cancel
Showing results for 
Search instead for 
Did you mean: 
jspanitz
Level 7

MWG 7.1.6

Attempting to cut over from MWG 6.9 to MWG 7.1.6.  Running into a few issues.  BTW, we started with the Default template.

We have our MWG 6.9 setup using explicit proxy and WCCP.  Explicit proxy is authenticated against NTLM, transparently for Windows users and via a prompt for OSX users.   WCCP is set up to catch the users and devices that do not or can not have the explicit proxy set.  Explicit users are mapped to rules based on AD groups.  WCCP users are given a single restrictive group.

We implemented the "Web Mapping" rulsets as outlined here - https://community.mcafee.com/docs/DOC-2210.  So far so good.

But how to allow the proxy users that are not in a group (by default our lowest level users are not in a specific AD group but get mapped to a basic access mapping and how to allow unauthenticated WCCP users?

Also, what is the point / functionality of the Global Whitelist, as it doesn't appear to do anything by itself and is not referenced in any of the URL Filter rules / rulesets.

John

0 Kudos
2 Replies
eelsasser
Level 15

Re: MWG 7.1.6

One thing you probably are wondering is how to authenticate only explicit proxy users and not WCCP users.

Set up two listening proxy ports.

9090 for explicit and 8080 for WCCP. (or the other way around)

Then on the authentication rules, put a condition on the Rule Set for Proxy.Port equals 9090. Then only 9090 users will get authenticated.

If we use Jon's web-mapping method you describe, everyone will have a "default" policy unless they are explicitly in some other group that the mapping changes to. This includes Un-authenticated users (WCCP) because the User-defined.Policy variable has an initial value of "default" unless it gets changed.

A Global Whitelist does a Stop Cycle to let it all go through to that site, no matter what. If you don't have it in your default rule set, it's just a list of client IP addresses or URL.Host list that goes through.

This is similar to the ICAP bypass of 6.x.

Global Whitelist
[Ruleset to bypass filtering.]
Disabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Always
EnabledRuleActionEventsComments
EnabledClient IP Is in List Allowed Clients
1: Client.IP is in list Allowed Clients
Stop CycleIf IP is in given list, filtering will be bypassed.
EnabledURL Host Matches in List Global Whitelist
1: URL.Host matches in list Global Whitelist
Stop CycleIf URL is in given list, filtering will be bypassed.

Message was edited by: eelsasser
typos on 1/6/12 5:00:54 PM EST
0 Kudos
eelsasser
Level 15

Re: MWG 7.1.6

Hmmm, i have another idea too. You can put a rule at the beginning of the Authentication Rule Set that says:

Condition: Proxy.Port equals 8080 

Action: Stop Rule Set

Event: Set User-Defined.Policy="wccp"

Then the Policy variable will be "wccp" and you can have a different policy set other than "default".

0 Kudos