cancel
Showing results for 
Search instead for 
Did you mean: 
kbolt
Level 10
Report Inappropriate Content
Message 1 of 8

MCP - Can I redirect traffic only when users are at work?

Hello all, quick question. My current McAfee Client Proxy policy has the following traffic redirection setting:

MCP_Traffic_Redirection.JPG

Now based on the wording of the options, it seems my choices are either

1. Have MCP agent try to send traffic to the proxy ONLY when users are not at work, OR

2. Have MCP agent try to send traffic to the proxy ALL of the time (when users are at work AND when users are offsite)

These two options leave me wondering if there's anyway I can only have traffic forwarded when users are onsite. MWG is primarily to meter user's bandwidth usage so while users are at home with their laptops, I'd not want to police that (not just yet anyway). Is there any way I can achieve onsite only traffic redirection? (I'm also asking because I've seen where a user's laptop always tries to make TCP connections to proxy and so sometimes causes issues.)

7 Replies
Highlighted
McAfee Employee smasnizk
McAfee Employee
Report Inappropriate Content
Message 2 of 8

Re: MCP - Can I redirect traffic only when users are at work?

You can use the first option and setup as example google.com on port 80. When it's reachable the MCP wont redirect traffic. What means when user is at home the traffic is not redirected.

Requirement: direct access to google.com:80 should be blocked in your office. (you can use any other services on the internet)

-Sergej

kbolt
Level 10
Report Inappropriate Content
Message 3 of 8

Re: MCP - Can I redirect traffic only when users are at work?

This is a good idea. I'm going to try it out with the public IP addresses of some of our hosted sites. Those are completely blocked from inside (inside uses the private address) but available form outside. I think trying to actually load the HTTPS page via its IP address will fail so I hope MCP agent just needs the IP address to do a basic response.

Reliable Contributor Troja
Reliable Contributor
Report Inappropriate Content
Message 4 of 8

Re: MCP - Can I redirect traffic only when users are at work?

Hm,

you may can do this with time based rules in the Firewall?

So, if MCP is not able to connet to a Proxy it will disable itself automatically. Maybe time based rules will really help.

Cheers

McAfee Employee jscholte
McAfee Employee
Report Inappropriate Content
Message 5 of 8

Re: MCP - Can I redirect traffic only when users are at work?

Always redirect means that MCP will redirect always assuming the proxy is reachable.

If you put in a hostname like proxy.kbolt.com, then they will likely not be able to reach that DNS name from home (unless you have it on public DNS).

So I'd suggest configuring it with Always Redirect and just specify the proxy hostname. I suggest hostname because failure to resolve in DNS is quick, where as failure to connect to an IP (SYN SYN SYN) is a bit slower.

Best Regards,

Jon

kbolt
Level 10
Report Inappropriate Content
Message 6 of 8

Re: MCP - Can I redirect traffic only when users are at work?

So if a PC is off of the corporate network, the MCPservice.exe will be unable to contact the proxy server (e.g. proxy.kbolt.com) and will then allow all traffic to flow as normal, sans proxy. This is what I initially thought would happen with MCP, and based on some TCP dumps I captured with a laptop on and then off the corporate network it does seem to be the case. However, I've found the odd one or two exceptions where the attempt to connect to the proxy seems to take a long time before failing. I'll consider your suggestion of using the proxy's hostname and push that to a test group. Thank you for the feedback.

McAfee Employee jscholte
McAfee Employee
Report Inappropriate Content
Message 7 of 8

Re: MCP - Can I redirect traffic only when users are at work?

In the off-network tcpdumps, did you just see SYN SYN SYN (a connection attempt, but it failed) or did you see the three way handshake? If you saw the handshake, then some network device must be taking the handshake (like a captive portal).

Using the DNS name should fail faster than using an IP as mentioned above because only your corp network should resolve proxy.kbolt.com (I'd guess).

Reliable Contributor Troja
Reliable Contributor
Report Inappropriate Content
Message 8 of 8

Re: MCP - Can I redirect traffic only when users are at work?

Just some other questions.

  • Which version of MCP you are unsing?
  • Which proxy port are you using?
  • Any other McAfee security products installed on your endpoint?

If you are using SaaS proxies (maybe) take a look at https://trust.mcafee.com.

SANS Proxy -> do you mean the McAfee SaaS proxies?

We are using MCP at several customers. I saw your problem with slow proxy selection with older MCP versions and many proxy entries in the policy. But this is also fixed with newer versions. So, your problem looks unusual.

Our latest tests are showing, MCP is really disabling itself automatically if no configured proxy system is available. Also, if the user enters a proxy in the browser settings, MCP disables itself automatically and absolutely fast.

Just another question. Are you using Interface Bonding with your internal McAfee Proxy systems?

Cheers

McAfee ePO Support Center Plug-in
Check out the new McAfee ePO Support Center. Simply access the ePO Software Manager and follow the instructions in the Product Guide for the most commonly used utilities, top known issues announcements, search the knowledgebase for product documentation, and server status and statistics – all from within ePO.