search cancel

Unified Agent - Expected behavior when configuring a workstation to leverage a PAC File from a local ProxySG

book

Article ID: 174157

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

How does Unified Agent behave, when Windows is configured to connect to the internet via a PAC File hosted from a local server or ProxySG?

What does the workstation ultimately send to the WSS vs. the local ProxySG, and how to configure UA to accommodate the local ProxySG for specific sites?

Requests that should go direct to the on-premise ProxySG are still being sent to the WSS by Unified Agent.

Cause

When Unified Agent is running on a Windows-based workstation that is explicitly pointed at a server for a PAC File, that ultimately points to an on-premise ProxySG, all requests that egress the workstation are going to be sent to the on-premise ProxySG.  This is inclusive of Unified Agent's CTC check and tunnel establishment.  If the server or proxy hosting the PAC File in the environment is not bypassed in threatpulse, then Unified Agent will perform it's CTC Check and establish it's connections with the WSS through the on-premise ProxySG, as induced by the PAC File.  This results in a needless leg being added, within the footprint of Unified Agent's connection to the WSS.

Furthermore, the on-premise ProxySG would identify only the tunnel from the workstation going to the WSS, as well as the initial CTC Check.  After UA establishes its tunnel to the WSS, everything on the workstation would be funneled into that by default.  Any request attempting to use the local proxy (via PAC File, or direct) after the tunnels are established, will be forced through the WSS by Unified Agent.  This is done on purpose, to prevent users from circumventing the WSS/UA by using a localhost-based or local-network-based proxy.  

Environment

Workstation:  Windows 7+

Unified Agent:  v4.10.3+

Server: HTTP server hosting a PAC File (can also be the ProxySG)

ProxySG:  Explicit configuration

Resolution

The solution to using the local ProxySG for specific requests, and UA for the rest, is simple:

    1.)  Bypass the server hosting the PAC File, by IP Address, in threatpulse "bypassed sites"

    2.)  Bypass the local ProxySG, by IP Address, in threatpulse "bypassed sites"

If the server hosting the PAC File pointing traffic to the on premise ProxySG is also the ProxySG, then just bypassing the proxies IP Address would suffice.  This would require maintaining the on-premise ProxySG PAC File, exclusive from the WSS Configuration, to determine what sites to proxy locally vs using Unified Agent and the WSS.