As noted in several sections above, several WPAD settings in DNS, DHCP and in the file name of your wpad.dat file must be lower case on some/most systems. Check these areas carefully; silly as it may seem, a case mismatch will stop WPAD from working.
A lack of error checking in Internet Explorer and Firefox:
Internet Explorer may run a proxy.pac or wpad.dat file, but it won’t tell you if it ran across an error; it’ll just give up and go straight to the Internet. Test your scripts using the alerts as mentioned in http://jcurnow.home.comcast.net/~jcurnow/WritingEffectivePACFiles.html
Various Microsoft errors and bugs
See http://technet.microsoft.com/en-us/library/cc302643.aspx
Firewalls
Your desktops and laptops must be able to get to your proxy server where the McAfee WDS Connector is running.
They will attempt to access it using port 3128. Because of this, the firewall configuration on these computers must allow port 3128 out to the proxy server.
The router and switches at your company between the clients and the proxy server must allow the desktops and laptops to talk to the proxy server on port 3128.
Your proxy server where the McAfee WDS Connector is installed must allow inbound port 3128 connections.
Your proxy server where the WDS Connector is installed must allow A LOT of port 3128 connections. Any firewall or Windows configuration that limits connections can reduce the number of machines that can proxy at once, resulting in a situation where some machines are proxied and others are not.
Web Protection Setup Guide Common Configuration Issues
Finally the proxy server must be able to talk to McAfee on port 3128 (squid) to be able to filter requests. If a server firewall or border (Router) firewall is blocking this port the proxy will not be able to function.
WDS Connector Service issues:
Verify the WDS Connector service is running on the proxy server. In a WPAD environment, users will likely go directly to the Internet if this service is stopped or unavailable. In a hard-coded proxy config, or a PAC environment with no “DIRECT”, the Web Protection service being off will cause a page not found error.
NOTE: If using other authentication methods, ensure port 8080 is open for outbound connections.
Domain Controller and user issues
Your proxy server where the WDS Connector was installed must be able to communicate with the domain controller specified during the install. If this domain controller has been firewalled off, removed, uninstalled or is otherwise not available, users will get an authentication error. The WDS Connector cannot fail over to another domain controller at this time. If you need to reset or work on the domain controller that the WDS Connector is pointing to, we recommend stopping the connector service first if you are in a PAC or WPAD environment. If you are hard-coded to this proxy server, turning off the WDS Connector or working on the DC may cause an Internet outage.
WDS Connector Domain user issues
The proxy server where the WDS Connector was installed must be able to communicate with the domain controller specified during the install using the user account specified during the setup process. If this user account was deleted, has expired or is locked out, users will get an authentication error.
User Not Setup on McAfee’s Console
If a user is not created on the McAfee Console and attempts to proxy through the WDS Connector they will get an Authentication error. All users should be setup in advance of installing the WDS Connector. Please consider using McAfee’s Directory Sync to automatically update your users between your Active Directory and the McAfee Console.
User Bad Password, account locked out, Account expired in Active Directory
The WDS Connector looks to your Active Directory for its user information. However, if a user logged into a computer locally, they will receive a login prompt before logging into the network. Also, if that user's AD account is expired, locked out or has been deleted, the user will be asked to log in before getting a web page, and may receive an
Non Domain Login
If a user logs in locally to a laptop or desktop, they will receive a login prompt before they are allowed to access a website, just like they would had they attempted to access a server resource.
Program issues
Some programs cannot authenticate using NTLM or do not like to be proxied and may cause the user to see a login box instead of an error message. We typically see this on non-business related Java Apps. Sometimes clicking several times will allow it to get past this. Other times an administrator may need to unselect auto-config on the proxy.
Windows Updates
While we recommend using WSUS to provide updates to your desktop and laptop computers, if you are attempting to go to update.microsoft.com you may find that the detection phase hangs and eventually returns an error message if you are going through the proxy. This is a known issue with the Microsoft Windows Update site and proxy servers, including their own IAS server. The quick way around this is to turn off “automatically detect” before going to Windows Update. Another option is to exclude the Windows Update servers in your WPAD.DAT or Proxy.pac file. You can do this by using the shExpMatch(url, "website") command in your script to have it not proxy the following sites:
• http://download.windowsupdate.com
• https://*.windowsupdate.microsoft.com
• http://*.windowsupdate.microsoft.com
• http://*.update.microsoft.com
• http://*.download.windowsupdate.com
• http://update.microsoft.com
• http://*.windowsupdate.com
• http://download.microsoft.com
• http://windowsupdate.microsoft.com
• http://ntservicepack.microsoft.com
• http://wustat.windows.com
• https://*.update.microsoft.com
• https://update.microsoft.com
The website that discusses this issue and provides a work around is http://support.microsoft.com/kb/885819
Web server not configured correctly
Test your ability to open http://webserver/wpad.dat using your Internet browser. If your web browser asks you how you would like to open wpad.dat (for example, with Notepad), then you have completed this step correctly.
PAC/WPAD File Errors
The PAC file contains a JavaScript function. Syntax errors in the JavaScript will prevent the PAC file from executing and will not set the proxy appropriately. The default behavior for most browsers is to set no proxy, so traffic will go direct to the Internet with no filtering. To test for syntax errors, use a JavaScript validation tool. A simple one can be found at http://javascriptlint.com/online_lint.php - simply copy and paste the contents of the PAC file into the text area and run the test. Warnings can generally be ignored, but any syntax or other errors must be addressed in order for the PAC file to function properly.