All the endpoints in my environment are making HTTP requests with the IP address, rather than the domain name for cloud.gti.mcafee.com. At the time of this post, we are seeing tens of thousands of HTTP requests every day to https://188.8.131.52/ and https://184.108.40.206/. When cloud.gti.mcafee.com starts resolving to different IP addresses, I expect to see HTTP requests continuing to go to these IP addresses for a few days after it has changed.
We believe this is a problem because those IP addresses are the ones creating a lot of open connections on the firewall whenever the IP addresses for cloud.gti.mcafee.com change. My theory is that there is some sort of caching mechanism going on. If it attempts to make an HTTP request using the domain, which is obviously failing, it then falls back to making HTTP requests with the IP address. It must attempt to use a cached fallback IP address for a few days, even after the IP address for cloud.gti.mcafee.com changes.
Why is it failing? I assume it has something to do with the fact that it's one of the domains where McAfee has decided to try to prevent MITM attacks by using a self-signed certificate with a root authority that isn't trusted. We don't seem to have this problem with domains that have a proper SSL certificate. Yes, we are using McAfee Web Gateway, but we don't do SSL inspection.
My GTI_error.log is filled with these errors:
[E] [0x3730] HttpRequest::Send: HttpRequest::Send WinHttpSendRequest result ERROR_WINHTTP_TIMEOUT 12002
[E] [0x3730] HttpRequest::ValidateServerCert: Unable to get certificate context from request. Error: ERROR_WINHTTP_INCORRECT_HANDLE_STATE
[E] [0x3730] HttpRequest::AcceptResponse: HttpRequest::AcceptResponse WinHttpReceiveResponse result ERROR_WINHTTP_INCORRECT_HANDLE_STATE 12019
Is anyone else seeing this issue?
EDIT: I also see that tunnel.web.trustedsource.org resolves to those IP addresses as well. I see my machine making DNS lookups for cloud.gti.mcafee.com, but it has never made an HTTP request using that domain name.
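An added example, not part of the original post: a Python sketch that splits GTI_error.log text in the format quoted above into entries and groups them per thread, so the first failure of each request can be counted separately from the errors that follow it. The function names and the grouping rule (an `HttpRequest::Send` entry opens a new request on its thread) are assumptions; the sample is constructed from the three entries quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: the three entries quoted in the post, run together on one line.
SAMPLE = (
    "[E] [0x3730] HttpRequest::Send: HttpRequest::Send WinHttpSendRequest result "
    "ERROR_WINHTTP_TIMEOUT 12002 "
    "[E] [0x3730] HttpRequest::ValidateServerCert: Unable to get certificate context "
    "from request. Error: ERROR_WINHTTP_INCORRECT_HANDLE_STATE "
    "[E] [0x3730] HttpRequest::AcceptResponse: HttpRequest::AcceptResponse "
    "WinHttpReceiveResponse result ERROR_WINHTTP_INCORRECT_HANDLE_STATE 12019"
)

# An entry starts at "[<level>] [0x<thread>] <Class::Method>:" and runs to the next one.
ENTRY = re.compile(
    r"\[(?P<level>[A-Z])\]\s+\[(?P<thread>0x[0-9A-Fa-f]+)\]\s+"
    r"(?P<func>\w+::\w+):\s+(?P<msg>.*?)(?=\s*\[[A-Z]\]\s+\[0x|\Z)",
    re.S,
)
WINHTTP_ERR = re.compile(r"(ERROR_WINHTTP_\w+)(?:\s+(\d+))?")

def parse_entries(text):
    """Split raw log text into one record per entry, even when entries share a line."""
    records = []
    for m in ENTRY.finditer(text):
        err = WINHTTP_ERR.search(m["msg"])
        records.append({
            "level": m["level"], "thread": m["thread"], "func": m["func"],
            "error": err.group(1) if err else None,
            "code": int(err.group(2)) if err and err.group(2) else None,
        })
    return records

def group_requests(records):
    # Assumption: an HttpRequest::Send entry opens a new request on its thread;
    # later entries from that thread belong to it until the next Send.
    open_by_thread, requests = {}, []
    for r in records:
        if r["func"] == "HttpRequest::Send" or r["thread"] not in open_by_thread:
            req = {"thread": r["thread"], "root": r["error"], "follow_on": []}
            open_by_thread[r["thread"]] = req
            requests.append(req)
        else:
            open_by_thread[r["thread"]]["follow_on"].append((r["func"], r["error"]))
    return requests

def summarize(text):
    # Tally requests by the first error each one logged.
    return Counter(req["root"] for req in group_requests(parse_entries(text)))
```

Run over a full log, `summarize` shows how many requests failed first with a timeout versus some other WinHTTP error, which can be compared against firewall connection counts for the same period.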