A Business Technology Place

Proxy.pac for VPN, corporate, home, and public networks

This post is dedicated to those who take a laptop in and out of corporate networks, public networks, and VPN.

After years of changing proxy server settings (based on my location) for internet connectivity, I tried to create an automated solution this week. I have to change proxy server settings based on where and how I am connected online. While not difficult, it’s become a nuisance. Since I change locations often, I’m constantly updating settings. So I went on a search.

The goal
Regardless of location and regardless of browser, I should be able to connect to the internet without changing any settings and without having to key username/password for authentication.

Spoiler Alert: I was not able to find a completely automated solution. This post is documenting some of the steps I followed. +1, Like, and kudos for anyone that can provide assistance.

Pieces of the equation

  • I use multiple browsers (Chrome, Firefox, IE, and Safari)
  • The proxy server from work requires authentication with a domain account and password
  • I’m using a MacBook running Snow Leopard with Parallels running Windows 7
  • I have three environments:
      1. Corporate network (work)
      2. VPN (work via home / public)
      3. Home / Public network

Step 1: Create a proxy.pac file.
There are many sites that give examples of these files along with the supported functions. It’s essentially a JavaScript file that defines when to use, and when not to use, a proxy server. I was originally drawn to this type of configuration in hopes that I could configure each of my three locations within the file.

Right now I have the simplest of all configurations. It looks like this:

function FindProxyForURL(url, host)
{
  // Always send traffic through the corporate proxy
  return "PROXY MyProxyHost.MyProxyDomain.com:8080";
}

More on my issues with this a bit later.

Step 2: Install Authoxy. This program runs on the local machine and acts as an intermediate proxy: it forwards requests to the proxy server along with the username/password details that are defined in it. The reason for using this software is to keep the username/password in a single location instead of in multiple places in the system preferences or browser-specific proxy configuration.

Here’s the configuration found in the System Preferences area on the Mac. Notice I reference the proxy.pac created in step 1.

 

Step 3: Set Authoxy to start automatically. Do this in the System Preferences → Accounts → Login Items tab.

Step 4: Set the proxy settings in the System Preferences → Network area for both the Ethernet and AirPort (Wi-Fi) interfaces. The trick here is to set the proxy destination to 127.0.0.1 (localhost), because the Authoxy program is running there and acts as a proxy to the proxy.

Step 5: Set the browser settings. On the Mac, the Safari and Chrome browsers use the system proxy setting that is set in Step 4, so no further work is required for Safari and Chrome. For Firefox, there is a separate section in the Preferences → Network tab. Right now I have this set to “no proxy” but I could also point that to the system settings.

Firefox Proxy Settings

Results
In this setup, the Chrome and Safari browsers will work without further configuration if I am connected to the corporate network or to the corporate VPN. Those two browsers do not work if I am connected to a public or home network because the proxy server doesn’t exist on those networks. For this situation I have set Firefox to use no proxy.

Issues with Proxy.pac
As I mentioned before, I had hoped to configure the proxy.pac file to recognize all three of my environments. I tried three different techniques to solve this.

First Try: Use myIpAddress()

function FindProxyForURL(url, host)
{
  // If machine is on the corporate network then use the proxy
  if (isInNet(myIpAddress(), "10.0.0.0", "255.0.0.0"))
    return "PROXY MyProxyHost.MyProxyDomain.local:8080";

  // Otherwise do not use a proxy
  return "DIRECT";
}

This worked great while I was on the corporate network, and I thought it would work with the VPN because the machine receives a 10.x.x.x address when on the VPN. The problem is that the myIpAddress() function returns the first IP address from the system, and that is my wireless adapter address when I’m on the VPN.

Second Try: Use return statement with multiple destinations

function FindProxyForURL(url, host)
{
  // Alternative way to do this in one statement. Checks to see if the proxy
  // responds and, if not, tries the next destination.
  return "PROXY atltmgp1.harlandclarke.local:8080;DIRECT";
}

This solution works great for the corporate network and VPN. But when I’m on a public/home network I have to wait for the proxy destination to time out. Sometimes the browser timeout occurs before the proxy timeout and so no page is served.

Third Try: Use isResolvable()

function FindProxyForURL(url, host)
{
  // If the proxy server is resolvable then the machine is on the corporate network or VPN.
  if (isResolvable("MyProxy.MyProxyDomain.local"))
    return "PROXY MyProxy.MyProxyDomain.local:8080";

  // Otherwise use no proxy
  return "DIRECT";
}

This never worked. I think the DNS check to resolve the host name exceeded the timeout for the browser.
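As an added example (not part of the original post): a small Node.js harness that loads PAC source text and evaluates it against simulated environments, so the first and third attempts can be compared offline. The environment addresses and the names `runPac`, `decisions` and `ENVIRONMENTS` are assumptions; the harness models only the PAC logic and counts blocking DNS lookups rather than timing them.

```javascript
// Added example, not from the original post; environment values are constructed.
function ipToInt(ip) { // dotted-quad IPv4 -> unsigned 32-bit integer
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}
// Evaluate PAC source text against a simulated environment. Returns the PAC
// decision plus how many blocking DNS lookups the script made to reach it.
function runPac(pacSource, env, url, host) {
  let dnsLookups = 0;
  const helpers = {
    myIpAddress: () => env.firstIp,
    isInNet: (ip, net, mask) =>
      ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0),
    isResolvable: (name) => { dnsLookups += 1; return env.resolvable.includes(name); },
  };
  const names = Object.keys(helpers);
  const load = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  const findProxy = load(...names.map((n) => helpers[n]));
  return { decision: findProxy(url, host), dnsLookups };
}

// The post's first and third attempts, as PAC source text.
const FIRST_TRY = `
function FindProxyForURL(url, host) {
  if (isInNet(myIpAddress(), "10.0.0.0", "255.0.0.0"))
    return "PROXY MyProxyHost.MyProxyDomain.local:8080";
  return "DIRECT";
}`;
const THIRD_TRY = `
function FindProxyForURL(url, host) {
  if (isResolvable("MyProxy.MyProxyDomain.local"))
    return "PROXY MyProxy.MyProxyDomain.local:8080";
  return "DIRECT";
}`;

// Constructed environments: on the VPN the Wi-Fi address is still listed first.
const ENVIRONMENTS = {
  corporate: { firstIp: '10.20.30.40', resolvable: ['MyProxy.MyProxyDomain.local'] },
  vpn: { firstIp: '192.168.1.23', resolvable: ['MyProxy.MyProxyDomain.local'] },
  home: { firstIp: '192.168.1.23', resolvable: [] },
};

function decisions(pacSource) {
  const out = {};
  for (const [name, env] of Object.entries(ENVIRONMENTS)) {
    out[name] = runPac(pacSource, env, 'http://example.com/', 'example.com');
  }
  return out;
}
console.log({ firstTry: decisions(FIRST_TRY), thirdTry: decisions(THIRD_TRY) });
```

In the simulated VPN environment the first attempt returns DIRECT because the address check sees the Wi-Fi address, while the third attempt reaches its decision only after one DNS lookup per request.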

At the end of the day, after several hours of trying different combinations, I didn’t reach my ultimate objective. But I did get a little closer. 😉

  • EricH

    We were not able to get a proxy pac file to work correctly with VPNs. Our situation was the user could be in one of three locations: Off Network, On Network Normal, On Network with VPN. We finally ended up having to use two .pac files. One pac file for on/off network normal, and another .pac for when using the VPN.