ProxySG & Advanced Secure Gateway


 Explicit proxy deployment issue with PAC file

Abdul Razzaque posted Feb 28, 2021 11:48 AM
Hi,

I have a question regarding explicit proxy deployment. We need to deploy the explicit proxy setting in user browsers through a PAC file. The users would not be able to alter the settings as a security measure.

My question is, what would happen if these users use the same laptop at home? I assume they will not get access to the internet. Also, they would not be able to remove proxy settings due to restrictions from group policy. What is the solution in such a case? We do not want users to change proxy settings every time.

I have read various posts regarding the failover sequence as: return "PROXY proxy:8080; DIRECT";

Is it feasible? Some say it doesn't work, or that some applications that do not support PAC files would fail to work.

It's an urgent query and I would appreciate a quick response.
Mike John  Best Answer
Yes, you can configure the PAC file to be "smart", and allow the user to go DIRECT if the proxy cannot be found. 

But instead of using GPO to push PAC settings to the client web browsers, I highly recommend pushing the PAC file out using DHCP WPAD or DNS WPAD. When you use this method your clients will only receive the PAC file instructions when they are on your corporate network (and have access to your DHCP or DNS server). You will not change their browser settings and the browser will retain the "Automatically detect settings" option. This way, when the user goes to their home network, they will not have any interruptions.

Until you figure out how to get DHCP or DNS WPAD working, you can push the PAC file out with your original method. But once you master WPAD, switch the user browser setting back to "Automatically detect settings".
Paul Riddington
Hello Abdul,

Yes, this will work, but keep in mind the "DIRECT" instruction will also be triggered when the users are on the corporate network, if the proxy is not available for some reason. Alternatively, you could build some logic into the PAC file to only use the proxy for specific source subnets, otherwise go direct.

Regards
Paul Riddington
Sakkarin Pichetskul
Hi Abdul Razzaque,

Here is an example PAC file script that checks the IP address of the client.

function FindProxyForURL(url, host) {
	// If the IP address of the local machine is within a defined
	// subnet, send to a specific proxy.
	if (isInNet(myIpAddress(), "10.10.5.0", "255.255.255.0"))
		return "PROXY 1.2.3.4:8080";
	// Any other source address goes direct.
	return "DIRECT";
}
Reference: https://findproxyforurl.com/example-pac-file/

Have a good day!
Sakkarin Pichetskul
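
The two approaches discussed in this thread, compared side by side in an added example that is not code from any of the posters: the "PROXY ...; DIRECT" failover string versus the source-subnet check, with a small model of how a browser walks the PAC result. The subnet and proxy address reuse the placeholder values posted above; the helper names (ipToInt, inSubnet, failoverPolicy, subnetPolicy, effectiveRoute) are hypothetical.

```javascript
// Added example (not from the thread). Subnet and proxy reuse the placeholder
// values posted above; all helper names are hypothetical.
var CORP_NET = "10.10.5.0", CORP_MASK = "255.255.255.0";
var CORP_PROXY = "PROXY 1.2.3.4:8080";

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split("."), n = 0;
  if (parts.length !== 4) return null;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Mask comparison equivalent to isInNet() for literal IPv4 addresses.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Policy A (from the question): same answer everywhere, fails open.
function failoverPolicy() { return CORP_PROXY + "; DIRECT"; }

// Policy B (subnet logic): proxy only on the corporate subnet, no DIRECT
// fallback there; an unparseable address (e.g. IPv6) is treated as off-site.
function subnetPolicy(clientIp) {
  return inSubnet(clientIp, CORP_NET, CORP_MASK) ? CORP_PROXY : "DIRECT";
}

// Model of how a browser walks a PAC result: first usable entry wins.
function effectiveRoute(pacResult, proxyReachable) {
  var entries = pacResult.split(";");
  for (var i = 0; i < entries.length; i++) {
    var e = entries[i].replace(/^\s+|\s+$/g, "");
    if (e === "DIRECT") return "DIRECT";
    if (e.indexOf("PROXY ") === 0 && proxyReachable) return e;
  }
  return "BLOCKED";
}

// PAC entry point; myIpAddress() is provided by the browser's PAC runtime.
function FindProxyForURL(url, host) {
  return subnetPolicy(myIpAddress());
}
```

With the failover string, a corporate client whose proxy is unreachable ends up DIRECT and unfiltered, while the subnet policy blocks instead. The subnet check has its own limits: a home network that happens to use the same range is treated as corporate, and myIpAddress() can return an unexpected interface address on multi-homed or VPN-connected machines.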