Skip navigation

Web Gateway

10 Posts authored by: Jon Scholten Expert
Jon Scholten

Pardon the Construction!

Posted by Jon Scholten Expert Dec 12, 2017

Hi Guru's,

 

Sorry for taking over the main page with document updates. I've been updating the docs with the new logo, as well as cleaning up the formatting. I'm hoping this will make it easier to read the Best Practices.

 

I hope to have most updated by the end of the year, I'll also be updating some of the videos included in the Best Practices.

 

Best Regards,

Jon

Hi Gurus!

 

The Olympics are just around the corner (August 5th - August 21st) and with that comes extra streaming! The Content and Categorization Team has been working on coverage for the past couple weeks to prepare for the event. I'll highlight some of the categories being used for Olympic related sites as well as some ideas you can use in your MWG to handle the traffic.

 

Related Categories

There are a number of categories that the team has been using to categorize the streaming sites related to the Olympics:

  • Streaming Media - Web pages that provide streaming media, or contain software plug-ins for displaying audio and visual data before the entire file has been transmitted.
  • Internet/Radio/TV - Web pages that provide software or access to continuous audio or video broadcasting, such as Internet radio, TV programming, or podcasting.
  • Potential Illegal Software - Web pages, which McAfee believes offer information to potentially 'pirated' or illegally distribute software or electronic media, such as copyrighted music or film, distribution of illegal license key generators, software cracks, and serial numbers.

 

Throughout the Olympics coverage will be added as sites pop up close to or during the event. Streaming Media and Internet/Radio/TV will be used to categorize sites that properly licence the content. Potential Illegal Software will be used to categorize sites which could potentially be hosting the streams illegally (i.e. "Watch for FREE" sites).

 

If you find a site which is not currently categorized, the quickest way is to use TrustedSource.org's URL submission process (sign up for an account to get higher priority).

 

 

Rule Examples

Depending on your organization's policies, you may want to be really restrictive, permissive, or want to play it safe. I'll detail some example rules that you can run with depending on your internal policies. I'm not going to cover the blocking the categories because that's something built into the policy already and can be done by checking some boxes.

 

Auto-Expire Coaching (on Aug 21)

Let's say you want to Coach or Quota users when they visit Streaming Media or Internet/Radio/TV, and you want that to expire on August 21st (when the Olympics end. This assumes Streaming Media is not blocked in your current policy. First, import the Coaching ruleset from the Ruleset Library, then we'll unlock and add a rule inside the top-level Coaching ruleset. The rule will be setup as follows:

      • Name: Apply ruleset from Aug 5th to Aug 21st 2016
      • Criteria: DateTime.ToNumber less than 1470355200 OR DateTime.ToNumber greater than 1471823999
      • Action: Stop Rule Set

 

 

Bandwidth Control for Categories (7.6.2+ -- Direct Proxy)

In 7.6.2, classful bandwidth control was added which allows MWG to prioritize traffic. This allow you to define a maximum bandwidth that certain types of traffic can consume (let's say... URL.Categories equals Streaming Media or Internet/Radio/TV). For more information on implementing Bandwidth Control check out the recently published guide: Web Gateway: Understanding and Configuring Bandwidth Control

 

 

Discussion Thread

If you have any thoughts, alternate ideas, cool rulesets, I've started a discussion thread in the MWG Community: Discussion: Web Protection and The 2016 Olympics

 

 

Content and Categorization Team Projects

Throughout the year the Content and Categorization team is working on proactive projects that are important to customers. They are working on providing accurate coverage for major events that matter to you.

 

Best Regards,

The Web Protection Team

 

References

Hi All!

 

Starting January 1, 2016 most browsers are phasing out trust of certificates signed using SHA1. Any certificates signed after January 1 will be untrusted in some way (it varies based on the browser), certificates signed before are still accepted.

 

With McAfee Web Gateway, it will issue certificates for the sites which are SSL scanned, so the signing date will be after January 1, 2016. To avoid any issues, please ensure that you are not using SHA1 in your SSL scanning settings (use SHA256 instead). If you migrated from older versions to newer versions, this setting will not be updated automatically.

 

This is configured under Policy > Settings > Engines > SSL Client Context with CA in the digest dropdown. Be sure to configure the digest in all settings containers for "SSL Client Context with CA".

 

2016-01-04_120359-2.jpg

 

Firefox actively blocks you from the site, Chrome will display a passive warning in the address bar. Below is a screenshot of the warnings.

 

2016-01-04_120451-2.jpg  2016-01-04_120635-2.jpg

 

If the Certificate Authority used in the McAfee Web Gateway was signed using SHA1, you should consider replacing it soon. At the moment the browsers will only complain if the web server certificate is signed using SHA1. However, the same may happen eventually for CA certs signed using SHA1.

 

For the time being, adjusting the settings above should suffice in avoiding browser errors.

 

Mozilla Firefox Announcement:

https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certi ficates/

 

Google Chrome Announcement:

http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html


Microsoft Announcement:

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforce ment-of-authenticode-code-signing-and-ti…


Best Regards,

Jon

Hi Gurus!

 

It appears that there is a bug in Chrome 47 causing problems with NTLM Authentication.

 

In the mean time it might be best to prevent it from being installed. A fix was mentioned to be ready by Friday, but I'm not clear if that's definitive.

 

Details on the bug can be found here:

Issue 544255 - chromium - Chrome asks for authentication on http sites on squid - An open-source project to help move…

 

A workaround has been discovered! (Dec 4th)

The issue has to do with Chrome receiving the HTTP response, and the HTTP response is too big for it's buffer. So if we reduce the size of the response, Chrome will behave in a better fashion.

 

To reduce the size of the response, we can change the MWG block page which is used for authentication. To do this, navigate to Policy > Settings, and click edit for any of the block templates. On the Template Editor screen, find the "Authentication Required" block page template and remove the contents of this blockpage (at least for now).

 

template.jpg change.jpg

 

Update Dec 8th - Create an empty collection

Some customers reported that the above workaround did not help. If you are using your own custom template collection, we will need to create an empty template collection. This can be done in four steps:

 

1. Create an "empty" template collection by clicking add next to the Collection dropdown, instead of OK and Edit:

 

2015-12-08_095821.jpg

 

 

2. Verify that the "empty" collection is selected:

 

2015-12-08_095952.jpg

 

3. Create an empty "Authentication Required" Template, and click OK:

 

2015-12-08_100331.jpg

 

4. Add a single space to the index template:

 

2015-12-08_101136.jpg

 

 

The only other workarounds would be to disable authentication or enable Kerberos authentication. Here is a link to the guide on setting up Kerberos: Web Gateway: Configuring Kerberos (simplified guide)

 

Best Regards,

Jon

Hi All!

 

With Web Gateway 7.5.x gaining steam it's important to note that it includes a 64-bit AV engine. With this improvement it is recommended to upgrade the RAM in your Web Gateway.

 

At a minimum it is recommended to have 8GB of RAM when Gateway Anti-Malware is used.

 

Minimum requirements for all platforms (virtual and appliance) have been updated in the latest Installation Guide: McAfee KnowledgeBase - Web Gateway 7.5.2 Installation Guide

 

Please check out our guide on for upgrading the memory: How To: Upgrade the memory on your B Model appliance

 

Older KB: Please check out the KB listed below about what kind of memory is supported in our B model appliances (4000B, 4500B, 5000B, 5500B). The KB includes specific memory modules which can be purchased.

McAfee KnowledgeBase - Web Gateway 7.5.0 recommended memory (RAM) upgrade

 

 

Best Regards,

Jon

Jon Scholten

Web Reporter Survey!

Posted by Jon Scholten Expert May 28, 2015

Hi Web Gateway and Web Reporter Gurus,

 

In case you didn't get the McAfee SNS, we're looking for input on Web Reporter.

 

Your input is needed! If you are the administrator of McAfee Web Reporter, we would like you to complete a short survey on how you use the product. The data from this survey will remain confidential to Intel Security and help shape our product investments.

 

If you see this post but do not administrate Web Reporter, please forward this link to your Web Reporter admin.

 

If you use Content Security Reporter, please disregard this request.

 

To begin the survey, go here https://www.surveymonkey.com/r/webreportersurvey, please only take it once!

 

Thank you to those who all participate!

 

Best Regards,

Jon

Hi Web Gateway Gurus!

 

We have a TechTalk this week, join if you can:

 

Snippet from Intel Security SNS Product Digest (May 2015)

 

Thu, May 21 | REGISTER

10am PT / 12pm CT / 1pm ET / 5pm GMT

Support engineers, Darin Shock, Jon Scholten, and Patrick Brickey, will provide insight into several aspects of Web Gateway. During the session, our experts will show and discuss a new ruleset for setting up proactive notifications, review key concepts for Web Hybrid deployments, and cover additional Web Gateway ProTips.

 

Hope you can make it!

 

Best Regards,

Jon

Recently in support we have seen a number of authentication issues caused by Apple's iCloud application, and the Dropbox client.

 

The is that the iCloud application or the Dropbox client will submit erroneous credentials to the proxy (username of None). These credentials are then forwarded by the Web Gateway to the Domain controller and the domain controller will take a long time to process the credentials.

 

dropbox-icloud.jpg

 

-Name: Check Proxy-Authorization Header for Bad Credentials

-Criteria:  Header.Request.Exists("Proxy-Authorization") equals true

  AND Header.Request.Get("Proxy-Authorization") equals "Basic Tm9uZTpOb25l"

-Action: Stop Rule Set

-Event: Set Authentication.UserName = "BadCredentials"

 

Best Regards,

Jon

Current Web Gateway Main: 7.7.2.7

 

Current Web Gateway Controlled: 7.8.0.2

 

Current Web Gateway Cloud Service: 7.8.0.x (highest version supported for sync)

 

Latest McAfee Client Proxy: 2.3.2

 

Release Highlights:

Web Protection

McAfee Web Gateway 7.7.x Release Highlights

McAfee Web Gateway 7.6.x Release Highlights

 

Release notes:

MainControlledMCP

McAfee Web Gateway 7.7.2.7 Release Notes

McAfee Web Gateway 7.7.2.6 Release Notes

McAfee Web Gateway 7.7.2.5 Release Notes

McAfee Web Gateway 7.7.2.4 Release Notes

McAfee Web Gateway 7.7.2.3 Release Notes***

McAfee Web Gateway 7.6.2.17 Release Notes

McAfee Web Gateway 7.6.2.16 Release Notes

McAfee Web Gateway 7.6.2.15 Release Notes

McAfee Web Gateway 7.6.2.14 Release Notes

McAfee Web Gateway 7.6.2.13 Release Notes

McAfee Web Gateway 7.6.2.12 Release Notes

McAfee Web Gateway 7.6.2.11 Release Notes

McAfee Web Gateway 7.6.2.10 Release Notes

McAfee Web Gateway 7.6.2.9 Release Notes

McAfee Web Gateway 7.6.2.8 Release Notes

McAfee Web Gateway 7.6.2.7 Release Notes

McAfee Web Gateway 7.6.2.6 Release Notes

McAfee Web Gateway 7.6.2.5 Release Notes

McAfee Web Gateway 7.6.2.4 Release Notes

McAfee Web Gateway 7.6.2.3 Release Notes

McAfee Web Gateway 7.6.2.2 Release Notes

McAfee Web Gateway 7.6.2.1 Release Notes***

McAfee Web Gateway 7.5.2.13 Release Notes

McAfee Web Gateway 7.5.2.12 Release Notes

McAfee Web Gateway 7.5.2.11 Release Notes

McAfee Web Gateway 7.5.2.10 Release Notes

McAfee Web Gateway 7.5.2.9 Release Notes

McAfee Web Gateway 7.5.2.8 Release Notes

McAfee Web Gateway 7.5.2.7 Release Notes

McAfee Web Gateway 7.5.2.6 Release Notes

McAfee Web Gateway 7.5.2.5 Release Notes

McAfee Web Gateway 7.5.2.4 Release Notes

McAfee Web Gateway 7.5.2.3 Release Notes

McAfee Web Gateway 7.5.2.2 Release Notes***

McAfee Web Gateway 7.4.2.11 Release Notes

McAfee Web Gateway 7.4.2.10 Release Notes

McAfee Web Gateway 7.4.2.9 Release Notes

McAfee Web Gateway 7.4.2.8 Release Notes

McAfee Web Gateway 7.4.2.7 Release Notes

McAfee Web Gateway 7.4.2.6 Release Notes

McAfee Web Gateway 7.4.2.5 Release Notes

McAfee Web Gateway 7.4.2.4 Release Notes

McAfee Web Gateway 7.4.2.3 Release Notes

McAfee Web Gateway 7.4.2.2 Release Notes

McAfee Web Gateway 7.8.0.2 Release Notes

McAfee Web Gateway 7.8.0.1 Release Notes

McAfee Web Gateway 7.8.0.0 Release Notes

McAfee Web Gateway 7.7.2.2 Release Notes

McAfee Web Gateway 7.7.2.1 Release Notes

McAfee Web Gateway 7.7.2.0 Release Notes

McAfee Web Gateway 7.7.1.5 Release Notes

McAfee Web Gateway 7.7.1.4 Release Notes

McAfee Web Gateway 7.7.1.3 Release Notes

McAfee Web Gateway 7.7.1.2 Release Notes

McAfee Web Gateway 7.7.1.1 Release Notes

McAfee Web Gateway 7.7.1.0 Release Notes

McAfee Web Gateway 7.7.0.3 Release Notes

McAfee Web Gateway 7.7.0.2 Release Notes

McAfee Web Gateway 7.7.0.1 Release Notes

McAfee Web Gateway 7.7.0.0 Release Notes

McAfee Web Gateway 7.6.2.0 Release Notes

McAfee Web Gateway 7.6.1.2 Release Notes

McAfee Web Gateway 7.6.1.1 Release Notes

McAfee Web Gateway 7.6.1.0 Release Notes

McAfee Web Gateway 7.6.0.1 Release Notes

McAfee Web Gateway 7.6.0.0 Release Notes

McAfee Web Gateway 7.5.2.1 Release Notes

McAfee Web Gateway 7.5.2.0 Release Notes

McAfee Web Gateway 7.5.1.2 Release Notes

McAfee Web Gateway 7.5.1.1 Release Notes

McAfee Web Gateway 7.5.1.0 Release Notes

McAfee Web Gateway 7.5.0.3 Release Notes

McAfee Web Gateway 7.5.0.2 Release Notes

McAfee Web Gateway 7.5.0.1 Release Notes

McAfee Web Gateway 7.5.0.0 Release Notes

McAfee Web Gateway 7.4.2.1 Release Notes

McAfee Web Gateway 7.4.2.0 Release Notes

McAfee Web Gateway 7.4.1.3 Release Notes

McAfee Web Gateway 7.4.1.2 Release Notes

McAfee Web Gateway 7.4.1.1 Release Notes

McAfee Web Gateway 7.4.1.0 Release Notes

McAfee Web Gateway 7.4.0.1 Release Notes

McAfee Web Gateway 7.4.0.0 Release Notes

McAfee Client Proxy 2.3.2 Release Notes

McAfee Client Proxy 2.3.1 Hotfix 1 Release Notes

McAfee Client Proxy 2.3.1 Release Notes

McAfee Client Proxy 2.3.0 Release Notes

McAfee Client Proxy 2.2.0 Release Notes

McAfee Client Proxy 2.1.3 Release Notes

McAfee Client Proxy 2.1.2 Release Notes

McAfee Client Proxy 2.1.1 Release Notes

McAfee Client Proxy 2.1.0 Release Notes

McAfee Client Proxy 2.0.0 Release Notes

McAfee Client Proxy 1.2.0 Release Notes

***Candidate to take over as latest Main release.

 

7.7.2.3 took over as the main release on Monday, August 14th, 2017.

 

 

Release Process Changeover

It's that time of year! A new main release is coming...

Upgrade Best Practices

Web Gateway: Upgrade Best Practices and Understanding Release Branches

Hi Web Gateway Gurus!

 

It's that time of year where the release cycle changeover will be happening. This mean's that 7.7.2 will take over as the main release! It also means that 7.6.2 will be retired from the main release branch.

 

Here is a good representation of what the McAfee Web Gateway release process looks like:

 

releaseprocess.jpg

 

 

When the changeover happens, what does this mean for me?

 

If you're on 7.7.x already, nothing will happen. You will upgrade as you normally would, and end up on the latest 7.7.x release.

 

If you're on 7.6.x or older, you would end up on the latest 7.7.2 release (unless configured otherwise).

 

 

What if I want to stay on 7.6.2.x?

 

No problem! To stay on the 7.6.2.x branch, you can run the "mwg-switch-repo --sticky 7.6.2" command to remain sticky to that release branch.

 

 

What if I change my mind and decide to upgrade to the latest main release (7.7.2)?

 

Easy! Switch the repository back to the main release with the command "mwg-switch-repo main".

 

 

When is the changeover?

 

The change over typically happens two weeks after the candidate has been released (in this case 7.7.2.3). We will update this post after the changeover occurs. For reference, the 7.6.2.x candidate was released on July 31st, 2016 and 7.6.2.x was push to the main release branch on August 18th, 2016.

 

 

Further Reading

 

Best Practices for upgrading and overview of branches: https://community.mcafee.com/docs/DOC-5036

Explanation of main and controlled releases in Web Gateway: https://kc.mcafee.com/corporate/index?page=content&id=KB77895

 

 

All the best!

Jon

Filter Blog

By date:
By tag: