Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring Web Settings > Configure General settings > Proxy auto-configuration (PAC)
Proxy auto-configuration (PAC)
We recommend that for all web browsers that will connect directly to the cloud proxy, you use the PAC file configured within the cloud service. This file contains a number of global settings and allows you to enter exclusions of your own (for example, intranet sites) that should not use the cloud service proxy (see Proxy bypass).
The exact mechanism for configuring a user's browser to use the PAC file depends on the browser and your network environment. For example, if you are using Microsoft Active Directory and Internet Explorer or Mozilla Firefox, you might want to automate the process by using group policies.
There are a number of different URLs you can use to retrieve a service-generated PAC file. The URL you choose determines which version of the PAC file is retrieved. Different variants of the PAC file are suited to different network environments.
Default and alternate PAC file addresses
PAC file addresses can be located on the Web > General page and on the General tab of a policy. In both locations, a default and alternate address is listed.
Both default and alternate PAC files can be retrieved via HTTP, or over a secure HTTPS connection. Select the HTTP or HTTPS URL as required. See Accessing PAC files over HTTPS.
Default PAC file addresses
Default PAC file URLs are in the following format:
The default PAC file address retrieves the PAC file over port 8082 (or 8087 for HTTPS). Web browsing is performed via port 8081.
This URL should be used where ports 8081 and 8082/8087 are permitted, such as your corporate network.
For more information on which ports are required to use the cloud service, see Configuring your firewall to connect to the cloud service.
Alternate PAC file addresses
Alternate PAC file URLs are in the following format:
Alternate PAC file URLs use the standard ports for web browsing: port 80 for HTTP traffic, and port 443 for HTTPS. This is useful for users who connect from locations (such as guest or public networks) where non-standard ports may be locked down.
For locations where ports 8081 and 8082/8087 are locked down, use the alternate PAC file address to ensure that users can retrieve the PAC file and browse via the cloud service.
Standard and policy-specific PAC files
Your account has two locations that list PAC file URLs:
Standard (account-wide) PAC file URL (found on the Web > General page). This URL is an account-wide PAC file URL. This fetches a policy-specific PAC file on connections from recognized IP addresses, and the standard, global PAC file from unrecognized addresses.
Policy-specific PAC file URL (found on the General tab of a policy). This URL includes a policy identifier, which ensures that the PAC file specific to the policy is always retrieved. This can be useful to ensure that remote users always get the PAC file for a particular policy.
See the sections below for further information, and guidance on when to use each option.
Standard PAC file
The URLs for the standard account-wide PAC file is found on the Web > Settings > General page.
When the cloud service receives a request for the standard PAC file, if it knows which policy the requester is using, it delivers the PAC file for that policy; otherwise it delivers a global PAC file.
Remote users whose browsers are configured to use the standard PAC file URL will receive a global PAC file for the cloud service.
Policy-specific PAC file
Policy-specific PAC file URLs are in the following form:
Here, xxxxxx is a unique identifier for your policy.
Your Policy Specific PAC File Address is shown on your policy's General tab. To access this screen, go to the Web > Policy Management > Policies page, then click the name of the policy.
You should use the policy-specific PAC file in the following circumstances:
Remote users should also use the alternate policy-specific PAC file address if requesting access from a network that has port 8081 locked down. Even if they can access the PAC file on port 8082 or 8087, port 8081 is the standard required port to be able to use the cloud service.
The policy-specific PAC file allows remote users to always use the correct PAC file for their policy, although this is not always appropriate, because bypass destinations may not be relevant for the remote users' locations.
For additional security, use the HTTPS PAC file URL. Forcepoint also recommends disabling the Automatically detect settings option in your LAN automatic configuration settings.
Accessing PAC files over HTTPS
Both standard and policy-specific PAC files can be accessed via HTTP or HTTPS URLs. Accessing PAC files over HTTPS provides an additional level of security. The standard PAC file HTTPS URL retrieves the PAC file over port 8087. Browsing is performed via port 8081.
For users accessing the service via networks where these ports are locked down, the alternate HTTPS PAC file URL should be used. This uses port 443 to access the PAC file, and port 80 for browsing.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring Web Settings > Configure General settings > Proxy auto-configuration (PAC)
Copyright 2020 Forcepoint. All rights reserved.