2 Replies Latest reply on Jan 27, 2015 3:12 AM by equipereseau

    Traffic going through wrong web gateway

    ygaudet

      Hello,

      We are using a PAC file which assigns MWG_A or MWG_B based on the user's IP address. This works for the majority of traffic; however, I see that when users try to access certain websites, they do not go out through the proper MWG.

      These websites appear to be add-ons, widgets, etc. Examples are dss1.siteadvisor.com, www.google-analytics.com, crl.microsoft.com, crl.entrust.net, etc. I don't understand why the bulk of the traffic goes through the proper MWG and some of it leaks over to the other MWG.

      Any ideas?


      Thanks

        • 1. Re: Traffic going through wrong web gateway
          Jon Scholten

          Hi Ygaudet,


          I don't have an answer as to why these URLs may be leaking over to the other MWG; however, in the past I have seen inconsistency in how the "myIpAddress" function evaluates. Perhaps the underlying applications that evaluate this function get a different IP address as the result (127.0.0.1, for example) than the browser does.

          See this discussion regarding the pitfalls of it, and suggestions for alternatives:

          Re: PAC Client-IP Load Balancing, myipaddress() inconsistencies, IPv6 and more


          Best Regards,

          Jon

          • 2. Re: Traffic going through wrong web gateway
            equipereseau

            It's quite difficult to be accurate with a proxy.pac file.

            I first tried to use the client IP address, but like you, 10% of traffic went to the wrong proxy. The reason is simple: there is more than one NIC on computers. If the computer has two or more IPs (Wi-Fi IP, LAN IP, VPN IP, VMware Workstation...), the main IP address returned by the script will change.

            I'm now using DNS to redirect traffic in proxy.pac. Example:

            On each DC of each AD site, I create a local zone (not shared in AD) with only one entry, for the DC's own IP: (DC01.mydns.localisation.lan = 172.20.0.1)

            Example: if I want a specific proxy for my users in the subnet 172.20.0.0/16:

            function FindProxyForURL(url, host) {
                var MyDCIP = dnsResolve("mydns.localisation.lan");
                var PROXY1 = "PROXY srvproxy1.xxxx.xxx:8080; PROXY srvproxy3.xxxx.xxx:8080";

                // Check the DNS result of mydns.localisation.lan for specific proxy
                if (isInNet(MyDCIP, "172.20.0.0", "255.255.0.0")) {
                    return PROXY1;
                }

                // Other site checks go here; default for clients that match no site
                return "DIRECT";
            }

            The problem with this method is the behaviour of the DNS client in Windows or MacOS:

            - Windows: the first DNS server is used, but if it fails to answer even once, the second DNS server will be used until the DNS Client service is restarted. In this case, the wrong proxy will be used if the second DNS server matches another subnet in the proxy.pac.

            - MacOS: it's more complicated; the DNS server is chosen from the list provided by DHCP by a routine. It's possible to modify the DNS configuration to use them sequentially.

            Sorry for my bad English
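Added example, not code from either poster: a runnable JavaScript simulation of the two PAC selection methods discussed in this thread, the original post's myIpAddress() approach and equipereseau's DNS-based one. The PAC built-in isInNet() is re-implemented and myIpAddress()/dnsResolve() are stubbed with an injected environment so the file runs under Node without a browser. The proxy names, the 172.20.0.0/16 and 172.30.0.0/16 site ranges, the client addresses and the DNS answers are constructed placeholders; mydns.localisation.lan is the zone name from the post above.

```javascript
// Added example (not the original poster's PAC file): a PAC-style
// FindProxyForURL exercised under a simulated client environment, to compare
// the myIpAddress() and DNS-based site detection discussed in this thread.
// Host names, addresses and proxy names below are constructed placeholders.

const PROXY_SITE_A = "PROXY srvproxy1.example.test:8080; PROXY srvproxy3.example.test:8080";
const PROXY_SITE_B = "PROXY srvproxy2.example.test:8080; PROXY srvproxy4.example.test:8080";
const FALLBACK = "DIRECT";

// Parse a dotted-quad IPv4 string into an unsigned 32-bit number; null if invalid.
function ipToInt(ip) {
  if (typeof ip !== "string") return null;
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Re-implementation of the PAC built-in isInNet(ip, network, mask) for IPv4.
// Invalid or missing input (for example dnsResolve() returning null) never matches.
function isInNet(ip, network, mask) {
  const a = ipToInt(ip), n = ipToInt(network), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// Build the PAC logic against an injected environment so the same code can be
// run under different client conditions. A real PAC file would call the
// browser-provided globals myIpAddress() and dnsResolve() directly.
function buildPac(env) {
  // Method 1 (the original post's approach): choose by the client's own address.
  function byClientIp() {
    const me = env.myIpAddress();
    if (isInNet(me, "172.20.0.0", "255.255.0.0")) return PROXY_SITE_A;
    if (isInNet(me, "172.30.0.0", "255.255.0.0")) return PROXY_SITE_B;
    return FALLBACK;
  }
  // Method 2 (equipereseau's approach): resolve a private per-site zone; the
  // answering DC's address identifies the AD site, independent of local NICs.
  function byDnsSite() {
    const dcIp = env.dnsResolve("mydns.localisation.lan");
    if (isInNet(dcIp, "172.20.0.0", "255.255.0.0")) return PROXY_SITE_A;
    if (isInNet(dcIp, "172.30.0.0", "255.255.0.0")) return PROXY_SITE_B;
    return FALLBACK;
  }
  return { byClientIp, byDnsSite };
}

// Constructed client conditions: what myIpAddress() returns and which DNS
// answers the client currently receives.
function makeEnv(myIp, dnsTable) {
  return {
    myIpAddress: () => myIp,
    dnsResolve: (host) =>
      Object.prototype.hasOwnProperty.call(dnsTable, host) ? dnsTable[host] : null,
  };
}
const SITE_A_DNS = { "mydns.localisation.lan": "172.20.0.1" }; // answer from a site-A DC
const SITE_B_DNS = { "mydns.localisation.lan": "172.30.0.1" }; // answer from a site-B DC

// Browser on a site-A workstation: both methods agree.
const browser = buildPac(makeEnv("172.20.5.10", SITE_A_DNS));
// Helper application on the same workstation where myIpAddress() evaluates to
// loopback (Jon Scholten's observation): method 1 misroutes, method 2 still holds.
const helperApp = buildPac(makeEnv("127.0.0.1", SITE_A_DNS));
// Same workstation with a VPN adapter reported first (the multi-NIC case).
const vpnNic = buildPac(makeEnv("10.8.0.5", SITE_A_DNS));
// Same workstation after the Windows DNS client has switched to a site-B DNS
// server (equipereseau's caveat): method 2 now follows the wrong DC.
const dnsFailedOver = buildPac(makeEnv("172.20.5.10", SITE_B_DNS));

if (typeof require !== "undefined" && require.main === module) {
  const cases = { browser, helperApp, vpnNic, dnsFailedOver };
  for (const [name, pac] of Object.entries(cases)) {
    console.log(name.padEnd(14), "byClientIp:", pac.byClientIp(), "| byDnsSite:", pac.byDnsSite());
  }
}
```

Running the file prints one row per scenario. The loopback and VPN rows reproduce the "wrong MWG" symptom from the first post with the client-IP method alone, and the failed-over row shows the DNS method misrouting exactly as equipereseau describes; the same harness can be fed a real PAC's decision function to check both symptoms before the file is deployed.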