Sophos Web Appliance: Creating a proxy.pac File to Provide Location Awareness

  • Article ID: 38787
  • Updated: 04 Mar 2013
  1. Using a basic text editor, such as Notepad, create a file with the following content:

    function FindProxyForURL(url, host) {  // basic function; do not change
    if (isPlainHostName(host) || // 2 lines: tests endpoints' domain
    dnsDomainIs(host, ".example.com")) // for FQDN match to "example.com".
    return "DIRECT"; // If true, sets "DIRECT" connection
    else // If not true...
    return "PROXY YOURPROXY.COM:8080"; // sets connection through Web Appliance.
    }

  2. Change the example.com segment of the script above to match the domain name of your DNS server.
  3. Change the YOURPROXY.COM segment of the script above to match the domain name of your Web Appliance.
  4. Save this file as proxy.pac.
  5. Test the file by choosing the "configuration from a file" option on the "connect to the internet using a web proxy" page, using a web browser currently configured to connect directly to the internet. To access this option:
    • In Internet Explorer, select Tools > Internet Options > Connections > LAN Settings: Use automatic configuration script
    • In Firefox, select Tools > Options > Advanced > Network > Connection Settings: Automatic proxy configuration URL
  6. Also, test whether you correctly fail to a DIRECT connection to the internet. To do this, go to the TCP Advanced Settings page, select the DNS tab, and set the DNS name for this connection to "TEST" (do not set it to register in DNS). Click Apply, and then try to navigate to a known blocked site. You should now be accessing the internet directly and have access to the site.
  7. Deploy the tested proxy.pac file to your users by any one of the following methods:
    1. Distribute the tested proxy.pac file either by emailing it to your users or by posting it on an internal web server.

      Note: If you post the proxy.pac file on an internal web server, the link to it will be displayed as a text file unless unless you set the MIME type in your web server configuration:

      • For Apache 1.x, edit your /etc/apache/httpd.conf file by adding the following line:
        AddType application/x-javascript-config pac
        Then restart the Apache web server.

      • For Apache 2.x, edit your /etc/apache2/mods-available/mime.conf file by adding the following line:
        AddType application/x-javascript-config pac
        Then restart the Apache web server.

      • For IIS:
        1. In IIS Manager, right-click the website or website directory for which you want to add a MIME type, and click Properties.
        2. Click the HTTP Headers tab.
        3. Click Mime Types.
        4. Click New.
        5. In the Extension box, enter the file name extension: pac.
        6. In the MIME type box, enter the MIME type description: application/x-javascript-config.
        7. Click OK and then restart the IIS service.

      This option (a., using a proxy.pac file) requires the most work for the users in your network.

      Note: By default, when a connection is established through a proxy server, the hostname of the site and the proxy server name are cached. On future attempts to access the hostname in the same session, Internet Explorer has cached information about which proxy to use. Therefore, all subsequent connections to the host are tried through the proxy that was used previously. This means that if the proxy server name that is cached is unavailable during the same session, the automatic proxy configuration script is not re-processed, and you receive a "Page Cannot Be Displayed" error message in Internet Explorer.

      You may want to disable the Automatic Proxy Result Cache to provide the proxy redundancy that you require. This will result in client-side processing of every GET request that is issued by Internet Explorer. As a result, Internet Explorer performance may be impacted, depending on the logic of the Automatic Proxy Configuration Script and its size. The procedure for doing this is documented in the Microsoft Knowledgebase article http://support.microsoft.com/kb/271361.

    2. Distribute the configuration as a wpad.dat file, which is documented in the Publishing Proxy Information as a wpad.dat File Knowledgebase article.

      This method lets you maintain more control over the proxy configuration process, but still requires that your users set the "automatic proxy configuration" option in their browsers.

    3. Enforce the proxy configuration by Creating a Group Policy Object (GPO) on your Active Directory server.

      This requires that you have an Active Directory server but allows you to enforce your users' browser configuration to use the Web Appliance.


Support for problems with third-party products that this article discusses may be provided by the manufacturer of that product. Sophos does not support such third-party products. The third-party products that this article discusses are manufactured by companies that are independent of Sophos. Sophos makes no warranty, implied or otherwise, about the performance or reliability of these products.

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments