cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Former Member
Not applicable
Report Inappropriate Content
Message 1 of 8

MCP - Can I redirect traffic only when users are at work?

Hello all, quick question. My current McAfee Client Proxy policy has the following traffic redirection setting:

MCP_Traffic_Redirection.JPG

Now based on the wording of the options, it seems my choices are either

1. Have MCP agent try to send traffic to the proxy ONLY when users are not at work, OR

2. Have MCP agent try to send traffic to the proxy ALL of the time (when users are at work AND when users are offsite)

These two options leave me wondering if there's anyway I can only have traffic forwarded when users are onsite. MWG is primarily to meter user's bandwidth usage so while users are at home with their laptops, I'd not want to police that (not just yet anyway). Is there any way I can achieve onsite only traffic redirection? (I'm also asking because I've seen where a user's laptop always tries to make TCP connections to proxy and so sometimes causes issues.)

7 Replies
smasnizk
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 8

Re: MCP - Can I redirect traffic only when users are at work?

You can use the first option and setup as example google.com on port 80. When it's reachable the MCP wont redirect traffic. What means when user is at home the traffic is not redirected.

Requirement: direct access to google.com:80 should be blocked in your office. (you can use any other services on the internet)

-Sergej

Best Regards,
Sergej


If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
Former Member
Not applicable
Report Inappropriate Content
Message 3 of 8

Re: MCP - Can I redirect traffic only when users are at work?

This is a good idea. I'm going to try it out with the public IP addresses of some of our hosted sites. Those are completely blocked from inside (inside uses the private address) but available form outside. I think trying to actually load the HTTPS page via its IP address will fail so I hope MCP agent just needs the IP address to do a basic response.

Troja
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 8

Re: MCP - Can I redirect traffic only when users are at work?

Hm,

you may can do this with time based rules in the Firewall?

So, if MCP is not able to connet to a Proxy it will disable itself automatically. Maybe time based rules will really help.

Cheers

Former Member
Not applicable
Report Inappropriate Content
Message 5 of 8

Re: MCP - Can I redirect traffic only when users are at work?

Always redirect means that MCP will redirect always assuming the proxy is reachable.

If you put in a hostname like proxy.kbolt.com, then they will likely not be able to reach that DNS name from home (unless you have it on public DNS).

So I'd suggest configuring it with Always Redirect and just specify the proxy hostname. I suggest hostname because failure to resolve in DNS is quick, where as failure to connect to an IP (SYN SYN SYN) is a bit slower.

Best Regards,

Jon

Former Member
Not applicable
Report Inappropriate Content
Message 6 of 8

Re: MCP - Can I redirect traffic only when users are at work?

So if a PC is off of the corporate network, the MCPservice.exe will be unable to contact the proxy server (e.g. proxy.kbolt.com) and will then allow all traffic to flow as normal, sans proxy. This is what I initially thought would happen with MCP, and based on some TCP dumps I captured with a laptop on and then off the corporate network it does seem to be the case. However, I've found the odd one or two exceptions where the attempt to connect to the proxy seems to take a long time before failing. I'll consider your suggestion of using the proxy's hostname and push that to a test group. Thank you for the feedback.

Former Member
Not applicable
Report Inappropriate Content
Message 7 of 8

Re: MCP - Can I redirect traffic only when users are at work?

In the off-network tcpdumps, did you just see SYN SYN SYN (a connection attempt, but it failed) or did you see the three way handshake? If you saw the handshake, then some network device must be taking the handshake (like a captive portal).

Using the DNS name should fail faster than using an IP as mentioned above because only your corp network should resolve proxy.kbolt.com (I'd guess).

Troja
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 8 of 8

Re: MCP - Can I redirect traffic only when users are at work?

Just some other questions.

  • Which version of MCP you are unsing?
  • Which proxy port are you using?
  • Any other McAfee security products installed on your endpoint?

If you are using SaaS proxies (maybe) take a look at https://trust.mcafee.com.

SANS Proxy -> do you mean the McAfee SaaS proxies?

We are using MCP at several customers. I saw your problem with slow proxy selection with older MCP versions and many proxy entries in the policy. But this is also fixed with newer versions. So, your problem looks unusual.

Our latest tests are showing, MCP is really disabling itself automatically if no configured proxy system is available. Also, if the user enters a proxy in the browser settings, MCP disables itself automatically and absolutely fast.

Just another question. Are you using Interface Bonding with your internal McAfee Proxy systems?

Cheers

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community