2 Replies Latest reply on Nov 17, 2010 2:34 AM by P.Bleeker

    McAfee ePO 4.5 SSL communication with client using reverse proxy

      Hello!

      Recently I've been appointed the task of configuring secure communication between external ePO clients and the ePO server through an ISA 2006 proxy server located in the DMZ.

      Now I've configured everything from bridging to certificates etc. and... when I use an external browser to open the https://<servername> address, it displays the same page as it does internally (this website requires you to log on), which is a very good sign... I thought it worked.

      However... when I use a McAfee client to connect to the ePO server, it's not connecting, and the proxy shows something very interesting:

      When I connect to the https port using a browser, the ISA server recognizes the traffic as https, the web-listener responds and the request/traffic is properly redirected to the internal ePO server... but when I connect using the McAfee client, the traffic is not recognized as https traffic and some unknown component/rule of ISA 2006 blocks the traffic before the web-listener even responds :-(

      Now I have two questions concerning this, and I hope someone can help me because I'm quite stuck here:

      - Does McAfee not follow the https protocol properly, so ISA blocks the traffic for this reason... and if so, can I work around it by telling ISA: "just accept the world as it is... and pass these requests along, stupid proxy"... or just configure something :-)

      - Is it even possible to route/bridge client-to-agent traffic over port 443 through a reverse ISA 2006 proxy using a web-listener?

      Thank you in advance for your time, effort and possible reply!

      Kind regards,

      Peter

      P.S.: please don't judge me for using ISA 2006, it was not my choice of proxy :-P
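A small diagnostic for the symptom described above (the proxy's web-listener not seeing the agent's connection as HTTPS), added here and not part of the thread or of any McAfee or Microsoft tooling: run it on a spare host in place of the listener, point a single agent at it, and it reports whether the first bytes on the wire are a TLS ClientHello or a plaintext HTTP request. The port, bind address and sample byte strings are assumptions/constructed for the example; binding to 443 needs administrator rights.

```python
"""Peek at the first bytes a client sends on a port meant for HTTPS and say what they are."""
import socket

TLS_HANDSHAKE_RECORD = 0x16          # TLS record type: handshake
TLS_CLIENT_HELLO = 0x01              # first handshake message type
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the opening bytes of a TCP stream."""
    # TLS record header: type(1) version(2) length(2), then handshake type(1)
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE_RECORD
            and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    # Plaintext HTTP starts with a request line such as "POST / HTTP/1.1"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def peek_one_connection(bind_addr: str = "0.0.0.0", port: int = 443,
                        timeout: float = 60.0) -> str:
    """Accept a single connection on `port`, classify its first bytes and return the verdict.

    Runs where the listener would normally be, so the agent's own traffic is observed
    before any proxy rule can drop it (assumed diagnostic placement, not a product feature).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(5.0)
            data = conn.recv(16)          # the record/request header is enough
            kind = classify_first_bytes(data)
            print(f"{peer[0]}:{peer[1]} sent {data[:8].hex()} -> {kind}")
            return kind


# Constructed samples: a TLS 1.0 record carrying a ClientHello, and a plaintext request line.
SAMPLE_TLS = bytes.fromhex("160301 00c5 01 0000c1 0303".replace(" ", ""))
SAMPLE_HTTP = b"POST / HTTP/1.1\r\nHost: epo.example.invalid\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_HTTP):
        print(sample[:8].hex(), "->", classify_first_bytes(sample))
```

If the agent's first bytes classify as "http", the proxy is right to refuse them on an HTTPS-only web-listener; if they classify as "tls" and the listener still drops them, the problem lies in the proxy's rules rather than in the agent's protocol.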

        • 1. Re: McAfee ePO 4.5 SSL communication with client using reverse proxy
          jstanley

          The use of a reverse proxy between the ePO server and the client is not supported. If you need clients to be able to communicate with the ePO server when on an external network, then you should put an agent handler in your DMZ. I've attached the agent handler whitepaper; on page 14 it outlines the port forwarding rules you will need to set up.

          • 2. Re: McAfee ePO 4.5 SSL communication with client using reverse proxy

            Hi Jeremy,

            Thank you for your reply!

            However, your response about the reverse proxy setup not being supported surprises me; our company has a (McAfee-approved) Technical Design which describes the use of a reverse proxy setup in the DMZ. This way any possible problems with the McAfee product cannot be exploited, and the only system available to the big bad internet is a hardened reverse proxy system.

            So my question remains... how can I get my reverse ISA 2006 proxy to facilitate traffic between the McAfee agent handler and its clients :-)

            Thank you in advance for your time, effort and possible reply!

            Kind regards,

            Peter Bleeker