Designing and implementing effective PAC file solutions

Academic year: 2021


Copyright © 2006 ScanSafe. All Rights Reserved.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from ScanSafe. Every effort has been made to ensure the accuracy of this manual. However, ScanSafe makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. ScanSafe shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this document is subject to change without notice.


1 What is a PAC file?

A PAC file or Proxy Auto-Configuration file defines how web browsers can automatically select an appropriate proxy for accessing a given URL.

The file is based on rules defined using JavaScript, providing a scalable solution that can be powerful enough to meet the demands of almost every situation it may face.

2 Is it difficult to implement?

This is entirely dependent on the specification required for the PAC file and the chosen distribution method. PAC files can be extremely simple, a one-line piece of code used to direct all traffic through a proxy, or they can be very powerful, providing allowances for load balancing, multiple proxies, failovers etc.

The market-leading browsers (Opera, Firefox and Internet Explorer) all allow several levels of automation regarding the implementation of proxies:

• Manual proxy selection: simply specifying a hostname/IP address and a port number to be used for all URLs. It’s possible to enter exceptions that will bypass the proxy.

• Proxy Auto-Configuration (PAC): Specify the location of a PAC file with JavaScript-defined rules that determine the appropriate proxy for each URL accessed.

• Web Proxy Auto-discovery Protocol (WPAD): A method of deploying the PAC file; this allows the browser to predict the location of the PAC file and retrieve it without user intervention.

In this guide we shall cover the first two methods in-depth.

3 Which method should I use?

In this section we shall evaluate each method and its respective advantages and disadvantages.

3.1 Manual Proxy Selection

This method allows the use of a single defined proxy in the browser connection settings. It's the simplest method and, perhaps because of this, the more reliable choice.

Advantages:

- Simple to configure, all that is required is the location of the proxy and the relevant port.

- Easy to exception sites that you might not wish to put through the proxy.

- In most situations, the more secure method.

Disadvantages:

- Only one proxy can be specified, therefore the option of implementing failover proxies is unavailable. Put simply, a lack of flexibility.

- The proxy setting must be applied to each machine. With Internet Explorer this can be pushed out via Group Policies; however, with browsers such as Opera and Firefox it would have to be amended manually for each browser.

3.2 Proxy Auto-Configuration

Likely to be the preferred method. The location of the PAC file must still be set in each browser (manually or by Group Policy); however, the PAC file allows greater control and flexibility, limited only by the creator's ability to code the file in JavaScript and by the infrastructure available.

Advantages:

- Ability to implement failover proxies, load balancing, fault tolerance etc.

- Scalable, can be as complex as the requirements that need to be met.

Disadvantages:

- Potentially a basic understanding of programming may be necessary to create or amend PAC file scripts to meet requirements.

3.3 Web Proxy Auto-discovery Protocol

Advantages:

- It has the same advantages as a lone PAC file configuration.

- Requires the least amount of user/administrator intervention to set up each user.

Disadvantages:

- Requires explicit requirements be met before it can function correctly.

- The system serving the PAC file must have a high uptime level.

- It has inherent security issues.

- Older browsers might not support WPAD (Pre-Internet Explorer 5).

Hopefully this has provided an overall insight into which method may best suit your requirements.

4 Examples

Each of the examples below includes three return entries: two proxies and an instruction to go direct. The client browser will attempt the first proxy; if it is unavailable it will try the next entry, the second proxy; if that is also unavailable the browser will go direct.

Example 1

    function FindProxyForURL(url, host) {
        return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
    }

Behaviour: directs all traffic through the example 1 proxy. If that proxy is unreachable the browser attempts the second proxy, and if both are unavailable it goes direct.

Example 2

    function FindProxyForURL(url, host) {
        // HTTPS requests bypass the proxies entirely
        if (url.substring(0, 6) == "https:") return "DIRECT";
        else return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
    }

Behaviour: All https traffic goes direct, bypassing the proxy, while http traffic still goes via the proxy.

Example 3

    function FindProxyForURL(url, host) {
        // Exact host match only; subdomains are not covered
        if (host == "mydomain.com") return "DIRECT";
        else return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
    }

Behaviour: If traffic is destined for mydomain.com it will go direct, otherwise all traffic will go through the proxy.

Example 4

    function FindProxyForURL(url, host) {
        // Use the proxies only when the client is on the internal subnet
        if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
            return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
        else return "DIRECT";
    }

Behaviour: If the client computer is on the specified internal network, go through the proxy, otherwise go direct.

Please note that each of these examples includes two proxy entries and a failover value of going direct if the proxies are unavailable. Please amend as necessary if you do not wish users to go direct when the proxies are unavailable.
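The failover behaviour noted above can be checked mechanically. The following is an added example, not part of the original guide: a Node.js harness that runs Example 2 and Example 4 with stand-in versions of the PAC helpers `isInNet` and `myIpAddress` and classifies each result as proxy-only, fails-open or always-direct. The client addresses, test URLs and the `auditResult` helper are constructed for the illustration.

```javascript
// Added example: audits what a FindProxyForURL function returns.
// The PAC helpers below are minimal stand-ins for the browser built-ins.
const ipToInt = (ip) =>
  ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);

// isInNet(host, pattern, mask): true when host (a dotted IPv4 string here) is in the subnet.
function isInNet(host, pattern, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

let clientIp = "192.168.1.57"; // constructed client address
function myIpAddress() { return clientIp; }

// Example 2 and Example 4 as given in the guide, with port 8080 on both proxies.
function example2(url, host) {
  if (url.substring(0, 6) == "https:") return "DIRECT";
  else return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
}
function example4(url, host) {
  if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
    return "PROXY proxy.example1.com:8080; PROXY proxy.example2.com:8080; DIRECT";
  else return "DIRECT";
}

// Split a PAC return value into ordered entries and classify the outcome.
function auditResult(pacFn, url) {
  const host = new URL(url).hostname;
  const chain = pacFn(url, host).split(";").map((s) => s.trim()).filter(Boolean);
  const proxies = chain.filter((e) => /^PROXY\s+\S+$/i.test(e));
  const hasDirect = chain.some((e) => e.toUpperCase() === "DIRECT");
  let verdict = "proxy-only";                 // filtered, no bypass path
  if (proxies.length === 0 && hasDirect) verdict = "always-direct";
  else if (hasDirect) verdict = "fails-open"; // direct once every proxy is down
  return { url, chain, verdict };
}

function auditAll(pacFn, urls) { return urls.map((u) => auditResult(pacFn, u)); }

const urls = ["http://www.example.org/", "https://www.example.org/login"]; // constructed
console.log(auditAll(example2, urls));
console.log(auditAll(example4, urls));
clientIp = "10.20.30.40"; // constructed: client outside the internal subnet
console.log(auditAll(example4, urls));
```

A rule set that should never send traffic unfiltered is one where every test URL comes back as proxy-only.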

Unfortunately we can't cover basic PAC file scripting in this guide. However, the level of scripting in use should be accessible to anyone who has even a basic understanding of programming.

A complete list of JavaScript functions available for use can be found in a 1996 set of release notes for Netscape: http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

5 Implementation / Deployment

5.1 Local Hosted PAC File

In comparison to deployment via WPAD, this is relatively simple with very few requirements.

- Hosted on the local file system of the machine, e.g. c:\windows\proxy.pac. However this would require that the file be copied onto each separate machine.

We recommend that the PAC file be permission protected to ensure that end-users cannot alter it.

The most popular browsers all implement this feature in a very similar way.

Firefox:

Tools > Options > ‘General’ tab > Connection Settings > Select ‘Automatic Configuration URL’ > Enter the location of the PAC file. In Firefox it would be: file:///c:/proxy.pac

Opera:

Tools > Preferences > ‘Advanced’ tab > Select ‘Network’ on the left-hand bar > Proxy Servers > Ensure that only ‘Use Automatic proxy configuration’ is checked > Enter the location of the PAC file, e.g. file://c:/proxy.pac

Internet Explorer:

Tools > Internet Options > ‘Connections’ tab > LAN Settings > Ensure everything under ‘Proxy server’ is unchecked > Select ‘Use automatic configuration script’ > Enter the location of the PAC file.

If the file is hosted on the local system, the location of the PAC file would be, for example: file://c:/proxy.pac

5.2 Network Hosted PAC File

Use this solution when you would like to keep the file on a network share and use a VBScript to copy the PAC file from the share to the local machine. The PAC file has to be copied to the local machines because it won’t work if it is hosted on a network share. We suggest using a VBScript for this, as VBScripts work well with Windows logon scripting.

- Create a Proxy.pac file. Copy this example into Notepad, amend the relevant details and save it as a *.pac file. See example below:

    function FindProxyForURL(url, host) {
        // Web sites you wish to go to direct and not through ScanSafe.
        // This list would include internally hosted websites,
        // intranets etc.
        if (shExpMatch(url, "*.somecompany.co.uk*") ||
            shExpMatch(url, "*.example.com*") ||
            shExpMatch(url, "*.anotherexample.com*")) {
            return "DIRECT";
        }
        // Internal IP address ranges that you need to be able to go
        // directly to
        else if (isInNet(host, "XXX.XXX.XXX.XXX", "255.255.0.0") ||
                 isInNet(host, "XXX.XXX.XXX.XXX", "255.255.0.0") ||
                 isInNet(host, "XXX.XXX.XXX.XXX", "255.255.0.0")) {
            return "DIRECT";
        }
        // Send all other HTTP, HTTPS and FTP traffic to ScanSafe
        else {
            return "PROXY XX.scansafe.net:8080";
        }
    }

- Set a share directory on a file server that everyone has access to, and store the Proxy.pac file there.

- Create a Script.vbs to copy the Proxy.pac file from the share on the server down to the local machine. Copy this example into Notepad, amend the relevant details and save it as a VBScript file. Create it on the domain controller, as that is where you will need to use it. See example below:

    ' Overwrite any existing local copy of the PAC file
    Const OverwriteExisting = True
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objName = CreateObject("wscript.network")
    ' Copy the PAC file from the server share to the local machine
    objFSO.CopyFile "\\server_name\share_name\proxy.pac", "C:\proxy.pac", OverwriteExisting

Something to remember:

As login scripts run with the same permissions as the logged-in user, they don’t always have permission to write to the root of C:\, so make sure that the VBScript copies the PAC file to a location on the local machine where the user has read\write permissions.

- Open Active Directory and select the Properties of the OU or the Domain you want to apply


- Under “User Setting” expand “Windows Settings” and select “Scripts”

- From the Logon Scripts window, click Add, in the Script Name dialog box, click Browse and paste the VBScript into that window. Click Ok.

The next step is to create the Group Policy Object that will enforce the browser configuration using the PAC file. You should add this rule into the same policy that enforces the Login Script.

- Open the “Active Directory Users and Computers” Administrative Tools Console.

- Right click on the Domain Name and click “Properties”.

- Click the “Group Policy” Tab.

- Select the Policy and click “Edit”.

- Expand “User Configuration” and browse to “Internet Explorer Maintenance” under the “Windows Settings” folder.

- Select “Connections” and open “Automatic Browser Configuration”.

- Uncheck “Automatically detect configuration settings”.

- Check “Enable Automatic Configuration”.

- Choose a time value of your choice for “Automatically configure every X minutes”.

- Under “Auto-Proxy URL” put in the location of your PAC file. See example below:

We recommend that the PAC file be permission protected to ensure that end-users cannot alter it.
