I'm attempting to restrict web traffic from my internal ePO 4.6 Server out through a Cisco ASA to the Internet. My internal ePO server is in a VLAN that is denied all connectivity with the Internet via port 80 (or any other port for that matter) by default.
I need to establish some ACLs to allow outbound traffic to the external (Internet) sites that ePO uses to pull down updates and to get threat information from Avert Labs.
I've already configured the port 80 traffic to McAfee's HTTP repository - that was easy.
Now, I need to configure a rule for myavert.avertlabs.com (http://myavert.avertlabs.com:8801).
In order to configure the ACL in a semi-restrictive / safe way, I'd like to restrict http traffic from the ePO server and only allow traffic to authorized McAfee (known good) netblocks.
This would prevent a spoofed or unauthorized server from pretending to be myavert.avertlabs.com. It's a pretty standard, straightforward request.
Problem: McAfee Gold Support doesn't seem to be able to provide me with a list of known-good netblocks or IP ranges for myavert.avertlabs.com.
I've been able to ping several IPs in several ranges over time when I ping myavert.avertlabs.com - the two most common IPs returned are:
However, I've also seen other IPs pop in from time to time...
I've created a ticket with McAfee Gold support for this issue, but all they seem to want to give me are the hostname of the server and the URL; both of which are all well and good, but NOT what I'm looking for here.
Has anyone else out there created a restrictive ACL for myavert.avertlabs.com via port 8801 to a known set of netblocks / CIDR blocks / IP ranges / etc.?
I have a hard time believing that I'm the only person on the planet that's trying to accomplish this task (and that McAfee Gold Support has never been asked this question before).
I apologize for the frustrated tone of this post; it's indicative of my current level of frustration.
There is a KB that addresses this type of issue, although I don't agree with the position:
My sources tell me that the decision to not provide fixed IPs or netblocks was made due to numerous issues with customers complaining about connectivity issues when the IPs changed.
While understandable, it's surprising to me that this response is the best that McAfee's support organization can do.
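As an added example (not McAfee's guidance and not the poster's own configuration), one way to keep the rule tight without hard-coding addresses that change is to let the ASA resolve the name itself with an FQDN network object, which ASA 8.4(2) and later support; the ePO address 10.10.10.5, the DNS server 192.0.2.53, the interface name `inside` and the ACL name are constructed placeholders.

```cisco
! Added example, not from the original post or from McAfee.
! Placeholders: 10.10.10.5 = ePO server, 192.0.2.53 = internal resolver,
! "inside" = the interface facing the ePO VLAN.
! The ASA resolves the FQDN using these DNS settings; point it at the same
! resolver the ePO server uses so both sides get the same answers.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
object network EPO-SERVER
 host 10.10.10.5
!
! FQDN object: the ASA re-resolves the name as DNS answers and TTLs change,
! so the permit follows myavert.avertlabs.com without a fixed netblock.
object network MYAVERT
 fqdn v4 myavert.avertlabs.com
!
! Permit only the ePO server to the currently resolved address on TCP 8801.
! Merge this with the existing port-80 rule for the McAfee HTTP repository,
! since applying the access-group replaces whatever ACL is bound to the
! interface; everything else from the VLAN still hits the final deny.
access-list EPO-OUT extended permit tcp object EPO-SERVER object MYAVERT eq 8801
access-list EPO-OUT extended deny ip any any log
access-group EPO-OUT in interface inside
```

`show access-list EPO-OUT` displays the addresses the FQDN entry has resolved to; if the ASA and the ePO server use different resolvers they can disagree, and the connection is then dropped rather than silently widened.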