
Implementing Web Gateway - Need Proxy File Help

I'm in the process of implementing the Web Gateway as an Explicit Proxy. We chose to use proxy.pac/wpad.dat vs. GPO because I would like to have internal network destinations not get proxied, and also have a couple of other subnets use a different instance of the proxy (we are using VMs, by the way). Does anyone have suggestions on the following?

I wrote the following, which worked to route traffic to the proxy, but was not granular enough to keep internal traffic un-proxied.

function FindProxyForURL(url, host) {
    // Only an exact match on the bare domain goes direct; every other host,
    // including internal ones such as host.domain.com, is sent to the proxy.
    if (host == "domain.com") return "DIRECT";
    else return "PROXY sophos.domain.com:8080";
}

I then did the following and now nothing is routing to the proxy.

function FindProxyForURL(url, host) {

// If the hostname matches, send direct.
    if (dnsDomainIs(host, ".domain.com") ||
        shExpMatch(host, "(*.domain.com|domain.com)"))
        return "DIRECT";
 
// If the requested website is hosted within the internal network, send direct.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.1.0.0", "255.255.0.0")
        return "DIRECT";
 
// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "PROXY sophos.domain.com:8080";
}

  • How about this for an example...

    function FindProxyForURL(url, host) {
        // 1. If destination IP address is internal or hostname resolves to internal IP, send direct.
        var resolved_ip = dnsResolve(host);
        if (isInNet(resolved_ip, "127.0.0.0", "255.255.255.0") ||
            isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(resolved_ip, "192.168.1.0", "255.255.255.0"))
            return "DIRECT";

        // 2. If the destination URL is in the list below, send direct.
        //    (url includes the scheme, so the pattern must allow for it; either site matches.)
        if (shExpMatch(url, "*://www.justanotherwayofchecking.com/*") ||
            shExpMatch(url, "*://www.justanotherwayofchecking2.com/*"))
            return "DIRECT";

        // 3. If destination domain is .contoso.com, send direct.
        if (dnsDomainIs(host, ".contoso.com"))
            return "DIRECT";

        // 4. If destination URL is FTP, send direct.
        if (shExpMatch(url, "ftp:*"))
            return "DIRECT";

        // 5. If this machine IP is in a local (corporate) /24 subnet, return proxy.
        if (isInNet(myIpAddress(), "172.16.1.0", "255.255.255.0") ||
            isInNet(myIpAddress(), "172.16.2.0", "255.255.255.0"))
            return "PROXY sophos.domain.com:8080";

        // 6. Catch all to go direct.
        return "DIRECT";
    }

    1-3: are saying that you explicitly want to go direct.

    4: Says that you want to go direct for FTP.

    5. Is saying that you will only go via the proxy if the client is in one of your corporate subnets - great for laptops that roam outside of your office subnets.

    6. Catch-all.

    TIPS:

    1. It's always best to put your explicit rules at the top to save on processing.

    2. Don't forget to apply the suggested GPO for Sophos when working with proxies. It's in the admin guide, I believe. Something about caching.

    3. IE11 and above, I believe, only support the proxy PAC string in http:// format and no longer the file:// format.

    4. Don't enable "automatically detect settings" in your browser's proxy settings - this is a DHCP proxy mechanism and open to attack.

    5. Different browsers support different settings in the proxy PAC files. So test, test, test - you might need to combine things. It is JAVA after all. Yuk!

    Sorry, I'm in a rush, so not a well-worded reply.

    Good luck!

    John 
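The second function in the question never parses: the third condition, isInNet(dnsResolve(host), ...), is missing the parenthesis that closes the if, and a PAC file that fails to parse makes browsers fall back to direct connections, which is the symptom reported. Below is an added example, not code from the thread: a Node.js harness with stand-ins for the PAC helper functions, so a corrected FindProxyForURL covering the question's requirement (internal destinations direct, a second client subnet on a different proxy instance) can be exercised offline in the spirit of John's "test, test, test". The sophos2.domain.com proxy name, the 10.2.0.0/15 client range and the DNS table are assumptions.

```javascript
// Added example, not from the thread: an offline PAC test harness for Node.js.
// Browsers provide the PAC helper functions; minimal stand-ins are defined here
// so FindProxyForURL can be exercised on sample inputs before it is deployed.
function ip2int(ip) {
  return ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
}
function isInNet(ip, pattern, mask) {
  if (!ip) return false;                 // a failed dnsResolve() never matches
  const m = ip2int(mask);
  return (ip2int(ip) & m) === (ip2int(pattern) & m);
}
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, glob) {         // shell glob: * and ? are wildcards
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                 .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
// Constructed stand-ins for the browser's DNS lookup and local address.
const DNS = { "intranet.domain.com": "10.1.5.20", "www.example.com": "93.184.216.34" };
let CLIENT_IP = "10.1.2.3";
function dnsResolve(host) {
  return /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : (DNS[host] || null);
}
function myIpAddress() { return CLIENT_IP; }

// The PAC logic: internal names and addresses go DIRECT; clients in the
// 10.2.0.0/15 range use a second proxy instance (sophos2 is a hypothetical
// name) with the main proxy as fail-over; everything else uses the main proxy.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || host == "domain.com" ||
      dnsDomainIs(host, ".domain.com") || shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "10.1.0.0", "255.255.0.0"))   // note the closing ))
    return "DIRECT";
  if (isInNet(myIpAddress(), "10.2.0.0", "255.254.0.0"))
    return "PROXY sophos2.domain.com:8080; PROXY sophos.domain.com:8080";
  return "PROXY sophos.domain.com:8080";
}
// Evaluate one request as a browser would: derive the host from the URL.
function route(url, clientIp) {
  CLIENT_IP = clientIp;
  return FindProxyForURL(url, new URL(url).hostname);
}
```

Run it with `node` after adding a few `console.log(route(...))` calls; an unresolvable external name returns null from dnsResolve and still reaches the proxy rather than crashing the script.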
