I have a remote location that is creating a VPN tunnel between their ASA5505 and my ASA5520. On the old Webwasher (Secure Computing), I could send an HTTP query to the Secure Computing SmartFilter through the ASA5520. If the response from the SmartFilter was an OK, then they were allowed access to the URL via a split tunnel (direct access) to the net instead of accessing the net through their VPN tunnel. This worked extremely well when Secure Computing owned Webwasher. Under McAfee ownership, this option is no longer available from what I can see. Additionally, it does not look like Websense is supported either.
Can you tell me if either of these options or something similar are available in MWG 7.0.2 or will be in a newer release? I really, really do not want to flood my VPN tunnel with Internet traffic.
What I imagine you are speaking of is called IFP; it is implemented in McAfee Web Gateway version 6.x, but not currently in 7.x.
If you open up an SR, we can add you on to the feature request for that for tracking purposes.
Thanks muchly for the response. I am familiar with IFP, had just forgotten about it. This was such a great feature to have that I can't believe they took it out.
Thanks for bringing this up. We are counting votes to bring this back to the product. Can you elaborate a little on your infrastructure, so we can maybe find a way for you to survive until we add it back?
I am in the Seattle area, and I have an office in North Carolina. My data center is on the West Coast with me. In my data center I have an ASA 5520 which handles my firewall and VPN. In the data center is also my MWG 7.0.2, which is used strictly for handling our web access. In my East Coast office I have an ASA 5505 which creates an IPsec VPN tunnel to my data center. This is how they utilize network resources, email, accounting, etc.
When Secure Computing owned Web Washer, there was a supported option in the ASA 5520 to use Secure Computing Smartfilter on port 4005. My end user in NC would open their browser and request access to any given site. That request would be sent from the EU PC to their ASA 5505, which in turn would send that request to my ASA 5520. My ASA 5520 would send the request on port 4005 to the Web Washer. If the Web Washer returned an allowed response, that response would be sent back to the remote 5505 in NC and the user would be allowed access to the site via a split tunnel (direct access). On the surface, this looks slow, but it is not. This process is very quick and very reliable and I would love to have this back.
As of now I have two options for this location. First, full unfiltered, direct access to the net, which is not going to happen. Second, set up my remote users as proxy clients (done), send all traffic to the data center and just deal with the speed issues. The speed issues are significant in this setup, as local sites to this location have now become a 12,000 mile round trip in their browser.
Anyway, I don't know if this answered your question or not.
Sorry for posting to an old thread. I have a similar issue and have discovered a free/open-source program that can act as either an N2H2 or Websense IFP server. In other words, I -think- you can run this program, which opens up port 4005 for IFP, and it will then redirect incoming requests to ANY proxy server, and then reply back to the requesting system whether it was kosher or not.
I am still testing it but will reply again to let everyone know how it goes. I know this will not be an optimal solution for many companies, but at least (I think) it would allow you to use MWG 7.x as an IFP-like server.
Here's the URL to the program at SourceForge:
Here's the help file after you install it on a linux box:
Usage: openufp [OPTIONS] <-n|-w> <BACKEND>
Example: openufp -n -p '192.168.1.10:3128:Access Denied.'
Example: openufp -n -f blacklist -p '192.168.1.10:3128:Access Denied.'
Example: openufp -C http://www.test.com
-l PORT on which port openufp will listen for incoming requests
-r URL when url is denied the client will be redirected to this url; n2h2 only
-c SECS cache expire time in seconds; default 3600; 0 disables caching
-C URL remove specified URL from cache
-d LEVEL debug level 1-3
-n act as n2h2 server
-w act as websense server
-p IP:PORT:DENY_PATTERN use the proxy backend
IP is the ipnumber of the proxy server
PORT is the portnumber where the proxy server is listening on
DENY_PATTERN is a piece of text that should match the deny page
-f FILE use the blacklist file backend
FILE is a file which contains blacklisted urls
-g use the squidGuard backend
The default location of the cache db is /var/cache/openufp/cache.db.
When squidguard backend is used be sure that this program has rw permissions
to the squidguard db files.
Report bugs to: email@example.com
Interesting project. I tried it out.
It does accept an IFP packet, create a proxy request, get a response, and send an IFP response back to the router.
There are some fundamental issues that will not make it a viable method for use with MWG7.
1) Authentication is one of them.
You won't be able to get any kind of username into the session in a manner that MWG will recognize.
IFP on MWG6 uses a redirect to a dynamic URL that did AuthServer authentication and used that for its tracking of users.
openufp does not return the redirection URL back to the client to facilitate that process.
2) You're making a proxy request to the MWG. MWG will actually get the page and process it and send the whole page back to openufp.
In essence here's what happens:
So you are actually getting the page twice from the web server, and the MWG is sending the page back to openufp, which actually doubles the bandwidth usage since each request goes to the site twice.
A better method would be to send an ICAP request to MWG instead of a proxy request. I would even offer to help get that working with the openufp developer except that IFP is going to be in MWG7 eventually and I don't know that I have the time to do it.
Nice try, though.
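The reply above suggests an ICAP request to MWG in place of openufp's proxy-fetch backend, which pulls the whole page through the proxy and pattern-matches the deny page. The following is an added example written for this edit, not code from openufp, McAfee or anyone in this thread. It builds an ICAP REQMOD request (RFC 3507) for the URL the router asked about and classifies the filter's answer from the ICAP status line and Encapsulated header alone, so no page body is transferred: 204 means the request passed unmodified (allow), 200 with an encapsulated HTTP response means the filter substituted its own block page (deny). The ICAP host, service name, X-Client-IP and X-Authenticated-User headers (the latter is the common ICAP extension for passing a username; whether a given MWG version honours it is an assumption) and the sample replies are all constructed.

```python
"""Classify a URL by sending an ICAP REQMOD request instead of fetching the page.

Added example, not openufp or MWG code. Only ICAP headers are read, so the
filter's verdict is obtained without pulling the page body through the proxy.
"""
import socket
from urllib.parse import urlsplit

ICAP_HOST = "192.168.1.10"   # assumed filter address, not from the thread
ICAP_PORT = 1344             # default ICAP port (RFC 3507)
ICAP_SERVICE = "reqmod"      # assumed service name; the real path is product specific


def build_reqmod(url: str, client_ip: str, user: str = None) -> bytes:
    """Build a REQMOD request carrying a minimal HTTP GET for `url`."""
    host = urlsplit(url).netloc
    http_req = f"GET {url} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    icap_hdr = (
        f"REQMOD icap://{ICAP_HOST}:{ICAP_PORT}/{ICAP_SERVICE} ICAP/1.0\r\n"
        f"Host: {ICAP_HOST}\r\n"
        f"X-Client-IP: {client_ip}\r\n"                       # extension header, assumed
        + (f"X-Authenticated-User: {user}\r\n" if user else "")  # extension header, assumed
        + "Allow: 204\r\n"                                   # let the server answer 204
        # null-body: only an HTTP request header is encapsulated, no body
        f"Encapsulated: req-hdr=0, null-body={len(http_req)}\r\n\r\n"
    ).encode()
    return icap_hdr + http_req


def classify_icap_reply(raw: bytes) -> str:
    """Return 'allow', 'deny' or 'error' from the raw bytes of an ICAP reply."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/") or not parts[1].isdigit():
        return "error"
    status = int(parts[1])
    if status == 204:
        return "allow"            # request passed through unmodified
    if status == 200:
        encapsulated = b""
        for ln in lines[1:]:
            if ln.lower().startswith(b"encapsulated:"):
                encapsulated = ln.split(b":", 1)[1].strip().lower()
        if b"res-hdr" in encapsulated:
            return "deny"         # server replaced the request with its own HTTP response (block page)
        return "allow"            # server returned a (possibly rewritten) request: let it through
    return "error"


def check_url(url: str, client_ip: str, user: str = None, timeout: float = 5.0) -> str:
    """Send the REQMOD to the ICAP server and return the verdict (needs a live server)."""
    with socket.create_connection((ICAP_HOST, ICAP_PORT), timeout=timeout) as s:
        s.sendall(build_reqmod(url, client_ip, user))
        raw = b""
        while b"\r\n\r\n" not in raw:          # headers are enough for a verdict
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_icap_reply(raw)


# Constructed sample replies (not captured from a real MWG) so the classifier runs offline.
SAMPLE_ALLOW = b'ICAP/1.0 204 No Content\r\nISTag: "example"\r\nEncapsulated: null-body=0\r\n\r\n'
BLOCK_PAGE = b"<html>Access Denied.</html>"
BLOCK_HTTP = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_DENY = (
    b'ICAP/1.0 200 OK\r\nISTag: "example"\r\n'
    + f"Encapsulated: res-hdr=0, res-body={len(BLOCK_HTTP)}\r\n\r\n".encode()
    + BLOCK_HTTP + f"{len(BLOCK_PAGE):x}\r\n".encode() + BLOCK_PAGE + b"\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(classify_icap_reply(SAMPLE_ALLOW))   # allow
    print(classify_icap_reply(SAMPLE_DENY))    # deny
```

An IFP front end built this way would call check_url() for each router query and translate the verdict into the IFP answer; the deny page itself never has to be downloaded or pattern-matched, which is what removes the doubled transfer the reply above describes.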
WOW, I can't believe there are new posts to this very old post of mine. Anyway, I did finally settle on using the proxy setting and sending all web traffic down the VPN tunnel. After some research and "playing" around, this turned out to be a very effective and efficient way of handling my users.
What I ended up doing (simplified explanation):
Create AD User Groups-Add your AD Groups
Allowed User Groups-Add your AD User Groups
I have a number of users that are allowed very limited internet access to a specified list of sites.
Under Wildcard Expression
Renamed Global Whitelist with -OLD. Wanted to preserve the original
Created a new Global Whitelist-Contains list of sites for restricted users
Under Rule Sets
Create the restrictive user rule
Restricted Web Access
Authentication.UserGroups contains "Restricted AD Group Name" AND
URL does not match Global Whitelist
Remaining Users for standard filtering
Create standard content filtering rule
Company Allowed Categories
Authentication.UserGroups contains "AD Group Name" AND
URL.Categories<Default> at least one in list Company Category AllowedList
Stop Rule Set
The standard filtering rule does not always stop access to unwanted categories. I think I need to add a block to the rule above.
When I first posted my question, I was not as familiar with the changes on the MWG as I would normally be. I have become very pleased with this box. I am able to get very granular in how I deal with caching, allowed content, blocked content, users and groups, etc.
If anyone has a suggestion on streamlining what I am doing, please send it. Otherwise, I am quite happy with this solution and am moving on.
Thanks to everyone for your replies,
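The poster notes that the standard filtering rule "does not always stop access to unwanted categories". The toy model below is an added example written for this edit, not MWG configuration or code from anyone in the thread; it mimics top-down, first-match rule evaluation with the two rules as posted and shows why a standard user's request in a category outside the allowed list is never blocked: no rule matches it, so it falls off the end of the rule set. It also shows the caveat of the obvious fix. A trailing catch-all block rule alone would also cut restricted users off from the whitelisted sites they are meant to reach, so the fixed set adds an explicit whitelist stop rule in front of the catch-all. Group names, whitelist hosts and categories are constructed, and treating "Stop Rule Set" as a final allow assumes no later rule set blocks the request.

```python
"""Toy model of the posted MWG rule set and of a corrected version.

Added example, not MWG code or configuration. Rules are evaluated top-down;
the first rule whose criteria match applies its action. 'Stop Rule Set' is
modelled as a final allow (assumption: no later rule set blocks the request).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    url: str
    user_groups: Set[str]   # stands in for Authentication.UserGroups
    categories: Set[str]    # stands in for URL.Categories<Default>


@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]
    action: str             # "Block" or "Stop Rule Set"


# Constructed lists standing in for the poster's Global Whitelist and
# Company Category AllowedList; the group names are placeholders too.
GLOBAL_WHITELIST = {"intranet.example.com", "timesheets.example.com"}
COMPANY_CATEGORY_ALLOWEDLIST = {"Business", "Education", "Reference"}
RESTRICTED_GROUP = "Restricted Users"
STANDARD_GROUP = "Standard Users"


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


# The two rules as posted.
RESTRICTED_WEB_ACCESS = Rule(
    "Restricted Web Access",
    lambda r: RESTRICTED_GROUP in r.user_groups and host_of(r.url) not in GLOBAL_WHITELIST,
    "Block",
)
COMPANY_ALLOWED_CATEGORIES = Rule(
    "Company Allowed Categories",
    lambda r: STANDARD_GROUP in r.user_groups and bool(r.categories & COMPANY_CATEGORY_ALLOWEDLIST),
    "Stop Rule Set",
)
# Added for the fix: explicitly let whitelisted sites through, then block the rest.
WHITELISTED_SITES = Rule(
    "Whitelisted Sites",
    lambda r: host_of(r.url) in GLOBAL_WHITELIST,
    "Stop Rule Set",
)
BLOCK_EVERYTHING_ELSE = Rule("Block Everything Else", lambda r: True, "Block")

POSTED_RULE_SET = [RESTRICTED_WEB_ACCESS, COMPANY_ALLOWED_CATEGORIES]
FIXED_RULE_SET = [RESTRICTED_WEB_ACCESS, WHITELISTED_SITES,
                  COMPANY_ALLOWED_CATEGORIES, BLOCK_EVERYTHING_ELSE]


def evaluate(rule_set: List[Rule], req: Request) -> Tuple[str, Optional[str]]:
    """Return ('block' | 'allow', name of the deciding rule).

    Falling off the end with no match is an implicit allow: nothing blocked it.
    """
    for rule in rule_set:
        if rule.criteria(req):
            if rule.action == "Block":
                return "block", rule.name
            if rule.action == "Stop Rule Set":
                return "allow", rule.name
    return "allow", None


if __name__ == "__main__":
    samples = [
        Request("http://www.example.org/", {RESTRICTED_GROUP}, {"Business"}),
        Request("http://intranet.example.com/", {RESTRICTED_GROUP}, set()),
        Request("http://news.example.net/", {STANDARD_GROUP}, {"Business"}),
        Request("http://casino.example.net/", {STANDARD_GROUP}, {"Gambling"}),
    ]
    for label, rule_set in (("posted", POSTED_RULE_SET), ("fixed", FIXED_RULE_SET)):
        for req in samples:
            print(label, req.url, evaluate(rule_set, req))
```

Under the posted set the Gambling request from a standard user comes back as ("allow", None): the category rule did not match, and nothing below it blocks. The fixed set turns that into a block by the catch-all while the whitelist stop rule keeps the restricted users' intranet access working.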