Issue downloading a PAC file hosted on the ProxySG in a NAT environment.
ProxySG can host two different PAC files: proxy_pac_file and accelerated_pac_base.pac.
Only the second one can be edited. For more information about this topic, see the following KB: https://kb.bluecoat.com/index?page=content&id=KB1395
In this example, the ProxySG has an interface configured with IP 10.91.22.2 and we will use CURL (with -H argument to modify the HTTP Header to IP 184.108.40.206) to perform some tests.
The two PAC files are accessible at these URLs via HTTP and HTTPS, on both management and non-management ports. For example:
The connection on port 80 and port 8080 will be established only if the ProxySG is configured to intercept traffic on those ports.
The connection on port 8081 and 8082 will be established only if the HTTP and HTTPS management is enabled on those ports. (Management on HTTP 8081 is disabled by default.)
If a browser requests a PAC file to a non-management port (either port 80 or 8080; it doesn’t make any difference), with a host header content different from the ProxySG IP, the ProxySG will generate an exception.
A typical example is a NATed environment, where the destination IP is changed from a public to a private one, but the host header still contains the public IP.
From a PCAP, we can see the REQUEST with the “wrong” host header:
The same example works fine on a management port. We will use the "--insecure" CURL argument in order to bypass untrusted certificate errors.
As you can see in the following scenario, also with a different host header, the PAC file can be downloaded.
Considerations and workarounds in a NATed environment:
As you can see, the request now works fine:
The NAT device, if smart enough, can be used to completely remove the value of the host header. As you can see, the request now works fine:
If the certificate is invalid, when Firefox (v 7.0.1) tries to download the PAC file, it will generate a certificate error. From this error window, it is not possible to install the certificate.
You can easily import the certificate browsing the management GUI (https://10.91.22.2:8082 in our example) and installing it when the certificate error pops up. Then after you close and reopen the browser, the PAC file should be downloaded correctly.
IE 8 will silently drop the PAC file if the certificate is invalid. You can install the certificate using the following procedure:
The certificate should now be trusted, and the PAC file correctly downloaded.
Rate this Page
Please take a moment to complete this form to help us better serve you.