bhit
Level 7
Message 11 of 18

Re: Redirect User Interface port 4711 HTTP to 4712 HTTPS

Hi Sergej,

I installed an nginx reverse proxy in front of the McAfee webproxy, including a valid certificate-chain from Let's Encrypt, and I redirect port 80 to 443 and then proxy 443 to 4712. Works like a charm, but new browsers don't work with the Java-Console. So I need to use "Web Gateway UI as in-browser HTML", which points to https://webfilter.[domainname]/Konfigurator/html/html-ui.html?anonym=true&app=Konfigurator. I get the following error: "Disconnected..." and I can try between "Try again." and "Logout."

Why does that happen? What is special about the Web Gateway UI as in-browser HTML?

smasnizk
McAfee Employee
Message 12 of 18

Hi Bhit,

 

Unfortunately I don't know which URL will be generated before you click on the "HTML UI" link. I assume this is something your client generates using system variables. Assessing url.host in your browser as you describe won't have the destination port number included. To prove that, I checked my lab UI link; this always contains port number 4712 or alternatively 4711. It depends on which URL you accessed before.

 

Due to this fact you have to modify the UI request as well:

 

from:

 https://webfilter.[domainname]/Konfigurator/html/html-ui.html?anonym=true&app=Konfigurator

to:

 https://webfilter.[domainname]:4712/Konfigurator/html/html-ui.html?anonym=true&app=Konfigurator

 

-Sergej

bhit
Level 7
Message 13 of 18

Dear Sergej,

I checked too, it's true, when I connect directly to the McAfee proxy (https://proxy.mydomain.ch:4712) the port is added to the URL I can click on (see "capture_direct.jpg" in the attachments).

When I connect indirectly using the nginx reverse proxy (http://webfilter.mydomain.ch) the port isn't added (see "capture_indirect.jpg").

But I don't think the problem comes from the port. There is a correct "HTTPS" in the URL. Clicking on it should tell my browser to connect to 443 on the nginx reverse proxy, which is going to talk on port 4712 with the McAfee GUI (see simple_nginx_config.jpg).

....or maybe I just don't see/understand the real problem... Can you point me to what I don't understand? Thanks

Attachments: capture_direct.jpg, capture_indirect.jpg, simple_nginx_config.jpg

(By the way the nginx reverse proxy hugely enhances user experience... that's really the way to go for us)

bhit
Level 7
Message 14 of 18

Dear Sergej,

I probably found a part of the reason why it doesn't work when I click on "Web Gateway UI as in-browser HTML", which is a link to "/Konfigurator/html/html-ui.html" on the WGW: The reverse proxy does probably not provide web-socket connectivity by default, the headers have to be passed or reconfigured or whatever. I'm not deep into it enough yet. If I change the config of the reverse proxy (headers upgrade and connection) like below, the login now pops up. Great, one step forward! It now starts loading when I click on connect, what it did not before, but then I get the message "Login Error: Connection timed out (Connection timed out)."

Thanks I appreciate your help. I'm sure your other customers messing with the code directly on WGW do too :-)))

 

# Default reverse proxy webfilter.mydomain.ch configuration

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name webfilter.mydomain.ch;

    return 301 https://$host$request_uri;
}

# Terminate TLS and proxy to the Web Gateway UI on port 4712
server {
    listen 443 ssl;
    server_name webfilter.mydomain.ch;

    # ssl_certificate /etc/nginx/ssl/example.crt;
    # ssl_certificate_key /etc/nginx/ssl/example.key;

    ssl_certificate /etc/nginx/ssl/webfilter.domain3.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/webfilter.domain3.key;

    location / {
        # Pass the WebSocket upgrade headers through to the upstream
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass https://proxy.mydomain.ch:4712;
    }
}
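
Added example, not part of the original post and not McAfee's own configuration: a variant of the reverse-proxy config above that sets the Connection header from the client's Upgrade header via `map`, raises the idle timeout for WebSocket connections, and makes nginx verify the upstream certificate, which `proxy_pass https://` does not do by default. Host names and certificate paths are taken from the post; the CA bundle path and the timeout values are assumptions.

```nginx
# Added example. The map block belongs in the http {} context.
# Send "Connection: upgrade" upstream only when the client requested an upgrade;
# ordinary requests get "Connection: close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name webfilter.mydomain.ch;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name webfilter.mydomain.ch;

    ssl_certificate     /etc/nginx/ssl/webfilter.domain3.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/webfilter.domain3.key;

    location / {
        proxy_pass https://proxy.mydomain.ch:4712;

        # WebSocket pass-through
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # nginx drops a proxied connection after 60s without upstream data
        # by default; an idle WebSocket needs longer (assumed value).
        proxy_read_timeout 1h;
        proxy_send_timeout 1h;

        # Verify the upstream's TLS certificate (off by default in nginx).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        # Hypothetical path: CA bundle that issued the upstream UI certificate.
        proxy_ssl_trusted_certificate /etc/nginx/ssl/upstream-ca.pem;
        # Name to match against the upstream certificate and to send as SNI.
        proxy_ssl_name                proxy.mydomain.ch;
        proxy_ssl_server_name         on;
    }
}
```

With `proxy_ssl_verify on`, nginx answers 502 when the upstream certificate does not chain to the trusted bundle or does not match `proxy_ssl_name`, so a name mismatch on the UI certificate shows up at the proxy instead of being silently accepted. `nginx -t` checks the syntax before a reload.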

bhit
Level 7
Message 15 of 18

Well in fact it's not a reverse proxy problem, but a "McAfee only problem". Without any proxy in between: I cannot access the GUI using FQDN and valid cert. When I use IP and invalid cert it works.

[image: with FQDN and valid cert it doesn't work]
[image: with IP address and invalid cert it works]

bhit
Level 7
Message 16 of 18

When I start the GUI with the https://[IP-address]:4712/Konfigurator/html/html-ui.html, that means with the invalid certificate, that's what the GUI reads (see screenshot)

I'm trying to find the user's manual. That smells like fish to me, a "NULL" cipher list cannot be correct ^^ But the input doesn't come from me, that must be some kind of bug I expect.

[screenshot: image.png]

smasnizk
McAfee Employee
Message 17 of 18

Hi Bhit,

 

The documentation about ciphers can be found on external resources, as it does not directly belong to WebGateway. Here is the full documentation of what you could set up:

 

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

 

If you scroll below this setting you will also find the UI-related CA, which you could replace with your own if you like. If your device is a part of a domain and your FQDN can be resolved successfully, I expect the FQDN should work as well. My lab implementation contains a server alternative name, which is my host name.

bhit
Level 7
Message 18 of 18

Hi smasnizk,

Thanks. Unfortunately I'm not a cryptography specialist. I use a standard actual browser (Firefox 69.0.2). I just want to connect to the webgateway-UI using SSL with default settings and default tools provided (without java) at /Konfigurator/html/html-ui.html.

Self-signed certs don't work either, I tried to remove my key and cert and let the wgw create one. I also deleted the cipher definition because I hoped the wgw-ui would choose "default". A "reset" button for non cryptography specialists would be great too.

Maybe you could just tell me which browser and version you use, and what settings you use in your UI?
