Best Practices: Setting up McAfee Client Proxy with Web Gateway

Version 18

     

    Introduction

     

    This document is a guide to deploying the McAfee Client Proxy (MCP). It was written primarily for Web Gateway deployments, but some of the content covers other products that are commonly used alongside it. For those unfamiliar, MCP is an application that is installed on client workstations, either manually or via ePO. MCP forces workstation traffic to the proxies defined in its settings and also forwards user authentication information, which is carried in encrypted HTTP headers with each request.

     

     

    Deployment options

     

    The McAfee Client Proxy can be used in a number of different ways. Below are the most common scenarios for its use.

    MCP always active/redirecting (Web Gateway and SaaS Web Protection)

     

    In this scenario, it is assumed that you have both Web Gateway and SaaS Web Protection. This protects users with the on-premise Web Gateway while they are in the network, and with the Web Protection Service while they are off the network. Note that this scenario also applies if you always want to redirect to your Web Gateway (whether the user is on or off premise) or always want to redirect to SaaS.

    In network: MCP Active

    Outside network: MCP Active

    Network Detection settings: Always redirecting (ePO), Corporate Detection unchecked (SaaS)

     

    MCP redirection only on premise

     

    In this scenario we assume a Web Gateway only deployment: you are not using the SaaS Web Protection Service. MCP is only active when users are in the network, redirecting them to your local Web Gateway. Outside the network, MCP stands down.

    In network: MCP Active

    Outside network: MCP Inactive

    Network Detection settings: Always redirecting (ePO), Corporate Detection unchecked (SaaS)

     

    MCP redirection only off premise

     

    In this scenario we assume that you are using MCP only to redirect users when they are outside your network, for example to make sure that laptop users are still filtered through SaaS Web Protection when they take their laptops home. When users are on premise, they might be filtered by a Web Gateway in your network, but MCP does not redirect them to it.

    In network: MCP Inactive

    Outside network: MCP Active

    Network Detection settings: Redirect network traffic when... (ePO), Corporate Detection checked (SaaS)

     

     

    How MCP Works (Technical Details)

     

    Below is a description of how the McAfee client proxy will check to see whether or not it should be redirecting traffic to the proxies specified in the configuration.

     

    1. Checks if a proxy server can be contacted, working top down through the list until it receives the first response.
    2. Checks if the corporate network can be reached. All servers are contacted at once, to prevent long delays while failing down the list.
    3. Checks if there is a captive portal (common in hotel rooms or Internet cafes) which requires user interaction before Internet access is granted.

     

    Corporate detection / Traffic redirection settings

    Corporate detection (as it is called in SaaS) or Traffic redirection settings (as it is called in ePO) specifies which resources MCP should check to decide whether it should redirect traffic. Typically, if you enable corporate detection, you should specify your ePO server, or another server using a port other than 80 or 443.

    Detection on

    If corporate detection is on, MCP attempts to reach the listed network servers or ports. If MCP is able to reach the specified servers and ports, MCP stands down.

     

    Below screenshots show equal settings between ePO and the SaaS console:

     

    [Screenshots: ePO corporate detection on; SaaS corporate detection on]

     

     

    Detection off

    If corporate detection is off, MCP will always attempt to redirect traffic to the specified proxy servers (assuming all health checks pass).

     

    Below screenshots show equal settings between ePO and the SaaS console:

     

    [Screenshots: ePO corporate detection off; SaaS corporate detection off]

     

     

    Proxy check

    MCP attempts to contact the specified proxy servers to determine whether one is reachable. If no proxy can be reached, MCP stands down.

    Captive check

    In some cases the above health checks can be false positives. For example, users may be accessing the Internet from a hotel room, which often requires a login of some sort. This final check helps make sure that Internet access is valid so that proxy redirection occurs properly.
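    The three checks above combine into a single redirect/stand-down decision. The following added model (not McAfee code) walks the checks in the order the section describes; network conditions come from a constructed NetworkState so it runs offline, the hostnames are placeholders, and treating a detected captive portal as "stand down" is an assumption made here.

```python
"""Added model of the three MCP checks described above; not McAfee code.
Network conditions come from a constructed NetworkState so it runs offline.
Treating a detected captive portal as 'stand down' is an assumption."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field


@dataclass
class NetworkState:
    reachable: set = field(default_factory=set)  # "host:port" endpoints that answer
    captive_portal: bool = False                 # a login page intercepts web access

    def probe(self, endpoint: str) -> bool:
        return endpoint in self.reachable


def first_reachable_proxy(proxies, net):
    """Step 1: try the proxy list top down, stopping at the first response."""
    for proxy in proxies:
        if net.probe(proxy):
            return proxy
    return None


def corporate_network_reachable(servers, net):
    """Step 2: contact every corporate-detection server at once, so one dead
    host does not stall the walk down the list."""
    servers = list(servers)
    if not servers:
        return False
    with ThreadPoolExecutor(max_workers=len(servers)) as pool:
        return any(pool.map(net.probe, servers))


def decide(policy, net):
    """Return 'redirect:<proxy>' or 'standdown:<reason>' for one MCP policy."""
    proxy = first_reachable_proxy(policy["proxies"], net)
    if proxy is None:
        return "standdown:no proxy reachable"
    if policy["corporate_detection"] and corporate_network_reachable(
            policy["corporate_servers"], net):
        return "standdown:corporate network detected"
    if net.captive_portal:  # Step 3: the proxy answer above may be a portal
        return "standdown:captive portal"
    return f"redirect:{proxy}"


# Constructed sample policies; hostnames are placeholders.
ALWAYS_REDIRECT = {   # "always active" / "only on premise" (internal proxies)
    "proxies": ["mwg1.corp.example:9090", "mwg2.corp.example:9090"],
    "corporate_detection": False,
    "corporate_servers": [],
}
OFF_PREMISE_ONLY = {  # "only off premise": stand down when ePO is reachable
    "proxies": ["saas.example:8080"],
    "corporate_detection": True,
    "corporate_servers": ["epo.corp.example:8443"],
}
```

    Note that the "redirection only on premise" scenario needs no corporate detection in this model: off the network the internal proxies fail step 1, so MCP stands down on its own.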

     

     

    Prerequisites

     

    Prior to deploying MCP it is expected that you have the following setup and ready.

     

    Existing Software

      • ePolicy Orchestrator (ePO) 4.6.1+ - Makes it easier to deploy the MCP software (via the McAfee Agent). Optional if you are not deploying with ePO.
      • McAfee Agent - If the McAfee Agent is installed on the workstation, ePO can distribute the MCP software. Optional if you are not deploying with ePO.
      • McAfee SaaS Web Protection - You must be able to access the control console via https://www.mcafeeasap.com/ or https://portal.mcafeesaas.com/; this is where the "shared key" is downloaded. Optional if you are not using the SaaS Web Protection Service.
      • McAfee Web Gateway - You must be able to access the Web Gateway user interface in order to add rules and change settings.
      • Supported workstation to run MCP - See Supported environments for McAfee Client Proxy: https://kc.mcafee.com/corporate/index?page=content&id=KB74182

     

    Files

      • Shared key/Secret key
        • The shared key or secret key is used by MCP to encrypt the authentication information, which is then decrypted by the Web Gateway or SaaS Web Protection Service when it receives a user's request.
        • Where it's obtained:
          • Web Protection Service UI
            • NOTE: If utilizing SaaS Web Protection, the shared key file must be generated from within the Web Protection Service UI, not the Web Gateway UI.
          • Web Gateway UI
        • When it's needed: Depending on your deployment, the shared key file needs to be imported into ePO and/or Web Gateway.
      • McAfee Client Proxy aka MCP (extension and software)
        • Components:
          • Client - Piece that is installed on the client machine
          • Server - Piece that is used on ePO to manage MCP related policies and software
        • Where it's obtained:
        • Why it's needed: To deploy and configure on the client workstations.
      • OPG file (if not using ePO, created in SaaS console): The OPG file is the configuration file for MCP. It tells MCP what proxies to use, as well as other settings.

     

     

    Configuring the Web Protection Service

     

    This section is optional if you do not use the Web Protection Service. For configuring the Web Protection Service all that is required is to obtain the shared key / secret key. This will be used in later steps to configure the MCP policy.

     

    IMPORTANT: If you are configuring the secret key for the first time, make sure you remember the password that you configure.

     

    [Screenshot: shared key in the SaaS console]

     

    Configuring Web Gateway

     

    In Web Gateway we need to import the authentication ruleset and import the secret key (use the same credentials that were used in the Web Protection Service if you have it).

     

    Importing the ruleset

     

    Go to Policy > Rule Sets > Add > Rule Set from Library > [Find "Authentication with McAfee Client Proxy"], import it. Disable it or modify the ruleset criteria to only apply to a specific test workstation.

     

    [Screenshot: Web Gateway rule set library]

     

    Configuring the shared key

     

    Go to Policy > Settings > Engines > Authentication > MCP

     

    If you have the SaaS Web Protection Service, use the Customer ID and Secret Key as specified in the SaaS console. The SaaS Secret Key value goes in the MWG Shared password field.

     

    If you do not have the SaaS Web Protection Service, you can specify any Customer ID and Shared password (e.g. Customer ID=123456). Be sure to remember the credentials you enter; they are used by MCP and MWG to encrypt/decrypt the header information.

     

    [Screenshot: Web Gateway MCP authentication settings]

     

    Further Considerations

     

    Support Doc: Authentication Examples by Deployment Method: https://community.mcafee.com/docs/DOC-4384#jive_content_id_McAfee_Client_Proxy_MCP

     

     

    Configuring ePO and Deploying MCP

     

    Skip this section if you are not using ePO to deploy MCP (read these instead: How to implement McAfee Client Proxy without ePolicy Orchestrator - https://kc.mcafee.com/corporate/index?page=content&id=KB74269, and How to manually load a policy into McAfee Client Proxy - https://kc.mcafee.com/corporate/index?page=content&id=KB75230). Before working with MCP you must deploy the software to the workstations on which you wish to have MCP do its magic.

     

    Installing MCP extensions (ePO Package)

     

    In the MCP download there should be a number of folders: Client, Documentation, and Server. The "Server" folder contains the ePO extension that allows us to manage the MCP software once it's deployed. Without this extension installed, ePO will not know how to manage the MCP software.

     

    To install the extension, log in to ePO, navigate to Menu > Software > Extensions, then click "Install Extension" in the bottom left corner.

     

    [Screenshot: ePO Install Extension]

     

     

    Installing MCP software into the Master Repository

     

    The "Client" folder contains a number of folders; underneath you should find one called "Signed_Package", which contains the software package we need to check in to ePO.

     

    To check in the package, log in to ePO, navigate to Menu > Software > Master Repository, then click "Check In Package" and browse for the file in the "Signed_Package" folder.

     

    [Screenshot: ePO Master Repository check-in]

     

     

    Create a deploy software task for MCP

     

    In order to begin deploying the software, you must have the McAfee Agent installed on the workstations; the agent performs the installation.

     

    In order to install the software to the workstations in your environment, a software task will need to be created. This task can be applied to a group of workstations, or a single workstation.

     

    Log in to ePO, navigate to Menu > System > System Tree.

     

    Select a workstation or group of workstations to apply a task.

     

    Once the workstations are selected, click Actions > Agent > Run Client Task Now; this opens a new dialog (see below).

     

    [Screenshots: ePO deployment task, three steps]

     

     

    Configure MCP Policy

     

    Now that MCP has been deployed to the workstation you can configure a policy for it.

     

    With ePO

     

    Log in to ePO, navigate to Menu > Policy > Policy Catalog, then select "McAfee Client Proxy" from the "Product" dropdown.

     

    [Screenshot: ePO Policy Catalog, McAfee Client Proxy]

     

    Click edit for the "My Default" policy. This will be the policy that is pushed out to the clients.

     

    [Screenshots: ePO MCP policy settings, five pages]

     

    Without ePO (with SaaS Console)

     

    In order to configure the MCP policy within the SaaS console, you must navigate to Web Protection > Policies > McAfee Client Proxy Policies, then click New/Edit to configure a policy for download and use within MCP.

     

    [Screenshots: SaaS console MCP policy settings, five pages]

     

    Deploy MCP Policy

     

    In order for your settings to take effect on MCP you must push them to the client; this is most easily done with ePO.

     

    With ePO

     

    To deploy the policy, you will need the McAfee Agent installed on the workstation as well as the MCP software. Assuming all of the prerequisites are met, then it is just a matter of waking up the agents.

     

    [Screenshots: ePO policy deployment, agent wake-up]

     

     

    The MCP policy file should now be on the workstation, and the configuration should be active. To verify, you can check the McAfee Agent page or the registry:

     

    [Screenshots: McAfee Agent About page; registry view]

     

    Without ePO

     

    To deploy the policy without ePO check out the KB article on the matter: How to manually load a policy into McAfee Client Proxy - https://kc.mcafee.com/corporate/index?page=content&id=KB75230

     

     

    Troubleshooting

     

    Below is a list of common items that you may want to check for when using MCP.

     

    Checking policy version

    It is always a good idea to check the policy version in ePO and make sure it is the same version that is on the client. If the client is not receiving the most up-to-date policy file, users could be directed to old proxies, or bypasses may not take effect as expected.

    In ePO

    To check the version information in ePO, navigate to the MCP policy: Menu > Policy > Policy Catalog, select "McAfee Client Proxy" from the "Product" dropdown, then select your policy. In the bottom left corner there is an "Actions" button, which lets you export the policy or view its version. See screenshots below:

     

    [Screenshots: ePO policy version]

     

    On the client

    Once you have checked the policy version in ePO, you should check the version on the client. This can be done in the McAfee Agent about page, or from the registry. See screenshots below:

     

    [Screenshots: McAfee Agent About page; registry view]

     

    How to view McAfee Client Proxy Status without the McAfee Agent - https://kc.mcafee.com/corporate/index?page=content&id=KB75223

     

    Log locations

     

    # MCP Log Files:
    -Mcp.log (McAfee Client Proxy main log file):
       %ALLUSERSPROFILE%\McAfee\MCP\Logs (WinXP/Vista/Win7)
       C:\Documents and settings\All Users\Application Data\McAfee\MCP\Logs (WinXP)
       C:\ProgramData\McAfee\MCP\Logs (Vista/Win7)
    
    -Mcp.log.1 (McAfee Client Proxy rollover log file):
       %ALLUSERSPROFILE%\McAfee\MCP\Logs (WinXP/Vista/Win7)
       C:\Documents and settings\All Users\Application Data\McAfee\MCP\Logs (WinXP)
       C:\ProgramData\McAfee\MCP\Logs (Vista/Win7)
    
    # MCP Policy Files (from client and ePO):
    -MCPPolicy.opg (Current policy file (protected by access protection))
       %ALLUSERSPROFILE%\McAfee\MCP\Policy (WinXP/Vista/Win7)
       C:\Documents and settings\All Users\Application Data\McAfee\MCP\Policy (WinXP)
       C:\ProgramData\McAfee\MCP\Policy (Vista/Win7)
    -MCPPolicy.opg (Temporary policy file (protected by access protection))
       %ALLUSERSPROFILE%\McAfee\MCP\Policy\Temp (WinXP/Vista/Win7)
       C:\Documents and settings\All Users\Application Data\McAfee\MCP\Policy\Temp (WinXP)
       C:\ProgramData\McAfee\MCP\Policy\Temp (Vista/Win7)
      

     

    McAfee Client Proxy sends group information to the proxy it is communicating with. In some cases a user may be a member of a large number of groups (which are not important for web filtering), or MCP may not be able to determine the groups at all.

     

    Group inclusion/exclusion

    MCP has options to include important groups, or discard insignificant groups. This is configured in the "Client Configuration" section of the policy.

     

    Some companies create special group memberships which grant specific types of access to the Internet. So if "jsmith" is a member of "Internet Relaxed Users", he receives different filtering from "jdoe", who is a member of "Internet Strict Users".

     

    To check the groups of a user one can run the command "whoami /groups" or "gpresult /R /SCOPE USER":

     

    >whoami /groups
    
    GROUP INFORMATION
    -----------------
    
    Group Name
    ============================================
    Everyone
    BUILTIN\Administrators
    BUILTIN\Users
    BUILTIN\Certificate Service DCOM Access
    BUILTIN\Pre-Windows 2000 Compatible Access
    NT AUTHORITY\REMOTE INTERACTIVE LOGON
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    LOCAL
    VEGAS\Internet Relaxed Users <------------- INTERESTED GROUP
    VEGAS\Group Policy Creator Owners
    VEGAS\Domain Admins
    VEGAS\Enterprise Admins
    VEGAS\Schema Admins
    VEGAS\Denied RODC Password Replication Group
    
     

     

     

    The below screenshot shows an example of inclusion, whereby we instruct MCP to only send groups which start with "VEGAS\Internet", using the regular expression "VEGAS\\Internet.*" in the filter.

     

    [Screenshot: group inclusion filter]

     

     

    The below screenshot shows an example of exclusion, whereby we instruct MCP to discard groups which start with "BUILTIN\", "NT AUTHORITY\", and "LOCAL", using the regular expressions of "BUILTIN\\.*", "NT AUTHORITY\\.*", and "LOCAL" in the filter.

     

    [Screenshot: group exclusion filter]
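    The following added example (not McAfee code) applies the two filter sets from the screenshots to the whoami /groups listing above, so you can see exactly which groups MCP would forward in each mode. The group list is a constructed subset of the listing, and treating each filter as an anchored match over the whole group name is an assumption made here; MCP's own regex engine may differ in details.

```python
"""Added illustration of MCP group inclusion/exclusion filters applied to the
whoami /groups listing above; not McAfee code.  Treating each filter as an
anchored match over the whole group name is an assumption for this example."""
import re

# Constructed subset of the "Group Name" column from the listing above.
WHOAMI_GROUPS = """
Everyone
BUILTIN\\Administrators
BUILTIN\\Users
NT AUTHORITY\\INTERACTIVE
NT AUTHORITY\\Authenticated Users
LOCAL
VEGAS\\Internet Relaxed Users
VEGAS\\Domain Admins
"""

# Patterns as the screenshots describe them: the backslash separating the
# domain from the group name is itself escaped, since it is a regex metachar.
INCLUDE_INTERNET_GROUPS = [r"VEGAS\\Internet.*"]
EXCLUDE_LOCAL_NOISE = [r"BUILTIN\\.*", r"NT AUTHORITY\\.*", "LOCAL"]


def parse_groups(text):
    """Return the non-empty group names, one per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def _matches_any(group, patterns):
    return any(re.fullmatch(p, group) for p in patterns)


def include_only(groups, patterns):
    """Inclusion mode: forward only the groups that match a pattern."""
    return [g for g in groups if _matches_any(g, patterns)]


def exclude(groups, patterns):
    """Exclusion mode: forward everything except the groups that match."""
    return [g for g in groups if not _matches_any(g, patterns)]


def pattern_is_valid(pattern):
    """Check that a filter compiles.  Forgetting to escape the domain separator
    (a single backslash before the group name) is a bad escape for Python's re;
    MCP's own engine may or may not reject it."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False
```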

     

     

    Groups are not sent by MCP

     

    As stated, MCP forwards group membership information to the proxies configured in the policy. If the user has not logged into the corporate network recently, MCP may not be able to resolve the user's group memberships. This causes problems for the relying proxy if it filters based on group membership.

     

    To resolve this, one must perform a group lookup based on the username given by MCP. See the following modified MCP ruleset from Support Doc: Authentication Examples by Deployment Method.

     

    For more information see: Web Gateway: Unable to filter on Active Directory groups after Client Proxy user disconnects from domain - https://kc.mcafee.com/corporate/index?page=content&id=KB76909

     

     

    Conclusion

     

    By reading this article you should now understand the use cases for MCP, how to deploy and configure the policy, and how to troubleshoot MCP.

     

     

    Changelog

     

    2015-01-09 - Updated groups section to include notes about group inclusion/exclusion.

    2014-12-30 - Modified "further considerations" text. Added references to group membership lookup ruleset from authentication examples by deployment guide.

    2013-06-26 - Initial release.