topic IPSEC VPN and proxy PAC in SASE and Remote Access

IPSEC VPN and proxy PAC

H2-F1 — Sat, 26 Sep 2020 06:21:30 GMT

When connecting using the Endpoint Security Client, I am receiving a proxy PAC file from the DC. while I have modified the PAC file to allow my VPN subnet to go direct this isn't working as expected. I am able to access all internal resource but cannot browse the internet, disabling the pac file works straight away.

Here is a snippet of the pac file

function FindProxyForURL(url, host) {
// our local URLs from the domains below example.com don't need a proxy:
if (dnsDomainIs(host, "*.office.com")) return "DIRECT";
if (dnsDomainIs(host, "*.office365.com"))return "DIRECT";
if (dnsDomainIs(host, "*.teams.microsoft.com"))return "DIRECT";
if (dnsDomainIs(host, "*.lync.com")) return "DIRECT";
if (dnsDomainIs(host, "*.broadcast.skype.com")) return "DIRECT";
if (dnsDomainIs(host, "*.skypeforbusiness.com")) return "DIRECT";

// If the requested website is hosted within the internal network, send direct.
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "172.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
return "DIRECT";

// subnet, send to a specific proxy.
if (isInNet(myIpAddress(), "172.16.0.0", "255.255.255.0"))
return "DIRECT";

// Proxy Addresses
return "PROXY 10.0.0.1:8080";
}

While this is not a Checkpoint issue. I would like to know if it is possible to tell the firewall or Endpoint Security Client to block the pac file from being downloaded and installed on the client machine

Re: IPSEC VPN and proxy PAC

funkylicious — Sat, 26 Sep 2020 08:11:42 GMT

Hi,

I would try and configure the proxy.pac file to check if the host is any other subnet other than the one allocated for RemoteAccess and exempt it from using the proxy server.

Also, are you using split tunnel ?

Re: IPSEC VPN and proxy PAC

H2-F1 — Sat, 26 Sep 2020 12:27:50 GMT

The host is a mapped to a different vlan/subnet when in the office, would this matter when it connects over the vpn? yes split tunnelling is enabled.

Re: IPSEC VPN and proxy PAC

funkylicious — Sat, 26 Sep 2020 13:23:50 GMT

When the user/device is in the office, I would expect the normal behaviour is to use the proxy in order to be granted internet access.

When it's at home/other location with Internet access, to use that in order to be granted Internet access and not having to use the proxy located in the office/datacenter.

For this, in the configuration of the proxy.pac that is downloaded on the client's machine, to have another check of see if the computer IP is in the subnet/range assigned for Office Mode / Remote Access and return DIRECT and not "PROXY 10.0.0.1:8080"

Re: IPSEC VPN and proxy PAC

AlanDias — Fri, 08 Oct 2021 14:30:48 GMT

Ok, someone knows witch code works in PAC file, to realy identify the computer IP.

This "if (isInNet(myIpAddress(), " doesnt work. I dont know much about JS, but in my tries all I got is the IP 127.0.0.1, even with others fuctions.