Solved

configure "wpad " on DHCP

Posted on 2009-04-21
8,546 Views
Last Modified: 2012-05-06
I found this link http://www.findproxyforurl.com/wpad_tutorial.html on how to configure WPAD. I want to know, once it is configured on DHCP, how I can confirm that the WPAD has been sent to the DHCP user, and whether it updates IE 7 too.
Question by:KANEWONG
19 Comments
 
Expert Comment by amaru21 (LVL 3), ID: 24200954
Make sure you have IE configured to automatically detect settings.  Go to Tools -> Internet Options -> Connections -> LAN Settings.

Once the browser is opened it should make a DHCPINFORM request to the DHCP server.  The server should return the URL for the WPAD location.

To see the actual DHCP queries/responses, you can use a packet sniffer such as Wireshark.

More info on WPAD:
http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

Author Comment by KANEWONG (LVL 1), ID: 24201221
Does it mean I have to complete the following steps?

1. configure DHCP for the 252 code type entry.
2. configure DNS to add "wpad" as a host name.
3. configure IE on each computer (or use Group Policy to deploy the IE setting)

Is anything else missing?

Author Comment by KANEWONG (LVL 1), ID: 24201260
I added wpad as a host name "A" record to my dns but I cannot ping it.

Accepted Solution by mchkorg (LVL 7, earned 1000 total points), ID: 24202273
Hi, the solution based on DNS is easier than DHCP.
You should:

1) add a DNS record called "wpad" (meaning, wpad.your.domain) pointing to an internal web server

2) on this machine (hosting a web server, I said!), put a wpad.dat file in the web server's root, so that http://wpad.your.domain/wpad.dat (or http://wpad/wpad.dat) is available to everyone

3) this wpad.dat file must be a "PAC" script file (see below) that will tell a browser where the proxy is, when you need it (example: not for internal accesses, only for the internet)

4) configure your browsers (let's say, IE) to "auto detect proxy settings", uncheck everything else. You might spread it via GPOs, reg netlogon files, whatever...
(For Firefox, look here: http://sourceforge.net/projects/firefoxadm)

5) restart your browser: a browser will get the wpad.dat file once, for the very first request it'll perform. Restart IE and everything based on IE

6) check your web server's access log file, to see if your computer requested the wpad.dat file

7) check your proxy access log file to see if everything goes well

If you want more info on PAC files, tell me. Wikipedia will give you the basics (and you don't need more). Same for WPAD, it will explain how browsers are using WPAD (in a few words, it's what I've told you)

Example of a simple PAC file:


function FindProxyForURL(url, host)
{
    // Hosts on the internal 192.168.0.0/16 network: connect directly, no proxy
    if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    // Loopback: connect directly
    else if (isInNet(host, "127.0.0.1", "255.255.255.255")) {
        return "DIRECT";
    }
    // Everything else (the internet): go through the proxy
    else {
        return "PROXY your_proxy:3128_or_whatever_port_its_listening_to";
    }
}

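As an added example (not code from the thread), here is a small JavaScript harness that evaluates the PAC rules above offline, so a wpad.dat can be checked before it is published. It re-implements the browser's isInNet() helper for IPv4 literals only, uses a placeholder proxy address (proxy.example.local:3128) and runs constructed test hosts through the same decision logic.

```javascript
// Added example, not from the thread: evaluate a PAC/wpad.dat rule set offline.
// Browsers supply helpers such as isInNet(); the IPv4-literal subset is re-implemented
// here so the routing decisions can be unit-tested before the file is deployed.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;                      // not a dotted-quad IPv4 literal
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

// PAC isInNet(host, pattern, mask): true when host (an IPv4 literal here) lies in pattern/mask.
// A real browser resolves host names first; this harness treats a non-literal as "not in net",
// which is also why PAC files usually test dnsDomainIs() before isInNet() to avoid DNS lookups.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Same decision logic as the PAC file posted above, with a placeholder proxy address.
function FindProxyForURL(url, host) {
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (isInNet(host, "127.0.0.1", "255.255.255.255")) return "DIRECT";
  return "PROXY proxy.example.local:3128"; // placeholder, not a real proxy
}

// Run a table of [host, expected prefix] cases through the PAC function and return the
// failures, so a deployment script can refuse to publish a wpad.dat whose routing is wrong.
function checkPac(cases) {
  return cases
    .map(([host, want]) => ({ host, want, got: FindProxyForURL("http://" + host + "/", host) }))
    .filter((r) => !r.got.startsWith(r.want));
}

const SAMPLE_CASES = [            // constructed cases
  ["192.168.1.10", "DIRECT"],
  ["192.168.255.254", "DIRECT"],
  ["127.0.0.1", "DIRECT"],
  ["10.0.0.5", "PROXY"],          // outside the 192.168/16 range
  ["198.51.100.7", "PROXY"],
];

if (typeof require !== "undefined" && require.main === module) {
  const failures = checkPac(SAMPLE_CASES);
  console.log(failures.length === 0 ? "PAC routing OK" : failures);
}
```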
 
Author Comment by KANEWONG (LVL 1), ID: 24206024
Regarding the PAC file: because it will look at the wpad.dat file on a web server, if I am using my laptop at home or at a hotel, what happens?  Would it affect my browsing the internet directly from home or from a public network like Wi-Fi?

By the way, I added a Host (A) record of wpad to point to my server but it cannot resolve the name, any idea?  I added "wpad" to DNS and made it like wpad.company.local, but when I ping either "wpad" or "wpad.w3.local", the message is "...could not find host wpad.company.local"

Expert Comment by mchkorg (LVL 7), ID: 24206237
Hi,
Look here: http://en.wikipedia.org/wiki/Wpad
It says your browser will try:
http://wpad.department.branch.example.com/wpad.dat
http://wpad.branch.example.com/wpad.dat
http://wpad.example.com/wpad.dat
http://wpad.com/wpad.dat (in incorrect implementations, see note in Security below)
THEN: it'll give up.
Don't make that wpad.dat file available from the outside, it would be nonsense. Notice that wpad.com/wpad.dat does not exist, hopefully (look here: http://wpad.com/)

So, when in a hotel, it won't find the file and will switch to a "no-proxy-at-all" configuration :) which is what you probably want :)

Regarding your DNS:
- You should create an entry like: wpad (CNAME) webserver.company.com.  (don't forget the trailing dot)
- Did you restart your DNS? You might have some replication latency between your different DNS servers (if many)
- ping might not answer, depending on these servers' firewall; you should first test your connectivity with (from cmd.exe) "nslookup wpad" or "nslookup your_web_server.company.com". Then maybe a "telnet one_server 80" to see if the web server is responding

OK?
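An added example (not from the thread) that builds, from a client's FQDN, the list of wpad.dat URLs the DNS search described above would try, in that order. It applies the stop rule a correct implementation uses: the search ends at the organisation's own domain, so a bare top-level name such as wpad.com is never queried. The client names are constructed.

```javascript
// Added example, not from the thread. Given a client's FQDN, list the wpad.dat URLs a
// browser tries during WPAD DNS devolution, in the order the comment above shows.
// A correct implementation stops at the organisation's own domain and never asks a
// bare second-level/top-level name (the wpad.com case), so that rule is applied here.
function wpadCandidates(fqdn) {
  const labels = fqdn.toLowerCase().replace(/\.$/, "").split(".").filter(Boolean);
  const urls = [];
  // drop the host label (i = 1), then strip one leading label per round; keep at
  // least two labels so the search ends at e.g. example.com or company.local
  for (let i = 1; labels.length - i >= 2; i++) {
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  return urls; // empty when the client has no private domain to search (e.g. "host.com")
}

// Constructed client names: the thread's .local suffix, a deep corporate name and a
// short name that must produce no lookups at all.
const SAMPLE_CLIENTS = ["pc1.department.branch.example.com", "laptop.company.local.", "host.com"];

if (typeof require !== "undefined" && require.main === module) {
  for (const c of SAMPLE_CLIENTS) console.log(c, "->", wpadCandidates(c));
}
```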

Expert Comment by mchkorg (LVL 7), ID: 24206253
try to flush your DNS cache, just in case
cmd -> ipconfig /flushdns

Author Comment by KANEWONG (LVL 1), ID: 24206710
First of all, I removed my Host (A) record for wpad and added it as a CNAME record, then restarted the DNS server service; I also flushed the DNS on my workstation, but still no help.

For the wpad.dat file, I just need it on my local web server.  For those users who brought a laptop to a hotel or home, they will go to internet sites directly because the DHCP server on that network would not broadcast the "252 wpad" record to the client, right?

Expert Comment by mchkorg (LVL 7), ID: 24206850
Yes.
When you say "local web server", do you mean "one web server available to everyone in the company", or "some web server you installed locally on your computer to test some things"? I hope it's the first one :)

Forget about the DHCP 252 stuff.
WPAD can be set up in 2 ways: via DHCP, via DNS.
The DNS solution is easier, because you just have to create a "wpad" entry in the DNS and make it point to a web server.
If you've set up something in the DHCP related to WPAD, you should remove it to test my solution, I guess (afraid of side-effects if playing with both)

The CNAME trick is just to be more flexible:
- Either wpad points to an IP (A) record, your web server's IP
- or wpad points to an alias (CNAME), your web server's hostname. If your web server's IP changes one day (for some reason), your wpad DNS entry will still work, that's all.

In a hotel, if they're configured with DHCP, this hotel's DHCP server will assign whatever IP + DNS + optionally a WPAD entry + surely a credit-card web interface :)
Don't bother: if you're entirely "automatic" in your company (DHCP, DNS, WPAD, "auto detect proxy settings"), your computer will be configured the easiest way (and no user interaction should be required - no proxy modification, nothing)

OK, see you tomorrow (7pm here) if it still doesn't work

regards

Author Comment by KANEWONG (LVL 1), ID: 24206966
I am using an existing web server on the local LAN to do my test, which can be accessed by everyone in the company.  On this web server, I added an IP address and a new site under IIS, mapping the new IP to the site, and I placed the wpad.dat file under the C:\InetPub\wwwroot\wpad directory.

I have removed the 252 option under my DHCP server, and am just using a new Host (A) record for "wpad" which is mapped to the new IP on the web server, but still no luck with name resolution.

According to your solution, I just use either the DNS method or the DHCP method, not both, and just configure my IE 7 for auto detect proxy settings under LAN settings, right?

Author Comment by KANEWONG (LVL 1), ID: 24207235
Weird!

On the DNS server, I used another host name "tw" as a Host (A) record pointing to the same IP address as "wpad"; it works fine for name resolution and ping.  However, when I ping "wpad", it does not work on any computer in the LAN; it looks like it does not like this name.

Author Comment by KANEWONG (LVL 1), ID: 24210858
Is wpad.company.local allowed?  I read some other sites; most of the FQDNs for wpad are using a .com domain, such as wpad.company.com

I have no clue why I cannot use wpad.company.local on my DNS. I am using Windows Server 2008 as my DNS server for AD.

Expert Comment by mchkorg (LVL 7), ID: 24212172
Hi
I'm using a .mycomp.local FQDN, too. No problem.

You must have something wrong in your DNS, for sure.
I'll suppose your configuration in IIS is OK

Do these, it'll give us some clues:

- Did you restart it?
- Do a test: name your entry "blah" (if you're afraid it's related to the name) and test. It'll tell us if it's a server-side problem, or on your computer's side
- Test it all (at least the name resolution) from another computer
- Are you sure you don't have any network restriction on your computer?
- Did you try "nslookup wpad" instead of ping (just to tell the difference between a pure DNS problem and a network problem)?
- Check your c:\WINDOWS\system32\drivers\etc\hosts to see if wpad isn't bound to something strange
- Try http://ip.ad.dr.ess/ instead of the name, hoping IIS will allow access by IP (I don't know IIS much. I'm generally using Apache and I'm thinking about VirtualHosts that can matter when accessing by IP instead of names)
- If you already have DNS entries pointing to this IP, are you sure you haven't messed up the reverse-DNS entries?
- Does wpad CNAME -> tw help? Be careful, you have to enter its FQDN with a trailing dot: tw.comp.local.

(Yes, you just have to configure IE 7 for auto detect proxy settings under LAN settings)

Author Comment by KANEWONG (LVL 1), ID: 24215920
I tried everything; it works except using "wpad".
When I use "blah" as a CNAME pointing to tw.company.local, it works fine, but when I map "blah" as a CNAME to wpad.company.local, it won't work.  Both wpad.company.local and tw.company.local are mapped to the same IP address.  And the IP address is working fine.

I inspected the "hosts" file; nothing for "wpad"

Expert Comment by mchkorg (LVL 7), ID: 24216233
You really mean you can't define something called wpad?
O_o

I can't figure out why, sorry

At least, you might configure wpad.company.local in your c:\windows...\hosts file to force it to work from your computer. This way, you'll be able to see if everything works, except this DNS weirdness, which could be another question on EE?


Author Comment by KANEWONG (LVL 1), ID: 24218296
Hi,

I found this in the Event Log:

The global query block list is a feature that prevents attacks on your network by blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for wpad.company.local. even though data for this DNS name exists in the DNS database. Other queries in all locally authoritative zones for other names that begin with labels in the block list will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it.

Author Comment by KANEWONG (LVL 1), ID: 24218415
After updating the global query block list using this command, I can ping and do name resolution on wpad.

dnscmd  dns_server /config /globalqueryblocklist isatap

This problem can be solved by reading this KB document: http://technet.microsoft.com/en-us/library/cc794902.aspx

Windows Server 2008 blocks wpad and isatap by default for security reasons.

Expert Comment by mchkorg (LVL 7), ID: 24231541
Remind me not to move to win server 2008...
Glad it finally works!

Expert Comment by zygotes, ID: 26181314
An extra piece of information - I had the same problem with Server 2003. This support article describes how to disable the block list in Windows Server 2003.
http://support.microsoft.com/kb/968732