Citrix SD-WAN

Dynamic PAC file customization

With the increase in enterprise adoption of mission-critical SaaS applications and distributed workforce, it becomes highly critical to reduce latency and congestion. Latency and congestion are inherent in traditional methods of backhauling traffic through the Data Center. Citrix SD-WAN allows direct internet break out of SaaS applications such as Office 365. For more information, see Office 365 Optimization.

If there are explicit web proxies configured on the enterprise deployment all traffic are steered to the web proxy making it difficult for classification and direct internet breakout. The solution is to exclude SaaS application traffic from getting proxied by customizing the enterprise PAC (Proxy Auto-Config) file.

Citrix SD-WAN 11.0 allows proxy bypass and local Internet breakout for Office 365 application traffic by dynamically generating and serving custom PAC file. PAC file is a JavaScript function that defines whether web browser requests go directly to the destination or to a web proxy server.

How PAC file customization works

Ideally, the enterprise network host PAC file on the internal web server, these proxy settings are distributed via group policy. The Client browser requests for PAC files from the enterprise web server. The Citrix SD-WAN appliance serves the customized PAC files for sites where Office 365 breakout is enabled.

Localized image

  1. Citrix SD-WAN periodically requests and retrieves the latest copy of the enterprise PAC file from the enterprise web server. The Citrix SD-WAN appliance patches office 365 URLs to the enterprise PAC file. The enterprise PAC file is expected to have a placeholder (SD-WAN specific tag) where the Office 365 URLs are seamlessly patched.

  2. The Client browser raises a DNS request for enterprise PAC file host. Citrix SD-WAN intercepts the request for the proxy configuration file FQDN and responds with the Citrix SD-WAN VIP.

  3. The Client browser requests for the PAC file. Citrix SD-WAN appliance serves the patched PAC file locally. The PAC file includes enterprise proxy configuration and Office 365 URL exclusion policies.

  4. On receiving a request for Office 365 application, the Citrix SD-WAN appliance performs a direct internet breakout.

Prerequisites

  1. The enterprises should have a PAC file hosted.

  2. The PAC file should have a placeholder SDWAN_TAG or one occurrence of findproxyforurl function for patching Office 365 URLs.

  3. The PAC file URL should be domain based and not IP based.

  4. The PAC file is served only over the trusted identity VIPs.

  5. Citrix SD-WAN appliance should be able to download enterprise PAC file over its management interface.

Configure PAC file customization

You can enable PAC file customization globally or at site level.

Note

The Office 365 breakout option must be enabled for dynamic PAC file customization. For information on how to enable Office 365 breakout, see Office 365 Optimization.

To configure dynamic PAC file customization globally for all sites, in the configuration editor navigate to Global > Proxy Auto-config settings.

Localized image

Select Enable dynamic PAC file customization. In the PAC file URL field, enter the URL of the enterprise PAC file server. The Office 365 breakout rules are dynamically patched to the enterprise PAC file.

To configure dynamic PAC file customization for a site, navigate to Sites > [Site] > Proxy Auto-config settings. You can also choose to override global PAC file server settings, and specify a different PAC file server URL.

Localized image

Troubleshooting

You can download the customized PAC file from the Citrix SD-WAN appliance for troubleshooting. Navigate to Configuration > Appliance Settings > Logging/Monitoring > Application and click Download.

Localized image

You can also view the PAC file patching status in the Events section, navigate to Configuration > System Maintenance > Diagnostics, click Events tab.

Localized image

Limitations

  • HTTPS PAC file server requests are not supported.

  • Multiple PAC files in a network are not supported, including PAC files for routing domains or security zones.

  • Generating PAC file on Citrix SD-WAN from scratch is not supported.

  • WPAD through DHCP is not supported.

Dynamic PAC file customization