Glasswall Proxy Exclusion Configuration Guide (PAC)

Article summary

Did you find this summary helpful?

Thank you for your feedback!

Overview

During internal testing of our ICAP proxy implementation on macOS and Windows, we identified a key limitation in how browser-level and system-level proxy exclusions are handled:

Character Limits: Both platforms impose a maximum character count for the local exclusion list (the “Bypass Proxy For” field).
Impact: When this limit is exceeded, some systems silently fall back to bypassing the proxy entirely, creating serious gaps in policy enforcement.

To avoid this issue, we recommend managing proxy exclusions centrally using a PAC (Proxy Auto-Config) file rather than relying on per-device configurations.

Recommended Approach: Use a PAC File

What is a PAC File?

A Proxy Auto-Config (PAC) file is a JavaScript-based configuration script that dynamically defines proxy behavior based on request URLs, domains, IPs, or other parameters.

Benefits

Benefit	Description
✅ Centralized Control	All clients reference one centrally hosted PAC file. Update once, and all clients receive the change.
🚫 No Character Limit	A PAC file can contain hundreds of exclusions and logic far beyond what's possible in a GUI field.
🔄 Dynamic Routing	Define conditional logic (e.g. “use proxy for everything except these domains”).
🔐 Policy Integrity	Ensures all clients apply the same exclusion logic without risking proxy bypass.

Implementation Steps

1. Create a PAC File

Use the following example as a base:

function FindProxyForURL(url, host) {
  // Domains to bypass proxy
  if (dnsDomainIs(host, "internal.glasswall.com") ||
      shExpMatch(host, "*.corpnet.glasswall.local") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Everything else goes through ICAP proxy
  return "PROXY proxy.glasswall.com:3128";
}

Customize domain patterns and subnet IPs as needed.

2. Host the PAC File

Place it in a network-accessible location:

Internal Web Server (e.g. https://intranet.glasswall.com/proxy.pac)
Network share (macOS-compatible SMB path or DFS)

Ensure it is:

Secure (HTTPS preferred)
Readable by all endpoints
Version controlled

3. Configure Clients to Use PAC

Windows

Use Group Policy (GPO) or Intune:
- Set Automatic proxy configuration to the hosted PAC URL.
- Disable manual exclusions to prevent character limit misuse.

macOS

Use your Apple MDM Provider
- Enable proxy auto-config via .mobileconfig:

<key>ProxyAutoConfigURLString</key>
<string>https://intranet.glasswall.com/proxy.pac</string>

4. Test the Configuration

Open a browser and verify proxy behavior:
- Access external sites (should route via ICAP).
- Access excluded domains/IPs (should go direct).

Notes from Internal Testing

Edge cases where browser extensions or third-party apps apply additional proxy rules may override the PAC file.
Browser hardcoded exclusions (e.g. localhost, 127.0.0.1) are still respected.

🔧 Troubleshooting

Symptom	Likely Cause	Resolution
All traffic bypasses proxy	Character limit reached in exclusion list	Use PAC file
PAC file not respected	URL is unreachable or misconfigured	Confirm URL is accessible from client machine
App ignores PAC	App does not use system proxy settings	Configure app separately or enforce via firewall rules

Summary

Switching to a PAC file for managing proxy exclusions:

Solves platform limits
Centralizes policy updates
Reduces misconfiguration risks
Ensures security controls stay intact

For help with deploying this at scale, contact the IT Infrastructure or Security Engineering team.

Was this article helpful?

What's Next

Change Proxy Address from DNS Name to IP Windows

Table of contents

Overview
Recommended Approach: Use a PAC File
Implementation Steps
Notes from Internal Testing
🔧 Troubleshooting
Summary