Glasswall proxy exclusion configuration guide (pac)
Overview
During internal testing of our ICAP proxy implementation on macOS and Windows, we identified a key limitation in how browser-level and system-level proxy exclusions are handled:
- Character limits: both platforms impose a maximum character count for the local exclusion list (the “bypass proxy for” field).
- Impact: when this limit is exceeded, some systems silently fall back to bypassing the proxy entirely, creating serious gaps in policy enforcement.
To avoid this issue, we recommend managing proxy exclusions centrally using a pac (proxy auto-config) file rather than relying on per-device configurations.
Recommended approach: use a pac file
What is a pac file?
A proxy auto-config (pac) file is a javascript-based configuration script that dynamically defines proxy behavior based on request urls, domains, ips, or other parameters.
Benefits
| Benefit | Description |
|---|---|
| ✅ Centralized control | All clients reference one centrally hosted pac file. update once, and all clients receive the change. |
| 🚫 No character limit | A pac file can contain hundreds of exclusions and logic far beyond what's possible in a gui field. |
| 🔄 Dynamic routing | Define conditional logic (e.g. “use proxy for everything except these domains”). |
| 🔐 Policy integrity | Ensures all clients apply the same exclusion logic without risking proxy bypass. |
Implementation steps
1. Create a pac file
Use the following example as a base:
function FindProxyForURL(url, host) {
// Domains to bypass proxy
if (dnsDomainIs(host, "internal.glasswall.com") ||
shExpMatch(host, "*.corpnet.glasswall.local") ||
isInNet(host, "10.0.0.0", "255.0.0.0")) {
return "DIRECT";
}
// Everything else goes through ICAP proxy
return "PROXY proxy.glasswall.com:3128";
}
Customize domain patterns and subnet ips as needed.
2. Host the pac file
Place it in a network-accessible location:
- Internal web server (e.g.
https://intranet.glasswall.com/proxy.pac) - Network share (macOS-compatible smb path or dfs)
Ensure it is:
- Secure (https preferred)
- Readable by all endpoints
- Version controlled
3. Configure clients to use pac
Windows
- Use group policy (gpo) or intune:
- Set
Automatic proxy configurationTo the hosted pac url. - Disable manual exclusions to prevent character limit misuse.
- Set
macOS
- Use your apple mdm provider
- Enable proxy auto-config via
.mobileconfig:
- Enable proxy auto-config via
<key>ProxyAutoConfigURLString</key>
<string>https://intranet.glasswall.com/proxy.pac</string>
4. Test the configuration
- Open a browser and verify proxy behavior:
- Access external sites (should route via ICAP).
- Access excluded domains/ips (should go direct).
Notes from internal testing
- Edge cases where browser extensions or third-party apps apply additional proxy rules may override the pac file.
- Browser hardcoded exclusions (e.g.
localhost,127.0.0.1) Are still respected.
🔧 Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| All traffic bypasses proxy | Character limit reached in exclusion list | Use pac file |
| Pac file not respected | Url is unreachable or misconfigured | Confirm url is accessible from client machine |
| App ignores pac | App does not use system proxy settings | Configure app separately or enforce via firewall rules |
Summary
Switching to a pac file for managing proxy exclusions:
- Solves platform limits
- Centralizes policy updates
- Reduces misconfiguration risks
- Ensures security controls stay intact
For help with deploying this at scale, contact the it infrastructure or security engineering team.