Automatic Detection Concepts in ISA Server 2006

Automatic detection of Web proxy settings is supported by Microsoft® Internet Security and Acceleration (ISA) Server 2006 using the following methods:

  • Point Web Proxy clients to a specific ISA Server computer that hosts an automatic configuration script containing Web proxy settings.
  • Enable automatic discovery to allow clients to automatically discover the location of the server on which the ISA Server dynamically generated automatic configuration scripts (Wpad.dat and Wspad.dat) are available. Automatic discovery is configured by means of a Web Proxy Automatic Discovery (WPAD) entry in Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS). ISA Server uses the Wpad.dat file to provide configuration information to Web Proxy clients. ISA Server Winsock Proxy Autodetect (WSPAD) constructs the Wspad.dat file to provide information to Firewall clients.

Deployment Considerations

The decision to implement a WPAD mechanism or a static configuration script is dependent upon client requirements and network infrastructure. Consider the following:

  • For mobile clients, referencing a configuration script at a specific location may cause discovery issues. Using a WPAD entry in DNS or DHCP allows clients to obtain correct proxy settings when moving between different locations and networks.
  • You can use an automatic configuration script without WPAD and use Group Policy to point clients directly to the ISA Server computer that contains the automatic configuration script.
  • For Firewall clients, ISA Server provides an easy method of specifying Web browser configuration settings, including automatic detection settings. On the properties page of the network for which Firewall client access is enabled, you can specify Web browser settings to be propagated to Firewall clients on the network. For Web Proxy clients that are not running on Firewall client computers, you can set automatic detection options in each client browser, or configure Group Policy to set client browser settings. This is only an option for client computers that belong to a domain.
  • WPAD entries in DNS can only be used by client computers that belong to a domain, and clients must be configured to resolve DNS names.
  • When implementing WPAD with a DNS server, entries must be configured for every domain containing clients enabled for automatic discovery.
  • Client computers must be configured as DHCP clients to use WPAD in DHCP.
  • WPAD in DHCP is limited to specific user groups on some client computer operating systems. For more information, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions."
  • Generally, using DHCP servers with automatic detection works best for local area network (LAN)-based clients, while DNS servers enable automatic detection on computers with both LAN-based and dial-up connections. Although DNS servers can handle network and dial-up connections, DHCP servers provide faster access to LAN users and greater flexibility. If you configure both DHCP and DNS, clients will attempt to query DHCP for automatic discovery information first, and then query DNS.

Client Support for Automatic Discovery

Before implementing an automatic discovery strategy, it is important to understand client support for WPAD entries in DNS and DHCP. The following table summarizes support for various operating systems.

Operating system | Web Proxy clients (Windows® Internet Explorer® 7, Internet Explorer 6, or Internet Explorer 5) | Firewall Client 2000 | Firewall Client 2004 | Firewall Client for ISA Server 4.0 (in ISA Server 2006)
Microsoft Windows Server™ 2003 with Service Pack 1 (SP1) | All users (DNS and DHCP) | All users (DNS); Administrators only (DHCP) | All users (DNS and DHCP) | All users (DNS and DHCP)
Windows 2000 Server | All users (DNS); Admin users only (DHCP) | All users (DNS); Admin users only (DHCP) | All users (DNS and DHCP) | All users (DNS and DHCP)
Windows NT® Server 4.0 | All users (DNS and DHCP) | All users (DNS only) | All users (DNS only) | All users (DNS only)
Windows XP | All users (DNS and DHCP) | All users (DNS); Admin users only (DHCP) | All users (DNS and DHCP) | All users (DNS and DHCP)
Windows XP with Service Pack 2 (SP2) | All users (DNS and DHCP) | All users (DNS and DHCP) | All users (DNS and DHCP) | All users (DNS and DHCP)
Windows Millennium Edition | All users (DNS and DHCP) | All users (DNS only) | All users (DNS only) | All users (DNS only)
Windows 98 (Second Edition) | All users (DNS and DHCP) | All users (DNS only) | All users (DNS only) | All users (DNS only)
Windows 98 | All users (DNS and DHCP) | All users (DNS only) | No Firewall client support | No Firewall client support
Windows 95 | All users (DNS and DHCP) | All users (static DNS only) | No Firewall client support | No Firewall client support

For Web Proxy clients in Windows 2000 Server, automatic discovery functionality using a WPAD entry in DHCP is only supported for users who are members of the Administrators or Power Users group. In Windows XP, the Network Configuration Operators group also has the permissions needed to issue DHCP queries. For more information, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions." The article includes hotfix details for computers running Windows 2000 Server. For Windows XP, the issue was fixed in Service Pack 2.

Automatic Discovery with WPAD

The next sections explain the Wpad.dat and Wspad.dat files, and explain the WPAD discovery process. Information about configuring WPAD entries in DHCP, configuring WPAD entries in DNS, deploying a WPAD server, and configuring clients for automatic discovery is provided.

Wpad.dat and Wspad.dat

Wpad.dat and Wspad.dat files are obtained from a WPAD server. The WPAD server can be an ISA Server computer that is configured to listen for automatic discovery requests, and generates the Wpad.dat and Wspad.dat files dynamically. Alternatively, the WPAD server can be hosted on another computer such as a computer running Internet Information Services (IIS). Clients configured to automatically discover proxy settings get information about the location of the WPAD server from the WPAD entry obtained from a DHCP or DNS server. Clients then connect to the specified location and retrieve the settings contained in the following files:

  • Wpad.dat. The Wpad.dat file is a Microsoft JScript® file used by the Web client browser to set browser settings. Wpad.dat contains the following information:
    • The proxy server that should be used for client requests.
    • Domains and IP addresses that should be accessed directly, bypassing the proxy.
    • An alternate route in case the proxy is not available.
    • In ISA Server 2006 Enterprise Edition, Wpad.dat provides a list of all servers in the array, so that if one is not available, the client can make a request to others. The Cache Array Routing Protocol (CARP) algorithm is used to provide cache distribution to clients. For more information, see "Caching Concepts with CARP in ISA Server 2006 Enterprise Edition" at the Microsoft TechNet Web site.
  • Wspad.dat. The ISA Server WSPAD implementation uses the WPAD mechanism, and constructs the Wspad.dat file to provide the client with proxy settings, and some additional Firewall client configuration information not required for automatic detection. The relevant automatic detection entries in Wspad.dat are the server name and port name. If you implement Wspad.dat on a server running IIS, these are the entries that you must specify. The Firewall client uses the server name and port to connect, and then retrieves Firewall client configuration settings from the specified server. Only port 1745 is supported. The relevant entries in Wspad.dat are as follows:

    [Common]
    Port=1745

    [Servers IP Addresses]
    Name=DNS_Entry

  • The [Servers IP Addresses] section may contain the IP address of the ISA Server computer (or computers) in the array, or a single DNS name.

WPAD Discovery Process

Using WPAD, Web Proxy clients locate configuration settings as follows:

  1. Clients use the WPAD protocol to obtain a WPAD entry from a DHCP or DNS server.
  2. The WPAD URL returned to the client contains the address of a WPAD server on which the Wpad.dat and Wspad.dat files are located.

The client computer connects to the WPAD server, as follows:

  1. Web Proxy clients request the automatic configuration script using a URL with the format https://wpad/wpad.dat when the WPAD entry is obtained from a DNS server, or https://Computer_FQDN:Port/wpad.dat when it is obtained from a DHCP server, where Computer_FQDN is the fully qualified domain name (FQDN) of the WPAD server (the ISA Server computer or another computer) on which the Wpad.dat file is generated or located.
  2. Web Proxy clients running on Firewall client computers request the automatic configuration script using a URL with the format https://wpad/wspad.dat for DNS entries, or https://Computer_FQDN:Port/wspad.dat for entries obtained from DHCP servers. Computer_FQDN is the FQDN of the WPAD server on which the Wspad.dat file is generated or located. Port must match the port number on which automatic discovery information is available.
  3. The ISA Server computer is used to service Winsock connections for all applications on the Firewall client computer. For Web Proxy clients, Internet Explorer connects to the ISA Server computer specified for Web requests.
  4. If automatic detection fails, clients can fall back on a SecureNAT configuration if the client computer has a suitably configured default gateway.

Configuring WPAD Entries in DHCP

To set up a WPAD entry in DHCP, ensure the following:

  • A valid DHCP server is installed.
  • Clients enabled for automatic discovery are configured as DHCP clients.

Configure the DHCP entry as follows:

  • Configure a WPAD entry to the DHCP server by means of a DHCP option 252 entry. DHCP provides a number of predefined options, and option 252 is a predefined DHCP option with a string value, typically used as a registration and query point for discovery of printers, Web proxies (through WPAD), time servers, and other network services. In the string value for the option, you specify the URL of the WPAD server (where the Wpad.dat and Wspad.dat files are located) with the format https://Computer_Name:Port/wpad.dat. For Firewall clients, the URL specified in option 252 is retrieved, and wspad.dat is substituted for the file name.
    Note the following:
    • ISA Server recognizes wpad.dat, so ensure that the entry is specified in lowercase letters. The Wpad.dat file must be in the root folder, and you should not modify the file name.
    • For WPAD entries obtained from a DHCP server, the WPAD server can listen on any port for requests.
  • Define a DHCP scope for each subnet containing client computers. A DHCP scope is an administrative grouping of computers for each physical subnet. The scope will include a range of possible IP addresses that can be assigned to DHCP clients. You assign a unique subnet mask to specify the subnet related to a specific IP address, and you can set exclusion ranges to exclude IP addresses within the range that should not be leased. For example, for a large network, you might define the scope using the entire range of consecutive IP addresses for the local IP subnet, and then set exclusion ranges for hosts that have static IP addresses that are included in the scope.
  • Add the option 252 entry to the appropriate scope, even if there is only a single scope.

The DHCP automatic discovery process is as follows:

  1. DHCP clients send DHCPINFORM messages to query DHCP for the location of the WPAD server containing the WPAD entry.
  2. DHCP provides the address of the server on which the WPAD information is located during the allocation process, or fetches the information as required.
  3. Clients request WPAD information from this address.
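As an added example that is not part of the ISA Server documentation, the following JavaScript parses the options field of a DHCP message (the RFC 2132 code/length/value layout) to pull out the option 252 string, checks the constraints stated above for a DHCP-delivered entry (the file name must be lowercase wpad.dat; any port is allowed), and derives the wspad.dat URL by substituting the file name, as Firewall clients do. The server name isa01.corp.example, port 8080 and the DHCPACK sample are constructed for the example.

```javascript
// Added example, not from the ISA Server documentation.
// Parses DHCP options (RFC 2132 TLV layout: code, length, value; 0 = pad,
// 255 = end), extracts the WPAD URL from option 252 and validates it.
const OPT_PAD = 0;
const OPT_END = 255;
const OPT_MSG_TYPE = 53;
const OPT_WPAD = 252;

function parseDhcpOptions(buf) {
  const opts = new Map();
  let i = 0;
  while (i < buf.length) {
    const code = buf[i++];
    if (code === OPT_PAD) continue;
    if (code === OPT_END) break;
    if (i >= buf.length) throw new Error('truncated option header');
    const len = buf[i++];
    // Refuse an option whose declared length runs past the message.
    if (i + len > buf.length) throw new Error('option ' + code + ' overruns message');
    opts.set(code, buf.subarray(i, i + len));
    i += len;
  }
  return opts;
}

// Returns the option 252 string, or null when the server sent none.
function wpadUrlFromOptions(buf) {
  const raw = parseDhcpOptions(buf).get(OPT_WPAD);
  if (!raw) return null;
  // Some DHCP servers NUL-terminate the string; strip trailing NULs.
  return raw.toString('latin1').replace(/\0+$/, '');
}

// Applies the DHCP-entry rules from the text: the file name must be exactly
// the lowercase "wpad.dat"; the WPAD server may listen on any port.
function checkWpadUrl(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return { ok: false, reason: 'not a valid URL' };
  }
  const file = u.pathname.split('/').pop();
  if (file !== 'wpad.dat') {
    return { ok: false, reason: 'file name must be lowercase wpad.dat, got ' + JSON.stringify(file) };
  }
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { ok: true, host: u.hostname, port: port };
}

// Firewall clients reuse the option 252 URL with wspad.dat as the file name.
function wspadUrl(url) {
  const u = new URL(url);
  u.pathname = u.pathname.replace(/wpad\.dat$/, 'wspad.dat');
  return u.toString();
}

// Constructed sample: a DHCPACK (option 53 = 5) carrying option 252.
function sampleOptions(url) {
  const s = Buffer.from(url, 'latin1');
  return Buffer.concat([
    Buffer.from([OPT_MSG_TYPE, 1, 5]),
    Buffer.from([OPT_WPAD, s.length]),
    s,
    Buffer.from([OPT_END]),
  ]);
}

const SAMPLE_URL = 'http://isa01.corp.example:8080/wpad.dat'; // constructed
const found = wpadUrlFromOptions(sampleOptions(SAMPLE_URL));
console.log(found, checkWpadUrl(found), wspadUrl(found));
```

Run it with `node` to see the extracted URL, the validation result and the derived wspad.dat URL; feed `checkWpadUrl` a value such as `http://isa01.corp.example:8080/Wpad.dat` to see the lowercase rule rejecting the mixed-case file name that ISA Server would not recognize.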

For more information about deploying DHCP, and setting up scopes, see "Dynamic Host Configuration Protocol for Windows Server 2003" at the Microsoft TechNet Web site.

In Internet Explorer 6 running on Windows XP, there may be some delay when detecting proxy settings through DHCP. There is a hotfix available to address this issue. For more information, see the Microsoft Knowledge Base article 907455, "Internet Explorer may delay up to 10 seconds before it starts for the first time in Windows XP."

Configuring WPAD Entries in DNS

To set up a WPAD entry in DNS, ensure the following:

  • Clients must belong to a domain.
  • Clients must be configured to resolve DNS names.

Configure the DNS entry as follows:

  • Configure a host (A) record for the WPAD server, and then create an alias (CNAME) record to point at the host record. If the ISA Server computer that will service client requests is also your WPAD server, there must be a host record for the ISA Server computer. Note that the host record must exist before creating the alias entry, and must be in the DNS zone to which clients belong (or are configured with). Web Proxy clients request the automatic configuration script using a URL with the format https://wpad/wpad.dat. For Firewall clients, the URL is constructed as a regular WPAD call, with wspad.dat at the end of the URL, as follows: https://wpad/wspad.dat.
    Clients must be able to resolve the alias name. Clients are not aware of the domain containing the WPAD entry or alias, and rely on the operating system to provide this information. Clients are aware of the host name, but the operating system must provide the correct domain name (domain suffix) to append to the host name (WPAD) before sending a query to the WPAD server. By default, the domain used is the client's primary domain suffix (the domain in which the client is located, or is configured to use). If the primary domain suffix does not work, the connection-specific DNS suffix is tried. If the WPAD server is not found in the domain, subdomains are removed from the domain until a WPAD server is located, or until the third-level domain is reached. For example, in the a.b.microsoft.com domain, attempts to contact the following hosts will be made:
  • wpad.a.b.microsoft.com
  • wpad.b.microsoft.com
  • wpad.microsoft.com

If a WPAD server is not located by the third-level domain, automatic discovery fails. The domain suffix is generally assigned to clients by one of these methods:

  • Assign the primary domain name to clients using DHCP. A DHCP server can be configured with a DHCP scope option to supply DHCP clients with a primary domain name.
  • Manually configure the IP properties of the client computer with the correct domain suffix.
  • If clients belong to multiple domains, you will need a DNS entry for each domain. Firewall clients should be configured to resolve the WPAD entry using an internal DNS server. For WPAD entries obtained from DNS, the WPAD server must listen on port 80. By default, ISA Server acting as a WPAD server listens on port 80.
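The suffix-stripping walk described above, as an added example that is not part of the ISA Server documentation: a JavaScript function that lists the host names a client would try for a given primary DNS suffix and optional connection-specific suffix, stopping at the third-level domain. The order (full primary suffix, then the connection-specific suffix, each walked down to its second-level domain) and the lowercase normalization are assumptions of this example.

```javascript
// Added example, not from the ISA Server documentation.
// Lists the WPAD host names a client tries for its DNS suffixes, applying
// the rule above: strip leading labels from the domain until only the
// third-level name (wpad.<second-level>.<top-level>) remains, then stop.
// Ordering between the primary and connection-specific suffix is assumed.
function wpadCandidates(primarySuffix, connectionSuffix) {
  const seen = new Set();
  const candidates = [];
  for (const suffix of [primarySuffix, connectionSuffix]) {
    if (!suffix) continue;
    let labels = suffix.toLowerCase().split('.').filter(Boolean);
    // Keep going while at least a second-level domain (e.g. microsoft.com)
    // remains; the walk never reaches wpad.<tld>, so a name registered in a
    // public top-level domain is never queried.
    while (labels.length >= 2) {
      const host = 'wpad.' + labels.join('.');
      if (!seen.has(host)) {
        seen.add(host);
        candidates.push(host);
      }
      labels = labels.slice(1);
    }
  }
  return candidates;
}

// A client whose suffixes are absent or a single label yields no candidate
// at all, which is why the text requires clients to belong to a domain.
function dnsDiscoveryPossible(primarySuffix, connectionSuffix) {
  return wpadCandidates(primarySuffix, connectionSuffix).length > 0;
}

// Constructed inputs: the domain from the text plus a connection suffix.
console.log(wpadCandidates('a.b.microsoft.com', 'lab.contoso.com'));
console.log(dnsDiscoveryPossible('localdomain', null));
```

The candidate list is what to compare against the zone data when a WPAD alias is not being found: every name in it must either resolve to the intended WPAD server or not exist at all.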

Deploying a WPAD Server

The WPAD server is the server on which the Wpad.dat and Wspad.dat configuration files are located. In most scenarios, you will use the ISA Server computer as the WPAD server, but in some circumstances you may want to host the Wpad.dat or Wspad.dat file on an alternative computer such as a server running IIS. Consider the following points when setting up a WPAD server:

  • The main advantage of using the ISA Server computer as the WPAD server is that the Wpad.dat and Wspad.dat files are automatically updated when Web proxy settings are modified in the ISA Server Management snap-in.
  • If ISA Server is acting as a WPAD server and is unavailable, clients cannot request WPAD (Web Proxy clients) or WSPAD (Firewall clients) information.
  • To update the WPAD server location, you update the DHCP or DNS WPAD entries that point to the server. Information is cached on DHCP or DNS servers, and the WPAD entry returned may not contain the most up-to-date ISA Server information.
  • By maintaining the WPAD and WSPAD files on a computer running IIS, you can avoid cache latency issues that can occur when you consistently modify WPAD entries to point to alternative ISA Server computers.
  • Configuring WPAD and WSPAD files on a computer running IIS can provide some failover capabilities. You can configure multiple Web servers in IIS, and place different WPAD and WSPAD files in each Web server. The active Web server will be the one containing WPAD and WSPAD information for the currently active ISA Server computer.
  • If you are not using the ISA Server computer as a WPAD server, you do not need to publish automatic discovery information, because ISA Server does not need to listen for automatic discovery requests. This may be an advantage when IIS is co-located on the ISA Server computer, and port conflicts can occur.
  • The main disadvantage in placing WPAD and WSPAD files on a computer running IIS is that the file content needs to be updated manually.

Configuring ISA Server as the WPAD Server

To use an ISA Server computer as a WPAD server for automatic discovery requests, you configure the network on which clients are located to publish automatic discovery information, and specify the port number on which the ISA Server computer should make automatic discovery information available. By default, ISA Server publishes automatic discovery information on port 8080. If you are using a WPAD entry in DNS, you must publish on port 80. WPAD entries in DHCP can use any port, but ensure that the port you specify in ISA Server Management for use with DHCP matches the port specified in DHCP option 252.

Configuring an Alternative WPAD Server

An alternative configuration is to place the Wpad.dat and Wspad.dat files on another computer instead of on the ISA Server computer. For example, you can place the files on a server running IIS. In such a configuration, the DNS and DHCP entries point to the computer running IIS, and this computer acts as a dedicated redirector to provide WPAD and WSPAD information to clients. The simplest way to obtain the Wpad.dat and Wspad.dat files is to connect to the ISA Server computer through a Web browser and obtain the files from the following URLs:

The Wpad.dat and Wspad.dat files should be placed as follows:

  • For DHCP entries, the files can be located anywhere as long as option 252 points to the correct location, and not just to the root folder of the published Web server. The name of the Wpad.dat file can be modified, but you should not change the name of the Wspad.dat file. The Web server can be published on any port.
  • For DNS entries, the files must be located in the root folder of the published Web server, and the Web server must be published on port 80.

In all cases, the Wspad.dat file should be placed in the same folder as the Wpad.dat file.

Configuring Clients for Automatic Discovery

For ease of deployment, when you configure Firewall client support on an ISA Server network, you can configure the network’s properties to enable Web browsers on Firewall client computers in the network to use automatic discovery. To do this, you enable Automatically detect settings on the Firewall Client tab of the network properties.

These settings are applied when Firewall Client is installed on client computers. If you later make changes to Firewall client configuration settings on the ISA Server computer, ISA Server automatically updates configuration settings each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the Settings tab in the Microsoft Firewall Client for ISA Server dialog box, and every six hours after the previous refresh. Settings are applied to all users on the Firewall client computer.

For Web Proxy clients not running on computers with Firewall Client installed, you can enable automatic discovery in the browser properties. Automatic detection is supported in Internet Explorer 7, Internet Explorer 6, and Internet Explorer 5. To enable automatic detection, in Internet Explorer, click the Internet Options menu. Click the Connections tab, and then click LAN Settings. On the Local Area Network (LAN) Settings tab, click Automatically detect settings to enable automatic detection using WPAD.

Automatic Detection with an Automatic Configuration Script

Web Proxy clients can use a configuration script to automatically update browser settings. Clients can use such a configuration script in addition to WPAD automatic discovery, or as an alternative.

ISA Server provides a default configuration script at the location https://FQDN:8080/array.dll?Get.Routing.Script, where FQDN is the FQDN of the ISA Server computer. This script contains the settings specified on the Web Browser tab of the network properties. Web Proxy clients will be automatically updated with this information if their settings are enabled to use the configuration script.

Alternatively, you can construct your own Proxy Auto-Configuration (PAC) file and place it on a Web server. When a Web browser looks for the configuration script at the URL that you specify, the Web server receives the request and returns the custom automatic configuration script to the browser.

If WPAD is enabled and a configuration script is also specified, the script location is used when WPAD detection fails.

Configure clients to use the automatic configuration script as follows:

  • ISA Server allows you to specify that all Firewall client browsers on a specific network should use an automatic configuration script. On the network properties pages, click the Firewall Client tab. Select the Use automatic configuration script settings.
  • For Web Proxy clients not running on Firewall client computers, you configure the Web browser properties to use a configuration script. To do this, in Internet Explorer, click the Internet Options menu. Click the Connections tab, and then click LAN Settings. On the Local Area Network (LAN) Settings tab, click Use automatic configuration script to specify the location of the configuration script. Alternatively, you can use Group Policy to specify the location of the script.

Failover for Web Proxy Clients in ISA Server 2006 Enterprise Edition

In ISA Server 2006 Enterprise Edition, you have some proxy failover capabilities with client-side CARP capability, and Network Load Balancing (NLB) configuration. Consider the following:

  • CARP provides load balancing and cache distribution, but does not provide a true failover solution. For example, Internet Explorer caches the configuration script (Wpad.dat or Isa.routing.script) for 50 minutes by default, and new Web browser sessions will first check the cache for the script. If an ISA Server array member specified in the script becomes unavailable, the client may still try to connect to it with the cached script.
  • The configuration script is client-based, and the CARP implementation depends on the client’s interpretation of the state of a specific server. This is less resilient to error than an NLB server-based solution.
  • Implementing NLB and CARP together provides some failover capabilities by ensuring that the automatic configuration script is highly available. If you have NLB configured, you can specify the NLB cluster’s virtual IP address in the location of the automatic configuration script, or by specifying the virtual IP address in the DNS or DHCP WPAD entry. NLB will only forward the request for the script to the available members of the array. The client-side CARP algorithm in the script then ensures that the URL request is handled by the most appropriate array member.
  • For true failover capabilities, clients would connect to the array virtual IP address instead of using client-side CARP capabilities in the automatic configuration script.

Client-Side CARP

In ISA Server Enterprise Edition, the configuration script includes a list of all the array members, so that clients can use any of them. In addition, the automatic configuration script implements the CARP algorithm for selecting the Web proxy that serves a request for a specific URL. CARP distributes cached content across array members in accordance with load factors that you configure, reducing the number of hops required for clients to reach a cached Web page.

Client-side CARP is implemented as follows:

  1. For each URL requested, the Web browser selects a Web proxy to use, either using the information in the Wpad.dat file if automatic detection is enabled, or from the configuration script if the automatic configuration script is enabled.
  2. The CARP algorithm implemented in the script computes a prioritized list of array members that the Web browser should contact to retrieve the object specified by the URL being requested.
  3. The Web browser connects to the first server in the list and requests that it retrieve the page. If the first server does not respond, the next server in the list is contacted, and so on until the object can be retrieved.
  4. The script always returns the same server list for any specified URL, ensuring each URL is cached on one array member only.

The CARP algorithm in ISA Server 2006 Enterprise Edition uses the host name to determine which array member handles the request. CARP assigns all of the requests for a particular host, such as www.fabrikam.com, to a specific array member. This ensures that requests and responses are handled by a single array member, maintaining the context of the session.

You can specify CARP exceptions for sites that you want to be distributed among all array members, rather than handled by a specific array member. This is useful for sites that experience high volumes of traffic that are too large to be handled by a single array member. For example, you may add the Microsoft Update site to the list of CARP exceptions, ensuring that a single array member is not overloaded during periods of peak activity.
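As an added example that is not part of the ISA Server documentation, the following JavaScript sketches the client-side selection described in steps 1 to 4 above and the host-name CARP exceptions, returning its answer in the shape a Proxy Auto-Configuration script uses (an ordered proxy list with DIRECT as the alternate route). The hash routine follows the combination of a key hash and a per-member hash from the CARP v1.0 Internet-Draft; the load-factor weighting (score multiplied by the member's load factor), the round-robin treatment of exception hosts, the member names and port 8080 are simplifications and assumptions of this example, not ISA Server's own routing script.

```javascript
// Added example, not ISA Server's own routing script.
// Client-side CARP: deterministically ranks array members for a host name so
// every client sends the same host to the same member, while CARP exceptions
// are spread across all members. Hash routine after the CARP v1.0 draft; the
// load-factor weighting and the exception handling are simplifications.

function rotl32(x, n) {
  return ((x << n) | (x >>> (32 - n))) >>> 0;
}

// Hash of the key (ISA Server 2006 keys on the host name, not the full URL).
function carpHash(text) {
  let h = 0;
  for (const ch of text.toLowerCase()) {
    h = (rotl32(h, 19) + ch.charCodeAt(0)) >>> 0;
  }
  return h;
}

// Per-member hash, computed once per array member.
function memberHash(name) {
  let h = carpHash(name);
  h = (h + Math.imul(h, 0x62531965)) >>> 0;
  return rotl32(h, 21);
}

// Combine key hash and member hash into a score; the highest score wins.
function combinedScore(keyHash, memHash) {
  let c = (keyHash ^ memHash) >>> 0;
  c = (c + Math.imul(c, 0x62531965)) >>> 0;
  return rotl32(c, 21);
}

// members: [{ name, load }]; exceptions: Set of lowercase host names;
// seq: a per-client request counter used only to rotate exception hosts.
function carpOrder(host, members, exceptions, seq) {
  const key = host.toLowerCase();
  if (exceptions.has(key)) {
    // Exception: do not pin this host to one member; rotate the start point.
    const k = seq % members.length;
    return members.slice(k).concat(members.slice(0, k)).map(m => m.name);
  }
  const keyHash = carpHash(key);
  return members
    .map(m => ({ name: m.name, score: combinedScore(keyHash, memberHash(m.name)) * m.load }))
    .sort((a, b) => b.score - a.score || a.name.localeCompare(b.name))
    .map(m => m.name);
}

// PAC-style answer: ordered proxy list, then DIRECT as the alternate route if
// no member answers. The url argument is kept for the PAC signature only.
function findProxyForURL(url, host, members, exceptions, seq) {
  return carpOrder(host, members, exceptions, seq)
    .map(name => 'PROXY ' + name + ':8080')
    .join('; ') + '; DIRECT';
}

// Constructed array and exception list for a stand-alone run.
const ARRAY = [
  { name: 'isa1.corp.example', load: 1 },
  { name: 'isa2.corp.example', load: 1 },
  { name: 'isa3.corp.example', load: 2 },
];
const EXCEPTIONS = new Set(['update.microsoft.com']);
console.log(findProxyForURL('http://www.fabrikam.com/', 'www.fabrikam.com', ARRAY, EXCEPTIONS, 0));
console.log(findProxyForURL('http://update.microsoft.com/', 'update.microsoft.com', ARRAY, EXCEPTIONS, 1));
```

Because the ranking depends only on the host name and the member list, two clients running the same script agree on which member owns a host, which is the property that keeps each URL cached on one array member; the exception path deliberately gives up that property for the high-volume sites the text describes.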

NLB

To use NLB functionality together with the CARP mechanism provided by the routing script, you can do the following:

  • Configure the WPAD entry to point to the virtual IP address of the array.
  • Alternatively, configure the configuration script URL to point to the virtual IP address of the array, or to a DNS record that resolves to the array virtual IP address. Use the following syntax: https://ISA_ArrayName/array.dll?Get.Routing.Script

ISA_ArrayName is the DNS entry that resolves to the array virtual IP address.

Testing Automatic Detection

For a WPAD entry in DNS, you can test the automatic discovery mechanism by typing the following in the Web browser:

For a WPAD entry in DHCP, you specify the FQDN of the WPAD server. For example, if the WPAD DHCP entry is available on an ISA Server computer, type the following:

To test that the automatic configuration script is being retrieved as expected, type the following in the Web browser:

  • https://ISA_Server_FQDN/array.dll?Get.Routing.Script

In all instances, you should be prompted to save the file.

Additional Resources

For troubleshooting information, see "Troubleshooting WPAD in ISA Server" at the Microsoft TechNet Web site.

For information about ISA Server clients, see "Internal Client Concepts in ISA Server 2006" at the Microsoft TechNet Web site.