SGOS provides two PAC files natively:
For those wishing to use the "wpad.dat" method of acquiring a PAC file from the ProxySG, you can add policy that returns a "302 Redirect" to the browser; the browser follows the redirect and is ultimately served the PAC file.
See FAQ1648 for a good overview of how to create exception pages using the CLI method. Simply replace the HTML text with your raw, unaltered PAC file.
While exception pages are normally used for displaying HTML rendered within a browser, we'll use them to simply serve data. In our case, that data is the PAC file contents.
Let's call it "pacA"
- Create a custom exception page with its content being the PAC file that you wish to serve to clients from subnet group "B".
Let's call it "pacB"
- Be sure to change the HTTP response-status code to "200" for each custom exception page, as described in FAQ1648.
So far we have only defined our custom exception pages (which happen to contain PAC files "A" and "B"). The following steps will utilize them via policy.
- Since browsers expect a PAC file to have a specific MIME type, this must be set in the <Exception> layer, which is not editable in VPM. Therefore, the following Content Policy Language (CPL) must be added to your local (or central, or forwarding) policy file:
define action setpacheader
    set( exception.response.header.Content-Type, "application/x-ns-proxy-autoconfig" )
end
- Next, add policy rules that trigger the "Force Exception" action:
[The following CPL can be added directly to your local/central/forwarding policy file, or added via VPM. Choose one method or the other, not both.]
;; Tab: [Web Access Layer, Return different PAC file based on source subnet, incoming URL /proxy_pac]
<Proxy>
    client.address=10.10.10.0/24 url.path.exact="/proxy_pac" force_exception(user-defined.pacA) ; Return PAC file A
    client.address=10.20.20.0/24 url.path.exact="/proxy_pac" force_exception(user-defined.pacB) ; Return PAC file B
- Create your "Return Exception" objects, one for PAC file "A", and one for PAC file "B":
The "Return Exception" objects you create will be used in the "Action" column of your rules.
- Create rules, with different "subnet" objects in the "Source" column
- Create a "Layer Guard" so these rules are only evaluated if the incoming URL is "/proxy_pac". The two images below show the creation of the layer guard and the URL-Path object that will be used in the "Destination" column of the layer guard.
Final VPM example:
When choosing to use browser "auto config," the Network Administrator has several options for configuring the browser to request its PAC file, whether that PAC file is served from the ProxySG or not.
The steps above prepare your ProxySG to serve PAC files; however, the client also needs to know to request the PAC file from the ProxySG.
Using the example rules above, if a request for "/proxy_pac" comes to the ProxySG from a client on the 10.10.10.0 subnet, that client will be served PAC file "A". For incoming requests to the same URL (/proxy_pac) from clients on the 10.20.20.0 subnet, the ProxySG will serve PAC file "B". Remember, in the VPM example above, it's the Layer Guard that defines the URL "/proxy_pac".
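One way to check the result of the steps above, as an added example that is not part of the original FAQ or any Blue Coat tooling: it models which PAC the example rules select for a client address and validates that a response to "/proxy_pac" carries status 200, the PAC MIME type and a FindProxyForURL body. The function names, the sample responses and the default port 80 are assumptions made for the example.

```python
import http.client
import ipaddress

PAC_MIME = "application/x-ns-proxy-autoconfig"
# Subnet-to-exception mapping copied from the example rules on this page.
RULES = [("10.10.10.0/24", "pacA"), ("10.20.20.0/24", "pacB")]

def expected_pac(client_ip):
    """Name of the exception page the example rules select, or None."""
    addr = ipaddress.ip_address(client_ip)
    for cidr, name in RULES:
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def check_pac_response(status, headers, body):
    """Return a list of problems in a response to GET /proxy_pac."""
    problems = []
    if status != 200:
        problems.append(f"status {status}, expected 200")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != PAC_MIME:
        problems.append(f"Content-Type {ctype!r}, expected {PAC_MIME}")
    if "FindProxyForURL" not in body:
        problems.append("body does not define FindProxyForURL")
    return problems

def fetch(host, path="/proxy_pac", port=80):
    """Fetch the PAC URL from a live proxy (not called by the demo below)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read().decode("utf-8", "replace")
    finally:
        conn.close()

# Constructed sample responses (not captured from a real ProxySG).
GOOD = (200, {"Content-Type": PAC_MIME},
        'function FindProxyForURL(url, host) { return "PROXY proxy.example:8080"; }')
BAD = (403, {"Content-Type": "text/html"}, "<html><body>Access Denied</body></html>")

if __name__ == "__main__":
    for ip in ("10.10.10.25", "10.20.20.7", "192.168.1.5"):
        print(ip, "->", expected_pac(ip))
    print("good:", check_pac_response(*GOOD))
    print("bad: ", check_pac_response(*BAD))
```

Against a live appliance, run `check_pac_response(*fetch("<proxyhostname>"))` from a host in each subnet and compare the returned body with the PAC file that `expected_pac` names for that host.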
You will choose what incoming URL string you want to use, and you will need to adjust the policy rules accordingly. You probably do not want to use "accelerated_pac_base.pac", since that's already defined and available from the ProxySG without any special policy. Of course you could use that as your "default" PAC file to serve, regardless of incoming client-subnet.
Often, one of the desired goals is to configure the clients as little as possible. Consider using a common, company standard for the incoming URL (in the example above: /proxy_pac).
Microsoft Windows environments may take advantage of Group Policy to configure browsers.
Internet Explorer (IE) Example:
Browsers that support "Automatically Detect Settings" (as IE calls the feature) can utilize DHCP option 252 to retrieve the URL that the browser will use to fetch its PAC file. For this example, you would configure "http://<proxyhostname>/proxy_pac" within option 252 on your DHCP server.
For hosts that utilize the DNS hostname lookup "wpad" to find the host that will serve a PAC file (the SG in our example), and then make a request for "/wpad.dat", you will need to adjust the policy rule(s) or layer guard as shown:
...and configure the DNS hostname "wpad" to resolve to the IP address of your ProxySG.
This FAQ describes only a few of the many ways to utilize PAC files.
Below find this description as a PDF document (includes user-defined exception definitions).