HermanSchenk
Level 11

Web Gateway LDAP authentication in clear text?


Hi all, today in my lab I played with EWS and MWG LDAP auth within OpenLDAP. I was surprised that EWS appears to encrypt the mechanism and MWG does not... so, is there any way to make MWG work like EWS?

Message edited by: HermanSchenk on 05/07/12 18:38:46 GMT-06:00

Accepted Solutions
McAfee Employee

Re: Web Gateway LDAP authentication in clear text?


Here is a ruleset you can toy with.

You will need to add a new proxy port (10000); for that port, you need to add * for ports treated as SSL.

The ruleset is barebones, and you will need SSL scanner on in order for HTTPS to authenticate properly.

Let me know how this works and if it makes any sense.

Normally you would have to exempt the MWG's IP in the proxy settings, but I tried to make sure that wasn't needed.

Best,

Jon

5 Replies
McAfee Employee

Re: Web Gateway LDAP authentication in clear text?


Hi Herman,

Short answer, yes. Use the Authentication server or Direct proxy auth with Kerberos.

Long answer: The two devices use two different types of authentication (EWS only does one, MWG does many many many)! This is why you are seeing differences.

For EWS, it only does "Web based" authentication, which means you will be redirected to an "Authentication server" of some kind (on the EWS); it will then authenticate you and give you a cookie.

For MWG, it offers a number of different types of authentication, the main ones being Direct Proxy Authentication, Authentication Server, Cookie Authentication Server.

If you are using Direct Proxy Authentication with LDAP, then yes, the credentials will be sent with every request, base64 encoded. If you use the authentication server, then you can authenticate with the authentication server once every X seconds (default is 600), and this communication can be whatever you like (HTTP/HTTPS).

But they are two fundamentally different types of authentication, and have different underlying processes for user authorization.

Hope this helps,

Jon
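The following is an added example, not part of the original thread or of any McAfee ruleset. It audits captured client-to-proxy requests and shows why base64-encoded credentials sent with every request count as clear text, while a Kerberos (Negotiate) header carries no password. It assumes direct proxy authentication uses the standard HTTP `Proxy-Authorization: Basic` header; the user name, password and requests are constructed.

```python
import base64

# Constructed sample: three requests as seen on the client-to-proxy segment.
# The user name and password are made up for this example.
_BASIC = base64.b64encode(b"hschenk:Lab-Passw0rd").decode()
SAMPLE_REQUESTS = [
    "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
    f"Proxy-Authorization: Basic {_BASIC}\r\n\r\n",
    "GET http://example.com/logo.png HTTP/1.1\r\nHost: example.com\r\n"
    f"Proxy-Authorization: Basic {_BASIC}\r\n\r\n",
    "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
    "Proxy-Authorization: Negotiate YIIConstructedTicket==\r\n\r\n",
]


def audit_request(raw):
    """Return (scheme, user, recoverable) for one raw HTTP proxy request."""
    for line in raw.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, blob = value.strip().partition(" ")
        if scheme.lower() != "basic":
            # e.g. Negotiate (Kerberos): a ticket, not a password, is on the wire
            return scheme, None, False
        try:
            decoded = base64.b64decode(blob.strip(), validate=True)
        except ValueError:
            return "Basic", None, False  # malformed token
        user, sep, _password = decoded.decode("utf-8", "replace").partition(":")
        return "Basic", user, bool(sep)  # password is deliberately not returned
    return None, None, False


def summarize(requests):
    """Count, per user, the requests from which a password is recoverable."""
    exposed = {}
    for raw in requests:
        _scheme, user, recoverable = audit_request(raw)
        if recoverable:
            exposed[user] = exposed.get(user, 0) + 1
    return exposed


if __name__ == "__main__":
    for user, count in summarize(SAMPLE_REQUESTS).items():
        print(f"{user}: password recoverable from {count} request(s)")
```
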

HermanSchenk
Level 11

Re: Web Gateway LDAP authentication in clear text?


Excellent answer! Thanks Jon

Until next time

HermanSchenk
Level 11

Re: Web Gateway LDAP authentication in clear text?


I understand the concept, but can you help me build the rule? I tried to do it, but the text saying that the information will be sent in clear text always appears... so frustrating.

Thanks in advance

Message edited by: HermanSchenk on 06/07/12 13:58:16 GMT-06:00
HermanSchenk
Level 11

Re: Web Gateway LDAP authentication in clear text?


It works!! You are a master! Thanks a lot, thanks, thanks!

You deserve a raise.