Dear Sergej,

I checked too, it's true, when I connect directly to the mcafee proxy (https://proxy.mydomain.ch:4712) the port is added to the URL I can click on (see "capture_direct.jpg" in the attachements).

When I connect indirectly using the nginx reverse proxy (http://webfilter.mydomain.ch) the port isn't added (see "capture_indirect.jpg").

But I don't think the problem comes from the port. There is a correct "HTTPS" in the URL. Clicking on it should tell my browser to connect to 443 on the nginx reverse proxy, which is going to talk on port 4712 with the McAfee GUI (see simple_nginx_config.jpg).

....or maybe I just don't see/understand the real problem... Can you point me to what I don't understand? Thanks

capture_direct.jpgcapture_indirect.jpgsimple_nginx_config.jpg

(By the way the nginx reverse proxy hugely enhances user experience... that's really the way to go for us)

Dear Sergej,

I probably found a part of the reason why it doesn't work wehn I click on "Web Gateway UI as in-browser HTML", which is a link to "/Konfigurator/html/html-ui.html" on the WGW: The reverse proxy does probably not provide web-socket connectivity by default, the headers have to be passed or reconfigured or whatever. I'm not deep into it enough yet. If I change the config of the reverse proxy (headers upgrade and connection) like below, the login now pops up. Great, one step forward! It now starts loading when I click on connect, what it did not before, but then I get the message "Login Error: Connection timed out (Connection timed out).

Thanks I appreciate your help. I'm sure your other customers messing with the code directly on WGW do too :-)))

# Default reverse proxy webfilter.mydomain.ch configuration

server {
listen 80;
server_name webfilter.mydomain.ch;

return 301 https://$host$request_uri;

}

server {
listen 443 ssl;
server_name webfilter.mydomain.ch;

# ssl_certificate /etc/nginx/ssl/example.crt;
# ssl_certificate_key /etc/nginx/ssl/example.key;

ssl_certificate /etc/nginx/ssl/webfilter.domain3.chain.crt;
ssl_certificate_key /etc/nginx/ssl/webfilter.domain3.key;

location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass https://proxy.mydomain.ch:4712;
}

}

Well in fact it's not a reverse proxy problem, but a "McAfee only problem". Without any proxy in between: I cannot access the GUI using FQDN and valid cert. When I use IP and invalid cert it works.

with FQDN and valid cert it doesn't workwith IP address and invalid cert it works

When I start the GUI with the https://[IP-address]:4712/Konfigurator/html/html-ui.html, that means with the invalid certificate, that's what the GUI reads (see screenshot)

I'm trying to find the user's manual. That smells like fish to me, a "NULL" cipher list cannot be correct ^^ But the input doesn't come from me, that must be some kind of bug I expect.

Hi smasnizk,

thanks. Unfortunately I'm not a cryptography specialist. I use a standard actual browser (Firefox 69.0.2). I just want to connect to the webgateway-UI using SSL with default settings and default tools provided (without java) at /Konfigurator/html/html-ui.html

Self-signed certs don't work either, I tried to remove my key and cert and let the wgw create one. I also deleted the cipher definition because I hoped the wgw-ui would choose "default". A "reset" button for non cryptography specialists would be great too.

Maybe you could just tell me which browser and version you use, and what settings you use in your UI?