TMG Internal Network Definition

We have recently implemented a new TMG 2010 server which sits on the edge of our network. We have offices in several countries, all of which are on separate sub-domains within an Active Directory forest. All offices are on different subnets of 10.0.0.0 (e.g. 10.1.0.0 for the UK, 10.2.0.0 for the US, etc.). The whole of the 10.0.0.0 network is defined as an address range on the Internal network. Auto-discovery is enabled and we have a WPAD entry in DNS for our sub-domain. The problem is that firewall clients and web browsers in overseas offices are detecting this new TMG server, not their local one. In most cases all that needs to be done is to add a WPAD entry to the DNS of the branch sub-domain which points at their local proxy server. However, not all branches use a proxy server.

So the problem we are facing is how do we stop the overseas clients detecting our TMG server? We don't want to disable auto-detect, as all of the UK clients need to use it. We have tried restricting the Internal network range to just UK subnets, but then UK users lose access to services in other offices (as TMG tries to send the traffic externally and times out). I did think about creating a second Internal network in TMG, but this would require a separate IP address for the TMG server so wouldn't work.

There are a couple of other workarounds we have asked the other offices to use (e.g. disabling proxy auto-detect in group policy, implementing a proxy server), but ideally we would like to restrict our TMG server to just giving out proxy settings to UK clients.

Any suggestions would be greatly appreciated!

June 27th, 2013 6:03pm

I have no experience with a large deployment, but did you take a look at the AD marker tool?

http://technet.microsoft.com/en-us/library/ee658145.aspx

Perhaps you can tweak the autodiscovery behaviour per domain with this tool.

regards

richard

June 28th, 2013 10:18am

Hi,

What detection options are enabled on the TMG client? In the TMGC root folder is a wonderful tool called fwctool.exe. It can do a lot of useful stuff. You can run FWCTool testautodetect from CMD and you'll see where the settings come from. Once you figure it out you may fix it. :)



June 28th, 2013 8:32pm

This topic is archived. No further replies will be accepted.
