Configuring Virtual IP in WPAD.DAT file as web proxy server

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> General >> Configuring Virtual IP in WPAD.DAT file as web proxy server Page: [1]
Login
Message << Older Topic   Newer Topic >>
Configuring Virtual IP in WPAD.DAT file as web proxy se... - 2.Feb.2009 9:02:11 AM   
Suneel.sharma

 

Posts: 15
Joined: 29.Apr.2008
Status: offline
Hi ,
2 ISA servers are configured in NLB with CARP and Virtual IP is 10.113.26.80,
Dedicated IPs : 10.113.26.48 ,& 10.113.26.49
earlier there was only a single proxy configured in the LAN, which was 10.113.26.80, and I have a lot of Isolated ODCs in the network whose firewall is managed only by the client, so I don't want to send any change request to the client to allow IPs.

WPAD is configured in DHCPs with the NLB IP, but WPAD returns the dedicated IPs of the proxies if I use "Automatic Configuration Detect Setting" on the client, and the dedicated IPs are not allowed for the LAN ..
but if i use manual Proxy setting for that NLB IP all works fine .
is there any way to change the Proxy IP in the WPAD.dat file on the ISA server if WPAD is discovered on ISA ?
where WPAD.DAT file exists in ISA ?
//Copyright (c) 1997-2006 Microsoft Corporation
// Route appended after the proxy list in FindProxyForURL; "DIRECT" means
// connect without a proxy if every listed proxy fails.
BackupRoute="DIRECT";
// When true, plain (dotless) host names are treated as direct-access
// candidates in FindProxyForURL.
UseDirectForLocal=true;
// Constructor for the table of (address, mask) pairs that bypass the proxy.
// ISA emitted no entries for this configuration, so the object stays empty.
function MakeIPs() {
  // intentionally empty: no direct-access IP ranges are configured
}
// Direct-access IP table built by MakeIPs (empty in this configuration).
DirectIPs=new MakeIPs();
// Number of elements in DirectIPs. FindProxyForURL walks it in steps of two
// (address, mask), so this counts elements, not pairs.
cDirectIPs=0;
// Constructor for the CARP exception list. Hosts or URLs matching one of these
// shell patterns are not distributed by host hash alone (see FindProxyForURL).
function MakeCARPExceptions() {
  var patterns = [
    "*.windowsupdate.com",
    "windowsupdate.microsoft.com",
    "*.windowsupdate.microsoft.com",
    "*.update.microsoft.com",
    "download.windowsupdate.com",
    "download.microsoft.com",
    "*.download.windowsupdate.com",
    "wustat.windows.com",
    "ntservicepack.microsoft.com"
  ];
  for (var idx = 0; idx < patterns.length; idx++) {
    this[idx] = patterns[idx];
  }
}
// CARP exception table built by MakeCARPExceptions.
CARPExceptions=new MakeCARPExceptions();
// Number of entries in CARPExceptions; must match what MakeCARPExceptions fills in.
cCARPExceptions=9;
// Constructor for the list of host-name patterns that bypass the proxy.
function MakeNames() {
  var names = ["myhcl.in", "hclt.corp.hcl.in"];
  for (var idx = 0; idx < names.length; idx++) {
    this[idx] = names[idx];
  }
}
// Direct-access host-name table built by MakeNames.
DirectNames=new MakeNames();
// Number of entries in DirectNames.
cDirectNames=2;
// Port appended to each proxy address in the returned "PROXY host:port" list.
HttpPort="3128";
// Number of array members FindProxyForURL scores and lists.
// NOTE(review): MakeProxies below defines two nodes but only one is counted
// here, so only Proxies[0] would ever be returned as listed; confirm this
// value against a freshly downloaded copy of the script.
cNodes=1;
// Constructor for the array-member table: one Node per ISA server with its
// dedicated address, CARP hash seed and load factor.
// Note that the second hash literal exceeds 32 bits; the XOR in
// FindProxyForURL only uses its low 32 bits.
function MakeProxies() {
  var members = [
    ["10.113.26.49", 1369906838, 1.000000],
    ["10.113.26.48", 13899006848, 2.000000]
  ];
  for (var idx = 0; idx < members.length; idx++) {
    var m = members[idx];
    this[idx] = new Node(m[0], m[1], m[2]);
  }
}
// Array-member table; FindProxyForURL reads .load/.hash and writes .score per node.
Proxies = new MakeProxies();
// One array member as seen by the CARP selection in FindProxyForURL.
//   name - address placed in the returned "PROXY name:port" entry
//   hash - per-node seed XOR-ed with the request hash
//   load - multiplier applied to the scrambled hash
// score starts at 0 and is overwritten on every FindProxyForURL call.
function Node(name, hash, load) {
  var node = this;
  node.name = name;
  node.hash = hash;
  node.load = load;
  node.score = 0;
  return node;
}
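// PAC entry point: returns the proxy list the client should use for url/host.
// Decision order:
//   1. streaming-media schemes (rtsp*/mms*) go DIRECT;
//   2. plain host names and DirectNames/DirectIPs matches go DIRECT;
//   3. otherwise the host is hashed (CARP), every array member is scored as
//      load * Scramble(hash ^ node hash), and members are listed best-first,
//      followed by BackupRoute.
// The addresses emitted come from Proxies[i].name, i.e. the dedicated server
// IPs, never an NLB virtual IP -- which is the behaviour asked about above.
// Every "[i]" index had been stripped from the copy posted in this thread
// (forum markup swallowed them); they are restored here so the loops actually
// index their tables instead of passing the whole table object.
function FindProxyForURL(url, host){
  var hash = 0, urllower, i, fIp = false, ip, nocarp = false, skiphost = false;
  var list = "", pl, j, score, ibest, bestscore;
  urllower = url.toLowerCase();
  // Streaming-media schemes are never proxied.
  if ((urllower.substring(0,5) == "rtsp:") ||
      (urllower.substring(0,6) == "rtspt:") ||
      (urllower.substring(0,6) == "rtspu:") ||
      (urllower.substring(0,4) == "mms:") ||
      (urllower.substring(0,5) == "mmst:") ||
      (urllower.substring(0,5) == "mmsu:"))
    return "DIRECT";
  // fIp marks the host as a direct-access candidate. With an empty DirectIPs
  // table that alone decides; otherwise the resolved address is checked below.
  if (UseDirectForLocal) {
    if (isPlainHostName(host))
      fIp = true;
  }
  for (i = 0; i < cDirectNames; i++) {
    if (shExpMatch(host, DirectNames[i])) {
      fIp = true;
      break;
    }
    if (shExpMatch(url, DirectNames[i]))
      return "DIRECT";
  }
  if (cDirectIPs == 0) {
    if (fIp)
      return "DIRECT";
  }
  else {
    ip = host;
    if (fIp)
      ip = dnsResolve(host);
    // Kept as ISA emits it: the '.' is unescaped, so this pattern also
    // accepts strings such as "1a2b3c4".
    var isIpAddr = /^(\d+.){3}\d+$/;
    if (isIpAddr.test(ip)) {
      // DirectIPs holds (address, mask) pairs, hence the step of 2.
      for (i = 0; i < cDirectIPs; i += 2) {
        if (isInNet(ip, DirectIPs[i], DirectIPs[i+1]))
          return "DIRECT";
      }
    }
    else if (isPlainHostName(host))
      return "DIRECT";
  }
  // CARP exceptions: a host match folds the client's own address into the
  // hash (nocarp); a URL match additionally skips hashing the host (skiphost).
  if (cCARPExceptions > 0) {
    for (i = 0; i < cCARPExceptions; i++) {
      if (shExpMatch(host, CARPExceptions[i])) {
        nocarp = true;
      }
      if (shExpMatch(url, CARPExceptions[i])) {
        nocarp = true;
        skiphost = true;
        break;
      }
    }
  }
  if (!skiphost)
    hash = HashString(host, hash);
  if (nocarp)
    hash = HashString(myIpAddress(), hash);
  // Score every array member and build an index list (pl) for the selection below.
  pl = new Array();
  for (i = 0; i < cNodes; i++) {
    Proxies[i].score = Proxies[i].load * Scramble(hash ^ Proxies[i].hash);
    pl[i] = i;
  }
  // Emit members best-score-first; each pick is swapped out of the candidate set.
  for (j = 0; j < cNodes; j++) {
    bestscore = -1;
    for (i = 0; i < cNodes - j; i++) {
      score = Proxies[pl[i]].score;
      if (score > bestscore) {
        bestscore = score;
        ibest = i;
      }
    }
    list = list + "PROXY " + Proxies[pl[ibest]].name + ":" + HttpPort + "; ";
    pl[ibest] = pl[cNodes - j - 1];
  }
  list = list + BackupRoute;
  return list;
}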
// 16-entry nibble table used by HashString: one entry per 4-bit value.
var h_tbl = [
  0x00000000, 0x10D01913, 0x21A03226, 0x31702B35,
  0x4340644C, 0x53907D5F, 0x62E0566A, 0x72304F79,
  0x8680C898, 0x9650D18B, 0xA720FABE, 0xB7F0E3AD,
  0xC5C0ACD4, 0xD510B5C7, 0xE4609EF2, 0xF4B087E1
];
// Folds the characters of str into the running 32-bit hash h, two nibbles per
// character via h_tbl. Characters are lower-cased first and hashing stops at
// the first ':' or '/'. Returns the updated hash.
function HashString(str, h) {
  var len = str.length;
  var pos = 0;
  while (pos < len) {
    var ch = str.charAt(pos);
    if (ch === ':' || ch === '/') {
      break;
    }
    var code = CharToAscii(ch.toLowerCase());
    h = (h >>> 4) ^ h_tbl[(h ^ code) & 15];
    h = (h >>> 4) ^ h_tbl[(h ^ (code >>> 4)) & 15];
    h = MakeInt(h);
    pos++;
  }
  return h;
}
// Mixes a 32-bit hash: a multiply-add on the two 16-bit halves, then an
// 11/21-bit rotate folded back in. Both steps are reduced with MakeInt.
function Scramble(h) {
  var lo = h & 0xffff;
  var hi = (h >> 16) & 0xffff;
  h += (lo * 0x1965) + ((hi * 0x1965) << 16) + ((lo * 0x6253) << 16);
  h = MakeInt(h);
  var rotated = ((h & 0x7ff) << 21) | ((h >> 11) & 0x1fffff);
  return MakeInt(h + rotated);
}
// Lookup string for CharToAscii: a character's index plus 32 is its code.
// The characters after '~' are garbled in this copy (rendered as '?'), so
// hashes of hosts containing non-ASCII characters cannot be reproduced from
// it; compare with a freshly downloaded wpad.dat before relying on them.
var Chars =" !\"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~???????????????????????? ­ ";
// Maps a single character to its code via the Chars table (index + 32).
// A character absent from Chars yields 31 (indexOf returns -1).
function CharToAscii(c) {
  var idx = Chars.indexOf(c);
  return idx + 32;
}
// Reduces x modulo 2^32 into the range [0, 2^32), so the hash arithmetic in
// HashString/Scramble stays an unsigned 32-bit value.
function MakeInt(x) {
  var modulus = 4294967296;
  var reduced = x % modulus;
  return reduced < 0 ? reduced + modulus : reduced;
}

_____________________________

Suneel Kumar harma
MCSA,CCNA,ITIL,Check Point.
Post #: 1
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 2.Feb.2009 10:59:30 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Check http://technet.microsoft.com/en-us/library/bb794779.aspx and http://technet.microsoft.com/en-us/library/cc713344.aspx 

When a client sends a request to DHCP server for WPAD then DHCP server sends the IP address of the server which holds the WPAD and WSPAD files. Make sure that you have a DNS entry for your NLB IP and that is being used in DHCP entry 252 for creating a wpad request.

Moreover, make sure that in the ISA nodes, under internal network properties, you have the DNS name under Firewall Clients which points to the IP address of the NLB IP

Hope that helps

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to Suneel.sharma)
Post #: 2
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 2.Feb.2009 12:56:33 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You would need to host the WPAD.DAT file on a separate web instance and then update DHCP to use this new location. You can then edit the file to return your chosen values. I think there is an article on here that explains hosting the WPAD.DAT external to ISA - you do lose ISA integration though

I notice that you .48 server has a higher load factor than .49 - is this on purpose?

Microsoft claim that client-side CARP and NLB work together, but as you have found, they don't really

You may find the following thread useful for a good overview: http://www.freelists.org/post/isapros/Web-Proxy-with-NLB-Back-to-basics,7

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to inderjeet)
Post #: 3
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 3.Feb.2009 1:39:47 AM   
Suneel.sharma

 

Posts: 15
Joined: 29.Apr.2008
Status: offline
Thanks Inderjeet to look out on this issue, I am not using DNS name in DHCP using NLB IP for wpad server .. all web proxy clients are able to browse internet /intranet sites with Automatic configuration is same network (10.113.0.0/16).
problem is only for Isolated ODCs as only Virtual IP is allowed in these LANs if they use automatic configuration WPAD IP (NLB IP,26.80) returns both proxies to client for making connections ,, I want to use NLB IP as proxy IP in WPAD.DAT replacing following boths in 26.80
this[0]=new Node("10.113.26.49",1369906838,1.000000);
this[1]=new Node("10.113.26.48",13899006848,2.000000

what is the location of WPAD.DAT file in ISA ?
What is your contact no. you may call me @ +91-9999002753.





_____________________________

Suneel Kumar harma
MCSA,CCNA,ITIL,Check Point.

(in reply to Jason Jones)
Post #: 4
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 3.Feb.2009 2:00:00 AM   
Suneel.sharma

 

Posts: 15
Joined: 29.Apr.2008
Status: offline
Thanks Jason , if I deploy wpad.dat file on any other web instance i need get that IP allowed in all ISOLATED lans, so is there any way to change wpad.dat file on ISA itself only ? please suggest .


_____________________________

Suneel Kumar harma
MCSA,CCNA,ITIL,Check Point.

(in reply to Suneel.sharma)
Post #: 5
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 3.Feb.2009 4:35:30 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Nope, ISA generates it internally.

If you read my link you will see you have a few options:

1) Host the WPAD.DAT on an external web server and modify it to use the VIP address - this is not ideal though as NLB and CARP have no integration hence NLB *could* send you to a server that doesn't have the correct cache content and hence negate the benefit of CARP. 

2) Live without client-side CARP and manage exceptions using Group Policy and IE exceptions. You then define a specific proxy server using the NLB VIP.

3) Do option 2 but enable server-side CARP to regain some caching benefit. 

None of the options are ideal, as discussed in my conversation with Tom and Jim in the link I sent you...

At the end of the day, you need to decide which is more important, High Availability (NLB) or Caching performance (CARP). Option 3 is the "best of both" if you cannot decide...

Cheers

JJ 

< Message edited by Jason Jones -- 3.Feb.2009 4:37:23 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Suneel.sharma)
Post #: 6
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 3.Feb.2009 9:39:23 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
quote:


what is the location of WPAD.DAT file in ISA ?


As Jason said, WPAD.DAT file is generated automatically by ISA internally. You may access that using the URL http://Computer_FQDN:Port/wpad.dat from any client machine. Once you get the WPAD.DAT file then you can edit and make use of it. But, everytime you make a change, you have to manually download it again and edit it as per your need.

How many ODCs are there? If they are just handful of them and the purpose is only to access internet, why not make them web proxy clients....

Moreover, AFAIK, whatever entries you get in the WPAD.DAT file, the automatic configuration script is going to use the VIP of the NLB for proxying the requests.....Am i correct Jason?



< Message edited by inderjeet -- 3.Feb.2009 9:55:30 AM >


_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to Suneel.sharma)
Post #: 7
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 4.Feb.2009 7:34:41 AM   
Suneel.sharma

 

Posts: 15
Joined: 29.Apr.2008
Status: offline
Thanks, Inderjeet & Jason !!
I will enable server side CARP after adding one new ISA server in the same array ..
Whatever I understood by this forum that we can not edit WPAD.DAT file on ISA. am i correct ?
if I want to make any changes in wpad.dat file then I need to deploy that wpad.dat file on another web server..
Jason if i installed IIS on any ISA server and deploy wpad.dat file on NLB IP would it work ? pls suggest.
Jason if u say 2) live without client-side CARP and manage exceptions using Group Policy and IE exceptions. You then define a specific proxy server using the NLB  can u pls explain it details ?
Inderjeet,  AFAIK, whatever entries you get in the WPAD.DAT file, the automatic configuration script is going to use the VIP of the NLB for proxying the requests.....Am i correct Jason? no it is not correct because when we use the automatic script, the script gives us whichever proxy IP is ready to handle our requests, calculated by the ISA algorithm.
but when we use the VIP of NLB manually for web proxy clients all proxying happens through the VIP only .
 
 

_____________________________

Suneel Kumar harma
MCSA,CCNA,ITIL,Check Point.

(in reply to inderjeet)
Post #: 8
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 4.Feb.2009 9:03:10 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
quote:


1. Whatever I understood by this forum that we can not edit WPAD.DAT file on ISA. am i correct ?

2. if I want to make any changes in wpad.dat file then I need to deploy that wpad.dat file on another web server..

Thanks for your answer Sunil

1. That's correct if you are referring to editing the WPAD.DAT on ISA. Since the file isnt there physically, you cant edit.

2. Correct. But, i would not recommend IIS on ISA because it is going to give issues in near future with Port mappings

Cheers

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to Suneel.sharma)
Post #: 9
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 5.Feb.2009 6:05:05 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: Suneel.sharma

Thanks, Inderjeet & Jason !!
I will enable server side CARP after adding one new ISA server in the same array ..
Whatever I understood by this forum that we can not edit WPAD.DAT file on ISA. am i correct ?
if I want to make any changes in wpad.dat file then I need to deploy that wpad.dat file on another web server..
Jason if i installed IIS on any ISA server and deploy wpad.dat file on NLB IP would it work ? pls suggest.
Jason if u say 2) live without client-side CARP and manage exceptions using Group Policy and IE exceptions. You then define a specific proxy server using the NLB  can u pls explain it details ?
Inderjeet,  AFAIK, whatever entries you get in the WPAD.DAT file, the automatic configuration script is going to use the VIP of the NLB for proxying the requests.....Am i correct Jason? no it is not correct bcoz when we use automatic script, script gives us any proxy IP which one is ready to handle our requests ,calculating by ISA algoritham.
but when we use VIP of NLB manulay for web proxy clients all proxying happen through VIP only .
 
 


Hi Suneel,

Apologies for the delay

Yep, the WPAD.DAT is internally created by ISA and you cannot amend the elements you describe. The file will always have the ISA Server dedicated (real) IP addresses and not the NLB VIP - that is how client-side CARP works.

If you want a custom WPAD.DAT then you should do this on an web server separate from ISA - putting any apps on ISA is not good security practice.

Yep - if you go for option 2, you then just define a proxy server address and use the NLB VIP or a DNS alias to this IP address (I think you already tried this step).

I'm not sure if you read the link I sent, but to summarise.

When you use WPAD or an automatic configuration script and define this using the NLB VIP, NLB is only providing fault tolerance and load balancing for obtaining this script. As soon as the client obtains the script, it will start using the CARP algorithm which will reference the ISA Server dedicated IP address and not the NLB VIP. This doesn't really provide a good high availability solution, but you do get the script benefits and CARP performance.

If you want a HA solution first and then you lose the benefits of the script and have to achieve this some other way IE GPOs etc. You can then configure all clients to use the NLB VIP as their static proxy server definition in IE. NLB will then provide proper load balancing and failover, but you will have duplicate cache content on both (or all) array members as CARP is not being used. You can go someway to solve this issue with server-side CARP as this will make array members aware of who has what cache content and retrieve it from each other as opposed to the Internet.

So =>

If you are primarily concerned with performance:

Web Proxy Client is supported by CARP

If you are primarily concerned with high availability:

Web Proxy Client is supported by NLB

If you are primarily concerned with high availability but want to maintain
distributed caching:

Web Proxy Client is supported by NLB and Server-side CARP (accepting additional intra-array traffic)

Hope this helps...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Suneel.sharma)
Post #: 10
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 6.Feb.2009 3:04:37 AM   
Suneel.sharma

 

Posts: 15
Joined: 29.Apr.2008
Status: offline
Hi !
Jason & Inderjeet Thank you very much to help me on this.
 
I would go through option no.3rd and CARP will be enabled on Servers & NLB ip will be configured in DHCP for wpad.dat .. it is providing HA & CARP functionality as well.
 
Thanks again for clearing my concept of NLB with CARP enabled.
 








_____________________________

Suneel Kumar harma
MCSA,CCNA,ITIL,Check Point.

(in reply to Jason Jones)
Post #: 11
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 6.Feb.2009 3:44:45 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Cool

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Suneel.sharma)
Post #: 12
RE: Configuring Virtual IP in WPAD.DAT file as web prox... - 6.Feb.2009 8:52:50 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Nice...

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to Suneel.sharma)
Post #: 13
