It was almost 6:00 pm on Friday evening and I was setting my mind on what to do with my weekend when suddenly the phone rings.
“Hey Uilson, please help us! We are getting an error to access the internet!”
OK! Time to stop dreaming about weekend plans and find out what is going on!
I quickly confirmed from my notebook that internet access was down and Internet Explorer was returning the error message below:
Error FW-1 at fw6057: Access denied.
Requests were being redirected to our edge firewall.
The network used two Forefront TMG in Network Load Balanced (NLB) configuration and all browsers received proxy details via WPAD.DAT script, delivered by GPO from our Active Directory servers.
When setting the web proxy details manually in Internet Explorer using the IP and port of the Forefront TMG proxy server, Internet access was restored! This narrowed the problem down to an issue with the WPAD.DAT script.
I went to Internet Explorer and tried to download the WPAD script by typing its address into my browser:
I found I could not access this link. Then, remembering some advice I received from one of our Field Analysts, I tried accessing the script via port 8080:
Success! I could download script.
I tried manually setting one of the workstations to download the script using port 8080, and it was able to access the internet again!
OK my friends! I’ve found what was wrong! The Forefront TMG Server was refusing requests to the WPAD.dat script on port 80.
The reason why Internet access suddenly dropped was that someone made a change to Forefront TMG’s Internal network properties and disabled the access via port 80 by unchecking the “Publish automatic discovery information for this network” option, as shown in the image below:
When checking this option again, all users got their Internet access back!
About Web Proxy Auto Discovery (WPAD)
The ‘Publish automatic discovery information for this network’ option in Forefront TMG allows access to the Web Proxy Automatic Discovery (WPAD) protocol. All you need to do is configure a host record in DNS called WPAD that resolves to the IP address of your Forefront TMG’s internal network interface.
The WPAD method can pose potential security issues, so Microsoft added WPAD to the default Global Query Block List in Windows Server 2008. This means that the DNS service will not respond to WPAD queries by default. It is possible to turn this method on by following some steps that my friend Richard Hicks describes in his post: DNS Security Enhancements and Proxy Auto Discovery.
The best way to deploy the WPAD script is keeping the default link provided by Forefront TMG. In case you want to set up a customized link, always create it using port 8080 as default. For example: http://proxy.uilson.com:8080/wpad.dat
Using an address like the one above won’t impact users if someone unchecks the Automatic Discovery publishing option.
You also need to be sure the script address on Forefront TMG matches what you have specified in Active Directory GPO.
Further WPAD Troubleshooting
Luckily, my issue was easily solved by re-publishing the Auto Discovery service on Forefront TMG. If you are having other issues with WPAD on Forefront TMG and this article does not help, here are some other WPAD troubleshooting resources you may find useful:
Troubleshooting Automatic Detection (Forefront Operations Documentation)
Forefront TMG Web Proxy Auto Detect Fails (Richard Hicks)
Troubleshooting Windows Proxy Auto Discover – WPAD (Infratalk)
Automatic Discovery Woes (Forefront TMG Product Team Blog)
WPAD is Working Or Not (Suraj Singh MSFT)