How do I distribute the PAC file URL to my users?


How do I distribute the PAC file URL to my users?

If your organization uses Active Directory and Internet Explorer, Google Chrome, Safari or Firefox, you can use the Active Directory Group Policy Object (GPO) feature to distribute the PAC file URL to all devices in your organization. When you configure Internet Explorer to use a PAC file, Google Chrome, Opera, and Safari use the same PAC file configuration as well. Firefox requires a separate configuration. To use GPO to distribute the PAC file URL to Firefox browsers, use FirefoxADM, which can be downloaded from the repository SourceForge: http://sourceforge.net/projects/firefoxadm.

Using GPO to Deploy PAC Files

The following procedure describes how to create a new GPO to distribute a PAC file URL to devices in your organization. It assumes that the Group Policy Management Console (GPMC) is installed. For information on Active Directory GPO and GPMC, refer to the Windows Active Directory and GPMC documentation.

To create a new GPO and distribute the PAC file URL:

  1. Log in to the Active Directory server as the Administrator.
  2. Open the GPMC.
  3. In the Group Policy management tree, navigate to the domain or Organization Unit to which you are applying the GPO.
  4. Right-click the domain or OU and select Create a GPO in this domain, and Link it here….
  5. In the New GPO dialog, enter a name and leave the Source Starter GPO field blank.
  6. Click OK to exit the dialog box.
  7. Expand the Group Policy Objects item, select the newly created GPO, right-click and select Edit.
  8. Depending on whether you are applying the GPO to computers or users, expand either Computer Configuration or User Configuration.  
  9. Navigate to Policies > Windows Settings > Internet Explorer Maintenance > Connection, and then double-click Automatic Browser Configuration.
  10. In the Automatic Browser Configuration dialog, do the following and click OK:
    • Select Enable Automatic Configuration.
    • In the Automatic proxy URL field, enter the URL of the PAC file.

In the following figure, the Zscaler default PAC file is specified.

You can use the Group Policy Results wizard to verify the policy settings of the users or computers in the domain.

Using GPO to Enforce the PAC File Setting

Using GPO to Enforce the PAC File Setting

Additionally, you can enforce the PAC File setting so your users will not be able to change it even when they're logged in as Administrator.

To enforce the PAC file setting:

  1. Open the GPMC.
  2. In the Group Policy management tree, navigate to the domain or Organization Unit to which you applied the GPO.
  3. Expand the Group Policy Objects item, select the newly created GPO, right-click and select Edit.
  4. Go to User Configuration > Policies > Administrative Template > Windows Components > Internet Explorer.
  5. From the list of settings on the right panel double-click Disable changing Automatic Configuration settings, as shown in the figure below.

  1. When the dialog appears, click Enabled and OK.

  1. From the list of settings on the right panel, double-click Disable changing proxy settings, and when its dialog appears, click Enabled and OK.

The user will not be able to change the proxy setting as shown below.

Depending on your authentication configuration, your users will have to log in to the service at least once before the service can start protecting their web traffic. Note that if a user logs into a captive portal, such as Starbucks or MacDonald’s, the user must close the browser and open it again to reload the PAC file. The browser tries to fetch the PAC file only when there is a PAC URL timeout.