Planning automatic Web proxy detection

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Internal computers in networks protected by Forefront TMG can automatically detect the location of the Forefront TMG server they should use as a Web proxy.

This topic is designed to help you plan for automatic Web proxy detection. It provides information on the following:

  • Detection methods

  • Considerations for selecting detection methods

  • Considerations for hosting the configuration file

  • Considerations for implementing detection with DHCP and DNS

Detection methods

Forefront TMG supports several automatic detection methods:

  • Client computers running Forefront TMG Client can connect to Active Directory Domain Services (AD DS) to retrieve the Web proxy settings. This is the recommended detection method.

  • Client computers running earlier versions of Firewall client, or a Web proxy client, can access the Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) server to retrieve the Web proxy settings. This method can also be used in deployments where AD is not updated with the automatic detection information. The settings are held in a configuration file, typically on the Forefront TMG server; for more information, see Considerations for hosting the configuration file.

    Note

    For security reasons, DHCP or DNS are not used as backup in deployments where AD DS was configured with Web proxy information. In these deployments, if the location of the configuration file can’t be obtained from AD DS (for example, if an unexpected error occurs during the AD DS query), access will fail.

  • Automatic configuration script—Client computers connect to the location specified in the script to retrieve the Web proxy settings. This method can be used as a fallback when the retrieval of Web proxy settings from AD DS, or from DHCP or DNS fails.
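The configuration file that the script method and the DHCP/DNS methods point at is a proxy auto-configuration (PAC) script, conventionally published as wpad.dat. The following is an added example of such a script; it is not a file from Forefront TMG or from this topic. The proxy host name tmg.corp.example, the port 8080 and the internal domain suffix .corp.example are assumptions. The helper functions at the top are shims for the helpers a browser's PAC runtime supplies itself, included only so the script can be exercised under Node:

```javascript
// Assumed Forefront TMG Web proxy listener (host name and port are not from the topic).
const TMG_PROXY = "PROXY tmg.corp.example:8080";

// ---- Shims for the standard PAC helpers (a browser provides these itself) ----
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length > domain.length && host.endsWith(domain);
}

function shExpMatch(str, pattern) {
  // Shell-style wildcard match: * and ? are wildcards, everything else is literal.
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(host, net, mask) {
  // A real PAC runtime resolves `host` via DNS; this shim accepts only
  // dotted-quad literals so that it runs offline.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return (ipToInt(host) & m) === (ipToInt(net) & m);
}

// ---- The auto-configuration script itself ----
function FindProxyForURL(url, host) {
  // Single-label names and intranet names bypass the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      shExpMatch(host, "*.local")) {
    return "DIRECT";
  }

  // Private (RFC 1918) destinations stay inside the network.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // All other traffic goes through Forefront TMG. No trailing "; DIRECT":
  // a proxy outage should fail closed rather than bypass Web filtering.
  return TMG_PROXY;
}
```

The design choice worth noting is the last return value: listing "DIRECT" after the proxy entry is common, but it turns any proxy outage into an unfiltered direct connection, so the script above returns only the proxy.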

Considerations for selecting detection methods

You should consider the following when selecting which detection method (or methods) to use:

  • The use of automatic detection from DHCP or DNS is recommended for client computers that move between networks, such as mobile devices.

  • The following limitations apply to the implementation of automatic detection with AD DS:

    • Supported only on Forefront TMG Clients; not supported on earlier versions of Firewall client, on Web proxy clients, or on SecureNAT clients.

    • Not supported in Forefront TMG workgroup deployments.

  • For client computers running Forefront TMG Client or earlier versions of Firewall client, you can apply the selected method (or methods) via the Forefront TMG Management console. Settings are applied as follows:

    • Each time the Forefront TMG Client or Firewall client is restarted.

    • Each time a user clicks Detect Now or Test Server on the Settings tab in the Forefront TMG Client dialog box.

    • Every six hours.

  • For client computers that are running both a Web proxy client and the Forefront TMG Client, or earlier versions of the Firewall client, you can apply the selected method (or methods) to the Web proxy client, via the Forefront TMG Client or Firewall client.

  • For client computers running Web proxy without running the Forefront TMG Client, or earlier versions of Firewall client, and for SecureNAT clients, you might need to apply the selected method (or methods) yourself, as follows:

    • If you select to use DHCP or DNS, Internet Explorer browsers are configured by default to automatically detect settings, and no further client-side configuration is required. For other browsers, consult the relevant product documentation.

    • If you select to use the automatic configuration script, you must apply the configuration to all the client computers.

    You can use Group Policy to apply configuration settings across client computers.

Considerations for hosting the configuration file

When you implement automatic detection with DHCP or DNS, Web proxy settings are held in a configuration file. You can host the configuration file on Forefront TMG, or on an alternative Web server, such as a computer running Internet Information Services (IIS). When planning the placement of the configuration file, consider the following:

  • The main advantage of hosting the file on Forefront TMG is that the file is automatically updated when Web proxy settings are modified in the Forefront TMG Management console, and there is no need to update it manually. Putting the file on a different server requires the file content to be updated manually.

  • Hosting the configuration files on a computer running IIS can provide some failover capabilities. You can configure multiple Web servers in IIS and put different configuration files in each Web server. The active Web server will be the server that contains the Web proxy settings for the currently active Forefront TMG computer.

  • If you are not hosting the file on Forefront TMG, you do not need to publish automatic discovery information, because Forefront TMG does not need to listen for automatic discovery requests. This may be an advantage when IIS is co-located on the Forefront TMG computer, and port conflicts could occur.

Considerations for implementing detection with DHCP and DNS

When implementing automatic detection with DHCP, DNS, or both, consider the following:

  • In both DHCP and DNS implementations, the configuration file must be published on port 80.

  • Entries in DNS can only be used by client computers that are configured to resolve DNS names.

  • When implementing detection with DNS, entries must be configured for every domain that contains client computers that are enabled for automatic discovery.

  • To implement DHCP, a valid DHCP server must be installed on the same network as the client computers.

  • DHCP is limited to specific user groups on some client computer operating systems. For more information, see the article Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions (https://go.microsoft.com/fwlink/?LinkID=69274).

  • If you configure or remove automatic detection after you deploy the DNS server role on a server running Windows Server 2008, you must update the global query block list on all the DNS servers that host the zones affected by the change. The affected zones are those in which you registered the servers.

  • Generally, using DHCP servers with automatic detection works best for local area network (LAN)-based clients, whereas DNS servers enable the automatic detection on computers with both LAN-based and dial-up connections. Although DNS servers can handle network and dial-up connections, DHCP servers provide faster access to LAN users and greater flexibility. If you configure both DHCP and DNS, clients will attempt to query DHCP for automatic discovery information first and then query DNS.
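To make the precedence described in this section and in the Note under Detection methods explicit, the following is an added model of the detection order; it is not Forefront TMG or Windows client code. It encodes the rules stated in this topic: AD DS is the only source for Forefront TMG Client computers where AD DS is configured (no DHCP or DNS fallback, even on error), DHCP is queried before DNS, DNS is consulted only by clients that resolve DNS names and only for a wpad entry in the client's own domain, a configuration file URL not served on port 80 is rejected, and an automatic configuration script configured on the client is the last resort. DHCP option 252 is the conventional option that carries the WPAD URL; the record shapes, network names, host names and URLs are constructed inputs:

```javascript
// Added model of the Web proxy detection order described in this topic.
// Not Forefront TMG or Windows client code; all inputs below are constructed.

const WPAD_DHCP_OPTION = 252; // conventional DHCP option carrying the WPAD URL

// DHCP- and DNS-based detection require the configuration file on port 80.
function isPort80HttpUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" && (u.port === "" || u.port === "80");
  } catch (e) {
    return false;
  }
}

// client: { tmgClient, network, domain, resolvesDns, scriptUrl }
// env:    { adDs: { url } | { error } | undefined, dhcp: { network: { 252: url } }, dns: { name: address } }
function detectProxyConfig(client, env) {
  // 1. Forefront TMG Client with AD DS configured: AD DS is the only source.
  //    A failed AD DS query does not fall back to DHCP or DNS.
  if (client.tmgClient && env.adDs) {
    if (env.adDs.error) {
      return { source: "ad-ds", url: null, error: "AD DS query failed; no DHCP/DNS fallback" };
    }
    return { source: "ad-ds", url: env.adDs.url };
  }

  // 2. DHCP: option 252 from the DHCP server on the client's own network.
  const lease = env.dhcp[client.network];
  const dhcpUrl = lease && lease[WPAD_DHCP_OPTION];
  if (dhcpUrl && isPort80HttpUrl(dhcpUrl)) {
    return { source: "dhcp", url: dhcpUrl };
  }

  // 3. DNS: a wpad entry must exist in the domain the client belongs to.
  if (client.resolvesDns) {
    const wpadName = "wpad." + client.domain;
    if (env.dns[wpadName]) {
      return { source: "dns", url: "http://" + wpadName + "/wpad.dat" };
    }
  }

  // 4. Fallback: automatic configuration script configured on the client.
  if (client.scriptUrl) {
    return { source: "script", url: client.scriptUrl };
  }
  return { source: null, url: null, error: "no detection method succeeded" };
}

// Constructed environment: lan-a publishes a valid option 252, lan-b publishes
// a URL on a non-80 port (rejected), and DNS has a wpad record for corp.example only.
const sampleEnv = {
  adDs: { url: "http://tmg.corp.example/wpad.dat" },
  dhcp: {
    "lan-a": { 252: "http://tmg.corp.example/wpad.dat" },
    "lan-b": { 252: "http://tmg.corp.example:8080/wpad.dat" },
  },
  dns: { "wpad.corp.example": "10.0.0.5" },
};

// Runs the model against a few constructed clients; returns the source chosen for each.
function runSample() {
  const clients = {
    tmgClientOnLan: { tmgClient: true, network: "lan-a", domain: "corp.example", resolvesDns: true },
    webProxyLanA: { tmgClient: false, network: "lan-a", domain: "corp.example", resolvesDns: true },
    webProxyLanB: { tmgClient: false, network: "lan-b", domain: "corp.example", resolvesDns: true },
    roamingNoDns: { tmgClient: false, network: "hotel", domain: "corp.example", resolvesDns: false,
                    scriptUrl: "http://script.corp.example/proxy.pac" },
    otherDomainClient: { tmgClient: false, network: "lan-b", domain: "branch.example", resolvesDns: true },
  };
  const out = {};
  for (const name of Object.keys(clients)) {
    out[name] = detectProxyConfig(clients[name], sampleEnv).source;
  }
  return out;
}

console.log(runSample());
```

The otherDomainClient case shows why entries are needed for every domain that contains clients: its network's DHCP URL is rejected for not being on port 80, there is no wpad entry for branch.example, and with no script configured detection simply fails.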

Concepts

About firewall client computers
Installation design guide for Forefront TMG