## Overview

During internal testing of our ICAP proxy implementation on macOS and Windows, we identified a key limitation in how browser-level and system-level proxy exclusions are handled:

- **Character limits**: Both platforms impose a maximum character count for the local exclusion list (the "bypass proxy for" field).
- **Impact**: When this limit is exceeded, some systems silently fall back to bypassing the proxy **entirely**, creating serious gaps in policy enforcement.

To avoid this issue, we recommend managing proxy exclusions centrally using a **PAC (proxy auto-config) file** rather than relying on per-device configurations.

---

## Recommended approach: use a PAC file

### What is a PAC file?

A **proxy auto-config (PAC)** file is a JavaScript-based configuration script that dynamically defines proxy behavior based on request URLs, domains, IPs, or other parameters.

### Benefits

| Benefit               | Description                                                                 |
|-----------------------|-----------------------------------------------------------------------------|
| ✅ Centralized control | All clients reference one centrally hosted PAC file. Update once, and all clients receive the change. |
| 🚫 No character limit | A PAC file can contain hundreds of exclusions and logic far beyond what's possible in a GUI field. |
| 🔄 Dynamic routing     | Define conditional logic (e.g. "use proxy for everything except these domains"). |
| 🔐 Policy integrity    | Ensures all clients apply the same exclusion logic without risking proxy bypass. |

---

## Implementation steps

### 1. **Create a PAC file**

Use the following example as a base:

```javascript
function FindProxyForURL(url, host) {
  // Hosts that bypass the proxy. Note that dnsDomainIs() is a plain suffix
  // match, and isInNet() resolves hostnames via DNS, so it is kept last.
  if (dnsDomainIs(host, "internal.glasswall.com") ||
      shExpMatch(host, "*.corpnet.glasswall.local") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Everything else goes through the ICAP proxy. No "; DIRECT" fallback,
  // so a proxy outage fails closed instead of silently bypassing policy.
  return "PROXY proxy.glasswall.com:3128";
}
```

Customize domain patterns and subnet IPs as needed.

---

### 2. **Host the PAC file**

Place it in a **network-accessible location**:

- Internal web server (e.g. `https://intranet.glasswall.com/proxy.pac`)
- Network share (macOS-compatible SMB path or DFS)

Ensure it is:

- Secure (HTTPS preferred)
- Readable by all endpoints
- Version controlled

---

### 3. **Configure clients to use PAC**

#### Windows

- Use **Group Policy (GPO)** or **Intune**:
  - Set `Automatic proxy configuration` to the hosted PAC URL.
  - Disable manual exclusions to prevent character limit misuse.

#### macOS

- Use your Apple MDM provider
  - Enable proxy auto-config via `.mobileconfig`:

```xml
<key>ProxyAutoConfigURLString</key>
<string>https://intranet.glasswall.com/proxy.pac</string>
```

---

### 4. **Test the configuration**

- Open a browser and verify proxy behavior:
  - Access external sites (should route via ICAP).
  - Access excluded domains/IPs (should go direct).
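To make this test repeatable before a PAC file is rolled out, the following harness (added here; not part of the original guidance or of any vendor tooling) re-implements the helper functions a browser's PAC engine normally provides and checks the step 1 policy against constructed sample requests, including one that shows `dnsDomainIs()` is a plain suffix match. The sample hosts and the `runPacTests` helper are assumptions for illustration.

```javascript
// Added harness (not from the original guidance): re-implements the PAC helpers
// a browser normally provides, so a policy can be unit-tested offline (no DNS).
function dnsDomainIs(host, domain) {
  // Same semantics as browsers: a plain suffix check, not a label boundary.
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, shexp) {
  // Shell-style glob: '*' matches any run of characters, '?' matches one.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ipToInt(ip) {
  // Dotted-quad IPv4 literal to unsigned 32-bit integer; null if malformed.
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.map(Number).reduce((acc, p) => ((acc << 8) | p) >>> 0, 0);
}
function isInNet(host, pattern, mask) {
  // A real PAC engine resolves hostnames here; this harness accepts only IP
  // literals, so a non-IP host never matches and falls through to the proxy.
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}
// Policy under test: the same rules as the example PAC file in step 1.
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "internal.glasswall.com") ||
      shExpMatch(host, "*.corpnet.glasswall.local") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return "PROXY proxy.glasswall.com:3128";
}
// Constructed sample requests and the routing the policy is expected to give.
const PROXY = "PROXY proxy.glasswall.com:3128";
const CASES = [
  ["https://internal.glasswall.com/", "internal.glasswall.com", "DIRECT"],
  ["https://app.corpnet.glasswall.local/", "app.corpnet.glasswall.local", "DIRECT"],
  ["http://10.20.30.40/", "10.20.30.40", "DIRECT"],
  ["https://www.example.com/", "www.example.com", PROXY],
  ["http://11.0.0.1/", "11.0.0.1", PROXY],
  // Suffix match: this host is excluded too; use an exact comparison if unintended.
  ["https://notinternal.glasswall.com/", "notinternal.glasswall.com", "DIRECT"],
];
// Returns the mismatches; an empty list means the policy behaves as expected.
function runPacTests(pacFn, cases) {
  return cases.filter(([url, host, want]) => pacFn(url, host) !== want)
              .map(([url, host, want]) => `${url}: expected ${want}, got ${pacFn(url, host)}`);
}
```

Paste the real `FindProxyForURL` from the deployed PAC file in place of the one above and extend `CASES` with the organisation's own exclusions; any non-empty result from `runPacTests` is a policy gap to fix before rollout.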



---

## Notes from internal testing

- In edge cases, browser extensions or third-party apps that apply **additional proxy rules** may override the PAC file.
- Browser hardcoded exclusions (e.g. `localhost`, `127.0.0.1`) are still respected.

---

## 🔧 Troubleshooting

| Symptom                        | Likely cause                          | Resolution                                     |
|--------------------------------|---------------------------------------|------------------------------------------------|
| All traffic bypasses proxy     | Character limit reached in exclusion list | Use PAC file                                    |
| PAC file not respected         | URL is unreachable or misconfigured   | Confirm URL is accessible from client machine |
| App ignores PAC                | App does not use system proxy settings | Configure app separately or enforce via firewall rules |

---

## Summary

Switching to a PAC file for managing proxy exclusions:

- **Solves platform limits**
- **Centralizes policy updates**
- **Reduces misconfiguration risks**
- **Ensures security controls stay intact**

For help with deploying this at scale, contact the IT infrastructure or security engineering team.