cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Allan
Level 8
Report Inappropriate Content
Message 1 of 9

No connectivity on MCP Client

Jump to solution

Hi everyone,

I'm facing a weird behavior with MCP.

I have a set of rules including this one to authenticate users:

Authentication.Authenticate<NTLM> equals false   ->   Athenticate<Default>

Proxy's working fine if I set up proxy manually on my client's OS. But if this rule is activated, MCP shows no connectivity even if the authentication test passes with no issue.

 

Any Idea to troubleshoot this?

I'm trying to found anything with a Wireshark on my client but to be honest, I'm not sure about what I should look for.

 

I hope smoeone can give me a hint on this. 😄

Thanks !

 
2 Solutions

Accepted Solutions
AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 9

Re: No connectivity on MCP Client

Jump to solution

The MCP client has to have connectivity to hxxp://mcp.webwasher.com/test/MCP.txt in order to "pass" connectivity checks (I believe that's the link).  

Have you done a rule trace to confirm the client is authenticating at that rule as expected?  We have a few rules for MCP on-prem authentication:

Get Customer ID (save Header.Request.Get ("X-SWEB-AuthCustID" in a userdefined field)

Verify Headers:  Authentication.IsAuthenticated = fase AND user.defined.customerID = customerid_number and authentication.authenticate<MCP> = true (where <MCP> is our our setting with the customer ID and shared password).

In the latter, we set authentication.username and Authentication.UserGroups to match, just to ensure the name and groups are set.

My suggestion is rule tracing to validate it's hitting that rule.  That would be the first step to troubleshooting

View solution in original post

Allan
Level 8
Report Inappropriate Content
Message 9 of 9

Re: No connectivity on MCP Client

Jump to solution

The issue is solved.

If you want to know, it's quite simple:

NTLM auth rule was hit even with MCP client. This simply can't work.

If your clients have MCP installed, you have to use MCP or LDAP auth. NTML can't work with MCP the client. 😂

View solution in original post

8 Replies
AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 9

Re: No connectivity on MCP Client

Jump to solution

The MCP client has to have connectivity to hxxp://mcp.webwasher.com/test/MCP.txt in order to "pass" connectivity checks (I believe that's the link).  

Have you done a rule trace to confirm the client is authenticating at that rule as expected?  We have a few rules for MCP on-prem authentication:

Get Customer ID (save Header.Request.Get ("X-SWEB-AuthCustID" in a userdefined field)

Verify Headers:  Authentication.IsAuthenticated = fase AND user.defined.customerID = customerid_number and authentication.authenticate<MCP> = true (where <MCP> is our our setting with the customer ID and shared password).

In the latter, we set authentication.username and Authentication.UserGroups to match, just to ensure the name and groups are set.

My suggestion is rule tracing to validate it's hitting that rule.  That would be the first step to troubleshooting

Allan
Level 8
Report Inappropriate Content
Message 3 of 9

Re: No connectivity on MCP Client

Jump to solution

Thanks for your reply. I'm not sure to understand everything you said on the second part of your answer but I've got some update.

 

First, you were right about mcp.webwasher.com.

We had a rule that said URL matches in list with "mcp.webwasher.com" in the list, but we need URL.host instead.

Now connectivity is good but the solution revealed another issue. xD

 

If I set up the gateway manually as proxy on a client everything is ok. But if I let MCP do the job, I've then have either "ERR_UNEXPECTED_PROXY_AUTH" or "ERR_SSL_PROTOCOL_ERROR" (on Chrome).

 

I don't understand how the behavior can be different.

Allan
Level 8
Report Inappropriate Content
Message 4 of 9

Re: No connectivity on MCP Client

Jump to solution

It looks like it is the authenticate rule that does not work properly with MCP, because any site I add to the exclusion rule of this ruleset shows up with no error.

AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 9

Re: No connectivity on MCP Client

Jump to solution

The fun of MCP on-prem rules.

In your Authenticate rule with MCP Settings, the password you enter in the MCP Settings, has to match the password configured in the MCP policy in ePO.  If they are the same, MCP will authenticate on-prem and "in the cloud" without issues.  If they are different, one of those two will fail to authenticate.

Allan
Level 8
Report Inappropriate Content
Message 6 of 9

Re: No connectivity on MCP Client

Jump to solution

YES !

I figured this out here: https://community.mcafee.com/t5/Web-Gateway/How-to-Properly-Authenticate-MCP-Traffic-on-MWG-Without-...

 

😄

 

Now I'm trying to found how to make them match. I'm not the one that installed this solution so I'm always searching for everything. I'll keep you in touch and close this tread if it works.

Thank you for your help !

AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 7 of 9

Re: No connectivity on MCP Client

Jump to solution

I am familiar with that.  If you cannot find the password, and if you can get the xml from the ePO it should have a section "<MCP Credentials><SharedPassword>".  You should be able to paste that value into MWG's settings to get the credentials to sync (there are certain MWG version limitations on this).  That should, hopefully, sync up your passwords in MCP and MWG.

Good luck!

Allan
Level 8
Report Inappropriate Content
Message 8 of 9

Re: No connectivity on MCP Client

Jump to solution

Hey !

So... I tried reapplying the sharedkey on the GTW, then extracted it as xml to upload it on the ePo.

Same issue...

 

But I don't see how the issue could be there since the MCP auth happens only if we are in the cloud. My issue with NTLM happens in the LAN !

I've done a Wireshark on a test client and it looks like nothing happens after the 407 request.

 

Does it look normal to you?

2022-01-26_13h29_07.png

 

Allan
Level 8
Report Inappropriate Content
Message 9 of 9

Re: No connectivity on MCP Client

Jump to solution

The issue is solved.

If you want to know, it's quite simple:

NTLM auth rule was hit even with MCP client. This simply can't work.

If your clients have MCP installed, you have to use MCP or LDAP auth. NTML can't work with MCP the client. 😂

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community