Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
537 Views 5 Replies Latest reply: Sep 3, 2013 2:57 PM by Jon Scholten RSS
btlyric Apprentice 184 posts since
Aug 1, 2012
Currently Being Moderated

Aug 23, 2013 9:05 PM

badrequest handling (MCP/MWG)

We have a MWG device listening on an publicly routable IP address for MCP connections.

 

The MCP -> MWG comms work fine.

 

Since the MCP rule set is an authentication rule set, it is placed right below our Debug rule set.

 

If a client connects directly to the MCP port on that MWG and is not authenticated as a MCP client the connection is blocked and an extremely generic block page is returned. The browser doesn't display any details and view source shows 10 lines of generic HTML.

 

While performing some tests from an external notice, it was noticed that if you used telnet to access that port and issued a request that was blocked due to NOT being an authorized MCP client, the proxy would return:

 

HTTP/1.1 403 "block message"

Via: [HTTP proto version] [IP Address] (McAfee Web Gateway 7.full.version.identification)

 

I resolved that by adding Enable Proxy Control<Disable Via Header> at the beginning of the MCP authentication rule set.

 

The proxy, upon receiving a request that isn't interpreted as correct HTTP will return:

 

HTTP/1.1 400 badrequest

Via: [HTTP proto version] [IP Address] (McAfee Web Gateway 7.full.version.identification)

 

Additionally, it then returns our custom badrequest.html page.

 

Questions:

 

- Is there a way to control which badrequest page is returned?

- Is there a way to control the Via header when a bad request is received by the proxy?

 

I'm not a big fan of security through obscurity, however I would prefer not to advertise the template text that shows up on all of our block/notification pages -- that's why the MCP auth failure page is stripped down.

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    Currently Being Moderated
    1. Sep 1, 2013 6:22 PM (in response to btlyric)
    Re: badrequest handling (MCP/MWG)

    Control the block page used for "Bad request" under Configuration Proxies > Advanced > Proxy Template Schema.

     

    Control the via header for bad requests, Configuration > Proxies > Add via header, uncheck the box (right under the HTTP Proxy listeners).

     

    Best,

    Jon

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    Currently Being Moderated
    3. Sep 3, 2013 2:16 PM (in response to btlyric)
    Re: badrequest handling (MCP/MWG)

    I was implying you would use a NEW barebones template schema for the proxy related errors (as defined under Configuration > Proxies), and using the default (or your own) schema for the policy related items (i.e. user gets blocked for accessing content they shouldnt be -- under Policy > Settings > Actions).

     

    Proxy errors would come about but probably dont require your acceptable use policy displayed.

     

    Best,

    Jon

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    Currently Being Moderated
    5. Sep 3, 2013 2:57 PM (in response to btlyric)
    Re: badrequest handling (MCP/MWG)

    That dog meaning my suggestion, or that dog meaning you?

     

    If you cannot change the proxy template schema due to this then what you stated in your response is what is required (changing all the templates).

     

    Best,

    Jon

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points