5th June 2013, 10:28 AM #1
Squid, negotiate and WPAD.dat
I am currently in the process of setting up a squid server to replace our TMG server.
I have got Squid up and running, on Windows Server 2008 R2 (this is done to try and keep as much of a 'standard' platform in school as possible for future years).
I have it working with negotiate - if I put the proxy in the manual proxy details boxes. It logs my username against my web browsing as it should. However, if I enter the details in our WPAD.dat file (replacing the IP of the existing TMG server), I get prompted to log in!
Any idea why it'd be prompting me there but not when it's defined manually?
5th June 2013, 03:25 PM #2
Can you see the request for the WPAD file in the access log? IE does some goofy things with caching the WPAD script and I don't believe IE sends credentials with WPAD gets. I would try two things: first, disable caching of WPAD through GPO, and second, edit the WPAD file to instruct the browser to connect to whatever web server is hosting the WPAD file directly.
User Configuration>Administrative Templates>Windows>Components>Internet Explorer: Disable caching of Auto-proxy scripts
if (shExpMatch(url, "http://webhost/wpad.dat")) return "DIRECT";
5th June 2013, 03:44 PM #3
How would the request be in the access log? The access log would only log requests for things after the wpad had been downloaded - as the browser doesn't know anything about the proxy until it gets it (directly)?
5th June 2013, 03:59 PM #4
Does accessing the wpad.dat require authentication?
5th June 2013, 04:00 PM #5
Nope. It's hosted on our ruckus controller.
5th June 2013, 04:06 PM #6
I was thinking about consecutive requests for the WPAD script once it has already been cached by IE. I actually had an issue where I forgot to add the web server hosting the WPAD file to exceptions and had this happen. So I was curious if it was subsequent gets for WPAD triggering a request for credentials or whatever the start-up page your browser is set to.
The only other thing I could think of is if you're using the Kerberos helper in Squid then the proxy has to be called out by its FQDN instead of by IP. It will continually prompt for credentials if this were the case.
5th June 2013, 04:10 PM #7
Ah! That sounds like it could very well be the issue. I use the IP in the WPAD file, but the name when entering it manually. I shall test and see.
5th June 2013, 08:50 PM #8
I know where you're coming from there, it's a tricky decision to make, especially if you use DPM for backups
6th June 2013, 08:12 AM #9
Kerberos *definitely* needs the proxy accessed by FQDN, and if I am not mistaken you need to access the WPAD file by FQDN too.
6th June 2013, 08:23 AM #10
WPAD seems happily to be accessed by IP - the device it's hosted on doesn't have a FQDN as it's a wireless controller. I'll be experimenting today, once I figure out why our DNS servers have suddenly decided 'nah, not gonna replicate'...
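
The advice in posts #2, #6 and #9, as an added example that is not part of the original thread: a PAC function that fetches the WPAD file directly and names the proxy by FQDN, plus a check that flags any proxy entry given as an IP literal. The proxy hostname, port and sample URLs are constructed placeholders, and `shExpMatch` is shimmed here so the file runs under Node as well as in a browser's PAC engine.

```javascript
// Added example, not from the thread. Hostnames and ports are constructed.
const WPAD_URL = "http://webhost/wpad.dat";        // URL used in post #2
const PROXY_FQDN = "squid.school.example:3128";    // assumed proxy FQDN and port

// Stand-in for the browser's built-in PAC helper (shell-style * and ? globs).
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Build a FindProxyForURL that hands out the given proxy string.
function makePac(proxy) {
  return function FindProxyForURL(url, host) {
    // Fetch the PAC file itself directly, never through the proxy.
    if (shExpMatch(url, WPAD_URL)) return "DIRECT";
    return "PROXY " + proxy;
  };
}

// Run a PAC function over sample URLs and report every proxy entry that is
// an IPv4 or bracketed IPv6 literal. Per posts #6 and #9, the Kerberos
// helper needs the proxy referenced by FQDN, so these entries are the ones
// expected to cause credential prompts.
function auditPac(findProxy, urls) {
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    for (const entry of findProxy(url, host).split(";")) {
      const m = entry.trim().match(/^(?:PROXY|HTTPS)\s+(\S+)$/i);
      if (!m) continue;                            // DIRECT, SOCKS or empty
      const target = m[1];
      const isIp = /^\d{1,3}(\.\d{1,3}){3}(:\d+)?$/.test(target) ||
                   target.startsWith("[");
      if (isIp) findings.push({ url, proxy: target });
    }
  }
  return findings;
}

const SAMPLE_URLS = [WPAD_URL, "http://www.example.org/"];   // constructed
console.log(auditPac(makePac("192.0.2.10:3128"), SAMPLE_URLS)); // IP form
console.log(auditPac(makePac(PROXY_FQDN), SAMPLE_URLS));        // FQDN form
```

Only `makePac` and the constants belong in the deployed wpad.dat; `auditPac` is a pre-deployment check to run against the file before it replaces the existing one.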