Configuring WPAD Support for ISA Firewall Web Proxy and Firewall Clients
The Web Proxy Autodiscovery Protocol (WPAD) can be used to allow Web browsers and the Firewall client application to automatically discover the address of the ISA firewall. The client can then download autoconfiguration information from the firewall after the Web Proxy or Firewall client discovers the address.
WPAD solves the problem of automatically provisioning Web browsers. The default setting on Internet Explorer is to autodiscover Web proxy client settings. When this setting is enabled, the browser can issue a DHCPINFORM message or a DNS query to find the address of the ISA firewall from which it can download autoconfiguration information. This greatly simplifies Web browser setup so that it automatically uses the firewall to connect to the Internet.
The ISA firewall’s Firewall client application can also use the wpad entry to find the ISA firewall and download Firewall client configuration information.
In this article we will discuss the following procedures:
- Configure DHCP WPAD support
- Configure DNS WPAD support
After the wpad information is entered into DHCP and DNS, Web Proxy and Firewall clients will not require manual configuration to connect to the Internet through the ISA firewall.
Configure DHCP WPAD Support
The DHCP scope option number 252 can be used to automatically configure Web Proxy and Firewall clients. In order for the DHCP wpad method to work, the Web Proxy or Firewall client computer must be configured as a DHCP client, and the logged on user must be a member of the local administrators group or Power users group (for Windows 2000). On Windows XP systems, the Network Configuration Operators group also has permission to issue DHCP queries (DHCPINFORM messages).
For more information about the limitations of using DHCP for autodiscovery with Internet Explorer 6.0, please see KB article Automatic Proxy Discovery in Internet Explorer with DHCP Requires Specific Permissions at http://support.microsoft.com/default.aspx?scid=kb;en-us;312864. However, if you’ve been good and upgraded to Windows XP SP2, this is no longer a problem. I assume that the problem remains “fixed” in Windows Vista, but I don’t know that for sure. I also assume that the Windows XP SP2 fix also enables Internet Explorer 7.0 to work correctly without requiring administrator permissions.
Perform the following steps at the DHCP server to create the custom DHCP option:
- Open the DHCP console from the Administrative Tools menu and right click your server name in the left pane of the console. Click the Set Predefined Options command.
- In the Predefined Options and Values dialog box, click the Add button.
- In the Option Type dialog box, enter the following information (the option name and code are the ones the entry later appears under in the Scope Options list, 252 wpad):
Name: wpad
Data type: String
Code: 252
Description: wpad entry
- In the Value frame, enter the URL to the ISA firewall in the String text box. The format for this value is:
The default autodiscovery port number is TCP 80. You can customize this value in the ISA Firewall console. We will cover this subject in more detail later in this document.
In the current example, enter the following into the String text box:
Make sure to enter wpad.dat in all lower case letters. For more information on this problem, please refer to KB article "Automatically Detect Settings" Does Not Work if You Configure DHCP Option 252.
- Right click the Scope Options node in the left pane of the console and click the Configure Options command.
- In the Scope Options dialog box, scroll through the list of Available Options and put a checkmark in the 252 wpad checkbox. Click Apply and then click OK.
- The 252 wpad entry now appears in the right pane of the console under the list of Scope Options.
- Close the DHCP console.
At this point DHCP clients will be able to use DHCP wpad support to automatically discover the ISA firewall and subsequently autoconfigure themselves. However, the ISA firewall must be configured to support publishing autodiscovery information, which we will do later in this article.
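The DHCP side of this procedure comes down to one string option, code 252, carried in the DHCP options field of the server's reply. The following Python is an added example, not code from the article or from ISA Server: it encodes and parses option 252 in a DHCP options field and then audits the value against the rules the text gives (an http URL to the firewall, the autodiscovery port, and a path of exactly /wpad.dat in lower case). The firewall name, the port and the sample option bytes are constructed for illustration. A check like this is useful on the defensive side, since a client that obeys option 252 will trust whatever DHCP server answers its DHCPINFORM, so a value that points anywhere other than the approved ISA firewall is worth flagging.

```python
"""Encode, parse and audit DHCP option 252 (the WPAD URL) in a DHCP options field.

Added example; not part of the original article or of ISA Server. The expected
firewall name, port and sample option bytes below are constructed.
"""
from urllib.parse import urlsplit

WPAD_OPTION = 252      # DHCP option code used for the wpad URL
OPTION_PAD = 0         # single-byte padding, no length field
OPTION_END = 255       # terminates the options field
DHCP_MESSAGE_TYPE = 53 # standard option, included only to make the sample realistic


def encode_options(options):
    """Build a DHCP options field (RFC 2132 type/length/value layout) from {code: bytes}."""
    out = bytearray()
    for code, value in options.items():
        if len(value) > 255:
            raise ValueError("option %d is too long for a single TLV" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def parse_options(blob):
    """Return {code: bytes} from a DHCP options field; stops at the END option."""
    found = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        length = blob[i + 1]
        found[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return found


def check_wpad_url(url, expected_host, expected_port=80):
    """Validate a wpad URL against the article's requirements.

    Returns a list of problems; an empty list means the value is acceptable.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "http":
        problems.append("scheme must be http")
    if (parts.hostname or "").lower() != expected_host.lower():
        problems.append("host %r is not the approved ISA firewall %r"
                        % (parts.hostname, expected_host))
    try:
        port = parts.port if parts.port is not None else 80
    except ValueError:
        port = None
        problems.append("port is not numeric")
    if port is not None and port != expected_port:
        problems.append("port %d does not match the autodiscovery port %d"
                        % (port, expected_port))
    # The KB article the text cites: the file name must be wpad.dat in lower case.
    if parts.path != "/wpad.dat":
        problems.append("path must be exactly /wpad.dat in lower case")
    return problems


def audit_dhcp_options(blob, expected_host, expected_port=80):
    """Pull option 252 out of a DHCP options field and validate it."""
    opts = parse_options(blob)
    if WPAD_OPTION not in opts:
        return ["no option 252 present"]
    url = opts[WPAD_OPTION].decode("ascii", errors="replace").rstrip("\x00")
    return check_wpad_url(url, expected_host, expected_port)


# Constructed samples: one correct reply and one that points clients elsewhere.
GOOD_OPTIONS = encode_options({
    DHCP_MESSAGE_TYPE: b"\x05",  # DHCPACK
    WPAD_OPTION: b"http://isa.corp.example.com:80/wpad.dat",
})
BAD_OPTIONS = encode_options({
    DHCP_MESSAGE_TYPE: b"\x05",
    WPAD_OPTION: b"http://10.0.0.99/WPAD.DAT",
})

if __name__ == "__main__":
    print("good:", audit_dhcp_options(GOOD_OPTIONS, "isa.corp.example.com"))
    print("bad: ", audit_dhcp_options(BAD_OPTIONS, "isa.corp.example.com"))
```

The audit deliberately compares against a single approved firewall name per scope; on a network with several ISA Firewall Networks, run it once per scope with that scope's firewall.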
Configure DNS WPAD Support
Another method that can be used to deliver autodiscovery information to Web Proxy and Firewall clients is DNS. You can create a wpad alias entry in DNS and allow browser clients to use this information to automatically configure themselves. DNS is a viable option, but you have to be aware that if you have multiple networks, each with its own ISA Firewall, then you’ll need to have different wpad entries for each network. While you can support multiple networks and multiple ISA Firewalls using DNS by taking advantage of netmask ordering, most companies prefer to use DHCP wpad to support local networks, since they need to use a local DHCP server anyway to assign addressing information to local clients.
Name resolution is a pivotal component to making this method of Web Proxy and Firewall client autodiscovery work correctly. In this case, the client operating system must be able to correctly fully qualify the name wpad. The reason for this is that the Web Proxy and Firewall client only knows that it needs to resolve the name wpad; it does not know what specific domain name it should append to the query to resolve the name wpad. We will cover this issue in detail later in this document.
In contrast to the DHCP method of assigning autodiscovery information to Web Proxy and Firewall clients, you do not have the option to use a custom port number to publish autodiscovery information when using the DNS method. You must publish autodiscovery information on TCP 80 when using the DNS method.
You need to perform the following steps to configure DNS support for Web Proxy and Firewall client autodiscovery of the ISA firewall:
- Create the wpad entry in DNS
- Configure the client to use the fully qualified wpad alias
- Configure the client browser to use autodiscovery
Create the Wpad Entry in DNS
The first step is to create a wpad alias entry in DNS. This alias (also known as a CNAME record) points to a Host (A) record for the ISA Server 2004 firewall. The Host (A) record resolves the name of the ISA Server 2004 firewall to the internal IP address of the firewall. I should note here that you don’t have to use a CNAME record; you can use an A record if you like, but CNAME records have some management advantages.
The Host (A) record must be created before you create the CNAME record. If you enable automatic registration in DNS, the ISA firewall’s name and IP address will already be entered into a DNS Host (A) record. If you have not enabled automatic registration, you will need to create the Host (A) record for the ISA firewall yourself.
In the following example, the ISA firewall has automatically registered itself with DNS because the internal interface of the ISA firewall is configured to automatically register with DNS and the DNS server is configured to accept unsecured dynamic registrations. In a production environment, I’d recommend that you only accept secure DNS registrations. This won’t be a problem for your ISA Firewall, since it should be a member of the domain for security reasons.
Perform the following steps on the DNS server on the domain controller on the internal network:
- Click Start and select Administrative Tools. Click the DNS entry. In the DNS management console, right click on the forward lookup zone for your domain and click the New Alias (CNAME) command.
- In the New Resource Record dialog box, enter wpad in the Alias name (uses parent domain if left blank) text box. Click the Browse button.
- In the Browse dialog box, double click on your server name in the Records list.
- In the Browse dialog box, double click on the Forward Lookup Zone entry in the Records frame.
- In the Browse dialog box, double click on the name of your forward lookup zone in the Records frame.
- In the Browse dialog box, select the name of the ISA firewall in the Records frame. Click OK.
- Click OK in the New Resource Record dialog box.
- The CNAME (alias) entry appears in the right pane of the DNS management console.
- Close the DNS Management console.
Configure the Client to Use the Fully Qualified wpad Alias
The Web Proxy and Firewall client needs to be able to correctly resolve the name wpad. Neither the Web Proxy nor the Firewall client configuration is aware of the domain containing the wpad alias. The Web Proxy and Firewall client operating system must be able to provide this information to the Web Proxy and Firewall client.
DNS queries must be fully qualified before the query is sent to the DNS server. A fully qualified request contains a host name and a domain name. The Web Proxy and Firewall client only knows the host name portion. The Web Proxy and Firewall client operating system must be able to provide the correct domain name, which it appends to the wpad host name, before it can send a DNS query to the DNS server.
There are a number of methods you can use to ensure that the proper domain name is appended to wpad before the query is sent to the DNS server. Two popular methods for doing this include:
- Using DHCP to assign a primary domain name
- Configuring a primary domain name in the client operating system’s network identification dialog box.
We already configured a primary DNS domain name to assign to DHCP clients when we configured the DHCP scope. The following steps demonstrate how to set the primary domain name that is appended to unqualified DNS queries:
You do not need to perform these steps on the client machine on the Internal network in our example network. The reason for this is that the client is a member of the Active Directory domain on the internal network. However, you should go through the following steps to see how the primary domain name can be configured on non-domain member computers.
- Right click the My Computer icon on the desktop and click the Properties command.
- In the System Properties dialog box, click the Network Identification tab. Click the Properties button.
- In the Identification Changes dialog box, click the More button.
- In the DNS Suffix and NetBIOS Computer Name dialog box, enter the domain name that contains your wpad entry in the Primary DNS suffix of this computer text box. This is the domain name that the operating system will append to the wpad name before sending the DNS query to the DNS server. By default, the primary domain name is the same as the domain name the machine belongs to. If the machine is not a member of a domain, then this text box will be empty. Note that the Change primary DNS suffix when domain membership changes checkbox is enabled by default. In the current example, the machine is not a member of a domain.
Cancel out of each of the dialog boxes so that you do not configure a primary domain name at this time.
Note that if you have multiple domains and clients on your internal network that belong to multiple domains, then you will need to create wpad CNAME alias entries for each of the domains.
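The name-qualification behaviour described in this section is easy to get wrong and hard to see from the client, so here is an added Python example (not code from the article or from ISA Server) that emulates it offline: it appends the client's primary DNS suffix (and any search list) to the bare name wpad, follows the CNAME to the firewall's Host (A) record, and reports whether each domain's wpad entry resolves to the firewall expected for that domain. The zone data, suffixes and addresses are constructed for illustration; it also assumes no DNS suffix devolution, and it goes slightly beyond the text by covering the multi-domain case from the note above, including a domain that has clients but no wpad entry.

```python
"""Emulate how a Web Proxy / Firewall client qualifies the bare name "wpad" and
check that the answer points at the approved ISA firewall for that domain.

Added example; not part of the original article or of ISA Server. The zone data,
suffix lists and firewall addresses are constructed, and suffix devolution is
not modelled.
"""

# Constructed zone data: (fully qualified name, record type) -> value.
# The article's layout: a wpad CNAME in each domain that has clients, pointing
# at that domain's ISA firewall Host (A) record.
ZONES = {
    ("wpad.corp.example.com", "CNAME"): "isa.corp.example.com",
    ("isa.corp.example.com", "A"): "10.0.0.1",
    # branch.example.com has its own ISA firewall and its own wpad alias
    ("wpad.branch.example.com", "CNAME"): "isa-br.branch.example.com",
    ("isa-br.branch.example.com", "A"): "10.1.0.1",
    # lab.example.com has clients, but nobody created a wpad entry there
}


def qualify(name, primary_suffix, search_list=()):
    """Return the fully qualified names the resolver would try, in order.

    Only an unqualified name (no dot) gets suffixes appended; a name that already
    contains a dot is tried as given. The primary DNS suffix is tried first,
    then any search list entries.
    """
    if "." in name:
        return [name.rstrip(".")]
    candidates = []
    for suffix in [primary_suffix, *search_list]:
        if suffix:
            fqdn = "%s.%s" % (name, suffix.strip("."))
            if fqdn not in candidates:
                candidates.append(fqdn)
    return candidates


def resolve(fqdn, zones=ZONES, max_chain=8):
    """Follow CNAMEs to a Host (A) record; return (target_fqdn, ip) or None."""
    current = fqdn
    for _ in range(max_chain):
        if (current, "A") in zones:
            return current, zones[(current, "A")]
        if (current, "CNAME") in zones:
            current = zones[(current, "CNAME")]
            continue
        return None
    return None  # CNAME loop or chain too long


def discover_wpad(primary_suffix, search_list=(), zones=ZONES):
    """Emulate the client's lookup of the bare name wpad.

    Returns (queried_fqdn, firewall_fqdn, ip) or None if no candidate resolves.
    """
    for fqdn in qualify("wpad", primary_suffix, search_list):
        answer = resolve(fqdn, zones)
        if answer is not None:
            return fqdn, answer[0], answer[1]
    return None


def check_wpad_target(primary_suffix, expected_ip, search_list=(), zones=ZONES):
    """Report whether wpad in this suffix resolves, and to the firewall we expect."""
    result = discover_wpad(primary_suffix, search_list, zones)
    if result is None:
        return "no wpad entry reachable for suffix %r: DNS autodiscovery cannot work" % primary_suffix
    fqdn, target, ip = result
    if ip != expected_ip:
        return "MISMATCH: %s -> %s (%s), expected %s" % (fqdn, target, ip, expected_ip)
    return "ok: %s -> %s (%s)" % (fqdn, target, ip)


if __name__ == "__main__":
    # Expected firewall per domain (constructed, as would be kept in an inventory)
    for suffix, expected in [("corp.example.com", "10.0.0.1"),
                             ("branch.example.com", "10.1.0.1"),
                             ("lab.example.com", "10.0.0.1")]:
        print(check_wpad_target(suffix, expected))
```

Run against real records, a check of this shape is also a cheap way to notice a wpad alias that has been changed or added where it should not exist, since every client in that domain will use whatever it points at.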
Configure the Client Browser to Use Autodiscovery
The next step is to configure the browser to use autodiscovery. If you have not already done so, perform the following steps to configure the Web browser to use autodiscovery to automatically configure itself to use the ISA firewall’s Web Proxy service:
- Right click on the Internet Explorer icon on the desktop and click Properties.
- In the Internet Properties dialog box, click the Connections tab. Click the LAN Settings button.
- In the Local Area Network (LAN) Settings dialog box, put a checkmark in the Automatically detect settings checkbox. Click OK.
- Click Apply and then click OK in the Internet Properties dialog box.
The next step is to configure the ISA firewall to publish autodiscovery information for autodiscovery Web Proxy and Firewall clients.
Configuring the ISA Firewall to Publish Autodiscovery Information
The DHCP and DNS wpad entries are designed to point the Web proxy and Firewall client applications to the IP address and port that the ISA Firewall uses to provide autodiscovery information to the clients. However, by default autodiscovery publishing on the ISA Firewall is disabled. It’s your job to enable this setting on each ISA Firewall Network that contains Web proxy and Firewall clients.
- In the ISA Firewall console, expand the server name in the left pane of the console and then expand the Configuration node in the left pane. Click on the Networks node.
- In the Networks node, click on the Networks tab in the middle pane of the console. Double click the ISA Firewall Network for which you want to enable autodiscovery publishing. In this example, we’ll enable autodiscovery publishing for the default Internal ISA Firewall Network.
- In the Internal Properties dialog box, click on the Auto Discovery tab. Put a checkmark in the Publish automatic discovery information for this network checkbox. By default, the ISA Firewall will listen for requests from Web Proxy and Firewall clients on TCP port 80. If you’re using DHCP wpad entries, then you can change this port. However, if you use DNS based wpad support, then you must leave the value at its default, TCP port 80.
- Click Apply and then click OK.
- Click Apply to save the changes and update the firewall policy.
At this point you can close all browser windows and reopen them. The new settings will work at this point and the Web browsers will be able to get autoconfiguration information from the ISA firewall. For the Firewall clients, you can wait about six hours for the update, or you can manually force them to update their configuration. Right click on the Firewall client icon in the system tray, select the Automatically detect ISA Server option and click Detect Now.
Click OK to save the settings.
In this article we discussed how to automatically configure the Web proxy and Firewall clients to use wpad entries to automatically discover the ISA Firewall and automatically configure themselves. We went over the two methods you can use for autodiscovery: DHCP and DNS. We also demonstrated how to configure the client to correctly qualify the unqualified wpad name and how to configure the ISA Firewall to publish autodiscovery information on the appropriate ISA Firewall Networks that contain clients that wish to use autodiscovery.