5 Replies Latest reply: May 2, 2013 4:00 AM by feickholt RSS

    PAC File Hosting


      We host our pac files on a WAN server but I have considered moving them to the proxies themselves. Is there a native way to mirror the files across all five of my proxies? (Version, upgrading soon.)


      If there isnt I will just write a script. Anyone have a unique method they use and willing to share? Thanks!

        • 1. Re: PAC File Hosting
          Jon Scholten

          See this post from Erik:



          This will work assuming there isnt a lot of changes to the file.




          • 2. Re: PAC File Hosting

            We use our 12 Gateways to propagate our PAC-Files.

            We build the Pac-Files dynamicly using some Lists and defining the proxy statement  in dependency of the requested


            So we have only to administer the lists. It's a littel bit tricky but it works.

            There is one disadvantage. IF you have some misconfigures APPs they might fetch the pac file more the 2000 times /s

            this is like a DoS to the proxy. We count the requests using PDs and block such request if it's greater than a predefined value (we use 1000r/s ).


            I will add our rules on Thursday since i'm not in the office now.




            • 3. Re: PAC File Hosting

              Thank you both!


              Frank, I would love to have a look at that rule, I appreciate the help.


              Jon, I am not sure how I didnt turn up that post in my search.   I did however have a look at my system and cant seem to locate that screen, I assume that's on 7.3.x?





              EDIT: Found it, under Configuration / Central Management Configuration / Advanced Scheduled Jobs

                        Not exactly out in the open.


              Message was edited by: consoul on 4/30/13 1:12:18 PM CDT
              • 4. Re: PAC File Hosting

                Another solution to propagate the pac file over WebGateway is with rsync on command line.

                One WebGateway is Master and all other sync the pac file to their node after your configured time.


                We use this, because we have more than one pac file in use.

                And with Webgateway Fileserver we deliver the pac file with port 80.

                If you wish to get more info write me a message.


                I think the best solution is the dynamic pac file.

                • 5. Re: PAC File Hosting


                  Ok here is what we do with our WebGateway - it's a little complex.... We use Version 7.2 but I expect this should work also in any 7.x version.


                  First of all create an empty file  (we call it proxy2.pac) and upload it to all devices. (Troubleshooting - Files)1.png

                  Enable HTTP Connector Port on each Device:


                  We also have to define a NHP to




                  Now you are ready to define the Rules

                  Be sure to define the rule before Authentication. We created a Top Level Rule Set called PAC-File handling direct after some housekeeping Rules.


                  You have to use This Part for Request and Response Cycle.

                  In GLB_FQNPROXIES you should define all IP-Adresses and hostnames the proxy should response with a pac-file (Normally all proxies ip-addresses)

                  We use http://<ipproxy>/proxy.pac and http://<ipproxy>/multi.pac to retrieve 2 different pac-files.

                  The first rules blocks all requests to filenames we do not expect. In our case we allow proxy.pac, multi.pac and test.pac. (ProxyPac-URLPath)


                  Here we deny requests to normal proxy.pac from some networks (define in GLB_MULTINET). Clients in this network are not allowed to use this pac-files.


                  Now we come to the tricky configuration

                  In Request Cycle define a NHP to the proxy itself


                  For each requested PAC-File stored the name in a user defined variable to have the information im response cycle. We loose the information in the last

                  step. There we set the path to the dummy file we uploaded on the device and finshed the Request Cycle.


                  Now the Response Cycle


                  For each pac-File we use a single rule set

                  Here is an example for our normal proxy.pac File

                  We store the whole Pac-File in a User Defined Variable





                  You can see we use some lists to file the Pac-File

                  There is a list GLB_PAC_USE_LOCAL_PROXY with host the client should use a dedicated proxy

                  also you can see 3 lists (GLB_INTRANET_IP (Pattern), GLB_INTRANET_DOMAINS, GLB_INTRANET_HOSTS) where you can define

                  ip ranges, hosts, domains the client can reach without using the proxy.

                  also we use a list (GLB_PAC_USE_127.0.0.1)  for targets where the client should not send out any paket (specially groove.microsoft.com).


                  in the next rule we replace the empty body from the locally stored file with the content we've defined and set also some header variables.



                  Now you the gateway send the client a pac-files.


                  To prevent some client to request  to many PAC-Files per second we added an additional Rule (This might happened with some misconfigured Browser Plugins or other Apps on the Client - we found clients requesting the PAC-File 10000/sec... - this is like an DoS Attack)

                  To prevent this we use the LocalPDs. There we count any request to the PAC-File and if the number exceeds a predefined threshold we send a block page.

                  This 403 HTTP Code stops requesting the PAC-File


                  You may ask me if you have any further questions.