We use our 12 Gateways to propagate our PAC files.
We build the PAC files dynamically using some lists and defining the proxy statement depending on the requested
So we only have to administer the lists. It's a little bit tricky but it works.
There is one disadvantage. If you have some misconfigured apps they might fetch the PAC file more than 2000 times/s,
which is like a DoS to the proxy. We count the requests using PDs and block such requests if the number is greater than a predefined value (we use 1000 r/s).
I will add our rules on Thursday since I'm not in the office now.
Thank you both!
Frank, I would love to have a look at that rule; I appreciate the help.
Jon, I am not sure how I didn't turn up that post in my search. I did however have a look at my system and can't seem to locate that screen; I assume that's on 7.3.x?
EDIT: Found it, under Configuration / Central Management Configuration / Advanced Scheduled Jobs
Not exactly out in the open.
Another solution to propagate the PAC file over WebGateway is with rsync on the command line.
One WebGateway is the master and all others sync the PAC file to their node after your configured time.
We use this because we have more than one PAC file in use.
And with the WebGateway file server we deliver the PAC file on port 80.
If you wish to get more info, write me a message.
I think the best solution is the dynamic pac file.
Ok, here is what we do with our WebGateway - it's a little complex.... We use version 7.2 but I expect this should also work in any 7.x version.
Enable the HTTP Connector Port on each device:
We also have to define an NHP to 127.0.0.1:9999
Now you are ready to define the rules.
Be sure to define the rule before authentication. We created a top-level rule set called PAC-File handling directly after some housekeeping rules.
You have to use this part for the request and response cycle.
In GLB_FQNPROXIES you should define all IP addresses and hostnames the proxy should respond to with a PAC file (normally all proxies' IP addresses).
The first rule blocks all requests to filenames we do not expect. In our case we allow proxy.pac, multi.pac and test.pac (ProxyPac-URLPath).
Here we deny requests to the normal proxy.pac from some networks (defined in GLB_MULTINET). Clients in these networks are not allowed to use this PAC file.
Now we come to the tricky configuration.
In the request cycle define an NHP to the proxy itself.
For each requested PAC file, store the name in a user-defined variable to have the information in the response cycle. We lose the information in the last
step. There we set the path to the dummy file we uploaded on the device and finish the request cycle.
Now the response cycle
For each PAC file we use a single rule set.
Here is an example for our normal proxy.pac file
We store the whole PAC file in a user-defined variable.
You can see we use some lists to fill the PAC file.
There is a list GLB_PAC_USE_LOCAL_PROXY with hosts for which the client should use a dedicated proxy.
Also you can see 3 lists (GLB_INTRANET_IP (pattern), GLB_INTRANET_DOMAINS, GLB_INTRANET_HOSTS) where you can define
IP ranges, hosts and domains the client can reach without using the proxy.
Also we use a list (GLB_PAC_USE_127.0.0.1) for targets where the client should not send out any packet (especially groove.microsoft.com).
In the next rule we replace the empty body from the locally stored file with the content we've defined and also set some header variables.
Now the gateway sends the client a PAC file.
To prevent some clients from requesting too many PAC files per second we added an additional rule (this might happen with some misconfigured browser plugins or other apps on the client - we found clients requesting the PAC file 10000/sec... - this is like a DoS attack).
To prevent this we use the LocalPDs. There we count every request to the PAC file and if the number exceeds a predefined threshold we send a block page.
This 403 HTTP code stops the requesting of the PAC file.
You may ask me if you have any further questions.