In Forefront Threat Management Gateway (TMG) 2010 vernacular, there are three types of clients – SecureNAT, Web Proxy, and TMG Firewall clients. A client accessing resources via the TMG firewall can be any one of these or potentially all three; they are not mutually exclusive. Each client type has its own advantages and disadvantages.
Many network engineers choose SecureNAT clients when designing a TMG firewall deployment because they are easy to configure. All that is required is to change the client workstation’s default gateway and possibly the network’s routing tables. Although SecureNAT clients are easy to configure, they impose some serious limitations in terms of security and performance. SecureNAT clients cannot be authenticated because there is no authentication mechanism in IP packets. In addition, as I demonstrated in a previous ISAserver.org article, SecureNAT clients consume significantly more system resources, which can reduce the amount of traffic a TMG firewall can process.
From a security and performance perspective, Web Proxy clients are the ideal choice. When clients are explicitly configured to use the TMG firewall as a web proxy server, we gain the ability to authenticate the user and reduce the demand for system resources on the firewall. The disadvantage is that it requires making configuration changes on the client.
Configuring Web Proxy Clients
Configuring a Web Proxy client is simple and straightforward. Using Internet Explorer as an example, open the web browser and from the pull-down menus select Tools/Internet Options/Connections/LAN Settings. Check the Use a proxy server for your LAN option, enter the hostname or IP address of your TMG proxy, and specify the port on which the web proxy listener is configured (port 8080 by default).
Once complete, the web browser will send each request directly to the web proxy server specified. With the client configured in this manner, user and group authentication can be enforced and load will be reduced on the TMG firewall.
Automatic Web Proxy Discovery and Client Configuration
Manually configuring web proxy settings on each client can be cumbersome if your networking environment includes more than a handful of workstations. In most cases you’ll need an alternative that scales more efficiently and requires no manual intervention. The solution is to use Web Proxy Auto Discovery (WPAD). WPAD is a method by which a Web Proxy client discovers a proxy server without requiring manual configuration. Most web browsers today are configured to automatically detect a proxy by default.
WPAD can be configured using one of two mechanisms – DNS or DHCP. A Web Proxy client that is configured to automatically detect a proxy server will attempt to locate one first by looking for option 252 in the settings it received from its DHCP server, then by querying DNS for a host called WPAD, as shown in the following network trace.
Once the client locates a proxy server it will connect and retrieve the automatic configuration script, a file named WPAD.DAT, from the TMG firewall at the IP address the WPAD entry resolves to. This automatic configuration script includes information about the proxy server(s) configured and how to process the request. Information contained in this script is dynamically built from the web proxy and network configuration settings defined in the TMG management console. The configuration script does not reside anywhere on the TMG firewall’s file system. It is stored only in memory and is dynamically updated any time an administrator makes changes to the TMG firewall configuration.
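The configuration script the client retrieves is a proxy auto-config (PAC) file: a JavaScript function named FindProxyForURL that the browser calls for every request. TMG builds its copy in memory from the console settings, so the script below is an added, hand-written illustration of the same idea rather than anything TMG generates. The helper functions (dnsResolve, isPlainHostName, dnsDomainIs, isInNet) are normally supplied by the browser's PAC engine and are re-implemented here so the file can be evaluated stand-alone; the host names, the 10.0.0.0/8 internal range and the proxy name tmg.corp.example:8080 are assumptions for the example.

```javascript
// Added example, not TMG's generated WPAD.DAT: a minimal PAC script plus the
// helper functions a browser's PAC engine would normally provide.

// --- constructed stand-in for DNS, so the script can run offline ---
const HOSTS = {
  "intranet": "10.0.0.15",
  "intranet.corp.example": "10.0.0.15",
  "www.example.net": "203.0.113.10",
};

// PAC built-ins, re-implemented here (assumption: same semantics as the browser's)
function dnsResolve(host) { return HOSTS[host] || null; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.length >= domain.length && host.endsWith(domain); }
function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(host, pattern, mask) {
  // Accept a literal address or resolve the name; compare under the netmask
  const ip = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// --- the PAC script body the browser evaluates per request ---
function FindProxyForURL(url, host) {
  // Single-label names and the internal DNS domain are reached directly
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Anything that resolves into the internal network also bypasses the proxy
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  // Everything else goes to the TMG web proxy listener, falling back to DIRECT
  return "PROXY tmg.corp.example:8080; DIRECT";
}
```

The "DIRECT" fallback at the end matters to a defender as much as to a user: if the proxy is unreachable, requests leave the client without the authentication and policy enforcement the listener provides, which is one reason to monitor the availability of the listener rather than assume the PAC alone guarantees coverage.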
Enabling Auto Discovery
To enable automatic proxy discovery, open the TMG management console, highlight the Web Access Policy node in the navigation tree, then click the Configure Web Proxy link in the tasks pane.
Select the Auto Discovery tab and check the box next to Publish automatic discovery information for this network. If you plan to use DNS for WPAD you must leave the default port set to 80. It can be changed if DHCP is used for WPAD, however.
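Why the port must stay at 80 for DNS but not for DHCP follows from how the client builds the script URL: DHCP option 252 carries a complete URL (port included), whereas a DNS-discovered WPAD host is always fetched at http://wpad.<domain>/wpad.dat on the default HTTP port. The function below is an added example, not Microsoft or TMG code, that simulates the lookup order described under Automatic Web Proxy Discovery above. The DHCP options and DNS table are constructed inputs, and the domain-suffix walk-up (trying wpad.sales.corp.example before wpad.corp.example) is an assumption about client behaviour, not something the article states.

```javascript
// Added example: client-side WPAD discovery order (DHCP option 252, then DNS).
// Inputs are constructed; dhcpOptions is an object keyed by option code and
// dnsLookup is a function returning an address or null.

function discoverWpadUrl(dhcpOptions, dnsLookup, clientFqdn) {
  // 1. DHCP: option 252 carries the full URL of the script, so the
  //    auto-discovery port on the TMG side can be anything it names.
  const fromDhcp = dhcpOptions[252];
  if (typeof fromDhcp === "string" && /^http:\/\/[^/]+\/\S*$/i.test(fromDhcp)) {
    return { source: "dhcp", url: fromDhcp };
  }

  // 2. DNS: ask for "wpad" in the client's domain, dropping leading labels on a
  //    miss. The script is always fetched from /wpad.dat on port 80, which is
  //    why the TMG auto-discovery port must remain 80 when DNS is used.
  const labels = clientFqdn.split(".").slice(1); // drop the host's own label
  while (labels.length >= 2) {                   // stop before the bare TLD
    const candidate = "wpad." + labels.join(".");
    if (dnsLookup(candidate)) {
      return { source: "dns", url: "http://" + candidate + "/wpad.dat" };
    }
    labels.shift();
  }

  // Nothing found: the browser gives up on auto-detection and connects directly
  return null;
}

// Constructed sample environment for a stand-alone run
const SAMPLE_DNS = { "wpad.corp.example": "10.0.0.1" };
const sampleLookup = (name) => SAMPLE_DNS[name] || null;

console.log(discoverWpadUrl({ 252: "http://tmg-sales.corp.example:8080/wpad.dat" }, sampleLookup, "pc1.sales.corp.example"));
console.log(discoverWpadUrl({}, sampleLookup, "pc1.sales.corp.example"));
```

Because whichever source answers first wins, an unwanted DHCP option 252 or a dynamically registered WPAD host name would be accepted by this sequence without question, which is exactly the exposure the DNS global query block list described under WPAD using DNS is meant to close; auditing who can register names and serve DHCP on a subnet is the corresponding operational check.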
WPAD using DNS
Using DNS for WPAD is the easiest automatic detection option for Web Proxy clients. On the DNS server, create an A resource record named WPAD that points to the IP address of your TMG firewall’s internal network interface. If you have an array of TMG firewalls serving as a web proxy server, you can create a CNAME record named WPAD that points to the A resource records for each individual array member, or you can choose to create multiple A resource records called WPAD that resolve to each array member’s internal IP address.
In most cases the DNS server will not respond to queries for the WPAD record by default. This is a security feature included in Windows Server 2008 and 2008 R2 designed to prevent man-in-the-middle attacks where an attacker might configure a rogue proxy server on a network and surreptitiously register the name WPAD using dynamic DNS or other means. This feature is also enabled in Windows Server 2003 DNS servers with the MS09-008 update installed.
To enable a Windows Server 2008 or 2008 R2 DNS server to respond to queries for WPAD, open an elevated command prompt on the DNS server and enter the following command:
dnscmd /config /globalqueryblocklist isatap
The preceding command replaces the global query block list with a list containing only ISATAP, which unblocks WPAD while still blocking ISATAP. If you have configured and deployed DirectAccess, ISATAP may be required in your environment; if so, omit ISATAP from the command so that the block list is left empty and both names are answered.
To enable a Windows Server 2003 DNS server with the MS09-008 security update installed to respond to queries for WPAD, edit the following registry key and remove the WPAD entry:
Using DNS for WPAD works well for networks that have only a single gateway or egress point. If there are multiple gateways on the network, DNS can still work but will require a geographic load balancing service (e.g. F5 Global Traffic Manager).
WPAD using DHCP
For complex networks with multiple gateways or egress points, DHCP is a better option than using DNS. With DHCP, a web proxy can be configured as a scope option, allowing for the assignment of a unique proxy server on a per-subnet basis. This ensures that users will be configured to use a proxy server that is nearest to their physical location.
To configure WPAD using DHCP, open the DHCP management console, right-click IPv4, then choose Set Predefined Options….
Select the DHCP Standard Options class and choose Add…. Enter WPAD for the name, select String for the data type, specify 252 for the code, and enter Web Proxy Auto Discovery for the description.
Select a DHCP scope to configure WPAD for, right-click Scope Options, and then choose Configure Options….
Scroll to the bottom of the list and select Option 252 WPAD. For the String value: enter the name of the appropriate web proxy server or array for this subnet in the following format:
Repeat these steps for each DHCP scope in your network.
TMG Firewall Client Automatic Configuration
TMG Firewall clients leverage the same DHCP and DNS automatic configuration mechanisms as Web Proxy clients. In addition, TMG Firewall clients can also use the Active Directory (AD) marker. The AD marker automatic configuration option is more secure than using DNS or DHCP, but is limited exclusively to the TMG Firewall client.
Web Proxy clients provide distinct advantages in security and performance when accessing the TMG web proxy server. Although changes to the browser settings on each desktop accessing the Internet are required, leveraging automatic configuration using DNS or DHCP can simplify the deployment and eliminate the need for manual intervention. For networks with a single egress point, enabling WPAD using DNS is a quick and effective way to configure Web Proxy clients. For complex networks with multiple egress points, enabling WPAD using DHCP allows the administrator to define different gateways for different subnets, ensuring that clients are using the nearest web proxy server regardless of where they are located.