This is a community forum, not tech support.
You should really contact a reseller who can provide professional services for the install. You might get it working, but they have experience with implementing best practices.
Also, have you tried reading this? https://community.mcafee.com/docs/DOC-4818 It's posted on the main page for MWG.
We bought the hardware only and no implementation services, this is the reason I need help from experts here. At the moment I need to understand how the device will resolve the requests to internet, since it have a DNS on eth0 pointing to our Domain Controller DNS in order to use NTLM authentication.
Presently we plan to use in Explict proxy mode so in this case we will only use one network card in appliance, right?
Yes, I found that article on main page of MWG but could not get a way to create a DNS rule for outside requests.
it seems that the DNS on the Domain Controller is not configured to forward unknown requests to the ISPs DNS. Usually (in a simple environment) you configure the DC to locally resolve its own domain (such as mycompany.tld) but forward all unknown domains it cannot answer to a forwarder, most likely a DNS provided by your ISP. In this case you can configure MWG to use the DNS of the domain controller.
In case the domain controller does not forward there are only a few options:
- Use a public (ISP) DNS. In this case MWG will be able to resolve external domains. For internal requests and authentication you will most likely have to modify the /etc/hosts file and manually add hosts and IPs here to allow MWG to resolve as required
- Use the 7.3.2 controlled release which allows to setup split DNS, e.g. forward all internal requests to the domain controllers and all external requests to the ISPs DNS
- Configure the domain controllers to do forwarding
Without the ability to resolve both, internal and external you won't be happy with MWG since DNS is vital for it to work. Setting up your network to provide proper DNS is basically the task of the network administrator. I would recommend to either configure the DC to resolve external hosts (it can be done easily) or try the split DNS option.
Many thanks for your reply. Yes, you are right the internal DNS of DC is not configured yet to Fwd unknown requests to ISP's DNS. The second choice is to use 7.3.2 controlled release.
For this logged to my corporate McAfee account and found there also release 'McAfee Web Gateway Main release' and its appliance ISO is 220.127.116.11.0. So, how the two are different ? and in case I need to download then burn them to a CD and boot device by CD to get the new ISO installed ?
Many thanks for your detailed response.
I have now installed controlled release 7.3.2 to appliance, now when I go for conditional Forwarding and enter a public DNS it takes preference over the first primary DNS which is local Active Directory domain, when this happen the appliance can not contact the domain controller.
In host file I need to add only DNS for active directory, only one entry ? OR more changes needed to be done there ?
Dear Mr. Andre,
Any tip for what I explained above concerning the conditional DNS forwarding.
The status under windows domain member ship still shows as green and also when I do a NTLM test for an AD user, it shows the AD groups user is member off and shows as green if the entered username and password are correct.
Is there a way we create groups in gateway like (Full internet access users) and then add users from AD to it, rather we create a groups in AD. This I remember used to do in ISA Server.
Here's how I have my system setup for comparison. Hopefully, you'll find something on yours that you missed.
I have my Conditional forwarder setup like this:
All internet traffic resolves using the 18.104.22.168 server and lordchariot.local resolves using 192.168.2.80 or .81.
When i try to resolve one of my internal hosts, the internal server resolves it:
I can see this is happening correctly by packet captures of DNS:
My authentication is setup to use the domain like this:
My Web Gateway has forward and reverse DNS enties in AD:
My authentication tests work:
And the rule block like they should.
(This user is NOT in Allow Social Networking, so they will get blocked according to my policy)
the only other suggestion i can give is to open a support ticket.
Following your steps, I have luck and forward DNS is working if I put name for internal machine it get resolved to IP but reverse not working, any suggestions ? Find attached snapshot
I checked the rules now, working for a user if he is a member of ‘socialnetworking’ and ‘webmail’ in AD, the user is able to open web mail and social networking websites. For all these conditions we need to create groups in AD ? OR it is also possible to have groups created in gateway and pull AD users under those groups, is this also possible?
Please consider case as below
- Management allowed to use all things with no restrictions for all regular sites BUT yes should be taken care for malicious sites
- Users from operations department to be able to download executables, iso images, pdf etc files but no mp3 files or video files
- Users from Admin / HR dept not allowed to download executables, no visit to social networking. but can access web mail, no use of remote applications
Do I need to created AD groups for my each requirement ? the order of rule set should always be like:
- - Authentication Rules
- - URL Filter
- - Application control
- - Media type filtering