Forum Discussion
Andi_102219
Nimbostratus
Apr 14, 2011
Kerberos for web proxy clients
Hi folks,
I want to authenticate my web proxy clients with Kerberos as they are using primarily NTLM and that's producing too much overhead in my network and on the DCs.
All the clients are ...
Joel_Moses
Nimbostratus
Apr 14, 2011
I don't know exactly how you're splitting things with GTM (topology or geolocationing), but here's an example of sending out a "customized" PAC file based on an Address datagroup match:
```tcl
when RULE_INIT {
    # Set the contents of the PAC file to be delivered. Setting
    # specific logic here is fine, although the "localized" proxy
    # should be returned using the $selected_proxy variable... this
    # variable will be filled in at the time the file is delivered
    # with the value learned from the DataGroup.
    set static::pacfile {
function FindProxyForURL(url, host) {
    if (isPlainHostName(host))
        return "DIRECT";
    return "$selected_proxy";
}
}
}
when CLIENT_ACCEPTED {
    # Create a DataGroup class called "proxy_regions" and populate it with
    # the IP networks and their proxy value assignments:
    #   "10.0.0.0/8" := "proxy12.ad-domain.net:8080"
    if { [class match [IP::client_addr] eq proxy_regions] } {
        # A PAC return value needs the "PROXY " keyword in front of host:port,
        # so it is prepended to the data group value here.
        set selected_proxy "PROXY [class match -value [IP::client_addr] eq proxy_regions]"
    } else {
        set selected_proxy "DIRECT"
    }
}
when HTTP_REQUEST {
    # Return any request for "proxy.pac" with the determined content and the
    # correct Content-Type.
    switch [string tolower [HTTP::uri]] {
        "/proxy.pac" {
            HTTP::respond 200 content [subst $static::pacfile] "Content-Type" "application/x-ns-proxy-autoconfig" "Pragma" "no-cache"
        }
    }
}
```
The data group created would look a little like this:
Name: proxy_regions
Type: Address
"10.0.0.0/255.0.0.0" := "proxy12.ad-domain.net:8080"
..etc..
"10.10.0.0/255.255.255.0" := "proxy13.ad-domain.net:8080"
So if the user's IP is 10.0.1.13, he'd go via proxy12, but if it was 10.10.0.244, he'd go to proxy13. This works fine for RFC-1918 networks; if you're looking to do the same based on geolocationing and public IP addresses, that'd be possible too -- just use whereis.
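A way to check offline what each client subnet would receive from a rule like the one above. This is an added example, not part of Joel's post. The function names are made up for illustration, the `/24` is the post's 255.255.255.0 mask, and it assumes the most specific matching network wins and that the data group holds bare `host:port` values.

```javascript
// Constructed sample data, mirroring the proxy_regions data group in the post.
const proxyRegions = [
  { cidr: "10.0.0.0/8", proxy: "proxy12.ad-domain.net:8080" },
  { cidr: "10.10.0.0/24", proxy: "proxy13.ad-domain.net:8080" },
];

// Dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// Pick the PAC return value for a client (assumption: longest prefix wins).
function selectProxy(clientIp, regions = proxyRegions) {
  const addr = ipToInt(clientIp);
  let best = null;
  for (const { cidr, proxy } of regions) {
    const [net, len] = cidr.split("/");
    const bits = Number(len);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    const hit = ((addr & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
    if (hit && (!best || bits > best.bits)) best = { bits, proxy };
  }
  if (!best) return "DIRECT";
  // The value is pasted into a quoted string in the PAC, so accept host:port only.
  if (!/^[A-Za-z0-9.-]+:\d{1,5}$/.test(best.proxy)) {
    throw new Error("unexpected proxy value: " + best.proxy);
  }
  return "PROXY " + best.proxy;
}

// Fill the PAC template the way the rule's [subst] call fills $selected_proxy.
function renderPac(clientIp, regions = proxyRegions) {
  return `function FindProxyForURL(url, host) {
  if (isPlainHostName(host))
    return "DIRECT";
  return "${selectProxy(clientIp, regions)}";
}`;
}

// Evaluate a rendered PAC with a stub of the browser-provided isPlainHostName().
function evalPac(pacText, url, host) {
  const isPlainHostName = (h) => !h.includes(".");
  const build = new Function("isPlainHostName", pacText + "\nreturn FindProxyForURL;");
  return build(isPlainHostName)(url, host);
}
```

Running `evalPac(renderPac(ip), url, host)` for one address per subnet before publishing a data group change shows which proxy each region will be told to use.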