
Integrate McAfee Web Gateway and Web Gateway Cloud Service with Menlo Security Isolation Platform

McAfee Web Protection Integration with Menlo Security Isolation Platform

With the Menlo Security integration, McAfee Web Gateway can set up policies and dynamically route sessions of uncategorized or unknown websites to the Menlo Security Isolation Platform (MSIP). The MSIP executes the web session in a remote, containerized environment, and only safe visual components are mirrored to the user’s browser. Native browser features, such as cut-and-paste and print, keep working from the user's standpoint, while any active content is isolated from user devices. The result is that the user has a seamless experience with their native browser, and the enterprise is protected from any potential web threats—all without burdening IT.

 

Technical Description

In essence, the core part of the integration is the dynamic routing of information between McAfee’s Web Protection products and Menlo’s Secure Isolation Platform. The information for dynamic routing is determined by leveraging GTI’s assessment of a URL.

During the GTI lookup, McAfee Web Protection products receive two types of information: URL Categorization and URL Reputation. Based on the values of these vectors, McAfee Web Protection gateways decide whether to block a request, forward it to the MSIP, or send it to the destination server.

 


Implementation detail

Access Modes to the MSIP

The MSIP knows two modes of access: Proxy Mode and Prepend Mode. In proxy mode, the gateway forwards the request to the MSIP as a next-hop proxy request, which remains transparent to the end user.

In prepend mode, the gateway will rewrite the URL and prepend it with the host of the MSIP. This mode is visible to the end-user, due to the change in the URL.

In McAfee Web Protection’s gateway, not all deployment modes support each of the access modes.

 

                 WGCS             MWG
  Proxy Mode     Not supported    Supported
  Prepend Mode   Supported        Supported

 

Policy for McAfee Web Protection gateways

The basis for the integration is McAfee Web Protection’s Hybrid mode, which uses the MWG policy UI to implement the respective rules, which then are synchronized to the cloud service.

A prerequisite is a URL Filtering rule set that performs GTI lookups and gathers the information needed to select the routing or apply an action.

In the following rules, this information is used as entry criteria to any of the Menlo rule sets.

Example URL Filtering rule set:

Menlo1.png

Proxy Mode

  1. Open the McAfee Admin interface and go to Policy -> Rule Sets. Select Add Rule to create a new rule for Menlo isolation. Enter a name and description for the isolation function. Press Next > to continue.

     Menlo2.png

  2. Select the Rule Criteria to use when deciding which users, groups, or sites should be isolated. Choose any of the McAfee Web Gateway match criteria, press OK to confirm the selection and then Next > to continue.
  3. To validate the integration, select a category with predictable domains, like “Education”. Press OK to confirm the selection and then Next > to continue.

     Menlo3.png

  4. Next, select the Action field and set it to Continue. This allows the connection to proceed into Menlo Security isolation. Press Next > to continue.

     Menlo5.png

  5. Click the Add button to add an Enable Next Hop Proxy event that will take place immediately. This sends the session via the Menlo Security proxy.

     Menlo6.png

  6. Click the Add Settings button (or Edit if “Chain_Menlo” already exists) and add the Menlo proxy hostnames and port number. Proxy port numbers are determined by authentication and SSL inspection settings. The most common proxy port numbers are:
     3131: SAML SSO
     3129: Not using SAML authentication
     Note:
     The proxy hostnames are in a format similar to proxy0-nnnnnnnnnn.menlosecurity.com. Add both proxy hostnames to enable proxy high availability. You can retrieve these via admin.menlosecurity.com in the Preview of the PAC file (Settings -> Proxy Auto Config -> PAC File Actions -> Preview).

     Menlo7.png

  7. If HTTPS Scanning is in use in the McAfee Web Gateway, the Menlo Security CA certificate must be installed in the Certificate Chain Filters area for SSL inspection trust. Download the Menlo CA Security evaluation certificate from the Menlo admin console.
     Note:
     Contact Menlo Security support for the production certificate after testing.
  8. Set the Next Hop Proxy Server as Sticky. This ties each client to a next-hop proxy. Multiple clients are load balanced across all the proxies in the proxy list.

     Picture8.png

  9. Click OK to apply changes and then test the isolation. Load a URL that matches the rule created earlier (e.g., “Education” category web page) and confirm that the request is directed into isolation.
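A pre-flight check for the next-hop list entered in the settings step, as an added example that is not part of the original article or of either vendor's tooling. It reads the PAC file preview text, extracts the next-hop entries, and checks them against the article's guidance (two hostnames for high availability, port 3131 for SAML SSO or 3129 without SAML); the sample PAC content, the tenant ids and the hostname pattern are constructed assumptions.

```python
import re

# Ports named in the article: 3131 = SAML SSO, 3129 = not using SAML authentication.
PORT_FOR_AUTH = {"saml": 3131, "no-saml": 3129}
# Assumed pattern for the shape the article gives: proxy0-nnnnnnnnnn.menlosecurity.com
HOST_RE = re.compile(r"^proxy\d+-[0-9a-z]+\.menlosecurity\.com$")
# PAC return strings list next hops as "PROXY host:port", separated by ";".
PROXY_RE = re.compile(r"\bPROXY\s+([A-Za-z0-9.-]+):(\d{1,5})")


def next_hops_from_pac(pac_text):
    """Return the distinct (host, port) pairs named in a PAC file, in order."""
    hops = []
    for host, port in PROXY_RE.findall(pac_text):
        hop = (host.lower(), int(port))
        if hop not in hops:
            hops.append(hop)
    return hops


def check_next_hop_list(hops, auth_mode):
    """Return a list of findings; an empty list means the list looks sane."""
    findings = []
    expected = PORT_FOR_AUTH[auth_mode]
    if len({host for host, _ in hops}) < 2:
        findings.append("fewer than two proxy hostnames: no high availability")
    for host, port in hops:
        if not HOST_RE.match(host):
            findings.append(f"{host}: not a Menlo proxy hostname")
        if port != expected:
            findings.append(f"{host}: port {port}, expected {expected} for {auth_mode}")
    return findings


# Constructed PAC preview; the tenant ids are placeholders, not real hosts.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy0-0000000000.menlosecurity.com:3129; PROXY proxy1-0000000000.menlosecurity.com:3129";
}
"""

if __name__ == "__main__":
    hops = next_hops_from_pac(SAMPLE_PAC)
    # Checking a 3129 list against a SAML deployment reports the port mismatch.
    for finding in check_next_hop_list(hops, "saml") or ["next-hop list OK"]:
        print(finding)
```
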

 

Prepend Mode

The rule set must be placed at the bottom of the policy because it changes the URL: filtering in MWG has to run while the real URL is still present, and the redirection to the prepended URL must not happen too soon.

  1. Open the McAfee Admin interface and go to Policy -> Rule Sets. Select Add Rule Set to create a new rule set for Menlo isolation in prepend mode. Enter a name and description for the isolation function. As criteria, add a URL category or reputation based criterion for the traffic that shall be sent to the MSIP. Press Next > to continue.

     Picture9.png

     

  2. Within the rule set, add a new rule with the criteria set to always and the action set to continue. Under events, choose ADD > Set Property Value. Choose the property “Redirect.URL” and Add the Parameter Value https://safe.menlosecurity.com/ followed by adding the property.

     Picture10.png

     

  3. Confirm all entries with OK and close the wizard with Next > Finish.
  4. Within the rule set, Add New Rule with the criteria set to always and the action set to Redirect. As settings choose Default.
  5. Confirm the rule with OK and close the wizard with Finish.

 

This rule set is cloud compatible and can be used with Web Gateway Cloud Service.
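Why the prepend rule set belongs at the bottom of the policy, shown as a small model of top-to-bottom rule evaluation (an added example, not McAfee or Menlo code). The GTI table, the category and reputation labels, the rule-set functions and the assumption that the full request URL is appended to the Redirect.URL prefix are all constructed for illustration.

```python
from urllib.parse import urlsplit

MSIP_PREFIX = "https://safe.menlosecurity.com/"  # Redirect.URL value from step 2

# Constructed stand-in for GTI: host -> (category, reputation). Labels are assumed.
GTI = {
    "dropper.example": ("Uncategorized", "high risk"),
    "new-blog.example": ("Uncategorized", "unverified"),
    "school.example": ("Education", "minimal risk"),
}


def gti_lookup(url):
    host = urlsplit(url).hostname or ""
    return GTI.get(host, ("Uncategorized", "unverified"))


def url_filtering(req):
    """Block rule: stop high-risk destinations, judged on the real URL."""
    _, reputation = gti_lookup(req["url"])
    return "Block" if reputation == "high risk" else None


def menlo_prepend(req):
    """Prepend rule set: match on category, set Redirect.URL, then redirect."""
    category, _ = gti_lookup(req["url"])
    if category != "Uncategorized":
        return None
    req["redirect_url"] = MSIP_PREFIX + req["url"]  # assumed: full URL appended
    return "Redirect"


def evaluate(policy, url):
    """Run rule sets top to bottom; the first Block or Redirect ends processing."""
    req = {"url": url}
    for rule_set in policy:
        action = rule_set(req)
        if action:
            return action, req.get("redirect_url")
    return "Allow", None


RECOMMENDED = [url_filtering, menlo_prepend]  # Menlo rule set at the bottom
MISORDERED = [menlo_prepend, url_filtering]   # redirect fires before filtering

if __name__ == "__main__":
    for name, policy in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        for host in GTI:
            print(name, host, evaluate(policy, f"http://{host}/"))
```

In the misordered policy the high-risk host is redirected into isolation instead of being blocked, because the block rule never sees the request.
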

 

 

Comments
Clear and instructive. Very valuable. Easy implementation for power gain in security!
Version history
Revision #: 6 of 6
Last update: 07-11-2019 01:43 PM
