I want sent logs from MWG in Web Protection.
I configured Proxy HA, but can't take logs. Screens 1-6.
When I write the proxy IP manually in Explorer, then it's working. Screen 8.
How must the configuration be to take logs without a manual IP?
I have to admit that I do not understand the problem.
- From the configuration screens Proxy HA does not seem to be correctly configured
- Proxy HA configuration is independent from log files
- I don't see a problem with logs indicated in the screenshots
Maybe it is required to point out the problem in the screenshots? Please provide some more details about the problem you encounter and we will try to assist.
I try to explain to you what I want, with my bad English.
I have MWG and Web Reporter. I want to take information from users about internet traffic.
You know my Proxy configuration, and now I try to provide you more details.
Authentication method is NTLM. (Screen 2)
You can see Best Practice: Configuring McAfee Web Reporter log source for McAfee Web Gateway https://community.mcafee.com/docs/DOC-4928 (Screens 3-5)
When Internet Explorer LAN Settings is default (Screen 6)
Web Reporter cannot take logs (Screen 7)
When Proxy server is enabled in LAN Settings (Screen 9)
Web Reporter can take logs (Screen 10)
When all LAN Settings options are disabled (Screen 11)
Web Reporter cannot take logs (Screen 12)
I want to get logs with the default LAN Settings configuration.
Also I want to specify my Proxy configuration.
Local IP address of the node (do NOT configure a virtual IP address here). This IP address is used to auto discover the scanning nodes. All nodes have to be on the same subnet to be auto discovered.
This is the shared IP for the Proxy HA cluster which needs to be the same on all nodes in Proxy HA. Point your users’ browsers to the VIP.
Are these parameters correct in my Proxy configuration?
How can I get the local IP address of the node?
Thank you very much.
Okay, I think I start to understand.
First of all let's look at your Proxy HA settings. From the screenshots in your first post I can see that you have no central management configured, so there is probably only one MWG installed currently. With only one node Proxy HA does not make any sense, because MWG cannot fail over to a different node. In case you plan to add a second node later that is fine, but Proxy HA with one MWG does not make any sense.
Next I saw your Proxy HA configuration in the screenshots above. You set "Management IP" to 0.0.0.0 and the virtual IP address to 0.0.0.0. That is not correct. The "Management IP" requires to be configured to the IP address you have configured to your MWG. The IP address of your MWG is the IP you entered during the initial setup and the IP you enter when accessing the UI. If you have configured multiple IP addresses use any of them. On this IP address some internal HA communication to other nodes will take place.
The virtual IP address is the "Cluster IP address", which means a VIRTUAL IP address that you point your browser to. Example:
Virtual IP: 192.168.0.254
Both MWG-A and MWG-B talk to each other to find out who should be the "director" (or "master") node, which accepts all traffic from the clients. The winning node starts responding to 192.168.0.254 although that IP is NOT (and must not be) assigned to any physical interface. All clients are configured to talk to 192.168.0.254. If one of the nodes goes down the other node will start replying on 192.168.0.254 so that clients do not notice if one of the MWG nodes goes down. That's the idea of the Proxy HA configuration.
Now let's look at the log issue again. MWG and Web Reporter talk to each other, the log processing does NOT run through the browser in any way. E.g. setting the IE settings to MWG or not should not make any difference when MWG tries to push log files. If you click the button in the UI you tell MWG to push log files directly to Web Reporter.
The only reason why you see this behaviour is the following:
When you set up MWG in your Internet Explorer many applications installed on your desktop and of course the browser itself start generating traffic on MWG. When traffic is generated log files are written. If you now click the push button MWG will push away all logs it currently has. When you now turn off MWG in the Internet Explorer settings your computer will no longer create any requests against MWG, which would mean the log files stay empty. If you click the button to push the log files there are no logs which MWG can push, therefore no data arrives at Web Reporter.
I recommend to do the following:
- Enable MWG in your browser configuration
- Surf for a while
- Disable MWG in your browser configuration
- Check in the MWG UI whether log files have been written
- Rotate/Push the log files
- The logs should be sent to Web Reporter, although MWG is not enabled in the browser settings.
Thank you Andre,
I installed MWG in a virtual machine. I need not add a second MWG. (Screen_VMware)
The IP of the server where MWG is installed is 192.168.1.5.
Yes, when I did your recommendation the logs are sent, but 2 logs were sent at the same time. And one is filed (screen_logs)
I am not sure whether I understand correctly or not.
Is it possible to send logs without changing IE Settings? What must I do?
If I understand, at the "Management IP" I must write 192.168.1.121 (Screen_IP)
And at the Virtual IP: an arbitrary IP address that is not used?
I hope you can understand and help me.
1.) If you only run one MWG you don't need to set up Proxy HA. Proxy HA is used for multiple MWGs only.
2.) There is nothing you need to do. MWG will push log files to Web Reporter independent from your IE settings. MWG pushes log files to Web Reporter directly, your browser is not part of this communication at all.
3.) The screenshots indicate that your MWG is configured at 192.168.1.121. So this should be your management IP. For virtual IP yes, any IP address that is currently not used. Please see note 1. above.
Thank you very much. I understand, but what can I do to take logs without manual IE configuration? Users can change the IE configuration and then can't get logs.
Can you explain what "can't get logs" means?
If I understand you correctly then your wish is the following:
If users do not configure their browser they do not show up in the log files. You want users to use the proxy (which means showing up in the logs) even when they do not have the IE configuration set correctly.
Is that true?
Okay, that makes sense.
In this case you won't be happy with Proxy HA, which is for explicit proxy deployments only. Explicit proxy always requires you to enter MWG into the proxy settings of the browser! You should have a look at this:
When you have looked at that document you will see that you can have explicit (= browser configuration required) or transparent (= no browser configuration required) deployments with MWG. When you want to send all users' web traffic through MWG without touching the browser settings, you are looking for a transparent proxy setup.
In case you have WCCP capable devices (Cisco), follow this document to learn more:
If you do not have WCCP capable devices you need to set up MWG as transparent router or transparent bridge. To do so you must switch MWG to transparent router or bridge mode in the Proxy configuration area:
Once this is done MWG is theoretically able to pick up traffic that has been redirected to it. Now you need to bring MWG into the routing path (transparent router) or place it physically between existing network equipment like a cable (transparent bridge). To do so you need to place MWG depending on your network design, so you need to find the right place yourself or talk to some network folks who can assist. If you pick transparent bridge mode there is one more guide which offers some help:
Also the product guide contains a step by step instruction to set up MWG in transparent bridge/router mode. You should start reading at page 104 for details about transparent deployments.