Configuring TMG Web Proxy Client Autodiscovery

Introduction


When you configure a Web proxy client to automatically detect the TMG firewall, the autodiscovery option is already selected by default. The problem is that many admins think that this is all they need to do to get it to work. Well, that’s true as far as configuring the client, but there is plenty more you need to do on the server side to get web proxy client autodiscovery to work.


The Web Proxy Automatic Discovery (WPAD) protocol is used to enable web proxy autodiscovery. WPAD was submitted to the IETF as an Internet-Draft by Microsoft and several other vendors and has been supported by Internet Explorer since Internet Explorer 5, but the draft expired in 1999 without ever becoming a standard. Nonetheless, Internet Explorer and other browsers can use WPAD and take advantage of the automatic configuration setting.


Enabling Autodiscovery on the TMG Firewall


You configure the TMG firewall to support automatic discovery on a per-network basis. If you have multiple networks configured on the firewall and you want to allow automatic discovery for only a subset of those networks, then you can enable autodiscovery on just the networks on which you need it to be available. The following steps demonstrate how to configure the TMG firewall’s default internal network for automatic discovery:




  1. On the TMG firewall, open the TMG firewall console.

  2. Click Forefront TMG (Server Name) in the left pane of the firewall console.

  3. Click Networking.

  4. Right-click Internal and then click Properties.

  5. Click the Auto Discovery tab and select Publish Automatic Discovery Information For This Network, as seen in the figure below.

Figure 1

  6. The TMG firewall uses port 80 for automatic discovery requests by default. Do not change this value; clients that find the firewall through DNS always request the file on port 80, so a different port would break DNS-based discovery. Just click OK.

  7. Don’t forget to click Apply at the top of the middle pane in the TMG firewall console to save the changes to the firewall configuration.

After you apply the changes, the TMG firewall will serve the autoconfiguration file to web proxy clients that send a correctly formed request for it on port 80. The next step is to configure DHCP to support autodiscovery.
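The quickest way to confirm that the firewall is really publishing the file is to request it exactly the way a client would. The following PowerShell function is an added example, not code from the original article or from TMG itself; it assumes the firewall's internal listener is reachable at the host and port you pass in (the 10.10.10.1 address used in the usage line is illustrative) and that the autoconfiguration script is published at /wpad.dat, which is the path TMG uses.

```powershell
# Added example: fetch the WPAD autoconfiguration script from a TMG firewall
# and sanity-check it. Host, port and address below are assumptions, not
# values taken from the article. Works on Windows PowerShell 2.0 and later.
function Test-TmgWpad {
    param(
        [Parameter(Mandatory = $true)][string]$FirewallHost,  # IP or name of the TMG internal interface
        [int]$Port = 80,                                      # port set on the Auto Discovery tab
        [int]$TimeoutSeconds = 5
    )

    $url = 'http://{0}:{1}/wpad.dat' -f $FirewallHost, $Port
    $request = [System.Net.WebRequest]::Create($url)
    $request.Method  = 'GET'
    $request.Timeout = $TimeoutSeconds * 1000
    # A proxy is exactly what we are trying to discover, so never send this
    # request through one; otherwise a misconfigured client proxy masks the result.
    $request.Proxy   = $null

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        Write-Warning ('No autodiscovery response from {0}: {1}' -f $url, $_.Exception.Message)
        return $null
    }

    $contentType = $response.ContentType
    $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
    $script = $reader.ReadToEnd()
    $reader.Close()
    $response.Close()

    # A genuine PAC script defines FindProxyForURL. Anything else (an HTML error
    # page, a captive portal) means the request did not reach a publishing listener.
    $isPac = $script -match 'function\s+FindProxyForURL\s*\('

    # List every proxy host:port the script can hand out, so you can see where
    # clients would actually be sent before trusting the file.
    $proxies = @([regex]::Matches($script, 'PROXY\s+([^;"]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() } | Sort-Object -Unique)

    New-Object PSObject -Property @{
        Url         = $url
        ContentType = $contentType
        IsPacScript = $isPac
        Proxies     = $proxies
        Length      = $script.Length
    }
}

# Usage (illustrative internal address of the firewall):
# Test-TmgWpad -FirewallHost 10.10.10.1
```

Run this from a client on the Internal network. If IsPacScript is false or Proxies contains a host you do not recognise, stop and find out what is answering on port 80 before you point DHCP or DNS at it.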


Autodiscovery Support and DHCP


You can use DHCP to support autodiscovery for web proxy clients. The WPAD option can be configured on a per-scope basis or on a per-server basis. If you want all clients to use the same TMG firewall regardless of the TMG firewall network on which the host is located, configure the WPAD option as a server-level option; if different scopes need to point to different firewalls, configure it per scope instead. The following steps show you how to define the WPAD option on the DHCP server and then assign it at the server level:




  1. Click Start, point to Administrative Tools, and click DHCP.

  2. Expand the server name, right-click IPv4, and click Set Predefined Options, as shown in the figure below.

Figure 2

  3. The Predefined Options and Values dialog box opens. Click Add as shown in the figure below.

Figure 3

  4. In the Option Type dialog box, fill in the appropriate values as shown in the figure below.

Figure 4

  5. You’ll need to fill in the following fields:
    · Name – A friendly name for this option, such as WPAD.
    · Data Type – String. The value is a string of printable characters containing the complete WPAD URL.
    · Code – For a WPAD option, the code must be 252.

  6. Click OK, and then type the URL that clients will use to access the WPAD configuration file in the String field under Value, as shown in the figure below (for the contoso.com network used in this article, for example, http://wpad.contoso.com/wpad.dat). Use only lower case letters when entering the URL in the String text box. Click OK.

Figure 5

  7. Right-click Server Options and then click Configure Options in the DHCP console, as shown in the figure below.

Figure 6

  8. In the Server Options dialog box, scroll down until you find the 252 WPAD option. Put a checkmark in the checkbox, as seen in the figure below.

Figure 7

  9. Click OK. The WPAD option will now appear in the right pane of the DHCP console, as seen in the figure below.

Figure 8


After you complete this procedure, the DHCP Server is ready to provide WPAD option information when the client requests it.
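The same configuration can be scripted, which is also the easiest way to audit what a DHCP server is currently handing out as option 252. The script below is an added example, not part of the original article; it uses the DhcpServer PowerShell module (Windows Server 2012 or later, or RSAT), with the netsh equivalents that work on Windows Server 2008 R2 shown in comments. The server name dhcp.contoso.com and the URL http://wpad.contoso.com/wpad.dat are assumptions for the article's lab.

```powershell
# Added example: define DHCP option 252 (WPAD) and set it at server level, which is
# what the console steps above do. Server name and URL are lab assumptions.
param(
    [string]$DhcpServer = 'dhcp.contoso.com',                 # assumed DHCP server
    [string]$WpadUrl    = 'http://wpad.contoso.com/wpad.dat'  # assumed WPAD URL
)

Import-Module DhcpServer

# The article says to enter the URL in lower case only. Refuse anything else
# rather than silently rewriting it, so the operator sees the mistake.
if ($WpadUrl -cne $WpadUrl.ToLowerInvariant()) {
    throw "WPAD URL must be all lower case: $WpadUrl"
}

# 1. Define the option (Set Predefined Options -> Add, code 252, type String).
#    2008 R2 equivalent:
#    netsh dhcp server \\dhcp.contoso.com add optiondef 252 WPAD STRING 0 comment="WPAD URL"
$definition = Get-DhcpServerv4OptionDefinition -ComputerName $DhcpServer -OptionId 252 -ErrorAction SilentlyContinue
if (-not $definition) {
    Add-DhcpServerv4OptionDefinition -ComputerName $DhcpServer -OptionId 252 -Name 'WPAD' `
        -Type String -Description 'Web Proxy Automatic Discovery URL'
} elseif ($definition.Type -ne 'String') {
    # Someone already defined 252 with another type; a String value cannot be stored in it.
    throw "Option 252 already exists on $DhcpServer with type $($definition.Type); expected String"
}

# 2. Assign the value at server level (Server Options -> Configure Options -> 252).
#    Add -ScopeId <network> to make it a per-scope option instead.
#    2008 R2 equivalent:
#    netsh dhcp server \\dhcp.contoso.com set optionvalue 252 STRING "http://wpad.contoso.com/wpad.dat"
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 252 -Value $WpadUrl

# 3. Read the value back. This is also the audit step: anything other than the URL
#    you expect means clients are being sent to a proxy you did not configure.
Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 252 |
    Select-Object OptionId, Name, Value
```

Because the option is a plain string, the DHCP server does not validate it; the read-back at the end is the only check that the URL is what you intended, and it is worth running periodically against every DHCP server on the network.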


WPAD Support with DNS


Many admins believe that if they configure DHCP to support autoconfiguration for web proxy clients, then they won’t need to configure DNS support for WPAD. This is not true. The DHCP option only hands the client a URL; the client still has to resolve the host name in that URL, so you need a DNS record for it. When the client receives the URL you configured on the DHCP server, it will resolve the host name wpad.contoso.com. If you failed to create the DNS entry, the client may fall back to a WINS server or to a NetBIOS broadcast to resolve the name, depending on the NetBIOS node type you configured on the web proxy clients, and a broadcast can be answered by any host on the local segment.


If your organization has multiple TMG firewalls that use NLB for high availability, create a CNAME record for wpad.contoso.com that maps to the A record for the virtual IP address of the TMG NLB array. In the configuration scenario we’re looking at here, we have a single firewall, so the wpad.contoso.com record should point to the A record of this TMG firewall. Perform the following steps to configure a CNAME record for wpad.contoso.com:




  1. Click Start, point to Administrative Tools, and click DNS.

  2. Expand Forward Lookup Zones and right-click the zone where you want to create the CNAME record. Click New Alias (CNAME) as shown in the figure below.

Figure 9

  3. In the New Resource Record window, type wpad in the Alias name field and, in the Fully qualified domain name (FQDN) for target host field, type the FQDN of the TMG firewall (or, for an NLB array, the FQDN that resolves to the array’s VIP). Click OK to save the record.
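The following script does the same thing from PowerShell and, more importantly, checks that the alias target actually has an A record before creating an alias to it. It is an added example, not part of the original article; it uses the DnsServer module (Windows Server 2012 or later, or RSAT) and shows the dnscmd equivalent for older servers in a comment. The zone contoso.com, the DNS server tmg.contoso.com and the target tmg.contoso.com are assumptions taken from the article's lab names.

```powershell
# Added example: create the wpad CNAME the console steps above describe.
# Server, zone and target names are lab assumptions.
param(
    [string]$DnsServer = 'tmg.contoso.com',   # assumed DNS server
    [string]$ZoneName  = 'contoso.com',
    [string]$Target    = 'tmg.contoso.com'    # A record of the firewall, or of the NLB VIP
)

Import-Module DnsServer

# An alias is only useful if its target resolves. When the target lives in the same
# zone, confirm its A record exists before creating the CNAME.
$suffix = '.' + $ZoneName
if ($Target.ToLower().EndsWith($suffix.ToLower())) {
    $targetName = $Target.Substring(0, $Target.Length - $suffix.Length)
    $targetA = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name $targetName -RRType A -ErrorAction SilentlyContinue
    if (-not $targetA) {
        throw "No A record named $targetName in $ZoneName; create the firewall's A record first"
    }
}

# Create the alias if it is not already there.
# 2008 R2 equivalent: dnscmd tmg.contoso.com /recordadd contoso.com wpad CNAME tmg.contoso.com
$existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
    -Name 'wpad' -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name 'wpad' -HostNameAlias $Target
} elseif ($existing.RecordType -ne 'CNAME') {
    # A record of another type (for example an A record registered by a machine that
    # named itself wpad) already owns the name. Do not overwrite it blindly; investigate.
    throw "A $($existing.RecordType) record named wpad already exists in $ZoneName"
}

# Read the record back from the zone. Note that the server will still answer
# Name Error for wpad until the name is removed from the global query block list.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -Name 'wpad' -RRType CName |
    Select-Object HostName, RecordType, @{ n = 'Target'; e = { $_.RecordData.HostNameAlias } }
```

The check for a pre-existing record of another type is deliberate: on a zone that allows dynamic updates, a wpad A record you did not create is exactly the symptom described in the next section.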

DNS Security and Web Proxy Autodiscovery


The Windows DNS service supports dynamic updates, which makes it possible for DNS clients to register and update their own records on the DNS server. This feature has been available in the Windows DNS server since Windows 2000 Server. It reduces the need for manual updates and thus the administrative overhead of maintaining Host (A) and Pointer (PTR) records. But, as is often the case, convenience comes at the cost of some security: dynamic update can provide an avenue of attack, because an attacker who can register a particular host name can redirect certain types of network traffic to a computer he controls.


A malicious user could take advantage of dynamic update and register a record named WPAD simply by renaming his computer to WPAD. Every client that relies on DNS-based autodiscovery would then contact that computer to obtain its configuration file, and the attacker would decide which proxy those clients send their web traffic through. The good news is that, beginning with Windows Server 2003 SP2, a DNS server feature called the Global Query Block List can be used to mitigate this WPAD vulnerability.


This feature is enabled by default and applies to every zone hosted on the server. When it is enabled, the DNS server answers queries for the names wpad and isatap as if those names did not exist, even when matching records are present in the zone. You can see the names in the global query block list by using the dnscmd command. The default output will be similar to the one shown here:


C:\>dnscmd dctmg /info /globalqueryblocklist
Query result:
String:  wpad
String:  isatap
Command completed successfully.


When the web proxy client tries to resolve wpad.contoso.com, the DNS server will return a name error. The following is a Network Monitor trace from a web proxy client that is sending a query for this name:


1. Client sends the DNS Query (see DNS header) to wpad.contoso.com:


10.10.10.2     10.10.10.1     DNS     DNS:QueryId = 0x3, QUERY (Standard query), Query  for wpad.contoso.com of type ALL on class Internet
– Dns: QueryId = 0x3, QUERY (Standard query), Query  for wpad.contoso.com of type ALL on class Internet
QueryIdentifier: 3 (0x3)
  + Flags:  Query, Opcode – QUERY (Standard query), RD, Rcode – Success
QuestionCount: 1 (0x1)
AnswerCount: 0 (0x0)
NameServerCount: 0 (0x0)
AdditionalCount: 0 (0x0)
  – QRecord: wpad.contoso.com of type ALL on class Internet
QuestionName: wpad.contoso.com
QuestionType: A request for all records, 255(0xff)
QuestionClass: Internet, 1(0x1)


2. DNS Server replies with a name error response:


10.10.10.1     10.10.10.2     DNS     DNS:QueryId = 0x3, QUERY (Standard query), Response – Name Error
– Dns: QueryId = 0x3, QUERY (Standard query), Response – Name Error
QueryIdentifier: 3 (0x3)
  + Flags:  Response, Opcode – QUERY (Standard query), AA, RD, RA, Rcode – Name Error
QuestionCount: 1 (0x1)
AnswerCount: 0 (0x0)
NameServerCount: 1 (0x1)
AdditionalCount: 0 (0x0)
  – QRecord: wpad.contoso.com of type ALL on class Internet
QuestionName: wpad.contoso.com
QuestionType: A request for all records, 255(0xff)
QuestionClass: Internet, 1(0x1)
  + AuthorityRecord: contoso.com of type SOA on class Internet: PrimaryNameServer: tmg.contoso.com, AuthorativeMailbox: admin.contoso.com


When the DNS server sends this answer to the client, it also logs an event in the DNS Server event log, as shown in the figure below.



Figure 10


You should monitor for this event, especially if your network doesn’t use autodiscovery. If you see it logged, it means that someone is looking for the WPAD name. Of course, this can simply be due to the fact that Internet Explorer is configured to use autodiscovery by default, so some of these events are expected on any network with Windows clients; what matters is who is querying, and whether the name then becomes resolvable without you having published it.


If you publish WPAD yourself, as in this article, you must remove the name from the block list; otherwise the CNAME record you created is never answered. Perform the following steps to remove WPAD from the block list:




  1. Click Start, click All Programs, click Accessories, right-click Command Prompt and click Run as administrator.

  2. Enter the command dnscmd <ServerName> /config /globalqueryblocklist isatap. This replaces the entire list with the single name isatap, so wpad (and anything else that was on the list) is removed. The output should look something like what appears below:

    C:\Users\Administrator>dnscmd tmg /config /globalqueryblocklist isatap
    Registry property globalqueryblocklist successfully reset.
    Command completed successfully.

  3. You can confirm that wpad is no longer in the block list by entering the command dnscmd <ServerName> /info /globalqueryblocklist. The result should be similar to the one shown here:

    C:\Users\Administrator>dnscmd tmg /info /globalqueryblocklist
    Query result:
    String:  isatap
    Command completed successfully.

  4. You can confirm that the server is now answering queries for wpad.contoso.com by using the command nslookup wpad.contoso.com. You should see something like what appears below:

    C:\Users\Administrator>nslookup wpad.contoso.com
    Server:  localhost
    Address:  ::1
    Name:    tmg.contoso.com
    Address:  10.10.10.3
    Aliases:  wpad.contoso.com

  5. Type exit to close the command prompt.
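The block list change, the check for who has been querying the name, and the resolver-side verification can all be done in one script. The one below is an added example, not part of the original article; it uses the DnsServer module (Windows Server 2012 or later, or RSAT) with the dnscmd equivalents from the steps above in comments, and it reads the DNS Server event log by message text because the article does not give the event ID. The server name tmg.contoso.com and the name wpad.contoso.com are the article's lab assumptions, and the script assumes the wpad CNAME from the previous section already exists.

```powershell
# Added example: audit and adjust the DNS global query block list for wpad.
# Server and host names are lab assumptions.
param(
    [string]$DnsServer = 'tmg.contoso.com',
    [string]$WpadFqdn  = 'wpad.contoso.com'
)

Import-Module DnsServer

# Equivalent of: dnscmd tmg /info /globalqueryblocklist
$before = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
'Block list enabled: {0}; names: {1}' -f $before.Enable, ($before.List -join ', ')

# Before unblocking, look at who has been asking for the name. Blocked queries are
# logged by the DNS Server service; the event ID is not stated in the article, so
# match on the message text instead of a fixed ID.
Get-WinEvent -ComputerName $DnsServer -LogName 'DNS Server' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'wpad' -and $_.Message -match 'block' } |
    Select-Object TimeCreated, Id, Message

if ($before.List -contains 'wpad') {
    # Keep every other entry rather than resetting the list to just "isatap", so any
    # additional names an admin added to the list are not silently dropped.
    $keep = @($before.List | Where-Object { $_ -ne 'wpad' })
    # Equivalent of: dnscmd tmg /config /globalqueryblocklist isatap
    Set-DnsServerGlobalQueryBlockList -ComputerName $DnsServer -List $keep
    $after = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
    'Block list now: {0}' -f ($after.List -join ', ')
}

# Verify from the resolver side, the same check as nslookup wpad.contoso.com above.
# Expect a CNAME pointing at the firewall plus its A record, not a Name Error.
$answer = Resolve-DnsName -Name $WpadFqdn -Server $DnsServer -Type A -DnsOnly -ErrorAction Stop
$answer | Select-Object Name, Type, NameHost, IPAddress
```

Once wpad is off the block list the name is resolvable for every client, so the record that answers must be one you own: keep the wpad CNAME as a static record and, on Active Directory-integrated zones, require secure dynamic updates so that a machine that renames itself WPAD cannot overwrite it.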

Summary


In this article, we talked about how you can configure the TMG firewall to support web proxy client autodiscovery. Autodiscovery enables the web proxy client to use an autoconfiguration file to configure its web proxy client behavior. By default, Internet Explorer is configured to support autoconfiguration. However, you need to configure the TMG firewall to publish autodiscovery information, and then you need to configure the DHCP and DNS servers to support autodiscovery. When configuring the DNS server, you need to make sure that the name WPAD is removed from the global query block list. After that, the web proxy clients will be able to resolve the name WPAD to the internal IP address of the TMG firewall and obtain their autoconfiguration information.
