Automatic Discovery for Firewall and Web Proxy Clients
Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 supports automatic discovery, which allows Firewall clients and Web Proxy clients to locate an ISA Server computer to use for client requests without manual configuration.
ISA Server uses the Web Proxy Automatic Discovery (WPAD) protocol, which allows automatic discovery of Web proxy servers. With WPAD, a client locates a WPAD entry (in DHCP or DNS) containing a URL that points to a server on which the Wpad.dat and Wspad.dat files are generated. Wpad.dat is a JScript proxy auto-configuration file containing a default URL template, in the format that Internet Explorer consumes; Web Proxy clients use it for automatic discovery information. The ISA Server WinSock Proxy Autodetect (WSPAD) implementation uses the Wpad.dat file and creates a Wspad.dat file to provide automatic discovery information to Firewall clients. For more information about the WPAD protocol, see the Web Proxy Auto-Discovery Protocol document.
Concepts and Procedures

This section includes:
Configuring automatic discovery
Web Proxy clients
Firewall clients
Client support
Configuring WPAD entries
Configuring a WPAD server
References
Configuring Automatic Discovery
There are a number of configuration steps involved in setting up automatic discovery support for clients:
• Configure Web Proxy clients and Firewall clients for automatic discovery.
• Create WPAD entries containing a URL that points to a WPAD server on which the Wpad.dat and Wspad.dat files are located. You can create a WPAD entry in DNS, in DHCP, or in both.
• Configure a WPAD server. The URL specified in the WPAD entry points to the WPAD server, which is the computer on which the WPAD and WSPAD files can be located. There are a number of possible configurations for the WPAD server:
  o In the simplest configuration, the WPAD server is located on the ISA Server computer that will service client requests.
  o Alternatively, the WPAD server might be located on a computer separate from the ISA Server computer.
• If the ISA Server computer will act as the WPAD server, configure ISA Server to listen for automatic discovery requests by publishing automatic discovery information on a specified port.
These configuration steps are outlined in detail in the sections that follow.
Web Proxy Clients
For Web Proxy clients, Internet Explorer uses the WPAD protocol to locate a WPAD entry in DHCP or DNS that contains the location of the Wpad.dat script file. When the entry is found, Internet Explorer connects to the ISA Server computer specified in the Wpad.dat file for Web requests. Web browser clients request http://wpad:port/wpad.dat, where port is the port on which the WPAD server listens for automatic discovery requests. With a DNS entry the client learns only the host name (wpad) and builds the URL itself, so the WPAD server must listen on port 80, the default HTTP port. With a DHCP entry the full URL, including the port, is carried in option 252, so any port can be used. (By default, ISA Server listens on port 8080.) You can type this URL (with the appropriate port) into a Web browser to view the proxy settings for the specified client and the list of domain names configured for direct access.
In Internet Explorer, you can enable automatic discovery, or you can manually specify a proxy server that Web Proxy clients should use. On Firewall Client computers, you can configure the Web Proxy settings for the Firewall client in the Firewall Client dialog box.
If automatic discovery fails, Web Proxy clients can fall back on a SecureNAT configuration if the client computer has a suitably configured default gateway. Automatic discovery is supported for Internet Explorer 5 and later.
Enable Web Proxy Automatic Discovery in Internet Explorer
On Web Proxy client computers running Internet Explorer 5 or later, do the following:
1. On the Tools menu, click Internet Options.
2. Click the Connections tab.
3. Click LAN Settings.
4. Select the Automatically detect settings check box, and then click OK two times.
Enable Web Proxy Automatic Discovery on Firewall Client for ISA Server 2004 Computers
To enable Web Proxy automatic discovery on a Firewall client, do the following:
1. On the Web Browser tab of the Microsoft Firewall Client for ISA Server 2004 dialog box, select Enable Web browser automatic configuration.
2. To apply the settings immediately, click Configure now.
Firewall Clients
To implement automatic discovery for Firewall clients, ISA Server uses the WPAD protocol to locate a WPAD entry in DHCP or DNS. If a Firewall Client computer has automatic discovery enabled, the following occurs:
1. When the client makes a Winsock request, the client queries the DNS or DHCP server for the WPAD entry.
2. The WPAD entry URL returned to the client contains the address of a WPAD server (a server on which the Wpad.dat and Wspad.dat files are located).
3. The client computer requests the automatic configuration information held in Wspad.dat with a call to http://wpad:port/wspad.dat on the WPAD server, where port is the port listening for automatic discovery requests. For DNS entries the WPAD server must listen on port 80, because the client builds the URL from the host name alone; with DHCP the port is part of the option 252 string and can be any port. (By default, ISA Server listens on port 8080.) You can manually type this URL into the Firewall Client browser to check that the Firewall Client settings on the ISA Server computer are displayed as expected.
4. The ISA Server computer identified in the Wspad.dat file is then used to service Winsock connections for all applications on the client computer that are configured to use the Firewall Client.
In addition to configuring Firewall clients for automatic detection, the automatic discovery process can be initiated manually on Firewall Client computers by clicking Detect Now in the Firewall Client properties dialog box. If automatic detection fails, Firewall clients can fall back on a SecureNAT configuration if the client computer has a suitably configured default gateway.
Enable Automatic Discovery for Firewall Clients in ISA Server 2004
To enable automatic discovery for Firewall clients for ISA Server 2004, do the following:
1. In the console tree of ISA Server Management, click Configuration, and then click Networks.
2. In the details pane, click the Networks tab.
3. On the Tasks tab, click Edit Selected Network.
4. On the Firewall Client tab, select Automatically detect settings if the client computer should automatically attempt to find the ISA Server computer.
Enable Automatic Discovery for Firewall Clients in ISA Server 2000
To enable automatic discovery for Firewall clients for ISA Server 2000, do the following:
1. In ISA Server Management, click the ISA Server computer name, and then click Client Configuration.
2. In the details pane, right-click Firewall Client, and then click Properties.
3. On the General tab, select Enable automatic discovery in Firewall Clients.
Client Support
The following table summarizes automatic discovery support for Firewall and Web Proxy clients on Microsoft Windows Server 2003, Windows XP, Windows 2000, Windows NT Server 4.0, Windows Millennium Edition, Windows 98, and Windows 95. Where an entry says "Admin users only (DHCP)", discovery through DNS works for all users, but discovery through DHCP option 252 works only for users permitted to issue DHCP queries (see the note below).

Operating system           | Internet Explorer 5 and later              | Firewall Client 2000                       | Firewall Client 2004
Windows Server 2003        | All users                                  | All users (DNS); Admin users only (DHCP)   | All users
Windows XP                 | All users                                  | All users (DNS); Admin users only (DHCP)   | All users
Windows 2000               | All users (DNS); Admin users only (DHCP)   | All users (DNS); Admin users only (DHCP)   | All users
Windows NT 4.0             | All users                                  | All users (DNS only)                       | All users (DNS only)
Windows Me                 | All users                                  | All users                                  | All users
Windows 98 Second Edition  | All users                                  | All users                                  | All users
Windows 98                 | All users                                  | All users                                  | All users
Windows 95                 | All users                                  | All users (DNS static only)                | No Firewall Client support

Note:
In ISA Server 2000, the following DHCP limitation applies: Web Proxy clients on computers running Windows 2000 can only use automatic discovery for users who are members of the Administrators or Power Users group. In Windows XP, the Network Configuration Operators group also has permission to issue DHCP queries. For more information, see article 307502, "Automatically Detect Settings Does Not Work if You Configure DHCP Option 252," in the Microsoft Knowledge Base.
Configuring WPAD Entries
You can create WPAD entries in DHCP, DNS, or both. There are advantages and disadvantages to both approaches:
• To use DNS, ISA Server must publish automatic discovery information (listen for automatic discovery requests) on port 80. Using DHCP, you can specify any port. Note that by default the ISA Server computer listens on port 8080 for automatic discovery requests.
• If clients are spread over multiple domains, you need to configure a DNS entry for each domain containing clients with automatic discovery enabled.
• Clients enabled for automatic discovery must be able to query the DHCP server directly for option 252. Remote access and VPN clients cannot reach the DHCP server to obtain option 252. If automatic discovery is configured using DHCP only, remote access clients will not be able to use this feature.
• Generally, DHCP-based automatic detection works best for local area network (LAN)-based clients, while DNS-based detection also covers computers with dial-up connections. Although DNS can handle both LAN and dial-up connections, DHCP provides faster access for LAN users and greater flexibility (any port, any URL path).
If you configure both DNS and DHCP, clients query DHCP for automatic discovery information first, and then query DNS.
DHCP
To configure automatic discovery using DHCP, check the following:
• Ensure that you have a valid DHCP server, and that there is a DHCP scope defined for each subnet containing client computers.
• Add a WPAD entry to the DHCP server by means of a DHCP Option 252 entry. Option 252 is a code from the site-specific option range; WPAD uses it to carry the discovery URL, and some sites use it for other local discovery purposes as well. The Option 252 entry is a string value containing the URL of the WPAD server.
• Configure the Option 252 entry for the appropriate scope, even if there is only a single scope.
• Ensure that client computers are configured as DHCP clients.
DHCP information is supplied as follows:
• DHCP provides WPAD information to DHCP clients during the allocation process, or the client fetches the information as required (with a DHCPINFORM query).
• On Firewall Client computers, when you click Detect Now, the Firewall client queries the DHCP client for WPAD information.
Create an Option 252 Entry in DHCP
To create an Option 252 entry in DHCP, do the following:
1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
2. In the console tree, right-click the applicable DHCP server, click Set Predefined Options, and then click Add.
3. In Name, type WPAD.
4. In Code, type 252.
5. In Data type, select String, and then click OK.
6. In String, type http://Computer_Name:Port/wpad.dat where:
  o Computer_Name is the fully qualified domain name of the ISA Server computer.
  o Port is the port number on which automatic discovery information is published. You can specify any port number. By default, ISA Server publishes automatic discovery information on port 8080.
7. Right-click Server Options, and then click Configure Options.
8. Confirm that the Option 252 check box is selected.
Notes
• When you specify the Option 252 string, type wpad.dat in lowercase. For example, if you type http://isaserver:8080/Wpad.dat, the request will fail: ISA Server serves wpad.dat and treats the file name as case-sensitive. For more information, see article 252898, "HOW TO: Enable Proxy Autodiscovery in Windows 2000," in the Microsoft Knowledge Base.
• You do not need to create anything specifically for Wspad.dat. Firewall clients use the same Option 252 entry and replace the wpad.dat file name with wspad.dat when they make their request.
Configure Option 252 for a DHCP Scope
To configure an Option 252 entry for a DHCP scope, do the following:
1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP. Right-click Scope Options, and then click Configure Options.
2. Click Advanced, and then in Vendor Class, click Standard Options.
3. In Available Options, select the 252 Proxy Autodiscovery check box, and then click OK.
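The option 252 handling described in this section, as an added example in Python that is not part of the original article and is not ISA Server code: it encodes a WPAD URL as a DHCP option, reads it back out of a constructed (not captured) DHCP options field, and checks the string against the rules above (http scheme, an explicit port matching the port ISA Server publishes on, and a lowercase wpad.dat file name). The option-53 message-type entry in the sample, the host name isaserver.example.com and the function names are assumptions made for the example. Note that a DHCP reply carries no authentication: the client trusts whichever server answers first, so the checks below validate the string, not its origin.

```python
# Added example, not from the ISA Server documentation.  Encodes/decodes the
# DHCP option 252 (WPAD) string and validates it against the article's rules.
from typing import Dict, List, Optional
from urllib.parse import urlsplit

OPTION_PAD = 0          # single-byte padding, no length field (RFC 2132)
OPTION_MSG_TYPE = 53    # assumption: included so the sample looks like an ACK
OPTION_WPAD = 252       # site-specific option code used by WPAD
OPTION_END = 255        # terminates the options field


def encode_option(code: int, payload: bytes) -> bytes:
    """DHCP options are TLVs: 1-byte code, 1-byte length, then the value."""
    if not 0 < len(payload) < 256:
        raise ValueError("DHCP option payload must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def parse_options(buf: bytes) -> Dict[int, bytes]:
    """Walk a DHCP options field up to the END marker, skipping PAD bytes."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        length = buf[i + 1]
        opts[code] = buf[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def wpad_url_from_options(buf: bytes) -> Optional[str]:
    """Return the option 252 string, or None if the reply carries none."""
    raw = parse_options(buf).get(OPTION_WPAD)
    if raw is None:
        return None
    # Some DHCP servers append a NUL or newline to string options; strip it
    # defensively so the URL compares cleanly.
    return raw.rstrip(b"\x00\r\n").decode("ascii")


def check_wpad_url(url: str, published_port: int) -> List[str]:
    """Problems with an option 252 string, per the article: http scheme,
    explicit port equal to the port ISA Server publishes on, and the file
    name spelled exactly 'wpad.dat' (ISA Server treats it as case-sensitive)."""
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "http":
        problems.append("scheme must be http")
    if parts.port is None:
        problems.append("port must be explicit (default is 8080)")
    elif parts.port != published_port:
        problems.append(f"port {parts.port} does not match published port {published_port}")
    if parts.path.rsplit("/", 1)[-1] != "wpad.dat":
        problems.append("file name must be exactly 'wpad.dat' (lowercase)")
    return problems


# Constructed DHCP ACK options field (not a real capture): message type 53 =
# ACK (5), option 252 with a trailing NUL, one PAD byte, then END.
SAMPLE_OPTIONS = (
    encode_option(OPTION_MSG_TYPE, b"\x05")
    + encode_option(OPTION_WPAD, b"http://isaserver.example.com:8080/wpad.dat\x00")
    + bytes([OPTION_PAD])
    + bytes([OPTION_END])
)

if __name__ == "__main__":
    url = wpad_url_from_options(SAMPLE_OPTIONS)
    print("option 252:", url)
    print("problems:", check_wpad_url(url, 8080) or "none")
    print("problems:", check_wpad_url("http://isaserver:8080/Wpad.dat", 8080))
```

Running the block reports no problems for the sample and flags the mixed-case Wpad.dat variant from the Notes above; the same checker can be pointed at the string you typed into the DHCP console before clients start failing silently.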
DNS
To configure a DNS server to provide a WPAD entry to clients, you must create a DNS entry. This entry can be configured in a number of ways:
• Configure a host (A) record for your WPAD server, and then create an alias (CNAME) record that points at the host record. If the ISA Server computer that will service client requests is also your WPAD server, there must be a host record for the ISA Server computer. Note that the host record must exist before you create the alias entry, and it must be in the DNS zone to which clients belong (or are configured with).
• As an alternative, configure a computer with the name WPAD, and add a host entry specifying the IP address or addresses for this computer, avoiding the need to resolve an alias.
After the entry is added and the database file is propagated to the DNS server, the DNS name wpad.domain.com should resolve to the same computer as the WPAD server. Web Proxy clients and Firewall clients are not aware of the domain containing the WPAD entry or alias, and rely on the operating system to provide it. The operating system must supply the correct domain name (domain suffix) to append to the host name (WPAD) before the client sends a query for the WPAD server. By default the domain used is the client's primary domain suffix (the domain in which the client is located, or is configured to use). If the primary domain suffix does not work, the connection-specific DNS suffix is tried. If the WPAD server is not found in the domain name, subdomains are removed from the left of the domain one at a time until a WPAD server is located, or until the third-level domain is reached. For example, in the a.b.microsoft.com domain, the following searches are made, in order:
wpad.a.b.microsoft.com
wpad.b.microsoft.com
wpad.microsoft.com
If a WPAD server is not located by the third-level domain, automatic discovery fails.
The domain suffix is generally assigned to clients by one of these methods:
• Assign the primary domain name to clients using DHCP.
• Manually configure the IP properties of the client computer with the correct domain suffix.
Note that you should configure Firewall clients to resolve the WPAD entry using an internal DNS server. If the search walks above the zones you control, the query for the WPAD name is answered by whoever owns the parent domain, so create the entry in every zone that clients use rather than relying on this fallback.
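The suffix search order described above, as an added Python example that is not part of the original article: it lists the names a client will try for a given primary and connection-specific suffix, and flags any candidate that falls outside the zone the organisation controls. The zone example.co.uk and the function names are assumptions made for the example. The point for a practitioner is that devolution walks upward: for a client in corp.example.co.uk the third query is wpad.co.uk, a name nobody in the organisation owns, which is why the article recommends resolving the WPAD entry through an internal DNS server and creating it in every zone that clients use.

```python
# Added example, not from the ISA Server documentation.  Reproduces the WPAD
# host-name search order described in the DNS section and reports candidates
# that leave the organisation's own DNS zone.
from typing import List

ORG_ZONE = "example.co.uk"   # assumption for the example: the zone the org controls


def wpad_dns_candidates(primary_suffix: str, connection_suffix: str = "") -> List[str]:
    """Return the wpad.* names a client tries, in order.

    Per the article: the primary DNS suffix is tried first, then the
    connection-specific suffix.  Within each suffix the leftmost label is
    stripped until a three-label name (wpad.<second>.<tld>) has been tried.
    """
    candidates: List[str] = []
    for suffix in (primary_suffix, connection_suffix):
        suffix = suffix.strip(".").lower()
        if not suffix:
            continue
        labels = suffix.split(".")
        while len(labels) >= 2:
            name = "wpad." + ".".join(labels)
            if name not in candidates:          # suffixes may share a parent
                candidates.append(name)
            if len(labels) == 2:                # wpad.<second>.<tld>: last try
                break
            labels = labels[1:]                 # devolve one label to the right
    return candidates


def outside_zone(candidates: List[str], org_zone: str = ORG_ZONE) -> List[str]:
    """Candidates not at or below org_zone.  A query for one of these is
    answered by whoever owns the parent domain, not by the organisation."""
    zone = org_zone.strip(".").lower()
    return [c for c in candidates if not c.endswith("." + zone)]


if __name__ == "__main__":
    names = wpad_dns_candidates("corp.example.co.uk", "lab.example.co.uk")
    for n in names:
        print(n)
    print("outside", ORG_ZONE + ":", outside_zone(names))
```

The article's own example, a.b.microsoft.com, stays inside microsoft.com at every step; the two-label public suffix in the example above is where the walk escapes. Creating the wpad alias in corp.example.co.uk (and lab.example.co.uk) means the first query succeeds and the outer names are never asked for.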
Create a WPAD Entry in DNS
To create a WPAD entry in DNS, do the following:
1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable forward lookup zone, and then click New Alias.
3. In Alias name, type WPAD.
4. In Fully qualified name for target host, type the fully qualified domain name (FQDN) of the WPAD server.
Note:
The ISA Server computer or array needs a host (A) record defined before you can create an alias entry. If a host (A) record is defined, you can click Browse to search the DNS namespace for the ISA Server computer.
Configuring a WPAD Server
This section explains the WPAD and WSPAD files, a standard configuration, and an alternative configuration.
WPAD and WSPAD Files
The Wpad.dat file is a JScript file containing a default URL template, in the format that Internet Explorer consumes. ISA Server constructs the Wspad.dat file to keep Firewall clients informed of all available ISA Server computers, together with additional parameters such as a load factor and a state flag that aid server selection. The Wspad.dat configuration file (CFILE) contains an explicit Time to Live (TTL) entry. After the TTL period expires, the WinSock Proxy client purges the CFILE and attempts to retrieve a new one. The format of the CFILE is the same as that of the Firewall client configuration file. The Common and Servers Ip Addresses sections of the file contain entries such as the following:
    [Common]
    Port=1745
    [Servers Ip Addresses]
    Name=ISAServer.microsoft.com
Standard Configuration
In a single-computer configuration, the WPAD server runs on the ISA Server computer used to service client requests. Note the following in such a configuration:
• If the ISA Server computer is unavailable, clients cannot make requests to the ISA Server computer, or request WPAD or WSPAD information. The effect of this is that you cannot update the WPAD or WSPAD file to point to an alternative ISA Server computer.
• To change the WPAD server, you update the DHCP or DNS WPAD entries that point to the server. However, this information is cached on DNS or DHCP servers and clients, so the WPAD entry returned by DHCP or DNS may not contain the most up-to-date ISA Server information.
• The advantage of using the ISA Server computer as the WPAD server is that the Wpad.dat and Wspad.dat files are updated automatically according to the ISA Server configuration.
• In the standard configuration, when using a DHCP option entry, keep the URL in the following format: http://ISA:port/wpad.dat. The Wpad.dat file must be in the root folder, and you should not modify the file name.
Publish Automatic Discovery Information
To use an ISA Server computer as a WPAD server for automatic discovery requests, you
need to enable automatic discovery for the ISA Server computer, and specify the port number
on which the ISA Server computer should listen for WPAD and WSPAD requests. By
default, ISA Server publishes automatic discovery information on port 8080. If you are using
the DHCP method of automatic discovery, you can specify any port. For DNS, you must
publish on port 80. Remember that the port you specify in ISA Server Management for use
with DHCP must match the port specified in the DHCP 252 option.
Enable and Configure ISA Server 2004 to Listen for Automatic Discovery Requests
To enable and configure ISA Server 2004 to listen for automatic discovery requests, do the following:
1. In the console tree of ISA Server Management, click Firewall Policy.
2. In the details pane, select the applicable network (usually Internal).
3. On the Tasks tab, click Edit Selected Network.
4. On the Auto Discovery tab, select Publish automatic discovery information.
Enable and Configure ISA Server 2000 to Listen for Automatic Discovery Requests
To enable and configure ISA Server 2000 to listen for automatic discovery requests, do the following:
1. In the console tree of ISA Server Management, right-click the ISA Server computer name, and then click Properties.
2. On the Auto Discovery tab, select the Publish automatic discovery information check box.
3. In Use this port for automatic discovery requests, type the appropriate port number.
Alternative Configuration
An alternative configuration is to place the Wpad.dat and Wspad.dat files on another computer, for example a server running Internet Information Services (IIS). In such a configuration, the DNS and DHCP entries point to the computer running IIS, and this computer acts as a dedicated redirector that provides Web Proxy and Firewall clients with WPAD and WSPAD information. Note the following:
• Using this method, you maintain the WPAD and WSPAD files on the computer running IIS. This avoids the cache latency issues that occur when you repeatedly modify WPAD entries to point to alternative ISA Server computers.
• Such a configuration provides some failover possibilities. You can configure multiple Web sites in IIS and place different WPAD and WSPAD files in each. The active Web site is the one containing WPAD and WSPAD information for the currently active ISA Server computer.
• If you are not using the ISA Server computer as a WPAD server, you do not need to publish automatic discovery information, because ISA Server does not need to listen for automatic discovery requests.
• The drawback of this approach is that the files on the server running IIS must be updated manually whenever the ISA Server configuration changes.
On the server running IIS, you must set up files called Wpad.dat and Wspad.dat to deliver the contents of the automatic configuration file to Firewall and Web Proxy clients. The simplest way to obtain these files for your computer running IIS is to connect to the ISA Server computer through a Web browser and download the files from the following URLs:
http://servername:port/wpad.dat
http://servername:port/wspad.dat
where port is the port on which the ISA Server computer listens for such requests.
Place the Wpad.dat and Wspad.dat files as follows:
• For DHCP entries, the files can be located anywhere, not just in the root folder of the published Web server, as long as option 252 points to the correct location. The name of the Wpad.dat file can be modified, but you should not change the name of the Wspad.dat file. The Web server can be published on any port.
• For DNS entries, the files must be located in the root folder of the published Web server, and the Web server must be published on port 80, because clients build the URL http://wpad/wpad.dat themselves from the host name alone.
• In all cases, the Wspad.dat file must be placed in the same folder as the Wpad.dat file, because Firewall clients derive its location from the Wpad.dat URL.
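The placement rules just listed and the Wspad.dat fragment shown in "WPAD and WSPAD Files", as an added example in Python that is not code from the article or from ISA Server: it reports which rule a URL violates for DNS-based or DHCP-based discovery, derives the Wspad.dat URL that a Firewall client will request from the Wpad.dat URL, and parses the [Common] and [Servers Ip Addresses] entries. The host names, the convention that server entries are keys beginning with "Name", and the function names are assumptions made for the example.

```python
# Added example, not from the ISA Server documentation.  Checks WPAD file
# placement for DNS vs. DHCP discovery, derives the wspad.dat URL, and parses
# the Wspad.dat CFILE sections quoted in the article.
import configparser
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit


def placement_problems(wpad_url: str, method: str) -> List[str]:
    """method is 'dhcp' or 'dns'.

    DHCP: option 252 carries the whole URL, so any port, folder and file
    name are acceptable.  DNS: clients construct http://wpad/wpad.dat from
    the host name alone, so the file must be in the root folder on port 80
    and keep its name."""
    if method not in ("dhcp", "dns"):
        raise ValueError("method must be 'dhcp' or 'dns'")
    parts = urlsplit(wpad_url)
    problems: List[str] = []
    if method == "dns":
        if (parts.port or 80) != 80:
            problems.append("DNS-based discovery requires port 80")
        if parts.path != "/wpad.dat":
            problems.append("DNS-based discovery requires /wpad.dat in the root folder")
    return problems


def wspad_url_for(wpad_url: str) -> str:
    """Wspad.dat is requested from the same folder as Wpad.dat with only the
    file name replaced; the wspad.dat name itself must not be changed."""
    parts = urlsplit(wpad_url)
    folder = parts.path.rsplit("/", 1)[0]
    return urlunsplit((parts.scheme, parts.netloc, folder + "/wspad.dat", "", ""))


def parse_wspad(text: str) -> Dict[str, object]:
    """Extract the Firewall client port and server names from a CFILE body.
    Assumption: each server is a key starting with 'Name' (Name, Name1, ...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as written
    cp.read_string(text)
    return {
        "port": int(cp["Common"]["Port"]),
        "servers": [v for k, v in cp["Servers Ip Addresses"].items() if k.startswith("Name")],
    }


# Constructed Wspad.dat body, modelled on the fragment in the article.
SAMPLE_WSPAD = """[Common]
Port=1745
[Servers Ip Addresses]
Name=ISAServer.microsoft.com
"""

if __name__ == "__main__":
    for url, method in (("http://isa.example.com:8080/autoconf/wpad.dat", "dhcp"),
                        ("http://isa.example.com:8080/autoconf/wpad.dat", "dns"),
                        ("http://wpad.example.com/wpad.dat", "dns")):
        print(method, url, "->", placement_problems(url, method) or "ok",
              "| wspad:", wspad_url_for(url))
    print(parse_wspad(SAMPLE_WSPAD))
```

A URL that passes the DHCP check can still fail the DNS check, which is the usual surprise when a site that started with option 252 on port 8080 later adds a wpad alias in DNS without also publishing on port 80.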
References
For more information, see the following articles in the Microsoft Knowledge Base:
• 260210, "Description of WinSock Proxy Auto Detect Support"
• 296591, "A Description of the Automatic Discovery Feature"
• 284690, "The 'Automatically Detect ISA Server' Option in the Firewall Client Is Unavailable"
• 295388, "Access Violation Occurs in Your Firewall Client When It Is Under a High Load and Is Using WSPAD"