Connectivity: PAC File Management Service (EP)

The Web Security Service provides a Proxy Auto Configuration (PAC) File Management interface to facilitate the Explicit Proxy connectivity method. This system allows you to create more than one PAC file, assign them to different locations, and customize them to allow or bypass specific web destinations. Then you can create WSS policy based on these locations or traffic routed from specific PAC files.

You can also create PAC files for roaming endpoints. For example, if you plan to integrate Symantec Endpoint Protection (SEP) with the WSS, you might want a separate PAC file that is used only for the SEP agent connections.
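A PAC file is JavaScript that defines `FindProxyForURL(url, host)`, and every bypass entry in it sends traffic around the service, so the match has to be exact. The following added example is not the file the WSS portal generates; it shows bypass matching on label and network boundaries, and the proxy address and bypass entries are constructed placeholders.

```javascript
// Added example, not generated by the WSS portal. The proxy host/port and
// every bypass entry below are constructed placeholders.
var PROXY = "PROXY proxy.example.invalid:8080";
var BYPASS_DOMAINS = ["intranet.example.com", "example.org"];
var BYPASS_NETS = [["10.0.0.0", 8], ["192.168.0.0", 16]];

// Match on a label boundary: "example.org" covers "www.example.org"
// but not "badexample.org" or "example.org.attacker.test".
function inDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  var at = host.length - suffix.length;
  return at > 0 && host.indexOf(suffix, at) === at;
}

// Convert a dotted-quad literal to an unsigned 32-bit number, or -1.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    if (+m[i] > 255) return -1;
    n = n * 256 + (+m[i]);
  }
  return n;
}

// True when host is an IPv4 literal inside base/bits.
function inNet(host, base, bits) {
  var ip = ipv4ToInt(host);
  if (ip < 0) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(base) / size);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case, trailing dot
  var i;
  for (i = 0; i < BYPASS_NETS.length; i++) {
    if (inNet(host, BYPASS_NETS[i][0], BYPASS_NETS[i][1])) return "DIRECT";
  }
  for (i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (inDomain(host, BYPASS_DOMAINS[i])) return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of going out unprotected.
  return PROXY;
}
```

The code uses only ES5 syntax and no browser-supplied PAC helper functions, so the same file can be exercised in Node before it is deployed.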

Technical Requirements

  • Know the single static public egress IP address.
  • Browsers and operating systems are able to accept and use PAC files.
  • Firewall rules:

    • Open port 443.
    • If your firewall allows white-listing by DNS, white-list pfms.wss.symantec.com; this is the preferred method.
    • If your firewall does not allow white-listing by DNS, allow the following static IP addresses.

      • 35.155.165.94
      • 35.162.233.131
      • 52.21.20.251
      • 52.54.167.220
      • 199.247.42.187
      • 199.19.250.187
  • The WSS supports up to 100 different PAC files.
  • The PAC File Management feature supports existing, supported authentication methods (Auth Connector, SAML, Captive Portal).

Technical Limitations

  • Use Firefox 57.0.2+; older versions of Firefox may not apply the PAC file correctly. This is a third-party limitation of the Firefox browser.
  • Internet Explorer 11, Edge, and newer versions might cache old PAC file execution results for a particular host. If this occurs, restart Internet Explorer.
  • If the browser does not accept cookies or PAC files, supportability becomes difficult.
  • If the user agent is unable to process the PAC file, there will be no protection or exceptions.

Example Procedure—New PAC File

One option is to duplicate the default PAC file and modify it.

To demonstrate the PAC File Management feature, the following steps create a new PAC file and designate its use for the SEP test Explicit Proxy location (previously entered on the Network > Locations page).

  1. In the WSS portal, select Service mode > Mobility > PAC File Management.
  2. Click New File. The portal switches to the PAC File Editor.

    1. Name the PAC file.
    2. (Optional) Describe the purpose of this PAC file.
    3. Include WSS Bypass adds any IP addresses or domains that were previously added to the portal bypass lists (Service mode > Network > Bypassed Sites). You can click the expander to view those entries; however, you cannot edit those entries here.

      Tip:  Bypass lists cannot exceed 256 KB in size.

    4. Include Office 365 Bypass adds all of the currently known Microsoft Office web application domains.
  3. Click Save.

    PAC URL

    The portal generates an explicit PAC File URL. You can copy this URL and use it for an explicit proxy configuration to guarantee that this PAC is used. For example, you can send this to the Admin who is configuring the SEP clients to direct traffic to the WSS.

  4. Continuing with the example, click the Locations tab.

    1. Click Edit Locations.

    2. Select a Location that is to connect through this PAC file. This example selects a previously added Explicit Proxy Location created to test SEP integration.

      Tip: You can have more than one location that uses the same PAC file. For more information about the Roaming Endpoints, see About the Roaming Location.

    3. Click Add and Save.
  5. Click the PAC Files link (or the Up arrow icon next to the PAC file name). The portal now displays the newly-created PAC file.

    PAC Location ID