configure "wpad" on DHCP

I found this link http://www.findproxyforurl.com/wpad_tutorial.html on how to configure WPAD. I want to know, once it is configured on DHCP, how I can confirm that the WPAD has been sent to the DHCP user, and whether it updates IE 7 too.
KANEWONG asked:
mchkorg commented:
Hi, the solution based on DNS is easier than DHCP.
You should:

1) add a DNS record called "wpad" (meaning, wpad.your.domain) pointing to an internal web server

2) on this machine (hosting a web server I said!), put a wpad.dat file in the web server's root, so that http://wpad.your.domain/wpad.dat (or http://wpad/wpad.dat) is available to everyone

3) this wpad.dat file must be a "PAC" script file (see below) that will tell a browser where the proxy is, when you need it (example: not for internal accesses, only for the internet)

4) configure your browsers (let's say, IE) to "auto detect proxy settings", uncheck everything else. You might spread it via GPOs, reg netlogon files, whatever...
(For firefox, look here: http://sourceforge.net/projects/firefoxadm)

5) restart your browser: a browser will get the wpad.dat file once, for the very first request it'll perform. Restart IE and everything based on IE

6) check your web server's access log file, to see if your computer requested the wpad.dat file

7) check your proxy access log file to see if everything goes well

If you want more info on PAC files, tell me. Wikipedia will give you the basics (and you don't need more). Same for WPAD, it will explain how browsers are using WPAD (in a few words, it's what I've told you)


Example of a simple PAC file attached:

function FindProxyForURL(url, host) {
    // Internal hosts (192.168.0.0/16): go direct, no proxy
    if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    // Loopback: go direct
    else if (isInNet(host, "127.0.0.1", "255.255.255.255")) {
        return "DIRECT";
    }
    // Everything else (the internet): through the proxy
    else {
        return "PROXY your_proxy:3128_or_whatever_port_its_listening_to";
    }
}

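To show how a browser evaluates a PAC script like the one in that answer, here is an added example (mine, not part of mchkorg's answer): the same FindProxyForURL logic with local stand-ins for the browser's built-in isInNet() and dnsResolve() helpers, so it can be run under Node without a browser. The proxy name proxy.company.local:3128, the 192.168.0.0/16 range and the lookup table are assumptions/constructed values.

```javascript
// Added example, not from the original answer. Browsers supply isInNet() and
// dnsResolve() to PAC scripts; here they are implemented locally so the decision
// logic can be exercised offline. Proxy name, range and DNS table are placeholders.

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("not a dotted-quad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Constructed stand-in for the browser's dnsResolve(); 203.0.113.0/24 is TEST-NET-3.
const FAKE_DNS = {
  "intranet.company.local": "192.168.10.5",
  "wpad.company.local": "192.168.10.20",
  "www.example.com": "203.0.113.10",
};

function dnsResolve(host) {
  return FAKE_DNS[host] || null;
}

// Same semantics as the PAC built-in: host may be a name (resolved first) or a
// literal IPv4 address; an unresolvable name is never "in" the network.
function isInNet(host, pattern, mask) {
  const ip = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// The PAC logic from the answer, with the proxy placeholder filled in.
function FindProxyForURL(url, host) {
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (isInNet(host, "127.0.0.1", "255.255.255.255")) return "DIRECT";
  return "PROXY proxy.company.local:3128";
}

// Stand-alone run: one internal name, one literal internal IP, one external name.
if (typeof require !== "undefined" && require.main === module) {
  for (const h of ["intranet.company.local", "192.168.3.4", "www.example.com"]) {
    console.log(h, "->", FindProxyForURL("http://" + h + "/", h));
  }
}
```

One thing the answer's script does not make obvious: isInNet() on a host name forces a DNS lookup for every request that reaches it, so the browser's access pattern in your DNS logs will change once the PAC is in use; a name that fails to resolve falls through to the proxy branch rather than going direct.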
 
amaru21 commented:
Make sure you have IE configured to automatically detect settings.  Go to Tools -> Internet Options -> Connections -> LAN Settings.

Once the browser is opened it should make a DHCPINFORM request to the DHCP server.  The server should return the URL for the WPAD location.

To see the actual DHCP queries/responses, you can use a packet sniffer such as Wireshark.

More info on WPAD:
http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
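To make the "confirm that the server returned option 252" step concrete without eyeballing a Wireshark dissection, here is an added example (mine, not part of amaru21's answer) that decodes the option area of a DHCP message and reports whether an ACK carried the WPAD URL. The DHCP reply it builds is constructed, and the URL and server address in it are placeholders.

```javascript
// Added example, not code from the original answer: decode the RFC 2132 option
// area of a DHCP message (the bytes a sniffer shows for a DHCPACK) and extract
// option 252, the WPAD URL. The sample reply is constructed; URL and server
// identifier are placeholders.

const MAGIC_COOKIE = [0x63, 0x82, 0x53, 0x63];
const OPT_MESSAGE_TYPE = 53;
const OPT_SERVER_ID = 54;
const OPT_WPAD = 252;
const DHCPACK = 5;

function concatBytes(a, b) {
  const out = new Uint8Array(a.length + b.length);
  out.set(a, 0);
  out.set(b, a.length);
  return out;
}

// Parse the options after the 236-byte fixed header and the magic cookie into a
// Map of option code -> Uint8Array value. Pad (0) has no length byte; end (255) stops.
function parseDhcpOptions(msg) {
  if (msg.length < 240) throw new Error("too short to be a DHCP message");
  for (let k = 0; k < 4; k++) {
    if (msg[236 + k] !== MAGIC_COOKIE[k]) throw new Error("DHCP magic cookie missing");
  }
  const opts = new Map();
  let i = 240;
  while (i < msg.length) {
    const code = msg[i++];
    if (code === 0) continue;
    if (code === 255) break;
    if (i >= msg.length) throw new Error("truncated option " + code);
    const len = msg[i++];
    if (i + len > msg.length) throw new Error("option " + code + " overruns the message");
    const value = msg.slice(i, i + len);
    // A code may repeat when a value exceeds 255 bytes (RFC 3396): concatenate.
    opts.set(code, opts.has(code) ? concatBytes(opts.get(code), value) : value);
    i += len;
  }
  return opts;
}

// WPAD URL from a DHCPACK, or null when the server sent no option 252 or the
// message is not an ACK (the only reply whose settings the client applies).
function wpadUrlFromDhcp(msg) {
  const opts = parseDhcpOptions(msg);
  const type = opts.get(OPT_MESSAGE_TYPE);
  if (!type || type.length !== 1 || type[0] !== DHCPACK) return null;
  const raw = opts.get(OPT_WPAD);
  if (!raw) return null;
  const text = Array.from(raw, (b) => String.fromCharCode(b)).join("");
  // Defensive: drop a trailing NUL or newline if the server appended one.
  return text.replace(/[\0\r\n]+$/, "");
}

// Constructed DHCP reply: BOOTREPLY header, cookie, message type, server id,
// optional option 252, end marker. Not a capture from a real server.
function buildSampleReply(messageType, wpadUrl) {
  const header = new Uint8Array(236);
  header[0] = 2;  // op = BOOTREPLY
  header[1] = 1;  // htype = Ethernet
  header[2] = 6;  // hlen
  const body = [...MAGIC_COOKIE, OPT_MESSAGE_TYPE, 1, messageType,
                OPT_SERVER_ID, 4, 192, 168, 10, 1];
  if (wpadUrl !== null) {
    const bytes = Array.from(wpadUrl, (ch) => ch.charCodeAt(0));
    body.push(OPT_WPAD, bytes.length, ...bytes);
  }
  body.push(255);
  return concatBytes(header, Uint8Array.from(body));
}

if (typeof require !== "undefined" && require.main === module) {
  const ack = buildSampleReply(DHCPACK, "http://wpad.company.local/wpad.dat");
  console.log("option 252:", wpadUrlFromDhcp(ack));
}
```

Because the client only applies what arrives in the ACK, a DHCPOFFER that carries option 252 is not proof that the client received it; check the ACK that answers the DHCPINFORM. The same parser also tells you which server identifier (option 54) answered, which is the first thing to verify if an unexpected proxy URL shows up on a client.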
 
KANEWONG (author) commented:
Does it mean I have to complete the following steps?

1. configure the dhcp for 252 code type entry.
2. configure the dns for adding "wpad" as a host name.
3. configure the IE for each computer (or using Group Policy to deploy the IE setting)

anything else missing?
 
KANEWONG (author) commented:
I added wpad as a host name "A" record to my dns but I cannot ping it.
 
KANEWONG (author) commented:
Regarding the PAC file, because it will look at the wpad.dat file on a web server, if I am using my laptop at home or at a hotel, what happens? Would it affect my browsing the internet directly from home or from a public network like Wi-Fi?

By the way, I added a Host (A) record of wpad to point to my server but it cannot resolve the name, any idea? I added "wpad" to DNS and made it like wpad.company.local, but when I ping either "wpad" or "wpad.w3.local", the message is "...could not find host wpad.company.local"
 
mchkorg commented:
Hi,
Look here: http://en.wikipedia.org/wiki/Wpad
It says your browser will try:
http://wpad.department.branch.example.com/wpad.dat
http://wpad.branch.example.com/wpad.dat
http://wpad.example.com/wpad.dat
http://wpad.com/wpad.dat (in incorrect implementations, see note in Security below)
THEN : it'll give up.
Don't make that wpad.dat file available from the outside, it would be nonsense. Notice that wpad.com/wpad.dat does not exist, hopefully (look here: http://wpad.com/)

So, when in a hotel, it won't find the file and switch to a "no-proxy-at-all" configuration :) which is what you probably want :)

Regarding your DNS:
- You should create an entry like: wpad (CNAME) webserver.company.com. (don't forget the trailing dot)
- did you restart your DNS ? you might have some replication latency between your different DNS (if many)
- ping might not answer, depending on these servers' firewall; you should first test your connectivity with (from cmd.exe) "nslookup wpad" or "nslookup your_web_server.company.com". Then maybe a "telnet one_server 80" to see if the web server is responding

OK?
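The candidate list quoted above is what a correct client derives from its own FQDN. As an added example (mine, not from mchkorg's post), this function reproduces that walk and stops before the query would leave the organisation's domain, which is the "wpad.com" failure the Wikipedia note refers to. The client names used and the two-label cut-off are assumptions.

```javascript
// Added example, not code from the original post: the DNS-based WPAD candidate
// URLs a client derives from its own FQDN by dropping one leading label at a time.
// minLabels is an assumed, deliberately simple cut-off that stops the walk before
// the bare top-level domain (the incorrect "wpad.com" lookup); a real client needs
// a public suffix list to know where the organisation's domain ends.

function wpadCandidateUrls(clientFqdn, minLabels = 2) {
  const labels = clientFqdn
    .toLowerCase()
    .replace(/\.$/, "")   // tolerate a trailing dot
    .split(".")
    .filter(Boolean);     // drop empty labels from stray dots
  const urls = [];
  // start = 1 drops the host's own label; keep going while at least minLabels remain
  for (let start = 1; labels.length - start >= minLabels; start++) {
    const domain = labels.slice(start).join(".");
    urls.push("http://wpad." + domain + "/wpad.dat");
  }
  return urls;
}

// Given a resolver answer set (constructed Map of name -> address), report which
// candidate the client would actually fetch: the first one that resolves.
function firstResolvableCandidate(clientFqdn, resolver) {
  for (const url of wpadCandidateUrls(clientFqdn)) {
    const host = url.slice("http://".length, url.indexOf("/wpad.dat"));
    if (resolver.has(host)) return url;
  }
  return null;   // nothing resolved: the client falls back to "no proxy"
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(wpadCandidateUrls("pc1.department.branch.example.com"));
  // Constructed resolver: only the company's own wpad name exists internally.
  const internalDns = new Map([["wpad.company.local", "192.168.10.20"]]);
  console.log(firstResolvableCandidate("laptop.company.local", internalDns));
  console.log(firstResolvableCandidate("laptop.hotel-guest.example", new Map()));
}
```

The second function is the "hotel" case from the thread: with no resolver entry for any candidate the result is null and the browser proceeds without a proxy, exactly as the post says. The crude two-label cut-off is also the caveat: on a host such as host.company.co.uk it would still produce wpad.co.uk, a name the organisation does not control, which is why correct clients consult a public suffix list and why wpad.dat must only be reachable from the internal network.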
 
mchkorg commented:
try to flush your DNS cache, just in case
cmd -> ipconfig /flushdns
 
KANEWONG (author) commented:
First of all, I removed my Host (A) record for wpad, added it as a CNAME record and restarted the DNS server service; I also flushed the DNS on my workstation, but still no help.

For the wpad.dat file, I just need it on my local web server. For those users who brought a laptop to a hotel or home, they will go to internet sites directly because the DHCP server from that network would not broadcast the "252 wpad" record to the client, right?
 
mchkorg commented:
yes
When you say "local web server", you mean "one web server available to everyone in the company", or "some web server you installed locally on your computer to test some things" ? I hope it's the first one :)

Forget about the DHCP 252 stuff.
WPAD can be set up in 2 ways: via DHCP, via DNS
DNS solution is easier, because you just have to create a "wpad" entry in the DNS and make it point to a web server
If you've setup something in the DHCP related to WPAD, you should remove it to test my solution, I guess (afraid of side-effects if playing with both)

The CNAME trick is just to be more flexible:
- Either wpad points to an IP (A) record, your web server's IP
- or wpad points to an alias (CNAME), your web server's hostname. If your web server's IP changes one day (for some reason), your wpad DNS entry will still work, that's all.

In a hotel, if they're configured with DHCP, this hotel's DHCP server will assign whatever IP + DNS + optionally a WPAD entry + surely a credit-card web interface :)
Don't bother, if you're entirely "automatic" in your company (DHCP, DNS, WPAD, "auto detect proxy settings"), your computer will be configured the easiest way (and no user interaction should be required - no proxy modification, nothing)

OK, see you tomorrow (7pm here) if it still doesn't work

regards
 
KANEWONG (author) commented:
I am using an existing web server on local LAN to do my test which can be accessed by everyone in company.  On this web server, I added an ip address and a new site under IIS, mapping the new ip to the site, and I placed the wpad.dat file under C:\InetPub\wwwroot\wpad directory.

I have removed the 252 option under my DHCP server, and just using a new Host (A) record for "wpad" which mapped to my new ip on web server but still no luck to do name resolution.

Subject to your solution, if I just use either DNS method or DHCP method, not both, and I just configured my IE 7 for auto detect proxy settings under LAN setting right?  
 
KANEWONG (author) commented:
weird!

On the DNS server, I used another host name "tw" as a Host (A) record pointing to the same IP address as "wpad", and it works fine for the name resolution and the ping. However, when I ping "wpad", it does not work on any computer in the LAN; it looks like it does not like this name.
 
KANEWONG (author) commented:
Is wpad.company.local allowed? I read some other sites, and most of the wpad FQDNs are using a .com domain, such as wpad.company.com

I have no clue why I cannot use wpad.company.local on my DNS; I am using Windows Server 2008 as my DNS server for AD.
 
mchkorg commented:
Hi
I'm using a .mycomp.local FQDN, too. No problem.

You must have something wrong in your DNS, for sure.
I'll suppose your configuration in IIS is OK

Do these, it'll give us some clues:

- Did you restart it?
- Do a test: name your entry "blah" (if you're afraid it's related to the name) and test. It'll tell us if it's a server-side problem, or on your computer's side
- Test it all (at least the name resolution) from another computer
- Are you sure you don't have any network restriction on your computer?
- Did you try "nslookup wpad" instead of ping (just to make the difference between a pure DNS problem and a network problem)?
- Check your c:\WINDOWS\system32\drivers\etc\hosts to see if wpad isn't bound to something strange
- Try http://ip.ad.dr.ess/ instead of the name - hoping IIS will allow access by IP (I don't know IIS much. I'm generally using Apache and I'm thinking about VirtualHost, which can matter when accessing by IP instead of names)
- If you already have DNS entries pointing to this IP, are you sure you don't mess up with reverse-DNS entries?
- Does wpad CNAME -> tw help? Be careful, you have to enter its FQDN with a trailing dot: tw.comp.local.

(yes, you just have to configure IE 7 for auto detect proxy settings under LAN setting)
 
KANEWONG (author) commented:
I tried everything, and it works except using "wpad".
When I use "blah" as a CNAME pointing to tw.company.local, it works fine, but when I map "blah" as a CNAME to wpad.company.local, it won't work. Both wpad.company.local and tw.company.local are mapped to the same IP address. And the IP address is working fine.

I inspected the "hosts" file, nothing for "wpad"
 
mchkorg commented:
You really mean you can't define something called wpad ?
O_o

I can't figure out why, sorry

At least, you might configure wpad.company.local in your c:\windows...\hosts file to force it to work from your computer. This way, you'll be able to see if everything works - except this weird DNS thing - which could be another question on EE?

KANEWONG (author) commented:
Hi,

I found this on Event Log

The global query block list is a feature that prevents attacks on your network by blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for wpad.company.local. even though data for this DNS name exists in the DNS database. Other queries in all locally authoritative zones for other names that begin with labels in the block list will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it.
 
KANEWONG (author) commented:
After updating the global query block list with this command, I can ping and do name resolution on wpad.

dnscmd  dns_server /config /globalqueryblocklist isatap

This problem can be solved by reading this KB document: http://technet.microsoft.com/en-us/library/cc794902.aspx

Windows Server 2008 blocks wpad and isatap by default for security reasons.
 
mchkorg commented:
Remind me not to move to win server 2008...
Glad it finally works!
 
zygotes commented:
An extra piece of information - I had the same problem with Server 2003. This support article describes how to disable the block list in Windows Server 2003.
http://support.microsoft.com/kb/968732