dkalmaz
Level 7

How to encrypt all communication between client and MWG

How to encrypt communication between client and MWG?

We can see the clear credentials of the client when authenticating and also see cookies.

0 Kudos
8 Replies
georgec
Level 13

Re: How to encrypt all communication between client and MWG

If you're using the MWG for mobile users, try using the McAfee Client Proxy software. I believe it uses encryption for at least authentication.

0 Kudos
McAfee Employee

Re: How to encrypt all communication between client and MWG

George is correct, MCP encrypts the credentials.

dkalmaz, how are you currently deployed and with what type of authentication? At the moment there isn't a way to encrypt all communication between the client and the MWG.

Best,

Jon

0 Kudos
dkalmaz
Level 7

Re: How to encrypt all communication between client and MWG

We don't want to use any other client because there are lots of applications on our clients' laptops.

We are using PAC settings in our clients' browsers, so clients can access internal and external MWGs when they are inside or outside the company.

Inside we use NTLM and there is no problem at all.

We want to use Radius-OTP in this external access scenario, and we can see the username and the user's OTP in clear format. Also, after authentication we can see the cookies and can use these cookies for bypassing the authentication.

So we need encryption for all traffic, or at least want the authentication columns to be encoded like NTLM base64 encoding.

0 Kudos
McAfee Employee

Re: How to encrypt all communication between client and MWG

Thank you for that information, so your focus is on the outside clients.

How are you authenticating the external users (what ruleset)? If it's the authentication server, then we can do that. But we can't do anything about the cookies if the connection is HTTP. Are you using the MWG in a reverse proxy scenario for external users?

Best,

Jon

0 Kudos
dkalmaz
Level 7

Re: How to encrypt all communication between client and MWG

Normal proxy, not reverse proxy

Ruleset

authenticate and authorize

authenticate with radius

Engines

Authentication

Radius

rad.JPG

radius.JPG

Message was edited by: dkalmaz on 7/4/12 8:31:00 AM CDT
0 Kudos
McAfee Employee

Re: How to encrypt all communication between client and MWG

Got it.

At the moment, no, with Radius authentication in a direct proxy scenario it is not possible to encrypt the Proxy-Authorization header (I believe you were referring to it as the 'cookie'). The credentials are simply base64 encoded. Is there a reason you are not using NTLM instead?

The only possibility I could see is setting up a time-based session for the external user, rather than using direct proxy authentication.

This would require modification to the rules and PAC file. In the end this would mean MWG stores who the user is (in an internal database), rather than the user authenticating for every new connection (and sending the credentials each time).

This would be kind of a big change.

~jon

0 Kudos
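The point made in the reply above, as an added example that is not part of the original posts and not McAfee code: a check a defender can run over a captured cleartext request to confirm that a Basic `Proxy-Authorization` header is only base64-encoded. The sample request, user name and OTP value are constructed; other schemes are reported but not decoded.

```python
import base64
import binascii

# Constructed sample: a cleartext HTTP request sent to an explicit proxy,
# as it would appear in a packet capture. The credentials are made up.
SAMPLE_REQUEST = (
    b"GET http://example.com/ HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:483920") + b"\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"\r\n"
)

def audit_proxy_auth(raw_request: bytes) -> list[dict]:
    """Return one finding per Proxy-Authorization header in a raw HTTP request."""
    findings = []
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        finding = {"scheme": scheme.decode("ascii", "replace"),
                   "recoverable": False, "user": None, "secret_length": None}
        if scheme.lower() == b"basic":
            try:
                # Basic is base64("user:secret"); no key is involved.
                decoded = base64.b64decode(token.strip(), validate=True)
            except (binascii.Error, ValueError):
                finding["scheme"] += " (malformed)"
            else:
                user, _, secret = decoded.partition(b":")
                finding.update(recoverable=True,
                               user=user.decode("utf-8", "replace"),
                               secret_length=len(secret))  # never log the secret
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in audit_proxy_auth(SAMPLE_REQUEST):
        print(f)
```

A finding with `recoverable` set to true means anyone on the network path between client and proxy can read the user name and OTP from the capture.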
McAfee Employee

Re: How to encrypt all communication between client and MWG

I just now see your screenshots and I see that "cookie auth" is included.

So this may not be a big change for your configuration.

If you open a case with support, I can take it over, just let me know the SR # and submit a feedback (Troubleshooting > Feedback). DO NOT POST THE FEEDBACK HERE.

We can then post the results here if you like.

~jon

0 Kudos
dkalmaz
Level 7

Re: How to encrypt all communication between client and MWG

We can also see the credentials in clear format when analyzing tcpdump.

SR already opened 3-2266945391

Thanks for your support

0 Kudos