LI Nick X.com
Blog |Follow Nick on Twitter| About
 

Recently I've been involved with a bluecoat install; one of the requirements I've been faced with was helping the client with was removing fixed proxy settings within their browsers.

For how-to references a combination of google, wikipedia and this post are good places to start; I intend to document my experience you may find some overlap.

The 1st thing to understand is that Firefox (FF) and Internet Explorer (IE) both support an "automatically detect proxy" setting, but they are implement in different ways. Both FF & IE use a proxy.pac (also known as wpad.dat) for their configuration, they just "look for it" in different ways.

The proxy pac file is a java script that tells the browsers (both FF & IE) how to connect, there's some good pac file examples here, this is what I did...

function FindProxyForURL(url, host)
{
    // The 1st if function tests if the URI should be by-passed
    // Proxy By-Pass List
    if (
        // ignore RFC 1918 internal addreses
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0") ||

        // is url is like http://server by-pass
        isPlainHostName(host) ||

        // localhost!!
        localHostOrDomainIs(host, "127.0.0.1") ||

        // by-pass internal URLS
        dnsDomainIs(host, ".mycompany.com") ||
        dnsDomainIs(host, ".mycompany.local")
        )

        // If True, tell the browser to go direct
        return "DIRECT";

        // If False, its not on the by-pass then Proxy the request if you fail to connect to the proxy, try direct.

return "PROXY 10.10.10.10:8080;DIRECT";

}

Once you're happy with what you've written you need to "publish" the pac file on a webserver for your clients to download it... I've decided to use the bluecoat proxy SG.

Now you can't upload the pac file via the GUI, you need to get down and dirty with the command line, below is an example ssh session...

Proxy> enable
Proxy# conf t
Proxy# inline accelerated-pac 123
....... Paste the contents of proxy.pac .......
123
Proxy#

Before going any further log into you're bluecoat, make sure that under Services -> Proxy Services, HTTP 80 & 8080 are set to Intercept. Next check that Services -> Management services, HTTP-Console 8081 is enabled... this service will be used to get the pac file, leave HTTPS-Console 8082 on as using the 8081 for administrator access would be a bad idea.

You will now hopefully be able to download your pac file from the following url http://10.10.10.10:8081/accelerated_pac_base.pac .. change the IP as necessary.

Once that works we're going to add some proxy policy to make that url (a) nicer (b) compatible with Firefox. In the Bluecoat GUI under policy (not the visual policy manager) make sure that the local policy is read 1st... at the top of the file list. The following ssh session of policy, re-writes the pac file for a variety of names, basically I've tried to capture every combination that a user might try.....

Proxy> enable
Proxy# conf t
Proxy# inline policy local 123
<proxy>
url=http://proxy.mycompany.local/proxy.pac authenticate(no)
url=http://proxy.mycompany.local/wpad.dat authenticate(no)
url=http://wpad.mycompany.local/wpad.dat authenticate(no)
url=http://www.wpad.com/wpad.dat authenticate(no)
url=http://proxy.mycompany.local:8081/accelerated_pac_base.pac authenticate(no)
url=http://10.10.10.10:8081/accelerated_pac_base.pac authenticate(no)

<cache>
url.domain=http://proxy.mycompany.local/proxy.pac cache(no)
url.domain=http://proxy.mycompany.local/wpad.dat cache(no)
url.domain=http://wpad.mycompany.local/wpad.dat cache(no)
url.domain=http://www.wpad.com/wpad.dat cache(no)
url.domain=http://proxy.mycompany.local:8081/accelerated_pac_base.pac cache(no)
url.domain=http://10.10.10.10:8081/accelerated_pac_base.pac cache(no)

<proxy>
url=http://proxy.mycompany.local/proxy.pac action.rewrite_pac(yes)
url=http://proxy.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://wpad.mycompany.local/wpad.dat action.rewrite_pac(yes)
url=http://www.wpad.com/wpad.dat action.rewrite_pac(yes)
url=/wpad.dat action.rewrite_pac(yes)

define action rewrite_pac
rewrite(url,"(.*)","http://10.10.10.10:8081/accelerated_pac_base.pac")
end

123
Proxy#

Phew, thats the bluecoat side of things sorted, now we need to get clients to download the file! This is where the browser have different approaches....

Internet explorer uses DCHP Option 252 to detect the proxy, you can set the option of any of the URLS you're re-writing on the bluecoat, I chose http://wpad.mycompany.local/wpad.dat .

Firefox uses DNS to detect the proxy, so you're going to need to create some records... The bluecoat was called "proxy" so an A record for proxy.mycompany.local already existed, we created a CNAME record for wpad.mycompany.local pointing to proxy.mycompany.local ... if your dns domain is something like uk.mycomany.local you'll need to add cname records wpad.uk.mycompany.local& wpad.mycompany.local and add the necessary lines to the bluecoat rewire code above.

Once done you can set either browser to "automatically detect" and finger's cross all will work!

 

 
Nick Bettison ©