10 Replies Latest reply: Mar 21, 2013 9:10 PM by cscoup8

    Limiting the browsers supported by Web Gateway 7.2

    hivemind

      Hello everyone,

       

      I am planning a rollout of Web Gateway 7.2 to our users and enforcing it as a mandatory proxy through a proxy PAC sent down to them via Group Policy (WCCP is not an option, unfortunately).

       

      Furthermore, I have extended Group Policy to include the Google Chrome and Firefox GPO extensions; it seems to be working fine so far.

       

       

      I have been wondering: is it possible to limit, from within Web Gateway, which browsers it will support, so it only accepts connections from Internet Explorer, Google Chrome and Firefox?

       

      It is something that's just a tick box in IPCop and Squid, but I can't find any rule for it in McAfee Gateway 7.2, or any mention of 'browser'-based properties for that matter.

       

       

      Thanks in advance for tips on your experiences.

        • 1. Re: Limiting the browsers supported by Web Gateway 7.2
          eelsasser

          Yes, you can. But you have to maintain the list yourself.

          You would have to create a rule that uses criteria such as:

           

           

          Header.Request.Get ("User-Agent") does not match in list "AllowedBrowsers: User Agents"

          Action: Block

           

          This is a wildcard list where you would put in values like:

          Mozilla/*Firefox/*

          Mozilla/*Trident/*

          Mozilla/*Chrome/*

          etc.

           

          When you have only a check-box solution, you cannot get very granular and make changes. If you limit it to just a browser checkmark, what happens when a particular browser is vulnerable and you want to block the specific version? If you limit to only browsers, you will block content from Flash, Java, iTunes, Adobe Reader, etc.

           

          That's why it is preferred to make your own specific list.
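The rule described in the reply above, modelled offline as an added example (not part of the original post and not Web Gateway code). It assumes the wildcard list behaves like shell-style globbing; the second list `BLOCKED_VERSIONS` and the sample User-Agent strings are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Wildcard entries quoted in the reply above ("AllowedBrowsers: User Agents").
ALLOWED_BROWSERS = ["Mozilla/*Firefox/*", "Mozilla/*Trident/*", "Mozilla/*Chrome/*"]
# Hypothetical second list: versions to refuse although the browser family is allowed.
BLOCKED_VERSIONS = ["Mozilla/*Firefox/3.*"]


def matches_any(value, patterns):
    """True if value matches at least one shell-style wildcard pattern."""
    return any(fnmatchcase(value, p) for p in patterns)


def decide(user_agent):
    """Block unless the User-Agent is in the allow list, then block again
    if it matches a specifically refused version."""
    # The header is set by the client, so this enforces policy on what
    # clients announce; it does not authenticate the client software.
    ua = user_agent or ""  # a request without the header is treated as empty
    if not matches_any(ua, ALLOWED_BROWSERS):
        return "Block"
    if matches_any(ua, BLOCKED_VERSIONS):
        return "Block"
    return "Allow"


# Constructed sample User-Agent values.
SAMPLES = {
    "firefox19": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0",
    "firefox36": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6",
    "ie9": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "chrome25": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22",
    "java": "Java/1.7.0_17",      # non-browser client, blocked by a browser-only list
    "itunes": "iTunes/11.0.2 (Windows; Microsoft Windows 7 x64)",
}


def evaluate_samples():
    """Return the verdict for every constructed sample."""
    return {name: decide(ua) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:10} {verdict}")
```

The Java and iTunes samples show the side effect the reply warns about: a browser-only allow list also blocks non-browser clients unless their User-Agent patterns are added to the list.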

          • 2. Re: Limiting the browsers supported by Web Gateway 7.2
            hivemind

            Ah yes, I see.

            That makes sense. I will try creating rules around the Header.Request.Get ("User-Agent") parameters.

             

            Thanks for the tips also on the considerations to make for other applications that would become affected, very useful.

            • 3. Re: Limiting the browsers supported by Web Gateway 7.2
              cscoup8

              eelsasser wrote:

               

              [...]

               

              When you have only a check-box solution, you cannot get very granular and make changes. If you limit it to just a browser checkmark, what happens when a particular browser is vulnerable and you want to block the specific version? If you limit to only browsers, you will block content from Flash, Java, iTunes, Adobe Reader, etc.

               

              Java and iTunes send a unique user-agent string with version information, but how would one go about blocking Adobe Flash and Reader, or more specifically, outdated versions of Flash and Reader?

              • 4. Re: Limiting the browsers supported by Web Gateway 7.2
                asabban

                Hello,

                 

                We have wanted to block outdated plugins for a while, but so far do not have a good way to do it. It would require a part on the client that tells MWG the version of the plugins, or requires the client to visit a pre-defined welcome page once a day to check the plugin version, and then block him until he has the correct versions installed.

                 

                Unfortunately there is no smart way (that I am aware of) to collect the versions of the plugins in real-time and block users running old plug-ins. There are several ideas moving around which could improve this in the future, but at the moment it is rather complicated to set up.

                 

                Best,

                Andre

                • 5. Re: Limiting the browsers supported by Web Gateway 7.2
                  pbrickey

                  Hi Cscoup8,

                   

                  From what I've seen, Flash sends a header called x-flash-version in the request rather than using a custom user-agent. Therefore, you can use the same criteria, Header.Request.Get ("x-flash-version"), to block older versions of the Flash plugin. I can't be sure that this is always included for 100% of requests. I haven't checked for Reader.

                   

                  -Patrick
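A sketch of the version check suggested in the reply above, as an added example (not part of the original post and not Web Gateway code). It assumes the header value is a comma-separated version such as `11,6,602,180`; the minimum version `MIN_FLASH` and the sample requests are constructed placeholders.

```python
# Hypothetical policy value: oldest Flash version still accepted.
MIN_FLASH = (11, 6, 602, 180)


def parse_flash_version(value):
    """Turn '11,6,602,180' (or dotted form) into a 4-tuple of ints.
    Returns None when the value is not a numeric version."""
    parts = value.strip().replace(".", ",").split(",")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        return None
    numbers = [int(p) for p in parts]
    return tuple(numbers + [0] * (4 - len(numbers)))


def flash_decision(headers, minimum=MIN_FLASH):
    """Return 'Block', 'Allow' or 'Unknown' for one request's headers.

    'Unknown' means the header was absent or unparseable: the request says
    nothing about the plugin version, so it must not be read as up to date
    and other rules have to decide.
    """
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-flash-version"), None)
    if value is None:
        return "Unknown"
    version = parse_flash_version(value)
    if version is None:
        return "Unknown"
    # Compare numerically: as plain strings "9,0,124,0" sorts after "11,...".
    return "Allow" if version >= minimum else "Block"


# Constructed sample requests.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Trident/5.0)",
     "x-flash-version": "11,6,602,180"},
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 8.0; Trident/4.0)",
     "X-Flash-Version": "9,0,124,0"},
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"},
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(flash_decision(request), request.get("User-Agent"))
```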

                  • 6. Re: Limiting the browsers supported by Web Gateway 7.2
                    cscoup8

                    Awesome information about the x-flash-version.  Thank you.

                    • 7. Re: Limiting the browsers supported by Web Gateway 7.2
                      cscoup8

                      FYI: I haven't done extensive testing, but the x-flash-version doesn't appear to get sent for Flash that is displayed in Firefox.  For Internet Explorer there seem to be certain scenarios where it doesn't send x-flash-version either; however, using this field is definitely useful and catches a lot of it.

                       

                      Using Wireshark I haven't seen any identifier related to Adobe Reader plugin version information including whether PDF files are displayed within the web browser window or not. But given that certain browsers now include a native PDF viewer, this might become less important.

                      • 8. Re: Limiting the browsers supported by Web Gateway 7.2
                        Jon Scholten

                        Hi All,

                         

                        This is an interesting concept that I've seen, the Firefox plugin checker:

                        https://www.mozilla.org/en-US/plugincheck/

                         

                        It checks the plugins installed in the browser and gives you a pretty report with action to take.

                         

                        I haven't explored how it detects these things though. I'm wondering if it invokes something in the browser to get a response from the plugin and determine its version. Or perhaps it has a better user-agent detection.

                         

                        The help page seems to indicate it uses some sort of JavaScript detection mechanism:

                        https://www.mozilla.org/en-US/plugincheck/more_info.html

                         

                        IE has limited support because it requires ActiveX code to run properly. Theoretically this could be done with a welcome page as Andre described, using JavaScript for non-IE browsers.

                         

                        Best,

                        Jon

                        • 9. Re: Limiting the browsers supported by Web Gateway 7.2
                          asabban

                          Hello,

                           

                          or use our plugin check (still beta):

                           

                          http://www.browser-info.net/

                           

                          We had some ideas of creating a welcome page which embeds the browser check, e.g. if you start your browser you have to pass a plugin check. After that is performed, MWG will grant access based on installed plugins/versions and/or browser/OS versions.

                           

                          Best,

                          Andre
