2 Replies Latest reply on Jan 6, 2012 4:06 PM by eelsasser

    MWG 7.1.6

    jspanitz

      Attempting to cut over from MWG 6.9 to MWG 7.1.6.  Running into a few issues.  BTW, we started with the Default template.

       

      We have our MWG 6.9 setup using explicit proxy and WCCP.  Explicit proxy is authenticated against NTLM, transparently for Windows users and via a prompt for OSX users.   WCCP is set up to catch the users and devices that do not or can not have the explicit proxy set.  Explicit users are mapped to rules based on AD groups.  WCCP users are given a single restrictive group.

       

      We implemented the "Web Mapping" rulsets as outlined here - https://community.mcafee.com/docs/DOC-2210.  So far so good.

       

      But how to allow the proxy users that are not in a group (by default our lowest level users are not in a specific AD group but get mapped to a basic access mapping and how to allow unauthenticated WCCP users?

       

      Also, what is the point / functionality of the Global Whitelist, as it doesn't appear to do anything by itself and is not referenced in any of the URL Filter rules / rulesets.

       

      John

        • 1. Re: MWG 7.1.6

          One thing you probably are wondering is how to authenticate only explicit proxy users and not WCCP users.

          Set up two listening proxy ports.

          9090 for explicit and 8080 for WCCP. (or the other way around)

          Then on the authentication rules, put a condition on the Rule Set for Proxy.Port equals 9090. Then only 9090 users will get authenticated.

           

          If we use Jon's web-mapping method you describe, everyone will have a "default" policy unless they are explicitly in some other group that the mapping changes to. This includes Un-authenticated users (WCCP) because the User-defined.Policy variable has an initial value of "default" unless it gets changed.

           

          A Global Whitelist does a Stop Cycle to let it all go through to that site, no matter what. If you don't have it in your default rule set, it's just a list of client IP addresses or URL.Host list that goes through.

           

          This is similar to the ICAP bypass of 6.x.

           

           

          Global Whitelist
          [Ruleset to bypass filtering.]
          Disabled
          Applies to Requests: True / Responses: True / Embedded Objects: True
          Always
          EnabledRuleActionEventsComments
          EnabledClient IP Is in List Allowed Clients
          1: Client.IP is in list Allowed Clients
          Stop CycleIf IP is in given list, filtering will be bypassed.
          EnabledURL Host Matches in List Global Whitelist
          1: URL.Host matches in list Global Whitelist
          Stop CycleIf URL is in given list, filtering will be bypassed.

           

          Message was edited by: eelsasser typos on 1/6/12 5:00:54 PM EST
          1 of 1 people found this helpful
          • 2. Re: MWG 7.1.6

            Hmmm, i have another idea too. You can put a rule at the beginning of the Authentication Rule Set that says:

            Condition: Proxy.Port equals 8080 

            Action: Stop Rule Set

            Event: Set User-Defined.Policy="wccp"

             

            Then the Policy variable will be "wccp" and you can have a different policy set other than "default".

            1 of 1 people found this helpful