Glasswall Proxy Exclusion Configuration Guide (PAC)


Overview

During internal testing of our ICAP proxy implementation on macOS and Windows, we identified a key limitation in how browser-level and system-level proxy exclusions are handled:

  • Character Limits: Both platforms impose a maximum character count for the local exclusion list (the “Bypass Proxy For” field).
  • Impact: When this limit is exceeded, some systems silently fall back to bypassing the proxy entirely, creating serious gaps in policy enforcement.

To avoid this issue, we recommend managing proxy exclusions centrally using a PAC (Proxy Auto-Config) file rather than relying on per-device configurations.


Recommended Approach: Use a PAC File

What is a PAC File?

A Proxy Auto-Config (PAC) file is a JavaScript-based configuration script that dynamically defines proxy behavior based on request URLs, domains, IPs, or other parameters.

Benefits

| Benefit | Description |
|---|---|
| ✅ Centralized Control | All clients reference one centrally hosted PAC file. Update once, and all clients receive the change. |
| 🚫 No Character Limit | A PAC file can contain hundreds of exclusions and logic far beyond what's possible in a GUI field. |
| 🔄 Dynamic Routing | Define conditional logic (e.g. “use proxy for everything except these domains”). |
| 🔐 Policy Integrity | Ensures all clients apply the same exclusion logic without risking proxy bypass. |

Implementation Steps

1. Create a PAC File

Use the following example as a base:

function FindProxyForURL(url, host) {
  // Domains to bypass proxy
  if (dnsDomainIs(host, "internal.glasswall.com") ||
      shExpMatch(host, "*.corpnet.glasswall.local") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Everything else goes through ICAP proxy
  return "PROXY proxy.glasswall.com:3128";
}

Customize domain patterns and subnet IPs as needed.


2. Host the PAC File

Place it in a network-accessible location:

  • Internal Web Server (e.g. https://intranet.glasswall.com/proxy.pac)
  • Network share (macOS-compatible SMB path or DFS)

Ensure it is:

  • Secure (HTTPS preferred)
  • Readable by all endpoints
  • Version controlled

3. Configure Clients to Use PAC

Windows

  • Use Group Policy (GPO) or Intune:
    • Set Automatic proxy configuration to the hosted PAC URL.
    • Disable manual exclusions to prevent character limit misuse.

macOS

  • Use your Apple MDM provider:
    • Enable proxy auto-config via .mobileconfig:
<key>ProxyAutoConfigURLString</key>
<string>https://intranet.glasswall.com/proxy.pac</string>

4. Test the Configuration

  • Open a browser and verify proxy behavior:
    • Access external sites (should route via ICAP).
    • Access excluded domains/IPs (should go direct).
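
Before rolling the PAC file out, the routing decisions can also be checked offline. The following is an added example, not part of the original guide or Glasswall's tooling: it runs the step 1 function under Node.js with minimal stand-ins for the browser's PAC built-ins. The host list, `ipToInt` and `checkRouting` are constructed for illustration, and `isInNet` here handles IP literals only.

```javascript
// Added example: Node.js stand-ins for the browser's PAC built-ins.
function dnsDomainIs(host, domain) {           // plain suffix match
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, pattern) {            // shell glob: * and ?
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function ipToInt(s) {                          // IPv4 literal -> uint32, else null
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return m.slice(1).reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}
// Assumption: only IP literals are handled; a browser would resolve names via DNS.
function isInNet(host, net, mask) {
  const ip = ipToInt(host), m = ipToInt(mask);
  return ip !== null && ((ip & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// PAC function from step 1 of this guide, unchanged.
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "internal.glasswall.com") ||
      shExpMatch(host, "*.corpnet.glasswall.local") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return "PROXY proxy.glasswall.com:3128";
}

const PROXY = "PROXY proxy.glasswall.com:3128";
// Constructed hosts with the routing each should get.
const CASES = [
  ["internal.glasswall.com", "DIRECT"],
  ["app.internal.glasswall.com", "DIRECT"],
  ["notinternal.glasswall.com", "DIRECT"],          // suffix match has no dot boundary
  ["build.corpnet.glasswall.local", "DIRECT"],
  ["corpnet.glasswall.local", PROXY],               // "*." needs a subdomain label
  ["10.20.30.40", "DIRECT"],
  ["11.0.0.1", PROXY],
  ["www.example.com", PROXY],
  ["internal.glasswall.com.example.net", PROXY],    // lookalike is not excluded
];

// Returns the hosts whose routing differs from the expected value.
function checkRouting(cases) {
  return cases
    .filter(([host, want]) => FindProxyForURL("https://" + host + "/", host) !== want)
    .map(([host]) => host);
}
console.log(checkRouting(CASES));
```

An empty array means every host was routed as expected; any host listed in the output was sent to the wrong path and the exclusion rules need review.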

Notes from Internal Testing

  • Edge cases where browser extensions or third-party apps apply additional proxy rules may override the PAC file.
  • Browser hardcoded exclusions (e.g. localhost, 127.0.0.1) are still respected.

🔧 Troubleshooting

| Symptom | Likely Cause | Resolution |
|---|---|---|
| All traffic bypasses proxy | Character limit reached in exclusion list | Use PAC file |
| PAC file not respected | URL is unreachable or misconfigured | Confirm URL is accessible from client machine |
| App ignores PAC | App does not use system proxy settings | Configure app separately or enforce via firewall rules |

Summary

Switching to a PAC file for managing proxy exclusions:

  • Solves platform limits
  • Centralizes policy updates
  • Reduces misconfiguration risks
  • Ensures security controls stay intact

For help with deploying this at scale, contact the IT Infrastructure or Security Engineering team.