8 Replies Latest reply on Jun 10, 2013 4:42 AM by wajeeh_r

    Need assistance basic setup for MWG 7

    wajeeh_r

      Dear Support,

       

      We recently bought an MWG hardware appliance and are now setting it up. We want to set it up in explicit proxy mode. I have assigned an IP to eth0 of the device. I joined it to our Windows 2008 domain and it shows the status as 'green'. The DNS is given as our internal DNS.

       

      How do I now set up the device to receive HTTP and HTTPS requests from users and forward them to the Internet? Where in the device do I need to define the settings for going to the Internet and resolving internal and Internet requests? I am getting confused about this. Do we need to use the other NIC as well?

       

      If any other details are needed, please let me know.

      thanks,

        • 1. Re: Need assistance basic setup for MWG 7
          georgec

          This is a community forum, not tech support.

           

          You should really contact a reseller who can provide professional services for the install. You might get it working, but they have experience with implementing best practices.

           

          Also, have you tried reading this? https://community.mcafee.com/docs/DOC-4818 It's posted on the main page for MWG.

           

          George

           

          on 6/5/13 3:23:54 AM CDT
          • 2. Re: Need assistance basic setup for MWG 7
            wajeeh_r

            Dear George,

             

            We bought the hardware only and no implementation services; this is the reason I need help from the experts here. At the moment I need to understand how the device will resolve requests to the Internet, since it has a DNS on eth0 pointing to our Domain Controller DNS in order to use NTLM authentication.

             

            Presently we plan to use it in explicit proxy mode, so in this case we will only use one network card in the appliance, right?

             

            Yes, I found that article on the main page of MWG but could not find a way to create a DNS rule for outside requests.

             

            Many Thanks,

            • 3. Re: Need assistance basic setup for MWG 7
              asabban

              Hello,

               

              it seems that the DNS on the Domain Controller is not configured to forward unknown requests to the ISP's DNS. Usually (in a simple environment) you configure the DC to locally resolve its own domain (such as mycompany.tld) but forward all unknown domains it cannot answer to a forwarder, most likely a DNS provided by your ISP. In this case you can configure MWG to use the DNS of the domain controller.

               

              In case the domain controller does not forward there are only a few options:

               

              - Use a public (ISP) DNS. In this case MWG will be able to resolve external domains. For internal requests and authentication you will most likely have to modify the /etc/hosts file and manually add hosts and IPs there to allow MWG to resolve as required.

              - Use the 7.3.2 controlled release, which allows you to set up split DNS, e.g. forward all internal requests to the domain controllers and all external requests to the ISP's DNS.

              - Configure the domain controllers to do forwarding.

               

              Without the ability to resolve both internal and external names you won't be happy with MWG, since DNS is vital for it to work. Setting up your network to provide proper DNS is basically the task of the network administrator. I would recommend either configuring the DC to resolve external hosts (it can be done easily) or trying the split DNS option.

               

              Best,

              Andre

              • 4. Re: Need assistance basic setup for MWG 7
                wajeeh_r

                Dear Andre,

                 

                Many thanks for your reply. Yes, you are right: the internal DNS of the DC is not configured yet to forward unknown requests to the ISP's DNS. The second choice is to use the 7.3.2 controlled release.

                 

                For this I logged in to my corporate McAfee account and found there also the release 'McAfee Web Gateway Main release', whose appliance ISO is 7.2.0.9.0. So, how are the two different? And in case I need to download it, do I then burn it to a CD and boot the device from the CD to get the new ISO installed?

                 

                Many thanks for your detailed response.

                 

                Regards,

                • 5. Re: Need assistance basic setup for MWG 7
                  wajeeh_r

                  Dear Andre,

                   

                  I have now installed controlled release 7.3.2 on the appliance. Now when I go for conditional forwarding and enter a public DNS, it takes preference over the first primary DNS, which is the local Active Directory domain; when this happens the appliance cannot contact the domain controller.

                   

                  In the hosts file, do I need to add only the DNS for Active Directory, just one entry? Or do more changes need to be made there?

                   

                  please advise.

                  • 6. Re: Need assistance basic setup for MWG 7
                    wajeeh_r

                    Dear Mr. Andre,

                     

                    Any tip for what I explained above concerning conditional DNS forwarding?

                     

                    The status under Windows domain membership still shows as green, and also when I do an NTLM test for an AD user, it shows the AD groups the user is a member of and shows as green if the entered username and password are correct.

                     

                    Is there a way we can create groups in the gateway, like 'Full internet access users', and then add users from AD to them, rather than creating groups in AD? I remember doing this in ISA Server.

                     

                    Please advise

                    • 7. Re: Need assistance basic setup for MWG 7

                      Here's how I have my system set up for comparison. Hopefully, you'll find something on yours that you missed.

                       

                      I have my Conditional forwarder setup like this:

                      capture.png

                      All internet traffic resolves using the 8.8.8.8 server and lordchariot.local resolves using 192.168.2.80 or .81.

                       

                      When I try to resolve one of my internal hosts, the internal server resolves it:

                      capture3.png

                       

                      I can see this is happening correctly in packet captures of DNS:

                      capture4.png

                      My authentication is setup to use the domain like this:

                      capture2.png

                      My Web Gateway has forward and reverse DNS entries in AD:

                      capture7.png

                      capture8.png

                       

                      My authentication tests work:

                      capture6.png

                      And the rules block like they should.

                      (This user is NOT in Allow Social Networking, so they will get blocked according to my policy)

                      capture9.png

                       

                      The only other suggestion I can give is to open a support ticket.

                      • 8. Re: Need assistance basic setup for MWG 7
                        wajeeh_r

                        Dear Sir,

                        Following your steps, I had luck, and forward DNS is working: if I put in the name of an internal machine, it gets resolved to the IP, but reverse is not working. Any suggestions? Find attached snapshots.

                         

                        DNS_Forwarding.jpg Reverse_DNS.jpg

                         

                        I checked the rules now; they are working for a user if he is a member of 'socialnetworking' and 'webmail' in AD: the user is able to open web mail and social networking websites. For all these conditions do we need to create groups in AD? Or is it also possible to have groups created in the gateway and pull AD users under those groups? Is this also possible?

                         

                        Please consider the case below:

                        • Management is allowed to use everything with no restrictions for all regular sites, BUT care should be taken for malicious sites
                        • Users from the operations department should be able to download executables, ISO images, PDF files etc., but no MP3 or video files
                        • Users from the Admin / HR dept are not allowed to download executables and may not visit social networking, but can access web mail; no use of remote applications

                         

                        Do I need to create AD groups for each of my requirements? Should the order of the rule sets always be like this:

                        • Authentication Rules
                        • URL Filter
                        • Application control
                        • Media type filtering

                        Thanks,