Answer
What is WPAD and how does it work?
- Extensive WPAD troubleshooting techniques can be found at: http://technet.microsoft.com/en-us/library/cc302643.aspx
- If using Microsoft Server 2008 or newer, WPAD is automatically on the DNS block list. To remove WPAD from the DNS block list, refer to: https://technet.microsoft.com/en-gb/library/cc995158.aspx
Additional notes and techniques which can assist in further troubleshooting WPAD related problems:
- Test if a client is going through the GFI WebMonitor Proxy by connecting to http://www.lagado.com/proxy-test from a client machine
- When configuring proxy settings, there is an option to use "Automatically Detect Settings" or "Use a proxy server for your LAN" (IP and port). If the latter setting is used and the computer is a laptop that goes home with the user, the user will have problems getting to the internet, because the computer will keep sending HTTP traffic to the IP address and port specified. In these cases it is better to use "Automatically Detect Settings", which should discover the proxy server when on the local network; on a different network it will not detect the proxy server and will use the default gateway instead
- Note: Do not use BOTH Automatically Detect AND "Use a proxy server for this LAN" - The browser will try WPAD first and when that fails, it will use the "Use proxy server" setting and will not be able to get out to the internet when a user is outside of the local network
- When a web browser has its proxy setting set to "Automatically Detect Settings", the WPAD protocol is used to find a web server that will serve up a configuration script called wpad.dat
- Each web browser can do this differently. All web browsers try to connect to http://wpad/wpad.dat
- Note: In order to connect to http://wpad/wpad.dat, the machine must first find a host on the network called "WPAD" and resolve its IP address. Once it finds the IP address of the host named "WPAD", it uses HTTP to request the document called wpad.dat
- The difficulty comes when trying to find a host called WPAD. Internet Explorer will use the following order to determine the host:
- DHCP request (DHCP Option 252)
- DNS query
- NetBIOS
- The GFI WebMonitor server broadcasts that it is the WPAD host using NetBIOS. However, many organizations block NetBIOS broadcasts across routers, so if the client machine is on the other side of one of these routers it may not be able to resolve the host (unless it can use the other options)
- Many browsers (such as Firefox) only support NetBIOS and DNS. All browsers support DNS, however, so adding a DNS alias record is preferred
- To troubleshoot the ability of a client machine (in a subnet on your network) to resolve the WPAD script use these steps:
- Open the IE browser (uncheck all proxy settings so that the browser does not cache the script)
- Test to see if GFI WebMonitor is serving the wpad.dat script by typing into the browser: http://WebMon_IP_Address/wpad.dat (Note: Substitute WebMon_IP_Address with the actual IP address of the GFI WebMonitor server)
- If Step 2 above is successful, test to see if the browser can find the WPAD server by typing into the browser: http://wpad/wpad.dat
- If this is successful, WPAD will work for the computer this browser is on. Alternatively, from the command line you can use the "ping WPAD" command to see if it resolves the IP address
- If http://wpad/wpad.dat does not return a script, you know that the client machine cannot resolve the IP of the WPAD host
- Type into the browser: http://<WebMonHostName>/wpad.dat to ensure that DNS can resolve the GFI WebMonitor server (Note: Substitute WebMonHostName with the name of the GFI WebMonitor server).
- If http://<WebMonHostName>/wpad.dat works, but http://wpad/wpad.dat still does not, then the client cannot resolve the WPAD hostname's IP address. In this case there are 3 options:
- Add DNS Records for the WPAD Server. This will be an A record for the GFI WebMonitor server and an alias (CNAME) record for WPAD. Here is how to do this: http://technet.microsoft.com/en-us/library/cc995062.aspx
- Note: This option is preferred since some browsers (Firefox) do not support resolution by DHCP
- Add a DHCP 252 Option: http://technet.microsoft.com/en-us/library/cc940962(WS.10).aspx
- If all else fails, you can add an entry in the Windows\System32\Drivers\Etc\hosts file
- If Step 2 above is successful, test to see if the browser can find the WPAD server by typing into the browser: http://wpad/wpad.dat
- Note: If http://WebMon_IP_Address/wpad.dat resolves from the client machine, another option is to set the browser proxy settings for that machine to "Use automatic configuration script" with the address http://WebMon_IP_Address/wpad.dat (Note: Substitute WebMon_IP_Address with the actual IP address of the GFI WebMonitor server) instead of using "Automatically detect settings"
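The troubleshooting sequence above, scripted as an added example (not GFI code): it fetches wpad.dat by IP, resolves the name wpad, and maps each failure to the fix the article names. The address 192.0.2.10, the host name webmon, the verdict strings, and the check that wpad resolves to the same single IP as the GFI WebMonitor server are assumptions made for illustration.

```python
import http.client
import socket
import urllib.request

# Constructed sample of a wpad.dat body (8080 = default GFI WebMonitor proxy port).
SAMPLE_PAC = 'function FindProxyForURL(url, host) { return "PROXY 192.0.2.10:8080"; }'

def default_resolve(name):
    """IPv4 address for name via the OS resolver, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def default_fetch(url):
    """Body of url fetched directly (proxy settings ignored), or None on failure."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError, http.client.HTTPException):
        return None

def is_pac(body):
    """A usable wpad.dat must define the FindProxyForURL entry point."""
    return body is not None and "FindProxyForURL" in body

def diagnose(webmon_ip, webmon_host, resolve=default_resolve, fetch=default_fetch):
    """Run the article's checks in order; return (verdict, next_action)."""
    if not is_pac(fetch(f"http://{webmon_ip}/wpad.dat")):
        return ("not_served", "check port 80: IIS conflict or Windows Firewall")
    wpad_ip = resolve("wpad")
    if wpad_ip is None:
        if is_pac(fetch(f"http://{webmon_host}/wpad.dat")):
            return ("wpad_unresolved", "add WPAD CNAME, DHCP option 252, or hosts entry")
        return ("dns_broken", "client cannot resolve the WebMonitor host name either")
    if wpad_ip != webmon_ip:
        # Assumption: a different host answering for "wpad" is worth investigating.
        return ("wpad_wrong_host", f"wpad resolves to {wpad_ip}, not {webmon_ip}")
    if not is_pac(fetch("http://wpad/wpad.dat")):
        return ("wpad_fetch_failed", "name resolves but http://wpad/wpad.dat is not a script")
    return ("ok", "automatic detection will work on this client")

if __name__ == "__main__":
    # Constructed demo: the server name resolves but "wpad" does not.
    pages = {"http://192.0.2.10/wpad.dat": SAMPLE_PAC, "http://webmon/wpad.dat": SAMPLE_PAC}
    print(diagnose("192.0.2.10", "webmon", {}.get, pages.get))
```

Called without the last two arguments, diagnose() uses the operating system's resolver and a direct HTTP fetch instead of the constructed lookups.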
Notes:
- GFI WebMonitor uses port 80 to serve up the wpad.dat script to the browser. If IIS is running and uses port 80 for the default (or other) websites, GFI WebMonitor will not be able to use the port. Disable IIS or change the ports in use for the web site(s)
- GFI WebMonitor takes the script (located in the GFI WebMonitor install directory, Proxypac.pac file) and serves it as wpad.dat
- The port GFI WebMonitor uses to publish WPAD cannot be edited
- If Windows Firewall is enabled, add an exception for port 80 (additionally, add 8080 as a firewall exception, since 8080 is the default proxy port for GFI WebMonitor)
Additional Notes:
- How to exclude websites from passing through the GFI WebMonitor proxy
- Internet Explorer caches the proxy in its Automatic Proxy Result Cache. This can cause some problems (especially with complex WPAD scripts) and is covered well in the following article: https://jdebp.eu/FGA/web-browser-auto-proxy-configuration.html
- Internet Explorer is unable to retrieve a new wpad.dat configuration
- Disabling Automatic Proxy Result Caching for testing purposes OR permanently is covered in Microsoft article: http://support.microsoft.com/kb/271361