Web Gateway Cloud Service: Deploying and managing McAfee Client Proxy with ePO Cloud

Version 4

     

    Introduction

    McAfee Client Proxy (MCP) is software which will help protect your endpoints by redirecting web traffic to proxies of your choosing. MCP is compatible with both Windows and Mac. This guide is written to assist you in deploying MCP for use with the Web Gateway Cloud Service and managed from ePO Cloud. This guide is based off of the previous version, found here: Best Practices: Setting up McAfee Client Proxy with Web Gateway.

     

     

    Video Walkthrough

    Here is a quick video end to end demo of what's explained in this guide (9 minutes). The video walks you through MCP policy creation, ePO Cloud deployment creation, installation & Web Gateway Cloud Service user experience.

     

     

    If you have problems watching the video, it can be downloaded here.

     

     

    How MCP Works

    McAfee Client Proxy performs a number of checks to determine whether or not is should be redirecting web traffic. Below is a summary of the checks depending on the configuration.

    1. Checks if a proxy server can be contacted, top down until it receives first response.
    2. If "Always redirect" is enabled, check if the corporate network assets can be reached. All servers are contacted at once, to prevent any long delays failing down the list.
    3. Check for a captive portal, commonly used in hotels, airports, or internet cafes. If a captive portal is detected MCP stands down, allowing the user to accept the terms of service.

     

     

    Configure MCP policy in ePO Cloud

    From ePO Cloud we must configure an MCP policy before we deploy the software. ePO Cloud can be found at https://manage.mcafee.com.

     

    Define your proxy

    MCP redirects web traffic to the Web Gateway Cloud Service, so we need to define the proxy. You will likely be using some variation of cXXXXXXX.saasprotection.com on port 8080.

     

     

    Order based preference

    Order based preference is typically used by on-premise deployments where you want MCP to follow the list 100% of the time.

     

    Example proxies list: proxy.tangomark.com:9090 (my local proxy), c111111111.saasprotection.com:8080 (Web Gateway Cloud Service proxy)

     

    Response time based preference

    Response time based preference is typically used by cloud only deployments where you have specified multiple cloud proxies and simply want the fastest one to be used:

     

    Example proxies list: de.c111111111.saasprotection.com:8080 (home country Web Gateway Cloud Service proxy), eu.c111111111.saasprotection.com:8080 (regional Web Gateway Cloud Service proxy), c111111111.saasprotection.com:8080 (Web Gateway Cloud Service proxy)

     

     

    Shared password

    Under Client Configuration, a password is shared between MCP and the Web Gateway Cloud Service because MCP encrypts information which the Web Gateway Cloud Service will decrypt.

     

    IMPORTANT: If you are configuring the shared password for the first time, generate a strong password and store it in a password manager.

     

     

     

    Traffic redirection options

    McAfee Client Proxy is configured to "stand up" (i.e. redirect web traffic) when the right circumstances are met. There are two modes found in the MCP Policy under Client Configuration:

     

     

    "Redirect when"

    Using the "Redirect when" option, means MCP will stand down when in your corporate network, but stand up when we fail to detect corporate assets AND the defined proxies are reachable.

     

    "Always redirect"

    Using the "Always redirect" option, means that MCP will always stand up if the proxy is reachable. Corporate Network Detection and Corporate VPN Detection options do no apply when "Always redirect" is enabled.

     

     

    Groups Filter

    McAfee Client Proxy sends group information to the defined proxies. As such, MCP has the ability to filter the groups which are sent to the Cloud. This is useful when you are only interested in internet access related groups. In the example below we're filtering for any groups in the domain "tangomark" where the group name starts with the word "internet". The resulting filter is "tangomark\\internet.*".

     

     

    Bypass list

    Bypasses can be configured in MCP so that traffic destined for certain domains, IPs, or ports may be exempted. You can also configure bypasses based on the process name.

     

     

    Deploy MCP

    To deploy McAfee Client Proxy from ePO Cloud we must create a deployment.

     

    This can be done from the main menu in ePO Cloud under Software > Getting Started, then click "Customize Installation".

     

     

     

    On the "Customize Software Installation" page, chose the software you want deployed. For the example, we're only concerned about deploying McAfee Client Proxy. The McAfee Agent and the Data Exchange Layer (DXL) client are included by default. The McAfee Agent acts as the software manager and the DXL client acts as a message bus between the client and ePO Cloud.

     

     

    On the last step, click "Install Protection on Other Computers" and this will present you with a link to install. You can use the link to download the SmartInstaller which installs the McAfee Agent, and subsequently MCP and the DXL client.

     

    To monitor the deployment progress, go to the main menu under Software > Product Deployment then click on the recently created deployment.