Good morning all;
I have one Forefront TMG 2010 server and one McAfee Web Gateway 7.2 appliance working together.
On TMG, I have installed the McAfee Web chaining plugin to forward authentication information to Web Gateway, like X-Authenticated-User and X-Authenticated-Groups.
On Web Gateway, I check whether the header has X-Authenticated-Groups information with Header.Request.Exists(X-Authenticated-Groups).
The problem is that I need to filter the group information to authorize only a group like "IT GROUP" to access some sites like "community.mcafee.com, developpez.com, ...".
1 - How do I compare the group information sent to Web Gateway by TMG with the group name I want to match?
Note: Web Gateway is not joined to the domain, but TMG is joined to the domain and the groups it sends to Web Gateway are picked from the domain controller.
2 - The internet connection is very slow when traffic transits TMG -- McAfee Web Gateway -- Internet. How can I optimize internet connectivity to get the best result when loading a web site page?
Thank you for your feedback
TMG will send you the username and group memberships in the two X- headers you named, so there is no need for MWG to talk to the domain controller. You should have a quick look at what the X-Authenticated-Groups header value looks like (or maybe someone else can share this information). It is a Base64-encoded string; after decoding it should look like:
Domain Users, Administrators, IT GROUP, ...
so the group membership is a string containing the groups, and the groups are comma-separated.
Once you understand how the decoded string looks, you can manually perform authentication on MWG by setting the properties accordingly. Use an Event -> Set Property Value to do so.
You can use user-defined properties to make the process more readable, as follows:
User-Defined.Username = Header.Request.Get("X-Authenticated-User") # Property now contains the Base64-encoded value from the X-Authenticated-User header
User-Defined.Username = String.Base64Decode(User-Defined.Username) # Property now contains the decoded value, which is the username in plain text
Authentication.Username = User-Defined.Username # Write the username from your user-defined property to the "real" property MWG uses
For the group memberships this is a little more complicated:
User-Defined.Groups = Header.Request.Get("X-Authenticated-Groups") # Property now contains the Base64-encoded value from the X-Authenticated-Groups header
User-Defined.Groups = String.Base64Decode(User-Defined.Groups) # Decode the Base64 string; property now contains groups like "group A, group B, group C"
Authentication.Groups = String.ToStringList(User-Defined.Groups, ', ', '') # Turn the string into a list of strings and write it to the "real" property MWG uses
And finally tell MWG authentication has happened:
Authentication.IsAuthenticated = true
Once this is performed MWG will act as if "real" authentication had happened. You will see usernames in the logs and so on. To make a decision as described above you can use "Authentication.Groups contains"... and match against "IT GROUP" or whatever group you like. There should be tons of examples in the community on how to allow/block a URL based on group memberships.
Good morning Andre, and thank you for your answer.
I did as you described and am now stuck comparing the group list value picked from the X-header with my defined group list.
I noticed that the group list taken from the X-header is formatted as a column, like this:
TESTLAB/Group Policy Creator Owners
But the list I define as a string list is formatted as a line, like this:
TESTLAB/Domain Users, BUILTIN/Users, .......
Please can you help me convert the X-header groups from column format into line format, to be able to apply my policy to a specific group.
I tried some functions like String.ToStringList but no change.
Can you send me an example X-Authenticated-Groups header? Please provide the header exactly as it arrives at MWG, including Base64 encoding etc.
You could do a packet capture to obtain the header or add a block rule on MWG which prints the header. Then I can try to get the right rules together.
I believe the rule set 'ISA Chaining' found in the Authentication section of the rule set library accounts for this. Go ahead and import it by going to Policy > Rule Sets > Add > Top Level rule set > import rule set from rule set library. It uses 'String.LF' as the group delimiter rather than ',' and also strips off the 'WinNT://' prefix.
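To make the two delimiter variants discussed in this thread concrete (the comma-separated list in Andre's answer, and the LF-separated, 'WinNT://'-prefixed list the ISA Chaining rule set handles), here is a small Python parser that decodes an X-Authenticated-Groups value and makes the allow/block decision for a restricted site. This is an added example written for this page; it is not part of the thread, not McAfee's rule set, and not MWG rule syntax. The sample header values, the host list and the group name "TESTLAB/IT GROUP" are constructed for the example, not captured from a real TMG.

```python
import base64
import binascii
from typing import List, Optional

# Constructed sample values, NOT captured from a real TMG/ISA server.
# Comma-separated form, as described in the answer above:
SAMPLE_COMMA = base64.b64encode(
    b"TESTLAB/Domain Users, BUILTIN/Users, TESTLAB/IT GROUP"
).decode("ascii")
# LF-separated form with the WinNT:// prefix the ISA Chaining rule set strips:
SAMPLE_LF = base64.b64encode(
    b"WinNT://TESTLAB/Domain Users\nWinNT://BUILTIN/Users\nWinNT://TESTLAB/IT GROUP\n"
).decode("ascii")

WINNT_PREFIX = "winnt://"


def decode_groups(header_value: str) -> List[str]:
    """Base64-decode an X-Authenticated-Groups value and return a clean group list.

    Both comma- and LF-delimited lists are accepted, since the thread reports
    both. Each entry is whitespace-trimmed and any leading 'WinNT://' is
    removed. A value that is not valid Base64 yields an empty list, so the
    caller fails closed rather than treating garbage as a group name.
    """
    try:
        raw = base64.b64decode(header_value, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return []
    # Normalise delimiters to a single newline, then split.
    parts = raw.replace("\r\n", "\n").replace(",", "\n").split("\n")
    groups = []
    for part in parts:
        group = part.strip()
        if group.lower().startswith(WINNT_PREFIX):
            group = group[len(WINNT_PREFIX):]
        if group:
            groups.append(group)
    return groups


def is_member(header_value: str, wanted_group: str) -> bool:
    """True if wanted_group appears in the decoded list (case-insensitive,
    as Windows group names are)."""
    return wanted_group.casefold() in {g.casefold() for g in decode_groups(header_value)}


def decide(header_value: Optional[str], host: str,
           restricted_hosts: List[str], required_group: str) -> str:
    """Return 'allow' or 'block' for a request to `host`.

    Hosts outside the restricted list are allowed for everyone. For a
    restricted host, a missing or undecodable header means the user is
    unauthenticated from MWG's point of view and is blocked.
    """
    if host.lower() not in {h.lower() for h in restricted_hosts}:
        return "allow"
    if header_value is None:
        return "block"
    return "allow" if is_member(header_value, required_group) else "block"


if __name__ == "__main__":
    restricted = ["community.mcafee.com", "developpez.com"]
    for label, value in (("comma", SAMPLE_COMMA), ("LF", SAMPLE_LF), ("missing", None)):
        print(label, decide(value, "community.mcafee.com", restricted, "TESTLAB/IT GROUP"))
```

Two practical notes. First, a comma delimiter is ambiguous if a group name itself contains a comma, which is one reason the LF form is easier to split reliably; the parser above accepts both only because the thread reports both. Second, the decision trusts whatever is in the header, so it is only sound if MWG accepts X-Authenticated-* headers from the TMG address and not from clients that can reach MWG directly, which is what the "downstream proxy" condition in the rule set is for.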
Andre, I have set up my rule set like "get header from downstream proxy". Next, I set up a rule with the criteria: Header.Request.Get(X-Authenticated-Groups) exists - TRUE.
In Event: Authentication.UserGroups = String.ToStringList(String.Base64Decode(Header.Request.Get("X-Authenticated-Groups")), ",", "").
If I replace "," with "String.LF", can I get a better formatted group list, to be able to compare with my defined string list?
I tried with String.LF and everything works fine. But some groups are not visible in Web Gateway. What can I do to see all of them for a user in Web Gateway? What type of group can I use to do it?
thank you again for your feedback.
All groups that are part of the header should be available for mapping. So the question is now where the problem is:
1.) Copy the header from the ISA server and base64 decode it manually. Is the desired group available here?
2.) If the group is available in the header you should check the list you have created from the header. Just create a block page and use List.OfString.ToString to print the list to a web page in plaintext. Is the desired group there?
3.) If 1 and 2 are true (so the group is in the list) the rule you use for mapping does not work... in this case most likely there is something wrong with wildcards or similar. Rule engine tracing could help you to find out why your rule does not match.
All the groups are not in the ISA server (the desired group); only Domain Users, BUILTIN/Users and SophosUser, not my defined group. But these users are in this group.