1 Reply Latest reply on May 23, 2017 8:41 AM by rajjesh

    MCP with MACs and Web Hybrid Solution

    matthew.stokes

      All,

       

      Need some assistance on this one. I'm not a MAC guy so I apologize in advance.

       

      We're trying to implement the following using MCP client and Web hybrid (synchronization is already set up and working well).

       

      When MAC client is on Internal Network

      Redirect to internal MWG appliances

       

      When MAC is off network

      Redirect to Web Hybrid SaaS cloud

       

      Sounds easy, but here is the rub so far... these MACs are joined to our internal AD domain, so when we're inside the network we log in to them with AD credentials. When we do this, the internal redirection works fine and the NTLM authentication with the MWG works great.

       

      However, when we're off the network we have to use a local account to log in (I don't see a similar MAC feature to Windows cached profile). When we do this, the MCP kicks in and does properly redirect to the SaaS URL. However, it doesn't look like the 407 messages returned by the SaaS cloud are being responded to.

       

      My thinking is this... we log in internally with AD credentials and MCP stores those creds in anticipation of using them when off network. BUT we have to log in with a different account (local MAC account) when we're off network. So is it possible that MCP has a separate profile for the local account and would not have the stored AD credentials therein?

       

      Has anyone had a problem like this and, if so, how did you fix it?

       

      Thanks

      MattS...

        • 1. Re: MCP with MACs and Web Hybrid Solution
          rajjesh

          Hi MattS,

           

          If you have to log in with a local account when outside of the corporate network, then ideally you will have to create a separate rule on MWG with a matching criteria for the username, because as per my understanding MCP will not send the username details from any cache but will pull the username and groups of the current user and forward them further. So here, if there is no rule matching the username or group name the MCP is sending, the request will get explicitly blocked or allowed based upon the way the rules are configured.

           

          So if the local login IDs are not common across the systems, you need to at least have them configured under one group, for which you can then create a single rule.

           

          Hope it is relevant to your requirement.