Forum Discussion
Edge Application Guard Proxy via PAC file
Jeff-678 Hi! The ApplicationGuardContainerProxy GPO is brand new (not in Stable channel yet), so the documentation for it is still being worked on.
For a PAC script, that GPO should be set to something like the following: {"ProxyMode":"pac_script","ProxyPacUrl":"http://example.com/wdag_pac_script.js"} (including the braces).
Note this policy is only if you want a *different* PAC script for WDAG (vs the host). If this policy isn't set, WDAG will pick up and use whatever proxy is configured for the host.
Also, if the PAC script resolves to a proxy, it needs to resolve to a named proxy (not an IP) -- this applies with or without the ApplicationGuardContainerProxy policy configured.
Yes,
I am using your syntax for the GPO: "ProxyMode":"pac_script","ProxyPacUrl":"http://example.com/wdag_pac_script.js"}. When you look at the setting within edge://application-guard-internals#host, it shows {"pac_url" : "http://path-to-pac-file.pac/" }. So the GPO and what Edge shows are slightly different.
Basically, I can't get it to work with this GPO setting for the container only, or with the auto setting to pick up from the host. I am looking for some more logging information to troubleshoot.
It works fine with the old Edge, just not the new Edge (Stable for older GPO settings, and DEV for the ApplicationGuardContainerProxy GPO).
- Scott_Sheehan (Microsoft), May 12, 2020
Jeff-678 Does your PAC script return a proxy by name and not IP (this is a new requirement of the new Edge that didn't apply to Legacy Edge)?
edge://application-guard-internals/#utilities ("Proxy configuration" section) shows the proxy configuration (need to go to this page in WDAG to see what configuration the container is picking up). If it is the configuration you expect, then it is something with the proxy itself.
You can generate a log at edge://net-export, but diagnosing issues from that isn't trivial.
- Jeff-678 (Copper Contributor), May 12, 2020
Scott_Sheehan Ahh, thanks for the info: "this is a new requirement of the new Edge that didn't apply to Legacy Edge".
It was a Zscaler PAC file issue. Zscaler will return the nearest proxy based upon geolocation/etc., but returns it in IP format. Update the PAC file to send the FQDN of the proxy by changing $GATEWAY to $GATEWAY_HOST in the proxy PAC. Looks like it is working based upon initial testing.
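
A check based on the requirement discussed in this thread, as an added example that is not part of the original posts and is not Microsoft or Zscaler code: it evaluates a PAC file for a list of URLs and reports any result that names the proxy by IP literal instead of by hostname. The sample PAC, the test URLs, and the names `findIpLiteralProxies` and `parsePacResult` are constructed for illustration, and only two of the standard PAC helper functions are stubbed.

```javascript
// Added example: flag PAC results that name a proxy by IP literal.
// Run it only on PAC files you administer: the script is evaluated, not sandboxed.

// Minimal stand-ins for the PAC helpers the sample uses (not the full PAC API).
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
};

const IPV4 = /^(\d{1,3}\.){3}\d{1,3}$/;

// Split "PROXY host:port; DIRECT" into entries and extract each proxy host.
function parsePacResult(result) {
  return result.split(";").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [scheme, target = ""] = entry.split(/\s+/);
    // A bracketed target is an IPv6 literal, e.g. [2001:db8::1]:8080
    const v6 = target.match(/^\[([0-9a-fA-F:]+)\]/);
    const host = v6 ? v6[1] : target.replace(/:\d+$/, "");
    return { scheme: scheme.toUpperCase(), host, isIp: Boolean(v6) || IPV4.test(host) };
  });
}

// Evaluate the PAC for each URL and return the entries that use an IP literal.
function findIpLiteralProxies(pacSource, urls) {
  const names = Object.keys(pacHelpers);
  const load = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  const findProxy = load(...names.map((n) => pacHelpers[n]));
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    for (const e of parsePacResult(String(findProxy(url, host)))) {
      if (e.scheme !== "DIRECT" && e.isIp) findings.push({ url, proxy: e.host });
    }
  }
  return findings;
}

// Constructed sample PAC: one branch returns a hostname, the fallback an IP.
const samplePac = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".example.com")) return "PROXY proxy.example.net:8080; DIRECT";
  return "PROXY 192.0.2.10:80; DIRECT";
}`;

console.log(findIpLiteralProxies(samplePac,
  ["http://intranet/", "https://www.example.com/", "https://other.test/"]));
```

Any entry it reports is a PAC branch that the new Edge would not accept under the named-proxy requirement described above.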