Chapter 5: Configuring DNS and DHCP Support for Web Proxy and Firewall Client Autodiscovery
The Web Proxy Autodiscovery Protocol (WPAD) can be used to allow Web browsers and the Firewall client application to automatically discover the address of the ISA Server 2004 firewall. The client can then download autoconfiguration information from the firewall after the Web Proxy or Firewall client discovers the address.
WPAD solves the problem of automatically provisioning Web browsers. The default setting on Internet Explorer 6.0 is to autodiscover Web proxy client settings. When this setting is enabled, the browser can issue a DHCPINFORM message or a DNS query to find the address of the ISA Server 2004 from which it can download autoconfiguration information. This greatly simplifies Web browser setup so that it automatically uses the firewall to connect to the Internet.
The ISA Server 2004 Firewall client can also use the wpad entry to find the ISA Server 2004 firewall and download Firewall client configuration information.
In this ISA Server 2004 Configuration Guide document, we discuss how to:
- Configure DHCP WPAD support, and
- Configure DNS WPAD support
After the wpad information is entered into DHCP and DNS, Web Proxy and Firewall clients will not require manual configuration to connect to the Internet through the ISA Server 2004 firewall machine.
Configure DHCP WPAD Support
The DHCP scope option number 252 can be used to automatically configure Web Proxy and Firewall clients. The Web Proxy or Firewall client must be configured as a DHCP client, and the logged-on user must be a member of the local Administrators group or the Power Users group (for Windows 2000). On Windows XP systems, the Network Configuration Operators group also has permission to issue DHCP queries (DHCPINFORM messages).
For more information about the limitations of using DHCP for autodiscovery with Internet Explorer 6.0, please see KB article Automatic Proxy Discovery in Internet Explorer with DHCP Requires Specific Permissions at http://support.microsoft.com/default.aspx?scid=kb;en-us;312864
Perform the following steps at the DHCP server to create the custom DHCP option:
- Open the DHCP console from the Administrative Tools menu and right-click your server name in the left pane of the console. Click the Set Predefined Options command.
- In the Predefined Options and Values dialog box, click Add.
- In the Option Type dialog box, enter the following information:
Data type: String
Description: wpad entry
- In the Value frame, enter the URL to the ISA Server 2004 firewall in the String text box. The format for this value is:
The default autodiscovery port number is TCP 80. You can customize this value in the ISA Management console. We will cover this subject in more detail later.
In the current example, enter the following into the String text box:
Make sure to enter wpad.dat in all lowercase letters. For more information on this problem, please refer to KB article "Automatically Detect Settings" Does Not Work if You Configure DHCP Option 252 at http://support.microsoft.com/default.aspx?scid=kb;en-us;307502
- Right-click the Scope Options node in the left pane of the console and click the Configure Options command.
- In the Scope Options dialog box, scroll through the list of Available Options and put a check mark in the 252 wpad check box. Click Apply and then click OK.
- The 252 wpad entry now appears in the right pane of the console under the list of Scope Options.
- Close the DHCP console.
At this point a DHCP client that has a logged on user who is a local administrator will be able to use DHCP wpad support to automatically discover the ISA Server 2004 firewall and subsequently autoconfigure itself. However, the ISA Server 2004 firewall must be configured to support publishing autodiscovery information. We will do this configuration later in this ISA Server 2004 Configuration Guide.
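As an added example (not part of the ISA Server guide), the following Python checks a candidate option 252 value against the rules above (http only, wpad.dat in lowercase, a valid port defaulting to TCP 80) and shows how that string is carried as a DHCP option on the wire; the firewall host name in the test data is hypothetical.

```python
"""Check and encode a DHCP option 252 (WPAD) value. Added example; the
firewall host name used with it is hypothetical."""
from typing import Dict, List
from urllib.parse import urlsplit

WPAD_OPTION_CODE = 252   # option Internet Explorer asks for in its DHCPINFORM
DEFAULT_WPAD_PORT = 80   # ISA Server 2004 default autodiscovery port


def check_wpad_url(value: str) -> List[str]:
    """Return the problems found in an option 252 string (empty list = OK)."""
    problems = []
    parts = urlsplit(value)
    if parts.scheme != "http":
        problems.append("scheme must be http")
    if not parts.hostname:
        problems.append("missing firewall host name")
    if parts.path.lower() != "/wpad.dat":
        problems.append("path must be /wpad.dat")
    elif parts.path != "/wpad.dat":
        problems.append("wpad.dat must be all lowercase")   # KB 307502
    try:
        port = parts.port if parts.port is not None else DEFAULT_WPAD_PORT
        if not 1 <= port <= 65535:
            problems.append("port out of range")
    except ValueError:
        problems.append("port is not a number")
    return problems


def encode_option_252(value: str) -> bytes:
    """Encode the string as the DHCP option TLV: code, length, ASCII bytes."""
    data = value.encode("ascii")
    if len(data) > 255:
        raise ValueError("a single DHCP option carries at most 255 bytes")
    return bytes([WPAD_OPTION_CODE, len(data)]) + data


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Walk a DHCP options field (after the magic cookie) into code -> value."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:        # end marker
            break
        if code == 0:          # pad byte, carries no length
            i += 1
            continue
        length = blob[i + 1]
        options[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return options
```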
Configure DNS WPAD Support
Another method that can be used to deliver autodiscovery information to Web Proxy and Firewall clients is DNS. You can create a wpad alias entry in DNS and allow browser clients to use this information to automatically configure themselves. This is in contrast to the situation we saw with the DHCP method, where the logged-on user needed to be a member of a specific group in the Windows operating system.
Name resolution is a pivotal component to make this method of Web Proxy and Firewall client autodiscovery work correctly. In this case, the client operating system must be able to fully qualify the name wpad because the Web Proxy and Firewall client only knows that it needs to resolve the name wpad. It does not know what specific domain name it should append to the query to resolve the name wpad. We will cover this issue in detail later in the chapter.
In contrast to the DHCP method of assigning autodiscovery information to Web Proxy and Firewall clients, you do not have the option to use a custom port number to publish autodiscovery information when using the DNS method. You must publish autodiscovery information on TCP 80 when using the DNS method.
You need to perform the following steps to configure DNS support for Web Proxy and Firewall client autodiscovery of the ISA Server 2004 firewall:
- Create the wpad entry in DNS
- Configure the client to use the fully qualified wpad alias
- Configure the client browser to use autodiscovery
Create the Wpad Entry in DNS
The first step is to create a wpad alias entry in DNS. This alias (also known as a CNAME record) points to a Host (A) record for the ISA Server 2004 firewall. The Host (A) record resolves the name of the ISA Server 2004 firewall to the Internal IP address of the firewall.
Create the Host (A) record before you create the CNAME record. If you enable automatic registration in DNS, the ISA Server 2004 firewall’s name and IP address will already be entered into a DNS Host (A) record. If you have not enabled automatic registration, you will need to create the Host (A) record for the ISA Server 2004 firewall yourself.
In the following example, the ISA Server 2004 firewall has automatically registered itself with DNS because the Internal interface of the ISA Server 2004 firewall is configured to do so, and the DNS server is configured to accept unsecured dynamic registrations.
Perform the following steps on the DNS server on the domain controller on the Internal network:
- Click Start and select Administrative Tools. Click the DNS entry. In the DNS management console, right-click the forward lookup zone for your domain and click the New Alias (CNAME) command.
- In the New Resource Record dialog box, enter wpad in the Alias name (uses parent domain if left blank) text box. Click the Browse button.
- In the Browse dialog box, double-click your server name in the Records list.
- In the Browse dialog box, double-click the Forward Lookup Zone entry in the Records frame.
- In the Browse dialog box, double-click the name of your forward lookup zone in the Records frame.
- In the Browse dialog box, select the name of the ISA Server 2004 firewall in the Records frame. Click OK.
- Click OK in the New Resource Record dialog box.
- The CNAME (alias) entry appears in the right pane of the DNS management console.
- Close the DNS Management console.
Configure the Client to Use the Fully Qualified wpad Alias
The Web Proxy and Firewall clients need to be able to resolve the name wpad. The Web Proxy and Firewall client configurations are not aware of the domain containing the wpad alias, so the client operating system must provide this information to them.
DNS queries must be fully qualified before they are sent to the DNS server. A fully qualified request contains a host name and a domain name. The Web Proxy and Firewall clients only know the host name portion. The client operating system must be able to provide the correct domain name, which it appends to the wpad host name, before it can send the DNS query to the DNS server.
There are a number of methods you can use to ensure that the proper domain name is appended to wpad before the query is sent to the DNS server. Two popular methods for doing this include:
- Using DHCP to assign a primary domain name
- Configuring a primary domain name in the client operating system’s network identification dialog box.
We already configured a primary DNS name to assign to DHCP clients when we configured the DHCP scope. The following steps demonstrate how to set the primary domain name to append to unqualified DNS queries:
You do not need to perform these steps on the client machine on the Internal network in our example network, because that client is a member of the Active Directory domain on the Internal network. However, you should go through the following steps to see how the primary domain name is configured on non-domain-member computers.
- Right-click My Computer on the desktop and click Properties.
- In the System Properties dialog box, click the Network Identification tab. Click the Properties button.
- In the Identification Changes dialog box, click the More button.
- In the DNS Suffix and NetBIOS Computer Name dialog box, enter the domain name that contains your wpad entry in the Primary DNS suffix of this computer text box. The operating system will append this domain name to the wpad name before sending the DNS query to the DNS server. By default, the primary domain name is the same as the domain name the machine belongs to. If the machine is not a member of a domain, this text box will be empty. Note that the Change primary DNS suffix when domain membership changes check box is enabled by default. In the current example, the machine is not a member of a domain.
Cancel out of each of the dialog boxes so that you do not configure a primary domain name at this time.
Note that if you have multiple domains and clients on your Internal network that belong to multiple domains, you will need to create wpad CNAME alias entries for each of the domains.
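As an added example (not part of the ISA Server guide), the following Python models the two things this section depends on: how the client operating system qualifies the bare name wpad with its primary DNS suffix, and an audit of the forward lookup zones that reports, per client domain, whether wpad.<domain> is a CNAME that actually reaches a Host (A) record. The zone data and all names in it are constructed and hypothetical.

```python
"""Audit DNS for WPAD autodiscovery. Added example; all names are hypothetical."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data: FQDN -> (record type, value). No A record exists for
# isa.sales.example, so that CNAME is deliberately broken.
ZONES: Dict[str, Tuple[str, str]] = {
    "isa.corp.example": ("A", "10.0.0.1"),
    "wpad.corp.example": ("CNAME", "isa.corp.example"),
    "wpad.sales.example": ("CNAME", "isa.sales.example"),
}


def qualify(name: str, primary_suffix: str) -> Optional[str]:
    """Append the client's primary DNS suffix, as the client OS does before querying."""
    suffix = primary_suffix.strip(".").lower()
    return f"{name.lower()}.{suffix}" if suffix else None


def resolve_a(zones: Dict[str, Tuple[str, str]], name: str, max_hops: int = 4) -> Optional[str]:
    """Follow a CNAME chain to a Host (A) record; None if it dead-ends."""
    for _ in range(max_hops):
        rec = zones.get(name.lower())
        if rec is None:
            return None
        if rec[0] == "A":
            return rec[1]
        name = rec[1]          # CNAME target, keep following
    return None


def wpad_url(primary_suffix: str) -> Optional[str]:
    """URL a DNS-method client fetches; the port is fixed at TCP 80."""
    fqdn = qualify("wpad", primary_suffix)
    return None if fqdn is None else f"http://{fqdn}:80/wpad.dat"


def audit_wpad(zones: Dict[str, Tuple[str, str]], client_domains: List[str]) -> Dict[str, str]:
    """One line per client domain saying whether wpad.<domain> reaches the firewall."""
    report = {}
    for domain in client_domains:
        fqdn = qualify("wpad", domain)
        if fqdn is None:
            report[domain] = "no primary DNS suffix: client cannot qualify wpad"
            continue
        rec = zones.get(fqdn)
        if rec is None:
            report[domain] = f"missing CNAME {fqdn}"
        elif resolve_a(zones, fqdn) is None:
            report[domain] = f"{fqdn} -> {rec[1]} has no Host (A) record"
        else:
            report[domain] = f"ok: {fqdn} -> {resolve_a(zones, fqdn)}"
    return report
```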
Configure the Client Browser to Use Autodiscovery
The next step is to configure the browser to use autodiscovery. To configure the Web browser to use autodiscovery to automatically configure itself to use the ISA Server 2004 firewall's Web Proxy service:
- Right-click the Internet Explorer icon on the desktop and click Properties.
- In the Internet Properties dialog box, click the Connections tab. Click the LAN Settings button.
- In the Local Area Network (LAN) Settings dialog box, put a check mark in the Automatically detect settings check box. Click OK.
- Click Apply and then click OK in the Internet Properties dialog box.
The next step is to configure the ISA Server 2004 firewall to publish autodiscovery information to Web Proxy and Firewall clients that use autodiscovery.
In this ISA Server 2004 Configuration Guide document we discussed how to configure DHCP option 252 and a DNS wpad alias so that Web Proxy and Firewall clients can automatically discover the ISA Server 2004 firewall. Later in this guide, we will configure the ISA Server 2004 firewall to publish the autodiscovery information these clients download.