cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
shocko
Level 10
Report Inappropriate Content
Message 1 of 5
‎01-21-2020 02:14 PM

SSH via Proxy

Jump to solution

Guys, we have on premise developers who need to SSH to AWS EC2 VMs. I'd like to do this in a controlled manner. Wondering if McAfee have anything that can proxy these connections so we can terminate SSL and inspect traffic on them ?

0 Kudos
Reply
1 Solution

Accepted Solutions
MichaelJames
Level 9
Report Inappropriate Content
Message 5 of 5
‎01-28-2020 01:30 PM

Re: SSH via Proxy

Jump to solution

I will concur with the above posters. just one small caveat. The HTTP will Tunnel the SSH using the HTTP CONNECT compatible client (PUTTY, WINSCP, FileZilla). Web gateway detects the SSH stream as an SSL/TLS and will initiate a TLS connection to the remote server (at a minimum to validate teh x509 certificate in a Client/Server Hello).

You need to prevent this TLS handshake with a Stop RuleSet rather than a Stop Cycle. so that you are bypassing unless its true SSH.

 

 

View solution in original post

Reply
4 Replies
aloksard
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5
‎01-21-2020 10:01 PM

Re: SSH via Proxy

Jump to solution

Hi,

Hope you are doing well.

The best way to pass SSH traffic on MWG is to use SOCKS Proxy.(version >7.4.2)(configure new port for this if you want, per default 1080). With version >= 7.4.2 you will find a "SOCKS Proxy" ruleset in the library.

 

By default SOCKS proxy port is 1080.

 

Just enable the port under Configuration>Proxies and create a policy for SOCKS traffic by using Common Rules > SOCKS Proxy from the Rule Library.

 

You can enable SOCKS proxy by navigating to configuration->Appliance->Proxies->SOCKS Proxy->Enable it.


Then in Policy tab you need to import SOCKS proxy rule set from library.SOCKS proxy rule set is present under Common rules.

 

Please refer below link to know more about SOCKS proxy:-

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26528/en_US/...

 

Page 90.

 

It is seen that  SSH connection does not work with SSL Scanning enabled and  filtering possible is at the domain/IP:port level.


Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

 

Regards

Alok Sarda

0 Kudos
Reply
fw_mon
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 5
‎01-22-2020 01:27 AM

Re: SSH via Proxy

Jump to solution

additionally to SOCKS tunneling there is other, more simple way to allow SSH via MWG - using HTTP CONNECT:

Just place this rule above the HTTPS Scanner:

Name:
Allow SSH from 10.20.30.40 to ssh.example.com

Comment:

Rule Criteria:
Connection.IP equals 10.20.30.40 AND 
URL.Host equals "ssh.example.com" AND 
Command.Name equals "CONNECT"

Action:
Stop Cycle

 

In putty configure HTTP Proxy:

tunneling SSH via McAfee Web Gatewaytunneling SSH via McAfee Web Gateway

Check that the firewall allows outgoing connections from MWG to the destination host via SSH (TCP Port 22 by default).

Be aware that this method has some performance impact comparing to the SOCKS method.

To do the rule more secure you can add a basic auth and the port restiction.

0 Kudos
Reply
AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 5
‎01-23-2020 01:04 PM

Re: SSH via Proxy

Jump to solution

You can control it with a whitelist.  Just define a list of allowed hosts, and use that along with port 22 to allow or block.  You cannot do ssl inspection on this traffic.

url.host is in SSH_LIST and URL.Port equals 22, Stop Cycle

 

Putty allows for proxy of SSH connections.  It's fairly straightforward to setup, and no SOCKS proxy is required.

0 Kudos
Reply
MichaelJames
Level 9
Report Inappropriate Content
Message 5 of 5
‎01-28-2020 01:30 PM

Re: SSH via Proxy

Jump to solution

I will concur with the above posters. just one small caveat. The HTTP will Tunnel the SSH using the HTTP CONNECT compatible client (PUTTY, WINSCP, FileZilla). Web gateway detects the SSH stream as an SSL/TLS and will initiate a TLS connection to the remote server (at a minimum to validate teh x509 certificate in a Client/Server Hello).

You need to prevent this TLS handshake with a Stop RuleSet rather than a Stop Cycle. so that you are bypassing unless its true SSH.

 

 

View solution in original post

Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC