3 Replies. Latest reply: Jan 25, 2013 9:31 AM by mtuma

    Rule problem; port 17000


      I'm trying to allow traffic to a website which is accessed on TCP 17000.  Since the only two internal workstations that need to access this site already have a rule for other ports to the same company, I'm trying to edit this existing rule.  The company states that it uses a different IP than the IPs we currently have in the rule, so I simply added TCP 17000 as an Application and added the new IP to the Endpoints.  This doesn't work.  I immediately get a Web Gateway page stating "Cannot Connect  The proxy could not connect to the destination in time", much like you'd expect if a website did not exist.  (I've confirmed the site does exist by using a system outside our network.)  I've contacted the company and they don't use ACLs or have any restrictions, so it isn't something along those lines.  Furthermore, they can see my incoming pings when attempted by domain name, so it isn't a DNS problem. 


      When I look at the MFE audit, I'll see 6 entries all showing traffic from the Web Gateway to the correct Endpoint IP on 17000 but with the error message of: reason: Received a TCP connection attempt destined for a service that the current policy does not support.


      My rule looks good, so I don't know why it isn't liking this.  So, I'm open for suggestions. 


      The only other "oddity" was that our MFE licenses expired on the 18th and I didn't catch this until I started checking the audits while troubleshooting this today.  I went to License and clicked on Activate Firewall which updated our licensing with no problem (it now shows our correct expiration date).  Could this somehow be affecting my rule changes that I made prior to updating the license?



        • 1. Re: Rule problem; port 17000



          Can you show us your rule, and also the entire audit netprobe message? It sounds like it might be something you missed with the rule.


          Also, just to let you know, if the support license expires, traffic will still keep passing.



          • 2. Re: Rule problem; port 17000

            A good night's sleep helps!  I've resolved the issue.  The problem was that I did not have our McAfee Web Gateway (MWG) IPs in the rule.  As soon as I added them, the website was accessible.


            And thanks for the license info.  I knew that traffic would continue to pass, but wasn't quite 100% sure that changes would be saved (although I didn't really believe that this functionality would be turned off; if it were, I would surely have known about the angry mob with the torches and pitchforks storming the McAfee castle).

            • 3. Re: Rule problem; port 17000

              Glad you were able to get it working.
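
The fix in reply 2 follows from how the firewall sees proxied traffic: the audit entries in the first post show the Web Gateway, not the workstation, as the source of the connection to port 17000. The sketch below is an added example, not part of the thread and not McAfee Firewall Enterprise syntax; it models a rule as source/destination/port sets and reports which field a flow fails on. All addresses and the `Rule`/`Flow` names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

@dataclass(frozen=True)
class Rule:
    sources: tuple       # CIDR strings allowed as source
    destinations: tuple  # CIDR strings allowed as destination
    tcp_ports: tuple     # allowed TCP destination ports

def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def mismatches(rule, flow):
    """Return the rule fields the flow fails to match (empty list = rule matches)."""
    failed = []
    if not _in_any(flow.src, rule.sources):
        failed.append("source")
    if not _in_any(flow.dst, rule.destinations):
        failed.append("destination")
    if flow.port not in rule.tcp_ports:
        failed.append("port")
    return failed

def as_seen_by_firewall(client_ip, dst, port, proxy_ip=None):
    """A proxy opens its own outbound connection, so the firewall sees the
    proxy's address as the source instead of the workstation's."""
    return Flow(proxy_ip or client_ip, dst, port)

# Constructed sample values (not taken from the thread).
WORKSTATIONS = ("10.1.1.21/32", "10.1.1.22/32")
PROXY = "10.1.5.10"     # stands in for the Web Gateway address
SITE = "203.0.113.40"   # stands in for the vendor's new IP

original_rule = Rule(WORKSTATIONS, (SITE + "/32",), (17000,))
fixed_rule = Rule(WORKSTATIONS + (PROXY + "/32",), (SITE + "/32",), (17000,))

direct = as_seen_by_firewall("10.1.1.21", SITE, 17000)
proxied = as_seen_by_firewall("10.1.1.21", SITE, 17000, proxy_ip=PROXY)

if __name__ == "__main__":
    for name, rule in (("original", original_rule), ("fixed", fixed_rule)):
        for label, flow in (("direct", direct), ("proxied", proxied)):
            print(name, label, flow.src, mismatches(rule, flow) or "match")
```

When an audit entry reports a policy miss, comparing its source address against the rule's source endpoints in this way shows whether the rule was written for the client or for the device that actually originates the connection.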