WPAD Configuration - weird behaviour

Hello Community,

We have a Sophos UTM SG330 appliance running version 9.508.

In the section "Web Protection -> Filtering Options -> Misc" we use the following proxy auto-configuration:

=======================================================================

function FindProxyForURL(url, host) {
    //Don't proxy connections to the UTM web interface
    //(the glob has to cover the scheme, otherwise it never matches a full URL)
    if (shExpMatch(url, "*://proxy.xxx.local:4444/*")) return "DIRECT";
    //Exclude non-fqdn hosts from being proxied
    if (isPlainHostName(host)) return "DIRECT";
    //Don't proxy Connections to Legacy NGA Net
    //(shExpMatch takes shell globs; a leading '^' would be a literal character, not an anchor)
    if (shExpMatch(url, "http://194.150.1.*") ||
        shExpMatch(url, "https://194.150.1.*")) return "DIRECT";
    if (shExpMatch(url, "http://194.150.0.*") ||
        shExpMatch(url, "https://194.150.0.*")) return "DIRECT";
    if (shExpMatch(host, "mobile.xxx.net")) return "PROXY 10.46.0.34:8080";

    //Don't proxy connections to the exempted hosts (compare the host, not the full URL)
    if (shExpMatch(host, "xxx.net")) return "DIRECT";
    if (shExpMatch(host, "citrix.xxx.net")) return "DIRECT";
    if (shExpMatch(host, "owa.xxx.net")) return "DIRECT";
    if (shExpMatch(host, "autodiscover.xxx.net")) return "DIRECT";
    if (shExpMatch(host, "autodiscover.xxx.ch")) return "DIRECT";
    if (shExpMatch(host, "viewer.xxx.net")) return "DIRECT";
    if (shExpMatch(host, "transfer.xxx.net")) return "DIRECT";
    if (shExpMatch(host, "hotspot.xxx.net")) return "DIRECT";
    if (shExpMatch(host, "remote.xxx.net")) return "DIRECT";
    if (shExpMatch(host, "meeting.xxx.net")) return "DIRECT";
    if (shExpMatch(host, "outlook.xxx.local")) return "DIRECT";
    if (shExpMatch(host, "*.xxx.local")) return "DIRECT";
    if (shExpMatch(host, "xxx.local")) return "DIRECT";
    //Don't proxy connections to private IP addresses
    //(resolve only here, so the string checks above cost no DNS lookup per request)
    var resolved_ip = dnsResolve(host);
    if (shExpMatch(host, "*.local") ||
        isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
        isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "127.0.0.0", "255.255.255.0") ||
        isInNet(resolved_ip, "xxx.xx.xxx.xxx", "255.255.255.255"))
        return "DIRECT";
    return "PROXY 10.46.0.34:8080";
}

=======================================================================

Now we sometimes have weird behaviour on the client PCs while accessing some websites.

For example:

1. Proxy configuration in Internet Explorer: just ticked the checkbox "Automatically detect proxy settings"

Then, if we navigate to https://www.icloud.com, it isn't possible to access the website.

That's why we have an exception defined in "Web Protection -> Filtering Options":

But access is still not possible.

 

Now, if we change the proxy settings in Internet Explorer to this:

Everything works fine.

Can anyone explain this?

 

Thanks so far!

  • Perhaps not picking up the wpad file? We use DHCP option 252 and an A record wpad.ourdomain.local  to serve this via one of our webservers and don't have any issue.

    There is no guarantee that your clients will pick the WPAD file up and, since win2k8, Windows DNS restricts wpad resolution too, so you have to make exceptions if using Windows DNS.

    I think there is a script floating around the net that can show you what your browsers are doing, e.g. if they are picking up the wpad file for certain URLs etc.

  • Yes, iCloud is one of the applications which needs another exception because of certificate pinning.

    Please have a look at

    I use these

    ^https?://[A-Za-z0-9.-]*icloud.com/

    ^https?://[A-Za-z0-9.-]*windows.net/

    Best

    Alex

  • I always recommend against selecting 'Automatically detect proxy settings'.

    Also, use an FQDN instead of a numeric IP.  See Configuring HTTP/S proxy access with AD SSO.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The problem with that, Bob, is if you have clients, e.g. laptops, tablets etc., that travel outside of your network. A GPO would set the proxy to whatever you set and then the clients can't access the internet when taken away from the network.

    We're using a WPAD file via an IIS server and it works wonderfully. We can throw our network clients wherever we wish, e.g. out of gateway A or B, and have gateway C as a backup.

    For clients we don't control, e.g. guests etc., we just use transparent proxy.

  • Agreed, Louis.  That link was for an explanation of why one should use an FQDN instead of a numeric IP.

    Cheers - Bob

  • For WPAD, it's definitely advisable to use an FQDN, as I'm sure Firefox only uses a DNS lookup to get the file. The good thing with an FQDN is that you can then have multiple servers using round robin etc. to issue the WPAD file. Ours works brilliantly.

  • Thank you for the answers.

    - Yes, we also use an FQDN for the proxy address (for the test and the screenshots I used the IP ^^).

    - For the WPAD delivery we also use an FQDN, "wpad.xxx.xxx".

    I've changed the PAC file:

    =======================================================

    function FindProxyForURL(url, host) {
        //Don't proxy connections to the UTM web interface
        //(the glob has to cover the scheme, otherwise it never matches a full URL)
        if (shExpMatch(url, "*://proxy.xxx.local:4444/*")) return "DIRECT";
        //Exclude non-fqdn hosts from being proxied
        if (isPlainHostName(host)) return "DIRECT";
        //Don't proxy Connections to Legacy NGA Net
        //(shExpMatch takes shell globs; a leading '^' would be a literal character, not an anchor)
        if (shExpMatch(url, "http://194.150.1.*") ||
            shExpMatch(url, "https://194.150.1.*")) return "DIRECT";
        if (shExpMatch(url, "http://194.150.0.*") ||
            shExpMatch(url, "https://194.150.0.*")) return "DIRECT";
        if (shExpMatch(host, "mobile.xxxxx.xxx")) return "PROXY proxy.xxx.local:8080";

        //Don't proxy connections to the exempted hosts (compare the host, not the full URL)
        if (shExpMatch(host, "xxxxx.xxx")) return "DIRECT";
        if (shExpMatch(host, "citrix.xxxxx.xxx")) return "DIRECT";
        if (shExpMatch(host, "owa.xxxxx.xxx")) return "DIRECT";
        if (shExpMatch(host, "autodiscover.xxxxx.xxx")) return "DIRECT";
        if (shExpMatch(host, "autodiscover.xxx.ch")) return "DIRECT";
        if (shExpMatch(host, "viewer.xxxxx.xxx")) return "DIRECT";
        if (shExpMatch(host, "transfer.xxxxx.xxx")) return "DIRECT";
        if (shExpMatch(host, "hotspot.xxxxx.xxx")) return "DIRECT";
        if (shExpMatch(host, "remote.xxxxx.xxx")) return "DIRECT";
        if (shExpMatch(host, "meeting.xxxxx.xxx")) return "DIRECT";
        if (shExpMatch(host, "outlook.xxx.local")) return "DIRECT";
        if (shExpMatch(host, "*.xxx.local")) return "DIRECT";
        if (shExpMatch(host, "xxx.local")) return "DIRECT";
        //Don't proxy connections to private IP addresses
        //(resolve only here, so the string checks above cost no DNS lookup per request)
        var resolved_ip = dnsResolve(host);
        if (shExpMatch(host, "*.local") ||
            isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
            isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
            isInNet(resolved_ip, "127.0.0.0", "255.255.255.0") ||
            isInNet(resolved_ip, "195.50.158.164", "255.255.255.255"))
            return "DIRECT";
        return "PROXY proxy.xxx.local:8080";
    }

    =======================================================

    But "https://www.icloud.com" isn't working.

     

    Now I downloaded a tool: "autproxy"

    (https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/)

    With this tool you can check the auto proxy configuration function against URLs:

     

    The proxy is returned correctly, but the website shows an error:

     

    But in the Web Filter log I don't find anything about "icloud" or requests to "icloud" from my IP address.

    If I navigate to "www.google.de", "www.facebook.de" etc., I get log file entries...

    In the Web Filtering Exception I checked the logging options:

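    The PAC logic from this thread and the "autoproxy" style check, reproduced as an added JavaScript harness that is not part of the thread or of Sophos UTM: it stubs the PAC helper functions, runs a reduced FindProxyForURL against constructed URLs, and shows why a glob such as "^http://194.150.1.*" cannot fire in an IE/WinHTTP-style engine while its unanchored form does. The host names, addresses, lookup table and the proxy name "proxy.xxx.local" are constructed placeholders.

```javascript
// Stubbed PAC helpers so the script runs in plain Node. Assumption: shExpMatch
// is a plain shell glob (only '*' and '?' special), as in WinHTTP/IE. Mozilla/
// Chromium build a regex from the glob and leave '^' unescaped, so a "^http://..."
// pattern fires there but not here: one source of browser-dependent PAC results.
const DNS = {                                   // constructed lookup table
  "fileserver.xxx.local": "10.46.0.10",
  "www.icloud.com": "203.0.113.10",             // documentation range, not Apple's
};
function dnsResolve(host) {
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return host;  // IP literal resolves to itself
  return DNS[host] || null;                             // unknown name: no answer
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")      // everything literal...
                 .replace(/\*/g, ".*").replace(/\?/g, "."); // ...except * and ?
  return new RegExp("^" + re + "$").test(str);
}
function ip2int(ip) { return ip.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0; }
function isInNet(ip, net, mask) {
  if (!ip) return false;                                // unresolved host never matches
  const m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(net) & m) >>> 0);
}
// Reduced version of the thread's PAC logic, keeping the OP's "xxx" placeholders
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  // As posted: under glob rules '^' is a literal, so this rule can never fire
  if (shExpMatch(url, "^http://194.150.1.*")) return "DIRECT";
  // Corrected form: the glob is implicitly anchored and matches the whole URL
  if (shExpMatch(url, "http://194.150.0.*")) return "DIRECT";
  if (shExpMatch(host, "*.xxx.local") || shExpMatch(host, "xxx.local")) return "DIRECT";
  const ip = dnsResolve(host);   // resolve only after the cheap string checks
  if (isInNet(ip, "10.0.0.0", "255.0.0.0") || isInNet(ip, "192.168.0.0", "255.255.0.0"))
    return "DIRECT";
  return "PROXY proxy.xxx.local:8080";
}
// Run the PAC against a list of URLs and return {url: decision}, as the tool does
function evaluate(urls) {
  const out = {};
  for (const u of urls) out[u] = FindProxyForURL(u, new URL(u).hostname);
  return out;
}
const SAMPLE_URLS = [                           // constructed test set
  "http://194.150.1.20/app", "http://194.150.0.20/app", "https://www.icloud.com/",
  "http://intranet", "http://fileserver.xxx.local/share", "http://10.46.0.50/",
];
console.log(evaluate(SAMPLE_URLS));
```

    The first URL goes to the proxy even though the legacy-net rule was meant to send it DIRECT; comparing that row with the second one is the quickest way to spot the literal '^' mistake before rolling a PAC out.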

  • I'm not that familiar with iCloud and that message isn't precise about whether the iCloud server ran into an error or the iCloud client did.  Can we see the Web Filtering log lines when that error occurred?  I bet you will need to skip the Proxy, but the log should tell us.

    Cheers - Bob

  • Hmm, we didn't find a solution. The iCloud website only works if we put in the IP address instead of ticking the checkbox for WPAD configuration in the proxy settings.