8 Replies Latest reply on Mar 13, 2012 2:27 AM by asabban

    Log Access to proxy.pac

    slayer977

      Hello,

       

      as described here KB68998 it is possible to host the proxy.pac file on a web gateway. /opt/mwg/files...

      Is it possible to log all clients accessing and downloading the proxy.pac from the web gateway?

      If so, how?

       

      Best Regards

      - slaYer977-

        • 1. Re: Log Access to proxy.pac
          asabban

          Hello,

           

          I think if you want to log accesses to the proxy pac you will have to change the setup to see requests to the pac file in the rule engine. I don't think we have logging for the file server portion of the GUI. Basically you could do the following:

           

          - You create a new proxy port such as port 81 on MWG and make sure it accepts transparent (non-proxy style) requests

          - You point your browser to http://mwg:81/proxy.pac instead of http://mwg/files/proxy.com

          - In the policy you create a rule that catches requests coming in on port 81 into a separate rule set

          - In the rule set you verify that /proxy.pac was requested, and if so, load the proxy.pac from the local file server

           

          A sample rule set may look like this (I have used port 80 in my example):

           

          Auswahl_335.png

          To see why I had to use the "Enable Next-Hop Proxy Event" look at https://kc.mcafee.com/corporate/index?page=content&id=KB74168 .

           

          Now accesses to the proxy.pac will also go through the logging cycle and show up in the access.log. If you want you can use an Event to point to a different Log cycle, which will allow you to create a custom log for requests to the proxy.pac.

           

          Best,

          Andre

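Once PAC requests pass through the rule engine and land in access.log as reply 1 describes, the clients that fetched the file can be listed from the log. This is an added example, not code from the thread or from the product: the line layout (timestamp, user, client IP, status, request line as the leading fields) and the sample lines are assumptions constructed for illustration, so adapt the regex to the log format configured on your gateway.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed leading fields: [timestamp] "user" client_ip status "METHOD URL PROTO"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+"(?P<user>[^"]*)"\s+(?P<ip>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<method>\S+)\s+(?P<url>\S+)\s+[^"]*"'
)
# File names taken from the thread (proxy.pac, wpad.dat)
PAC_NAMES = ("/proxy.pac", "/wpad.dat")

# Constructed sample log lines (not real traffic); trailing fields are ignored
SAMPLE_LOG = """\
[12/Mar/2012:09:01:10 +0100] "" 192.168.111.21 200 "GET http://mwg:8088/proxy.pac HTTP/1.1" 412 "Mozilla/5.0"
[12/Mar/2012:09:01:12 +0100] "" 192.168.111.22 200 "GET /wpad.dat HTTP/1.1" 412 "Mozilla/5.0"
[12/Mar/2012:09:02:40 +0100] "" 192.168.111.21 200 "GET http://www.example.com/index.html HTTP/1.1" 9120 "Mozilla/5.0"
[12/Mar/2012:09:05:03 +0100] "" 192.168.111.23 502 "GET http://mwg:8088/proxy.pac HTTP/1.1" 0 "Mozilla/5.0"
[12/Mar/2012:10:01:10 +0100] "" 192.168.111.21 200 "GET http://mwg:8088/proxy.pac?x=1 HTTP/1.1" 412 "Mozilla/5.0"
this line does not match the expected layout
"""


def is_pac_request(url):
    """True if the URL path ends in a PAC file name (query string ignored)."""
    return urlsplit(url).path.lower().endswith(PAC_NAMES)


def pac_clients(lines):
    """Summarise PAC downloads per client IP: successes, failures, last seen."""
    clients = defaultdict(lambda: {"ok": 0, "failed": 0, "last_seen": None})
    for line in lines:
        m = LINE_RE.match(line)
        # Skip unparseable lines and anything that is not a GET for the PAC file
        if not m or m["method"] != "GET" or not is_pac_request(m["url"]):
            continue
        entry = clients[m["ip"]]
        # A non-200 status means the client asked for the PAC but did not get it
        entry["ok" if m["status"] == "200" else "failed"] += 1
        entry["last_seen"] = m["ts"]
    return dict(clients)


if __name__ == "__main__":
    for ip, info in sorted(pac_clients(SAMPLE_LOG.splitlines()).items()):
        print(ip, info)
```

Clients that appear only under "failed" asked for the PAC file but never received it, which is the first thing to check when a new PAC port is not working.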
          • 2. Re: Log Access to proxy.pac
            slayer977

            Hi Andre,

             

            thank you very much for your answer.

            It was very very helpful. I do understand all necessary configuration steps.

            I tried to set it up in my lab. But it is not working. And I do not know why.

             

            - I created a new proxy port just for the proxy.pac connections

             

             

            - I put a new RuleSet at the top of all of my RuleSets

             

            - I created those Rules

             

            - I also tried this one, without the Next Hop Proxy Event

             

             

            - When I try to get the proxy.pac directly from a browser it is not working.

             

            So there seems to be something wrong with my proxy 8088 or with the redirection from 8088 to local file server 4713

             

            - I can reach the proxy.pac directly through the file server listening on port 4713

             

            How can I troubleshoot my problem?

            I could not find any log in the access.log so far.

             

            Best Regards,

            -slaYer977-

            • 3. Re: Log Access to proxy.pac

              I cannot see the images you posted, but a setting that is often missed is in the Proxies section, way down at the bottom in the Advanced Settings collapsible section:

              Capture.jpg

              • 4. Re: Log Access to proxy.pac
                slayer977

                Hello,

                 

                I checked the configuration under proxies > advanced. But this did not solve my problem.

                 

                Here are my screenshots.

                 

                 

                snap000495.jpg

                - I created a new proxy port just for the proxy.pac connections

                 

                 

                snap000496.jpg

                - I put a new RuleSet at the top of all of my RuleSets

                 

                snap000498.jpg

                - I created those Rules

                 

                snap000499.jpg

                - I also tried this one, without the Next Hop Proxy Event

                 

                 

                snap000501.jpg

                - When I try to get the proxy.pac directly from a browser it is not working.

                 

                So there seems to be something wrong with my proxy 8088 or with the redirection from 8088 to local file server 4713

                 

                snap000500.jpg

                - I can reach the proxy.pac directly through the file server listening on port 4713

                 

                 

                Best Regards,

                -slaYer977-

                • 5. Re: Log Access to proxy.pac

                  You cannot use 127.0.0.1:4713 any more with the latest update. You have to use the IP address of the NIC instead:

                   

                  Set URL = "http://"
                  + IP.ToString (Proxy.IP)
                  + ":4713/files/proxy.pac"


                  • 6. Re: Log Access to proxy.pac
                    slayer977

                    Hi eelsasser,

                     

                    thank you very much for your help.

                     

                    As you can see in my screenshots I have configured a rule set without the redirect rule.

                    Set URL = "http://192.168.111.210:4713/files/proxy.pac"

                     

                    Here I use the ip address of the NIC. But still it is not working.

                    Any ideas?

                    Or how can I troubleshoot it?

                     

                    best regards

                    -slaYer977-

                    • 7. Re: Log Access to proxy.pac

                      The only thing I can say with any certainty is this rule set works for me:

                       

                      Rule set: Proxy.pac (Enabled)
                      Applies to Requests: True / Responses: False / Embedded Objects: False
                      1: URL.Path matches */proxy.pac
                      2: OR URL.Path matches */wpad.dat

                      Rules (columns: Enabled, Rule, Action, Events, Comments):

                      Rule: Redirect (Enabled)
                           Always
                           Action: Continue
                           Events: Set URL = "http://" + IP.ToString(Proxy.IP) + ":4713/files/proxy.pac"
                           Comments: When a request is made to /proxy.pac or /wpad.dat, redirect it to the internally hosted proxy.pac file. This could also be redirected to another URL hosted on a web server.

                      Rule: Change timeout (if necessary) (Enabled)
                           Always
                           Action: Continue
                           Events: Header.RemoveAll("Cache-Control")
                                   Header.Add("Cache-Control","max-age=1800")
                           Comments: Optional. By default, the TTL for the PAC file is 3600 seconds: Cache-Control: max-age=3600

                      Rule: End (Enabled)
                           Always
                           Action: Stop Cycle
                           Comments: Requests for the PAC file should not be processed by the rest of the policy rules.

                       

                      I don't have the condition for the Proxy.Port that you do, but without it it should work for any listening port you have.

                       

                      Try this out first and see if it works for you.

                      • 8. Re: Log Access to proxy.pac
                        asabban

                        Hello,

                         

                        is there any useful error message shown in the browser when you manually try to access the proxy.pac on port 8088?

                         

                        A packet capture could be helpful to see what MWG does with the request. You could create one in the troubleshooting section of the GUI and post it here.

                         

                        Best,

                        Andre