
Recommended MWG Deployment for unmanaged and managed device

Hi All,

 

I would like to seek your recommendation on the type of deployment to be used and the ideal placement of the MWG in the attached file. The client requirement is access control and filtering using a dedicated web gateway.

[Attachment: mwg setup.png]

Reliable Contributor marcus69

Re: Recommended MWG Deployment for unmanaged and managed device

Hi Marlon,

I cannot see anything special in your environment.

So I'd suggest establishing a web gateway in a demilitarized zone that is accessible by firewall rule from internal users and from unmanaged devices.

For unmanaged devices you'll probably have to insert a transparent proxy on your firewall that routes incoming requests on tcp/80 and tcp/443 to the web gateway.

Up to here, this is not rocket science, and it is a common scenario I've realized for many of our customers.

Best regards
     Marcus

Re: Recommended MWG Deployment for unmanaged and managed device

Thanks Marcus. This is the detail of the requirement: a specific subnet of the internal users must connect to a specific IP address of the MWG and go out through a specific ISP. Is it feasible?

Reliable Contributor marcus69

Re: Recommended MWG Deployment for unmanaged and managed device

Hi Marlon,

This would be a question for your firewall supporter.

Let's assume all ISPs are directly associated with your firewall. Your internal net is 192.168.1.1/24, and the DMZ which contains the MWG is 192.168.2.1/24. The firewall's gateway IP on the DMZ is 192.168.2.1, and the MWG has 192.168.2.250.

Basically the MWG acts as a proxy listening by default on port 9090 on 192.168.2.250. So you have to configure the use of a proxy on 192.168.2.250:9090 for the internal clients.

Based on the MWG's ruleset, it forwards the request to the firewall (= default GW = 192.168.2.1), which routes it to the internet.

So it is up to your firewall to decide which ISP to use for this connection. If your firewall is capable of policy-based routing, you may establish a rule to use a certain ISP for the web gateway.

Best regards
     Marcus
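
One way to carry out the explicit-proxy step from the last reply is a proxy auto-config (PAC) file, sketched here as an added example that is not from the thread or from the vendor. The helper names (`ipToInt`, `inCidr`, `inAny`, `selectProxy`) and the choice to send only the 192.168.1.0/24 clients to the MWG are assumptions; the addresses are the ones assumed in the reply.

```javascript
// Added example: addresses come from the reply's assumed network.
var MWG_PROXY = "PROXY 192.168.2.250:9090";       // MWG listener in the DMZ
var PROXIED_CLIENTS = ["192.168.1.0/24"];         // assumption: subnet that must use MWG
var DIRECT_DESTINATIONS = ["192.168.1.0/24", "192.168.2.0/24", "127.0.0.0/8"];

// Dotted-quad IPv4 -> unsigned integer, or null when the string is not IPv4.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip lies inside the CIDR block; hostnames and bad input give false.
function inCidr(ip, cidr) {
  var pieces = String(cidr).split("/");
  var a = ipToInt(ip), b = ipToInt(pieces[0]);
  if (a === null || b === null || !/^\d{1,2}$/.test(pieces[1])) return false;
  var bits = Number(pieces[1]);
  if (bits > 32) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

function inAny(ip, cidrs) {
  for (var i = 0; i < cidrs.length; i++) if (inCidr(ip, cidrs[i])) return true;
  return false;
}

// Decision logic, kept separate from the PAC entry point so it can be tested.
function selectProxy(clientIp, destHost) {
  // Internal and DMZ addresses (including the MWG itself) are reached directly.
  if (inAny(destHost, DIRECT_DESTINATIONS)) return "DIRECT";
  // No "; DIRECT" fallback: if the MWG is down, browsing fails closed
  // instead of silently bypassing the filter.
  if (inAny(clientIp, PROXIED_CLIENTS)) return MWG_PROXY;
  // Other clients get no explicit proxy; the firewall deals with them.
  return "DIRECT";
}

// PAC entry point; the browser supplies myIpAddress() at run time.
function FindProxyForURL(url, host) {
  var me = (typeof myIpAddress === "function") ? myIpAddress() : "";
  return selectProxy(me, host);
}
```

A PAC file is only client configuration: the firewall rule that lets this subnet reach 192.168.2.250:9090 and denies it direct tcp/80 and tcp/443 egress is what actually enforces the path.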
