Glasswall Proxy Exclusion Configuration Guide (PAC)

    Overview

    During internal testing of our ICAP proxy implementation on macOS and Windows, we identified a key limitation in how browser-level and system-level proxy exclusions are handled:

    • Character Limits: Both platforms impose a maximum character count for the local exclusion list (the “Bypass Proxy For” field).
    • Impact: When this limit is exceeded, some systems silently fall back to bypassing the proxy entirely, creating serious gaps in policy enforcement.

    To avoid this issue, we recommend managing proxy exclusions centrally using a PAC (Proxy Auto-Config) file rather than relying on per-device configurations.


    What is a PAC File?

    A Proxy Auto-Config (PAC) file is a JavaScript-based configuration script that dynamically defines proxy behavior based on request URLs, domains, IPs, or other parameters.

    Benefits

    | Benefit | Description |
    |---|---|
    | ✅ Centralized Control | All clients reference one centrally hosted PAC file. Update once, and all clients receive the change. |
    | 🚫 No Character Limit | A PAC file can contain hundreds of exclusions and logic far beyond what's possible in a GUI field. |
    | 🔄 Dynamic Routing | Define conditional logic (e.g. “use proxy for everything except these domains”). |
    | 🔐 Policy Integrity | Ensures all clients apply the same exclusion logic without risking proxy bypass. |

    Implementation Steps

    1. Create a PAC File

    Use the following example as a base:

    function FindProxyForURL(url, host) {
      // Domains to bypass proxy
      if (dnsDomainIs(host, "internal.glasswall.com") ||
          shExpMatch(host, "*.corpnet.glasswall.local") ||
          isInNet(host, "10.0.0.0", "255.0.0.0")) {
        return "DIRECT";
      }
    
      // Everything else goes through ICAP proxy
      return "PROXY proxy.glasswall.com:3128";
    }
    

    Customize domain patterns and subnet IPs as needed.


    2. Host the PAC File

    Place it in a network-accessible location:

    • Internal Web Server (e.g. https://intranet.glasswall.com/proxy.pac)
    • Network share (macOS-compatible SMB path or DFS)

    Ensure it is:

    • Secure (HTTPS preferred)
    • Readable by all endpoints
    • Version controlled

    3. Configure Clients to Use PAC

    Windows

    • Use Group Policy (GPO) or Intune:
      • Set Automatic proxy configuration to the hosted PAC URL.
      • Disable manual exclusions so that the exclusion-list character limit cannot be reached.

    macOS

    • Use your Apple MDM provider:
      • Enable proxy auto-config via .mobileconfig:
    <key>ProxyAutoConfigURLString</key>
    <string>https://intranet.glasswall.com/proxy.pac</string>
    

    4. Test the Configuration

    • Open a browser and verify proxy behavior:
      • Access external sites (should route via ICAP).
      • Access excluded domains/IPs (should go direct).
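
    One way to run the step 4 check without a browser, as an added example (not part of the original guide or Glasswall tooling): the step 1 PAC logic is evaluated in Node.js against constructed URLs, and any URL whose routing differs from the expected result is reported. The helper functions are simplified stand-ins for the browser-provided PAC functions, and `isInNet` here performs no DNS resolution.

```javascript
// Added example (not Glasswall tooling): offline regression check for PAC routing.
// PAC_SOURCE is the guide's sample; helpers are simplified stand-ins for the
// browser-provided PAC functions; CASES are constructed expectations.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "internal.glasswall.com") ||
      shExpMatch(host, "*.corpnet.glasswall.local") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return "PROXY proxy.glasswall.com:3128";
}`;
// Dotted-quad IPv4 literal -> unsigned 32-bit integer, or null for anything else.
function ipToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return m.slice(1).reduce((acc, o) => acc * 256 + Number(o), 0);
}
const helpers = {
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, pat) => new RegExp("^" + pat.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str),
  // Assumption: no DNS lookups here, so only IPv4-literal hosts can match a subnet.
  isInNet: (host, net, mask) => {
    const h = ipToInt(host), n = ipToInt(net), k = ipToInt(mask);
    return h !== null && ((h & k) >>> 0) === ((n & k) >>> 0);
  },
};
// Evaluate the PAC text with the stand-in helpers in scope.
function loadPac(source) {
  return new Function(...Object.keys(helpers),
    source + "\nreturn FindProxyForURL;")(...Object.values(helpers));
}
const PROXY = "PROXY proxy.glasswall.com:3128";
const CASES = [
  ["https://internal.glasswall.com/wiki", "DIRECT"],
  ["https://build.corpnet.glasswall.local/", "DIRECT"],
  ["http://10.20.30.40/status", "DIRECT"],
  ["https://example.org/file.pdf", PROXY],
  ["http://192.168.1.10/", PROXY],
];

// Return every case whose routing differs from the expectation.
function checkPac(source, cases) {
  const find = loadPac(source);
  return cases.map(([url, want]) => ({ url, want, got: find(url, new URL(url).hostname) }))
    .filter((r) => r.got !== r.want);
}
console.log(checkPac(PAC_SOURCE, CASES));
```

    An empty array means every case routed as expected; an external URL that comes back as DIRECT is the proxy-bypass condition this guide is meant to prevent.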

    Notes from Internal Testing

    • Edge cases where browser extensions or third-party apps apply additional proxy rules may override the PAC file.
    • Browser hardcoded exclusions (e.g. localhost, 127.0.0.1) are still respected.

    🔧 Troubleshooting

    | Symptom | Likely Cause | Resolution |
    |---|---|---|
    | All traffic bypasses proxy | Character limit reached in exclusion list | Use PAC file |
    | PAC file not respected | URL is unreachable or misconfigured | Confirm URL is accessible from client machine |
    | App ignores PAC | App does not use system proxy settings | Configure app separately or enforce via firewall rules |

    Summary

    Switching to a PAC file for managing proxy exclusions:

    • Solves platform limits
    • Centralizes policy updates
    • Reduces misconfiguration risks
    • Ensures security controls stay intact

    For help with deploying this at scale, contact the IT Infrastructure or Security Engineering team.

