The question is often asked: which takes precedence McAfee Client Proxy (MCP) or Proxy Auto Configuration (PAC) file? The answer is “yes!” 😉 Technically the answer is MCP, but only if it is properly configured to do so. A PAC file operates at the application layer, so a PAC file has the first chance to alter an application’s traffic flow, IF the application honors the PAC file. MCP operates at the network level, so MCP has the last chance to redirect traffic FOR ANY application (whether proxy-aware or not), IF it is configured to intercept the destination/port combination. MCP can be used to redirect traffic to McAfee solutions with or without a PAC file and PAC files can be used to redirect traffic to any proxy, with or without MCP. With the multiple redirection options supported for MWG and WGCS (UCE and WPS) there is flexibility to use the appropriate methods for each system and any of their possible operating environments.

PAC files are usually only required in environments that don’t resolve external DNS and/or clients do not have a default Internet route. They also may be required if the logic for selecting the proper proxy is exceedingly complex such that it cannot be supported by MCP Policy alone. PAC files are also useful for handling systems that do not have MCP. Lastly, combining use of MCP with PAC files can be helpful in testing or transitioning to MVISION UCE in environments where PAC files are currently in use.

The Basics of PAC Files

PAC files (and WPAD, an automated distribution method for PAC files) are wonderful tools for working in explicit proxy environments and with applications that can be configured to use them. PAC files have been in use since 1996 and are well documented. PAC files operate at the application layer.

Pros

• Most flexible solution allows you to granularly determine what traffic should be directed to which proxies and what traffic should go direct
• Supports secure network environments where there is no external DNS resolution and no default route
• Most browsers are configured by default to automatically use a PAC file if the environment is configured for Web Proxy Auto Deployment (WPAD)
• Allows for granular proxy selection with different fallback options for each scenario and can even support intelligent load balancing to enhance caching performance of local proxy caches
• Supported by most browsers regardless of operating system
• Can be configured to failover, fail open, or fail closed
• Supports redirection of any port

Cons

• Only works for applications and TCP protocols that are PAC file aware and honor the PAC file
• If the PAC file cannot be reached on application start (e.g. captive portal environments) the browser or application will need to be restarted after the PAC file can be reached
• PAC file changes only get reflected when the application is restarted
• Easily bypassed or subverted unless there are compensating controls that may also impact operation in uncontrolled environments
• Does not pass any context about the client to the destination proxy
• PAC files can be complicated and difficult to maintain, syntax errors can break operation and it is easy to implement incorrect logic that results in unexpected operation
• PAC files used alone cannot transparently authenticate to a cloud proxy
• PAC files can not add encryption, some ISPs will block unencrypted proxy CONNECT requests
• Proxy selection cannot be configured for fastest response time
• Use of HTTP3/QUIC will bypass the PAC file unless the network blocks UDP on 443 and 80

The Basics of MCP

The MCP agent is also a wonderful redirection method for explicit proxy environments. Introduced by McAfee in 2014, MCP remains the most robust endpoint redirection agent available. The agent operates as a transparent web proxy for all applications. All vendor supported Windows and Mac operating system versions can utilize MCP. As previously stated, MCP operates at the network layer.

Pros

• Completely application agnostic
• Supplies prompt-less user and group information to the proxy without need for a directory connection or synch
• Highly tamper resistant, not easily bypassed, administrative controlled bypass and uninstall
• Allows for alternate proxy and bypass based on destination port, domain, IP, and process name
• Adds additional context for filtering decisions, policy name, process name, OS, OS version, system name, and more
• Can be configured to failover, fail open, or fail closed (when internet is available, but no proxies can be reached)
• Network aware, operation can be adjusted based on network location
• Redirection policy automatically updated on all clients within a few minutes of change
• When using cloud service will automatically select best proxy based on geolocation of client
• Can be used with Web Gateway Cloud Service and McAfee Web Gateway simultaneously
• Can intercept any configured port
• Proxy selection can be based on fastest response time or first available
• Can add encryption for unencrypted protocols
• MCP Policy can block HTTP3/QUIC so that this traffic doesn’t bypass the proxy

Cons

• Requires installation of an agent that only runs on Windows and Mac operating systems
• Needs to have routing to a supported proxy (cloud, or on premise)
• Requires standard DNS resolution for domain-based redirection decisions
• MCP through version 4.2 only supports redirection of HTTP and HTTPS protocols
• Through 4.2 only supports redirection of IPv4 traffic (can block use of IPv6 to force use of IPv4)
• Through 4.2 only intercepts configured ports
• Selection of the optimal cloud proxy requires DNS resolution of McAfee cloud proxy domains

Getting the Best of Both Worlds

As can be seen from the above, many of the advantages of one solution are disadvantages of the other. Systems using PAC files can coexist with systems using MCP and utilize the same services on the same network. In some situations, it may be advantageous to utilize both methods actively on the same system, or to utilize different methods in different network environments, and different systems. MCP can work with a PAC file without alterations to the existing PAC file and without alterations to any browser settings!

Please keep the following things in mind when using MCP with PAC files

• MCP can easily forward proxied requests from an application using a PAC file IF it is configured to intercept the proxy port AND the proxy address is not in the bypass list
• When MCP forwards a proxied request, bypasses and alternate proxy by domain and original destination IP will not work. Bypass and alternate proxy by process name and port will work.
• For sites that must be accessed directly, the PAC file is configured to send it DIRECT AND (MCP is configured to bypass by port (80,443), OR by destination IP, OR by process).
• For mobile systems using MCP, it is not advisable to bypass by ports 80 and 443 or by process unless you can have different MCP policies that can be applied when off net.

The attached PDF includes the information above and further details and example configurations

Useful Links

• Community Article: Using MCP in Environments with PAC Files
• KB Article: How to use Proxy Automatic Configuration with Web Gateway
• KB Article: How to host a Proxy Auto Config file (proxy.pac) on Web Gateway
• McAfee Client Proxy 4.1 Product Guide
• Mozilla Proxy Auto-Configuration (PAC) File
• Wikipedia Proxy auto-config
• Wikipedia Proxy Auto-Discovery Protocol
• Community Article: How Can MCP Policy be Changed Dynamically Based on Network Location
• Community Article: Transparent Proxy Solution for Sites with No Default Route and/or No Public DNS Resolution