1278 Views 5 Replies Latest reply: May 2, 2013 4:00 AM by feickholt RSS
consoul Newcomer 35 posts since
Aug 18, 2011
Apr 30, 2013 12:12 PM

PAC File Hosting

We host our pac files on a WAN server but I have considered moving them to the proxies themselves. Is there a native way to mirror the files across all five of my proxies? (Version 7.2.0.2.0, upgrading soon.)

 

If there isn't, I will just write a script. Anyone have a unique method they use and are willing to share? Thanks!

  • Jon Scholten McAfee SME 856 posts since
    Nov 3, 2009
    1. Apr 30, 2013 12:22 PM (in response to consoul)
    Re: PAC File Hosting

    See this post from Erik:

    https://community.mcafee.com/message/281031#281031

     

    This will work assuming there aren't a lot of changes to the file.

     

    Best,

    Jon

  • feickholt Apprentice 51 posts since
    Nov 16, 2012
    2. Apr 30, 2013 12:32 PM (in response to consoul)
    Re: PAC File Hosting

    We use our 12 Gateways to propagate our PAC-Files.

    We build the PAC files dynamically using some lists and defining the proxy statement depending on the requested proxy.

    So we only have to administer the lists. It's a little bit tricky but it works.

    There is one disadvantage. If you have some misconfigured apps, they might fetch the PAC file more than 2000 times/s;

    this is like a DoS to the proxy. We count the requests using PDs and block such requests if the count is greater than a predefined value (we use 1000 r/s).

     

    I will add our rules on Thursday since I'm not in the office now.

     

    Regards

    Frank

  • florian.hallas Newcomer 26 posts since
    Jul 26, 2011
    4. May 2, 2013 2:02 AM (in response to consoul)
    Re: PAC File Hosting

    Another solution to propagate the PAC file over WebGateway is with rsync on the command line.

    One WebGateway is the master and all others sync the PAC file to their node after your configured time.

     

    We use this, because we have more than one pac file in use.

    And with the WebGateway file server we deliver the PAC file on port 80.

    If you wish to get more info, write me a message.

     

    I think the best solution is the dynamic pac file.

  • feickholt Apprentice 51 posts since
    Nov 16, 2012
    5. May 2, 2013 4:00 AM (in response to consoul)
    Re: PAC File Hosting

    10.png

    Ok here is what we do with our WebGateway - it's a little complex.... We use Version 7.2 but I expect this should work also in any 7.x version.

     

    First of all create an empty file (we call it proxy2.pac) and upload it to all devices. (Troubleshooting - Files)

    1.png

    Enable the HTTP Connector Port on each device:

    2.png

    We also have to define an NHP to 127.0.0.1:9999

     

    5.png

     

    Now you are ready to define the rules.

    Be sure to define the rule before Authentication. We created a Top Level Rule Set called PAC-File handling directly after some housekeeping rules.

    3.png

    You have to use this part for the Request and Response Cycle.

    In GLB_FQNPROXIES you should define all IP addresses and hostnames on which the proxy should respond with a PAC file (normally all proxies' IP addresses).

    We use http://<ipproxy>/proxy.pac and http://<ipproxy>/multi.pac to retrieve 2 different PAC files.

    The first rule blocks all requests to filenames we do not expect. In our case we allow proxy.pac, multi.pac and test.pac. (ProxyPac-URLPath)

    4.png

    Here we deny requests to the normal proxy.pac from some networks (defined in GLB_MULTINET). Clients in these networks are not allowed to use this PAC file.

     

    Now we come to the tricky configuration.

    In the Request Cycle define an NHP to the proxy itself.

    6.png

    For each requested PAC file we store the name in a user-defined variable to have the information in the response cycle. We lose the information in the last step. There we set the path to the dummy file we uploaded to the device and finish the Request Cycle.

     

    Now the Response Cycle

    7.png

    For each PAC file we use a single rule set.

    Here is an example for our normal proxy.pac file.

    We store the whole PAC file in a user-defined variable.

    8.png

    9.png

     

    10.png

    You can see we use some lists to fill the PAC file.

    There is a list GLB_PAC_USE_LOCAL_PROXY with hosts for which the client should use a dedicated proxy.

    Also you can see 3 lists (GLB_INTRANET_IP (Pattern), GLB_INTRANET_DOMAINS, GLB_INTRANET_HOSTS) where you can define IP ranges, hosts and domains the client can reach without using the proxy.

    Also we use a list (GLB_PAC_USE_127.0.0.1) for targets where the client should not send out any packet (especially groove.microsoft.com).

     

    In the next rule we replace the empty body from the locally stored file with the content we've defined and also set some header variables.

    11.png

     

    Now the gateway sends the client a PAC file.

     

    To prevent some clients from requesting too many PAC files per second we added an additional rule. (This might happen with some misconfigured browser plugins or other apps on the client - we found clients requesting the PAC file 10000/sec... - this is like a DoS attack.)

    To prevent this we use the LocalPDs. There we count any request to the PAC file and if the number exceeds a predefined threshold we send a block page.

    This 403 HTTP code stops the client from requesting the PAC file.

    12.png.

    You may ask me if you have any further questions.
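
The rule flow described in the post above (serve only on known proxy addresses and expected file names, cap requests per client, then fill the PAC body from lists), sketched in plain JavaScript as an added example; it is not the poster's Web Gateway rule set. The list contents, the addresses, proxy port 9090 and the `127.0.0.1:9` sink are assumptions, and `evalPac` is a hypothetical offline stand-in for a browser's PAC engine.

```javascript
const lists = { // list names follow the post; all values are constructed samples
  GLB_FQNPROXIES: ["192.0.2.1", "192.0.2.2"],
  GLB_INTRANET_IP: ["10.*", "192.168.*"],
  GLB_INTRANET_DOMAINS: ["*.corp.example"],
  GLB_INTRANET_HOSTS: ["intranet"],
  GLB_PAC_USE_LOCAL_PROXY: ["partner.example"],
  "GLB_PAC_USE_127.0.0.1": ["groove.microsoft.com"],
};
const ALLOWED_PATHS = ["/proxy.pac", "/multi.pac", "/test.pac"];
const THRESHOLD = 1000;                    // PAC requests per client per second
const DEDICATED = "PROXY 192.0.2.10:9090"; // assumed dedicated proxy
const SINK = "PROXY 127.0.0.1:9";          // assumed dead end on the client
const PROXY_PORT = 9090;                   // assumed proxy listener port

// Build the PAC text; the default statement names the proxy that was asked.
// JSON.stringify keeps list entries from breaking out of the generated script.
function buildPac(requestedProxy) {
  const m = (name) => `any(${JSON.stringify(lists[name])}, host)`;
  return [
    "function FindProxyForURL(url, host) {",
    "  function any(p, h) { for (var i = 0; i < p.length; i++) if (shExpMatch(h, p[i])) return true; return false; }",
    `  if (${m("GLB_PAC_USE_127.0.0.1")}) return "${SINK}";`,
    `  if (${m("GLB_PAC_USE_LOCAL_PROXY")}) return "${DEDICATED}";`,
    `  if (${m("GLB_INTRANET_IP")} || ${m("GLB_INTRANET_DOMAINS")} || ${m("GLB_INTRANET_HOSTS")}) return "DIRECT";`,
    `  return "PROXY ${requestedProxy}:${PROXY_PORT}";`,
    "}",
  ].join("\n");
}

// Fixed one-second window per client, standing in for the gateway's counter.
const counters = new Map();
function overLimit(clientIp, nowMs) {
  const second = Math.floor(nowMs / 1000), c = counters.get(clientIp);
  if (!c || c.second !== second) { counters.set(clientIp, { second, count: 1 }); return false; }
  return ++c.count > THRESHOLD;
}

// Rule order: known proxy address and expected file name, then rate, then body.
// req.host is only interpolated into the PAC after it matched GLB_FQNPROXIES.
function handle(req, nowMs) {
  if (!lists.GLB_FQNPROXIES.includes(req.host) || !ALLOWED_PATHS.includes(req.path)) return { status: 403 };
  if (overLimit(req.clientIp, nowMs)) return { status: 403 };
  return { status: 200, type: "application/x-ns-proxy-autoconfig", body: buildPac(req.host) };
}

// Offline stand-in for a browser's PAC engine, used to check the generated file.
function evalPac(pac, url, host) {
  const esc = (p) => p.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  const shExpMatch = (s, p) => new RegExp("^" + esc(p) + "$").test(s);
  return new Function("shExpMatch", pac + "\nreturn FindProxyForURL;")(shExpMatch)(url, host);
}
```

Because unexpected paths and hosts are rejected before the counter runs, only requests that would actually produce a PAC body count toward the per-client threshold.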
