pac_guide_v.1

Upload: onubey

Post on 06-Apr-2018

    Copyright 2006 ScanSafe. All Rights Reserved.

    This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from ScanSafe. Every effort has been made to ensure the accuracy of this manual. However, ScanSafe makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. ScanSafe shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this document is subject to change without notice.

    Designing and implementing effective PAC file solutions

    1 What is a PAC file?

    A PAC file, or Proxy Auto-Configuration file, defines how web browsers can automatically select an appropriate proxy for accessing a given URL. The file is based on rules defined using JavaScript, providing a scalable solution which can be powerful enough to meet the demands of almost every situation it may face.

    2 Is it difficult to implement?

    This is entirely dependent on the specification required for the PAC file and the chosen distribution method. PAC files can be extremely simple, a one-line piece of code used to direct all traffic through a proxy, or they can be notoriously powerful, providing allowances for load balancing, multiple proxies, failovers etc.

    The market-leading browsers (Opera, Firefox and Internet Explorer) all allow several levels of automation regarding the implementation of proxies:

    - Manual proxy selection: simply specifying a hostname/IP address and a port number to be used for all URLs. It is possible to enter exceptions that will bypass the proxy.

    - Proxy Auto-Configuration (PAC): specify the location of a PAC file with JavaScript-defined rules that determine the appropriate proxy for each URL accessed.

    - Web Proxy Auto-discovery Protocol (WPAD): a method of implementing the PAC file; this allows the browser to predict the location of the PAC file and retrieve the file without user intervention.

    In this guide we shall cover the first two methods in-depth.

    3 Which method should I use?

    In this section we shall evaluate each method and their respective advantages and disadvantages.

    3.1 Manual Proxy Selection

    This method allows the use of a single defined proxy in the browser connection settings. It is the simplest method and, perhaps because of this, the more reliable choice.

    Advantages:

    - Simple to configure; all that is required is the location of the proxy and the relevant port.

    - Easy to add exceptions for sites that you might not wish to put through the proxy.

    - In most situations, the more secure method.

    Disadvantages:

    - Only one proxy can be specified, therefore the option of implementing failover proxies is unavailable. Put simply, a lack of flexibility.

    - The proxy setting must be applied to each machine. With Internet Explorer this can be pushed out via Group Policies; however, with browsers such as Opera and Firefox this would have to be amended manually for each browser.

    3.2 Proxy Auto-Configuration

    Likely to be the preferred method. The location of the PAC file must still be set in each browser (manually or by group policy); however, the PAC file allows greater control and flexibility, limited only by the creator's ability to code the file in JavaScript and by the infrastructure available.

    Advantages:

    - Ability to implement failover proxies, load balancing, fault tolerance etc.

    - Scalable, can be as complex as the requirements that need to be met.

    Disadvantages:

    - Potentially a basic understanding of programming may be necessary to create or amend PAC file scripts to meet requirements.

    3.3 Web Proxy Auto-discovery Protocol

    Advantages:

    - It has the same advantages as a lone PAC file configuration.

    - Requires the least amount of user/administrator intervention to set up each user.

    Disadvantages:

    - Requires explicit requirements be met before it can function correctly.

    - The system serving the PAC file must have a high uptime level.

    - It has inherent security issues.

    - Older browsers might not support WPAD (pre-Internet Explorer 5).

    Hopefully this has provided an overall insight into which method may best suit your requirements.

    4 Examples

    Each of the examples below includes three return entries: two proxies and an instruction to go direct. The client browser will attempt the first proxy; if it is unavailable it will try the next entry, the second proxy; if that is also unavailable, the browser will go direct.

    Example 1

    function FindProxyForURL(url, host)
    {
        // Entries are tried in order, left to right
        return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
    }

    Behaviour: Directs all traffic through the example 1 proxy unless that proxy is unreachable, in which case it will attempt the second proxy. If both are unavailable, it will go direct.

    Example 2

    function FindProxyForURL(url, host)
    {
        // HTTPS URLs bypass the proxy
        if (url.substring(0, 6) == "https:")
            return "DIRECT";
        else
            return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
    }

    Behaviour: All https traffic goes direct, bypassing the proxy, while http traffic still goes via the proxy.

    Example 3

    function FindProxyForURL(url, host)
    {
        // Exact hostname match only; subdomains are not covered
        if (host == "mydomain.com")
            return "DIRECT";
        else
            return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
    }

    Behaviour: If traffic is destined for mydomain.com it will go direct, otherwise all traffic will go through the proxy.

    Example 4

    function FindProxyForURL(url, host)
    {
        // Use the proxy only when the client itself is on 192.168.1.0/24
        if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
            return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
        else
            return "DIRECT";
    }

    Behaviour: If the client computer is on the specified internal network, go through the proxy, otherwise go direct.

    Please note that each of these examples includes two proxy entries and a failover value of going direct if the proxies are unavailable. Please amend as necessary if you do not wish users to go direct when the proxies are unavailable.
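
    The failover order described above, and what changes when the trailing DIRECT entry is removed, shown as an added example that is not part of the original guide. `parsePacResult`, `resolveRoute` and the reachability sets are hypothetical names that model how a browser walks the returned list; the proxy hostnames are the guide's own placeholders.

```javascript
// Added example: model how a browser walks the list a PAC file returns.
// resolveRoute() and the "reachable" sets are hypothetical, not browser APIs.

// Fail-open: the form used in the guide's examples (ends in DIRECT).
function findProxyFailOpen(url, host) {
  return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
}

// Fail-closed: same proxies, no DIRECT entry.
function findProxyFailClosed(url, host) {
  return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080";
}

// Split a PAC return string into ordered {type, target} entries.
function parsePacResult(result) {
  return result.split(";")
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0)
    .map((entry) => {
      const [type, target] = entry.split(/\s+/);
      return { type: type.toUpperCase(), target: target || null };
    });
}

// Return the first usable entry, trying them in order as the browser does.
// "BLOCKED" means every proxy failed and the list had no DIRECT fallback.
function resolveRoute(pacFunction, url, reachable) {
  const host = new URL(url).hostname;
  for (const entry of parsePacResult(pacFunction(url, host))) {
    if (entry.type === "DIRECT") return "DIRECT (unfiltered)";
    if (entry.type === "PROXY" && reachable.has(entry.target)) {
      return "via " + entry.target;
    }
  }
  return "BLOCKED";
}

// Constructed scenarios: which proxies answer at the time of the request.
const allUp = new Set(["proxy.example1.com:8080", "proxy.example2.com:8080"]);
const firstDown = new Set(["proxy.example2.com:8080"]);
const bothDown = new Set();

const testUrl = "http://www.example.org/";
for (const [name, up] of [["all up", allUp], ["first down", firstDown], ["both down", bothDown]]) {
  console.log(name.padEnd(10),
    "| fail-open:", resolveRoute(findProxyFailOpen, testUrl, up),
    "| fail-closed:", resolveRoute(findProxyFailClosed, testUrl, up));
}
```

    With both proxies down, the fail-open list sends the request out unfiltered, while the fail-closed list makes the request fail.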

    Unfortunately we cannot cover basic PAC file scripting in this guide; however, the level of scripting in use should be accessible to anyone who has even a basic understanding of programming.

    A complete list of JavaScript functions available for use can be found in a 1996 set of release notes for Netscape: http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

    5 Implementation / Deployment

    5.1 Local Hosted PAC File

    In comparison to deployment via WPAD, this is relatively simple with very few requirements.

    - Hosted on the local file system of the machine, e.g. c:\windows\proxy.pac. However, this would require that the file be copied onto each separate machine.

    We encourage that the PAC file is permission protected to ensure that end-users cannot alter the PAC file.

    The most popular browsers all implement this feature in a very similar way.

    Firefox: Tools > Options > General Tab > Connection Settings > Select Automatic Configuration URL > enter the location of the PAC file; in Firefox it would be: file:///c:/proxy.pac

    Opera: Tools > Preferences > Advanced tab > Select Network on the left-hand bar > Proxy Servers > Ensure that only Use Automatic proxy configuration is checked > Enter the location of the PAC file, e.g. file://c:/proxy.pac

    Internet Explorer: Tools > Internet Options > Connections tab > LAN Settings > Ensure everything under Proxy server is unchecked > Select Use automatic configuration script > Enter the location of the PAC file.

    If the file is hosted on the local system the location of the PAC file would be as such: file://c:/proxy.pac

    5.2 Network Hosted PAC File

    This solution should be used when you would like to host the file on a network share and use a VBScript to copy the PAC file from the share to the local machine. The reason you have to copy the PAC file to the local machines is that it won't work if you host the file on a network share. So we suggest using a VBScript to initiate this process, as they work well with Windows logon scripting.

    - Create a Proxy.pac file. Copy this example into Notepad and amend the relevant details; once complete, save it as a *.pac file. See example below:

    function FindProxyForURL(url, host)
    {
        // Web sites you wish to go to direct and not through ScanSafe
        // This list would include internally hosted websites,
        // intranets etc
        if (shExpMatch(url, "*.somecompany.co.uk*") ||
            shExpMatch(url, "*.example.com*") ||
            shExpMatch(url, "*.anotherexample.com*"))
        {
            return "DIRECT";
        }
        // Internal IP address ranges that you need to be able to go
        // directly to
        else if (isInNet(host, "XXX.XXX.XXX.XXX", "255.255.0.0") ||
                 isInNet(host, "XXX.XXX.XXX.XXX", "255.255.0.0") ||
                 isInNet(host, "XXX.XXX.XXX.XXX", "255.255.0.0"))
        {
            return "DIRECT";
        }
        // Send all other HTTP HTTPS and FTP traffic to ScanSafe
        else
        {
            return "PROXY XX.scansafe.net:8080";
        }
    }

    - Set a share directory on a file server that everyone has access to, and store the Proxy.pac file there.

    - Create a Script.vbs to copy the Proxy.pac file from the share on the server down to the local machine. Use this example: copy the text into Notepad, amend the relevant details and save it as a VBScript file. Create it on the domain controller, as that is where you will need to use it. See example below:

    ' Overwrite any existing local copy so that updates reach the client
    Const OverwriteExisting = True

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objName = CreateObject("wscript.network")

    ' Copy the PAC file from the network share to the local machine
    objFSO.CopyFile "\\server_name\share_name\proxy.pac", "C:\proxy.pac", OverwriteExisting

    Something to remember:

    As Login Scripts run with the same permissions as the logged-in user, they don't always have the permissions to write to the root of C:\, so make sure that the VBScript is copying the PAC file to a location on the local machine where the user has read/write permissions. Bear in mind that a copy stored in a user-writable location can also be changed by that user.

    - Open Active Directory and select the Properties of the OU or the Domain you want to apply the Group Policy to. Select the GP tab and click Edit.

    - Under User Setting expand Windows Settings and select Scripts

    - From the Logon Scripts window, click Add. In the Script Name dialog box, click Browse and paste the VBScript into that window. Click OK.

    - That completes the setup of the VBScript process.

    The next step is to create the Group Policy Object that will enforce the browser configuration using the PAC file. You should add this rule into the same policy that enforces the Login Script.

    - Open the Active Directory Users and Computers Administrative Tools Console.

    - Right click on the Domain Name and click Properties.

    - Click the Group Policy Tab.

    - Select the Policy and click Edit.

    - Expand User Configuration and browse to Internet Explorer Maintenance under the Windows Settings folder.

    - Select Connections and open Automatic Browser Configuration.

    - Uncheck Automatically detect configuration settings.

    - Check Enable Automatic Configuration.

    - Choose a time value of your choice for Automatically configure every X minutes.

    - Under Auto-Proxy URL put in the location of your PAC file. See example below:

    We encourage that the PAC file is permission protected to ensure that end-users cannot alter the PAC file.
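
    The bypass list in the section 5.2 Proxy.pac example matches wildcard patterns against the full URL, so a URL that merely contains the string elsewhere is also sent DIRECT. The following added example (not part of the original guide) contrasts that rule with a hostname-anchored one; `shExpMatch` and `dnsDomainIs` are re-implemented here as minimal stand-ins for the PAC built-ins so the file runs under Node, and the sample URLs are constructed.

```javascript
// Added example: compare the guide's url-based bypass test with a host-based one.
// Minimal stand-ins for the PAC built-ins; in a real PAC file the browser
// provides shExpMatch() and dnsDomainIs().
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

const PROXY = "PROXY XX.scansafe.net:8080"; // placeholder host as written in the guide

// Bypass rule as written in the guide: wildcard match against the whole URL.
function findProxyUrlMatch(url, host) {
  if (shExpMatch(url, "*.example.com*")) return "DIRECT";
  return PROXY;
}

// Tighter variant: test only the hostname, anchored on the domain suffix.
function findProxyHostMatch(url, host) {
  if (host === "example.com" || dnsDomainIs(host, ".example.com")) return "DIRECT";
  return PROXY;
}

// Constructed URLs: the first is the intended internal site, the other two
// only contain ".example.com" in the query string or as a hostname prefix.
const samples = [
  "http://intranet.example.com/home",
  "http://www.example.org/redirect?to=www.example.com",
  "http://www.example.com.example.net/",
];

// Evaluate both rules for one URL.
function compare(url) {
  const host = new URL(url).hostname;
  return {
    url,
    urlRule: findProxyUrlMatch(url, host),
    hostRule: findProxyHostMatch(url, host),
  };
}

for (const row of samples.map(compare)) console.log(row);
```

    Only the first sample should bypass the proxy; the url-based rule sends all three DIRECT, the host-based rule only the first.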