23 March 2011

Converting a TMG wpad file to an Apple Mac compatible pac file

TMG automatically creates a wpad file that contains all the settings you would want to specify as an administrator.
For more info on how this works and what it does, check out the following:

http://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-i.html
http://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-ii.html
http://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-iii.html
http://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-iv.html


A WPAD file is already a valid .pac file, so no conversion is required.

Apple OS X machines, however, do not work 100% with a WPAD file that uses a multi-node NLB array.  The typical problem they experience is being prompted constantly for credentials, first by one node and then by the other.  As the client moves between the nodes it runs into problems.  As I am NOT an avid Mac user I can't go into too many details.  (If you are a Mac user, please add a comment explaining the symptoms better.)

To resolve this issue there are a few lines we need to change in the WPAD file.

  • Download the wpad.dat file
  • Edit the file
  • Test with pacparser
  • Distribute to Macs

Download the wpad.dat file
To download the wpad file, browse to http://yourproxy/wpad.dat or, depending on the config, http://yourproxy:8080/wpad.dat.

Edit the File
What I did was to use only the NLB IP instead of the two individual host IPs.  My wpad file contains 224 lines, but we only need to edit this one section.

DirectNames=new MakeNames();
cDirectNames=2;
HttpPort="8080";
cNodes=2;
function MakeProxies(){
this[0]=new Node("x.x.x.x",1409863761,1.000000);
this[1]=new Node("y.y.y.y",3630121203,1.000000);
}

This needs to be changed to:

DirectNames=new MakeNames();
cDirectNames=1;
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("z.z.z.z",1409863761,1.000000);
}

cDirectNames=  -- This indicates the number of nodes, so change this to 1 since there is only one NLB IP
this[0]=new Node  -- Specify the NLB IP

I tried to find out what the number behind the comma is, but had no luck, so with a bit of trial and error I found that leaving the numbers untouched works.

Test with pacparser
You can use a utility called pacparser to test both your wpad.dat and wpad.pac files.  Download it from 

This command line utility will validate the file and show the result of your testing.  DIRECT indicates the failover configuration, and for the internal network it skips using a proxy (this is per the TMG config).

For the PAC file using the NLB
pactester.exe -p wpad.pac -u http://www.google.co.za
PROXY z.z.z.z:8080; DIRECT

For the PAC file using the NLB, local network
pactester.exe -p wpad.pac -u http://intranet
DIRECT

For the wpad.dat file using two node IPs
pactester.exe -p wpad.dat -u http://www.google.com
PROXY x.x.x.x:8080; PROXY y.y.y.y:8080; DIRECT

For the wpad.dat file using two node IPs, local network
pactester.exe -p wpad.dat -u http://intranet
DIRECT
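As an added example (not code from the post, from TMG or from pacparser), the following Node.js script automates the edit described above on a constructed copy of the wpad.dat data block and rebuilds the proxy lists that pactester printed, so the two steps can be checked together; it also verifies that each count variable still matches the number of entries in its array, on the assumption that FindProxyForURL loops over those counts. The sample data block, the helper names and the simplified proxy-list builder (which ignores CARP ordering and local-network rules) are assumptions, not TMG's own logic.

```javascript
// Added example (not from the post or TMG): constructed data block of a two-node TMG
// wpad.dat, with each MakeXxx body closed by a "}" on its own line as in the post's excerpt.
const SAMPLE_WPAD = [
  'function MakeNames(){', 'this[0]="intranet";',
  'this[1]="localhost";', '}',
  'DirectNames=new MakeNames();', 'cDirectNames=2;',
  'HttpPort="8080";', 'cNodes=2;',
  'function MakeProxies(){',
  'this[0]=new Node("x.x.x.x",1409863761,1.000000);',
  'this[1]=new Node("y.y.y.y",3630121203,1.000000);',
  '}', 'Proxies = new MakeProxies();',
].join('\n');
function bodyLines(wpad, fnName) {
  const lines = wpad.split('\n');
  const start = lines.findIndex((l) => l.startsWith(`function ${fnName}(`));
  return start < 0 ? null : { lines, start, end: lines.indexOf('}', start) };
}
// Rewrite MakeProxies to one entry for the NLB address and set cNodes=1; the numeric
// fields are copied unchanged from the first original node, as the post does.
function useSingleNlbNode(wpad, nlbIp) {
  const blk = bodyLines(wpad, 'MakeProxies');
  if (!blk) throw new Error('MakeProxies block not found');
  const nodeRe = /^this\[\d+\]=new Node\("[^"]+",(.*)\);$/;
  const first = blk.lines.slice(blk.start + 1, blk.end).map((l) => l.match(nodeRe)).find(Boolean);
  if (!first) throw new Error('no Node entries in MakeProxies');
  const single = `this[0]=new Node("${nlbIp}",${first[1]});`;
  const out = [...blk.lines.slice(0, blk.start + 1), single, ...blk.lines.slice(blk.end)];
  return out.join('\n').replace(/^cNodes=\d+;$/m, 'cNodes=1;');
}
// Assumption: FindProxyForURL walks each array as "for (i=0; i<cXxx; i++)", so a counter
// larger than its array reads undefined entries. Returns a list of mismatches (empty = ok).
const COUNTERS = { cDirectNames: 'MakeNames', cNodes: 'MakeProxies' };
function checkCounters(wpad) {
  const problems = [];
  for (const [counter, fn] of Object.entries(COUNTERS)) {
    const m = wpad.match(new RegExp(`^${counter}=(\\d+);$`, 'm'));
    const blk = bodyLines(wpad, fn);
    if (!m || !blk) continue;
    const n = blk.lines.slice(blk.start + 1, blk.end).filter((l) => /^this\[\d+\]=/.test(l)).length;
    if (Number(m[1]) !== n) problems.push(`${counter}=${m[1]} but ${fn} has ${n} entries`);
  }
  return problems;
}
// Proxy list as pactester prints it for an external URL: each node with HttpPort, then DIRECT.
function proxyString(wpad) {
  const port = wpad.match(/^HttpPort="(\d+)";$/m)[1];
  const blk = bodyLines(wpad, 'MakeProxies');
  const body = blk.lines.slice(blk.start + 1, blk.end).join('\n');
  const hosts = [...body.matchAll(/^this\[\d+\]=new Node\("([^"]+)"/gm)].map((m) => m[1]);
  return hosts.map((h) => `PROXY ${h}:${port}`).concat('DIRECT').join('; ');
}
```

Running `checkCounters` on a file after hand-editing catches the case where the node list was shortened but the count was left at its old value.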

Distribute to Macs
Manually - Save the file as a .pac file and the Mac users can now specify this under Settings / Network / Proxies (this seems to cause issues with OS X Lion).

Publish on a web server - you will have to specify the URL as http://sitename/wpad.pac

I have not tried to get autodetect to work, but in theory you should be able to specify it in DHCP.  (In my case the DHCP scope is shared with Windows machines.)

 ***  UPDATE for Lion ***
There have been some changes in Lion.  The wpad file still needs to be edited as listed above.  A stock standard array wpad file will simply not work.  (A single node TMG server will be fine without needing to edit it.)

Additionally, it seems that Safari's behavior for CARP is now different.  To prevent being prompted endlessly for credentials, CARP needs to be turned off.

To find out more about Cache Array Routing Protocol check out http://msdn.microsoft.com/en-us/library/ff823958(v=vs.85).aspx

To configure the Mac to use this script, go to Settings - Network - Advanced - Proxies.
Only configure the field "Automatic Proxy Configuration".

This will prevent it from picking up the network default wpad file (the one you want the PCs to use).  Furthermore, if it is not able to retrieve the script it will revert to the manual configuration (web proxy & secure web proxy), which if left blank or unchecked means it goes direct.
