Here's some additional info. It seems that my ePO server is able to route to the proxy - it's just the Directory Services Connector that can't. If I update the product list I can watch the ePO server go out through the proxy. I'm wondering if there is a catalina xml file somewhere I can edit to include the proxy settings for the DSC server.
Even more info that makes me just a bit cranky (actually makes me a lot cranky):
Found this on the support.mcafeesaas.com site. I have no idea what the date of it is. I do know if it's true I'm pretty disgusted.
Will the Directory Services Connector Work With an Internet Proxy?
At this time, the Directory Services Connector (DSC) is not designed to function over a proxy. It will communicate to saascontrol.com over HTTPS on port 443. While support for proxies may be added in the future, there is no set timeframe for this addition.
Should you have additional questions, please contact us at 877/695-6442 or log a service request for additional assistance.
I have noticed such behavior with other products so far. Not every EPO component uses the proxy settings made in the EPO Server Settings.
First of all, I would check whether the DSC connector uses HTTP inside the SSL traffic. In many cases we saw different products using SSL over port 443, but it is not HTTP. Therefore a proxy server cannot proxy such traffic. :-(
On the other hand, I do not know if McAfee (Intel) will make so many changes to the SaaS connections, because EPO cloud will be available.
I know this does not solve your problem, but at the moment it looks like there is no solution even if you implement a transparent proxy solution. We use this as an option at customers where applications are not able to use a proxy.
Alright, so I have resigned myself to the fact that I will have to bypass the McAfee Web Gateways with the McAfee Directory Services Connector. I've asked my firewall guy to poke a hole to portal.saascontrol.com, which I have determined to be 220.127.116.11 through Wireshark packet captures of my failed attempts, nslookup, and centralops.net. He pokes the hole to 18.104.22.168 and the DSC instantly attempts to go to 22.214.171.124 - really? Does anyone know all the IPs for portal.saascontrol.com (which is actually mxl147vXXX.mxlogic.net, where XXX=the last octet)? I've gone all the way down to 126.96.36.199 and up to 188.8.131.52 so far - any idea if this is really the range? So I put on my best CIDR hat and can get from 184.108.40.206 thru 220.127.116.11 as 18.104.22.168/21 - but that's not really it. What is everyone else using? If I continue to one-off my network guy he's going to quit speaking to me.
Thanks for the help,