Manage Umbrella's PAC File
When configuring Umbrella's secure web gateway (SWG), you have several choices as to how you can send web traffic to Umbrella. One of those choices is to integrate a proxy auto-config (PAC) file URL into the browser that you use to reach destinations.
What is a PAC file?
A proxy auto-config (PAC) file defines the proxy server that a browser must use to fetch a URL.
After you deploy a PAC file in a browser, all traffic from that browser is redirected to Umbrella's secure web proxy. When deploying the SWG with a PAC file, Umbrella DNS policies are not enforced for traffic generated in the web browser. DNS policies apply to non-web browser traffic, which bypasses the PAC file.
To download the Umbrella PAC file or custom PAC files to user devices, connect to Umbrella on a Registered Network or Network Tunnel. A roaming user device that has the Cisco Secure Client with the Umbrella Roaming security module deployed can also connect to Umbrella and download PAC files. For more information, see Requirements for Downloading PAC Files to User Devices.
Table of Contents
- Requirements for Downloading PAC Files to User Devices
- Supported Versions of the Secure Client for PAC Files
- Managing PAC File Deployments
Requirements for Downloading PAC Files to User Devices
To download the Umbrella PAC file or custom PAC files on a user device in the organization, the device must either:
- Connect to Umbrella on a Registered Network or Network Tunnel, or
- Deploy the Cisco Secure Client with the Umbrella Roaming Security module on the user device.
Supported Versions of the Secure Client for PAC Files
You must have a version of the Cisco Secure Client that supports the integration of PAC Files. The Secure Access PAC file and custom PAC files integrate with the Cisco Secure Client version 5.1.8.105 and newer. For information about downloading the Cisco Secure Client software packages, see How to: Download Cisco Secure Client.
Managing PAC File Deployments
You can use the default Umbrella PAC file or custom PAC files. For more information about deploying, customizing, or uploading a PAC file, see:
- Deploy Umbrella's PAC File for Windows
- Deploy Umbrella's PAC File for Mac
- Customize Umbrella's PAC File
- Upload Custom PAC Files to Umbrella
Note: Microsoft has deprecated PAC file support for the file:// and ftp:// protocols in Windows 10 on Edge. Hosting the PAC file on the local machine does not work on the Microsoft Edge browser. For more information, see Windows 10 does not read a PAC file referenced by a file protocol.
To connect efficiently to Umbrella's SWG, allow the following CIDRs in your firewalls over TCP on ports 80 and 443:
- 67.215.64.0/19
- 146.112.0.0/16
- 151.186.0.0/16
- 155.190.0.0/16
- 185.60.84.0/22
- 204.194.232.0/21
- 208.67.216.0/21
- 208.69.32.0/21
We recommend that you bypass the following domains directly to allow all traffic over TCP on ports 80 and 443:
- ocsp.int-x3.letsencrypt.org
- isrg.trustid.ocsp.identrust.com
- *.cisco.com
- *.opendns.com
- *.umbrella.com
- *.okta.com
- *.oktacdn.com
- *.pingidentity.com
- secure.aadcdn.microsoftonline-p.com
Note: When using an SSL-VPN, add the IP address of the VPN head-end to the external domains settings. For more information, see Manage Domains.
Test SSL Decryption < Manage Umbrella's PAC File > Deploy Umbrella's PAC File for Windows
Updated about 14 hours ago