Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring Web Settings > Configure General settings > Proxy auto-configuration (PAC)
Proxy auto-configuration (PAC)
We recommend that for all web browsers that will connect directly to the cloud proxy, you use the PAC file configured within the cloud service. This file contains a number of global settings and allows you to enter exclusions of your own (for example, intranet sites) that should not use the cloud service proxy (see Proxy bypass).
The exact mechanism for configuring a user's browser to use the PAC file depends on the browser and your network environment. For example, if you are using Microsoft Active Directory and Internet Explorer or Mozilla Firefox, you might want to automate the process by using group policies.
There are a number of different URLs you can use to retrieve a service-generated PAC file. The URL you choose determines which version of the PAC file is retrieved. Different variants of the PAC file are suited to different network environments.
Default and alternate PAC file addresses
PAC file addresses can be located on the Web > General page and on the General tab of a policy. In both locations, a default and alternate address is listed.
*
Default PAC file address: the PAC file is retrieved over port 8082 by default, or 8087 for HTTPS. Browsing with this PAC file is performed via port 8081.
*
Alternate PAC file addresses: the PAC file is retrieved over port 80 by default, or 443 for HTTPS. Web browsing is also performed via ports 80/443. Useful for locations where non-standard ports are locked down.
Both default and alternate PAC files can be retrieved via HTTP, or over a secure HTTPS connection. Select the HTTP or HTTPS URL as required. See Accessing PAC files over HTTPS.
Default PAC file addresses
Default PAC file URLs are in the following format:
http://pac.webdefence.global.blackspider.com:8082/proxy.pac
https://pac.webdefence.global.blackspider.com:8087/proxy.pac
The default PAC file address retrieves the PAC file over port 8082 (or 8087 for HTTPS). Web browsing is performed via port 8081.
This URL should be used where ports 8081 and 8082/8087 are permitted, such as your corporate network.
For more information on which ports are required to use the cloud service, see Configuring your firewall to connect to the cloud service.
Alternate PAC file addresses
Alternate PAC file URLs are in the following format:
http://pac.webdefence.global.blackspider.com/proxy.pac
https://pac.webdefence.global.blackspider.com:443/proxy.pac
Alternate PAC file URLs use the standard ports for web browsing: port 80 for HTTP traffic, and port 443 for HTTPS. This is useful for users who connect from locations (such as guest or public networks) where non-standard ports may be locked down.
For locations where ports 8081 and 8082/8087 are locked down, use the alternate PAC file address to ensure that users can retrieve the PAC file and browse via the cloud service.
Standard and policy-specific PAC files
Your account has two locations that list PAC file URLs:
*
Standard (account-wide) PAC file URL (found on the Web > General page). This URL is an account-wide PAC file URL. This fetches a policy-specific PAC file on connections from recognized IP addresses, and the standard, global PAC file from unrecognized addresses.
*
Policy-specific PAC file URL (found on the General tab of a policy). This URL includes a policy identifier, which ensures that the PAC file specific to the policy is always retrieved. This can be useful to ensure that remote users always get the PAC file for a particular policy.
See the sections below for further information, and guidance on when to use each option.
Standard PAC file
The URLs for the standard account-wide PAC file is found on the Web > Settings > General page.
When the cloud service receives a request for the standard PAC file, if it knows which policy the requester is using, it delivers the PAC file for that policy; otherwise it delivers a global PAC file.
Remote users whose browsers are configured to use the standard PAC file URL will receive a global PAC file for the cloud service.
 
* 
Note 
If you have already deployed a standard cloud PAC file that uses a different URL than the one displayed on the page, there is no need to change it unless you wish to. PAC file URLs provided with earlier versions of your web product will continue to work.
Policy-specific PAC file
Policy-specific PAC file URLs are in the following form:
http://pac.webdefence.global.blackspider.com:8082/proxy.pac?p=xxxxxx
https://pac.webdefence.global.blackspider.com:8087/proxy.pac?p=xxxxxx
Here, xxxxxx is a unique identifier for your policy.
Your Policy Specific PAC File Address is shown on your policy's General tab. To access this screen, go to the Web > Policy Management > Policies page, then click the name of the policy.
You should use the policy-specific PAC file in the following circumstances:
*
You cannot use a proxied connection on your policies. (You do not need to use a policy-specific URL when connecting from an IP address configured as a proxied connection in a policy, since the policy-specific PAC file is automatically served.)
*
A remote user needs to access bypass destinations specified in the policy-specific PAC file, but is able to access these destinations directly, for example, via a VPN client.
*
A remote user requests access from a network that has port 8082 locked down (or port 8087 for HTTPS). In this case, use the alternate PAC file address listed on the policy's General tab. This accesses the PAC file via port 80 (port 443 for HTTPS).
Remote users should also use the alternate policy-specific PAC file address if requesting access from a network that has port 8081 locked down. Even if they can access the PAC file on port 8082 or 8087, port 8081 is the standard required port to be able to use the cloud service.
The policy-specific PAC file allows remote users to always use the correct PAC file for their policy, although this is not always appropriate, because bypass destinations may not be relevant for the remote users' locations.
 
* 
Important 
There is a security implication related to the use of PAC files. If someone could guess your unique policy identifier and download it, that person would know what sites were not protected by the cloud service and could, in theory, use them as an attack vector. To prevent this, PAC file identifiers are generated as non-sequential alphanumeric strings. Users cannot assume that the number on either side of their PAC file identifier is valid.
For additional security, use the HTTPS PAC file URL. Forcepoint also recommends disabling the Automatically detect settings option in your LAN automatic configuration settings.
Accessing PAC files over HTTPS
Both standard and policy-specific PAC files can be accessed via HTTP or HTTPS URLs. Accessing PAC files over HTTPS provides an additional level of security. The standard PAC file HTTPS URL retrieves the PAC file over port 8087. Browsing is performed via port 8081.
For users accessing the service via networks where these ports are locked down, the alternate HTTPS PAC file URL should be used. This uses port 443 to access the PAC file, and port 80 for browsing.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring Web Settings > Configure General settings > Proxy auto-configuration (PAC)
Copyright 2024 Forcepoint. All rights reserved.