Proxy pac file issues (Full Version)

All Forums >> [Threat Management Gateway (TMG) 2010] >> General


Crash28 -> Proxy pac file issues (20.Dec.2011 11:18:51 AM)

Seasons greetings everyone!!

We just implemented a proxy pac file which appeared to be working ok. That is until I tried to set my out of office in outlook. I receive the "Your automatic reply settings cannot be displayed because the server is currently unavailable. Try again later." error.

If I, in TMG console, Networking|Internal Properties|Forefront TMG Client, uncheck "Use automatic configuration script" and "Use a Web proxy server", and wait for the changes to apply, out of office works no problem.

Do I have a configuration issue within the proxy pac file? Anyone ran into this before? Please help as I'm sure by the end of the week people will try to set OOO before the holidays.


pwindell -> RE: Proxy pac file issues (20.Dec.2011 12:28:57 PM)

Why screw around with a ridgid inflexable PAC file when ISA builds its own script file on the fly and keeps it in sync with the ISA's settings.

WPAD Setup

Crash28 -> RE: Proxy pac file issues (20.Dec.2011 12:43:00 PM)

Is that the difference between checking "Use default URL" instead of "Use custom URL"?

pwindell -> RE: Proxy pac file issues (20.Dec.2011 12:46:38 PM)

Yes,...But you don't even need that at all.  Just leave it blank.  The only setting you need is the first check box that tell the browser to auto-detect.  Leave everything else blank.

1. The WPAD process tells the Client how to find the Script
2. The resulting Script tells the client how to find the proxy

It is a "two part" process.

Crash28 -> RE: Proxy pac file issues (20.Dec.2011 12:53:06 PM)

I'm not in a position to do that just yet. At least I don't think I am. We have our old proxy isa2004 still in production using wpad. I'd like to use wpad but can even have two wpad entries?

pwindell -> RE: Proxy pac file issues (20.Dec.2011 1:00:08 PM)

No you can't have two WPAD entries unless you divide the LAN into subnets. Then you can have a different one for each subnet via making it a Scope Option rather than a Server Option in DHCP.  However DNS is not flexable enough for thate so you couldn't use DNS with it (which is bad).

Now with DNS you should make a CNAME called "wpad" in all lower case.  In Server2003 or newer make sure you remove "wpad" from the Restricted DNS names list.  Then in the DHCP Settings you reference it via the "wpad" name (  This way when you change from the ISA2004 to the ISA2006 all you have to do is re-point the DNS CNAME to the new proxy and everything else is automatic.

But in the mean time you are stuck with manual PAC files or just manual proxy settings for your "testing" of the new ISA2006.

Crash28 -> RE: Proxy pac file issues (21.Dec.2011 5:36:43 PM)

Now I'm stuck. Through the process of elimination I've found the cause of my OOO issue. Using the automatic configuration script option, I copied the contents of the default script and saved it as proxy.pac. Both files are identical. If my custom url points to:

my OOO works no problem.

If I change the url to the proxy.pac file:


OOO does NOT work.

Is my custom url syntax correct when using a file based proxy pac file?


pwindell -> RE: Proxy pac file issues (22.Dec.2011 9:40:13 AM)



Don't monkey with the ports.  That would stay on 8080.  That is not a "script",...that is a command that tells it to use a script, not the same thing.

The actual WPAD script,..if you use the one generated by the ISA,... it is published over 80,..not 8080,...and never change that or DNS will fail to deal with it,...DNS will only work with WPAD over 80 and it cannot be changed,...that is an industry thing,..not an MS thing..


my OOO works no problem.

If I change the url to the proxy.pac file:


I belive it has to be a URL, not a UNC path.  So, has to sit on a Web Sever within a website that is reachable via URL.  Since you will not have a web Server running on the ISA you have to move the file to another machine that has a web server.  The dymanic WPAD script in ISA will publish from the ISA (just like if it was on a Web Server) because that ability is built into the ISA,...but you can't do that with a custom script, have to put it on a web server somewhere.

Page: [1]