We're deploying McAfee Web Gateway 7.2 and Bluecoat. Bluecoat acts as ICAP Client (Proxy, URL Filtering) and McAfee Web Gateway acts as ICAP Server (Virus/Malware filtering).
ICAP Mode Deployment: RESPONSE MODE: Bluecoat will send all data (which is received from the web server) to McAfee Web Gateway (Version 7). REQUEST MODE is not enabled.
Can we bypass virus/malware filtering for some users/groups? Or does the ICAP packet which Bluecoat sends to McAfee Web Gateway include user/group information?
In ICAP, the user information which is determined on the client (BC) is passed to the server (MWG). The headers are: X-Authenticated-User and X-Authenticated-Groups. In addition, the original client IP is sent using the X-Client-IP header.
MWG can pick up this information and can apply user/group/client IP based policy.
How can this be done as best practice? Do you have an example of assigning rule sets by X-Client-IP header?
In v6.9 there was an option in the dropdown in the webmappings section, but in v7.....
When the ICAP client sends the client IP information in X-Client-IP, you can grab it on MWG when using the appropriate property, such as
Doing so you can access all ICAP header information made available by the ICAP client.
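The header-based bypass discussed in the replies above, as an added example that is not part of the original thread and is not MWG or Bluecoat configuration: it parses the ICAP headers of a RESPMOD request and decides whether to skip scanning from X-Authenticated-Groups and X-Client-IP. The addresses, group names and sample request are constructed, and the Base64 handling is an assumption about how the ICAP client encodes the identity values.

```python
import base64
import binascii
import ipaddress

TRUSTED_ICAP_CLIENTS = {"192.0.2.10"}                    # hypothetical ICAP client address
BYPASS_GROUPS = {"WinNT://EXAMPLE/NoScan"}               # hypothetical group
BYPASS_NETS = [ipaddress.ip_network("10.99.0.0/24")]     # hypothetical client range

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample: ICAP header block of a RESPMOD request (not a capture).
SAMPLE_REQUEST = (
    "RESPMOD icap://mwg.example.test:1344/respmod ICAP/1.0\r\n"
    "Host: mwg.example.test:1344\r\n"
    "X-Client-IP: 10.1.1.5\r\n"
    f"X-Authenticated-User: {b64('WinNT://EXAMPLE/jdoe')}\r\n"
    f"X-Authenticated-Groups: {b64('WinNT://EXAMPLE/Staff,WinNT://EXAMPLE/NoScan')}\r\n"
    "Encapsulated: res-hdr=0, res-body=137\r\n\r\n"
).encode("ascii")

def parse_icap_headers(raw):
    """Return the ICAP headers (names lower-cased) that precede the first blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_value(value):
    """Assumption: the value may be sent Base64-encoded; fall back to the raw text."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value
    return text if text.isprintable() else value

def scan_decision(raw, peer_ip):
    """Return 'bypass' or 'scan' for one request received from peer_ip."""
    if peer_ip not in TRUSTED_ICAP_CLIENTS:
        return "scan"                            # identity headers are sender-asserted
    headers = parse_icap_headers(raw)
    groups = decode_value(headers.get("x-authenticated-groups", "")).split(",")
    if BYPASS_GROUPS & {g.strip() for g in groups}:
        return "bypass"
    try:
        client = ipaddress.ip_address(headers.get("x-client-ip", ""))
    except ValueError:
        return "scan"                            # missing or malformed address: keep scanning
    return "bypass" if any(client in net for net in BYPASS_NETS) else "scan"
```

Because the ICAP server only sees what the client asserts in these headers, the sketch honours them solely for connections from the known ICAP client and falls back to scanning on anything missing or malformed.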
We implemented a BC and MWG project at a customer using BC8000 series and MWG 5500 appliances, including a forward and reverse proxy environment.
The easiest way for administration in a complex environment was to administrate exclusion from scanning at one point. Therefore we built some exclusions via BC's VPM to exclude users or groups directly from the ICAP service.
I'm morbidly curious.... If someone had MWG available to them, why on earth would they keep the pain of Bluecoat around? (I trust there's a good reason to endure the pain of the Bluecoat administration interface, but I'm curious why/how). Once we got MWG in we ran as fast as we could from the years of pain Bluecoat subjected us to and their eroding support. Woofa.
I don't know..
Bluecoat with CPL is pretty impressive. VPM is shocking and I for one truly hate it.
We have Bluecoat and MWG operating in ICAP mode for a number of users as we migrate from Bluecoat to MWG.
Reasons to keep BC?
1. AWESOME admin interface compared to MWG - The "advanced" set of available stats are light years ahead of MWG
2. Ability to do attack detection - Inbuilt easy peasy feature on Bluecoat... Not even in the picture on the "security-focused MWG"
3. Ability to see "top talkers" in real time and kill a session - Totally impossible on MWG
4. Bluecoat is at least as quick if not quicker for "straight forward HTTP requests"
5. Bluecoat's forwarding proxies compared to MWG's next hop proxy... I mean, seriously.
6. Flash, RTMP, SOCKS, TCP proxies in box fully integrated into UI and just work on Bluecoat.
7. DNS proxy on the Bluecoat is a fully working DNS proxy - not a stuck on BIND install that doesn't play nicely with multiple CNAME records.
Don't get me wrong.. MWG is a nice proxy. We can create complex rules and "do" a great deal - but we're only talking HTTP requests on the whole. We're migrating "to" MWG - but we have to keep Bluecoats around for anything that doesn't fit into the tight constraints of what MWG offers.
.. and to be honest, a couple of MWG VMs running ICAP can take the user load of thousands of requests
All you really have to do is think "if the exception you're granting is based on category - code on MWG or code on BC"
Wow. Seriously? Has Bluecoat updated that horrific train wreck of a UI in the past 2 years perhaps? The one I recall, I couldn't even paste a list of IP addresses in anywhere without specifying them painfully one at a time. I guess with CPL all things were possible in that realm but personally the admin interface on Bluecoat made me want to stab myself daily. MWG so much nicer in that realm. I was delighted when Bluecoat priced themselves out of a renewal or hardware refresh with apathetic support and a 4x price tag.
The semi real time top talkers was nice, and their QoS was nice but that's the only nice thing I have to say after a horrific 3 years with a pair of 510-20's that gave us nothing but trouble. I have a buddy who works at another place who can't escape a separate pair of 510-20's that he still has to maintain and he wants to stab himself daily. They've RMA'd those things like 3 times apparently.
I think the sales goofballs undersized our install, but man I don't miss the Bluecoats one iota. I'm glad to see you're having a better experience with them because I wouldn't wish my Bluecoat experience on anyone.
Ah- 510s? ..
Rule 1. set max bandwidth=20mb/sec
Rule 2. Cry. They're awful proxies - almost as bad as the 210s but terrible,
Thankfully our estate has a number of the bigger boxes which play nicely and do what they're supposed. We have many, many proxies. We wouldn't ever ever use the VPM rubbish so feel your pain about how crap it is. I still don't understand how any "serious" proxy guy would use it.. Bluecoat rave about it, but it bites.
Then again, with MWG, try copying an event within a rule... or try moving a rule from one part of the policy to another and "remember" where you were to begin with.. There are problems with both.. but that's life.
For me, the Bluecoats are an easy proxy to manage - I can "see" what is happening in real-time, which I can't on MWG unless I take packet captures.
I can upgrade and downgrade a Bluecoat at will and the backup I take (if I need to) can paste in a downgrade - not so on MWG.
Tracing on the BC vs MWG - both are good - MWG's one is better.. but after spending many years now with Bluecoats and a couple with MWG - and play with some of the "unsupported" features of MWG - I have to say, they're both pretty good - but different.
I HATE HATE HATE the inability of MWG to do simple things like provide proper split-horizon DNS.. I don't want BIND on a proxy - I just want split-horizon DNS.
I don't have anything on MWG to see the coverage of my ACL - which rules are being hit, how often.
I can't drill down or export from the dashboards.
There's no QoS...
I can go on but
Anyway, we're fast becoming a MWG shop* .. (* terms and conditions apply )
Managing internet traffic with Bluecoat can be necessary because BC is a PROXY with 10 times more features than McAfee MWG. But remember, it is just a proxy system without any malware scanning capabilities.
- You can use BC for many protocols like MMS, RTSP, FTP and so on in every possible implementation scenario like WCCP and so on.
- You can manage protocols like SQL and more.
- You can also implement BC as a reverse proxy for many protocols.
These features are not available on MWG yet and I think they will not be available, because BC is a proxy system, MWG is a secure gateway for internet traffic.
From my view it depends on what the requirements of a customer are. If a customer needs many protocols or WAN acceleration you cannot use MWG, therefore it could be necessary to use a BC proxy. Afterwards there are different scenarios possible for how to implement malware scanners, e.g. MWG (ATD)
- MWG could be placed in a proxy chain.
- MWG could be connected via ICAP
- MWG could be added in a transparent environment.
- MWG could be added via ICAP and additional ATD is connected to MWG.
- If customer is using Bluecoat with Fire Eye you can also add MWG as described above.
At this moment, when MWG is placed, the customer is able to deploy virtual MWGs and/or use MCP to secure mobile clients and so on.
We have a customer who used Squid proxies, different UTMs, NetCache proxies, McAfee Webwasher as direct proxy or ICAP server and so on. This year we removed any system and only McAfee Webgateway is used. :-)
In conclusion, how MWG can be placed depends on what is going on at the customer and which systems are already in place.