by
Etienne Liebetrau
Using your Sophos UTM in Standard proxy mode has a few advantages over using it in Transparent mode. One of these is the ability to use a proxy configuration script, normally called wpad.dat.
These scripts not only allow you to instruct the browser which proxy to use, but also when to use it and when not to. Typically you would not want a client machine on your internal network to use the proxy when accessing sites within the network itself.
You could of course manually specify the proxy per user and add a list of exclusions, but using a proxy configuration script makes sure all clients are configured in the same manner. If you ever need to make a change, then it can be made in one place and distributed centrally.
This article takes you through the three simple steps to deploy auto proxy configuration with Sophos UTM.
You can create the proxy configuration script manually if you really want to, but there is a tool that makes the script creation a simple process. It is called PAC Magic and is available from Alan Toews' great UTM Tools website.
Update: Unfortunately the UTM Tools website no longer exists, but Alan Toews has kindly given us permission to make the PAC Magic tool available here. Alternatively, you can access the PAC Magic tool on the internet archive wayback machine.
PAC Magic allows you to quickly and easily specify the options that you want such as:
At the bottom of the screen you can test a few URLs see wither the your browser will use the proxy or not based on the settings.
Once you are happy with your settings, you can go to the Script Testing tab and click the Copy PAC Script to Clipboard button so you are ready to paste it into the Sophos UTM.
Sophos UTM can serve as the host for your WPAD file and it is recommended to do so. When the wpad file is downloaded from the UTM, the ${asg_hostname} variable is replaced by the UTM's specified hostname. If you decide to host the wpad.dat file on a separate web server you need to manually replace this with the UTM's hostname or IP address in the script.
To host your WPAD script on the UTM:
We are now ready to test our proxy configuration from a browser.
The file will always be hosted on http://utmhostname:8080/wpad.dat (replace utmhostname with your actual UTM's hostname). If enter this URL into your browser, it will download the file. Open the file in a text editor and confirm that ${asg_hostname} variable has been replaced with the actual UTM's hostname.
Next, you should manually configure your browser to use the auto configuration script. This allows you to test that everything is working as expected before you roll this out.
Open Internet Explorer and go to Internet Options | Connections | LAN Settings. Only check the box for "Use Automatic Configuration script" and enter http://utmhostname:8080/wpad.dat (again, replace utmhostname with your actual hostname).
Now that your script is configured and Sophos UTM is set up to serve it, you can roll it out to the rest of your network environment. There are a few ways of doing this, but the most effective, is to use DHCP as this works across all browsers.
Any machine that is configured to "Automatically Detect Proxy Settings" will now discover the WPAD script automatically via DHCP. This will take effect the next time the IP lease is renewed. The "Automatically detect" setting will take preference over all of the other proxy configuration settings.
For other options of rolling out the auto proxy configuration script, see the 'Further Reading' section below.
Proxy auto configuration scripts are a great way to optimize client request routing for when and when not to use the proxy. The scripts can also be extended to include other elements such as a secondary backup proxy.
If you would like to know more about other methods of distributing the configuration script, I have written some previous articles that you can help you. They are focused on Microsoft Forefront TMG, but the concepts are true for any proxy configuration.
https://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-i.html https://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-ii.html https://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-iii.html https://fixmyitsystem.com/2010/10/tmg-auto-proxy-configuration-part-iv.html
If you want to expand on your proxy configuration script, there are a range of PAC functions available to use:
Hostname based conditions:
Related utility functions:
URL/hostname based conditions:
Time based conditions:
For more info on using these PAC Functions, see
Or
Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
How To Allow Skype Through Sophos UTM in Standard Proxy Mode
How to Configure Multiple Site-to-Site SSL VPNs with Sophos UTM