Direct Access clients not picking up the WPAD file

  • Question

  • Hello,

    I'm struggling to set up Direct Access to allow its clients to pick up the WPAD file. It works ok for the LAN clients, but not for DA ones.

    Some information about our setup:

    1) Force tunneling is used

    2) There is a WPAD entry in the DNS table set up as an Alias pointing to the FQDN of our web server hosting the WPAD file. (somehow I think this might be a problem and we should use an A record for that)

    3) Local name resolution is set to least-restrictive (use local DNS for any kind of DNS resolution errors).

    4) Windows 7

    The problem I am having is that my browser can't pick up the WPAD file using Direct Access. And it does not matter if I use "Automatically Detect Settings" or "Use Automatic Configuration Script". I clear the browser cache, re-open it and the WPAD file is not picked up. I do the same thing on a Client on the LAN and it works like a charm.

    This is also not a firewall problem because I can download the WPAD file when typing the "Auto-config script" address in the address bar. 

    Does anyone have any ideas? Something needs to be done in the NRPT table? The WPAD alias should be changed to a host record?

    Kind regards,

    Wojciech

    EDIT:

    To add some more confusion to this topic, something about WPAD is working. 

    We have 2 WPAD files:

    1) Production one with the Alias in the DNS

    2) Test one without a DNS entry that needs to be manually specified as the "auto-config script"

    At this moment the only difference between the two is the entry for the Proxy server. The production one has it set by IP address, the test one by FQDN. And what I am unable to understand is why MS Teams is working fine with the test one, but does not work with the production one...

    And why MS Teams is actually looking at the WPAD file and IE is not...

    • Edited by rozanw Wednesday, October 24, 2018 9:01 AM
    Wednesday, October 24, 2018 8:51 AM

Answers

  • I'm no expert on WPAD files, but after reading over your post an important piece of information that may be relevant here is that you can never expect to be able to contact LAN IPv4 addresses over a DirectAccess connection.

    DA traffic is all IPv6 traffic. While you don't need anything inside your network to be IPv6, all traffic moving from the DA laptop to the DA server is always IPv6, and so if something on your laptop (you, a piece of software, or a proxy config) tries to call for "10.10.10.100" - that will never work over DirectAccess. Your applications have to call for DNS names, so that those DNS names can then be resolved by the DA environment into IPv6 addresses, which the client then uses for communication to the resource inside the LAN.

    The DA server then changes those packets back down to IPv4 to give to the actual server inside the network, but the traffic must leave the laptop as IPv6 in the first place or it will never make it to your network.

    I hope that helps steer your troubleshooting!

    • Marked as answer by rozanw Saturday, November 10, 2018 4:30 PM
    Friday, November 9, 2018 11:41 AM
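
Added example, not part of the original thread or any poster's code: a static audit that lists the proxy directives in a PAC/WPAD file and flags those naming an IPv4 literal, the case the answer above says cannot work over DirectAccess. The two PAC texts are constructed to mirror the production (IP) and test (FQDN) files described in the question; port 8080 and `proxy.corp.example` are assumptions.

```javascript
// Added example: static audit of a PAC/WPAD file for proxy directives that
// name an IPv4 literal. Sample PAC texts are constructed; port 8080 and
// proxy.corp.example are made-up values.
const productionPac = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY 10.10.10.100:8080; DIRECT";   // proxy set by IP address
}`;
const testPac = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy.corp.example:8080; DIRECT";   // proxy set by FQDN
}`;

const OCTET = "(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)";
const IPV4 = new RegExp(`^${OCTET}(?:\\.${OCTET}){3}$`);
const DIRECTIVE = /^(PROXY|HTTPS?|SOCKS[45]?)\s+(\[[^\]]+\]|[^\s:]+)(?::(\d+))?$/i;

// Collect every proxy directive found inside the PAC text's string literals.
function auditPac(pacText) {
  const findings = [];
  const literals = pacText.match(/"[^"\n]*"|'[^'\n]*'/g) || [];
  for (const lit of literals) {
    // A PAC return value is a ';'-separated fallback list, e.g. "PROXY a:1; DIRECT".
    for (const part of lit.slice(1, -1).split(";")) {
      const m = part.trim().match(DIRECTIVE);
      if (!m) continue; // "DIRECT" and unrelated strings carry no host
      findings.push({
        type: m[1].toUpperCase(),
        host: m[2],
        port: m[3] || null,
        ipv4Literal: IPV4.test(m[2]),
      });
    }
  }
  return findings;
}

// Directives an IPv6-only DirectAccess tunnel cannot reach: IPv4 literals bypass
// the DNS lookup that would hand the client an IPv6 address.
function ipv4ProxyTargets(pacText) {
  return auditPac(pacText)
    .filter((f) => f.ipv4Literal)
    .map((f) => (f.port ? `${f.host}:${f.port}` : f.host));
}

console.log("production:", ipv4ProxyTargets(productionPac));
console.log("test:", ipv4ProxyTargets(testPac));
```

The check is textual, so a proxy string assembled at run time from variables inside the PAC function will not be seen.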

All replies

  • Hello,

    Yes, that makes perfect sense. 

    I'll be doing some more testing soon, but for now I think this topic can be closed.

    Kind regards,

    Wojciech

    Saturday, November 10, 2018 4:30 PM