How Do You Properly Configure a Rule for a Workstation Using Aventail Connect Behind a McAfee 410F Firewall?

Hello All,

I am using McAfee Firewall Enterprise (Sidewinder) Admin Console Version 4.10.  I would like to setup a Firewall rule that would allow workstations behind the McAfee 410F to connect to a remote network. I do not have any access or authorization on the remote network other than through the use of a VPN Client. I am nothing more than an end user and will not be able to make changes on the remote end. The workstations behind the McAfee 410F are using Aventail Connect v5.20 to connect to the remote network.

If I am correct the problem is that I am not properly configuring the rule to use SSL VPN. I had a rule in place before that worked but it was accidentally deleted. If someone can point me to a KB or provide me with the steps to properly configure the rule, it would be greatly appreciated.

Thank you all in advance for your directly related responses.

Accepted Solution
PhilM
Level 14
Message 6 of 7

Re: How Do You Properly Configure a Rule for a Workstation Using Aventail Connect Behind a McAfee 410F Firewall?

Hi

I'm in the position of having worked with both MFE and with the Aventail products - so I know that what you are trying to achieve does work.

What does the Audit Viewer screen show when you are trying to establish a connection?

Just make sure that any HTTPS-level application inspection is disabled. While the Aventail client operates over port 443 it is not true HTTPS (it's a form of Socks over 443, if I recall), so if you are trying to pass it through the Firewall as real HTTPS, it will fail and you will find that the audit will contain protocol violation errors.

As sliedl has said, as long as the rule is positioned above deny all it should work. I would add to that suggestion that you make sure that you assign the "connection settings" application defense to the rule. This will ensure that it is operating as a packet filter and it shouldn't be blocked.

Of course if you have an existing outbound HTTPS (SSL/TLS) rule which is inspecting the traffic and positioned further up the ACL list this will get in the way of your Aventail rule. What you could do is lock down the Aventail rule to a specific destination host (this will be the IP address configured in the Connect Tunnel client), and place the rule above any pre-existing outbound rules allowing HTTPS. Your Aventail client traffic should then pass out through this rule (and without being inspected), but your normal outbound HTTPS traffic will not match and will pass out through your normal Internet Services rule.

Hope that helps.

-Phil.
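The ordering problem Phil describes (a host-locked, non-inspecting rule placed above the general inspecting HTTPS rule, and everything above Deny All) can be modelled with a small first-match evaluator. This is an added example, not code from the thread or from McAfee or Aventail: the zone names, the TEST-NET addresses, the rule names and the "protocol violation" outcome for a non-HTTPS stream hitting an inspecting rule are all constructed to mirror what the replies above describe, and are assumptions rather than real product behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One entry in a first-match access rule list (all names are constructed)."""
    name: str
    src_zone: str                # Sidewinder calls these "burbs"; "*" matches any
    dst_zone: str
    dst_net: str                 # CIDR; "0.0.0.0/0" means any destination host
    dst_port: Optional[int]      # None means any port
    action: str                  # "allow" or "deny"
    inspect_https: bool = False  # True: HTTPS application defense; False: packet filter

    def matches(self, src_zone: str, dst_zone: str, dst_ip: str, dst_port: int) -> bool:
        return (
            self.src_zone in ("*", src_zone)
            and self.dst_zone in ("*", dst_zone)
            and ip_address(dst_ip) in ip_network(self.dst_net)
            and (self.dst_port is None or self.dst_port == dst_port)
        )


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, dst_ip: str,
             dst_port: int, is_real_https: bool) -> Tuple[Optional[str], str]:
    """Walk the list top to bottom and return (rule name, outcome) for the first hit.

    Outcomes model what the thread describes: a deny rule drops the flow, an
    inspecting HTTPS rule rejects a non-HTTPS stream with a protocol violation,
    and a flow that reaches the end of the list is implicitly denied.
    """
    for rule in rules:
        if not rule.matches(src_zone, dst_zone, dst_ip, dst_port):
            continue
        if rule.action == "deny":
            return rule.name, "denied"
        if rule.inspect_https and not is_real_https:
            return rule.name, "protocol violation"
        return rule.name, "passed"
    return None, "denied"


# Constructed placeholder addresses (TEST-NET ranges), not real hosts.
VPN_GATEWAY = "203.0.113.10"    # the host configured in the Connect Tunnel client
SOME_WEBSITE = "198.51.100.7"   # an ordinary HTTPS site

INTERNET_HTTPS = Rule("Internet HTTPS", "internal", "external", "0.0.0.0/0", 443,
                      "allow", inspect_https=True)
AVENTAIL = Rule("Aventail VPN", "internal", "external", VPN_GATEWAY + "/32", 443,
                "allow", inspect_https=False)
DENY_ALL = Rule("Deny All", "*", "*", "0.0.0.0/0", None, "deny")


def broken_order() -> List[Rule]:
    """Inspecting HTTPS rule above the Aventail rule: Aventail traffic never reaches its own rule."""
    return [INTERNET_HTTPS, AVENTAIL, DENY_ALL]


def fixed_order() -> List[Rule]:
    """Host-locked, non-inspecting Aventail rule first; ordinary HTTPS still hits the inspecting rule."""
    return [AVENTAIL, INTERNET_HTTPS, DENY_ALL]


def below_deny_all() -> List[Rule]:
    """The rule exists but sits under Deny All, so it is unreachable."""
    return [DENY_ALL, AVENTAIL]


def aventail_outcome(rules: List[Rule]) -> Tuple[Optional[str], str]:
    """Aventail client flow: internal -> external, to the VPN gateway on 443, not real HTTPS."""
    return evaluate(rules, "internal", "external", VPN_GATEWAY, 443, is_real_https=False)


def browser_outcome(rules: List[Rule]) -> Tuple[Optional[str], str]:
    """Ordinary browser flow: internal -> external, to a web site on 443, real HTTPS."""
    return evaluate(rules, "internal", "external", SOME_WEBSITE, 443, is_real_https=True)


if __name__ == "__main__":
    for label, policy in (("broken", broken_order()), ("fixed", fixed_order()),
                          ("below deny all", below_deny_all())):
        print(f"{label:>15}: aventail={aventail_outcome(policy)} browser={browser_outcome(policy)}")
```

Running it shows the three situations in the thread side by side: with the inspecting rule on top the Aventail flow is rejected as a protocol violation (the audit entries Phil mentions), with the host-locked rule on top it passes uninspected while normal browsing still goes through the inspecting rule, and a rule placed under Deny All never matches at all.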

6 Replies
sliedl
Level 14
Message 2 of 7

Re: How Do You Properly Configure a Rule for a Workstation Using Aventail Connect Behind a McAfee 410F Firewall?

This is simply a port 443 SSL/TLS rule that you need to make to pass this traffic through the firewall.

Re: How Do You Properly Configure a Rule for a Workstation Using Aventail Connect Behind a McAfee 410F Firewall?

Agreed. I am aware of that. But I am not able to figure out how to get it done. My best attempts have not been successful. Do you know of an existing KB or other post that has the step by step in how to get this done? If not would you be willing to share step by step knowledge in doing so?

Thank you.

sliedl
Level 14
Message 4 of 7

Re: How Do You Properly Configure a Rule for a Workstation Using Aventail Connect Behind a McAfee 410F Firewall?

Make a rule with a Service of HTTPS, Source burb Internal, Dest burb External, source/dest endpoints Any, NAT localhost, make sure it's above Deny All, and you should be good to go.

Re: How Do You Properly Configure a Rule for a Workstation Using Aventail Connect Behind a McAfee 410F Firewall?

I did exactly just that. Still no go.

Re: How Do You Properly Configure a Rule for a Workstation Using Aventail Connect Behind a McAfee 410F Firewall?

Sliedl and PhilM, thank you very much for your help! You were both able to get me in the right direction. Both your answers were correct and I also found the KB Article at URL https://kc.mcafee.com/corporate/index?page=content&id=KB63186&cat=CORP_SIDEWINDER&actp=LIST very helpful.

It is all working now. Thanks again.