Hi all,
Today I integrated MWG into my DXL environment. I studied the MWG 7.5.2 product guide and KB84824.
I configured these settings:
20:56:29.517: Tracing enabled
20:56:49.107: dxl_async_request(/mcafee/service/tie/file/reputation,760): DERR_OK
{"hashes":[{"value":"St60SKwDOmb++/XS5grv1CjzQUU=","type":"sha1"},{"value":"Zmk0wZJ9d/YY7lqaG2NE4Q==","type":"md5"}]}
20:56:49.112: dxl_async_request callback for 760: ok
{"reputations":[{"providerId":5,"createDate":1434826406,"trustLevel":1,"attributes":{"4195730":"5"}},{"providerId":3,"createDate":1434826398,"trustLevel":0,"attributes":{"2114965":"1","2139285":"72339069014638857","2101652":"1","2111893":"13","2102165":"1434826398"}}],"props":{"submitMetaData":1,"serverTime":1434826609}}
20:57:19.711: Tracing disabled
Looks good so far, but there are some troubles and questions.
Has anyone tested this or has some more information?
Cheers
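The two payloads in the trace above can be read as follows. This is an added example, not part of the original post or of any McAfee code. The provider and trust-level names are taken from the published OpenDXL TIE client constants and are an assumption as far as this thread goes; attribute ids are left raw.

```python
import base64
import json
from datetime import datetime, timezone

# Names per the OpenDXL TIE client constants (assumption, not stated in the thread).
PROVIDERS = {1: "GTI", 3: "Enterprise", 5: "ATD", 7: "MWG"}
TRUST_LEVELS = {0: "Not set", 1: "Known malicious", 15: "Most likely malicious",
                30: "Might be malicious", 50: "Unknown", 70: "Might be trusted",
                85: "Most likely trusted", 99: "Known trusted",
                100: "Known trusted installer"}
HASH_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}

# Payload lines copied from the DXL trace in the post above.
REQUEST = ('{"hashes":[{"value":"St60SKwDOmb++/XS5grv1CjzQUU=","type":"sha1"},'
           '{"value":"Zmk0wZJ9d/YY7lqaG2NE4Q==","type":"md5"}]}')
RESPONSE = ('{"reputations":[{"providerId":5,"createDate":1434826406,"trustLevel":1,'
            '"attributes":{"4195730":"5"}},{"providerId":3,"createDate":1434826398,'
            '"trustLevel":0,"attributes":{"2114965":"1","2139285":"72339069014638857",'
            '"2101652":"1","2111893":"13","2102165":"1434826398"}}],'
            '"props":{"submitMetaData":1,"serverTime":1434826609}}')

def decode_hashes(request_json):
    """Return {type: hex digest}. The request carries digests base64-encoded."""
    out = {}
    for entry in json.loads(request_json)["hashes"]:
        raw = base64.b64decode(entry["value"], validate=True)
        expected = HASH_BYTES.get(entry["type"])
        if expected is not None and len(raw) != expected:
            raise ValueError(f"{entry['type']} digest has {len(raw)} bytes")
        out[entry["type"]] = raw.hex()
    return out

def summarize(response_json):
    """Return one row per provider with readable provider, trust level and UTC time."""
    rows = []
    for rep in json.loads(response_json)["reputations"]:
        pid, level = rep["providerId"], rep["trustLevel"]
        created = datetime.fromtimestamp(rep["createDate"], tz=timezone.utc)
        rows.append({"provider": PROVIDERS.get(pid, f"provider {pid}"),
                     "trust": TRUST_LEVELS.get(level, f"level {level}"),
                     "created": created.isoformat(),
                     "attributes": rep.get("attributes", {})})
    return rows

if __name__ == "__main__":
    print(decode_hashes(REQUEST))
    for row in summarize(RESPONSE):
        print(row["provider"], "|", row["trust"], "|", row["created"])
```

The hex digests are what you would search for in ePO under TIE Reputations or compare against a file on disk.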
Servus Thorsten,
the below is all you need. MWG can just subscribe and not publish (yet).
To be very clear - MWG can not publish reputations to TIE right now. We are working internally to get this lined up.
The generic DXL properties that are referenced will enable you to do all kinds of cool things on a Main version while we introduce specific properties such as TIE.Filereputation in the Controlled version of MWG. The generic properties will allow you to do all these things that the property automates by hand, so that you can use more and new features even when you are not a controlled release but have selected 7.5.2 as Main, once it becomes Main.
+ you need to enter the ePO DXL credentials under Configuration > ePO
+ you need the mep extension (available from https://contentsecurity.mcafee.com)
+ you need to have TIE/DXL running obviously
Hallo Michael,
thanks for the reply, the MWG product manual and the MWG help were confusing me, especially Page 160 in the product manual.
So, I do not have to configure something under Configuration -> Proxies -> Data Exchange Layer. Is this right?
But, and this is really helpful, I can see MWG under TIE Reputations (Where has file run) 🙂
Cheers,
Thorsten
Yep - I know Thorsten, the guide is pretty detailed (which is good) but creates a wrong picture in that regard. As mentioned TIE/DXL and MWG is really easy with that single rule I posted.
I'll ask my docu team to look into improving the section in the docu.
thanks,
Michael
Small correction, the gating criteria for the rule set needs to be AND not OR.
Dear MSchneider,
I need help with MWG integration with the TIE server, but in my environment the ePO server is installed on custom ports and the MWG server is unable to connect to the DXL server because the MWG server uses the default web console port.
So please let us know whether we can change the configuration on the MWG server.
Dear All,
I need to configure MWG, ATD and TIE. Could you show me the steps to integrate these together? Is there any document about this? I could integrate TIE with ATD but don't know about MWG.
Thanks,
Smalldog
This is real easy going. My information depends on a functioning TIE, DXL environment.
1) Install the Mobile EPO extension into EPO. You can download the extension from https://contentsecurity.mcafee.com -> download -> tools -> McAfee EPO extension -> MePO extension.
2) After a successful check-in you can see a new option in the McAfee Agent policy.
Activate this setting as seen in the screenshot.
3) In MWG GUI -> Configuration -> ePolicy Orchestrator add the EPO Server name and an user account to register MWG to DXL.
You can use the admin account. If you are using a different user, this EPO user must have the following user right granted: DXL McAfee MePO Certificate Creation:
Check the dxl Log on MWG if there are any errors. The log is located under the debug logs.
Note: There is no McAfee Agent installed on MWG. There is only a System Tree object generated in the EPO System Tree through the MePO extension!
If everything is fine you can see MWG in the System Tree. Some important information:
- The last communication field shows the date when the object was generated. This value will not be updated. At the moment this is by design.
- The Agent version 4.6.0 is shown. This is okay and by design at the moment. Remember, there is no McAfee Agent installed on MWG!!
3) Add the ruleset as shown above to your MWG ruleset.
- Do NOT enter any value under Configuration -> Proxies (HTTP(S), SOCKS, ICAP...) -> Data Exchange Layer. This is not necessary.
Finally just test your deployment with any file downloadable from internet.
4) EPO Reporting
4.1) If everything is successful you can see the proxy entry under TIE Reputations -> Where has file run -> (dxlproxy.mal.ware is my mwg)
4.2) The query "TIE Server Top 10 Systems with New Files in Last Week" also shows the requests of your proxy.
4.3) If you are using ATD version 3.4.8.96.50610 you will also see your ATD System like your MWG.
4.4) If using the ATD Threat Event extension in EPO you can see a Threat Event for any ATD detection in EPO.
5) At the moment there are two limitations with MWG and the MePO extension.
-Stop MWG services: service mwg stop
-Delete the following folder and its contents: /opt/mwg/data/dxl (do NOT remove the subdirectories)
-Start MWG services: service mwg start
Hope this helps,
Cheers
Dear Troja,
That's very clear. I will try your recommendations. Thanks so much!
Best Regards,
Smalldog
Dear Troja,
I installed the MePO extension, which reported success, but I don't see the new option "Enable msg..." and I also cannot assign the permission "DXL McAfee MePO Certificate Creation, Create DXL McAfee MePO Certificates" on ePO. So I cannot connect MWG to DXL. I don't know whether I am missing something. ePO version is 5.1.1 and Web Gateway version is 7.5.2.1.0.
Thanks,
Smalldog