Automatic Discovery for Firewall and Web Proxy Clients
Published: June 28, 2004
Overview
Microsoft Internet Security and Acceleration (ISA) Server 2004
supports automatic discovery to allow Firewall clients and Web Proxy
clients to automatically locate an ISA Server computer to use for
client requests.
ISA Server uses the Web Proxy Automatic Discovery (WPAD) protocol,
which allows automatic discovery of Web Proxy servers. ISA Server
uses WPAD to provide a mechanism for clients to locate a WPAD entry
containing a URL that points to a server on which the Wpad.dat and
Wspad.dat files are generated. The Wpad.dat file is a JScript
file containing a default URL template, constructed by Internet
Explorer. The Wpad.dat file is used by Web Proxy clients for
automatic discovery information. The ISA Server WinSock Proxy
Autodetect (WSPAD) implementation uses the Wpad.dat file, and
creates a Wspad.dat file to provide automatic discovery information
to Firewall clients. For more information about the WPAD protocol,
see the Web Proxy Auto-Discovery Protocol document.
Concepts and Procedures
This section includes:
- Configuring automatic discovery
- Web Proxy clients
- Firewall clients
- Client support
- Configuring WPAD entries
- Configuring a WPAD server
- References
Configuring Automatic Discovery
There are a number of configuration steps involved in setting up
automatic discovery support for clients:
- Configure Web Proxy clients and Firewall clients for automatic
  discovery.
- Create WPAD entries containing a URL that points to a WPAD server
  on which the Wpad.dat and Wspad.dat files are located. You can
  create a WPAD entry in DNS, in DHCP, or in both.
- Configure a WPAD server. The URL specified in the WPAD entry points
  to the WPAD server, which is the computer on which the WPAD and
  WSPAD files can be located. There are a number of possible
  configurations for the WPAD server:
  - In the simplest configuration, the WPAD server is located on the
    ISA Server computer that will service client requests.
  - Alternatively, the WPAD server might be located on a computer
    separate from the ISA Server computer.
- If the ISA Server computer will act as the WPAD server, configure
  ISA Server to listen for automatic discovery requests, by publishing
  automatic discovery information on a specified port.
These configuration steps are outlined in detail in the sections that
follow.
Web Proxy Clients
For Web Proxy clients, Internet Explorer uses the WPAD protocol
to locate a WPAD entry in DHCP or DNS that contains the location of
the Wpad.dat script file. When found, Internet Explorer connects to
the ISA Server computer specified in the Wpad.dat file for Web
requests. Web browser clients make a call to http://wpad:port/wpad.dat,
where port is the port listening for automatic discovery
requests. For DNS entries, you must listen on port 80. DHCP can
listen on any port. (By default ISA Server listens on port 8080).
You can type this URL (specify the appropriate port) into the Web
browser to view the proxy settings for the specified client, and a
list of domain names configured for direct access.
In Internet Explorer, you can enable automatic discovery, or you
can manually specify a proxy server that Web Proxy clients should
use. On Firewall Client computers, you can configure the Web Proxy
settings for the Firewall client in the Firewall Client dialog box.
If automatic discovery fails, Web Proxy clients can fall back on
a SecureNAT configuration if the client computer has a suitably
configured default gateway. Automatic discovery is supported for
Internet Explorer 5 and later.
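The Wpad.dat script that Internet Explorer fetches from http://wpad:port/wpad.dat is a JScript proxy auto-configuration (PAC) script: the browser calls its FindProxyForURL function for every request, and the return value names the proxy to use or DIRECT for a direct connection. The following is an added example of such a script, not the Wpad.dat that ISA Server generates. The proxy host name, port and direct-access domains are constructed, and the two helper functions at the top are minimal re-implementations of standard PAC helpers (a browser supplies them natively) so the script can be exercised outside a browser.

```javascript
// Added example (not the Wpad.dat that ISA Server generates): a hand-written
// proxy auto-configuration script in the JScript/PAC form that Internet
// Explorer evaluates after fetching http://wpad:port/wpad.dat.
// Host name, port and direct-access domains below are constructed values.

// Minimal re-implementations of two standard PAC helper functions, so the
// script can run outside a browser. Browsers provide these natively.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

// Constructed values: the ISA Server computer that services Web requests
// (default automatic discovery port 8080) and the domains configured for
// direct access, which bypass the proxy.
var ISA_PROXY = "PROXY isaserver.example.local:8080";
var DIRECT_DOMAINS = [".example.local", ".intranet.example.com"];

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  // Single-label (plain) host names are treated as intranet hosts.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Domains configured for direct access bypass the proxy.
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  // Everything else goes through the ISA Server computer. The trailing
  // "DIRECT" is an optional fallback the browser uses only if the proxy
  // cannot be reached; omit it if traffic must never bypass the proxy.
  return ISA_PROXY + "; DIRECT";
}
```

When checking a deployment, fetch the real Wpad.dat from the discovery URL and read its FindProxyForURL body the same way: the proxy entries and the direct-access list it returns are exactly the settings the client will apply. A "; DIRECT" fallback means a client whose proxy is unreachable will try to connect directly, which is the behaviour to avoid if the proxy is meant to be the only path out.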
Enable Web Proxy Automatic Discovery in Internet Explorer
On Web Proxy client computers running Internet Explorer 5 or
later, do the following.
1. On the Tools menu, click Internet Options.
2. Click the Connections tab.
3. Click LAN Settings.
4. Select the Automatically detect settings check box, and then click
   OK two times.
Enable Web Proxy Automatic Discovery on Firewall Client for ISA
Server 2004 Computers
To enable Web Proxy automatic discovery on a Firewall client, do
the following.
1. In the Web Browser tab of the Microsoft Firewall Client for ISA
   Server 2004 dialog box, select Enable Web browser automatic
   configuration.
2. To apply settings immediately, click Configure now.
Firewall Clients
To implement automatic discovery for Firewall clients, ISA Server
uses the WPAD protocol to locate a WPAD entry in DHCP or DNS. If a
Firewall Client computer has automatic discovery enabled, the
following occurs:
1. When the client makes a Winsock request, the client connects to the
   DNS or DHCP server.
2. The WPAD entry URL returned to the client contains the address of a
   WPAD server (a server on which the Wpad.dat and Wspad.dat files are
   located).
3. The client computer requests the automatic configuration information
   held in Wspad.dat, with a call to http://wpad:port/wspad.dat on the
   WPAD server, where port is the port listening for automatic
   discovery requests. For DNS entries, you must listen on port 80.
   DHCP can listen on any port. (By default ISA Server listens on port
   8080). You can manually type this URL into the Firewall Client
   browser to check that Firewall Client settings on the ISA Server
   computer are displayed as expected.
4. The ISA Server computer identified in the Wspad.dat file is then
   used to service Winsock connections for all applications on the
   client computer configured to use the Firewall Client.
In addition to configuring Firewall clients for automatic
detection, the automatic discovery process can be initiated manually
on Firewall Client computers, by clicking Detect Now in the
Firewall Client properties dialog box. If automatic detection fails,
Firewall clients can fall back on a SecureNAT configuration if the
client computer has a suitably configured default gateway.
Enable Automatic Discovery for Firewall Clients in ISA
Server 2004
To enable automatic discovery for Firewall clients for ISA
Server 2004, do the following.
1. In the console tree of ISA Server Management, click Configuration,
   and then click Networks.
2. In the details pane, click the Networks tab.
3. On the Tasks tab, click Edit Selected Network.
4. On the Firewall Client tab, select Automatically detect settings,
   if the client computer should automatically attempt to find the ISA
   Server computer.
Enable Automatic Discovery for Firewall Clients in ISA
Server 2000
To enable automatic discovery for Firewall clients for ISA
Server 2000, do the following.
1. In ISA Server Management, click the ISA Server computer name, and
   then click Client Configuration.
2. In the details pane, right-click Firewall Client and then click
   Properties.
3. On the General tab, select Enable automatic discovery in Firewall
   Clients.
Client Support
The following table summarizes automatic discovery support for
Firewall and Web Proxy clients for various operating systems, such
as Microsoft Windows Server 2003, Windows® XP, Windows 2000,
Windows NT® Server 4.0, Windows Millennium Edition, Windows 98, and
Windows 95.
Windows Server 2003: All users | All users (DNS); Admin users only (DHCP) | All users
Windows XP: All users | All users (DNS); Admin users only (DHCP) | All users
Windows 2000: All users (DNS); Admin users only (DHCP) | All users (DNS); Admin users only (DHCP) | All users
Windows NT 4.0: All users | All users (DNS only) | All users (DNS only)
Windows Me: All users | All users | All users
Windows 98 (Second Edition): All users | All users | All users
Windows 98: All users | All users | All users
Windows 95: All users | All users (DNS static only) | No Firewall Client support
Note
In ISA Server 2000, the following DHCP limitation applies: Web Proxy
clients on computers running Windows 2000 can only use automatic
discovery for users who are members of the Administrators or Power
Users group. In Windows XP, the Network Configuration Operators
group also has permission to issue DHCP queries. For more
information, see article 307502, "Automatically Detect Settings Does
Not Work if You Configure DHCP Option 252," in the Microsoft
Knowledge Base.
Configuring WPAD Entries
You can create WPAD entries in DHCP, DNS, or both. There are
advantages and disadvantages to both approaches:
- To use DNS, ISA Server must publish automatic discovery information
  (listen for automatic discovery requests) on port 80. Using DHCP,
  you can specify any port. Note that by default the ISA Server
  computer listens on port 8080 for automatic discovery requests.
- If clients are spread over multiple domains, you need to configure a
  DNS entry for each domain containing clients with automatic
  discovery enabled.
- Clients enabled for automatic discovery must be able to directly
  access or query the DHCP server for option 252. Remote access and
  VPN clients cannot access the DHCP server to directly obtain option
  252. If automatic discovery is configured using DHCP only, remote
  access clients will not be able to use this feature.
- Generally, using DHCP servers with automatic detection works best
  for local area network (LAN)-based clients, while DNS servers enable
  automatic detection on computers with both LAN-based and dial-up
  connections. Although DNS servers can handle network and dial-up
  connections, DHCP servers provide faster access to LAN users and
  greater flexibility. If you configure both DNS and DHCP, clients
  will attempt to query DHCP for automatic discovery information
  first, and then query DNS.
DHCP
To configure automatic discovery using DHCP, check the following:
- Ensure you have a valid DHCP server, and that there is a DHCP scope
  defined for each subnet containing client computers.
- Add a WPAD entry to the DHCP server by means of a DHCP Option 252
  entry. Option 252 is typically used as a registration and query
  point for discovery of printers, Web proxies (through WPAD), time
  servers, and many other network services. The Option 252 entry is a
  string value indicating the URL of the WPAD server.
- Configure the Option 252 entry for the appropriate scope, even if
  there is only a single scope.
- Ensure that client computers are configured as DHCP clients.
DHCP information is supplied as follows:
- DHCP provides WPAD information to DHCP clients during the allocation
  process, or fetches the information as required.
- On Firewall client computers, when you click Detect Now, the
  Firewall client queries the DHCP client for WPAD information.
Create an Option 252 Entry in DHCP
To create an Option 252 entry in DHCP, do the following.
1. Click Start, point to Programs, point to Administrative Tools, and
   then click DHCP.
2. In the console tree, right-click the applicable DHCP server, click
   Set Predefined Options, and then click Add.
3. In Name, type WPAD.
4. In Code, type 252.
5. In Data type, select String, and then click OK.
6. In String, type http://Computer_Name:Port/wpad.dat where:
   - Computer_Name is the fully qualified domain name of the ISA
     Server computer.
   - Port is the port number on which automatic discovery information
     is published. You can specify any port number. By default ISA
     Server publishes automatic discovery information on port 8080.
7. Right-click Server options, and then click Configure options.
8. Confirm that the Option 252 check box is selected.
Notes
- When you specify the Option 252 string, be sure to use lowercase
  letters when typing wpad.dat. For example, if you type
  http://isaserver:8080/Wpad.dat, the request will fail. ISA Server
  uses wpad.dat and is case-sensitive. For more information, see
  article 252898, "HOW TO: Enable Proxy Autodiscovery in Windows
  2000," in the Microsoft Knowledge Base.
- You do not need to create anything specifically for Wspad.dat.
  Wspad.dat uses the same 252 option as wpad.dat, and modifies the
  wpad.dat name to Wspad.dat as required.
Configure Option 252 for a DHCP Scope
To configure an Option 252 entry for a DHCP scope, do the
following.
1. Click Start, point to Programs, point to Administrative Tools, and
   then click DHCP. Right-click Scope Options, and then click
   Configure Options.
2. Click Advanced, and then in Vendor Class, click Standard Options.
3. In Available Options, select the 252 Proxy Autodiscovery check
   box, and then click OK.
DNS
To configure a DNS server to provide a WPAD entry to clients, you
must create a DNS entry. This entry can be configured in a number of
ways:
- Configure a host (A) record for your WPAD server, and then create
  an alias (CNAME) record to point at the host record. If the ISA
  Server computer that will service client requests is also your WPAD
  server, there must be a host record for the ISA Server computer.
  Note that the host record must exist before creating the alias
  entry, and must be in the DNS zone to which clients belong (or are
  configured with).
- As an alternative, configure a computer with the name WPAD, and add
  a host entry specifying the IP address or addresses for this
  computer, avoiding the need to resolve an alias.
After the entry is added and the database file is propagated to
the DNS server, the DNS name wpad.domain.com should resolve
to the same computer name as the WPAD server. Web Proxy clients and
Firewall clients are not aware of the domain containing the WPAD
entry or alias, and rely on the operating system to provide this.
The operating system must provide the correct domain name (domain
suffix), to append to the host name (WPAD) before sending a query to
the WPAD server. By default the domain used is the client's primary
domain suffix (the domain in which the client is located, or is
configured to use). If the primary domain suffix does not work, the
connection-specific DNS suffix is tried. If the WPAD server is not
found in the domain name, subdomains are removed from the domain
until a WPAD server is located, or until the third-level domain is
reached. For example, in the a.b.microsoft.com domain, the following
searches will be made:
- wpad.a.b.microsoft.com
- wpad.b.microsoft.com
- wpad.microsoft.com
If a WPAD server is not located by the third-level domain,
automatic discovery fails.
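The search order above can be reproduced mechanically, which is useful when planning which DNS zones need a WPAD entry: every name in the list is one a client will try, in order, before giving up. The following is an added example, not Windows or ISA Server code. It takes the suffix devolution exactly as the article describes it (drop leading labels until the third-level name is reached) and assumes that the connection-specific suffix, when tried, is devolved in the same way after the primary suffix; the article does not spell out that second point. The suffix names in the test are the article's own example plus a constructed one.

```javascript
// Added example (not Windows or ISA Server code): the DNS search order a
// client follows when resolving the WPAD host, as described in this article.

// Names queried for one DNS suffix, in order: the full suffix first, then
// with leading labels removed until only the third-level name
// (wpad.<second-level>.<top-level>) remains.
function wpadNamesForSuffix(suffix) {
  var labels = suffix.toLowerCase().split(".").filter(function (l) {
    return l.length > 0; // tolerate a trailing dot or empty suffix
  });
  var names = [];
  // Stop once two labels remain; "wpad." + those two is the third-level name.
  while (labels.length >= 2) {
    names.push("wpad." + labels.join("."));
    labels.shift();
  }
  return names;
}

// Full search order over several suffixes: primary DNS suffix first, then the
// connection-specific suffix (assumption: each suffix is devolved in turn).
// Duplicates are dropped so a name shared by two suffixes is queried once.
function wpadSearchOrder(suffixes) {
  var order = [];
  suffixes.forEach(function (suffix) {
    wpadNamesForSuffix(suffix).forEach(function (name) {
      if (order.indexOf(name) === -1) order.push(name);
    });
  });
  return order;
}
```

The list doubles as a checklist for the DNS method: the article notes that clients in several domains each need their own entry, and this is the set of names from which a client in a given domain will accept an answer. Registering the WPAD alias in the client's own zone (the first name in the list) means the search ends there rather than at a parent zone.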
The domain suffix is generally assigned to clients by one of
these methods:
- Assign the primary domain name to clients using DHCP.
- Manually configure the IP properties of the client computer with
  the correct domain suffix.
Note that you should configure Firewall clients to resolve the
WPAD entry using an internal DNS server.
Create a WPAD Entry in DNS
To create a WPAD entry in DNS, do the following.
1. Click Start, point to Programs, point to Administrative Tools, and
   then click DNS.
2. In the console tree, right-click the applicable forward lookup zone
   and click New Alias.
3. In Alias name, type WPAD.
4. In Fully qualified name for target host, type the fully qualified
   domain name (FQDN) of the WPAD server.
   Note
   The ISA Server computer or array needs a host (A) record defined
   before you can create an Alias entry. If a host (A) record is
   defined, you can click Browse to search the DNS namespace for the
   ISA Server computer.
Configuring a WPAD Server
This section explains WPAD and WSPAD files, a standard
configuration, and an alternative configuration.
WPAD and WSPAD Files
The Wpad.dat file is a JScript file containing a default URL
template, constructed by Internet Explorer. ISA Server constructs
the Wspad.dat file to keep Firewall clients informed of all
available ISA Server computers, and additional parameters such as a
load factor and a state flag to aid the server selection. The
Wspad.dat CFILE contains an explicit Time to Live (TTL) entry. After
the TTL period expires, the WinSock Proxy client purges the CFILE
and attempts to retrieve a new CFILE. The format of the CFILE is the
same as the Firewall client configuration file. In the Common
section of the file, the following 3 entries are displayed:
[Common]
Port=1745
[Servers Ip Addresses]
Name=ISAServer.microsoft.com
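Because Wspad.dat shares the Firewall client configuration file format, the entries above can be read with an ordinary INI-style parser. The following is an added example, not ISA Server or Firewall Client code, that parses that text into sections and pulls out the Port value and the server names. The sample text is constructed from the entries shown above; the second Name line is an assumption added to show how a file listing more than one ISA Server computer is handled. The TTL entry the article mentions is not shown on the page, so the parser does not model it.

```javascript
// Added example (not ISA Server or Firewall Client code): parser for the
// INI-style configuration text that Wspad.dat shares with the Firewall
// client configuration file. SAMPLE_WSPAD is constructed from the entries
// in this article; the second Name line is an added assumption.
const SAMPLE_WSPAD = [
  "[Common]",
  "Port=1745",
  "[Servers Ip Addresses]",
  "Name=ISAServer.microsoft.com",
  "Name=ISAServer2.microsoft.com", // constructed second server
].join("\r\n");

// Parse INI text into { section: { key: [value, ...] } }. Repeated keys are
// collected in order rather than overwritten, so a section naming several
// servers keeps all of them. Blank lines and ';' comments are ignored, and
// a key=value line outside any section is skipped as malformed.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith(";")) continue;
    if (line.startsWith("[") && line.endsWith("]")) {
      current = line.slice(1, -1).trim();
      if (!sections[current]) sections[current] = {};
      continue;
    }
    const eq = line.indexOf("=");
    if (eq === -1 || current === null) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    (sections[current][key] = sections[current][key] || []).push(value);
  }
  return sections;
}

// Extract what a Firewall client reads from the file: the Port value in
// [Common] and the server names in [Servers Ip Addresses]. A missing,
// duplicated or non-numeric Port is rejected rather than silently defaulted.
function wspadSettings(text) {
  const ini = parseIni(text);
  const common = ini["Common"] || {};
  const servers = ini["Servers Ip Addresses"] || {};
  const portValues = common["Port"] || [];
  const port = parseInt(portValues[0], 10);
  if (portValues.length !== 1 || !Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error("Wspad.dat: [Common] must contain exactly one valid Port entry");
  }
  return { port: port, servers: servers["Name"] || [] };
}
```

Fetching http://wpad:port/wspad.dat from a client and running it through a parser like this gives the same answer the article suggests checking by eye: which ISA Server computers the Firewall client will be told to use, and on which port.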
Standard Configuration
In a single computer configuration, the WPAD server will run on
the ISA Server computer used to service client requests. Note the
following in such a configuration:
- If the ISA Server computer is unavailable, clients cannot make
  requests to the ISA Server computer, or request WPAD or WSPAD
  information. The effect of this is that you cannot update the WPAD
  or WSPAD file to point to an alternative ISA Server computer.
- To update the WPAD server, you update the DHCP or DNS WPAD entries
  that point to the server. However, information is cached on DNS or
  DHCP servers, and the WPAD entry returned by DHCP or DNS may not
  contain the most up-to-date ISA Server information.
- The advantage of using the ISA Server computer as the WPAD server
  is that the Wpad.dat and Wspad.dat files are updated automatically
  according to the ISA Server configuration.
- In the standard configuration when using a DHCP option entry, you
  should keep the URL structure in the following format:
  http://ISA:port/wpad.dat. The Wpad.dat file must be in the root
  folder, and you should not modify the file name.
Publish Automatic Discovery Information
To use an ISA Server computer as a WPAD server for automatic
discovery requests, you need to enable automatic discovery for the
ISA Server computer, and specify the port number on which the ISA
Server computer should listen for WPAD and WSPAD requests. By
default, ISA Server publishes automatic discovery information on
port 8080. If you are using the DHCP method of automatic discovery,
you can specify any port. For DNS, you must publish on port 80.
Remember that the port you specify in ISA Server Management for use
with DHCP must match the port specified in the DHCP 252 option.
Enable and Configure ISA Server 2004 to Listen for Automatic
Discovery Requests
To enable and configure ISA Server 2004 to listen for automatic
discovery requests, do the following.
1. In the console tree of ISA Server Management, click Firewall
   Policy.
2. In the details pane, select the applicable network (usually
   Internal).
3. On the Tasks tab, click Edit Selected Network.
4. On the Auto Discovery tab, select Publish automatic discovery
   information.
Enable and Configure ISA Server 2000 to Listen for Automatic
Discovery Requests
To enable and configure ISA Server 2000 to listen for automatic
discovery requests, do the following.
1. In the console tree of ISA Server Management, right-click the ISA
   Server computer name, and then click Properties.
2. On the Auto Discovery tab, select the Publish automatic discovery
   information check box.
3. In Use this port for automatic discovery requests, type the
   appropriate port number.
Alternative Configuration
An alternative configuration is to place the Wpad.dat and
Wspad.dat files on another computer, for example a server running
Internet Information Services (IIS). In such a configuration, the
DNS and DHCP entries point to the computer running IIS, and this
computer acts as a dedicated redirector to provide Web Proxy and
Firewall clients with WPAD and WSPAD information. Note the following:
- Using this method, you maintain WPAD and WSPAD files on the
  computer running IIS. This avoids cache latency issues that can
  occur when you consistently modify WPAD entries to point to
  alternative ISA Server computers.
- Such a configuration provides some failover possibilities. You can
  configure multiple Web servers in IIS, and place different WPAD and
  WSPAD files in each Web server. The active Web server will be the
  one containing WPAD and WSPAD information for the currently active
  ISA Server computer.
- If you are not using the ISA Server computer as a WPAD server, you
  do not need to publish automatic discovery information, because ISA
  Server does not need to listen for automatic discovery requests.
- The drawback to this approach is that the files on the server
  running IIS need to be updated manually.
On the server running IIS, you must set up files called Wpad.dat
and Wspad.dat, to deliver the contents of the automatic
configuration file to Firewall and Web Proxy clients. The simplest
way to obtain these files on your computer running IIS is to connect
to the ISA Server computer through a Web browser and download the
files from the following URLs:
- http://servername:port/wpad.dat
- http://servername:port/wspad.dat
where port depends on where the server is listening for such
requests.
Place the Wpad.dat and Wspad.dat files as follows:
- For DHCP entries, the files can be located anywhere as long as
  option 252 points to the correct location, not just in the root
  folder of the published Web server. The name of the Wpad.dat file
  can be modified, but you should not change the name of the
  Wspad.dat file. The Web server can be published on any port.
- For DNS entries, the files must be located in the root folder of
  the published Web server, and the Web server must be published on
  port 80.
- In all cases the Wspad.dat file should be placed in the same folder
  as the Wpad.dat file.
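The placement rules in this section, together with the Option 252 notes earlier (lowercase wpad.dat, case-sensitive on ISA Server; the DHCP port must match the port ISA Server publishes on), are easy to get wrong and the symptom is simply that automatic discovery fails. The following is an added example, not ISA Server code, that checks a WPAD URL against those rules before it is entered as an Option 252 string or behind a DNS alias. The method name strings, the wpadServerIsIsa flag and the sample URLs are constructed for this example.

```javascript
// Added example (not ISA Server code): validate a WPAD URL against the
// placement rules in this article. Parameters:
//   urlString       the URL to be placed in DHCP option 252 or served
//                   behind the DNS "wpad" alias
//   method          "dhcp" or "dns" (constructed names for this example)
//   isaListenPort   port on which ISA Server publishes automatic discovery
//                   information (default 8080); used for the DHCP match check
//   wpadServerIsIsa true when the ISA Server computer is the WPAD server
//                   (standard configuration), false for the IIS alternative
// Returns a list of problems; an empty list means the URL passes.
function checkWpadUrl(urlString, method, isaListenPort, wpadServerIsIsa) {
  const problems = [];
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return ["not a valid URL: " + urlString];
  }
  if (url.protocol !== "http:") {
    problems.push("scheme must be http, got " + url.protocol);
  }
  const path = url.pathname;
  const fileName = path.substring(path.lastIndexOf("/") + 1);
  // URL.port is "" when the scheme's default port (80 for http) is implied.
  const port = url.port === "" ? 80 : parseInt(url.port, 10);

  if (method === "dns") {
    // Clients request http://wpad/wpad.dat: root folder, port 80, exact name.
    if (port !== 80) problems.push("DNS discovery requires port 80, got " + port);
    if (path !== "/wpad.dat") {
      problems.push("DNS discovery requires /wpad.dat in the root folder, got " + path);
    }
  } else if (method === "dhcp") {
    // Any port and path are allowed, but the port must match ISA Server's
    // automatic discovery port when ISA Server answers the request.
    if (wpadServerIsIsa && isaListenPort !== undefined && port !== isaListenPort) {
      problems.push("port " + port + " does not match the ISA Server automatic discovery port " + isaListenPort);
    }
    // On the ISA Server computer the name is fixed and case-sensitive; on a
    // separate IIS server the article allows the Wpad.dat name to be changed.
    if (wpadServerIsIsa && fileName !== "wpad.dat") {
      problems.push('ISA Server serves only lowercase "wpad.dat", got "' + fileName + '"');
    }
  } else {
    problems.push('method must be "dns" or "dhcp"');
  }
  return problems;
}
```

Run the check on the exact string that will be typed into the Option 252 entry, since that string, not the intended one, is what clients receive. The case check reproduces the article's own failing example (http://isaserver:8080/Wpad.dat), and the port match catches the most common DHCP mismatch, an option string still naming 8080 after the listener was moved.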
References
For more information, click the following article numbers to view
the articles in the Microsoft Knowledge Base:
- 260210: Description of WinSock Proxy Auto Detect Support
- 296591: A Description of the Automatic Discovery Feature
- 284690: The "Automatically Detect ISA Server" Option in the Firewall
  Client Is Unavailable
- 295388: Access Violation Occurs in Your Firewall Client When It Is
  Under a High Load and Is Using WSPAD