PAC file is not applying correctly on 3.6.16

[bsossamon]

We are using Sophos Web Appliances in our environment. We currently have a GPO enforcing a .pac file on all IE browsers. Which puts the users into our eplicit filters for all domain users. We also have Transparent filters established for non domain users (MAC Users, Guests, etc.) The transparent filters are the most restrictive. The explicit filters have policies within the appliance to grant or deny access to the internet based on department. We have a gpo applying the mozilla.adm (computer) and firefox.adm (user) for a test OU. The policy applies successfully and it locks down the settings for the users and machine. The problem is that the Automatic Configuration URL appears to be applied to the connection settings but not routing the users correctly. The policies applied to that OU in our web filter are not being applied by the pac file. I have a userr account that has access to youtube but all other users do not. When i login with that account i can see that the gpo was applied but that user cannot access youtube with the pac file being enforced. If i manually proxy the user to a filter for example webfilter1.domain.com they are getting the correct policies and are able to access youtube. If i put the pac file url back in they stop getting the correct policies. It appears that the pac file does not know how to route Frontmotion or Frontmotion does not konw how to read the pac file. We are going to be deploying front motion to estimated 20,000 machines. Any help would be greatly appreciated.

[DraconPern]

please set network.proxy.type to 2 and network.proxy.autoconfig_url to your .pac file in the GPO. If you are doing a lockdown, you should set them in the computer section and not the user section.

[DraconPern]

Best way to check if policy is being applied is to go to about:config in firefox and see if that setting is correct.

[bsossamon]

The policy is being applied but when i open FM the browser it is not going through our Eplicit filters it is sending the traffice to our transparent filters which is for guests with the most restrictive web access. The Explicit filters give groups least or most restrictive access based on AD group membership. I am logging in the computer with a elevated user that has minmum web restriction. And opening FM but when i try to open facebook for example i am still getting the most restrictive policy as if the browser is not routing the .pac file correctly or the pac file is not able to work in FM. I hope this makes sense.

[bsossamon]

Just another note if i am using regular version of Firfox the pac file works fine.

[DraconPern]

Simple .pac files do work. For example,

Code: Select all

function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
return "PROXY 192.168.1.1:8080";
else
return "PROXY 192.168.1.2:8080";
}

I don't believe one .pac file supports routing based on ad group membership. At least not the normal .pac format. What you should do is create one .pac file for each filter policy that you have. Then assign those .pac file to the User section in the group policy. Note that the User section takes precedence over the Computer section. That way users will always get the right filter depending on their AD membership.

PM me the .pac if that's possible.

[bsossamon]

I have PM the pac we use. I do not think it is feasible for us to create a single pac for each individual policy. I have 10 or more groups now and to manage that many pac files is to much.