Proxy PAC Files, How to Use With Laptops and Local Bypass

March 30, 2009

 

First, I *HATE* proxy .pac files. With that said, here are some tips on setting up your file.

Here's the challenge. You have a web filter/proxy on your network and you need everyone to go through it. You also need to allow unfettered access to local resources, which can sometimes cause fits with your proxy. Some examples of such fits: not being able to route back to certain local resources, problems with special applications that install a local HTTP server (Google Desktop comes to mind here), access to local web servers with certain programs (Microsoft FrontPage), or local web servers that run code the proxy doesn't like (we have a site that does a lot of Perl, designed for internal use only, that the proxy just has issues with).

If your client machines are local desktops or Terminal Server sessions that never leave the network, setting up bypasses for all of this with Group Policy is easy. Just put the IP address or subnet in the Exceptions part of the Proxy Settings configuration window. But what if your clients have laptops that leave the network? Forcing them to use the VPN for web traffic is one way to handle this; it forces all Internet usage on the company machine to be accounted for in the web filter and is easy to configure in their GPO. But what if management doesn't like this option, and the clients have to be filtered while in the office but can hit whatever they want when they leave? The answer to this problem is to set up a proxy .PAC file.

The PAC file allows you to configure a user's proxy in many different ways. It's a text file that the browser loads for its proxy configuration; it contains a JavaScript function, FindProxyForURL(url, host), which the browser calls for each request and which returns a string telling the browser which proxies to try, in order, or DIRECT for no proxy at all. In this post I'm only going to focus on my own two requirements: determining if the user is on the office network, and bypassing local resources.

There are quite a few examples of PAC files on the Internet, and I'll provide links to these sites at the bottom of this post. They're all worth a look; considering the custom nature and the many configuration options of PAC files, it's a good idea to see what everyone else is doing and develop your own configuration from there.

First, let's find a way to figure out whether you're on the local network or not. Some examples I've seen try to determine whether the machine is on the local subnet, then base the configuration on that. If you're like me and have a lot of different subnets (either internal VLANs or different sites), that may not work. So what I do instead is let the browser find out whether it can reach the proxy: the PAC file returns the proxy first and DIRECT as the fallback. If the proxy answers, it's used. If not, the browser goes "DIRECT" to the Internet. For me, it's a simple one-liner:

function FindProxyForURL(url,host) { return "PROXY 192.168.10.100:3128; DIRECT"; }

This makes the web browser try the proxy at the address given (192.168.10.100:3128 in the example). If it connects, the browser uses it and you should see the traffic in your logs. If it can't connect, the browser waits for the connection attempt to fail (quick if something answers with a reset, otherwise the full TCP timeout) and then falls through to DIRECT, sending the user straight to the Internet with no proxy; browsers generally remember a failed proxy for a while, so later requests go DIRECT without waiting again. Keep in mind what this design means: it is fail-open on purpose. A user who is on the office network but blocks, or simply can't reach, 192.168.10.100:3128 gets the same unfiltered DIRECT path as a user at home. If the filter must not be bypassable from inside the office, back the PAC file up with egress rules on your firewall that only allow outbound web traffic from the proxy itself, not from the client subnets.

OK, the first requirement is done; mobile users will be on the web filter while at the office and off it away from the office. Now we need to bypass local resources, a task that causes a little more fuss. Let me note, before I bash on web filters or at least come off as bashing them, that most of my local resources tested just fine with no further configuration. A lot of my monitoring tools, local wikis, etc. had no issue. But some, such as our phone system configuration site, didn't work at all in testing. Your mileage may vary; for a lot of people, stopping at this point would work just fine. But for those who do have issues, we'll continue.

Next, determine the subnets you want to bypass. In this case we'll use 10.10.1.x, 10.100.x.x, 192.168.10.x, and the whole loopback range 127.0.0.0/8 (every 127.x.x.x address is local to the machine, not just 127.0.0.x).

function FindProxyForURL(url, host) {
    // Anything in these ranges is local and must not go through the proxy.
    // isInNet() resolves a hostname to an IP first, so names that resolve
    // into these ranges are bypassed as well as IP-literal URLs.
    if (
        (isInNet(host, "10.10.1.0", "255.255.255.0")) ||
        (isInNet(host, "10.100.0.0", "255.255.0.0")) ||
        (isInNet(host, "192.168.10.0", "255.255.255.0")) ||
        (isInNet(host, "127.0.0.0", "255.0.0.0"))   // all of loopback, 127.0.0.0/8
    )
        return "DIRECT";
    else
        // Everything else: try the web filter, fall back to DIRECT off-network.
        return "PROXY 192.168.10.100:3128; DIRECT";
}


Now, when testing, any host that is an IP address in one of the bypassed subnets, or a name that resolves to one, should not show up in your logs. All other traffic should show up just fine. Make sure you set the appropriate subnet mask. The || pipes mean "OR", so you can add as many as needed. Two things to be aware of with isInNet(): when the URL contains an IP address, host is that address and no lookup is needed, but when it contains a name, isInNet() performs a DNS lookup every time it is called, which is on every request the browser makes. That is slow, and when the name doesn't resolve (which is what happens off-network for internal names anyway) it simply returns false. Put cheap string checks such as isPlainHostName(host) or dnsDomainIs() ahead of the isInNet() lines so that most requests never reach the lookups.

Now, let's say you have a specific site you want to bypass, on your network or not. For example, you want to bypass traffic to your external web site, or you use a hosted email solution that has issues in your web filter. Just add the following line inside the "if ( )" statement:

(dnsDomainIs(host, ".bypassed_url.com")) ||

Note that there is no need to put anything more than the domain name; no need for http://, *://, or the full URL. One catch: dnsDomainIs() is a plain suffix match, so ".bypassed_url.com" matches mail.bypassed_url.com and www.bypassed_url.com but not the bare bypassed_url.com; if users hit the bare name, add a second check, (host == "bypassed_url.com") ||, next to it. Also, don't forget the OR (||) if you intend to put any more statements below it. The last line inside the if( ) should not have ||.
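To see exactly which decisions a PAC file will make before pushing it to laptops, it helps to run FindProxyForURL() outside the browser. The following is an added example, not code from the original post: a small Node.js harness that re-implements the browser-supplied helpers (isInNet, dnsDomainIs, isPlainHostName, dnsResolve) on top of a constructed, hard-coded name-to-IP table standing in for DNS, then runs the post's subnet and domain bypasses, plus a bare-domain rule and a short-name check, over a constructed list of URLs. Every hostname and address in the table is hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real servers.

```javascript
// Offline harness for testing a PAC file's FindProxyForURL() under Node.js.
// The browser normally supplies isInNet(), dnsDomainIs(), isPlainHostName()
// and dnsResolve(); these are minimal re-implementations backed by a
// constructed name -> IP table, so the whole thing runs with no network.

// Constructed stand-in for DNS (hypothetical hosts, documentation IP ranges).
const FAKE_DNS = {
  "wiki": "10.10.1.25",
  "wiki.corp.example": "10.10.1.25",
  "phones.corp.example": "10.100.7.2",
  "www.example.com": "203.0.113.10",
  "mail.bypassed_url.com": "198.51.100.5",
  "bypassed_url.com": "198.51.100.6",
};

// Dotted-quad string -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// PAC helper: resolve a name; IP literals resolve to themselves, unknown -> null.
function dnsResolve(host) {
  if (ipToInt(host) !== null) return host;
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// PAC helper: true when host (after resolution) falls inside pattern/mask.
// Note that a name that does not resolve yields false, never an error.
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;
  const a = ipToInt(ip), p = ipToInt(pattern), m = ipToInt(mask);
  return a !== null && p !== null && m !== null &&
         ((a & m) >>> 0) === ((p & m) >>> 0);
}

// PAC helper: plain suffix match. "bypassed_url.com" does NOT match
// ".bypassed_url.com", which is why the bare name needs its own rule.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// PAC helper: a hostname with no dots (short intranet name or "localhost").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// The PAC logic under test: cheap string checks first (no DNS), then the
// post's subnet bypasses, then the proxy with DIRECT as the fail-open fallback.
function FindProxyForURL(url, host) {
  if (
    isPlainHostName(host) ||
    dnsDomainIs(host, ".bypassed_url.com") ||
    host === "bypassed_url.com" ||
    isInNet(host, "10.10.1.0", "255.255.255.0") ||
    isInNet(host, "10.100.0.0", "255.255.0.0") ||
    isInNet(host, "192.168.10.0", "255.255.255.0") ||
    isInNet(host, "127.0.0.0", "255.0.0.0")
  ) {
    return "DIRECT";
  }
  return "PROXY 192.168.10.100:3128; DIRECT";
}

// Pull the host out of a URL the way the browser does before calling the PAC.
function hostOf(url) {
  return new URL(url).hostname;
}

// Run a list of URLs through the PAC and return a {url: decision} map.
function evaluate(urls) {
  const out = {};
  for (const u of urls) out[u] = FindProxyForURL(u, hostOf(u));
  return out;
}

// Constructed test URLs covering each branch of the PAC file.
const SAMPLE_URLS = [
  "http://wiki/",                      // short name, bypassed without DNS
  "http://wiki.corp.example/",         // resolves into 10.10.1.0/24
  "http://phones.corp.example:8080/",  // resolves into 10.100.0.0/16
  "http://192.168.10.50/status",       // IP literal in a bypassed subnet
  "http://127.0.0.1:4664/",            // loopback (a local desktop HTTP server)
  "http://mail.bypassed_url.com/",     // dnsDomainIs() suffix match
  "http://bypassed_url.com/",          // bare domain, caught by the extra rule
  "http://www.example.com/",           // everything else goes to the proxy
];

console.log(evaluate(SAMPLE_URLS));
```

Run it with node and it prints a URL-to-decision map. Because the helpers are shims, the harness checks your rule logic (masks, rule order, the bare-domain gap), not the browser's own implementation, so a final check in a real browser against the proxy logs is still needed; the point is to catch the obvious mistakes before anything touches the network.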

Now that all of our requirements are met, it's time to save the file and test it. There are several methods of PAC file placement involving web servers or network shares, but since the client is a laptop, I prefer to place the file locally. Save your PAC file on the local drive. Next, open Control Panel and Internet Options. Click the Connections tab and the LAN Settings button. Uncheck everything except "Use automatic configuration script". For the address, put in file://c:/PAC_file_location/name_of_PAC_file, for example: file://c:/pxy/pxy.pac. Two caveats: a PAC file is JavaScript that the browser runs on every request, so a local copy is only as trustworthy as the permissions on it (lock it down and enforce it by policy, or anyone who can edit the file can rewrite their own proxy rules); and Internet Explorer 11 dropped support for file:// as the configuration script address, so on newer clients serve it from a web server or share instead.

In a future posting I'll go over how I deploy the PAC file via login script and how I use Group Policy to force my users to use the file. I may even do a write-up on blocking other browsers, such as Firefox, Chrome, Safari, and Opera.

A quick note: PAC files are read when the browser is opened. If your laptop user has a browser open, then takes the laptop off the network (hibernate) and tries to use the same browser window off the network, it most likely will not work. They'll have to restart the browser. The same applies when they come back onto the network: if they were working in a browser window off the network unfiltered, that browser window will stay in DIRECT configuration until it is restarted.

As promised, some useful links:

Wikipedia:Proxy_auto-config
Craig Johnson Consulting: Autoconfigure Scripts for Proxy Settings - good overview, but I couldn't get the if (shExpMatch(url, method to work.
Novell: Cool Solutions: Proxy Failover (without Clustering) - great article, the author dissects the code and explains it.
Jason Curnow: Writing Effective Proxy PAC Files - wow, I JUST found this site. Read this.
Microsoft Technet: Using Automatic Configuration, Automatic Proxy, and Automatic Detection - lots of examples here.

11 comments:

Jerry's said...

Wow, it's a cool tip!!!

Mike said...

Thanks for the tips.

BTW, Chrome (as of version 4 at least) uses IE's proxy settings, so if it works for IE, it's already working for Chrome.

Small Office Phone System said...

Nice workaround to make it work in laptop.

Anonymous said...

I just happened to run across this page - You've got a link to my "Writing Effective PAC Files" page that's quite old. That site has gone through several iterations, but the current incarnation is...

http://www.proxypacfiles.com

It has everything that the old one did and more!

Anonymous said...

Hi, I'm not sure if you are still getting notification for this old post, but if you could help share some insight for my situation that will be great help.

We have a customer who reported an issue with the same PAC file working fine when it is hosted on a remote server, but not when it is placed on the local laptop. The behavior is that the same operation fails when opening a file from an application; it is successful when the PAC file is on the remote server. What is the best way to narrow down the potential cause (application code, PAC code, IE issue, etc.)?

Thank you in advance.
