You can use the basic proxy auto-configuration (PAC) file that ships with the Symantec ProxySG or Advanced Secure Gateway (ASG) appliance. However, if you want to create custom PAC settings for your deployment, you can edit the accelerated PAC file.
NOTE: You may need to select Notepad as the application type to view the default PAC file. The proxy PAC file (the default PAC file) is not configurable; the accelerated PAC file is configurable and is blank. The proxy has port 8081 configured, but generally it is not enabled. In SGOS 5.x, go to Management Console > Configuration tab > Services > Management Services and look for the HTTP Console server. Check whether the service has a check mark in the Enabled column. If not, highlight it, click Edit, and select the "Enabled" check box. Save your changes and click Apply. Then go back to the URL and try again.
For those wishing to use the "wpad.dat" method of acquiring a PAC file from the ProxySG, add policy that returns a "302 Redirect" to the browser; the browser follows the redirect and is ultimately served the PAC file.
See How to create a custom exception page using the ProxySG command line interface for a good overview of how to create exception pages using the CLI method. Simply replace the HTML text with a raw, unaltered PAC file.
When choosing to use browser "auto config," the Network Administrator has several options for configuring the browser to request its PAC file, whether that PAC file is served from the ProxySG or not.
The steps above prepare the ProxySG to serve PAC files; however, the client also needs to know to request the PAC file from the ProxySG. Using the example rules above, if a request for "/proxy_pac" comes to the ProxySG from a client on the 10.10.10.0 subnet, that client is served PAC file "A". For incoming requests to the same URL (/proxy_pac) from clients on the 10.20.20.0 subnet, the ProxySG serves PAC file "B". Remember, in the VPM example above, it is the Layer Guard that defines the URL "/proxy_pac".
Choose which incoming URL string to use, and adjust the policy rules accordingly. Do not use "accelerated_pac_base.pac", since that name is already defined and available from the ProxySG without any special policy. It can, of course, be used as the "default" PAC file to serve regardless of the incoming client subnet.
Browsers that support "Automatically Detect Settings" (as IE calls the feature) can use DHCP option 252 to retrieve the URL from which the browser fetches its PAC file. For this example, configure " _pac" within option 252 on the DHCP server.
IE Example:
For hosts that use the DNS hostname lookup "wpad" to find the host that serves a PAC file (the SG in this example), and then make a request for "/wpad.dat", adjust the policy rule(s) or Layer Guard as shown:
The following scripts provide examples of how a '.pac' file could be used to specify an auto-proxy URL. To use these functions, you must change the proxy names, port numbers, and IP addresses.
Use PAC or WPAD files to manage network requests that are associated with Microsoft 365 but don't have an IP address. Typical network requests that are sent through a proxy or perimeter device increase latency. While SSL Break and Inspect creates the largest latency, other services such as proxy authentication and reputation lookup can cause poor performance and a bad user experience. Additionally, these perimeter network devices need enough capacity to process all of the network connection requests. We recommend bypassing your proxy or inspection devices for direct Microsoft 365 network requests.
PowerShell Gallery Get-PacFile is a PowerShell script that reads the latest network endpoints from the Microsoft 365 IP Address and URL Web service and creates a sample PAC file. You can modify the script so that it integrates with your existing PAC file management.
The PAC file is deployed to web browsers at point 1 in Figure 1. When using a PAC file for direct egress of vital Microsoft 365 network traffic, you also need to allow connectivity to the IP addresses behind these URLs on your network perimeter firewall. This is done by fetching the IP addresses for the same Microsoft 365 endpoint categories as specified in the PAC file and creating firewall ACLs based on those addresses. The firewall is point 3 in Figure 1.
Where PAC files aren't used for direct outbound traffic, you still want to bypass processing on your network perimeter by configuring your proxy server. Some proxy server vendors have enabled automated configuration of this as described in the Microsoft 365 Networking Partner Program.
We understand that you might still require manual processing for network endpoint changes that come through each month. You can use Power Automate to create a flow that notifies you by email and optionally runs an approval process for changes when Microsoft 365 network endpoints have changes. Once review is completed, you can have the flow automatically email the changes to your firewall and proxy server management team.
We only provide IP addresses for the Microsoft 365 servers you should route directly to. This isn't a comprehensive list of all IP addresses you'll see network requests for. You'll see network requests to Microsoft and third-party owned, unpublished, IP addresses. These IP addresses are dynamically generated or managed in a way that prevents timely notice when they change. If your firewall can't allow access based on the FQDNs for these network requests, use a PAC or WPAD file to manage the requests.
Multiple specifications provide a fall-back when a proxy fails to respond. The browser fetches this PAC file before requesting other URLs. The URL of the PAC file is either configured manually or determined automatically by the Web Proxy Auto-Discovery Protocol.
To use it, a PAC file is published to an HTTP server, and client user agents are instructed to use it, either by entering the URL in the proxy connection settings of the browser or through the WPAD protocol. The URL may also reference a local file, for example: file:///etc/proxy.pac.
The myIpAddress function has often been reported to give incorrect or unusable results, e.g. 127.0.0.1, the IP address of the localhost. It may help to remove from the system's hosts file (e.g. /etc/hosts on Linux) any lines referring to the machine's host name, while the line "127.0.0.1 localhost" can, and should, stay.
Another issue with PAC files is that the typical implementation involves cleartext HTTP retrieval, which provides no security features such as code signing or web certificates, so an attacker can easily perform a man-in-the-middle spoofing attack.
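The PAC logic the fragments above describe (sending Microsoft 365 traffic direct, choosing a proxy by client subnet as in the /proxy_pac example, listing a fallback proxy, and guarding against a bad myIpAddress() result), written out as an added example that is not from the original page nor from Symantec, Microsoft or any other vendor. All proxy names (proxy-a.corp.example and friends), the subnets, the .corp.example intranet domain and the three Microsoft 365 host patterns are assumed placeholders; the shims at the top of the file exist only so it can run outside a browser.

```javascript
// Added example, not code from the original page or from any vendor: a PAC file
// that sends sample Microsoft 365 hosts direct, picks a proxy by client subnet,
// and falls back to a default proxy when myIpAddress() returns a loopback or
// unusable address. Every proxy name, subnet and host pattern is a placeholder.

// --- Test shims ------------------------------------------------------------
// Browsers supply isInNet, shExpMatch, dnsDomainIs, isPlainHostName and
// myIpAddress; these constructed shims exist only so the file runs under Node.
// The ternaries keep a browser-provided implementation when one is present.
function ipToInt(ip) {
  // Dotted-quad to integer; returns null for anything that is not valid IPv4.
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
var isInNet = typeof isInNet === "function" ? isInNet : function (ip, pattern, mask) {
  // Shim accepts only a dotted-quad ip; a browser would resolve a hostname first.
  var a = ipToInt(ip), p = ipToInt(pattern), m = ipToInt(mask);
  if (a === null || p === null || m === null) return false;
  return (a & m) === (p & m);
};
var shExpMatch = typeof shExpMatch === "function" ? shExpMatch : function (str, shexp) {
  // Shell-style pattern: '*' matches any run, '?' one character; anchored both ends.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
};
var dnsDomainIs = typeof dnsDomainIs === "function" ? dnsDomainIs : function (host, domain) {
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
};
var isPlainHostName = typeof isPlainHostName === "function" ? isPlainHostName : function (host) {
  return host.indexOf(".") === -1;
};
var simulatedClientIp = "10.10.10.25"; // constructed value the shim returns
var myIpAddress = typeof myIpAddress === "function" ? myIpAddress : function () {
  return simulatedClientIp;
};
// --- End test shims --------------------------------------------------------

var PROXY_A = "PROXY proxy-a.corp.example:8080";      // placeholder, serves 10.10.10.0/24
var PROXY_B = "PROXY proxy-b.corp.example:8080";      // placeholder, serves 10.20.20.0/24
var PROXY_DEFAULT = "PROXY proxy.corp.example:8080";  // placeholder, everyone else

// Sample host patterns only; the maintained list comes from the Microsoft 365
// IP Address and URL Web service (the Get-PacFile script mentioned above).
var DIRECT_PATTERNS = ["outlook.office.com", "outlook.office365.com", "*.sharepoint.com"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet names never leave via the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";

  // Microsoft 365 endpoints egress directly. shExpMatch is anchored, so a host
  // such as "sharepoint.com.example.net" does not match "*.sharepoint.com".
  for (var i = 0; i < DIRECT_PATTERNS.length; i++) {
    if (shExpMatch(host, DIRECT_PATTERNS[i])) return "DIRECT";
  }

  // Subnet-based proxy selection. If myIpAddress() is loopback or not a
  // dotted-quad (the failure mode described above), do not guess: use the default.
  var clientIp = myIpAddress();
  if (ipToInt(clientIp) === null || isInNet(clientIp, "127.0.0.0", "255.0.0.0")) return PROXY_DEFAULT;
  if (isInNet(clientIp, "10.10.10.0", "255.255.255.0")) return PROXY_A + "; " + PROXY_DEFAULT;
  if (isInNet(clientIp, "10.20.20.0", "255.255.255.0")) return PROXY_B + "; " + PROXY_DEFAULT;
  return PROXY_DEFAULT;
}
```

Two design points. No return string ends in DIRECT: a trailing DIRECT fallback means a proxy outage silently sends traffic around the inspection point, the same effect as a do-not-proxy entry for a site. And the file cannot protect its own transport, so serve it over HTTPS (or from a trusted local path) rather than cleartext HTTP, otherwise the proxy list itself can be replaced in transit.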
Tells Microsoft Edge to use the PAC file at the specified URL. For example, --proxy-pac-url=" " tells Microsoft Edge to resolve proxy information for URL requests using the proxy.pac file.
If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.
The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Create authentication profiles.
With the PAC file in place containing do not proxy for bestcasinosites.net, the request was sent direct via the native port 443, not 8080, and therefore was not sent down the tunnel to the forward proxy and blocked. This resulted in access to the site, as well as no log entry in Skope IT.
Simplification is a great use case for explicit proxy: rather than listening on all three ports, listening on one port simplifies the config on both the host and the router/firewall. As in this case, the PAC file often already exists, so there's no need to change the configuration if it is already using 8080.
This script will access updated information to create a PAC file to prioritize Microsoft 365 URLs for better access to the service. This script will allow you to create different types of files depending on how traffic needs to be prioritized.
The PAC file generally deals with required DNS entries for Office 365 services. There is a maintained list of IPs/CIDR ranges that should be applied at the firewall. A complete list can be found at -us/office365/enterprise/urls-and-ip-address-ranges
When I look into the ticketviewer I see that there is a valid kerberos ticket. I am able to use SMB with SSO. As soon as I login I see a proxy authentication prompt on my Mac. When I launch the browsers (Chrome, Safari) I get prompted again for the proxy authentication.
I ran pcap and see that kerberos errors "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN". I verified the reverse PTR records of the proxy servers in the pac file and they all seem to resolve to a valid hostname. Only difference is multiple IPs resolving to the same hostname.
We have Kerberos up and running with Bluecoat in our shop. I can't tell you what version we are on, but I think it is a pretty current release (I will check with our Proxy Admin). In our environment though we are using WCCP to direct the clients on our network to the proxy and not using a PAC file.