Well, if a tool, doesn't respect proxy settings, than this is clearly a problem - as you recognized. For those tools you could deploy MWG in a transparent fashion to catch that traffic. I would recommend to only do this for a limited amount of users. Or you could create a redirection rule on your firewall to redirect traffic to MWG transparently... Up to others if they have some smarter ideas.
We have some users from an outside company on a restricted segment in our corp network using the proxy to do VPN-SSL and it will not work with the PAC file but work with a direct proxy config in IE. Look like a conflict between the local IP address and the IP address the client is negociating from the remote connection. Base on the IP, the PAC file return either direct connection or proxy usage and IE is confuse...
PS: This is with 6.8.7
Were you ever able to get this set up properly? We have the same setup - pac files and firewall set to drop if traffic comes from client vs proxy. We see some traffic from apps (java) that tries to go direct. How do we set this up in the proxy to accept traffic from firewall ?
I believe that michael_schneider response cleared it up the most for me. if a tool or application does not supprot proxy settings or PAC files then there is not much we can do.
I have stopped using PAC files as there is too many issues with these, personally.