What are the WPAD entries in my ISA2004 logs? (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> Logging and Reporting



Message

Arch Willingham -> What are the WPAD entries in my ISA2004 logs? (18.Mar.2006 10:26:59 PM)

I get thousands of entries like this in my ISA2004 server's web access logs...what are they?

192.168.1.4 anonymous - N 2006-03-18 16:20:27 w3proxy ISACOMPUTER - 192.168.1.7 192.168.1.7 0 2968 60 2569 http TCP GET http://192.168.1.7/wspad.dat - Inet 10061 0x0 Allow traffic from Internal network to local host - Internal Local Host 0x40 Failed


Thanks!

Arch



LLigetfa -> RE: What are the WPAD entries in my ISA2004 logs? (18.Mar.2006 10:37:10 PM)

They are FWC attempting to autodetect.  If they are being denied, you probably have not applied SP1 and SkipAuthenticationForRoutingInformation.
http://support.microsoft.com/default.aspx?scid=kb;en-us;885683



Arch Willingham -> RE: What are the WPAD entries in my ISA2004 logs? (18.Mar.2006 11:01:11 PM)

That was fast...thanks! I am running ISA 2004 with SP2. Also, I did what it said in the KB, rebooted the computer and the entries are still appearing.

Any ideas?

Arch



LLigetfa -> RE: What are the WPAD entries in my ISA2004 logs? (18.Mar.2006 11:08:29 PM)

Have you enabled WPAD on port 80?



Arch Willingham -> RE: What are the WPAD entries in my ISA2004 logs? (18.Mar.2006 11:14:06 PM)

I hate to be a dipstick but how would I check (I can't remember)??

Arch



LLigetfa -> RE: What are the WPAD entries in my ISA2004 logs? (18.Mar.2006 11:17:17 PM)

The simplest would be to type that URL in your browser.  It is enabled under the Network property in ISA.



Arch Willingham -> RE: What are the WPAD entries in my ISA2004 logs? (18.Mar.2006 11:24:14 PM)

If I put http://192.168.1.7/wspad.dat in a browser, it pops back with






The page cannot be displayed

Explanation: The Web server refused the connection, possibly because a service on the upstream server is inactive.

Technical Information (for support personnel)
    Error Code 10061: Connection refused
    Background: When the gateway or proxy server contacted the upstream (Web) server, the connection was refused. This usually results from trying to connect to a service that is inactive on the upstream server.



LLigetfa -> RE: What are the WPAD entries in my ISA2004 logs? (18.Mar.2006 11:37:27 PM)

Then it sounds like it's not enabled.



Arch Willingham -> RE: What are the WPAD entries in my ISA2004 logs? (19.Mar.2006 2:07:27 PM)

In reading an article on this, I found that DNS points at port 80 and DHC points at whatever port ISA is using. We use port 8080 so why is all the traffic going to port 80?

If this is not fixable, is there any way to tell it to stop logging that one request?

Thanks,

Arch



LLigetfa -> RE: What are the WPAD entries in my ISA2004 logs? (19.Mar.2006 3:50:56 PM)

I don't get what you're after.  Do you want to fix the reason for the error or do you just want it not to log?  If you fix it, then it will log success instead of failure, so the second obective would never be reached.  If you don't want to see it in the log, just set a filter to hide it.

Why did you change to WPAD port from 80 to 8080?  How are you serving up WPAD, by DNS or DHCP?  Are you actually using WPAD or is this just accidental?



Arch Willingham -> RE: What are the WPAD entries in my ISA2004 logs? (19.Mar.2006 4:08:42 PM)

I'd love to fix it! The only reason I mentioned the logging part was - if it was not fixable- I wanted to turn off logging of the probem.

With that said, I have the DHCP thingy turned on (252) and pointing to port 8080. I did find an entry DNS that was set a logn time ago. I just killed the DNS entry after reading it can only point at port 80.

Also, if it means anything, none of the XP machines do this....only the Server 2003 (SP1) machines make the inquiry. 

Arch



LLigetfa -> RE: What are the WPAD entries in my ISA2004 logs? (19.Mar.2006 4:16:24 PM)

quote:

only the Server 2003 (SP1) machines make the inquiry

ugh

FWC should not be installed on servers.  Is the server getting its IP from DHCP?  If not, it will not get the WPAD URL.



Arch Willingham -> RE: What are the WPAD entries in my ISA2004 logs? (19.Mar.2006 4:20:31 PM)

They are teminal servers and one domain contoller. Their IP's are static and the FWC has been told not to autodetect the ISA server....is name is entred manually.



LLigetfa -> RE: What are the WPAD entries in my ISA2004 logs? (19.Mar.2006 4:28:28 PM)

OK, I absolve your sin on the Terminal Server. [8D]



Arch Willingham -> RE: What are the WPAD entries in my ISA2004 logs? (19.Mar.2006 4:39:45 PM)

I'll be honset, I never heard you were not supposed to put it on a contoller!



Page: [1]