cancel
Showing results for 
Search instead for 
Did you mean: 

Network Connect and PAC Files

Highlighted
Super Contributor

Network Connect and PAC Files

We configure our NC profiles to refer to a proxy PAC file which directs the user to an appropriate proxy server (based on their subnet address) and which has some rather complex logic about what is in our internal network (and, by inverse, what should be proxied to the Internet). If a user with a proxy PAC file setting in their browser logs into the SA, NC creates a "hybrid" PAC file called instantproxy.pac, writes it to the user's hard disk, and modifies the browser settings to point to this new PAC file. When NC terminates normally, the browser settings are reset to the settings before the NC startup.

If NC terminates abnormally, the proxy settings are left with the file://.....instantproxy.pac setting. If NC is then restarted, it recognizes that the settings were left in this state, does not modify them again, and resets them correctly when NC ends. Our problem arises if the user's next use of his/her computer is in the office. The file://....instantproxy.pac settings cause problems for the user in this case.

Is anyone else facing this problem? Any clever way to address it?

2 REPLIES 2
New Contributor

Re: Network Connect and PAC Files

I remember that I also ran into this "nasty" problem, but have no solution for you, sorry.

For testing purposes we also configured a PAC file in an NC profile one, back in OS 5.3 or something. In the end we decided to NOT use this feature, due to this unpredictable behaviour.

I am glad that we do not depend on this feature, as we configure the PAC on the client's internet explorer proxy settings.

Would this be a solution for your clients?

Highlighted
Super Contributor

Re: Network Connect and PAC Files

There are two use cases we need to address - the first is that of an employee, who normally works in a private network-connected office and has a PAC file set in their browser, who is now connecting from the Internet. Our PAC file is a CGI script which is dependent on the user's IP address to know whether to direct the user to a proxy for Internet access and to which proxy. When it is evaluated at NC start time, the PC has an Internet address, and the PAC file says to send everything direct. Once the user connects, though, we want the user to go direct only to internal web servers, and go through a proxy for Internet access while the tunnel is up.

The second case is that of an employee who works in a location which is in the private network of another enterprise. (My company has a lot of partnerships which cause this to be a common case.). In this case, the PAC file on the user's PC needs to be set to allow the user's PC to proxy out of the enterprise in which he or she sits. Once the tunnel is up, though, the following rules need to be applied -

  • Go through the other enterprise's proxy to reach the SA
  • Go direct to reach any web servers within our enterprise's network.
  • Go through our enterprise's proxy to reach the Internet.

This case, I think, absolutely needs the "merged proxy" function which the instantproxy.pac file provides.

I'll do some experimentation on the first case to see if there is a better NC proxy setting. Unfortunately, I don't think I have anyway to determine if a user falls into the first case or the second case when they logon.