Guides
Secure Access Help Center

Manage PAC Files

Cisco Secure Access provides several client configuration options to manage the web traffic and internet security for the user devices in the organization. You can integrate a proxy auto-config (PAC) file URL for the browsers that you use to reach web resources.

A PAC file is used by browsers to select the correct proxy server that can fetch a requested URL. The browser-based traffic is proxied through the Secure Access secure web gateway (SWG). After you integrate a PAC file on a user device, all traffic that is sent from the browser is redirected to the SWG. Secure Access applies DNS-layer security to browser traffic for non-web resources only, which bypasses the PAC file.

To download the Secure Access PAC file or custom PAC files to user devices, connect to Secure Access on a Registered Network or Network Tunnel. A roaming user device that has the Cisco Secure Client with the Umbrella Roaming security module deployed can also connect to Secure Access and download PAC files. For more information, see Requirements for Downloading PAC Files to User Devices.

Table of Contents

Requirements for Downloading PAC Files to User Devices

To download the Secure Access PAC file or custom PAC files on a user device in the organization, the device must either:

  • Connect to Secure Access on a Registered Network or Network Tunnel, or
  • Deploy the Cisco Secure Client with the Umbrella Roaming Security module on the user device.

Supported Versions of the Secure Client for PAC Files

You must have a version of the Cisco Secure Client that supports the integration of PAC Files. The Secure Access PAC file and custom PAC files integrate with the Cisco Secure Client version 5.1.8.105 and newer. For information about downloading the Cisco Secure Client software packages, see Download Cisco Secure Client.

About Using the Secure Client with PAC Files

  • The Cisco Secure Client sends the username and IP of the user device for authentication to Secure Access. If authenticated, the user device can download the Secure Access PAC file or the organization's custom PAC files.
  • Secure Access PAC file—After you add bypass domains in Secure Access, you can download the Secure Access PAC file that includes the configured bypass domains. Then, when you deploy the Secure Access PAC file on the user device's browser, the browser and the Secure Client support the same bypass domains that are configured in Secure Access.
  • Custom PAC files—Unless you add bypass domains to a custom PAC file manually or create the custom PAC file from the Secure Access PAC file, the custom PAC file does not include the bypass domains that are configured in Secure Access. When you deploy a custom PAC file on the user device's browser, the browser only supports any bypass domains that you add to the custom PAC file.

For information about configuring bypass domains, see Manage Internet Security Bypass.

Managing PAC File Deployments

Integrating the Secure Access PAC file or custom PAC files on the user devices in your organization so that all browser-based traffic is proxied is straightforward. For more information, see:

Note: Microsoft has deprecated PAC file support for the file:// and ftp:// protocols in Windows 10 on Edge. Hosting the PAC file on the local machine with the Edge browser is not supported. For more information, see Windows 10 does not read a PAC file referenced by a file protocol.

We recommend that you bypass these domains in your environment for traffic with TCP on ports 80 and 443:

  • ocsp.int-x3.letsencrypt.org
  • isrg.trustid.ocsp.identrust.com
  • *.opendns.com
  • *.sse.com
  • *.umbrella.com
  • *.okta.com
  • *.oktacdn.com
  • *.pingidentity.com
  • secure.aadcdn.microsoftonline-p.com

Configure Cisco Secure Client Settings < Manage PAC Files > Deploy the Secure Access PAC File for Windows

Updated 8 days ago