agl99
Level 7

How to have Active Directory User/Group Restriction in McAfee Web Gateway 7.0

Hi,

We’ve newly deployed McAfee Web Gateway 7.0 in VMware to create and export rules so that we can deploy this version in our Appliance running with McAfee Web Gateway 6.8.6 build 6257 to reduce deployment/configuration downtime.

What we want to do is:

  • Group 1 (in Active Directory server) will have access to only certain web categories, i.e. “Finance / Banking” and “General News”
  • Group 2 will have access only to “Stock Trading”
  • Group 3 will have access to all categories but “Pornography / Nudity”
  • Remaining Active Directory users will have access only to “User defined category 1” and “User defined category 2”
  • IP-based access (no authentication required) for Guest Laptop users, who will have access to all sites but “Pornography / Nudity” and “Risk / Fraud / Crime”

Would you please guide us on how to do it in McAfee Web Gateway 7.0?

I’ve tried to migrate from McAfee Web Gateway 6.8 and have done the following, and need your help on the process:

  • Downloaded MWG7 listConverter Version 0.6.3.0
  • Downloaded backup from existing appliance (McAfee Web Gateway 6.8.6 build 6257)
  • When loading the backup file, got errors (attached)
  • Clicked continue
  • It’s been running for the last 1 hour

Is it okay to have the mentioned errors? How long should it take to extract my 2.95 MB backup file?

on 8/2/10 4:06:18 PM BDT

on 8/2/10 4:07:57 PM BDT
5 Replies
eelsasser
Level 15

Re: How to have Active Directory User/Group Restriction in McAfee Web Gateway 7.0

Can you send me the .backup file to my McAfee email?

I don't know why it wouldn't load unless there is something in the back that is unexpected.

I'll take a look at it.

erik_elsasser@mcafee.com

0 Kudos
eelsasser
Level 15

Re: How to have Active Directory User/Group Restriction in McAfee Web Gateway 7.0

There are many ways to do what you describe. Here is one of them:

Image1.jpg

On the ones that have both an allow and block, that is because you did not specify what you wanted to do with Uncategorized sites. I am assuming you want to allow anything not categorized for Guests and Group 3. By putting the Allow (not blocked really) it will prevent getting to the Block Everything at the bottom.

You also didn't specify if there is ever a case when a user might be in two groups. I assumed they would not be in this example. The rules would be different if you are members of multiple groups and you would have to decide which group took precedence.

Message was edited by: Erik Elsasser on 8/2/10 8:45:55 AM CDT
0 Kudos
agl99
Level 7

Re: How to have Active Directory User/Group Restriction in McAfee Web Gateway 7.0

Hi Erik,

Thanks for your reply and for helping me on this. I've sent you the backup file as requested. I feel I'm very close to what I need. I tried to create rules using your help. Would you please check the attached snapshots and let me know why it’s not working?

Here's the access.log entry:

[05/Aug/2010:05:36:06 -0600] "" 192.168.110.24 403 "GET http://www.google.com/ HTTP/1.1" "" - "" 0 "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4" "" "10"

Yes, there would be users in multiple Active Directory groups. I wanted to create simpler rules first.

0 Kudos
agl99
Level 7

Re: How to have Active Directory User/Group Restriction in McAfee Web Gateway 7.0

Hi Erik,

I was searching the community pages and this https://community.mcafee.com/message/135128 thread helped a lot.

My simple rule (earlier post) worked and I think I can create more rules mapped with other Active Directory groups. Please check attached snapshots to see how I did it.

I will try to add users in multiple AD groups and am waiting for your tips on this.

0 Kudos
ittech
Level 13

Re: How to have Active Directory User/Group Restriction in McAfee Web Gateway 7.0

I solved my problems with users in multiple AD groups in this fashion:

1.png

As you can see, I have a different filter for the "CIU" & "Admins" Groups and also the "Kiosk" user. These are followed by a filter for the "Domain Users" (which I called Default Deland Group). In order to keep users in the CIU & Admins groups from getting the Default DeLand Group's (the most strict policy) filter, I created a set of Criteria to be met in order for the Default Deland Group's filter to be applied.

1.png

So, basically the Domain Users (Default DeLand Policy) is applied as long as the user is in the Domain Users group, but not in the CIU or Admins groups and also not the Kiosk user.

Hope that helps

0 Kudos
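The first-match ordering and the "default group only if not in another group" criteria discussed in this thread can be checked offline with a small model. This is an added example, not part of any post above and not McAfee Web Gateway rule syntax; the guest IP range, the `Domain Users` mapping for "remaining users", and the function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

GUEST_NET = ip_network("192.168.200.0/24")  # constructed guest range (assumption)
NAMED = {"Group 1", "Group 2", "Group 3"}   # groups that have their own policy
PORN, FRAUD = "Pornography / Nudity", "Risk / Fraud / Crime"

def build_rules(exclusive_default=True):
    """Ordered (name, criteria, action) rules; criteria takes (groups, ip, category)."""
    def default(g, ip, c):
        # With exclusive_default, members of a named group never get the default policy.
        in_scope = "Domain Users" in g and (not exclusive_default or not g & NAMED)
        return in_scope and c in {"User defined category 1", "User defined category 2"}
    return [
        ("Guest block", lambda g, ip, c: ip in GUEST_NET and c in {PORN, FRAUD}, "block"),
        # The plain allow stops uncategorized sites from reaching Block Everything.
        ("Guest allow", lambda g, ip, c: ip in GUEST_NET, "allow"),
        ("Group 3 block", lambda g, ip, c: "Group 3" in g and c == PORN, "block"),
        ("Group 3 allow", lambda g, ip, c: "Group 3" in g, "allow"),
        ("Group 1 allow",
         lambda g, ip, c: "Group 1" in g and c in {"Finance / Banking", "General News"}, "allow"),
        ("Group 2 allow", lambda g, ip, c: "Group 2" in g and c == "Stock Trading", "allow"),
        ("Default allow", default, "allow"),
        ("Block Everything", lambda g, ip, c: True, "block"),
    ]

def decide(groups, src_ip, category, rules=None):
    """Return (rule_name, action) of the first rule whose criteria match.

    category=None models an uncategorized site.
    """
    groups, ip = set(groups), ip_address(src_ip)
    for name, criteria, action in rules or build_rules():
        if criteria(groups, ip, category):
            return name, action
    raise AssertionError("unreachable: the final rule matches everything")

if __name__ == "__main__":
    user = ({"Domain Users", "Group 1"}, "10.0.0.5")  # constructed user in two groups
    print(decide(*user, "User defined category 1"))                      # exclusion on
    print(decide(*user, "User defined category 1", build_rules(False)))  # exclusion off
    print(decide({"Group 3"}, "10.0.0.6", None))                         # uncategorized site
```

Without the exclusion criteria, a Group 1 member who is also in Domain Users picks up the default policy's categories on top of Group 1's, which is the leak the criteria in the last reply prevent.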