I've been toying with the idea for some time and my only hesitation is that there must be something I am missing that would prevent it from working.
The idea is to create a rule on the MWG7 server that says if the request IP or URL is within our private space or domain, stop processing and let it go through. We would do this in addition to or instead of using exclusions in the proxy.pac file. The only negative I see is additional traffic to MWG.
You could simply add a rule at the top of your policy which calls "Stop Cycle" for specific URLs, client or server IP addresses. This would prevent MWG from filtering internal requests. Additionally you could call the HTTP Tunnel event to prevent more of the MWG features from being called.
Please note that adding something to the PAC file or adding a rule to MWG makes a big difference. If you exclude something in the PAC file the browser will talk to the web server directly. If you add a bypass rule on MWG the browser will talk to MWG. There is no way to configure MWG in a way to tell the browser to not use a proxy server, once the browser decided to use a proxy.
So what I am hearing seems like good news to me. If everything hit MWG and we use a rule based on URL to STOP CYCLE, the traffic will pass through MWG untouched, correct? Which I realize is different than adding a bypass in the .pac file but should have the same result, no? What would be the downside to doing it this way vs the .pac exclusion?
I'm not familiar with "Additionally you could call the HTTP Tunnel event to prevent more of the MWG features from being called." Are you referring to the SSL tunnel event or is there another tunnel event?
The only downside to NOT having it pass through the MWG would be for logging (troubleshooting) purposes. When you set it to be excluded at the top level ruleset, MWG sees it and stops applying any other rules etc to it - but it logs it.
While I'm not a lumberjack, I sure do appreciate me some logs.
In some cases not logging may actually be a benefit. I generally use pac file exclusions for primarily internal applications or other known and trusted sites. Especially if either:
A) MWG breaks the traffic due to non-RFC compliance, routing, authentication or some other issue
B) There is a lot of traffic and I do not wish to have the load on the MWG or log it for that matter. In particular, if it's an internal app you could always check the logs on the actual server if need be. Things like time card systems, SharePoint, intranets, etc., would be common exclusions. Often I'll even do a DNS lookup at the top of the pac file and exclude all private IP space, not to mention short names, etc.
Rarely will I bypass the proxy for external sites. In that case, you are better off trying the stop cycle and if need be, http tunnel first. Especially as bypassing the proxy for external should entail specific firewall exclusions...
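The PAC-side exclusion described in the post above (short names, own domain, then a DNS lookup to catch all private IP space), written out as an added example that is not from the thread or from McAfee. The domain "corp.example" and the listener "mwg.corp.example:9090" are placeholders, and the PAC helper functions (isPlainHostName, dnsDomainIs, dnsResolve, isInNet) are normally supplied by the browser's PAC engine; they are re-implemented minimally here with a constructed DNS table so the file runs stand-alone under Node, and would be dropped in a real proxy.pac.

```javascript
// Added example (not from the thread): PAC logic that bypasses the proxy for
// internal traffic before it ever reaches MWG.
// Assumptions: "corp.example" and "mwg.corp.example:9090" are placeholders;
// isPlainHostName/dnsDomainIs/dnsResolve/isInNet are normally provided by the
// browser's PAC engine and are re-implemented minimally here (with a constructed
// DNS table) so the file runs stand-alone under Node.
const PROXY = "PROXY mwg.corp.example:9090"; // placeholder MWG listener
const DIRECT = "DIRECT";

// Constructed DNS table standing in for the browser's real resolver.
const FAKE_DNS = {
  "timecard.corp.example": "10.20.30.40",
  "wiki.partner.test": "172.20.1.5",
  "www.example.org": "93.184.216.34",
};

function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function dnsResolve(host) { return FAKE_DNS[host] || null; }
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | parseInt(o, 10)) >>> 0, 0);
}
// True when ip and pattern agree on every bit set in mask.
function isInNet(ip, pattern, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

function FindProxyForURL(url, host) {
  // Short (dot-less) names are intranet hosts: never send them to MWG.
  if (isPlainHostName(host)) return DIRECT;
  // Our own domain is decided by name, so no DNS lookup is spent on it.
  if (dnsDomainIs(host, ".corp.example")) return DIRECT;
  // Everything else costs one DNS lookup; exclude all RFC 1918 space
  // plus loopback, so internal apps under other names still go direct.
  const ip = dnsResolve(host);
  if (ip && (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
             isInNet(ip, "172.16.0.0", "255.240.0.0") ||
             isInNet(ip, "192.168.0.0", "255.255.0.0") ||
             isInNet(ip, "127.0.0.0", "255.0.0.0"))) {
    return DIRECT;
  }
  // Unresolvable or public hosts go through MWG for filtering and logging.
  return PROXY;
}
```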