS if you are using DHCP to deliver WPAD.

Important! Use ONLY one delivery method, that is, either DNS or DHCP.
Configuring TMG Server as the WPAD Server: You can configure Forefront TMG as the WPAD server as follows:
In the console tree of Forefront TMG Management, click Networking. In the details pane, click the Networks tab, and then select the network on which you want to listen for WPAD requests from clients (usually the default Internal network).
On the Tasks tab, click Edit Selected Network.
On the Auto Discovery tab, select Publish automatic discovery information.
In Use this port for automatic discovery requests, specify the port on which the Forefront TMG WPAD server should listen for WPAD requests from clients.
Click the Forefront TMG Client tab and check Enable Forefront TMG Client support for this network. By default the TMG server name is selected here; for TMG Enterprise Edition you can select any array member hosting WPAD. Check Automatically detect settings, check Use automatic configuration script and select Use default URL, and check Use a web proxy server. For the configuration script you may select one of the following:
  • Use default URL. Forefront TMG provides a default configuration script at the location http://FQDN:8080/array.dll?Get.Routing.Script, where the FQDN is that of the Forefront TMG computer. This script contains the settings specified on the Web Browser tab of the network properties.
  • Use custom URL. As an alternative to the default script, you can construct your own Proxy Auto-Configuration (PAC) file and place it on a Web server. When the client Web browser looks for the script at the specified URL, the Web server receives the request and returns the custom script to the client.
Click Apply, and then click OK.
Running the AD Marker tool for automatic detection: Use this tool if you use Active Directory as the delivery mechanism.
To store the marker key in Active Directory, at the command prompt, type:
TmgAdConfig.exe add -default -type winsock -url <service-url> [-f]
The service-url entry should be in the format http://<TMG Server Name>:8080/wspad.dat.
The following commands and parameters can also be used:
To delete a key from Active Directory, at a command prompt, type: TmgAdConfig.exe del -default -type winsock
To configure the Active Directory marker for a specific site, use the -site command line parameter.
For a complete list of options, type TmgAdConfig.exe -?
For detailed usage information, type TmgAdConfig.exe <command> -help
The TmgAdConfig tool creates the following key in Active Directory: LDAP://Configuration/Services/Internet Gateway ("Container")/Winsock Proxy ("ServiceConnectionPoint")
The key’s server binding information will be set to <service-url>. This key will be retrieved by the Forefront TMG Client and will be used to download the wspad configuration file.
Configuring an Alternative WPAD Server: An alternative configuration is to place the Wpad.dat and Wspad.dat files on another computer instead of on the TMG Server computer. For example, you can place the files on a server running IIS. In such a configuration, the DNS and DHCP entries point to the computer running IIS, and this computer acts as a dedicated redirector that provides WPAD and WSPAD information to clients. The simplest way to obtain the Wpad.dat and Wspad.dat files is to connect to the TMG Server computer with a web browser and download them from the wpad.dat and wspad.dat URLs on the TMG server (the same http://TMG_Server_Name:8080/wpad.dat and http://TMG_Server_Name:8080/wspad.dat locations used in the steps above).
Configuring Internet Explorer for automatic discovery on a single computer: Configure automatic detection for the DHCP delivery method as follows:
  1. In Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Connections tab, click LAN Settings.
  3. On the Local Area Network (LAN) Settings tab, select Automatically detect settings.
Enabling browsers for automatic detection using a static/custom configuration script:
  1. In Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Connections tab, click LAN Settings.
  3. On the Local Area Network (LAN) Settings tab, select Use automatic configuration script. Enter the script location as http://fqdnserver:port/array.dll?Get.Routing.Script, where fqdnserver is the fully qualified domain name (FQDN) of the Forefront TMG server. The configuration script location can be specified in each browser, or it can be set for all clients by using Group Policy.
To export the settings from your computer to an .ins file using IEM (Internet Explorer Maintenance):
In Group Policy, double-click Local Computer Policy, double-click User Configuration, and then double-click Windows Settings.
Right-click Internet Explorer Maintenance, and then click Export Browser Settings.
Enter the location and name of the .ins file that you want to use.
Copy this WPAD.INS file and host it on a separate IIS server.
Configuring Automatic Detection through GPO for the entire Windows fleet:
Log on to Domain Controller as an administrator.
Open the Group Policy Management Console, select the desired Organisational Unit, right-click it, and click Create a GPO in this domain, and Link it here.
Type the name of the GPO and click OK.
Right-click the newly created GPO and click Edit.
In the GPO editor, expand User Configuration > Windows Settings > Internet Explorer Maintenance > Connections, and double-click Automatic Browser Configuration.
If you decide to use DHCP as the Wpad.dat delivery method, check Automatically detect configuration settings.
Otherwise, choose the option in the same dialog that matches your delivery method: the default routing script from the TMG server, wpad.dat delivered through the DNS server, or a WPAD.INS file.
In Automatically configure every N minutes, you can set the refresh interval; type 0 (zero) to update only after a restart.
Testing Automatic Detection

To test the DHCP delivery method, log on to a client machine, open IE8 and set the IE proxy settings to Automatically detect settings.
Run GPUPDATE.exe /Force and reboot the computer.
Browse any website to check that the proxy is detected by the browser.
For a WPAD entry in DNS, you can test the automatic discovery mechanism by typing the following in the web browser (the WPAD alias created above, served on port 80):
  • http://wpad.Your_Domain/wpad.dat
For a WPAD entry in DHCP, you specify the FQDN of the WPAD server. For example, if the WPAD DHCP entry is served by a TMG Server computer on the default port, type the following:
  • http://TMG_Server_FQDN:8080/wpad.dat
To test that the automatic configuration script is being retrieved as expected, type the following in the web browser:
  • http://ISA_Server_FQDN/array.dll?Get.Routing.Script
