PAC file and ASA

Hi everyone,
I have a PC which has a proxy configured, and I can access all the websites with it.
Traffic goes via the firewall and Websense.
On another PC with no proxy configured, I cannot access some websites.
The FW logs show this when the connection is not made:
Apr 22 2013 15:03:28: %ASA-4-507003: tcp flow from  to outside:terminated by inspection engine, reason - inspector reset unconditionally.
Apr 22 2013 15:03:28: %ASA-6-302014: Teardown TCP connection 4984216 for outside:/443 to :/59557 duration 0:00:00 bytes 123 Flow closed by inspection
Apr 22 2013 15:03:28: %ASA-4-507003: tcp flow from /59557 to outside:/443 terminated by inspection engine, reason - inspector reset unconditionally.
Apr 22 2013 15:03:28: %ASA-5-304002: Access denied URL https://x.x.x.x/ SRC  DEST  on interface .
So I need to know: if the connection is not made to those websites, does the traffic go via the firewall only?
Does it not touch the Websense?
When the proxy is configured on the browser, how does the firewall handle the request then?
Can someone please explain the traffic flow from the PC to Websense?
Thanks
Mahesh

Hello,
No, I don't.
I said that I am definitely not a Websense expert, but I will check the reports/logs on the Websense appliance and then filter based on your client IP address having issues
regards

Similar Messages

  • Parse JavaScript '.pac' file and get proxy details using C# code

    Hi,
    I have a PAC file --> (A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for a given URL (inbound request)).
    This PAC file contains a JavaScript function “FindProxyForURL(url, host)”. This function returns a string with one or more access method specifications. These specifications cause the user agent to use a particular proxy server or to connect directly.
    Eg:
    function FindProxyForURL(url, host)
    {
        // declare variable strings
        // incorrect proxy value
        var use_proxy_yes = "PROXY MyWrongServerAddress:8080";
        // correct proxy value
        //var use_proxy_yes = "PROXY MyCorrectServerAddress:8080";
        var use_proxy_no = "DIRECT";
        // we can keep adding all the URLs here for which we do not want a proxy
        if (shExpMatch(url, "*.MyWebsite.com*")) { return use_proxy_no; }
        // Proxy anything else
        return use_proxy_yes;
    }
    This method will be saved as the 'proxy.pac' file.
    From C# code I have to parse the above 'proxy.pac' file and get the proxy value that it returns based on some condition specified in the above method.
    Please, someone help me know how I can achieve the above requirement. Thanks in advance.
    Chetan Rajakumar

    Hi,
        HTTP Connection created in ECC is used for retrieving the SWC components of IR....but it cannot be used by PI for posting the data to Proxy...
    so in this need to provide the needed details at XI adapter level ...
    chk the below blog which can give u an idea...
    /people/siva.maranani/blog/2005/04/03/abap-server-proxies
    Also for the above error check below threads
    SLD_NO_OWN_BS
    error: SLD_NO_OWN_BS, proxy scenario
    HTH
    Rajesh
    Edited by: Rajesh on Apr 15, 2010 12:04 PM
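What any non-browser host has to supply in order to get an answer out of the proxy.pac in the question above, shown as an added JavaScript example (not code from the original posts): the PAC helper functions plus a call to FindProxyForURL. The names evaluatePac and PAC_SOURCE are hypothetical, only three helpers are implemented, and shExpMatch is case-sensitive here as an assumption of this sketch.

```javascript
// The PAC text from the question, with its opening brace restored.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
    var use_proxy_yes = "PROXY MyWrongServerAddress:8080";
    var use_proxy_no = "DIRECT";
    if (shExpMatch(url, "*.MyWebsite.com*")) { return use_proxy_no; }
    return use_proxy_yes;
}`;

// PAC helper: shell-style match where * is any run of characters and ? is one.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$").test(str);
}

// PAC helper: true when the host name ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// PAC helper: true for single-label names such as "intranet".
function isPlainHostName(host) {
  return !host.includes(".");
}

// Compile the PAC text with the helpers in scope and ask it about one URL.
// new Function is NOT a sandbox: the PAC code runs with the privileges of
// this process, so only feed it PAC files from a source you trust.
function evaluatePac(pacSource, url) {
  const host = new URL(url).hostname;
  const helpers = { shExpMatch, dnsDomainIs, isPlainHostName };
  const factory = new Function(
    ...Object.keys(helpers),
    pacSource + "\nreturn FindProxyForURL;"
  );
  const findProxy = factory(...Object.values(helpers));
  const result = findProxy(url, host);
  if (typeof result !== "string") {
    throw new TypeError("PAC script returned a non-string value");
  }
  return result;
}

// Constructed sample URLs, not taken from the thread.
console.log(evaluatePac(PAC_SOURCE, "http://www.MyWebsite.com/index.html"));
console.log(evaluatePac(PAC_SOURCE, "https://example.org/"));
```

A PAC file that calls helpers not defined here (for example myIpAddress or dnsResolve) will throw a ReferenceError, which shows which functions the host still has to provide.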

  • IronPort S160/ASA5510 integration - PAC file and blocking Port 80

    We have successfully integrated our ASA5510 and IronPort S160 appliance with Active Directory and eDirectory.  We've configured AD to push IE settings to use the IronPort proxy.pac file.  Now we need to "Block" un-configured IE access to Port 80 traffic.
    In my ASA I have a firewall exception for our WAN IP ranges (source) to any Destination port tcp/http, tcp/https and domain.  If I remove the tcp/http from the exception "ALL" port 80 traffic stops, including those PCs configured to use the IronPort Proxy.pac file.
    So where have I gone wrong?  I want to block un-configured IE access to Port 80, forcing all users to pass through the IronPort appliance.

    I hate this job.  About 11:10 PM as I was trying to get ready for bed, I had the same thought.  Of course I had to test it out, so back to the VPN connection I went and added the filter permit for port 80 for the IronPort's IP address and voilà, it worked.  Thanks for answering my post just the same.

  • FF unable to comprehend PROXY.PAC file with IPv4 and IPv6 rules in it

    My intranet setup involves users going through Squid proxy on a server discoverable by WPAD. Everything worked well until I introduced IPv6 into the network. Now I want their FFs to go IPv4 proxied and go IPv6 direct. I wrote proxy.pac ( http://pastebin.com/UFwVBzcN ) but FF8 throws "XPCSafeJSObjectWrapper is not defined" error. How can this be done?

  • Using a Pac File with the new Macbook Pros

    I have recently purchased a new MacBook Pro, and to access the internet at my college I need to use a PAC file. My classmate has the drop-down option to select it because their MacBook Pro is an older model, but my new MacBook doesn't. How do I get the "Using Pac File" option?
    Thanks people in advance for your help!

    OS X Lion is not being included as an install DVD with new Macs. (It does come pre-installed.) Apple is offering a $69 USB stick with Lion pre-installed for owners who would like to own a solid state means of recovery. Lion is strictly internet based with its recovery features - in other words - Macs will need to be able to connect to the internet to restore a computer with HDD failure (or some other issue where you need to restore the system.)

  • Proxy.PAC file not working after upgrade to 10.9.2

    I have a local proxy.pac file and it was working happily before 10.9.2.
    It was loaded under "Network > Proxies > Automatic Proxy Configuration" and effective for all browsers (Chrome, Safari and Firefox).
    After upgrade to 10.9.2 seems like it's being totally ignored. I have a CNTLM proxy in my machine and can see the traffic coming in. Looking at logs, no traffic really comes in and all browsers try to access internet directly.
    If I set the proxy.pac directly in Firefox, it works but I want all my browsers and application. I want the same functionality as of 10.9.1 and before.

    I submitted a bug report to Apple. The problem is present since 10.9.2, now with 10.10 and iOS. I hope they will take this problem seriously.

  • Drop IE connection if PAC file not found

    When users are in the corporate network, their machines will grab the PAC file and use it.
    However, when they bring the machine back, since the machines are unable to grab the PAC file (without VPN), IE reverts to a direct connection, hence bypassing the PAC file settings and going to any sites they want.
    Is there a way to change the default settings of IE or Windows such that, if the PAC file is not present, no connection is allowed for IE?

    Hi Zacklu,
    As far as I know, when users leave the corporate network, it will be very hard to control their actions, so I think it's hard to achieve your goal.
    Could you please tell me why you want to have this setting?
    Regards
    Yolanda
    TechNet Community Support

  • Performance degradation when using proxy.pac file with FF ESR 31

    With Bug 923458 many people complained about a performance issue compared to other browsers when a proxy.pac file is used.
    The issue initially reported with the bug was resolved for ESR25 according to the statistics, but the general performance issue remained.
    I had the same issue with ESR24 and ESR31.3.
    I was testing with www.bild.de.
    It took about 40 seconds to load the content completely. Without the proxy.pac file it took about 10 seconds.
    I added a few alerts to the pac-File in order to get logs within the console for some analyses.
    I found the following:
    1. the pac file is executed for every request, no matter if the host changed or not.
    With us the pac-File checks for IP addresses and host names only.
    It is not necessary to execute the pac file for each and every request to the same remote host.
    So the question is, if we are able to disable this behaviour via about:config?
    2. the content referenced by www.bild.de seems to be loaded sequentially and with a delay
    The overall time consumed by the proxy.pac file executions was about 4 Seconds compared to the 40 seconds of overall load time.
    So I checked the delay between executions of the pac-file and found an overall delay of 40 seconds. I expect that the delay between the calls to the pac-file is caused by the retrieval of contents from the remote host.
    So why are the requests executed sequentially?
    Hint: Due to the times necessary for executing the pac-file and downloading the contents from the remote host, I would expect the logs generated by my alerts to be mixed (especially if myIpAddress took 1 Second). But the log is cleanly ordered by URL. (see attachment)

    Hi guigs2,
    thanks for your response. As we only use myIpAddress once within our pac-File and only rely on dnsDomainIs(), ==-Comparisons and shExpMatch() and the sum of all pac-Executions was about 4 seconds compared to 40 seconds overall load time, I do not think that dns resolving is our issue.
    I checked the settings of the configuration you mentioned above. It is set to "false", so the client would try to resolve the DNS names. Our admin told us that we do not use SOCKS proxies, only HTTP proxies.
    Regarding sequential load of the contents included on www.bild.de from other web sites, I attached a screenshot.
    Please note the red highlights. These show the start time in milliseconds of the pac-execution. I added this as a kind of id which represents a unique identifier together with the URL if the log items are mixed. But they are not, instead they are cleanly ordered by URL (for all 360 pac-file calls).
    Moreover, in the picture you can see the delay between the end of the last pac-file execution and the next one (blue timestamp in milliseconds compared to the red timestamp of the next row saying "entered proxy.pac"). The delays sum up exactly to the 40 seconds the FF took to load the page completely.
    Alone the fragment shown represents a delay of 630ms between the pac-file executions. If the contents would be loaded in parallel, there should be no such delay.

  • Java Verify and PAC Files

    We have started using PAC files to control how our browsers connect to the Internet.
    What we have found out is that Java won't use the PAC files when verifying the Java version.
    Java installs just fine but fails on the "Verify Java Version".
    Here is the message you get: "We are unable to verify if Java is currently installed and enabled in your browser".
    If I un-check "Use automatic configuration script", check "proxy server" and point to the same web proxy IP used by the PAC file, Java verifies.
    We found this issue when web applications started failing to open their Java applets because it couldn't verify the Java version.
    How do I get Java to use our PAC files?

    No. If you want to do that you should just use Access. mySQL files will not work without the mySQL server.

  • Coverage Zones and PAC files

    Just wondering if anybody has used coverage zones and PAC files to do auth browser configuration.
    I'm looking at a global deployment of Content Engines (ACNS 5.1) and would like to set each CE up as a PAC server to respond to a request and direct the user to the nearest CE. So if I'm in Milan I use the Milan CE and when I go to London I use the London CE.
    I'm trying to get my head round this in the lab at present and want to get away with not using a Content Router only CE's. Can this be done?
    Any experience will be really helpful and I'll post any findings back to this thread.
    Thanks
    Mark

    Here is something that I found. ACNS 5.1 has the new auto proxy-config option which combines coverage zones with a proxy pac file. Essentially, you create a pac file that contains a special macro, and configure the CE (through the CDM GUI) to use that pac file in conjunction with the coverage zone information. Then, when the client requests that pac file from the CE, the CE replaces that macro in the pac file with one (or more) CE names based on the coverage zone that matches the requesting client's IP address. Link to the configuration.
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/uce/acns51/deploy51/51router.htm#wp1039339

  • How to install and verify the license file on ASA 5512-x

    Hi Friends,
    How do I install and verify the license file on an ASA 5512-x firewall? I have a license pak for CX and web security essential.
    What needs to be done? Can I install this license file on the firewall, or does it need to be installed on the CX server?  Because I don't have the CX server right now.
    Please share me document for installation of this license.
    thx
    Ashish Kumar

    Hi,
    one possible solution is to use an intermediate array. The intermediate array should be used in the user interface. When new data is entered the VI should read each element and then compare to the elements in the stored array. If all elements are different then update the array, otherwise display a fault message.
    You could use a sequence activated when the Enter button is pressed. In the first frame you would compare the First array with the stored array. It is probably best to use a Boolean indicator to show if the data is valid. Make sure you declare this as a local variable.
    With the sequence you can perform the comparisons in several separate frames or in one frame with an OR to link the results. For large numbers of comparisons I prefer to use multiple frames because otherwise the screen becomes a maze of wires and other programmers who may need to maintain the code in the future will find it hard to follow a single frame.
    Once all the data items have been compared then the following sequence should contain a CASE statement of type True/False. Link a readable copy of your local variable to the selector of this statement. Then in the FALSE case (Assuming you have linked the boolean to be false when no data is duplicated) copy the new array to the stored array. In the TRUE case bring up an error message.
    So long as your arrays are not too large and you do not use this technique in too many places in your code the processor overhead should not be badly affected. For frequent use of such a comparison in several VIs you may want to create a dedicated subVI for the task. For very large arrays you should seek a different solution.
    Hope that helps a bit.
    Good luck,
    Shaf

  • Outlook and proxy PAC file

    Using Outlook 2010 SP2 connecting to Exchange 2013 SP 1 with a PAC file (configured under Internet Options).  When the PAC file is not available, Outlook fails to connect to Exchange initially, upon hitting the retry button (on server unavailable message), it connects just fine.  Not sure if this has to do with Outlook Anywhere or Outlook application in general, but it looks as if it does not fail open cleanly (like IE for example).  Is there a way to tell Outlook to connect to Exchange by ignoring/bypassing the system wide proxy config from Internet Options?  I want to ensure that if the PAC file is not available to Outlook, it connects to Exchange without issues.

    Thank you for the update.
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.
    Steve Fan
    Forum Support
    Come back and mark the replies as answers if they help and unmark them if they provide no help.

  • Transfer files between ASA and a host across a VPN

    Hello Guys,
    I have a Remote Access VPN between an ASA and a Windows PC, the issue that I'm seeing is that I can't transfer files between the ASA and my PC across the VPN.
    The first time I thought that because the size of the file and some issue with my ADSL service bandwidth could be the problem. However, I tried to copy the running config of the ASA to my PC and is also impossible. I received this error:
    ASA# copy running-config tftp:
    Source filename [running-config]?
    Address or name of remote host []? 10.10.10.2   ----> This is the address of my PC over the VPN tunnel
    Destination filename [running-config]? ASA-Config04032014
    Cryptochecksum: f5a9f8cb 9f63b2e5 e8c99e36 9498cb50
    %Error writing tftp://10.10.10.2/ASA-Config04032014 (Timed out attempting to connect)
    Has anybody had this kind of problem before?
    Thanks in advance,

    I was wondering if I transfer files between a PC and Mac via Ethernet cable can I reverse the transfer from a Mac to a Pc?
    Yes. Start Windows File Sharing on the Mac and then access it on the PC.

  • PAC file doesn't work in SAFARI 7.0.x

    Hi,
    To access the internet and emails at work I need to configure the proxy, which is done through pac file.
    I indicated the URL of the file to 'PREFERENCES' but it didn't work. As I am new to the Mac world, I searched at several places, but none of the tips solved my problem.
    I'm using Safari 7.0.x and Mavericks
    Can anyone help me?

    Probably the best bet is reading how those files are configured, and submit the settings through the System Preferences for Proxies
    http://en.wikipedia.org/wiki/Proxy_auto-config
    TextWrangler should be able to look at the file without modifying it and give you an idea of what commands need to be duplicated through the Proxies settings in the System Preferences for Networking.

  • PAC file not working in IE 9

    I have the IE9 browser set to use the PAC file, but it does not send traffic to the WSA.  I have tried it locally from the C: drive and downloading it from the WSA PAC source.  Putting the link to the file opens it from either location.  It seems that it is not processing it.               
    Some document suggested to name it proxy.pac; this did not help.
    Here is the code to proxy when the WSA is available and go direct to the website when the WSA is not in the network the user is in (mobile users)
    function FindProxyForURL(url,host){
        // Try the WSA first, then fall back to a direct connection
        return "PROXY 10.100.2.2:80; DIRECT";
    }

    I would highly recommend putting the WSA in the DNS resolution. Depending on what kind of authentication you are performing, you will need to resolve the hostname.
    Christian Rahl
    Customer Support Engineer
    Cisco Web Content Security Appliance
    Cisco Technical Assistance Center RTP
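A return value such as "PROXY 10.100.2.2:80; DIRECT" is an ordered fallback chain, and the trailing DIRECT is what lets a client go around the proxy when it cannot be reached, which is the behaviour the "Drop IE connection if PAC file not found" and IronPort threads above want the firewall to stop. The following added JavaScript example (not from the original posts) parses such a string and reports whether the chain fails open; parsePacResult and auditFallback are hypothetical names, and the sketch assumes every proxy entry carries an explicit port.

```javascript
// Access-method keywords accepted by common PAC implementations.
const KNOWN_TYPES = new Set([
  "DIRECT", "PROXY", "SOCKS", "SOCKS4", "SOCKS5", "HTTP", "HTTPS",
]);

// Split a FindProxyForURL return value into ordered entries plus a list of
// entries that could not be understood.
function parsePacResult(result) {
  const entries = [];
  const errors = [];
  for (const raw of result.split(";")) {
    const item = raw.trim();
    if (item === "") continue; // tolerate a trailing ';'
    const [type, target, ...extra] = item.split(/\s+/);
    const kind = type.toUpperCase();
    if (!KNOWN_TYPES.has(kind)) {
      errors.push("unknown access method: " + item);
      continue;
    }
    if (kind === "DIRECT") {
      if (target !== undefined) errors.push("DIRECT takes no target: " + item);
      entries.push({ kind });
      continue;
    }
    // host:port, where host is a name, an IPv4 address or a bracketed IPv6 address
    const m = /^(\[[0-9a-fA-F:]+\]|[^:\s]+):(\d{1,5})$/.exec(target || "");
    if (!m || extra.length > 0 || Number(m[2]) > 65535) {
      errors.push("bad host:port: " + item);
      continue;
    }
    entries.push({ kind, host: m[1], port: Number(m[2]) });
  }
  return { entries, errors };
}

// failsOpen: the chain contains DIRECT, so the client will attempt an
// unproxied connection at that point. Whether that connection succeeds is
// decided by the firewall rules, not by the PAC file.
function auditFallback(result) {
  const { entries, errors } = parsePacResult(result);
  const failsOpen = entries.some((e) => e.kind === "DIRECT");
  return { entries, errors, failsOpen };
}

// The WSA chain from the post above.
console.log(auditFallback("PROXY 10.100.2.2:80; DIRECT"));
```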
