Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 1 subscriber
  • Views 1357 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Accessing Astaro using Auto Pac / WPAD

chrisbli
I have just implemented WPAD into our network, browsers are now being assigned the proxy details and can access web pages however im unable to access the astaro admin. When manually configuring the browsers i could add the ip address as an exception and it worked great however it no longer does. Obviously the PAC file is configured incorrectly so i was hoping someone could give me some insight into this. Pac file below: 

function FindProxyForURL(url, host) {



// If URL has no dots in host name, send traffic direct.

	if (isPlainHostName(host))

		return "DIRECT";



// If IP address is internal or hostname resolves to internal IP, send direct.



	var resolved_ip = dnsResolve(host);



	if (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||

		isInNet(resolved_ip, "172.16.0.0",  "255.240.0.0") ||

		isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||

		isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))

		return "DIRECT";



// All other traffic uses below proxies, in fail-over order.

	return "PROXY 192.168.y.z:8080; DIRECT";

	

}


Thanks
Chris


This thread was automatically locked due to age.
  • 0
    The first thing that stands out for me as being potentially problematic are the "||" marks.  

    Not related to your issue, but you're being too broad in the scope of networks that are allowed to bypass the proxy, unless your internal IP addressing scheme covers the 10.0.0.0, 192.168.0.0, and 172.16.0.0 network ranges.

    In WebAdmin, go to the web proxy area.  On the Advanced Tab, scroll down to the Proxy Auto Configuration section to see a good short PAC file.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0
    Chris, I don't see anything wrong there.  Have you checked the Proxy Settings in your browser to confirm that the proper configuration was done?  Have you confirmed in the 'Content Filter (HTTP/S)' log that the proxy sees these accesses?  If it's not seeing them, then check the 'Intrusion Prevention' log.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    I have redcued the information in the file and it seems to be working ok now, should have done that before posting. Here is the final one, very simple: 


    function FindProxyForURL(url, host) {

    

    	if (isPlainHostName(host))

    	return "DIRECT";

    

    	var resolved_ip = dnsResolve(host);

    

    	if (isInNet(resolved_ip, "192.168.z.y", "255.255.255.0"))

    	return "DIRECT";

    

    	return "PROXY 192.168.z.y:8080; DIRECT";

    }
  • 0
    Glad to hear that it's working better for you now.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0
    Chris,

    You may have to consider the extra dns resolving steps. I've used a script like yours and my internal DNS server couldn't handle all the requests.

    A list of the domains that eventually resolve to internal address can reduce the lag.

    function FindProxyForURL(url, host) {

    // Exception for plain hosts
    if ( isPlainHostName(host) ){return "DIRECT";}

    // Exception for internal zones
    if (   shExpMatch(host, "*.internal.domain")
        || shExpMatch(host, "*.zone.tld")
    )
    {
     var resolved_ip = dnsResolve(host);
     if (   isInNet(resolved_ip, "10.0.0.0",    "255.0.0.0")
         || isInNet(resolved_ip, "172.16.0.0",  "255.240.0.0")
         || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0")
         || isInNet(resolved_ip, "127.0.0.0",   "255.0.0.0")
         )
         {return "DIRECT";}
    }

    // Exception based on the src IP
    //if (myIpAddress() == "999.999.999.999") {return "DIRECT";}

    // Expection based on the proto (need to adjust lenght)
    //if (url.substring(0, 6) == "https:") {return "DIRECT";}

    if (shExpMatch(url,"passthrough.fw-notify.net*/*")) {return "DIRECT";}

    return "PROXY 192.168.1.1:8080";
    }


    The exception for passthrough.fw-notify.net solved a "save" download problem.

    Best regards,
    Marcos
  • 0
    Excellent, Marcos, Thanks!  I've added your DNS-saver and passthrough tricks to my tool  kit!

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Cookie Information Banner