Best Practices: Whitelisting Citrix and Webex from the SSL Scanner



This article describes McAfee Maintained Subscribed Lists and how to use them to allow Citrix and Webex through the SSL Scanner on the McAfee Web Gateway. This is done by bypassing the IP address ranges used by Webex and Citrix for their SSL connections from the SSL Scanner. This guide focuses on adding a McAfee Maintained Subscribed List to bypass these applications from the SSL Scanner.


Although this topic will cover Citrix and Webex, there are many other McAfee Maintained Subscribed Lists that can be useful for your policy. Examples include:

  • Known Certificate Authorities (Find more info here)
  • Windows Update Servers
  • Office 365 (Exchange, Lync, ProPlus, SharePoint, Federation and Yammer)
  • Amazon Cloud Services
  • Antimalware Update Servers (AVG, Symantec, ESET, Trendmicro, etc…)
  • Linux distribution specific update servers


The list creation instructions covered below will also apply to these lists above.



Why do we need to bypass this traffic from the SSL Scanner?

The MWG is an HTTP proxy and inspects HTTP/HTTPS based traffic. Some applications will encrypt their proprietary protocol traffic with SSL. When the SSL Scanner is enabled, the MWG opens up the SSL tunnel to look at the traffic inside. Instead of finding normal HTTP traffic, it finds non-HTTP traffic, which causes the MWG to reset the connection. To prevent this from happening, we will want to bypass this traffic from the SSL Scanner using McAfee Maintained Subscribed Lists.



What is a McAfee Maintained Subscribed List?

This is a list which is maintained off box from the Web Gateway by McAfee. This feature is meant to reduce administrative overhead for ever-changing web applications. McAfee maintains these lists for you and your MWG appliance can update them automatically on a specified schedule.


The maintained lists in this example will include a variety of IP addresses for a specific application that you can use in your ruleset as criteria for bypassing from the SSL Scanner. This is a benefit for administrators so they do not need to monitor and maintain changes to the WebEx or Citrix IP ranges used for their products.


Another example is the "Trusted Certificate Authorities" maintained list. As new Authorities become certified and trusted, the MWG automatically adapts and administrators do not need to manually add anything.



How do I add a McAfee Maintained Subscribed List?

Note: This example shows how to add a list for WebEx; you can substitute the list for the application of your choice.


Follow along with the screenshots below the instructions.

    1. Select Policy
    2. Select “Lists” from the tabs on the left.
    3. Select the green add button (see screenshot)
    4. Enter in a name for the list, in my testing I used “WebEx Subscribed List”. You can substitute it for whatever list name you want to give.
    5. Select “List content is managed remotely”
    6. Select radio button for McAfee Maintained List
    7. Click Choose and select the list you want to add. In this example I am using the WebEx IP Ranges. (see screenshot)
    8. Click OK on all the dialog boxes then save changes.
    9. You can verify the list is updated from Policy>Lists>Subscribed Lists > IPRange > WebEx Subscribed List (McAfee maintained). This will contain a list of IP ranges. (see screenshot)


Note: If the list is not populated, see the troubleshooting section further below.



How can I use this list in my policy?

We will use the list as criteria to bypass from the SSL Scanner.


Follow along with the screenshot

    1. Go to your SSL Scanner ruleset: SSL Scanner> Handle Connect Call
    2. Add Rule
    3. Name: SSL Bypass (Can be whatever you want though)
    4. Rule Criteria: URL.Destination.IP Is in range list WebEx Subscribed List
    5. Action: Stop Rule Set
    6. Save Changes.


Test out the application to verify the rule is working correctly.


Note: This rule bypasses these IP ranges from the SSL Scanner ONLY; with a Stop Rule Set action, any rule sets placed below the SSL Scanner are still evaluated for the connection. If you have other rules below your SSL Scanner which may block these ranges, change the rule action to Stop Cycle instead.
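To make the difference between the two actions concrete, here is an added example (not code from the article or from McAfee) that simulates the CONNECT cycle in plain Python: an IP range list in the two shapes a subscribed list can hold (CIDR and start-end), the "Is in range list" match, and a block rule set sitting below the SSL Scanner. All addresses are constructed documentation ranges, not the real Webex list.

```python
import ipaddress

# Constructed sample entries (RFC 5737 documentation ranges, not real Webex ranges).
WEBEX_SUBSCRIBED_LIST = ["192.0.2.0/24", "198.51.100.10-198.51.100.20"]
# Constructed example of a separate block rule set evaluated after the SSL Scanner.
BLOCK_LIST_BELOW = ["198.51.100.0/24"]

STOP_RULE_SET = "Stop Rule Set"   # leaves only the SSL Scanner rule set
STOP_CYCLE = "Stop Cycle"         # ends processing of the whole request cycle


def parse_range_list(entries):
    """Turn CIDR or start-end entries into (first, last) integer pairs."""
    ranges = []
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        else:
            net = ipaddress.ip_network(entry, strict=False)
            first, last = net[0], net[-1]
        ranges.append((int(first), int(last)))
    return ranges


def ip_in_range_list(ip, ranges):
    """Equivalent of the 'URL.Destination.IP Is in range list' criterion."""
    n = int(ipaddress.ip_address(ip))
    return any(first <= n <= last for first, last in ranges)


def evaluate_connect(dest_ip, bypass_action):
    """Walk the CONNECT cycle: SSL Scanner rule set first, then the block rule set."""
    bypass = parse_range_list(WEBEX_SUBSCRIBED_LIST)
    block = parse_range_list(BLOCK_LIST_BELOW)
    result = {"ssl_inspect": True, "blocked": False, "trace": []}
    # SSL Scanner > Handle CONNECT Call: a match on the bypass rule skips inspection.
    if ip_in_range_list(dest_ip, bypass):
        result["ssl_inspect"] = False
        result["trace"].append(("SSL Bypass", bypass_action))
        if bypass_action == STOP_CYCLE:
            return result  # nothing below the SSL Scanner is evaluated
    else:
        result["trace"].append(("Enable SSL Scanner", "Continue"))
    # A rule set placed below the SSL Scanner still runs after Stop Rule Set.
    if ip_in_range_list(dest_ip, block):
        result["blocked"] = True
        result["trace"].append(("Block IP range", "Block"))
    return result
```

Running evaluate_connect("198.51.100.15", STOP_RULE_SET) shows the connection skipping the SSL Scanner but still being blocked by the lower rule set, while STOP_CYCLE lets it through untouched.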





What if the application still doesn’t work after creating the bypass?

You will want to take a network capture while reproducing the issue. Send this capture to support along with a feedback file. Include the client IP that you tested with when reproducing the issue. Instructions for the capture can be found at:


Feedback can be generated from Troubleshooting > Feedback > Create Feedback File.


What if I need to add to a subscribed list?

You can contact Technical Support to suggest additions to a Subscribed List.


What if my maintained list does not update?

This list is handled by the same update process as your URL filter and AV DAT updates. As such, the maintained lists will use the update proxy settings if any are defined. It's best to start troubleshooting by examining the update.log file, located under Troubleshooting > Log Files > update. Look for any error message related to updating the maintained list.

If you cannot determine the source of the issue from the update logs, generate a feedback and take a packet capture while reproducing the issue. Lastly, contact technical support with this data.


Note: You’ll want to filter the capture for port 443 to minimize the size of the capture (Troubleshooting > Packet Tracing). You can use these command line parameters to capture this content:

-s 0 -i any port 443


Office 365 now available in the subscribed list section. 🙂


Vendors are now putting their Citrix servers in public clouds which means that we will have to whitelist large IP ranges for their Citrix-based application. These IP ranges may contain other applications and/or web sites resulting in loss of visibility and control.

I'd like to have better options than to simply whitelist IP ranges.

Will there be any subscription list for the Team Viewer application? As checked, I didn't find any list.

Hi,

Team Viewer is available as an application and can be whitelisted this way. SSL scanning must be in place, otherwise MWG cannot detect Team Viewer.


Hi, somehow the maintained list doesn't match the request. I've used the Fedora Mirrors maintained list (URL.Host matches in list) which contains* but when client request following the rule doesn't match -

Any Idea what might be wrong?


Br. Ales

If we use our own citrix server, how can we detect them?

Version history: Revision 2 of 2, last update 03-20-2018 01:11 PM