Configure the ProxySG to serve multiple PAC files
search cancel

Configure the ProxySG to serve multiple PAC files


Article ID: 166036


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


SGOS provides two Proxy Automatic Configuration (PAC) files natively:

For those wishing to use the "wpad.dat" method of acquiring a PAC file from the ProxySG, add policy that returns a "302 Redirect" to the browser, which a browser will follow and ultimately be served.

See How to create a custom exception page using the ProxySG command line interface for a good overview of how to create exception pages using the CLI method. Simply replace the HTML text with a raw, unaltered PAC file.


While exception pages are normally used for displaying HTML rendered within a browser, they can also be used to simply serve data -- in this case, the PAC file contents.

Call it "pacA"


So far the custom exception pages have only been defined (which happen to contain PAC files "A" and "B"). The following steps will utilize them via policy. 

  • Since browsers expect a PAC file to have a specific MIME type, this must be set in the <Exception> layer, which is not editable in Visual Policy Manager (VPM); therefore, the following Content Policy Language (CPL) must be added to the Local (or Central or Forward) Policy File:

<Exception>"user-defined.pacA" action.setpacheader(yes)"user-defined.pacB" action.setpacheader(yes)

define action setpacheader
  set( exception.response.header.Content-Type, "application/x-ns-proxy-autoconfig" )


  • Next, add policy rules that trigger the "Force Exception" action:

[The following CPL can be added directly to the Local/Central/Forwarding Policy File or added via VPM; choose one method or the other, not both]

CPL Method:

;; Tab: [Web Access Layer, Return different PAC file based on source subnet, incoming URL /proxy_pac]
 client.address= url.path.exact="/proxy_pac" force_exception(user-defined.pacA) ; Return PAC file A
 client.address= url.path.exact="/proxy_pac" force_exception(user-defined.pacB) ; Return PAC file B


VPM Method:

  • Create "Return Exception" objects, one for PAC file "A", and one for PAC file "B":

PACa object:

The "Return Exception" objects created will be used in the "Action" column of the rules.


  • Create rules, with different "Subnet" objects in the "Source" column.


  • Create a "Layer Guard" so these rules are only evaluated if the incoming URL is "/proxy_pac".   The two images below show the creation of the Layer Guard, and the URL-Path object that will be used in the "Destination" column of the Layer Guard.


Final VPM example:




Client setup:

When choosing to use browser "auto config," the Network Administrator has several options for configuring the browser to request its PAC file, whether that PAC file is served from the ProxySG or not.

The steps above prepare the ProxySG to serve PAC files; however, the client also needs to know to request the PAC file from the ProxySG.

Using the example rules above, if a request for "/proxy_pac" comes to the ProxySG from a client on the subnet, that client will be served PAC file "A". The ProxySG will serve PAC file "B" for  incoming requests, to the same URL (/proxy_pac)... from clients on the subnet. Remember, in the VPM example above, it's the Layer-Guard that defines the URL "/proxy_pac".

Choose what incoming URL string to be used, and adjust the policy rules accordingly. Do not use "accelerated_pac_base.pac", since that's already defined and available from the ProxySG without any special policy. Of course, it can be used as the "default" PAC file to serve, regardless of incoming client-subnet.

Often, one of the desired goals is to configure the clients as little as possible. Consider using a common, company standard for the incoming URL (in the example above:  /proxy_pac).

Microsoft Windows environments may take advantage of Group Policy to configure browsers.

Internet Explorer (IE) Example:


Browsers that support "Automatically Detect Settings" (as IE calls the feature), can utilize DHCP option 252 to retrieve the URL for which the browser will use to retrieve its PAC file. For this example, configure
"http://<proxyhostname>/proxy_pac" within option 252 on the DHCP server.

IE Example:


For hosts that utilize the DNS hostname lookup "wpad" to find the host that will serve a PAC file (the SG in this example), and then
make a request for "/wpad.dat", adjust the policy rule(s) or layer-guard as shown:

...and configure the DNS hostname "wpad" to resolve the IP address of the ProxySG


This FAQ describes only a few of the many ways to utilize PAC files.

Below find this description as a PDF document (includes user-defined exception definitions).


ProxySG-Multiple-PAC.pdf get_app