We do have isInNet() in use. The problem is that staff can log onto both staff & student wired subnets, where students can only log onto student wired subnets. At elementary sites, this happens all the time, and if a staff member was determined by the IP they come from, they could not use YouTube as needed--it would send them to the proxy for whitelist only (or not allow it at all). At secondary (grades 6 to 12), staff logging onto student wired IPs is not allowed in general, but is available in certain specially IP addressed student labs where trainings happen at regular intervals. Cutting those ranges out would be possible, but would make the pac file extremely long, and it doesn't fix the elementary issue (they are normally summarized in a larger range for student addresses).
So in other words, knowing the IP they come from isn't enough for us to know who it is in our current setup. We have to be able to assign that by actual users, which is why we're using two .pac files. Our network admin had tossed in the alerting as well so we could see when things were working, and that was very useful. BTW, we couldn't get it to work on Win8.1 machines with IE 11--do you know of a way, or is it just IE 11?

They are discussing transparent proxy and looking at various appliances, but money for what is needed doesn't come in until next year (after September), assuming it can be afforded. I'm sure it will eventually happen though--too many exceptions for cloud-based apps & sites (like iTunes). A lot of things have been changing rapidly as we passed a bond last year to deploy district-wide wireless, and that is still being installed. Prior to the bond, wireless availability was very limited and only set up & locked for specific systems (such as POS stations on carts for serving breakfast & lunch).

Thanks for all the tips, tricks, and ideas! I'm just glad we can make it work now with Java, and we need to get upgraded anyway, so this is pushing that.

-B

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Joseph L. Casale
Sent: Thursday, April 23, 2015 5:52 AM
To: '[email protected]'
Subject: RE: [NTSysADM] RE: Java and proxy.pac

> Over the years, it's a pain as staff have to toggle proxy off when
> they take devices like laptops home, as well as modify multiple policies when
> adding a new bypass setting.

I mitigate this with isInNet(). The ruleset makes the distinction for the user. I distribute proxy settings via dhcp/dns and when a remote vpn user without their gateway redirected acquires an ip on their tunnel interface, their browser would otherwise redirect without this.

> then the kids take it off on purpose and complain it doesn't work to
> get out of classwork

Lol, no matter what you do, someone will find a way, however a transparent proxy could help this. Kids...

> We need two separate sets of settings for one DNS domain, so wpad
> publishing just isn't the best option for us.

Well, obviously I don't know your environment as well as you, however I would suggest revisiting the plethora of potential rulesets you can set up in the pac file, you may just be surprised at what you can automate which would greatly simplify things imho.

When I am testing changes or complex rulesets, if the control flow isn't obvious I'll throw in alert() calls then as the browser is processing the ruleset, message boxes appear.

jlc
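Added example, not part of the thread: a PAC ruleset of the kind discussed above, in which isInNet() sends on-network clients to the proxy and off-network clients (a laptop at home) direct, with alert() calls tracing which rule fired. The subnet, domain and proxy address are constructed placeholders and the helper shims exist only so the file runs under Node; the ruleset does not tell staff from students, which the thread notes an IP address alone cannot do.

```javascript
// Shims for helpers that a browser's PAC engine normally provides, so the
// ruleset can be exercised under Node. All addresses below are constructed.
const trace = [];                 // alert() output lands here, not in message boxes
let clientIp = "10.20.5.17";      // stands in for the address myIpAddress() reports
function alert(msg) { trace.push(msg); }
function myIpAddress() { return clientIp; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function ipToInt(ip) {
  return ip.split(".").reduce((n, o) => ((n << 8) | (parseInt(o, 10) & 255)) >>> 0, 0);
}
function isInNet(host, pattern, mask) {
  // A real PAC engine resolves host names first; this shim takes dotted quads only.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// The PAC ruleset itself (hypothetical district.example network).
function FindProxyForURL(url, host) {
  var ip = myIpAddress();
  // Internal names never go through the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".district.example")) {
    alert("rule 1: internal host " + host + " -> DIRECT");
    return "DIRECT";
  }
  // On the campus range: send web traffic to the filtering proxy.
  if (isInNet(ip, "10.20.0.0", "255.255.0.0")) {
    alert("rule 2: " + ip + " is on-network -> proxy");
    return "PROXY 10.1.1.10:8080";
  }
  // Anything else (home network, VPN tunnel without a redirected gateway).
  alert("rule 3: " + ip + " is off-network -> DIRECT");
  return "DIRECT";
}
```

In a deployed PAC file only FindProxyForURL is kept, and the alert() lines come out once the control flow is confirmed.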
