When connecting using the Endpoint Security Client, I am receiving a proxy PAC file from the DC. While I have modified the PAC file to allow my VPN subnet to go direct, this isn't working as expected. I am able to access all internal resources but cannot browse the internet; disabling the PAC file works straight away.
Here is a snippet of the PAC file:
function FindProxyForURL(url, host) {
    // Microsoft 365 / Skype for Business hosts don't need a proxy.
    // dnsDomainIs() is a suffix match, so the pattern must be a leading-dot
    // domain such as ".office.com"; a "*.office.com" pattern never matches.
    if (dnsDomainIs(host, ".office.com")) return "DIRECT";
    if (dnsDomainIs(host, ".office365.com")) return "DIRECT";
    if (dnsDomainIs(host, ".teams.microsoft.com")) return "DIRECT";
    if (dnsDomainIs(host, ".lync.com")) return "DIRECT";
    if (dnsDomainIs(host, ".broadcast.skype.com")) return "DIRECT";
    if (dnsDomainIs(host, ".skypeforbusiness.com")) return "DIRECT";

    // If the requested website is hosted within the internal network, send direct.
    // Note: 172.0.0.0/255.0.0.0 covers the whole of 172/8, not only the private
    // 172.16.0.0/12 range, and 127.0.0.0/255.255.255.0 covers only part of loopback.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

    // If the client itself is in the VPN (Office Mode) subnet, send direct.
    if (isInNet(myIpAddress(), "172.16.0.0", "255.255.255.0"))
        return "DIRECT";

    // Everything else goes via the proxy.
    return "PROXY 10.0.0.1:8080";
}
While this is not a Check Point issue, I would like to know if it is possible to tell the firewall or Endpoint Security Client to block the PAC file from being downloaded and installed on the client machine.
Hi,
I would try to configure the proxy.pac file to check whether the host is in any subnet other than the one allocated for Remote Access, and exempt it from using the proxy server.
Also, are you using split tunnel?
The host is mapped to a different VLAN/subnet when in the office; would this matter when it connects over the VPN? Yes, split tunnelling is enabled.
When the user/device is in the office, I would expect the normal behaviour to be to use the proxy in order to be granted Internet access.
When it's at home or another location with Internet access, I would expect it to use that connection for Internet access and not the proxy located in the office/datacenter.
For this, the proxy.pac that is downloaded to the client's machine would need another check to see whether the computer's IP is in the subnet/range assigned for Office Mode / Remote Access and, if so, return DIRECT rather than "PROXY 10.0.0.1:8080".
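The following is an added example, not code from the thread or from Check Point: an offline harness for exercising the Office Mode check described in the reply above before a PAC file is pushed to clients. It re-implements the standard PAC helpers (dnsDomainIs, shExpMatch, isPlainHostName, isInNet) in plain JavaScript, replaces dnsResolve() with a constructed lookup table, and passes the client IP into findProxy() explicitly so that both the "in the office" and "on VPN" cases can be tested. The proxy address 10.0.0.1:8080 and the Office Mode range 172.16.0.0/24 are taken from the thread; the host names, the DNS table and the client IPs are constructed, and the internal-network masks use RFC 1918 172.16.0.0/12 and loopback 127.0.0.0/8 rather than the broader masks in the posted snippet.

```javascript
// Added example (not from the thread): offline harness for PAC decision logic.
// Assumed values: Office Mode range 172.16.0.0/24 and proxy 10.0.0.1:8080 (from the thread).
const OFFICE_MODE_NET = "172.16.0.0";
const OFFICE_MODE_MASK = "255.255.255.0";
const PROXY = "PROXY 10.0.0.1:8080";

// --- Re-implementations of the PAC helpers with the same semantics as the browser built-ins ---
function dnsDomainIs(host, domain) {
  // Suffix match: dnsDomainIs("a.office.com", ".office.com") is true; a "*." pattern never matches.
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, shexp) {
  // Shell-style wildcard match: only * and ? are special, everything else is literal.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer.
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

function isInNet(ip, pattern, mask) {
  // A failed dnsResolve() yields null; treat it as "not in any internal net".
  if (!ip) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// Constructed DNS table standing in for dnsResolve(); unknown names resolve to null.
const FAKE_DNS = {
  "intranet.example.local": "10.1.2.3",
  "www.example.org": "203.0.113.10",
};
function dnsResolve(host) { return FAKE_DNS[host] || null; }

// Decision logic with the client IP injected instead of read from myIpAddress(),
// so the VPN and office cases can both be asserted on.
function findProxy(url, host, clientIp) {
  // Microsoft 365 endpoints go direct (leading-dot suffixes, not "*." patterns).
  const m365 = [".office.com", ".office365.com", ".teams.microsoft.com",
                ".lync.com", ".broadcast.skype.com", ".skypeforbusiness.com"];
  if (m365.some(d => dnsDomainIs(host, d))) return "DIRECT";

  // Internal destinations go direct.
  const resolved = dnsResolve(host);
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(resolved, "10.0.0.0", "255.0.0.0") ||
      isInNet(resolved, "172.16.0.0", "255.240.0.0") ||
      isInNet(resolved, "192.168.0.0", "255.255.0.0") ||
      isInNet(resolved, "127.0.0.0", "255.0.0.0"))
    return "DIRECT";

  // The check from the reply: a client holding an Office Mode address is a remote-access
  // user with its own Internet breakout, so it should not be sent to the office proxy.
  if (isInNet(clientIp, OFFICE_MODE_NET, OFFICE_MODE_MASK)) return "DIRECT";

  // Everyone else (on the office LAN) goes through the proxy.
  return PROXY;
}

// Entry point with the real PAC signature; myIpAddress() is supplied by the browser.
function FindProxyForURL(url, host) {
  return findProxy(url, host, myIpAddress());
}
```

Running the harness with a client IP inside 172.16.0.0/24 returns DIRECT for an Internet host, while an office LAN address such as 10.50.1.20 still returns the proxy, and internal or Microsoft 365 hosts go direct in both cases. One caveat worth checking on a real client: when several adapters are up, the browser's myIpAddress() may report the physical adapter's address rather than the VPN adapter's, in which case the Office Mode branch is never taken even though the PAC logic is correct; testing the logic with an explicit client IP, as here, separates that platform behaviour from a mistake in the file.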