Proxy Auto-Config Files
Revised: July 15, 2010
Overview
Proxy Auto-Configuration (PAC) is a method used by Web browsers to select a proxy for a given URL. The method for choosing a proxy is written as a JavaScript function contained in a PAC file. This file can be hosted locally or on a network. Browsers can be configured to use the file either manually or, in Microsoft Windows environments, automatically using Group Policy Objects. This appendix explains the basics of using PAC files.
How PAC Files Work
A PAC file is referenced each time a new URL is loaded. The host (for example, cnn.com), the URL (for example, cnn.com/images/logo.jpg), and other information such as the local machine's IP address can be evaluated, and rules based on this information determine whether to send the traffic via a proxy or direct to the Internet.
The following example compares the URL requested by the user with the URL ipcheckit.com/data/. If the URLs match, the PAC file instructs the browser to send the request direct to the Internet. This can be used if you need to exempt a section of a Web site from going via Cloud Web Security; if the user had requested only ipcheckit.com, this rule would not apply:

    // url is the full URL including the scheme, and the glob must match all of it
    if (shExpMatch(url, "http://ipcheckit.com/data/*")) return "DIRECT";

In the next example the local IP address of the machine making a Web request is evaluated. If the IP address falls within the IP address range 10.10.1.* then the PAC file will send the request to proxy182.scansafe.net. If this proxy is unavailable it will then fail over to proxy137.scansafe.net. This can be used if you have different office locations using different IP address ranges with a Cloud Web Security proxy or Connector specific to each location:

    if (isInNet(myIpAddress(), "10.10.1.0", "255.255.255.0"))
      return "PROXY proxy182.scansafe.net:8080; PROXY proxy137.scansafe.net:8080";

Although a PAC file can have any name, normally it should be called proxy.pac.
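
Rules like the two in this section can be checked outside a browser before the file is deployed. The following is an added example, not part of the original document: it uses Node.js stand-ins for shExpMatch(), isInNet() and myIpAddress() to compare three forms of the ipcheckit.com/data/ exemption glob. The sample URLs, the client addresses, the host other.test and the final DIRECT fallback are assumptions.

```javascript
// Added example: Node.js stand-ins for the browser-supplied PAC helpers.
function shExpMatch(str, glob) { // the glob must match the whole string
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
const toInt = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
function isInNet(ip, net, mask) { // IPv4 literals only, no DNS lookup
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

const SITE_PROXIES =
  "PROXY proxy182.scansafe.net:8080; PROXY proxy137.scansafe.net:8080";

// Builds a FindProxyForURL from the two rules in this section.
// clientIp replaces myIpAddress(); urlGlob is the exemption pattern under test.
// The final "DIRECT" fallback is an assumption; the page shows no default rule.
function makePac(clientIp, urlGlob) {
  return function FindProxyForURL(url, host) {
    if (shExpMatch(url, urlGlob)) return "DIRECT";
    if (isInNet(clientIp, "10.10.1.0", "255.255.255.0")) return SITE_PROXIES;
    return "DIRECT";
  };
}

// Constructed sample requests; other.test stands for any non-exempt site.
const URLS = [
  "http://ipcheckit.com/data/report.csv",         // the section meant to be exempt
  "http://ipcheckit.com/",                        // same site, outside /data/
  "http://other.test/?next=ipcheckit.com/data/x", // pattern inside a query string
];
const GLOBS = [
  "ipcheckit.com/data/*",        // no scheme: cannot match a full URL
  "*ipcheckit.com/data/*",       // leading wildcard: matches anywhere in the URL
  "http://ipcheckit.com/data/*", // anchored at the scheme
];

// Which sample URLs an on-site client sends DIRECT under the given glob.
function exemptedBy(glob, clientIp = "10.10.1.25") {
  const pac = makePac(clientIp, glob);
  return URLS.filter((u) => pac(u, new URL(u).hostname) === "DIRECT");
}

for (const g of GLOBS) console.log(g.padEnd(30), "->", exemptedBy(g));
```

Only the scheme-anchored glob exempts the /data/ section and nothing else; the other two forms exempt either no request or more requests than intended.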
PAC File Deployment
There are three ways to deploy a PAC file:
• Local PAC: in some cases it may be appropriate to host the file on the local machine. This can be useful if the machine is likely to leave the network and doesn't have Anywhere+ installed. Rules can be specified in the PAC file to allow direct Internet access when off-network.
• Share PAC: the file can be hosted on a Windows share, assuming that the share is accessible to the machine and that the correct permissions have been applied. If the location of the PAC file is password protected then this is likely to prevent the browser from downloading the file.
• Hosted PAC: hosting the file on a Web server is the most popular and widely supported method. The only requirement is that the file be served by the Web server with a specific MIME type (application/x-ns-proxy-autoconfig).
Basic PAC File Examples
Direct all traffic through the first proxy. If it is unreachable, use the second proxy. If both are unavailable go direct:

    function FindProxyForURL(url, host) {
      return "PROXY proxy1.my.com:8080; PROXY proxy2.my.com:8080; DIRECT";
    }

Direct HTTP traffic as in the first example, but send all HTTPS traffic direct:

    function FindProxyForURL(url, host) {
      if (url.substring(0, 6) == "https:")
        return "DIRECT";
      else
        return "PROXY proxy1.my.com:8080; PROXY proxy2.my.com:8080; DIRECT";
    }

Direct all traffic as in the first example, but send traffic for a given domain direct:

    function FindProxyForURL(url, host) {
      if (host == "my.com")
        return "DIRECT";
      else
        return "PROXY proxy1.my.com:8080; PROXY proxy2.my.com:8080; DIRECT";
    }

If the client computer is on the specified internal network, go through the proxy. Otherwise go direct:

    function FindProxyForURL(url, host) {
      // The helper is spelled myIpAddress(); PAC JavaScript is case-sensitive
      if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        return "PROXY proxy1.my.com:8080; PROXY proxy2.my.com:8080; DIRECT";
      else
        return "DIRECT";
    }

Example PAC File

    function FindProxyForURL(url, host) {
      // Web sites you wish to go to direct and not through Cloud Web Security.
      // This list would include internally hosted Web sites, intranets, and so on
      if (shExpMatch(url, "*.somecompany.co.uk*") ||
          shExpMatch(url, "*.example.com*") ||
          shExpMatch(url, "*.anotherexample.com*"))
      { return "DIRECT"; }
      // Internal IP address ranges that you need to be able to go to directly
      else if (isInNet(host, "xxx.xxx.xxx.xxx", "255.255.0.0") ||
               isInNet(host, "xxx.xxx.xxx.xxx", "255.255.0.0") ||
               isInNet(host, "xxx.xxx.xxx.xxx", "255.255.0.0"))
      { return "DIRECT"; }
      // Send all other HTTP, HTTPS, and FTP traffic to Web Services
      else
      { return "PROXY proxy.example1.com:8080"; }
    }

Manually Configure a Browser to Use a PAC File
With Firefox, in the Tools menu click Options. Click the Network tab then click Settings. Click Automatic Proxy Configuration URL. Enter the URL of the PAC file in the box then click OK to save the settings.
With Internet Explorer, in the Tools menu click Internet Options. Click the Connections tab then click LAN settings. Select "Use automatic configuration script". Enter the URL of the PAC file in the box then click OK to save the settings.
With Opera, in the Tools menu click Preferences. Click the Advanced tab then, in the left panel, click Network. Click Proxy Servers and select "use automatic proxy configuration". Enter the URL of the PAC file in the box then click OK to save the settings.
With Safari for Windows, in the Edit menu click Preferences. Click the Advanced tab then click Change settings. Click LAN settings. Select "Use automatic configuration script". Enter the URL of the PAC file in the box then click OK to save the settings.
Windows Network Share Hosted PAC Files
It is possible to host a PAC file on a Windows network share by using a VBScript to copy it to the local machine. This can be integrated with Windows logon scripting.
Step 1 Set a share directory on a file server that everyone has access to.
Step 2 Create the proxy.pac file in the shared directory.
Step 3 Create a script.vbs file to copy the proxy.pac file from the network share to the local machine, for example:
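
    ' Replace any existing local copy of the PAC file
    Const OverwriteExisting = True
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objName = CreateObject("wscript.network")
    ' Copy the PAC file from the network share to the local machine
    objFSO.CopyFile "\\server_name\share_name\proxy.pac", "C:\proxy.pac", OverwriteExisting
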
Note: Logon scripts run with the same permissions as the logged-on user, and may not have write permission for the root of C:\. Ensure the VBScript copies the PAC file to a location where the user has write permission. However, the PAC file should be write-protected to prevent users changing it.
Step 4 Open the Active Directory Users and Computers control panel.
Step 5 View the properties of the OU or Domain for which you want to apply the Group Policy.
Step 6 Edit the Group Policy.
Step 7 In the User Configuration area, expand Windows Settings and click Scripts (Logon/Logoff).
Step 8 Add a Logon Script.
Step 9 Browse to find the script.vbs file you created earlier, then click OK.
Table B-1 Local PAC URL Syntax
Table B-2 Share PAC URL Syntax