If after updating your iOS-based device to iOS 10.2, the proxy.pac proxy settings are no longer enforced, leaving users going directly to the Internet rather than being filtered, you need to re-enforce proxy settings on your iOS devices.
iOS 10.2 now requires the proxy.pac file to be served over HTTPS. If you use the auto-configuration URL over HTTP, this redirects to HTTPS on port 443, which is not where the proxy.pac file is hosted.
Additionally, the root Certificate Authority (CA) must be installed in the device's certificate store before the device downloads the proxy.pac file.
Procedure
- Export the certificate that is being used for User-facing HTTPS services. Ensure you select Certificate when exporting, not Certificate and chain, as iOS devices cannot import p7b files.
  - If you are using Dynamic certificates, export the root CA instead.
- Email the certificate to the device for manual installation or deploy the certificate using an Apple MDM system.
- Configure the Devices' Wireless Settings:
  - The URL of the proxy.pac file you enter into the device's wireless settings should be in the format as follows. If you still get certificate errors, the certificate downloaded might not have the IP address of the Smoothwall listed as an alternative name:
    - If using the fully qualified domain name (FQDN) for the URL:
      https://<FQDN_of_the_Smoothwall>:442/proxy.pac
    - If using the IP address for the URL:
      https://<IP_address_of_the_Smoothwall>:442/proxy.pac
The Smoothwall is set to identify itself by its IP address by default, but if this is not the case:
- Change from hostname to IP address. See our help topic, Changing the system's host name and how it identifies itself to the network.
- Download the certificate for User-facing HTTPS services again.
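One way to check a proxy.pac URL against the certificate before entering it on devices, as an added example that is not Smoothwall's own tooling. The function names, sample hostname and sample address are constructed, and the check assumes IP addresses are matched only against IP Address alternative names, as standard TLS verification does.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

PAC_PORT = 442  # port used in the proxy.pac URLs on this page


def check_pac_url(pac_url, cert):
    """Return a list of problems; empty means URL and certificate agree.
    cert is a dict in the shape returned by ssl.SSLSocket.getpeercert()."""
    problems = []
    url = urlsplit(pac_url)
    if url.scheme != "https":
        problems.append("URL is not HTTPS")
    if url.port != PAC_PORT:
        problems.append(f"URL port is {url.port}, expected {PAC_PORT}")
    host = (url.hostname or "").lower()
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # URL uses an IP address: only 'IP Address' SAN entries can match it.
        san_ips = {ipaddress.ip_address(v) for k, v in sans if k == "IP Address"}
        if ip not in san_ips:
            problems.append(f"certificate has no IP Address alternative name for {ip}")
    else:
        # URL uses a name: compare with 'DNS' entries (exact match, no wildcards).
        names = {v.lower() for k, v in sans if k == "DNS"}
        if host not in names:
            problems.append(f"certificate has no DNS alternative name for {host}")
    return problems


def fetch_cert(host, port=PAC_PORT, cafile=None):
    """Fetch the server certificate, validating the chain against the exported CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name matching is reported by check_pac_url instead
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a certificate issued for the hostname only.
SAMPLE_CERT = {"subjectAltName": (("DNS", "smoothwall.example.test"),)}
```

Against a live system, pass the result of `fetch_cert()` (with `cafile` pointing at the exported certificate in PEM form) to `check_pac_url()` in place of the sample.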