Does McAfee Web Gateway 7.2 support WebSocket ??

My environment has a McAfee Web Gateway 7.2.0.1.0 installed, and a specific application is connecting using web sockets. My proxy is configured to work as an HTTP/HTTPS proxy and, from what I understand, WebSocket's handshake is similar to HTTP.

Also I read that WebSocket WS:// mostly doesn't work with a proxy unless it's a WebSocket Secure connection, WSS://. Can someone throw some light on Web Gateway's compatibility with WebSocket?

Also please do note that I use NTLM authentication, which I guess doesn't go well with WebSocket.

Cheers

Srini

1 Solution

Accepted Solutions
cnewman

Re: Does McAfee Web Gateway 7.2 support WebSocket ??

I see the problem here. The initial problem lies with how the request looks to the proxy. In my testing using direct proxy, when I attempted to connect, the browser generated a connect method to the proxy (this is by design):

[03/Sep/2013:13:07:43 -0400] "chris" XXXXX XXXXXX 173 500 TCP_MISS "CONNECT echo.websocket.org:80 HTTP/1.1" "Internet Services" "Minimal Risk" "-" 1710 0 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0" "-" "-" "103" "" "-"

The documentation for Web Sockets actually explicitly states that they will use a connect to establish the connection.

Many rulesets limit the ports allowed for connect to 443:

[Image: ws.png]

However, if we assume that anything with a connect is SSL, we'll either ignore it (no SSL scanning) or break it. At the moment, you cannot do non SSL web sockets through MWG and you cannot perform SSL scanning on web sockets. 

As web sockets become more prevalent, we may need to implement directly.

Regards,

on 9/3/13 4:17:41 PM CDT

5 Replies

Re: Does McAfee Web Gateway 7.2 support WebSocket ??

I am behind the same gateway and if I go to this web page:


http://www.websocket.org/echo.html

and press the Connect button, I can't connect with either ws:// or wss://

Thus, I would tend to answer 'no' to your question, but let's wait for a more authoritative response.


From my understanding, NTLM, being 'just' an authentication protocol, shouldn't affect WebSocket. Authentication happens before the connection to the target host is established.

Re: Does McAfee Web Gateway 7.2 support WebSocket ??

Hi Tony,

The authentication part I learnt from another site where they were discussing similar interoperability. Thanks for the WebSocket test site; I did test the same in my environment and, like I had stated, WS:// doesn't work, but WSS:// works perfectly fine even with NTLM authentication in place. The browser's WebSocket messages do provide some insight on what's happening, though I am not sure whether the WS:// failure is due to a compatibility issue with the product or with my config.

Hope to hear from someone who is more familiar with this.

Cheers

Srini

Re: Does McAfee Web Gateway 7.2 support WebSocket ??

Hi,

Are there any recent developments on this topic? Does McAfee/Intel plan to support RFC 6455 WebSocket communication?

Today, even with the latest controlled release (7.6.2.1), the only way to allow websockets communication seems to be disabling "ssl inspection". During handshake, the websocket client issues a CONNECT request to the proxy (even when it does not intend to use TLS). If I allow the CONNECT (including for port tcp/80) *and* disable "ssl inspection", the proxy "looks the other way" and lets the traffic pass through. As the proxy doesn't even check for a tls handshake, you can allow any traffic this way (I think).

Of course, this isn't safe at all.

Regards,

Sergio

Re: Does McAfee Web Gateway 7.2 support WebSocket ??

I see that KB84052 confirms what I wrote above. However, the release notes for 7.6.0 say that "WebSockets traffic can be detected and tunneled or blocked depending on its content."

Looks promising.
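
The thread's concern is a CONNECT tunnel that is passed without checking what it carries. As an added example (not part of the original posts and not McAfee's implementation), this sketch classifies the first bytes a client sends after CONNECT as a TLS ClientHello, an RFC 6455 opening handshake, or something else, and tunnels only the protocol expected on that port. The function names, the per-port policy and the sample byte strings are assumptions made for illustration.

```python
import base64

# Assumed policy for this sketch: the protocol a CONNECT tunnel may carry per port.
EXPECTED = {443: "tls", 80: "websocket"}

def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record carrying a ClientHello."""
    if len(data) < 6:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    # 0x16 = handshake record; 0x03,0x00-0x04 = record versions SSL 3.0 to TLS 1.3;
    # a plaintext record is at most 2**14 bytes; handshake type 0x01 = ClientHello.
    return (data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04
            and 0 < record_len <= 2**14 and data[5] == 0x01)

def is_websocket_handshake(data: bytes) -> bool:
    """True if data holds a complete RFC 6455 opening handshake request."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return False                      # header block incomplete
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        return False
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    try:                                  # the key must be 16 bytes, base64-encoded
        key = base64.b64decode(headers.get("sec-websocket-key", ""), validate=True)
    except ValueError:
        return False
    connection = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return (headers.get("upgrade", "").lower() == "websocket" and "upgrade" in connection
            and len(key) == 16 and headers.get("sec-websocket-version") == "13")

def classify(data: bytes) -> str:
    if is_tls_client_hello(data):
        return "tls"
    return "websocket" if is_websocket_handshake(data) else "other"

def decide(port: int, first_bytes: bytes) -> str:
    """Tunnel only when the payload is the protocol expected on that port."""
    return "tunnel" if EXPECTED.get(port) == classify(first_bytes) else "block"

# Constructed samples (not captured traffic).
TLS_HELLO = bytes.fromhex("160301002f0100002b0303")
WS_UPGRADE = (b"GET / HTTP/1.1\r\nHost: echo.websocket.org\r\nUpgrade: websocket\r\n"
              b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
              b"Sec-WebSocket-Version: 13\r\n\r\n")
NOT_TLS = b"SSH-2.0-example\r\n"
```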
