When the Web Proxy Configuration is activated, Cloud Web Security automatically creates a default Proxy Auto-Config (PAC) file. Users can also create custom PAC file(s) based on their organization’s needs when connecting to the service.

Users can view or configure the PAC files in CWS by navigating to Cloud Web Security > Configure > Access Method > Web Proxy > PAC Files.

Default PAC File

The Default PAC File is read-only. To view the Default PAC file's configuration details, select the Default PAC File and then click the PREVIEW button.

While users do not need to concern themselves with creating the exact syntax, as the built-in wizard will guide them through PAC file configuration, it is useful to understand the directives in the file.

For example, if a matching block instructs the client to send the traffic DIRECT that means any traffic to those destinations will not go through the proxy. This is useful for several reasons. And traffic that is meant to go to the proxy will have the PROXY directive in its return statement. It could also have both PROXY followed by DIRECT. This means that if the proxy is unavailable, that traffic would still be permitted to go to the Internet.

Custom PAC File

To create a custom PAC file, perform the following steps:
  1. Navigate to Cloud Web Security > Configure > Access Method > Web Proxy > PAC Files.
  2. Click + NEW PAC on the PAC Files configuration page.
    The New/Edit PAC File page appears.
  3. In the PAC File Details page, enter the required PAC file details and click Next.
    • Name (required) - A unique name for the PAC file.
    • Description (optional) - Any additional information that would be useful for other administrators.
    • File Name (required) - The filename that VMware will host for your organization. This file name must end in ‘.dat’. A warning message will appear if the file name is not correctly formatted.
  4. The Proxy and Roaming Configuration page allows users to determine how their remote clients connect to the proxy service when using this PAC file by configuring actions based on the following parameters:
    • Proxy Inaccessible - Users can select either Connect Direct or Block Access options based on if clients should or should not be allowed to the Internet if the proxy is inaccessible.
    • Detect when within the corporate network - Toggle the button ON to determine if the client is within a corporate network.
    • If the client is within the corporate network, users can configure an action if the client should use the corporate network’s Internet access or be redirected to an on-premises proxy server by entering the following details:
      • Internal Server Name - The name of an internal server to be resolved. This server should only be resolvable on the private network.
      • IP Address - The expected internal IP that the server’s name should resolve to.
      • If the hostname is successfully resolved:
        • Connect Direct – Instruct the client to send outbound Web traffic from a browser using the private network.
        • Custom Proxies – Instruct the client to send outbound Web traffic to an on-premises web proxy accessible through the private network.
    • Click Next. The Default Proxy Bypass Configuration page appears.
  5. In the Default Proxy Bypass Configuration page, users can configure proxy bypass rules for predefined domains and subnet/IPs that should not be sent to the Web Proxy.
    • Click the Domain button and under the Exception State column, toggle the button to turn On or Off the domains that should be allowed or bypassed from proxy.
    • Under the Total Domain column, click the number link to view the domains associated to the application.
    • Click the Subnet/IP button to view the subnets excluded from Web Proxy.
    • Click Next. The Office 365 Bypass Configuration page appears.
  6. In the Office 365 Bypass Configuration page, configure bypass of Microsoft 365 domains and specific tenants and click Next.

    Microsoft Connectivity Principles recommend bypassing their endpoints from Web Proxy or SSL Inspection services. Microsoft encourages their customers to access their services direct over the Internet.

    • Bypass Office 365 - Toggle the button ON to allow easy bypass of Microsoft 365 domains. These domains will be added to the PAC file to be bypassed.
    • Tenants - Specify your company specific subdomains provided by Microsoft.
  7. In the Custom Proxy Bypass Configuration page, configure the proxy bypass rules for custom domains and subnets specific to the Enterprise.
    • To add a proxy bypass rule for custom domain, click Domain > + Add Rule and enter a valid domain name.
    • To add a proxy bypass rule for subnets, click Subnet/IP > + Add Rule and enter either the network address (subnet) or the IP address (host) and the appropriate subnet mask value.
    • To delete a rule that is no longer to be bypassed, select the rule and click Delete.
  8. Click Finish. The Custom PAC file is created and appears in the PAC File configuration table.