icon-zia.svg
Secure Internet and SaaS Access (ZIA)

Distributing a PAC File URL to Users

If your organization uses Active Directory along with Microsoft Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox, or Opera, you can use Group Policy Objects (GPOs) to distribute a PAC file URL to all Windows (Professional, Enterprise, Education, and Ultimate Editions Only) and Windows Server devices in your organization. When you configure Internet Explorer to use a PAC file, browsers such as Microsoft Edge, Google Chrome, and Opera follow the same configuration. However, Mozilla Firefox requires a separate method of configuration. To distribute a PAC file URL to Firefox browsers using GPOs, download the ADMX templates for Firefox at https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows.

Distributing a PAC File URL To Mozilla Firefox

To distribute a PAC file URL to Mozilla Firefox:

  • Mozilla Firefox does not follow the system proxy configuration like the other browsers do. You must download and install separate Group Policy templates for Firefox to use GPOs to deploy and enforce the PAC file setting.

      1. Log in to a domain-joined Windows 10 client as a user with administrative permissions on the domain.
      2. Open a remote PowerShell session into your domain controller.
      3. Execute the following PowerShell commands:
      Invoke-WebRequest -Uri https://github.com/mozilla/policy-templates/archive/master.zip -OutFile .\master.zip
Expand-Archive -Path .\master.zip -DestinationPath .\master
Copy-Item -Path .\master\policy-templates-master\windows\*.admx -Destination C:\Windows\PolicyDefinitions
Copy-Item -Path .\master\policy-templates-master\windows\en-US\*.adml -Destination C:\Windows\PolicyDefinitions\en-US

      If you are using a Group Policy Central Store, replace the file path in the Destination parameter with that of your Central Store.

      Close
      1. Log in to your domain controller with administrative permissions on the domain.
      2. Open the Start Menu > Windows PowerShell folder. Right-click on Windows PowerShell and select Run as administrator.
      3. Execute the following PowerShell commands:
      Invoke-WebRequest -Uri https://github.com/mozilla/policy-templates/archive/master.zip -OutFile .\master.zip
Expand-Archive -Path .\master.zip -DestinationPath .\master
Copy-Item -Path .\master\policy-templates-master\windows\*.admx -Destination C:\Windows\PolicyDefinitions
Copy-Item -Path .\master\policy-templates-master\windows\en-US\*.adml -Destination C:\Windows\PolicyDefinitions\en-US

      If you are using a Group Policy Central Store, replace the file path in the Destination parameter with that of your Central Store.

      Close
    Close

  • You can use the Group Policy Management Console (GPMC) to create a new GPO for distributing a PAC file URL to the Windows devices in your organization. To access the GPMC on a Windows Server Core, you need a Windows client machine (Professional, Enterprise, Education, and Ultimate Editions Only) that is installed with Remote Server Administration Tools (RSAT).

    Ensure that your client machine is compatible with your server version and has the appropriate administrative permissions on your domain.
    On a Windows Server with Desktop Experience, the GPMC is already installed.

    To create a new GPO:

    1. Open the GPMC.
    2. In the Group Policy management tree, navigate to the forest, domain or organizational unit to which you are applying the GPO.
    3. Right-click on the forest, domain or organizational unit and select Create a GPO in this domain, and Link it here.

    The New GPO window appears.

    1. In the New GPO window, provide a name for the GPO and leave the Source Starter GPO field blank.
    2. Click OK.

    A new GPO is created under your domain or organizational unit.

    1. Right-click on the newly created GPO and then select Link Enabled.

    1. Select your forest, domain or organizational unit and then move the new GPO to Link order 1 under the Linked Group Policy Objects tab.

    It may take up to 20 minutes for the GPO to be replicated to your Windows client machine.

    Close

  • To deploy and enforce the PAC file setting for Mozilla Firefox:

    1. Open the GPMC.
    2. Navigate to the domain or organizational unit to which you applied the GPO and expand it.
    3. Right-click on the newly created GPO and select Edit.
    4. To apply the policy to the entire computer, navigate to Computer Configuration > Policies > Administrative Templates > Mozilla > Firefox.

    1. To apply the policy only for the domain users, navigate to User Configuration > Policies > Administrative Templates > Mozilla > Firefox.

    1. From the Firefox folder, double-click Proxy Settings.

    The Proxy Settings window appears.

    1. Under Proxy Settings, select Enabled.
    2. Under Options, configure the following fields:

    • Don’t allow proxy settings to be changed: Select this option to enforce the PAC file settings.
    • Connection Type: Select Manual proxy configuration to configure your custom proxy settings. To use the proxy configured in your system, choose Use system proxy settings.
    • SOCKS Version: Select SOCKS v5.
    • Automatic proxy configuration URL: Enter the PAC file URL in this field if you selected Manual proxy configuration in the Connection Type field.
    1. Click OK.

    Users can no longer modify the proxy settings in Mozilla Firefox.

    Close

Distributing a PAC File URL To Other Browsers

To distribute a PAC file URL using browsers other than Mozilla Firefox, such as Microsoft Internet Explorer, Microsoft Edge, Google Chrome, or Opera:

  • You can use the GPMC to create a new GPO for distributing a PAC file URL to the Windows devices in your organization. To access GPMC from a Windows server core, you need a Windows client machine (Professional, Enterprise, Education or Ultimate Editions Only) that is installed with Remote Server Administration Tools (RSAT).

    Ensure that your client machine is compatible with your server version and has the appropriate administrative permissions on your domain.
    On a Windows server with Desktop Experience, the GPMC is already installed.

    To create a new GPO:

    1. Open the GPMC.
    2. In the Group Policy management tree, navigate to the forest, domain or organizational unit to which you are applying the GPO.
    3. Right-click on the forest, domain or organizational unit and select Create a GPO in this domain, and Link it here.
      The New GPO window appears.
    4. In the New GPO window, provide a name for the GPO and leave the Source Starter GPO field blank.
    5. Click OK.
    Close

  • To distribute the PAC file URL using the GPO:

    1. Open the GPMC.
    2. Navigate to the domain or organizational unit to which you applied the GPO and expand it.
    3. Right-click on the newly created GPO and select Edit.
    4. Navigate to User Configuration > Preferences > Control Panel Settings.
    5. Right-click on Internet Settings and select New > Internet Explorer 10.

    1. From the Connections tab, click LAN settings.

    1. Enter the PAC file URL in the Address field.

    If you see a red dotted underline in the Address field, ensure to place your cursor in the text box and press the F6 function key. This enables the field and is indicated by a solid green underline.

    1. Click OK.
    2. (Optional) If you want to apply the GPO to the entire computer irrespective of the signed in user:
      1. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer in the GPMC.
      2. From the Internet Explorer folder, double-click Make proxy settings per-machine (rather than per-user).
        The Make proxy settings per-machine (rather than per-user) window appears.
      3. Under Make proxy settings per-machine (rather than per-user), select Enabled and click OK.

    You can use the Group Policy Results wizard to verify the policy settings of the users or computers in the domain.

    Close

  • You can enforce the PAC file setting so that the users in your organization cannot modify it even when logged in as an administrator.

    To enforce the PAC file setting:

    1. Open the GPMC.
    2. Navigate to the domain or organizational unit to which you applied the GPO and expand it.
    3. Right-click on the newly created GPO and select Edit.
    4. To apply the policy to the entire computer, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer.
    5. To apply the policy only for the domain users, navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer.
    6. From the Internet Explorer folder, double-click Disable changing Automatic Configuration settings.

    The Disable changing Automatic Configuration settings window appears.

    1. Under Disable changing Automatic Configuration settings, select Enabled and click OK.

    1. Double-click Prevent changing proxy settings.
      The Prevent changing proxy settings window appears.
    2. Under Prevent changing proxy settings, select Enabled and click OK.

    Users can no longer change the proxy settings.

    Based on your authentication configuration, your users must log in to the service at least once for the service to start protecting their web traffic. If the users log into a captive portal, such as those present on public Wi-Fi networks (e.g. Starbucks and McDonalds), they must close the browser and open it again to reload the PAC file. The browser tries to fetch the PAC file only when there is a PAC URL timeout.

    Close
Related Articles
Writing a PAC FileBest Practices for Writing PAC FilesFirewall Requirements for Using PAC FilesUsing Default PAC Files to Forward Traffic to ZIAUsing Custom PAC Files to Forward Traffic to ZIAForwarding Traffic Based on User's Location Using PAC FilesLoad Balancing for PAC Forwarded TrafficDistributing a PAC File URL to UsersConfiguring Internet Explorer to Use a PAC FileConfiguring Google Chrome to Use a PAC FileConfiguring Mozilla Firefox to Use a PAC FileConfiguring Safari to Use a PAC FileIdentifying the PAC File on a Device Using Browsers