I have been trying to set up policies in our Webgateway version 188.8.131.52.0. The idea has been to use different policies without adding users to the MWG. We are using the McAfee Client Proxy to connect to the MWG. I have tried to achieve what I want in two different ways but not managed to succeed. Maybe someone has better knowledge of how to get this done?
Idea 1 was to use different Proxy ports for different policies, something like this:
I also tried with Connection.Port but it didn't work as planned.
Idea 2 was to add more than one Authentication With McAfee Client Proxy, with different user names and passwords. Like this:
I then add a criteria to the URL filtering:
The criteria for "Authentication With McAfee Client Proxy" works fine, but when I try to use the policy for "Authentication With McAfee Proxy(1)" I get an error on the clients that my client is not authenticated. I have added the user name and password for "Authentication With McAfee Proxy(1)" in epo, but it still fails...
How do I set this up correctly? Any help would be greatly appreciated.
I am a bit confused about your question here.
The title of this post is "several policies without AD or local users", so does this mean you don't have active directory, and you don't want to have to add users to the MWG's local database?
What you explained above has more to do with MCP authentication; it just seems like MCP and MWG are not set up correctly and therefore you get blocked.
To set up MCP correctly, see the Best Practice:
Thanks for your reply! I'm sorry if my question seems confusing. I have looked at the URLs you provided, but I still do not know how to get MCP to work with more than one policy... If I use just one policy it works great! It is when I try to add a second policy for other users that I run into trouble...
There is no Active Directory and I don't want the users in the local database. I just want to install MCP from ePO and then be able to give different PCs in ePO different MWG policies. Is it possible to do this somehow? For example, I would like to use different URL filters for different users.
URL Filtering and Authentication are two different things, so it's important to keep them separate. You may perform URL filtering based on Authentication information, but that's it.
What do you mean by "how to get MCP to work with more than one policy"? What "policy" are we talking about here? Is this the policy you're creating in ePO?
Or are you talking about URL filtering "policies"?
If MCP policies, this just sounds like you created multiple keys and deployed them to the clients. You should have one single key deployed to all clients.
If URL filtering policies, we're getting ahead of ourselves as it seems like MCP is not working as expected, so we need to fix it first.
Thanks for your fast reply Jon,
the goal is to be able to use several URL filters.
Let me give you a practical example. Let us say I am administrating a group of schools. The schools do not have Active Directory, and handling the users in a local database will be too much administration since many new students arrive every year and just as many leave.
Each school wants to use its own URL filter. All the clients have the ePO agent, and since we want the students to go through the MWG when they are at home as well, we want to use MCP.
Can this be achieved somehow? If I can only use one account and key with MCP, how can I separate the users in the different schools? Using IP addresses is not an option since the policy is also supposed to work from home.
I get it now. So you are deploying MCP to users at different school districts, and each district/school has its own unique ePO MCP policy. Correct? Are you using SaaS too (for users while they're at home) or are you redirecting users to the public address of your MWG?
I can't see this working if you're using SaaS, but if you're using your own MWG, then you can assign each district/school its own "Customer ID". This ID is used in the MCP policy and also in the MWG policy to determine what district/school the user is coming from. You can then assign the user a URL filtering policy based on what Customer ID they authenticated with.
Hi Jon and thanks for trying to help me resolve this issue!
This is exactly what I am trying to achieve! I have created two Authentication With McAfee Client Proxy rules, like this:
They are configured with different Customer IDs and passwords:
I have created two URL filter rules:
With criteria that match McAfee Client Proxy and McAfee Client Proxy (1) like below:
I have created two MCP policies in ePO and imported the two different .xml files with different Customer IDs for different schools:
The problem is that only the users that use McAfee Client Proxy can reach the internet; the users with McAfee Client Proxy (1) get an authentication error instead.
I was thinking this might be due to the fact that the first MCP policy blocks when it fails to authenticate, and the users of MCP (1) need to reach the next rule to get authenticated, so I tried changing block to continue, but it didn't solve my problem:
Do you have any idea what I am doing wrong?
This all makes sense, and I do know what's going wrong.
You should unlock the rules for "Authentication with McAfee Client Proxy", and then delete "Authentication with McAfee Client Proxy (1)".
Inside of "Authentication with McAfee Client Proxy", we're going to rinse and repeat with the "Verify headers" rule. You should modify the first rule to have criteria like what's shown in the screenshot below.
- Criteria: Header.Request.Get("X-SWEB-AuthCustID") equals "ID-FOR-SCHOOL-1" AND
  Authentication.Authenticate(MCP settings for School 1) equals false
If you want to set a user-defined variable to denote what school it is, you can; this might be useful in determining what URL filtering to use later.
Let me know if this helps.
Hello Jon and thanks a lot for really making an effort to help me!
I was feeling more optimistic this time, what you suggested looked promising but unfortunately I still do not get it to work...
I set up the rule as you suggested, but the "Catch all for no match" rule seemed to block everything, so I changed it to the below, but it still blocked everything:
If I disabled "Catch all for no match" I could get the default policy to work, but not the second one. I thought maybe this was due to the rule criteria being set to "Criteria: Authentication.Is.Authenticated equals false", because when I look at the criteria it wants me to decide if it applies to MCP or MCP S. I decided to change this to Always like in the screenshot below:
Unfortunately the result is still the same, though. When I use the default policy (MCP) and disable "Catch all for no match" it works, but if I do the same using MCP S I still get the default policy instead of the one created for this user. As soon as "Catch all for no match" is enabled, everything gets blocked with the "McAfee Web Gateway has blocked your request because you have not been authorized and authorization i required" error.
I have changed my URL filtering to use the new User-Defined criteria:
and a similar one for the second URL filter, but with S instead of Default.
Still, it seems I am doing something wrong. Do you have any more suggestions or ideas about what kind of mistake I am making?
Thanks again for all your help.
I goofed on the catch all rule.
The catch-all criteria should be simplified to use a list instead of two separate criteria, like: Header.Request.Get(x-sweb-cust...) is not in list [List of Accepted Customer IDs].
The reason is that each criterion is evaluated individually. So when you wrote the criteria as:
Not ID=1 *OR*
"1" is not "9" and conversely "9" is not "1", so the rule triggered because one statement will always be true and you were blocked.
If this does not work (I'm fairly certain it will), please get a support case opened on this one and include a feedback and a rule trace. Do not upload the feedback here as it has sensitive information in it.
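The per-school rules from Jon's earlier reply and the catch-all fix from this one, as an added simulation that is not part of the thread and not McAfee's code: it models the MWG rule flow over the X-SWEB-AuthCustID header and shows why the catch-all written as two OR'd "not equals" criteria blocks every request, while "is not in list" does not. The Customer IDs, passwords and the `authenticate()` stand-in for Authentication.Authenticate(MCP settings) are constructed values.

```python
# Added example: simulation of the Web Gateway rule logic discussed above.
# Not McAfee's code; Customer IDs and passwords are constructed.

ACCEPTED_CUSTOMER_IDS = ["ID-FOR-SCHOOL-1", "ID-FOR-SCHOOL-2"]

# Constructed stand-in for "Authentication.Authenticate(<MCP settings>)":
# each school's MCP settings accept exactly one shared secret.
MCP_SETTINGS = {"ID-FOR-SCHOOL-1": "pw-school-1",
                "ID-FOR-SCHOOL-2": "pw-school-2"}


def authenticate(cust_id, password):
    return MCP_SETTINGS.get(cust_id) == password


def buggy_catch_all_blocks(cust_id):
    # The original catch-all: two separate criteria joined with OR.
    # One of the two is always true, so every request is blocked.
    return cust_id != "ID-FOR-SCHOOL-1" or cust_id != "ID-FOR-SCHOOL-2"


def fixed_catch_all_blocks(cust_id):
    # Corrected catch-all: a single "is not in list" criterion.
    return cust_id not in ACCEPTED_CUSTOMER_IDS


def evaluate(headers, password, catch_all=fixed_catch_all_blocks):
    """Return ("block", reason) or ("allow", school_id) for one request."""
    cust_id = headers.get("X-SWEB-AuthCustID", "")
    # One rule per school: block if this Customer ID fails to authenticate
    # against that school's MCP settings (Authentication.Authenticate == false).
    for school_id in ACCEPTED_CUSTOMER_IDS:
        if cust_id == school_id and not authenticate(cust_id, password):
            return ("block", "authentication failed for " + school_id)
    if catch_all(cust_id):
        return ("block", "customer ID not accepted")
    # The school ID doubles as the user-defined variable that the
    # URL filtering rules can later match on.
    return ("allow", cust_id)


if __name__ == "__main__":
    req = {"X-SWEB-AuthCustID": "ID-FOR-SCHOOL-2"}  # constructed request
    print(evaluate(req, "pw-school-2", buggy_catch_all_blocks))  # blocked
    print(evaluate(req, "pw-school-2"))                         # allowed
```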