cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Edge Application Guard Proxy via PAC file

Jeff-678
Copper Contributor

‎May 12 2020 07:53 AM

‎May 12 2020 07:53 AM

Edge Application Guard Proxy via PAC file

Looking for some more docs/help on WDAG setting for Edge. I can't get application guard to utilize my proxy PAC file for edge chromium. The old Edge will detect and use the PAC file when in application guard mode.  

 

When you look at edge://application-guard-internals#host it shows it using a PAC file :

 {"pac_url" : "http://path-to-pac-file.pac" }

 

This is with version of edge 84 or higher and the GPO only applies to this version+ of edge to get the GPO settings in the admx file  : computer settings->admin settings>-edge->Application Gaurd.  This should set the proxy just for the application guard container.     I have also tired with the network isloation settings with ip literal address (confusing wording they used), and also auto settings and it appears not to use the pac file. 

 

If it help i am using Zscaler as my proxy. 

 

Is there any other log file anywhere for the application guard container. 

 

Has anyone else got a pac file to work in application guard container for chromium edge.  Can i see what GPO settings you have. 

5,818 Views
0 Likes
5 Replies
Reply
5 Replies
Scott_Sheehan

‎May 12 2020 08:41 AM

‎May 12 2020 08:41 AM

Re: Edge Application Guard Proxy via PAC file

@Jeff-678 Hi! The ApplicationGuardContainerProxy GPO is brand new (not in Stable channel yet), so the documentation for it is still being worked on.

 

For a PAC script, that GPO should be set to something like the following: {"ProxyMode":"pac_script","ProxyPacUrl":"http://example.com/wdag_pac_script.js"} (including the braces).

 

Note this policy is only if you want a *different* PAC script for WDAG (vs the host). If this policy isn't set, WDAG will pick up and use whatever proxy is configured for the host.

 

Also, if the PAC script resolves to a proxy, it needs to resolve to a named proxy (not an IP) -- this applies with or without the ApplicationGuardContainerProxy policy configured.

0 Likes
Reply
Jeff-678

‎May 12 2020 08:50 AM

‎May 12 2020 08:50 AM

Re: Edge Application Guard Proxy via PAC file

@Scott_Sheehan 

 

Yes,

  I have have that Syntax in my GPO "{"ProxyMode":"pac_script","ProxyPacUrl":"http://example.com/wdag_pac_script.js"} 

 

When you look at edge://application-guard-internals#host it shows it using a PAC file :

 {"pac_url" : "http://path-to-pac-file.pac" }      

 

They should clean this up so it show the same Syntax in both places.  

 

 

 I understand this GPO is only if you don't want to pass the host proxy settings. I would be fine pass the host settings, but it doesn't seem to work. And this GPO doesn't seem to work, even though it shows the proxy in the edge://application-guard-internals#host. 

 

There is something going wrong and i need more log insight?

 

 

 

 

 

0 Likes
Reply
Jeff-678

‎May 12 2020 09:02 AM

‎May 12 2020 09:02 AM

Re: Edge Application Guard Proxy via PAC file

@Scott_Sheehan 

 

Yes, 

   I am using your syntax for GPO. "ProxyMode":"pac_script","ProxyPacUrl":"http://example.com/wdag_pac_script.js"}.  When you look at the setting within the edge://application-guard-internals#host it shows  {"pac_url" : "http://path-to-pac-file.pac" }.   So the GPO and what edge shows is slightly different. 

 

Basically ,  I can't get it to work with this GPO settings for container only, or use auto setting to pick up from host.   I am looking for some type of more logging information to troubleshoot.  

 

It Works fine with the old edge, just not the new edge ( Stable for older GPO settings, and DEV, for the ApplicationGuardContainerProxy GPO)

 

0 Likes
Reply
Scott_Sheehan

‎May 12 2020 09:12 AM

‎May 12 2020 09:12 AM

Re: Edge Application Guard Proxy via PAC file

@Jeff-678 Does your PAC script return a proxy by name and not IP (this is a new requirement of the new Edge that didn't apply to Legacy Edge)?

 

edge://application-guard-internals/#utilities ("Proxy configuration" section) shows the proxy configuration (need to go to this page in WDAG to see what configuration the container is picking up). If it is the configuration you expect, then it is something with the proxy itself.

 

You can generate a log at edge://net-export, but diagnosing issues from that isn't trivial.

0 Likes
Reply
Jeff-678

‎May 12 2020 10:45 AM

‎May 12 2020 10:45 AM

Re: Edge Application Guard Proxy via PAC file

@Scott_Sheehan   ahh, Thanks for the info "this is a new requirement of the new Edge that didn't apply to Legacy Edge)"  

It was a Zscaler PAC file issue. Zscaler will return the nearest proxy based upon geolocation/etc, but returns in IP format.   Update the PAC file to send FNDN proxy by changing the $GATEWAY to $GATEWAY_HOST in proxy PAC.    Looks like it is working based upon initial testing. 

1 Like
Reply