Condividi tramite


About implementing WPAD

Configuring the WPAD mechanism consists of the following steps:

  • Configure a WPAD server
  • Configure DNS or DHCP so that clients can present a query to discover the location of the WPAD server.

Configuring a WPAD server

Clients connect to DNS or DHCP to obtain information about the location of a WPAD server on which the Wpad.dat and Wspad.dat configuration files are located. Then clients connect to the server to obtain the automatic Web proxy settings.

You can use Forefront TMG as the WPAD server, or you can host the Wpad.dat or Wspad.dat file at an alternative location, such as a server running IIS. When planning for a WPAD server, consider the following:

  • The main advantage of using Forefront TMG as the WPAD server is that the Wpad.dat and Wspad.dat files are automatically updated when Web proxy settings are modified in the Forefront TMG Management console. Placing the WPAD and WSPAD files on a different server requires file content to be updated manually.
  • If Forefront TMG is acting as a WPAD server and is unavailable, clients cannot request WPAD information.
  • Maintaining the WPAD and WSPAD files on a computer running IIS avoids cache latency issues that can occur when you consistently modify WPAD entries to point to alternative Forefront TMG computers.
  • Configuring WPAD and WSPAD files on a computer running IIS can provide some failover capabilities. You can configure multiple Web servers in IIS and place different WPAD and WSPAD files in each Web server. The active Web server will be the one containing WPAD and WSPAD information for the currently active Forefront TMG computer.
  • If you are not using the Forefront TMG computer as a WPAD server, you do not need to publish automatic discovery information, because Forefront TMG does not need to listen for automatic discovery requests. This may be an advantage when IIS is co-located on the Forefront TMG computer and port conflicts can occur.
  • To update the WPAD server location, you update the DHCP or DNS WPAD entries that point to the server. Information is cached on DHCP or DNS servers, and the WPAD entry returned may not contain the most up-to-date Forefront TMG information.

Configuring the WPAD Server

To use a Forefront TMG computer as a WPAD server for automatic discovery requests, you configure the network on which clients are located to publish automatic discovery information and specify the port number on which the Forefront TMG computer should make automatic discovery information available. By default, Forefront TMG publishes automatic discovery information on port 8080. If you are using a WPAD entry in DNS, you must publish on port 80. WPAD entries in DHCP can use any port, but you should ensure that the port you specify in Forefront TMG Management for use with DHCP matches the port specified in DHCP option 252. For instructions, see Configuring a WPAD server.

Configuring an alternative WPAD server

As an alternative to configuring the Forefront TMG computer as the WPAD server, you can place the Wpad.dat and Wspad.dat files on another computer, such as a server running IIS. In this scenario, the DNS and DHCP entries point to the alternative server. This server acts as a dedicated redirector to provide WPAD and WSPAD information to clients. You can obtain the Wpad.dat and Wspad.dat file by connecting to the Forefront TMG server through a Web browser and by obtaining the files from the following URLs:

https://computer_name:port/wpad.dat

https://computer_name:port/wspad.dat

When placing the WPAD files on the server, for DHCP entries, you can locate the files anywhere as long as option 252 points to the correct location, and not just to the root folder of the published Web server. The name of the Wpad.dat file can be modified, but you must not change the name of the Wspad.dat file. The Web server can be published on any port. For DNS entries, you must locate the files in the root folder of the published Web server. The Web server must be published on port 80. In both cases, the Wspad.dat file must be located in the same folder as the Wpad.dat file.

Implementing DNS or DHCP

Consider the following criteria when deciding whether to use a DHCP WPAD entry, a DNS entry, or both:

  • WPAD entries in DNS can only be used by client computers that belong to a domain, and clients must be configured to resolve DNS names.
  • When implementing WPAD with a DNS server, entries must be configured for every domain containing clients enabled for automatic discovery.
  • A valid DHCP server must be installed.
  • When using DNS to publish WPAD, automatic discovery must be configured to use port 80. Alternatively, the outgoing Web requests must be configured to listen on port 80.
  • WPAD in DHCP is limited to specific user groups on some client computer operating systems. For more information, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions."
  • Generally, using DHCP servers with automatic detection works best for local area network (LAN)-based clients, while DNS servers enable automatic detection on computers with both LAN-based and dial-up connections. Although DNS servers can handle network and dial-up connections, DHCP servers provide faster access to LAN users and greater flexibility. If you configure both DHCP and DNS, clients will attempt to query DHCP for automatic discovery information first and then query DNS.

Windows Server 2008 DNS block list

Protocols such as WPAD use the DNS dynamic update feature, which enables DNS client computers to register and dynamically update resource records when clients change a network address or host name. The dynamic update feature makes clients vulnerable to hijacking. For example, a malicious user could register a computer as a WPAD server and direct all WPAD queries to it. No system administrator intervention is required.

The DNS Server role in Windows Server 2008 introduces a global query block list to reduce this vulnerability risk. This block list behaves as follows:

  • After installation or upgrade, the DNS Server service enumerates the zones for which it is authoritative. If it finds a host (A or AAAA) resource record for a host named wpad, the corresponding name is removed from the block list before the list is stored in the registry. This behavior does not affect clients using WPAD.
  • If you configure or remove WPAD after you deploy the DNS server role on a server running Windows Server 2008, you must update the block list on all DNS servers that host the zones affected by the change. The affected zones are those where you registered the WPAD servers.

For instructions, see Removing WPAD from DNS block list.