20 October 2010

TMG Auto Proxy Configuration Part IV - Configuring the clients

In the previous parts of this article we explored how to set up your environment so that your clients can make use of auto detection. To build in some fault tolerance, you need to understand which settings take precedence.

When "Automatically detect settings" is checked, the following order is used to determine the proxy:

  • DHCP 
  • DNS  

If both DHCP and DNS detection fail and "Use automatic configuration script" is checked, the client retrieves the script directly from the specified address.

If "Automatically detect settings" is not checked but "Use automatic configuration script" is checked, the client does not auto detect and just retrieves the script directly.

Either of the automatic settings takes precedence over a manually specified proxy server.

Group Policy
The recommended method for configuring the clients is via a group policy. Without going into a lot of detail, the setting is normally a user setting, and there are options that correspond to the Internet Explorer LAN connection options.

I also want to highlight another policy: "Disable caching of Auto-Proxy scripts". This policy is under User Configuration > Administrative Templates > Windows Components > Internet Explorer.

The idea here is simple: unless the hostname of the auto detect changes, use the cached script. This is great in an environment where you are not making any changes. If, however, you have more of a dynamic configuration, you may want to enable this policy.

As an example, you may add another exclusion to your auto configuration script, but if the browser is using a cached version the change will not be applied. To make things worse, if you log on to the same machine to test, it will work if you have never logged on and retrieved a script before.

Since a lot of the proxy settings are stored in the registry, you can manipulate the registry to effect the required proxy changes. Below is an image of a machine that is configured with all four check boxes checked. You can see that it is a lot of entries. Fortunately, a change made in IE is reflected immediately in the registry (if you remember to refresh). This makes it fairly easy to build your desired registry settings, which can then be exported as a .reg file.
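
The function below is an added example, not part of the original post: it reads the current user's proxy values from the registry and lists the configured sources in the precedence order described earlier, so you can see what a client will actually try. The value names are the standard Internet Explorer ones; the flag byte at offset 8 of DefaultConnectionSettings is an undocumented layout and is treated as an assumption, and Get-ProxyClientConfig is a name chosen for this example.

```powershell
# Added example, not from the original post.
$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$InetPolicy   = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyClientConfig {
    $s    = Get-ItemProperty -Path $InetSettings
    $conn = Get-ItemProperty -Path (Join-Path $InetSettings 'Connections') -ErrorAction SilentlyContinue
    $pol  = Get-ItemProperty -Path $InetPolicy -ErrorAction SilentlyContinue
    $blob = $conn.DefaultConnectionSettings

    # Assumption: byte 8 of the undocumented DefaultConnectionSettings blob holds
    # the check box flags (0x02 manual proxy, 0x04 script, 0x08 auto detect).
    $flags = 0
    if ($blob -and $blob.Length -gt 8) { $flags = [int]$blob[8] }

    # Fall back to the plain values when the blob is missing or unreadable.
    $autoDetect = ($flags -band 0x08) -ne 0
    $useScript  = (($flags -band 0x04) -ne 0) -or [bool]$s.AutoConfigURL
    $useManual  = (($flags -band 0x02) -ne 0) -or ($s.ProxyEnable -eq 1)

    # Build the order the post describes: DHCP, DNS, script URL, manual proxy.
    $order = @()
    if ($autoDetect) { $order += 'WPAD via DHCP', 'WPAD via DNS' }
    if ($useScript)  { $order += "Script: $($s.AutoConfigURL)" }
    if ($useManual)  { $order += "Manual: $($s.ProxyServer)" }
    if (-not $order) { $order += 'Direct (no proxy)' }

    $methods = @($autoDetect, $useScript, $useManual | Where-Object { $_ }).Count

    [pscustomobject]@{
        AutoDetect          = $autoDetect
        ScriptUrl           = $s.AutoConfigURL
        ManualProxy         = $s.ProxyServer
        BypassList          = $s.ProxyOverride
        BypassLocal         = ($s.ProxyOverride -split ';') -contains '<local>'
        # Policy "Disable caching of Auto-Proxy scripts" writes this value as 0.
        ScriptCacheDisabled = ($pol.EnableAutoProxyResultCache -eq 0)
        ResolutionOrder     = $order -join ' -> '
        # More than one method means failover, and more places to troubleshoot.
        MultipleMethods     = $methods -gt 1
    }
}

Get-ProxyClientConfig | Format-List
```

Run it in the affected user's own session, because all of these values live under HKCU.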

Internet Explorer
Users can also set their proxy settings in their browser. This may be handy for troubleshooting, but it is generally not a scalable solution in any shape or form.

TMG Client
If the user is using the TMG client (previously the ISA firewall client), this can also be configured to auto configure the browser proxy. The client can also be configured using Active Directory (http://technet.microsoft.com/en-us/library/ee658145.aspx).

There are many different ways to configure the client to make use of the automatic proxy configuration. The client can also be given a failover configuration by specifying multiple settings. All of these are great while things are working, but any of them could be a potential problem area when you are trying to troubleshoot.

Pick one method to configure your clients, make that the standard, and prevent users from changing their settings, or at least reinforce your settings with a group policy.
