Using SCP with Existing PAC Files
A PAC file operates at the application layer, so a PAC file has the first chance to change traffic flow of an application, provided the application honors the PAC file. SCP operates at the network level, so SCP has the final chance to redirect traffic for any application (whether proxy-aware or not), provided it is configured to intercept the destination/port combination. SCP can be used to redirect traffic to Skyhigh solutions with or without a PAC file. PAC files can be used to redirect traffic to any proxy, with or without SCP. With the multiple redirection options supported for SWG and WGCS (SSE and WPS) there is flexibility to utilize the appropriate methods for each system and any of their possible operating environments.
Generally PAC files are required under the following conditions:
- Environments that don’t resolve external DNS
- For clients that do not have a default internet route
- If the logic of choosing the proper proxy is increasingly complex such that it cannot be supported by SCP Policy alone
- Handling systems that do not have SCP
Combining use of SCP with PAC files can be helpful in testing or transitioning to Skyhigh Security Service Edge (SSE) in environments where PAC files are currently in use.
About PAC Files
PAC files (and WPAD, an automated distribution method for PAC files) are excellent tools for working in explicit proxy environments and with applications that can be configured to use them.
|Granular determination of what traffic should be directed to which proxies and what traffic should go directly.||Operates only for applications and TCP protocols that are aware of PAC file and honor it.|
|Granular proxy selection with different fallback options for each scenario.||Browser or application needs to be restarted in case the PAC file cannot be reached on application start (e.g. captive portal environments). Changes to the PAC file only get reflected when the application is restarted.|
|Supports intelligent load balancing to enhance caching performance of local proxy caches.||PAC files can not add encryption, some ISPs will block unencrypted proxy CONNECT requests. Also, PAC files when used alone cannot transparently authenticate to a cloud proxy.|
|If the environment is configured for Web Proxy Auto Deployment (WPAD), most browsers automatically use a PAC file by default.||Complicated and difficult to maintain, syntax errors can break operation and it is easy to implement incorrect logic that results in unexpected operation.|
|Flexibility in terms of configuration to failover, fail open, or fail closed.||Can't be configured for fastest response time.|
|Supports redirection of any port.||Easily bypassed or subverted unless there are compensating controls that may also impact operation in uncontrolled environments.|
|Supported by most browsers irrespective of operating system.||Does not pass any context about the client to the destination proxy.|
|Supports secure network environments where there is no external DNS resolution and no default route.||Use of HTTP3/QUIC will bypass the PAC file unless the network blocks UDP on 443 and 80.|
SCP is a robust redirection software for explicit proxy environments. It operates as a transparent web proxy for all applications. All vendor supported Windows and Mac operating system versions can utilize SCP.
|Application agnostic, highly tamper resistant, not easily bypassed, administrative controlled bypass and uninstall.||Requires installation of an agent that only runs on Windows and Mac operating systems.|
|Supplies prompt-less user and group information to the proxy without need for a directory connection or synch.||Needs to have routing to a supported proxy (cloud, or on premise).|
|Allows for alternate proxy and bypass based on destination port, domain, IP, and process name.||Requires standard DNS resolution for domain-based redirection decisions.|
|Adds additional context for filtering decisions, policy name, process name, OS, OS version, system name etc. Can also be configured to failover, fail open, or fail closed (when internet is available, but no proxies can be reached).||SCP through version 4.2 only supports redirection of HTTP and HTTPS protocols.|
|Network aware, operation can be adjusted based on network location. Redirection policy automatically updated on all clients within a few minutes of change.||Through 4.2 only supports redirection of IPv4 traffic (can block use of IPv6 to force use of IPv4).|
|When using cloud service, it will automatically select best proxy based on geolocation of client. Can also be used with Web Gateway Cloud Service and Skyhigh Secure Web Gateway simultaneously.||Through 4.2 only intercepts configured ports.|
|Can intercept any configured port. Proxy selection can be based on fastest response time or first available.||Selection of the optimal cloud proxy requires DNS resolution of Skyhigh cloud proxy domains.|
|Can add encryption for unencrypted protocols. SCP Policy can block HTTP3/QUIC so that this traffic doesn’t bypass the proxy.|
Best of SCP and PAC Files
As evident from above examples, many of the advantages of one solution are disadvantages of the other. Systems that use PAC files can simultaneously exist with systems using SCP and utilize the same services on the same network. For some scenarios, it may be beneficial to utilize both methods actively on the same system, or to utilize different methods in different network environments, and different systems. SCP can work with a PAC file without alterations to the existing PAC file or to any browser settings.
Remember the following when using SCP with PAC files:
- SCP can easily forward proxied requests from an application using a PAC file provided it is configured for intercepting the proxy port and the proxy address is not in the bypass list.
- When SCP forwards a proxied request, bypasses and alternate proxy by domain and original destination IP will not work. Bypass and alternate proxy by process name and port will work.
- For sites that must be accessed directly, the PAC file is configured to send it direct and (SCP is configured to bypass by port (80,443), or by destination IP, or by process).
- For mobile systems using SCP, it is not advisable to bypass by ports 80 and 443 or by process unless you can have different SCP policies that can be applied when off net.