Multiple Modes of Authentication?

Hello all.

My current MWG configuration sees me using an explicit proxy configuration with WPAD and DHCP option 252 in order to ensure that devices on my network are redirected to the proxy before going out to the Internet. The authentication is done via NTLM. That has been successful to some extent, but it seems that Mozilla Firefox, one of our accepted web browsers, does not honor DHCP option 252, and as such it bypasses the proxy or causes an error. My first question is this: has anyone been able to force Firefox to accept the DHCP option? I'm aware of the DNS option for WPAD, but that forces us to have all devices go to the proxy. That's not favorable at the moment, as we're doing a gradual roll-out. Please correct me if I'm going about this incorrectly.

My alternative to the above issue was the use of McAfee Client Proxy (MCP), which would eliminate the need for the 252 option. Tests have shown that Firefox behaves as it should with the use of MCP; however, for those devices that we can't deploy MCP to, we're left missing the DHCP option and WPAD. Mobile phones and personal computers won't have MCP and its policies installed. Which leads me to wonder if it would be best to have the following:

let MCP be the default mode of authentication (set a user defined property "MCP_Good" whether or not this authentication is successful)

configure NTLM + WPAD + DHCP as a secondary mode of authentication

use the user defined property "MCP_Good" as a criterion for secondary authentication

So if MCP is not sending user credentials and AD groups, then MWG uses secondary authentication to proceed. Would this be a feasible way to proceed? Would it be best practice? I would appreciate any assistance you can offer.
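The post above treats "DNS WPAD" as forcing every client through the proxy. That only holds if the PAC file served at wpad.dat returns the proxy for everyone; the PAC script itself can decide per client which ones are steered to MWG and which still go DIRECT, which is what a staged roll-out needs. The following is an added example of such a PAC file, not code from the original post or from McAfee. The proxy address, internal domain and the migrated subnets are assumptions. A real browser supplies isInNet(), dnsDomainIs(), isPlainHostName() and myIpAddress() itself; minimal stand-ins are included here so the file runs and can be checked offline, and the client address is passed as a parameter for the same reason (a deployed PAC would call myIpAddress() instead).

```javascript
// Added example: a WPAD/PAC file (FindProxyForURL) for a staged proxy roll-out.
// Not from the original post. Hostnames, proxy address and subnets are assumed values.
// In a real deployment the browser supplies isInNet()/dnsDomainIs()/isPlainHostName()/
// myIpAddress(); the stand-ins below exist only so the file runs stand-alone.

const PROXY = "PROXY mwg.example.internal:9090"; // assumed MWG explicit-proxy listener
const DIRECT = "DIRECT";

// Client subnets that have been migrated to the proxy so far (assumed values).
// Add subnets here as the roll-out progresses; everyone else keeps going DIRECT.
const ROLLOUT_SUBNETS = [
  ["10.10.0.0", "255.255.0.0"],
  ["10.20.5.0", "255.255.255.0"],
];

// --- stand-ins for browser-provided PAC helpers --------------------------
function ipToInt(ip) {
  // Only dotted-quad literals are handled; a real isInNet() would resolve names.
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    return null;
  }
  const [a, b, c, d] = parts.map(Number);
  return ((a << 24) >>> 0) + (b << 16) + (c << 8) + d;
}
function isInNet(ip, net, mask) {
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}
function dnsDomainIs(host, domain) {
  return host === domain.replace(/^\./, "") || host.endsWith(domain);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// --- the PAC entry point --------------------------------------------------
// clientIp is a parameter here for testability; a deployed PAC calls myIpAddress().
function FindProxyForURL(url, host, clientIp) {
  host = host.toLowerCase();

  // Internal names and private destinations never leave the network via the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) return DIRECT;
  if (isInNet(host, "127.0.0.0", "255.0.0.0") || isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return DIRECT;
  }

  // Only clients in migrated subnets are steered to MWG.
  // Deliberately no "; DIRECT" fallback: appending one would let the browser
  // bypass the proxy (and its NTLM authentication) whenever MWG is unreachable.
  for (const [net, mask] of ROLLOUT_SUBNETS) {
    if (isInNet(clientIp, net, mask)) return PROXY;
  }

  // Not yet migrated: go out directly until this subnet is added above.
  return DIRECT;
}
```

Serve this as http://wpad.<your-domain>/wpad.dat with the Content-Type the browser expects (application/x-ns-proxy-autoconfig) and Firefox will pick it up through DNS-based WPAD without needing DHCP option 252. Two caveats for the roll-out: a client that cannot fetch the PAC at all will fall back to a direct connection, so the wpad host and the web server serving it need to be monitored like any other control; and because any host that can answer for the "wpad" name can push a PAC to every browser on the network, the wpad record should be explicitly registered in DNS rather than left for dynamic registration.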

