Internal computers in networks protected by Forefront TMG can automatically detect the location of the Forefront TMG server they should use as a Web proxy.
This topic is designed to help you plan for automatic Web proxy detection. It provides information on the following:
- Detection methods
- Considerations for selecting detection methods
- Considerations for hosting the configuration file
- Considerations for implementing detection with DHCP and DNS
Detection methods
Forefront TMG supports several automatic detection methods:
- Client computers running Forefront TMG Client can connect to Active Directory Domain Services (AD DS) to retrieve the Web proxy settings. This is the recommended detection method.
- Client computers running earlier versions of Firewall client, or a Web proxy client, can access the Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) server to retrieve the Web proxy settings. This method can also be used in deployments where AD DS is not updated with the automatic detection information. The settings are held in a configuration file, typically on the Forefront TMG server; for more information, see Considerations for hosting the configuration file.
Note: For security reasons, DHCP or DNS are not used as a backup in deployments where AD DS was configured with Web proxy information. In these deployments, if the location of the configuration file cannot be obtained from AD DS (for example, if an unexpected error occurs during the AD DS query), access will fail.
- Automatic configuration script: Client computers connect to the location specified in the script to retrieve the Web proxy settings. This method can be used as a fallback when the retrieval of Web proxy settings from AD DS, or from DHCP or DNS, fails.
Considerations for selecting detection methods
You should consider the following when selecting which detection method (or methods) to use:
- The use of automatic detection from DHCP or DNS is recommended for client computers that move between networks, such as mobile devices.
- The following limitations apply to the implementation of automatic detection with AD DS:
  - Supported only on Forefront TMG Clients; not supported on earlier versions of Firewall client, on Web proxy clients, or on SecureNAT clients.
  - Not supported in Forefront TMG workgroup deployments.
- For client computers running Forefront TMG Client or earlier versions of Firewall client, you can apply the selected method (or methods) via the Forefront TMG Management console. Settings are applied as follows:
  - Each time the Forefront TMG Client or Firewall client is restarted.
  - Each time a user clicks Detect Now or Test Server on the Settings tab in the Forefront TMG Client dialog box.
  - Every six hours.
- For client computers that are running both a Web proxy client and the Forefront TMG Client, or earlier versions of the Firewall client, you can apply the selected method (or methods) to the Web proxy client, via the Forefront TMG Client or Firewall client.
- For client computers running Web proxy without running the Forefront TMG Client, or earlier versions of Firewall client, and for SecureNAT clients, you might need to apply the selected method (or methods) yourself, as follows:
  - If you select to use DHCP or DNS, Internet Explorer browsers are configured by default to automatically detect settings, and no further client-side configuration is required. For other browsers, consult the relevant product documentation.
  - If you select to use the automatic configuration script, you must apply the configuration to all the client computers.
Considerations for hosting the configuration file
When you implement automatic detection with DHCP or DNS, Web proxy settings are held in a configuration file. You can host the configuration file on Forefront TMG, or on an alternative Web server, such as a computer running Internet Information Services (IIS). When planning the placement of the configuration file, consider the following:
- The main advantage of hosting the file on Forefront TMG is that the file is automatically updated when Web proxy settings are modified in the Forefront TMG Management console, and there is no need to update it manually. Putting the file on a different server requires the file content to be updated manually.
- Hosting the configuration files on a computer running IIS can provide some failover capabilities. You can configure multiple Web servers in IIS and put different configuration files in each Web server. The active Web server will be the server that contains the Web proxy settings for the currently active Forefront TMG computer.
- If you are not hosting the file on Forefront TMG, you do not need to publish automatic discovery information, because Forefront TMG does not need to listen for automatic discovery requests. This may be an advantage when IIS is co-located on the Forefront TMG computer, and port conflicts could occur.
Considerations for implementing detection with DHCP and DNS
When implementing automatic detection with DHCP, DNS, or both, consider the following:
- In both DHCP and DNS implementations, the configuration file must be published on port 80.
- Entries in DNS can only be used by client computers that are configured to resolve DNS names.
- When implementing detection with DNS, entries must be configured for every domain that contains client computers that are enabled for automatic discovery.
- To implement DHCP, a valid DHCP server must be installed on the same network as the client computers.
- DHCP is limited to specific user groups on some client computer operating systems. For more information, see the article Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions (http://go.microsoft.com/fwlink/?LinkID=69274).
- If you configure or remove automatic detection after you deploy the DNS server role on a server running Windows Server 2008, you must update the block list on all the DNS servers that host the zones affected by the change. The affected zones are those where you registered the servers.
- Generally, using DHCP servers with automatic detection works best for local area network (LAN)-based clients, whereas DNS servers enable automatic detection on computers with both LAN-based and dial-up connections. Although DNS servers can handle network and dial-up connections, DHCP servers provide faster access to LAN users and greater flexibility. If you configure both DHCP and DNS, clients will attempt to query DHCP for automatic discovery information first and then query DNS.
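The following Python is an added illustration, not code from the Forefront TMG documentation. It models the client-side lookup order described under Detection methods and in this section (DHCP first, then a DNS entry per domain, then the configuration script as fallback) and adds the check a defender would want: that the discovered file location is served on port 80 from a known Forefront TMG or IIS host. The DHCP option number (252), the wpad host name and the wpad.dat file name are the standard WPAD conventions and are assumptions not stated on this page; the DHCP bytes and the DNS table are constructed.

```python
from urllib.parse import urlsplit

# Constructed DHCP options blob (the options area of a DHCP ACK, magic cookie
# omitted). Option 252 carries the URL of the Web proxy configuration file.
WPAD_URL = b"http://tmg.corp.example/wpad.dat"
SAMPLE_DHCP_OPTIONS = (
    b"\x35\x01\x05"                                  # option 53, DHCPACK
    + b"\xfc" + bytes([len(WPAD_URL)]) + WPAD_URL     # option 252, WPAD URL
    + b"\xff"                                        # end option
)
# Constructed DNS table standing in for a resolver: only corp.example has a wpad entry.
SAMPLE_DNS = {"wpad.corp.example": "10.0.0.5"}

def wpad_url_from_dhcp(options: bytes):
    """Walk the DHCP option TLVs and return the option-252 URL, or None."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0xFF:                      # end marker
            break
        if code == 0x00:                      # pad byte, has no length field
            i += 1
            continue
        length = options[i + 1]
        if code == 252:
            return options[i + 2:i + 2 + length].decode("ascii", "replace").rstrip("\x00")
        i += 2 + length
    return None

def wpad_url_from_dns(host_fqdn, resolve):
    """Query wpad.<suffix> for each parent suffix of the client's domain, stopping before the TLD."""
    labels = host_fqdn.split(".")[1:]         # drop the host's own label
    while len(labels) >= 2:
        candidate = "wpad." + ".".join(labels)
        if resolve(candidate):
            return f"http://{candidate}/wpad.dat"
        labels = labels[1:]
    return None

def discover(options, host_fqdn, resolve, fallback_script=None):
    """DHCP first, then DNS, then the configured script: the order this page describes."""
    return wpad_url_from_dhcp(options) or wpad_url_from_dns(host_fqdn, resolve) or fallback_script

def check_expected(url, expected_hosts):
    """Defender check: the file must be fetched over HTTP on port 80 from a known host."""
    u = urlsplit(url)
    port = u.port if u.port is not None else 80
    return u.scheme == "http" and port == 80 and u.hostname in expected_hosts
```

A discovered location that fails check_expected (wrong port, or a host outside the expected set) is the signal to investigate, since the page requires the file on port 80 and the settings come from the Forefront TMG or IIS host you chose.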