Hosting a proxy.pac and wpad.dat file on the MWG.

Version 2


    Overview

     

    A popular deployment method for MWG is Proxy Mode combined with a proxy.pac or wpad.dat file. MWG can host your proxy.pac and wpad.dat files. This article explains the methods available to host each type of file. While MWG can host the files for you, the contents and functionality of the files are the responsibility of the customer, as the MWG Support Group does not create or troubleshoot these files. Please see the Resources section for additional information about creating proxy.pac and wpad.dat files.

     

    Hosting Methods

     

    Hosting a wpad.dat file

     

    When using a wpad.dat file, you need to take a few things into consideration when hosting it on the MWG:

     

    -The wpad.dat file must be served over port 80 (port 80 is assumed and you cannot specify a different one).

    -The wpad.dat file must not contain a folder path. It must be served from the root of the web server. For example: http://[proxyIP]/wpad.dat will work, while http://[proxyIP]/files/wpad.dat would not work.

    -The wpad.dat file must be served over HTTP.

     

     

    1.  Create a wpad.dat file using a text editor. Note: If you need assistance creating the wpad file, please see the resource section below.

    2.  Next, upload the wpad.dat file to the MWG using the Troubleshooting > Files > Upload section of the MWG user interface. The uploaded wpad.dat file can also be found in the /opt/mwg/files directory via the command line. Note: It is recommended to always use the MWG interface for uploading to preserve file permissions.

     

    3.  Enable a File Server port listener. You can do this under Configuration > File server > HTTP Connector Port. In this example, we've enabled the HTTP listener port 4713.

     

    4.  Create a port forwarding rule located at Configuration > Appliances > Port Forwarding. This will forward your client's requests for the wpad.dat file on port 80 to port 4713, where the file is actually stored.

     

     

    Source Host: Enter in the network range of your clients that will be trying to obtain the wpad file.

    Target Port: 80

    Destination Host: 127.0.0.1

    Destination Port: 4713

     

     


     

     

     

     

     

    Browser configuration:

     

    Internet Explorer:

    Tools > Internet Options > Connections tab > LAN Settings > enable the checkbox for "Automatically detect settings".

     

    Firefox:

    Tools > Options > Network > Settings > select the radio button for "Auto-detect proxy settings for this network".  (NOTE: Firefox does not support DHCP WPAD.)

     

     

    Hosting a Proxy.pac file

     

    When hosting a proxy.pac file on the MWG, the file will be hosted at this address:

     

    http://[proxyIP]:4713/files/proxy.pac

     

      1. First, create a proxy.pac file using a text editor. Note: If you need assistance creating the proxy.pac file, please see the resource section below.
      2. Next, upload the proxy.pac file to the MWG using the Troubleshooting > Files > Upload section of the MWG user interface. The uploaded proxy.pac file can also be found in the /opt/mwg/files directory via the command line.
        Note: It is recommended to always use the MWG Interface for uploading to preserve file permissions.
      3. Enable a File Server port listener. You can do this under Configuration > File server > HTTP Connector Port. In this example, we've enabled the HTTP listener port 4713.
      4. At this point the proxy.pac file is now ready to be served from the MWG on port 4713.

     

    Browser Configuration:

     

    Internet Explorer:

    Go to: Tools > Internet Options > Connections > LAN Settings > Enable the Check-box for "Use Automatic configuration script" and then place the proxy.pac URL in the Address field. Address field example =  http://[proxyIP]:4713/files/proxy.pac

     

     

    Firefox:

    Go to: Tools > Options > Network > Settings > select the radio button for "Automatic proxy configuration URL"  and then place the proxy.pac URL in the Address field. URL field example =  http://[proxyIP]:4713/files/proxy.pac

     

     

    Using rule sets to serve the proxy.pac from a different URL path and/or a different port

    Another method to host a proxy.pac or wpad file is to utilize the Rule Engine. In certain cases, you may have a requirement that the pac file be served from a specific URL or URL path other than what the MWG file server offers. For example, when migrating from McAfee Web Gateway version 6.x to McAfee Web Gateway version 7.x you may decide to continue using the MWG 6.x proxy.pac request method of http://[proxyIP]:9999/proxy.pac instead of the MWG7 method of http://[proxyIP]:4713/files/proxy.pac to avoid changes to your end-user's browser settings.

     

    Here are the steps to serve a proxy.pac file without "/files" in the path and from a different port. Note: This is just one example of using this method; you can always modify the settings to suit your specific needs.

     

     

     

     

     

     

     

    1.  Upload your proxy.pac file to the MWG7 file server located under Troubleshooting > Files > Upload

     


     

     

    2.  Configure the port the proxy.pac is served from under Configuration > Appliance > File Server. Enable dedicated file server port over HTTP and add port 4713 to the field provided.

     


     

     

     

    3.  Enable a listener for the new port that you want the file to be accessible on (9999) by clicking Configuration > Appliances > Proxies > HTTP Proxy and adding an entry for 0.0.0.0:9999

         Note: Leave all other default values

     


     

     

    4. Add a Next Hop Proxy engine with the following Criteria:

        Note: We will reference this engine in a rule we create later.

     

            1. Click Policy, Settings, Engines, Next Hop Proxy, Add.
            2. Name the Next Hop Proxy InternalFileServer. Leave default values of Round Robin and Proxy Style Request.
            3. Click Add to add the Next Hop Proxy Server definition.
            4. Click OK and Edit.
            5. Add the following list entry: host: 127.0.0.1 Port: 4713. Leave the other default values.
            6. Click OK.

     

    5.  Under Policy > Rule Sets, create a top-level rule set called Proxy.pac file handling that applies to Requests and has the criteria Proxy.port equals 9999. Move the new rule set to the top of the other rule sets.

     


     

     

     

    6.  Create two nested rule sets under Proxy.pac file handling called Serve Proxy.pac file and Prevent open Proxy. Both rule sets have criteria of always and applies to Requests.

     

    7.  Add a rule to the Serve Proxy.pac file rule set with the following criteria:

     

            • Name: Rewrite Pac File URL
            • Rule Criteria: URL.Path equals "/proxy.pac"
            • Action: Stop Cycle
            • Events: Add two Events and one Set Property Value:

              Event #1: "Enable Proxy Control <No Persistent Client Connections>"
              Event #2: "Enable Next Hop Proxy <InternalFileServer>"

              Set the Property Value:
              Choose URL.Path from the property drop-down box.
              Click Add below the drop-down menu (not to the right) and add the following Parameter Value:

              /files/proxy.pac

     


     

     

    8.  Add a rule to the Prevent open Proxy rule set with the criteria of Always with an action of Block. This prevents anyone from using the new listener (9999) to do anything other than obtain the proxy.pac file.

     

     


     

     

     

     

     

    9.  The proxy.pac will now be hosted from the following URLs:


    http://[proxyIP]:9999/proxy.pac
    http://[proxyIP]:4713/files/proxy.pac

     

     

     

     

     

     

     

    Browser Configuration:


    Internet Explorer:


    (replace [proxyIP] with your MWG IP address)
    Go to: Tools > Internet Options > Connections tab > LAN Settings button > enable the checkbox for "Use Automatic configuration script" and then place the proxy.pac URL in the Address field. Address field example =  http://[proxyIP]:9999/proxy.pac

     

    Firefox:

    (replace [proxyIP] with your MWG IP address)
    Go to: Tools > Options > Network tab > Settings button > select the radio button for "Automatic proxy configuration URL"  and then place the proxy.pac URL in the Address field. URL field example =  http://[proxyIP]:9999/proxy.pac

     

     

    Troubleshooting

     

    MWG's duty is to simply serve a file; you can manually request the URL in your browser to confirm if the PAC/WPAD file is hosted correctly.

     

     

    Type http://[proxyIP]:4713/files/proxy.pac into the client's browser address bar and press enter.

    Type http://[proxyIP]/wpad.dat into the client's browser address bar and press enter.

     

    If you are prompted to view or download the pac file, the MWG is serving the proxy.pac properly.

     

    Or you can run the following from the DOS prompt of the client computer:

     

    telnet x.x.x.x 4713
    GET /files/proxy.pac

    Hit ENTER twice after the GET command.

     

    If you see your proxy.pac contents, the MWG is properly serving up the proxy.pac.
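
    The same checks can be scripted. The Python below is an added example, not part of the original article or of MWG: it validates a wpad.dat URL against the three hosting rules listed earlier (HTTP, port 80, root path) and checks that a response really carries a PAC script. The function names are hypothetical, and the Content-Type advisory uses the common PAC MIME types as an assumption, since the article does not say which type MWG sends.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Common PAC MIME types (assumption: the article does not state what MWG sends).
PAC_MIME_TYPES = {"application/x-ns-proxy-autoconfig", "application/x-javascript-config"}

def wpad_url_problems(url):
    """Check a WPAD URL against the three hosting rules: HTTP, port 80, root path."""
    parts = urllib.parse.urlsplit(url)
    problems = []
    if parts.scheme != "http":
        problems.append("wpad.dat must be served over HTTP")
    if parts.port not in (None, 80):
        problems.append("wpad.dat must be served on port 80")
    if parts.path != "/wpad.dat":
        problems.append("wpad.dat must sit at the web server root")
    return problems

def response_problems(status, content_type, body):
    """Check one HTTP response that is supposed to carry a PAC/WPAD script."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if "FindProxyForURL" not in body:
        problems.append("body does not define FindProxyForURL")
    mime = (content_type or "").split(";")[0].strip().lower()
    if mime not in PAC_MIME_TYPES:
        problems.append(f"advisory: Content-Type {mime!r} is not a PAC MIME type")
    return problems

def fetch(url, timeout=5):
    """GET the URL directly (no system proxy); return (status, content_type, body)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type"), err.read().decode("utf-8", "replace")

if __name__ == "__main__":
    # Usage: python check_pac.py http://<proxyIP>:4713/files/proxy.pac http://<proxyIP>/wpad.dat
    for url in sys.argv[1:]:
        found = wpad_url_problems(url) if url.endswith("wpad.dat") else []
        found += response_problems(*fetch(url))
        print(url, "OK" if not found else found)
```

    Run it from a client in the Source Host range of the port forwarding rule, so the wpad.dat request on port 80 takes the same path a browser's request would.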

     

     

    Resources

     

    Using PAC files with Web Gateway
    http://kc.mcafee.com/corporate/index?page=content&id=KB67177

     

    Creating Proxy.pac information

    findproxyforurl.com