I've setup wpad to be delivered via DNS to test and this works fine for firefox and and internet explorer via a wired connection however it only seems to work for firefox via wireless which i'm slightly baffled by. The wireless WLAN i'm testing with has no ACL configured, no Enable captive portal/Web authentication or Client Isolation so i cant workout whats teh cause. The ZoneDirector auto config i still cant get to work for firefox or IE though.
Isn't DHCP the preferred choice these days? I believe most things support this. The DNS method was not preferred as someone could easily bring their own machine named WPAD into a domain and cause some interesting problems with your network!!!
The DNS method is more widely supported across browsers apparently. You would have to have a machine joined to the domain called wpad, have removed the DNS exclusion for wpad and not have an existing record wpad in DNS for that exploit to work surely?
Web Proxy Autodiscovery Protocol - Wikipedia, the free encyclopedia
You are correct on that DHCP only really supported by IE and Chrome! Looks like the DNS method is still insecure though.
DNS lookup removes the first part of the domain name (presumably the client identifier) and replaces it with wpad. Then, it "moves up" in the hierarchy by removing more parts of the domain name, until it finds a WPAD PAC file or leaves the current organisation.
Well i've ascertained that there is nothing up with either of my two wpad.dat files anyway so the problem looks to be with the ruckus delivery to the clients.
i know this isnt useful but i used a transparent proxy between the clients and the NGFL proxy wich works nicely. uthenticated users use one vlan (Enterprise security) and unathenticated (WPA-PSK) is vlaned to the transparent proxy wich ports them directly to NGFL so they cant see our internal anything, and get fully filterd. As unauthenticated users they will need to get information from dhcp as they need corect ip addresses to function so not allowing them access to some form of dhcp is a desatrous idea.
If I'm wrong then I apologies.
I havent had a chance to try this yet, will be trying tomorrow when I am on site.
I have a feeling some people will have Android devices, I know some have Blackberrys. How would I go about setting up a transparent proxy?
There are currently 1 users browsing this thread. (0 members and 1 guests)