Explicit Proxy with PAC and Roaming PAC files


Article ID: 168771


Updated On:


Web Security Service - WSS


The following users are categorized into three types

  1.  Users in a corporate office with a LAN or WiFi connection that has a fixed egress IP address.
  2.  Users in remote locations (3G/LTE) that have random egress IP addresses from a cellular ISP.
  3.  Users that are in both of the above locations and sometimes are the in corporate office and sometimes on remote 3G/LTE connection.

The use of PAC file of each of the above categories varies.


  1. Users in the corporate office
    • Configured in the ThreatPulse portal as a Location in the ThreatPulse portal; clients know that they are from this location. Users from a location that has egress IP configured in portal use https://portal.threatpulse.com/pac as its PAC file because the traffic requires direction to the Blue Coat datacenters at proxy.threatpulse.net:8080
  2. Users on remote locations (3G/LTE)
    • Considered as roaming users, which cannot have egress IP configured in the portal, use https://portal.threatpulse.com/roaming.Use this PAC file because the traffic requires direction to the Blue Coat datacenters at proxy.threatpulse.net:8880
  3. Users that access from either location must switch to use the appropriate PAC or Roaming PAC differently, yet because of the difference of proxy ports for each of the locations, there is, unfortunately, no current mechanism to redirect the traffic to 8080 from 8880.


Customized PAC is a workaround

Because all sites configured in the portal are bypassed for these explicit users and are updated in both PAC files (PAC and ROAMING), setting a custom PAC to decide which WSS proxy port to direct to (8080 or 8880) based on the location (LAN or 3G) ignores what has configured as Bypassed Sites in the portal. If custom PAC is used, your administrator must maintain the PAC after the update occurs.