TMG Web Proxy Client Concepts and Configuration (Part 2)

By /

If you would like to read the first part in this article series please go to TMG Web Proxy Client Concepts and Configuration (Part 1).

Introduction

In part 1 of this two part series on the Web Proxy client, we began our discussion of the web proxy client configuration and some of the many options available to you when you deploy a web proxy client on your network. In this, part 2 of the series, we’ll complete our discussion of the web proxy client.

Click on the Web Browser tab. On this tab you’ll see the following options:

  • Bypass proxy for Web servers in this network. Selecting this option informs the web proxy client that if the user enters a single label name in the address bar of the web browser, then the request will not be handled by the web proxy client configuration. Instead, the client will use the Firewall client configuration (if it’s configured as a Firewall client) or its SecureNAT client configuration (if it’s configured as a SecureNAT client). Many people misunderstand this option, thinking that the web proxy client is bypassed when the server is on the intranet or the same network; that is not true.
  • Directly access computers specified in the Domains tab. This option has nothing to do with the new feature included with Windows 7 and Windows Server 2008 R2 (DirectAccess). Instead, this is the old “direct access,” which means that the web proxy client configuration is bypassed (i.e., the web proxy client connects directly with the server and doesn’t go through the web proxy client configuration). The “Domains tab” is actually meant for the Firewall client configuration, but the Direct access computers specified in the Domains tab option allows you to take advantage of this list and apply it to web proxy clients too.
  • Directly access computers specified in the Addresses tab. This option allows the web proxy client to bypass the web proxy service on the TMG firewall when it connects to addresses that are listed on the Addresses tab. Remember that the Addresses tab contains the addresses for all of the machines for a particular Network, so it makes sense that you don’t want to bounce off the TMG firewall to reach machines that are on the same Network as the web proxy client.
  • Directly access these servers or domains. This option allows you to add a custom list of servers or domains that you can use in addition to, or instead of, those listed on the Domains tab.

The last option is especially interesting: If Forefront TMG is unavailable, use this backup route to connect to the Internet. You have two choices:

  • Direct access. No, once again this doesn’t mean that the web proxy client is going to use DirectAccess to connect to the Internet. Instead, this means that the web proxy client will bypass the web proxy client configuration to reach the Internet. If the client is configured as a Firewall client, then it will try to use that. If not, it will try to use its SecureNAT client configuration. The key takeaway here is that if the TMG firewall is not available, the web proxy client will use any other method it has available to reach the Internet server.
  • Alternative Forefront TMG. When you select this option, you tell the web proxy client that it can use some other TMG firewall for its web proxy server. When you select this option, you’ll need to enter the FQDN of the TMG firewall or TMG firewall array. The web proxy client will then try the alternative TMG firewall to use a web proxy server.

As you can see, there a number of options on this tab and you should consider which ones you want to use. I typically use all of them in a production environment, so you might consider doing the same.


Figure 1

Click the Auto Discovery tab. On this tab, you enable and configure delivery of the autoconfiguration script to the web proxy and Firewall clients. The autoconfiguration script delivers to the web proxy and Firewall clients all the settings you’re configuring on the TMG firewall to deliver to the web proxy and Firewall clients.

Note that publishing autodiscovery information is not enabled by default. If you want the TMG firewall to publish autodiscovery information, you need to put a checkmark in the Publish automatic discovery information for this network checkbox and then choose a port on which to publish this information. Make sure that there is no device between the clients and the TMG firewall that blocks the port you specified in the Use this port for automatic discovery requests text box.

There are two ways that the web proxy or Firewall client can obtain the location for gettingautodiscovery information:

  • Query DNS for the name WPAD
  • Receive a DHCP option that provides the WPAD information

What does WPAD mean? You probably already know the answer to that: “Web Proxy Auto Discovery.”

Note the warning in the dialog box regarding the port number you use on the TMG firewall to publish the autoconfiguration script. If you publish the location of the autoconfiguration script using DNS, then you must use TCP port 80. If you choose to use DHCP, you have more flexibility and can use any port you like. Also, note that the TMG firewall is not hosting a web server; the only file hosted by the TMG firewall on this port is the autoconfiguration script.


Figure 2

Note in the figure above that it says To configure Forefront TMG Client [Firewall client] computers to use automatic discovery, enable automatic detection for settings on the Forefront TMG Client tab. Let’s take a look at the configuration options available on that tab now.

Click on the Forefront TMG Client tag. As the name implies, the configuration of the Firewall client configuration is done on this page. However, you can also configure the web browser on the machines that are configured as Firewall clients when you install the Firewall client software on the client operating system.

Note the section Client Computer Web Browsing Configuration section. Here you have the following options:

  • Automatically detect settings. This tells the Firewall client computer to configure the browser to obtain autodiscovery information by using either DNS or DHCP and if WPAD isn’t available, then the web proxy will fail back to using direct access (that is to say, it won’t use a web proxy server and will use any other method available to connect to the resource on the Internet).
  • Use automatic configuration script. When you select this option, the web browser on the Firewall client computer will be configured to use either the Use default URL or the Use customer URL. The default URL is the name included in the Forefront TMG name or IP address text box. By default, this is a single label name. I recommend that you always change it to a FQDN. The Use custom URL allows you to use a URL that isn’t the default URL. You might want to do this if you don’t want to change the default name, but want to use a FQDN to connect to the TMG firewall (again, this is highly recommended) or if you want to host the autoconfiguration script on another machine, such as a web server. This is often done if you want to host a custom proxy .pac file for the clients to use to obtain web proxy client configuration information.
  • Use a Web proxy server. This option allows you to configure the web browser on the firewall client machine to use the name or address of the TMG firewall as its web proxy server. Note that while this option enables the browser to act as a web proxy client to the TMG firewall, it does not enable the browser to obtain autoconfiguration information.

In general, the best option is usually the Automatically detect settings option. When you use autoconfiguration, the web proxy client will try to use WPAD in DNS or DHCP to furnish the location of the TMG firewall and autoconfiguration script and if it can’t find it, then it will fall back to direct access and use any other method it can to reach the Internet. In contrast, if you select the Use automatic configuration script or Use a Web proxy server options, and the browser can’t connect to the TMG firewall, then the connection attempt fails and the client doesn’t fail back to using any other method available to connect to the Internet.


Figure 3

On the Web Proxy tab, you enable or disable web proxy client connections for the network. Web proxy client connections are enabled by default for all internal and perimeter Networks. This is controlled by the Enable Web Proxy client connections for this network checkbox, and the Enable HTTP option is enabled by default. The default web proxy port that is used to accept connections from web proxy clients is TCP port 8080. However, you can change this if you like.

Note that there is an SSL section. This might give you the impression that the web proxy clients can connect to the web proxy listener on the TMG firewall by using SSL instead of HTTP. While that would be a pretty cool feature, that isn’t what the SSL section is about. Instead, when you select the Enable SSL checkbox, you make it possible for the TMG firewall to act as a web proxy client to another TMG web proxy server. That is, this option makes it possible for you to use SSL between the proximal and distal web proxy servers (the proximal web proxy server is the one closer to your client and the distal web proxy server is the one closer to the Internet) in a web proxy chaining scenario.

You can also configure the type of authentication that will be accepted by the web listener for this network. By default, Integrated authentication is accepted. You can choose other methods and the TMG firewall will negotiate the appropriate authentication method with the client.


Figure 4

The CARP tab allows you to configure CARP exceptions. You need to do this when traffic to web sites require that the client IP address presented to the server remain the same for the entire session.


Figure 5

The figure below shows the final tab, the NLB tab, which has nothing to do with web proxy client configuration, so that’s for another article on another day 🙂


Figure 6

Summary

In this two part series on web proxy client configuration, we examined the configuration on the server for a number of web proxy client options. We also demonstrated how you can configure the web proxy client when the Firewall client is installed on the client system. I hoped you liked this series and if you have any questions, make sure to ask them on the web boards. Thanks! –Deb.

If you would like to read the first part in this article series please go to TMG Web Proxy Client Concepts and Configuration (Part 1).

About The Author

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top