How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step


WPAD stands for Web Proxy Auto-Discovery Protocol. A WPAD entry carries the proxy settings for clients. Windows clients use the WPAD protocol to obtain proxy information from DHCP and DNS servers: the client queries for the WPAD entry and receives the address of the WPAD server on which wpad.dat or wspad.dat is stored. The WPAD server can be a Forefront TMG server or a separate IIS server hosting the wpad.dat or wspad.dat URL. Configuring a WPAD server is straightforward and consists of the following steps:

  1. Select and configure an automatic discovery mechanism.
  2. Implement a WPAD server with DNS, or implement a WPAD server with DHCP.
  3. Configure automatic discovery through GPO for Windows client computers.

What’s in the WPAD.dat and WSPAD.dat files? The Wpad.dat file is a Microsoft JScript® file used by the Web client browser to set browser settings. Wpad.dat contains the following information:

  • The proxy server that should be used for client requests.
  • Domains and IP addresses that should be accessed directly, bypassing the proxy.
  • An alternate route in case the proxy is not available.
  • For TMG Enterprise Edition, Wpad.dat provides a list of all servers in the array.

The TMG Server WSPAD implementation uses the WPAD mechanism and constructs the Wspad.dat file to provide the client with proxy settings, plus some additional Firewall client configuration information that is not required for automatic detection. The relevant automatic detection entries in Wspad.dat are the server name and port.
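The wpad.dat items listed above map directly onto a Proxy Auto-Configuration script. The following is an added example, not the script TMG generates, of a hand-written PAC file of the kind the "Use custom URL" option would point to: it sends requests through the TMG proxy, bypasses it for single-label names, the internal DNS domain and private addresses, and falls back to a second array member and then to DIRECT when the first proxy is unavailable. The host names tmg1.corp.example and tmg2.corp.example, the domain .corp.example and the 10.0.0.0/8 range are assumed placeholders; the three helper functions are minimal stand-ins for the PAC built-ins a browser provides, included only so the script can be exercised in Node.

```javascript
// Minimal stand-ins for the PAC helper functions a browser supplies.
// They exist only so FindProxyForURL can be exercised outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h.length >= d.length && h.slice(h.length - d.length) === d;
}

// Small dotted-quad matcher: true when ipv4 lies inside net/mask.
function isInNet(ipv4, net, mask) {
  const toInt = (s) =>
    s.split(".").reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
  const ip = toInt(ipv4), n = toInt(net), m = toInt(mask);
  return (ip & m) === (n & m);
}

// Placeholder array members (assumed names, not from the original article):
// first proxy, then the second array member, then direct if both are down.
const PROXIES =
  "PROXY tmg1.corp.example:8080; PROXY tmg2.corp.example:8080; DIRECT";

// The entry point every PAC script must define; the browser calls it for
// each request. The wpad.dat items from the article map onto the branches.
function FindProxyForURL(url, host) {
  // Bypass the proxy for single-label intranet short names.
  if (isPlainHostName(host)) return "DIRECT";
  // Bypass for the internal DNS domain (assumed placeholder).
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Bypass for literal private IPv4 addresses in 10.0.0.0/8.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the array, with DIRECT as last resort.
  return PROXIES;
}
```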

Configure WPAD Entry in an authoritative DHCP Server:

Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.

In the console tree, right-click the applicable DHCP server, click Set Predefined Options, and then click Add.

In Name, type WPAD. In Code, type 252. In Data type, select String, and then click OK.


In String, type http://Computer_Name:Port/wpad.dat, where Port is the port number on which automatic discovery information is published. You can specify any port number; by default, Forefront TMG publishes automatic discovery information on port 8080. Ensure that you use lowercase letters when typing wpad.dat: Forefront TMG serves wpad.dat and the file name is case sensitive.


Right-click Scope Options, and then click Configure options. Confirm that Option 252 is selected.


Note: Assign the primary domain name to clients using DHCP. A DHCP server can be configured with a DHCP scope option to supply DHCP clients with a primary domain name. You can use port 8080 if you are using DHCP to deliver WPAD; most organisations already use the default web port for many web applications or the primary web site. My preferred method is to deliver WPAD using DHCP.

Configuring WPAD Entry in Active Directory DNS (AD DS):

Click Start, point to All Programs, point to Administrative Tools, and then click DNS.

In the console tree, right-click the forward lookup zone for your domain, and click New Alias (CNAME).


In Alias name, type WPAD.


In Fully qualified name for target host, type the FQDN of the WPAD server. If the Forefront TMG computer or array already has a host (A) record defined, you can click Browse to search the DNS namespace for the Forefront TMG server name.


Note: If clients belong to multiple domains, you will need a DNS entry for each domain. Firewall clients should be configured to resolve the WPAD entry using an internal DNS server. For WPAD entries obtained from DNS, the WPAD server must listen on port 80. Do NOT configure a CNAME entry in AD DS if you are using DHCP to deliver WPAD.

Important! Use ONLY one delivery method, that is, either DNS or DHCP.

Configuring TMG Server as the WPAD Server: You can configure Forefront TMG as the WPAD server as follows.

In the console tree of Forefront TMG Management, click Networking. In the details pane, click the Networks tab, and then select the network on which you want to listen for WPAD requests from clients (usually the default Internal network).


On the Tasks tab, click Edit Selected Network.

On the Auto Discovery tab, select Publish automatic discovery information.

In Use this port for automatic discovery requests, specify the port on which the Forefront TMG WPAD server should listen for WPAD requests from clients.


Click the Forefront TMG Client tab and check Enable Forefront TMG Client support for this network. By default the TMG server name is selected in this option; for TMG Enterprise Edition, you can select any array member hosting WPAD. Check Automatically detect settings, check Use automatic configuration script and select Use default URL, and check Use a Web proxy server. You may select one of the following:


  • Use default URL. Forefront TMG provides a default configuration script at http://FQDN:8080/array.dll?Get.Routing.Script, where FQDN is that of the Forefront TMG computer. This script contains the settings specified on the Web Browser tab of the network properties.
  • Use custom URL. As an alternative to the default script, you can construct your own Proxy Auto-Configuration (PAC) file and place it on a Web server. When the client Web browser looks for the script at the specified URL, the Web server receives the request and returns the custom script to the client.


Click Apply, and then click OK.

Running the AD Marker tool for automatic detection: use this tool if you use Active Directory as the delivery mechanism.

To store the marker key in Active Directory, at the command prompt, type:

TmgAdConfig.exe add -default -type winsock -url <service-url> [-f]

where the service-url entry is in the format http://<TMG Server Name>:8080/wspad.dat.

The following parameters can be used in the commands:

To delete a key from Active Directory, at a command prompt, type: TmgAdConfig.exe del -default -type winsock

To configure the Active Directory marker for a specific site, use the -site command line parameter.

For a complete list of options, type TmgAdConfig.exe -?

For detailed usage information, type TmgAdConfig.exe <command> -help

The TmgAdConfig tool creates the following entry in Active Directory: LDAP://Configuration/Services/Internet Gateway (“Container”)/Winsock Proxy (“ServiceConnectionPoint”)

The key’s server binding information is set to <service-url>. The Forefront TMG Client retrieves this key and uses it to download the wspad configuration file.

Configuring an Alternative WPAD Server: An alternative configuration is to place the Wpad.dat and Wspad.dat files on another computer instead of on the TMG Server computer. For example, you can place the files on a server running IIS. In such a configuration, the DNS and DHCP entries point to the computer running IIS, and that computer acts as a dedicated redirector providing WPAD and WSPAD information to clients. The simplest way to obtain the Wpad.dat and Wspad.dat files is to connect to the TMG Server computer through a Web browser and download them from the following URLs:


Configuring Internet Explorer for Automatic Discovery on a single computer: Configure WPAD automatic detection for the DHCP delivery method as follows:

  1. In Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Connections tab, click LAN Settings.
  3. On the Local Area Network (LAN) Settings tab, select Automatically detect settings.


Enabling browsers for automatic detection using a static/custom configuration script

  1. In Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Connections tab, click LAN Settings.
  3. On the Local Area Network (LAN) Settings tab, select Use automatic configuration script. Enter the script location as http://fqdnserver:port/array.dll?Get.Routing.Script, where fqdnserver is the fully qualified domain name (FQDN) of the Forefront TMG server. The configuration script location can be specified in each browser, or it can be set for all clients through Group Policy.



To export the settings from your computer to an .ins file using IEM (Internet Explorer Maintenance):

In Group Policy, double-click Local Computer Policy, double-click User Configuration, and then double-click Windows Settings.


Right-click Internet Explorer Maintenance, and then click Export Browser Settings.


Enter the location and name of the .ins file that you want to use.


Copy this WPAD.INS file and host it on a separate IIS server.

Configure Automatic Detection through GPO for entire Windows fleet

Log on to Domain Controller as an administrator.

Open the Group Policy Management Console, select the desired Organisational Unit, right-click it, and click Create a GPO in this domain, and Link it here.

Type the name of the GPO and click OK.


Right-click the newly created GPO and click Edit.

In the GPO editor, expand User Configuration > Windows Settings > Internet Explorer Maintenance > Connections, and double-click Automatic Browser Configuration.


If you use DHCP as the wpad.dat delivery method, check Automatically Detect Configuration Settings.


If you use the default routing script from the TMG server, use the following option:


If you want to deliver wpad.dat through the DNS server, use the following option:


For WPAD.INS deployment, use the following option:


In Automatically configure every ~ minutes, you can set the refresh interval; type 0 (zero) to auto-update after a restart.

Testing Automatic Detection

To test the DHCP delivery method, log on to a client machine, open IE8 and set the IE proxy settings to Automatically detect settings.

Run GPUPDATE.exe /Force and reboot the computer.


Browse any web site to test that the proxy is detected by the browser.


For a WPAD entry in DNS, you can test the automatic discovery mechanism by typing the following in the Web browser:

For a WPAD entry in DHCP, you specify the FQDN of the WPAD server. For example, if the WPAD DHCP entry is available on a TMG Server computer, type the following:

To test that the automatic configuration script is being retrieved as expected, type the following in the Web browser:

 

Relevant Articles:

Forefront TMG 2010 Tools & Software Development Kit

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure 3-leg perimeter using TMG 2010 step by step

Configure back to back perimeter step by step

Configure reverse proxy step by step

Publish Exchange Anywhere

Publish Exchange OWA

 

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server.

19 Responses to How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step

  1. chris says:

    Great Blog keep it up!!!!!


  2. Pingback: Configure custom HTML error message on Forefront TMG 2010 and redirect users to corporate notice | MicrosoftGURU

  3. John says:

    I’m a bit confused. You said that “Do NOT configure CNAME entry in AD DS if you are using DHCP to deliver WPAD.
    Important! Use ONLY one deliver method that means either DNS or DHCP”

    And MS Team including Dr. Tom Shinder says in their book:

    Many system administrators think that if they configure DHCP to provide WPAD information they don’t need to configure DNS. This is a misconception; you must still define a DNS record for a host named wpad.contoso.com because of the name resolution process that will follow the DHCP INFORM request. When the client receives the URL from the DHCP server, the client will start a name resolution process to resolve the host name wpad.contoso.com. If you don’t have an entry on your DNS for this name, the client may try to contact WINS Server or send a NetBIOS broadcast for name resolution. Again, this will depend on the client’s NetBIOS node type.

    Who should I believe?


  4. John says:

    Thanks! Now I got it:) and also Thanks for great blogging…


  5. Intunericitu says:

    Thanks, very helpful.


  6. Alessandro Proenca says:

    Great Article!!

    A doubt: is it possible to deliver the proxy to users from a client VPN and a site-to-site VPN?

    best regards.


  7. Frode Slettum says:

    Hei, nice article!

    I implemented this a while ago, but ran into some problems. It’s my understanding that only IE supports the DHCP delivery method, so with many different browsers and operating systems, DNS would be a better approach. Do you agree?

    The problem in my scenario is that not all clients seem to care about the automatic configuration. The browsers are configured to be automatically configured, they can resolve the wpad entry (ping wpad…) and all computers and browsers work fine with proxy settings manually entered. Some computers work, some don’t. I haven’t found any system in this mess; it looks random.

    Another thing. You refer to article http://technet.microsoft.com/en-us/library/cc995261.aspx , but this article states: Consider the following criteria when deciding whether to use a DHCP WPAD entry, a DNS entry, or both.

    It clearly says “both”. Why do you say you can’t have both? Any experience?


    • Thanks for visiting my site. I should have said you shouldn’t have both, not that you can’t have both. I always believe technology works better when it is simple and achievable. From that point of view, yes, you shouldn’t have both.

      I would recommend you use one method, not both. Why? Say you left your company or are on annual leave, a new guy comes in and has some issue with WPAD. It would be easy for him to troubleshoot one.

      I never had trouble with WPAD. It’s easy and achievable. If WPAD is complex, then use GPO to configure the IE proxy instead of the autodiscover options.

      I hope I explained.


  8. Abdul Basit Mamalan says:

    Mr. Raihan Al-Beruni,
    thank you so much for the great article.
    Here I have a couple of questions:
    is it enough to get a good result if I do only the following configuration?
    1. Configure WPAD entry in an authoritative DHCP server
    2. Configure automatic detection through GPO for domain clients as you explained

    And what’s the advantage of configuring the TMG server as the WPAD server?

    thank you again for your time


  9. Ali Mukhtar says:

    Dear Raihan,
    Your blog is very helpful. I have a problem: I have a small but proper network, but our structure of work is a little flexible due to business needs; our staff members are allowed to use their laptops at home for business needs. We are using TMG for firewall and bandwidth control, but a few users are bypassing it by unchecking “automatic proxy”.

    I want to add all settings in an automatic way. Skype and Outlook must work. I did one thing: in DHCP I removed the router (default gateway), but because of this Skype and Outlook stopped working.

    Can you advise me on the best and easiest way?
    regards
    Ali Mukhtar


  10. Kljuka says:

    Hello!

    Thank you for a great post!

    I have one question. I have TMG implemented on four locations (all locations are in the same AD domain, but different AD sites) and I would like to implement WPAD (WPAD is for now implemented only on the primary location using a DNS record). I guess the right way to go is to enable WPAD on all four locations for every local TMG server and change WPAD discovery to use DHCP instead of DNS, because we use the same DNS server on all four locations and only DHCP can have a separate configuration for every location. Is this correct?

    Will we need to edit web proxy rules on every location or can we edit them on one location and somehow transfer it to other three locations?

    Thank you!

    Best wishes,
    Marko


    • WPAD is auto proxy configuration. If all your sites go via the primary site and client Internet Explorer is configured and pointing to the primary site, then the primary WPAD is OK for everybody. If this is not the case, then you need to configure WPAD in DHCP in all locations. Your second question sounds like all the other sites’ TMG act as proxy as well, so you need to configure WPAD in all locations.

      Right-click Firewall Policy and export the policies from the primary location, import them into the secondary location, then delete whatever rules you don’t need in those sites.


      • Kljuka says:

        Hello,

        We have now successfully enabled proxy and WPAD on a secondary location, but we have another problem. We would like to configure TMG so that users that don’t use the proxy can’t access any web sites. For example, if a user doesn’t use the Automatically detect settings option in Internet Explorer, or if he uses Mozilla Firefox without manually configuring the proxy address, he shouldn’t be able to access any web sites. Can you give me advice on how to configure TMG to achieve this?

        Thank you!

        Best wishes!


  11. Kljuka says:

    Thank you for your answer. I have now managed to implement WPAD on the other sites, but I have a problem importing Web Access Policy rules from the primary location to the others. I right-click a rule on the primary and select Export Selected, then I go to the secondary location server, right-click Web Access Policy and select Import. Then I select the exported XML file and when I try to import I get this error:

    Import Failed

    The file cannot be imported because the array NEWSERVER is of version (null) in the exported file and version (null) in the stored configuration.

    The error occurred on object ‘PolicyRules of class ‘Policy Rules’ in the scope of array ‘NEWSERVER’.

    I guess this happens because the versions are not the same (the old server has SP2, the new one SP1 for now, but I will upgrade it now)? Is it even possible to export and import a single rule? Are the From and To properties also exported (let’s say a list of computers, URL addresses, etc.)?

    Thank you!

    Best wishes,
    Marko



  13. Kljuka says:

    Hello,

    I have solved the problem. I created a new access rule with a new protocol (port 80 TCP) and denied it. Then I put it on top of the other access rules, and users that do not use the TMG proxy can’t access web sites.

    Best wishes,
    Marko

