I am facing an issue with McAfee Client Proxy. We are planning to implement MCP in our client and our testing is ongoing. Here is our environment.
A. Install the McAfee Client Proxy extension
B. Check in the McAfee Client Proxy client package to ePolicy Orchestrator
C. Select a policy and add the NATed IP in the proxy server list and port 9091
D. Deploy McAfee Client Proxy with ePolicy Orchestrator
7. We have created a rule in the firewall for MWG with the NATed public IP to the MWG proxy IP with port no. 9091
Now Problem is occurred that.
I imagine the policy issue is occurring because the groups received by MCP and those returned from your Windows domain membership are different.
By default when performing direct proxy authentication, groups will simply be returned with the name of the group, NO DOMAIN IS INCLUDED. Example: Domain Users
By default when using MCP, groups will be returned WITH THE DOMAIN INCLUDED. Example: MCAFEE\Domain Users
So... I'm guessing you have all of your rules written based on the group WITHOUT the domain. You should change it to INCLUDE the domain to account for how MCP will send the groups.
You can do this under Policy > Settings > Engines > Authentication > [pick your auth settings], then check the box for "Prefix groups with domain name..." see screenshot below:
On the second issue, is the MWG in a DMZ that might not permit it to access internal sites? This sounds more like a networking issue. What message are you receiving (cannot connect)?
Using MCP proxy authentication, when we check the box, which one is correct for the rule set setting:
1. authentication.usergroups contains value-string of "Students" [AD user group]
2. authentication.usergroups contains value-string of "domain\Students" [AD user group]
Hope you are doing well.
You can check this once by taking MWG GUI access -> Navigate to Policy -> Settings -> Authentication -> MCP (the MCP authentication settings you are using in your Authentication with McAfee Client Proxy rule) -> There is an option "keep domain name in group name".
If the option "keep domain name in group name" is enabled, then domain\Students will be taken into consideration. You can disable that option if only group names are being used in the policies.