Level 7

Traffic going through wrong web gateway


We are using a pacfile which assigns MWG_A or MWG_B based on the user's IP address.  This is working for the majority of traffic, however, I see that when users try to access certain websites, they do not go out the proper MWG.

These websites appear to be add-ons, widgets, etc.  Examples are,,,, etc.  I don't understand why the bulk of the traffic goes through the proper MWG and some of it leaks over to the other MWG.

Any ideas?


0 Kudos
2 Replies
McAfee Employee

Re: Traffic going through wrong web gateway

Hi Ygaudet,

I don't have an answer as to why these URLs may be leaking over to the other MWG, however in the past I have seen inconsistency with how the "myIPaddress" function evaluates. Perhaps for the underlying applications that are evaluating this function, they get a different result IP address ( for example) than what the browser gets.

See this discussion regarding the pitfalls of it, and suggestions for alternatives:

Best Regards,


0 Kudos
Level 7

Re: Traffic going through wrong web gateway

It's quite difficult to be accurate with a proxy.pac file.

I first tried to use the client IP address, but like you, 10% of traffic went to the bad proxy. The reason is simple: there is more than one NIC on computers. If the computer has two or more IPs (Wi-Fi IP, LAN IP, VPN IP, VMware Workstation...), the main IP address returned by the script will change.

I'm now using DNS to redirect traffic in proxy.pac, for example:

On each DC of each AD site, I create a local zone (do not share it in AD) with only one entry for the DC IP itself: (DC01.mydns.localisation.lan =

Example: if I want a specific proxy for my users in the subnet

    var MyDCIP = dnsResolve("mydns.localisation.lan");

    // Check the DNS result of mydns.localisation.lan for specific proxy
    if (isInNet(MyDCIP, "", "")) {
        return PROXY1;
    }

The problem with this method is the behaviour of the DNS client in Windows or macOS:

- Windows: the first DNS server is used, but if it fails to answer just one time, the second DNS server will be used until the DNS client service is restarted. In this case, the wrong proxy will be used if the second DNS server matches another subnet in the proxy.pac.

- macOS: it's more complicated, the DNS server is chosen from the list provided by DHCP by a routine; it's possible to modify the DNS configuration to use them sequentially.

Sorry for my bad English

0 Kudos
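
The DNS-based selection described in the reply above, as an added example that is not part of the original thread: it handles a failed sentinel lookup explicitly and shows what happens when the lookup is answered by another site's DNS server. The subnets, proxy host names and port are constructed placeholders, `chooseProxy`, `inNet` and `ipToInt` are hypothetical helper names, and falling back to a fixed proxy order rather than DIRECT is a choice made for the example.

```javascript
// Constructed values: site subnets and proxy host:port are placeholders.
const SITES = [
  { net: "10.1.0.0", mask: "255.255.0.0", proxy: "PROXY mwg-a.example.lan:9090" },
  { net: "10.2.0.0", mask: "255.255.0.0", proxy: "PROXY mwg-b.example.lan:9090" },
];
const SENTINEL = "mydns.localisation.lan"; // site-local record name from the post

// Dotted quad -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Stand-in for the PAC built-in isInNet(), so the block runs outside a browser.
// Unlike a bare isInNet(null, ...), it returns false on a failed lookup.
function inNet(ip, net, mask) {
  const i = ipToInt(ip), n = ipToInt(net), k = ipToInt(mask);
  if (i === null || n === null || k === null) return false;
  return ((i & k) >>> 0) === ((n & k) >>> 0);
}

// resolve is injected; in a deployed PAC file it is the built-in dnsResolve().
function chooseProxy(resolve) {
  let ip = null;
  try { ip = resolve(SENTINEL); } catch (e) { ip = null; }
  const home = SITES.find((s) => inNet(ip, s.net, s.mask));
  if (!home) {
    // Lookup failed or resolved outside every known site:
    // fixed, predictable order and never DIRECT.
    return SITES.map((s) => s.proxy).join("; ");
  }
  // Home gateway first, remaining gateways as failover.
  const rest = SITES.filter((s) => s !== home).map((s) => s.proxy);
  return [home.proxy, ...rest].join("; ");
}

// PAC entry point; outside a browser dnsResolve is absent and the lookup "fails".
function FindProxyForURL(url, host) {
  const resolver = typeof dnsResolve === "function" ? dnsResolve : () => null;
  return chooseProxy(resolver);
}
```

Calling `chooseProxy` with a resolver that returns an address in the second subnet reproduces the Windows case from the post: the client sits in site A, but the answer comes from site B's DNS server and the site B gateway is selected.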