About selecting an automatic discovery mechanism

Automatic discovery can be implemented by using the Web Proxy Automatic Discovery (WPAD) protocol, or by using a static configuration script. With WPAD, Web proxy clients (usually the client Web browser) use the WPAD protocol to obtain a WPAD entry from a Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) server. With a configuration script, clients connect to the location specified in the script to retrieve proxy settings.

The decision whether to implement a WPAD mechanism or a static configuration script depends on client requirements and network infrastructure. Consider the following:

  • Check client requirements for the WPAD mechanism. For more information, see About preparing clients for automatic detection.
  • For mobile clients, referencing a configuration script at a specific location can cause discovery issues. By using a WPAD entry in DNS or DHCP, clients can obtain correct proxy settings when moving between different locations and networks.
  • If you use an automatic configuration script without WPAD, you can use Group Policy to point clients directly to the Forefront TMG computer that contains the automatic configuration script.

Clients can use either of these methods, or both methods together. If both methods are used, WPAD is attempted first and the static script is used if WPAD detection fails.

Automatic configuration script

Forefront TMG provides a default configuration script at the location https://fqdn:8080/array.dll?Get.Routing.Script, where fqdn is the fully qualified domain name (FQDN) of the Forefront TMG server. The configuration script location can be specified in each browser, or it can be set for all clients who use Group Policy.


WPAD is configured by means of a WPAD entry in DHCP or DNS. Clients make a WPAD request to the DNS server or the DHCP server, and the information return points clients to a location from which the Wpad.dat and Wspad configuration files can be obtained. The client then makes a request to that location for the appropriate configuration file.

Using WPAD, Web Proxy clients locate the configuration settings, as follows:

  1. Clients use the WPAD protocol to obtain a WPAD entry from a DHCP or DNS server.
    The DHCP automatic discovery process is as follows:
    • DHCP clients send DHCPINFORM messages to query DHCP for the location of the WPAD server containing the WPAD entry.
    • DHCP provides the address of the server on which the WPAD information is located during the allocation process, or obtains the information as required.
    • Clients request WPAD information from this address.
      The DNS automatic discovery process is as follows:
    • The Web proxy client makes a DNS query.
    • The DNS server responds to the query with the IP address of the WPAD server.
  2. The WPAD URL returned to the client contains the address of a WPAD server on which the Wpad.dat file and Wspad.dat file are located.

The client computer connects to the WPAD server, as follows:

  1. Web Proxy clients request the automatic configuration script by using a URL with the format https://wpad/wpad.dat to retrieve a WPAD entry from DNS, or with the format https://Computer_FQDN:Port/wpad.dat to retrieve a WPAD entry from DHCP. Computer_FQDN is the fully qualified domain name (FQDN) of the WPAD server.
  2. Web Proxy clients running on Firewall client computers request the automatic configuration script by using a URL with the format https://wpad/wspad.dat for DNS entries, or by using https://Computer_FQDN:Port/wspad.dat to retrieve WPAD entries from DHCP servers. Computer_FQDN is the FQDN of the WPAD server on which the Wpad.dat file will be generated. The port specified in the DHCP entry should match the port number on which automatic discovery information is available.
  3. The Forefront TMG computer is used to service Winsock connections for all applications on the Firewall client computer. For Web Proxy clients, Internet Explorer® connects to the Forefront TMG computer specified for Web requests.
  4. If automatic detection fails, clients can fall back on a SecureNAT configuration if the client computer has a suitably configured default gateway.


Web Proxy clients request the Wpad.dat file from the WPAD server by using a URL with the format https://wpad/wpad.dat. The Wpad.dat file is a Microsoft JScript® file used by the Web client browser to set browser settings. This file contains the following information:

  • The proxy server that should be used for client requests.
  • Domains and IP addresses that should be accessed directly, bypassing the proxy.
  • An alternate route in case the proxy is not available.


Web Proxy applications running on Firewall client computers request the Wspad.dat file using a URL with the format https://wpad/wspad.dat.

The Forefront TMG WSPAD implementation uses the WPAD mechanism and constructs the Wspad.dat file to provide the client with proxy settings, along with additional Firewall client configuration information not required for automatic detection. The Firewall client uses the server name and port to connect, and then retrieves Firewall client configuration settings from the specified server. Only port 1745 is supported. The relevant entries in the Wspad.dat file are as follows:

  • [Common]
  • Port=1745
  • [Servers IP Addresses]Name = DNS_Entry
  • The [Servers IP Addresses] section can contain either the IP address of the Forefront TMG computer or a single DNS name.