jebeling
McAfee Employee
Message 1 of 3

Using MCP In Environments with PAC Files?

How can I use MCP in environments with existing PAC files or in secure networks where there is no default route and/or no external DNS resolution?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?

Accepted Solutions
jebeling
McAfee Employee
Message 2 of 3

Re: Using MCP In Environments with PAC Files?

The question is often asked: which takes precedence, McAfee Client Proxy (MCP) or a Proxy Auto Configuration (PAC) file? The answer is “yes!” 😉 Technically the answer is MCP, but only if it is properly configured to do so. A PAC file operates at the application layer, so a PAC file has the first chance to alter an application’s traffic flow, IF the application honors the PAC file. MCP operates at the network level, so MCP has the last chance to redirect traffic FOR ANY application (whether proxy-aware or not), IF it is configured to intercept the destination/port combination. MCP can be used to redirect traffic to McAfee solutions with or without a PAC file, and PAC files can be used to redirect traffic to any proxy, with or without MCP. With the multiple redirection options supported for MWG and WGCS (UCE and WPS) there is flexibility to use the appropriate methods for each system and any of their possible operating environments.

PAC files are usually only required in environments that don’t resolve external DNS and/or clients do not have a default Internet route. They also may be required if the logic for selecting the proper proxy is exceedingly complex such that it cannot be supported by MCP Policy alone. PAC files are also useful for handling systems that do not have MCP. Lastly, combining use of MCP with PAC files can be helpful in testing or transitioning to MVISION UCE in environments where PAC files are currently in use.

The Basics of PAC Files

PAC files (and WPAD, an automated distribution method for PAC files) are wonderful tools for working in explicit proxy environments and with applications that can be configured to use them. PAC files have been in use since 1996 and are well documented. PAC files operate at the application layer.

Pros

  • Most flexible solution; allows you to granularly determine what traffic should be directed to which proxies and what traffic should go direct
  • Supports secure network environments where there is no external DNS resolution and no default route
  • Most browsers are configured by default to automatically use a PAC file if the environment is configured for Web Proxy Auto Deployment (WPAD)
  • Allows for granular proxy selection with different fallback options for each scenario and can even support intelligent load balancing to enhance caching performance of local proxy caches
  • Supported by most browsers regardless of operating system
  • Can be configured to failover, fail open, or fail closed
  • Supports redirection of any port

Cons

  • Only works for applications and TCP protocols that are PAC file aware and honor the PAC file
  • If the PAC file cannot be reached on application start (e.g. captive portal environments) the browser or application will need to be restarted after the PAC file can be reached
  • PAC file changes only get reflected when the application is restarted
  • Easily bypassed or subverted unless there are compensating controls that may also impact operation in uncontrolled environments
  • Does not pass any context about the client to the destination proxy
  • PAC files can be complicated and difficult to maintain; syntax errors can break operation, and it is easy to implement incorrect logic that results in unexpected operation
  • PAC files used alone cannot transparently authenticate to a cloud proxy
  • PAC files cannot add encryption; some ISPs will block unencrypted proxy CONNECT requests
  • Proxy selection cannot be configured for fastest response time
  • Use of HTTP3/QUIC will bypass the PAC file unless the network blocks UDP on 443 and 80

The Basics of MCP

The MCP agent is also a wonderful redirection method for explicit proxy environments. Introduced by McAfee in 2014, MCP remains the most robust endpoint redirection agent available. The agent operates as a transparent web proxy for all applications. All vendor supported Windows and Mac operating system versions can utilize MCP. As previously stated, MCP operates at the network layer.

Pros

  • Completely application agnostic
  • Supplies prompt-less user and group information to the proxy without need for a directory connection or sync
  • Highly tamper resistant, not easily bypassed, administratively controlled bypass and uninstall
  • Allows for alternate proxy and bypass based on destination port, domain, IP, and process name
  • Adds additional context for filtering decisions, policy name, process name, OS, OS version, system name, and more
  • Can be configured to failover, fail open, or fail closed (when internet is available, but no proxies can be reached)
  • Network aware, operation can be adjusted based on network location
  • Redirection policy automatically updated on all clients within a few minutes of change
  • When using the cloud service, will automatically select the best proxy based on geolocation of the client
  • Can be used with Web Gateway Cloud Service and McAfee Web Gateway simultaneously
  • Can intercept any configured port
  • Proxy selection can be based on fastest response time or first available
  • Can add encryption for unencrypted protocols
  • MCP Policy can block HTTP3/QUIC so that this traffic doesn’t bypass the proxy

Cons

  • Requires installation of an agent that only runs on Windows and Mac operating systems
  • Needs to have routing to a supported proxy (cloud, or on premise)
  • Requires standard DNS resolution for domain-based redirection decisions
  • MCP through version 4.2 only supports redirection of HTTP and HTTPS protocols
  • Through 4.2 only supports redirection of IPv4 traffic (can block use of IPv6 to force use of IPv4)
  • Through 4.2 only intercepts configured ports
  • Selection of the optimal cloud proxy requires DNS resolution of McAfee cloud proxy domains

Getting the Best of Both Worlds

As can be seen from the above, many of the advantages of one solution are disadvantages of the other. Systems using PAC files can coexist with systems using MCP and utilize the same services on the same network. In some situations, it may be advantageous to utilize both methods actively on the same system, or to utilize different methods in different network environments, and different systems. MCP can work with a PAC file without alterations to the existing PAC file and without alterations to any browser settings!

Please keep the following things in mind when using MCP with PAC files:

  • MCP can easily forward proxied requests from an application using a PAC file IF it is configured to intercept the proxy port AND the proxy address is not in the bypass list
  • When MCP forwards a proxied request, bypasses and alternate proxy by domain and original destination IP will not work. Bypass and alternate proxy by process name and port will work.
  • For sites that must be accessed directly, the PAC file is configured to send it DIRECT AND (MCP is configured to bypass by port (80,443), OR by destination IP, OR by process).
  • For mobile systems using MCP, it is not advisable to bypass by ports 80 and 443 or by process unless you can have different MCP policies that can be applied when off net.

The attached PDF includes the information above and further details and example configurations.

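As an added illustration that is not part of the original post or of McAfee's software, the block below puts the PAC-side logic the post describes into a runnable PAC file and models the PAC-then-MCP ordering described under "Getting the Best of Both Worlds". The PAC helper functions (isPlainHostName, dnsDomainIs, shExpMatch, isInNet, dnsResolve) are stand-ins written here because a browser normally supplies them; every hostname, address, process name and the POLICY object are constructed placeholders, and mcpDecision is a model of the rules the post states (PAC decides first at the application layer, MCP sees only the resulting connection), not MCP's own code.

```javascript
// Added example, not from the original post or from McAfee. All names,
// addresses and the policy below are constructed placeholders.

// ---- stand-ins for the PAC helpers a browser normally supplies (assumed semantics) ----
function isPlainHostName(host) { return !host.includes('.'); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}
function isInNet(ip, net, mask) {
  const toInt = s => s.split('.').reduce((a, o) => ((a << 8) | Number(o)) >>> 0, 0);
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}
// Constructed internal resolver table: no external names resolve, as in a
// secure network without external DNS.
const INTERNAL_DNS = { 'legacy-app.partner.example': '10.5.5.5' };
function dnsResolve(host) { return INTERNAL_DNS[host] || null; }

// ---- the PAC file itself ----
// Primary proxy, secondary proxy, then fail open. Remove the trailing DIRECT
// to fail closed instead (a browser then refuses when both proxies are down).
const PROXY_CHAIN = 'PROXY proxy1.corp.example:9090; PROXY proxy2.corp.example:9090; DIRECT';

function FindProxyForURL(url, host) {
  // Plain names and the internal domain go direct; with no default route this
  // is the only path that can go direct anyway.
  if (isPlainHostName(host) || dnsDomainIs(host, '.corp.example')) return 'DIRECT';
  // Names the internal resolver maps into RFC 1918 space also go direct.
  const ip = dnsResolve(host);
  if (ip && (isInNet(ip, '10.0.0.0', '255.0.0.0') || isInNet(ip, '192.168.0.0', '255.255.0.0'))) return 'DIRECT';
  // A partner service that must never be proxied.
  if (shExpMatch(host, '*.saas-partner.example')) return 'DIRECT';
  return PROXY_CHAIN;
}

// ---- model of the ordering the post describes (illustration, not MCP code) ----
// The PAC decides first at the application layer; MCP then sees only the TCP
// connection the application opens and never the original URL host.
function mcpDecision(pacResult, destIp, destPort, processName, policy) {
  const m = /^PROXY\s+([^:;\s]+):(\d+)/.exec(pacResult);
  // Connection actually opened after honouring the PAC (first proxy in the
  // list; PAC failover to the next entry is not modelled).
  const conn = m ? { dest: m[1], port: Number(m[2]), proxied: true }
                 : { dest: destIp, port: destPort, proxied: false };
  const pass = reason => ({ action: 'pass', to: `${conn.dest}:${conn.port}`, reason });
  if (!policy.interceptPorts.includes(conn.port)) return pass('port not intercepted');
  if (policy.bypassProcesses.includes(processName)) return pass('process bypass');
  // Destination bypass is matched against what MCP sees: for a proxied
  // request that is the PAC proxy, not the original site's IP.
  if (policy.bypassDestinations.includes(conn.dest)) return pass('destination bypass');
  return { action: 'redirect', to: policy.mcpProxy,
           reason: conn.proxied ? 'forwarded proxied request' : 'intercepted direct request' };
}

// Constructed MCP policy for the walk-through: intercepts the PAC proxy port
// as well as 80/443, bypasses one process and one original site IP.
const POLICY = {
  interceptPorts: [80, 443, 9090],
  bypassProcesses: ['backupagent.exe'],
  bypassDestinations: ['203.0.113.10'],
  mcpProxy: 'cloud-proxy.example:8080',
};

// One request end to end: the application consults the PAC, then MCP sees the
// resulting connection.
function walk(host, destIp, destPort, processName) {
  return mcpDecision(FindProxyForURL('https://' + host + '/', host), destIp, destPort, processName, POLICY);
}
```

Running walk('www.example.com', '203.0.113.10', 443, 'chrome.exe') returns a redirect even though 203.0.113.10 is in bypassDestinations, because the PAC already pointed the browser at proxy1 and that is the destination MCP evaluates; the same site reached DIRECT (for example via the saas-partner rule) is bypassed. Keeping the PAC decision and the MCP policy in a table like this, and running it through the function after every change, is a cheap guard against the "incorrect logic" failure mode listed among the PAC cons.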

2 Replies

jebeling
McAfee Employee
Message 3 of 3

Re: Using MCP In Environments with PAC Files?

For those interested in how MCP works with DNS, this article will be a useful reference:

MCP Domain Based Redirection and Alternate Proxy - Working with DNS Based Filters like Umbrella 
