cancel
Showing results for 
Search instead for 
Did you mean: 
jebotha
Level 9

McAfee Client Proxy not working

Hi

I am currently doing a POC at a customer involving Web Gateway 7.4.2.2.0, ePO 5.1.1 and MCP 1.2. The Web Gateway is located in the DMZ but as far as I am aware all ports are open. When I configure the Web Gateway as proxy in the browser, it works perfectly. When I use the MCP though, it tells me No Connectivity and No Redirection

My ePO policy is set to always redirect and the proxy configured in the policy is the same as the one I have configured in the browser. What is strange is in the MCP logs I get the following entry time and time again:

09/30/14 : 16:36:07:735 - [VERBOSE] CNetworkManager::getUrlWebPage -  Getting url

09/30/14 : 16:36:07:766 - [VERBOSE] CNetworkManager::getUrlWebPage -  Finished getting url

09/30/14 : 16:36:07:766 - [VERBOSE] CNetworkManager::checkCaptivePortalMethod2 -  Captive portal detected, or no original page

09/30/14 : 16:36:07:766 - [VERBOSE] CNetworkManager::checkCaptivePortalConnectivity -  Captive portal detected or connection failed

I have done packet captures on the client and a tcpdump on the Web Gateway and from that it is clear that traffic is reaching the Web Gateway from the client and it looks normal. Does anyone have any ideas?

Many thanks

0 Kudos
6 Replies
McAfee Employee

Re: McAfee Client Proxy not working

Hi!

That message means that MCP is detecting a "captive portal". This is the equivalent of what you would get when you visit a starbucks or a hotel, when you need to click the "I accept button" for internet to work.

MCP will stand down when it detects a captive portal because if it doesnt, you cant actually click the button to "Accept".

Do you have a support case open?

Best Regards,

Jon

0 Kudos
jebotha
Level 9

Re: McAfee Client Proxy not working

Hi Jon

Many thanks for the reply. Is there any configuration I can change to not check for a Captive Portal? As far as I know there is none. When you open the browser it shows an access denied page from the firewall.

No, I have not opened a support case

Many thanks

Jacques

0 Kudos
McAfee Employee

Re: McAfee Client Proxy not working

Hi Jacques,

The idea is that if a captive portal is detected, that MCP needs to stand down, but it shouldnt do that if MCP is set to always redirect.

This is MCP 1.2? This sounds like MCP 1.1 (there was a bug where it failed to stand up).

Please open a support case and include the capture you ran so I can take a look.

Best,

Jon

0 Kudos
abolshakov
Level 7

Re: McAfee Client Proxy not working

Hello everyone!

I have the same situation as jebotha described - MCP policy is configured to "always redirect" but MCP still detects captive portal. And I'm using version 1.2 (1.2.0.8 as McAfee Agent says). It can be either a bug (but I thought it was fixed in 1.1 patch 1) or a feature (but in this case I think developers should provide an option to disable captive portal detection).

As known, MCP tries to connect some website and get data that is known, and if it gets another data than respected MCP thinks that it's a captive portal (something like that). Using wireshark I found that MCP tries to connect to McAfee servers (I will not list them here - they can be different from yours, check your wireshark log) by HTTP GET and request for some resource (usually / or /us or /MCP.txt).

As a workaround, I just allowed traffic to these destinations by HTTP for all (i.e. unauthorized) users, and now everthing is fine.

P.S.: I hope this little newbie post will help someone. =) However, I'll be waiting McAfee to fix this problem.

P.P.S.: Sorry for my english, unfortunately it's not my native language.

0 Kudos
Troja
Level 14

Re: McAfee Client Proxy not working

Hi abolshakov,

MCP does this test to detect if direct internet access is possible. This is necessary if you are in a hotel where you have to activate your WLAN access. In this situation no proxy server must be used.

The second possibiity where MCPdoes not use a proxy if you configure a proxy server in your browser settings.

I took a look to the MCP Log this morning, i cannot see any entry with "captive portal"....

Perhaps you want test my policy file, just change the proxy settings and the customer idetifyer.

Cheers,

Thorsten

0 Kudos
abolshakov
Level 7

Re: McAfee Client Proxy not working

Hi, Troja,

First of all, thanks for your reply! Secondary, I've just tried your policy file (changed customer ID and proxy settings) and I still get problems with captive portal detection:

10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkConnectivity -  Checking connectivity status

10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkProxyConnectivity -  Checking proxy connectivity

10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkProxyConnectivity -  Detected proxy connection at 0ms

10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkProxyConnectivity -  Using proxy policy order

10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkConnectivity -  Always redirecting, skipping corporate connectivity tests

10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkCaptivePortalConnectivity -  Testing captive portal

10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::getUrlWebPage -  Getting url

10/30/14 : 11:11:42:860 - [VERBOSE] CNetworkManager::getUrlWebPage -  Finished getting url

10/30/14 : 11:11:42:860 - [VERBOSE] CNetworkManager::checkCaptivePortalMethod1 -  Captive portal detected, or no original page

10/30/14 : 11:11:42:860 - [VERBOSE] CNetworkManager::getUrlWebPage -  Getting url

10/30/14 : 11:11:43:141 - [VERBOSE] CNetworkManager::getUrlWebPage -  Finished getting url

10/30/14 : 11:11:43:141 - [VERBOSE] CNetworkManager::checkCaptivePortalMethod2 -  Captive portal detected, or no original page

10/30/14 : 11:11:43:141 - [VERBOSE] CNetworkManager::checkCaptivePortalConnectivity -  Captive portal detected or connection failed

And MCP says "No redirection, No connectivity".

About need of captive detection - I don't have any clients outside of organization but I have some software that doesn't support proxy servers natively. That's why I need to use MCP instead of simple proxy settings in IE. Previously we used TMG 2010 and TMG Client.

Regards!

0 Kudos