Configuring a PAC file to control traffic flow: direct traffic to the Proxy and bypass certain services that might not work well with proxied traffic (Microsoft Office 365, Cisco Webex, Zoom, etc.).
SGOS 6.7.x/7.3.x/7.4.x
A PAC file is a standardized JavaScript file with a .pac extension that contains instructions on when and whether the Web browser should use the ProxySG appliance for retrieving requested content. Network administrators like to use PAC files because they are centrally administered and easy to update.
EXAMPLE CONFIG: test.pac
function FindProxyForURL(url, host) {
    // If the hostname matches, send direct. Hostnames or domains are sent
    // directly to the Gateway without being checked by the Proxy.
    if (dnsDomainIs(host, "support.broadcom.com") ||
        shExpMatch(host, "(*.broadcom.com|broadcom.com)"))
        return "DIRECT";

    // If the protocol or URL matches, send direct to Gateway.
    if (url.substring(0, 4)=="ftp:" ||
        shExpMatch(url, "http://broadcom.com/folder/*"))
        return "DIRECT";

    // If the requested website is hosted within the internal
    // network subnets, send direct to Gateway.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

    // If the IP address of the local machine is within a defined
    // subnet, send to a specific proxy.
    if (isInNet(myIpAddress(), "192.168.1.20", "255.255.255.0"))
        return "PROXY 1.2.3.4:8080";

    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "PROXY 4.5.6.7:8080; PROXY 7.8.9.10:8080";
}
You can modify the last part of the PAC file so that, even if the Proxies are down for specific traffic, users are still connected, as an exception, through the PAC file stored on an external HTTP server.
// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
return "PROXY 4.5.6.7:8080; PROXY 7.8.9.10:8080; DIRECT";
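Before rolling out a PAC file, it helps to check offline which destinations bypass the Proxy and whether the default rule ends in DIRECT, in which case traffic goes out without the Proxy when every listed Proxy is unreachable. The harness below is an added example, not part of the original article or a Broadcom tool; the function names (loadPac, auditPac), the sample hostnames and the DNS table are assumptions, and the PAC helper stubs are simplified and IPv4 only.

```javascript
// Added example: offline audit harness for a PAC file (run with Node.js).
// The PAC helpers below are simplified IPv4-only stubs, not a browser's implementation.
const toInt = ip => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);

function loadPac(source, dnsTable, clientIp) {
  const env = {
    isPlainHostName: h => !h.includes("."),
    dnsDomainIs: (h, d) => h.endsWith(d),
    // Glob to regex: only '.', '*' and '?' are translated.
    shExpMatch: (s, p) => new RegExp("^" + p.replace(/\./g, "\\.")
      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(s),
    dnsResolve: h => dnsTable[h] || null,           // no real DNS lookups
    myIpAddress: () => clientIp,
    isInNet: (ip, net, mask) => ip !== null &&
      ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0),
  };
  const names = Object.keys(env);
  return new Function(...names, source + "\nreturn FindProxyForURL;")(...names.map(n => env[n]));
}

// Route each URL and flag results that leave the proxy path.
function auditPac(source, urls, dnsTable, clientIp) {
  const find = loadPac(source, dnsTable, clientIp);
  return urls.map(url => {
    const result = find(url, new URL(url).hostname);
    const hops = result.split(";").map(s => s.trim());
    const verdict = hops[0] === "DIRECT" ? "BYPASS"
      : hops.includes("DIRECT") ? "FAIL-OPEN" : "PROXIED";
    return { url, result, verdict };
  });
}

// Constructed sample: condensed from the article's test.pac, with the DIRECT fallback variant.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "support.broadcom.com") ||
      shExpMatch(host, "(*.broadcom.com|broadcom.com)")) return "DIRECT";
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) return "DIRECT";
  if (isInNet(myIpAddress(), "192.168.1.20", "255.255.255.0")) return "PROXY 1.2.3.4:8080";
  return "PROXY 4.5.6.7:8080; PROXY 7.8.9.10:8080; DIRECT";
}`;
const SAMPLE_DNS = { "intranet.example.test": "10.1.2.3", "www.example.com": "93.184.216.34" };
const SAMPLE_URLS = ["https://support.broadcom.com/", "http://intranet.example.test/",
  "http://fileserver/share", "https://www.example.com/"];

console.table(auditPac(SAMPLE_PAC, SAMPLE_URLS, SAMPLE_DNS, "172.20.0.5"));
```

Review every BYPASS and FAIL-OPEN row against the intended policy; real clients may resolve DNS and report myIpAddress() differently from these stubs.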
#################################
WINDOWS CLIENT IMPLEMENTATION
#################################
On Windows, the support for Proxy Autoconfiguration (PAC) appears seamless due to the integration with the WinHTTP client, which resides in a DLL accessible to all applications through a public API. Many applications on Windows leverage WinHTTP, simplifying the implementation of proxy autoconfiguration.
Windows > Control Panel > Network & Internet > Proxy > Automatic proxy setup
WINDOWS CLIENT CONFIGURATION: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/authentication_co/IWA_configure_st/IWA_Direct_st/IWA_browser_config_ta/explicit_proxy_browser_config_st/set_up_a_PAC_file_ta.html
After PAC implementation on the client, the traffic flow looks as follows: CLIENT REQUEST >> PAC FILE >> DIRECT ROUTE OR PROXY >> GATEWAY >> INTERNET
############################
LINUX CLIENT CONFIGURATION
############################
Most Linux distros have an option to pass traffic to a specified Proxy, but the commands can differ between Linux flavors.
In contrast to the Windows PAC file implementation, on Linux, individual applications often handle their own socket calls and employ their own HTTP protocol implementations. While there are HTTP libraries available, it is less common for applications on Linux to include the JavaScript interpreter required for processing a Proxy Autoconfiguration (PAC) file.
Implementation of the PAC file can differ between Linux distributions and might take additional steps if you'd like to differentiate which resources the Linux client can access directly and which require a connection via the Proxy. Check the documentation for the specific Linux distribution to achieve this.
If the PAC file is not applicable, this can also be achieved by setting static routes to specific websites on the switch between the client and the Proxy, so that the Proxy connection is omitted.
#################################################################################
PLEASE NOTE: Universal PAC file creation, customization and implementation on client machines are up to the customer and are not part of Technical Support activities. If the customer requires help with implementing or customizing a PAC file in their existing environment to control traffic flow going to the Proxies, additional help from Professional Services is needed for implementation purposes - https://www.broadcom.com/support/fibre-channel-networking/services/professional-services
#################################################################################
KB ARTICLES: