Author: Mark Wilson

  • Configuring web proxy auto discovery for Internet Explorer clients

    Over the last few weeks, I’ve been looking at using web proxy auto discovery (WPAD) to let a client’s PCs automatically discover the location of their Microsoft ISA Server 2000 web proxy servers through the Internet Explorer client. Note that WPAD is used by web proxy clients; firewall clients use winsock proxy auto detection (WSPAD) instead.

    Microsoft knowledge base article 296591 gives background information on WPAD (for WSPAD see Microsoft knowledge base article 260210) but basically, what is involved is:

    • A properly configured web proxy client (i.e. one which has “automatically detect settings” checked in the Internet Explorer LAN connection settings) queries the DHCP server for option 252, which identifies an HTTP address for a file called wpad.dat: ISA Server’s dynamically generated proxy auto configuration (PAC) file.
    • If a DHCP server does not respond with option 252, the web proxy client attempts to access http://wpad.domainsuffix:80/wpad.dat (or http://wpad.domainsuffix:80/wspad.dat for the firewall client). To locate this URL the client queries its configured DNS servers for wpad.domainsuffix, so an incorrectly configured domain suffix will prevent automatic discovery from working. Microsoft knowledge base article 307502 also indicates that the WPAD address is case sensitive. This fallback is also the weak point of WPAD: the client will fetch and execute a proxy script from whichever host answers to the name wpad in its DNS suffix, so that name should be registered deliberately (or explicitly blocked) in every zone the clients search, and only authorised servers should be able to answer DHCP requests on the subnet.

    It should be noted that WPAD is not supported for clients that connect to the LAN with any type of dial-up connection.

    To set up WPAD, three steps are involved, as detailed in Microsoft knowledge base article 309814 (Windows 2000) and Microsoft knowledge base article 816320 (Windows Server 2003):

    • The web proxy servers must publish automatic discovery information (which might require the web proxy service to be restarted).
    • DHCP (and optionally, DNS) needs to be configured to send the WPAD URL to the web proxy client (as detailed in Microsoft knowledge base article 252898).
    • Finally, the clients need to be set to automatically detect settings.

    We planned to roll out WPAD on a site-by-site basis, using DHCP (adding a DNS entry would affect all clients) and everything looked good using DHCP alone (no DNS installed) in my test environment; however the existing route used for production clients to access the Internet is direct via the firewall, and so the clients failed to use the DHCP-assigned WPAD information as the direct path was working (that’s the theory – it is difficult to diagnose the DHCP traffic to that level of certainty, other than using a network monitor and examining packets).

    One possibility for the failure is described in Microsoft knowledge base article 312864 but I could not replicate this behaviour in testing and as it is only linked from the Windows Server 2003 version of the knowledge base article describing configuration of firewall and web proxy client auto discovery, I am not convinced that the article applies to clients using Windows 2000 DHCP servers.

    The current plan is to use a group policy object, filtered by group membership, to manipulate client proxy settings and use http://proxyarray.domainname.suffix/wpad.dat as an automatic configuration script. This has the advantage that we can control who can access the Internet (take a user out of the group to remove their proxy access – once the direct path has been removed), but does not use WPAD at all.

    One comment which my client made was that the wpad.dat file which ISA Server uses looks complex compared to the .PAC files used by the parent company’s web proxy servers. We could have used a simple .PAC file, but the major advantage of wpad.dat is that it is updated dynamically to reflect changes in the proxy server configuration.
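    As an added example (not from the post, and not ISA Server’s generated wpad.dat), here is a minimal PAC script of the simple kind mentioned above. The proxy array name is the placeholder used in the post; the port 8080, the internal DNS suffix corp.example and the 192.168.1.0/24 range are assumptions for illustration. A browser supplies isPlainHostName, dnsDomainIs and isInNet when it evaluates a PAC file; they are reimplemented here (without DNS lookups) so the script can be exercised under node.

```javascript
// Added example: a minimal proxy auto-configuration (PAC) script of the kind
// the post contrasts with ISA Server's generated wpad.dat. The proxy name is
// the placeholder used in the post; port 8080, the internal DNS suffix
// corp.example and the 192.168.1.0/24 range are assumptions for illustration.

// A browser provides these helpers when it evaluates a PAC file. They are
// reimplemented here (without DNS lookups) so the script can be run under node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h.length > d.length && h.endsWith(d);
}

// Dotted quad to a 32-bit integer; null for anything that is not a literal IPv4 address.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (m === null) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// In a browser isInNet resolves the host name first; this stand-in only
// matches literal addresses, so names are never considered on-net here.
function isInNet(host, net, mask) {
  const h = ipv4ToInt(host);
  const n = ipv4ToInt(net);
  const k = ipv4ToInt(mask);
  if (h === null || n === null || k === null) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

// Proxy string without a "; DIRECT" fallback: if the proxy array is down the
// request fails instead of silently going direct.
const PROXY = "PROXY proxyarray.domainname.suffix:8080";

// The entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Single-label intranet names, the internal DNS domain and the local
  // subnet are reached directly; everything else goes through the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return PROXY;
}
```

    Note the absence of a trailing “; DIRECT” in the proxy string. A PAC that falls back to DIRECT quietly lets clients bypass the proxy whenever it is unreachable, which defeats the point of using proxy access to control who can reach the Internet; the price is that a proxy outage is visible to users, which is the right trade-off once the direct route through the firewall has been removed. Also note that dnsDomainIs matches on the suffix only, so corp.example.evil.net is still sent to the proxy, and that the isInNet stand-in does not resolve names, whereas a real browser would.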

  • Searching for a Visio stencil or template?

    A couple of nights back, I was documenting the rack configuration for a client’s data centre. Easy enough using a rack configuration tool from one of the major hardware vendors, except that most of us have multi-vendor rack contents and use Microsoft Visio to record the details. Enter the index of Visio download sites. Using this I was able to locate and download Visio stencils for Compaq/HP hardware, although Visio stencils for Dell servers seem to be a bit thin on the ground…

  • We are not afraid: photo blogging at its best

    This is a technology blog and as such, I don’t cover politics. I do sometimes work in London though. As do many of my friends and family. And I do like it when somebody uses technology to push home a message – like that WE’RE NOT AFRAID of terrorism.


    Here are some of my favourites from the galleries on the We’re Not Afraid photo blog site.


    Get the message?

    Links

    Wikipedia
    London bomb victims book of condolence
    British Red Cross London Bombings Appeal

  • Announcing Windows Vista

    Microsoft have announced the name for the next version of Windows (formerly codenamed Longhorn) – Windows Vista.

    I’m not overly impressed with the name (how about Windows 2006?) but it looks like they are going with it. What’s not clear is whether this is just the client version, or the next Windows server release too. Perhaps I’ll find out more when I finally get access to the beta in a couple of weeks’ time.

  • IPv6 – so what’s it all about?

    A few weeks back, I was at a Microsoft TechNet UK event, where Steve Lamb discussed Microsoft’s implementation of the Internet Protocol v6 (IPv6), available in Windows 2000 service pack 3 or later, Windows XP service pack 1 or later, or Windows Server 2003. This is a new version of IP (also known as IP next generation – IPng), intended to overcome some of the limitations of the present version (v4), namely:

    • Exhaustion of available addresses – not such a major issue now that network address translation (NAT) is so common, but potentially a future issue as more and more devices are IP-enabled.
    • Large routing tables in backbone routers (the average ISP has 90,000 entries under IPv4).
    • A need for simpler, stateless configuration.
    • A need for better support of real-time data delivery (QoS).

    IPv6 provides a 128-bit address space (compared with IPv4’s 32 bits) and, instead of four octets in dotted decimal notation, an IPv6 address is written as eight groups of 16 bits in hexadecimal, separated by colons (leading zeros within a group, and one run of consecutive all-zero groups, may be omitted). With stateless address autoconfiguration the low 64 bits (the interface identifier) are derived from the media access control (MAC) address of the client, for example 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A, where the 02AA:00FF:FE28:9C5A portion encodes the MAC address 00-AA-00-28-9C-5A.

    I’m told that there was an IPv5 (presumably with a 64-bit address space?), but it took too long to ratify. The IPv6 addressing scheme gives a vast number of possible combinations (about 340 undecillion – that’s more than 340000000000000000000000000000000000000!) and allows for faster routing due to its simplified header.
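    As an added example (not from the talk or the post), the address shorthand and the MAC-address embedding described above, worked through in JavaScript: expandIPv6 restores the full eight groups from the compressed form, eui64FromMac builds the interface identifier an autoconfiguring host derives from its MAC address, and macFromEui64 recovers the MAC from an address that carries such an identifier. The sample address is the one quoted above; the MAC 00-aa-00-28-9c-5a is what it decodes to.

```javascript
// Added example (not from the original post): expand an IPv6 address to its
// eight 16-bit groups and, where the low 64 bits carry a modified EUI-64
// interface identifier, recover the MAC address it was built from. The
// sample address is the one quoted in the post.

// Expand "::" shorthand and pad each group to four hex digits.
function expandIPv6(addr) {
  const halves = addr.split("::");
  if (halves.length > 2) throw new Error("more than one '::' in address");
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error("wrong number of groups");
  }
  const groups = head.concat(Array(missing).fill("0"), tail);
  return groups.map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error("bad group: " + g);
    return g.toLowerCase().padStart(4, "0");
  }).join(":");
}

// Interface identifier (low 64 bits) as 16 hex digits.
function interfaceId(addr) {
  return expandIPv6(addr).split(":").slice(4).join("");
}

// Build the modified EUI-64 identifier an autoconfiguring host derives from
// its MAC: flip the universal/local bit and insert ff:fe in the middle.
function eui64FromMac(mac) {
  const bytes = mac.split(/[-:]/).map(h => parseInt(h, 16));
  if (bytes.length !== 6 || bytes.some(b => isNaN(b) || b < 0 || b > 255)) {
    throw new Error("bad MAC address");
  }
  bytes[0] ^= 0x02;
  const id = [bytes[0], bytes[1], bytes[2], 0xff, 0xfe, bytes[3], bytes[4], bytes[5]]
    .map(b => b.toString(16).padStart(2, "0")).join("");
  return id.match(/.{4}/g).join(":");
}

// Undo the transformation above. Returns null for identifiers that do not
// have the ff:fe marker, i.e. addresses assigned manually, by DHCPv6, or
// with a random/temporary identifier.
function macFromEui64(addr) {
  const id = interfaceId(addr);
  if (id.slice(6, 10) !== "fffe") return null;
  const bytes = [];
  for (const pos of [0, 2, 4, 10, 12, 14]) {
    bytes.push(parseInt(id.slice(pos, pos + 2), 16));
  }
  bytes[0] ^= 0x02; // the universal/local bit was inverted when the MAC was embedded
  return bytes.map(b => b.toString(16).padStart(2, "0")).join("-");
}
```

    The round trip is the practical reason the IETF defined temporary (privacy) interface identifiers: an EUI-64 address reveals the NIC vendor and makes a laptop trackable across every network it visits, because the interface identifier stays the same while only the prefix changes. Addresses that were assigned manually or by DHCPv6 do not carry the ff:fe marker, and macFromEui64 returns null for them.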

    Like most protocols in the TCP/IP suite, IP is made up of a number of sub-protocols and IPv6 is actually formed of five core protocols:

    • Internet protocol (IP).
    • Internet control message protocol (ICMP).
    • Multicast listener discovery (MLD).
    • Neighbor discovery (ND).
    • Top level aggregator (TLA), which is strictly an addressing construct (a field of the aggregatable global unicast address format) rather than a protocol.

    (Yes, there really is a three letter acronym called TLA!)

    In terms of application support, Microsoft’s IPv6 implementation is as per the IETF RFCs (i.e. not extended in any way). The tools look similar to the IPv4 versions, apart from the different addresses. DNS and RPC are both supported by the IPv6 stack, as are sockets interface extensions; however IPSec on IPv6 is only partly functional. There is also support for an IPv6 IP Helper API.

    So what are the barriers to IPv6 adoption? For a start, businesses will need to see some benefit first, and although IPv6 addresses are available now, the initial worries about a lack of IPv4 address space have been alleviated (for the time being) by network address translation (NAT) and private IP address ranges. Organisations implementing IPv6 do not need to drop IPv4 and convert overnight: the two can run side by side on the same hosts, and there is a world-wide IPv6 test network backbone. However, many organisations rely on NAT as a line of defence in their security model; with IPv6 every host can have a globally routable address, so the implicit protection of being unreachable from the Internet disappears and firewall configurations will need to be re-examined (with explicit stateful filtering of inbound IPv6 traffic) before an IPv6 migration is performed. Add to that the fact that IPv4 is well understood by administration staff (IPv6 is not), and a critical mass must build up before most organisations will be ready to make the move, although the US government is mandating that all federal agencies must use IPv6 by 2008, so maybe that will start the ball rolling.

    In summary, IPv6 is here today, but many organisations will not be in a rush to migrate. The next generation of Windows (codenamed Longhorn) is expected to include a new networking stack that supports both the IPv6 and IPv4 networking standards and I would expect IPv6 to gain some momentum around about the time of its expected release (2006-7). Until then, IPv6 will remain something to look at in our labs. Wikipedia has more information about IPv6 for those who wish to learn more.

  • Best practices for managing automatic IP addressing with DHCP

    Dynamic host configuration protocol (DHCP) is often taken for granted – we expect it to work; however there are a few items which need to be considered and this post is intended as a general discussion of DHCP best practice.

    Most administrators will be familiar with the overall DHCP concept: basically a database of IP addresses allocated to clients dynamically, allowing centralised IP address management. However, most of the organisations I see still need to use static addresses for some devices (e.g. servers). Whilst there is nothing wrong with this, and I would still suggest using fixed IP addresses for networking equipment and the DHCP server itself, reservations can be used to reserve particular addresses for certain clients, based on their media access control (MAC) address. The main drawback of this approach is that if the NIC in the computer changes, so does the MAC, although reprogramming the MAC address is possible (as is setting up a new reservation). For the same reason a reservation is an administrative convenience rather than a security control: any host that presents the reserved MAC address will be given that address.

    If there are static addresses in use which fall within an IP address range intended for DHCP, exclusions can be configured (much easier than configuring several scopes to cover the fragmented IP range). Exclusions can be configured for a single address, or for a range of IP addresses.

    Lease duration is another area to consider (i.e. the amount of time before a client needs to renew its DHCP address). If this is set too long, and there are a large number of mobile clients, there is a risk of running out of available IP addresses as these mobile clients join the network, lease an address and then leave again without releasing it; conversely, if it is too short there is a large amount of renewal traffic, as each DHCP client attempts to renew its lease once half the lease time has elapsed. For most environments, I find that an 80:20 rule can be applied, i.e. provide 20% more addresses than are expected to be in use at any one time (to cater for mobile clients) and set the lease time to 1 day, but for a subnet with largely static PCs longer leases may be appropriate.

    DHCP includes a number of pre-defined options that can be set on a client:

    • Server options apply to all scopes on a server (e.g. 006 DNS servers, 015 DNS Domain Name).
    • Scope options apply to a single scope (e.g. 003 Router).
    • Class options can be applied to a specific type of device.
    • Reservation options apply to specific reservations.

    Occasionally it may be necessary to configure custom options – e.g. 060 for a pre-boot execution environment (PXE) client or 252 for web proxy auto-discovery (WPAD).

    If there are multiple DHCP servers on a subnet then the client takes the first offer it receives: when a client broadcasts a DHCP discover, every listening server responds with an offer and the client requests the address from whichever answered first. That is why Windows 2000 and later DHCP servers must be authorised in Active Directory before they will serve addresses, which prevents a Windows server from being brought up as a rogue DHCP server by mistake; however authorisation is only enforced by Windows DHCP servers that are domain members, so it does nothing about non-AD DHCP servers (such as the one in Virtual Server, or on an ADSL router), which can still hand out addresses, gateways, DNS servers and WPAD URLs to clients and need to be found on the wire (for example by watching for DHCP offers whose server identifier is not one of the known servers). Because DHCP requests are broadcast-based they typically cannot traverse routers, so DHCP relaying must be configured where clients are remote from the DHCP server.
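    As an added example (not from the post), here is a JavaScript decoder for a DHCP message that pulls out the fields that matter in this discussion, the server identifier (option 54), the lease time (option 51) and the WPAD URL (option 252), and checks them against what the site expects. It runs under node on a DHCPOFFER constructed inline; the addresses, the client MAC and the WPAD URL are made up for the example, and the checkOffer helper is mine rather than a Windows DHCP feature. The same parser, fed packets captured from the network, is the practical way to spot a non-AD server answering clients, since AD authorisation does not silence it.

```javascript
// Added example: decode a DHCP message and check the options discussed in the
// post (54 server identifier, 51 lease time, 252 WPAD URL) against what the
// site expects. The DHCPOFFER is constructed inline for the example; all
// addresses, the MAC and the WPAD URL are made up. Runs under node.

function ip4(buf) {
  return Array.from(buf).join(".");
}

function ip4Bytes(s) {
  return Buffer.from(s.split(".").map(Number));
}

// One option in code, length, value form (RFC 2132).
function opt(code, value) {
  const v = Buffer.isBuffer(value) ? value : Buffer.from(value, "ascii");
  return Buffer.concat([Buffer.from([code, v.length]), v]);
}

// Constructed DHCPOFFER: 236-byte fixed header, magic cookie, then options.
function sampleOffer() {
  const hdr = Buffer.alloc(236);
  hdr[0] = 2; hdr[1] = 1; hdr[2] = 6;                 // BOOTREPLY, Ethernet, 6-byte hw address
  hdr.writeUInt32BE(0x3903f326, 4);                    // transaction id
  ip4Bytes("192.168.1.50").copy(hdr, 16);              // yiaddr: the offered address
  ip4Bytes("192.168.1.2").copy(hdr, 20);               // siaddr
  Buffer.from([0x00, 0xaa, 0x00, 0x28, 0x9c, 0x5a]).copy(hdr, 28); // chaddr: client MAC
  const lease = Buffer.alloc(4);
  lease.writeUInt32BE(86400, 0);                       // one day, as the post suggests
  return Buffer.concat([
    hdr,
    Buffer.from([0x63, 0x82, 0x53, 0x63]),             // magic cookie
    opt(53, Buffer.from([2])),                         // message type: OFFER
    opt(54, ip4Bytes("192.168.1.2")),                  // server identifier
    opt(51, lease),                                    // lease time
    opt(1, ip4Bytes("255.255.255.0")),                 // subnet mask
    opt(3, ip4Bytes("192.168.1.1")),                   // router
    opt(6, Buffer.concat([ip4Bytes("192.168.1.10"), ip4Bytes("192.168.1.11")])), // DNS servers
    opt(252, "http://proxyarray.domainname.suffix/wpad.dat"), // WPAD URL
    Buffer.from([255]),                                // end
  ]);
}

const MSG_TYPES = { 1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK" };

// Split a buffer into fixed-size pieces (multi-address options such as 6).
function chunk(buf, size) {
  const out = [];
  for (let i = 0; i + size <= buf.length; i += size) out.push(buf.subarray(i, i + size));
  return out;
}

// Parse the header and walk the option list. Returns null when the cookie is
// missing or an option claims more bytes than the packet holds.
function parseDhcp(buf) {
  if (buf.length < 240 || buf.readUInt32BE(236) !== 0x63825363) return null;
  const options = new Map();
  let i = 240;
  while (i < buf.length) {
    const code = buf[i];
    if (code === 255) break;                 // end
    if (code === 0) { i += 1; continue; }    // pad
    if (i + 2 > buf.length) return null;     // truncated option header
    const len = buf[i + 1];
    if (i + 2 + len > buf.length) return null;
    options.set(code, buf.subarray(i + 2, i + 2 + len));
    i += 2 + len;
  }
  const hlen = Math.min(buf[2], 16);
  const hex = b => b.toString(16).padStart(2, "0");
  const lease = options.get(51);
  return {
    op: buf[0],
    xid: buf.readUInt32BE(4),
    yiaddr: ip4(buf.subarray(16, 20)),
    chaddr: Array.from(buf.subarray(28, 28 + hlen)).map(hex).join("-"),
    type: MSG_TYPES[options.has(53) ? options.get(53)[0] : 0] || "UNKNOWN",
    serverId: options.has(54) ? ip4(options.get(54)) : null,
    leaseSeconds: lease && lease.length >= 4 ? lease.readUInt32BE(0) : null,
    routers: options.has(3) ? chunk(options.get(3), 4).map(ip4) : [],
    dnsServers: options.has(6) ? chunk(options.get(6), 4).map(ip4) : [],
    wpadUrl: options.has(252) ? options.get(252).toString("ascii").replace(/\0+$/, "") : null,
  };
}

// Findings for an offer from a server not on the list, or carrying a WPAD URL
// other than the one the site publishes (pass null if none is expected).
function checkOffer(msg, authorisedServers, expectedWpad) {
  const findings = [];
  if (!authorisedServers.includes(msg.serverId)) {
    findings.push("offer from unlisted DHCP server " + msg.serverId);
  }
  if (msg.wpadUrl !== null && msg.wpadUrl !== expectedWpad) {
    findings.push("unexpected WPAD URL " + msg.wpadUrl);
  }
  return findings;
}
```

    checkOffer treats any option 252 as suspicious when the site does not publish one (expectedWpad of null), because a WPAD URL from an unexpected server redirects every browser on the subnet through a proxy of the sender’s choosing. The parser deliberately rejects options that run past the end of the packet rather than reading whatever follows.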

    To configure DHCP for redundancy, it is generally advised to configure two DHCP servers and to split the scope using a 50:50 or 80:20 ratio (50:50 works well where both DHCP servers are on the same site; 80:20 may often be appropriate where a remote site is providing redundancy for a local server). So, for example, if I want to allocate addresses on the network 192.168.1.0/24, I might reserve the top 10 or so addresses for static devices and create two scopes on two DHCP servers, one for 192.168.1.1-120 and the other for 192.168.1.121-240. This provides 240 potentially available addresses, but if one server is unavailable then the other can still answer. Of course, this scenario only guarantees addresses for 120 clients (96 taking into account my earlier recommendations for dealing with mobile devices). It is also possible to cluster DHCP servers for redundancy.

    Superscopes can be used to group several scopes into one for management purposes, but when I tried to implement these in a live environment, we found that they did not work well and had to revert to individual scopes for each subnet.

    Since Windows 2000, the Microsoft DHCP server implementation has included DNS integration. Set on the scope properties, this allows three options for updating A and PTR records in DNS as IP addresses are leased to DHCP clients:

    • Enable DNS dynamic updates, either always, or if requested (by Windows 2000 or later clients).
    • Discard DNS records when the lease is deleted (i.e. clean up afterwards).
    • Dynamically update DNS for legacy clients that do not request updates (e.g. Windows NT 4.0).

    In terms of new features, Windows Server 2003 improves on Windows 2000 Server by allowing backup and restoration of the DHCP database from the DHCP console. It also provides for both user- and vendor-specified option classes. Potentially the greatest area of improvement is integration of DHCP commands within the netsh command shell.

    Finally, the DHCP server stores its leases in a JET database which, on a busy server, benefits from periodic compaction. At a recent Microsoft TechNet UK event, John Howard recommended that every now and again the service is stopped and jetpack.exe is used to perform database maintenance, improving performance (as described in Microsoft knowledge base article 145881).

  • Performance tips for Microsoft Virtual Server 2005

    A few days back, I blogged about the performance issues I’d experienced with Microsoft’s virtualisation products. John Howard’s blog reports that Microsoft knowledge base article 903748 was released today, featuring a whole load of performance tips for Virtual Server 2005.

  • Microsoft acquires FrontBridge

    Back in March, I wrote about some new e-mail message continuity services from FrontBridge. Well, according to a press release just received from Microsoft, FrontBridge is about to become Microsoft’s latest acquisition as it steps up its systems management and security capabilities. With the purchase of Giant Company (anti-spyware), Sybari (anti-virus) and now FrontBridge (anti-spam and message continuity), Microsoft’s security arsenal is starting to look good. It will be interesting to see how these purchases shape up and whether they are integrated into Windows, retained on an application service provider (ASP) basis, or developed into one or more new products, perhaps as part of the System Center family, or (in the case of FrontBridge) maybe we will see some of the new technology integrated into Exchange 12?

  • Find out what the moon is made of using Google maps

    Today is the 36th anniversary of the Apollo 11 moon landings (thought by some to be a hoax, and by others to be a fantastic scientific achievement on the part of mankind). To celebrate this, Google has added some NASA imaging to Google Maps and if you zoom in really close, you can really see what the moon is made of! The Google Moon FAQ has more details of Google’s plans for expanding Internet search features beyond the boundaries of planet earth!

  • A WYSIWYG CSS editor for SharePoint sites and some useful webparts

    I just picked up a great tip from my colleague Jonathan Bradshaw’s blog. James Milne has developed a WYSIWYG CSS generator for SharePoint sites along with some other interesting SharePoint webparts like a page toolbar and a spell checker.