cancel
Showing results for 
Search instead for 
Did you mean: 
btlyric
Level 12

badrequest handling (MCP/MWG)

We have a MWG device listening on an publicly routable IP address for MCP connections.

The MCP -> MWG comms work fine.

Since the MCP rule set is an authentication rule set, it is placed right below our Debug rule set.

If a client connects directly to the MCP port on that MWG and is not authenticated as a MCP client the connection is blocked and an extremely generic block page is returned. The browser doesn't display any details and view source shows 10 lines of generic HTML.

While performing some tests from an external notice, it was noticed that if you used telnet to access that port and issued a request that was blocked due to NOT being an authorized MCP client, the proxy would return:

HTTP/1.1 403 "block message"

Via: [HTTP proto version] [IP Address] (McAfee Web Gateway 7.full.version.identification)

I resolved that by adding Enable Proxy Control<Disable Via Header> at the beginning of the MCP authentication rule set.

The proxy, upon receiving a request that isn't interpreted as correct HTTP will return:

HTTP/1.1 400 badrequest

Via: [HTTP proto version] [IP Address] (McAfee Web Gateway 7.full.version.identification)

Additionally, it then returns our custom badrequest.html page.

Questions:

- Is there a way to control which badrequest page is returned?

- Is there a way to control the Via header when a bad request is received by the proxy?

I'm not a big fan of security through obscurity, however I would prefer not to advertise the template text that shows up on all of our block/notification pages -- that's why the MCP auth failure page is stripped down.

0 Kudos
5 Replies
McAfee Employee

Re: badrequest handling (MCP/MWG)

Control the block page used for "Bad request" under Configuration Proxies > Advanced > Proxy Template Schema.

Control the via header for bad requests, Configuration > Proxies > Add via header, uncheck the box (right under the HTTP Proxy listeners).

Best,

Jon

0 Kudos
btlyric
Level 12

Re: badrequest handling (MCP/MWG)

Jon,

The proxy setting takes care of the Via header, but if I modify badrequest.html, internal clients will no longer get the page that they expect to see. Additionally, since a large chunk of info is in index.html (Acceptable Use Policy, etc.), we would have to reconfigure over 80 individual notification pages to include that info in each page rather than having a single location (index.html).

0 Kudos
McAfee Employee

Re: badrequest handling (MCP/MWG)

I was implying you would use a NEW barebones template schema for the proxy related errors (as defined under Configuration > Proxies), and using the default (or your own) schema for the policy related items (i.e. user gets blocked for accessing content they shouldnt be -- under Policy > Settings > Actions).

Proxy errors would come about but probably dont require your acceptable use policy displayed.

Best,

Jon

0 Kudos
btlyric
Level 12

Re: badrequest handling (MCP/MWG)

That dog won't hunt.

0 Kudos
McAfee Employee

Re: badrequest handling (MCP/MWG)

That dog meaning my suggestion, or that dog meaning you?

If you cannot change the proxy template schema due to this then what you stated in your response is what is required (changing all the templates).

Best,

Jon

0 Kudos