
Designing and implementing effective PAC file solutions

Copyright 2006 ScanSafe. All Rights Reserved.


This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from ScanSafe. Every effort has been made to ensure the accuracy of this manual. However, ScanSafe makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. ScanSafe shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this document is subject to change without notice.

What is a PAC file?

A PAC file or Proxy Auto-Configuration file defines how web browsers can automatically select an appropriate proxy for accessing a given URL. The file is based on rules defined using Javascript, providing a scalable solution which can be powerful enough to meet the demands of almost every situation it may face.

Is it difficult to implement?

This is entirely dependent on the specification required for the PAC file and the chosen distribution method. PAC files can be extremely simple, a one-line piece of code used to direct all traffic through a proxy, or they can be remarkably powerful, providing for load balancing, multiple proxies, failovers, etc. The market-leading browsers (Opera, Firefox and Internet Explorer) all allow several levels of automation in the implementation of proxies:

Manual proxy selection: simply specifying a hostname/IP address and a port number to be used for all URLs. It is possible to enter exceptions that will bypass the proxy.

Proxy Auto-Configuration (PAC): specify the location of a PAC file whose Javascript-defined rules determine the appropriate proxy for each URL accessed.

Web Proxy Auto-Discovery Protocol (WPAD): a method of distributing the PAC file; the browser predicts the location of the PAC file and retrieves it without user intervention.

In this guide we shall cover the first two methods in-depth.

Which method should I use?

In this section we shall evaluate each method and their respective advantages and disadvantages.

3.1 Manual Proxy Selection


This method allows the use of a single defined proxy in the browser connection settings; it's the simplest method and, perhaps because of this, the more reliable choice.

Advantages:
Simple to configure: all that is required is the location of the proxy and the relevant port.
Easy to exclude sites that you might not wish to put through the proxy.
In most situations, the more secure method.


Disadvantages:
Only one proxy can be specified, therefore the option of implementing failover proxies is unavailable; put simply, a lack of flexibility.
The proxy setting must be applied to each machine. With Internet Explorer this can be pushed out via Group Policy; however, with browsers such as Opera and Firefox it would have to be amended manually for each browser.

3.2 Proxy Auto-Configuration


Likely to be the preferred method. The location of the PAC file must still be set in each browser (manually or via Group Policy); however, the PAC file allows greater control and flexibility, limited only by the creator's ability to code the file in Javascript and by the infrastructure available.

Advantages:
Ability to implement failover proxies, load balancing, fault tolerance, etc.
Scalable: can be as complex as the requirements that need to be met.

Disadvantages:
A basic understanding of programming may be necessary to create or amend PAC file scripts to meet requirements.

3.3 Web Proxy Auto-discovery Protocol


Advantages:
It has the same advantages as a lone PAC file configuration.
Requires the least amount of user/administrator intervention to set up each user.

Disadvantages:
Requires explicit requirements to be met before it can function correctly.
The system serving the PAC file must have a high level of uptime.
It has inherent security issues.
Older browsers (pre-Internet Explorer 5) might not support WPAD.

Hopefully this has provided an overall insight into which method may best suit your requirements.

Examples

Each of the examples below includes three return entries: two proxies and an instruction to go direct. The client browser will attempt the first proxy; if it is unavailable it will try the next entry, the second proxy; if that is also unavailable it will go direct.


Example 1
    function FindProxyForURL(url, host) {
        return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
    }

Behaviour: simply directs all traffic through the example 1 proxy unless it is unreachable, in which case it will attempt the second proxy; if both are unavailable, it will go direct.

Example 2
    function FindProxyForURL(url, host) {
        if (url.substring(0, 6) == "https:")
            return "DIRECT";
        else
            return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
    }

Behaviour: all https traffic goes direct, bypassing the proxy, while http traffic still goes via the proxy.

Example 3
    function FindProxyForURL(url, host) {
        if (host == "mycompany.com")
            return "DIRECT";
        else
            return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
    }

Behaviour: if traffic is destined for mycompany.com it will go direct; otherwise all traffic will go through the proxy.

Example 4
    function FindProxyForURL(url, host) {
        if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
            return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
        else
            return "DIRECT";
    }

Behaviour: if the client computer is on the specified internal network, go through the proxy; otherwise go direct. Please note that each of these examples includes two proxy entries and a failover value of going direct if the proxies are unavailable. Please amend as necessary if you do not wish users to go direct when the proxies are unavailable.

Unfortunately we can't cover basic PAC file scripting in this guide; however, the level of scripting in use should be accessible to anyone who has even a basic understanding of programming. A complete list of the Javascript functions available for use can be found in a 1996 set of release notes for Netscape: http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

Implementation / Deployment

5.1 Local Hosted PAC File


In comparison to deployment via WPAD, this is relatively simple with very few requirements. The file is hosted on the local file system of the machine, e.g. c:\windows\proxy.pac; however, this requires that the file be copied onto each separate machine.

We encourage that the PAC file is permission protected to ensure that end-users cannot alter the PAC file.

The most popular browsers all implement this feature in a very similar way.

Firefox: Tools > Options > General tab > Connection Settings > select Automatic Configuration URL > enter the location of the PAC file; in Firefox it would be: file:///c:/proxy.pac

Opera: Tools > Preferences > Advanced tab > select Network on the left-hand bar > Proxy Servers > ensure that only "Use automatic proxy configuration" is checked > enter the location of the PAC file, e.g. file://c:/proxy.pac

Internet Explorer: Tools > Internet Options > Connections tab > LAN Settings > ensure everything under "Proxy server" is unchecked > select "Use automatic configuration script" > enter the location of the PAC file.

If the file is hosted on the local system, the location of the PAC file would be as follows: file://c:/proxy.pac

5.2 Network Hosted PAC File


This solution should be used when you would like to host the file on a network share and use a VBScript to copy the PAC file from the share to the local machine. The PAC file has to be copied to the local machines because it won't work if the browser is pointed directly at a file on a network share. We suggest using a VBScript to initiate this process, as VBScripts work well with Windows logon scripting. Create a Proxy.pac file: copy this example into Notepad and amend the relevant details; once complete, save it as a *.pac file. See the example below:

    function FindProxyForURL(url, host) {
        // Web sites you wish to go to direct and not through ScanSafe.
        // This list would include internally hosted websites, intranets etc.
        if (shExpMatch(url, "*.somecompany.co.uk*") ||
            shExpMatch(url, "*.example.com*") ||
            shExpMatch(url, "*.anotherexample.com*")) {
            return "DIRECT";
        }
        // Internal IP address ranges that you need to be able to go directly to.
        // Note: isInNet(host, ...) makes the browser resolve the host name via
        // DNS for every request that reaches this rule.
        else if (isInNet(host, "XXX.XXX.XXX.XXX", "255.255.0.0") ||
                 isInNet(host, "XXX.XXX.XXX.XXX", "255.255.0.0") ||
                 isInNet(host, "XXX.XXX.XXX.XXX", "255.255.0.0")) {
            return "DIRECT";
        }
        // Send all other HTTP, HTTPS and FTP traffic to ScanSafe.
        else {
            return "PROXY XX.scansafe.net:8080";
        }
    }
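Before a PAC file is pushed out by logon script or Group Policy, its rules can be unit-tested offline. The harness below is an added example, not part of the ScanSafe guide: it emulates the shExpMatch, isInNet and dnsDomainIs helpers in Node and tests a host-based rule set that serves both Example 3 above (where an exact host comparison leaves subdomains on the proxy) and the URL-glob rules of the network-hosted file just shown. All host names, address ranges and proxy names are constructed placeholders.

```javascript
// Added example, not part of the ScanSafe guide: a small Node harness that
// emulates the PAC helper functions so a FindProxyForURL can be unit-tested
// offline before deployment. Host names, ranges and proxies are placeholders.

// shExpMatch: shell-style glob (* and ?) matched against the whole string.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// isInNet: true when a dotted-quad address lies inside network/mask. A real
// browser first DNS-resolves a host name (one lookup per URL, which is why
// isInNet(host, ...) rules are slow); this harness only accepts literal IPs.
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const toInt = (s) => s.split(".").reduce((a, o) => a * 256 + Number(o), 0);
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// dnsDomainIs as browsers implement it: a plain suffix test. Pass the domain
// with a leading dot (".mycompany.com") so "notmycompany.com" does not match.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// Rule set under test. It matches on host rather than on the whole URL, and
// covers the apex plus subdomains (Example 3's host == "mycompany.com" alone
// would send www.mycompany.com through the proxy).
function FindProxyForURL(url, host) {
  if (host === "mycompany.com" || dnsDomainIs(host, ".mycompany.com")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
}

// The ordered failover list the browser walks for a given request.
function proxyChain(url, host) {
  return FindProxyForURL(url, host).split(";").map((s) => s.trim()).filter(Boolean);
}

// A URL-based glob like the one in the network-hosted example: because it is
// applied to the whole URL, it also matches a URL on an unrelated host whose
// path merely contains the string. Matching on host (above) avoids this.
function urlGlobSaysDirect(url) {
  return shExpMatch(url, "*.mycompany.com*");
}
```

Run the assertions against every bypass rule you intend to ship; a rule that returns DIRECT for a host you did not list is a hole in the web filtering, not a convenience.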


Set up a share directory on a file server that everyone has access to, and store the Proxy.pac file there. Create a Script.vbs to copy the Proxy.pac file from the share on the server down to the local machine. Use this example: copy the text into Notepad, amend the relevant details and save it as a VBScript file. Create it on the domain controller, as that is where you will need to use it. See the example below:

    ' Copy the PAC file from the network share to the local machine,
    ' replacing any existing copy.
    Const OverwriteExisting = True
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' Not used by the copy itself; left in from the original script.
    Set objName = CreateObject("wscript.network")
    objFSO.CopyFile "\\server_name\share_name\proxy.pac", "C:\proxy.pac", OverwriteExisting

Something to remember: as logon scripts run with the same permissions as the logged-in user, they don't always have permission to write to the root of C:\, so make sure that the VBScript copies the PAC file to a location on the local machine where the user has read/write permissions. Open Active Directory and select the Properties of the OU or the Domain you want to apply the Group Policy to, select the GP tab and click Edit.


Under User Settings, expand Windows Settings and select Scripts.

From the Logon Scripts window, click Add; in the Script Name dialog box, click Browse and paste the VBScript into that window. Click OK.

That completes the setup of the VBScript process.


The next step is to create the Group Policy Object that will enforce the browser configuration using the PAC file. You should add this rule to the same policy that enforces the logon script.

Open the Active Directory Users and Computers administrative tools console.
Right-click on the Domain Name and click Properties.
Click the Group Policy tab.
Select the Policy and click Edit.
Expand User Configuration and browse to Internet Explorer Maintenance under the Windows Settings folder.
Select Connections and open Automatic Browser Configuration.
Uncheck "Automatically detect configuration settings".
Check "Enable Automatic Configuration".
Choose a time value of your choice for "Automatically configure every X minutes".
Under Auto-Proxy URL, put in the location of your PAC file. See the example below:

We encourage that the PAC file is permission protected to ensure that end-users cannot alter the PAC file.

