Figure 1
When fully configured, the browser sends requests directly to the specified web proxy server. With this client configuration, we can authenticate users and user groups and reduce the load on the TMG firewall.
Manually configuring web proxy settings on each client takes a lot of time and effort when the organization has many clients. In most cases you need a method that configures clients automatically. The solution is Web Proxy Auto Discovery (WPAD), a method by which the Web Proxy client finds the proxy server without any manual configuration. Most current web browsers are set to automatically detect proxy settings by default.
Figure 2
WPAD can be configured using either of two mechanisms: DNS or DHCP. When the Web Proxy client is configured to automatically detect the proxy server, it first looks for option 252 in the settings it received from the DHCP server, and then queries DNS for a host named WPAD, as shown in the network monitoring tool below.
Figure 3
When the client finds the proxy server, it connects to the TMG firewall at the IP address resolved for the WPAD name and retrieves the automatic configuration script, a file called WPAD.DAT. This automatic configuration script contains information about the configured proxy servers and how requests should be handled. Its contents are built dynamically from the web proxy settings and network configuration set in the TMG management console. The configuration script does not reside on the TMG firewall file system; it is stored only in memory and is regenerated whenever an administrator changes the TMG firewall configuration.
To enable automatic proxy discovery, open the TMG management console, select the Web Access Policy node in the console tree, then click the Configure Web Proxy link in the task pane.
Figure 4
Select the Auto Discovery tab and check the checkbox next to Publish automatic discovery information for this network. If you plan to use DNS for WPAD, you must leave the default port at 80. This port may be changed only if you use DHCP for WPAD.
Figure 5
Using DNS for WPAD is the simplest automatic detection option for Web Proxy clients. On the DNS server, create an A resource record named WPAD that points to the IP address of the TMG firewall's internal network interface. If a firewall array serves as the web proxy server, you can create a CNAME record named WPAD that points to the A record of the array, or you can create multiple A resource records named WPAD, each resolving to the internal IP address of one array member.
Figure 6
In most cases, the DNS server will not respond to queries for the WPAD record by default. This is a security feature built into Windows Server 2008 and 2008 R2 designed to prevent 'man-in-the-middle' attacks, in which an attacker sets up a rogue proxy server on the network and quietly registers the WPAD name using dynamic DNS or other techniques. This feature is also enabled on Windows Server 2003 DNS servers that have the MS09-008 security update installed.
To allow a Windows Server 2008 or 2008 R2 DNS server to respond to WPAD queries, open a command prompt on the DNS server and enter the following command (it replaces the default global query block list, which contains both wpad and isatap, with a list containing only isatap):
dnscmd /config /globalqueryblocklist isatap
Note: If you have configured and deployed DirectAccess, ISATAP may be required in your environment. If so, omit ISATAP from the previous command.
To allow a Windows Server 2003 DNS server with the MS09-008 security update installed to respond to WPAD queries, edit the following registry value and remove the WPAD entry:
HKLM\System\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList
Using DNS for WPAD works well on networks with only one gateway. If there are multiple gateways on the network, DNS may still work, but it requires a weighted load-balancing service (e.g. F5 Global Traffic Manager).
For complex networks with multiple gateways or entry points, DHCP is a better option than DNS, because clients can be configured to use the proxy server closest to their geographical location.
To configure WPAD using DHCP, open the DHCP management console, right-click IPv4, and then select Set Predefined Options….
Figure 7
Select the DHCP Standard Options option class and click Add. Enter WPAD as the name, select the String data type, specify code 252 and enter Web Proxy Auto Discovery as the description.
Figure 8
Select the DHCP scope for which you want to configure WPAD, right-click Scope Options and then select Configure Options.
Figure 9
Scroll to the bottom of the list and select 252 WPAD. In the String value field, enter the URL of the web proxy server or array that serves this subnet, in the following format (replace the placeholder in angle brackets with the server or array name; if you changed the Auto Discovery port from the default of 80, append :<port> to the name):
http://<web proxy server name>/wpad.dat
Repeat these steps for each DHCP scope in the network.
Figure 10
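The discovery order and URL format described above (DHCP option 252 first, then the host named WPAD in DNS, with the script served as /wpad.dat), as an added example that is not part of the original article and is not TMG code: a small Python model of the choice the client makes, followed by the checks an administrator can run to confirm that the discovered URL points at a published TMG host and that the retrieved script hands out the expected array members. The helper names, the corp.example domain, the host names, the 10.0.0.1 address and the sample PAC script are all constructed for this example; the DNS lookup is injected as a callable so the code runs offline.

```python
import re
from urllib.parse import urlparse
from urllib.request import urlopen

# The DHCP option code and DNS host name are the ones the article describes;
# everything else in this file is a constructed example.
WPAD_DHCP_OPTION = 252
WPAD_HOSTNAME = "wpad"


def choose_wpad_url(dhcp_options, dns_lookup, dns_domain):
    """Model the discovery order: DHCP option 252 is consulted first; only if
    it is absent does the client query DNS for a host named wpad in its domain.
    Returns (source, url) or (None, None).

    dhcp_options: {option_code: string_value} as received from the DHCP server
    dns_lookup:   callable(hostname) -> IP address string or None (injected so
                  the example runs offline; wrap socket.gethostbyname for real use)
    """
    value = dhcp_options.get(WPAD_DHCP_OPTION)
    if value:
        # DHCP hands the client a complete URL, so a non-default port works here.
        return "dhcp", value.strip().rstrip("\x00")
    host = f"{WPAD_HOSTNAME}.{dns_domain}" if dns_domain else WPAD_HOSTNAME
    if dns_lookup(host):
        # DNS only yields an address, so the client assumes port 80; that is
        # why the Auto Discovery port must stay at 80 when DNS is used.
        return "dns", f"http://{host}/wpad.dat"
    return None, None


def check_wpad_url(url, expected_hosts):
    """Compare a discovered WPAD URL with the hosts the administrator actually
    published. Returns a list of findings; an empty list means it looks right.
    A host outside expected_hosts is what a rogue WPAD registration (the
    man-in-the-middle case the article mentions) would look like."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "http":
        findings.append(f"scheme must be http, got {parsed.scheme!r}")
    if parsed.path.lower() != "/wpad.dat":
        findings.append(f"path must be /wpad.dat, got {parsed.path!r}")
    host = (parsed.hostname or "").lower()
    if host not in {h.lower() for h in expected_hosts}:
        findings.append(f"WPAD host {host!r} is not a published proxy host")
    return findings


def parse_pac_proxies(pac_text):
    """Extract the PROXY host:port entries a wpad.dat script can return, in
    order of first appearance, so they can be checked against the expected
    TMG array members."""
    found = []
    for host, port in re.findall(r"PROXY\s+([A-Za-z0-9.\-]+):(\d+)", pac_text):
        entry = (host.lower(), int(port))
        if entry not in found:
            found.append(entry)
    return found


def fetch_pac(url, timeout=5):
    """Retrieve the wpad.dat script from the discovered URL (live network call;
    not exercised by the constructed sample below)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: what a generated wpad.dat might look like for a
# two-member array (host names, domain and port are made up for the example).
SAMPLE_PAC = """function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
        return "DIRECT";
    return "PROXY tmg1.corp.example:8080; PROXY tmg2.corp.example:8080; DIRECT";
}"""

# Constructed list of the hosts the administrator published for WPAD.
EXPECTED_HOSTS = {"tmg1.corp.example", "tmg2.corp.example", "wpad.corp.example"}


def audit(dhcp_options, dns_lookup, dns_domain, expected_hosts, pac_text):
    """Run the whole check: which URL the client would pick, whether that URL
    is one we published, and which proxies the script hands out."""
    source, url = choose_wpad_url(dhcp_options, dns_lookup, dns_domain)
    if url is None:
        return {"source": None, "url": None,
                "findings": ["no WPAD information from DHCP or DNS"],
                "proxies": []}
    return {"source": source, "url": url,
            "findings": check_wpad_url(url, expected_hosts),
            "proxies": parse_pac_proxies(pac_text)}


if __name__ == "__main__":
    # Constructed DNS answers: only the wpad record exists, pointing at the
    # TMG internal interface address.
    fake_dns = {"wpad.corp.example": "10.0.0.1"}.get
    print(audit({}, fake_dns, "corp.example", EXPECTED_HOSTS, SAMPLE_PAC))
    # Same network, but DHCP option 252 names a host that was never published.
    print(audit({252: "http://unpublished.corp.example/wpad.dat"}, fake_dns,
                "corp.example", EXPECTED_HOSTS, SAMPLE_PAC))
```

In practice the DNS callable would wrap socket.gethostbyname on a client in the scope being checked, and fetch_pac would retrieve the live script from the URL returned by choose_wpad_url; comparing parse_pac_proxies on that script with the array members configured in the TMG console confirms that clients in that scope are handed the intended proxies.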
In addition to the options above, TMG firewall clients can also use an Active Directory (AD) marker. The AD marker automatic configuration option is more secure than using DNS or DHCP, but it has a number of limitations for the TMG firewall client. See the separate article on configuring Active Directory markers for more information.
Web Proxy clients offer a number of security and performance advantages when accessing the TMG web proxy server. However, because the browser settings on every desktop that requires Internet access would otherwise have to be changed, automatic configuration using DNS or DHCP simplifies deployment and eliminates the need for manual intervention. For networks with only one access point, enabling WPAD using DNS is an effective way to configure Web Proxy clients. For complex networks with multiple access points, enabling WPAD using DHCP allows administrators to define different gateways for different subnets, ensuring that clients use the nearest web proxy server regardless of their location.