slayer977
Level 7

Log Access to proxy.pac

Hello,

as described here KB68998 it is possible to host the proxy.pac file on a web gateway. /opt/mwg/files...

Is it possible to log all clients accessing and downloading the proxy.pac from the web gateway?

If so, how?

Best Regards

- slaYer977-

0 Kudos
8 Replies
asabban
Level 17

Re: Log Access to proxy.pac

Hello,

I think if you want to log accesses to the proxy pac you will have to change the setup to see requests to the pac file in the rule engine. I don't think we have logging for the file server portion of the GUI. Basically you could do the following:

- You create a new proxy port such as port 81 on MWG and make sure it accepts transparent (non-proxy style) requests

- You point your browser to http://mwg:81/proxy.pac instead of http://mwg/files/proxy.com

- In the policy you create a rule that catches requests coming in on port 81 into a separate rule set

- In the rule set you verify that /proxy.pac was requested, and if so, load the proxy.pac from the local file server

A sample rule set may look like this (I have used port 80 in my example):

Auswahl_335.png

To see why I had to use the "Enable Next-Hop Proxy Event" look at https://kc.mcafee.com/corporate/index?page=content&id=KB74168 .

Now accesses to the proxy.pac will also go through the logging cycle and show up in the access.log. If you want you can use an Event to point to a different Log cycle, which will allow you to create a custom log for requests to the proxy.pac.

Best,

Andre

0 Kudos
slayer977
Level 7

Re: Log Access to proxy.pac

Hi Andre,

thank you very much for your answer.

It was very very helpful. I do understand all necessary configuration steps.

I tried to set it up in my lab. But it is not working. And I do not know why.

- I created a new proxy port just for the proxy.pac connections

- I put a new RuleSet at the top of all of my RuleSets

- I created those Rules

- I also tried this one, without the Next Hop Proxy Event

- When I try to get the proxy.pac directly from a browser it is not working.

So there seems to be something wrong with my proxy 8088 or with the redirection from 8088 to local file server 4713

- I can reach the proxy.pac directly through the file server listening on port 4713

How can I troubleshoot my problem?

I could not find any log in the access.log so far.

Best Regards,

-slaYer977-

0 Kudos
eelsasser
Level 15

Re: Log Access to proxy.pac

I cannot see the images you posted, but a setting that is often missed is in the Proxies section, way down at the bottom in the Advanced Settings collapsible section:

Capture.jpg

0 Kudos
slayer977
Level 7

Re: Log Access to proxy.pac

Hello,

I checked the configuration under proxies > advanced. But this did not solve my problem.

Here are my screenshots.

snap000495.jpg

- I created a new proxy port just for the proxy.pac connections

snap000496.jpg

- I put a new RuleSet at the top of all of my RuleSets

snap000498.jpg

- I created those Rules

snap000499.jpg

- I also tried this one, without the Next Hop Proxy Event

snap000501.jpg

- When I try to get the proxy.pac directly from a browser it is not working.

So there seems to be something wrong with my proxy 8088 or with the redirection from 8088 to local file server 4713

snap000500.jpg

- I can reach the proxy.pac directly through the file server listening on port 4713

Best Regards,

-slaYer977-

0 Kudos
eelsasser
Level 15

Re: Log Access to proxy.pac

You cannot use 127.0.0.1:4713 any more with the latest update. You have to use the IP address of the NIC instead:

Set URL = "http://"
+ IP.ToString (Proxy.IP)
+ ":4713/files/proxy.pac"


0 Kudos
slayer977
Level 7

Re: Log Access to proxy.pac

Hi eelsasser,

thank you very much for your help.

As you can see in my screenshots I have configured a rule set without the redirect rule.

Set URL = "http://192.168.111.210:4713/files/proxy.pac"

Here I use the ip address of the NIC. But still it is not working.

Any ideas?

Or how can I troubleshoot it?

best regards

-slaYer977-

0 Kudos
eelsasser
Level 15

Re: Log Access to proxy.pac

The only thing I can say with any certainty is this rule set works for me:

Proxy.pac
Enabled
Applies to Requests: True / Responses: False / Embedded Objects: False
1: URL.Path matches */proxy.pac
2: OR URL.Path matches */wpad.dat

Rules (columns: Enabled / Rule / Action / Events / Comments):

- Rule: Redirect (Enabled), Always
  Action: Continue
  Events:
  Set URL =
       "http://" +
       IP.ToString(Proxy.IP) +
       ":4713/files/proxy.pac"
  Comments: When a request is made to /proxy.pac or /wpad.dat, redirect it to the internally hosted proxy.pac file. This could also be redirected to another URL hosted on a web server.

- Rule: Change timeout (if necessary) (Enabled), Always
  Action: Continue
  Events:
  Header.RemoveAll("Cache-Control")
  Header.Add("Cache-Control","max-age=1800")
  Comments: Optional. By default, the TTL for the PAC file is 3600 seconds: Cache-Control: max-age=3600

- Rule: End (Enabled), Always
  Action: Stop Cycle
  Comments: Requests for the PAC file should not be processed by the rest of the policy rules.

I don't have the condition for the Proxy.Port that you do, but without it it should work for any listening port you have.

Try this out first and see if it works for you.

0 Kudos
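
Once PAC requests pass through the rule engine as in the rule set above, they reach access.log and can be summarised per client, which is what the original question asked for. The following is an added example, not part of the thread and not McAfee code; the log field order, the client addresses and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed field order (not taken from the thread):
# [time] "user" src_ip status "request line" ...
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+"(?P<user>[^"]*)"\s+(?P<ip>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<method>\S+)\s+(?P<url>\S+)[^"]*"'
)
PAC_SUFFIXES = ("/proxy.pac", "/wpad.dat")  # same paths the rule set matches

# Constructed sample data; only 192.168.111.210 and port 8088 come from the thread.
SAMPLE_LOG = '''\
[12/Mar/2013:09:01:11 +0100] "" 192.168.111.21 200 "GET http://192.168.111.210:8088/proxy.pac HTTP/1.1" "" "-" 412
[12/Mar/2013:09:01:15 +0100] "" 192.168.111.22 200 "GET /wpad.dat HTTP/1.1" "" "-" 412
[12/Mar/2013:09:02:40 +0100] "" 192.168.111.21 200 "GET http://www.example.com/index.html HTTP/1.1" "" "-" 5120
[12/Mar/2013:09:03:02 +0100] "" 192.168.111.23 502 "GET /proxy.pac HTTP/1.1" "" "-" 0
[12/Mar/2013:09:31:11 +0100] "" 192.168.111.21 200 "GET http://192.168.111.210:8088/proxy.pac HTTP/1.1" "" "-" 412
truncated entry
'''

def pac_fetches(lines):
    """Return {client_ip: {"count", "statuses", "last_seen"}} for PAC requests."""
    clients = defaultdict(lambda: {"count": 0, "statuses": set(), "last_seen": None})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # header, blank or malformed line
        try:
            path = urlsplit(m["url"]).path.lower()
        except ValueError:
            continue  # unparsable URL in the request line
        if not path.endswith(PAC_SUFFIXES):
            continue  # ordinary proxied traffic
        entry = clients[m["ip"]]
        entry["count"] += 1
        entry["statuses"].add(m["status"])
        entry["last_seen"] = m["ts"]
    return dict(clients)

def failed_clients(summary):
    """Clients that never received a 200 for the PAC file."""
    return sorted(ip for ip, e in summary.items() if "200" not in e["statuses"])

if __name__ == "__main__":
    for ip, e in sorted(pac_fetches(SAMPLE_LOG.splitlines()).items()):
        print(ip, e["count"], sorted(e["statuses"]), e["last_seen"])
```

Clients returned by `failed_clients` are the ones to look at first when the PAC download is not working, as in the port 8088 case discussed in this thread.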
asabban
Level 17

Re: Log Access to proxy.pac

Hello,

is there any useful error message shown in the browser when you manually try to access the proxy.pac on port 8088?

A packet capture could be helpful to see what MWG does with the request. You could create one in the troubleshooting section of the GUI and post it here.

Best,

Andre

0 Kudos