6 Replies Latest reply on Oct 30, 2014 4:31 AM by abolshakov

    McAfee Client Proxy not working

    jebotha

      Hi

       

      I am currently doing a POC at a customer involving Web Gateway 7.4.2.2.0, ePO 5.1.1 and MCP 1.2. The Web Gateway is located in the DMZ but as far as I am aware all ports are open. When I configure the Web Gateway as proxy in the browser, it works perfectly. When I use the MCP though, it tells me No Connectivity and No Redirection

       

      My ePO policy is set to always redirect and the proxy configured in the policy is the same as the one I have configured in the browser. What is strange is in the MCP logs I get the following entry time and time again:

       

      09/30/14 : 16:36:07:735 - [VERBOSE] CNetworkManager::getUrlWebPage -  Getting url

      09/30/14 : 16:36:07:766 - [VERBOSE] CNetworkManager::getUrlWebPage -  Finished getting url

      09/30/14 : 16:36:07:766 - [VERBOSE] CNetworkManager::checkCaptivePortalMethod2 -  Captive portal detected, or no original page

      09/30/14 : 16:36:07:766 - [VERBOSE] CNetworkManager::checkCaptivePortalConnectivity -  Captive portal detected or connection failed

       

      I have done packet captures on the client and a tcpdump on the Web Gateway and from that it is clear that traffic is reaching the Web Gateway from the client and it looks normal. Does anyone have any ideas?

       

      Many thanks

        • 1. Re: McAfee Client Proxy not working
          Jon Scholten

          Hi!

           

          That message means that MCP is detecting a "captive portal". This is the equivalent of what you would get when you visit a starbucks or a hotel, when you need to click the "I accept button" for internet to work.

           

          MCP will stand down when it detects a captive portal because if it doesnt, you cant actually click the button to "Accept".

           

          Do you have a support case open?

           

          Best Regards,

          Jon

          • 2. Re: McAfee Client Proxy not working
            jebotha

            Hi Jon

             

            Many thanks for the reply. Is there any configuration I can change to not check for a Captive Portal? As far as I know there is none. When you open the browser it shows an access denied page from the firewall.

             

            No, I have not opened a support case

             

            Many thanks

            Jacques

            • 3. Re: McAfee Client Proxy not working
              Jon Scholten

              Hi Jacques,

               

              The idea is that if a captive portal is detected, that MCP needs to stand down, but it shouldnt do that if MCP is set to always redirect.

               

              This is MCP 1.2? This sounds like MCP 1.1 (there was a bug where it failed to stand up).

               

              Please open a support case and include the capture you ran so I can take a look.

               

              Best,

              Jon

              • 4. Re: McAfee Client Proxy not working
                abolshakov

                Hello everyone!

                I have the same situation as jebotha described - MCP policy is configured to "always redirect" but MCP still detects captive portal. And I'm using version 1.2 (1.2.0.8 as McAfee Agent says). It can be either a bug (but I thought it was fixed in 1.1 patch 1) or a feature (but in this case I think developers should provide an option to disable captive portal detection).

                As known, MCP tries to connect some website and get data that is known, and if it gets another data than respected MCP thinks that it's a captive portal (something like that). Using wireshark I found that MCP tries to connect to McAfee servers (I will not list them here - they can be different from yours, check your wireshark log) by HTTP GET and request for some resource (usually / or /us or /MCP.txt).

                As a workaround, I just allowed traffic to these destinations by HTTP for all (i.e. unauthorized) users, and now everthing is fine.

                 

                P.S.: I hope this little newbie post will help someone. =) However, I'll be waiting McAfee to fix this problem.

                P.P.S.: Sorry for my english, unfortunately it's not my native language.

                • 5. Re: McAfee Client Proxy not working
                  Troja

                  Hi abolshakov,

                  MCP does this test to detect if direct internet access is possible. This is necessary if you are in a hotel where you have to activate your WLAN access. In this situation no proxy server must be used.

                  The second possibiity where MCPdoes not use a proxy if you configure a proxy server in your browser settings.

                   

                  I took a look to the MCP Log this morning, i cannot see any entry with "captive portal"....

                   

                  Perhaps you want test my policy file, just change the proxy settings and the customer idetifyer.

                   

                  Cheers,

                  Thorsten

                  • 6. Re: McAfee Client Proxy not working
                    abolshakov

                    Hi, Troja,

                    First of all, thanks for your reply! Secondary, I've just tried your policy file (changed customer ID and proxy settings) and I still get problems with captive portal detection:

                     

                    10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkConnectivity -  Checking connectivity status

                    10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkProxyConnectivity -  Checking proxy connectivity

                    10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkProxyConnectivity -  Detected proxy connection at 0ms

                    10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkProxyConnectivity -  Using proxy policy order

                    10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkConnectivity -  Always redirecting, skipping corporate connectivity tests

                    10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::checkCaptivePortalConnectivity -  Testing captive portal

                    10/30/14 : 11:11:42:829 - [VERBOSE] CNetworkManager::getUrlWebPage -  Getting url

                    10/30/14 : 11:11:42:860 - [VERBOSE] CNetworkManager::getUrlWebPage -  Finished getting url

                    10/30/14 : 11:11:42:860 - [VERBOSE] CNetworkManager::checkCaptivePortalMethod1 -  Captive portal detected, or no original page

                    10/30/14 : 11:11:42:860 - [VERBOSE] CNetworkManager::getUrlWebPage -  Getting url

                    10/30/14 : 11:11:43:141 - [VERBOSE] CNetworkManager::getUrlWebPage -  Finished getting url

                    10/30/14 : 11:11:43:141 - [VERBOSE] CNetworkManager::checkCaptivePortalMethod2 -  Captive portal detected, or no original page

                    10/30/14 : 11:11:43:141 - [VERBOSE] CNetworkManager::checkCaptivePortalConnectivity -  Captive portal detected or connection failed

                     

                    And MCP says "No redirection, No connectivity".

                    About need of captive detection - I don't have any clients outside of organization but I have some software that doesn't support proxy servers natively. That's why I need to use MCP instead of simple proxy settings in IE. Previously we used TMG 2010 and TMG Client.

                     

                    Regards!