6 Replies Latest reply on Feb 26, 2014 2:02 PM by eelsasser

    proxy.pac problems with IE9

    itsec

      Hi, I think this is more of a problem with IE 9 than anything else but I'm hoping someone may have experienced similar.

      Some background info:

       

      Our current setup is to serve the proxy.pac file as an .asp file from IIS.

      This uses a variable to get the IP address in order to push the client to the right proxy:

      var myip='<%=Request.ServerVariables("REMOTE_ADDR")%>';

      [If I capture a packet I can see the IP address of the client in the Response to the GET request for the proxy file.]

       

      I would like to move to using the MWG to serve the proxy file so have created a proxy.pac file and uploaded the file to /opt/mwg/files as the KB68998 directs.

       

      In testing, Chrome will read the file and go via the proxy.  I can see the GET and Response in packet captures.

      Firefox will also GET the proxy.pac file (although oddly seems to go direct for x3 frames before going via the proxy)

       

      IE9 does not do anything.  It does not even seem to attempt to GET the file and will just go direct.  If I change the auto configure url and take off /files/ or change the port then I can see an attempt to GET and a failure Response.

       

      I've tried enabling the file server in MWG and changing the port but this doesn't do anything either.

      I've tried using the file on IIS and get the same response (I've added the MIME type) yet when I use the asp file there is no problem.

       

      NB, I have the following variable instead of the asp one in the .pac file:

      var myip = myIpAddress();

      [If I capture a packet I cannot see the IP address in the Response if I am using Chrome or Firefox]

       

      Any thoughts anyone?

      thanks

        • 1. Re: proxy.pac problems with IE9

          Of course, make sure you are uploading the file named specifically proxy.pac or wpad.dat

           

          When you enter the URL directly into the address bar, does it prompt to download the file or error?

           

          http://192.168.2.230:4713/wpad.dat

          http://192.168.2.230:4713/files/proxy.pac

           

          If clearing IE's browser cache doesn't work, then I've had some weirdness in IE when switching from one proxy to another, especially if you are using WPAD (auto-detection)

          I had one machine that just refused to pull the wpad.dat file but all the others did.

           

          By renaming or deleting this key, I was able to get it working again.

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\Wpad

           

          To debug PACs I usually put an alert(myIpAddress()); in the PAC. IE pops up the dialog, but the developer's console in FF or Chrome should show the message as well.

           

           

          I'd love to get a hold of your .asp code (sanitized of course) if you are willing to share.

          • 2. Re: proxy.pac problems with IE9
            itsec

            Thanks Erik,

            I forgot to mention that I could download the file.

             

            As it was, adding the alert(myIpAddress()); option into the proxy.pac was my saver so an excellent tip!  It turned out that it was reading the IP address of one of my VMware virtual adapters.  This range isn't included in my proxy.pac file.

            So, to fix I ran

            > netsh int ip show config

            which displayed the metrics of the adapters.  Then I edited the relevant adapter interface metric so that it was higher than the others.  All is now working correctly.

             

            Re the asp code - I'm afraid it isn't anything special.  All I have done is simply replace var myip = myIpAddress(); with var myip='<%=Request.ServerVariables("REMOTE_ADDR")%>';

            The file then has a .asp extension as opposed to .pac

             

            thanks

             

            • 3. Re: proxy.pac problems with IE9

              I find that on PCs, the binding order of the NICs is important. And if you have IPv6 turned on.

              If you have multiple NICs (wired and wireless and VMnet, etc) all it returns is the first one in the binding order.


              I have occasionally seen myIpAddress return 127.0.0.1 or ::1 sometimes.

               

              That is why I like your .ASP method of using REMOTE_ADDR. When you host it on MWG, however, you don't have that dynamic web generation of the client IP address that is actually pulling the PAC file.

               

              Since you are a connoisseur of PAC files, here's a trick. If you install a PAC onto the MWG's file service, you can actually have it delivered through the proxy process itself and scan the body of the PAC and replace content with $Client.IP$

               

              For example, if you have a PAC file that has something in it like this:

               

              function FindProxyForURL(url, host) {
                  var CLIENTIP = "$Client.IP$";
                  //alert(myIpAddress());
                  // Fall back to myIpAddress() when the placeholder was not substituted
                  if (CLIENTIP == "" || CLIENTIP == "$" + "Client.IP" + "$")
                  { CLIENTIP = myIpAddress(); }

                  // ...
              }

               

              And the file is hosted on MWG (or anywhere for that matter), you can have rules that do something like this in the events as the body is delivered from the proxy:

               

              Set User-Defined.Proxy.Pac = Body.ToString(0,Body.Size)

              Body.Remove(0,Body.Size)

              Set User-Defined.Proxy.Pac = String.ReplaceAll(User-Defined.Proxy.Pac,"$Client.IP$",IP.ToString(Client.IP))

              Body.Insert(0,User-Defined.Proxy.Pac)

               

              Basically MWG does a string replace of the string "$Client.IP$" with the actual Client.IP that the proxy sees from the client requesting the PAC so that in the end the PAC file gets delivered with the PAC file modified to this with the IP address substituted:

               

              var CLIENTIP = "192.168.1.2";

               

              You can also do something similar to the RETURN values if the PAC has:

               

                  var PROXYLIST = "$Proxy.List$";

                  if (PROXYLIST == "" || PROXYLIST == "$" + "Proxy.List" + "$")

                  { PROXYLIST = "PROXY proxy.lordchariot.com:9090; DIRECT;"; } //default if not changed by MWG

                  return PROXYLIST;

               

              And you process the file through MWG:

               

              Rule: Client.IP is in range 192.168.2.0/24
                Criteria: 1: Client.IP is in range 192.168.2.0/24
                Action:   Continue
                Event:    Set User-Defined.Proxy.List = "PROXY 192.168.2.222; PROXY 192.168.2.223; DIRECT;"
              Rule: Replace $Proxy.List$ and $Client.IP$
                Criteria: Always
                Action:   Continue
                Event:    Set User-Defined.Proxy.Pac = String.ReplaceAll(User-Defined.Proxy.Pac,"$Proxy.List$",User-Defined.Proxy.List)

               

               

               

              Clearly, this is an advanced technique that needs to be considered appropriately when you design your infrastructure but it can be done.
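
The failure mode from reply 2 and the placeholder technique from reply 3, as an added example that is not part of the original thread or of MWG: a small Node.js harness evaluates a constructed PAC template with `myIpAddress()` pinned to different adapters, before and after a server-side substitution. `renderPac`, `evalPac`, the 192.168.56.1 and 192.168.2.45 addresses and `proxy.example.internal` are assumptions; the input checks are there because the substituted values become script source.

```javascript
// Constructed PAC template using the thread's placeholder convention.
const PAC_TEMPLATE = `
function FindProxyForURL(url, host) {
  var CLIENTIP = "$Client.IP$";
  if (CLIENTIP == "" || CLIENTIP == "$" + "Client.IP" + "$") { CLIENTIP = myIpAddress(); }
  var PROXYLIST = "$Proxy.List$";
  if (PROXYLIST == "" || PROXYLIST == "$" + "Proxy.List" + "$")
  { PROXYLIST = "PROXY proxy.example.internal:9090; DIRECT"; } // constructed default
  // Constructed policy: only clients in 192.168.2.0/24 are sent to a proxy.
  return isInNet(CLIENTIP, "192.168.2.0", "255.255.255.0") ? PROXYLIST : "DIRECT";
}`;

// The substituted values become script source, so accept only strict formats.
const isIPv4 = s => /^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split(".").every(o => Number(o) <= 255);
const ENTRY = "(?:(?:PROXY|SOCKS) [\\w.-]+(?::\\d+)?|DIRECT)";
const isProxyList = s => new RegExp(`^${ENTRY}(?:; ?${ENTRY})*;?$`).test(s);

// Hypothetical stand-in for the server-side String.ReplaceAll step.
function renderPac(template, clientIp, proxyList) {
  if (!isIPv4(clientIp)) throw new Error("refusing to embed non-IPv4 client address");
  if (!isProxyList(proxyList)) throw new Error("refusing to embed malformed proxy list");
  // split/join substitutes literally; a replace() replacement string would expand "$&"-style patterns.
  return template.split("$Client.IP$").join(clientIp).split("$Proxy.List$").join(proxyList);
}

// Minimal IPv4 isInNet, standing in for the browser's PAC helper.
const toInt = ip => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
const isInNet = (ip, net, mask) => (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));

// Evaluate a PAC source with myIpAddress() pinned to one adapter's address.
function evalPac(source, adapterIp, url, host) {
  const load = new Function("myIpAddress", "isInNet", "alert", source + "\nreturn FindProxyForURL;");
  return load(() => adapterIp, isInNet, () => {})(url, host);
}

const LIST = "PROXY 192.168.2.222; PROXY 192.168.2.223; DIRECT;"; // value from the thread
const TEST_URL = "http://example.com/", HOST = "example.com";

// Same client, four situations; only the adapter answer or the substitution changes.
function demo() {
  const rendered = renderPac(PAC_TEMPLATE, "192.168.2.45", LIST); // constructed client IP
  return {
    rawLanAdapter: evalPac(PAC_TEMPLATE, "192.168.2.45", TEST_URL, HOST),
    rawVmAdapter: evalPac(PAC_TEMPLATE, "192.168.56.1", TEST_URL, HOST), // virtual NIC first in binding order
    rawLoopback: evalPac(PAC_TEMPLATE, "127.0.0.1", TEST_URL, HOST),
    renderedVmAdapter: evalPac(rendered, "192.168.56.1", TEST_URL, HOST),
  };
}
console.log(demo());
```

The two raw cases that return `DIRECT` are the silent bypass seen in the thread: the browser fetched and ran the PAC, but the address it reported was outside every range the file knew about.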

              • 4. Re: proxy.pac problems with IE9
                itsec

                wow!  That's pretty cool and way above my level!  Might have a look into it in the future as I have had to ditch hosting the pac file on the proxies because of the problems with multiple IP addresses and gone back to the asp method.

                thanks for the tip tho

                • 5. Re: proxy.pac problems with IE9
                  bornheim

                  Hi eelsasser,

                   

                  I would like to deploy this technique. I host a proxy.pac file on MWG and got a client to fetch it via a transparent Squid proxy. I do see the client getting the file in Squid's access.log and I can provoke alert()s at the client. Surprisingly I do not see the client getting the file in MWG's access.log or in Rule tracing.

                   

                  But what I would like to know most desperately is: in which part of the Rule Sets would I insert those rules? There should be some criteria like "only do this when acting as file server, not when acting as proxy" and "only do this when file name is /files/proxy.pac".

                   

                  Kind regards,

                  Robert

                  • 6. Re: proxy.pac problems with IE9

                    When you are hosting the PAC files on MWG's files server (usually on port 4713), the request does not go through the rules or logs or rule tracing. It's completely separate.

                     

                    You would have to get the PAC file from the proxy's listening port (9090) in order to modify the content as it's being delivered, and the Rules would then retrieve the files from itself on Proxy.IP:4713.