RayP

MWG 7.1.6.1.0 SSL Scanner with a criteria for just 1 user

Hi,

We're using the McAfee Web Gateway version 7.1.6.1.0

I want to add a criterion to the SSL Scanner ruleset.

The SSL Scanner must only be activated for 1 user. This is for testing some financial SSL applications.

I've enabled the SSL Scanner with this criterion:

Apply this rule set: If the following criteria is matched:

Property: Authentication.UserName

Operator: equals

Operand: <testuser>

Where <testuser> is the name of the user that's testing the SSL financial applications.

The <testuser> is correctly displayed within the access.log

For the other 2000+ users SSL Scanning must not be enabled.

If I log on with the <testuser>, SSL Scanning isn't enabled... I still see the original certificate instead of the McAfee certificate.

Regards,

Ray

Message was edited by: RayP on 4/12/12 3:09:36 AM CDT

Message was edited by: RayP on 4/12/12 3:09:55 AM CDT

Accepted Solutions
asabban

Hi Ray,

ah I see. Client IP would be bad in this case :-)

I do not expect that anything bad happens with moving the ruleset, because it is basically restricted to that single user. However usually SSL Scanner is called as the very first thing, so I am not sure if any of the other rules interfere with the SSL Scanner rule set.

I believe this one user is a "test user", so we shouldn't cause any problems with that change.

Let me know how it goes.

Best,

Andre

8 Replies
asabban

Hi Ray,

In a default policy, SSL Scanner is usually the very first rule set. This means it is called before authentication is performed; in this case the username is not filled correctly when the SSL Scanner rule set is called. Do you have authentication placed on top of SSL Scanning?

Best,

Andre

RayP

Hi Andre,

You're right. Authentication is below the SSL Scanner.

This is the ruleset:

1 Global Whitelist
2 SSL Scanner
3 Remove Headers
4 Common Rules
5 Enable Opener
6 Authenticate and Authorize
7 URL Filtering
8 Media Type Filtering
9 Gateway Anti-Malware

What is the best solution with minimum impact for end-users?

Moving "SSL Scanner" down below the "Authentication and Authorize"?

Regards,

Ray
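
The ordering problem discussed in this thread, as an added example that is not part of the original posts and is not McAfee Web Gateway code: a simplified model of top-down rule set processing that flags a rule set whose criteria read a property no earlier rule set has filled. The dictionary layout and the functions `build`, `lint_order` and `move_below` are hypothetical; the rule set names and `Authentication.UserName` come from the thread, and the model assumes that "Authenticate and Authorize" is what fills the user name.

```python
# Simplified model of top-down rule set processing. Constructed for
# illustration; this is not McAfee Web Gateway's policy format or API.

# Per the thread, the client IP is known before any rule set runs.
ALWAYS_AVAILABLE = {"Client IP"}

# Rule set order as posted in the thread.
ORIGINAL_ORDER = [
    "Global Whitelist", "SSL Scanner", "Remove Headers", "Common Rules",
    "Enable Opener", "Authenticate and Authorize", "URL Filtering",
    "Media Type Filtering", "Gateway Anti-Malware",
]

def build(order, ssl_criteria):
    """Attach criteria to SSL Scanner and mark which rule set fills the user name."""
    policy = []
    for name in order:
        rule_set = {"name": name, "criteria": [], "fills": []}
        if name == "SSL Scanner":
            rule_set["criteria"] = list(ssl_criteria)
        if name == "Authenticate and Authorize":  # assumption of this model
            rule_set["fills"] = ["Authentication.UserName"]
        policy.append(rule_set)
    return policy

def lint_order(policy):
    """Return (position, rule set, property) for each criteria property that
    no earlier rule set has filled when the rule set is evaluated."""
    available = set(ALWAYS_AVAILABLE)
    findings = []
    for pos, rule_set in enumerate(policy, start=1):
        for prop in rule_set["criteria"]:
            if prop not in available:
                findings.append((pos, rule_set["name"], prop))
        available.update(rule_set["fills"])
    return findings

def move_below(order, name, anchor):
    """Return a copy of order with `name` placed directly after `anchor`."""
    rest = [n for n in order if n != name]
    i = rest.index(anchor) + 1
    return rest[:i] + [name] + rest[i:]

if __name__ == "__main__":
    by_user = ["Authentication.UserName"]
    print(lint_order(build(ORIGINAL_ORDER, by_user)))
    print(lint_order(build(ORIGINAL_ORDER, ["Client IP"])))
    fixed = move_below(ORIGINAL_ORDER, "SSL Scanner", "Authenticate and Authorize")
    print(fixed.index("SSL Scanner") + 1, lint_order(build(fixed, by_user)))
```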

asabban

Hi Ray,

Since this seems to be for testing purposes for one user only, do you think it is possible to enable SSL Scanner by this user's Client IP? The Client IP is always available, and there won't be any requirement to touch the order of the rule sets (which for me means the lowest possible impact).

If this is not a change I would move the SSL Scanner ruleset below authentication and see how that works.

Best,

Andre

RayP

Hi Andre,

Client IP is not an option. All users are working on a Citrix Farm.

When I use Client IP, more users are involved.

I'll try to move the ruleset below the authentication ruleset.

Thanks.


Regards,

Ray

Troja

Hi RayP,

We installed SSL Scanner and Authentication in a big environment with about 15000 users. The policy design is -> first authenticating and then assigning the right rules based on user names or user groups. There are several different authentication authorities used.

This works fine without any trouble. Take a look at the screenshot.

I tested the ruleset with user name "equals" or "does not equal" my username. Both variants worked fine in my environment.

Note, for testing, just wait a little bit between the tests or use different browsers, because you have to establish a completely new session to activate the new settings for your username.

Cheers, Thorsten

Message was edited by: Troja on 12.04.12 12:00:57 CEST

Message was edited by: Troja on 12.04.12 12:03:20 CEST
RayP

Hi Troja,

thx for your information.

It works...

Regards,
Ray

RayP

Hi Andre,

I moved the SSL Scanner below the Authenticate and Authorize.

Just tested it and it works great... SSL is now only available for just 1 user within a Citrix Farm.

Thnx.

Regards,

Ray
