Showing results for 
Search instead for 
Did you mean: 
Level 9

PAC File Hosting

We host our pac files on a WAN server but I have considered moving them to the proxies themselves. Is there a native way to mirror the files across all five of my proxies? (Version, upgrading soon.)

If there isnt I will just write a script. Anyone have a unique method they use and willing to share? Thanks!

0 Kudos
5 Replies
McAfee Employee

Re: PAC File Hosting

See this post from Erik:

This will work assuming there isnt a lot of changes to the file.



Level 10

Re: PAC File Hosting

We use our 12 Gateways to propagate our PAC-Files.

We build the Pac-Files dynamicly using some Lists and defining the proxy statement  in dependency of the requested


So we have only to administer the lists. It's a littel bit tricky but it works.

There is one disadvantage. IF you have some misconfigures APPs they might fetch the pac file more the 2000 times /s

this is like a DoS to the proxy. We count the requests using PDs and block such request if it's greater than a predefined value (we use 1000r/s ).

I will add our rules on Thursday since i'm not in the office now.



Level 9

Re: PAC File Hosting

Thank you both!

Frank, I would love to have a look at that rule, I appreciate the help.

Jon, I am not sure how I didnt turn up that post in my search.   I did however have a look at my system and cant seem to locate that screen, I assume that's on 7.3.x?

EDIT: Found it, under Configuration / Central Management Configuration / Advanced Scheduled Jobs

          Not exactly out in the open.

Message was edited by: consoul on 4/30/13 1:12:18 PM CDT
0 Kudos

Re: PAC File Hosting

Another solution to propagate the pac file over WebGateway is with rsync on command line.

One WebGateway is Master and all other sync the pac file to their node after your configured time.

We use this, because we have more than one pac file in use.

And with Webgateway Fileserver we deliver the pac file with port 80.

If you wish to get more info write me a message.

I think the best solution is the dynamic pac file.

0 Kudos
Level 10

Re: PAC File Hosting


Ok here is what we do with our WebGateway - it's a little complex.... We use Version 7.2 but I expect this should work also in any 7.x version.

First of all create an empty file  (we call it proxy2.pac) and upload it to all devices. (Troubleshooting - Files)1.png

Enable HTTP Connector Port on each Device:


We also have to define a NHP to


Now you are ready to define the Rules

Be sure to define the rule before Authentication. We created a Top Level Rule Set called PAC-File handling direct after some housekeeping Rules.


You have to use This Part for Request and Response Cycle.

In GLB_FQNPROXIES you should define all IP-Adresses and hostnames the proxy should response with a pac-file (Normally all proxies ip-addresses)

We use http://<ipproxy>/proxy.pac and http://<ipproxy>/multi.pac to retrieve 2 different pac-files.

The first rules blocks all requests to filenames we do not expect. In our case we allow proxy.pac, multi.pac and test.pac. (ProxyPac-URLPath)


Here we deny requests to normal proxy.pac from some networks (define in GLB_MULTINET). Clients in this network are not allowed to use this pac-files.

Now we come to the tricky configuration

In Request Cycle define a NHP to the proxy itself


For each requested PAC-File stored the name in a user defined variable to have the information im response cycle. We loose the information in the last

step. There we set the path to the dummy file we uploaded on the device and finshed the Request Cycle.

Now the Response Cycle


For each pac-File we use a single rule set

Here is an example for our normal proxy.pac File

We store the whole Pac-File in a User Defined Variable




You can see we use some lists to file the Pac-File

There is a list GLB_PAC_USE_LOCAL_PROXY with host the client should use a dedicated proxy

also you can see 3 lists (GLB_INTRANET_IP (Pattern), GLB_INTRANET_DOMAINS, GLB_INTRANET_HOSTS) where you can define

ip ranges, hosts, domains the client can reach without using the proxy.

also we use a list (GLB_PAC_USE_127.0.0.1)  for targets where the client should not send out any paket (specially

in the next rule we replace the empty body from the locally stored file with the content we've defined and set also some header variables.


Now you the gateway send the client a pac-files.

To prevent some client to request  to many PAC-Files per second we added an additional Rule (This might happened with some misconfigured Browser Plugins or other Apps on the Client - we found clients requesting the PAC-File 10000/sec... - this is like an DoS Attack)

To prevent this we use the LocalPDs. There we count any request to the PAC-File and if the number exceeds a predefined threshold we send a block page.

This 403 HTTP Code stops requesting the PAC-File


You may ask me if you have any further questions.