This discussion has been locked.

Behavior Chrome vs IE with Web Appliance

Good morning
I'm having a pretty weird situation. I'm using Sophos web appliance in Explicit mode with the use of the .dat file. In the .dat file all internal networks have been excluded, but when I point to an internal IP address with Internet Explorer it cannot display it correctly, while with Chrome the display is correct. By removing the proxy the site is correctly displayed. I tried to see all the security settings of IE, I checked the configuration of the .dat file, the link to the internal site is direct. I don't understand how proxy configuration can affect an internal site and above all why it works with Chrome. What are the differences?
Thanks for any help
Best regards
Franco



  • Hi Franco,

    As a general rule .pac and .dat files are pretty much the same.. except in the way that you host them and the DNS requirements.

    Generally I would recommend hosting a .pac file and going with that. If you're bent on the wpad.dat file the big gotcha is to ensure DNS works both forward and backwards.

    It sounds like perhaps there may also be an error in the file itself.. in most cases if a non-IE browser fails to enact the proxy it may default to just sending the traffic out the gateway.. or vice versa.. if this happens traffic for an internal site may end up on the wrong side of the firewall.

    Some easy things to check

    Ensure the appliance and .dat host are resolvable both forwards and back, long and short name.

    Configure the browser to only use the IP and ensure ‘do not proxy local traffic’ is checked off.. then use the .dat file

    Ensure you do all testing with private browser tabs to make sure the pages are not cached

    Under the options menu ensure caching is disabled, if it's enabled clear it and disable it

    A traceroute may show different paths to the same site.. if you're into Wireshark compare pcaps

    Also export the Sophos log to a syslog server.. you should not see your IP in the logs if the request is going direct

    Here is a sample to some other goodies regarding .pac files
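
An offline check for the "error in the file itself" possibility raised above, as an added example that is not part of the original reply: it runs a constructed PAC body under Node.js, with minimal stand-ins for the browser helpers `isPlainHostName` and `isInNet`, and reports which URLs would be proxied. The proxy name `swa.example.internal:8080`, the internal ranges and the sample URLs are assumptions.

```javascript
// Offline stand-ins for PAC helpers that browsers normally provide.
const ipToInt = ip => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
const isIPv4 = h => /^(\d{1,3}\.){3}\d{1,3}$/.test(h) && h.split('.').every(o => Number(o) <= 255);

function isPlainHostName(host) { return !host.includes('.'); }

function isInNet(host, net, mask) {
  // The real isInNet resolves names through DNS; this stub handles IPv4 literals only.
  if (!isIPv4(host)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Constructed PAC body (assumption): internal ranges go DIRECT, the rest to the appliance.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return 'DIRECT';
  if (isInNet(host, '10.0.0.0', '255.0.0.0') ||
      isInNet(host, '172.16.0.0', '255.240.0.0') ||
      isInNet(host, '192.168.0.0', '255.255.0.0') ||
      isInNet(host, '127.0.0.0', '255.0.0.0')) return 'DIRECT';
  return 'PROXY swa.example.internal:8080';
}

// Evaluate the PAC decision for every URL in a list.
function auditPac(urls) {
  return urls.map(url => ({ url, decision: FindProxyForURL(url, new URL(url).hostname) }));
}

// Given URLs that are expected to bypass the proxy, return those the PAC would still proxy.
function leakedInternal(urls) {
  return auditPac(urls).filter(r => r.decision !== 'DIRECT').map(r => r.url);
}

// Constructed sample URLs; 172.32.0.1 is deliberately just outside 172.16.0.0/12.
const samples = [
  'http://192.168.10.20/app',
  'http://intranet/',
  'http://172.31.5.9:8080/',
  'http://172.32.0.1/',
  'https://www.example.com/',
];
console.table(auditPac(samples));
```

Paste the body of the real wpad.dat in place of the constructed `FindProxyForURL` to see what it returns for the internal address that fails in IE.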

  • Hello,

    I understand your situation

    There are two files, .pac and .dat files. They are just similar.. except within the means that you simply host them and therefore the DNS necessities.

    Generally, I might advocate hosting a .pac file and going with it. If you're dead set on the wpad.dat file the massive gotcha is to confirm DNS works each forward and backwards.

    It appears like maybe there may additionally be miscalculation within the file itself.. in most cases if a non i.e. browser fails to enact the proxy it should default to merely causation the traffic out the entree.. or vice versa.. if this happens traffic for an interior web site might find yourself on the wrong aspect of the firewall.

    Hope this will help you

    Thanks

  • Hi 

    Thank you very much for the answer, we are testing again with new information. One thing we are noticing is that the site should work with Microsoft Silverlight. Do you know whether there are compatibility problems between the .dat or .pac file and Silverlight?

    Thank you very much for all information

    Best regards 

    Franco

  • Not much of an MS guy .. but from what I recall SL is enforced at a lower level than the application.. i.e. if you have “use automatic settings” checked off (even if you specify a proxy).. you get cases where IE will apply the automatic setting before the proxy settings, whereas Chrome and FF enforce proxy first..

    Also make sure forward and reverse DNS works for the appliance, both short and long name... as well ensure the appliance is listed in the zones configuration in IE