cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
eelsasser
McAfee Retired
McAfee Retired
Report Inappropriate Content
Message 1 of 5

MWG Coaching Page with Comments

I've had 2 different customers from 2 different countries in 2 days ask for the same thing, so i figured I'd post it here.

When you use a coaching page, have a Business Justification comments field that gets logged.

When the coaching page is displayed, there is an extra field:

capture.png

You must enter something or a JavaScript form validation warns you:

capture2.png

After a comment has been entered, it adds an entry to a Coaching.log:

[17/Jun/2013:15:21:59 +0000] "user1" 192.168.2.2 173.194.43.1 0 "GET http://www.youtube.com/ HTTP/1.1" "Streaming Media, Media Sharing" "Minimal Risk" "-" 0 0 "300" "I have to watch a training video."

The process involves a rule set for coaching:

Coaching with Comments
[This ruleset contains rules for coaching for urls, user and ip. This ruleset will not be exectued if SSL is disabled and a HTTPS request has been done.]
Enabled
Applies to Requests: True / Responses: False / Embedded Objects: False
1: SSL.ClientContext.IsApplied equals true
2: OR Command.Name does not equal "CONNECT"
Coaching With URL Configuration
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
1: URL.Categories<Default> at least one in list URL Category Blocklist for Coaching
2: OR Quota.Coaching.IsActivationRequest.Strict<URL Category Configuration> equals true
EnabledRuleActionEventsComments
EnabledRedirecting After Starting New Coaching Session
1: Quota.Coaching.IsActivationRequest equals true
Redirect<Redirection After Coaching Session Activation>Set Redirect.URL = String.Base64Decode(String.ReplaceAll(URL.GetParameter("Quota-URL"),"%3D","="))
Set User-Defined.Coaching.Business.Justification = String.Base64Decode(URL.GetParameter("comments"))
Set User-Defined.Coaching.Business.Justification = String.ReplaceAll(User-Defined.Coaching.Business.Justification,""","'")
Set User-Defined.Coaching.Business.Justification = String.ReplaceAll(User-Defined.Coaching.Business.Justification,String.CRLF,"|")
Set User-Defined.Coaching.Business.Justification = String.ReplaceAll(User-Defined.Coaching.Business.Justification,String.LF,"|")
Set User-Defined.Coaching.Business.Justification = String.ReplaceAll(User-Defined.Coaching.Business.Justification,"%20"," ")
Set User-Defined.notificationMessage =
     DateTime.ToWebReporterString +
     " "" +
     String.ReplaceIfEquals(Authentication.UserName,"","-") +
     "" " +
     String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
     " " +
     String.ReplaceIfEquals(IP.ToString(URL.Destination.IP),"","-") +
     " " +
     String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
     " "" +
     String.ReplaceIfEquals(Command.Name,"","GET") +
     " " +
     String.ReplaceIfEquals(String.Base64Decode(URL.GetParameter("Quota-URL")),"",URL) +
     " " +
     String.ReplaceIfEquals(Request.ProtocolAndVersion,"","HTTP/1.1") +
     "" "" +
     String.ReplaceIfEquals(List.OfCategory.ToString(URL.Categories<Default>),"","-") +
     "" "" +
     String.ReplaceIfEquals(URL.ReputationString<Default>,"","-") +
     "" "" +
     String.ReplaceIfEquals(MediaType.ToString(MediaType.FromHeader),"","-") +
     "" " +
     String.ReplaceIfEquals(Number.ToString(BytesToClient),"","-") +
     " " +
     String.ReplaceIfEquals(Number.ToString(BytesFromClient),"","-") +
     " "" +
     String.ReplaceIfEquals(Number.ToString(Block.ID),"","-") +
     "" "" +
     String.ReplaceIfEquals(User-Defined.Coaching.Business.Justification,"","-") +
     """
FileSystemLogging.WriteLogEntry(User-Defined.notificationMessage)<Coaching.log>
This rule redirects the user back to the requested url after the user started a new session by pushing the button in the HTML Session template.
EnabledCheck If Coaching Session Has Been Exceeded
1: Quota.Coaching.SessionExceeded<URL Category Configuration> equals true
Block<ActionCoachingBlockedWithComments>This rule shows a block html site for Coaching after the session for Coaching has been exceeded and one of the urls is in the url blocklist.

And a modifications to the ActionCoachingBlocked template:

capture4.png

Create a new template called ActionCoachingBlockedWithComments, copy the entire original HTML from the ActionCocahingBlocked page to it, and remove the previous <table> and <form> and replace with above.

The rules and partial template with the replacement html is attached.

4 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 5

Re: MWG Coaching Page with Comments

This is awesome, and exactly the type of rule I'm looking to implement in my organization.

I've started some initial testing with this rule, and have run into some issues when using Chrome.  When activating the session, I get the error below.6-26-2013 5-49-31 PM.jpg

I'm new to the coaching ruleset, but we do use redirection for for authentication so I'm not sure what causes this.  any insight?

Thanks

eelsasser
McAfee Retired
McAfee Retired
Report Inappropriate Content
Message 3 of 5

Re: MWG Coaching Page with Comments

I just tested this with

Google Chrome27.0.1453.116 (Official Build 206485) m

I do not see the same results. I works as i would expect.

Does the default ruleset for coaching work with chrome?

What is technically supposed to happen is when you submit, it is supposed to send a HTTP 302 redirect with a Location header of the original site. It also includes the html body you see as a message before the redirection is supposed to occur.

The redirection header should have something like this:

HTTP/1.1 302 redirected

Location: http://www.theoriginalsite.com/

Content-Type: text/html

Cache-Control: no-cache

Content-Length: 5846

Proxy-Connection: Keep-Alive

<html> body of the message you saw</html>

It sounds like the location header didn't come through properly or the browser is not honoring the redirect.

Take a wireshark of the client and see what the location header actually displays.

You can send it to my email instead of posting it because there could be sensitive info in it you may not want public.

erik_elsasser @ mcafee.com

Former Member
Not applicable
Report Inappropriate Content
Message 4 of 5

Re: MWG Coaching Page with Comments

I get errors sometimes with this and on IE 11 it just sits on the coaching page, never does the redirect. IE9 works fine, but IE11 no redirect. Chrome acts funny, I get either no redirect or an error. Any fix for this yet?

Re: MWG Coaching Page with Comments

Hi!

It looks like from version 10.2.9 on this rule set stops working. Does anyone have any idea on fixing that?
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community