Add domains to your existing PAC files to bypass proxy handling, or add new custom PAC files.

The PAC file proxy-based solution forwards your end-user traffic to the Internet Access Gateway that enforces Internet Access Control rules.
To find out about other traffic forwarding options, see Traffic forwarding options for Internet Access.

Procedure

  1. On the Trend Vision One console, go to Zero Trust Secure Access > Secure Access Configuration > Internet Access Configuration.
  2. On the PAC Files tab:
    • Create a new PAC file by clicking Add.
    • Edit an existing PAC file by clicking the Edit icon in the Action column.
  3. Specify a unique PAC file name and Description.
  4. For customers who want to automatically populate the proxy bypass list for supported apps, enable the following:
    • Bypass proxy for network requests to Microsoft Office 365
    • Bypass proxy for network requests to Google
  5. Choose how to edit the PAC file by selecting an Edit mode.
    • Basic mode adds domains to the file using the user interface and does not affect any other code.
      Supports multi-byte encoded and non-ASCII characters.
    • Advanced mode displays the complete contents of the file in an editable field.
      If you have an existing PAC file, copy the code and paste it into the field.
    Important
    When also using Zero Trust Secure Access Private Access, you must include but not modify the following arguments:
    • isInNet(ip, "100.64.0.0", "255.255.0.0");
    • var DNSNeedResolve = true;
    These arguments ensure that Private Access traffic is bypassed when its destination IP address falls in the 100.64.0.0 network segment after local DNS resolution.
    When using your own PAC file, ensure that you add the Private Access bypass code. The following example adds the network segment so that Private Access traffic bypasses forwarding to the Internet Access Gateway.
    if (isInNet(dnsResolve(host), "100.64.0.0", "255.255.0.0"))
       return 'DIRECT';
    Zero Trust Secure Access automatically adds the following domains to PAC files:
    • windowsupdate.microsoft.com
    • *.windowsupdate.microsoft.com
    • *.update.microsoft.com
    • *.windowsupdate.com
    • download.microsoft.com
    • ntservicepack.microsoft.com
    • officecdn.microsoft.com
    • officecdn.microsoft.com.edgesuite.net
  6. (Optional) Add additional proxy FQDNs to your PAC file.
    Note
    Adding additional proxies requires editing the PAC file using advanced mode.
    1. Obtain the FQDNs or IP addresses of the proxy servers you want to include in your PAC file.
      Secure Access only allows the following proxy FQDNs or IP addresses in PAC files:
      • Internet Access Cloud Gateway proxy
        Tip
        To see a list of the available cloud Internet Access Gateway proxy servers, go to Port and FQDN/IP address requirements and select your region.
      • Internet Access On-Premises Gateway proxy
        Tip
        Trend Micro recommends using the FQDN of on-premises proxy servers.
    2. Locate the return value of the function FindProxyForURL.
    3. Edit the return value of the function.
      The return value must be a string containing one or more of the following elements, separated by a semicolon.
      • PROXY <FQDN of proxy>:<port>
      • DIRECT
      Example:
      PROXY proxy1.mydomain.com:8088; PROXY proxy2.mydomain.com:8088; PROXY proxy3.mydomain.com:8088; DIRECT
      Note
      Use the following port numbers:
      • Cloud Gateway: 80
      • On-Premises Gateway: 8088
    Note
    If the first proxy server in the list fails, Secure Access tries the remaining proxy servers one at a time, in the order listed.
  7. Click Save.
  8. (Optional) Apply the modified PAC file to the target devices with the Secure Access Module deployed.
    1. In the Applied platforms column, click the Apply icon.
    2. Select the operating systems to apply the PAC file to.
      Note
      Each operating system can only have one applied PAC file.
    The PAC file replacement takes effect within a few minutes.
    You can also replace the PAC file in the Secure Access Module by individual endpoint or endpoint group in the Secure Access Module screen. For more information, see PAC File replacement.
    Note
    For a single endpoint, the PAC file applied by individual endpoint or endpoint group takes effect, regardless of the platform-based PAC file configured for the endpoint.
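
An added example (not Trend Micro's code) combining steps 5 and 6: a minimal PAC body with the Private Access bypass and an ordered proxy chain, plus a pre-upload check of the return string. The DNS table, `checkReturnValue`, the allowed-host list and the stand-in `dnsResolve`/`isInNet` are assumptions so it runs under Node; `proxy1.mydomain.com` and `proxy2.mydomain.com` are the page's placeholder names.

```javascript
// Stand-ins for the PAC built-ins so this runs under Node (assumption: test
// only; the PAC host supplies the real ones, so leave these out when deploying).
var CONSTRUCTED_DNS = { "app.corp.example": "100.64.12.7", "www.example.com": "93.184.216.34" };
function dnsResolve(host) { return CONSTRUCTED_DNS[host] || null; }
function ipToInt(ip) {
  return ip.split(".").reduce(function (n, octet) { return (n * 256 + Number(octet)) >>> 0; }, 0);
}
function isInNet(ip, net, mask) {
  if (!/^\d+(\.\d+){3}$/.test(String(ip))) return false; // unresolved host
  return ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);
}

// ---- PAC file content starts here ----
var DNSNeedResolve = true; // the page requires this line, unmodified, with Private Access

// Ordered failover chain; 8088 is the On-Premises Gateway port given on the page.
var PROXY_CHAIN = "PROXY proxy1.mydomain.com:8088; PROXY proxy2.mydomain.com:8088; DIRECT";

function FindProxyForURL(url, host) {
  var ip = dnsResolve(host);
  // Private Access bypass: destinations resolving into 100.64.0.0 go direct.
  if (isInNet(ip, "100.64.0.0", "255.255.0.0"))
    return "DIRECT";
  return PROXY_CHAIN;
}
// ---- PAC file content ends here ----

// Pre-upload check (hypothetical helper): every element must be DIRECT or
// PROXY <host>:<port>, with an allowed gateway host and port 80 or 8088.
function checkReturnValue(value, allowedHosts) {
  var problems = [];
  value.split(";").forEach(function (raw) {
    var el = raw.trim();
    if (el === "DIRECT") return;
    var m = /^PROXY\s+([A-Za-z0-9.-]+):(\d+)$/.exec(el);
    if (!m) problems.push("malformed element: '" + el + "'");
    else if (allowedHosts.indexOf(m[1]) === -1) problems.push("proxy not in allowed list: " + m[1]);
    else if (m[2] !== "80" && m[2] !== "8088") problems.push("unexpected port: " + el);
  });
  return problems;
}
```

A chain that ends in DIRECT sends traffic out uninspected once every listed proxy is unreachable; omit the trailing DIRECT if the policy is to fail closed.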