jebeling (McAfee Employee)
Message 1 of 10

How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


There are excellent articles here:

https://kc.mcafee.com/corporate/index?page=content&id=KB68998 

https://kc.mcafee.com/corporate/index?page=content&id=KB67177  

https://docs.mcafee.com/bundle/web-gateway-10.1.x-product-guide/page/GUID-7D16B672-2DE5-4AEE-ACF3-87...

But the best one is here (at least right now): 

https://community.mcafee.com/t5/Enterprise-Documents/Web-Gateway-Hosting-the-proxy-pac-wpad-dat/ta-p...

Even the last article doesn't fully describe how to host wpad.dat on port 80 at http://wpad.yourdomain.com/wpad.dat as required for certain implementations of Automatically Detect Settings. ;-( 

So the questions are: How do I serve different files based on whether I have MCP or not? And how do I configure wpad.dat to be served at http://wpad.mydomain.com/wpad.dat?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
2 Solutions

Accepted Solutions
jebeling (McAfee Employee)
Message 2 of 10

Re: How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


Hosting wpad.dat on web gateway at http://wpad.mydomain.com:

Set up proxy to listen on port 80

[Image: WPAD4.PNG]

Upload your PAC file to MWG using Troubleshooting > Files  (my filename is LocalNetMCPDirect.pac)

[Image: WPAD2.PNG]

Enable the file server on port 4713 (default) or port of your choosing

[Image: WPAD3.PNG]

Create a DNS A record pointing wpad.mydomain.com to the MWG (for testing you could modify etc/hosts with admin privileges).

At this point the file should be available at http://wpad.mydomain.com:4713/files/<filename in MWG>

Now create a next hop proxy and ruleset for proxy traffic on port 80 using persistent connections to next hop proxy and localhost on port 4713. Client should not use persistent connections. The ruleset will be entered whenever port 80 is hit on the proxy.

Criteria: URL.Path = /wpad.dat
Action: Stop Cycle
3 Events:
1) Set proxy control to use non-persistent client connections.
2) Enable next hop proxy
3) Set property URL.Path

Add a rule to block everything else coming in on port 80. Put the ruleset near the top of your rules.

[Image: WPAD5.PNG]

The PAC file should now be available from http://wpad.mydomain.com/wpad.dat!


jebeling (McAfee Employee)
Message 5 of 10

Re: How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


Serving a different PAC file based on presence of MCP:

As noted above this is quite a bit more complicated but does work. The flexibility of the rules engine allows you to use any available criteria to determine which PAC file to serve to a client. Many customers already use this capability to serve different PAC files simply based on the requesting client source address. For example, the PAC file for clients with IP addresses at their APAC locations uses a default proxy cluster in their Singapore datacenter, and clients with IP addresses at their North American locations get a PAC file that uses a default proxy cluster in their Chicago datacenter. If you really want to get tricky, you could have a single PAC file with variables that are modified by the proxy on download. Sure, you could also just host different PAC files on different clusters, but there are other use cases as well, for example using a PAC file with MCP to fix Windows NCSI status indication issues as described here: https://community.mcafee.com/t5/Web-Gateway-Cloud-Service/Why-Windows-10-O365-Application-Login-Fail...

Set up MWG to check and accept MCP authentication

Prerequisite is to set up MCP authentication to be able to authenticate to MWG. This is well documented elsewhere. One of the nice things about MCP authentication is that you can apply it to any request without breaking access from clients that don't have MCP. You just need to alter the ruleset to continue if MCP authentication fails.

[Image: MCPPAC2.PNG]

Another nice thing is the rules can be modified to accept multiple customerID/shared secret pairs as I've shown above.

Redirect PAC file request through MCP to MWG

Once MCP is set up to authenticate to MWG we need to make sure that the request for the PAC file gets redirected by MCP. I prefer to host the PAC file on port 80 so that I don't need to add MCP intercept ports. But that is not enough: if your MWG hosting the PAC file is on a private address then you also need to avoid using the bypass private addresses setting and instead customize your IP Bypass List in MCP Policy to exclude the proxy addresses.

[Image: MCPPAC8.PNG]

[Image: MCPPAC6.PNG]

[Image: MCPPAC7.PNG]

Most MCP policies are designed to use the cloud service as the primary proxy. So the Alternate Proxy list must include only proxies that host the PAC file. To get traffic destined for the internal addresses to be proxied by MCP and sent to MWG, you need to either address the PAC file location on MWG as a resolvable FQDN that resolves to an IP that is not in your bypass list and with a domain in your Alternate Proxy domain list. If you are using MCP 4.1 extension, or managing MCP policy from UCE then you can use the IP address in your alternate proxy IP list and you can address the PAC file location with either FQDN or IP.

[Image: MCPPAC5.PNG]

[Image: MCPPAC3.PNG]

[Image: MCPPAC4.PNG]

Use authentication to determine which PAC file to send   

The hard parts are done. Now all you have to do is use the previously mentioned techniques to serve the PAC file based on MCP having authenticated to MWG. Obviously the ruleset needs to be placed after your MCP authentication ruleset.

[Image: MCPPAC1.PNG]

Criteria for the ruleset apply based on the requested URL host being one of the MWG names or addresses and the proxy port matching the MCP request port or port 80. 8080 is the port I have MCP configured to use. 80 is the port clients without MCP would use. 9090 is the default proxy port; it is not necessary unless you also want to make the PAC file available at http://<MWGAddress>:9090/<somepath ending in .dat or .pac>

The first rule checks if the client has authenticated with MCP and is asking for a path that ends in .dat or .pac; if the rule matches, LocalNetMCPDirect.pac is served as the requested filename.

The second rule covers all other clients requesting the PAC file directly from MWG with a path that ends in .dat or .pac; if the rule matches, LocalNetLocalProxy.pac is served as the requested filename.

This setup should also work for selectively delivering PAC files even in a transparent router or bridge configuration for MWG, but I did not test.

If you would like to test without messing with DNS records, you can use the IP of the MWG directly, or if you need to use a domain name because you are using any form of ePO and don't have the MCP 4.1 extension, you can use an etc/hosts edit on Windows to map your custom FQDN to your test proxy IP.

As always rule tracing is your friend when troubleshooting rulesets on MWG!

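The two rule sets described in message 2 (the port-80 wpad.dat hand-off to the file server) and in message 5 (picking the PAC file from MCP authentication state) are MWG GUI configuration, so there is nothing on the page to run. As an added illustration, not code from the thread or from McAfee Web Gateway, the block below models both decisions as plain functions and sketches what the two PAC files might contain, so the selection can be checked offline. The file names LocalNetMCPDirect.pac and LocalNetLocalProxy.pac, the ports 80/8080/9090/4713 and the wpad.mydomain.com name come from the thread; the other host names, the 10.0.0.0/8 subnet, the proxy address mwg.mydomain.com:9090, the DNS table and the request objects are assumptions.

```javascript
// Added example: models the MWG rule sets from messages 2 and 5 and the two
// PAC files they serve. Not MWG code; names marked "assumed" are invented here.

// --- Stand-ins for the helper functions a browser supplies to a PAC script ---
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(ip, pattern, mask) {
  // IPv4 only: true when ip falls inside pattern/mask; null ip (unresolved) never matches
  if (!ip) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function isPlainHostName(host) {
  return !host.includes(".");
}
function shExpMatch(str, shexp) {
  // Shell-style glob: * and ? are wildcards, everything else literal (escaped first)
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}
// Constructed DNS table standing in for the browser's dnsResolve()
const DNS = { "intranet.mydomain.com": "10.20.30.40", "www.example.com": "93.184.216.34" };
function dnsResolve(host) {
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return host; // IP literal resolves to itself
  return DNS[host] || null;
}

// --- The two PAC files (assumed content; the thread only gives their names) ---
const PAC_FILES = {
  // For clients that authenticated through MCP: MCP intercepts the traffic itself,
  // so the PAC only has to say DIRECT.
  "LocalNetMCPDirect.pac": function FindProxyForURL(url, host) {
    return "DIRECT";
  },
  // For everyone else: local names and RFC 1918 space go direct, the rest goes to
  // the on-prem MWG explicit proxy port, with DIRECT as the fallback.
  "LocalNetLocalProxy.pac": function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".mydomain.com") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) {
      return "DIRECT";
    }
    return "PROXY mwg.mydomain.com:9090; DIRECT";
  },
};

// --- Message 2: the port-80 rule set that exposes wpad.dat via the file server ---
function wpadPort80Rule(req) {
  // req: { port, path }. Returns what the rule set does with the request.
  if (req.port !== 80) return { action: "continue" };           // rule set not entered
  if (req.path === "/wpad.dat") {
    return { action: "stopCycle", nextHop: "localhost:4713",    // file server port
             path: "/files/LocalNetMCPDirect.pac", persistentClient: false };
  }
  return { action: "block" };                                   // everything else on port 80
}

// --- Message 5: choose the PAC file from MCP authentication state ---
const MWG_NAMES = ["wpad.mydomain.com", "mwg.mydomain.com", "10.0.0.5"]; // assumed
const PAC_PORTS = [80, 8080, 9090]; // non-MCP clients, MCP intercept port, default proxy port
function selectPacFile(req) {
  // req: { host, port, path, mcpAuthenticated }. null means the rule set does not fire.
  if (!MWG_NAMES.includes(req.host.toLowerCase()) || !PAC_PORTS.includes(req.port)) return null;
  if (!shExpMatch(req.path, "*.dat") && !shExpMatch(req.path, "*.pac")) return null;
  return req.mcpAuthenticated ? "LocalNetMCPDirect.pac" : "LocalNetLocalProxy.pac";
}

// Resolve a URL the way a browser would after loading the selected PAC file
function resolveWithPac(pacName, url, host) {
  return PAC_FILES[pacName](url, host);
}

// Constructed requests: one PAC fetch from a client behind MCP, one without
const requests = [
  { host: "wpad.mydomain.com", port: 8080, path: "/wpad.dat", mcpAuthenticated: true },
  { host: "wpad.mydomain.com", port: 80, path: "/wpad.dat", mcpAuthenticated: false },
];
for (const req of requests) {
  const pac = selectPacFile(req);
  const route = resolveWithPac(pac, "http://www.example.com/", "www.example.com");
  console.log(`port ${req.port} mcp=${req.mcpAuthenticated} -> ${pac}; www.example.com -> ${route}`);
}
```

The useful check this gives a defender is the negative cases: a PAC request on a port the rule set does not cover, or to a host that is not one of the MWG names, falls through to the rest of the policy instead of handing out a file, and on port 80 anything other than /wpad.dat is blocked, which is the "block everything else on port 80" rule from message 2.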

9 Replies

Former Member
Message 3 of 10

Re: How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


Maybe I'm missing something but how do you currently factor in the "presence" of MCP?

From my understanding you have to do some more, if you wanna check if MCP is present on the client. My take is the following:

1. On the proxies you need to have two deployments of proxy rules. One is listening on port 80 to catch all PAC-file requests without MCP and one is listening on the beginning of your proxy policy on the explicit proxy port (9090 /3128 / 8080 / whatever) with a filter on the /proxy.pac or similar. 

2.1 If you are serving PAC-files through on-premises proxies as files, the MCP policy needs to
a) exclude the proxies from the bypass (local addresses),
b) be pointed on the alternate redirection list to that proxies
c) the PAC-file request host needs to be entered into the alternate redirection list.

2.2 If you are serving the PAC-file directly out of the policy, you just need to make sure that the host from which you serve the PAC-file is intercepted as it doesn't matter if cloud/on-prem is serving the request.

3. Before/in the PAC-file deployment on your normal policy (for which MCP is intercepting) you read out/authenticate with the MCP headers

4. In the single PAC-File providing rules you add the Client.ProcessName Property for example with a hit on anything like regex(.*.) 

 

This way you:
- Can send a PAC-file with "DIRECT" statement only to clients which have a functioning MCP intercept
- Still reliably send out PAC-files with an explicit proxy statement, if MCP is either not installed or not functioning properly

jebeling (McAfee Employee)
Message 4 of 10

Re: How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


Glad you asked, documenting that was a project for today (I ran out of time last night and that is obviously the more complicated scenario). Your understanding is very good. Stay tuned.

 


Former Member
Message 6 of 10

Re: How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


As I have it configured in the same way, I have a short question, if you have found any trigger to re-apply the PAC-file to the Chrome browser? 

Background is that most of the time the connection to the VPN will be established and Chrome directly loads the PAC, but at that moment the MCP is not yet connected to the alternate proxy due to the health check probing interval etc.

The Chrome-Docs state more or less that it is the designed behaviour. 

Caching of successful PAC fetches
PAC URLs are always fetched from the network, and never from the HTTP cache. After a PAC URL is successfully fetched, its contents (which are used to create a long-lived JavaScript context) will be assumed to be fresh until either:

The network changes (IP address changes, DNS configuration changes)
The response becomes older than 12 hours
A user explicitly invalidates PAC through chrome://net-internals#proxy
Once considered stale, the PAC URL will be re-fetched the next time proxy resolution is requested.

So I'm not sure if there is any possible solution in such a scenario, besides user awareness to restart the browser and/or not use a PAC any longer.

jebeling (McAfee Employee)
Message 7 of 10

Re: How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


Excellent question. I will need to look into this further. Initial thought is you could detect this situation in your MWG rules and throw up a block page requesting that the user restart their browser or telling them how to invalidate or reload the PAC. That's not as elegant as it could be, but it's the only solution I can think of off the top of my head.

Former Member
Message 8 of 10

Re: How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


Yes and no. I don't think a block is the right way, because you may have a scenario in which you have cloud and on-prem proxies also in your primary list. You can simply not distinguish whether the client is really connected with MCP to the cloud, thus utilizing the "wrong"/fallback PAC, or if it just has a connection issue to the cloud PoP.

I'm also searching for a way to push the "Re-apply settings" button under chrome://net-internals/#proxy, but I'm not sure if that will be possible as I'm not really deep into Chrome itself. 

 

jebeling (McAfee Employee)
Message 9 of 10

Re: How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


It is tricky and messy for sure. I'd have to map out all the scenarios, but you can easily determine whether traffic came from MCP or not, both in the cloud and on MWG (based on authentication). However, you are correct, you cannot tell if the client has MCP or not, if the connection came direct explicit to the proxy due to PAC file configuration.

If MCP is configured to intercept the proxy port and doesn't bypass for localmwg (configured in the generic PAC), then clients without MCP, or clients where MCP has not yet come out of bypass, will use localmwg. Once MCP is out of bypass, it will intercept attempts on the proxy port and redirect, and then you can throw the block page because the traffic will be authenticated by MCP, if MCP is present and active. The trick in this scenario would be to identify that it was a proxy port interception vs an 80 or 443 interception, and unfortunately I cannot think of an easy way to do that.

Another thought is a daily "welcome page" for Chrome users (based on user agent) that haven't authenticated with MCP, with instructions and a link to chrome://net-internals/#proxy. This is probably the cleanest solution that I can come up with at the moment.

Former Member
Message 10 of 10

Re: How Can I Serve Different PAC or wpad.dat files on MWG Dependent on Presence of MCP?


Alright, makes sense. I just was curious if you had another approach, but it seems to be the same one. 😉
