29 February 2012

OS X Lion and TMG array auto proxy configuration script

Getting your OS X device to play nice with a TMG proxy can be tricky.  After going through this for a while and finally having a solution that works nicely, I thought it would be good to share.

There is not really any problem when you have a single TMG proxy server.  The problem comes in when you have an array that contains two or more nodes that are load balanced.  This introduces a few issues for the OS X devices.
The default proxy configuration script explicitly maps each array member's IP address.  This forces the client to connect to one of the hosts.  Credentials can then be stored in the keychain and used for subsequent authentication requests for that array member.  If, however, the client connects to another array member, the authentication process is repeated.  This is especially an issue if you are using CARP for caching.

To avoid all this there are a few steps required.


  • Configure the TMG array to use Kerberos authentication
  • Edit the default wpad.dat file
  • Publish the edited wpad.dat file
  • Configure the clients


Configure the TMG array to use Kerberos authentication
I have already covered this in a previous article:
http://fixmyitsystem.com/2012/02/how-to-enable-kerberos-authentication.html


Edit the default wpad.dat file
To be able to make use of Kerberos authentication you need to address the SPN or NLB hostname rather than an individual array member.
This was also covered in the previous article but...

Here is the portion of the file that needs to be edited:


DirectNames=new MakeNames();
cDirectNames=2;
HttpPort="8080";
cNodes=2;
function MakeProxies(){
this[0]=new Node("10.40.22.6",1409863761,1.000000);
this[1]=new Node("10.40.22.5",3630121203,1.000000);
}


You will notice that each node is a single IP address, not the NLB IP or name.
You can change this to use just the NLB name, which allows Kerberos authentication:

DirectNames=new MakeNames();
cDirectNames=1;
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("proxynlbname.domain.com",1409863761,1.000000);
}
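
To see why the single NLB-name entry matters, here is an added JavaScript example (not the page's wpad.dat and not TMG's own script). It keeps the Node/MakeProxies layout from the snippets above and uses a constructed hash as a stand-in for CARP routing, not TMG's real algorithm; the sample hosts, the helper names and the HTTP/<fqdn> SPN form are assumptions for illustration.

```javascript
// Added example: a simplified stand-in for the TMG auto-configuration script.
// Keeps the Node/MakeProxies layout from the post; the selection hash below is
// a constructed simplification, NOT TMG's CARP routing algorithm.
function Node(ip, hash, weight) {
  this.ip = ip;        // array member IP or, after the edit, the NLB host name
  this.hash = hash;
  this.weight = weight;
}
// Mirrors MakeProxies(): one Node per entry (hash values are constructed).
function makeProxies(members) {
  var nodes = [];
  for (var i = 0; i < members.length; i++) {
    nodes.push(new Node(members[i], 1409863761 + i, 1.0));
  }
  return nodes;
}
// Constructed stand-in for CARP-style routing: hash the target host, pick a node.
function pickNode(nodes, host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return nodes[h % nodes.length];
}
function findProxyForURL(nodes, httpPort, host) {
  if (nodes.length === 0) return "DIRECT";
  return "PROXY " + pickNode(nodes, host).ip + ":" + httpPort + "; DIRECT";
}
// Number of distinct proxy endpoints a client is sent to for a set of hosts.
// On OS X each distinct endpoint means a separate authentication and keychain entry.
function distinctProxies(nodes, hosts) {
  var seen = {};
  for (var i = 0; i < hosts.length; i++) {
    seen[findProxyForURL(nodes, "8080", hosts[i])] = true;
  }
  return Object.keys(seen).length;
}
// Kerberos needs a name-based SPN (assumed form HTTP/<fqdn>); an IP literal
// yields no SPN, so Kerberos cannot be used against that array member.
function kerberosSpn(proxyHost) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(proxyHost) ? null : "HTTP/" + proxyHost;
}
// Constructed sample target hosts and the two proxy lists from the post.
var hosts = ["www.example.com", "mail.example.org", "cdn.example.net", "intranet.local"];
var perMember = makeProxies(["10.40.22.6", "10.40.22.5"]);   // default script
var viaNlb = makeProxies(["proxynlbname.domain.com"]);        // edited script
console.log(distinctProxies(perMember, hosts), distinctProxies(viaNlb, hosts));
```

With the per-member list the client is spread over both addresses and authenticates to each; with the NLB name every request goes to one endpoint that also has a usable SPN.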


Publish the edited wpad.dat file
The best way to distribute the wpad file is to place it on a fault tolerant web server.

  • Create a new web site in IIS
  • Copy your edited wpad.dat file to the physical path of the site
  • Add another MIME type for the site:
    File name extension: *
    MIME type: */*


IMPORTANT
Technically you should only need to add .dat as application/x-ns-proxy-autoconfig, and this worked fine for Snow Leopard.  However, with Lion this does not work.  Bizarrely, it seems Safari requests a different MIME type...

Configure the clients
There are some issues with specifying a local file, so you should always use the URL.

  • Open system preferences
  • Select the network
  • Advanced
  • Proxies
  • Make sure that only "Automatic Proxy configuration" is checked
  • Specify the URL of the site configured earlier.
  • OK
  • Apply
  • Launch Safari

Conclusion
Going through this process will not only allow your OS X machines to work properly with TMG, but there is also a performance benefit for Windows machines.  You can point them to the same proxy configuration file; in fact you have to if you want to use Kerberos, which is where the performance advantage lies.
