Guest

Cisco Web Security Appliance

What is a PAC file and where is it located on WSA?

Document ID: 118082

Updated: Jul 25, 2014

Contributed by Erick Mechler and Siddharth Rajpathak, Cisco TAC Engineers.

   Print

Question:

What is a PAC file? Where can I host a PAC file on Cisco Web Security appliance?

Environment: Cisco Web Security appliance (WSA)

This Knowledge Base article references software which is not maintained or supported by Cisco. The information is provided as a courtesy for your convenience. For further assistance, please contact the software vendor.

A PAC, short for proxy auto-confg, file is a language to inform web browsers how to leverage proxies on their network.  Netscape owns the definition of the PAC file format. More details on this can be found at
http://findproxyforurl.com/netscape-documentation/

Microsoft browsers also support PAC file auto-detection, which is outlined at
http://technet.microsoft.com/en-us/library/dd361918.aspx

We can host the PAC file on WSA under GUI > Security Services > PAC file hosting. By default, the proxy PAC file would be hosted on port 9001.

When using WSA to host PAC files, by default, we need to point the browser to the following location

http://WSA_IP:9001/pacfile.pac


If the default port is changed in the PAC file hosting settings, then we would need to change the port accordingly in the above URL.

How it works:


The PAC file checks the local IP subnet address of the PC and then makes a decision based on IF / ELSE statement/s. If the PC is located in a subnet that matches, a proxy server is used. If the PC is on any other subnet, a direct connection is used instead of the proxy.

function FindProxyForURL(url, host)
{
         if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
                 return "PROXY 192.168.1.1:8080";
         else
                 return "DIRECT";
}

In the example, we check that the host is in the 192.168.1.0/24 subnet. If it is, then we tell the browser to use a proxy at IP address 192.168.1.1, using port 8080. We may need to change the subnet, subnet mask and proxy address/port according to the LAN configuration.

Updated: Jul 25, 2014
Document ID: 118082