We've already got wpad working on our domain, but I like the thought of it being on the controller, and a different file for each wlan.
I've set up wpad to be delivered via DNS to test and this works fine for Firefox and Internet Explorer via a wired connection; however it only seems to work for Firefox via wireless, which I'm slightly baffled by. The wireless WLAN I'm testing with has no ACL configured, no Enable captive portal/Web authentication or Client Isolation, so I can't work out what the cause is. The ZoneDirector auto config I still can't get to work for Firefox or IE though.
Isn't DHCP the preferred choice these days? I believe most things support this. The DNS method was not preferred as someone could easily bring their own machine named WPAD into a domain and cause some interesting problems with your network!!!
The DNS method is more widely supported across browsers apparently. You would have to have a machine joined to the domain called wpad, have removed the DNS exclusion for wpad and not have an existing record wpad in DNS for that exploit to work surely?
Web Proxy Autodiscovery Protocol - Wikipedia, the free encyclopedia
You are correct on that, DHCP is only really supported by IE and Chrome! Looks like the DNS method is still insecure though.
DNS lookup removes the first part of the domain name (presumably the client identifier) and replaces it with wpad. Then, it "moves up" in the hierarchy by removing more parts of the domain name, until it finds a WPAD PAC file or leaves the current organisation.
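Added example, not from the thread or from Ruckus: a Python model of the DNS search quoted above, run against a constructed zone so an admin can see which wpad names in the search order are left undefined; the domain names and records are assumptions.

```python
# Added example: model the DNS-based WPAD search (strip the host label,
# prepend "wpad", then move up the hierarchy until the organisation's domain
# is left) and audit the resulting names against a constructed zone.

def wpad_candidates(client_fqdn, org_domain):
    """Return the wpad.* names a client would try, most specific first.

    The search stops before leaving org_domain, matching the quoted behaviour.
    """
    labels = client_fqdn.lower().strip(".").split(".")
    org = org_domain.lower().strip(".").split(".")
    parts = labels[1:]          # drop the host label itself
    names = []
    while len(parts) >= len(org) and parts[-len(org):] == org:
        names.append("wpad." + ".".join(parts))
        parts = parts[1:]       # move one level up the hierarchy
    return names


def audit_wpad_names(client_fqdn, org_domain, zone_records):
    """Classify each candidate as 'defined' (has a record) or 'unclaimed'.

    An unclaimed name earlier in the search order than the intended record is
    the gap discussed in the thread: whoever registers it is found first, so
    every candidate should be defined (or blocked) by the admins.
    zone_records maps lowercase FQDN -> record target.
    """
    report = {}
    for name in wpad_candidates(client_fqdn, org_domain):
        report[name] = "defined" if name in zone_records else "unclaimed"
    return report


def first_hit(client_fqdn, org_domain, zone_records):
    """Return the first candidate that resolves, i.e. the PAC host a client uses."""
    for name in wpad_candidates(client_fqdn, org_domain):
        if name in zone_records:
            return name
    return None


# Constructed zone (assumption): only the top-level wpad record exists.
ZONE = {"wpad.example.ac.uk": "zd-proxy.example.ac.uk"}

if __name__ == "__main__":
    client = "laptop01.wifi.example.ac.uk"
    for name, status in audit_wpad_names(client, "example.ac.uk", ZONE).items():
        print(f"{name}: {status}")
    print("client would use:", first_hit(client, "example.ac.uk", ZONE))
```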
Well, I've ascertained that there is nothing up with either of my two wpad.dat files anyway, so the problem looks to be with the Ruckus delivery to the clients.
I know this isn't useful, but I used a transparent proxy between the clients and the NGFL proxy, which works nicely. Authenticated users use one VLAN (Enterprise security) and unauthenticated (WPA-PSK) users are VLANed to the transparent proxy, which ports them directly to NGFL so they can't see our internal anything, and get fully filtered. As unauthenticated users they will need to get information from DHCP as they need correct IP addresses to function, so not allowing them access to some form of DHCP is a disastrous idea.
If I'm wrong then I apologise.
I haven't had a chance to try this yet; will be trying tomorrow when I am on site.
I have a feeling some people will have Android devices, and I know some have BlackBerrys. How would I go about setting up a transparent proxy?
Hi, if it helps I have the same setup @PatRamsden
I am using the latest 188.8.131.52 build 15. I have hosted the wpad.dat file on the ZoneDirector,
created a DHCP entry for 252 and in the string value I entered the ZoneDirector IP and dat file, i.e. "http://x.x.x.x/wpad.dat",
then unblocked wpad from DNS and created a CNAME entry for the server hosting this wpad with WPAD and the server IP address.
I have just tried this and it works fine on Windows laptops!
Just having trouble with Android now; somehow I need them to authenticate with the ZoneDirector so they can get the wpad file.