
Automatic Discovery with WPAD
The next sections describe the Wpad.dat and Wspad.dat files and the WPAD discovery process, and then cover configuring WPAD entries in DHCP, configuring WPAD entries in DNS, deploying a WPAD server, and configuring clients for automatic discovery.
Wpad.dat and Wspad.dat
Wpad.dat and Wspad.dat files are obtained from a WPAD server. The WPAD server can be an ISA Server computer that is configured to listen for automatic discovery requests, and generates the Wpad.dat and Wspad.dat files dynamically. Alternatively, the WPAD server can be hosted on another computer such as a computer running Internet Information Services (IIS). Clients configured to automatically discover proxy settings get information about the location of the WPAD server from the WPAD entry obtained from a DHCP or DNS server. Clients then connect to the specified location and retrieve the settings contained in the following files:
- Wpad.dat. The Wpad.dat file is a Microsoft JScript® file used by the Web client browser to set browser settings. Wpad.dat contains the following information:
  - The proxy server that should be used for client requests.
  - Domains and IP addresses that should be accessed directly, bypassing the proxy.
  - An alternate route in case the proxy is not available.
  - In ISA Server 2006 Enterprise Edition, Wpad.dat provides a list of all servers in the array, so that if one is not available, the client can make a request to others. The Cache Array Routing Protocol (CARP) algorithm is used to provide cache distribution to clients. For more information, see "Caching Concepts with CARP in ISA Server 2006 Enterprise Edition" at the Microsoft TechNet Web site.
- Wspad.dat. The ISA Server WSPAD implementation uses the WPAD mechanism, and constructs the Wspad.dat file to provide the client with proxy settings, and some additional Firewall client configuration information not required for automatic detection. The relevant automatic detection entries in Wspad.dat are the server name and port number. If you implement Wspad.dat on a server running IIS, these are the entries that you must specify. The Firewall client uses the server name and port to connect, and then retrieves Firewall client configuration settings from the specified server. Only port 1745 is supported. The relevant entries in Wspad.dat are as follows:

  [Common]
  Port=1745
  [Servers IP Addresses]
  Name = DNS_Entry

  The [Servers IP Addresses] section may contain the IP address of the ISA Server computer (or computers) in the array, or a single DNS name.
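As an added illustration of the Wpad.dat entries listed above (this is example code, not a script generated by ISA Server or taken from the article), the following automatic configuration script returns a proxy, bypasses the proxy for internal names and addresses, and names an alternate array member as the second route. The proxy names isa1/isa2.corp.example, the .corp.example domain and the 10.0.0.0/8 range are constructed for the example.

```javascript
// Added example (not the article's or ISA Server's own output): a Wpad.dat-style
// automatic configuration script with the three kinds of entry the article lists.
// The proxy names isa1/isa2.corp.example, the .corp.example domain and the
// 10.0.0.0/8 range are constructed for this example.

// Stand-ins for the helper functions a browser supplies to a PAC script
// (isPlainHostName, dnsDomainIs, isInNet); defined here only so the script
// can be exercised outside a browser. This isInNet accepts literal IP
// addresses only and does not resolve host names.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function ipToInt(ip) {
  return ip.split(".").reduce((n, octet) => n * 256 + parseInt(octet, 10), 0);
}
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // literal IPs only
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// The function the browser calls for every request; it tries the returned
// routes from left to right.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Names and addresses to reach directly, bypassing the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Proxy for everything else, with an alternate array member as the
  // second route in case the first proxy is unavailable.
  return "PROXY isa1.corp.example:8080; PROXY isa2.corp.example:8080";
}
```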
WPAD Discovery Process
Using WPAD, Web Proxy clients locate configuration settings as follows:
- Clients use the WPAD protocol to obtain a WPAD entry from a DHCP or DNS server.
- The WPAD URL returned to the client contains the address of a WPAD server on which the Wpad.dat and Wspad.dat files are located. The client computer connects to the WPAD server, as follows:
  - Web Proxy clients request the automatic configuration script using a URL with the format http://wpad/wpad.dat for WPAD entries obtained from DNS servers, or http://Computer_FQDN:Port/wpad.dat, where Computer_FQDN is the fully qualified domain name (FQDN) of the computer or ISA Server computer on which the Wpad.dat file will be generated.
  - Web Proxy clients running on Firewall client computers request the automatic configuration script using a URL with the format http://wpad/wspad.dat for DNS entries, or http://Computer_FQDN:Port/wspad.dat for WPAD entries obtained from DHCP servers. Computer_FQDN is the FQDN of the WPAD server on which the Wpad.dat file will be generated. Port should match the port number on which automatic discovery information is available.
- The ISA Server computer is used to service Winsock connections for all applications on the Firewall client computer. For Web Proxy clients, Internet Explorer connects to the ISA Server computer specified for Web requests.
- If automatic detection fails, clients can fall back on a SecureNAT configuration if the client computer has a suitably configured default gateway.
Configuring WPAD Entries in DHCP
To set up a WPAD entry in DHCP, ensure the following:
- A valid DHCP server is installed.
- Clients enabled for automatic discovery are configured as DHCP clients.
Configure the DHCP entry as follows:
- Configure a WPAD entry on the DHCP server by means of a DHCP option 252 entry. DHCP provides a number of predefined options, and option 252 is a predefined DHCP option with a string value, typically used as a registration and query point for discovery of printers, Web proxies (through WPAD), time servers, and other network services. In the string value for the option, you specify the URL of the WPAD server (where the Wpad.dat and Wspad.dat files are located) with the format http://Computer_Name:Port/wpad.dat. For Firewall clients, the URL specified in option 252 is retrieved, and wspad.dat is substituted for the file name. Note the following:
  - ISA Server recognizes wpad.dat, so ensure that the entry is specified in lowercase letters. The Wpad.dat file must be in the root folder, and you should not modify the file name.
  - For WPAD entries obtained from a DHCP server, the WPAD server can listen on any port for requests.
- Define a DHCP scope for each subnet containing client computers. A DHCP scope is an administrative grouping of computers for each physical subnet. The scope includes a range of possible IP addresses that can be assigned to DHCP clients. You assign a unique subnet mask to specify the subnet related to a specific IP address, and you can set exclusion ranges to exclude IP addresses within the range that should not be leased. For example, for a large network, you might define the scope using the entire range of consecutive IP addresses for the local IP subnet, and then set exclusion ranges for hosts that have static IP addresses that are included in the scope.
- Add the option 252 entry to the appropriate scope, even if there is only a single scope.
The DHCP automatic discovery process is as follows:
- DHCP clients send DHCPINFORM messages to query DHCP for the location of the WPAD server containing the WPAD entry.
- DHCP provides the address of the server on which the WPAD information is located during the allocation process, or fetches the information as required.
- Clients request WPAD information from this address.
For more information about deploying DHCP, and setting up scopes, see "Dynamic Host Configuration Protocol for Windows Server 2003" at the Microsoft TechNet Web site.
In Internet Explorer 6 running on Windows XP, there may be some delay when detecting proxy settings through DHCP. There is a hotfix available to address this issue. For more information, see the Microsoft Knowledge Base article 907455, "Internet Explorer may delay up to 10 seconds before it starts for the first time in Windows XP."
Configuring WPAD Entries in DNS
To set up a WPAD entry in DNS, ensure the following:
- Clients must belong to a domain.
- Clients must be configured to resolve DNS names.
Configure the DNS entry as follows:
- Configure a host (A) record for the WPAD server, and then create an alias (CNAME) record to point at the host record. If the ISA Server computer that will service client requests is also your WPAD server, there must be a host record for the ISA Server computer. Note that the host record must exist before creating the alias entry, and must be in the DNS zone to which clients belong (or are configured with). Web Proxy clients request the automatic configuration script using a URL with the format http://wpad/wpad.dat. For Firewall clients, the URL is constructed as a regular WPAD call, with wspad.dat at the end of the URL, as follows: http://wpad/wspad.dat.
Clients must be able to resolve the alias name. Clients are not aware of the domain containing the WPAD entry or alias, and rely on the operating system to provide this information. Clients are aware of the host name, but the operating system must provide the correct domain name (domain suffix) to append to the host name (WPAD) before sending a query to the WPAD server. By default, the domain used is the client's primary domain suffix (the domain in which the client is located, or is configured to use). If the primary domain suffix does not work, the connection-specific DNS suffix is tried. If the WPAD server is not found in the domain, subdomains are removed from the domain until a WPAD server is located, or until the third-level domain is reached. For example, in the a.b.microsoft.com domain, attempts to contact the following hosts will be made:
- wpad.a.b.microsoft.com
- wpad.b.microsoft.com
- wpad.microsoft.com
If a WPAD server is not located by the third-level domain, automatic discovery fails. The domain suffix is generally assigned to clients by one of these methods:
- Assign the primary domain name to clients using DHCP. A DHCP server can be configured with a DHCP scope option to supply DHCP clients with a primary domain name.
- Manually configure the IP properties of the client computer with the correct domain suffix.
If clients belong to multiple domains, you will need a DNS entry for each domain. Firewall clients should be configured to resolve the WPAD entry using an internal DNS server. For WPAD entries obtained from DNS, the WPAD server must listen on port 80. By default, ISA Server acting as a WPAD server listens on port 80.
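The discovery order described in the WPAD Discovery Process, DHCP and DNS sections above, written out as an added example (not code from the article or from ISA Server): the DHCP option 252 URL, with wspad.dat substituted for Firewall clients, followed by the "wpad" names tried under the primary and connection-specific suffixes as labels are removed down to the third-level domain. Trying the DHCP entry before DNS is an assumption of this example; the suffixes and URL in the comments and test are constructed sample input. The resulting list doubles as a checklist of the names that must be registered in zones you administer.

```javascript
// Added example (not from the original article): the locations a client tries
// during WPAD discovery, in the order the article describes (DHCP before DNS
// is an assumption here). Suffixes, host names and the option 252 URL used
// with these functions are constructed sample input.

// Remove leading labels from a DNS suffix until the third-level host is
// reached, e.g. a.b.microsoft.com -> a.b.microsoft.com, b.microsoft.com,
// microsoft.com (the article's example; "wpad." is prepended to each).
function devolve(suffix) {
  const labels = suffix.toLowerCase().split(".").filter(Boolean);
  const out = [];
  while (labels.length >= 2) {   // stop once wpad.<second-level> was tried
    out.push(labels.join("."));
    labels.shift();
  }
  return out;
}

// DNS candidates: the primary domain suffix first, then the connection-specific
// suffix, each devolved; for DNS entries the WPAD server must answer on port 80,
// so no port appears in these URLs.
function dnsCandidates(primarySuffix, connectionSuffix, fileName) {
  const seen = new Set();
  const urls = [];
  for (const suffix of [primarySuffix, connectionSuffix]) {
    for (const domain of devolve(suffix || "")) {
      const host = "wpad." + domain;
      if (seen.has(host)) continue;   // already tried under an earlier suffix
      seen.add(host);
      urls.push("http://" + host + "/" + fileName);
    }
  }
  return urls;
}

// DHCP option 252 carries the complete URL (any port). For a Firewall client
// the file name at the end of that URL is replaced with wspad.dat.
function dhcpCandidate(option252, firewallClient) {
  if (!option252) return null;
  return firewallClient ? option252.replace(/[^\/]*$/, "wspad.dat") : option252;
}

// Full order: the DHCP entry (if any) followed by the DNS names.
function discoveryOrder(opts) {
  const fileName = opts.firewallClient ? "wspad.dat" : "wpad.dat";
  const dhcp = dhcpCandidate(opts.option252, opts.firewallClient);
  const order = dhcp ? [dhcp] : [];
  return order.concat(dnsCandidates(opts.primarySuffix, opts.connectionSuffix, fileName));
}
```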
Deploying a WPAD Server
The WPAD server is the server on which the Wpad.dat and Wspad.dat configuration files are located. In most scenarios, you will use the ISA Server computer as the WPAD server, but in some circumstances you may want to host the Wpad.dat or Wspad.dat file on an alternative computer such as a server running IIS. Consider the following points when setting up a WPAD server:
- The main advantage of using the ISA Server computer as the WPAD server is that the Wpad.dat and Wspad.dat files are automatically updated when Web proxy settings are modified in the ISA Server Management snap-in.
- If ISA Server is acting as a WPAD server and is unavailable, clients cannot request WPAD (Web Proxy clients) or WSPAD (Firewall clients) information.
- To update the WPAD server location, you update the DHCP or DNS WPAD entries that point to the server. Information is cached on DHCP or DNS servers, and the WPAD entry returned may not contain the most up-to-date ISA Server information.
- By maintaining the WPAD and WSPAD files on a computer running IIS, you can avoid cache latency issues that can occur when you consistently modify WPAD entries to point to alternative ISA Server computers.
- Configuring WPAD and WSPAD files on a computer running IIS can provide some failover capabilities. You can configure multiple Web servers in IIS, and place different WPAD and WSPAD files in each Web server. The active Web server will be the one containing WPAD and WSPAD information for the currently active ISA Server computer.
- If you are not using the ISA Server computer as a WPAD server, you do not need to publish automatic discovery information, because ISA Server does not need to listen for automatic discovery requests. This may be an advantage when IIS is co-located on the ISA Server computer, and port conflicts can occur.
- The main disadvantage in placing WPAD and WSPAD files on a computer running IIS is that the file content needs to be updated manually.
Configuring ISA Server as the WPAD Server
To use an ISA Server computer as a WPAD server for automatic discovery requests, you configure the network on which clients are located to publish automatic discovery information, and specify the port number on which the ISA Server computer should make automatic discovery information available. By default, ISA Server publishes automatic discovery information on port 8080. If you are using a WPAD entry in DNS, you must publish on port 80. WPAD entries in DHCP can use any port, but ensure that the port you specify in ISA Server Management for use with DHCP matches the port specified in DHCP option 252.
Configuring an Alternative WPAD Server
An alternative configuration is to place the Wpad.dat and Wspad.dat files on another computer instead of on the ISA Server computer. For example, you can place the files on a server running IIS. In such a configuration, the DNS and DHCP entries point to the computer running IIS, and this computer acts as a dedicated redirector to provide WPAD and WSPAD information to clients. The simplest way to obtain the Wpad.dat and Wspad.dat files is to connect to the ISA Server computer through a Web browser and obtain the files from the following URLs:
The Wpad.dat and Wspad.dat files should be placed as follows:
- For DHCP entries, the files can be located anywhere as long as option 252 points to the correct location, and not just to the root folder of the published Web server. The name of the Wpad.dat file can be modified, but you should not change the name of the Wspad.dat file. The Web server can be published on any port.
- For DNS entries, the files must be located in the root folder of the published Web server, and the Web server must be published on port 80.
In all cases, the Wspad.dat file should be placed in the same folder as the Wpad.dat file.
Configuring Clients for Automatic Discovery
For ease of deployment, when you configure Firewall client support on an ISA Server network, you can configure the network’s properties to enable Web browsers on Firewall client computers in the network to use automatic discovery. To do this, you enable Automatically detect settings on the Firewall Client tab of the network properties.
These settings are applied when Firewall Client is installed on client computers. If you later make changes to Firewall client configuration settings on the ISA Server computer, ISA Server automatically updates configuration settings each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the Settings tab in the Microsoft Firewall Client for ISA Server dialog box, and every six hours after the previous refresh. Settings are applied to all users on the Firewall client computer.
For Web Proxy clients not running on computers with Firewall Client installed, you can enable automatic discovery in the browser properties. Automatic detection is supported in Internet Explorer 7, Internet Explorer 6, and Internet Explorer 5. To enable automatic detection, in Internet Explorer, click the Internet Options menu. Click the Connections tab, and then click LAN Settings. On the Local Area Network (LAN) Settings tab, click Automatically detect settings to enable automatic detection using WPAD.