Suraj Singh's information Security Blog

For people who work on information security.

July, 2011

  • WPAD is working or not

    Issue: The autodetect option in the browser's proxy settings does not work; when it is configured, users cannot access the internet through the TMG server.

    As per http://technet.microsoft.com/en-us/library/cc713344.aspx

    ISA Server uses the Web Proxy Automatic Discovery (WPAD) protocol, which allows automatic discovery of Web Proxy servers. ISA Server uses WPAD to provide a mechanism for clients to locate a WPAD entry containing a URL that points to a server on which the Wpad.dat and Wspad.dat files are generated. The Wpad.dat file is a Java script file containing a default URL template, constructed by Internet Explorer. The Wpad.dat file is used by Web Proxy clients for automatic discovery information. The ISA Server WinSock Proxy Autodetect (WSPAD) implementation uses the Wpad.dat file, and creates a Wspad.dat file to provide automatic discovery information to Firewall clients. For more information about the WPAD protocol, see the Web Proxy Auto-Discovery Protocol document.

     

    The above article also explains how the WPAD option is configured in DHCP as well as in DNS, and how the browser uses WPAD to get wpad.dat, which contains the script that tells the browser which server is the proxy, how to route web requests through the proxy server, and when to bypass the proxy server.

    This post covers the case where you know that you have configured your DHCP server with option 252, yet whenever you use autodetect as the proxy setting in your browser it is not able to access the internet (in case the client machine is not a SecureNAT client).

    To find out whether the WPAD option is configured properly and the client machine is able to get option 252 from the DHCP server, we can use the FWC tool that comes with the TMG/ISA Firewall Client; it is located at "C:\Program Files (x86)\Forefront TMG Client".

    Above is the sample when we are able to find WPAD and WSPAD. Let's also look at the scenario where the browser is not able to detect WPAD, and use FWCtool to find out what is going on.

    If we take a Network Monitor trace while doing this test, we will see the following DHCP Inform packet with a request for WPAD

     

    and the reply from the DHCP server does not have option 252 for WPAD.

    Resolution

    In this particular scenario we had to reconfigure DHCP option 252, and after that the issue was resolved.
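The trace check described above (a DHCP Inform that asks for WPAD, and a reply that lacks option 252) can also be run directly on DHCP payloads exported from a capture. The following Python code is an added example, not part of the original post or of any Microsoft tool; the `build` helper, the sample messages and the `wpad.example.test` URL are constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_WPAD = 53, 55, 252
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 8: "INFORM"}

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_bytes} from a DHCP message (the UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    options, i = {}, 240  # options start after the 236-byte header + cookie
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError(f"option {code} truncated")
        length = payload[i + 1]
        # A repeated option code is concatenated (long values may be split).
        options[code] = options.get(code, b"") + payload[i + 2 : i + 2 + length]
        i += 2 + length
    return options

def wpad_status(payload: bytes) -> str:
    """Summarise what a DHCP message says about option 252 (WPAD)."""
    opts = parse_dhcp_options(payload)
    kind = MSG_TYPES.get((opts.get(OPT_MSG_TYPE) or b"\x00")[0], "UNKNOWN")
    if kind == "INFORM":  # client side: is 252 in the parameter request list?
        asked = OPT_WPAD in opts.get(OPT_PARAM_REQ, b"")
        return f"INFORM: client {'requests' if asked else 'does not request'} option 252"
    if OPT_WPAD not in opts:
        return f"{kind}: option 252 missing"
    url = opts[OPT_WPAD].rstrip(b"\x00").decode("ascii", "replace")
    return f"{kind}: option 252 = {url}"

def build(msg_type: int, *opts: tuple) -> bytes:
    """Constructed sample message: zeroed BOOTP header plus the given options."""
    fields = [(OPT_MSG_TYPE, bytes([msg_type])), *opts]
    body = b"".join(bytes([c, len(d)]) + d for c, d in fields)
    return bytes(236) + MAGIC_COOKIE + body + bytes([OPT_END])

if __name__ == "__main__":
    url = b"http://wpad.example.test/wpad.dat"  # constructed placeholder URL
    print(wpad_status(build(8, (OPT_PARAM_REQ, bytes([1, 3, 6, 252])))))
    print(wpad_status(build(5, (1, bytes([255, 255, 255, 0])))))  # failing case
    print(wpad_status(build(5, (OPT_WPAD, url))))                 # healthy case
```

The parser reads only the options field after the magic cookie; options carried in the `sname`/`file` fields via option overload are not examined.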

  • Windows Update fails with error 80072f8f on TMG server

    Issue: Windows Update fails with error 80072f8f on the TMG server.

    Scenario: The admin was trying to run Windows Update on the TMG server and it was failing with error 80072f8f.

    Troubleshooting Approach and Resolution

    1. We know Windows Update uses HTTP, so we first checked the browser's proxy settings: whether a proxy is configured and, if so, whether the server is using itself as the proxy or some other device/machine. We found that the browser was configured with proxy settings and the proxy was a third-party server.

    2. We tested internet access, i.e. tried to access bing.com without a proxy in the browser; we had a test access rule on the TMG server to allow HTTP between localhost and external. Our test gave us "page could not be displayed". We then tested with the TMG server as the proxy server, and that failed as well. We then tested with the proxy server that the customer was using, and the page loaded properly.

    3. That explained that the TMG server could not access the internet directly and that we had to configure web chaining, making the third-party proxy server the upstream proxy server. After configuring web chaining we tested by running Windows Update, and it worked.

    Reference about how to configure webchaining : http://technet.microsoft.com/en-us/library/cc984471.aspx

  • Site-to-site IPsec tunnel between TMG 2010 on VMware and Cisco

    My new blog post on the TechNet wiki, http://social.technet.microsoft.com/wiki/contents/articles/site-to-site-ipsec-tunnel-between-tmg-2010-and-cisco.aspx, is about a site-to-site IPsec tunnel between TMG 2010 installed on a VMware machine and Cisco.