Route specific traffic over dedicated network interface in Web Gateway via ruleset

Hello everyone,

I searched the community and Google already but couldn't find anything regarding this situation, so I hope to find an answer to this here.

Customer A wants to route the application "Teamviewer" through his proxy infrastructure out to the Internet. Every client and server can only communicate through the explicit proxy. The current web proxy infrastructure is being replaced by Web Gateways at the moment, which offer much more granular control over the traffic than the current solution. Unfortunately the architecture of the customer's network has some drawbacks which they now try to overcome via the Web Gateways. The architecture is also the reason why allowing Teamviewer is not that easy.

See the actual communication chain first:

Client (Teamviewer) > Firewall1 > Web Proxy > Firewall2 (Hide NAT Proxy) > IPS (Blocks all Teamviewer traffic coming from NAT address) > Internet

As you can see, any traffic coming from the proxy to the Internet is routed through Firewall2, which hides the real proxy IP behind a NAT address. The following IPS system does not offer much logic and just blocks all traffic coming from the proxy's NAT address to the public Teamviewer networks.

Now there are several possibilities to overcome this issue, but we want to make sure whether the following is technically possible with Web Gateway or not.

  1. Detect application "Teamviewer" as an actual application in the Web Gateway ruleset (should be possible)
  2. Route the traffic over another network interface (eth2) via the ruleset and hide the proxy behind a different NAT address on Firewall2 (Is this possible?)
  3. No policy enforcement for this particular NAT IP address on the IPS

The communication would look like this:

  • Client (Default Traffic) > Firewall1 > Web Proxy (eth1) > Firewall2 (Hide NAT for Proxy) > IPS (Enforce normal IPS policies) > Internet
  • Client (Teamviewer) > Firewall1 > Web Proxy (eth2!) > Firewall2 (different Hide NAT for Proxy) > IPS (No policy enforcement for this NAT address) > Internet

Is there the opportunity to do this? Please do not offer different solutions like routing/NATing it differently or changing the IPS ruleset; we know that there are more solutions but need to know the feasibility of this particular technical feature for the project.

Thank you very much in advance,

Nicolas Wehmeyer

5 Replies
McAfee Employee
Message 2 of 6

Re: Route specific traffic over dedicated network interface in Web Gateway via ruleset

Hi Nicolas,

How many MWGs are there? Also, how are you deployed (proxy, proxyha, router, bridge, etc...)?

Does MWG have to send it out eth2, or can we just use a different IP out eth1? I'm guessing it would give the same results because that might be what the IPS is looking for...

MWG has the ability to control the outbound IP on its way to the server. This would work by doing the following (assuming you're using explicit proxy mode):

1. Define an alias IP on eth1 (configuration network interfaces):

    

2. Define an IP in the "Outbound Source IP list" (Configuration > Proxies > Advanced Outgoing Connection Settings):

    

3. Use the event "Enable Outbound Source IP Override" in your rules. You will want to do this based on something source based, like the URL, Client IP, or Application name if it's detected properly. For testing, I'd start with your client IP, then graduate to others once you have the hang of it.

In the event, we're referencing the list entry from step #2. The 0 (zero) in the event below references the first item in the "Outbound Source IP list" from step #2. Referencing a list rather than a hardcoded IP allows this to scale to multiple appliances which have multiple IPs.

(don't ask me why one is zero-indexed and the other is one-indexed...)

Hope this helps!

Best Regards,

Jon


Re: Route specific traffic over dedicated network interface in Web Gateway via ruleset

Hi Jon,

Wow, thank you for this really helpful and detailed answer!

The organization uses several MWG clusters for different purposes, but in this case we will have 4x MWG 5500C devices in place which are set up as Proxy-HA. Does this also work in Proxy-HA mode? I will be at the customer site next week so I cannot test this out before that; that's why I'm asking this now.

PS: I wasn't aware of the IP alias feature, so I guess your suggestion is even better than sending it through a separate network interface. It is really amazing how many use cases can be covered with MWG!

Best regards,

Nicolas

McAfee Employee
Message 4 of 6

Re: Route specific traffic over dedicated network interface in Web Gateway via ruleset

Hi Nicolas,

No problem. Officially it looks like it's not supported for ProxyHA. Technically though, I was able to get it to work, so your mileage may vary.

When using ProxyHA, step #2 is not an option, so my rule changed a little bit. In this case 10.10.69.172 is still an alias on eth0.

If you scale this out, each appliance would need its own alias IP, and in the rules you dictate that that specific appliance uses the alias IP dedicated to itself.

Meaning:

mwg1 = 10.10.69.172

mwg2 = 10.10.69.173

As it scales it might look better like this:

Best Regards,

Jon
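The decision logic Jon describes in both answers (a single "Outbound Source IP list" entry referenced at index 0, and the per-appliance alias mapping for ProxyHA), written out as a small Python model. This is an added illustration, not McAfee Web Gateway code or rule syntax; the appliance names, the TeamViewer application label, and the test client subnet are assumptions, and the alias IPs are the ones from the thread.

```python
# Model of the outbound-source-IP override decision described in the thread.
# Added illustration only: MWG rules are built in the GUI, this just mirrors
# the matching logic so the scaling and failure cases are explicit.
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample data. Zero-indexed "Outbound Source IP list" (non-HA case)
# and per-appliance alias IPs (ProxyHA case), using the IPs from the thread.
OUTBOUND_SOURCE_IP_LIST = ["10.10.69.172"]
ALIAS_BY_APPLIANCE = {"mwg1": "10.10.69.172", "mwg2": "10.10.69.173"}
# Criteria the rule keys on: the detected application name (assumed label),
# plus a test client subnet used while validating the rule before widening it.
OVERRIDE_APPLICATIONS = {"TeamViewer"}
TEST_CLIENTS = ip_network("192.0.2.0/24")  # RFC 5737 documentation range


def needs_override(client_ip: str, application: Optional[str]) -> bool:
    """True when the request should leave via the dedicated NAT path."""
    if application in OVERRIDE_APPLICATIONS:
        return True
    return ip_address(client_ip) in TEST_CLIENTS


def outbound_source_ip(client_ip: str, application: Optional[str],
                       appliance: str, proxy_ha: bool) -> Optional[str]:
    """Return the alias IP the rule should select, or None for default egress."""
    if not needs_override(client_ip, application):
        return None
    if not proxy_ha:
        # Single appliance: "Enable Outbound Source IP Override" referencing
        # list entry 0 (the list is zero-indexed, as Jon notes).
        return OUTBOUND_SOURCE_IP_LIST[0]
    # ProxyHA: the list is unavailable, so each appliance must select its own alias.
    alias = ALIAS_BY_APPLIANCE.get(appliance)
    if alias is None:
        # Failure mode to catch when scaling out: an appliance without an alias
        # would otherwise egress from the shared NAT address the IPS blocks.
        raise KeyError(f"no alias IP configured for appliance {appliance!r}")
    return alias
```
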

McAfee Employee
Message 5 of 6

Re: Route specific traffic over dedicated network interface in Web Gateway via ruleset

Hey Nicolas,

I'm curious, did this work out for you?

Best Regards,

Jon

Re: Route specific traffic over dedicated network interface in Web Gateway via ruleset

Hi Jon,


We have a client that wants to make the most of their 3 ISPs in the branch. The requirement is that web traffic will go to a specific interface/ISP based on the ruleset source and destination criteria:

user group A - Allow List A > ISP1

user group B - Allow List B > ISP2

user group C - Allow List C > ISP3


Thanks in advance
