Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
1332 Views 14 Replies Latest reply: Aug 26, 2013 1:58 PM by huguoarnaud RSS 1 2 Previous Next
huguoarnaud Newcomer 16 posts since
Jul 26, 2013
Currently Being Moderated

Aug 9, 2013 7:59 AM

How to use Header X-Authenticated-Groups in Web gateway 7.2?

Good morning all;


I Have one server Forefront TMG 2010 and one Appliance McAfee Web Gateway 7.2 working together.


On TMG, I have install McAfee Web chaining plugin to foward authentification information to Web Gateway like X-Authenticated-User and X-Authenticated-Groups.


on Web gateway, i verify if header have X-Authenticated-Groups information with Header.Request.exist(X-Authenticated-Groups).


The problem is that, I need to filter the group informations to autorized only a group like "IT GROUP" to access some sites like ",, ...".


1 - How to compare groups information send to web gateway by TMG to the group name that i want to compare with.


Note: Web gateway is not join to the domaine but TMG is join to the domaine and the group it send to Web gateway is pick from domain controller.


2 - The internet connection  is very slow wen transited from TMG -- McAfee Web gateway -- Internet. How optimize internet connectivity to have best result went loading a web site page.



Thank you for your feedback


best Regards

  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009



    TMG will send you the username and group membershits in the two X- headers you named, so there is no need for MWG to talk to the domain controller. You should have a quick look at how the X-Authenticated-Groups headers value look like (or maybe someone else can share this information). It is a Base64 encoded string, after decoding it should look like:


    Domain Users, Administrators, IT GROUP, ...


    so the group memberships is a string containing the groups, and the groups are comma-separated.


    Once you understood how the decoded string looks you can manually perform authentication on MWG by setting the properties accordingly. Use an Event -> Set Property Value to do so.


    You can use user-defined properties to make the process more readable, as follows:


    User-Defined.Username = Header.Request.Get("X-Authenticated-User")               # Property now contains Base64 encodeed value from X-Authenticated-User header

    User-Defined.Username = String.Base64Decode(User-Defined.Username)         # Property now contains decoded value, which is the username in plain text

    Authentication.Username = User-Defined.Username                                                   # Wrote the username from your user-defined property to the "real" property MWG uses


    For the group memberships this is a little more complicated:


    User-Defined.Groups = Header.Request.Get("X-Authenticated-Groups")               # Property now contains Base64 encoded value from X-Authenticated-Groups header

    User-Defined.Groups = String.Base64Decode(User-Defined.Groups)                   # Decode Base64 string, property now contains groups like "group A, group B, group C"

    Authentcation.Groups = String.ToStringList(User-Defined.Groups, ', ', '')                 # Use property to turn string into a list of strings, write strings to the "real" property MWG uses


    And finally tell MWG authentication has happened:


    Authentication.IsAuthenticated = true


    Once this is performed MWG will act like if "real" authentication has happened. You will see usernames in the logs and so on. To make a decision as described above you can use "Authentication.Groups contains"... and match against "IT GROUP" or whatever group you like. There should be tons of examples in the community how to allow/block a URL based on group memberships.




  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009



    can you send me an example X-Authetnicated-Groups header? Please provide the header exactly as it gets into MWG, including Base64 encoding etc.


    You could do a packet capture to obtain the header or add a block rule on MWG which prints the header. Then I can try if I can get the right rules together.




  • pbrickey McAfee Employee 79 posts since
    Oct 13, 2011



    I believe the rule set 'ISA Chaining" found in the Authentication section of the rule set library accounts for this. Go ahead and import it by going to Policy > Rule Sets > Add > Top Level rule set > import rule set from rule set library. It is using 'String.LF' as the group delimeter rather than ',' and also strips off the 'WinNT://".



  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009



    all groups should be available for mapping that are part of the header. So the question is now where the problem is:


    1.) Copy the header from the ISA server and base64 decode it manually. Is the desired group available here?

    2.) If the group is available in the header you should check the list you have created from the header. Just create a block page and Use List.OfString.ToString to print the list to a website in plaintext. Is the desired group there?

    3.) If 1 and 2 are true (so the group is in the list) the rule you use for mapping does not work... in this case most likely there is something wrong with wildcards or similar. Rule engine tracing could help you to find out why your rule does not match.




1 2 Previous Next

More Like This

  • Retrieving data ...

Bookmarked By (0)


  • Correct Answers - 5 points
  • Helpful Answers - 3 points