- Introduction
- Concept
- Configuration
- Gather network information
- Configure the Web Gateway Cloud Service
- Determine closest PoPs
- Configure On-Premise Firewall/Router
- Supported Devices
Introduction
With the December 2016 release of the Web Gateway Cloud Service site-to-cloud traffic redirection is now supported. Site-to-Cloud traffic redirection is made possible by using IPSec tunnels. This allows remote offices to securely redirect web traffic to the Web Gateway Cloud Service for filtering and policy enforcement.
Concept
Your on-premise firewall or router use policy based routing to send all externally bound web traffic (80, 443) over an IPSec tunnel to the Web Gateway Cloud Service to be filtered according to your organization's web policy.
IMPORTANT: Only externally bound port 80 and 443 traffic should be forwarded over the IPSec tunnel. Any other traffic forwarded may be dropped on the other side of the tunnel.
Configuration
Below we'll go over the basics of what you'll need in order to get your IPSec tunnel configured. We'll need information about your network like external IPs and internal subnet ranges. This information will be added in ePO Cloud so that the Web Gateway Cloud Service can identify your connections and assign the right policy. Once the Web Gateway Cloud Service is configured we can setup the IPSec tunnel in your on-premise firewall or router. This guide will include basic information to get the IPSec tunnel configured on your device, and vendor specific guides will be posted as they are written.
Gather network information
To configure the Web Gateway Cloud Service, we need your external IPs and your internal subnet ranges. Contact your network team if you have a number of IP ranges your organization owns, or simply ask Google "What is my IP?", if you have a single IP you want to test with.
Configure the Web Gateway Cloud Service
Now that you have your external IP and internal subnet, we can configure the Web Gateway Cloud Service. We will need to create a site-to-site definition in the authentication settings within ePO Cloud. We will need to give the cloud service four things:
- Site-to-Site Name - Helps you remember what location or office the definition is for.
- External IP - The Web Gateway Cloud Service uses this to identify any incoming IPSec connections in order to tie them to your settings.
- Local Network - This is used so the Web Gateway Cloud Service knows how to properly handle connections from your remote network.
- Pre-Shared Key - A shared key between the Web Gateway Cloud Service and your on-premise edge device who initiates the IPSec communication. You define this yourself and set it on your on-premise firewall or router.
Determine closest PoPs
To determine where you'll be redirecting traffic, you first need to find the IPs of the closest Web Gateway Cloud Service points of presence (PoPs) to your location. To find this, perform a DNS lookup using the following commands, and replace XXXXXXXXX with your customer ID. Be sure to perform the nslookups from the environment where the IPSec tunnel will be configured.
- Closest PoP
- nslookup 1.network.cXXXXXXXXX.saasprotection.com
- 2nd closest PoP
- nslookup 2.network.cXXXXXXXXX.saasprotection.com
This will give you the first and second closest points of presence. Take note of the IPs for later steps.
Configure On-Premise Firewall/Router
Once the Web Gateway Cloud Service is configured, it's ready to accept traffic from your network. Now we'll need to configure the on-premise device (firewall or router) to actually perform the traffic redirection. Below are details needed for configuring the IPSec tunnel and not policy based routing.
IMPORTANT: As noted above, policy based routing is not covered below. After configuring the IPSec tunnel, only external bound port 80 and 443 traffic should pass through through the IPSec tunnel. This configuration varies from device to device, but is required for good user experience.
IKE Phase 1
Details about phase 1:
- Key Exchange (IKE) Version: 1,2
- Remote Gateway: [Enter IP of closest PoP, example: 185.125.227.1]
- Lifetime: 28800 seconds (8 hours)
- Authentication
- Method: Mutual Pre-Shared Key (PSK)
- Identifier: [Your external IP address]
- Peer Identifier: Peer IP address
- Pre-Shared Key: [Use corresponding Pre-Shared Key configured in ePO Cloud]
- Encryption
- Encryption Algorithm: AES (128 bits*, 192 bits, 256 bits)
- Hashing Algorithm: SHA1**, SHA2 (SHA256*, SHA384, SHA512)
- Diffie-Hellman (DH) Group: 2 (1024 bit), 5 (1536 bit)*, 14 (2048 bit), 16 (4096 bit)
* Represents recommended setting.
* Only supported for IKEv1
IKE Phase 2
Details about phase 2:
- Local Network: [Your local subnet]
- NAT Translation: [Your local subnet]
- Remote Network: 0.0.0.0/0
- Enable Perfect Forward Secrecy
- Lifetime: 28800 seconds (8 hours)
- SA/Key Exchange
- Protocol: ESP
- Encryption Algorithms: AES (128 bits*, 256 bits, 512 bits)
- Hashing Algorithms: SHA1**, SHA256*, SHA384, SHA512
- Diffie-Hellman (DH) Group: 2 (1024 bit), 5 (1536 bit)*, 14 (2048 bit), 16 (4096 bit)
* Represents recommended setting.
* Only supported for IKEv1
Failover IPSec Connection
Repeat the above steps for the 2nd closest PoP that was noted when we determined the closest PoPs.
Supported Devices
There is a number of devices that McAfee has configured with the IPSec tunnel to the Web Gateway Cloud Service.
Community Help Hub
-
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.
- Find Forum FAQs
- Learn How to Earn Badges
- Ask for Help
Join the Community
-
Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:
- Get helpful solutions from McAfee experts.
- Stay connected to product conversations that matter to you.
- Participate in product groups led by McAfee employees.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA