PAC code not working

HI David,

Here are some resources to get you going

http://findproxyforurl.com/pac-functions/
community.sophos.com/.../38784
community.sophos.com/.../38787
community.sophos.com/.../38783
community.sophos.com/.../38788

something like this would be a good start for a default .pac file

function FindProxyForURL(url, host)
{

// variable strings to return
var proxy_yes = "PROXY 172.16.4.121:8080";
var proxy_no = "DIRECT";
if (shExpMatch(url, "www.mycompanywebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "www.myotherwebsite.com*")) { return proxy_no; }
if (shExpMatch(url, "www.my3rdlocalsite.com*")) { return proxy_no; }
if (shExpMatch(url, "http://192.168.1.100*")) { return proxy_no; }
// Proxy if PC is on local LAN
if (isInNet(myIpAddress(), "192.168.0.0, "255.255.255.0"))
if (isInNet(myIpAddress(), "172.16.0.0", "255.255.255.0"))
if (isInNet(myIpAddress(), "10.10.10.10", "255.255.255.0"))
return "PROXY 172.16.4.121:8080";
else
return "DIRECT";
}

the above would essentially match some urls to skip and send all the rest of the traffic to the proxy. Just replace the networks with your own.

As for load balancing, yes the management appliance can do your load balancing for you.. just make sure all of the appliances have dns entries and the appliances are in the same subnet with nothing between them (ie firewall)

notes:

#1 always make sure your internal network is omitted from the .pac file as you do not want this traffic going to the appliance (its default gateway points to the WAN)

#2 it looks like your pac file is pointed directly to the appliances (you could dns load balance with the pac file, but that would require some host look ups that are not in your pac file)

have a look here and set up the VIP (it must be resolvable and not in use)  you could configure 10.1.0.100 on the management appliance VIP and remove the two appliances..

http://swa.sophos.com/webhelp/swa/tasks/ConfigNetLoadBalancing.html?hl=load%2Cbalance  then change your var proxy_yes = "PROXY 10.1.0.100:8080";

or if you want to use dns to load balance, keep both appliances as proxies.. and then use the below code to resolve the IP of the workstation.. and say .. if workstation ip = odd numbers send to x appliance if even send to that appliance.   (step 2 is the best option)

Here are a few examples of "fun" with "pac files"  

Detailed Functions of .PAC files

ShExpMatch:

Example
// Any requests with a hostname ending with the extension .local
// will be sent direct to the Internet.

if (shExpMatch(url, "*.local"))
return "DIRECT";

Example

// A request for the host vpn.domain.com or any request for a file or folder in the
// location http://abcdomain.com/folder/ will be sent direct to the Internet.

if (shExpMatch(host, "vpn.domain.com") ||
shExpMatch(url, "abcdomain.com/.../*"))
return "DIRECT";

The shExpMatch function is used in .pac files to match the current URL against any shell expression. In addition, shExpMatch is usually used to decide which proxy to use depending on the URL that is entered. In Internet Explorer, the support for shell expressions is limited to "?" and "*" in the expressions. This is by design.

Because .pac files support the entire JavaScript language, you can use a regular expression object and the test method to test a string against a regular expression. The following code sample illustrates the use of the regular expression object in a .pac file:

function FindProxyForURL(url, host)
{
// For instance, if the server has 4 alphabetic characters,
// such as "MSDN", route it through a specific proxy:

var regexpr = /[a-zA-Z]{4}.microsoft.com/;
if(regexpr.test(host))
return "PROXY w3proxy:8080; DIRECT";

// Or else connect directly:
return "DIRECT";
}

dnsDomainIs:

Example
// If the hostname matches or contains google.com (e.g. maps.google.com, www.google.com),
// send direct to the Internet.

if (dnsDomainIs(host, ".google.com"))
return "DIRECT";

dnsDomainIs()(host, domain)
The dnsDomainIs()() function detects whether the URL host name belongs to a given DNS domain. This function is useful when you are configuring the browser not to use proxies for the local domain, as illustrated in Example 1: Proxy All Servers Except Local Hosts and Example 2: Proxy Local Servers Outside the Firewall.

This function is also useful when you are using multiple proxies for load balancing in situations where the proxy that receives the request is selected from a group of proxies based on which DNS domain the URL belongs to. For example, if you are load balancing by directing URLs containing .edu to one proxy and those containing .com to another proxy, you can check the URL host name using dnsDomainIs()().

Examples
The following statement would be true:

dnsDomainIs("www.example.com", ".example.com")
The following statements would be false:

dnsDomainIs("www", ".example.com") dnsDomainIs("www.mcom.com",
".example.com")

isInNet:

Example
// If IP of requested website website falls within IP range, send direct to the Internet.

if (isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0"))
return "DIRECT";

isInNet()(host, pattern, mask)
The isInNet()() function enables you to resolve a URL host name to an IP address and test whether it belongs to the subnet specified by the mask. This is the same type of IP address pattern matching that SOCKS uses. See Example 4: Connect Directly to a Subnet.

Parameters:
host is a DNS host name or IP address. If a host name is passed, this function will resolve it into an IP address.

pattern is an IP address pattern in the dot-separated format

mask is the IP address pattern mask that determines which parts of the IP address should be matched against. A value of 0 means ignore; 255 means match. This function is true if the IP address of the host matches the specified IP address pattern.

Examples
This statement is true only if the IP address of the host matches exactly 198.95.249.79 exactly:

isInNet(host, "198.95.249.79", "255.255.255.255")

This statement is true only if the IP address of the host matches 198.95.*.*: isInNet(host, "198.95.0.0", "255.255.0.0")

myIpAddress:

// If the machine requesting a website falls within IP range,
// send traffic via proxy 10.10.5.1 running on port 8080.

if (isInNet(myIpAddress(), "10.10.1.0", "255.255.255.0"))
return "PROXY 10.10.5.1:8080";

DnsResolve:

Returns the IP address of the host machine.

Example
// If the machine requesting a website falls within IP range,
// send traffic via proxy 10.10.5.1 running on port 8080.

if (isInNet(myIpAddress(), "10.10.1.0", "255.255.255.0"))
return "PROXY 10.10.5.1:8080";

isPlainHostName:

This function will return true if the hostname contains no dots, e.g. http://intranet
Useful when applying exceptions for internal websites, e.g. may not require resolution of a hostname to IP address to determine if local.
Example

// If user requests plain hostnames, e.g. http://intranet/,
// http://webserver-name01/, send direct.

if (isPlainHostName(host))
return "DIRECT";

localHostOrDomainIs:

Evaluates hostname and only returns true if exact hostname match is found.

Example

// If the Host requested is "www" or "www.google.com", send direct.

if (localHostOrDomainIs(host, "www.google.com"))
return "DIRECT";
Example

// If the Host requested is "google.com" or a subdomain of google.com, e.g. "example.google.com", send direct.

if (localHostOrDomainIs(host, ".google.com"))
return "DIRECT";

isResolvable:

Attempts to resolve a hostname to an IP address and returns true if successful. WARNING – This may cause a browser to temporarily hang if a domain isn’t resolvable.

If the DNS inside the firewall recognizes only internal hosts, you can use the isResolvable()() function to test whether a host name is internal or external to the network. Using this function, you can configure the browser to use direct connections to internal servers and to use the proxy only for external servers. This function is useful at sites where the internal hosts inside the firewall are able to resolve the DNS domain name of other internal hosts, but all external hosts are unresolvable. The isResolvable()() function consults DNS, attempting to resolve the host name into an IP address. See Example 3: Proxy Only Unresolved Hosts

Example

// If the host requested can be resolved by DNS, send via proxy1.example.com.

if (isResolvable(host))
return "PROXY proxy1.example.com:8080";

dnsDomainLevels:

This function returns the number of DNS domain levels (number of dots) in the hostname. Can be used to exception internal websites which use short DNS names, e.g. http://intranet

dnsDomainLevels("www") returns 0.
dnsDomainIsomainLevels("www.example.com") returns 2.

Example

// If hostname contains any dots, send via proxy1.example.com, otherwise send direct.

if (dnsDomainLevels(host) > 0)
return "PROXY proxy1.example.com:8080";
else return "DIRECT";

weekdayRange:

Allows rules to be time based, e.g. only return a proxy during specific days.

Example

// If during the period of Monday to Friday, proxy1.example.com will be returned, otherwise
// users will go direct for any day outside this period.

if (weekdayRange("MON", "FRI")) return "PROXY proxy1.example.com:8080";
else return "DIRECT";

dateRange:

Allows rules to be time based, e.g. only return a proxy during specific months.

Example

// If during the period of January to March, proxy1.example.com will be returned, otherwise
// users will go direct for any month outside this period.

if (dateRange("JAN", "MAR")) return "PROXY proxy1.example.com:8080";
else return "DIRECT";

timeRange:

Allows rules to be time based, e.g. only return a proxy during specific hours.

Example

// If during the period 8am to 6pm, proxy1.example.com will be returned, otherwise
// users will go direct for any time outside this period.

if (timeRange(8, 18)) return "PROXY proxy1.example.com:8080";
else return "DIRECT";