Knox PAC Support (Proxy Auto Config)

What is PAC?

PAC (Proxy Auto Config) is a text file that instructs a browser or an app to forward traffic to a certain proxy server, instead of directly to the destination website. It contains JavaScript that specifies the proxy server, and optionally, additional parameters that specify when and under what circumstances a browser forwards traffic to the proxy server.

For example: In a corporate network, an IT manager may enforce employees to type in the URL of the PAC file in the settings menu of their browsers. The browser would then connect to a proxy server first based on the routing logic stated in the PAC file.

*In Internet Explorer, this option can be found under Internet Options > Connection > LAN Settings > Auto Configuration Script 

Why are proxies needed?

Forwarding traffic to a proxy server instead of directly connecting to the destination server protects end devices from potential security threats by hiding their IP address, location, and other personal information. The destination server sees the traffic coming from the proxy server, instead of from the end devices.

Additionally, if an IT department mandates employees to connect to the Internet through proxy servers only, corporate-level and employee-level traffic history can be monitored and tracked from the proxy server. This can reduce network costs by reducing the amount of Internet traffic going in and out of the company. Frequently visited websites and content are stored in the proxy server for immediate delivery to the end devices.

 What's the benefit of PAC?

Large companies, especially in security sensitive industries (i.e. government, financial services, etc.) usually operate multiple proxy servers to balance and categorize traffic load. PAC can enable these large organizations to easily configure the forwarding rules on a single text file for all proxy servers.

The IT department can enforce the same Internet traffic rules for both mobile devices and PC's to better manage their security by white-listing which firewall ports are open or closed.

 How does Knox support Proxy and PAC?

There are two options to enable proxy or PAC function on Samsung devices:

1. Option 1: A user can type the proxy server address or the PAC URL on the settings menu of the device itself.
2. Option 2: An IT manager can seamlessly push the proxy or PAC profile to the device remotely.

To remotely push PAC profiles (Option 2), Knox provides a set of APIs for EMMs to configure proxy and PAC settings remotely through Knox SDK. Each EMM provider needs to develop the feature on their EMM server and client.

 Support for proxy and PAC:

Support for PAC varies by connection type and Knox version:

Global Type:

• Configuring proxy/PAC to all HTTP traffic from device (3G/4G, WiFi, VPN)
• Not able to configure proxy/PAC to traffic from the container or from individual apps

WiFi Type:

• Configuring proxy/PAC to all traffic via WiFi
• Not able to configure from the container or app-level

VPN Type:

• Configuring proxy/PAC to all traffic via VPN
• VPN tunneling from the device and VPN gateway right before reaching the proxy server
• Capable of configuring proxy/PAC to traffic from the container only or from particular apps only

Knox also supports basic and advanced authentication methods for access to proxy servers:

1. Basic Authentication is for a simple ID and password authentication method without any encryption
2. NTLMv1 and v2 are advanced authentication methods which encrypt ID and password information

 Knox feature availability for each proxy and PAC type

	Global	Wi-Fi	VPN
Manual Proxy Setup	v2.5.1	v2.5.1	v2.5.1
Automatic Proxy Setup via PAC	v2.7	v2.5.1	v2.5.1
Basic Authentication	v2.7	v2.7	v2.5.1
NTLMv1 Authentication	v2.7	v2.7	v2.5.1
NTLMv2 Authentication	N/A	N/A	v2.7

*Manual proxy settings for Browser are supported from v1.0. But Chrome browser is not supported from v2.6

Knox PAC is available in our mobile security solution: Knox Platform for Enterprise