Troubleshooting Automatic Detection
Microsoft Internet Security and Acceleration (ISA) Server 2004 supports automatic detection for Web Proxy clients. You can enable such clients to automatically detect client proxy settings by means of a Web Proxy Automatic Discovery (WPAD) entry in Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP). In addition, or as an alternative, you can specify a static location at which clients can find a file containing client configuration settings. For more information, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site, and Automatic Discovery Concepts in ISA Server 2006 at the Microsoft TechNet Web site.
This troubleshooting guide describes common issues encountered when configuring and managing automatic discovery in ISA Server. It also details actions you can take to resolve these issues.
This document is divided into these sections:
- DHCP WPAD issues
- DNS issues
- Mobile client issues
- WPAD file issues
If you have a suggestion for a troubleshooting tip that should be added to this document, contact ISA Server Documentation Feedback at Microsoft.
This section describes issues you might encounter when configuring WPAD in DHCP.
A WPAD entry is configured in DHCP, but only users logged on as local administrators can successfully detect settings.
This is a known issue. In Microsoft Windows® 2000 Server, automatic discovery functionality using a WPAD entry in DHCP is only supported for users who are members of the Administrators or Power Users group. In Windows XP with Service Pack 2 (SP2), the Network Configuration Operators group also has permission to issue DHCP queries.
For hotfix details for computers running Windows 2000 Server, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions."
For Windows XP, the issue was fixed in Service Pack 2. For more information, see the Microsoft Knowledge Base article 811113, "List of fixes included in Windows XP Service Pack 2."
Web Proxy clients cannot detect automatic proxy settings.
This can occur if the scope on the DHCP server points to "Wpad.dat" instead of "wpad.dat." The ISA Server WPAD implementation is case sensitive.
Configure the DHCP entry as wpad.dat using lowercase letters.
Clients are experiencing delays of up to 10 seconds when making a request for a Web page, and using DHCP for automatic discovery. This is especially noticeable for Web requests from clients that are not configured as Firewall clients.
This is a problem in the Wininet.dll file.
For hotfix information, see the Microsoft Knowledge Base article 907455, "Internet Explorer may delay up to 10 seconds before it starts for the first time in Windows XP."
Clients cannot retrieve settings using WPAD. The DHCP option is configured correctly as wpad.dat, but when Microsoft Internet Explorer® gets the Wpad.dat file, it strips off the last character in the Get request, for example, wpad.da instead of wpad.dat.
This may occur when Internet Explorer is set up for automatic detection, and the WPAD entry is in DHCP. The Microsoft DHCP server adds a trailing NULL character (00) to the Option string, and in some cases Internet Explorer may expect this NULL character, and strip it out automatically. On third-party DHCP servers that do not add a NULL character, this behavior may result in the last character in the string being stripped. You can check this by running a Network Monitor capture. Start Internet Explorer and request a page. Wait until the page begins to load and stop the trace. Then view the trace by filtering the HTTP and DHCP protocols. Look for a DHCP ACK entry and a WPAD request in the trace. If a trailing NULL character is included, the length field will include it. Otherwise, it will not be included in the length field.
As a workaround, add a white or blank space after the string (by pressing the SPACEBAR), so that the string will include an extra character. The space will have no effect on the URL because Internet Explorer will ignore it, allowing a GET request for the WPAD location.
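The checks behind the two DHCP option problems above (the case-sensitive wpad.dat name and the trailing NULL character), as an added example that is not part of the original guide or Microsoft's code. It parses the options area of a DHCP ACK, reports the option 252 length field and NULL termination, and models a client that drops the final byte. The host name, port and sample packets are constructed, and the stripping model is an assumption based on the description above.

```javascript
// Added example. Walks the DHCP options area (the bytes after the magic cookie;
// each option is code, length, value; 0 is pad, 255 is end) and inspects option 252.
function findOption(options, wanted) {
  let i = 0;
  while (i < options.length && options[i] !== 255) {
    if (options[i] === 0) { i += 1; continue; }        // pad option has no length byte
    const len = options[i + 1];
    const start = i + 2;
    if (len === undefined || start + len > options.length) {
      throw new Error("truncated option " + options[i]);
    }
    if (options[i] === wanted) return options.subarray(start, start + len);
    i = start + len;
  }
  return null;
}

function checkWpadOption(options) {
  const raw = findOption(options, 252);
  if (raw === null) return { present: false };
  const text = Buffer.from(raw).toString("latin1");
  const url = text.replace(/[\0 ]+$/, "");             // URL the administrator intended
  // Model of the behaviour described above (an assumption): the client drops the
  // final byte of the value, expecting the NULL a Microsoft DHCP server appends.
  const requested = text.slice(0, -1).replace(/ +$/, "");
  return {
    present: true,
    length: raw.length,                                 // value of the option's length field
    nulTerminated: text.endsWith("\0"),
    survivesStrip: requested === url,                   // false: client asks for ".../wpad.da"
    requested,
    lowercaseName: url.split("/").pop() === "wpad.dat", // ISA Server matches case-sensitively
  };
}

// Constructed sample: option 53 (message type 5 = ACK), option 252, end marker.
function sampleAck(value) {
  const v = Buffer.from(value, "latin1");
  return Buffer.concat([Buffer.from([53, 1, 5, 252, v.length]), v, Buffer.from([255])]);
}

const url = "http://isa.example.test:8080/wpad.dat";    // placeholder host and port
for (const value of [url + "\0", url, url + " ", url.replace("wpad", "Wpad") + "\0"]) {
  console.log(JSON.stringify(value), checkWpadOption(sampleAck(value)));
}
```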
VPN Clients Cannot Retrieve Configuration Information When the DHCP Relay Agent Is Running on the ISA Server Computer
A WPAD entry in DHCP cannot be retrieved by virtual private network (VPN) clients.
This can occur when all the following conditions are true:
- The DHCP client and the DHCP server belong to different subnets.
- The DHCP relay agent is configured on a computer running Windows Server® 2003.
- ISA Server 2004 and the DHCP relay agent are installed on the same computer.
- VPN client support is not enabled in ISA Server.
This behavior occurs because ISA Server controls the Routing and Remote Access service, which is not started if VPN client access is not enabled.
To resolve this behavior, do any of the following:
- Use a DHCP relay agent on the default gateway for the subnet, or on a computer not running ISA Server. Then remove the DHCP relay agent from the computer running ISA Server.
- If you must run the DHCP relay agent and ISA Server on the same computer, enable the Enable VPN Client Access option in ISA Server Management to ensure that the Routing and Remote Access service is running. For more information, see the Microsoft Knowledge Base article 911072, "The DHCP clients may not obtain the configuration script when you use DHCP Option 252 to automatically configure Internet Explorer."
This section describes issues you might encounter when configuring WPAD in DNS.
Clients cannot retrieve automatic detection information from DNS.
ISA Server may not be listening for automatic discovery requests on the correct port. When using DNS, ISA Server must listen for WPAD requests on port 80.
To use DNS WPAD entries, check that automatic discovery is enabled for port 80 on the ISA Server computer. To verify this, in ISA Server Management, click the Networks node. Right-click the network on which you want to enable automatic discovery, and then click Properties. On the Auto Discovery tab, verify that Publish automatic discovery information is selected, and that port 80 is specified in Use this port for automatic discovery requests. Note that you cannot configure ISA Server to listen for Web proxy requests and automatic discovery requests on the same port.
By default, the automatic discovery mechanism checks for a WPAD entry in DHCP, and then DNS. How can it be configured to check only DNS?
There may be some circumstances in which you want to skip the DHCP check, for example, to improve response times.
You can configure Internet Explorer to use only DNS for automatic discovery. To do this, navigate to the following registry location:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Then add the following value:
- DWORD: AutoProxyDetectType. Set the value to 2 to force DNS only.
When ISA Server and Internet Information Services (IIS) are co-located, a port conflict may occur that prevents WPAD from working as required.
For WPAD entries in DNS, ISA Server must be configured to listen for automatic detection requests on port 80. However, an IIS Web site running on the ISA Server computer may be using the same port. The issue occurs even though Web sites can be restricted to a specific IP address and port, because the ISA Server automatic detection feature listens on its assigned port using all IP addresses assigned to the interface. This creates a conflict with Web sites using those IP address and port combinations.
There are two workarounds available, as follows:
- Use only DHCP for WPAD configuration. DHCP Option 252 can be configured for any port. Just ensure that the port specified in the option entry is the same as the port configured for automatic discovery in ISA Server Management. You can configure Internet Explorer to use only DNS for automatic discovery.
- There is an unsupported tool available that configures IIS to send client automatic detection requests to the ISA Server computer. This tool should only be run when ISA Server and IIS are co-located on the same computer. You configure an IIS Web site that contains the Wpad.dat and Wspad.dat files, and add a DNS entry to ensure that the location can be found. When implementing the tool, ensure that the DNS host record is created accurately, and that clients have the proper DNS configuration to use the new host record. Download the tool SBS_Wpad_2.zip from the ISA Server Tools Repository.
This section describes mobile client issues you might encounter.
Clients cannot contact the ISA Server computer that they should use as a proxy.
Check whether clients are configured to reference a specific ISA Server computer, or to reference an automatic configuration script at a specific location.
Set up a WPAD entry in DNS for automatic discovery, to ensure that clients obtain correct proxy settings when moving between different locations and networks. DNS entries enable automatic detection on computers with both LAN-based and dial-up connections. Note that DNS WPAD entries can only be used by client computers that belong to a domain, and clients must be configured to resolve DNS names. DNS WPAD entries must be configured for every domain containing clients enabled for automatic discovery.
This section describes WPAD file issues you might encounter.
A search on the ISA Server computer does not locate the Wpad.dat file.
The Wpad.dat file does not exist as a physical file on the ISA Server computer. It is created when ISA Server services start up, and is held in memory.
To view the contents of the Wpad.dat and Wspad.dat files on an ISA Server computer, connect to the ISA Server computer through a Web browser and obtain the files from the following URLs:
- https://computer_name:port/wpad.dat
- https://computer_name:port/wspad.dat
How can you configure a request for a specific protocol? For example, how do you specify that File Transfer Protocol (FTP) requests should go through a specific proxy, or not go through a proxy at all?
You cannot customize the ISA Server Wpad.dat and Wspad.dat files to define a per-protocol proxy configuration.
You can create a custom WPAD script to solve this issue, and then maintain it on a server running IIS. For more information, see Using Automatic Configuration, Automatic Proxy, and Automatic Detection at the Microsoft TechNet Web site.
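A custom script of the kind described above, with per-protocol routing, as an added example that is not ISA Server's generated Wpad.dat or Microsoft's code. The proxy names, ports and internal domain suffix are placeholders.

```javascript
// Added example: custom WPAD/PAC script with per-protocol proxy selection.
// Written in plain ES3-style JavaScript so older script engines can evaluate it.
// All host names, ports and the internal suffix below are placeholders.
var WEB_PROXY = "PROXY isa1.corp.example.test:8080";
var FTP_PROXY = "PROXY ftpgw.corp.example.test:2121"; // use "DIRECT" to bypass the proxy
var INTERNAL_SUFFIX = ".corp.example.test";

// Return the lowercased URL scheme ("http", "ftp", ...) or "" if none is found.
function schemeOf(url) {
  var i = url.indexOf(":");
  return i > 0 ? url.substring(0, i).toLowerCase() : "";
}

// Single-label names and hosts under the internal suffix are treated as local.
function isInternal(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;
  return host.substring(host.length - INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  switch (schemeOf(url)) {
    case "ftp":
      return FTP_PROXY;
    case "http":
    case "https":
      // No "; DIRECT" fallback: if the proxy is down, Web requests fail
      // instead of leaving the network unproxied.
      return WEB_PROXY;
    default:
      return "DIRECT";
  }
}
```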
The Wpad.dat file has been updated to point to a different ISA Server computer, but clients are still retrieving old settings.
Internet Explorer may cache the Wpad.dat file, and clients may retrieve old settings.
In Internet Explorer, clear the Automatically detect settings check box, and save the changes. Then restart Internet Explorer, select the Automatically detect settings check box, and restart Internet Explorer again. This forces a refresh of the Wpad.dat file. For more information, see the Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions." As a workaround, delete the following HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections registry key entries:
- DefaultConnectionSettings. This entry specifies the configuration of the default connection used by Internet Explorer.
- SavedLegacySettings. This entry is a copy of DefaultConnectionSettings, and specifies the configuration used by network connections other than the default connection.
When Internet Explorer is launched and gets the Wpad.dat file, it sets offset 59 of the DefaultConnectionSettings value to 05. This offset indicates whether Internet Explorer should send a DHCP Inform to get the Wpad.dat file. To force Internet Explorer to get the new URL to the Wpad.dat file, offset 59 should be set to 01. The Autoproxutil tool is used to do this. To run the Autoproxutil tool, execute the command:
- Autoproxutil /f:3
This command forces Internet Explorer to send a DHCP Inform the next time it is launched.
Other workarounds:
- Clear or select the Automatically detect settings option.
- Execute the Autoproxutil tool in a logon script.
- Delete the DefaultConnectionSettings and SavedLegacySettings registry keys.