1 2 3 Previous Next 22 Replies Latest reply on Oct 5, 2011 1:44 PM by jremtull

    transparent mode in webwasher 7

      will transparent mode support in cisco 3560 switches unlike wccp which cant be support , according the documents transparent mode is configured between router and firewall.  is transparent mode has the same featues like wccp where all traffic are passed through webwasher .

        • 1. Re: transparent mode in webwasher 7



          Transparent Mode in MWG 7 is not dependant on any hardware - you could do policy based routing for example, which means hat port 80 and 443 traffic is routed to MWG or you could also deploy in bridge mode.




          • 2. Re: transparent mode in webwasher 7

            Hi Micheal

                 can the webwasher 7 support WCCP? if it does. do you have a guide how to configure on the webwasher 7? i have a requirement to do POC on WCCP for webwasher7.




            • 3. Re: transparent mode in webwasher 7



              MWG 7 support WCCP. I’m using it in my test environment.

              WCCP configuration it’s look like in previous version.




              • 4. Re: transparent mode in webwasher 7

                Sorry Marek in MWG 7 WCCP config it is different than 6.8, I am trying to configure it now in my lab and it does not work. Then it would be very useful if any could attach a screenshot of WCCP configuration page. Current product guide has no example of wccp configuration.





                • 5. Re: transparent mode in webwasher 7

                  Taken from a colleague's paper (Kudos to Mr. Ebeling ) :


                  It is usually best to set up and verify the operation of McAfee Web Gateway as an explicit proxy prior to attempting to configure WCCP. If authentication will be used, set it up at the Authentication Server with cookie authentication or auth server redirect. Test the authentication with a browser using McAfee Web Gateway as a non-transparent proxy.


                  WCCP configuration on McAfee Web Gateway 7.x is fairly simple. The configuration of WCCP is done through the GUI, and most of the configuration is done in the Configuration > Appliances > <specific appliance> > Proxies (HTTP(S), FTP, ICAP and IM) section:


                  Network Setup


                  Select Proxy and WCCP




                  Add a service:




                  Service ID


                  The service ID must match router config and it is highly recommended to only use a value from 51-98. Service IDs 0-50 are static and reserved for “well known services” with predefined configurations. Service IDs 51-255 are dynamic and involve negotiation between the WCCP peers. This configuration shows 51 for the service ID. “Web-cache” is a Cisco reserved keyword that refers to well-known Service ID 0 and will only redirect port 80 regardless of port settings in the MWG GUI. See also: http://www.ciscopress.com/articles/article.asp?p=1192686&seqNum=2  this article focuses on WAAS but includes useful information about WCCP.


                  WCCP router definition


                  The router, switch, or firewall address that is configured in the Router field should be on the same subnet as one of the McAfee Web Gateway interfaces, but if the router, switch or firewall is set up to use GRE, WCCP can traverse multiple router hops and subnets. MAC rewrite cannot.


                  Multiple McAfee Web Gateways can connect to the same router to support load balancing and failover. Set up a McAfee Web Gateway cluster with Central Management and make sure that each McAfee Web Gateway has the same value in the “Router” field. The first McAfee Web Gateway to come up and establish contact with the router will “assign buckets.” When a McAfee Web Gateway comes on or off line, buckets will be automatically reassigned. If the “bucket assigner” goes off line another McAfee Web Gateway will take over bucket assignment.


                  If WCCP is configured on the router and no peer (McAfee Web Gateway) is active in the service group, the router will just let the requests through, without redirection. If fail close (valve model, traffic blocked), is desired in a single McAfee Web Gateway deployment, configure the firewall to only allow web traffic from McAfee Web Gateway. If fail open (valve model, traffic allowed), is desired in a single McAfee Web Gateway deployment, configure the firewall to allow web traffic from any IP. Some Cisco IOS versions allow “fail-open” or “fail closed” to be configured on the router or switch.


                  WCCP v2 supports multiple routers connecting to a single service supported by a single cache, or group of caches, by using a multicast address, or entering multiple addresses in the router field. McAfee Web Gateway 7.x supports this feature in addition to multiple McAfee Web Gateways working with a single router (supported since 6.5).


                  Multiple routers can be listed in the Router field or a multicast address can be used. Note that if a multicast address is used, “group-address” and “group-listen” must be used in the router or switch configuration.


                  Ports to be redirected


                  The configuration above uses WCCP v2, which supports multiple ports. Any ports that need to be filtered and treated as SSL, other than 443, must also be added under Proxies > Web Proxies > HTTPS Proxy > Settings > Transparent SSL Scanning Setup. If WCCP v1, is used, there are no configuration options available on McAfee Web Gateway and only port 80 traffic will be filtered.


                  Proxy listener IP address and Proxy listener port


                  Use the IP address and port that are set up for transparent proxy under Configuration > Appliances > <specific appliance> > Proxies (HTTP(S), FTP, ICAP and IM) > HTTP Proxy section. It is recommended that you specify both the IP address and the port of any proxy (otherwise the port will be open on all interfaces).


                  Note that “Serve transparent requests” and “Transparent common name handling for proxy requests” are checked. These are similar settings to those described in 6.x above.


                  MD5 authentication  key


                  MD5 authentication is optional, but if used, must match the router configuration.


                  Input for Load Distribution


                  When running multiple appliances, load distribution can be configured for the proxies on them. Data packets can be distributed to these proxies based on the masking of source or destination IP addresses and port numbers or on a hash algorithm.


                  ·       Source IP — When selected, load distribution relies on the masking of source IP addresses.

                  ·       Destination IP — When selected, load distribution relies on the masking of destination IP addresses.

                  ·       Source port — When selected, load distribution relies on the masking of source port numbers.

                  ·       Destination port — When selected, load distribution relies on the masking of the destination port numbers.


                  Assignment Method


                  The bucket assignment method is the method used by WCCP to determine which McAfee Web Gateway to use for the redirection. Certain Cisco switches and routers will only support MASK assignment. See the documentation for the software revision and hardware model of the switch or router. ASA and PIX firewalls currently support only HASH assignment.

                  Assignment Weight


                  The assignment weight field is used to enable unequal distribution of traffic across multiple MWG appliances. The value assigned to each appliance is the relative proportion of traffic the MWG should handle. The load assignment for a particular MWG will be its assignment weight divided by the total of all weight values assigned among all active MWGs in the same service group. For example in a group consisting of 2 1100s and 1 500, it might be advisable to assign weights of 50 to each of the 1100s and a weight of 25 to the 500. If all 3 appliances are up and available, 40% of the traffic would go to each of the 1100s (80% total) and the remaining 20% would go to the 500. If one of the 1100s was unavailable 66% of the traffic would go to the remaining 1100 and 33% would go to the 500.


                  Forwarding Method and L2 Redirect Target


                  With 6.8.0 and later the forwarding method can be selected as GRE encapsulation or L2-rewrite (MAC rewrite). Certain Cisco switches and routers only support L2-rewrite. Note that L2 rewrite requires that the McAfee Web Gateway is in the same layer 2 broadcast domain as the switch or router interface to which it is connected. When doing L2-rewrite the interface connected to the router or switch must be correctly specified as the MWG L2 Redirect Target. As of this writing, Cisco firewalls only support GRE encapsulation.

                  • 6. Re: transparent mode in webwasher 7

                    Dear michael,

                       Please see attached image, When we configure policy based routing on Switch, only http traffic ( tcp:80/443) will be routed to MWG. In this scenario, which mode is MWG deployed? and how to configure MWG ?image004.png

                    • 7. Re: transparent mode in webwasher 7

                      Hi, i also had the some question as sonnv facing. which mode is MWG deployed? kindly advise.. thanks

                      • 8. Re: transparent mode in webwasher 7



                        if you explicitly redirect traffic to port 80/443 to Web Gateway on the switch/firewall I think you do not need to configure one of the transparent modes, because the "transparent redirection" already happens before the data comes to Web Gateway.


                        Transparent Router should be used if you configure the Web Gateway to be the "next hop" (routing wise) for a downstream firewall/router. Transparent bridge should be the right mode if you do not want to perform any configuration on any device. In this case MWG acts like a "cable" and you will use it to connect two existing network devices with each other.


                        I hope that allows you to move on.




                        • 9. Re: transparent mode in webwasher 7


                          i using juniper firewall to perform the PBR to route the port 80 and 443 traffic to MWG. and i cant see from the firewall traffic log which so the PBR is working fine by routing the traffic MWG. but althought it route to MWG, the destination address and port still maintain the same, as attach screenshot.log.jpg .

                          how MWG will automatic redirect the traffic for scanning cause MWG only listen on IP:9090 . do addition configuration need to be done? beside that, if i use transparent router mode. it working fine and authentication part occur issue again. you advise is appreciated

                          1 2 3 Previous Next