Automatic Discovery for Firewall and Web Proxy Clients

Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 supports automatic discovery to allow Firewall clients and Web Proxy clients to automatically locate an ISA Server computer to use for client requests.

ISA Server uses the Web Proxy Automatic Discovery (WPAD) protocol, which allows automatic discovery of Web Proxy servers. ISA Server uses WPAD to provide a mechanism for clients to locate a WPAD entry containing a URL that points to a server on which the Wpad.dat and Wspad.dat files are generated. The Wpad.dat file is a JScript file containing a default URL template, constructed by Internet Explorer. The Wpad.dat file is used by Web Proxy clients for automatic discovery information. The ISA Server WinSock Proxy Autodetect (WSPAD) implementation uses the Wpad.dat file, and creates a Wspad.dat file to provide automatic discovery information to Firewall clients. For more information about the WPAD protocol, see the Web Proxy Auto-Discovery Protocol document.

Concepts and Procedures

This section includes:

  • Configuring automatic discovery
  • Web Proxy clients
  • Firewall clients
  • Client support
  • Configuring WPAD entries
  • Configuring a WPAD server
  • References

Configuring Automatic Discovery

There are a number of configuration steps involved in setting up automatic discovery support for clients:

  • Configure Web Proxy clients and Firewall clients for automatic discovery.
  • Create WPAD entries containing a URL that points to a WPAD server on which the Wpad.dat and Wspad.dat files are located. You can create a WPAD entry in DNS, in DHCP, or in both.
  • Configure a WPAD server. The URL specified in the WPAD entry points to the WPAD server, which is the computer on which the WPAD and WSPAD files can be located. There are a number of possible configurations for the WPAD server:
    • In the simplest configuration, the WPAD server is located on the ISA Server computer that will service client requests.
    • Alternatively, the WPAD server might be located on a computer separate from the ISA Server computer.
  • If the ISA Server computer will act as the WPAD server, configure ISA Server to listen for automatic discovery requests, by publishing automatic discovery information on a specified port.

These configuration steps are outlined in detail in the sections that follow.

Web Proxy Clients

For Web Proxy clients, Internet Explorer uses the WPAD protocol to locate a WPAD entry in DHCP or DNS that contains the location of the Wpad.dat script file. When found, Internet Explorer connects to the ISA Server computer specified in the Wpad.dat file for Web requests. Web browser clients make a call to https://wpad:port/wpad.dat, where port is the port listening for automatic discovery requests. For DNS entries, you must listen on port 80. DHCP can listen on any port. (By default ISA Server listens on port 8080). You can type this URL (specify the appropriate port) into the Web browser to view the proxy settings for the specified client, and a list of domain names configured for direct access.

In Internet Explorer, you can enable automatic discovery, or you can specify manually a proxy server that Web Proxy clients should use. On Firewall Client computers, you can configure the Web Proxy settings for the Firewall client in the Firewall Client dialog box.

If automatic discovery fails, Web Proxy clients can fall back on a SecureNAT configuration if the client computer has a suitably configured default gateway. Automatic discovery is supported for Internet Explorer 5 and later.
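The Wpad.dat script the browser fetches is a proxy auto-configuration (PAC) script: a JScript file whose FindProxyForURL function returns the proxy to use and which domains are reached directly. The following is an added illustration written for this page, not the Wpad.dat that ISA Server generates. The proxy host name, the port 8080 and the direct-access list are assumed values, and the three helper functions (isPlainHostName, dnsDomainIs, shExpMatch) are re-implemented here with the semantics a browser provides so the script can be exercised outside Internet Explorer.

```javascript
// Added example (not ISA Server's generated Wpad.dat): a minimal proxy
// auto-configuration script in the JScript/PAC form that Wpad.dat uses,
// plus plain implementations of the three PAC helper functions that a
// browser normally provides, so the script can be exercised under Node.
// Host names, the proxy port and the direct-access list are assumptions.

// --- PAC helpers as a browser supplies them (re-implemented here) ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;          // no dots: unqualified intranet name
}
function dnsDomainIs(host, domain) {
  // true when host is the domain itself or ends with ".domain" (case-insensitive)
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  var d = domain.charAt(0) === "." ? domain : "." + domain;
  return host === d.slice(1) || host.slice(-d.length) === d;
}
function shExpMatch(str, pattern) {
  // shell-style glob: * matches any run of characters, ? matches one
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// --- Settings a WPAD script carries (assumed values) ---
var ISA_PROXY = "PROXY isaserver.corp.example.com:8080";  // ISA Server Web listener
var DIRECT_ACCESS = ["corp.example.com", "localhost"];    // "direct access" domain list

// Entry point every PAC / Wpad.dat script must define
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";          // single-label intranet names
  for (var i = 0; i < DIRECT_ACCESS.length; i++) {
    if (dnsDomainIs(host, DIRECT_ACCESS[i])) return "DIRECT";
  }
  if (shExpMatch(host, "*.local")) return "DIRECT";    // any *.local name
  // Everything else goes through ISA Server; the trailing "DIRECT" lets the
  // browser go direct (for example as a SecureNAT client through the default
  // gateway) if the proxy cannot be reached.
  return ISA_PROXY + "; DIRECT";
}
```

Requesting https://wpad:port/wpad.dat in a browser, as the text suggests, shows the real script ISA Server produces; comparing its proxy entries and direct-access list against the expected internal names is a quick way to confirm that clients are being pointed at the intended ISA Server computer.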

Enable Web Proxy Automatic Discovery in Internet Explorer

On Web Proxy client computers running Internet Explorer 5 or later, do the following:

  1. On the Tools menu, click Internet Options.

  2. Click the Connections tab.

  3. Click LAN Settings.

  4. Click to select the Automatically detect settings check box, and then click OK two times.

Enable Web Proxy Automatic Discovery on Firewall Client for ISA Server 2004 Computers

To enable Web Proxy automatic discovery on a Firewall client, do the following:

  1. In the Web Browser tab of the Microsoft Firewall Client for ISA Server 2004 dialog box, select Enable Web browser automatic configuration.

  2. To apply settings immediately, click Configure now.

Firewall Clients

To implement automatic discovery for Firewall clients, ISA Server uses the WPAD protocol to locate a WPAD entry in DHCP or DNS. If a Firewall Client computer has automatic discovery enabled, the following occurs:

  1. When the client makes a Winsock request, the client connects to the DNS or DHCP server.
  2. The WPAD entry URL returned to the client contains the address of a WPAD server (a server on which the Wpad.dat and Wspad.dat files are located).
  3. The client computer requests the automatic configuration information held in Wspad.dat, with a call to https://wpad:port/wspad.dat on the WPAD server, where port is the port listening for automatic discovery requests. For DNS entries, you must listen on port 80. DHCP can listen on any port. (By default ISA Server listens on port 8080). You can manually type this URL into the Firewall Client browser to check that Firewall Client settings on the ISA Server computer are displayed as expected.
  4. The ISA Server computer identified in the Wspad.dat file is then used to service Winsock connections for all applications on the client computer configured to use the Firewall Client.

In addition to configuring Firewall clients for automatic detection, the automatic discovery process can be initiated manually on Firewall Client computers, by clicking Detect Now in the Firewall Client properties dialog box. If automatic detection fails, Firewall clients can fall back on a SecureNAT configuration if the client computer has a suitably configured default gateway.

Enable Automatic Discovery for Firewall Clients in ISA Server 2004

To enable automatic discovery for Firewall clients for ISA Server 2004, do the following:

  1. In the console tree of ISA Server Management, click Configuration, and then click Networks.

  2. In the details pane, click the Networks tab.

  3. On the Tasks tab, click Edit Selected Network.

  4. On the Firewall Client tab, select Automatically detect settings, if the client computer should automatically attempt to find the ISA Server computer.

Enable Automatic Discovery for Firewall Clients in ISA Server 2000

To enable automatic discovery for Firewall clients for ISA Server 2000, do the following:

  1. In ISA Server Management, click the ISA Server computer name, and then click Client Configuration.

  2. In the details pane, right-click Firewall Client and then click Properties.

  3. On the General tab, select Enable automatic discovery in Firewall Clients.

Client Support

The following table summarizes automatic discovery support for Firewall and Web Proxy clients for various operating systems, such as Microsoft Windows Server 2003, Windows® XP, Windows 2000, Windows NT® Server 4.0, Windows Millennium Edition, Windows 98, and Windows 95.

  Operating system             Internet Explorer 5 and later             Firewall Client 2000                       Firewall Client 2004
  ---------------------------  ----------------------------------------  -----------------------------------------  --------------------------
  Windows Server 2003          All users                                 All users (DNS); Admin users only (DHCP)   All users
  Windows XP                   All users                                 All users (DNS); Admin users only (DHCP)   All users
  Windows 2000                 All users (DNS); Admin users only (DHCP)  All users (DNS); Admin users only (DHCP)   All users
  Windows NT 4.0               All users                                 All users (DNS only)                       All users (DNS only)
  Windows Me                   All users                                 All users                                  All users
  Windows 98 (Second Edition)  All users                                 All users                                  All users
  Windows 98                   All users                                 All users                                  All users
  Windows 95                   All users                                 All users (DNS static only)                No Firewall Client support

Note

In ISA Server 2000, the following DHCP limitation applies: Web Proxy clients on computers running Windows 2000 can only use automatic discovery for users who are members of the Administrators or Power Users group. In Windows XP, the Network Configuration Operators group also has permission to issue DHCP queries. For more information, see article 307502, "Automatically Detect Settings Does Not Work if You Configure DHCP Option 252," in the Microsoft Knowledge Base.

Configuring WPAD Entries

You can create WPAD entries in DHCP, DNS, or both. There are advantages and disadvantages to both approaches:

  • To use DNS, ISA Server must publish automatic discovery information (listen for automatic discovery requests) on port 80. Using DHCP, you can specify any port. Note that by default the ISA Server computer listens on port 8080 for automatic discovery requests.
  • If clients are spread over multiple domains, you need to configure a DNS entry for each domain containing clients with automatic discovery enabled.
  • Clients enabled for automatic discovery must be able to directly access or query the DHCP server for option 252. Remote access and VPN clients cannot access the DHCP server to directly obtain option 252. If automatic discovery is configured using DHCP only, remote access clients will not be able to use this feature.
  • Generally, using DHCP servers with automatic detection works best for local area network (LAN)-based clients, while DNS servers enable automatic detection on computers with both LAN-based and dial-up connections. Although DNS servers can handle network and dial-up connections, DHCP servers provide faster access to LAN users and greater flexibility.

If you configure both DNS and DHCP, clients will attempt to query DHCP for automatic discovery information first, and then query DNS.

DHCP

To configure automatic discovery using DHCP, check the following:

  • Ensure you have a valid DHCP server, and that there is a DHCP scope defined for each subnet containing client computers.
  • Add a WPAD entry to the DHCP server by means of a DHCP Option 252 entry. Option 252 is typically used as a registration and query point for discovery of printers, Web proxies (through WPAD), time servers, and many other network services. The Option 252 entry is a string value indicating the URL of the WPAD server.
  • Configure the Option 252 entry for the appropriate scope, even if there is only a single scope.
  • Ensure that client computers are configured as DHCP clients.

DHCP information is supplied as follows:

  • DHCP provides WPAD information to DHCP clients during the allocation process, or fetches the information as required.
  • On Firewall client computers, when you click Detect Now, the Firewall client queries the DHCP client for WPAD information.

Create an Option 252 Entry in DHCP

To create an Option 252 entry in DHCP, do the following:

  1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.

  2. In the console tree, right-click the applicable DHCP server, click Set Predefined Options, and then click Add.

  3. In Name, type WPAD.

  4. In Code, type 252.

  5. In Data type, select String, and then click OK.

  6. In String, type https://Computer_Name:Port/wpad.dat where:

    • Computer_Name is the fully qualified domain name of the ISA Server computer.
    • Port is the port number on which automatic discovery information is published. You can specify any port number. By default ISA Server publishes automatic discovery information on port 8080.

  7. Right-click Server options, and then click Configure options.

  8. Confirm that the Option 252 check box is selected.

Notes

  • When you specify the Option 252 string, be sure to use lowercase letters when typing wpad.dat. For example, if you type https://isaserver:8080/Wpad.dat, the request will fail. ISA Server uses wpad.dat and is case-sensitive. For more information, see article 252898, "HOW TO: Enable Proxy Autodiscovery in Windows 2000," in the Microsoft Knowledge Base.
  • You do not need to create anything specifically for Wspad.dat. Wspad.dat uses the same 252 option as wpad.dat, and modifies the wpad.dat name to Wspad.dat as required.

Configure Option 252 for a DHCP Scope

To configure an Option 252 entry for a DHCP scope, do the following:

  1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP. Right-click Scope Options, and then click Configure Options.

  2. Click Advanced, and then in Vendor Class, click Standard Options.

  3. In Available Options, select the 252 Proxy Autodiscovery check box, and then click OK.

DNS

To configure a DNS server to provide a WPAD entry to clients, you must create a DNS entry. This entry can be configured in a number of ways:

  • Configure a host (A) record for your WPAD server, and then create an alias (CNAME) record to point at the host record. If the ISA Server computer that will service client requests is also your WPAD server, there must be a host record for the ISA Server computer. Note that the host record must exist before creating the alias entry, and must be in the DNS zone to which clients belong (or are configured with).
  • As an alternative, configure a computer with the name WPAD, and add a host entry specifying the IP address or addresses for this computer, avoiding the need to resolve an alias.

After the entry is added and the database file is propagated to the DNS server, the DNS name wpad.domain.com should resolve to the same computer name as the WPAD server. Web Proxy clients and Firewall clients are not aware of the domain containing the WPAD entry or alias, and rely on the operating system to provide this. The operating system must provide the correct domain name (domain suffix), to append to the host name (WPAD) before sending a query to the WPAD server. By default the domain used is the client's primary domain suffix (the domain in which the client is located, or is configured to use). If the primary domain suffix does not work, the connection-specific DNS suffix is tried. If the WPAD server is not found in the domain name, subdomains are removed from the domain until a WPAD server is located, or until the third-level domain is reached. For example, in the a.b.microsoft.com domain, the following searches will be made:

  • wpad.a.b.microsoft.com
  • wpad.b.microsoft.com
  • wpad.microsoft.com

If a WPAD server is not located by the third-level domain, automatic discovery fails.
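The search order above can be reproduced for any client suffix, which is useful when deciding in which zone the WPAD alias must exist. The following is an added example written for this page, not ISA Server or Windows code: it applies the rule just described (prepend "wpad.", then drop the leftmost label until the third-level name has been tried), first to the primary suffix and then to the connection-specific suffix, and adds a check that reports which candidate names would fall outside the zone you control. The suffix values and the orgDomain parameter are constructed for illustration.

```javascript
// Added example (not ISA Server or Windows code): the WPAD name search order
// this document describes. "wpad." is prepended to the client's DNS suffix
// and leading labels are stripped one at a time until the third-level name
// (wpad.<second-level>.<tld>) has been tried. All suffixes are sample values.

// Candidate names for a single suffix, in query order.
function wpadCandidates(suffix) {
  var labels = suffix.toLowerCase().replace(/^\.+|\.+$/g, "").split(".").filter(Boolean);
  var names = [];
  // Stop once only two labels remain: "wpad" + two labels is the third-level domain.
  while (labels.length >= 2) {
    names.push("wpad." + labels.join("."));
    labels.shift();                              // drop the leftmost subdomain
  }
  return names;
}

// Full search order: primary suffix first, then the connection-specific
// suffix (when present and different), with duplicate names removed.
function wpadSearchOrder(primarySuffix, connectionSuffix) {
  var seen = {};
  var order = [];
  [primarySuffix, connectionSuffix].forEach(function (s) {
    if (!s) return;
    wpadCandidates(s).forEach(function (n) {
      if (!seen[n]) { seen[n] = true; order.push(n); }
    });
  });
  return order;
}

// Defender's check: which candidates lie outside the zone you control?
// orgDomain (assumed parameter) is your own DNS zone, e.g. "example.co.uk".
function candidatesOutsideOrg(order, orgDomain) {
  var tail = "." + orgDomain.toLowerCase();
  return order.filter(function (n) { return n.slice(-tail.length) !== tail; });
}
```

Because the walk continues until the third-level name, a suffix under a two-label public suffix (corp.example.co.uk, say) ends at wpad.co.uk, a name nobody in the organisation controls. Running candidatesOutsideOrg over the order for each client suffix in use shows whether a WPAD alias is needed higher in your own zone so that every client finds the record before the search leaves your namespace.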

The domain suffix is generally assigned to clients by one of these methods:

  • Assign the primary domain name to clients using DHCP.
  • Manually configure the IP properties of the client computer with the correct domain suffix.

Note that you should configure Firewall clients to resolve the WPAD entry using an internal DNS server.

Create a WPAD Entry in DNS

To create a WPAD entry in DNS, do the following:

  1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.

  2. In the console tree, right-click the applicable forward lookup zone and click New Alias.

  3. In Alias name, type WPAD.

  4. In Fully qualified name for target host, type the fully qualified domain name (FQDN) of the WPAD server.

    Note

    The ISA Server computer or array needs a host (A) record defined before you can create an Alias entry. If a host (A) record is defined, you can click Browse to search the DNS namespace for the ISA Server computer.

Configuring a WPAD Server

This section explains WPAD and WSPAD files, a standard configuration, and an alternative configuration.

WPAD and WSPAD Files

The Wpad.dat file is a JScript file containing a default URL template, constructed by Internet Explorer. ISA Server constructs the Wspad.dat file to keep Firewall clients informed of all available ISA Server computers, and additional parameters such as a load factor and a state flag to aid the server selection. The Wspad.dat CFILE contains an explicit Time to Live (TTL) entry. After the TTL period expires, the WinSock Proxy client purges the CFILE and attempts to retrieve a new CFILE. The format of the CFILE is the same as the Firewall client configuration file. In the Common section of the file, the following 3 entries are displayed:

  [Common]
  Port=1745
  [Servers Ip Addresses]
  Name=ISAServer.microsoft.com

Standard Configuration

In a single computer configuration, the WPAD server will run on the ISA Server computer used to service client requests. Note the following in such a configuration:

  • If the ISA Server computer is unavailable, clients cannot make requests to the ISA Server computer, or request WPAD or WSPAD information. The effect of this is that you cannot update the WPAD or WSPAD file to point to an alternative ISA Server computer.
  • To update the WPAD server, you update the DHCP or DNS WPAD entries that point to the server. However, information is cached on DNS or DHCP servers, and the WPAD entry returned by DHCP or DNS may not contain the most up-to-date ISA Server information.
  • The advantage of using the ISA Server computer as the WPAD server is that the Wpad.dat and Wspad.dat files are updated automatically according to the ISA Server configuration.
  • In the standard configuration when using a DHCP option entry, you should keep the URL structure in the following format: https://ISA:port/wpad.dat. The Wpad.dat file must be in the root folder, and you should not modify the file name.

Publish Automatic Discovery Information

To use an ISA Server computer as a WPAD server for automatic discovery requests, you need to enable automatic discovery for the ISA Server computer, and specify the port number on which the ISA Server computer should listen for WPAD and WSPAD requests. By default, ISA Server publishes automatic discovery information on port 8080. If you are using the DHCP method of automatic discovery, you can specify any port. For DNS, you must publish on port 80. Remember that the port you specify in ISA Server Management for use with DHCP must match the port specified in the DHCP 252 option.

Enable and Configure ISA Server 2004 to Listen for Automatic Discovery Requests

To enable and configure ISA Server 2004 to listen for automatic discovery requests, do the following:

  1. In the console tree of ISA Server Management, click Firewall Policy.

  2. In the details pane, select the applicable network (usually Internal).

  3. On the Tasks tab, click Edit Selected Network.

  4. On the Auto Discovery tab, select Publish automatic discovery information.

Enable and Configure ISA Server 2000 to Listen for Automatic Discovery Requests

To enable and configure ISA Server 2000 to listen for automatic discovery requests, do the following:

  1. In the console tree of ISA Server Management, right-click the ISA Server computer name, and then click Properties.

  2. On the Auto Discovery tab, select the Publish automatic discovery information check box.

  3. In Use this port for automatic discovery requests, type the appropriate port number.

Alternative Configuration

An alternative configuration is to place the Wpad.dat and Wspad.dat files on another computer, for example a server running Internet Information Services (IIS). In such a configuration, the DNS and DHCP entries point to the computer running IIS, and this computer acts as a dedicated redirector to provide Web Proxy and Firewall clients with WPAD and WSPAD information. Note the following:

  • Using this method, you maintain WPAD and WSPAD files on the computer running IIS. This avoids cache latency issues that can occur when you consistently modify WPAD entries to point to alternative ISA Server computers.
  • Such a configuration provides some failover possibilities. You can configure multiple Web servers in IIS, and place different WPAD and WSPAD files in each Web server. The active Web server will be the one containing WPAD and WSPAD information for the currently active ISA Server computer.
  • If you are not using the ISA Server computer as a WPAD server, you do not need to publish automatic discovery information, because ISA Server does not need to listen for automatic discovery requests.
  • The drawback to this approach is that the files on the server running IIS need to be updated manually.

On the server running IIS, you must set up files called Wpad.dat and Wspad.dat, to deliver the contents of the automatic configuration file to Firewall and Web Proxy clients. The simplest way to obtain these files on your computer running IIS is to connect to the ISA Server computer through a Web browser and download the files from the following URLs:

  • https://servername:port/wpad.dat
  • https://servername:port/wspad.dat

Where port depends on where the server is listening for such requests.

Place the Wpad.dat and Wspad.dat files as follows:

  • For DHCP entries, the files can be located anywhere as long as option 252 points to the correct location, not just in the root folder of the published Web server. The name of the Wpad.dat file can be modified, but you should not change the name of the Wspad.dat file. The Web server can be published on any port.
  • For DNS entries, the files must be located in the root folder of the published Web server, and the Web server must be published on port 80.
  • In all cases the Wspad.dat file should be placed in the same folder as the Wpad.dat file.
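The rules scattered through this document for the WPAD URL (lowercase wpad.dat, root folder, port 80 for DNS, any port for DHCP provided it matches the port ISA Server publishes on, Wspad.dat derived by swapping the file name and kept in the same folder) can be checked before the value goes into DHCP option 252 or before a DNS alias is created. The following is an added example written for this page, not an ISA Server tool: checkWpadUrl applies those rules for the standard configuration in which ISA Server itself is the WPAD server. The method and publishedPort parameters and the host names in the usage lines are assumptions.

```javascript
// Added example (not ISA Server code): a checker for the WPAD URL used in a
// DHCP option 252 string or reached through a DNS "wpad" entry, applying the
// rules this document states for the standard configuration (ISA Server is
// the WPAD server). Host names are constructed sample values.

var URL_RE = /^(https?):\/\/([^\/:\s]+)(?::(\d{1,5}))?(\/[^\s]*)?$/i;

// method: "dns" or "dhcp". publishedPort: the port ISA Server publishes
// automatic discovery information on (8080 by default, 80 required for DNS).
// Returns { ok, problems, wspadUrl }.
function checkWpadUrl(url, method, publishedPort) {
  if (publishedPort === undefined) publishedPort = 8080;
  var problems = [];
  var trimmed = url.trim();
  var m = URL_RE.exec(trimmed);
  if (!m) return { ok: false, problems: ["not an http(s)://host[:port]/path URL"], wspadUrl: null };

  var scheme = m[1].toLowerCase();
  var host = m[2];
  var port = m[3] ? parseInt(m[3], 10) : (scheme === "https" ? 443 : 80);
  var path = m[4] || "/";

  if (host.indexOf(".") === -1) {
    problems.push("host should be the fully qualified domain name of the ISA Server computer");
  }

  // File name: exactly "wpad.dat", lowercase, directly under the root folder.
  if (path !== "/wpad.dat") {
    if (path.toLowerCase() === "/wpad.dat") {
      problems.push("file name must be lowercase wpad.dat (ISA Server is case-sensitive)");
    } else if (path.toLowerCase().slice(-9) === "/wpad.dat") {
      problems.push("wpad.dat must be in the root folder");
    } else {
      problems.push("path must end in /wpad.dat");
    }
  }

  if (method === "dns") {
    if (port !== 80) problems.push("DNS-based discovery requires port 80, found " + port);
    if (publishedPort !== 80) problems.push("ISA Server must publish automatic discovery information on port 80 for DNS");
  } else if (method === "dhcp") {
    if (port !== publishedPort) {
      problems.push("port " + port + " does not match the port ISA Server publishes on (" + publishedPort + ")");
    }
  } else {
    problems.push("method must be \"dns\" or \"dhcp\"");
  }

  // Firewall clients derive the Wspad.dat location by swapping the file name,
  // so wspad.dat must sit in the same folder as wpad.dat.
  var wspadUrl = path.toLowerCase().slice(-9) === "/wpad.dat"
    ? trimmed.slice(0, trimmed.length - 8) + "wspad.dat"
    : null;

  return { ok: problems.length === 0, problems: problems, wspadUrl: wspadUrl };
}

// Usage (sample values): the Note above says this first string fails in practice.
console.log(checkWpadUrl("https://isaserver.corp.example.com:8080/Wpad.dat", "dhcp", 8080).problems);
console.log(checkWpadUrl("https://isaserver.corp.example.com:8080/wpad.dat", "dhcp", 8080).wspadUrl);
```

In the alternative IIS-hosted configuration the DHCP rules are looser (any folder, and the Wpad.dat name may change), so the root-folder and file-name checks apply there only to the DNS case; the port and wspad.dat-beside-wpad.dat checks hold in both.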

References

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

260210 Description of WinSock Proxy Auto Detect Support

296591 A Description of the Automatic Discovery Feature

284690 The "Automatically Detect ISA Server" Option in the Firewall Client Is Unavailable

295388 Access Violation Occurs in Your Firewall Client When It Is Under a High Load and Is Using WSPAD