
Web Gateway: Hosting the proxy.pac/wpad.dat


Overview

A popular deployment method for MWG is Proxy Mode combined with a proxy.pac or wpad.dat file. MWG can host your proxy.pac and wpad.dat files, and this article explains the methods available for hosting each type of file. While MWG can host the files for you, the contents and functionality of the files are the responsibility of the customer; the MWG Support Group does not create or troubleshoot these files. Please see the Resources section for additional information about creating proxy.pac and wpad.dat files.

Hosting Methods

Hosting a wpad.dat file

When using a wpad.dat file, you need to take a few things into consideration when hosting it on the MWG:

    • The wpad.dat file must be served over port 80 (port 80 is assumed and you cannot specify a different one).
    • The wpad.dat file must not contain a folder path. It must be served from the root of the web server. For example: http://PROXY-IP/wpad.dat will work, while http://PROXY-IP/files/wpad.dat would not work.
    • The wpad.dat file must be served over HTTP.

1.  Create a wpad.dat file using a text editor other than Notepad. Note: If you need assistance creating the wpad file, please see the Resources section below.

2.  Next, upload the wpad.dat file to the MWG using the Troubleshooting > Files > Upload section of the MWG user interface. The uploaded wpad.dat file can also be found in the /opt/mwg/files directory via the command line. Note: It is recommended to always use the MWG interface for uploading, to preserve file permissions.

3.  Enable a File Server port listener. You can do this under Configuration > File server > HTTP Connector Port. In this example, we've enabled the HTTP listener port 4713.

4.  Create a port forwarding rule located at Configuration > Appliances > Port Forwarding. This will forward your client's requests for the wpad.dat file on port 80 to port 4713, where the file is actually stored.

Source Host: Enter in the network range of your clients that will be trying to obtain the wpad file.

Target Port: 80

Destination Host: 127.0.0.1

Destination Port: 4713

Browser configuration:

Internet Explorer: Tools > Internet Options > Connections tab > LAN Settings > enable the checkbox for "Automatically detect settings".

Firefox: Tools > Options > Network > Settings > select the radio button for "Auto-detect proxy settings for this network".  (NOTE: Firefox does not support DHCP WPAD.)

Hosting a Proxy.pac file

When hosting a proxy.pac file on the MWG, the file will be hosted at this address:

http://PROXY-IP:4713/files/proxy.pac

    1. First create a proxy.pac file using a text editor (preferably not Notepad).  Note: If you need assistance creating the file, please see the Resources section below.
    2. Next, upload the proxy.pac file to the MWG using the Troubleshooting > Files > Upload section of the MWG user interface. The uploaded proxy.pac file can also be found in the /opt/mwg/files directory via the command line.
      Note: It is recommended to always use the MWG Interface for uploading to preserve file permissions.
    3. Enable a File Server port listener. You can do this under Configuration > File server > HTTP Connector Port. In this example, we've enabled the HTTP listener port 4713.
    4. At this point the proxy.pac file is now ready to be served from the MWG on port 4713.

Browser Configuration:

Internet Explorer: Go to: Tools > Internet Options > Connections > LAN Settings > Enable the Check-box for "Use Automatic configuration script" and then place the proxy.pac URL in the Address field. Address field example = http://PROXY-IP:4713/files/proxy.pac

Firefox: Go to: Tools > Options > Network > Settings > select the radio button for "Automatic proxy configuration URL"  and then place the proxy.pac URL in the Address field. URL field example = http://PROXY-IP:4713/files/proxy.pac

Using rule sets to serve the proxy.pac from a different URL path and/or a different port

Another method to host a proxy.pac or wpad file is to utilize the Rule Engine. In certain cases, you may have a requirement that the pac file be served from a specific URL or URL path other than what the MWG file server offers. For example, when migrating from McAfee Web Gateway version 6.x to McAfee Web Gateway version 7.x you may decide to continue using the MWG 6.x proxy.pac request method of http://PROXY-IP:9999/proxy.pac instead of the MWG7 method of http://PROXY-IP:4713/files/proxy.pac to avoid changes to your end-user's browser settings.

Here are the steps to serve a proxy.pac file without using "/files" in the path and from a different port. Note: This is just one example of using this method; you can always modify the settings to suit your specific needs.

1.  Upload your proxy.pac file to the MWG7 file server located under Troubleshooting > Files > Upload

2.  Configure the port to serve the proxy.pac from, under Configuration > Appliance > File Server: enable the dedicated file server port over HTTP and add port 4713 to the field provided.

3.  Enable a listener for the new port that you want the file to be accessible on (9999) by clicking Configuration > Appliances > Proxies > HTTP Proxy and adding an entry for 0.0.0.0:9999

     Note: Leave all other default values

4. Add a Next Hop Proxy engine with the following Criteria:

    Note: We will reference this engine in a rule we create later.

          1. Click Policy, Settings, Engines, Next Hop Proxy, Add.
          2. Name the Next Hop Proxy InternalFileServer. Leave default values of Round Robin and Proxy Style Request.
          3. Click Add to add the Next Hop Proxy Server definition.
          4. Click OK and Edit.
          5. Add the following list entry: host: 127.0.0.1 Port: 4713. Leave the other default values.
          6. Click OK.

5.  Under Policy > Rule Sets, create a top-level rule set called Proxy.pac file handling that applies to Requests and has criteria of Proxy.port equals 9999. Move the new rule set to the top of the other rule sets.

6.  Create two nested rule sets under Proxy.pac file handling called Serve Proxy.pac file and Prevent open Proxy. Both rule sets have criteria of Always and apply to Requests.

7.  Add a rule to the Serve Proxy.pac file rule set with the following criteria:

          • Name: Rewrite Pac File URL
          • Rule Criteria: URL.Path equals "/proxy.pac"
          • Action: Stop Cycle
          • Events: Add two Events and one Set Property Value:
            Event #1: "Enable Proxy Control <No Persistent Client Connections>"
            Event #2: "Enable Next Hop Proxy <InternalFileServer>"

Set the Property Value:

Choose URL.Path from the property drop-down box.
Click Add below the drop-down menu (not to the right) and add the following Parameter Value: /files/proxy.pac

8.  Add a rule to the Prevent open Proxy rule set with the criteria of Always with an action of Block. This prevents anyone from using the new listener (9999) to do anything other than obtain the proxy.pac file.

9.  The proxy.pac will now be hosted from the following URLs:

http://PROXY-IP:9999/proxy.pac

http://PROXY-IP:4713/files/proxy.pac

Browser Configuration:

Internet Explorer: Replace PROXY-IP with your MWG IP address. Go to: Tools > Internet Options > Connections tab > LAN Settings button > enable the checkbox for "Use Automatic configuration script" and then place the proxy.pac URL in the Address field. Address field example = http://PROXY-IP:9999/proxy.pac

Firefox: Replace PROXY-IP with your MWG IP address. Go to: Tools > Options > Network tab > Settings button > select the radio button for "Automatic proxy configuration URL" and then place the proxy.pac URL in the Address field. URL field example = http://PROXY-IP:9999/proxy.pac

Troubleshooting

Web Gateway's duty is to simply serve a file; you can manually request the URL in your browser to confirm if the PAC/WPAD file is hosted correctly.

Type http://PROXY-IP:4713/files/proxy.pac into the client's browser address bar and press enter.

Type http://PROXY-IP/wpad.dat into the client's browser address bar and press enter.

If you are prompted to view or download the file, the MWG is serving it properly.

Or you can run the following from the DOS prompt of the client computer:

telnet x.x.x.x 4713
GET /files/proxy.pac

Hit ENTER twice after the GET command.

If you see your proxy.pac contents, the MWG is properly serving up the proxy.pac.
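
The manual checks above can also be scripted. The following is an added example, not part of the original article or of McAfee's tooling: it checks a wpad.dat URL against the three hosting rules listed earlier and confirms that the served body is a PAC script rather than an HTML error or block page. The sample PAC body, its proxy address and port, and the HTML heuristic are assumptions made for the example.

```python
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample PAC body; the proxy address and port are placeholders.
SAMPLE_PAC = 'function FindProxyForURL(url, host) {\n  return "PROXY 192.0.2.10:9090; DIRECT";\n}\n'

def wpad_url_problems(url):
    """Return the article's wpad.dat hosting rules that `url` violates."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "http":
        problems.append("must be served over HTTP")
    if (parts.port or 80) != 80:
        problems.append("must be served on port 80")
    if parts.path != "/wpad.dat":
        problems.append("must be at the web server root as /wpad.dat")
    return problems

def pac_body_problems(body):
    """Return reasons why `body` does not look like a PAC script."""
    problems = []
    if not re.search(r"\bfunction\s+FindProxyForURL\s*\(", body):
        problems.append("no FindProxyForURL function")
    if "<html" in body.lower():  # assumption: error/block pages are HTML
        problems.append("HTML returned instead of a script")
    return problems

def check_served_file(url, timeout=5):
    """Fetch `url` directly, ignoring any configured proxy; return (status, problems)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(1_000_000).decode("utf-8", errors="replace")
            return resp.status, pac_body_problems(body)
    except urllib.error.HTTPError as err:
        return err.code, ["server answered with an HTTP error"]
    except urllib.error.URLError as err:
        return None, ["connection failed: %s" % err.reason]

if __name__ == "__main__":
    # Usage: python check_pac.py http://PROXY-IP/wpad.dat http://PROXY-IP:4713/files/proxy.pac
    for url in sys.argv[1:]:
        if urlsplit(url).path.endswith("wpad.dat"):
            print(url, "wpad URL rules:", wpad_url_problems(url) or "ok")
        print(url, "served:", check_served_file(url))
```

Run it from a client inside the Source Host range of the port forwarding rule, so that the request for http://PROXY-IP/wpad.dat follows the same path the browsers use.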

Resources

Using PAC files with Web Gateway: http://kc.mcafee.com/corporate/index?page=content&id=KB67177

Ultimate resource for creating/understanding the Proxy.pac or WPAD.dat file: findproxyforurl.com

Comments
renata.petrasov

I'm using wpad.dat, but the proxy forwarding rule isn't working (I configured everything as you described it). So users have to enter port 4713, otherwise they cannot download the wpad.dat file. We're using 7.2.0.5.0, is there a bug in this version?

mreco

We have implemented this in our environment. We have a limit of 150 requests per minute per client for this file. Sometimes we see a client requesting the proxy.pac file 150 times in a few seconds and then hitting the limit. Clients then have a connectivity issue, since they cannot connect to the requested site. Has anyone seen this? How could we resolve this?

DBO

WW6.9 was using port 9090 to share proxy.pac.  Could the current procedure use port 9090 instead of port 9999 and what would be the necessary modifications to have the minimum impact?  I am new to 7.6 and there is a lot to learn...

Thank you

Version history: Revision 1 of 1. Last update: 04-30-2013 01:24 PM