Automatically Configuring Network Clients to use the BorderManager Proxy
Novell Cool Solutions: Trench
By Wallace Marks
Posted: 18 Sep 2003
We were having problems with Transparent Proxy. Access rules weren't working properly and BorderManager wasn't stable. The obvious solution was to disable Transparent Proxy, but before I could do that I needed some way of configuring everybody's workstations to use the proxy. To make matters worse, we have a LOT of outside consultants that routinely need Internet access.
The first solution was to push out the proxy settings via either ZENworks or a login script. Nothing complex, just use the proxy for all remote addresses. That got all of my workstations talking, but it caused performance problems for my mobile users and it didn't help the consultants a bit. Back to the drawing board.
Next I came across the Novell Appnote "Managing Browser Configuration for Novell BorderManager Proxy Clients". That introduced me to using proxy.pac autoconfiguration files. Per Craig Johnson's Beginners Guide to BorderManager 3.x, I stuck the proxy.pac file on the BorderManager mini-webserver and again pushed out new proxy settings. That fixed the performance problems for the mobile users, but consultants were still a problem. Back to the drawing board again...
My next stab was to use DHCP option 252, as mentioned in the "Managing Browser Configuration..." Appnote. Unfortunately I couldn't get it to work. Some browsing in the Novell Knowledgebase turned up TID 10081836 which outlined some necessary tweaks, but they didn't help a bit. Back to the drawing board yet again...
I finally tried using the "well-known" DNS entry WPAD. According to the Appnote, if "Automatically detect settings" is enabled, IE will do a DNS query for WPAD. If it gets a positive response it'll look for a configuration file at http://wpad.domain.dom/wpad.dat. Note that the wpad.dat file is just proxy.pac renamed.
At first I tried to use the BorderManager mini-server, but I couldn't figure out how to use port 1959. We needed a web server that would respond to standard HTTP port 80. For us, the best choice was our GroupWise WebAccess server. I created a DNS entry "wpad" and pointed it to our mail server. Then I renamed proxy.pac to wpad.dat and copied it to the web server root, which for us was VOL1:\apache\htdocs\wpad.dat. If you use another web server you can test it by browsing to http://wpad.yourdomain.com/wpad.dat. If IE prompts you to open or save the file then it's working fine.
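A minimal wpad.dat of the kind this setup serves, as an added example that is not the author's actual file: the proxy host and port, the .example.com domain and the 10.0.0.0/8 range are placeholder assumptions. It uses plain string tests rather than the PAC DNS helper functions, so evaluating it triggers no name lookups.

```javascript
// wpad.dat (the same file as proxy.pac). Added example, not the article's file.
// Placeholders: proxy.example.com:8080, the .example.com domain, 10.0.0.0/8.
var PROXY = "PROXY proxy.example.com:8080";
var INTERNAL_DOMAIN = ".example.com";

// True when host ends with suffix (plain string test, no DNS lookup).
// The suffix keeps its leading dot so "evilexample.com" does not match.
function hostEndsWith(host, suffix) {
  return host.length >= suffix.length &&
    host.substring(host.length - suffix.length) === suffix;
}

// True for dotted-quad literals in 10.0.0.0/8 or 127.0.0.0/8.
function isInternalAddress(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  return m[1] === "10" || m[1] === "127";
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet names and addresses bypass the proxy.
  if (host.indexOf(".") === -1 ||          // unqualified name, e.g. "intranet"
      hostEndsWith(host, INTERNAL_DOMAIN) ||
      isInternalAddress(host)) {
    return "DIRECT";
  }
  // Remote sites use the proxy. The trailing DIRECT lets a laptop that cannot
  // reach the proxy still browse; remove it if proxy access rules must never
  // be bypassed.
  return PROXY + "; DIRECT";
}
```

Because every client with "Automatically detect settings" enabled runs whatever file the host named wpad returns, control of that DNS entry and of the web root holding wpad.dat deserves the same care as the proxy itself.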
The final trick was to enable "Automatically detect settings" for everybody and clean up all the leftovers from my prior attempts. The attached registry entries do just that. They also change the IE proxy settings from per-user to per-machine, making configuration a LOT easier. Note that "=-" instructs REGEDIT to DELETE that entry.
Of course I still have to glance at consultant laptops from time to time, but that's rare. The vast majority have automatic configuration enabled. If they don't, it's a snap to turn it on.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
If you have any questions you may contact Wallace at Wallace.Marks@nationalvision.com