essentially all parts behave correctly...apart from the browser
The borwser doesn't have any proxy setting, so it is not expecting a 407 for proxy authentication and thus won't be able to respond to the authentication query from MWG. What you need to use is the authentication server of MWG! This will 'fake' a web server authentication to which the browser will respond corretly.
Thankyou for the reply, so am I correct in assuming that integrated authentication will not work with WCCP whilst the authentication method is 'NTLM' - do I need to change the method to 'Authentication Server'):
Policy --> Settings --> Authentication --> change from 'NTLM' to 'Authentication Server'
If thats true, is there any other means of using the Cisco ASA for redirecting web traffic to the proxy?
Hi Kernel panic,
It is not just as easy as changing the settigns you described to "Authentication server".
Please see the below articles:
WCCP Explained - https://community.mcafee.com/docs/DOC-4917
Different Options explained for different Deployment Methods - https://community.mcafee.com/docs/DOC-4384
NTLM Domain Membership Explained - https://community.mcafee.com/docs/DOC-4918
MWG Best Practices and Common Scenarios - https://community.mcafee.com/docs/DOC-4818
WCCP (on the Cisco ASA) is the means of redirecting web traffic to the proxy.
Thankyou, our web gateway was configured by our McAfee reseller who enabled the NTLM authentication method.
I had already enabled WCCP as suggested in document (https://community.mcafee.com/docs/DOC-4917) and our network team then used the following config to enable WCCP for a test machine with IP address of 192.168.0.137 on the firewall:
access-list wccp-servers permit ip host 188.8.131.52 any
access-list wccp-traffic permit ip host 192.168.30.137 255.255.255.255 any
wccp web-cache group-list wccp-servers redirect-list wccp-traffic
wccp interface inside web-cache redirect in
wccp interface inside service 51 redirect in
However as i said when I tried to access the web on that test machine I was presented with an authentication box.
Please read the other article regarding authentication which explains why you get the auth popup.
Thankyou Jon, I believe I am getting somewhere as I have created an Authentication Server accessible on port 9091 and have pointed a client to it, however I'm getting blocked with the following error message:
An internal error occured while processing your request.
URL: http://184.108.40.206:9091/mwg-internal/de5fs23hu73ds/plugin?target=Auth&reason =Auth&ClientID=2867389826&ttl=600&url=aHR0cDovL3d3dy5nb29nbGUuY29tLw==&rnd=13729 45420
Current Rule ID: 10809
Current Rule Name: URL Host Matches in List Global Whitelist
The IP authentication server URL value is:
http://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.port"/>$
Do I need to change it if using a different port i.e. 9091?
I imagine that your MWG's IP is in the global whitelist as mentioned in the URL.
Please remove this from there if it present.
Thankyou Jon that solved it. I'm going to get our network team to redirect trafic to port 9091 and will update this thread on the results.