nate.hall
Level 9

How to Properly Authenticate MCP Traffic on MWG - Without SaaS Web Protection

I am setting up a standalone MWG and all of the traffic coming to this MWG will be redirected using the MCP. We are not using the SaaS at all for this MWG, and we are just strictly using MCP to redirect traffic.

We only want authenticated traffic to be allowed to use this MWG, so the first couple rules will be to authenticate the traffic. If you are authenticated, continue. If you aren't authenticated, you are blocked. I have the MWG added to the domain and I have the NTLM set up. If I change my IE settings to manually hit the proxy server (so I'm not using the MCP to redirect the traffic) it authenticates fine. If I remove that setting from IE, and I use MCP to redirect, it doesn't seem to authenticate properly.

In its simplest form, what's the best/proper way to set up the authentication rule for MCP traffic?

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: How to Properly Authenticate MCP Traffic on MWG - Without SaaS Web Protection

It's the shared key between MCP and MWG.

If the key used to encrypt the data doesn't match the key used to decrypt the data it will fail.

I talked about this here:

https://community.mcafee.com/docs/DOC-4996#Configuring_Web_Gateway

Best,

Jon

0 Kudos
7 Replies
McAfee Employee

Re: How to Properly Authenticate MCP Traffic on MWG - Without SaaS Web Protection

Hi Nate,

You should have a separate proxy port set up (which I believe you do), then beyond that what I describe here is all that would be required:

https://community.mcafee.com/docs/DOC-4384#McAfee_Client_Proxy_MCP

Best,

Jon

0 Kudos
nate.hall
Level 9

Re: How to Properly Authenticate MCP Traffic on MWG - Without SaaS Web Protection

Thanks Jon.

If I'm only using MCP do I need to set up a different port? I went through that document earlier and I set the proxy port to "Transparent common name handling for proxy style requests" but it still doesn't seem to be trying to authenticate.

0 Kudos
McAfee Employee

Re: How to Properly Authenticate MCP Traffic on MWG - Without SaaS Web Protection

If you have NTLM AND MCP configured, it could have strange behavior. Therefore I recommend the different ports as the guide talks about. Plus it never hurts to be able to compare MCP vs direct proxy using NTLM.

What behavior are you seeing? What do you see in a rule trace when using MCP through MWG? How are you determining it doesn't seem to be trying to authenticate?

MCP adds encrypted headers for the MWG to decrypt and get the user information. If MWG cannot decrypt those headers then there is a shared key issue, so you need to ensure that the key used by MCP and MWG is the same, otherwise authentication will fail.

Best,

Jon

0 Kudos
nate.hall
Level 9

Re: How to Properly Authenticate MCP Traffic on MWG - Without SaaS Web Protection

I have something set up incorrectly. So here's my port setup (9090 is the MCP port due to our firewalls):

Proxy Ports.jpg

My Policies are rather simplistic at this point (imported from your document):

Policy1.jpg

Policy2.jpg

Here is the rule trace:

Trace1.jpg

Trace2.jpg

I guess it's trying to authenticate, it's just not for some reason? I'm not sure what I should look at next.

0 Kudos
McAfee Employee

Re: How to Properly Authenticate MCP Traffic on MWG - Without SaaS Web Protection

It's the shared key between MCP and MWG.

If the key used to encrypt the data doesn't match the key used to decrypt the data it will fail.

I talked about this here:

https://community.mcafee.com/docs/DOC-4996#Configuring_Web_Gateway

Best,

Jon

0 Kudos
nate.hall
Level 9

Re: How to Properly Authenticate MCP Traffic on MWG - Without SaaS Web Protection

Thanks Jon, but I already entered my Customer ID and Shared Password. The only caveat is that I don't remember the shared password so I simply exported the EPO XML and opened that file in notepad to extract the password. Is that the correct password or is it encrypted?

Message was edited by: nate.hall on 3/13/14 1:39:22 PM EDT
0 Kudos
McAfee Employee

Re: How to Properly Authenticate MCP Traffic on MWG - Without SaaS Web Protection

It's encrypted, you'll need to work with the SaaS team to reset it, then deploy it to all the MCP clients again...

Best,

Jon

0 Kudos