Showing results for 
Search instead for 
Did you mean: 
Level 9
Report Inappropriate Content
Message 1 of 5

SSH via Proxy

Guys, we have on premise developers who need to SSH to AWS EC2 VMs. I'd like to do this in a controlled manner. Wondering if McAfee have anything that can proxy these connections so we can terminate SSL and inspect traffic on them ?

4 Replies
aloksard McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: SSH via Proxy


Hope you are doing well.

The best way to pass SSH traffic on MWG is to use SOCKS Proxy.(version >7.4.2)(configure new port for this if you want, per default 1080). With version >= 7.4.2 you will find a "SOCKS Proxy" ruleset in the library.


By default SOCKS proxy port is 1080.


Just enable the port under Configuration>Proxies and create a policy for SOCKS traffic by using Common Rules > SOCKS Proxy from the Rule Library.


You can enable SOCKS proxy by navigating to configuration->Appliance->Proxies->SOCKS Proxy->Enable it.

Then in Policy tab you need to import SOCKS proxy rule set from library.SOCKS proxy rule set is present under Common rules.


Please refer below link to know more about SOCKS proxy:-


Page 90.


It is seen that  SSH connection does not work with SSL Scanning enabled and  filtering possible is at the domain/IP:port level.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!



Alok Sarda

Level 10
Report Inappropriate Content
Message 3 of 5

Re: SSH via Proxy

additionally to SOCKS tunneling there is other, more simple way to allow SSH via MWG - using HTTP CONNECT:

Just place this rule above the HTTPS Scanner:

Allow SSH from to


Rule Criteria:
Connection.IP equals AND 
URL.Host equals "" AND 
Command.Name equals "CONNECT"

Stop Cycle


In putty configure HTTP Proxy:

2020-01-22 10_09_09-PuTTY Configuration.pngtunneling SSH via McAfee Web Gateway

Check that the firewall allows outgoing connections from MWG to the destination host via SSH (TCP Port 22 by default).

Be aware that this method has some performance impact comparing to the SOCKS method.

To do the rule more secure you can add a basic auth and the port restiction.

AaronT Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 5

Re: SSH via Proxy

You can control it with a whitelist.  Just define a list of allowed hosts, and use that along with port 22 to allow or block.  You cannot do ssl inspection on this traffic. is in SSH_LIST and URL.Port equals 22, Stop Cycle


Putty allows for proxy of SSH connections.  It's fairly straightforward to setup, and no SOCKS proxy is required.

Re: SSH via Proxy

I will concur with the above posters. just one small caveat. The HTTP will Tunnel the SSH using the HTTP CONNECT compatible client (PUTTY, WINSCP, FileZilla). Web gateway detects the SSH stream as an SSL/TLS and will initiate a TLS connection to the remote server (at a minimum to validate teh x509 certificate in a Client/Server Hello).

You need to prevent this TLS handshake with a Stop RuleSet rather than a Stop Cycle. so that you are bypassing unless its true SSH.



You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community