3 Replies Latest reply on Jan 5, 2012 12:41 PM by Jon Scholten

    How to configure the MWG so the MFE can see these clients' source IPs

    maitane
      Hi!
      We would like to configure the MWG 7.1.0.5 so that the MFE can see the source IP of the client host and not the MWG's own.
      There are 8 WR5500 devices: 2 directors (Active-Passive) and 6 scanners. Above these, we have 2 McAfee Firewall Enterprise (MFE) configured HA active/active.
      The MFE doesn't support "X-Forwarded-For", so we can't know the client source IP. Does anybody know how to configure the MWG so the MFE can see these clients' source IPs?
      Thanks in advance.
        • 1. Re: How to configure the MWG so the MFE can see these clients' source IPs
          Jon Scholten

          What you are asking for is IP spoofing. Unfortunately, this is not possible when using MWG in HA mode. In versions MWG 7.1.5+ IP spoofing is possible in all modes EXCEPT proxy HA.


          ~Jon

          • 2. Re: How to configure the MWG so the MFE can see these clients' source IPs
            maitane

            Hi Jon!!


            We have MFE configured in HA mode (Active-Active).

            However, MWG 7.1.5 is configured in transparent router mode with the following details:


            [GLOBAL DESCRIPTION]
            There are 8 WR5500 appliances. 4 of them are going to be physically placed in one Data Center and the other 4 are going to be placed in another Data Center: 2 director nodes (one with the highest VRRP priority and the other with the lowest VRRP priority) and the rest are scanning nodes. These data centers are both active. The installation mode chosen is transparent router because the end-user PCs don't have a proxy configuration in their browsers.


            [NETWORK CARDS DESCRIPTION]
            Each of these appliances has 4 network cards. Eth0 is used ONLY for management purposes: to be able to connect to port 4712, SSH, SNMP, central management and NTP synchronization. Eth1 is the EXTERNAL network card of our transparent router; this is the network card used to reach the default router to the Internet. Eth2 is the INTERNAL network card of our transparent router; this is the network card from which our clients will try to connect to the Internet. Eth3 is intended to be used for communication between director and scanning nodes.

            With all this, would it be possible?
            If so, how?


            Thanks.
            Regards.

            • 3. Re: How to configure the MWG so the MFE can see these clients' source IPs
              Jon Scholten

              That makes things easy. Transparent router mode supports IP spoofing.


              You will need to check the box for "IP spoofing (HTTP/HTTPS)" under Configuration > Proxies.


              If you use IP spoofing, your network paths must go out one path and come back in the same way. If you have asynchronous routes (go out one path, come back in another) you could encounter a situation where devices may incorrectly redirect the traffic (back to the client directly, instead of back to the Web Gateway where it came from). This isn't anything specific to MWG, but a general consideration when using IP spoofing.


              I highly recommend testing this change out before making it on your production appliances; this is somewhat of a bigger change.


              ~Jon
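
A small verification script added here as an example (not from the thread or from McAfee): it classifies the source addresses in constructed firewall connection records against the MWG's external (Eth1) addresses and the client subnet, so that after enabling "IP spoofing (HTTP/HTTPS)" you can confirm the MFE is seeing client IPs rather than the gateway's own. The addresses, the `src=` record format and the regex are assumptions; adapt them to your MFE audit export.

```python
import ipaddress
import re
from collections import Counter

# Assumed values (not from the thread): MWG Eth1 addresses and the client network.
MWG_EXTERNAL_IPS = {ipaddress.ip_address("10.0.1.11"), ipaddress.ip_address("10.0.1.12")}
CLIENT_NETWORK = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample records in a generic "src=... dst=..." form; the real MFE
# audit format may differ, so adjust SRC_RE to match your export.
SAMPLE_LOG = """\
2012-01-05T12:00:01 src=10.0.1.11 dst=93.184.216.34 dport=443 action=allow
2012-01-05T12:00:02 src=192.168.10.25 dst=93.184.216.34 dport=80 action=allow
2012-01-05T12:00:03 src=192.168.10.40 dst=198.51.100.7 dport=443 action=allow
2012-01-05T12:00:04 src=10.0.1.12 dst=198.51.100.7 dport=80 action=allow
2012-01-05T12:00:05 src=172.16.5.9 dst=203.0.113.3 dport=443 action=allow
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def classify_source(src):
    """Label one source address: 'gateway' means the flow still carries the
    MWG's own address (spoofing not in effect for it), 'client' means the
    original client address was preserved, anything else is 'other'."""
    addr = ipaddress.ip_address(src)
    if addr in MWG_EXTERNAL_IPS:
        return "gateway"
    if addr in CLIENT_NETWORK:
        return "client"
    return "other"


def summarize(log_text):
    """Count records per class. After enabling IP spoofing, a non-zero
    'gateway' count points at flows that still leave with the MWG's address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if match:
            counts[classify_source(match.group(1))] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```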