18 October 2010

TMG Auto Proxy Configuration Part I - Manual or Auto?

The ability to configure your environment so that machines can automatically detect their proxy settings is an extremely useful one. However, there is a lot of confusion about what that magic "Automatically detect settings" check box does and how it works.

To really understand the importance of auto configuration, let us compare a manual proxy configuration with an automatic configuration script.

When you manually specify a proxy server you get to specify the server name and the port number. You can specify the same proxy to be used for all protocols. Up to this point the only real problem comes when the host name of your proxy server changes.

When specifying the exceptions, the biggest limitation becomes obvious. Some believe that checking "Bypass proxy server for local addresses" is all that is required. Sadly, this is not the case. Only a URL that does not have a domain specified is considered a local address. Therefore, if your intranet address is http://myintranet/ it is considered local.

If you access the same site via its FQDN, http://myintranet.mycompany.com, then it is considered an Internet site. This means that the request will be routed through the proxy.

You can start to manage this by specifying exceptions, but now you have to redo these whenever the environment changes. And since this setting is per user, you have a problem.

When you configure the proxy client settings in TMG you have a number of options available to you to specify when and when not to use a proxy.  You can also specify a backup proxy should the primary not be available.

You can make this configuration available to clients by checking the "Publish automatic discovery information for this network" check box.

The automatic proxy configuration script contains a lot of information.  It is then published as the WPAD.DAT file.  This file is normally hosted on your TMG servers but it can also be hosted on any other web server.

To check it out, all you have to do is point your browser to the autodetect URL, which is http://proxyserver/wpad.dat or http://proxyserver:8080/wpad.dat; for the TMG firewall client it is http://proxyserver:8080/array.dll?Get.Routing.Script. They all deliver the same configuration file, which IE uses to determine how web resources are accessed.

If you take the time to examine the file you will see that many different settings are specified. Trying to do this manually would simply not be practical. Also, because this file is generated for you, it is free of "human" typos and similar errors that would be very difficult to trace.
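
An added example, not the file TMG generates and not code from this post: a small hand-written script in the FindProxyForURL form that a wpad.dat file uses, set beside the decision a manual configuration makes when only "Bypass proxy server for local addresses" is checked. The backup proxy name backupproxy, the function manualBypassLocal and the two helper stand-ins (the browser normally supplies them) are assumptions.

```javascript
// Stand-ins for two helpers the browser's PAC engine normally provides,
// defined here only so the example also runs under Node.js.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// proxyserver:8080 and mycompany.com come from the post's URLs;
// backupproxy is a hypothetical name for the backup proxy.
var PRIMARY = "PROXY proxyserver:8080";
var BACKUP = "PROXY backupproxy:8080";
// The leading dot matters: without it, notmycompany.com would also match.
var INTERNAL_DOMAIN = ".mycompany.com";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Same result as the "local addresses" check box: a name with no dot.
  if (isPlainHostName(host)) return "DIRECT";
  // What the check box cannot express: FQDNs in the internal domain.
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  // Everything else goes to the primary proxy, then the backup.
  // No DIRECT fallback here, so Internet traffic never skips the proxy.
  return PRIMARY + "; " + BACKUP;
}

// Hypothetical model of the manual setting with only
// "Bypass proxy server for local addresses" checked and no exception list.
function manualBypassLocal(host) {
  return isPlainHostName(host) ? "DIRECT" : PRIMARY;
}
```
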

Effectively, if you are a big enough deployment to use a proxy, you need to be using auto configuration. There are various ways to set up your clients to retrieve and use your auto configuration, and I will go into those in further posts on the subject.


Ken said...

Thanks, this series on autoproxy is exactly what I needed...easy to understand and good practical explanations

Etienne Liebetrau said...

Great to know! - Thanks for the comment.
