I'm currently trying to use a McAfee Web Gateway (latest version) deployed on-premise to manage user access to various resources. The problem is that bypassing the proxy (i.e. direct access) is not an option nor is user-controlled certificate acceptance.
I've gotten SSL Inspection working flawlessly for generic websites but I am having trouble with access to certain partner portals: for some odd reason, SSL inspection fails miserably when the destination host is in a private subnet (i.e. users in 172.16.x.x and server in 10.x.x.x). Traffic from user to server is https and must be proxied and inspected by the MWG. Users must see that the connection is secured using the MWG's sub-CA used for SSL inspection.
Is there some undocumented limitation that prevents SSL inspection for RFC1918 IP ranges?
Thanks for any suggestions and input!
What kind of error messages do you get? There should be no issues with SSL scanning on private network spaces. Are there block pages, or just browser errors? A rule engine trace may be useful here.
I have seen at various sites issues with MWG connecting back into a network, due to network or DNS issues.
There is no undocumented limitation I am aware of. I think MWG is probably not able to talk to the servers hosted in the private network due to some firewall limitation or there are whitelist rules in place which prevent SSL Scanner from inspecting the certificates.
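A small client-side diagnostic for the question above, added here as an example and not code from McAfee or from any poster: it checks whether the destination sits in an RFC 1918 range, opens an HTTP CONNECT tunnel through the proxy, and reports which CA issued the certificate the client actually sees, so a re-signed (inspected) connection, a tunneled original certificate, and a CONNECT refusal (block page or firewall) can be told apart. The proxy address, the sub-CA bundle path and the destination hostname are placeholders.

```python
import ipaddress
import socket
import ssl

# Constructed placeholders: replace with your MWG listener and the exported SSL-inspection sub-CA.
PROXY = ("mwg.example.internal", 9090)
MWG_SUBCA_BUNDLE = "/path/to/mwg-ssl-inspection-subca.pem"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(host_or_ip: str) -> bool:
    """True if the literal IP, or the address a hostname resolves to, is in an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(host_or_ip)
    except ValueError:
        ip = ipaddress.ip_address(socket.gethostbyname(host_or_ip))
    return any(ip in net for net in RFC1918)

def parse_connect_status(reply: bytes) -> int:
    """Return the HTTP status from a CONNECT reply such as b'HTTP/1.1 200 Connection established'."""
    first_line = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = first_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise RuntimeError(f"malformed CONNECT reply: {first_line!r}")
    return int(parts[1])

def connect_via_proxy(host: str, port: int, proxy=PROXY, timeout=10) -> socket.socket:
    """Open a TCP tunnel to host:port through the proxy with HTTP CONNECT (no TLS yet)."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status = parse_connect_status(reply)
    if status != 200:  # a block page or firewall refusal surfaces here, before any TLS happens
        sock.close()
        raise RuntimeError(f"proxy refused CONNECT to {host}:{port} with status {status}")
    return sock

def issuer_seen_by_client(host: str, port: int = 443, ca_bundle: str = MWG_SUBCA_BUNDLE) -> dict:
    """Handshake through the tunnel, trusting system CAs plus the MWG sub-CA; return the issuer DN."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=ca_bundle)  # inspected connections chain to this sub-CA
    with ctx.wrap_socket(connect_via_proxy(host, port), server_hostname=host) as tls:
        cert = tls.getpeercert()  # verification failure here means neither CA set signed it
    return {name: value for rdn in cert["issuer"] for name, value in rdn}

if __name__ == "__main__":
    target = "portal.partner.internal"  # constructed example destination
    print("RFC 1918 destination:", is_rfc1918(target))
    print("issuer presented to client:", issuer_seen_by_client(target))
```

If the issuer printed is the MWG sub-CA the connection was inspected; if it is the partner's own CA the proxy tunneled the original certificate without inspecting, and a non-200 CONNECT status points at a block rule or a firewall between the MWG and the 10.x.x.x server rather than at SSL inspection itself.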