Level 9
Message 1 of 9

Need assistance basic setup for MWG 7

Dear Support,

We recently bought an MWG hardware appliance and are now setting it up. We want to set it up in explicit proxy mode. I have assigned an IP to eth0 of the device. I joined it to our Windows 2008 domain and it shows the status as 'green'. The DNS is given as our internal DNS.

How do I now set the device to get HTTP and HTTPS requests from users and forward them to the internet? Where in the device do I need to define settings to go to the internet and resolve internal and internet requests? I am getting confused about this. Do we need to use the other NIC as well?

If any other details are needed, please let me know.


8 Replies
Level 13
Message 2 of 9

Re: Need assistance basic setup for MWG 7

This is a community forum, not tech support.

You should really contact a reseller who can provide professional services for the install. You might get it working, but they have experience with implementing best practices.

Also, have you tried reading this? It's posted on the main page for MWG.


on 6/5/13 3:23:54 AM CDT
Level 9
Message 3 of 9

Re: Need assistance basic setup for MWG 7

Dear George,

We bought the hardware only and no implementation services; this is the reason I need help from the experts here. At the moment I need to understand how the device will resolve requests to the internet, since it has a DNS on eth0 pointing to our Domain Controller DNS in order to use NTLM authentication.

Presently we plan to use it in explicit proxy mode, so in this case we will only use one network card in the appliance, right?

Yes, I found that article on the main page of MWG but could not find a way to create a DNS rule for outside requests.

Many Thanks,

McAfee Employee
Message 4 of 9

Re: Need assistance basic setup for MWG 7


It seems that the DNS on the Domain Controller is not configured to forward unknown requests to the ISP's DNS. Usually (in a simple environment) you configure the DC to locally resolve its own domain (such as mycompany.tld) but forward all unknown domains it cannot answer to a forwarder, most likely a DNS provided by your ISP. In this case you can configure MWG to use the DNS of the domain controller.

In case the domain controller does not forward, there are only a few options:

- Use a public (ISP) DNS. In this case MWG will be able to resolve external domains. For internal requests and authentication you will most likely have to modify the /etc/hosts file and manually add hosts and IPs here to allow MWG to resolve as required.

- Use the 7.3.2 controlled release, which allows you to set up split DNS, e.g. forward all internal requests to the domain controllers and all external requests to the ISP's DNS.

- Configure the domain controllers to do forwarding.

Without the ability to resolve both internal and external, you won't be happy with MWG, since DNS is vital for it to work. Setting up your network to provide proper DNS is basically the task of the network administrator. I would recommend either configuring the DC to resolve external hosts (it can be done easily) or trying the split DNS option.



Level 9
Message 5 of 9

Re: Need assistance basic setup for MWG 7

Dear Andre,

Many thanks for your reply. Yes, you are right, the internal DNS of the DC is not yet configured to forward unknown requests to the ISP's DNS. The second choice is to use the 7.3.2 controlled release.

For this I logged in to my corporate McAfee account and found there also the release 'McAfee Web Gateway Main release' and its appliance ISO is So, how are the two different? And in case I need to download them, do I then burn them to a CD and boot the device from the CD to get the new ISO installed?

Many thanks for your detailed response.


Level 9
Message 6 of 9

Re: Need assistance basic setup for MWG 7

Dear Andre,

I have now installed controlled release 7.3.2 on the appliance. Now when I go to conditional forwarding and enter a public DNS, it takes preference over the first primary DNS, which is the local Active Directory domain; when this happens the appliance cannot contact the domain controller.

In the hosts file, do I need to add only the DNS for Active Directory, only one entry? Or do more changes need to be made there?

Please advise.

Level 9
Message 7 of 9

Re: Need assistance basic setup for MWG 7

Dear Mr. Andre,

Any tip for what I explained above concerning the conditional DNS forwarding?

The status under Windows domain membership still shows as green, and also when I do an NTLM test for an AD user, it shows the AD groups the user is a member of and shows as green if the entered username and password are correct.

Is there a way we can create groups in the gateway like (Full internet access users) and then add users from AD to them, rather than creating groups in AD? This I remember I used to do in ISA Server.

Please advise.

McAfee Retired
Message 8 of 9

Re: Need assistance basic setup for MWG 7

Here's how I have my system set up for comparison. Hopefully, you'll find something on yours that you missed.

I have my conditional forwarder set up like this:


All internet traffic resolves using the server and lordchariot.local resolves using or .81.

When I try to resolve one of my internal hosts, the internal server resolves it:


I can see this is happening correctly by packet captures of DNS:


My authentication is set up to use the domain like this:


My Web Gateway has forward and reverse DNS entries in AD:



My authentication tests work:


And the rules block like they should.

(This user is NOT in Allow Social Networking, so they will get blocked according to my policy)


The only other suggestion I can give is to open a support ticket.
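
The split DNS setup discussed in the replies above (the internal zone goes to the domain controllers, everything else to an external resolver), as an added example that is not part of any post and not MWG's own code: a generic model of suffix-based conditional forwarding that reports which internal lookups, reverse (PTR) queries included, would be sent to the external resolver. The resolver addresses, the host names under `lordchariot.local`, and the `10.in-addr.arpa` rule are constructed assumptions.

```python
import ipaddress

# Constructed placeholder addresses (not taken from the thread).
INTERNAL_DNS = ("10.0.0.80", "10.0.0.81")
PUBLIC_DNS = ("198.51.100.53",)

# Conditional-forwarding table: zone suffix -> resolvers; "." is the default route.
RULES = {"lordchariot.local": INTERNAL_DNS, ".": PUBLIC_DNS}


def ptr_name(ip):
    """Name a reverse lookup really queries, e.g. 25.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def pick_resolvers(qname, rules):
    """Longest-suffix match on whole labels, as conditional forwarders do."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in rules:
            return zone, rules[zone]
    return ".", rules["."]


def leaked_queries(rules, names, ips, internal=INTERNAL_DNS):
    """Internal names/IPs whose lookups would go to a non-internal resolver."""
    queries = list(names) + [ptr_name(ip) for ip in ips]
    leaks = []
    for q in queries:
        _, servers = pick_resolvers(q, rules)
        if not set(servers) <= set(internal):
            leaks.append(q)
    return leaks


if __name__ == "__main__":
    names = ["mwg.lordchariot.local", "dc1.lordchariot.local"]  # constructed hosts
    ips = ["10.0.0.25"]                                         # constructed host IP
    # Forward lookups stay internal, but the PTR query falls through to ".".
    print("before:", leaked_queries(RULES, names, ips))
    # Adding the reverse zone keeps PTR lookups on the internal resolvers too.
    fixed = dict(RULES, **{"10.in-addr.arpa": INTERNAL_DNS})
    print("after: ", leaked_queries(fixed, names, ips))
```

A forwarding rule for the forward zone alone does not cover reverse lookups, because a PTR query is for a name under `in-addr.arpa`, not under the internal domain.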

Level 9
Message 9 of 9

Re: Need assistance basic setup for MWG 7

Dear Sir,

Following your steps, I had luck and forward DNS is working: if I put in the name of an internal machine it gets resolved to an IP, but reverse is not working. Any suggestions? Find attached snapshot.


I checked the rules now; they are working for a user if he is a member of ‘socialnetworking’ and ‘webmail’ in AD: the user is able to open webmail and social networking websites. For all these conditions, do we need to create groups in AD? Or is it also possible to have groups created in the gateway and pull AD users under those groups?

Please consider the cases below:

  • Management is allowed to use all things with no restrictions for all regular sites, BUT care should be taken for malicious sites
  • Users from the operations department are to be able to download executables, ISO images, PDF etc. files, but no MP3 files or video files
  • Users from the Admin / HR dept are not allowed to download executables or visit social networking, but can access webmail; no use of remote applications

Do I need to create AD groups for each of my requirements? The order of the rule sets should always be like:

  • Authentication Rules
  • URL Filter
  • Application control
  • Media type filtering

