Right now we use MWG 7.2 as an explicit proxy via a proxy.pac file on the end user desktops. Authentication is done via LDAP (Windows AD). We'd like to have all our wireless devices go through MWG 7.2 as well. We'd also like for the user to authenticate either via pass through auth if the device supports it or via a pop up prompt. Can this be done and what is the best method?
Right now, just pointing the devices at the proxy is an issue for two reasons. First, some devices do not support a proxy.pac file, which means all web traffic is going through MWG, which is not what we desire (internal traffic should not be proxied, along with some external sites). Second, some devices (cough, Apple, cough) do not seem to behave well with proxy auth, with users being prompted over and over again for credentials.
Again if anyone can shed some light on the best way (or better way) to accomplish our goals, we'd be very appreciative.
Thank you - John.
Maybe someone else can help you with complete instructions, but here is what I can tell from my (limited) tests:
- Some of the apps respect the proxy settings, some do not. I would recommend setting up a transparent proxy for your wireless devices. You could plug MWG between the access point and the next hop router in one of the transparent modes. By doing so, no one needs to apply settings to their device and most likely more apps will work.
- I would recommend to use one of the authentication server methods. I would assume that Cookie Auth also would not work with everything, so most likely the IP/Session based authentication will give you the best results. In this case the first request you do is authenticated and MWG will remember the client IP address and the user using the IP until a configurable time runs out. Then authentication is required again.
- I would definitely have the wireless devices in a separate network segment, e.g. assign different IP addresses to wireless devices. On MWG I would apply a different rule set to all clients coming with these source IP addresses. I believe you may require rules that differ very much from what you use for your "normal" computers.
- I would ensure that the DHCP server serving the wireless devices has a pretty long lease time. This will help avoid problems when using the IP/Session based authentication. Cookie Authentication would be even better, but may cause trouble.
I hope this gives you some ideas to start.
Thanks for the guidance. I'm thinking setting up another instance of MWG7 in transparent mode is probably the best way. We've never done this though, nor have we used IP/Session auth. IP/Session auth seems like it would create some problems though, since multiple devices could end up reusing the same IP address via DHCP, although as you point out a longer lease time would help, but I am not sure that's an option here. Can MWG validate by IP and MAC address?
We are curious if McAfee has a best practices or whitepaper on using mobile devices with MWG 7. Since BYOD is such a huge topic right now, it would seem like there would be a ton of guidance on this. Perhaps we will try our account manager as well to see if he can find anything.
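The IP-reuse concern discussed in the posts above, as an added illustration that is not part of any post and is not MWG code or configuration: a toy model that replays requests through an IP-keyed session cache and reports requests credited to the wrong user. The lease data, user names, function names and the rule that the session timer is not extended by later requests are all assumptions made for the example.

```python
# Added illustration: a toy model of IP-keyed session authentication.
# All names and values are constructed; this is not MWG code or configuration.
from collections import namedtuple

Lease = namedtuple("Lease", "mac ip start end")  # DHCP lease, times in seconds

# Constructed sample: a 10-minute lease, then the same address goes to another device.
LEASES = [
    Lease("aa:aa", "10.0.0.50", 0, 600),
    Lease("bb:bb", "10.0.0.50", 600, 1200),
]
OWNERS = {"aa:aa": "alice", "bb:bb": "bob"}  # who really uses each device


def ip_at(leases, mac, t):
    """Address held by `mac` at time t, or None if it has no lease."""
    for lease in leases:
        if lease.mac == mac and lease.start <= t < lease.end:
            return lease.ip
    return None


def misattributed(ttl, leases, owners, requests):
    """Replay (time, mac) requests through an ip -> (user, expiry) cache.

    Assumption: the timer starts at authentication and is not extended by
    later requests. Returns (time, mac, cached_user) for every request
    credited to a user who does not own the device.
    """
    cache, wrong = {}, []
    for t, mac in sorted(requests):
        ip = ip_at(leases, mac, t)
        if ip is None:
            continue  # device has no lease, so it sends nothing
        user, expiry = cache.get(ip, (None, 0))
        if user is None or t >= expiry:
            # No live session: the device is prompted and its owner logs in.
            cache[ip] = (owners[mac], t + ttl)
        elif user != owners[mac]:
            wrong.append((t, mac, user))  # inherited someone else's session
    return wrong


if __name__ == "__main__":
    print(misattributed(3600, LEASES, OWNERS, [(10, "aa:aa"), (700, "bb:bb")]))
    print(misattributed(300, LEASES, OWNERS, [(10, "aa:aa"), (700, "bb:bb")]))
```

In this model a short session timeout alone is not enough: a re-authentication shortly before the lease ends still leaves a live session on the address when the next device receives it.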
I've been trying to figure out how to get the MWG CA cert into the iPad for SSL scanning.
I see there is an iPhone configuration utility.
It appears that this will get the CA cert installed into i* devices, and let you specify proxy settings for wireless or VPN connections.
Have you tried this yet?
I don't do Apple, so I have no idea if it will help manage the devices. Can you give me some feedback if you try it?
I am currently working with the import tool as well and having (not much) success. What it appears is that it will let you import 'Personal' certificate stores but not the Root Auth stores.
Still working on this one - keep us posted!
I just got it to work as far as the McAfee certificate being installed on the iPad (and clearing that issue).
Let me see if I can duplicate my steps and hopefully help someone else in the near future.
It appears that the Root Certificate install is good for the native browser (Safari) - With apps like Google Chrome it appears to be still an issue.
(Investigating even further)
Message was edited by: shaneg on 8/16/12 10:41:09 AM CDT