I've set up wpad to be delivered via DNS to test, and this works fine for Firefox and Internet Explorer via a wired connection; however, it only seems to work for Firefox via wireless, which I'm slightly baffled by. The wireless WLAN I'm testing with has no ACL configured, no Enable Captive Portal/Web Authentication or Client Isolation, so I can't work out what the cause is. The ZoneDirector auto config I still can't get to work for Firefox or IE though.
Isn't DHCP the preferred choice these days? I believe most things support this. The DNS method was not preferred, as someone could easily bring their own machine named WPAD into a domain and cause some interesting problems with your network!!!
The DNS method is more widely supported across browsers, apparently. You would have to have a machine joined to the domain called wpad, have removed the DNS exclusion for wpad, and not have an existing record for wpad in DNS for that exploit to work, surely?
Web Proxy Autodiscovery Protocol - Wikipedia, the free encyclopedia
You are correct on that: DHCP is only really supported by IE and Chrome! Looks like the DNS method is still insecure though.
DNS lookup removes the first part of the domain name (presumably the client identifier) and replaces it with wpad. Then, it "moves up" in the hierarchy by removing more parts of the domain name, until it finds a WPAD PAC file or leaves the current organisation.
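To make the walk described above concrete, here is an added example (not from this thread or from any WPAD client's source) that enumerates the `wpad.*` names a client would query for a given FQDN. It assumes an explicit organisation boundary (`org_domain`), and contrasts that with a naive walk that stops only at the second-to-last label, so a defender can see which names fall outside the organisation and would need to be registered or blocked.

```python
"""Enumerate WPAD DNS discovery candidates for a client FQDN (added example)."""


def wpad_candidates(client_fqdn: str, org_domain: str) -> list[str]:
    """Hostnames a WPAD client queries, bounded by the organisation's domain.

    Drops the leftmost label (the client's own name), prepends 'wpad', then
    removes one label at a time until the name would leave `org_domain`.
    `org_domain` is an assumed, explicit boundary; real clients use their own
    heuristics, which is exactly where the DNS method gets risky.
    """
    labels = client_fqdn.lower().rstrip(".").split(".")
    org_labels = org_domain.lower().rstrip(".").split(".")
    candidates: list[str] = []
    parent = labels[1:]  # strip the host label
    while len(parent) >= len(org_labels):
        if parent[-len(org_labels):] != org_labels:
            break  # stepped outside the organisation's namespace
        candidates.append(".".join(["wpad"] + parent))
        parent = parent[1:]
    return candidates


def naive_wpad_walk(client_fqdn: str) -> list[str]:
    """Same walk with no organisation boundary: stops when two labels remain.

    Models a client that only knows 'don't query the bare TLD'; for domains
    under a multi-label public suffix (e.g. .co.uk) this queries a name the
    organisation does not control.
    """
    parent = client_fqdn.lower().rstrip(".").split(".")[1:]
    names: list[str] = []
    while len(parent) >= 2:
        names.append(".".join(["wpad"] + parent))
        parent = parent[1:]
    return names


def names_outside_org(client_fqdn: str, org_domain: str) -> set[str]:
    """Candidate names a naive client would query that the org does not own."""
    return set(naive_wpad_walk(client_fqdn)) - set(wpad_candidates(client_fqdn, org_domain))


if __name__ == "__main__":
    # Constructed sample client name; example.co.uk is a placeholder domain.
    fqdn = "pc1.sales.example.co.uk"
    print("bounded walk:", wpad_candidates(fqdn, "example.co.uk"))
    print("naive walk:  ", naive_wpad_walk(fqdn))
    print("outside org: ", names_outside_org(fqdn, "example.co.uk"))
```

Registering (or block-listing, as the Windows DNS `wpad` global query block mentioned above does) every name the bounded walk returns, and confirming the "outside org" set is empty for your suffix, is the check a defender wants before relying on DNS-based WPAD.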
Well, I've ascertained that there is nothing up with either of my two wpad.dat files anyway, so the problem looks to be with the Ruckus delivery to the clients.
I know this isn't useful, but I used a transparent proxy between the clients and the NGFL proxy, which works nicely. Authenticated users use one VLAN (Enterprise security) and unauthenticated (WPA-PSK) users are VLANed to the transparent proxy, which ports them directly to NGFL so they can't see our internal anything, and get fully filtered. As unauthenticated users they will need to get information from DHCP, as they need correct IP addresses to function, so not allowing them access to some form of DHCP is a disastrous idea.
From my experience only iPhones/iPads can pick up WPAD settings and apply them. If you are using an Android (unless rooted) or BlackBerry you cannot set a proxy on them and your WPAD will be ignored. I ended up setting up a transparent proxy to allow basic access for smartphones.
If I'm wrong then I apologise.
I haven't had a chance to try this yet; I will be trying tomorrow when I am on site.
I have a feeling some people will have Android devices, and I know some have BlackBerrys. How would I go about setting up a transparent proxy?