Scenario 1 – no captive portal
In this scenario, the user is not required to complete a network enrollment or payment page when accessing the Internet. The roaming user’s browser is configured with the standard PAC file on port 8082.
- The user requests www.google.de.
- The browser first requests the PAC file from webdefence.global.blackspider.com over port 8082. One of the following may apply:
- If the firewall of the hotel does not block port 8082, then the browser will obtain the PAC file. The user will get the “You are connecting from an unrecognized location” logon page. Once they log on, the appropriate policy is applied.
- If the firewall of the hotel blocks port 8082, then the browser will not be able to obtain the PAC file.
The browser will continue to try to obtain the PAC file over port 8082 until it times out. (By default, Internet Explorer will time out after 20 seconds.)
Once the browser times out trying to obtain the PAC file, it will then attempt to follow the proxy server setting, if configured.
If this is blank, the browser will connect via port 80.
The hotel firewall does not block port 80, so the roaming user will connect to www.google.de over port 80.
As such the user will be connecting to the Internet directly, instead of via the cloud service – the browser is not using the PAC file to direct traffic to the cloud proxy. No policy enforcement will be applied. The user will not be able to use the cloud service, as port 8082 is blocked.
For guidance on resolving this issue for roaming users, see the recommendations detailed in the section Recommendations for roaming users.