3

I am gonna throw this problem out into the wild.

We have just started using a proxy to log users internet usage against login names. This is setup on ISA Server 2004 (which is on our Internet gateway server). Integrated and basic forms of authentication are enabled along with reuiqring all users to authenticate. I have ticked and enabled an array of settings on ISA so that it ignores internal addresses and domains.

To point our users to our Proxy server I have used a Detect with DHCPINFORM on our DHCP server to point clients at the network location of the proxy.pac file (Described here). I also have setup the wpad.dat in the same area as the proxy.pac (both files are identical).

Current proxy.pac file I am playing around with:

function FindProxyForURL(url, host)
{       
// Trying to save localhost
   if (localHostOrDomainIs(host, "localhost")) return "DIRECT";
   if shExpMatch (url, "http://localhost*") return "DIRECT";
// If specific URL needs to bypass proxy, send traffic direct.
var resolved_ip = dnsResolve(host);
if (isInNet(resolved_ip, "172.22.145.0",  "255.255.255.0") ||
    isInNet(resolved_ip, "192.168.1.0", "255.255.255.0") ||
    isInNet(resolved_ip, "127.0.0.1", "255.255.255.255"))
return "DIRECT";
return "PROXY ^gatewaynamehere^.baytech.local:8080; DIRECT";
}

(Our internal IP is the 172.22.145.* range)

Now the issues I am having is that the proxy.pac file makes the browser go to the proxy whenever localhost or 127.0.0.1 is requested. I can see the requests on the ISA Server when I monitor my IP address. I can request other servers in our Intranet and it doesn't touch the proxy (which is correct). But I suspect that this because of settings on ISA Server and not because of the proxy.pac file (I could be wrong).

A side issue is that we need to point Firefox to the proxy.pac file manually to make it work for Firefox. Also a minority of IE users also need to be pointed manually as well. The best thing to have is to set our browsers to auto detect (Both IE and FF) and have everything just work no matter where the user is.

Setting it manually via group policy or browser settings is not ideal because it causes problems for people who have laptops that get taken home.

I have also tried disabling the IE proxy cache as described here: http://support.microsoft.com/kb/271361

Some Proxy info sites I have looked at:

Thanks in advance.

alanc
  • 1,500
  • 9
  • 12
Qwerty
  • 1,504
  • 2
  • 15
  • 24

4 Answers4

1

I've not tried it but according to the sun.com docco, the IsInNet function takes a host, not an IP as the first param.

so I think that this:

if (isInNet(resolved_ip, "172.22.145.0",  "255.255.255.0") ||
        isInNet(resolved_ip, "192.168.1.0", "255.255.255.0") ||
        isInNet(resolved_ip, "127.0.0.1", "255.255.255.255"))
return "DIRECT";

should be changed to this:

if (isInNet(host, "172.22.145.0",  "255.255.255.0") ||
        isInNet(host, "192.168.1.0", "255.255.255.0") ||
        isInNet(host, "127.0.0.1", "255.255.255.255"))
return "DIRECT";
Jason Tan
  • 2,742
  • 2
  • 17
  • 24
1

Tip: for debugging pac files in firefox you can use alert("blah") for debugging messages and then look in the Error Console (Tools menu) where they will be printed.

Duncan Smart
  • 330
  • 2
  • 8
  • 1
    Yeah I have tried putting alerts into it but they do not show. I starting to think it is not even getting run. – Qwerty Jul 01 '09 at 07:05
1

Ok, I think I have this running now...

My actual problem was that it was never being run in the first place. Also if the proxy.pac file has an error it decides to die silently. So I went back to basics and tried to run one locally on my machine using a really bare bones proxy.pac file. (I got a shock when my alerts started showing up for the first time).

Once I had that working I built it up line by line until I had something that worked for my network.

Also some more important info for all future readers of this thread!

I then moved it back to the server I had it originally on and then encountered problems with the auto detect for both FF and IE. After a bit of research it seems that IE7 and IE8 handle pac files differently when auto detect is turned on. (The proxy pickup method I am using is DHCP). So IE8 seems to require a ipconfig /renew to acquire a new one, while IE7 requires a ipconfig /renew and a ipconfig /flushdns

Also: Firefox only reported the alerts I had in the Error console (Ctrl+Shift+J), while IE used a pop up for alerts.

After a few days the DHCP 252 option spread to all workstations. However FF seems to still have difficulties with the auto detect so I just use the manual point or the FoxyProxy add-on as a work around.

Thanks for everyone's input!

Qwerty
  • 1,504
  • 2
  • 15
  • 24
0

Mozilla based browsers allow you to use a file: URL, which makes it much easier to prototype and test your .pac file.

I haven't tried this in IE.

Falcon Momot
  • 24,975
  • 13
  • 61
  • 92
benc
  • 663
  • 1
  • 5
  • 13