What is a PAC file?

A proxy auto-configuration (PAC) file is a text file that instructs a browser to forward traffic to a proxy server instead of directly to the destination server. It contains JavaScript that specifies the proxy server and, optionally, additional parameters that specify when and under what circumstances the browser forwards traffic to the proxy server. For example, a PAC file can specify on what days of the week or at what hours of the day traffic is sent to a proxy, or for which domains and URLs traffic is not sent to a proxy.
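The following is an added example of such a file, not Zscaler's default PAC file or code from the Zscaler service. It shows a bypass list and a weekday/hour schedule in plain JavaScript; the proxy hostnames, the bypass domains, the schedule and the optional `now` argument are all assumptions made for illustration.

```javascript
// Added example: custom PAC logic. Proxy hosts and domains are placeholders.
var PROXIES = "PROXY proxy1.example.net:8080; PROXY proxy2.example.net:8080";
var BYPASS_DOMAINS = ["intranet.example.com", "example.org"];

// True when host equals the domain or is a subdomain of it. Matching on the
// dot boundary keeps "notexample.org" from being treated as "example.org",
// which a plain substring or suffix test would allow.
function inDomain(host, domain) {
  host = host.toLowerCase();
  if (host === domain) { return true; }
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.indexOf(suffix, host.length - suffix.length) !== -1;
}

// Monday to Friday, 08:00 to 17:59, in the client's local time.
function inBusinessHours(now) {
  var day = now.getDay();    // 0 = Sunday ... 6 = Saturday
  var hour = now.getHours();
  return day >= 1 && day <= 5 && hour >= 8 && hour < 18;
}

// Entry point the browser calls for each request. Browsers pass two
// arguments; the third (hypothetical) one only lets the schedule be tested.
function FindProxyForURL(url, host, now) {
  now = now || new Date();
  // Domains for which traffic is not sent to a proxy.
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (inDomain(host, BYPASS_DOMAINS[i])) { return "DIRECT"; }
  }
  // Schedule rule: outside the configured days and hours, go direct.
  if (!inBusinessHours(now)) { return "DIRECT"; }
  // Primary proxy, then secondary. There is no trailing "; DIRECT", so if
  // both proxies are unreachable the request fails instead of silently
  // leaving the network uninspected.
  return PROXIES;
}
```

Every `DIRECT` branch is traffic that the proxy never sees, so the bypass list and the schedule are the parts of a custom PAC file to review most closely.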

All major browsers support PAC files. Browsers simply require the address of the PAC file so they can fetch the file from the specified address and execute the JavaScript in the file. PAC files can be hosted on a workstation, on an internal web server, or on a server outside the corporate network. The Zscaler service hosts a default PAC file that uses Geo-location technology to forward traffic to the nearest Zscaler Enforcement Node. You can also upload custom PAC files to the Zscaler service.

In the figure below, the URL of the Zscaler default PAC file is configured on the user's browser. So when the user opens the browser, it sends a request for the default PAC file. The Zscaler service uses Geo-location technology to find the ZENs that are closest to the user and inserts their IP addresses in the PAC file that is returned to the browser. The browser follows the instructions in the PAC file and forwards its web traffic to the primary ZEN.

[Figure: Network diagram of the Zscaler PAC file process]

Because it is the browser itself that is configured to retrieve the PAC file and forward traffic accordingly, traffic is forwarded to the Zscaler service, regardless of the user’s network.

Zscaler recommends that organizations use a combination of tunneling, PAC files, Surrogate IP, and Zscaler App to forward traffic to the Zscaler service. If your organization has an internal router, switch, or firewall that supports GRE and its egress port has a static address, Zscaler recommends that you configure a GRE tunnel to forward all outbound traffic from your location to the Zscaler service. If your router or firewall does not support GRE or if you use dynamic IP addresses, you can use an IPsec VPN tunnel instead. Note that IPsec tunnels have additional processing overhead on your equipment, compared to GRE tunnels. Zscaler also recommends that organizations deploy mechanisms such as IP SLA to monitor tunnel health and enable fast failover. In addition to the GRE or IPsec VPN tunnel, Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.

To learn more about how to use PAC files to forward traffic to the Zscaler service, see "How do I use default PAC files to forward traffic?" and "How do I use a custom PAC file to forward traffic?"