Solution for Automatic Updates with proxy and Windows 2000
Posted by Franklin on November 21st, 2003


Greetings,

This post applies only to users whose sites are large
enough to have a proxy server, but small enough not to
want to use Software Update Services for Automatic
Updates. Also, if your proxy requires authentication, SUS
or temporarily bypassing the proxy are the only solutions.

For those with XP pro workstations, you need only manually
configure the Local System context to use your proxy. See
the thread begun by Geus November 13, 2003 1:52AM or
at "http://groups.google.com/groups?q=auto+update+proxy&start=20&hl=en&lr=lang_en&ie=UTF-8&oe=UTF-8&selm=0ed901c3aa03%243d8adb80%24a401280a%40phx.gbl&rnum=22".

Manual proxy configuration of the System context does not
work with Windows 2000. After configuration as described
in the link above, if you force an update and use netstat
you will see that Automatic Updates ignores the settings
and attempts a direct connection to Microsoft. Nothing is
logged as a System Event or in "Windows Update.log". If
you set the Automatic Updates Service to log on as an
administrator instead of as Local System, it will use your
proxy to determine what updates are needed, but it fails
to download and again logs no error. Apparently even the
Microsoft professionals who monitor this and similar
newsgroups are not aware of this difference in the
implementation of Automatic Updates for the two operating
systems.

With Windows 2000 you must "Automatically detect settings"
for your proxy in the Local System context for Automatic
Updates to work. Because this is the default behavior,
you should not have to configure it. This selection
invokes Web Proxy Auto Discovery. Systems Administrators
for large enterprises use WPAD as a matter of course with
DNS or DHCP to avoid manually configuring many
workstations. Of course, they will also be using SUS for
automatic updates, and, of course, they don't need help
from someone like me who had never heard of WPAD.

If you rely on your ISP for DNS and don't use DHCP, it is
still possible to use WPAD with only a web server. You
need to write a small JavaScript to configure your proxy
settings. See examples
at "http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html".
The simplest case, to use your proxy for the
Internet but exempt your LAN, is something like:

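function FindProxyForURL(url, host)
{
    // Bare host names and hosts in the LAN domain bypass the proxy
    if (isPlainHostName(host) || dnsDomainIs(host, ".franklin.lib.oh.us"))
        return "DIRECT";
    else
        // Everything else goes to the proxy, then direct if it is unreachable
        return "PROXY proxy.yourdomain.com:8080; DIRECT";
}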

If you don't have DNS for your proxy, you can use the IP
address. Name the script "wpad.dat" and place in the web
root of your server. The same file named "proxy.pac" with
the "Use automatic configuration script" setting in IE
won't work. Has to be "wpad.dat" for Automatic Updates,
although you should be able to make that a redirect
to "proxy.pac" if you already have one. You may need to
add an entry to MIME types, something like ".dat
application/x-ns-proxy-autoconfig", though apparently this
is not vital to IIS and IE. If you are using URL Scan to
secure IIS, you must comment out the line in urlscan.ini
that by default prevents your server from
delivering ".dat" files and restart the World Wide Web
Service.

If your 2000 workstation does not get the location of
wpad.dat from DNS or DHCP, the auto discovery process
generates it by adding "wpad" to the domain name on your
2000 workstation, beginning with the lowest level and
subtracting subdomains up to the third level. If your
network is peer-to-peer, you will have to configure a DNS
suffix in "System Properties\Network
Identification\Properties\More\Primary DNS suffix of this
computer" or a connection-specific suffix for your NIC
in "Local Area Connection\Properties\Internet Protocol
(TCP/IP)\Properties\Advanced\DNS\DNS suffix for this
connection". If you have a web server with a DNS entry,
you have a domain name: just subtract the first part,
say "www.", from the URL. Or you can make one up. The
last step is to add an entry to "%SystemRoot%\System32
\Drivers\etc\hosts" for your web server's IP address
giving the host name as "wpad." followed by your DNS
suffix. That is what the auto discovery process will look
for. Any other method of establishing this DNS
correspondence would work as well. Once it works for
Automatic Updates, WPAD is nice to have anyway.

The effort to configure all of this was nothing compared
to that required to figure out that it was necessary. A
few lines of documentation from Microsoft for Automatic
Updates with Windows 2000 or with Service Pack 3 would
have saved me several hours of research and trial-and-
error.

Franklin

Posted by Franklin on November 21st, 2003


Oops

Yes, that is my domain name in the script for the "DIRECT" exception. You will want to use your own. The text also wrapped oddly. See the web site examples.

Franklin
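
A dry-run of the wpad.dat setup described in the thread, as an added example that is not part of the original posts: it evaluates the posted script against constructed host names under Node.js and lists the wpad.dat URLs a client would try. The helper shims, `routes`, `dryRun`, `wpadCandidates` and the sample hosts are assumptions of this example, as is its reading of "up to the third level".

```javascript
// Added example (Node.js): dry-run a wpad.dat before publishing it.
// Shims for the two PAC helpers; the client supplies its own at run time.
function isPlainHostName(host) {
  return !host.includes(".");               // no dots: a bare LAN name
}
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

// The script from the post, same behaviour.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".franklin.lib.oh.us"))
    return "DIRECT";
  else
    return "PROXY proxy.yourdomain.com:8080; DIRECT";
}

// Split a PAC result into the ordered routes the client will try.
function routes(pacResult) {
  return pacResult.split(";").map((s) => s.trim()).filter(Boolean);
}

// Route report for a list of host names.
function dryRun(hosts) {
  const report = {};
  for (const h of hosts) {
    report[h] = routes(FindProxyForURL("http://" + h + "/", h));
  }
  return report;
}

// URLs tried for wpad.dat when DNS/DHCP supply no location, per the post:
// prefix "wpad", then drop leading labels. Assumption: "up to the third
// level" means each candidate keeps at least three labels in total.
function wpadCandidates(dnsSuffix) {
  const labels = dnsSuffix.toLowerCase().split(".").filter(Boolean);
  const urls = [];
  for (let i = 0; labels.length - i >= 2; i++) {
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  return urls;
}

// Constructed sample hosts, including two LAN cases that miss the exemption.
const SAMPLE_HOSTS = ["fileserver", "www.franklin.lib.oh.us",
  "franklin.lib.oh.us", "192.168.1.10", "update.example.com"];
console.log(dryRun(SAMPLE_HOSTS));
console.log(wpadCandidates("franklin.lib.oh.us"));
```

The bare domain and the IP literal are both sent to the proxy because neither matches the two exemption tests. Every name in the candidate list should resolve to a web server you run, or not resolve at all, since whichever one answers supplies the proxy settings.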

