3 Replies. Latest reply: Nov 13, 2014 5:46 AM by Galib Shaik

    McAfee Client proxy configuration.


      Hi all,


      I am facing some issues with McAfee Client Proxy. We are planning to implement MCP for our client and our testing is ongoing. Here is our environment.

      1. MWG, ePO, MCP
      2. We have integrated with the Active Directory server in the LAN environment.
      3. We have created rules and policies for AD groups, and the rules and policies are applied properly: users are able to browse allowed sites and restricted sites are blocked.
      4. The client has many laptop users, so the client wants to protect those users while they are browsing the internet from an outside network (internet card, home internet connection). The same rules and policies should apply.
      5. So we have planned to implement the MCP client.
      6. We have completed the configuration of MCP in ePO.

      A. Install the McAfee Client Proxy extension

      B. Check in the McAfee Client Proxy client package to ePolicy Orchestrator

      C. Select a policy and add the NATed IP to the proxy server list with port 9091

      D. Deploy McAfee Client Proxy with ePolicy Orchestrator

      7. We have created a rule in the firewall for MWG from the NATed public IP to the MWG proxy IP with port no. 9091.


      Now the following problems have occurred.

      1. Users are not getting the same Active Directory policy; users from different groups are all getting one top-level rule and policy.
      2. Internal sites are not accessible from outside through the proxy.

      My questions:

      1. What are the rules we need to create for the MCP client in MWG?
      2. How can I bypass my internal sites?



      Sabin Karthikeyan.

        • 1. Re: McAfee Client proxy configuration.
          Jon Scholten

          Hi Sabin!


          I imagine the policy issue is occurring because the groups received by MCP, and those returned from your Windows domain membership are different.


          By default when performing direct proxy authentication, groups will simply be returned with the name of the group, NO DOMAIN IS INCLUDED. Example: Domain Users


          By default when using MCP, groups will be returned WITH THE DOMAIN INCLUDED. Example: MCAFEE\Domain Users


          So... I'm guessing you have all of your rules written based on the group WITHOUT the domain. You should change it to INCLUDE the domain to account for how MCP will send the groups.


          You can do this under Policy > Settings > Engines > Authentication > [pick your auth settings], then check the box for "Prefix groups with domain name..." see screenshot below:



          On the second issue, is the MWG in a DMZ that might not permit it to access internal sites? This sounds more like a networking issue. What message are you receiving (cannot connect)?
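
The group-name mismatch described in the reply above, modeled as an added example (not part of the original thread and not MWG rule syntax). The rule model, rule names and literal string comparison are assumptions made for illustration; the group values are constructed from the examples in the reply.

```python
# Added illustration: hypothetical rule model, not MWG's own rule engine.
DEFAULT_POLICY = "top-level default"

# Constructed sample rules: (group named in the rule criteria, policy applied)
RULES = [
    ("Finance", "finance policy"),
    ("Domain Users", "standard policy"),
]

# Constructed group lists for the same user via the two authentication paths
DIRECT_GROUPS = ["Domain Users", "Finance"]               # direct proxy auth
MCP_GROUPS = ["MCAFEE\\Domain Users", "MCAFEE\\Finance"]  # via MCP


def bare(group):
    """Return the group name without a leading DOMAIN\\ prefix."""
    return group.rsplit("\\", 1)[-1]


def select_policy(user_groups, rules=RULES):
    """First rule whose group literally appears in the user's groups wins."""
    for group, policy in rules:
        if group in user_groups:
            return policy
    return DEFAULT_POLICY  # every rule missed: user falls to the top-level rule


def audit_rules(user_groups, rules=RULES):
    """List (rule group, received group) pairs that differ only by domain prefix."""
    mismatched = []
    for group, _ in rules:
        if group in user_groups:
            continue
        for received in user_groups:
            if bare(received).lower() == bare(group).lower():
                mismatched.append((group, received))
    return mismatched


def prefix_rules(domain, rules=RULES):
    """Rewrite bare rule groups to DOMAIN\\group so they match prefixed groups."""
    return [(g if "\\" in g else f"{domain}\\{g}", p) for g, p in rules]


if __name__ == "__main__":
    print(select_policy(DIRECT_GROUPS), "|", select_policy(MCP_GROUPS))
    print(audit_rules(MCP_GROUPS))
    print(select_policy(MCP_GROUPS, prefix_rules("MCAFEE")))
```
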




          • 2. Re: McAfee Client proxy configuration.

            Hi Jon,

            I have tried the same setting; it is not working.


            Can you provide the authentication settings rule set for MCP and the other required rule sets and rules?



            Sabin Karthikeyan.

            • 3. Re: McAfee Client proxy configuration.
              Galib Shaik

              Hi Sabin,


              I was going through some searches and found this issue. Is this issue resolved, or are you still struggling...?