This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
H2-F1
Participant
‎2020-09-25 11:21 PM

IPSEC VPN and proxy PAC

When connecting using the Endpoint Security Client, I am receiving a proxy PAC file from the DC. while I have modified the PAC file to allow my VPN subnet to go direct this isn't working as expected. I am able to access all internal resource but cannot browse the internet, disabling the pac file works straight away.

Here is a snippet of the pac file

function FindProxyForURL(url, host) {
// our local URLs from the domains below example.com don't need a proxy:
if (dnsDomainIs(host, "*.office.com")) return "DIRECT";
if (dnsDomainIs(host, "*.office365.com"))return "DIRECT";
if (dnsDomainIs(host, "*.teams.microsoft.com"))return "DIRECT";
if (dnsDomainIs(host, "*.lync.com")) return "DIRECT";
if (dnsDomainIs(host, "*.broadcast.skype.com")) return "DIRECT";
if (dnsDomainIs(host, "*.skypeforbusiness.com")) return "DIRECT";

// If the requested website is hosted within the internal network, send direct.
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "172.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
return "DIRECT";

// subnet, send to a specific proxy.
if (isInNet(myIpAddress(), "172.16.0.0", "255.255.255.0"))
return "DIRECT";

// Proxy Addresses
return "PROXY 10.0.0.1:8080";
}

While this is not a Checkpoint issue. I would like to know if it is possible to tell the firewall or Endpoint Security Client to block the pac file from being downloaded and installed on the client machine 

0 Kudos
4 Replies
funkylicious
Advisor
‎2020-09-26 01:11 AM

Hi,

I would try and configure the proxy.pac file to check if the host is any other subnet other than the one allocated for RemoteAccess and exempt it from using the proxy server.

Also, are you using split tunnel ?

0 Kudos
H2-F1
Participant
‎2020-09-26 05:27 AM
In response to funkylicious

The host is a mapped to a different vlan/subnet when in the office, would this matter when it connects over the vpn? yes split tunnelling is enabled.

0 Kudos
funkylicious
Advisor
‎2020-09-26 06:23 AM
In response to H2-F1

When the user/device is in the office, I would expect the normal behaviour is to use the proxy in order to be granted internet access.

When it's at home/other location with Internet access, to use that in order to be granted Internet access and not having to use the proxy located in the office/datacenter.

For this, in the configuration of the proxy.pac that is downloaded on the client's machine, to have another check of see if the computer IP is in the subnet/range assigned for Office Mode / Remote Access and return DIRECT and not "PROXY 10.0.0.1:8080"

0 Kudos
AlanDias
Explorer
‎2021-10-08 07:30 AM
In response to funkylicious

Ok, someone knows witch code works in PAC file, to realy identify the computer IP. 

This "if (isInNet(myIpAddress(), " doesnt work. I dont know much about JS, but in my tries all I got is the IP 127.0.0.1, even with others fuctions.

 

0 Kudos