Pac File Bypass Proxy For Local Addresses

'Use a proxy server for your LAN (these settings will not apply to dial-up or VPN Connections)' 'Bypass proxy server for local addresses' I would then need to enter my proxy address and port number. The home settings would need to remove both of the above boxes. Does anyone have any example scripts I could manipulate accordingly?

How are proxy settings set in the Ubuntu GNOME environment? These methods are not foolproof and can break the configuration of the system, making the network behave in an undesired way.

AutoConfigUrl: (Mon Jun 10 02:24:29 PM) proxy auto-configuration script could not be downloaded (Mon Jun 10 02:24:29 PM) Falling back to DIRECT/NOPROXY. Setting WINHTTP_ACCESS_TYPE_NAMED_PROXY flag in WINHTTP_AUTOPROXY_OPTIONS dwAccessType.

This page includes a PAC file example which has been proven to be flexible and easy to update, while still providing accurate results. Proxy bypass rules for private IP networks, internal hostnames, and hosts with the .local domain extension.

Configure the Proxy Auto Configuration (PAC) file

Before making any changes, compile a list of addresses that need to be exempted from connecting through LPS. The default PAC file hosted by LPS directs clients to send requests to internal (RFC1918, and APIPA) addresses, and plain hostname addresses directly instead of through LPS. Any resources hosted on a public IP address, or accessed by DNS name will need to be added to the PAC file. These can be specified either by Fully Qualified Domain Name (FQDN), IP address, or IP address range.

Note: See Verify a Proxy Auto Configuration file using Web Security Service PAC File Management to learn how to check the PAC file syntax before deployment.

Use the PAC File Management Service (PFMS) PAC file

  1. Add the required addresses to the Bypassed Sites in the WSS portal (see Add sites to the bypass list in Web Security Service for more information on configuring Bypassed Sites)
  2. To export the PFMS PAC file:
    1. Browse to http://portal.threatpulse.com and log in to your WSS account
    2. Click Service > Mobility > PAC File Management, click on the correctly configured PAC file, and click Download
    3. Save the file to an accessible folder as proxy.pac, and open the saved file in a text editor
    4. Locate the following line:
      return 'PROXY ';
    5. Replace the WSS DNS name/port with the LPS DNS name/port (localhost:2968 by default)
    6. Save the changes to the proxy.pac

Replace the PAC file

SEP 14.3 introduced the ability to import a custom PAC file directly in the Integrations policy. Use this method for SEP 14.3 and newer clients managed by a SEP 14.3 or newer Symantec Endpoint Protection Manager (SEPM).

Import the PAC file into Integrations Policy

  1. Locate the custom PAC file and open it in a text or PAC file editor
  2. Locate the LPS DNS name/port set in the steps above, and replace the LPS port with the following token:
    <<port>>
  3. Log in to the SEPM Console and click Policies > Network Traffic Mitigation > Integrations
    1. To edit an existing Integrations policy, select the policy and click Edit the policy
    2. To create a new Integrations policy, click Add a Integrations policy
  4. Check Enable LPS Custom PAC file and click Import
  5. Browse to the saved custom PAC file and click Import
  6. Click OK to save the policy

Note: The above configuration is only available in SEPM 14.3 or later. Additionally, computers running pre-14.3 SEP clients will not make use of this setting. For pre-14.3 computers, use the manual steps below.

Manually replace the PAC file

  1. Download LPSFlags.exe attached to this document to the same folder as the modified proxy.pac file
  2. Open a command prompt as Administrator and change directories to the folder containing LPSFlags.exe and proxy.pac
  3. Enter the following command:
    LPSFlags.exe --pac-script proxy.pac --restart
  4. Download a copy of the LPS PAC file from http://localhost:2968/proxy.pac and confirm the changes

Most organizations will want to bypass their proxy server for local web servers (intranet, CMS, helpdesk, etc). You can manually add each new server to your exception list in your logon script or group policies or simply use this PAC script to determine if a server is local and bypass it automatically!

You can use built in commands such as isInNet() which use potentially slow DNS lookups, but this method uses Regex queries instead.

With each URL request, a client’s browser will execute the FindProxyForURL() function and pass it the URL string and domain host name for the request. The function needs to return a string telling the browser to connect directly, via SOCKS or via a Proxy.

Be sure to update the exception and proxy address appropriate to your needs.
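The regex approach described above, as an added example that is not the original author's script: the bypass rules are the ones this page names (plain hostnames, the .local suffix, RFC1918 and APIPA ranges), with every pattern anchored so a public name that merely starts with a private-looking prefix still goes through the proxy. The proxy address `proxy.example.internal:8080`, the `checkHosts` helper and the sample host names are placeholders constructed for illustration.

```javascript
// Added example, not the page's own script.
// Assumption: placeholder proxy address, replace with your own.
var PROXY_TARGET = "PROXY proxy.example.internal:8080";

// One IPv4 octet (0-255). All patterns are anchored with ^ and $ so only a
// host that is *entirely* an IPv4 literal in a private range matches;
// "10.0.0.1.example.com" is a public DNS name and must not bypass the proxy.
var OCTET = "(25[0-5]|2[0-4]\\d|1?\\d?\\d)";
var PRIVATE_IPV4 = [
  new RegExp("^10(\\." + OCTET + "){3}$"),                        // 10.0.0.0/8
  new RegExp("^172\\.(1[6-9]|2\\d|3[01])(\\." + OCTET + "){2}$"), // 172.16.0.0/12
  new RegExp("^192\\.168(\\." + OCTET + "){2}$"),                 // 192.168.0.0/16
  new RegExp("^169\\.254(\\." + OCTET + "){2}$")                  // 169.254.0.0/16 (APIPA)
];

function FindProxyForURL(url, host) {
  // Normalise case and a trailing root dot ("intranet.") before matching.
  host = host.toLowerCase().replace(/\.$/, "");

  // Plain hostnames ("intranet") are internal. IPv6 literals also contain
  // no dot, so exclude anything with a colon from this rule.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";

  // Hosts under the .local suffix.
  if (/\.local$/.test(host)) return "DIRECT";

  // IPv4 literals in private ranges. No DNS lookup happens here, so a DNS
  // name that resolves to a private address is NOT caught by these patterns.
  for (var i = 0; i < PRIVATE_IPV4.length; i++) {
    if (PRIVATE_IPV4[i].test(host)) return "DIRECT";
  }
  return PROXY_TARGET;
}

// Offline check: evaluate the function for a list of hosts (constructed samples).
function checkHosts(hosts) {
  return hosts.map(function (h) {
    return h + " -> " + FindProxyForURL("http://" + h + "/", h);
  });
}

var SAMPLE_HOSTS = ["intranet", "helpdesk.mydomain.local", "192.168.1.10",
                    "10.0.0.1.example.com", "www.example.com"];
```

Because the match is on the host string only, internal servers reached by a fully qualified name outside .local still need an explicit entry.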

The script can be found and configured automatically by most browsers if it is made available via HTTP and advertised via DHCP or DNS. Firefox and Chrome (to my knowledge) don’t support the DHCP method, but most browsers support DNS.

To have your script found via DNS it must be made available at http://wpad.mydomain.local/wpad.dat where mydomain.local, need I say it, is your local domain. To do this, I saved the script as ‘wpad.dat’ in the root directory of my intranet server and created a DNS CNAME record (alias) pointing to that server named wpad. You must also set the MIME type of the file to application/x-ns-proxy-autoconfig or the file won’t download (at least from IIS in my case). See Configure MIME Type (IIS 6.0) on Technet.

If you do also want to advertise the script via DHCP (it can’t hurt), simply add Option 252 to your scope options containing the URL of your script. According to this article, IE6 may require the URL to be NUL terminated.

Here’s another handy tip: if you want to test the functionality of the script, you can use the following PHP script (if PHP is configured on your web server) to immediately test the result of any specified host name. Save the following script as index.php in the same folder as your proxy script and browse to http://wpad.mydomain.local.

Further Reading:

  • Wiki page with an overview: http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

  • Microsoft examples for IE: http://technet.microsoft.com/en-us/library/dd361950.aspx

  • IE Proxy Result Caching: http://support.microsoft.com/kb/271361

  • Publishing via Apache: http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/web-browser-auto-proxy-configuration.html

  • Best Practices: http://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_best_pract.aspx