WPAD Setup

Web Proxy Autodiscovery Protocol (WPAD)

Automatic Discovery for Firewall and Web Proxy Clients
However, be warned: there is a mistake in this Technet article, at least at the time I am writing this (March 2010).  About midway through, the article claims that ISA/TMG listens for automatic discovery requests on port 8080.  This is not correct: ISA/TMG listens for Web Proxy Client requests on port 8080 and for automatic discovery requests on port 80.  So the ISA/TMG defaults are already correct and do not need to be modified.
Keep in mind that the WPAD process does not automatically detect the proxy.  The WPAD process is how you automatically detect and retrieve the proxy detection script.  It is then the proxy detection script, after it is loaded and processed, that tells the browser how and when to use which proxy.  So the proxy autodetection process has two steps:
  1. Locate, load, and process the proxy detection script.
  2. Locate and use the proxy based on the contents of the proxy detection script.

The order of configuration I will use here is:

  1. Configure DNS for WPAD
  2. Configure DHCP for WPAD
  3. Configure the proxy to publish the proxy detection configuration script (the WPAD Script)
  4. Configure the Winsock LSP (Firewall Client) for proxy autodetection
  5. Configure the web browser for proxy autodetection

1. Configure DNS

Create the CNAME record for wpad in the DNS Zone and point the CNAME at the Host (A) Record for the proxy server.

2. Configuring DHCP

I usually add this into the Server Options because I am always using a single ISA/TMG for the whole LAN.  But you could add this to the Scope Options if you wanted each scope to give the clients a different proxy.

  1. Right-click on the Server Name in the DHCP MMC and choose Set Predefined Options and then click the Add Button.
  2. In the Name field enter WPAD
  3. In the Code Field enter 252
  4. In the Data Type select String from the drop-down list and click OK
  5. In the String box enter the entire URL for the WPAD script.  I always base it on the wpad DNS CNAME created beforehand.  Since I always use the default port of 80 I don’t include the port in the URL.  So in this example it would be http://wpad.contoso.loc/wpad.dat
  6. Now that DHCP Option 252 has been created in the Predefined Options, it can be used.  In the DHCP MMC right-click on Server Options, or the Scope Options if you want to do it scope-by-scope, and add Option 252 to your list of Options.

3. Configure ISA/TMG

Test the configuration script’s availability with a Client web browser by opening a browser to the URL that was used when creating the WPAD entry within DHCP’s Option 252.  Repeat the process using /wspad.dat.  In this example the URLs would be:


The browser should prompt you to either Save or Open. Choose Open and you should see the contents of the proxy script.  This script file does not physically exist; instead it sits live in RAM on the ISA/TMG, so you cannot simply go find the file and manually edit it.  These contents are dynamically modified whenever a change is made to the ISA/TMG, so it is much more flexible than a statically created and modified proxy script text file.
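The same test can be scripted. The following is an added example, not part of the original post and not ISA/TMG code: it checks that the Option 252 value points at the wpad CNAME on port 80 and that the script body only sends clients to approved proxies. The proxy name proxy.contoso.loc, the sample script and the allowlist are constructed assumptions, and the check assumes proxies appear in the script as literal `PROXY host:port` strings.

```python
import re
from urllib.parse import urlsplit

PAC_ENTRY = re.compile(r"\bPROXY\s+([A-Za-z0-9.-]+):(\d+)")

def audit_wpad(option_252, pac_body, expected_host, allowed_proxies):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Defensive: tolerate a trailing NUL or whitespace on the option string.
    url = urlsplit(option_252.rstrip("\x00 \r\n"))
    if url.scheme != "http":
        findings.append(f"unexpected scheme: {url.scheme!r}")
    if (url.hostname or "").lower() != expected_host.lower():
        findings.append(f"script host is {url.hostname!r}, expected {expected_host!r}")
    if (url.port or 80) != 80:
        findings.append(f"script served on port {url.port}, not 80")
    if url.path.lower() != "/wpad.dat":
        findings.append(f"unexpected script path: {url.path!r}")
    # Step 1 only delivers the script; step 2 depends on what it returns.
    if not re.search(r"function\s+FindProxyForURL\s*\(", pac_body):
        findings.append("body does not define FindProxyForURL")
    for host, port in PAC_ENTRY.findall(pac_body):
        if (host.lower(), int(port)) not in allowed_proxies:
            findings.append(f"script points clients at unapproved proxy {host}:{port}")
    return findings

# Constructed sample data (hypothetical proxy name, simplified script body).
SAMPLE_OPTION_252 = "http://wpad.contoso.loc/wpad.dat\x00"
SAMPLE_PAC = '''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY proxy.contoso.loc:8080; DIRECT";
}
'''
TAMPERED_PAC = SAMPLE_PAC.replace("proxy.contoso.loc:8080", "10.9.9.9:3128")
ALLOWED = {("proxy.contoso.loc", 8080)}

if __name__ == "__main__":
    for name, body in (("expected", SAMPLE_PAC), ("tampered", TAMPERED_PAC)):
        print(name, audit_wpad(SAMPLE_OPTION_252, body, "wpad.contoso.loc", ALLOWED))
```

For a live check, pass in the body retrieved from the Option 252 URL (for example with `urllib.request.urlopen`) in place of the constructed sample.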

4. Configure Web Browser

Configure for auto detection in browser connection settings

5. Configure Winsock LSP Client

Configure and test auto detection in the settings of the Winsock LSP Client

