Web Gateway question

I am new to the web gateway, and I have been tasked with migrating our current physical web gateway to a virtual one on Hyper-V. I have not had much luck with my Google-fu today (guess I might not be asking the right questions).

So we would like to migrate our current version from 7.6.2.13.0 to 7.8.0.2 (or the recommended virtual appliance for Hyper-V).

I assume we could build the new VM, set the IPs of the NICs the same as the original one, then do a backup of the original gateway and power down/disconnect the original gateway from the network. Then connect the new virtual gateway to the network with the same IPs and restore the backup file.

I guess my concern would be whether I could just restore a 7.6.x backup to a newer version gateway without any issues. I would also like to know if there are possibly any good guides around for the migration I am trying to attempt.

Any information would be greatly appreciated.

Thanks in advance.

Accepted Solutions
jscholte (McAfee Employee), Message 2 of 9

Re: Web Gateway question

Hi Rafaela,

To set up MWG on Hyper-V, check out this article: McAfee KB - How to set up Web Gateway on a Hyper-V virtual platform. Most installation guides include it as well: McAfee KB - Web Gateway 7.7.0 Installation Guide

What you described is what you'd want to do. I'd suggest just getting the Hyper-V instance up and running on its own IP first, then you can restore the policy-only backup onto the virtual instance, then test and verify it's functioning as the old instance was.

After all is verified, update the IP in the virtual instance and perhaps just change the IP or remove the network cable on the physical appliance (whichever is easier).

There should be no issues restoring a 7.6 backup on a 7.8 node as MWG7 is always backwards compatible.

Best Regards,

Jon

8 Replies
Re: Web Gateway question

Jon,

Thanks for pointing me in the right direction, much appreciated.

Rafa

Re: Web Gateway question

Jon,

This might be a dumb question but I will ask anyway...

When I stand up the VM with its new IPs and host name, I can configure all the settings the same as the physical gateway, correct? Add LDAP or EPO connections and whatnot? And do like you said above, just restore the policy-only backup?

When we go live, I am guessing we need to make the IPs and host name the same as the physical gateway? Are there any gotchas I may not be thinking about that could bite me?

I know without you knowing my environment we are guessing so any info you can give would be great.

Thanks again

Rafa

Re: Web Gateway question

We have clusters that include both physical appliances and VMs, and I can't imagine anything that's different in the UI, except for the listing of available network interfaces. I'd be interested to hear if anyone knows of some other difference.

jscholte (McAfee Employee), Message 6 of 9

Re: Web Gateway question

Pretty much everything can be configured the same, except for some items; you might want to specify a different hostname, for example.

If you join the MWG to the domain, be sure to use a new name (mwg1 vs mwg2).

As John mentioned, VMs and appliances are treated the same.

Best Regards,

Jon

Re: Web Gateway question

Great!

Thanks John and Jon

btlyric (Level 12), Message 8 of 9

Re: Web Gateway question

One consideration wrt migrating from a physical appliance to a VM is the extent to which you log connections to local disk on each proxy.

If you are performing extensive logging, it's possible that the underlying storage infrastructure associated with the VM will not be able to handle that load/disk IO.

If you are using the default MWG log configuration, this is probably not a concern.

Although the default MWG log configuration is relatively reasonable, if you want a logging configuration that provides most/all the data that is potentially useful for identifying and isolating specific incidents and/or tracking/identifying specific issues, the default configuration is probably not what you should implement.

In my configuration, our CEF-formatted log lines may exceed 1500 characters. When combined with large rulesets and concurrent client counts, the logging effort can result in connection delay even on very capable appliance hardware. Additionally, some syslog servers/versions will truncate messages received via syslog if they exceed certain lengths.
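The truncation risk mentioned in the post above can be measured before cutover. The following is an added example, not part of the original post and not McAfee code: it reports which CEF extension fields a receiver would drop if it cut messages at a given byte limit. The sample log line, its field names and the vendor/product strings are constructed for illustration, and the limit is applied to the CEF payload only (the syslog header also counts against it in practice).

```python
import re

# Commonly cited syslog size limits in bytes: RFC 3164 caps a packet at 1024;
# RFC 5424 says receivers should accept messages of up to 2048.
LIMITS = {"rfc3164": 1024, "rfc5424": 2048}

# An extension key is a word followed by "=" at the start or after whitespace,
# so "a=b" inside a URL query string is not mistaken for a key.
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

def extension_keys(cef_line):
    """Return the extension keys, in order, found after the 7 CEF header fields."""
    parts = re.split(r"(?<!\\)\|", cef_line, maxsplit=7)
    if len(parts) < 8:
        return []  # the header itself is incomplete
    return KEY_RE.findall(parts[7])

def truncation_report(cef_line, limit):
    """Show what a receiver that cuts messages at `limit` bytes would keep."""
    raw = cef_line.encode("utf-8")
    kept = raw[:limit].decode("utf-8", errors="ignore")
    before, after = extension_keys(cef_line), extension_keys(kept)
    truncated = len(raw) > limit
    return {
        "bytes": len(raw),
        "truncated": truncated,
        # Last key that survives; its value is usually the one cut short.
        "cut_key": after[-1] if truncated and after else None,
        # Keys that never reach the log store at all.
        "lost_keys": before[len(after):],
    }

def sample_line():
    """Constructed CEF line with a long URL, similar in size to the 1500+ case."""
    long_url = "http://example.test/" + "a" * 1500
    return ("CEF:0|ExampleVendor|WebProxy|1.0|100|Proxy Access|3|"
            f"src=10.0.0.5 suser=alice request={long_url} "
            "act=blocked cs1Label=RuleName cs1=Block-List")

if __name__ == "__main__":
    for name, limit in LIMITS.items():
        print(name, truncation_report(sample_line(), limit))
```

Fields placed after a long value such as the URL are the first to disappear, so a log format that puts the action and rule name before the URL keeps them searchable even when a receiver truncates.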

Re: Web Gateway question

btlyric,

Thanks for the info, we should be good on the I/O. Verified the physical one and it was only about 9 GB of storage. Just in case, I set the VM to 250 GB for storage. EPO is integrated and is collecting logs there, so I will need to confirm that is set on the new VM when we cut over.

I have stood up the gateway VM and am currently testing it. So far so good! Basically, just like Jon said: stand up the new VM, mirror the settings from the old one (except the IP(s) and host name) and then restore just the policy.

Now we need some policy clean up... oh... man... this looks like a mess... I am no policy expert but I can sure tell the last person who managed this was not really sure what they were doing. I will save that for another post.

Thanks again for all the help, guys.
