How to encrypt communication between client and MWG?
We can see the clear credentials of the client when authenticating and also see cookies.
If you're using the MWG for mobile users, try using the McAfee Client Proxy software. I believe it uses encryption for at least authentication.
George is correct, MCP encrypts the credentials.
dkalmaz, how are you currently deployed and with what type of authentication? At the moment there isn't a way to encrypt all communication between the client and the MWG.
We don't want to use any other client because there are lots of applications on our clients' laptops.
We are using PAC settings in our clients' browsers, so clients can access internal and external MWGs when they are inside or outside the company.
Inside we use NTLM and have no problem at all.
We want to use RADIUS OTP in this external access scenario, and we can see the username and the user's OTP in clear format; also, after authentication we can see the cookies and can use these cookies for bypassing the authentication.
So we need encryption for all traffic, or at least we want the authentication fields to be encoded like NTLM's base64 encoding.
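Added illustration (not part of the thread or of any McAfee software): what the two kinds of Proxy-Authorization header look like on the wire once the base64 is stripped. The requests, username and OTP below are constructed sample data. A Basic header decodes straight back to `user:secret`, which is the clear-text OTP the poster observed; an NTLM header decodes to an NTLMSSP message that does not carry the password at all, only negotiation data and, in the final message, a challenge response, which is why NTLM does not expose the secret the same way even though base64 is not encryption in either case.

```python
import base64
import struct

# Constructed sample requests (not captures from the thread).
# 1. Direct-proxy request with RADIUS/OTP credentials sent as Basic.
BASIC_REQUEST = (
    b"GET http://intranet.example.test/ HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"dkalmaz:482913") + b"\r\n"
    b"\r\n"
)

# 2. The same request carrying an NTLM Type 1 (negotiate) token, as the
#    internal clients would send it. Field layout: 8-byte "NTLMSSP\0"
#    signature, message type, negotiate flags, then two (len, maxlen, offset)
#    descriptors for the domain and workstation names (both empty here).
NTLM_TYPE1 = (
    b"NTLMSSP\x00"
    + struct.pack("<I", 1)            # message type 1 = negotiate
    + struct.pack("<I", 0xE2088297)   # negotiate flags (constructed value)
    + struct.pack("<HHI", 0, 0, 32)   # domain name descriptor
    + struct.pack("<HHI", 0, 0, 32)   # workstation descriptor
)
NTLM_REQUEST = (
    b"GET http://intranet.example.test/ HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Proxy-Authorization: NTLM " + base64.b64encode(NTLM_TYPE1) + b"\r\n"
    b"\r\n"
)


def proxy_auth_header(raw):
    """Return the value of the Proxy-Authorization header, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"proxy-authorization":
            return value.strip().decode("ascii")
    return None


def decode_proxy_auth(raw):
    """Decode the proxy credential the way a passive sniffer on the path would."""
    header = proxy_auth_header(raw)
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    blob = base64.b64decode(token)
    if scheme.lower() == "basic":
        # Basic: base64 of "user:secret"; the OTP is recoverable verbatim.
        user, _, secret = blob.decode("utf-8").partition(":")
        return {"scheme": "Basic", "user": user, "secret": secret}
    if scheme.lower() == "ntlm" and blob.startswith(b"NTLMSSP\x00"):
        # NTLM: base64 of an NTLMSSP message. No message type contains the
        # password; Type 3 carries a response to the server's challenge.
        msg_type = struct.unpack_from("<I", blob, 8)[0]
        return {"scheme": "NTLM", "message_type": msg_type, "length": len(blob)}
    return {"scheme": scheme, "length": len(blob)}


if __name__ == "__main__":
    print(decode_proxy_auth(BASIC_REQUEST))
    print(decode_proxy_auth(NTLM_REQUEST))
```

The point for the external-access scenario is that the `secret` field is exactly the one-time password, so anyone on the path gets the OTP for the duration of its validity; an NTLM challenge response can still be captured and attacked offline, but the password itself is not on the wire.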
Thank you for that information, so your focus is on the outside clients.
How are you authenticating the external users (what ruleset)? If it's the authentication server, then we can do that. But we can't do anything about the cookies if the connection is HTTP. Are you using the MWG in a reverse proxy scenario for external users?
Normal proxy, not reverse proxy.
authenticate and authorize
authenticate with radius
Message was edited by: dkalmaz on 7/4/12 8:31:00 AM CDT
At the moment, no, with Radius authentication in a direct proxy scenario it is not possible to encrypt the Proxy-Authorization header (I believe you were referring to it as the 'cookie'). The credentials are simply base64 encoded. Is there a reason you are not using NTLM instead?
The only possibility I could see is setting up a time-based session for the external user, rather than using direct proxy authentication.
This would require modification to the rules and PAC file. In the end this would mean MWG stores who the user is (in an internal database), rather than the user authenticating for every new connection (and sending the credentials each time).
This would be kind of a big change.
I just now see your screenshots and I see that "cookie auth" is included.
So this may not be a big change for your configuration.
If you open a case with support, I can take it over, just let me know the SR # and submit a feedback (Troubleshooting > Feedback). DO NOT POST THE FEEDBACK HERE.
We can then post the results here if you like.
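Added model (not MWG code and not from the thread) of the time-based session the reply above proposes: the user authenticates once with a RADIUS OTP, the proxy records who they are in its own table with an expiry, and later connections present only a random session cookie instead of re-sending the credentials. The OTP store, user, OTP value and one-hour lifetime are all constructed assumptions standing in for the RADIUS server and the real rule set. It also shows the caveat from earlier in the thread: over plain HTTP a captured cookie still works for the rest of its window.

```python
import hmac
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed lifetime, the thread does not give one

# Constructed stand-in for the RADIUS server: user -> OTPs not yet used.
OTP_STORE = {"dkalmaz": {"482913"}}


class SessionProxyAuth:
    """Authenticate once, then authorize by session cookie until it expires."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable for deterministic tests
        self.sessions = {}          # session id -> (user, expiry timestamp)

    def verify_otp(self, user, otp):
        """Accept an OTP exactly once (constant-time compare, then burn it)."""
        valid = OTP_STORE.get(user, set())
        for candidate in list(valid):
            if hmac.compare_digest(candidate, otp):
                valid.discard(candidate)
                return True
        return False

    def login(self, user, otp):
        """Credentials travel only here; on success return the cookie value."""
        if not self.verify_otp(user, otp):
            return None
        sid = secrets.token_urlsafe(32)           # unguessable session id
        self.sessions[sid] = (user, self.clock() + self.ttl)
        return sid

    def authorize(self, sid):
        """Map a presented cookie to a user, or None if unknown or expired."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() >= expiry:
            del self.sessions[sid]                # time-based session ended
            return None
        return user


if __name__ == "__main__":
    proxy = SessionProxyAuth()
    cookie = proxy.login("dkalmaz", "482913")
    print("session issued:", cookie is not None)
    print("second use of same OTP:", proxy.login("dkalmaz", "482913"))
    print("cookie maps to:", proxy.authorize(cookie))
```

The OTP is consumed on first use, so replaying the captured Basic header no longer works; what a sniffer can still replay is the cookie itself, and only the session lifetime (or moving the external path to HTTPS) bounds that exposure.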