Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
H2-F1
Participant

IPSEC VPN and proxy PAC

When connecting using the Endpoint Security Client, I am receiving a proxy PAC file from the DC. while I have modified the PAC file to allow my VPN subnet to go direct this isn't working as expected. I am able to access all internal resource but cannot browse the internet, disabling the pac file works straight away.

Here is a snippet of the pac file

function FindProxyForURL(url, host) {
// our local URLs from the domains below example.com don't need a proxy:
if (dnsDomainIs(host, "*.office.com")) return "DIRECT";
if (dnsDomainIs(host, "*.office365.com"))return "DIRECT";
if (dnsDomainIs(host, "*.teams.microsoft.com"))return "DIRECT";
if (dnsDomainIs(host, "*.lync.com")) return "DIRECT";
if (dnsDomainIs(host, "*.broadcast.skype.com")) return "DIRECT";
if (dnsDomainIs(host, "*.skypeforbusiness.com")) return "DIRECT";

// If the requested website is hosted within the internal network, send direct.
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "172.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
return "DIRECT";

// subnet, send to a specific proxy.
if (isInNet(myIpAddress(), "172.16.0.0", "255.255.255.0"))
return "DIRECT";

// Proxy Addresses
return "PROXY 10.0.0.1:8080";
}

While this is not a Checkpoint issue. I would like to know if it is possible to tell the firewall or Endpoint Security Client to block the pac file from being downloaded and installed on the client machine 

0 Kudos
4 Replies
funkylicious
Advisor

Hi,

I would try and configure the proxy.pac file to check if the host is any other subnet other than the one allocated for RemoteAccess and exempt it from using the proxy server.

Also, are you using split tunnel ?

0 Kudos
H2-F1
Participant

The host is a mapped to a different vlan/subnet when in the office, would this matter when it connects over the vpn? yes split tunnelling is enabled.

0 Kudos
funkylicious
Advisor

When the user/device is in the office, I would expect the normal behaviour is to use the proxy in order to be granted internet access.

When it's at home/other location with Internet access, to use that in order to be granted Internet access and not having to use the proxy located in the office/datacenter.

For this, in the configuration of the proxy.pac that is downloaded on the client's machine, to have another check of see if the computer IP is in the subnet/range assigned for Office Mode / Remote Access and return DIRECT and not "PROXY 10.0.0.1:8080"

0 Kudos
AlanDias
Explorer

Ok, someone knows witch code works in PAC file, to realy identify the computer IP. 

This "if (isInNet(myIpAddress(), " doesnt work. I dont know much about JS, but in my tries all I got is the IP 127.0.0.1, even with others fuctions.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events