This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
H2-F1
Participant
‎2020-09-25 11:21 PM

IPSEC VPN and proxy PAC

When connecting using the Endpoint Security Client, I am receiving a proxy PAC file from the DC. while I have modified the PAC file to allow my VPN subnet to go direct this isn't working as expected. I am able to access all internal resource but cannot browse the internet, disabling the pac file works straight away.

Here is a snippet of the pac file

function FindProxyForURL(url, host) {
// our local URLs from the domains below example.com don't need a proxy:
if (dnsDomainIs(host, "*.office.com")) return "DIRECT";
if (dnsDomainIs(host, "*.office365.com"))return "DIRECT";
if (dnsDomainIs(host, "*.teams.microsoft.com"))return "DIRECT";
if (dnsDomainIs(host, "*.lync.com")) return "DIRECT";
if (dnsDomainIs(host, "*.broadcast.skype.com")) return "DIRECT";
if (dnsDomainIs(host, "*.skypeforbusiness.com")) return "DIRECT";

// If the requested website is hosted within the internal network, send direct.
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "172.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
return "DIRECT";

// subnet, send to a specific proxy.
if (isInNet(myIpAddress(), "172.16.0.0", "255.255.255.0"))
return "DIRECT";

// Proxy Addresses
return "PROXY 10.0.0.1:8080";
}

While this is not a Checkpoint issue. I would like to know if it is possible to tell the firewall or Endpoint Security Client to block the pac file from being downloaded and installed on the client machine 

0 Kudos
Reply
3 Replies
funkylicious
Advisor
‎2020-09-26 01:11 AM

Hi,

I would try and configure the proxy.pac file to check if the host is any other subnet other than the one allocated for RemoteAccess and exempt it from using the proxy server.

Also, are you using split tunnel ?

0 Kudos
Reply
H2-F1
Participant
‎2020-09-26 05:27 AM
In response to funkylicious

The host is a mapped to a different vlan/subnet when in the office, would this matter when it connects over the vpn? yes split tunnelling is enabled.

0 Kudos
Reply
funkylicious
Advisor
‎2020-09-26 06:23 AM
In response to H2-F1

When the user/device is in the office, I would expect the normal behaviour is to use the proxy in order to be granted internet access.

When it's at home/other location with Internet access, to use that in order to be granted Internet access and not having to use the proxy located in the office/datacenter.

For this, in the configuration of the proxy.pac that is downloaded on the client's machine, to have another check of see if the computer IP is in the subnet/range assigned for Office Mode / Remote Access and return DIRECT and not "PROXY 10.0.0.1:8080"

0 Kudos
Reply