19 October 2010

TMG Auto Proxy Configuration Part III - Using DNS

In part one of this post I highlighted why it is important to use proxy auto configuration. There are various ways to get your clients to use your auto configuration. In this part I will go through using DNS and a WPAD entry.

This is probably the simplest way of deploying your auto configuration but there are a few things to be aware of.

If you want to use DNS for auto configuration, the configuration script MUST be available on port 80.

Step 1 - Verify

  • Verify that your TMG server is publishing the auto configuration script.
  • Using your browser, connect to http://proxyaddress/wpad.dat and http://proxyIP/wpad.dat
  • If you are prompted to download the file you know it is working.
  • Test this by opening Internet Options, then click LAN settings on the Connections tab
  • Make sure only "Use automatic configuration script" is checked and then enter the URL tested above.
  • Test for internet connectivity etc.

Step 2 - Configure DNS

  • From the DNS server's DNS MMC console
  • Right-click the forward lookup zone of your domain
  • Create either an Alias (CNAME) or a Host (A) record named wpad
  • Specify the FQDN (for a CNAME) or the IP (for an A record) of the proxy
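Steps 1 and 2 can be scripted together. The following PowerShell is an added example, not code from the original post or from TMG: it fetches wpad.dat from both the proxy name and the proxy IP on port 80, checks that what comes back is actually a PAC script, and only then creates the record with dnscmd /RecordAdd. The proxy name, proxy IP, zone and DNS server name are assumed placeholder values.

```powershell
# Added example: verify that TMG publishes wpad.dat on port 80 (Step 1), then
# create the WPAD record in the forward lookup zone with dnscmd (Step 2).
# All four values below are assumed placeholders; replace them with your own.
$ProxyHost = 'proxy.corp.example'   # FQDN of the TMG server
$ProxyIP   = '10.0.0.10'            # address of the TMG server (constructed value)
$Zone      = 'corp.example'         # forward lookup zone of the domain
$DnsServer = 'dns01.corp.example'   # an authoritative DNS server for that zone

function Test-WpadPublished {
    param([string]$Target)
    # DNS-based discovery always requests http://wpad.<zone>/wpad.dat on port 80,
    # so the test uses plain HTTP on port 80 and the /wpad.dat path, nothing else.
    $url = "http://$Target/wpad.dat"
    try {
        $pac = (New-Object System.Net.WebClient).DownloadString($url)
    } catch {
        Write-Warning "$url not reachable: $($_.Exception.Message)"
        return $false
    }
    # A usable PAC script defines FindProxyForURL; a logon page or error text does not.
    if ($pac -notmatch 'function\s+FindProxyForURL') {
        Write-Warning "$url answered, but the content is not a PAC script"
        return $false
    }
    Write-Host "$url OK ($($pac.Length) bytes)"
    return $true
}

function Add-WpadRecord {
    param([ValidateSet('CNAME', 'A')][string]$Kind)
    # dnscmd <server> /RecordAdd <zone> <node> <type> <data>; the node name is the fixed "wpad".
    if ($Kind -eq 'CNAME') {
        & dnscmd $DnsServer /RecordAdd $Zone wpad CNAME $ProxyHost
    } else {
        & dnscmd $DnsServer /RecordAdd $Zone wpad A $ProxyIP
    }
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }
}

# Step 1: both the name and the IP must serve the script before DNS is changed.
if ((Test-WpadPublished $ProxyHost) -and (Test-WpadPublished $ProxyIP)) {
    # Step 2: a static record created by the administrator. Never rely on a host
    # registering "wpad" dynamically; that is exactly what the block list guards against.
    Add-WpadRecord -Kind 'CNAME'
} else {
    Write-Error 'Fix the auto-configuration publishing on TMG before adding the DNS record.'
}
```

Run it from an account that may administer the DNS server. The PAC check matters because a web server that answers on port 80 with a redirect or a logon page will still "download" something, but the client will not get a working configuration from it.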

Step 3 - Windows 2008 DNS and 2003 DNS after MS09-008

If you are not using one of these as your DNS server, have a look at http://support.microsoft.com/kb/934864

To reduce vulnerabilities associated with dynamic DNS update, a new feature has been introduced called the DNS Global Query Block List. Basically it just blocks requests for the DNS names that are on the list. By default two entries are blocked, ISATAP and WPAD. ISATAP provides a transition between networks that are based on Internet Protocol version 4 (IPv4) and networks that are based solely on the newer IP version 6 (IPv6).

Server 2008
The following needs to be performed from the command prompt on every authoritative DNS server:
  • dnscmd /info /globalqueryblocklist - shows which entries are in the block list
  • dnscmd /config /globalqueryblocklist isatap - updates the list so that only isatap is blocked

Server 2003 post MS09-008
The following needs to be performed on every authoritative DNS server:
  • Edit the following registry entry:
  • HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList
  • Remove the WPAD entry

To check that the name is now allowed, run nslookup wpad.yourdomain.com. If you get an error despite there being a WPAD entry, you know it is still being blocked.
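Step 3 as a script, added here as an example that is not from the original post: it reads the current list from the registry value named above, removes only wpad so that every other entry (ISATAP by default) stays blocked, writes the result back with dnscmd on Server 2008 or directly to the registry on Server 2003 after MS09-008, and then runs the nslookup check. The zone name is an assumed placeholder, and the script restarts the DNS Server service after the registry edit, which the registry method is assumed to require.

```powershell
# Added example: remove only "wpad" from the DNS Global Query Block List and verify.
# Run as an administrator on every authoritative DNS server for the zone.
$BlockListKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName    = 'GlobalQueryBlockList'

function Get-BlockList {
    # REG_MULTI_SZ comes back as a string array; a missing value means the built-in default.
    $item = Get-ItemProperty -Path $BlockListKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return @('isatap', 'wpad') }
    return @($item.$ValueName)
}

function Remove-FromBlockList {
    param([string]$Name = 'wpad', [switch]$UseDnscmd)
    $current   = Get-BlockList
    $remaining = @($current | Where-Object { $_ -ne $Name })
    if ($remaining.Count -eq $current.Count) {
        Write-Host "$Name was not in the block list: $($current -join ', ')"
        return $remaining
    }
    if ($UseDnscmd) {
        # Server 2008: dnscmd replaces the whole list, so pass every name that must stay blocked.
        & dnscmd /config /globalqueryblocklist $remaining
        if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }
    } else {
        # Server 2003 after MS09-008: rewrite the REG_MULTI_SZ, then restart the DNS Server
        # service so the new list is read (assumed to be required for the registry method).
        Set-ItemProperty -Path $BlockListKey -Name $ValueName -Value $remaining -Type MultiString
        Restart-Service -Name DNS
    }
    Write-Host "Block list is now: $($remaining -join ', ')"
    return $remaining
}

function Test-WpadResolves {
    param([string]$Zone)
    # nslookup reports a failure while the name is blocked, even though the record exists.
    $out = & nslookup "wpad.$Zone" 2>&1 | Out-String
    if ($out -match 'Non-existent domain|can.t find') {
        Write-Warning "wpad.$Zone is still being blocked (or the record is missing):`n$out"
        return $false
    }
    Write-Host $out
    return $true
}

Remove-FromBlockList -Name 'wpad' -UseDnscmd   # omit -UseDnscmd on Server 2003
Test-WpadResolves -Zone 'corp.example'         # assumed placeholder zone name
```

Removing the entry from a computed list rather than typing the replacement by hand avoids accidentally unblocking ISATAP as well, and the nslookup at the end is the same check the post describes, just scripted.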

Step 4 - Test

  • Log onto a client machine that is not defined in a DHCP scope with a WPAD setting
  • Open Internet Explorer and make sure that only the "Automatically detect settings" check box is checked.
  • Restart IE
  • Test for internet connectivity.


  • A DHCP WPAD entry will take precedence if there is also a WPAD DNS entry.
  • In IE - Specifying "Automatically detect settings" will take precedence over  "Use Automatic configuration script"
  • In IE - The automatic automatic configurations will take precedence over manual configuration
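The DNS half of what "Automatically detect settings" does can be reproduced on a client, so that the Step 4 test also confirms that the name resolves to the TMG server you intended and not to some other host. This is an added example, not code from the original post or from Internet Explorer. It does not query the DHCP WPAD option, so on a real client a DHCP entry would still win as noted above; the expected proxy address is an assumed placeholder, and the suffix walk (wpad.<suffix>, then each shorter suffix, never the top-level domain) goes beyond the post's single-zone test.

```powershell
# Added example: walk the DNS names a client tries for "Automatically detect settings"
# and confirm that the first one that answers is the TMG server you intended.
# DHCP option 252 is deliberately not queried here; when present it wins on the client.
$ExpectedProxyIP = '10.0.0.10'   # assumed placeholder: address of the TMG server

function Get-WpadCandidates {
    param([string]$Suffix)
    # wpad.<full suffix> first, then one leading label dropped at a time, but the bare
    # top-level domain is never asked, so the lookup stays inside the organisation.
    $labels = $Suffix.Split('.')
    $names  = @()
    for ($i = 0; $i -lt ($labels.Length - 1); $i++) {
        $names += 'wpad.' + ($labels[$i..($labels.Length - 1)] -join '.')
    }
    return $names
}

function Test-WpadDiscovery {
    param([string]$Suffix, [string]$ExpectedIP)
    foreach ($name in (Get-WpadCandidates $Suffix)) {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        } catch {
            Write-Host "$name : no answer (blocked or not defined)"
            continue
        }
        # The first name that resolves is the one the client uses, so it must be ours.
        if ($ips -notcontains $ExpectedIP) {
            Write-Warning "$name resolves to $($ips -join ', '), not to the TMG server $ExpectedIP"
            return $false
        }
        try {
            $pac = (New-Object System.Net.WebClient).DownloadString("http://$name/wpad.dat")
        } catch {
            Write-Warning "$name resolves correctly, but http://$name/wpad.dat is not reachable on port 80"
            return $false
        }
        if ($pac -match 'function\s+FindProxyForURL') {
            Write-Host "$name -> $ExpectedIP serves a PAC script; detection will succeed"
            return $true
        }
        Write-Warning "http://$name/wpad.dat answered, but the content is not a PAC script"
        return $false
    }
    Write-Warning "No wpad name resolved under $Suffix; check the DNS record and the block list"
    return $false
}

# Primary DNS suffix of this client, as the real discovery uses it (assumes a domain-joined machine).
$suffix = (Get-WmiObject Win32_ComputerSystem).Domain
Test-WpadDiscovery -Suffix $suffix -ExpectedIP $ExpectedProxyIP
```

The comparison against the expected address is the part worth keeping in a routine check: once WPAD is removed from the block list, the name is only as trustworthy as the record you created, so a test that merely confirms "something answered" says less than one that confirms it was the TMG server.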
