REFERENCE ARCHITECTURE GUIDE FOR ZIA
33©2024 Zscaler, Inc. All rights reserved.
PAC files as an older technology come with several limitations. This is a tool designed before most stations were mobile
and when computer systems generally only had a single network interface. So, Zscaler can only recommend the use of
PAC files where the traffic is all web-based, and no other forwarding option (Zscaler Client Connector, GRE, IPSec, or
dedicated proxy port) is feasible for the device.
Not all applications support PAC files. If you are using native non-web applications that access internet hosts, you
should check with your vendor on support for PAC files.
Custom PAC Files
Starting with the default PAC file found in the ZIA Admin Portal, Zscaler supports the upload of customized PAC files.
However, the creation of PAC files being a legacy technology requires that you spend time testing changes before pushing
them out to user. Additionally, there are tradeoffs to be made between size and speed of execution. The maximum
file size ZIA supports is 256 KB. A long PAC file takes time to parse, and a complex regex to save space can slow down
execution as well.
If you plan to customize your PAC file, Zscaler strongly encourages your JavaScript developers to follow our development
best practices. Your developers should be familiar with these practices before they begin writing code for the PAC file.
The following help documents should be shared with your development team:
● PAC file best practices (hps://help.zscaler.com/zia/best-practices-writing-pac-files)
● Writing a PAC file (hps://help.zscaler.com/zia/writing-pac-file)
In the ZIA Admin Portal, you can and should test the PAC file for syntax issues before saving and deploying. Aer you have
fully tested your PAC file, you can deploy it to your users. When the file is published, it takes effect for all users in your
organization. Zscaler recommends updating your PAC files during maintenance windows when possible.
Always test your PAC file before deploying it to your users, and make sure you have a backup of your previous file.
Using a version control system (VCS) such as Git can help you ensure that you can revert to a known good version
if a mistake is made. You must use a plain text editing tool to edit the files. You should not use word processors
such as Microso Word or Google Docs, as these introduce additional incompatible formaing in their file output.
The final piece of deploying a custom PAC file is obfuscating the URL of the PAC file. Because this file must be made
public for your users’ machines to access, this means anyone who has the URL can access the content. This can contain
information you don’t want to be public. The ZIA Admin Portal generates a URL for your use when you enable Obfuscate
URL. Zscaler strongly recommends enabling Obfuscate URL.
When you enable obfuscation, you need to update your client machines to the new URL location. Until that
occurs, your users use the default system PAC file. This can lead to issues with accessing resources until the client
device is updated with the new URL location.
Learn more about uploading a new PAC file (hps://help.zscaler.com/zia/using-custom-pac-file-forward-traffic-zia).
PAC File Summary
PAC files are a well supported but ultimately limited technology for forwarding traffic from web browsers to the Zscaler
proxy. It is an older technology that has limitations and complexities that you should understand before deploying them.
Zscaler recommends that PAC files only be used when another forwarding option is not usable by the client device.