Welcome to ISAserver.org


WPAD in multiple sites

WPAD in multiple sites - 4.Oct.2005 9:36:00 PM   
jonsauter

 

Posts: 66
Joined: 8.Jul.2005
From: Dallas, TX
Status: offline
I have ISA set up as the edge firewall in multiple sites. ISA also serves as the proxy server for each site. Additionally, the sites are connected through a WAN link from inside the firewall. All sites share a single domain and single DNS zone. I am attempting to set up proxy autodiscovery so that machines in each site will autodetect and use the proxy server in that site.

Using WPAD entries in the DHCP scopes servicing each site works great for autodiscovery with DHCP clients. However, I also have servers with static IP addresses at each site and VPN clients dialing into each site. The VPN users receive their IP address from a static pool.

The servers with static IPs and the VPN clients cannot use DHCP for WPAD. They can use DNS. However, only one Alias (CNAME) called WPAD can be entered into DNS.

How can I set up autodiscovery for multiple sites and clients that don't use DHCP?
Post #: 1
RE: WPAD in multiple sites - 13.Oct.2005 1:29:00 PM   
Mr_Do

 

Posts: 29
Joined: 10.Dec.2002
From: Michigan
Status: offline
Are you still looking for an answer to this one? I have a script (borrowed, of course) that looks at the IP subnet in which the client is and assigns a proxy server based on that. If I dig that out and post an example here, would that fit your need?

(in reply to jonsauter)
Post #: 2
RE: WPAD in multiple sites - 17.Oct.2005 6:32:00 PM   
jonsauter

 

Posts: 66
Joined: 8.Jul.2005
From: Dallas, TX
Status: offline
Yeah, if a script is the only way to do it then by all means I'd be interested in going that route.

(in reply to jonsauter)
Post #: 3
RE: WPAD in multiple sites - 18.Oct.2005 8:45:00 AM   
Mr_Do

 

Posts: 29
Joined: 10.Dec.2002
From: Michigan
Status: offline
This script assigns the proxy server address and port number based on what IP subnet the client is in. This allows you to use one wpad.dat file for your whole network while still enabling clients to find their nearest proxy server.

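function FindProxyForURL(url, host)
{
  // Clients in the 10.2.0.0/16 site use that site's proxy.
  if (isInNet(myIpAddress(), "10.2.0.0", "255.255.0.0"))
  {
    return "PROXY 10.2.0.1:8080";
  }
  // Clients in the 10.4.0.0/16 site use that site's proxy.
  if (isInNet(myIpAddress(), "10.4.0.0", "255.255.0.0"))
  {
    return "PROXY 10.4.0.1:8080";
  }
  // Clients in 192.168.0.0/16 bypass the proxy.
  if (isInNet(myIpAddress(), "192.168.0.0", "255.255.0.0"))
  {
    return "DIRECT";
  }
  // Any other client address falls through to the 10.2 proxy.
  return "PROXY 10.2.0.1:8080";
}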

(in reply to jonsauter)
Post #: 4
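
Added example, not part of the original post: a small Node.js harness that evaluates a PAC script with myIpAddress() pinned to chosen client addresses and reports where the returned proxy differs from what the admin intends. The isInNet stand-in, the client addresses and the expectation table are constructed for illustration; the PAC text mirrors the rules in the post above.

```javascript
// Added example: offline check of a wpad.dat script (not from the original thread).
// PAC text under test: same rules as the script posted above, embedded as sample input.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  var ip = myIpAddress();
  if (isInNet(ip, "10.2.0.0", "255.255.0.0")) return "PROXY 10.2.0.1:8080";
  if (isInNet(ip, "10.4.0.0", "255.255.0.0")) return "PROXY 10.4.0.1:8080";
  if (isInNet(ip, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  return "PROXY 10.2.0.1:8080";
}`;

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// Stand-in for the browser-provided isInNet(); only handles IP literals.
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Run the PAC text with myIpAddress() pinned to one client address.
function resolveFor(clientIp, pacSource = PAC_SOURCE) {
  const build = new Function("isInNet", "myIpAddress",
    pacSource + "\nreturn FindProxyForURL;");
  return build(isInNet, () => clientIp)("http://example.com/", "example.com");
}

// Constructed expectations: client address -> proxy the admin intends it to use.
const EXPECTED = {
  "10.2.7.20":   "PROXY 10.2.0.1:8080", // DHCP client, site 10.2
  "10.4.9.3":    "PROXY 10.4.0.1:8080", // static-IP server, site 10.4
  "192.168.5.5": "DIRECT",
  "172.16.30.8": "PROXY 10.4.0.1:8080", // VPN pool address dialled into site 10.4
};

// Return every client whose PAC result differs from the intended proxy.
function findMismatches(expected = EXPECTED, pacSource = PAC_SOURCE) {
  return Object.entries(expected)
    .map(([ip, want]) => ({ ip, want, got: resolveFor(ip, pacSource) }))
    .filter((r) => r.got !== r.want);
}

console.log(findMismatches());
```

The single mismatch is the constructed VPN pool address: it matches no isInNet rule, so the script's final return sends it to the 10.2 proxy. Each static pool needs its own rule in the script.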
RE: WPAD in multiple sites - 28.Nov.2005 2:08:38 PM   
nofear

 

Posts: 95
Joined: 28.Nov.2005
Status: offline
Hi,
I want to ask you something.
I also have multiple sites separated by WAN links, each with its own ISA Standard 2004.
I have a DNS Active Directory-integrated zone containing all records for all my network on all sites.

I want to deploy the WPAD autodiscovery feature, but if I want to deploy it through DHCP, then I need to configure DHCP in each site; besides, VPN users will not benefit from that.

I need to deploy this feature in DNS.
So I configured A records for WPAD pointing to the internal interface of each ISA in each site, and I want the DNS to return to each site only the WPAD record that corresponds to its subnet.
How can your script help me, and how do I implement your script?

(in reply to Mr_Do)
Post #: 5
RE: WPAD in multiple sites - 29.Nov.2005 2:44:25 PM   
Mr_Do

 

Posts: 29
Joined: 10.Dec.2002
From: Michigan
Status: offline
The short answer is that you need IIS on the computer referenced by the wpad entry in DNS, and at the root level of the web site you need to put the wpad.dat file with the desired script.

The more detailed explanation is this: When IE is set to automatically detect settings, it looks for the script at http://wpad.{domain}/wpad.dat where {domain} is the primary DNS suffix of the connection. So if the computer is a member of adomain.com then it will query http://wpad.adomain.com/wpad.dat and expect to find a configuration script there like the one referenced in my previous post. So you put your wpad entry in DNS, and on the server that it points to you configure IIS and on the root of that web site put the wpad.dat file. If it is set up right, you should be able to type that whole http://wpad.adomain.com/wpad.dat path (substituting your real domain name) in your browser and see the contents of the script.

If this isn't enough of an explanation, I am pretty sure there is a tutorial on the subject somewhere on this site and/or Microsoft Knowledge Base. Good luck.

(in reply to nofear)
Post #: 6
RE: WPAD in multiple sites - 30.Nov.2005 9:59:08 AM   
nofear

 

Posts: 95
Joined: 28.Nov.2005
Status: offline
Hi,
I want to mention that I have a DNS infrastructure that is replicated to all sites, which means that each site will see the same "A" records. So the problem is that I want to configure a DNS record for WPAD, bearing in mind that it will be seen by all sites; what IP value should I assign to the WPAD record?

My idea was that because the DNS zone is seen by all sites hosting their ISA servers, I can make many wpad "A" records, each time assigning the IP address of one site's ISA server, so the DNS will contain many resolutions for a WPAD query, pointing to all ISA servers in all sites. I am depending on a DNS feature called subnet ordering to return the correct (closest) resolution for the wpad request in each site.

For example, suppose that I have 3 sites with 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24, all with their own ISAs, and they share the same database store, that is, a secondary zone.

Then I can create the following records in the primary DNS:
       "A" record    : wpad >>> 10.0.1.1
       "A" record    : wpad >>> 10.0.2.1
       "A" record    : wpad >>> 10.0.3.1
The DNS has a feature called subnet ordering that can be accessed from the Advanced tab of the DNS server properties. It works as follows:
when a client in site 10.0.3.0/24 asks about WPAD, the DNS will have the 3 resolutions mentioned above, so it will return those records in subnet order like this:

     10.0.3.0
     10.0.2.0
     10.0.1.0
thus providing the client with the closest WPAD server (specifically, the one in its own subnet).

---------------------------------------------------------------------------------
I think this will solve the problem.

(in reply to Mr_Do)
Post #: 7
RE: WPAD in multiple sites - 30.Nov.2005 3:04:40 PM   
Mr_Do

 

Posts: 29
Joined: 10.Dec.2002
From: Michigan
Status: offline
That approach will work if you have three different scripts, with IIS configured on each server referenced in the wpad entries and each one getting its own version of the script.

Keep in mind that when the client queries DNS for wpad and gets an IP back, it doesn't simply use that IP as its proxy setting. It uses that IP to ask for the wpad.dat file through HTTP, and then the contents of wpad.dat determine what proxy setting it uses.

We have nearly the exact setup you describe with multiple sites and multiple ISA servers but only one DNS infrastructure. We put one entry for wpad in DNS and on the server at that IP we have IIS serve up the wpad.dat file with a version of the script I posted earlier in this thread. The client always gets the nearest ISA Server that way. We have been using it for about five years.

(in reply to nofear)
Post #: 8
RE: WPAD in multiple sites - 1.Dec.2005 12:35:05 PM   
nofear

 

Posts: 95
Joined: 28.Nov.2005
Status: offline
Let me understand.

Man, you need multiple DNS records pointing to the WPAD server in each site because the DNS zone is shared with all sites; in other words, all DNS servers replicate to each other, and the DNS will return the WPAD server nearest to the client.

In your scenario I guess you have DNS in each site with records that are not shared and replicated to DNS servers in other sites, yeah?


(in reply to Mr_Do)
Post #: 9
RE: WPAD in multiple sites - 1.Dec.2005 2:34:54 PM   
Mr_Do

 

Posts: 29
Joined: 10.Dec.2002
From: Michigan
Status: offline
No. You use one DNS record for wpad in your whole domain. It points to one server with one script. So all clients on the domain get the same DNS resolution, use the same server to get the script, and then they all get the same script.

So all clients are treated the same up to the point where they run the script. The script then looks at what subnet they are in and assigns their proxy based on that. The sample script from my earlier post will accomplish that.

(in reply to nofear)
Post #: 10
RE: WPAD in multiple sites - 4.Dec.2005 8:19:55 AM   
nofear

 

Posts: 95
Joined: 28.Nov.2005
Status: offline
Dude, seems nice, but:

In a big company spanning many far-away sites all around the world, your solution is not practical at all, because if I put the script on one server in site A, let's say, then all clients in all sites will try to connect to this server frequently (bandwidth consuming).
Don't forget that each client needs to refresh its WPAD file every 50 minutes to pick up the new settings; the same goes for the script.

(in reply to Mr_Do)
Post #: 11
RE: WPAD in multiple sites - 27.Apr.2006 9:47:09 PM   
jonsauter

 

Posts: 66
Joined: 8.Jul.2005
From: Dallas, TX
Status: offline
Yeah, the best solution really is to use A records (not CNAMEs as all the documentation indicates) and create a DNS record for each site. Then, use netmask ordering and round robin in DNS. By setting the netmask ordering to use the appropriate number of bits based on your network infrastructure, this will provide consistent resolution to the local ISA server with redundancy to another site if the local ISA is down. This also allows you to use the default WPAD.dat files created dynamically by ISA so it is not necessary to create a custom script, nor is it necessary to host it on a separate web server.

(in reply to nofear)
Post #: 12
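
Added example, not part of the original thread: a simplified model of DNS round robin combined with netmask ordering, run over the three wpad A records from the example earlier in the thread, counting how often a client is handed its own site's record first. This is a sketch under stated assumptions, not Microsoft DNS's implementation; the function names, the client addresses and the VPN pool address are constructed.

```javascript
// Added example: simplified model of round robin + netmask ordering (not from the thread).
const WPAD_RECORDS = ["10.0.1.1", "10.0.2.1", "10.0.3.1"]; // one A record per site

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// True when both addresses share their first `bits` bits.
function sameNet(a, b, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(a) & mask) >>> 0) === ((ipToInt(b) & mask) >>> 0);
}

// Round robin: each successive query starts one record further along.
function rotate(records, n) {
  const k = n % records.length;
  return records.slice(k).concat(records.slice(0, k));
}

// Netmask ordering (model): records on the client's network move to the front,
// everything else keeps its round-robin order.
function orderForClient(records, clientIp, maskBits) {
  const local = records.filter((r) => sameNet(r, clientIp, maskBits));
  const remote = records.filter((r) => !sameNet(r, clientIp, maskBits));
  return local.concat(remote);
}

// Of `queries` successive lookups, how many return `localRecord` first?
function localFirstCount(clientIp, localRecord, maskBits, queries = 6) {
  let hits = 0;
  for (let q = 0; q < queries; q++) {
    const answer = orderForClient(rotate(WPAD_RECORDS, q), clientIp, maskBits);
    if (answer[0] === localRecord) hits++;
  }
  return hits;
}

console.log({
  lan24: localFirstCount("10.0.3.50", "10.0.3.1", 24),   // mask matches the site subnets
  lan16: localFirstCount("10.0.3.50", "10.0.3.1", 16),   // mask too wide: all records "local"
  vpn24: localFirstCount("172.16.30.8", "10.0.3.1", 24), // constructed VPN pool outside the site
});
```

In this model the local record comes first on every lookup only when the mask width matches the site subnets and the client's address lies inside its site's range; a wider mask or an out-of-range VPN pool leaves the client with plain round robin.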
RE: WPAD in multiple sites - 2.May.2006 10:57:30 PM   
thejun

 

Posts: 101
Joined: 21.Jan.2002
Status: offline
Sounds to me like you need to possibly set up the proper routes on your machine to route the traffic from one subnet to another...

(in reply to jonsauter)
Post #: 13
