
WPAD Configuration - weird behaviour

Hello Community,

We have a Sophos UTM SG330 appliance running version 9.508.

In the section: "Web Protection-> Filtering Options -> Misc" we use the following proxy auto configuration:

=======================================================================

function FindProxyForURL(url, host) {
//Don't proxy connections to the UTM web interface
//(url starts with the scheme, so the pattern needs a leading "*" to match the whole string)
if (shExpMatch(url, "*proxy.xxx.local:4444/*")) return "DIRECT";
//Exclude non-fqdn hosts from being proxied
if (isPlainHostName(host)) return "DIRECT";
//Don't proxy Connections to Legacy NGA Net
//(shExpMatch is a shell glob, not a regex: a leading "^" is matched literally and never matches a URL)
if ((shExpMatch(url, "http://194.150.1.*")) ||
(shExpMatch(url,"https://194.150.1.*"))) return "DIRECT";
if ((shExpMatch(url, "http://194.150.0.*")) ||
(shExpMatch(url,"https://194.150.0.*"))) return "DIRECT";
//Host names are compared against host, not url (url carries scheme and path)
if (shExpMatch(host, "mobile.xxx.net")) return "PROXY 10.46.0.34:8080";

//Don't proxy connections to the exempted URL matches
if (shExpMatch(host, "xxx.net")) return "DIRECT";
if (shExpMatch(host, "citrix.xxx.net")) return "DIRECT";
if (shExpMatch(host, "owa.xxx.net")) return "DIRECT";
if (shExpMatch(host, "autodiscover.xxx.net")) return "DIRECT";
if (shExpMatch(host, "autodiscover.xxx.ch")) return "DIRECT";
if (shExpMatch(host, "viewer.xxx.net")) return "DIRECT";
if (shExpMatch(host, "transfer.xxx.net")) return "DIRECT";
if (shExpMatch(host, "hotspot.xxx.net")) return "DIRECT";
if (shExpMatch(host, "remote.xxx.net")) return "DIRECT";
if (shExpMatch(host, "meeting.xxx.net")) return "DIRECT";
if (shExpMatch(host, "outlook.xxx.local")) return "DIRECT";
//host never contains a path, so no trailing "/*"
if (shExpMatch(host, "*.xxx.local")) return "DIRECT";
if (shExpMatch(host, "xxx.local")) return "DIRECT";
//Don't proxy connections to private IP addresses
//(resolve only here, so the lookup is skipped for the rules above; dnsResolve returns null on failure)
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
(resolved_ip && (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0") ||
isInNet(resolved_ip, "xxx.xx.xxx.xxx", "255.255.255.255"))))
return "DIRECT";
return "PROXY 10.46.0.34:8080";
}

=======================================================================


Now we sometimes have weird behaviour on the client PCs while accessing some websites.

For example:

1. Proxy configuration in Internet Explorer: just ticked the checkbox "Automatically detect proxy settings"

Then if we navigate to: https://www.icloud.com it isn't possible to access the website. 

That's why we have an exception defined in "Web Protection -> Filtering Options":

But the access is still not possible.

 

Now if we change the proxy settings in Internet Explorer to this:

All is working well.

 

Can someone explain this?

 

Thanks so far!
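
To see what a client will actually do with a URL under a given PAC file, here is an offline harness, added as an example and not part of the original post: it re-implements the browser-side helper functions (dnsResolve against a constructed table), keeps a condensed copy of the rules above, and reports the decision per URL, which also shows that shExpMatch treats a leading "^" literally, so regex-style anchors never match. The hosts and addresses not taken from the thread (wiki.example.net, unknown.example.org, the resolved IPs) are constructed.

```javascript
// Added example, not from the original post: an offline harness for the PAC logic
// in this thread. It re-implements the helpers a browser supplies (DNS_TABLE is
// constructed sample data) so routing decisions can be checked before the file
// is published via WPAD.
const DNS_TABLE = { "www.icloud.com": "17.253.144.10", "wiki.example.net": "192.168.5.9" };
const PROXY = "PROXY 10.46.0.34:8080";

function dnsResolve(host) { return DNS_TABLE[host] || null; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// shExpMatch is a shell-style glob over the whole string: only * and ? are special;
// everything else, including a leading "^", is literal, so regex anchors never match.
function shExpMatch(str, shexp) {
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function ipToInt(ip) { return ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0); }
function isInNet(ip, net, mask) {
  if (!ip) return false; // unresolved host: treat as not local rather than throwing
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Condensed copy of the thread's rules (the long list of exempted hosts is omitted).
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*proxy.xxx.local:4444/*")) return "DIRECT"; // UTM web interface
  if (isPlainHostName(host)) return "DIRECT";                      // non-FQDN hosts
  if (shExpMatch(host, "*.xxx.local") || shExpMatch(host, "xxx.local")) return "DIRECT";
  const resolved_ip = dnsResolve(host);
  if (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "127.0.0.0", "255.255.255.0")) return "DIRECT";
  return PROXY;
}

// Map each URL to the decision the browser would take, for review.
function evaluate(urls) {
  const out = {};
  for (const url of urls) out[url] = FindProxyForURL(url, new URL(url).hostname);
  return out;
}

const SAMPLE = ["https://www.icloud.com/", "https://proxy.xxx.local:4444/",
                "http://intranet/", "http://wiki.example.net/", "http://unknown.example.org/"];
console.log(evaluate(SAMPLE));
```

Running it shows https://www.icloud.com/ is sent to the proxy under these rules, so a Web Protection exception on the UTM is only consulted after the browser has already chosen the proxy path.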

  • I always recommend against selecting 'Automatically detect proxy settings'.

    Also, use an FQDN instead of a numeric IP.  See Configuring HTTP/S proxy access with AD SSO.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Problem with that, Bob, is if you have clients, e.g. laptops, tablets etc., that travel outside of your network. A GPO would set the proxy to whatever you set and then the clients can't access the internet when taken away from the network.

    We're using a WPAD file via an IIS server and it works wonderfully. We can throw our network clients wherever we wish, e.g. out of gateway A or B, and have gateway C as a backup.

    For clients we don't control, e.g. guests etc., we just use transparent proxy.

  • Agreed, Louis.  That link was for an explanation of why one should use an FQDN instead of a numeric IP.

    Cheers - Bob

  • For WPAD, it's definitely advisable to use an FQDN as I'm sure Firefox only uses a DNS lookup to get the file. Good thing with an FQDN is that you can then have multiple servers using a round robin etc. to issue the WPAD file. Ours works brilliantly.
