Connectivity: PAC File Management Service (EP)
The Web Security Service provides a Proxy Auto Configuration (PAC) File Management interface to facilitate the Explicit Proxy connectivity method. This system allows you to create more than one PAC file, assign them to different locations, and customize them to allow or bypass specific web destinations. Then you can create WSS policy based on these locations or traffic routed from specific PAC files.
You can also create PAC files for roaming endpoints. For example, you plan to integrate the Symantec Endpoint Protection (SEP) with the WSS. You want a separate PAC file to be used only for the SEP agent connections.
- Know the single static public egress IP address.
- Browsers and operating systems are able to accept and use PAC files.
- Open port 443.
- If your firewall allows white-listing by DNS, white-list pfms.wss.symantec.com; this is the preferred method. If your firewall does not allow white-listing by DNS, allow the following static IP addresses.
- The WSS supports up to 100 different PAC files.
- The PAC File Management feature supports the existing, supported authentication methods (Auth Connector, SAML, Captive Portal).
- Use Firefox 57.0.2 or later; older versions of Firefox may not apply the PAC file correctly. This is a third-party limitation of the Firefox browser.
- Internet Explorer 11, Edge, and newer versions might cache old PAC file execution results for a particular host. If this occurs, restart Internet Explorer.
- If the browser does not accept cookies or PAC files, supporting the deployment becomes difficult.
- If the user agent cannot process the PAC file, traffic is neither protected nor subject to the configured exceptions.
Example Procedure—New PAC File
One option is to duplicate the default PAC file and modify it.
To demonstrate the PAC File Management feature, the following steps create a new PAC file and designate its use for the SEP test Explicit Proxy location (previously entered on the Network > Locations page).
- In the WSS portal, select Service mode > Mobility > PAC File Management.
- Click New File. The portal switches to the PAC File Editor.
- Name the PAC file.
- (Optional) Describe the purpose of this PAC file.
- Include WSS Bypass adds any IP addresses or domains that were previously added to the portal bypass lists (Service mode > Network > Bypassed Sites). You can click the expander to view those entries; however, you cannot edit those entries here.
Tip: Bypass lists cannot exceed 256 KB in size.
- Include Office 365 Bypass adds all of the currently known Microsoft Office web application domains.
The portal generates an explicit PAC File URL. You can copy this URL and use it in an explicit proxy configuration to guarantee that this PAC file is used. For example, you can send it to the Admin who is configuring the SEP clients to direct traffic to the WSS.
- Continuing with the example, click the Locations tab.
- Click Edit Locations.
- Select a Location that is to connect through this PAC file. This example selects a previously added Explicit Proxy Location created to test SEP integration.
Tip: You can have more than one location that uses the same PAC file. For more information about the Roaming Endpoints, see About the Roaming Location.
- Click Add and Save.
- Click the PAC Files link (or the Up arrow icon next to the PAC file name). The portal now displays the newly created PAC file.
Because more than one PAC file can exist, the WSS selects the file to use according to the following hierarchy.
- Full custom PAC File URL—The connection always uses the parameters in this PAC file.
- Locations—The WSS checks whether the Location has an assigned PAC file. If it does, the connection proceeds with those parameters.
- Default PAC File—If no Location is assigned to the connection, the WSS uses the default PAC file (http://portal.threatpulse.com:8080/pac).
Note: The default PAC file behavior is fail open. If for some reason the client cannot connect to the WSS, it falls back and goes DIRECT.
- If you configure a connection to use the PAC File URL only up to the customer ID portion (see screenshot), then the WSS follows the Locations/Default hierarchy described in the previous two bullets.
The PFMS provides a Location called Roaming Endpoints. You can create a PAC file that applies to WSS Agents and mobile devices that access the internet when outside of the corporate network. This is available on the Locations tab of the PAC File dialog.
After the traffic reaches the WSS, your configured Authentication method is triggered (Authentication > Auth Connector > Roaming Captive Portal option or SAML).
During the creation phase or at any time afterward, you can Edit a PAC file to change its parameters. Editing requires moderate knowledge of proxy and network connectivity.
Note: PAC file edits can take up to one minute to propagate worldwide.
You can Duplicate an existing PAC file and modify it for another purpose. For example, you want to test a configuration update before implementing it.
If you have created PAC files in text files, you can Import them for use in the WSS.
- Verify that the browser can download the PAC file.
- Confirm that the provided PAC file is the correct one for the situation (Location or Roaming).
- Verify whether the issue applies to all browsers.
- Confirm whether the issue is related to one web server or several.
- Create three troubleshooting test policies:
- Public URL with no authentication required.
- URL requiring authentication, with no policy applied.
- URL with an authentication policy.