Direct Access and Proxy server...

  • Question

  • I've followed the step-by-step instructions for demonstrating UAG DA in a test lab. It all works fine.

    Now I've configured TMG on the UAG server to act as a web access proxy and created a group policy to apply the proxy settings. It seems that the DA Client applies this policy and tries to use the proxy server for internet access when outside of the Intranet. How do I configure group policy to force the client to use the web proxy when connected to the Intranet, but not when outside the Intranet and connected using DA?

    Thanks all,

    Neil

    Friday, March 26, 2010 10:12 AM

Answers

  • Thanks Jason/Thomas

    I've abandoned trying to get group policy to do the job - I was clearly barking up the wrong tree!

    WPAD however definitely does work...and works a treat. My Win 7 client machine can now seamlessly use the proxy when on the Corporate LAN, and use the local link when outside. I figured that I'd need to add wpad to the NRPT on the UAG as an exclusion.

    Live pilot is next up...

    Thanks again.

     

    • Marked as answer by Erez Benari Wednesday, March 31, 2010 7:10 PM
    Wednesday, March 31, 2010 2:53 PM

All replies

  • Using TMG on UAG for forward proxy is not supported...
    Jason Jones | Forefront MVP | Silversands Ltd
    Friday, March 26, 2010 4:42 PM
    Moderator
  • Jason,

    Point taken - I obviously wouldn't do that in a production environment, I'm just trying to get my head around some of the issues that arise when using DirectAccess as opposed to our current VPN solution. Looking beyond the fact that my sandpit hasn't got a separate proxy server, the question remains:

    If my user is roaming, connecting via the corporate network or over the web via DirectAccess, how do I configure Group Policy so that he uses a proxy server (whatever it may be) when connected at the office, and then not using a proxy when connected via DirectAccess?

    In fact, the general principle of the question applies to any settings that you want to be different depending on how they are connected.

    Thanks again,

    Neil

     

    Monday, March 29, 2010 11:58 AM
  • Hi Neil,

    I don't think you'll be able to bounce back through the UAG server that the DA client is connected to, since the TMG configuration required isn't within support boundaries.

    However, you can configure the DA clients to use another TMG firewall on your network to connect to the Internet through the Web proxy. You will need to take advantage of the DNS64/NAT64 on the UAG server to connect to the FQDN of the outbound web proxy listener on the TMG firewall. That will translate the IPv6 request to an IPv4 request, and since the TMG firewall's web proxy will perform name resolution on behalf of the client, the client doesn't need to worry about that.

    That's how it's supposed to work. I'll try to stand this up in the lab and see how it works in practice.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, March 29, 2010 3:04 PM
    Moderator
  • If you add the proxy server FQDN to the NRPT bypass list, clients will not be able to access the internal proxy via DA.

    If you combine the above with WPAD or an autoconfig script that falls back to "direct" when the proxy is not available, this should produce your desired results...well, it works in our setup ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Monday, March 29, 2010 3:54 PM
    Moderator
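An added example (not from the thread, and not any poster's own configuration) of the kind of autoconfig script Jason describes: a minimal proxy auto-config (PAC) file that a WPAD server could serve. The proxy FQDN `proxy.corp.example`, port 8080 and the intranet suffix `.corp.example` are assumed placeholder names. Browsers supply the PAC helper functions `isPlainHostName` and `dnsDomainIs` themselves; they are re-implemented here so the file can also be exercised under Node.

```javascript
// Added example PAC script. Assumed names: proxy.corp.example:8080 and the
// intranet DNS suffix .corp.example (placeholders, not from the thread).

var CORP_PROXY = "PROXY proxy.corp.example:8080";
var INTRANET_SUFFIX = ".corp.example";

// Re-implementation of the PAC helper: true for single-label names.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Re-implementation of the PAC helper: true when host ends with domain.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function FindProxyForURL(url, host) {
  // Intranet names and single-label names never go through the web proxy;
  // over DirectAccess these are the names the NRPT sends through the tunnel.
  if (isPlainHostName(host) || dnsDomainIs(host, INTRANET_SUFFIX)) {
    return "DIRECT";
  }
  // Everything else tries the corporate proxy first. The trailing DIRECT
  // tells the browser to fall back to a direct connection over the local
  // link when the proxy cannot be reached, which is the situation for a
  // DirectAccess client whose NRPT exception keeps the proxy FQDN from
  // resolving through the tunnel.
  return CORP_PROXY + "; DIRECT";
}
```

The fallback relies on the browser treating an unreachable proxy as a reason to try the next entry in the returned list; the NRPT exception for the proxy name (and for `wpad` itself, as recommended later in the thread) is what makes the proxy unreachable from a DA client in the first place, so the two settings have to be applied together.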
  • Hi Jason,

    That is correct, and that's why we recommend that you make exceptions for WPAD in the NRPT. That recommendation is made with the fact that split tunneling is the default configuration. You don't want the web requests to be made through the tunnel - we want the client to connect to the web over the local link.

    But it sounded like he wanted to force the web requests over the DA connection. In that case, you will want to allow wpad through the DA connection and provide the FQDN of the TMG web proxy listener. Then the connections can be made through that device - with the exception that it can't be the device that the DA client is connected to - it has to be another TMG web proxy somewhere else on the network.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, March 30, 2010 2:09 PM
    Moderator
  • Cool :)
    Jason Jones | Forefront MVP | Silversands Ltd
    Wednesday, March 31, 2010 3:14 PM
    Moderator
    I have our UAG setup with TMG acting as a Proxy and even PPTP VPN. We use a DHCP WPAD entry so when clients are internal they get the proxy settings via DHCP and of course when external they are using a different DHCP Server so they don't get the proxy settings. Works fine for us; we just have to remember each time we make a config change in UAG and activate it to make sure it doesn't wipe out the TMG settings, which it tends to do, so I am guessing this is why it isn't supported.
    Wednesday, March 31, 2010 5:35 PM
  • Hi Dan,

    Yes, that and other reasons as well. If you want to force the DA clients to use an internal proxy (which seems like a good thing to do), then configure another device on the network as a TMG firewall and set the wpad entry for that device. That's fully supported and I suspect that performance might be better as well.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, April 1, 2010 1:36 PM
    Moderator
    Resolve:

    1. Add the wpad host to the NRPT table as an exception, so that while DA is connected this host cannot resolve.

    2. Add a GPO for the DA Client:

    disable the WPAD cache for IE https://support.microsoft.com/kb/271361 

    enable automatic proxy configuration

    3. Apply the policy and restart the DA Client

    While DA is connected, the client cannot download wpad and IE does not use the corporate proxy; while the client is in the corp network IE can load wpad and uses the corp proxy.

    IE reloads wpad every time.

    Thursday, February 12, 2015 7:05 AM