Hi Sergej,
I installed an nginx reverse proxy in front of the McAfee web proxy, including a valid certificate chain from Let's Encrypt, and I redirect port 80 to 443 and then proxy 443 to 4712. Works like a charm, but new browsers don't work with the Java Console. So I need to use "Web Gateway UI as in-browser HTML", which points to https://webfilter.[domainname]/Konfigurator/html/html-ui.html?anonym=true&app=Konfigurator. I get the following error: "Disconnected..." and I can choose between "Try again." and "Logout."
Why does that happen? What is special about the Web Gateway UI as in-browser HTML?
Hi Bhit,
unfortunately I don't know which URL will be generated before you click on the "HTML UI" link. I assume this is something your client generates using system variables. Assessing url.host in your browser as you describe won't have the destination port number included. To prove that I checked my LAB UI link; this always contains port number 4712 or alternatively 4711, depending on which URL you accessed before.
Due to this fact you have to modify UI request as well:
from:
https://webfilter.[domainname]/Konfigurator/html/html-ui.html?anonym=true&app=Konfigurator
to:
https://webfilter.[domainname]:4712/Konfigurator/html/html-ui.html?anonym=true&app=Konfigurator
-Sergej
Dear Sergej,
I checked too, it's true: when I connect directly to the McAfee proxy (https://proxy.mydomain.ch:4712) the port is added to the URL I can click on (see "capture_direct.jpg" in the attachments).
When I connect indirectly using the nginx reverse proxy (http://webfilter.mydomain.ch) the port isn't added (see "capture_indirect.jpg").
But I don't think the problem comes from the port. There is a correct "HTTPS" in the URL. Clicking on it should tell my browser to connect to 443 on the nginx reverse proxy, which is going to talk on port 4712 with the McAfee GUI (see simple_nginx_config.jpg).
....or maybe I just don't see/understand the real problem... Can you point me to what I don't understand? Thanks
Attachments: capture_direct.jpg, capture_indirect.jpg, simple_nginx_config.jpg
(By the way the nginx reverse proxy hugely enhances user experience... that's really the way to go for us)
Dear Sergej,
I probably found a part of the reason why it doesn't work when I click on "Web Gateway UI as in-browser HTML", which is a link to "/Konfigurator/html/html-ui.html" on the WGW: The reverse proxy does probably not provide web-socket connectivity by default, the headers have to be passed or reconfigured or whatever. I'm not deep into it enough yet. If I change the config of the reverse proxy (headers Upgrade and Connection) like below, the login now pops up. Great, one step forward! It now starts loading when I click on connect, which it did not before, but then I get the message "Login Error: Connection timed out (Connection timed out)."
Thanks I appreciate your help. I'm sure your other customers messing with the code directly on WGW do too :-)))
```nginx
# Default reverse proxy webfilter.mydomain.ch configuration

# Plain HTTP listener: permanently redirect everything to HTTPS.
server {
    listen 80;
    server_name webfilter.mydomain.ch;
    return 301 https://$host$request_uri;
}

# HTTPS listener terminating TLS with the Let's Encrypt chain,
# forwarding to the Web Gateway UI on port 4712.
server {
    listen 443 ssl;
    server_name webfilter.mydomain.ch;
    # Placeholder certificate lines left over from the example config:
    # ssl_certificate /etc/nginx/ssl/example.crt;
    # ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_certificate /etc/nginx/ssl/webfilter.domain3.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/webfilter.domain3.key;

    location / {
        # HTTP/1.1 plus the Upgrade/Connection headers are required so that
        # the HTML UI's WebSocket handshake is passed through to the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass https://proxy.mydomain.ch:4712;
    }
}
```
Well in fact it's not a reverse proxy problem, but a "McAfee only problem". Without any proxy in between: I cannot access the GUI using FQDN and valid cert. When I use IP and invalid cert it works.
with FQDN and valid cert it doesn't work
with IP address and invalid cert it works
When I start the GUI with the https://[IP-address]:4712/Konfigurator/html/html-ui.html, that means with the invalid certificate, that's what the GUI reads (see screenshot)
I'm trying to find the user's manual. That smells like fish to me, a "NULL" cipher list cannot be correct ^^ But the input doesn't come from me, that must be some kind of bug I expect.
Hi Bhit,
the documentation about ciphers can be found on external resources as it does not directly belong to Web Gateway. Here is the full documentation of what you could set up:
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
if you scroll below this setting you will also find the UI-related CA, which you could replace with your own if you like. If your device is part of a domain and your FQDN can be resolved successfully, I expect FQDN should work as well. My LAB implementation contains a server alternative name which is my host name.
Hi smasnizk,
thanks. Unfortunately I'm not a cryptography specialist. I use a standard current browser (Firefox 69.0.2). I just want to connect to the Web Gateway UI using SSL with default settings and the default tools provided (without Java) at /Konfigurator/html/html-ui.html
Self-signed certs don't work either; I tried to remove my key and cert and let the WGW create one. I also deleted the cipher definition because I hoped the WGW UI would choose "default". A "reset" button for non-cryptography specialists would be great too.
Maybe you could just tell me which browser and version you use, and what settings you use in your UI?