Explicit Proxy with PAC and Roaming PAC files

Article ID: 168771

Products

Web Security Service - WSS

Issue/Introduction

Users fall into three categories:

  1.  Users in a corporate office with a LAN or WiFi connection that has a fixed egress IP address.
  2.  Users in remote locations (3G/LTE) that have random egress IP addresses from a cellular ISP.
  3.  Users who are in both of the above locations, sometimes in the corporate office and sometimes on a remote 3G/LTE connection.

The PAC file to use differs for each of the above categories.

Resolution

  1. Users in the corporate office
    • The office is configured as a Location in the ThreatPulse portal; clients know that they are from this location. Users from a location that has its egress IP configured in the portal use https://portal.threatpulse.com/pac as their PAC file, because the traffic must be directed to the Blue Coat datacenters at proxy.threatpulse.net:8080.
  2. Users on remote locations (3G/LTE)
    • These are considered roaming users, who cannot have an egress IP configured in the portal. They use https://portal.threatpulse.com/roaming as their PAC file, because the traffic must be directed to the Blue Coat datacenters at proxy.threatpulse.net:8880.
  3. Users who connect from either location must switch between the PAC and the Roaming PAC as appropriate. Because the proxy port differs between the two locations, there is, unfortunately, no current mechanism to redirect the traffic to 8080 from 8880.

Workaround

A customized PAC file is a workaround.

Sites configured as bypassed in the portal are bypassed for these explicit users and are updated in both PAC files (PAC and ROAMING). A custom PAC that decides which WSS proxy port to direct traffic to (8080 or 8880) based on the location (LAN or 3G) therefore ignores what has been configured as Bypassed Sites in the portal. If a custom PAC is used, your administrator must maintain the PAC after any update occurs.
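A sketch of such a custom PAC follows. It is an added example, not a file supplied by the vendor: the corporate subnet, the bypass suffixes and the helper names are constructed assumptions, and it assumes the local address returned by `myIpAddress()` is enough to tell the office LAN from a cellular connection. Only the two proxy endpoints come from this article.

```javascript
// Constructed values (assumptions): replace with your own environment.
var CORP_NETS = [["10.20.0.0", 16]];      // internal LAN/WiFi ranges of the office
var BYPASS_SUFFIXES = [".corp.example"];  // hand-kept copy of the portal's Bypassed Sites
// Proxy endpoints named in this article.
var LOCATION_PROXY = "PROXY proxy.threatpulse.net:8080";
var ROAMING_PROXY = "PROXY proxy.threatpulse.net:8880";

// Parse a dotted-quad IPv4 address; returns null for anything else.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when the client address lies inside one of the corporate ranges.
function inCorpNet(ip) {
  var addr = ipToInt(ip);
  if (addr === null) return false;  // IPv6 or unparsable: treat as roaming
  for (var i = 0; i < CORP_NETS.length; i++) {
    var size = Math.pow(2, 32 - CORP_NETS[i][1]);
    var base = ipToInt(CORP_NETS[i][0]);
    if (Math.floor(addr / size) === Math.floor(base / size)) return true;
  }
  return false;
}

// Decision logic kept separate from the PAC entry point so it can be tested.
function chooseProxy(host, clientIp) {
  var h = String(host).toLowerCase();
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    var s = BYPASS_SUFFIXES[i];
    // Match the domain itself or a true subdomain, never a look-alike prefix.
    if (h === s.slice(1) || h.slice(-s.length) === s) return "DIRECT";
  }
  // No DIRECT fallback: if the proxy is unreachable, traffic does not bypass WSS.
  return inCorpNet(clientIp) ? LOCATION_PROXY : ROAMING_PROXY;
}

// PAC entry point; myIpAddress() is provided by the browser's PAC runtime.
function FindProxyForURL(url, host) {
  return chooseProxy(host, myIpAddress());
}
```

A home or hotspot network that reuses the same private range as the office would be sent to port 8080, so choose ranges that are specific to the corporate site. The bypass list here is not synchronized with the portal and has to be edited by hand.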