McAfee Web Gateway 7.6.0
Product Guide
Revision A
COPYRIGHT
Copyright © 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com
TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents
Preface ..... 15
    About this guide ..... 15
    Audience ..... 15
    Conventions ..... 15
    What's in this guide ..... 15
    Find product documentation ..... 16

1  Introduction ..... 17
    Filtering web traffic ..... 17
    Main functions of the appliance ..... 18
    Main components of the appliance ..... 19
    Deployment of the appliance ..... 20
    High-level administration activities ..... 20

2  User interface ..... 23
    Main elements of the user interface ..... 23
    Supporting configuration functions ..... 25
    Discarding changes ..... 25
    Discard changes by reloading data ..... 26
    Configuring a web security policy on the user interface ..... 26
    Key elements view ..... 28
    Configure a key element ..... 30
    Complete rules view ..... 30
    Configure a rule element in the complete rules view ..... 31
    Administering Web Gateway without the user interface ..... 32

3  System configuration ..... 33
    Initial setup system settings ..... 33
    System configuration after the initial setup ..... 34
    System settings for general functions ..... 34
    Network system settings ..... 34
    Authentication and quota system settings ..... 34
    Web filtering system settings ..... 35
    Central Management system settings ..... 35
    System settings for logging and troubleshooting ..... 35
    Configure the system settings ..... 35
    Appliances tab ..... 36
    System settings for general appliance functions ..... 37
    License settings ..... 37
    Telemetry settings ..... 38
    Date and Time settings ..... 40
    File Server settings ..... 41
    User Interface settings ..... 42
    System settings for network functions ..... 45
    Network Interfaces settings ..... 46
    Network Protection settings ..... 49
    Port Forwarding settings ..... 50
    Static Routes settings ..... 51
    Network interface bonding ..... 53
    Configure network interface bonding ..... 54
    Checking the bonding configuration ..... 55
    Source-based routing ..... 56
    Configure source-based routing for a management network interface ..... 57
    System files ..... 59
    File Editor tab ..... 59
    Cache volume resizing ..... 60
    Database updates ..... 61
    Update database information manually ..... 61
    Schedule automatic engine updates ..... 62
    Closed network updates ..... 62
    Update an appliance in a closed network ..... 63

4  Proxies ..... 65
    Configure proxies ..... 66
    Explicit proxy mode ..... 66
    Configure the explicit proxy mode ..... 67
    Transparent Proxy settings ..... 68
    Proxy HA settings ..... 73
    Best practices - Configuring the Proxy HA mode ..... 74
    Configure the Proxy HA mode ..... 76
    Resolving issues with a Proxy HA configuration ..... 77
    Best practices - High Availability configuration size limits ..... 78
    Best practices - Configuring the explicit proxy mode with WCCP ..... 79
    Configure use of the WCCP protocol ..... 81
    Settings for a WCCP service ..... 81
    Troubleshooting WCCP-related issues ..... 83
    Transparent router mode ..... 84
    Configure the transparent router mode ..... 85
    Configure nodes in transparent router mode ..... 85
    Transparent Router settings ..... 88
    Transparent bridge mode ..... 90
    Configure the transparent bridge mode ..... 90
    Configure nodes in transparent bridge mode ..... 91
    Best practices - Fine-tuning a transparent bridge configuration ..... 94
    Transparent Bridge settings ..... 95
    Packet size handling ..... 97
    Secure ICAP ..... 97
    SOCKS proxy ..... 98
    Configuring a SOCKS proxy ..... 98
    Using properties and an event in rules for a SOCKS proxy ..... 98
    Configure SOCKS proxy settings ..... 99
    Using UDP under SOCKS ..... 100
    SOCKS Proxy rule set ..... 101
    Instant messaging ..... 101
    XMPP proxy ..... 105
    Configure common proxy settings ..... 106
    Proxies settings ..... 106
    Network Setup ..... 106
    HTTP Proxy ..... 106
    FTP Proxy ..... 107
    ICAP Server ..... 109
    IFP Proxy ..... 109
    SOCKS Proxy ..... 109
    Data Exchange Layer ..... 110
    Web Cache ..... 110
    Timeouts for HTTP(S), FTP, ICAP, SOCKS, and UDP ..... 111
    DNS Settings ..... 111
    Yahoo ..... 111
    ICQ ..... 112
    Windows Live Messenger ..... 113
    XMPP ..... 113
    Advanced Settings ..... 114
    Periodic Rule Engine Trigger List ..... 117
    Controlling outbound source IP addresses ..... 118
    Configure control of outbound source IP addresses ..... 120
    Using WCCP to redirect FTP traffic ..... 120
    Configure the use of WCCP for redirecting FTP traffic ..... 121
    Using the Raptor syntax for FTP logon ..... 121
    Node communication protocols ..... 122
    Using DNS servers according to domains ..... 123
    Configure the use of DNS servers according to domains ..... 123
    Domain Name Service settings ..... 123
    Using DXL messages to exchange web security information ..... 125
    Configure the settings for information exchange with DXL ..... 126
    Configure settings for information exchange using a TIE server ..... 127
    Best practices - Working with the user-agent header ..... 128
    Create a rule for working with the user-agent header ..... 131
    Bypassing for Office 365 and other Microsoft services ..... 132
    Key elements for Microsoft services bypassing ..... 133
    Bypass Microsoft (Office 365) Services rule set ..... 134
    Reverse HTTPS proxy ..... 135
    Redirect HTTPS traffic in transparent bridge or router mode ..... 135
    Let the appliance listen to requests redirected by DNS entries ..... 136
    SSL certificates in a reverse HTTPS proxy configuration ..... 137
    Complete optional activities for a reverse HTTPS proxy configuration ..... 141
    Proxy auto-configuration ..... 147
    Make a .pac file available ..... 147
    Create a rule for downloading a wpad.dat file ..... 148
    Configure auto-detection of a wpad host ..... 148
    Using the Helix proxy ..... 149
    Configure use of the Helix proxy ..... 149

5  Central Management ..... 151
    Central Management configuration ..... 152
    Configure Central Management ..... 153
    Add an appliance to a Central Management configuration ..... 154
    Configure the Central Management settings ..... 155
    Assign a node to node groups ..... 155
    Assign a node to a runtime group ..... 155
    Assign a node to an update group ..... 156
    Assign a node to network groups ..... 156
    Best practices - Configuring node groups in a Central Management configuration ..... 157
    Verify the synchronization of nodes ..... 159
    Add a scheduled job ..... 160
    Update the appliance software in a Central Management configuration ..... 160
    Central Management settings ..... 161
6  Rules ..... 173
    Rule flexibility ..... 173
    About filtering ..... 174
    Filtering cycles ..... 175
    Process flow ..... 175
    Rule elements ..... 177
    Rule format on the user interface ..... 178
    Complex criteria ..... 179
    Rule representation in the documentation text ..... 179
    Rule sets ..... 181
    Rule set system ..... 182
    Rule set library ..... 183
    Rule Sets tab ..... 184
    Create a rule ..... 186
    Name and enable a rule ..... 186
    Working with the Add Criteria window ..... 187
    Add the rule criteria ..... 189
    Add the rule action ..... 190
    Add a rule event ..... 191
    Create a rule set ..... 191
    Import a rule set ..... 193
    Best practices - Rule configuration ..... 194
    Using rules and rule sets in appropriate cycles ..... 194
    Using expensive properties at the end of the filtering process ..... 195
    Using not more than two properties in the criteria of a rule ..... 196
    Restrict access to configuration items ..... 198

7  Lists ..... 199
    List types ..... 200
    Lists tab ..... 202
    Access a list ..... 203
    Access a list on the Lists tab ..... 204
    Access a list in a rule ..... 204
    Create a list ..... 204
    Add a new list ..... 205
    Fill a list with entries ..... 205
    Work with different types of lists ..... 205
    Add a wildcard expression to a global whitelist for URLs ..... 206
    Add a URL category to a blocking list ..... 207
    Add a media type to a media type filter list ..... 207
    Subscribed lists ..... 208
    Create a subscribed list ..... 208
    Settings for subscribed lists content ..... 209
    Updating subscribed lists ..... 210
    Creating a content file for a customer-maintained list ..... 211
    Best practices - Working with a McAfee-maintained subscribed list ..... 213
    External lists ..... 214
    Use of external list data in rules ..... 216
    Substitution and placeholders ..... 216
    Configure the External Lists module ..... 217
    External Lists module settings ..... 218
    Configure general settings for external lists ..... 224
    External Lists system settings ..... 224
    Map Type lists ..... 225
    Create a Map Type list ..... 225
    Using properties to work with Map Type lists ..... 226
    Retrieving map data from external and subscribed lists ..... 227
    Common Catalog ..... 228
    Prepare the use of Common Catalog lists ..... 229
    Set up a user account for Common Catalog lists ..... 229
    Set up an administrator account for Common Catalog lists ..... 230
    Enable use of the REST interface for Common Catalog lists ..... 230
    Sample settings for registering Web Gateway on a McAfee ePO server ..... 231
    JavaScript Object Notation data ..... 231

8  Settings ..... 237
    Types of settings ..... 237
    Settings tab ..... 239
    Access settings ..... 240
    Access action and module settings on the Settings tab ..... 240
    Access action and module settings in a rule ..... 240
    Access system settings ..... 241
    Create action and module settings ..... 241

9  Authentication ..... 243
    Authenticating users ..... 244
    LDAP digest authentication ..... 245
    Configure authentication ..... 246
    Configure the Authentication module ..... 247
    Authentication settings ..... 247
    Implement a different authentication method ..... 258
    Using system settings to configure authentication ..... 258
    Kerberos Administration settings ..... 258
    Join the appliance to a Windows domain ..... 259
    Windows Domain Membership settings ..... 260
    Best practices - Configuring authentication for deployment types ..... 261
    Authentication for the explicit proxy mode ..... 262
    Authentication for transparent modes ..... 264
    Authentication for the explicit proxy mode with WCCP ..... 267
    Best practices - Configuring LDAP authentication ..... 268
    Configure the LDAP method for authenticating a user ..... 269
    Configure the settings for the LDAP authentication method ..... 270
    Configure queries for user and group attributes ..... 271
    Storing an attribute in a separate property ..... 272
    Storing the original user name for logging ..... 273
    Testing and troubleshooting LDAP authentication ..... 274
    Instant messaging authentication ..... 276
    Configure instant messaging authentication ..... 277
    Configure the Authentication module for instant messaging authentication ..... 278
    Configure the File System Logging module for instant messaging authentication ..... 279
    IM Authentication rule set ..... 279
    One-time passwords ..... 281
    Configure one-time passwords for authenticating users ..... 282
    Configure one-time passwords for authorized overriding ..... 282
    Configure the settings for one-time passwords ..... 283
    Authentication Server (Time/IP Based Session with OTP) rule set ..... 283
    Authorized Override with OTP rule set ..... 286
    Authentication Server (Time/IP Based Session with OTP and Pledge) rule set ..... 288
    Authorized Override with OTP and Pledge rule set ..... 290
    Client Certificate authentication ..... 292
    Use of certificates for Client Certificate authentication ..... 293
    Rule sets for Client Certificate authentication ..... 293
    Redirecting requests to an authentication server ..... 294
    Implement Client Certificate authentication ..... 295
    Import the Authentication Server (for X509 Authentication) rule set ..... 296
    Modify a rule set to configure the use of server certificates ..... 296
    Modify a rule set to configure the use of certificate authorities ..... 297
    Configure a listener port for incoming requests on the appliance ..... 298
    Import the Cookie Authentication (for X509 Authentication) rule set ..... 299
    Modify a rule set to change the listener port for incoming requests ..... 299
    Import a client certificate into a browser ..... 300
    Administrator accounts ..... 302
    Add an administrator account ..... 302
    Edit an administrator account ..... 302
    Delete an administrator account ..... 303
    Administrator account settings ..... 303
    Manage administrator roles ..... 304
    Administrator role settings ..... 304
    Configure external account management ..... 305

10  Quota management ..... 307
    Imposing quotas and other restrictions on web usage ..... 307
    Time quota ..... 310
    Configure time quotas ..... 310
    Time Quota settings ..... 311
    Time Quota rule set ..... 311
    Volume quota ..... 313
    Configure volume quotas ..... 314
    Volume Quota settings ..... 314
    Volume Quota rule set ..... 315
    Coaching ..... 317
    Configure coaching ..... 318
    Coaching settings ..... 318
    Coaching rule set ..... 318
    Authorized override ..... 320
    Configure authorized overriding ..... 320
    Authorized Override settings ..... 321
    Authorized Override rule set ..... 321
    Blocking sessions ..... 323
    Configure blocking sessions ..... 323
    Block Session settings ..... 324
    Blocking Sessions rule set ..... 324
    Quota system settings ..... 325

11  Web filtering ..... 327
    Virus and malware filtering ..... 327
    Configure key elements for virus and malware filtering ..... 329
    Key elements for virus and malware filtering ..... 329
    Configure virus and malware filtering using the complete rules view ..... 330
    Configure settings for the Anti-Malware module ..... 331
    Change the module combination for scanning web objects ..... 331
    Anti-Malware settings ..... 333
    Gateway Anti-Malware rule set ..... 337
    Media stream scanning ..... 339
    Anti-malware queue ..... 340
    URL filtering ..... 341
    Configure key elements for URL filtering ..... 343
    Key elements for URL filtering ..... 343
Configure URL filtering using the complete rules view . . . . . . . . . . . . . . .
Configure settings for the URL Filter module . . . . . . . . . . . . . . . . . . .
URL Filter settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Best practices - Using URL properties to whitelist web objects . . . . . . . . . . . .
URL Filtering rule set . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
URL filtering using the Dynamic Content Classifier . . . . . . . . . . . . . . . . .
Using your own URL filter database . . . . . . . . . . . . . . . . . . . . . . .
URL filtering using an IFP proxy . . . . . . . . . . . . . . . . . . . . . . . .
Media type filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure key elements for media type filtering . . . . . . . . . . . . . . . . . .
Key elements for media type filtering . . . . . . . . . . . . . . . . . . . . . .
Configure media type filtering using the complete rules view . . . . . . . . . . . . .
Properties for media type filtering . . . . . . . . . . . . . . . . . . . . . . .
Modify a media type filtering rule . . . . . . . . . . . . . . . . . . . . . . .
Media Type Filtering rule set . . . . . . . . . . . . . . . . . . . . . . . . .
Application filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure application filtering . . . . . . . . . . . . . . . . . . . . . . . . .
Create a list for application filtering . . . . . . . . . . . . . . . . . . . . . . .
Modify the risk level in an application filtering rule . . . . . . . . . . . . . . . . .
Application Control rule set
Streaming media filtering
Configure streaming media filtering
Configure the streaming media detection module
Best practices - Configuring the Stream Detector
Stream Detector settings
Global whitelisting
Configure global whitelisting
Global Whitelist rule set
SSL scanning
Configure SSL scanning
Configure the modules for SSL scanning
Replace the default root certificate authority
Client certificate list
SSL Scanner settings
SSL Client Context with CA settings
SSL Client Context without CA settings
Certificate Chain settings
SSL Scanner rule set
Hardware Security Module
Use a Hardware Security Module for key handling
Configure local use of a Hardware Security Module
Configure remote use of a Hardware Security Module
Select a private key on a Hardware Security Module
Working with a security infrastructure
Hardware Security Module settings
Advanced Threat Defense
Workflows for using Advanced Threat Defense
Criteria for additional scanning by Advanced Threat Defense
Configuration elements for using Advanced Threat Defense
Using an existing Advanced Threat Defense scanning report
Using an ongoing Advanced Threat Defense scanning run
Limiting object sizes for scanning by Advanced Threat Defense
Configure the use of Advanced Threat Defense
Configure key elements for using Advanced Threat Defense
Key elements for using Advanced Threat Defense
Configure settings for using Advanced Threat Defense
Monitoring the use of Advanced Threat Defense
Gateway ATD settings
Advanced Threat Defense rule set
ATD - Offline Scanning with Immediate File Availability rule set
Data loss prevention
Configure data loss prevention
Configure data loss prevention using default classifications
Configure data loss prevention using dictionary entries
Data Loss Prevention (Classifications) settings
Data Loss Prevention (Dictionaries) settings
Data Loss Prevention rule set
Preventing data loss using an ICAP server
12 Supporting functions
Progress indication
Configure progress indication
Configure the progress indication modules
Progress Page settings
Data Trickling settings
Progress Indication rule set
Bandwidth throttling
Bandwidth throttling rules
Configure bandwidth throttling
Web caching
Verify the enabling of the web cache
Web Cache rule set
Next-hop proxies
Next-hop proxy modes
Configure next-hop proxies
Add a next-hop proxy to a list
Configure the Next Hop Proxy module
Configure next-hop proxy stickiness
Next-hop proxies for SOCKS traffic
Best practices - Troubleshooting next-hop proxy issues
Next Hop Proxy settings
Add Next Hop Proxy settings
Protocol Detector settings
Next Hop Proxy rule set
13 User messages
Sending messages to users
Edit the text of a user message
Authenticate settings
Block settings
Redirect settings
Templates tab
Template Editor
14 Cloud single sign-on
How cloud single sign-on is configured
SSO process in proxy and non-proxy modes
Supported authentication methods
SSO Catalog of supported cloud services
Viewing the SSO Catalog
SSO Catalog in the user interface
SSO Catalog as a service
Generic vs. individual connector templates
Configure a custom cloud connector using a template
Delete a custom cloud connector
Locate information about the latest SSO updates
SSO Connector lists
Configuring cloud access through SSO Connector lists
Add a cloud connector to an SSO Connector list
Providing SSO services for HTTP cloud applications
The SSO credential model for HTTP cloud applications
Configure an HTTP cloud connector
Configure a generic HTTP cloud connector
Generic HTTP connector settings
Providing SSO services for SAML 2.0 cloud applications
How SAML single sign-on is initiated
Certificate management for SAML single sign-on
Configure a SAML2 cloud connector
SAML2 connector settings
Configure a generic SAML2 cloud connector
Generic SAML2 connector settings
Configuring external data sources for SAML single sign-on
SAML authentication using an external Identity Provider
SAML authentication process using an external Identity Provider
How Web Gateway supports static ACS URLs
High-level configuration tasks
Validating the SAML authentication response
Cookie authentication with SAML back end and fixed ACS URL — rule set
Providing SSO services for .NET and Java web applications
Configure a generic IceToken cloud connector
Generic IceToken connector settings
How the end user works with the application launchpad
Customizing the application launchpad
Edit the Launchpad.html file
Edit the default launchpad style sheet
Import a custom launchpad style sheet
Provide a custom logo for the launchpad
Creating bookmarks to cloud services for your organization
Monitoring logons to cloud services on the dashboard
Single Sign On rule set summary
Key elements for configuring cloud single sign-on
Single Sign On rule set reference
Select Services rule set
HTTPS Handling rule set
Launchpad rule set
OTP Authentication rule set
Get Login Action rule set
Process Common Tasks rule set
Perform SSO rule set
Single Sign On lists and settings
Single Sign On lists
Single Sign On settings
SSO certificate and private key settings
SSO logging overview
Enable SSO logging
SSO Log rule set reference
Resolving SSO issues
15 Cloud storage encryption
Encrypting and decrypting cloud storage data
Configure encryption and decryption of cloud storage data
Configure the settings for encrypting and decrypting data
Cloud Storage Encryption settings
Cloud Storage Encryption Support settings
Decrypt cloud storage data manually
Cloud Storage Encryption rule set
16 Hybrid solution
Working with the hybrid solution
Restrictions of the hybrid solution
Configure a hybrid solution
Configure settings for the hybrid solution
Select a rule set for the hybrid solution
Perform synchronization manually
Web Hybrid settings
Legacy hybrid solution
Synchronizing settings for the legacy hybrid solution
Web filtering settings for synchronization
Configure synchronization settings
Web Hybrid Legacy settings
17 Monitoring
Dashboard
Access the dashboard
Alerts tab
Charts and Tables tab
Logging
Administer logging
View log files
Log file types
Configure log file settings
Log File Manager settings
File System Logging settings
Create a log
Create a log handler
Elements of a logging rule
Best practices - Adding a log file field
Best practices - Creating a log
Access log rule set
Found Viruses Log rule set
Error handling
Error handling using error IDs
Error handling using incident information
Configure error handling
View the error handling rule sets
Best practices - Working with the Error Handler
Default error handler rule set
Performance measurement
View performance information
Configure performance measurement
Using properties in rules to log performance information
Using events in rules to measure rule set processing time
Event monitoring with SNMP
Configure the SNMP settings
SNMP settings
Transferring data for McAfee ePO monitoring
Configure the ePolicy Orchestrator settings
ePolicy Orchestrator settings
Bypass ePO Requests rule set
Best practices - Sending access log data to a syslog server
Add a rule for sending access log data
Adapt the rsyslog.conf system file for sending access log data
Resolving issues with sending access log data
Sending syslog data to McAfee Enterprise Security Manager
Configure the sending of syslog data
Adapt the rsyslog system file for the data transfer
Fine-tuning the collection and evaluation of syslog data
Resolving issues with the transfer of syslog data
18 Troubleshooting
Troubleshooting methods
Rule tracing
Debug rule processing issues using rule tracing
Rule tracing panes
Use rule tracing to find out why a request was blocked
Best practices - Find out why a web page displays no images
Restore removed rule traces to the rule tracing panes
Delete rule traces
Create a feedback file
Enable the creation of core files
Enable the creation of connection tracing files
Create a packet tracing file
Work with system and network tools
Restart a service of the operating system
Display running AV threads
Back up and restore an appliance configuration
Troubleshooting settings
A Configuration lists
List of actions
List of block reason IDs
List of error IDs
List of events
List of incident IDs
List of properties
Properties - A
Properties - B
Properties - C
Properties - D
Properties - E
Properties - F
Properties - G
Properties - H
Properties - I
Properties - J
Properties - L
Properties - M
Properties - N
Properties - P
Properties - Q
Properties - R
Properties - S
Properties - T
Properties - U
Properties - W
Wildcard expressions
Test a wildcard expression
List of important special glob characters
List of important special regex characters
B REST interface
Prepare use of the REST interface
Enable use of the interface
Give permission to access the interface
Working with the REST interface
Using curl as the data transfer tool
Authenticating to the interface
Requesting resources
Performing basic activities
Working on individual appliances
Working with system files
Working with log files
Working with files uploaded for troubleshooting
Working with lists
Sample scripts for working with the REST interface
C Third-party software
Third-party software list
Index
Preface
This guide provides the information you need to work with your McAfee product.
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
What's in this guide
This guide is organized to help you find the information you need.
The McAfee Web Gateway appliance is introduced with overviews of main functions, deployment
options, system architecture, and administrator activities.
This is followed by an explanation of how to set up the appliance and complete the first steps, up to the
point where you configure proxy, authentication, and web filtering functions.
Configuration of these main functions is explained in separate chapters.
It is also explained how to configure functions of the appliance system, such as domain name services,
port forwarding, or static routes, and how to set up an appliance as a node in a Central Management
configuration.
Chapters on monitoring and troubleshooting are provided at the end of the guide.
An appendix contains lists of important configuration elements, such as actions, events, properties,
and others.
Find product documentation
After a product is released, information about the product is entered into the McAfee online Knowledge
Center.
Task
1 Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.
2 In the Knowledge Base pane, click a content source:
• Product Documentation to find user documentation
• Technical Articles to find KnowledgeBase articles
3 Select Do not clear my filters.
4 Enter a product, select a version, then click Search to display a list of documents.
1 Introduction
The McAfee® Web Gateway (Web Gateway) appliance ensures comprehensive web security for your
network.
It protects your network against threats arising from the web, such as viruses and other malware,
inappropriate content, data leaks, and related issues. It also ensures regulatory compliance and a
productive work environment.
Contents
Filtering web traffic
Main functions of the appliance
Main components of the appliance
Deployment of the appliance
High-level administration activities
Filtering web traffic
The appliance is installed as a gateway that connects your network to the web and filters the traffic
that goes out and comes in.
Following the implemented web security rules, it filters the requests that users send to the web from
within your network and the responses that are sent back from the web. Embedded objects sent with
requests or responses are also filtered.
Malicious and inappropriate content is blocked, while useful matter is allowed to pass through.
Figure 1-1 Filtering web traffic: 1 – Your network (sends requests to the web); 2 – Web Gateway (filters requests and responses); 3 – Web (sends responses to your network).
Main functions of the appliance
Filtering web traffic is a complex process. The main functions of the appliance contribute to it in
different ways.
Filtering web objects
Special anti-virus and anti-malware functions on the appliance scan and filter web traffic and block
web objects if they are infected.
Other functions filter requested URLs, using information from the Global Threat Intelligence system,
or perform media type and application filtering.
They are supported by functions that do not filter themselves, but complete such jobs as counting
user requests or indicating the progress made in downloading web objects.
Filtering users
Authentication functions of the appliance filter users, using information from internal and external
databases and methods such as NTLM, LDAP, RADIUS, Kerberos, and others.
In addition to filtering normal users, the appliance also gives you control over administrator rights and
responsibilities.
Intercepting web traffic
This is a prerequisite for any filtering of web objects or users. It is achieved by the proxy functions of
the appliance, using different network protocols, such as HTTP, HTTPS, FTP, Yahoo, ICQ, Windows Live
Messenger, XMPP, and others.
The appliance can run in explicit proxy mode or in transparent bridge or router mode.
Monitoring the filtering process
The monitoring functions of the appliance provide a continuous overview of the filtering process.
They include a dashboard, which displays information on alerts, web usage, filtering activities, and
system behavior. Logging and tracing functions are also available, as well as options to forward data to
a McAfee ePolicy Orchestrator (McAfee ePO) server or do event monitoring with an SNMP agent.
Main components of the appliance
The McAfee Web Gateway appliance uses several subsystems to provide filtering and other functions,
based on its operating system.
Appliance subsystems
The subsystems of the appliance and their modules do the following:
• Core subsystem — Provides a proxy module for intercepting web traffic and a rule module for
processing the filtering rules that make up your web security policy.
This subsystem furthermore provides the modules (also known as engines) that complete special
jobs for the filtering rules and can be configured by you, for example, the Anti-Malware module,
the URL Filter module, or the Authentication module.
A flow manager module ensures efficient cooperation between the modules.
• Coordinator subsystem — Stores all configuration data processed on the appliance.
This subsystem also provides update and Central Management functions.
• Configurator subsystem — Provides the user interface (internal subsystem name is Konfigurator).
Figure 1-2 Appliance subsystems and modules
Operating system
The subsystems of the appliance rely on the functions of its operating system, which is MLOS2
(McAfee Linux Operating System version 2).
This version is also used by other Linux-based McAfee security products, for example, by McAfee Email
Gateway, which reduces your learning effort if you are the administrator for two or more of these
products.
The operating system provides functions for executing the actions that the filtering rules trigger, file
and network reading and writing, and access control.
A configuration daemon (sysconfd daemon) implements changed configuration settings in the
operating system.
Deployment of the appliance
Before you set up the McAfee Web Gateway appliance, consider how you want to use it. You can run it
on different platforms and configure different modes of network integration. You can also set up and
administer multiple appliances as nodes in a Central Management configuration.
Platform
You can run the appliance on different platforms.
• Hardware-based appliance — On a physical hardware platform
• Virtual appliance — On a virtual machine
Network integration
In your network, the appliance can intercept, filter, and transmit web traffic in different modes.
• Explicit proxy mode — The clients that the appliance communicates with are aware of it. You
must configure them “explicitly” to direct their traffic to the appliance.
• Transparent modes — The clients are not aware of the appliance.
  • Transparent bridge — The appliance acts as an “invisible” bridge between its clients and the
  web. You need not configure the clients for this.
  • Transparent router — The appliance routes traffic according to a routing table, which you
  need to fill out.
Administration and updates
You can administer the appliance and have updates distributed in different ways.
• Standalone — Administer the appliance separately, without it receiving updates from other
appliances.
• Central Management — Set up the appliance as a node in a complex configuration and
administer other nodes on its user interface, including the distribution of updates.
You can then also administer the appliance from other nodes and let it receive updates from them.
High-level administration activities
Administering the appliance includes different activities, depending on the requirements of your
network.
The following are recommended high-level administration activities.
Task
1 Perform the initial setup.
The setup procedure includes the initial configuration of system parameters, such as host name
and IP address, implementing an initial system of filtering rules, and licensing.
Two wizards are available in this phase: one for the initial configuration, another for the filtering
rules.
2 Configure the proxy functions.
After the initial setup, explicit proxy mode and the HTTP protocol are preconfigured on the
appliance.
You can modify this setup and also configure other network components that the appliance
communicates with.
3 Consider implementing authentication.
Authentication is not implemented on the appliance by default.
If you want to implement it, you can choose from a number of different authentication methods,
including NTLM, LDAP, Kerberos, and others.
4 Configure web filtering.
You can review the rules that have been implemented during the initial setup for virus and malware
filtering, URL filtering, media type filtering, and other filtering-related processes.
You can fine-tune these rules and adapt them to the needs of your network.
Working on the filtering rules includes maintaining the lists that the rules use and configuring the
settings for rule actions and the modules that are involved in the filtering process.
5 Monitor the appliance behavior.
When you have configured the appliance according to your requirements, you can monitor it to see
how it performs the filtering process.
You can also monitor system functions, such as CPU and memory usage, number of active
connections, and others.
For more information on these activities, see the sections that deal with them, for example, under
Setup, Authentication, or Web filtering.
2 User interface
The user interface allows you to work with rules, lists, settings, accounts, and other items for
administering Web Gateway. It provides information on key filtering and system parameters and
enables you to perform troubleshooting measures.
Contents
Main elements of the user interface
Supporting configuration functions
Configuring a web security policy on the user interface
Administering Web Gateway without the user interface
Main elements of the user interface
The main elements of the user interface can be seen in the following sample screen.
Figure 2-1 User interface
The table below describes the main elements of the user interface.
Table 2-1 Main elements of the user interface
System information line — Displays system and user information.
User Preferences — Opens a window to let you configure settings for the user interface and change your password.
Logout — Logs you off from the user interface.
Help icon — Opens the online Help. You can browse through its pages or navigate on a tree structure and perform a full text search or search for index terms.
Top-level menu bar — Lets you select one of the following menus:
• Dashboard — For viewing information on events, web usage, filtering activities, and system behavior
• Policy — For configuring your web security policy
• Configuration — For configuring the system settings of the appliance
• Accounts — For managing administrator accounts
• Troubleshooting — For solving problems on the appliance
Search — Opens a window with the following search options:
• Search for objects — Lets you search for rule sets, rules, lists, and settings. Typing a search term in the input field displays all objects with names matching the search term.
• Search for objects referring to — Lets you select a list, property, or settings and displays all rules that use the selected item.
Save Changes — Saves your changes.
Tab bar — Provides the tabs of the currently selected top-level menu. The top-level menus have the following tabs:
• Dashboard
  • Alerts
  • Charts and Tables
• Policy
  • Rule Sets
  • Lists
  • Settings
  • Templates
• Configuration
  • Appliances
  • File Editor
• Accounts
  • Administrator Accounts
The Troubleshooting top-level menu has no tabs.
Toolbar (on tab) — Provides varying tools (depending on the selected tab).
Navigation pane — Provides tree structures of configuration items, such as rules, lists, and settings.
Configuration pane — Provides options for configuring the item that is currently selected on the navigation pane.
Supporting configuration functions
The user interface provides several functions to support your configuration activities.
Table 2-2 Supporting administration functions
Yellow triangle — Appears attached to the name of a list that is still empty and needs to be filled by you.
Some filter lists are created, but not filled by the policy configuration wizard because they are too sensitive.
Yellow text insert — Appears when you move your mouse pointer over an item on the user interface, providing information on the meaning and usage of the item.
OK icon — Appears in a window when the input you entered is valid.
False icon — Appears in a window when the input you entered is invalid.
Message text — Appears with the False icon, providing information on your invalid input.
Light red color of input field — Indicates an invalid entry.
Save Changes — The button turns red when you change an item. It turns gray again when you have saved your changes.
Red triangle — Appears attached to tabs, icons, and list entries when you have changed an item and not yet saved.
For example, when you have changed a rule, the red triangle appears:
• In the row of the rule entry on the settings pane
• On the rule set icon
• On the projection of the Rule Sets tab
• On the Policy icon of the top-level menu bar
Discarding changes
When you have been performing administrator activities on the user interface, you can discard
changes you have made instead of saving them.
One option to discard changes is a positive answer when prompted at logoff whether you really want
to do it with unsaved changes.
Another option is to discard changes and reload configuration data.
Reloading configuration data restores the configuration that existed after it was last saved, which can
have been done by you or another administrator. If no changes have been saved yet after the initial
setup of the appliance, the initial setup configuration is restored.
Discard changes by reloading data
You can discard changes you have configured on the user interface by reloading the existing configuration data.
Task
1 Click the small black triangle next to the Save Changes button.
An insert reading Reload Data from Backend appears.
2 Click the insert.
Pending changes are discarded and the configuration data is reloaded.
Configuring a web security policy on the user interface
On the user interface, you can configure a web security policy for your network.
A web security policy is implemented on Web Gateway by various rules, which are grouped into rule
sets. The rules in a rule set usually deal with a particular field of web security. For example, there can
be a rule set with rules for anti-malware filtering, for URL filtering, for media type filtering, and so on.
You can view these rules and rule sets on the user interface, edit them, delete them, and also create
new rules and rule sets.
A rule contains several elements. For example, a URL filtering rule could contain a list of categories for
URLs, a block action, and other elements. When a user sends a request for web access, the rule would
block this request if a URL is submitted with it that falls into one of these categories.
By including this rule in your web security policy, you can make sure that users cannot access, for
example, websites that fall into the categories Online Shopping, Entertainment, or Drugs, from within
your network.
Policy tabs
The user interface provides three tabs for configuring a web security policy.
• Rule Sets tab — On this tab, you can perform all activities for configuring web security rules. You can also work with the lists and settings that are used in rules on this tab.
For more information about working with rules, see the Rules chapter.
• Lists tab — This tab provides an alternative method of access to the lists that are used in rules. You can select lists from the lists tree and configure them.
For more information about working with lists, see the Lists chapter.
• Settings tab — This tab provides an alternative method of access to the settings that are used in rules. You can select settings from the settings tree and configure them.
In rule configuration on Web Gateway, the term settings is used to refer to a group of parameters that are set to particular values. There are two kinds of settings:
  • Settings for the modules (also known as engines) that perform jobs in rule processing, for example, for the Anti-Malware module, which scans web objects for infections by viruses and other malware
  • Settings for the actions that are executed by rules, for example, for the Block action
There can be various settings for a module or action. This way a module can perform its job in different ways or an action can be executed in different ways, depending on which of the various settings are configured for a module or action.
For more information about working with settings, see the Settings chapter.
• Templates tab — This tab allows you to work with templates that are used for configuring messages to users of Web Gateway.
For more information about working with templates, see the User messages chapter.
Working with the Rule Sets tab
On the Rule Sets tab, you can select a rule set, for example, the URL Filtering rule set, and configure its rules.
Two different rule set views are available, which allow you to work with:
• Key elements of rules — This rule set view shows key elements of the rules in a particular rule set, but not the complete rules with all elements that might be configured.
Key elements are the elements that you will most likely want to modify when you are configuring your web security policy. This rule set view allows you to focus your attention on working with these elements.
This rule set view appears when you:
  • Select a default rule set
  • Import some rule sets from the rule set library
Some library rule sets do not appear in this view.
This rule set view does not appear for rule sets that you have created on your own.
The following is an example of a key element that can be configured in this view.
Figure 2-2 Sample key element - URL whitelist
A URL whitelist is an element, for example, of a rule for URL filtering.
Click Edit to open the list for editing.
• Complete rules — This rule set view shows complete rules, and shows all the rules that are contained in a particular rule set. You can select individual elements from these rules, including the key elements, and configure them. You can also create new rules in this view or delete rules.
When you select a default rule set or a library rule set for which both views are provided, you need to leave the key elements view before you can work with the complete rules view. After leaving the key elements view, you cannot return to this view unless you discard all changes or re-import the rule set.
The URL whitelist example is a key element of a rule for URL filtering, which looks as follows when it is displayed in the complete rules view.
Figure 2-3 Sample element within a complete rule - URL whitelist
Click URL WhiteList to open the list for editing.
See also
Key elements view on page 28
Complete rules view on page 30
Key elements view
The key elements view shows key elements of the rules in a rule set and allows you to configure them.
Figure 2-4 Key elements view
Options of the key elements view
The following table describes the options of the key elements view.
Table 2-3 Options of the key elements view
Rule set name field — Shows the default name of the rule set that key elements are displayed for and lets you edit this name.
Rule set description field — Shows the default description of the rule set that key elements are displayed for and lets you edit this description.
Enable — When selected, the rule set with the key elements you are currently configuring is enabled.
Unlock View — Leaves the key elements view and displays the corresponding complete rules view.
A confirmation message appears. Be aware that after leaving the key elements view, you cannot return to it unless you discard all changes or re-import the rule set.
On the rule sets tree, icons before the rule set name show which of the two views is currently enabled:
• Rule set in key elements view
• Rule set in complete rules view
• To work with nested rule sets, click Unlock View for the nesting rule set. The nested rule sets appear on the rule sets tree, with the complete rule sets view enabled for each of them.
• To display the nested rule sets of the default Common Rules rule set, expand this rule set. The complete rules view is already enabled for the last of the nested rule sets, while the others are still displayed in the key elements view.
You can use the Unlock option of the rule set context menu to leave the key elements view for one or more rule sets at once.
1 Select one rule set or several rule sets at once, then right-click and select Unlock.
You can also expand a rule set that includes nested rule sets and select one or more nested rule sets.
2 Confirm that you want to leave the key elements view.
The complete rules view is enabled for all selected rule sets.
Permissions — Opens a window for configuring who is allowed to access the rule set with the key elements you are currently configuring.
Key elements for a rule set — The key elements vary for each rule set.
Key elements for related functions are displayed in a group. Each group is preceded by a group header.
For example, on the key elements view for URL filtering, key elements are displayed in the groups Basic Filtering, SafeSearch, and others.
These groups contain key elements for basic URL filtering, for additionally using SafeSearch functions in the filtering process, and for other functions.
Configure a key element
The following is a sample task for configuring a key element of a web security rule.
A URL is entered into a URL whitelist. This whitelist is a key element of a rule in the default URL
Filtering rule set.
When a request for access to a web object is received on Web Gateway, the rule lets the request skip
URL filtering if the URL that is submitted with the request is on the whitelist. This reduces filtering
effort and time for requests to access "allowed" web objects.
The URL entry in the sample is http://www.mcafee.com/*. Due to the wildcard element (*), all
requests with URLs that match this entry, for example, http://www.mcafee.com/us/products/
web-gateway.aspx, will skip URL filtering.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the URL Filtering rule set.
Key elements of the rules in this rule set appear in the configuration pane.
3 Under Basic Filtering, click Edit next to URL Whitelist.
The Edit List window opens.
4 Enter a URL into the whitelist.
  a Under List content, click the Add icon.
  The Add Wildcard Expression window opens.
  b In the Wildcard Expression field, type http://www.mcafee.com/*.
  c Click OK.
  The Add Wildcard Expression window closes, and the URL appears in the list of the Edit List window.
5 Click OK.
The Edit List window closes.
6 Click Save Changes.
Complete rules view
The complete rules view shows the complete rules that are contained in a rule set. It allows you to
work with their elements, including the key elements.
You can edit and delete rules and create rules of your own. You can also edit, delete, and create rule
sets. New rule sets can be filled with existing rules, as well as with rules of your own.
You can also import rule sets from a rule set library on Web Gateway and from an online rule set
library. You can then work with these rule sets and their rules in the same way as with any other rules
and rule sets.
Figure 2-5 Complete rules view
For more information about the complete rules view, see the Rules chapter.
Configure a rule element in the complete rules view
The following is a sample task for configuring an element of a web security rule in the complete rules
view.
A URL is entered into a URL whitelist. This whitelist is an element of a rule in the default URL Filtering
rule set. The steps for accomplishing this are almost the same as for completing this task in the key
elements view. Only the way the URL whitelist is accessed is different.
When a request for access to a web object is received on Web Gateway, a rule lets the request skip
URL filtering if the URL that is submitted with the request is on the whitelist. This reduces filtering
effort and time for requests to access "allowed" web objects.
The URL entry in the sample is http://www.mcafee.com/*. Due to the wildcard element (*), all
requests with URLs that match this entry, for example, http://www.mcafee.com/us/products/
web-gateway.aspx, will skip URL filtering.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the URL Filtering rule set.
Key elements of the rules in this rule set appear in the configuration pane.
3 Click Unlock View to leave the key elements view.
A message asks you to confirm that you want to leave the key elements view, and also warns you that you cannot return to this view.
4 Click Yes.
The complete rules view appears.
5 In the rule Allow URLs that match in URL WhiteList, click URL WhiteList.
The Edit List window opens.
6 Enter a URL into the whitelist.
  a Under List content, click the Add icon.
  The Add Wildcard Expression window opens.
  b In the Wildcard Expression field, type, for example, http://www.mcafee.com/*.
  c Click OK.
  The Add Wildcard Expression window closes, and the URL appears in the list of the Edit List window.
7 Click OK.
The Edit List window closes.
8 Click Save Changes.
For more information about working with rules and rule sets, see the Rules chapter.
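Both tasks above rely on the wildcard entry http://www.mcafee.com/* matching every URL under that host, and on the Allow URLs that match in URL WhiteList rule letting such requests skip URL filtering. The following Python script is an added example; it is not part of this guide and not Web Gateway code. It assumes, which the guide does not state, that * matches any run of characters (including / and .) and that every other character is literal. It reproduces the match and adds the review a practitioner should do before saving such a list: flag entries whose scheme or host is not pinned down, since those let unrelated hosts bypass URL filtering. The sample whitelist is constructed; only its first entry comes from the tasks.

```python
import re

# Constructed sample whitelist. The first entry is the one used in the tasks above;
# the other entries are made up here to show what the breadth check reports.
SAMPLE_WHITELIST = [
    "http://www.mcafee.com/*",    # fixed scheme and host, any path: what the task intends
    "https://*.example.com/*",    # any subdomain of one domain: still bounded
    "http://www.mcafee.com*",     # no '/' after the host: www.mcafee.com.evil.test also matches
    "*://*/*",                    # matches every URL, which disables URL filtering
]


def wildcard_to_regex(entry):
    """Translate a wildcard expression into an anchored regular expression.

    Assumption (not stated in the guide): '*' matches any run of characters,
    including '/' and '.', and every other character is taken literally.
    """
    pieces = (re.escape(piece) for piece in entry.split("*"))
    return re.compile("^" + ".*".join(pieces) + "$")


def is_whitelisted(url, whitelist):
    """True if the URL matches at least one entry, the condition under which the rule skips URL filtering."""
    return any(wildcard_to_regex(entry).match(url) for entry in whitelist)


def split_entry(entry):
    """Split an entry into (scheme, host, path) at '://' and the first '/' after it."""
    scheme, sep, remainder = entry.partition("://")
    if not sep:
        scheme, remainder = "", entry
    host, slash, path = remainder.partition("/")
    return scheme, host, slash + path


def breadth_findings(whitelist):
    """Return (entry, reason) pairs for entries that bypass filtering for more than one intended host."""
    findings = []
    for entry in whitelist:
        scheme, host, _path = split_entry(entry)
        if not scheme or "*" in scheme:
            findings.append((entry, "scheme is not fixed"))
        if host in ("", "*"):
            findings.append((entry, "host is a bare wildcard"))
        else:
            # A leading '*.' (any subdomain of one domain) is acceptable; any other
            # wildcard in the host also matches longer host names such as host.evil.test.
            label_part = host[2:] if host.startswith("*.") else host
            if "*" in label_part:
                findings.append((entry, "wildcard inside the host name also matches longer host names"))
    return findings


if __name__ == "__main__":
    sample_url = "http://www.mcafee.com/us/products/web-gateway.aspx"
    print(sample_url, "skips URL filtering:", is_whitelisted(sample_url, SAMPLE_WHITELIST[:1]))
    for entry, reason in breadth_findings(SAMPLE_WHITELIST):
        print(f"review {entry!r}: {reason}")
```

The entry from the tasks passes the breadth check because the / after the host name anchors it; dropping that slash is the difference between the first and third sample entries, and the check reports it.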
Administering Web Gateway without the user interface
An additional interface is provided that allows you to administer Web Gateway without being logged on
to its standard user interface. This alternative interface is referred to as REST (Representational State
Transfer) interface.
Using the REST interface, you can perform administration activities on a particular Web Gateway
appliance and on others that are connected to it, for example, turn off an appliance, restart it, work
with lists and settings, or trigger updates.
For an introduction to the REST interface that explains basic methods of working with it and provides
sample script lines for communicating with the interface, see the REST interface section in the
appendix of this guide.
3 System configuration
The appliance system provides basic functions that are used by other functions, such as web filtering,
authentication, or quota management. You can configure this system to adapt it to the requirements
of your network.
When configuring the appliance system, you are dealing mainly with:
• System settings — Are configured for network interfaces, DNS servers, proxies, Central Management, and other components and methods that are related to the appliance system
• System files — Contain settings for functions of the appliance system that can be modified using the File Editor
• Database updates — Ensure that relevant information is made available to the filtering functions of an appliance
System configuration is in part performed during the initial setup of an appliance. After this setup, you
can complete further configuration activities for the appliance system.
Contents
Initial setup system settings
System configuration after the initial setup
Configure the system settings
Appliances tab
System settings for general appliance functions
System settings for network functions
Network interface bonding
Source-based routing
System files
File Editor tab
Cache volume resizing
Database updates
Closed network updates
Initial setup system settings
Performing the initial setup of an appliance includes configuring some of its system settings.
You can leave the initial settings at their default values or implement your own settings. Later on, you
can still modify these settings.
The following table shows the settings that are configured at the initial setup and their default values.
Table 3-1 Initial setup system settings
Primary network interface — eth0
Autoconfiguration with DHCP — yes
Host name — mwgappl
Root password — <none>
Remote root logon with SSH — on
Default gateway — <configured by DHCP>
DNS server — <configured by DHCP>
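Table 3-1 states that a freshly set up appliance has no root password, permits remote root logon with SSH, and carries the host name mwgappl. The following Python script is an added example, not part of this guide and not Web Gateway code; it compares values read from an appliance against those three defaults and reports which ones are still in place. It assumes, which the guide does not state, that the SSH setting is an OpenSSH sshd_config PermitRootLogin keyword and that the root password state is the password field of a /etc/shadow entry. The sample inputs are constructed.

```python
import re

# Default host name from Table 3-1 of the guide.
DEFAULT_HOSTNAME = "mwgappl"

# Constructed sample inputs; nothing here was read from a real appliance.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
# sshd keeps the first value of a keyword, so the next line is ignored
PermitRootLogin no
Match Address 10.0.0.0/8
    # settings inside a Match block are conditional, not global
    PermitRootLogin no
"""
SAMPLE_SHADOW_ROOT = "root::17000:0:99999:7:::"   # empty second field: no password set


def parse_sshd_config(text):
    """Return the effective global sshd_config keywords as a lower-case dict.

    Mirrors how sshd reads the file: the first occurrence of a keyword wins,
    lines starting with '#' are comments, keyword and value may be separated
    by blanks or '=', and global parsing stops at the first Match block.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def shadow_password_field(shadow_line):
    """Return the password field (second colon-separated field) of a shadow entry."""
    return shadow_line.split(":")[1]


def audit_initial_settings(hostname, shadow_root_line, sshd_config_text):
    """Compare the given values against the Table 3-1 defaults and return a list of findings."""
    findings = []
    if hostname == DEFAULT_HOSTNAME:
        findings.append("host name is still the initial default 'mwgappl'")
    if shadow_password_field(shadow_root_line) == "":
        findings.append("root has no password (initial default)")
    # Table 3-1 says remote root logon with SSH is on after setup, so a missing
    # keyword is treated as 'yes' (assumption: the build does not alter sshd's default).
    permit = parse_sshd_config(sshd_config_text).get("permitrootlogin", "yes").lower()
    if permit != "no":
        findings.append(f"remote root logon with SSH is enabled (PermitRootLogin {permit})")
    return findings


if __name__ == "__main__":
    for finding in audit_initial_settings("mwgappl", SAMPLE_SHADOW_ROOT, SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed inputs, all three defaults are reported; an appliance with a renamed host, a set root password and PermitRootLogin no produces an empty list.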
System configuration after the initial setup
All settings for the appliance system can be configured after its initial setup. This includes the
modification of the settings that were configured during this setup.
Settings for the appliance system can be configured in different fields.
System settings for general functions
Some system settings are configured for functions of the appliance system that provide general
services, such as licensing or date and time on an appliance.
See also
License settings on page 37
Telemetry settings on page 38
Date and Time settings on page 40
File Server settings on page 41
User Interface settings on page 42
Network system settings
Network system settings are configured to integrate the appliance system into the network.
Some network system settings are already configured at the initial setup, including settings for the
primary network interface of an appliance and the DNS server that is used by an appliance.
Later on, you can also configure settings for the proxy functions, port forwarding, static routes, and
other network-related functions.
See also
Network Interfaces settings on page 46
Domain Name Service settings on page 123
Network Protection settings on page 49
Port Forwarding settings on page 50
Static Routes settings on page 51
Proxies settings on page 106
Authentication and quota system settings
Authentication and quota system settings are configured to implement methods for authenticating
users on an appliance and imposing restrictions on their web usage.
Configuring authentication and quotas is mainly done on an appliance by working with rules in
authentication and quota rule sets.
However, a few authentication functions are configured as settings of the appliance system, including
settings for the Kerberos authentication method and for Windows domain membership.
Some quota parameters are also configured as system settings.
See also
Kerberos Administration settings on page 258
Windows Domain Membership settings on page 260
Quota system settings on page 325
Web filtering system settings
Web filtering system settings are configured to implement functions for filtering web objects on an
appliance.
Web filtering configuration is mainly done on an appliance by working with rules in web filtering rule
sets, such as the Gateway Antimalware or the URL Filter rule set.
However, a few web filtering functions are configured as settings of the appliance system, for example,
the anti-malware queue, which collects web objects in a queue to limit work load for the scanning
modules of an appliance.
See also
Anti-Malware system settings on page 340
Central Management system settings
Central Management system settings are configured when you are running multiple appliances as
nodes in a common configuration.
In a Central Management configuration, you can also configure system settings for other nodes from
the node you are logged on to.
See also
Central Management settings on page 161
System settings for logging and troubleshooting
System settings for logging and troubleshooting are configured to control the log file manager on an
appliance and also for using external components to record log data.
Use of external components includes forwarding data to a McAfee ePO server and monitoring events
with an SNMP agent.
See also
Log File Manager settings on page 582
ePolicy Orchestrator settings on page 615
SNMP settings on page 612
Configure the system settings
You can configure settings for the appliance system to adapt it to the requirements of your network.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select an appliance and click the system settings you want to configure.
3 Configure these settings as needed.
4 Click Save Changes.
See also
System configuration after the initial setup on page 34
Appliances tab
Use the Appliances tab to configure system settings on an appliance.
Figure 3-1 Appliances tab
Main elements of the Appliances tab
The following table describes the main elements of the Appliances tab.
Table 3-2 Main elements of the Appliances tab
Appliances toolbar — Toolbar with items for adding appliances to a Central Management configuration, removing them, and updating them all at once
Appliances tree — Tree structure of appliances with the system settings for each appliance
Appliance toolbar — Toolbar with items for working with a selected appliance (appears when an appliance is selected on the appliances tree)
Appliance settings — System settings for the selected appliance
Appliances toolbar
The appliances toolbar provides the following options.
Table 3-3 Appliances toolbar
Add — Opens the Add Appliance window for adding an appliance.
Delete — Deletes a selected appliance. A window opens to let you confirm the deletion.
Manual engine update — Updates DAT files with virus signatures and other filtering information for all appliances in a Central Management configuration.
Appliance toolbar
The appliance toolbar provides the following options.
Table 3-4 Appliance toolbar
Reboot — Restarts an appliance.
Flush cache — Flushes the web cache of an appliance.
Update appliance software — Installs an updated version of the appliance software.
Shutdown — Lets an appliance become inactive.
Rotate logs — Rotates log files on an appliance.
Rotate and push logs — Rotates log files on an appliance and pushes them to the destination that is specified within the Log File Manager settings.
System settings for general appliance functions
Some system settings are configured for functions that provide general services of the appliance
system.
Settings for general appliance functions include:
• License settings
• Date and Time settings
• File Server settings
• User Interface settings
License settings
The License settings are used for importing a license to an appliance. Information about the license is
shown together with these settings, and options for reviewing the agreements on license and data
usage.
License Administration
Settings for importing a license
Table 3-5 License Administration
Import license — Provides the options that are required for importing a license.
I have read and accept the end user license agreement — Provides a link to the End User License Agreement and a checkbox to select after reading the document.
To import a license, the checkbox must be selected, otherwise the import options remain grayed out.
License file — Shows the name and path of the license file that has been selected after browsing the local file system.
When the name and path appear in this field, more license information is shown under License information.
The license is activated by clicking Save Changes.
Browse — Opens the local file system to let you browse for a license file.
License Information
Information about an imported license and an option for reviewing the Data Usage Statement
Table 3-6 License Information
Status — Shows the name of a license file.
Creation — Shows the date when a license file was created.
Expiration — Shows the date when a license file expires.
License ID — Shows the ID of a license.
Customer — Shows the name of the license owner.
Customer ID — Shows the ID of the license owner.
Seats — Shows the number of workplaces in the license owner's organization that the license is valid for.
Evaluation — Shows whether the license has been evaluated.
Features — Lists the features of Web Gateway that are covered by the license.
I have read and understood the data usage statement — Provides a link to the Data Usage Statement.
Telemetry settings
The Telemetry settings are used for configuring the collection of feedback data about web objects that
are potentially malicious, as well as about policy configuration.
Feedback Settings
Settings for collecting feedback data
You can separately enable or disable each of the following options.
Table 3-7 Feedback Settings
Send feedback to McAfee about system information and suspicious URLs to improve its threat prediction and protection services — When selected, feedback data is collected and sent to special McAfee feedback servers.
McAfee collects this data to analyze it and improve the threat prediction and protection features of Web Gateway.
For more information, see the Data Usage Statement.
Send feedback to McAfee about potentially malicious websites — When selected, relevant data for virus and malware filtering is collected and sent to a special McAfee feedback server.
Send feedback to McAfee about dynamically classified websites — When selected, relevant data for classifying websites is collected and sent to a special McAfee feedback server.
Send feedback to McAfee about policy configuration to improve the product — When selected, relevant data for policy configuration is collected and sent to a special McAfee feedback server.
Further Information
Link to the Data Usage Statement
Table 3-8 Further Information
Data Usage Statement — Provides a link to the data usage statement, which explains:
• What McAfee uses collected feedback data for
• What data is collected
• How data collection can be turned off for different types of data
The data usage statement has also been presented to you at the initial setup of the appliance.
Advanced Settings
Advanced settings for collecting feedback data
Table 3-9 Advanced Settings
Use upstream proxy — When selected, a proxy server is used to send feedback data to McAfee.
IP or name of the proxy — Specifies the IP address or host name of the proxy server.
Port of the proxy — Specifies the port number of the port on the proxy server that listens for requests to send feedback data.
The port number can range from 1 to 65635.
The default port number is 9090.
User name — Provides the user name that is required for logging on to the proxy server.
Password — Provides the password that is required for logging on to the proxy server.
Clicking Set opens a window for setting the password.
Choose feedback server — When selected, an IP address and port number can be configured for the server that feedback data is sent to.
IP of the server — Specifies the IP address of the feedback server.
Port of the server — Specifies the port number of the port on the feedback server that listens for requests to send data.
The port number can range from 1 to 65635.
The default port number is 443.
Port of the server — When selected, feedback-sending activities are logged.
Date and Time settings
The Date and Time settings are used for configuring the time servers that synchronize date and time
of the appliance system. They also allow you to set the system time manually.
Date and Time
Settings for date and time of the appliance system
Table 3-10 Date and Time
Option
Definition
Enable time synchronization with NTP servers
When selected, the appliance uses time servers under the NTP (Network Time Protocol) for time synchronization.
The system time of the appliance is then synchronized with the time on the NTP servers. This will fail, however, if the delta between both times is too big.
We therefore recommend that you restart the appliance after configuring time synchronization with NTP servers. When the appliance restarts, it sets system time to the time on the NTP servers.
NTP server list
Provides a list for entering the servers that are used for time synchronization
under the NTP protocol.
The list elements are as follows:
• String — Specifies the name of an NTP server.
• Comment — Provides a plain-text comment on an NTP server.
Select time zone
Provides a list for selecting a time zone.
Time synchronization performed by the NTP servers or a manually set time refers to the time zone that you select here.
Set System Time Manually
Settings for configuring time and date on the appliance system manually
Table 3-11 Set System Time Manually
Option
Definition
Current date and time
Provides items for setting date and time of the appliance system.
• Date — Enables you to enter a date by typing it in the field or using a calendar.
• Calendar icon — Opens a calendar for selecting a date.
After selecting a date on the calendar and clicking OK, the date appears in the date
field.
• Time — Lets you specify a time by typing it.
Set now
Sets the date and time you have entered into the corresponding fields.
File Server settings
The File Server settings are used for configuring dedicated file server ports on an appliance to enable,
for example, the downloading of files by clients.
HTTP Connector Port
Settings for dedicated file server ports on an appliance
Table 3-12 HTTP Connector Port
Option
Definition
Enable dedicated file server port over HTTP
When selected, the dedicated HTTP file server ports configured below are enabled.
HTTP connector
Specifies the port number of the dedicated HTTP file server port.
You can enter more than one port number here, separating them by commas. The allowed range is 1024 to 65335.
You can set up a port forwarding rule if you want to forward requests to ports 1–1023.
Instead of entering a port number alone, you can enter it with an IP address. This
means connecting to an appliance over this port is only allowed when using the
specified address.
For example:
An appliance has two interfaces with IP addresses as follows:
eth0: 192.168.0.10, eth1: 10.149.110.10
You enter the following under HTTP connector:
4711, 192.168.0.10:4722
Then connecting to the appliance over port 4711 is allowed using both IP addresses,
whereas connecting over port 4722 requires that IP address 192.168.0.10 is used.
Restricting connections in the latter way can be used for setting up an intranet.
Enable dedicated file server port over HTTPS
When selected, a dedicated HTTPS file server port is enabled.
HTTPS connector
Specifies the port number of the dedicated HTTPS file server port.
You can enter more than one port number here, separating them by commas. The allowed range is 1024 to 65335.
Entering an IP address with a port number can be done in the same way as for the HTTP connector and has the same meaning.
You can set up a port forwarding rule if you want to forward requests to ports 1–1023.
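As an added example (not code from the guide or the product), the following Python parses a connector entry in the "port" or "IP address:port" form described above and expands it against the interface addresses from the example, so you can see on which interfaces each file server port would accept connections and catch a bind address that belongs to no interface. The interface table and the helper names are assumptions made for this example.

```python
"""Expand a dedicated file server port specification ("port" or "ip:port"
entries separated by commas) into the ports reachable on each interface.
Added example; the helper names and the interface table are assumptions."""
import ipaddress

# The guide gives 1024 as the lower bound for dedicated file server ports;
# ports 1-1023 need a port forwarding rule instead. 65535 is the highest
# valid TCP port number.
MIN_PORT = 1024
MAX_PORT = 65535


def parse_connector_spec(spec):
    """Return a list of (bind_ip, port) tuples; bind_ip is None for a bare port.

    Raises ValueError for a port outside the allowed range or an address that
    is not a valid IPv4 address (the guide's examples use IPv4 only).
    """
    entries = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        bind_ip = None
        port_text = item
        if ":" in item:
            ip_text, port_text = item.rsplit(":", 1)
            bind_ip = str(ipaddress.IPv4Address(ip_text.strip()))
        port = int(port_text)
        if not MIN_PORT <= port <= MAX_PORT:
            raise ValueError(f"{item!r}: port must be {MIN_PORT}-{MAX_PORT}")
        entries.append((bind_ip, port))
    return entries


def expand_listeners(spec, interfaces):
    """Map each interface name to the set of ports reachable through it.

    interfaces: dict of interface name -> IPv4 address, e.g. the guide's
    {"eth0": "192.168.0.10", "eth1": "10.149.110.10"} (constructed here).
    A bare port is reachable on every interface; "ip:port" only on the
    interface that owns that address. Entries whose bind address belongs to
    no interface are returned separately rather than silently dropped.
    """
    owner = {addr: name for name, addr in interfaces.items()}
    listeners = {name: set() for name in interfaces}
    unbound = []
    for bind_ip, port in parse_connector_spec(spec):
        if bind_ip is None:
            for ports in listeners.values():
                ports.add(port)
        elif bind_ip in owner:
            listeners[owner[bind_ip]].add(port)
        else:
            unbound.append((bind_ip, port))
    return listeners, unbound


def exposed_ports(spec, interfaces, untrusted):
    """Ports that accept connections on any interface in the set `untrusted`.

    Useful for confirming that a port meant for the intranet (bound to the
    internal address) is not reachable through an interface facing other
    networks.
    """
    listeners, _ = expand_listeners(spec, interfaces)
    return set().union(*(listeners[n] for n in untrusted if n in listeners))


if __name__ == "__main__":
    # The guide's example: eth0 192.168.0.10, eth1 10.149.110.10
    ifaces = {"eth0": "192.168.0.10", "eth1": "10.149.110.10"}
    print(expand_listeners("4711, 192.168.0.10:4722", ifaces))
```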
User Interface settings
The User Interface settings are used for configuring elements of the local user interface of an appliance.
These elements include ports, the logon page, a certificate for SSL-secured communication, and other
items.
UI Access
Settings for configuring the way that the user interface of an appliance can be accessed
Table 3-13 UI Access
Option
Definition
HTTP connector
Provides options for configuring access to the user interface under the HTTP
protocol.
• Enable local user interface over HTTP — When selected, you can connect to the user
interface under the HTTP protocol.
• HTTP connector — Specifies a port for connecting to the user interface under HTTP.
• Enable REST interface over HTTP — When selected, you can connect to the REST
interface under the HTTP protocol.
HTTPS connector
Provides options for configuring access to the user interface under the HTTPS
protocol.
• Enable local user interface over HTTPS — When selected, you can connect to the user
interface under the HTTPS protocol.
• HTTPS connector — Specifies a port for connecting to the user interface under HTTPS.
• Enable REST interface over HTTPS — When selected, you can connect to the REST
interface under the HTTPS protocol.
HTTPS client certificate connector
Provides options for configuring a client certificate connector.
• Enable client certificate authentication — When selected, client certificate authentication
can be performed.
• HTTPS connector for client certificate authentication — Specifies a port for connecting to the
user interface when client certificate authentication is performed.
• Redirect target after authentication — When selected, a request is redirected after client
certificate authentication has successfully been performed.
• Redirection host and port — Specifies the host system and the port on this system that
requests are redirected to.
Miscellaneous
Provides miscellaneous options for configuring access to the user interface.
• Session timeout — Limits the time (in minutes) that elapses before a session on the
user interface is closed if no activities occur.
The range for the session timeout is 1–99,999 minutes.
The timeout is 30 minutes by default.
Login Page Options
Settings for the page that is used to log on to the user interface of an appliance
Table 3-14 Login Page Options
Option
Definition
Allow browser to save login credentials
When selected, credentials submitted by a user for logging on to an appliance are saved by the browser.
Restrict browser session to IP address of user
When selected, a session for working with the user interface is only valid as long as the IP address of the client that the user started this session from remains the same.
Let user decide to restrict session for IP address or not
When selected, it is up to the user who started a session for working with the user interface whether it should be valid only for the IP address of the client that the session was started from.
Allow multiple logins per login name
When selected, more than one user can log on to the user interface using the same user name and password.
Use HTTPOnly session cookies (applet loading may take longer)
When selected, HTTPOnly cookies are used for a session with the user interface.
Maximum number of active applet users
Limits the number of users that can be logged on to the user interface of an appliance at the same time.
The maximum number of users is 20 by default.
Login message
Provides the following options for displaying an additional message on the
page used for logging on to the user interface.
You can work with these options if you want to display a message, for
example, to comply with internal policies or external regulations.
• Show on login page — When selected, the text that you type in the HTML message field appears on the logon page.
• HTML message — The text that you type in this field appears on the logon page.
User Interface Certificate
Settings for a certificate that is used in SSL-secured communication over the HTTPS port for the user
interface
Table 3-15 User Interface Certificate
Option
Definition
Subject, Issuer, Validity, Extensions
Provide information about the certificate that is currently in use.
Import
Opens the Import Certificate Authority window for importing a new certificate.
Certificate chain
Displays a certificate chain that is imported with a certificate.
Import Certificate Authority window
Settings for importing a certificate that is used in SSL-secured communication
Table 3-16 Import Certificate Authority window
Option
Definition
Certificate
Specifies the name of a certificate file.
The file name can be entered manually or by using the Browse button in the same line.
Browse
Opens the local file manager to let you browse for and select a certificate file.
Private key
Specifies the name of a private key file.
The file name can be entered manually or by using the Browse button in the same line.
Only keys that are AES-128-bit encrypted or unencrypted keys can be used here.
Browse
Opens the local file manager to let you browse for and select a private key file.
Password
Sets a password that allows the use of a private key.
Import
Opens the Import Certificate Authority window for importing a new certificate.
OK
Starts the import process for the specified certificate.
Certificate chain
Specifies the name of a certificate chain file.
The file name can be entered manually or by using the Browse button in the same line.
Browse
Opens the local file manager to let you browse for and select a certificate chain file.
After importing a certificate with a certificate chain, the certificate chain is displayed in
the Certificate chain field of the User Interface Certificate settings.
Memory Settings
Settings for the memory that is available when working with the user interface of an appliance
Table 3-17 Memory Settings
Option
Definition
Amount of maximum memory available for GUI applet
Limits the amount of memory (in MiB) that is available for the user interface applet.
The range for the available maximum is 100–999 MiB.
The available maximum is 512 MiB by default.
Amount of maximum memory available for MWG UI backend
Limits the amount of memory (in MiB) that is available for the user interface backend.
The range for the available maximum is 100–9999 MiB.
If no value is specified here, the default maximum of 512 MiB is configured.
REST Settings
Settings for configuring use of the REST interface to work with an appliance
Table 3-18 REST Settings
Option
Definition
Maximum size of a REST request
Limits the size (in MiB) of a request that is sent to the REST interface.
The maximum amount of memory that is available when working with the REST interface is 200 MiB.
The maximum size of a request is 2 MiB by default.
Maximum memory per REST session
Limits the amount of memory (in MiB) that is available for a session when working with the REST interface.
The maximum amount of memory that is available when working with the REST interface is 200 MiB.
The maximum amount of memory for a session is 10 MiB by default.
Maximum number of active REST users
Limits the number of users that can work with the REST interface at the same time.
The maximum number of users is 20 by default.
System settings for network functions
Some system settings are configured for functions that integrate the appliance system into your
network.
System settings for network functions include proxy settings and the following settings:
• Network Interfaces settings
• Static Routes settings
• Domain Name Service settings
• Port Forwarding settings
• Network Protection settings
See also
Proxies settings on page 106
Network Interfaces settings
The Network Interfaces settings are used for configuring the network interfaces of an appliance.
Network Interface Settings
Settings for network interfaces
Table 3-19 Network Interface Settings
Option
Definition
Host name / Fully qualified domain name
Specifies the host name of an appliance.
The name must be specified as a fully qualified domain name.
Default gateway (IPv4)
Specifies the default gateway for web traffic under IPv4.
Default gateway (IPv6)
Specifies the default gateway for web traffic under IPv6.
Enable these network interfaces
Provides a list of network interfaces that are available for being enabled or disabled.
The eth0 network interface is by default included in the list and enabled.
IPv4
Provides options for configuring network interfaces under IPv4.
The options are provided on a separate tab.
IPv6
Provides options for configuring network interfaces under IPv6.
The options are provided on a separate tab.
Advanced
Provides options for configuring additional media and a bridge for a network
interface.
The options are provided on a separate tab.
Add VLAN
Opens a window for adding a network interface for VLAN traffic.
You can use this option to run VLANs under IPv4 or IPv6.
To add a network interface, you specify a number as its ID and click OK.
The interface name is composed of two parts, separated by a dot.
The first part is the name and number of the interface that is enabled in the list of
available network interfaces. The second part is the number that you specify.
For example, if the eth0 interface is enabled and you specify 1, a network interface
for VLAN traffic is added as eth0.1. It is initially not enabled.
The range of numbers for VLAN network interfaces is 1–4094.
After adding one or more network interfaces for VLAN traffic, you must also
add their IDs to the parameters of the port redirects for the network mode
that you are using, for example, the transparent bridge mode.
The window for adding or editing port redirects provides the Optional 802.1Q
VLANs field for entering VLAN IDs. Separate multiple entries by commas.
Delete
Deletes a selected network interface for VLAN traffic.
The following tables describe the options on the IPv4, IPv6, and Advanced tabs.
IPv4
Tab for configuring network interfaces under IPv4
Table 3-20 IPv4
Option
Definition
IP settings
Lets you select a method to configure an IP address for a network interface.
• Obtain automatically (DHCP) — The IP address is automatically obtained, using the Dynamic
Network Host Protocol (DHCP).
• Configure manually — The IP address is configured manually.
• Disable IPv4 — IPv4 is not used for this interface.
IP address
Specifies the IP address of a network interface (manually configured).
Subnet mask
Specifies the subnet mask of a network interface (manually configured).
Default route
Specifies the default route for web traffic using the network interface (manually configured).
MTU
Limits the number of bytes in a single transmission unit to the specified value.
IP aliases
Provides a list of aliases for the IP address.
• Add alias — Opens the Input window for adding an alias.
• Delete — Deletes a selected alias.
IPv6
Tab for configuring network interfaces under IPv6
Table 3-21 IPv6
Option
Definition
IP settings
Lets you select a method to configure an IP address for a network interface.
• Obtain automatically (DHCP) — The IP address is automatically obtained, using the Dynamic
Network Host Protocol (DHCP).
• Solicit from router — The IP address is obtained from a router.
• Configure manually — The IP address is configured manually.
• Disable IPv6 — IPv6 is not used for this interface.
IP address
Specifies the IP address of a network interface (manually configured).
Default route
Specifies a default route for web traffic using the network interface (manually configured).
MTU
Limits the number of bytes in a single transmission unit to the specified value.
IP aliases
Provides a list of aliases for the IP address.
• Add alias — Opens a window for adding an alias.
• Delete — Deletes a selected alias.
Advanced
Tab for configuring advanced network interface functions.
The tab provides different options when the currently selected network interface is a bonding interface.
These options are described in a second table.
Table 3-22 Advanced
Option
Definition
Media
Lets you select additional media for use with a network interface.
• Automatically detect — Media for use with a network interface are automatically detected
if available in the network environment of an appliance.
• 1000BaseT-FD, 1000Base-HD, ... — The selected media item is used with a network interface.
Bridge enabled
When selected, web traffic is routed through a network interface in transparent bridge mode.
• Name — Specifies the name of the transparent bridge.
Bond enabled
When selected, the currently selected network interface, for example, eth2, is configured
as a bonded interface that is subordinated to a bonding interface.
• Name — Specifies the name of the bonding interface.
The following table describes the options provided on the Advanced tab when a bonding interface is
selected.
Table 3-23 Advanced
Option
Definition
Bonding options
Provides options for a bonding interface.
• Mode — Specifies the mode used to let the bonded network interfaces in the bonding
configuration become active.
• Active/Passive — When selected, only one bonded interface is active at any time.
A different bonded interface becomes active only if the active bonded interface fails.
The MAC address of the bonding interface is only visible externally on one port,
which avoids address confusion for a network switch.
This mode is referred to in some system messages as mode 1.
The mode is selected by default.
• 802.3ad/LACP — When selected, all bonded interfaces in the bonding configuration are
active.
The bonded interface for outgoing traffic is selected according to the configured hash
policy.
This mode is referred to in some system messages as mode 4.
When this mode is selected, the LACP rate and Hash policy options become accessible.
• Miimon — Sets the time interval (in milliseconds) for sending the polling messages of
the MII monitoring program.
The default interval is 100 milliseconds.
• LACP rate — Sets the transmission rate for sending LACP-DU data packets in 802.3ad
mode.
• Slow — When selected, data packets are sent every 30 seconds.
This transmission rate is selected by default.
• Fast — When selected, data packets are sent every second.
• Hash policy — Determines the way that a hash value is calculated for a bonding
configuration.
• Layer2 — When selected, a combination of layer 2 values is used to calculate the
hash. The values that are included in this combination are hardware MAC addresses
and packet type ID addresses.
This hash policy is selected by default.
• Layer2+3 — When selected, a combination of layer 2 and layer 3 protocol information
is used to calculate the hash.
Network Protection settings
The Network Protection system settings are used for configuring protective rules for traffic coming in
to an appliance from your network.
Network Protection Rules
Settings for configuring network protection rules
Table 3-24 Network Protection Rules
Option
Definition
Enable network protection
When selected, the network protection settings configured below are enabled.
Input policy
Lets you select the action taken on incoming traffic.
Incoming traffic can either be dropped or accepted.
Allow Ping requests
When selected, the appliance accepts and answers Ping requests.
Exceptions from default policy
Provides a list for entering the network devices that send traffic to an appliance.
Traffic from these devices is not handled according to the rules that are
currently implemented. When these rules drop incoming traffic, traffic sent
from the devices listed here is accepted and vice versa.
The following table describes an entry in the list of exceptions from the default policy.
Table 3-25 Exceptions from default policy – List entry
Option
Definition
Device
Specifies the name of a network device that sends traffic to the appliance.
Typing * or no input means all devices are covered.
Protocol
Specifies the protocol used for sending traffic.
Source
Specifies the IP address or address range of the network device or devices that send traffic to the appliance.
Destination port
Specifies the port on an appliance that is the destination of network traffic.
Comment
Provides a plain-text comment on an exception.
Port Forwarding settings
The Port Forwarding settings are used for configuring rules that let an appliance forward web traffic sent
from a port on a particular host to another port.
Port Forwarding
Settings for configuring port forwarding rules
Table 3-26 Port Forwarding
Option
Definition
Port forwarding rules
Provides a list of port forwarding rules.
The following table describes an entry in the list of port forwarding rules.
Table 3-27 Port forwarding rules – List entry
Option
Definition
Source host
Specifies the IP address of a host that is the source of web traffic in a port forwarding
rule.
Bind IP
Specifies the bind IP address.
Target port
Specifies the port that web traffic from the source host is forwarded to.
Destination host
Specifies the IP address of the host that is the destination of web traffic sent from the source host.
Destination port
Specifies the port on the destination host used for listening to web traffic coming in from the source host.
Comment
Provides a plain-text comment on a port forwarding rule.
The Port Forwarding settings continue as follows.
Table 3-28 Port Forwarding (continued)
Option
Definition
Enable extended connection logging
When selected, all logs for port forwarding are stored on the appliance system under /var/log/mwg_fwd.log.
The logging options that you configure here apply to all port forwarding that is performed under the configured port forwarding rules.
The stored log files can also be viewed on the user interface under the Troubleshooting top-level menu.
Select the appliance that you want to view log files for, then select Log files and open the system folder.
Customize extended logging fields
When selected, the input fields for configuring the type of data that should be logged become accessible.
Log on success
Lets you enter the type of data to be logged when web traffic is successfully
forwarded.
You can enter one or more of the following data types by typing them in capital
letters, separated by commas: PID, HOST, USERID, EXIT, DURATION, TRAFFIC.
Log on failure
Lets you enter the type of data to be logged when forwarding web traffic failed.
You can enter one or more of the following data types by typing them in capital
letters, separated by commas: HOST, USERID, ATTEMPT.
HOST data is logged by default.
Static Routes settings
The Static Routes settings are used for configuring routes that always use the same gateway and
interface on this gateway when web traffic is routed from an appliance to a particular host.
Static Routes
Settings for static routes under IPv4 or IPv6
Table 3-29 Static Routes
Option
Definition
Static routes list
Provides a list of static routes for transmitting web traffic under IPv4 or IPv6.
The following table describes an entry in the list of static routes.
Table 3-30 Static routes list – List entry
Option
Definition
Destination
Specifies the IP address and (optionally) netmask of the host that is the destination of a static route.
Gateway
Specifies the IP address of the gateway for routing web traffic from the appliance to a
host.
Device
Specifies the interface used on a gateway for a static route.
Description
Provides a plain-text description of a static route.
Comment
Provides a plain-text comment on a static route.
Source-based routing
Settings for source-based routing under IPv4 or IPv6
Table 3-31 Source-based routing
Option
Definition
Source-based routing for IPv4
When selected, source-based routing is performed under IPv4.
Source-based routing for IPv6
When selected, source-based routing is performed under IPv6.
Static source routing table number
Provides a list of entries for source routing tables that are used to route the traffic that is sent and received through the management user interface.
Source-based routing list for IPv4
Provides a list of routing entries for the traffic that is sent and received through the management user interface.
These routing entries are for a network where IPv4 is used.
Source-based routing list for IPv6
Provides a list of routing entries for the traffic that is sent and received through the management user interface.
These routing entries are for a network where IPv6 is used.
The following table describes an entry in the list for static source routing tables.
Table 3-32 Static source routing table number – List entry
Option
Definition
Source information to look up routing table
Specifies the source IP address of the traffic that is routed according to the configured static source routing table.
Routing table number
Specifies the number of the routing table for routing the traffic that
is sent and received through the management user interface.
Comment
Provides a plain-text comment on a static source routing table.
The following table describes an entry in the list for source-based routing under IPv4.
Table 3-33 Source-based routing list for IPv4 – List entry
Option
Definition
Destination
Specifies the IP address range (in CIDR notation) for the destinations of the traffic
that is sent through the management network interface.
Routing table number
Specifies the number of the routing table for routing the traffic that is sent and received through the management user interface.
Gateway
Specifies the IP address of the gateway for the traffic that is sent and received
through the management network interface.
Device
Specifies the name of the network interface that is configured as the management
network interface.
Source IP
Specifies the IP address of the network interface that is configured as the
management network interface.
This address is the source IP address of the traffic that is routed according to the
routing table.
Comment
Provides a plain-text comment on an entry for source-based routing.
The following table describes an entry in the list for source-based routing under IPv6.
Table 3-34 Source-based routing list for IPv6 – List entry
Option
Definition
Destination
Specifies the IP address range (in CIDR notation) for the destinations of the traffic
that is sent through the management network interface.
Routing table number
Specifies the number of the routing table for routing the traffic that is sent and received through the management user interface.
Gateway
Specifies the IP address of the gateway for the traffic that is sent and received
through the management network interface.
Device
Specifies the name of the network interface that is configured as the management
network interface.
Source IP
Specifies the IP address of the network interface that is configured as the
management network interface.
This address is the source IP address of the traffic that is routed according to the
routing table.
Comment
Provides a plain-text comment on an entry for source-based routing.
Network interface bonding
Bonding two or more network interfaces enables them to act as one while increasing bandwidth and
providing High Availability.
The network interfaces on Web Gateway, for example, the eth2 and eth3 interfaces, can be bound
together to form a single channel. A bonding kernel module is created this way and made accessible
through a common network interface, which is referred to as the bonding interface.
The network interfaces that are bound together under the bonding interface are referred to as the
bonded interfaces. These interfaces can be provided by different NICs.
The terms "master" and "subordinate" are also used to refer to a bonding and a bonded interface,
respectively. In some system messages, you will also see the term "slave" used for a bonded
interface.
With regard to the components and processes that are involved, network interface bonding is also
known as NIC bonding, ethernet bonding, or channel bonding.
You can configure network interface bonding on the user interface of Web Gateway. To verify that a
bonding interface has successfully been configured, you can run some suitable commands from a
system console.
A VLAN can be configured on a bonding interface in the same way as on an ordinary network
interface, using the relevant configuration options of the user interface.
When the transparent bridge or router mode is configured for a network, network interface bonding cannot be implemented.
Configure network interface bonding
To configure network interface bonding, create a bonding interface and configure parameters for this
interface and the bonding configuration.
Task
1
Select Configuration | Appliances.
2
On the appliances tree, select the appliance you want to configure network interface bonding on
and click Network Interfaces.
The Network Interfaces settings appear in the configuration pane.
3
Create a bonding interface.
a
Under Enable these network interfaces, select a network interface that you want to run as a bonded
interface, for example, eth2.
b
On the Advanced tab, select Bond enabled and in the Name field type the name of the bonding
interface that you want to create, for example, bond1.
Repeat substeps a and b for another network interface that you want run as a bonded interface
under this bonding interface.
You can also add further network interfaces as bonded interfaces and have more than two
network interfaces in the bonding configuration.
c
Click Save Changes.
d
Log out and log on again.
After the logon, the new bonding interface appears in the list under Enable these network interfaces.
4
Configure parameters for the bonding interface.
a
Select the bonding interface and click the IPv4 or IPv6 tab, according to the protocol version that
is used in your network.
b
Select Configure manually and under IP address and subnet mask type an IP address and the values for
a subnet mask.
You can leave the default value under MTU, which specifies the maximum number of bytes in a
single transmission unit, as it is.
5
Configure parameters for the bonding configuration.
a
Select the bonding interface and click the Advanced tab.
b
Under Mode, select one of the following bonding modes.
•
Active/Passive — In this mode, only one bonded interface in the bonding configuration is active
at any time. A different bonded interface becomes active only if the active bonded interface
fails.
The MAC address of the bonding interface is only visible externally on one port, which avoids
address confusion for a network switch.
This mode is referred to in some system messages as mode 1.
The mode is selected by default.
•
802.3ad/LACP — In this mode, all bonded interfaces in the bonding configuration are active.
The bonded interface for outgoing traffic is selected according to the configured hash policy.
This mode is referred to in some system messages as mode 4.
When this mode is selected, the LACP rate and Hash policy options become accessible.
c
Under Miimon, configure link monitoring for the bonding interface.
The value that you configure here sets the interval (in milliseconds) at which the MII link monitor
polls the bonded interfaces to detect link failures.
The default interval is 100 milliseconds.
d
If you have selected 802.3ad/LACP as bonding mode, select options that are specific to this mode.
Under LACP rate, select the transmission rate for the LACPDU packets that are exchanged
between bonding and bonded network interfaces.
•
Slow — With this transmission rate, data packets are sent every 30 seconds.
This transmission rate is selected by default.
•
Fast — With this transmission rate, data packets are sent every second.
Under Hash policy, select one of the following options.
•
Layer2 — This policy calculates the hash from layer 2 values, namely the hardware (MAC)
addresses and the packet type ID.
This hash policy is selected by default.
•
Layer2+3 — This policy uses a combination of layer 2 and layer 3 protocol information to
calculate the hash.
6
Click Save Changes.
See also
Network Interfaces settings on page 46
Checking the bonding configuration
You can verify that you have successfully configured a bonding network interface from a system
console.
To verify that the bonding configuration runs with the parameters that you have configured, you can
use a suitable network script. An additional command enables you to check the status of the bonding
interface and the network interfaces that are bound to it.
Verifying the configuration parameters
The ifcfg network script allows you to verify that the network interfaces of the bonding configuration
are running with the configured parameters, such as the bonding mode or the IP address of the
bonding interface.
To view the parameters for the bonding interface, for example, bond1, run the network script using
the following command:
cat /etc/sysconfig/network-scripts/ifcfg-bond1
The command returns, for example, the following lines.
### BEGIN AUTOGENERATED CONFIG
BONDING_OPTS='mode=1 miimon=600'
BOOTPROTO='none'
DEVICE='bond1'
IPADDR='10.11.12.12'
...
To view the parameters for a bonded interface, for example, eth2, run the following command:
cat /etc/sysconfig/network-scripts/ifcfg-eth2
The command returns, for example, the following lines.
### BEGIN AUTOGENERATED CONFIG
BOOTPROTO='none'
MASTER='bond1'
SLAVE='yes'
DEVICE='eth2'
...
Checking the network interface status
You can check whether the bonded network interfaces are running properly under the bonding
interface and which of them is currently the active slave.
Run the following command, for example, if the bonding interface is bond1:
cat /proc/net/bonding/bond1
The command returns, for example, the following lines.
### Ethernet Channel Bonding Driver: v. 3.7.1 (April 27, 2015)
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
MII Status: up
MII Polling Interval (ms): 600
Up Delay (ms): 0
Down Delay (ms): 0
Slave Interface: eth2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW Addr: 00:0c:29:e0:a7:37
Slave Queue ID: 0
Slave Interface: eth3
MII Status: up
...
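The two checks above can be combined into a script that compares the bonding parameters in the ifcfg script with the state the kernel reports in /proc/net/bonding. The following is an added example, not code from the McAfee guide; the ifcfg and /proc/net/bonding contents it parses are constructed samples, and the second bonded interface (eth3) is constructed with its link down to show how a failed member is reported.

```shell
#!/bin/sh
# Added example, not code from the McAfee guide: compare the bonding parameters
# configured in the ifcfg script with the state the kernel reports in
# /proc/net/bonding/<bond>, and list bonded interfaces without link.
# The two samples below are constructed so the check runs offline; on an
# appliance, read the real files instead (see the cat commands in the guide).

# Constructed sample of /etc/sysconfig/network-scripts/ifcfg-bond1
SAMPLE_IFCFG="### BEGIN AUTOGENERATED CONFIG
BONDING_OPTS='mode=1 miimon=600'
BOOTPROTO='none'
DEVICE='bond1'
IPADDR='10.11.12.12'"

# Constructed sample of /proc/net/bonding/bond1 (eth3 deliberately has no link)
SAMPLE_PROC="Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 600
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW Addr: 00:0c:29:e0:a7:37
Slave Queue ID: 0

Slave Interface: eth3
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW Addr: 00:0c:29:e0:a7:41
Slave Queue ID: 0"

# Value of one key inside BONDING_OPTS, e.g. "miimon" -> 600
bonding_opt() {  # $1 = ifcfg text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^BONDING_OPTS='\(.*\)'$/\1/p" \
        | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Numeric mode reported by the kernel: 1 = Active/Passive, 4 = 802.3ad/LACP
proc_mode() {  # $1 = /proc/net/bonding text
    case "$(printf '%s\n' "$1" | sed -n 's/^Bonding Mode: //p')" in
        *active-backup*) echo 1 ;;
        *802.3ad*)       echo 4 ;;
        *)               echo unknown ;;
    esac
}

# Polling interval (miimon) reported by the kernel
proc_miimon() {  # $1 = /proc/net/bonding text
    printf '%s\n' "$1" | sed -n 's/^MII Polling Interval (ms): //p'
}

# Bonded interfaces whose own MII Status is not "up", space-separated
proc_slaves_down() {  # $1 = /proc/net/bonding text
    printf '%s\n' "$1" | awk '
        /^Slave Interface:/ { slave = $3 }
        /^MII Status:/ && slave != "" && $3 != "up" { printf "%s ", slave }
    ' | sed 's/ $//'
}

# Print every mismatch between configuration and running state; return 1 if any
check_bond() {  # $1 = ifcfg text, $2 = /proc/net/bonding text
    rc=0
    want=$(bonding_opt "$1" mode); have=$(proc_mode "$2")
    [ "$want" = "$have" ] || { echo "mode: configured $want, running $have"; rc=1; }
    want=$(bonding_opt "$1" miimon); have=$(proc_miimon "$2")
    [ "$want" = "$have" ] || { echo "miimon: configured $want, running $have"; rc=1; }
    down=$(proc_slaves_down "$2")
    [ -z "$down" ] || { echo "bonded interfaces without link: $down"; rc=1; }
    return $rc
}

# Stand-alone run against the constructed samples
if check_bond "$SAMPLE_IFCFG" "$SAMPLE_PROC"; then
    echo "bond1: configuration and running state agree"
else
    echo "bond1: problems found (see above)"
fi
```

On an appliance, pass the output of the two cat commands shown above to check_bond instead of the samples.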
Source-based routing
When configuring routing for traffic in your network, you can let routing decisions be based on the
source IP address. This routing method is known as source-based routing.
Using this method you can separate the management traffic that an administrator creates when
accessing the user interface of a Web Gateway appliance from the traffic that the administrator or end
users create when accessing the web. The two kinds of traffic can also be protected by a separate
firewall for each of them.
To implement the method, you allow administrator access to the user interface only through a
particular network interface on the appliance. This network interface is the management network
interface, while a different network interface is configured for access to the web.
You can also require that monitoring traffic, for example, SNMP messages, reaches the appliance
through the management network interface.
After passing through the management interface, traffic can be identified for further routing by its
source IP address, which is the address of the management interface.
Configuring the routing for this traffic includes two main steps:
•
Configuring a routing table
•
Configuring a route within this table
The source IP address is specified in both steps to ensure that traffic with this address is routed
according to a particular table and route.
Different routing tables can be configured and entered in a list on Web Gateway while different routes
can be configured for each table.
You can configure routes for use under IPv4 or IPv6, depending on which version of this protocol is
followed within your network.
Configure source-based routing for a management network interface
Configure source-based routing to separate other traffic from traffic that has a management network
interface as its source.
Task
1
Select Configuration | Appliances.
2
On the appliances tree, select the appliance you want to configure source-based routing on.
3
Configure use of the management network interface for administrator access to the user interface.
a
Click User Interface.
b
Under HTTP Connector, proceed as follows.
•
Make sure Enable local user interface over HTTP is selected.
•
In the HTTP connector field, type the IP address and listener port of the management network
interface.
4
Configure use of the management network interface for SNMP messages.
a
Click SNMP.
b
Under SNMP Port Settings, click the Add icon on the toolbar of the Listener address list.
The Add SNMP Listeners window opens.
c
In the Listener address field, type the IP address and listener port of the management network
interface.
d
Click OK.
The window closes and the listener address appears in the list.
5
Configure source-based routing for traffic that is sent and received through the management
network interface.
a
Click Static Routes.
b
Under Source-based routing, select Source-based routing for IPv4 or Source-based routing for IPv6, depending on
the IP version used in your network.
Two lists for configuring source-based routing appear.
c
On the toolbar of the Static source routing table number list, click the Add icon.
The Add ApplianceSourceBasedRoutingTable window opens.
d
Configure an entry for the routing table as follows.
•
In the Source information to look up routing table field, type the IP address of the management
network interface.
•
In the Routing table number field, type the number of the routing table for the traffic that is sent
and received through the management network interface.
e
Click OK.
The window closes and the routing table entry appears in the list.
f
On the toolbar of the Source-based routing list for IPv4 (or the list for IPv6), click the Add icon.
The Add ApplianceSourceBasedRoutingIPv4 window (or the window for IPv6) opens.
g
Configure a routing entry as follows.
•
In the Destination field, type the IP address range in CIDR notation for the destinations of the
traffic that is sent through the management network interface.
•
In the Routing table number field, type the number of the routing table for the traffic that is sent
and received through the management network interface.
•
In the Gateway field, type the IP address of the gateway for the traffic that is sent and
received through the management network interface.
•
In the Device field, type the name of the network interface that you want to configure as the
management network interface.
•
In the Source IP field, type the IP address of the network interface that you want to configure
as the management network interface.
h
Click OK.
The window closes and the routing entry appears in the list.
6
Click Save Changes.
See also
Static Routes settings on page 51
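The fields of the routing table entry and the routing entry configured in step 5 correspond one to one to the elements of a Linux policy-routing rule and route. The following added example (not code from the McAfee guide, which does not state how source-based routing is implemented on the appliance) assumes that mapping onto iproute2, prints the equivalent commands for constructed sample values instead of executing them, validates the CIDR destination, and parses a constructed `ip rule show` output to confirm which table is consulted for the management address.

```shell
#!/bin/sh
# Added example, not code from the McAfee guide. It assumes (the guide does not
# say so) that the appliance realises source-based routing with Linux policy
# routing, and shows which iproute2 command each field on the Static Routes tab
# corresponds to. Commands are printed, not executed, so this runs offline.

# Constructed values for the management network interface
MGMT_IP=10.10.10.5        # Source information / Source IP field
MGMT_DEV=eth0             # Device field
MGMT_GW=10.10.10.1        # Gateway field
MGMT_TABLE=100            # Routing table number field
ADMIN_NET=192.0.2.0/24    # Destination field (CIDR), the administrators' network

# Step "routing table": traffic whose source is the management IP is looked up
# in the numbered table instead of the main table
sbr_table_rule() {  # $1 = source IP, $2 = table number
    printf 'ip rule add from %s table %s\n' "$1" "$2"
}

# Step "route within this table": destination, gateway, device and source IP
sbr_route() {  # $1 = destination CIDR, $2 = table, $3 = gateway, $4 = device, $5 = source IP
    printf 'ip route add %s via %s dev %s src %s table %s\n' "$1" "$3" "$4" "$5" "$2"
}

# The Destination field requires CIDR notation; accept only a.b.c.d/0-32
is_cidr() {  # $1 = candidate, e.g. 192.0.2.0/24
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1##*/}
    addr=${1%/*}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    printf '%s\n' "$addr" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Both steps for one management interface; rejects a malformed destination
sbr_commands() {  # $1 = source IP, $2 = table, $3 = destination CIDR, $4 = gateway, $5 = device
    is_cidr "$3" || { echo "destination must be in CIDR notation: $3" >&2; return 1; }
    sbr_table_rule "$1" "$2"
    sbr_route "$3" "$2" "$4" "$5" "$1"
}

# Verification after the change: which table does the kernel consult for
# packets from the management IP? Constructed sample of `ip rule show` output.
SAMPLE_RULES="0:      from all lookup local
32765:  from 10.10.10.5 lookup 100
32766:  from all lookup main
32767:  from all lookup default"

rule_table_for_source() {  # $1 = ip rule output, $2 = source IP; prints table or nothing
    printf '%s\n' "$1" | awk -v src="$2" \
        '$2 == "from" && $3 == src && $4 == "lookup" { print $5; exit }'
}

# Stand-alone run
sbr_commands "$MGMT_IP" "$MGMT_TABLE" "$ADMIN_NET" "$MGMT_GW" "$MGMT_DEV"
echo "table consulted for $MGMT_IP: $(rule_table_for_source "$SAMPLE_RULES" "$MGMT_IP")"
```

If rule_table_for_source prints nothing for the management address, no rule selects the table and the traffic still follows the main routing table.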
System files
System files contain settings for functions of the appliance system. You can edit these settings using
the File Editor.
The settings that are stored in system files include settings of parameters the appliance system uses
for network communication, for example, IP addresses, the maximum message size, or the maximum
number of messages in a queue.
Other settings are used to configure functions of the appliance system such as logging, access
restrictions, and others.
An example of a system file is the /etc/hosts file, which contains entries for IP addresses and host
names, including the local IP address and host name of the appliance itself.
The File Editor allows you to edit the settings in these files. It is accessible on a tab of the user
interface.
To edit system files, only use the File Editor. If you open these files outside the File Editor to edit them
manually, your changes will be overwritten when an upgrade to a new version of Web Gateway is
performed.
See also
File Editor tab on page 59
File Editor tab
The File Editor tab allows you to edit system files on an appliance.
Main elements of the File Editor tab
The following table describes the main elements of the File Editor tab.
Table 3-35 Main elements of the File Editor tab
Element — Description
Files — Tree structure of appliances with the system files for each appliance
Editor — Toolbar with items for editing a system file and content pane for displaying the file entries
(appears when a system file is selected under Files)
Editor toolbar
The Editor toolbar provides the following options.
Table 3-36 File Editor toolbar
Option — Definition
Edit — Opens a menu with options for editing the text in system file entries.
• Cut — Cuts out selected text
• Delete — Deletes selected text
• Copy — Copies selected text
• Select All — Selects the complete text
• Paste — Pastes copied or cut-out text
Discard changes — Discards text changes.
A window opens to let you confirm the discarding.
Cache volume resizing
Logical volumes for web caching and for storing temporary and log files can be resized on an appliance
using a wizard.
After Web Gateway has been installed on an appliance, the logical volume for web caching is larger
than that for storing temporary and log files. The appliance volume wizard is provided, which allows
you to change this sizing and provide more disk space for storing temporary and log files.
Volume size is shown on the wizard pages in GiB. Before the resizing, sizes could be, for example, as
follows:
•
Web cache volume: 197 GiB
•
Temporary and log files volume: 40 GiB
After the resizing the size relation is inverted:
•
Web cache volume: 40 GiB
•
Temporary and log files volume: 197 GiB
The wizard guides you through the resizing when you set up a Web Gateway appliance for the first
time. After completing work with the configuration wizard that is provided for configuring initial system
settings, the appliance restarts and the wizard appears.
If the wizard process is interrupted, you can restart it from the command line of a system console
using the following command:
mwg-cache-wizard
When the yum upgrade command is used to set up an appliance, the wizard must also be started
manually.
The main log that records the activities of the wizard is /var/log/resize-cache.log.
If the resizing has already been performed on an appliance, the wizard displays a corresponding
message.
If you still need to resize the appliance volumes, contact McAfee support.
Database updates
Information retrieved from external databases for use in the filtering process must be updated from
time to time.
Web objects are filtered on an appliance in a rule-based process. The filtering rules need information
on these objects to know whether they should trigger actions, such as blocking access to an object or
allowing it. They rely for this information on special modules (also known as engines).
For example, a virus and malware filtering rule relies on the Anti-Malware module (engine) to find out
whether an object is virus-infected, or a URL filtering rule relies on the URL Filter module (engine) for
URL category information.
The modules retrieve this information, for example, virus signatures stored in DAT files, from external
databases. The database updates on an appliance apply to this information.
You can update database information on an appliance using different methods.
•
Manual engine update — You can manually update database information for the modules of the
appliance you are currently logged on to.
•
Automatic engine update — You can also configure automatic updates in regular intervals for the
modules of the appliance you are currently logged on to.
These updates can retrieve information:
•
From the internet — Information is then downloaded from the relevant external databases.
Database information is first updated in this way immediately after the initial setup of an
appliance.
•
From other nodes in a Central Management configuration — Information is then
downloaded from these nodes. For every node, you can in turn configure whether uploading
information from it to other nodes is allowed.
You can configure these updates when you set up a Central Management configuration,
specifying for each node how it should behave with regard to automatic updates.
Update database information manually
You can update database information for the modules of an appliance manually.
The update applies to the modules of the appliance you are logged on to and to those of other
appliances that you have included as nodes in a Central Management configuration.
Task
1
Select Configuration | Appliances.
2
On the appliances toolbar, click Manual Engine Update.
The update is performed.
Schedule automatic engine updates
You can schedule automatic updates of database information for the modules of an appliance.
When you are running multiple appliances as nodes in a Central Management configuration, you can
schedule updates for the modules (also known as engines) on the nodes as part of configuring settings
for this configuration.
Task
1
Select Configuration | Appliances.
2
On the appliances tree, select the appliance you want to schedule automatic updates on and click
Central Management.
3
Scroll down to Automatic Engine Updates and configure update settings as needed.
4
Click Save Changes.
Closed network updates
Web Gateway appliances can be operated and updated in networks that have no internet connectivity
for security or other reasons. These networks are also known as "closed" or "isolated" networks.
When appliances that run in these networks need to be updated, they cannot connect to the usual
McAfee update servers. An offline update procedure must be performed instead.
You can select and download an update package from a McAfee portal that is provided for this
purpose, store it on portable media and use this media to apply the update package to one or more
appliances in a closed network.
Update packages contain updated information for modules (engines) and malware patterns used in the
filtering process on an appliance. Only full updates (as opposed to incremental updates) are made
available on the portal.
After entering the portal, you need to submit the version number of Web Gateway on the appliance
you want to update, and are provided with a list of features that updated information is currently
available for.
According to your selection, an update package including all files required for the update is created in
zipped format for downloading.
Update an appliance in a closed network
To update an appliance in a network with no internet connectivity, download an update package, store
it on portable media, and use the media to perform the update.
Task
1
Download an update package.
a
Use a browser to go to the update page of the Content & Cloud Security portal at:
https://contentsecurity.mcafee.com/update
b
On the update page, enter the version number for an appliance you want to update.
A list of features that updated information is available for appears.
c
Select the features you want to update.
An update package is created according to your selection.
d
Download the update package to your system.
2
Use portable media, for example, a USB drive, to transfer the update package from the system you
used for the download to your administration system in the closed network.
3
For each appliance in the closed network that you want to update, perform the following steps:
a
Select Configuration | Appliances.
b
Click Update Engines, then select Upload Update File.
The Engine Update by File Upload window opens.
c
Click Browse, go to the location on the administration system where you stored the update
package, and select the update package file.
d
Click Update.
The appliance is updated using the information from the update package.
e
Click Close to close the window.
Proxies
The appliance uses its proxy functions to intercept web traffic and transmit it if this is allowed by the
filtering rules. You can configure these functions to meet the requirements of your network.
The following are key settings for proxies:
•
Network mode — Explicit proxy mode or a transparent mode
Specific settings can be configured for each of these modes.
•
Network protocol — HTTP, HTTPS, FTP, ICAP, and instant messaging protocols
Protocol settings are common proxy settings that can be configured for each of the network modes.
You can configure other common proxy settings and also implement special proxy solutions, for
example, reverse HTTPS proxy or proxy auto-configuration.
Contents
Configure proxies
Explicit proxy mode
Best practices - Configuring the Proxy HA mode
Best practices - High Availability configuration size limits
Best practices - Configuring the explicit proxy mode with WCCP
Transparent router mode
Transparent bridge mode
Packet size handling
Secure ICAP
SOCKS proxy
Instant messaging
XMPP proxy
Configure common proxy settings
Proxies settings
Controlling outbound source IP addresses
Using WCCP to redirect FTP traffic
Using the Raptor syntax for FTP logon
Node communication protocols
Using DNS servers according to domains
Using DXL messages to exchange web security information
Best practices - Working with the user-agent header
Bypassing for Office 365 and other Microsoft services
Reverse HTTPS proxy
Proxy auto-configuration
Using the Helix proxy
Configure proxies
You can configure the proxy functions of the appliance as is appropriate for your network.
Complete the following high-level steps.
Task
1
Review the proxy settings.
The following key settings are configured by default:
•
Network mode: Explicit proxy
•
Network protocol: HTTP
2
Modify these settings as needed.
You can, for example, do the following:
•
Configure a different network mode.
You can choose one of the following:
•
Explicit proxy mode with High Availability functions
•
Transparent router mode
•
Transparent bridge mode
•
Configure a different network protocol.
You can add one or more of the following to HTTP (or add them and disable HTTP):
•
HTTPS
•
FTP
•
IFP
•
ICAP
•
Instant messaging protocols: Yahoo, ICQ, Windows Live Messenger, XMPP (for Jabber and
other services)
•
Modify other proxy settings, for example, timeouts or the maximum number of client
connections.
3
Configure a special proxy solution if needed, for example, reverse HTTPS proxy or proxy
auto-configuration.
4
Save your changes.
Explicit proxy mode
In explicit proxy mode, the clients that have their web traffic filtered on the appliance “know” they are
connected to it. They must explicitly be configured to direct their web traffic to the appliance.
If this is ensured, it is less important where the appliance is deployed within your network. Typically, it
is placed behind a firewall and connected to its clients and the firewall by a router.
The following diagram shows a configuration in explicit proxy mode.
Figure 4-1 Explicit proxy mode
Configure the explicit proxy mode
You can configure the proxy functions of an appliance in explicit proxy mode, which is the default
mode for these functions.
Task
1
Select Configuration | Appliances.
2
On the appliances tree, select the appliance you want to configure the explicit proxy mode for and
click Proxies (HTTP(S), FTP, ICAP, and IM).
3
Under Network Setup, select one of the two options for the explicit proxy mode.
•
Proxy — For the explicit proxy mode
This is the default proxy mode.
When it is selected, specific settings for configuring transparent features of the explicit proxy
mode appear below the Network Setup settings.
•
Proxy HA — For an explicit proxy mode with High Availability functions
After selecting this option, specific Proxy HA settings appear below the Network Setup settings.
4
Configure specific and common settings for the selected option as needed.
5
Click Save Changes.
See also
Packet size handling on page 97
Best practices - Configuring the Proxy HA mode on page 74
Transparent Proxy settings on page 68
Proxy HA settings on page 73
Proxies settings on page 106
Transparent Proxy settings
The Transparent Proxy settings are used for configuring transparent features of the explicit proxy
mode.
Transparent Proxy
Settings for configuring the explicit proxy mode with transparent features
Table 4-1 Transparent Proxy
Option
Definition
Supported client redirection methods
Provides methods for intercepting web traffic and directing it to an appliance.
• WCCP — When selected, HTTP client requests sent to web servers under the IPv4
protocol are intercepted by an additional network device and directed to the
appliance using the WCCP protocol.
The clients are not aware of the redirection, it remains transparent for them.
In the same way as for client requests, responses from web servers are directed
back to the appliance.
When using the WCCP redirection method, you need to configure one or more
WCCP services on the appliance to let them perform the redirection.
You also need to configure the network device that intercepts the client requests
and server responses. This device can be configured as a router or switch with
routing functions.
After selecting this option, the WCCP Services inline list appears for configuring and
adding WCCP services.
• L2 transparent — When selected, client requests sent to a web server under the IPv4
and IPv6 protocols are intercepted by an additional network device and directed to
the appliance using the Layer 2 redirection method.
Under this method, client requests are accepted on the appliance even if their
destination IP addresses are not addresses of the appliance. The redirection is
transparent to the clients.
You need to enter the original ports for those client requests that are to be
intercepted and redirected in a list on the appliance together with the ports that
these requests are redirected to.
The additional network device must be configured accordingly.
When this option is selected, requests cannot be transmitted using a connection in
active FTP mode. Only the passive FTP mode is then available.
After selecting this option, the Port Redirects inline list appears for entering ports.
The following two tables describe list entries in the lists of WCCP services and port redirects.
Table 4-2 WCCP Services – List entry
Option
Definition
Service ID
Identifies a service that directs web traffic to an appliance under the WCCP
protocol.
WCCP router definition Specifies the Multicast IP address and DNS name of a router (or switch with
routing functions) that uses a WCCP service to direct web traffic to an appliance.
You can configure multiple routers here, separating entries by commas.
Ports to be redirected
Lists the ports, for example, on web servers, that data packets must have in their
address information to be redirected.
You can specify up to eight port numbers here, separated by commas.
Ports to be redirected are source ports
Specifies whether the ports that are to be redirected are source ports.
Proxy listener IP address
Specifies the IP address of an appliance when serving client requests.
Proxy listener port
Specifies a port for listening to client requests.
When configuring a WCCP service, you need to select this option if the service is
used to redirect responses from web servers back to the appliance.
The default port number is 9090.
MD5 authentication key Sets a password used under the MD5 algorithm for signing and verifying control
data packets.
The Set button opens a window for setting the password.
The password can have up to eight characters.
Assignment method
This main item does not appear in the list, but is visible in the Add and Edit
windows. The following two elements are related to it, specifying the assignment
method.
• Assignment by mask — When selected, masking of the source or destination IP
addresses is used for load distribution.
• Assignment by hash — When selected, a hash algorithm is used for load
distribution.
Input for load distribution
This main item does not appear in the list, but is visible in the Add and Edit
windows. The following elements are related to it, specifying which parts of a
data packet are used as the criteria for load distribution.
Different elements are provided, depending on whether you have selected
assignment by mask or hash.
When running multiple appliances, load distribution can be configured for the
proxies on them. Data packets can be distributed to these proxies based on their
source or destination IP addresses and port numbers.
When source or destination IP addresses are used for load distribution, they can
be masked or a hash algorithm can be applied to them, see the options under
Assignment method.
When source or destination ports are used, only the hash algorithm method can
be selected.
Load distribution options for assignment by mask:
• Source IP mask — Specifies the mask for a source IP address.
The default mask value is 0x15.
• Destination IP mask — Specifies the mask for a destination IP address.
The default mask value is 0x15.
The maximum mask length is 4 hexadecimal digits, for example, 0xa000.
For both masks together, a maximum of 6 bits can be set.
If a mask is set to 0x0, it does not influence load distribution.
So, if you want to use only source IP addresses for load distribution, for example, set the mask
for destination IP addresses to 0x0.
Load distribution options for assignment by hash:
• Source IP — When selected, load distribution is based on source IP addresses.
• Destination IP — When selected, load distribution is based on destination IP
addresses.
• Source port — When selected, load distribution is based on source port numbers.
• Destination port — When selected, load distribution is based on destination port
numbers.
When configuring one WCCP service for handling client requests and another for
handling web server responses, you need to select Source IP and Destination IP in a
"crosswise" corresponding manner.
This means that if you select Source IP for the client requests service, you must
select Destination IP for the web server responses service. If you select Source IP for
the web server responses service, you must select Destination IP for the client
requests service, and so on.
The same applies when selecting Source port and Destination port.
Assignment weight
Sets a value to determine how much load is assigned to a proxy.
Use this value to assign more load to a proxy on an appliance that has more CPU
capacity. 0 means no load is distributed to a proxy.
Forwarding method
This main item does not appear in the list, but is visible in the Add and Edit
windows. The following two elements are related to it, specifying the forwarding
method.
• GRE-encapsulated — When selected, data packets are encapsulated by the router
before being redirected.
• L2-rewrite to local NIC — When selected, data packets are redirected to the
appliance by replacing the MAC address of the next device (on the route to the
web server) with that of the appliance.
L2-redirect target
Specifies a network interface on an appliance that data packets are redirected to
Magic (Mask assignment)
Lets you set an unknown field in the mask that an appliance sends to the router.
This setting is needed for ensuring compatibility with different versions of the
vendor's operating system, which is used for the router.
Comment
Provides a plain-text comment on a WCCP service.
Table 4-3 Port redirects – List entry
Option
Definition
Original destination port Specifies the port that the data packets belonging to a client request were
originally directed to.
Destination proxy port
Specifies a port that data packets are redirected to.
Comment
Provides a plain-text comment on a port redirect.
Advanced Outgoing Connection Settings
Settings specifying methods for handling information contained in client requests sent to web servers
that are requirements for the network environment of the appliance
Table 4-4 Advanced Outgoing Connection Settings
Option
Definition
IP spoofing (HTTP, HTTPS, FTP)
When selected, the appliance keeps the client IP address that is contained in a client
request as the source address and uses it in communication with the requested web
server under various protocols.
When WCCP services are used for intercepting web traffic and directing it to the
appliance, you need to configure two services for each port on the appliance that
listens to client requests: one for the requests that come in from the clients, and
one for responses to these requests that are sent by the web servers.
When this option is not selected, the appliance chooses a source port and uses it in
this communication.
• IP spoofing for explicit proxy connections — When selected, client addresses are kept in
explicit proxy mode, in which web traffic is not intercepted by an additional
device.
• Use same source port as client for IP spoofing — When selected, client source ports are kept
and used in addition to client source addresses for communication with web
servers.
When this option is not selected, the appliance chooses a random source port and
uses it in this communication.
HTTP: Host header
has priority over
original destination
address
(transparent proxy)
When selected, the destination address that is provided in the HOST header part of
a client request under the HTTP protocol is used for communication with the
requested web server.
In a transparent proxy configuration, communication with a web server could also
use the destination address that is specified under the TCP protocol for the
connection that serves to transmit a client request. This address is also known as
the original destination address.
Both methods of communication are available to a transparent proxy on an
appliance that intercepts client requests or to a WCCP service that intercepts
requests and redirects them to an appliance.
Using the HOST header destination address is the preferred method, however, for
some configurations it can be necessary to deselect this option and use the original
destination address for communication with a web server.
• If web traffic is processed on multiple appliances with transparent proxies running
on them and client requests are routed to them according to destination
addresses, it must be ensured that the proxies use the original destination
addresses when connecting to web servers.
• This applies also if a WCCP service intercepts client requests and redirects them to
multiple appliances, using destination addresses for load distribution.
Sample WCCP service settings for IP spoofing
Sample settings for configuring WCCP services with IP spoofing
Configure these settings only if you want to perform IP spoofing. Without IP spoofing, a single WCCP service is usually sufficient for redirecting web traffic to the appliance.
You can use IP spoofing in a configuration with WCCP services that intercept web traffic and direct it to the appliance. In this case, you need to configure two services for each port on which the appliance listens: one for the requests that come in from the clients and one for the responses to these requests that are sent by the web servers.
The following table shows sample parameter values for these services.
Table 4-5 Sample parameter values for two WCCP services configured with IP spoofing
Option | Service for client requests | Service for web server responses
Service ID | 51 | 52
WCCP router definition | 10.150.107.254 | 10.150.107.254
Ports to be redirected | 80, 443 | 80, 443
Ports to be redirected are source ports | false | true
Proxy listener IP address | 10.150.107.251 | 10.150.107.251
Proxy listener port | 9090 | 9090
MD5 authentication key | ***** | *****
Input for load distribution (this main item does not appear in the settings list, but is visible in the Add and Edit windows; the following four elements belong to it) | |
Source IP | true | false
Destination IP | false | true
Source port | true | false
Destination port | false | true
Assignment method (this main item does not appear in the settings list, but is visible in the Add and Edit windows; the following three elements belong to it) | |
Assignment by mask | true | true
Assignment by hash | false | false
Assignment weight | 100 | 100
Forwarding method (this main item does not appear in the settings list, but is visible in the Add and Edit windows; the GRE-encapsulated and L2-rewrite to local NIC elements belong to it) | |
GRE-encapsulated | false | false
L2-rewrite to local NIC | true | true
L2-redirect target | eth1 | eth1
Magic (Mask assignment) | -1 | -1
Comment | |
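The following is an added example that models why the two services in Table 4-5 use mirrored settings; it is not code from the product guide, from Web Gateway, or from any router vendor. Service 51 matches client requests by destination port and distributes load on the source IP address and source port; service 52 matches web server responses by source port and distributes load on the destination IP address and destination port. With IP spoofing the client address is the source of the request and the destination of the response, so both directions of a flow must land on the appliance that holds the connection state. The bit-extraction model of mask assignment, the mask values, and the packet addresses are simplifying assumptions made for this example.

```python
"""Model of the two IP-spoofing WCCP services from Table 4-5 (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence
import ipaddress


@dataclass(frozen=True)
class WccpService:
    service_id: int
    ports: FrozenSet[int]
    ports_are_source: bool   # "Ports to be redirected are source ports"
    use_src_ip: bool         # the four "Input for load distribution" flags
    use_dst_ip: bool
    use_src_port: bool
    use_dst_port: bool


# Flag values taken from Table 4-5
SERVICE_REQUESTS = WccpService(51, frozenset({80, 443}), False, True, False, True, False)
SERVICE_RESPONSES = WccpService(52, frozenset({80, 443}), True, False, True, False, True)
SERVICES = (SERVICE_REQUESTS, SERVICE_RESPONSES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def matching_service(pkt: Packet, services: Sequence[WccpService]) -> Optional[WccpService]:
    """Return the first service whose redirected-port list covers this packet, else None."""
    for svc in services:
        port = pkt.src_port if svc.ports_are_source else pkt.dst_port
        if port in svc.ports:
            return svc
    return None


def extract_bits(value: int, mask: int) -> int:
    """Concatenate the bits of value that are selected by mask (simplified mask assignment)."""
    out, position = 0, 0
    while mask:
        lowest = mask & -mask          # lowest set bit of the remaining mask
        if value & lowest:
            out |= 1 << position
        position += 1
        mask &= mask - 1               # clear that bit
    return out


# Assumed negotiated masks: the low 6 bits of the IP address, no port bits -> 64 buckets
IP_MASK = 0x3F
PORT_MASK = 0x0


def bucket_for(pkt: Packet, svc: WccpService, ip_mask: int = IP_MASK, port_mask: int = PORT_MASK) -> int:
    """Bucket index built from the fields the service's load-distribution inputs select."""
    fields = (
        (svc.use_src_ip, int(ipaddress.ip_address(pkt.src_ip)), ip_mask),
        (svc.use_dst_ip, int(ipaddress.ip_address(pkt.dst_ip)), ip_mask),
        (svc.use_src_port, pkt.src_port, port_mask),
        (svc.use_dst_port, pkt.dst_port, port_mask),
    )
    index = 0
    for enabled, value, mask in fields:
        if enabled:
            index = (index << bin(mask).count("1")) | extract_bits(value, mask)
    return index


def bucket_for_flow(pkt: Packet) -> int:
    """Pick the service for a packet and return the bucket it is assigned to."""
    svc = matching_service(pkt, SERVICES)
    if svc is None:
        raise ValueError("packet is not redirected by either service")
    return bucket_for(pkt, svc)


# Constructed sample traffic: one client flow and the web server's reply to it
REQUEST = Packet("10.0.5.23", 41000, "93.184.216.34", 443)
RESPONSE = Packet("93.184.216.34", 443, "10.0.5.23", 41000)

if __name__ == "__main__":
    print(matching_service(REQUEST, SERVICES), matching_service(RESPONSE, SERVICES))
    print(bucket_for_flow(REQUEST), bucket_for_flow(RESPONSE))   # same bucket, same appliance
    # Clients behind one NAT address all fall into one bucket, hence onto one appliance
    print({bucket_for_flow(Packet("10.0.0.1", p, "93.184.216.34", 80)) for p in range(40000, 40100)})
```

Because service 52 hashes the response on the fields that carry the client address and port, the bucket index is the same for both directions of the flow. The last line of the demonstration also shows the effect described later for NAT devices: when every client appears with the same source address, all buckets collapse onto one appliance.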
Proxy HA settings
The Proxy HA settings are used for configuring the proxy functions of the appliance in explicit proxy
mode with High Availability functions.
Proxy HA
Settings for the explicit proxy mode with High Availability functions
Table 4-6 Proxy HA

Port redirects
Provides a list for entering the ports that requests sent by users are redirected to.

Director priority
Sets the priority (ranging from 0 to 99) that an appliance takes in directing data packets. The highest value prevails. 0 means the appliance never directs data packets, but only filters them.
In a High Availability configuration, two appliances are typically configured as director nodes with a priority higher than zero to direct data packets, providing failover functions for each other. The remaining nodes are configured with zero priority (also known as scanning nodes).
The priority value is set on a slider scale.

Management IP
Specifies the source IP address of an appliance that directs data packets when sending heartbeat messages to other appliances.

Virtual IPs
Provides a list of virtual IP addresses.
We strongly recommend that you do not use a virtual IP to log on to the user interface when you have configured the explicit proxy mode with High Availability functions (Proxy HA) on Web Gateway.
The following two tables describe entries in the list of port redirects and the list of virtual IP addresses.
Table 4-7 Port redirects – List entry
Option | Definition
Protocol name | Specifies the name of the protocol used for data packets coming in when a user sends a request.
Original destination ports | Specifies the ports that redirected data packets were originally sent to.
Destination proxy port | Specifies the port that data packets originally sent to the above ports are redirected to.
Optional 802.1Q VLANs | Lists the IDs of the network interfaces that are configured for VLAN traffic.
Comment | Provides a plain-text comment on a port redirect.
Table 4-8 Virtual IPs – List entry
Option | Definition
Virtual IP address | Specifies a virtual IP address (in CIDR notation).
Network interface | Specifies a network interface on an appliance used for heartbeats under VRRP (Virtual Router Redundancy Protocol).
Comment | Provides a plain-text comment on a virtual IP address.
Best practices - Configuring the Proxy HA mode
The Proxy HA network mode that can be configured on Web Gateway is an explicit proxy mode with
High Availability functions. It allows you to perform failover and load balancing without using external
load balancers.
We recommend that you only use this setup for networks with up to 1000 Web Gateway users. For larger networks, we recommend external load balancing devices.
Director node and scanning nodes
One of the appliances in a Proxy HA configuration is configured as the director node. The other
appliances are then configured as scanning nodes. The role is assigned to each appliance by
configuring a priority value.
The director node performs load balancing within the High Availability cluster by distributing load to
the scanning nodes. Usually, the director node also acts as a scanning node. The scanning nodes can
act as backup nodes to replace a failed director node. You can also configure a node as a simple
scanning node that does not perform backup functions.
The node that has the director role at a given point in time is known as the active director. The active
director uses a virtual IP address (VIP) as an alias IP address on its interface for communication with
the clients.
We recommend that you also configure the appliances you want to include in the Proxy HA
configuration as members of a Central Management configuration.
These configurations do not depend on each other for running successfully. But if the appliances are
not controlled and synchronized by Central Management, each appliance might follow different web
security rules after some time.
Load balancing
Load balancing in a Proxy HA configuration takes into account resource usage and the number of active connections. So, if one scanning node is overloaded, others get more traffic to compensate.
When load balancing is performed, requests from the same client usually go to the same scanning node.
Failover
If the director node fails, the backup node with the highest priority takes over the director role. When
the original director node returns to active status, it takes over the director role again.
To verify that nodes are available, VRRP (Virtual Router Redundancy Protocol) is used for health
checks. You must configure the following for VRRP on each appliance to enable the health checks: A
VRRP interface and a virtual router ID that is the same for all members of the High Availability cluster.
Each node sends a multicast packet per second to IP address 224.0.0.18. If no multicast packet from
the active director is seen for 3–4 seconds, a failover is performed. The failover lets the backup node
with the highest priority become the director node. This node takes on ownership of the virtual IP
address of the High Availability cluster and informs the other nodes about its new director role.
Gratuitous ARP (Address Resolution Protocol) messages are used to update the ARP tables of
participating clients and routers. Each time the common virtual IP address changes ownership (a
failover occurs), the new director node sends a gratuitous ARP message. Subsequent TCP/IP packets
can then reach this node.
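The election and failover behavior described above, as an added example that is not part of the product guide and not Web Gateway code: every live node advertises once per second, a director whose advertisements have stopped for longer than DEAD_AFTER seconds is treated as failed (3 s is assumed here, within the 3 to 4 s window the guide gives), the backup with the highest non-zero priority takes the virtual IP and announces it with a gratuitous ARP, and a returning node with a higher priority takes the role back. Node names, priorities, and the VIP are constructed sample values.

```python
"""Director election and failover in a Proxy HA cluster over VRRP health checks (added example)."""
from typing import Dict, List, Optional, Tuple

ADVERT_INTERVAL = 1.0   # one VRRP advertisement per second, as the guide states
DEAD_AFTER = 3.0        # assumed: silence longer than this counts as a failed director


class Node:
    def __init__(self, name: str, priority: int) -> None:
        if not 0 <= priority <= 99:
            raise ValueError("director priority is 0..99")
        self.name = name
        self.priority = priority   # 0: scanning node only, never takes the VIP
        self.up = True


class ProxyHaCluster:
    def __init__(self, vip: str, nodes: List[Node]) -> None:
        self.vip = vip
        self.nodes = nodes
        self.last_advert: Dict[str, float] = {}         # last advertisement time per node
        self.director: Optional[str] = None
        self.garp_log: List[Tuple[float, str]] = []     # (time, node that announced the VIP)

    def tick(self, now: float) -> None:
        """Advance one interval: live nodes advertise, silent ones time out, roles settle."""
        for n in self.nodes:
            if n.up:
                self.last_advert[n.name] = now
        alive = [n for n in self.nodes
                 if now - self.last_advert.get(n.name, float("-inf")) <= DEAD_AFTER]
        # Only nodes with a priority above zero may own the VIP; the highest wins,
        # which also gives a returning original director its role back.
        eligible = [n for n in alive if n.priority > 0]
        new = max(eligible, key=lambda n: n.priority).name if eligible else None
        if new != self.director:
            self.director = new
            if new is not None:
                # the new VIP owner refreshes the ARP caches of clients and routers
                self.garp_log.append((now, new))


def run_scenario() -> Tuple[Dict[int, Optional[str]], List[Tuple[float, str]]]:
    """Director (99) fails at t=10 and returns at t=20; the backup (89) bridges the gap."""
    wg1, wg2, wg3 = Node("wg1", 99), Node("wg2", 89), Node("wg3", 0)
    cluster = ProxyHaCluster("10.10.73.100", [wg1, wg2, wg3])
    timeline: Dict[int, Optional[str]] = {}
    for t in range(0, 31):
        wg1.up = not 10 <= t < 20
        cluster.tick(t * ADVERT_INTERVAL)
        timeline[t] = cluster.director
    return timeline, cluster.garp_log


def director_with_only_scanners() -> Optional[str]:
    """A priority-0 node never directs, even when it is the only node left."""
    cluster = ProxyHaCluster("10.10.73.100", [Node("wg3", 0)])
    cluster.tick(0.0)
    return cluster.director


if __name__ == "__main__":
    timeline, garps = run_scenario()
    print({t: d for t, d in timeline.items() if t in (9, 12, 13, 19, 20)})
    print(garps)
```

Two details worth noticing when reading the timeline: the backup does not react at t=10 but at t=13, because the failure is inferred from missing advertisements rather than signalled, and there is exactly one gratuitous ARP per change of VIP ownership, which is what lets the switch and the clients follow the VIP to the new director.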
See also
Best practices - High Availability configuration size limits on page 78
Configure the Proxy HA mode
Configure the Proxy HA mode to perform load balancing and failover without using external load
balancers.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select an appliance that you want to include in the Proxy HA configuration, then click Proxies (HTTP, HTTP(S), FTP, SOCKS, ICAP ...).
3 Under Network Setup, select Proxy HA.
The Proxy HA settings appear immediately below the Network Setup settings.
4 Configure the following for each appliance in the Proxy HA configuration:
a Port redirects — Add an entry with the following parameters in the list of port redirects.
• Protocol name — HTTP
• Original destination ports — Proxy port that the users of your network select in their browsers
• Destination proxy port — Proxy port used by Web Gateway
The proxy port that the users select in their browsers and the proxy port that Web Gateway uses can be the same, for example, 9090. In this case, enter a port redirect into the list that redirects port 9090 to port 9090.
b Director priority — Set a numerical value for the priority in taking the director role.
• Highest priority, for example, 99 — For the director node
• Lower priority, must be higher than 0, for example, 89 — For a backup node
A backup node performs a failover to replace the director node when that node fails and no other node with a higher priority is available. Otherwise the backup node works as a scanning node.
• 0 — For a node that only acts as a scanning node
c Management IP — Specify the local IP address of the appliance.
This IP address is used to auto-discover the scanning nodes. All nodes must be on the same subnet to be auto-discovered.
d Virtual IPs — Specify the shared IP address for the High Availability cluster.
This address is owned by the active director and must be the same on all nodes. Your users must select this address in their browsers.
e Configure the settings for the VRRP health checks.
• Virtual router ID — ID used for the VRRP health checks
This ID must be the same on all nodes. It is 51 by default.
You can leave the default ID, unless you are already using VRRP elsewhere in your network with ID 51. Then change it here to make it unique for the Proxy HA configuration.
• VRRP interface — Interface used by VRRP for the health checks
This interface is eth0 by default.
You can leave the default interface, unless you are not using the eth0 interface on your appliances at all or want to use multiple interfaces.
5 Click Save Changes.
When the size of data packets is handled in a flexible manner between a Web Gateway appliance and its
clients, using the method known as Path MTU discovery, an additional configuration effort is required for
the Proxy HA mode.
See also
Packet size handling on page 97
Proxy HA settings on page 73
Resolving issues with a Proxy HA configuration
Several measures can be taken when trying to resolve issues with a Proxy HA configuration.
Look up VRRP health check messages
Messages about the VRRP health checks are logged on an appliance system under:
/var/log/messages
These messages also inform you about whether an appliance is in director or backup node status.
Find out which node blocked a request
To find out which of the nodes in a High Availability cluster blocked a request, edit the user message
template for Block actions. Insert the System.HostName property.
Test a specific node
To test the behavior of a particular node, enter a new proxy port in the port redirect list only on that
node, for example, 9091.
Then point the browser on the client system that you are using to test the node to <IP address of Web
Gateway>:9091.
Identify the active director
To identify the active director node that owns the virtual IP address of the High Availability cluster, set
up an SSH session with each node. Then run the ip addr show command on each of them.
Inspect failure to distribute web traffic
If all web traffic is processed on the director node or another single node instead of being distributed
to other nodes, it could have these reasons:
• No port redirects are configured on the director node. If there are no port redirects, the director node will not redirect traffic to other nodes, but handle it locally.
• The director node does not know about any other nodes because they are configured with IP addresses that do not belong to the same subnet.
• All traffic is coming from the same source IP address because there is a downstream proxy or a NAT device in place. Then the usual behavior for load balancing is to direct this traffic to the same node again and again.
Best practices - High Availability configuration size limits
When configuring the Proxy HA (High Availability) network mode, you need to consider the number of
Web Gateway appliances to include in the configuration.
In most cases, multiple appliances are run in a network and configured as nodes that are administered
using Central Management functions.
Usually, one of these nodes is configured as the director node that directs incoming web traffic to the
other nodes, which are termed scanning nodes since their job is to scan this traffic.
On a particular appliance, network interfaces are usually configured in a two-leg solution, which uses
separate interfaces for incoming and outgoing web traffic, or in a three-leg solution, which uses an
additional interface for Central Management communication.
Considering a network that is configured in this way, the following should be taken into account:
• The number of scanning nodes must be chosen so that their combined maximum throughput does not reach or exceed the maximum throughput that can be achieved by the director node, which is 1 gigabit per second by default.
This value results from the following internal restrictions: The network interface that the director node uses by default is limited to processing a data volume of 1 gigabit per second. Also, the kernel-mode driver of the MLOS operating system, which runs on a Web Gateway appliance, only allows a scaling of up to 1 gigabit per second.
• We recommend that you leave a clear safety margin below the number of scanning nodes that would theoretically be possible under these conditions.
• For example, with a throughput of 100 megabits per second for a scanning node, ten nodes would be possible, but we recommend five.
• With a throughput of 300 megabits per second, three nodes would be possible, but we recommend two.
The maximum throughput on a scanning node varies with the appliance model that is used as a node
and how a node is configured, for example, whether anti-malware filtering or the web cache are
enabled or not. To find this value for a node, you can use a sizing calculator.
Calculations look different if a 10G network interface is used by a director node instead of the default
1G network interface or if IP spoofing is enabled in a configuration. This is explained in the following.
10G network interfaces
When a 10G network interface is installed on an appliance that is configured as the director node, the
maximum throughput for this node is increased. However, the scaling limit of the MLOS kernel-mode
driver must still not be exhausted or exceeded.
• For example, with a throughput of 100 megabits per second for a scanning node, more than five nodes are possible, but we still recommend not to extend their number to ten.
• With a throughput of 300 megabits per second, three nodes are possible; we recommend not to use more.
IP spoofing
When IP spoofing is configured, data packets pass through the director node twice, once when the
director node directs them to the scanning nodes and a second time when they are returned from the
scanning nodes to the director node, as this node forwards the data packets to their original IP
addresses.
This means the maximum throughput is only 500 megabits per second on the director node if a 1G network interface is used, while the scaling limit of the MLOS kernel-mode driver remains the same. The number of scanning nodes must be adapted accordingly.
• For example, with a throughput of 100 megabits per second for a scanning node and a director node that uses a 1G network interface, the number of scanning nodes must be less than five. If a 10G network interface is used, the number of scanning nodes can be higher, but we still recommend five.
• With a throughput of 300 megabits per second for a scanning node and a director node that uses a 1G network interface, there should be only one scanning node. If a 10G network interface is used, we recommend not to configure more than three scanning nodes.
See also
Best practices - Configuring the Proxy HA mode on page 74
Best practices - Configuring the explicit proxy mode with WCCP
When implementing the explicit proxy mode on a Web Gateway appliance, you can configure the
redirection of web traffic to Web Gateway under WCCP (Web Cache Communication Protocol). Use of
this protocol considerably enhances the capabilities for load balancing and failover.
To enable redirection under WCCP, a suitable router must be placed between the client systems of the
users in your network and the web. The router redirects requests for web access from the clients that
are directed to particular ports to the Web Gateway appliance.
The router is also referred to as the WCCP device. Instead of a router, you can also use a switch as
WCCP device.
On the appliance, you must configure a WCCP service. When configuring this service, you specify a
service ID, the IP address of the router, the ports that requests are redirected from, and other
information.
Multiple appliances can connect to the same router under WCCP for load balancing and failover. The
appliances must be configured as nodes in a Central Management configuration and a WCCP service
must be configured on each of them.
The redirection happens transparently, which means users are not aware that their requests are
redirected. When the response to a request is received from a web server, Web Gateway forwards it to
the client, using (spoofing) the IP address of the web server.
To start working with the router, Web Gateway subscribes to it. The router is not aware of Web
Gateway until the subscription happens. No settings must be configured on the router to inform it
about Web Gateway.
Communication between Web Gateway and the router
Under WCCP, data packets are exchanged to subscribe, negotiate settings, and as health checks. Web
Gateway sends a "Here I Am" packet to the router and forwards the configured settings. These
settings include the ports for redirection, the ID of the WCCP service, the IP address that traffic should
be redirected to, and other information.
The router acknowledges with an "I See You" packet that the subscription has been successful and
includes the router ID, which is the highest interface IP address on the router.
If a router does not receive a "Here I Am" packet over more than 25 seconds, it sends a removal
query, requesting that Web Gateway respond immediately. If no response is received within another 5
seconds, Web Gateway is considered offline and removed from the pool of WCCP partners.
Load balancing and failover
In a WCCP configuration with multiple Web Gateway appliances, the first appliance that connects to the router distributes workload to the other appliances. Portions of workload that are distributed are also known as "buckets" in WCCP terminology.
When an appliance goes offline or returns, buckets are immediately reassigned. If the appliance that is currently assigning buckets goes offline, another appliance takes over its role.
We do not recommend using WCCP when the router, client systems, or the Web Gateway appliances
are separated by a device that uses the method known as source NATing to handle client traffic. This
method impacts the performance of load balancing under WCCP. It also prevents you from configuring
rules for user authentication based on time or client IP addresses.
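The subscription, health-check, and bucket-reassignment behavior described in the two preceding sections, as an added example that is not part of the product guide and not Web Gateway or router code. A web cache (Web Gateway) registers with "Here I Am" and the router answers "I See You"; if no "Here I Am" arrives for more than 25 s the router sends a removal query, and if that is not answered within a further 5 s the cache is dropped. The first appliance that joined hands out the buckets, and another one takes over that job if it leaves. The 10 s advertisement interval, the 256-bucket table, and the appliance addresses are assumptions of this simulation.

```python
"""Router-side timing of the WCCP subscription and health-check exchange (added example)."""
from typing import Dict, List, Optional, Tuple

HERE_I_AM_INTERVAL = 10.0     # assumed advertisement interval of the caches
SILENCE_BEFORE_QUERY = 25.0   # guide: removal query after more than 25 s of silence
QUERY_GRACE = 5.0             # guide: 5 s to answer the removal query
BUCKETS = 256                 # assumed size of the bucket table
CACHES = ("10.10.73.72", "10.10.73.73")   # constructed appliance addresses


class CacheState:
    def __init__(self, last_seen: float) -> None:
        self.last_seen = last_seen
        self.query_sent_at: Optional[float] = None


class WccpRouter:
    def __init__(self) -> None:
        self.caches: Dict[str, CacheState] = {}
        self.join_order: List[str] = []
        self.assignment: Dict[int, str] = {}
        self.messages: List[Tuple[float, str, str]] = []   # (time, direction, message type)
        self.removed: List[Tuple[float, str]] = []

    def designated_cache(self) -> Optional[str]:
        """The first appliance that joined and is still in the pool hands out the buckets."""
        return self.join_order[0] if self.join_order else None

    def here_i_am(self, now: float, cache_ip: str) -> None:
        """Cache -> router subscription or keepalive; it also answers a pending removal query."""
        is_new = cache_ip not in self.caches
        self.caches[cache_ip] = CacheState(now)
        if is_new:
            self.join_order.append(cache_ip)
        self.messages.append((now, f"{cache_ip} -> router", "HERE_I_AM"))
        self.messages.append((now, f"router -> {cache_ip}", "I_SEE_YOU"))
        if is_new:
            self._reassign(now)

    def tick(self, now: float) -> None:
        """Router timer: query silent caches, then drop the ones that stay silent."""
        for ip, state in list(self.caches.items()):
            if state.query_sent_at is None:
                if now - state.last_seen > SILENCE_BEFORE_QUERY:
                    state.query_sent_at = now
                    self.messages.append((now, f"router -> {ip}", "REMOVAL_QUERY"))
            elif now - state.query_sent_at >= QUERY_GRACE:
                del self.caches[ip]
                self.join_order.remove(ip)
                self.removed.append((now, ip))
                self._reassign(now)

    def _reassign(self, now: float) -> None:
        """The designated cache spreads the bucket table evenly over the remaining pool."""
        members = sorted(self.caches)
        self.assignment = {b: members[b % len(members)] for b in range(BUCKETS)} if members else {}
        designated = self.designated_cache()
        if designated is not None:
            self.messages.append((now, f"{designated} -> router", f"REDIRECT_ASSIGN {members}"))

    def buckets_of(self, cache_ip: str) -> int:
        return sum(1 for owner in self.assignment.values() if owner == cache_ip)


def simulate(dying_cache: str = "10.10.73.73", dies_at: float = 60.0, until: float = 120.0) -> WccpRouter:
    """Both caches advertise every 10 s; the chosen one falls silent after dies_at."""
    router = WccpRouter()
    t = 0.0
    while t <= until:
        if t % HERE_I_AM_INTERVAL == 0:
            for ip in CACHES:
                if ip != dying_cache or t <= dies_at:
                    router.here_i_am(t, ip)
        router.tick(t)
        t += 1.0
    return router


if __name__ == "__main__":
    r = simulate()
    print(r.removed, r.designated_cache(), r.buckets_of("10.10.73.72"))
    for event in r.messages:
        if event[2].startswith(("REMOVAL", "REDIRECT")):
            print(event)
```

With the defaults the second appliance's last "Here I Am" is at t=60, the removal query goes out at t=86, and the appliance is dropped at t=91, at which point all 256 buckets move to the remaining appliance. Calling simulate("10.10.73.72") instead removes the appliance that was assigning buckets and shows the other one taking over that role.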
Fail-open and fail-closed strategies
If use of the WCCP protocol is configured on the router and no Web Gateway appliance is available, the router lets requests for web access pass through without redirection. This behavior follows a strategy known as fail-open.
If you have a firewall in your network, you must configure it to allow requests for web access with any source IP address to enable this strategy. Requests can then go out to the web directly. Note that while no appliance is available, this traffic leaves the network without being filtered.
Under a fail-closed strategy, requests are blocked if no Web Gateway appliance is available to redirect them to. For this strategy to work, you must configure the firewall to allow only requests with source IP addresses belonging to Web Gateway. In both cases it is the firewall rule set, not the router, that enforces the chosen strategy.
Using WCCP only or as fallback solution
You can use the explicit proxy mode with WCCP as your only network mode solution, which means all
web traffic is handled in this mode. You can also use it as a fallback solution for special use cases in an
explicit proxy configuration, for example, to deal with applications that do not recognize proxy
settings. Another use case would be handling web traffic in a Wi-Fi network segment where users can
bring their own devices.
As best practice, we recommend using two different proxy ports. Configure one for handling web
traffic in explicit proxy mode with WCCP, and one for handling it without WCCP. Following this practice
allows you to use the property for proxy ports in the criteria of web security rules.
Configure use of the WCCP protocol
To configure use of the WCCP protocol, configure a router and one or more Web Gateway appliances
for handling web traffic according to this protocol.
Task
1 Configure a router for handling web traffic according to the WCCP protocol.
Configuring the router mainly includes specifying the ID of the WCCP service. For more information, see the router documentation.
2 Configure a Web Gateway appliance for handling web traffic according to the WCCP protocol.
Configuring the appliance mainly includes setting up a WCCP service on it.
a Select Configuration | Appliances.
b Select the appliance that you want to configure for use of the WCCP protocol and click Proxies (HTTP, HTTP(S), FTP, SOCKS, ICAP ...).
c Under Network Setup, make sure that Proxy (optional WCCP) is selected. Under Transparent Proxy, select WCCP.
The WCCP services list appears.
d On the list toolbar, click the Add icon.
The Add WCCP Service window opens.
e To add a service, provide values for the service parameters. When you are done, click OK.
The new service appears in the WCCP services list.
f Click Save Changes.
You can include more than one appliance in a WCCP configuration. Configure a WCCP service on
every appliance that you want to include.
When configuring the explicit proxy mode with WCCP after using a different network
mode before (Proxy HA mode, transparent router or bridge mode), you must restart the
appliance.
The restart unloads the network driver that handles the transparent interception and
redirection of web traffic. Restarting is only required once. Later on you can enable and
disable use of the WCCP protocol without restarting.
See also
Settings for a WCCP service on page 81
Settings for a WCCP service
When configuring the settings for a WCCP service, you specify values for several service parameters.
Regarding these parameters, consider the best-practice information that is provided in the following.
Service ID
The service ID identifies the WCCP service. The service is also included in the configuration of the
router, where the ID for this service must be the same.
Service IDs 0–50 are static under WCCP and reserved for well known services with standard
configurations. Service IDs 51–255 are dynamic and involve negotiation between the partners in the
WCCP configuration. For the WCCP service that you configure, we recommend using a value from 51
to 98.
WCCP router definition
The IP address of the router that is used in the WCCP configuration is specified in the router definition.
Alternatively, you can specify the name that this IP address is resolved to by a domain name server.
You can configure multiple routers by specifying an IP address or DNS name for each of them or by
using a multicast IP address. The use of an IP address as multicast IP address for multiple routers is
indicated in the configuration of the respective routers by specifying the keywords group-address and
group-listen.
Ports to be redirected
The ports that web traffic is redirected from to the Web Gateway proxy port are listed here.
The redirection works for traffic under the HTTP protocol and also under HTTPS. Redirection of FTP
traffic or traffic under any other protocol is not supported. This means that all ports that you list here
must be ports for HTTP and HTTPS traffic. Port 80 for HTTP traffic and port 443 for HTTPS traffic are by
default included in the list.
If you add more ports for HTTPS traffic, you must also add them as ports that are to be treated as SSL
within the HTTP proxy configuration.
If version 1 of WCCP is used, only traffic for port 80 is redirected. You cannot add any other ports for
redirection.
Proxy listener address
The proxy listener address is the physical IP address of the network interface card on a Web Gateway appliance that web traffic is redirected to.
Proxy listener port
The proxy listener port is the port on Web Gateway that listens to the redirected requests.
For the redirection to work, you must bind the proxy listener port to the IP address 0.0.0.0, so that it accepts the redirected traffic on all addresses. For example, if you are using the default port 9090, bind it by specifying 0.0.0.0:9090.
You must not bind the port to localhost, to the IP address of the appliance that you are working on, or to any other specific IP address. Otherwise the redirection will not work and traffic will not be processed.
Assignment method
The assignment method is the method for assigning buckets (processing jobs) under WCCP to
different Web Gateway appliances when a configuration consists of more than one appliance. The
method can be assignment by mask or hash. Some routers only support the mask assignment
method. For more information, see the router documentation.
Input for load distribution
Load distribution can be based on the source or destination IP address or the source or destination port of a request. We recommend configuring load distribution based on the source IP address. This ensures that the same appliance is always used for the requests that a user submits from a particular client system, which avoids breaking sessions.
Assignment weight
The assignment weight is used to assign traffic load to different Web Gateway appliances in a WCCP
configuration. If the default value 1000 is configured on all appliances, the load is distributed equally.
If an appliance in the configuration performs better than the others, you can configure a higher value
on this appliance and lower values on the others. If all appliances perform equally well, we
recommend leaving the default value on each of them.
GRE-encapsulated
When the Generic Routing Encapsulation (GRE) method is used for sending data packets, an original
data packet is encapsulated inside a new packet with additional headers. The new packet is then sent
from the router to Web Gateway over a connection that is known as a GRE tunnel. This method
requires more overhead, but has the advantage of working across subnets.
L2-rewrite to local NIC
When the L2-rewrite (Layer 2 rewrite) method is used for sending data packets, the destination MAC
address is rewritten to the MAC address of the proxy. The packets are then redirected to a network
interface on an appliance. This method works only if the router and the appliance are on the same
subnet.
L2-redirect target
The target for redirecting data packets under the L2-rewrite method is the network interface of a NIC on the appliance that you are working on. The interface name, for example, eth0, is selected to specify this interface.
Troubleshooting WCCP-related issues
You can review WCCP-related information on the appliance dashboard or retrieve it running suitable
commands on the command line of a system console that is connected to the appliance.
Review WCCP-related information on the dashboard
Review WCCP-related information on the dashboard, to see whether troubleshooting activities are
required.
Task
1 Select Dashboard | Charts and Tables.
2 On the navigation pane, click System Summary and scroll down to the WCCP Service Current Status Report table.
The table shows values for several WCCP parameters, such as the ID of the WCCP service that the
appliance has subscribed to, the IP address of the router, forwarding and return methods, and
assigned buckets.
It also shows the time stamps of the latest "Here I Am" and "I See You" data packets, which allows
you to verify that the health check is working.
Retrieving WCCP-related information on the command line
You can use several commands to retrieve WCCP-related information on the command line.
Enter the following command to see if web traffic is redirected to the configured port on a Web
Gateway appliance.
iptables -t mangle -L
You will see, for example, an entry for the chain WCCP0 with a line containing redirect
10.10.73.72:9090.
10.10.73.72 is the IP address of the network interface of the NIC on the Web Gateway appliance that
you configured as destination of the redirected traffic. 9090 is the configured port.
You can check whether the appliance sends "Here I Am" and "I See You" data packets. Enter the
following command:
tcpdump -npi eth0 port 2048
Within the data packets that are displayed, verify that the following applies:
•
The IP address shown for the web cache is the IP address of the Web Gateway appliance.
•
The bucket assignment method is the method that is also configured for Web Gateway.
•
The redirect method is the method that is also configured for Web Gateway.
You can check whether the GRE-encapsulated or L2-rewritten data packets are received on the Web
Gateway appliance.
• For GRE-encapsulation, enter the following command:
tcpdump -npi eth0 ip proto 47
Verify that the source IP address of the data packets is the IP address that is configured for the router on Web Gateway.
• For L2-rewriting, enter the following command:
tcpdump -npi eth0 not host <IP address of the Web Gateway appliance>
Verify that the source IP address of the data packets is the IP address of the client that sent the request.
To check that redirected data packets are received on Web Gateway, you can also enter the ifconfig
command.
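As an added check, not part of the guide or the product, the following Python parses the output of iptables -t mangle -L and verifies that the WCCP chain redirects to the interface address and proxy port you configured; the sample output is constructed to match the entry described above.

```python
import re
from ipaddress import ip_address

# Constructed sample of `iptables -t mangle -L` output (not captured from a real
# appliance), shaped like the entry described in the guide: a WCCP0 chain whose
# rule redirects matching traffic to the appliance interface and proxy port.
SAMPLE_IPTABLES_OUTPUT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
WCCP0      tcp  --  anywhere             anywhere             tcp dpt:http

Chain WCCP0 (1 references)
target     prot opt source               destination
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:http TPROXY redirect 10.10.73.72:9090 mark 0x1/0x1
"""

# Matches the "redirect <ip>:<port>" fragment of a TPROXY rule line.
REDIRECT_RE = re.compile(r"redirect\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_chains(output):
    """Split `iptables -L` output into {chain name: [rule lines]}."""
    chains, current = {}, None
    for line in output.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            chains[current].append(line)
    return chains


def find_wccp_redirects(output, chain_prefix="WCCP"):
    """Return (ip, port) pairs from redirect rules in chains named WCCP*."""
    redirects = []
    for name, rules in parse_chains(output).items():
        if not name.startswith(chain_prefix):
            continue
        for rule in rules:
            match = REDIRECT_RE.search(rule)
            if match:
                redirects.append((match.group(1), int(match.group(2))))
    return redirects


def check_wccp_redirect(output, expected_ip, expected_port):
    """Compare every WCCP redirect target with the configured appliance
    interface and proxy port. Returns a list of findings; empty means OK."""
    findings = []
    redirects = find_wccp_redirects(output)
    if not redirects:
        findings.append("no WCCP chain with a redirect rule: traffic is not redirected")
        return findings
    for ip, port in redirects:
        if ip_address(ip) != ip_address(expected_ip):
            findings.append(f"redirect target {ip} is not the configured interface {expected_ip}")
        if port != expected_port:
            findings.append(f"redirect port {port} is not the configured proxy port {expected_port}")
    return findings


if __name__ == "__main__":
    # On an appliance, replace the constructed sample with the real command output,
    # for example: subprocess.run(["iptables", "-t", "mangle", "-L"], ...).stdout
    for finding in check_wccp_redirect(SAMPLE_IPTABLES_OUTPUT, "10.10.73.72", 9090) or ["OK"]:
        print(finding)
```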
Transparent router mode
The transparent router mode is one of the two transparent modes you can configure for the proxy
functions of a Web Gateway appliance if you do not want to use an explicit mode.
In transparent router mode, the clients are unaware of the appliance and need not be configured to
direct their web traffic to it.
The appliance is placed as a router immediately behind a firewall. A switch can be used for connecting
the appliance to its clients. A routing table is used to direct the traffic.
Director and scanning nodes
If you are running several appliances as nodes within a complex configuration, for example, in a
Central Management cluster, one node is usually configured as director, while the other nodes are
configured as scanning nodes.
The director node receives web traffic from the clients and distributes it to the scanning nodes, which
perform filtering activities on the traffic according to the rules that are implemented. Further handling
of the traffic by the director or scanning nodes differs depending on what is configured.
The director node can also perform filtering activities. We recommend configuring at least two
director nodes to avoid problems in case one of them goes offline.
If you are only running one Web Gateway appliance in your network and want to configure it in
transparent router mode, you must still configure the director role for it to let it receive, filter, and
forward web traffic.
Configure the transparent router mode
To configure the proxy functions of an appliance in transparent router mode, complete the following
high-level steps.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure the transparent router mode for and click Proxies (HTTP(S), FTP, ICAP, and IM).
3 Under Network Setup, select Transparent Router.
After selecting this mode, specific Transparent Router settings appear below the Network Setup settings. Common settings follow the specific settings, including settings for configuring the HTTP, FTP, and other network protocols.
4 Configure specific and common settings as needed.
5 Click Save Changes.
When running several appliances as nodes in a Central Management configuration, you can configure
the transparent router mode on each of them.
When the size of data packets is handled in a flexible manner between a Web Gateway appliance and its
clients, using the method known as Path MTU discovery, an additional configuration effort is required for
the transparent router mode.
See also
Packet size handling on page 97
Transparent Router settings on page 88
Configure nodes in transparent router mode
You can configure the transparent router mode for two or more appliances that are nodes in a Central
Management configuration. One of the nodes takes the director role, which means it directs data
packets, while the scanning nodes filter them.
Node configuration includes configuring network and proxy settings.
Tasks
• Configure network settings for a director node in transparent router mode on page 86
To configure a director node in transparent router mode, configure network interfaces for inbound and outbound web traffic.
• Configure proxy settings for a director node in transparent router mode on page 86
To configure proxy settings for a director node in transparent router mode, configure the director role for this node, as well as port redirects and proxy ports.
• Configure a scanning node in transparent router mode on page 87
To configure a scanning node in transparent router mode, configure at least one network interface for outbound traffic. Configure the proxy settings in the same way as for a director node in this mode, except for the scanning role.
Configure network settings for a director node in transparent router mode
To configure a director node in transparent router mode, configure network interfaces for inbound and
outbound web traffic.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure as a director node and click Network interfaces.
3 Configure network interfaces as is suitable for your network.
You need at least one interface for inbound and one for outbound web traffic.
4 Click Save Changes.
You are logged off and logged on to the appliance again.
Configure proxy settings for a director node in transparent router mode
To configure proxy settings for a director node in transparent router mode, configure the director role
for this node, as well as port redirects and proxy ports.
The director role is configured by giving the node a priority value > 0.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure as a director node and click Proxies (HTTP(S), FTP, ICAP, and IM).
3 Under Network Setup, select Transparent Router.
Specific Transparent Router settings appear below the Network Setup settings.
4 Configure one or more port redirects that let requests sent from clients of Web Gateway be redirected to a particular port.
a Under Port redirects, click Add.
The Add Port Redirects window opens.
b Configure the following for a new port redirect that applies to connections under HTTP or HTTPS:
• Protocol name — http
http covers connections under both HTTP and HTTPS.
• Original destination ports — 80, 443
These are the default destination ports. They cover connections under both HTTP and HTTPS.
If you also want to filter HTTPS traffic, enable the SSL Scanner rule set, which is by default provided on the rule sets tree, but not enabled.
• Destination proxy port — 9090
9090 is the default proxy port on an appliance.
If you need to use other ports due to the requirements of your network, change these settings as needed.
To configure a port redirect for connections under FTP, select this protocol. Default ports are then preconfigured, which you can change as needed.
5 Set Director priority to a value > 0.
6 In the Management IP field, type an IP address for each of the scanning nodes that the director should be able to connect to.
7 Under Virtual IPs, configure virtual IP addresses for the inbound and outbound network interfaces, using free IP addresses for this purpose.
8 Leave the number under Virtual router ID as it is.
9 From the VRRP interface list, select the interfaces for heartbeats under this protocol.
10 Configure IP spoofing as needed.
11 Under HTTP proxy port, make sure Enable HTTP proxy is selected.
The setting is selected by default. An entry for port 9090 is also configured by default on the HTTP
Port Definition List.
• You can change this port as needed. Clicking Add opens the Add HTTP Proxy Port window, which allows you to add more proxy ports.
• To configure one or more FTP proxies, select Enable FTP Proxy under FTP Proxy. An entry for FTP control port 2121 and FTP data port 2020 is then preconfigured on the FTP Port Definition List.
12 Click Save Changes.
Configure a scanning node in transparent router mode
To configure a scanning node in transparent router mode, configure at least one network interface for
outbound traffic. Configure the proxy settings in the same way as for a director node in this mode,
except for the scanning role.
The scanning role is configured by giving the node 0 as the priority value.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure as a scanning node and click Network interfaces.
3 Configure network interfaces as is suitable for your network.
You need at least one interface for outbound web traffic.
4 Click Save Changes.
5 You are logged off and logged on to the appliance again.
6 On the appliances tree, select the appliance you want to configure as a scanning node and click Proxies (HTTP(S), FTP, SOCKS, ICAP ...).
7 Under Network Setup, select Transparent Router.
Specific Transparent Router settings appear below the Network Setup settings.
8 Configure the same port redirects as for the director node.
9 Set Director priority to 0.
10 Configure IP spoofing in the same way as for the director node.
11 Configure the same HTTP and FTP proxy ports as for the director node.
12 Click Save Changes.
To run more than one scanning node in transparent router mode, configure additional appliances in
the same way.
Transparent Router settings
The Transparent Router settings are specific settings for configuring the proxy functions of an
appliance in transparent router mode.
Transparent Router
Settings for configuring the transparent router mode
Table 4-9 Transparent Router
Option
Definition
Port redirects
Provides a list for entering the ports that requests for web access sent by users of
your network are redirected to.
Director priority
Sets the priority (ranging from 0 to 99) that an appliance takes in directing the
data packets that are sent in a request.
When several appliances are run as nodes in a complex configuration, for example,
a Central Management cluster, the node with the highest value is the director node,
while the other nodes are scanning nodes that only perform filtering activities.
The director node receives data packets, distributes them to the other nodes for
filtering, and forwards the data packets that have passed the filtering to the web.
In a complex configuration, set the director node to a value higher than zero, and
set the scanning nodes to zero.
If you are only running one Web Gateway appliance in your network and want to
configure it in transparent router mode, you must still set its priority to a value
higher than zero to let it receive, filter, and forward data packets.
Management IP
Specifies the source IP address of an appliance that directs data packets when
sending heartbeat messages to other appliances.
Virtual IPs
Provides a list for entering virtual IP addresses.
Virtual router ID
Identifies a virtual router.
VRRP interface
Specifies the network interface on an appliance for sending and receiving heartbeat
messages.
IP spoofing (HTTP, HTTPS)
When selected, the appliance keeps the client IP address that is sent with a request
as the source address and uses it in communication with the requested web server
under various protocols.
The appliance does not verify whether this address matches the host name of the
request.
IP spoofing (FTP)
When selected, the appliance communicates with a file server under the FTP
protocol in the same way as under the HTTP or HTTPS protocol to perform IP
spoofing.
For active FTP, this option must be enabled.
The following two tables describe entries in the list of port redirects and the list of virtual IP addresses.
Table 4-10 Port redirects – List entry
Option
Definition
Protocol name
Specifies the name of the protocol used for sending and receiving requests.
Original destination ports
Specifies the ports that requests must originally be sent to if they are to be
redirected.
Destination proxy port
Specifies the port that requests are redirected to.
Source IP based exceptions
Excludes requests that have been received from clients with the specified IP
addresses from redirecting.
• For each IP address, a net mask must also be specified.
• When a request is excluded from redirecting, it is not processed by any of the
filtering rules that are implemented.
• You can configure redirection exceptions in this way to let requests received
from trusted sources skip further processing on Web Gateway or for
troubleshooting connection problems.
Destination IP based exceptions
Excludes requests that are sent to a destination with the specified IP address
from redirecting.
• For each IP address, a net mask must also be specified.
• When a request is excluded from redirecting, it is not processed by any of the
filtering rules that are implemented.
• You can configure redirection exceptions in this way to let requests sent to
trusted destinations skip further processing on Web Gateway or for
troubleshooting connection problems.
Optional 802.1Q VLANs
Lists the IDs of the network interfaces for VLAN traffic that are configured.
Comment
Provides a plain-text comment on a port redirect.
Table 4-11 Virtual IPs – List entry
Option
Definition
Virtual IP address
Specifies a virtual IP address (in CIDR notation).
Network interface
Specifies a network interface on an appliance that the virtual IP address configured
here is assigned to.
This virtual IP address is only assigned to the interface if the current node takes the
role of an active director.
Comment
Provides a plain-text comment on a virtual IP address.
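The port redirect list entries of Table 4-10 decide which requests reach the proxy port and which are passed on unfiltered. The following Python models that decision, including the source and destination IP based exceptions, so an exception list can be reviewed against expected traffic before it is saved. It is an added example, not the product's own logic; the exception networks and sample requests are constructed, and only the default http redirect (ports 80 and 443 to proxy port 9090) comes from the guide.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class PortRedirect:
    """One entry of the Port redirects list: protocol name, original destination
    ports, destination proxy port, and the two IP-based exception lists.
    Exception entries are written as address/netmask (prefix length or dotted
    mask), since the list requires a net mask for each address."""
    protocol: str
    original_ports: List[int]
    proxy_port: int
    source_exceptions: List[str] = field(default_factory=list)
    destination_exceptions: List[str] = field(default_factory=list)


def _matches_any(addr: str, networks: List[str]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(net, strict=False) for net in networks)


def redirect_target(redirects: List[PortRedirect], protocol: str,
                    src_ip: str, dst_ip: str, dst_port: int) -> Optional[int]:
    """Return the proxy port a request is redirected to, or None when the
    request is passed on to the web without being redirected (and therefore
    without being processed by any filtering rule)."""
    for entry in redirects:
        if entry.protocol != protocol or dst_port not in entry.original_ports:
            continue
        if _matches_any(src_ip, entry.source_exceptions):
            return None  # source IP based exception: unfiltered pass-through
        if _matches_any(dst_ip, entry.destination_exceptions):
            return None  # destination IP based exception: unfiltered pass-through
        return entry.proxy_port
    return None  # no redirect covers this port: unfiltered pass-through


def unfiltered_requests(redirects, requests):
    """Given (protocol, src_ip, dst_ip, dst_port) tuples, return those that
    would bypass Web Gateway filtering under the given redirect list."""
    return [req for req in requests if redirect_target(redirects, *req) is None]


# Constructed configuration: the guide's default http redirect (ports 80 and 443
# to proxy port 9090) plus two hypothetical exception networks.
EXAMPLE_REDIRECTS = [
    PortRedirect("http", [80, 443], 9090,
                 source_exceptions=["10.10.70.0/255.255.255.0"],
                 destination_exceptions=["203.0.113.10/32"]),
]

# Constructed sample requests.
EXAMPLE_REQUESTS = [
    ("http", "10.10.80.5", "198.51.100.7", 443),   # redirected to 9090
    ("http", "10.10.70.5", "198.51.100.7", 80),    # source exception
    ("http", "10.10.80.5", "203.0.113.10", 80),    # destination exception
    ("http", "10.10.80.5", "198.51.100.7", 8080),  # port not redirected
]

if __name__ == "__main__":
    for req in unfiltered_requests(EXAMPLE_REDIRECTS, EXAMPLE_REQUESTS):
        print("passes unfiltered:", req)
```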
Transparent bridge mode
The transparent bridge mode is one of the transparent modes you can configure for the proxy
functions of the appliance if you do not want to use an explicit mode.
In this mode, the clients are unaware of the appliance and need not be configured to direct their web
traffic to it. The appliance is usually placed between a firewall and a router, where it serves as an
invisible bridge.
The following diagram shows a configuration in transparent bridge mode.
Figure 4-2 Transparent bridge mode
Configure the transparent bridge mode
To configure the proxy functions of an appliance in transparent bridge mode, complete the following
high-level steps.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure the transparent bridge mode for and click Proxies (HTTP(S), FTP, ICAP, and IM).
3 Under Network Setup, select Transparent Bridge.
After selecting this mode, specific Transparent Bridge settings appear below the Network Setup settings. Common settings follow the specific settings, including settings for configuring the HTTP, FTP, and other network protocols.
4 Configure specific and common settings as needed.
5 Restart the appliance.
The restart includes the reloading of network drivers, which ensures that the appropriate drivers for this network mode are applied.
We also recommend restarting the appliance after switching from the transparent bridge mode to another network mode.
6 Click Save Changes.
When running several appliances as nodes in a Central Management configuration, you can configure
the transparent bridge mode on each of them.
When the size of data packets is handled in a flexible manner between a Web Gateway appliance and its
clients, using the method known as Path MTU discovery, an additional configuration effort is required for
the transparent bridge mode.
See also
Packet size handling on page 97
Transparent Bridge settings on page 95
Configure nodes in transparent bridge mode
You can configure the transparent bridge mode for two or more appliances that are nodes in a Central
Management configuration. One of the nodes takes the director role, which means it directs data
packets, while the scanning nodes filter them.
Node configuration includes configuring network, Central Management, and proxy settings.
Tasks
• Configure network and Central Management settings for a director node in transparent bridge mode on page 91
To configure a director node in transparent bridge mode, configure a network interface for the transparent bridge functions and let its IP address be used for Central Management communication.
• Configure proxy settings for a director node in transparent bridge mode on page 92
To configure proxy settings for a director node in transparent bridge mode, configure the director role for it, as well as port redirects and proxy ports.
• Configure a scanning node in transparent bridge mode on page 93
To configure a scanning node in transparent bridge mode, configure the same settings as for a director node in this mode, except for the scanning role.
Configure network and Central Management settings for a director node in transparent bridge mode
To configure a director node in transparent bridge mode, configure a network interface for the
transparent bridge functions and let its IP address be used for Central Management communication.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure as a director node and click Network interfaces.
3 Prepare the network interface for the transparent bridge functions.
a Select a still unused network interface of the appliance, but do not enable it yet.
b On the Advanced tab, select Bridge enabled.
c In the Name field, type ibr0 as the name of the interface.
d On the IPv4 tab, under IP Settings, select Disable IPv4.
e Click Save Changes.
You are logged off and logged on to the appliance again.
4 Configure the network interface for the transparent bridge functions.
a Select Configuration | Appliances. Then select the appliance again, and click Network interfaces.
An additional network interface named ibr0 is now available.
b Select the ibr0 interface.
c On the IPv4 tab, configure an IP address, a subnet mask, and a default route for this interface.
d Select the checkbox next to the interface to enable it.
5 Configure the network interface that is currently used to access the appliance as the network interface for the transparent bridge functions.
a Select the network interface that is currently used to access the appliance.
b On the Advanced tab, select Bridge enabled.
c In the Name field, type ibr0 as the name of the interface.
d On the IPv4 tab, under IP Settings, select Disable IPv4.
6 Enable the ibr0 network interface that you selected in step 3 from the previously unused network interfaces.
7 Configure Central Management settings.
a Select Central Management.
b Under Central Management Settings, add the IP address you configured for the ibr0 network interface to the list that is provided.
8 Click Save Changes.
If you want to use more than one network interface for the transparent bridge mode, configure more
unused network interfaces of an appliance in the same way.
Configure proxy settings for a director node in transparent bridge mode
To configure proxy settings for a director node in transparent bridge mode, configure the director role
for it, as well as port redirects and proxy ports.
The director role is configured by giving the node a priority value > 0.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure as a director node and click Proxies (HTTP(S), FTP, ICAP, and IM).
3 Under Network Setup, select Transparent Bridge.
Specific Transparent Bridge settings appear below the Network Setup settings.
4 Configure one or more port redirects that let requests sent from clients of Web Gateway be redirected to a particular port.
a Under Port redirects, click Add.
b Configure the following for a new port redirect that applies to connections under HTTP or HTTPS:
• Protocol name — http
http covers connections under both HTTP and HTTPS.
• Original destination ports — 80, 443
These are the default destination ports. They cover connections under both HTTP and HTTPS.
If you also want to filter HTTPS traffic, enable the SSL Scanner rule set, which is by default provided on the rule sets tree, but not enabled.
• Destination proxy port — 9090
9090 is the default proxy port on an appliance.
If you need to use other ports due to the requirements of your network, change these settings as needed.
To configure a port redirect for connections under FTP, select this protocol. Default ports are then preconfigured, which you can change as needed.
5 Set Director priority to a value > 0.
6 In the Management IP field, type the IP address you specified for ibr0 when configuring the network settings.
7 Configure IP spoofing as needed.
8 Under HTTP proxy port, make sure Enable HTTP proxy is selected.
The setting is selected by default. An entry for port 9090 is also configured by default on the HTTP Port Definition List.
• You can change this port as needed. Clicking Add opens the Add HTTP Proxy Port window, which allows you to add more proxy ports.
• To configure one or more FTP proxies, select Enable FTP Proxy under FTP Proxy. An entry for FTP control port 2121 and FTP data port 2020 is then preconfigured on the FTP Port Definition List.
9 Click Save Changes.
Configure a scanning node in transparent bridge mode
To configure a scanning node in transparent bridge mode, configure the same settings as for a director
node in this mode, except for the scanning role.
The scanning role is configured by giving the node 0 as the priority value.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure as a scanning node and click Proxies (HTTP(S), FTP, SOCKS, ICAP ...).
3 Under Network Setup, select Transparent Bridge.
Specific Transparent Bridge settings appear below the Network Setup settings.
4 Configure the same port redirects as for the director node.
5 Set Director priority to 0.
6 Configure IP spoofing in the same way as for the director node.
7 Configure the same HTTP and FTP proxy ports as for the director node.
8 Click Save Changes.
To run more than one scanning node in transparent bridge mode, configure additional appliances in
the same way.
Best practices - Fine-tuning a transparent bridge configuration
When configuring Web Gateway in transparent bridge mode, you can complete several activities in
addition to the basic steps to improve the configuration.
These activities include the following:
• Configuring port redirects
• Setting up more than one appliance
• Appropriate handling of the STP protocol
Configuring port redirects
Web Gateway is by default configured to scan and filter requests for web access arriving on ports 80
and 443. All requests arriving on other ports are passed on to the web unfiltered unless you specify
additional ports.
You can configure port redirects as exceptions for requests coming from a particular client IP address
or going to a particular destination IP address. These exceptions are also passed on to the web
unfiltered.
Setting up more than one appliance
When configuring Web Gateway in transparent bridge mode, we recommend setting up more than one
appliance.
When a Web Gateway appliance is configured in this mode, it is implemented in an in-line position
within your network. This means that all traffic is physically passing through the appliance, even if no
ports are configured to receive the traffic and enable its filtering. Setting up only one appliance would
therefore make it a single point of failure.
If you set up at least one other appliance, it can serve as a failover device. Another appliance will,
however, not only perform failover functions, but also load balancing, receiving, and processing web
traffic.
Avoiding a port shutdown under STP
When the Web Gateway appliances in your network are directly connected to switches that use the
Spanning Tree Protocol (STP), ports needed for load balancing communication might be shut down
under this protocol.
On most network switches, STP is used to avoid loops and ensure a single path of communication,
shutting down redundant ports that cause such loops.
The protocol is also used, however, when two or more Web Gateway appliances are configured in
transparent bridge mode. One of the appliances then takes the director role, in which it directs the
web traffic that occurs to the other appliance or appliances for processing.
STP is used to communicate this role and the load balancing measures between the appliances.
If network switches with STP are directly connected to the Web Gateway appliances, it is highly likely
that ports needed for this load balancing communication are shut down.
You can proceed in one of the following ways to avoid a shutdown:
• Disable STP on every switch that is directly connected to a Web Gateway appliance.
Do not use this method if other components of your network rely on these switches and STP.
• Install a second switch without STP between every Web Gateway appliance and every switch with STP that the appliance would be connected to.
Setting up your network in this way ensures that load balancing on the Web Gateway appliances and other network components that rely on switches with STP are not impacted.
See also
Configure the transparent bridge mode on page 90
Configure port redirects for the transparent bridge mode
Configure port redirects for the transparent bridge mode to pass on particular requests to the web
unfiltered.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure port redirects on and click Proxies (HTTP(S), FTP, SOCKS, ICAP ...).
3 Under Network Setup, select Transparent Bridge.
The Transparent Bridge settings appear below the Network Setup settings.
4 In the list under Port redirects, specify an IP address and subnet mask for every port redirect that you want to configure.
5 Click Save Changes.
Transparent Bridge settings
The Transparent Bridge settings are specific settings for configuring the proxy functions of an
appliance in transparent bridge mode.
Transparent Bridge
Settings for configuring the transparent bridge mode
Table 4-12 Transparent Bridge
Option
Definition
Port redirects
Provides a list for entering the ports that requests for web access sent by users of
your network are redirected to.
Director priority
Sets the priority (ranging from 0 to 99) that an appliance takes in directing the data
packets that are sent in a request.
The highest value prevails. 0 means an appliance is what is known as a scanning
node, which never directs data packets, but only filters them.
You can use this option only to configure a node as a scanning node
(priority = 0) or a director node (priority > 0).
Differences in node priorities greater than 0 are not evaluated.
After configuring node priorities greater than 0 for multiple appliances in
transparent bridge mode, you need to watch their behavior to find out
which one has actually become the director node that directs data packets.
Management IP
Specifies the source IP address of an appliance that directs data packets when
sending heartbeat messages to other appliances.
IP spoofing (HTTP, HTTPS)
When selected, the appliance keeps the client IP address that is sent with a request
as the source address and uses it in communication with the requested web server
under various protocols.
The appliance does not verify whether this address matches the host name of the
request.
IP spoofing (FTP)
When selected, the appliance communicates with a file server under the FTP
protocol in the same way as under the HTTP or HTTPS protocol to perform IP
spoofing.
For active FTP, this option must be enabled.
The following table describes an entry in the list of port redirects.
Table 4-13 Port redirects – List entry
Option
Definition
Protocol name
Specifies the name of the protocol used for sending and receiving requests.
Original destination ports
Specifies the ports that requests must originally be sent to if they are to be
redirected.
Destination proxy port
Specifies the port that requests are redirected to.
Source IP based exceptions
Excludes requests that have been received from clients with the specified IP
addresses from redirecting.
• For each IP address, a net mask must also be specified.
• When a request is excluded from redirecting, it is not processed by any of the
filtering rules that are implemented.
• You can configure redirection exceptions in this way to let requests received
from trusted sources skip further processing on Web Gateway or for
troubleshooting connection problems.
Destination IP based exceptions
Excludes requests that are sent to a destination with the specified IP address
from redirecting.
• For each IP address, a net mask must also be specified.
• When a request is excluded from redirecting, it is not processed by any of the
filtering rules that are implemented.
• You can configure redirection exceptions in this way to let requests sent to
trusted destinations skip further processing on Web Gateway or for
troubleshooting connection problems.
Optional 802.1Q VLANs
Lists the IDs of the network interfaces for VLAN traffic that are configured.
Comment
Provides a plain-text comment on a port redirect.
Packet size handling
When communication between Web Gateway on an appliance and its clients requires that the size of
data packets is handled in a flexible manner, only the explicit proxy mode can be configured as usual.
The following modes require an additional configuration effort in this case:
• Proxy HA (High Availability) mode
• Transparent router mode
• Transparent bridge mode
The size of data packets is measured by the MTU (Maximum Transmission Unit) parameter, which
limits the number of bytes that can be sent in one packet.
The method of negotiating the value for this parameter between communication partners is known as
Path MTU Discovery. It is not available for the three modes listed above.
For example, when Web Gateway sends a data packet to a client that it connects to through a VPN
(Virtual Private Network) tunnel, the MTU that the VPN tunnel can handle might be 1412, whereas the
MTU of the data packets is 1500.
The VPN gateway then sends a message under the ICMP protocol to inform its partner about the
required size, but this message cannot be processed unless the configured network mode is the
explicit proxy mode.
To solve this problem for the other modes, reduce the MTU parameter value for the network interface
on Web Gateway that is used for the communication, in this case, for communication with clients
behind a VPN tunnel. Set the parameter to the value that is required, for example, to 1412.
The MTU parameter is configured on the user interface as part of the Network Interfaces settings for the
IPv4 or IPv6 protocol, which can be accessed under Configuration | Appliances.
Secure ICAP
When an appliance takes the roles of server and client under the ICAP protocol, communication can be
performed in SSL-secured mode.
To use this mode, you need to import a server certificate for each ICAP port on the appliance that will
receive SSL-secured requests from its clients. The clients are not required to submit certificates.
Requests that are directed from the appliance in its role as an ICAP client to the ICAP server must
include ICAPS as a specification in the server address to enable SSL-secured communication with that
server.
The appliance does not send a client certificate to the ICAP server.
SOCKS proxy
You can configure Web Gateway to run as a proxy that forwards web traffic under the SOCKS
(Sockets) protocol.
When web traffic goes on under the SOCKS protocol, it also follows an embedded protocol, which can
be, for example, HTTP or HTTPS.
The embedded protocol can be detected on Web Gateway, and if filtering is supported for web traffic
under this protocol, the configured filtering rules can be processed for this traffic. If filtering is not
supported, the traffic can be blocked by a suitable rule.
There are some restrictions to using the SOCKS protocol for the proxy functions on Web Gateway:
• The SOCKS protocol version must be 5, 4, or 4a.
• The BIND method is not supported for setting up connections under the SOCKS protocol.
Web traffic that is forwarded by a next-hop proxy under the SOCKS protocol can be protected using
level 1 or 2 of the Kerberos authentication method.
In this case, encryption that would also make this traffic SSL-secured cannot be applied, so SSL
scanning is not required. The default SSL Scanner rule set therefore includes a criteria part that lets
this traffic skip SSL scanning.
Configuring a SOCKS proxy
To configure Web Gateway as a SOCKS proxy, you need to complete several activities.
• Enable the SOCKS proxy.
• Specify one or more proxy ports that listen to the SOCKS proxy clients when they send requests to Web Gateway.
These ports are specified as part of the common proxy settings on Web Gateway.
• Create rules that control the behavior of the SOCKS proxy.
These settings are configured as part of the common proxy settings on Web Gateway.
Using properties and an event in rules for a SOCKS proxy
Two properties and an event are available to create rules for controlling the behavior of Web Gateway
when it runs as a SOCKS proxy.
There is no preconfigured SOCKS proxy rule set available in the default rule set system or the rule set
library. If you want to use such rules, you need to create them and insert them in an existing rule set or
create a rule set for them.
• ProtocolDetector.DetectedProtocol — This property can be used to detect the embedded protocol that is followed in web traffic under the SOCKS protocol, for example, HTTP or HTTPS.
Its value is the protocol name in string format. When the embedded protocol cannot be detected, the string is empty.
• ProtocolDetector.ProtocolFilterable — This property can be used to find out whether filtering is supported for web traffic following the embedded protocol that has been detected.
Its value is true if this traffic is filterable and false otherwise.
If this property is processed in a rule, the ProtocolDetector.DetectedProtocol property is also filled with a value. If that value is an empty string, which means the embedded protocol could not be detected, the value of the ProtocolDetector.ProtocolFilterable property is consequently set to false.
• ProtocolDetector.ApplyFiltering — This event can be used to enable processing of other rules that are configured on Web Gateway for filtering web traffic under the protocol that has been detected.
Accordingly, the following rule enables processing of other rules for filtering web traffic under the SOCKS protocol if an embedded protocol has been detected that is filterable.
Name
Enable filtering for SOCKS traffic following an embedded protocol that is filterable
Criteria –> Action — Event
ProtocolDetector.ProtocolFilterable is true –> StopCycle — ProtocolDetector.ApplyFiltering
The following rule blocks SOCKS traffic if no embedded protocol is detected.
Name
Block SOCKS traffic if no embedded protocol can be detected
Criteria –> Action
ProtocolDetector.DetectedProtocol equals " " –> Block
If no rule is configured that would enable the filtering of SOCKS traffic or block it if no embedded
protocol is detected, this traffic is allowed.
This means that if a request for web access is received from a SOCKS client on Web Gateway, it is
forwarded to the requested web server without any further processing.
Configure SOCKS proxy settings
You can configure settings for a SOCKS proxy as part of the common proxy settings on Web Gateway.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure as a SOCKS proxy, then click Proxies (HTTP(S), FTP, ICAP, and IM).
The settings for configuring proxy functions appear in the configuration pane.
3 Scroll down to the SOCKS Proxy settings.
4 Configure these settings as needed.
5 Click Save Changes.
See also
Proxies settings on page 106
Using UDP under SOCKS
You can configure UDP (User Datagram Protocol) when Web Gateway is running as a proxy under the
SOCKS protocol.
When traffic going on under the SOCKS protocol is processed by the proxy functions on Web Gateway,
traffic that follows UDP can also be detected and forwarded. This traffic is not filtered, but forwarded
as it is.
To allow the handling of UDP traffic in this way, you must complete the following configuration
activities.
• Set the range of ports that listen to UDP traffic.
• Set a timeout on connections for UDP traffic.
You need not explicitly enable the handling of UDP traffic in addition to configuring these settings, as it
is basically enabled by default.
When a client of Web Gateway sends a request for setting up a connection that follows UDP under
SOCKS, the command name sent with the request is stored as the value of a property.
The name of the property is Command.Name and its value is then SOCKSUDPASSOCIATE. You can use
this property in a rule for monitoring or other purposes.
You can also use this property in a rule to disable processing of UDP traffic on Web Gateway.
Use of UDP is also monitored and shown on the dashboard under SOCKS Traffic Summary.
Configure settings for UDP under SOCKS
Configure settings for UDP to enable filtering of traffic that is going on under this protocol when Web
Gateway is running as a proxy under the SOCKS protocol.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure UDP settings on and click Proxies (HTTP(S), FTP, SOCKS, ICAP ...).
3 In the configuration pane, scroll down to SOCKS Proxy. Under Port range for UDP, set the range of ports that listen to UDP traffic.
4 Scroll further down to Timeouts for HTTP(S), FTP, ICAP, SOCKS, and UDP. Under UDP timeout, set the timeout on connections for UDP.
5 Click Save Changes.
SOCKS Proxy rule set
The SOCKS Proxy rule set is a library rule set for filtering traffic that is going on under the SOCKS
protocol.
Library rule set – SOCKS Proxy
Criteria – Always
Cycles – Requests (and IM) and responses
The rule set contains the following rules.
Filter traffic under the SOCKS protocol with filterable embedded protocol
ProtocolDetector.ProtocolFilterable <Protocol Detector Settings> equals true –> Stop Cycle —
ProtocolDetector.ApplyFiltering
The rule uses the ProtocolDetector.ProtocolFilterable property to check whether the protocol that is
embedded in the SOCKS traffic is filterable on Web Gateway. Filterable protocols are HTTP and
HTTPS.
If either of these two protocols is detected, filtering is enabled by the rule event. If no embedded
protocol is detected, the rule does not apply and processing continues with the second rule.
Block traffic under the SOCKS protocol if no embedded protocol is detected
ProtocolDetector.DetectedProtocol <Protocol Detector Settings> equals " " –> Block <Default>
The rule blocks requests if no embedded protocol is detected.
Block traffic under the SOCKS protocol if detected protocol is not on whitelist
ProtocolDetector.DetectedProtocol <Protocol Detector Settings> is not in list Protocol Whitelist –>
Block <Default>
The rule blocks requests if an embedded protocol is detected, but is not on a particular whitelist.
The rule is not enabled by default.
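The rule logic described for this rule set and under Using UDP under SOCKS, as an added Python simulation that is not Web Gateway's own code: it parses a SOCKS5 request (version 5 only), sets Command.Name for UDP ASSOCIATE, detects the embedded protocol from the first tunnelled bytes, and runs the three library rules in the order given above. The SSH banner check (a detected but not filterable protocol), the contents of the Protocol Whitelist list, the refusal of BIND, and all sample traffic are constructed assumptions.

```python
# Constructed simulation of the SOCKS rule logic on this page; not Web Gateway's own code.
import re
import socket
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS5_CMD = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}  # RFC 1928 section 4
FILTERABLE = {"HTTP", "HTTPS"}          # filterable embedded protocols per the rule-set text
PROTOCOL_WHITELIST = {"HTTP", "HTTPS"}  # constructed stand-in for the Protocol Whitelist list
_HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


@dataclass
class SocksRequest:
    version: int
    command: str
    dest_host: str
    dest_port: int


@dataclass
class Verdict:
    action: str                  # "StopCycle", "Block" or "Allow"
    event: Optional[str]         # event fired by the matching rule, if any
    detected: str                # ProtocolDetector.DetectedProtocol
    filterable: bool             # ProtocolDetector.ProtocolFilterable
    command_name: Optional[str]  # Command.Name


def parse_socks5_request(data: bytes) -> SocksRequest:
    """Parse the request sent after SOCKS5 method negotiation (version 5 only here)."""
    if len(data) < 7:
        raise ValueError("request too short")
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != 5 or rsv != 0 or cmd not in SOCKS5_CMD:
        raise ValueError("unsupported version, reserved byte or command")
    pos = 4
    if atyp == 0x01:    # IPv4 address
        host, pos = socket.inet_ntop(socket.AF_INET, data[pos:pos + 4]), pos + 4
    elif atyp == 0x03:  # length-prefixed domain name
        n = data[pos]
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n
    elif atyp == 0x04:  # IPv6 address
        host, pos = socket.inet_ntop(socket.AF_INET6, data[pos:pos + 16]), pos + 16
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) < pos + 2:
        raise ValueError("truncated destination port")
    return SocksRequest(ver, SOCKS5_CMD[cmd], host, struct.unpack("!H", data[pos:pos + 2])[0])


def command_name(req: SocksRequest) -> Optional[str]:
    """Value of Command.Name; the page documents SOCKSUDPASSOCIATE only."""
    return "SOCKSUDPASSOCIATE" if req.command == "UDP ASSOCIATE" else None


def detect_embedded_protocol(first_bytes: bytes) -> str:
    """ProtocolDetector.DetectedProtocol: "HTTP", "HTTPS", "SSH", or "" when undetected."""
    if _HTTP_REQUEST_LINE.match(first_bytes):
        return "HTTP"
    if first_bytes.startswith(b"SSH-2.0-"):  # RFC 4253 banner: detectable but not filterable
        return "SSH"
    # TLS record: type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04 and first_bytes[5] == 0x01):
        return "HTTPS"
    return ""


def evaluate_socks_rules(req: SocksRequest, first_bytes: bytes,
                         whitelist_rule_enabled: bool = False) -> Verdict:
    """Run the three SOCKS Proxy library rules in the order given on the page."""
    cname = command_name(req)
    if req.command == "BIND":           # BIND is not supported; refused here (assumption)
        return Verdict("Block", None, "", False, cname)
    if req.command == "UDP ASSOCIATE":  # UDP traffic is forwarded as is, never filtered
        return Verdict("Allow", None, "", False, cname)
    detected = detect_embedded_protocol(first_bytes)
    filterable = detected in FILTERABLE  # an empty string is never filterable
    if filterable:  # rule 1: Stop Cycle and fire ApplyFiltering
        return Verdict("StopCycle", "ProtocolDetector.ApplyFiltering", detected, True, cname)
    if detected == "":  # rule 2: block when no embedded protocol is detected
        return Verdict("Block", None, detected, False, cname)
    if whitelist_rule_enabled and detected not in PROTOCOL_WHITELIST:  # rule 3, off by default
        return Verdict("Block", None, detected, False, cname)
    return Verdict("Allow", None, detected, False, cname)  # no rule matched: forwarded as is


# Constructed sample traffic: SOCKS5 requests and the first bytes of the tunnelled stream
CONNECT_DOMAIN = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"  # CONNECT example.com:443
UDP_ASSOC = b"\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00"      # UDP ASSOCIATE 0.0.0.0:0
BIND_REQ = b"\x05\x02\x00\x01\x0a\x00\x00\x05\x00\x16"       # BIND 10.0.0.5:22
CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    req = parse_socks5_request(CONNECT_DOMAIN)
    for payload in (CLIENT_HELLO, HTTP_GET, SSH_BANNER, b"\x00\x01\x02"):
        print(evaluate_socks_rules(req, payload))
    print(evaluate_socks_rules(req, SSH_BANNER, whitelist_rule_enabled=True))
    print(evaluate_socks_rules(parse_socks5_request(UDP_ASSOC), b""))
```

With the third rule left disabled, the SSH case shows the behaviour the page describes for unmatched traffic: it is forwarded without further processing.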
Instant messaging
Instant messaging proxies can be set up on an appliance to filter instant messaging (IM) chat and file
transfer.
When users of your network participate in instant messaging communication, they send, for example,
chat messages to an instant messaging server, receive responses to their messages, or send and
receive files. An instant messaging proxy on an appliance can intercept and filter this traffic according
to the implemented filtering rules. For this purpose, instant messaging traffic is redirected to the
appliance.
The following network components are involved in the filtering process:
• Instant messaging proxies — Proxies can be set up on an appliance to filter instant messaging under different protocols, for example, a Yahoo proxy, a Windows Live Messenger proxy, and others.
• Instant messaging clients — These clients run on the systems of the users within your network to enable communication with instant messaging servers.
• Instant messaging servers — These are the destinations that are addressed by clients from within your network.
• Other components of your network — Other components involved in instant messaging filtering can be, for example, a firewall or a local DNS server that redirects instant messaging traffic to an appliance.
When configuring instant messaging filtering, you need to complete configuration activities for the
instant messaging proxy or proxies to ensure they intercept and filter the instant messaging traffic.
You also need to ensure that the instant messaging traffic is redirected to the instant messaging
proxies. However, configuration activities for this are not performed on the clients, but on other
components of your network. For example, DNS redirects or firewall rules are configured in a suitable
manner.
An instant messaging proxy on an appliance is mainly intended to be used together with vendor IM
client software that is provided, for example, by Yahoo, Microsoft, ICQ, or Google. But this client
software can still change its behavior, for example, use a new logon server, without advance warning
after a hidden update.
When using third-party client software, you should generally be aware that logon servers, protocol
versions, or authentication methods could have been modified in comparison to those of the original
client software, which can prevent an instant messaging proxy on an appliance from intercepting and
filtering instant messaging traffic.
Configuring an instant messaging proxy
To configure an instant messaging proxy on an appliance, you need to configure the relevant parts of
the Proxies settings of the Configuration top-level menu.
These are mainly settings for:
• Enabling an instant messaging proxy
• IP address and ports for listening to requests sent by instant messaging clients
• Settings for instant messaging servers
• Timeouts for instant messaging communication
Default values are preconfigured for all these settings after the initial setup of an appliance.
Instant messaging going on under the following protocols can be filtered:
• Yahoo
• ICQ
• Windows Live Messenger
• XMPP, which is the protocol used for Google Talk, Facebook Chat, Jabber, and other instant messaging services
The rules that are processed on an appliance for filtering instant messaging traffic are those that have
Requests (and IM) configured as the processing cycle in the settings of their rule sets.
However, the Responses cycle can also be involved when instant messaging under the Yahoo protocol
is filtered. Under this protocol, a requested file is transferred to a client in a response of the same kind
as a response used for transferring files in normal web traffic. The file is stored on a server and
retrieved by the client under HTTP, for example, using a suitable URL.
When problems arise in the communication between instant messaging client and proxy under a
particular protocol, the client can also switch to using a different protocol and bypass the proxy this
way. The client can even use a protocol for normal web traffic. On the dashboard of an appliance, this
would result in a decrease of the IM traffic and an increase of the web traffic that is displayed.
Session initialization
During initialization of an instant messaging session between client and server, client requests can
only be received on an appliance, but no responses can be sent back. As long as this is the case, the
IM.Message.CanSendBack property will have false as its value when used in a rule.
We recommend that you do not implement any blocking rules with regard to session initialization,
unless you want to block instant messaging traffic completely. You should also allow required helper
connections, which are typically DNS requests or HTTP transfers.
Restrictions that you implement, for example, allowing only authenticated users, should rather apply
to traffic going on during the session itself, such as chat messages and file transfers.
Configuring other network components for instant messaging filtering
The purpose of configuring other network components for instant messaging filtering is to redirect the
instant messaging traffic that is going on between clients and servers to an appliance that has one or
more instant messaging proxies running.
For example, under the ICQ protocol, clients send their requests to a server with the host name
api.icq.net. For instant messaging filtering, you need to create a DNS redirecting rule that lets this
host name be resolved not to the IP address of the ICQ server, but to that of the appliance.
In a similar way, firewall rules can be created to direct instant messaging traffic to an appliance rather
than to an instant messaging server.
Filtering instant messaging traffic under Windows Live Messenger
When configuring the filtering of instant messaging traffic that is going on under the Windows Live
Messenger protocol, the following is useful to know.
The host name of the instant messaging server is messenger.hotmail.com. This is the host name that
must be resolved in a redirecting rule by the IP address of an appliance with an instant messaging
proxy.
Sometimes a client connects to the server without requesting the host name to be resolved in a DNS
lookup. In this case, it can help to find and remove the following registry entry within the client
settings:
geohostingserver_messenger.hotmail.com:1863, REG_SZ
For a successful logon to a server, the following URL must be accessible to a client without
authentication:
http://login.live.com
For this reason, you need to insert this URL in the whitelists that are used by the implemented web
filtering rules on an appliance.
Filtering Instant messaging traffic under ICQ
When configuring the filtering of instant messaging traffic that is going on under the ICQ protocol, the
following is useful to know.
The host names of the instant messaging servers are as follows:
• api.icq.net (Service request server: new since parting from AOL)
• ars.icq.com (File transfer proxy: new since parting from AOL)
• api.oscar.aol.com (Old service request server)
• ars.oscar.aol.com (Old file transfer proxy)
• login.icq.com (For new logon procedure)
• login.oscar.aol.com (For old logon procedure)
ICQ clients log on to a server in an encrypted process that cannot be intercepted by the instant
messaging proxy on an appliance.
But after this, an ICQ client asks the service request server for information about the session server,
using the magic token received after the logon. Here the instant messaging proxy intercepts. The
filtering process then uses another logon procedure after the client name has been announced in the
communication with the session server.
In contrast to the vendor Yahoo client, the vendor ICQ client ignores any Internet Explorer connection
settings.
Filtering instant messaging traffic under Yahoo
When configuring the filtering of instant messaging traffic that is going on under the Yahoo protocol,
the following is useful to know.
The list of instant messaging servers that requests are sent to can be very long. The following is a list
of the host names of servers that are or have been in use. New servers can have appeared by now
that would have to be added to the list.
• vcs.msg.yahoo.com
• scs.msg.yahoo.com
• vcs1.msg.yahoo.com
• scs-fooa.msg.yahoo.com
• vcs2.msg.yahoo.com
• scs-foob.msg.yahoo.com
• scs.yahoo.com
• scs-fooc.msg.yahoo.com
• cs.yahoo.com
• scs-food.msg.yahoo.com
• relay.msg.yahoo.com
• scs-fooe.msg.yahoo.com
• relay1.msg.dcn.yahoo.com
• scs-foof.msg.yahoo.com
• relay2.msg.dcn.yahoo.com
• scsd.msg.yahoo.com
• relay3.msg.dcn.yahoo.com
• scse.msg.yahoo.com
• mcs.msg.yahoo.com
• scsf.msg.yahoo.com
• scs.msg.yahoo.com
• scsg.msg.yahoo.com
• scsa.msg.yahoo.com
• scsh.msg.yahoo.com
• scsb.msg.yahoo.com
For a successful logon to a server, the following URLs must be accessible to a client without
authentication:
• http://vcs1.msg.yahoo.com/capacity
• http://vcs2.msg.yahoo.com/capacity
For this reason, you need to insert these URLs in the whitelists that are used by the implemented web
filtering rules on an appliance.
Even if the option Connect directly to the Internet has been enabled within the settings on a Yahoo client, it
might still use Internet Explorer connection settings. This can cause the logon to fail in a later stage of
the process. Therefore, we recommend that you also insert the URL *login.yahoo.com* in a whitelist.
Issues with instant messaging filtering
Issues with instant messaging filtering can involve, for example, the connection between client and
server or the application of the implemented filtering rules.
Keep-alive data packets are sent in regular intervals as part of the instant messaging traffic to indicate
the communication partners are still connected and responsive. Intervals vary between 20 and 80
seconds, depending on the IM protocol and client software. These data packets are not processed by
the filtering rules that are implemented on an appliance.
If you detect such data packets in a troubleshooting situation, you can use rule engine tracing to see
which rules are still executed.
When a client sends a request for logon to the server, it is redirected to the appliance if you have
configured the appropriate settings. However, a client can at the same time try to log on to another
server that requires SSL-secured authentication. If this fails, the client can also drop the connection to
the appliance.
Some clients also provide options for performing basic troubleshooting tests after a failure to log on to
the server.
XMPP proxy
When filtering instant messaging communication on an appliance, one of the methods you can use is
to set up a proxy under the XMPP (Extensible Messaging and Presence Protocol).
This protocol is also known under the name of Jabber. It is used, for example, to participate in
Facebook chats or Google talk going on between an XMPP client and server.
You can configure settings for the XMPP proxy on the user interface under Configuration | Proxies.
When the SSL Scanner rule set is not enabled on an appliance, traffic going on between an XMPP
client and this appliance is not encrypted, but filtered by all rules that are enabled on the appliance. If
the client does not accept unencrypted traffic, the connection is closed.
When the SSL Scanner rule set is enabled, traffic is encrypted and inspected using SSL scanning to
make it available for filtering by other rules on the appliance.
Configure common proxy settings
You can configure common proxy settings in addition to the specific settings for a network mode.
Common proxy settings include settings for the different types of proxies that can be configured on
Web Gateway.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure common proxy settings for and click Proxies (HTTP(S), FTP, ICAP, and IM).
3 Configure these settings as needed.
4 Click Save Changes.
Proxies settings
The Proxies settings are used for configuring specific parameters for the different network modes that
can be implemented on Web Gateway, as well as common parameters that apply for any of these
modes. A periodic triggering of the rule engine can also be configured.
Network Setup
Settings for implementing a network mode
When a network mode is selected, specific settings for this mode appear below these settings.
Table 4-14 Network Setup
Option — Definition
Proxy (optional WCCP) — When selected, the explicit proxy mode is used and WCCP services can redirect web traffic to an appliance.
Proxy HA — When selected, the explicit proxy mode with High Availability functions is used.
Transparent router — When selected, the transparent router mode is used.
Transparent bridge — When selected, the transparent bridge mode is used.
HTTP Proxy
Settings for running a proxy on an appliance under the HTTP protocol
This protocol is used for transferring web pages and other data (also providing SSL encryption for
enhanced security).
Table 4-15 HTTP Proxy
Option — Definition
Enable HTTP proxy — When selected, a proxy is run on an appliance under the HTTP protocol.
HTTP Port Definition list — Provides a list for entering the ports on an appliance that listen to client requests.
Anonymous login for FTP over HTTP — Specifies the user name for logging on as an anonymous user when requests are transmitted to an FTP server by an HTTP proxy on an appliance.
Password for anonymous login for FTP over HTTP — Sets a password for this user name.
Add Via HTTP header — When selected, a Via HTTP header is added to a request that is processed on an appliance.
This option is selected by default.
Adjust content-type header for requests to archives (depending on the content encoding) — When selected, a content-type header in a request for access to an archive file is adjusted if this header does not match the content encoding that was detected for the archive.
Host header has priority over original destination address (transparent proxy) — When selected, requests that are sent to the proxy on an appliance in transparent proxy mode are recognized as traffic in explicit proxy mode and processed accordingly.
Requests can, for example, be received on an appliance in transparent mode when they have been forwarded by a load balancer. If the proxy does not recognize the requests as traffic in explicit proxy mode, they will be forwarded to the web without filtering.
This option is only available if the explicit proxy mode is not already configured on an appliance.
If the option is available, it is selected by default.
FTP Proxy
Settings for running a proxy on an appliance under the FTP protocol
This protocol is used for transferring files, using separate connections for control functions and data
transfer.
When a file is uploaded to the web from an FTP client and processed on Web Gateway, you
can send progress indicators to the client by inserting the FTP Upload Progress Indication event
into a suitable rule.
This will prevent a timeout on the client when processing takes more time, for example, due
to scanning the file for infections by viruses and other malware.
Table 4-16 FTP Proxy
Option — Definition
Enable FTP proxy — When selected, a proxy is run on an appliance under the FTP protocol.
FTP port definition list — Provides a list for entering the ports on an appliance that listen to client requests.
Allow character @ in FTP server user name (Authentication using USER ftpserveruser@ftpserver) — When selected, this character is allowed in a user name.
Enable authentication using USER proxyuser@ftpserveruser@ftpserver — When selected, this syntax is allowed for a user name.
Enable authentication using USER ftpserveruser@proxyuser@ftpserver — When selected, this syntax is allowed for a user name.
Enable customized welcome message — When selected, you can edit the welcome message that is shown to a user who sends a request for web access under the FTP protocol.
Type the welcome message into the Customized welcome message text field, using the appropriate values for the variables that are contained in the message.
Welcome to $MWG-ProductName$ $MWG-Version$ - build $MWG.BuildNumber$
Running on $System.HostName$ - $System.UUID$
$Proxy.IP$:$Proxy.Port$
Select the command to be used for next-hop proxy login — Allows you to select the command that Web Gateway sends for logon when connecting to a next-hop proxy under the FTP protocol.
The following commands can be selected:
• SITE
• OPEN
• USER@Host
The following table describes an entry in the FTP port definition list.
Table 4-17 FTP port definition list – List entry
Option — Definition
Listener address — Specifies the IP address and port number for a port that listens to FTP requests.
Data port — Specifies the port number of a port that is used for handling data transfer under the FTP protocol.
Port range for client listener — Configures a range of numbers for ports that listen to FTP requests received from clients.
The range is configured by specifying port numbers for its beginning and end.
Port range for server listener — Configures a range of numbers for ports that listen to FTP responses received from web servers that requests were forwarded to.
Allow clients to use passive FTP connections — When selected, requests can be sent from clients using passive connections under the FTP protocol.
McAfee Web Gateway uses same connections (active/passive) as clients does — When selected, Web Gateway uses the same connection type (active or passive) for forwarding web traffic as the client that sent a request to Web Gateway.
McAfee Web Gateway uses passive FTP connections — When selected, Web Gateway can forward web traffic using passive connections under the FTP protocol.
Comment — Provides a plain-text comment on a port that listens to FTP requests.
ICAP Server
Settings for running an ICAP server on an appliance that modifies requests and responses in
communication with ICAP clients
Table 4-18 ICAP Server
Option — Definition
Enable ICAP server — When selected, an ICAP server is run on an appliance.
ICAP Port Definition list — Provides a list for entering the ports on an appliance that listen to requests from ICAP clients.
When multiple ICAP servers are configured on different appliances within your network, requests coming in from ICAP clients are distributed among these servers in round-robin mode.
IFP Proxy
Settings for running a proxy on an appliance under the IFP protocol
This protocol is used for transferring web pages.
Table 4-19 IFP Proxy
Option — Definition
Enable IFP proxy — When selected, a proxy is run on an appliance under the IFP protocol.
IFP port definition list — Provides a list for entering the ports on an appliance that listen to client requests for the IFP proxy.
Maximum number of concurrent IFP requests allowed — Limits the number of IFP requests that are processed at the same time to the specified value.
You can use this setting to prevent an overloading of the IFP proxy.
The following table describes an entry in the IFP port definition list.
Table 4-20 IFP port definition list – List entry
Option — Definition
Listener address — Specifies the IP address and port number for a port that listens for IFP requests.
Send error message as redirect — When set to true, a user who sent a request is informed, for example, about a blocking of the request, by redirecting the request to an error message page.
Otherwise the relevant information is sent as a normal message under the IFP protocol.
Comment — Provides a plain-text comment on a port that listens to IFP requests.
SOCKS Proxy
Settings for running a proxy on an appliance under the SOCKS (sockets) protocol
Table 4-21 SOCKS Proxy
Option — Definition
Enable SOCKS proxy — When selected, a proxy is run on an appliance under the SOCKS protocol.
SOCKS port definition list — Provides a list for entering the ports on an appliance that listen to client requests for the SOCKS proxy.
The following table describes an entry in the SOCKS port definition list.
Table 4-22 SOCKS port definition list – List entry
Option — Definition
Listener address — Specifies the IP address and port number of a port that listens for SOCKS requests.
Port range for UDP — Sets the range of ports used for listening to requests sent under the UDP protocol when a SOCKS proxy is configured.
Comment — Provides a plain-text comment on a port that listens to SOCKS requests.
Data Exchange Layer
Settings for using the DXL (Data Exchange Layer) technology to exchange information between
different security products
Table 4-23 Data Exchange Layer
Option — Definition
Subscription Topics — Provides a list of topics that a security product can subscribe to in order to receive messages about these topics.
Services — Provides a list of services that send messages about topics to security products.
The following tables describe entries in the Subscription Topics and Services lists.
Table 4-24 Subscription Topics – List entry
Option — Definition
String — Specifies the name of a topic.
Comment — Provides a plain-text comment on a topic.
Table 4-25 Services – List entry
Option — Definition
Service — Specifies the name of a service that sends messages about topics.
Comment — Provides a plain-text comment on a service.
Web Cache
Setting for enabling the web cache on an appliance
In addition to enabling the web cache, you need to implement a rule set to control reading from and
writing to the cache.
Table 4-26 Web Cache
Option — Definition
Enable cache — When selected, the web cache is enabled on an appliance.
Timeouts for HTTP(S), FTP, ICAP, SOCKS, and UDP
Settings for timeouts on connections for communication under the HTTP, HTTPS, FTP, ICAP, SOCKS,
and UDP protocols
Table 4-27 Timeouts for HTTP(S), FTP, ICAP, SOCKS, and UDP
Option — Definition
Initial connection timeout — Sets the time (in seconds) that is allowed to elapse before a newly opened connection is closed if no request is received.
Connection timeout — Sets the time (in seconds) that is allowed to elapse before a connection is closed if a client or web server remains inactive during an uncompleted connection request communication.
Client connection timeout — Sets the time (in seconds) that is allowed to elapse between one request and the next before a connection from an appliance to a client is closed.
Maximum idle time for unused HTTP server connections — Sets the time (in seconds) that is allowed to elapse between one request and the next before a connection from an appliance to a server under the HTTP protocol is closed.
UDP timeout (inactivity timeout) — Sets the time (in seconds) that is allowed to elapse between one request and the next before a connection from an appliance to a client under the UDP protocol is closed.
DNS Settings
Settings for communication with a domain name system server
Table 4-28 DNS Settings
Option — Definition
IP protocol version preference — Lets you select the version of the IP protocol that is used for communication.
• Same as incoming connection — When selected, the protocol version is used that is already in use on the incoming connection.
• IP4 — When selected, version 4 of the IP protocol is used.
• IP6 — When selected, version 6 of the IP protocol is used.
• Use other protocol version as fallback — When selected, the other protocol version is used if one of the two versions is not available.
Minimal TTL for DNS cache — Sets a minimum time (in seconds) that must have elapsed before data stored in the cache is deleted.
Maximal TTL for DNS cache — Limits the time (in seconds) that elapses before data stored in the cache is deleted to the specified value.
Yahoo
Settings for running an instant messaging proxy under the Yahoo protocol on an appliance
Table 4-29 Yahoo
Enable Yahoo proxy
  When selected, a proxy for instant messaging under the Yahoo protocol is run on an appliance.
Listener address
  Specifies the IP address of a proxy and the number of the port that listens to client requests.
Support file transfer over 0.0.0.0:80
  When selected, requests for file transfers can use this IP address and port.
Login server
  Specifies the host name and port number of the server that users log on to before sending requests.
Relay server (Japan)
  Specifies the host name and port number of the server used as a relay station for transferring files.
Yahoo client connection timeout
  Limits the time (in seconds) that elapses before an inactive connection from an instant messaging proxy to a client is closed to the specified value.
Yahoo server connection timeout
  Limits the time (in seconds) that elapses before an inactive connection from an instant messaging proxy to a server is closed to the specified value.
ICQ
Settings for running an instant messaging proxy under the OSCAR (Open System for Communication in Real Time) protocol on an appliance
Table 4-30 ICQ
Enable ICQ proxy
  When selected, a proxy for instant messaging under OSCAR is run on an appliance.
Login and file transfer proxy port
  Specifies the IP address of an appliance that an instant messaging proxy is run on and the number of the port for handling logon and file transfer.
  • Enable additional file transfer proxy port — When selected, an additional port can be used for handling file transfers.
  • Additional file transfer proxy port — Specifies the additional IP address and port number for handling file transfers.
BOS listener port
  Specifies the IP address of an appliance that an instant messaging proxy is run on and the number of the port that listens to BOS (Basic OSCAR Service) requests.
  These requests are requests for sending chat messages, as opposed to, for example, requests for file transfers.
ICQ login server
  Specifies the host name and port number of the server that users log on to before sending requests.
ICQ service request server
  Specifies the host name and port number of the server that handles requests.
ICQ file transfer proxy
  Specifies the host name and port number of the server that handles file transfers.
ICQ client connection timeout
  Limits the time (in seconds) that elapses before an inactive connection from the instant messaging proxy to a client is closed to the specified value.
ICQ server connection timeout
  Limits the time (in seconds) that elapses before an inactive connection from the instant messaging proxy to a server is closed to the specified value.
Windows Live Messenger
Settings for running an instant messaging proxy under the Windows Live Messenger protocol on an appliance
Table 4-31 Windows Live Messenger
Enable Windows Live Messenger proxy
  When selected, a proxy for instant messaging under Windows Live Messenger is run on an appliance.
Windows Live Messenger NS proxy listener 1
  Specifies the IP address of an appliance that an instant messaging proxy is run on and the number of the first port that listens to client requests in NS (Notification Server) mode.
Windows Live Messenger NS proxy listener 2
  Specifies the IP address of an appliance that an instant messaging proxy is run on and the number of the second port that listens to client requests in NS (Notification Server) mode.
Windows Live Messenger SB proxy port
  Specifies the IP address of an appliance that an instant messaging proxy is run on and the number of the port that listens to client requests sent in SB (Switchboard) mode.
Windows Live Messenger client connection timeout
  Limits the time (in seconds) that elapses before an inactive connection from the instant messaging proxy to a client is closed to the specified value.
Windows Live Messenger server connection timeout
  Limits the time (in seconds) that elapses before an inactive connection from the instant messaging proxy to a server is closed to the specified value.
XMPP
Settings for running an instant messaging proxy under the XMPP protocol on an appliance
This is the protocol used for several instant messaging services including Jabber, Google Talk, Facebook Chat, and others.
Table 4-32 XMPP
Enable XMPP proxy
  When selected, a proxy for instant messaging under the XMPP protocol is run on an appliance.
Proxy port
  Specifies the IP address of an appliance that an instant messaging proxy is run on and the number of the port that listens to requests sent under the XMPP protocol.
Client connection timeout
  Limits the time (in seconds) that elapses before an inactive connection from the instant messaging proxy to a client is closed to the specified value.
Server connection timeout
  Limits the time (in seconds) that elapses before an inactive connection from the instant messaging proxy to a server is closed to the specified value.
Advanced Settings
Settings for advanced proxy functions
Table 4-33 Advanced Settings
Maximum number of client connections
  Limits the number of connections between a proxy on an appliance and its clients.
  Specifying 0 means that no limit is configured.
Compress content to client
  Provides options for compressing the content in the body of a response from a web server that is forwarded to a client by Web Gateway.
  • Never — The content is never compressed when the response of the server is forwarded to the client.
  • If server's response is compressed — The content is compressed if it was already compressed in the response of the server.
  • If client supports compression — The content is only compressed if the client that it is forwarded to supports compression.
Handle compressed requests from client
  Provides options for handling requests that were received in compressed format from a client of Web Gateway.
  • Ignore — The compressed content is not extracted and filtered, and the request is forwarded to the web server in compressed format.
  • Extract — The compressed content is extracted, so it can be filtered, but not compressed again before it is eventually forwarded to the web server.
  • Extract and compress again — The compressed content is extracted, so it can be filtered, and compressed again before it is eventually forwarded to the web server.
Number of working threads
  Specifies the number of threads used for filtering and transmitting web objects when a proxy is run on an appliance.
Number of threads for AV scanning
  Specifies the number of threads used to scan web objects for infections by viruses and other malware when a proxy is run on an appliance.
Use TCP no delay
  When selected, delays on a proxy connection are avoided by not using the Nagle algorithm to assemble data packets.
  This algorithm enforces that packets are not sent before a certain amount of data has been collected.
Maximum TTL for DNS cache in seconds
  Limits the time (in seconds) that host name information is stored in the DNS cache.
Timeout for errors for long running connections
  Sets the time (in hours) that a long-running connection to another network component is allowed to remain inactive before Web Gateway closes the connection.
  The default time is 24 hours.
  This setting prevents the performance of a Web Gateway appliance from being impacted by connections that run extremely long.
  Time is measured as follows for the different connection protocols to determine whether the timeout has been reached.
  • HTTP, HTTPS (with content inspection), ICAP, and similar protocols: Time is measured for every request that is sent on a connection.
  • SOCKS (when the embedded protocol is not followed), tunneled HTTP, HTTPS (without content inspection), and similar protocols: Time is measured for a connection as a whole.
  • FTP: Time is measured for the control connection.
  When the connection is closed, an error is generated, which can be handled by the rules in an Error Handler rule set.
Check interval for long running connections
  Sets the time (in minutes) that elapses between check messages sent over a long-running connection.
Maximum amount of data per connection or request
  Sets the amount of data (in MB) that can be sent on a long-running connection to another network component before Web Gateway closes the connection.
  The default amount is 10,240 MB.
  This setting prevents the performance of a Web Gateway appliance from being impacted by long-running connections that carry a very high data load.
  Data load is measured as follows for the different connection protocols to determine whether the maximum amount has been reached.
  • HTTP, HTTPS (with content inspection), ICAP, and similar protocols: Data load is measured for every request that is sent on a connection.
  • SOCKS (when the underlying protocol is not followed), tunneled HTTP, HTTPS (without content inspection), and similar protocols: Data load is measured for a connection as a whole.
  • FTP: Data load is measured for the data connection.
  When the connection is closed, an error is generated, which can be handled by the rules in an Error Handler rule set.
  The following properties are then set to the measured values so that they are available to the error handling rules: Bytes.ToClient, Bytes.ToServer, Bytes.FromClient, Bytes.FromServer.
Volume interval for connections
  Sets the volume interval for long-running connections.
Internal path ID
  Identifies the path an appliance follows to forward internal requests (not requests received from clients), for example, requests for style sheets used to display error messages.
Bypass RESPmod for responses that must not contain a body
  When selected, responses sent in communication under the ICAP protocol are not modified according to the RESPMOD mode if they do not include a body.
Call log handler for progress page updates and objects embedded in error templates
  When selected, the rules in the log handler rule set that is implemented on the appliance are processed to deal with the specified updates and objects.
Allow connections to use local ports using proxy
  When selected, local ports can be used for requests on an appliance that a proxy is run on.
Use virtual IP as the Proxy.IP property value
  When selected, the value for the Proxy.IP property in High Availability mode is a virtual IP address for all nodes in a configuration.
  It is the virtual IP address that is used by clients to connect to the proxy.
  When the director node redirects a request sent from a client to a scanning node, this address is also the value of the Proxy.IP property on the scanning node (not the physical address of the scanning node).
HTTP(S): Remove all hop-by-hop headers
  When selected, hop-by-hop headers are removed from requests received on an appliance that an HTTP or HTTPS proxy is run on.
HTTP(S): Inspect via headers to detect proxy loops
  When selected, Via headers in requests received on the appliance that an HTTP or HTTPS proxy is run on are inspected to detect loops.
HTTP(S): Host from absolute URL has priority over host header
  When selected, the host names corresponding to absolute URLs in requests received on an appliance that an HTTP or HTTPS proxy is run on are preferred to the host names contained in the request headers.
Encode own IP address in progress page ID to enable non-sticky load balancers
  When selected, the appliance's own IP address is encoded in the progress page ID.
HTTP(S): Maximum size of a header
  Sets a limit to the size (in MB) for the header of a request or response sent in HTTP(S) traffic.
  The default size is 10 MB.
Listen backlog
  Specifies a value for the listen backlog.
  The default value is 128.
Limit for working threads doing IO in web cache
  Sets a limit to the number of working threads for the web cache.
  The default number is 25.
Progress page limit
  Sets a limit to the size (in KB) of the progress page.
  The default size is 40,000 KB.
Enable TCP window scaling
  When selected, the window for receiving data packages at the TCP communication level is increased by the scaling factor that you specify under TCP window scale.
  This option is enabled by default.
  If you disable the option, there is no window scaling.
  Disable the option only if you really want to configure the receive window in this way.
TCP window scale (format: 0-14)
  Sets the size of the window for receiving data packages on the TCP communication level.
  The initial size of the receive window can be scaled using a scaling factor that is calculated by taking base 2 to the power of the value that you specify here.
  For example, if you specify 1, the scaling factor is 2^1 = 2, which means the window size is doubled.
  The range of values that you can specify is 0–14.
  If you specify 0, it yields 1 as the scaling factor. It means that you want to leave the initial size of your receive window as it is.
  It still allows, however, the use of window scaling for the receive window of the communication partner.
  The default value is 2.
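The two long-running connection limits in Table 4-33 above (the inactivity timeout in hours, the maximum amount of data in MB, the per-request versus per-connection measurement, and the Bytes.* properties handed to the Error Handler rules) modelled as an added Python example. This is not Web Gateway code: the class and constant names are ours, and three details the page does not state are assumptions here, namely that the data limit counts both directions together, that a new request on a per-request protocol restarts the counters, and the wording of the error reasons.

```python
# Added example, not Web Gateway code: a model of the two long-running connection
# limits in Table 4-33 (timeout in hours, maximum amount of data in MB) and of how
# the measurement scope differs between protocols. Assumptions not stated on the
# page: the data limit counts bytes in both directions together, a new request on a
# per-request protocol restarts both measurements, and the error reasons are ours.
from dataclasses import dataclass
from typing import Optional, Tuple

MB = 1024 * 1024
DEFAULT_TIMEOUT_HOURS = 24        # "The default time is 24 hours."
DEFAULT_MAX_DATA_MB = 10_240      # "The default amount is 10,240 MB."

# HTTP, HTTPS with content inspection, ICAP and similar: measured per request.
PER_REQUEST = "per-request"
# SOCKS (embedded protocol not followed), tunneled HTTP, HTTPS without
# content inspection and similar: measured for the connection as a whole.
PER_CONNECTION = "per-connection"


@dataclass
class LongRunningConnection:
    scope: str
    timeout_hours: float = DEFAULT_TIMEOUT_HOURS
    max_data_mb: int = DEFAULT_MAX_DATA_MB
    last_activity: float = 0.0
    bytes_to_client: int = 0
    bytes_to_server: int = 0
    bytes_from_client: int = 0
    bytes_from_server: int = 0

    def new_request(self, now: float) -> None:
        """Start of a request on the connection; per-request scopes start measuring afresh."""
        if self.scope == PER_REQUEST:
            self.bytes_to_client = self.bytes_to_server = 0
            self.bytes_from_client = self.bytes_from_server = 0
        self.last_activity = now

    def transfer(self, now: float, from_client: int = 0, from_server: int = 0) -> None:
        """Account for data: what the client sends goes to the server and vice versa."""
        self.bytes_from_client += from_client
        self.bytes_to_server += from_client
        self.bytes_from_server += from_server
        self.bytes_to_client += from_server
        self.last_activity = now

    def properties(self) -> dict:
        """Values made available to the Error Handler rules when the connection is closed."""
        return {
            "Bytes.ToClient": self.bytes_to_client,
            "Bytes.ToServer": self.bytes_to_server,
            "Bytes.FromClient": self.bytes_from_client,
            "Bytes.FromServer": self.bytes_from_server,
        }

    def check(self, now: float) -> Optional[Tuple[str, dict]]:
        """None while the connection may stay open, otherwise (reason, properties)."""
        if now - self.last_activity > self.timeout_hours * 3600:
            return "inactivity timeout", self.properties()
        total = self.bytes_from_client + self.bytes_from_server  # assumption: both directions count
        if total > self.max_data_mb * MB:
            return "data limit exceeded", self.properties()
        return None


def demo() -> dict:
    """The same constructed traffic over an inspected HTTP connection and over a tunnel."""
    inspected = LongRunningConnection(PER_REQUEST)
    tunnel = LongRunningConnection(PER_CONNECTION)
    for conn in (inspected, tunnel):
        conn.new_request(now=0)
        conn.transfer(now=60, from_server=6_000 * MB)       # first request: 6,000 MB
        conn.new_request(now=120)
        conn.transfer(now=180, from_server=6_000 * MB)      # second request: another 6,000 MB
    return {
        "inspected": inspected.check(now=200),              # None: counters restarted per request
        "tunnel": tunnel.check(now=200),                    # 12,000 MB on one connection: over the limit
        "timed_out": inspected.check(now=200 + 25 * 3600),  # inactive for 25 hours
    }
```

The point the model makes visible is that identical traffic is within limits on an inspected connection and over the limit on a tunnel, because only the tunnel accumulates across requests; the properties returned with the error are what an Error Handler rule can log.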
Periodic Rule Engine Trigger List
Settings for connecting to web servers, calling the rule engine, and downloading data
Table 4-34 Periodic Rule Engine Trigger List
Enable Periodic Rule Engine Trigger List
  When selected, connections to the web servers specified in the list called URL definition list are set up at regular intervals.
  The interval for each web server connection is also specified on the list.
  When the interval has elapsed, the rule processing module (rule engine) on an appliance is called, a connection to the web server is set up, and data is downloaded from the web server and passed on to the rule engine for processing.
  Data is only downloaded under the HTTP and HTTPS protocols.
  Web servers that connections are set up to in this way include next-hop proxy servers and other servers used for providing particular services in the web.
URL definition list
  Provides a list of web servers that a connection can be set up to.
The following table describes a list entry in the URL definition list.
Table 4-35 URL definition list – List entry
Host
  Specifies the IP address and port number or the URL of a web server that a connection can be set up to.
Trigger interval
  Specifies the interval (in seconds) that elapses before the next attempt to set up a connection to a web server.
Comment
  Provides a plain-text comment on a web server connection.
Controlling outbound source IP addresses
Using different source IP addresses for outbound connections from Web Gateway to web servers or
next-hop proxies can lead to connection problems. To avoid these problems, you can replace these
addresses with a single address.
Different source IP addresses might be used, for example, when load balancing is configured for
multiple Web Gateway appliances. Load balancing can lead to connection problems on the side of the
involved web servers or next-hop proxies. Problems can, for example, arise when source IP addresses
change during a session period.
To avoid these problems, you can configure a rule that replaces changing source IP addresses with a
single address.
This single address does not have to be fixed. You can set up a list of IP addresses and let the rule
select an address in a particular position on the list. The address that replaces other addresses then
varies according to what you have entered in that position.
Network setups for controlling outbound source IP addresses
Controlling outbound source IP addresses is supported for network setups with:
• IPv4 or IPv6
• HTTP, HTTPS, FTP, or SOCKS proxy
  Instant messaging is not supported.
• Proxy (with optional WCCP) mode
  The transparent router mode is supported if the source IP addresses that are used for replacing other addresses are configured as aliases.
  The Proxy HA and transparent bridge modes are not supported.
Periodic rule engine triggering is also possible when control of outbound source IP addresses is implemented.
Sample rule for controlling outbound source IP addresses
A rule that replaces outbound source IP addresses by a single address, for example, when connections to next-hop proxies are set up, could look as follows:
Name: Use proxy depending on the destination
Criteria: URL.Destination.IP is in range list Next Hop Proxy IP Range List OR URL.Destination.IP is in list Next Hop Proxy IP List
Action: –> Continue
Events: Enable Next Hop Proxy<Internal Proxy>; Enable Outbound Source IP Override(Proxy.OutboundIP(2))
The criteria of the rule specify when a next-hop proxy is used. The first of the two events sets up a connection to a next-hop proxy.
The second event, Enable Outbound Source IP Override, is for controlling outbound source IP addresses. It replaces ("overrides") any source IP address that is submitted with a request by an IP address that is taken from a list.
An event parameter, which is itself a property, specifies the IP address. The name of the property is
Proxy.OutboundIP. Its value is the IP address in the list position determined by the property
parameter.
List of IP addresses for controlling outbound source IP addresses
The list of IP addresses that you can use to replace outbound source IP addresses is part of the
Proxies settings. You can find it there under Advanced Outgoing Connection Settings. Its name is
Outbound Source IP list.
The following applies regarding the position of an IP address in the list:
• The list index starts from 0. If you specify, for example, 2 as the parameter of the Proxy.OutboundIP property to determine a position, the third IP address on the list is selected.
• If you specify a parameter value that is higher than the number of list entries, the position is determined by calculating <parameter-value> modulo <number-of-list-entries>.
  For example, if you specify 5 for a list that has only three list entries, the result of the modulo calculation is 2. The third IP address on the list is then selected.
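The two position rules just stated, 0-based indexing and reduction modulo the list length, as an added Python example. This is not Web Gateway code: select_outbound_ip, validate_outbound_list and the three sample addresses are ours, and the page does not say how an empty list or a negative position is handled, so rejecting both is an assumption. Validating the entries as IPv4 or IPv6 literals reflects the two supported IP versions named above.

```python
# Added example, not Web Gateway code: the position rule for Proxy.OutboundIP(<n>)
# described above, with the address list validated first. The index is 0-based and
# is reduced modulo the list length when it exceeds the number of entries. What
# happens with an empty list or a negative index is not stated on the page; raising
# an error for both is our assumption. The addresses are constructed samples.
import ipaddress
from typing import List


def validate_outbound_list(entries: List[str]) -> List[str]:
    """Accept only IPv4 or IPv6 literals, the two address families the override supports."""
    if not entries:
        raise ValueError("Outbound Source IP list is empty")  # assumption: nothing to select
    for entry in entries:
        ipaddress.ip_address(entry)  # raises ValueError for anything that is not an address
    return list(entries)


def select_outbound_ip(outbound_source_ip_list: List[str], position: int) -> str:
    """Return the address that Proxy.OutboundIP(position) selects from the list."""
    entries = validate_outbound_list(outbound_source_ip_list)
    if position < 0:
        raise ValueError("list positions are counted from 0")  # assumption
    # Positions beyond the end wrap around: <position> modulo <number of entries>.
    return entries[position % len(entries)]


# Constructed sample list with three entries, as in the worked example above.
SAMPLE_LIST = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
```

With SAMPLE_LIST, position 2 and position 5 both yield the third address, matching the two cases the text walks through; position 3 yields the first address again, which is worth remembering when a rule is written against a list that is later shortened.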
Network routing and IP address spoofing
The IP addresses that are inserted into data packets by the Enable Outbound Source IP Override event
are non-local source IP addresses. You must therefore configure network routing in a suitable way.
Data packets that are sent back from a web server to a client must be routed to the proxy on Web
Gateway. You can, for example, use static routes to route the data packets.
When the Enable Outbound Source IP Override event is triggered and you have IP address spoofing
enabled, the event also overrides this setting.
Logging the use of outbound IP source addresses
Several properties are available for logging data about outbound connections, including the source IP
address and port that Web Gateway uses when connecting to web servers or next-hop proxies.
These properties are set to particular values, regardless of whether you have configured a single
source IP address, using the Enable Outbound Source IP Override event. But you can also use them in
this case.
• Proxy.Outbound.IP — Stores the source IP address that Web Gateway uses when connecting to web servers and next-hop proxies.
  Do not confuse this property with Proxy.OutboundIP, which has no dot before IP and is used together with the Enable Outbound Source IP Override event to select a single source IP address from a list.
• Proxy.Outbound.Port — Stores the source port that is used by Web Gateway when connecting to web servers or next-hop proxies.
• Proxy.Outbound.IPList — Stores the list of source IP addresses that Web Gateway can select an address from when connecting to web servers and next-hop proxies.
  The list is configured as part of the Proxies settings under Advanced Outgoing Connection Settings. Its name is Outbound Source IP list. When a single source IP address for outbound connections is configured, it is taken from this list.
Configure control of outbound source IP addresses
Replace different outbound source IP addresses with a single address to avoid connection problems.
Task
1. Select Configuration | Appliances.
2. Select an appliance for configuring the replacement of IP addresses, then select Proxies (HTTP(S), FTP, SOCKS, ICAP ...) and scroll down to Advanced Outgoing Connection Settings.
3. Under Outbound source IP list, add one or more IP addresses to the list of source IP addresses for outbound requests.
4. Add the following event to an existing rule for connections to web servers or next-hop proxies: Enable Outbound Source IP Override with the Proxy.OutboundIP property as a parameter.
The rule now uses the list that you have configured to select an IP address for replacing different outbound source IP addresses.
Using WCCP to redirect FTP traffic
Requests that clients of Web Gateway send to servers under the FTP protocol can be redirected to Web
Gateway using the WCCP (Web Cache Control Protocol) redirection method.
To send a request to a server under the FTP protocol, a client of Web Gateway opens the initial FTP
connection. The client uses the IP address of the server for this connection. To let Web Gateway act as
a proxy, the request is redirected to the IP address of the appliance that Web Gateway runs on.
Under the default settings, the client considers this redirection a security risk and therefore does not continue with opening the FTP data connection. When redirection is performed using the WCCP protocol, you can solve this problem by modifying the settings as follows:
• Using the active FTP mode for the connection from the client to the proxy
  Clients are by default allowed to use the passive FTP mode. You can enforce the active FTP mode by disabling an option of the proxy settings on the user interface of Web Gateway.
• Configuring a port for redirection to the proxy
  This port must be entered in the list of ports that are redirected under WCCP.
• Letting the proxy use the IP address of the FTP server instead of its own IP address
  Setting a particular parameter ensures that the proxy uses this address.
After modifying the settings in this way, a client uses the active FTP mode. It sends the proxy an IP
address and a port number to connect to. The proxy returns a synchronization message. In this
message, the IP address of the FTP server is used as the source IP address of the proxy. The port
number is 21 or 2020.
The client responds with the IP address of the FTP server as its destination IP address and the same
port number. Requests from the client to the FTP server are then redirected to the proxy, using WCCP
as the redirection method.
The WCCP redirection method cannot be used for FTP traffic in transparent bridge or router mode.
Configure the use of WCCP for redirecting FTP traffic
To enable the use of the WCCP redirection method for requests that clients send to servers under the
FTP protocol, configure the proxy settings as follows.
Task
1. Enforce use of the active FTP mode by clients.
   a. Select Configuration | Appliances.
   b. On the appliances tree, select the appliance that you want to enable use of the WCCP redirection method for, then click Proxies (HTTP(S), FTP, SOCKS, ICAP ...).
   c. Scroll down to FTP Proxy and make sure that Enable FTP proxy is selected.
   d. Select an entry in the FTP port definition list, click Edit, and under FTP Proxy Port, deselect Allow clients to use passive connections.
      Repeat this substep for all entries in the list.
2. Add ports 21 and 2020 to the ports that are used for redirection under WCCP.
   a. Within the Proxies settings, scroll to Transparent Proxy, and under Supported redirection methods, make sure that WCCP is selected.
   b. Select an entry in the WCCP services list, click Edit, and under Ports to be redirected type 21,2020.
      Repeat this substep for all entries in the list.
3. Click Save Changes.
4. Within the relevant settings, set the ftp.match.client.data parameter to yes.
   This setting ensures that Web Gateway uses the IP address that it received from the client as its source IP address when responding to the client.
   This address is the IP address of the FTP server in question, not the IP address of the Web Gateway appliance. The client therefore does not suspect a security risk.
Requests sent from a client to a server under the FTP protocol are now redirected to Web Gateway,
using the WCCP redirection method, and processed without problems.
Using the Raptor syntax for FTP logon
When Web Gateway is configured to run as an FTP proxy, the Raptor syntax can be used for logging on
to an FTP server with Web Gateway as a proxy.
To perform this logon, the user who wants to access the FTP server can run the USER, PASS, and ACCT commands from a suitable FTP client. Using these commands, the FTP server is specified together with user names and passwords for both the FTP server and the Web Gateway proxy.
The command syntax is as follows:
USER <ftpuser>@<ftpserver> <proxyuser>
PASS <ftpuserpass>
ACCT <proxyuserpass>
The following table describes the meanings of the command parameters.
Table 4-36 Command parameters for FTP logon
ftpserver
  FTP server that access is requested to
ftpuser
  User name on the FTP server
ftpuserpass
  Password for the FTP server
proxyuser
  User name on the Web Gateway proxy
proxyuserpass
  Password for the Web Gateway proxy
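An added Python example, not Web Gateway code and not taken from any FTP client, that assembles the three Raptor logon commands from the parameters in Table 4-36 and shows the inverse step a proxy has to perform on the USER argument. The function names build_raptor_logon and parse_raptor_user are ours; splitting on the last "@", so that an FTP user name that itself contains "@" still parses, is an assumption the page does not make, as it shows the plain form only.

```python
# Added example, not Web Gateway code: building the Raptor logon sequence from the
# parameters in Table 4-36, and the reverse step a proxy performs on the USER
# argument. Splitting on the last "@" (so an FTP user name containing "@" still
# parses) is our assumption; the page only shows the plain <ftpuser>@<ftpserver> form.
from typing import List, Tuple


def build_raptor_logon(ftpuser: str, ftpserver: str, proxyuser: str,
                       ftpuserpass: str, proxyuserpass: str) -> List[str]:
    """Return the USER, PASS and ACCT command lines in the order the client sends them."""
    for name, value in (("ftpuser", ftpuser), ("ftpserver", ftpserver), ("proxyuser", proxyuser)):
        # The USER line is space-separated, so these three parts must not contain whitespace.
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"{name} must be non-empty and contain no whitespace")
    return [
        f"USER {ftpuser}@{ftpserver} {proxyuser}",  # target server, its user, and the proxy user
        f"PASS {ftpuserpass}",                      # password for the FTP server
        f"ACCT {proxyuserpass}",                    # password for the Web Gateway proxy
    ]


def parse_raptor_user(argument: str) -> Tuple[str, str, str]:
    """Split the argument of the USER command into (ftpuser, ftpserver, proxyuser)."""
    parts = argument.split()
    if len(parts) != 2:
        raise ValueError("expected '<ftpuser>@<ftpserver> <proxyuser>'")
    target, proxyuser = parts
    if "@" not in target:
        raise ValueError("missing '@' between FTP user and FTP server")
    ftpuser, ftpserver = target.rsplit("@", 1)  # last "@" separates user from server (assumption)
    if not ftpuser or not ftpserver:
        raise ValueError("FTP user and FTP server must both be given")
    return ftpuser, ftpserver, proxyuser
```

With the Python standard library, ftplib.FTP.login(user, passwd, acct) issues USER, then PASS, then ACCT in this same order, each only after a 3xx intermediate reply to the previous command, so passing "<ftpuser>@<ftpserver> <proxyuser>" as user, the FTP password as passwd and the proxy password as acct reproduces the sequence above against a proxy that answers USER and PASS with 3xx replies.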
Node communication protocols
When Web Gateway appliances run as director and scanning nodes in a Central Management
configuration, communication between the nodes uses the Virtual Router Redundancy Protocol (VRRP)
and MWG Management Protocol.
Use of the protocols depends on the proxy settings that you have configured on the appliances that
run as nodes. The protocols differ with regard to the activities of director and scanning nodes that are
covered by them.
Virtual Router Redundancy Protocol
The Virtual Router Redundancy Protocol is used when you have configured Web Gateway as a proxy in
transparent router mode or High Availability proxy mode.
Under this protocol, virtual IP addresses are assigned to active director nodes and backup director
nodes. The protocol also determines which director node takes the active director role.
MWG Management Protocol
The MWG Management Protocol is used in transparent router, transparent bridge, and High Availability
proxy mode. Under this protocol, scanning nodes are identified that are available for processing web
traffic.
The node that takes the active director role sends out broadcast messages to the scanning nodes,
using the IP address that you have configured as its source IP address under the Management IP
option of the respective proxy settings.
The protocol lets scanning nodes that are available within the same network segment respond in
regular intervals to the discovery messages of the director node.
Security considerations
The security features of the Virtual Router Redundancy Protocol and MWG Management Protocol are similar to those of the Address Resolution Protocol (ARP).
The Virtual Router Redundancy Protocol uses multicast with an IP address that is not routed beyond the local broadcast domain. MWG Management Protocol uses broadcast messages.
A malicious node on the same network segment might send VRRP messages and hence impersonate the active director node holding the respective virtual IP address. If that node decides to drop all data packets it receives for the virtual IP address, network connectivity stops for the clients that are connected to the Web Gateway proxy.
To prevent malicious nodes from harming operation of the Web Gateway proxy, we recommend that
you use IP addresses from a protected network segment when configuring proxy settings according to
the Virtual Router Redundancy Protocol and the MWG Management Protocol.
Using DNS servers according to domains
The use of DNS (Domain Name System) servers to resolve domain information provided in URLs into
IP addresses when requests for web access are processed on Web Gateway can be configured
according to the domains of the requested destinations.
This use of DNS servers is also known as conditional DNS forwarding.
Domains, for example, testnet.webwasher.com, are entered into a list together with the IP address of
the DNS server that is used to resolve the URL information. More than one DNS server can be
specified this way for a domain.
When a request to a particular destination on the web is sent to Web Gateway, it is forwarded to a
DNS server according to this list.
The use of a particular DNS server can be configured dynamically with DHCP (Dynamic Host Configuration Protocol). This is also the default setting after the initial setup of a Web Gateway appliance.
If both configuration with DHCP and conditional DNS forwarding are configured, DHCP takes
precedence and conditional DNS forwarding is bypassed.
If a BIND server is configured as a DNS server, the DNS server settings that are stored in a
configuration file on Web Gateway will be overwritten. To keep these settings for domain name
resolving, you need to enter them manually again.
Configure the use of DNS servers according to domains
To enable the use of DNS servers according to the domains of destinations in the web, configure the
Domain Name Service settings in a suitable manner.
Task
1. Select Configuration | Appliances.
2. On the appliances tree, select the appliance you want to configure the use of DNS servers for and click Domain Name Service.
3. Configure the settings in the Conditional DNS Forwarder Configuration section as needed.
4. Click Save Changes.
Domain Name Service settings
The Domain Name Service settings are used for configuring DNS servers, including the use of DNS
servers according to particular domains, which is also known as conditional DNS forwarding.
Domain Name Service Settings
Settings for DNS servers
Table 4-37 Domain Name Service Settings
Primary domain name server
  Specifies the IP address of the first server.
Secondary domain name server
  Specifies the IP address of the second server.
Tertiary domain name server
  Specifies the IP address of the third server.
Conditional DNS Forwarder Configuration
Settings for using DNS servers according to domains
Table 4-38 Conditional DNS Forwarder Configuration
• Enable conditional forwarding: When selected, a DNS server from the Conditional Forwarder List resolves
domain information sent in a request to Web Gateway into an IP address. A DNS server is selected from the
list according to the domain of the requested destination. A DNS server is specified in the list by its IP
address. Up to 5 DNS servers can be specified for a domain. If this option is enabled, the following five
options become accessible.
• Default resolver(s): Specifies the IP addresses of the DNS server or servers that are used by default for
resolving domain information. IP addresses for up to 5 DNS servers can be specified here.
• TTL for positive answer: Limits the time (in seconds) that positive answers are cached for conditional
DNS forwarding to the specified value. The allowed time range is 1 to 604800 seconds. The default time is
604800 seconds.
• TTL for negative answer: Limits the time (in seconds) that negative answers are cached for conditional
DNS forwarding to the specified value. The allowed time range is 1 to 604800 seconds. The default time is
10800 seconds.
• Conditional Forwarder List: Contains entries for domains and IP addresses of DNS servers that are involved
in conditional forwarding.
• Conditional Forwarder Reverse Lookup List: Contains entries for domains and IP addresses of DNS servers
that are involved when a reverse lookup is performed in conditional forwarding.
The following table describes an entry in the Conditional Forwarder List.
Table 4-39 Conditional Forwarder List – List entry
• Forward zone: Specifies a domain name. When a request for a destination within a particular domain is sent
to Web Gateway, the DNS server or servers that have been specified for this domain are used for the lookup.
• DNS server(s): Specifies a DNS server or several DNS servers by their IP addresses. IP addresses for up to
five DNS servers can be specified here.
• Comment: Provides a plain-text comment on the conditional DNS forwarding that is configured by this list
entry.
The following table describes an entry in the Conditional Forwarder Reverse Lookup List.
Table 4-40 Conditional Forwarder Reverse Lookup List – List entry
• Forward zone: Specifies the IP address of a domain. The IP address is specified in CIDR notation. When a
reverse lookup is performed for an IP address, the DNS server or servers that have been specified for this
address are used.
• DNS server(s): Specifies a DNS server or several DNS servers by their IP addresses. IP addresses for up to
five DNS servers can be specified here.
• Comment: Provides a plain-text comment on the conditional DNS forwarding that is configured by this list
entry.
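As an added example (not code from this guide or from the product), the following Python script models how the Conditional Forwarder List, the Reverse Lookup List and the default resolvers select a DNS server for a lookup, and how the TTL options cap the caching of answers. The zone names, CIDR ranges, server addresses and TTL values are constructed sample data.

```python
"""Added example, not code from the McAfee product guide: a model of the conditional DNS
forwarder selection described in Tables 4-38 to 4-40. Zone names, CIDR ranges, server
addresses and TTL values below are constructed sample data."""
import ipaddress

TTL_MIN, TTL_MAX = 1, 604800      # allowed range for both TTL options (Table 4-38)
DEFAULT_TTL_POSITIVE = 604800     # default TTL for positive answers
DEFAULT_TTL_NEGATIVE = 10800      # default TTL for negative answers
MAX_SERVERS = 5                   # up to five DNS servers per list entry


def clamp_ttl(configured_limit, answer_ttl):
    """Return how long an answer may be cached: the TTL carried by the DNS answer, but
    never longer than the configured limit, which itself must lie in the allowed range."""
    if not TTL_MIN <= configured_limit <= TTL_MAX:
        raise ValueError(f"TTL limit must be between {TTL_MIN} and {TTL_MAX} seconds")
    return min(answer_ttl, configured_limit)


def _checked_servers(servers):
    """Validate a DNS server list: one to five syntactically valid IP addresses."""
    if not 1 <= len(servers) <= MAX_SERVERS:
        raise ValueError(f"a list entry takes 1 to {MAX_SERVERS} DNS servers")
    return [str(ipaddress.ip_address(s)) for s in servers]


class ConditionalForwarder:
    """Selects the DNS server(s) for a lookup from the Conditional Forwarder List (forward
    zones) or the Reverse Lookup List (CIDR ranges), falling back to the default resolvers."""

    def __init__(self, default_resolvers, forward_list, reverse_list):
        self.default_resolvers = _checked_servers(default_resolvers)
        self.forward = {zone.lower().strip("."): _checked_servers(srv) for zone, srv in forward_list}
        self.reverse = [(ipaddress.ip_network(cidr), _checked_servers(srv)) for cidr, srv in reverse_list]

    def servers_for_name(self, hostname):
        """Walk the name from the most specific zone upwards, so that an entry for
        hr.corp.example wins over one for corp.example."""
        labels = hostname.lower().strip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.forward:
                return self.forward[zone]
        return self.default_resolvers

    def servers_for_reverse(self, ip):
        """For a reverse lookup, the entry with the longest matching prefix applies."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, servers in self.reverse:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, servers)
        return best[1] if best else self.default_resolvers


# Constructed sample configuration (not from the guide).
FORWARDER = ConditionalForwarder(
    default_resolvers=["192.0.2.53"],
    forward_list=[("corp.example", ["10.0.0.53", "10.0.1.53"]),
                  ("hr.corp.example", ["10.0.2.53"])],
    reverse_list=[("10.0.0.0/8", ["10.0.0.53"]),
                  ("10.0.2.0/24", ["10.0.2.53"])],
)

if __name__ == "__main__":
    for name in ("mail.corp.example", "portal.hr.corp.example", "www.example.com"):
        print(name, "->", FORWARDER.servers_for_name(name))
    for ip in ("10.0.2.7", "10.9.9.9", "203.0.113.1"):
        print(ip, "->", FORWARDER.servers_for_reverse(ip))
    print("negative answer cached for", clamp_ttl(DEFAULT_TTL_NEGATIVE, 86400), "seconds")
```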
Using DXL messages to exchange web security information
You can use the DXL technology to send and receive information to and from web security products
that are connected to Web Gateway in a common security architecture.
McAfee Data Exchange Layer (DXL) is a messaging technology for real-time information exchange.
The technology is used to exchange security-related information, for example, file reputation scores
between Web Gateway and other web security products that are connected to it.
This kind of information exchange is part of a security architecture that is provided by McAfee and is
also known as Security Connected.
You can exchange information under DXL in two main scenarios: One is publishing a message about a
security topic in an event and receiving this message after subscribing for the topic. The other is
sending a query for information about a security topic to a service and receiving a response from this
service.
The web security products that are connected to each other, including Web Gateway, take the various
roles that belong to these scenarios. Products can be publishers and subscribers, they can send
queries and also act as services that queries are sent to.
When a publisher sends DXL messages to the subscribers, they send no responses. When a DXL
message is sent as a query for security-related information to a service, the service sends a response,
providing information about the topic that was specified in the query.
Web Gateway supports the sending of DXL messages in events and as queries to a service. It can also
receive DXL messages and act as a service that provides information on a web security topic.
Configuring settings for the exchange of web security information
To enable the exchange of information about web security topics on Web Gateway, you must configure
several settings. Credentials for a McAfee ePO server must be configured, as parts of the DXL
architecture are managed by this administration product.
Topics and services are configured as part of the settings for the proxy functions of Web Gateway.
DXL messages can also be traced for troubleshooting after enabling the relevant option of the
Troubleshooting settings.
Sample rule for sending a DXL message in an event
The following sample rule uses an event to send a message about a topic to the subscribers.
The message is sent when processing a request for web access from a client of Web Gateway shows
that the requested URL belongs to a bad category. The event then sends the IP address of the client to
all that have subscribed to the "Bad Client" topic to receive information about bad clients.
The event DXL.Event is provided for creating a rule like this. The event has two parameters, which are a
topic and information that is in some way related to the topic.
The rule looks as follows.
Name: Use an event to send a DXL message to the subscribers
Criteria: URL.Categories<Default> at least one in list Bad Categories
Action: –> Continue
Event: DXL.Event("Bad Client", IP.ToString(Client.IP))
Sample rule for sending a DXL message as a query to a service
The following sample rule retrieves the reputation score for a requested file and blocks the request if
the reputation score has a particular value.
The rule uses the DXL.Query property in its criteria. This property provides a reputation score that was
retrieved by sending a DXL message as a query to a service. The web security product that takes the
role of the service is a McAfee Threat Intelligence Exchange (TIE) server.
One of the property parameters is the topic that the query is about. The other parameter is the
information about the topic that the query retrieved. This information was received as the response
from the service that the query was sent to.
If a query is sent to a TIE server, the TIE.Filereputation property is used to store the information that is
retrieved as response from this server.
The rule looks as follows.
Name: Send a DXL message as a query to a service
Criteria: DXL.Query ("File Reputation", TIE.Filereputation) matches *reputation=15*
Action: –> Block <FileReputation>
Configure the settings for information exchange with DXL
To enable information exchange with DXL, configure credentials for communication with a McAfee ePO
server and the topics and services that you want to include in DXL messages.
Task
1 Configure the credentials that Web Gateway submits when connecting to a McAfee ePO server to
enable DXL messaging.
a Select Configuration | Appliances.
b On the appliances tree, select the appliance that you want to configure the information
exchange on and click ePolicy Orchestrator.
c Under ePO DXL Settings, configure a host name, user account, and password for use by Web
Gateway when connecting to a McAfee ePO server.
2 Click Proxies (HTTP(S), FTP, SOCKS, ICAP ...) and on the configuration pane scroll down to Data Exchange Layer.
3 Configure topics for DXL messages:
a On the toolbar of the Subscription Topics list, click the Add (or Multiple Add) icon.
b In the window that opens, type a topic name (or multiple names separated by commas), then
click OK.
The window closes and the topics appear in the list.
4 Configure the following for each service that you want to receive DXL messages:
a On the toolbar of the Services list, click the Add icon.
The Add DXL Service window opens.
b Type a service name in the Service field.
c On the toolbar of the Topics list, click the Add (or Multiple Add) icon.
d In the window that opens, type the name of a topic (or multiple names separated by commas)
that the service is to send information about, then click OK.
The window closes and the topics appear in the list.
e Click OK to close the Add DXL Service window.
The service appears in the list.
5 Click Save Changes.
Configure settings for information exchange using a TIE server
Configure settings to use a TIE server for providing web security information that is collected on this
server. The web security information that Web Gateway can retrieve from a TIE server is file
reputation scores.
Task
1 Select Policy | Settings.
2 On the Engines branch of the settings tree, select TIE Filter and click Add.
An Add Settings window opens.
3 In the Name field, type a name for the settings.
4 Under Product Priorities, select one of the following.
• Use default product priority order
The default order is to use information from the TIE server first for sending in an event. If this
information is not available, the lowest reputation score that a connected product sent is
retrieved.
After selecting this option, continue with step 6.
• Customize product priority order
After selecting this option, continue with step 5.
5 Customize the product priority order.
a On the toolbar of the product list, click the Add icon.
b In the Product ID field of the window that opens, type a comma-separated list of product IDs in
the order that you want to use information from these products.
Typing an asterisk as a list element means that the lowest reputation score sent by a product is
used.
In the Comment field, you can optionally type an explanation for each product ID.
c Click OK.
The window closes and each product ID appears in a separate line of the list.
6 Click OK to close the Add Settings window.
The window closes and the new settings appear under TIE Filter on the settings tree.
7 Click Save Changes.
Best practices - Working with the user-agent header
The user-agent header is a header in a request for web access sent under the HTTP protocol. This
header identifies the software program that was used to send the request. You can work with this
header to create a rule that performs a particular action on a request that contains this header.
The software used on a client for sending a request can be a browser, a media player, or a similar
program. If you find, for example, that requests sent with a particular browser cause issues with user
authentication on Web Gateway, you can create a rule that skips authentication for these requests or
blocks them.
The rule contains the value of the user-agent header in the criteria for the action that is performed.
When a request is processed on Web Gateway, this value is retrieved from the request to see whether
it is the one for the software program that causes issues.
If not only one program causes issues or you expect that more will be found, you can also work with a
list of user-agents. The value of the user-agent header within a request is then compared to the list
entries to see whether it matches any of them.
Finding the user-agent
To create a rule with an action for a request that caused issues due to its user-agent, you must know
which user-agent it is. There are several ways to find this out.
• Access log — You can inspect the access log that is maintained on Web Gateway. The data that
this log records includes the user-agent header of a request by default.
• Online resources — You can find information about browsers, media players, and similar
programs that run as user-agents on client systems using online resources, for example,
performing an online search.
Websites are available that support your search for information, for example, by listing and
describing the most common user-agents or by identifying the browser that is currently in use on a
client.
• TCP dump — You can create a TCP dump of the request processing that Web Gateway performs,
using the troubleshooting functions on the user interface. For more information about these
functions, see the Troubleshooting chapter.
When a TCP dump has been created, you can work with a packet tracing tool, for example,
Wireshark, to follow the TCP stream. You can select a GET request sent for web access and inspect
the data packets of this request with its headers.
If you already have some information about the user-agent that causes issues, you can filter the
output in Wireshark accordingly. Entering, for example, the following line returns all data packets
that contain the text string "Mozilla".
http.user_agent matches "Mozilla"
Most user-agent headers for browsers begin with the text string "Mozilla". This does not necessarily
mean that the user-agent is the Mozilla Firefox browser. It could be Firefox or a different browser.
Common user-agent headers
The following list provides information about some user-agent headers for software programs that are
often found when TCP dumps created on Web Gateway are inspected.
Code lines from the Wireshark packet tracing tool showing the relevant information are added for
each user-agent header.
• Firefox — A user-agent header for a Mozilla Firefox browser contains the text string "Firefox/"
followed by the version number.
Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1
• Internet Explorer — A user-agent header for a Microsoft Internet Explorer browser contains the
text string "MSIE" followed by the version number.
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
• Chrome — A user-agent header for a Google Chrome browser contains the text string
"AppleWebKit".
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Do not confuse a header like this with a user-agent header for the Apple iPhone smartphone.
• Windows Media Player — A user-agent header for Windows Media Player contains the two text
strings shown in this sample code block.
Windows-Media-Player/10.0.0.xxxx
NSPlayer/10.0.0.xxxx WMFSDK/10.0
• iTunes — A user-agent header for an Apple iTunes media player contains the text string "iTunes/"
followed by the version number.
Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1
• Safari on iPhone — A user-agent header for an app that runs on an iPhone, for example, the
Apple Safari browser, contains the text string "iPhone".
Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1
Sample rule for working with the user-agent header
In a rule that performs an action on a request with a user-agent header for a particular software
program, the user-agent is included in the rule criteria. If the rule is to apply for more than one
user-agent, you can work with a list of user-agents.
We recommend using a list, even if you are presently interested in a particular user-agent only. Using a
list makes it easier to modify the rule when more user-agents must be addressed in the future.
The rule criteria contains a property that is set to the value for the user-agent in the user-agent
header when the rule is processed. The rule applies if this value matches one of the entries in a list of
user-agents or a single user-agent if you have configured the rule this way.
The list might, for example, contain the entry "MSIE 10" for version 10 of the Microsoft Internet
Explorer. If a request includes a user-agent header for this browser, the rule criteria matches, as the
string that you entered in the list is also contained in the user-agent header.
The property that is used to retrieve the value for the user-agent from the user-agent header in a
request is Header.Request.Get. To use the property for retrieving this value, you configure the string
"User-Agent" as a parameter of the property.
The purpose of the sample rule is to let a request skip SSL scanning. It looks as follows.
Name: Skip SSL Scanner for user-agents in list
Criteria: Header.Request.Get("User-Agent") matches in list User Agent Whitelist
Action: –> Stop Rule Set
We recommend including another criteria part in a rule like this. As it is the client that provides the
information about the user-agent, the client or a malware program might spoof a trusted user-agent to
bypass filtering.
A sample rule that has its criteria extended by another part to protect the rule against user-agent
spoofing looks as follows.
Name: Skip SSL Scanner for user-agents in list
Criteria: Header.Request.Get("User-Agent") matches in list User Agent Whitelist AND URL.Host matches
*samplesite.com
Action: –> Stop Rule Set
In the sample rules, Stop Rule Set is configured as action. To address issues that a user-agent causes
with regard to a function of Web Gateway, you insert the rule in the rule set for that function.
For example, if a user-agent causes issues with SSL scanning, insert it at the beginning of the SSL
Scanner rule set. If the rule applies, processing of this rule set is stopped, which means that the
relevant request skips SSL scanning. The rule can be used in a similar way to skip, for example, user
authentication.
If you do not want to let requests skip anything due to issues with user-agents, you can replace the
Stop Rule Set action with Block. You can then create a rule set for globally blocking requests (if it does not
yet exist in your rule set system) and insert the rule.
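The following Python script is an added example, not code from this guide or from Web Gateway: it identifies user-agents by the text strings listed above and evaluates the extended sample rule, including the URL.Host part that limits the effect of a spoofed user-agent to one site. The list entries, the iPhone string, the request data and the samplesite.com hosts are constructed; the other user-agent strings are the ones quoted above.

```python
"""Added example, not code from the McAfee product guide: identifying user-agents by the
text strings the guide lists, and evaluating the sample rule 'Skip SSL Scanner for
user-agents in list' together with the URL.Host check that guards against user-agent
spoofing. List entries, request data, hosts and the iPhone string are constructed."""
import fnmatch

# Checks are ordered so that the more specific strings are tested first: an iPhone
# user-agent also contains "AppleWebKit", so it must not be reported as Chrome.
_SIGNATURES = [
    ("Windows Media Player", ("Windows-Media-Player/", "NSPlayer/")),
    ("iTunes", ("iTunes/",)),
    ("Safari on iPhone", ("iPhone",)),
    ("Firefox", ("Firefox/",)),
    ("Internet Explorer", ("MSIE",)),
    ("Chrome", ("AppleWebKit",)),
]


def identify_user_agent(user_agent):
    """Return the program name for a user-agent header value, or "unknown"."""
    for name, markers in _SIGNATURES:
        if any(marker in user_agent for marker in markers):
            return name
    return "unknown"


def matches_in_list(value, entries):
    """'matches in list' as the guide describes it: the rule applies when a list entry
    such as "MSIE 10" is contained in the header value."""
    return any(entry in value for entry in entries)


def host_matches(host, pattern):
    """Wildcard comparison for URL.Host, e.g. against the pattern *samplesite.com."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def skip_ssl_scanner(request, user_agent_list, host_pattern):
    """The extended sample rule: Header.Request.Get("User-Agent") matches in list
    User Agent Whitelist AND URL.Host matches *samplesite.com -> Stop Rule Set.
    The host part limits the effect of a spoofed user-agent to the named site."""
    user_agent = request["headers"].get("User-Agent", "")
    return matches_in_list(user_agent, user_agent_list) and host_matches(request["host"], host_pattern)


# The first four header strings are quoted in the guide; the iPhone string, the list
# entries and the hosts used below are constructed.
FIREFOX_UA = "Mozilla/6.0 (Windows NT 6.2; WOW64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
MSIE_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) "
             "Chrome/25.0.1364.172 Safari/537.22")
WMP_UA = "Windows-Media-Player/10.0.0.xxxx"
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 Mobile Safari/8536.25"
USER_AGENT_WHITELIST = ["MSIE 10", "Windows-Media-Player/"]
HOST_PATTERN = "*samplesite.com"


def build_request(user_agent, host):
    """Minimal stand-in for a request as seen by the rule engine."""
    return {"headers": {"User-Agent": user_agent}, "host": host}


if __name__ == "__main__":
    for ua in (FIREFOX_UA, MSIE_UA, CHROME_UA, WMP_UA, IPHONE_UA):
        print(identify_user_agent(ua), "<-", ua[:60])
    for ua, host in ((MSIE_UA, "mail.samplesite.com"), (MSIE_UA, "cdn.example.net"),
                     (FIREFOX_UA, "samplesite.com")):
        skip = skip_ssl_scanner(build_request(ua, host), USER_AGENT_WHITELIST, HOST_PATTERN)
        print(host, identify_user_agent(ua), "skip SSL scanner:", skip)
```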
Create a rule for working with the user-agent header
Create a rule that performs an action on requests depending on their user-agent headers to address
issues caused by the user-agents.
The following procedure assumes that an issue with SSL scanning is caused by a particular user-agent.
The rule that is created lets requests with user-agent headers containing this user-agent skip SSL
scanning to avoid the issues.
Task
1 Select the rule set for the function that is skipped for requests with the user-agent that causes
issues.
a Select Policy | Rule Sets.
b On the rules tree, select the SSL Scanner rule set.
c Click Unlock View on the configuration pane and confirm with Yes.
The nesting SSL Scanner rule set is accessible for inserting rules.
2 Configure the name of the rule that lets requests skip the rules in the rule set.
a Click Add Rule.
The Add Rule window opens with the Name step selected.
b In the Name field, type a name for the rule, for example, Skip SSL Scanner for user-agents
on list.
3 Configure the property that is used to retrieve the user-agent.
a Click Rule Criteria and then Add.
b From the drop-down menu, select Advanced Criteria.
The Add Criteria window opens.
c Click Filter, then select Engine | Header and from the filtered list of properties select
Header.Request.Get.
d Click Parameters at the property.
e In the window that opens, make sure that Parameter value is selected and type User-Agent, then click
OK to close the window.
4 Configure the operator and the list to compare the property value with.
a Leave the Matches in list operator that is suggested.
b From the lists under Compare with, select User Agent Whitelist.
The list is initially empty and you must insert an entry for the user-agent that causes issues.
c Click OK.
The Add Criteria window closes and the complete criteria appears in the Add Rule window.
5 Configure the rule action.
a Click Action.
b From the Action list, select Stop Rule Set.
6 Complete the configuration.
a Click Finish.
The Add Rule window closes and the rule appears in the SSL Scanner rule set.
The SSL Scanner rule set is empty by default, as the rules for the scanning functions are contained
in nesting rule sets. If you find that the nesting rule set contains rules that were inserted after
the initial setup, move the new rule into first position.
b Click Save Changes.
Bypassing for Office 365 and other Microsoft services
Requests sent to Office 365 and other Microsoft services, and responses received from these services,
can be configured to bypass filtering to avoid a load increase on Web Gateway.
Bypassing is handled for these requests and responses by rules. A rule set with suitable rules is
provided in the default rule set system and in the rule set library.
To configure the bypassing of requests and responses in traffic to and from Office 365 and
other Microsoft services, you can work with:
• Key elements of rules — After opening the rule set with the bypassing rules, you can
view and configure key elements of these rules.
• Complete rules — After clicking Unlock View in the key elements view, you can view the
bypassing rules completely, configure all their elements, including the key elements, and
also create rules or delete rules.
You cannot return from this view to the key elements view unless you discard all changes
or reimport the rule set.
Office 365 and other Microsoft services
Microsoft offers several cloud-based applications that belong to the Office 365 application suite. These
applications rely heavily on HTML5 features to provide an enriched user experience.
Consequently, some of these applications can set up a high number of connections and also several
"endless" connections, which might considerably increase the load on a Web Gateway appliance. The
increased load can have an impact on the proxy functions of Web Gateway, leading to slow or delayed
web access, timeouts, and other issues.
To avoid such issues, you might want to let requests and responses in traffic to and from Office 365
and other Microsoft services bypass filtering on Web Gateway. Many of these requests and responses
also use undocumented formats or protocols that are proprietary to Microsoft and cannot be scanned
and filtered on Web Gateway.
Rule set for Microsoft services bypassing
The Bypass Microsoft (Office 365) Services rule set contains rules that enable bypassing for requests and
responses in traffic to and from Office 365 and other Microsoft services.
IP address and URL lists published by Microsoft are used to recognize the requests that are submitted
for accessing these services.
The rule set is placed at the top of the default rule set system.
Using a Domain Name System
The bypassing rule set requires Web Gateway to access a Domain Name System (DNS). In some
configurations, for example when next-hop proxies are used, Web Gateway does not normally require
DNS access, so this access might not be configured or even be blocked by a rule.
Most of the rules in the rule set, however, rely on evaluating the URL.Destination.IP property to recognize
relevant requests. The DNS is then used to resolve the destination IP address of the request that is
currently processed.
So, if a DNS is not correctly configured or not configured at all, you might encounter timeouts or slow
performance when working with the rule set.
Key elements for Microsoft services bypassing
The key elements of the rules that handle bypassing for Office 365 and other Microsoft services are
related to the individual services that requests and responses are sent to and received from.
Bypassing for Microsoft services
Options for handling Microsoft services bypassing
Table 4-41 Bypassing for Microsoft services
• Bypass Exchange Online, Bypass Microsoft Federation Gateway, and other options for handling Microsoft
services bypassing: When selected, a request from a client of Web Gateway to access Exchange Online or
another Microsoft service is forwarded to the service unfiltered. When a response is received from the
service, it is also passed on to the client unfiltered. None of these options is enabled by default.
Bypass Microsoft (Office 365) Services rule set
The Bypass Microsoft (Office 365) Services rule set is the default rule set for letting requests and responses in
traffic to and from Office 365 and other Microsoft services bypass filtering on Web Gateway.
Default rule set – Bypass Microsoft (Office 365) Services
Criteria – Always
Cycles – Requests (and IM), Responses
The rule set contains the following rules.
Shortcut Microsoft service in response
Cycle.Name equals "Response" AND User-Defined.Shortcut_Microsoft_Service equals true – Stop Cycle
The rule uses the Cycle.Name property to find out whether processing on Web Gateway is currently
going on in the response cycle.
It also uses a user-defined property to check whether the response that is processed in this cycle
was triggered by a client requesting access to Office 365 or any of several other Microsoft services.
If such a request is received on Web Gateway, a particular rule that is processed in the request cycle
sets the user-defined property to true. The current rule checks whether the property is actually set
this way in the response cycle, using the second part of its criteria.
If both criteria parts match, the rule applies and the response cycle is stopped. The response is then
forwarded to the requesting client without filtering.
This rule is enabled by default.
All rules that follow the first rule in the rule set work in a similar way. They ensure that a
request sent by a client of Web Gateway to a particular Microsoft service is forwarded to this
service unfiltered.
Each of them also sets the property that is evaluated by the first rule to true after receiving
such a request.
The first of these subsequent rules is explained here as an example in full detail. A summary
is then given for all other rules.
Bypass Exchange Online
URL.Destination.IP is in range list Exchange Online IP Addresses OR URL.Destination.IP is in range list Exchange Online
Protection IP Addresses OR URL.Host matches in list Exchange Online URLs – Stop Cycle – Set
User-Defined.Shortcut_Microsoft_Service = true
The rule uses the URL.Destination.IP and URL.Host properties to find out whether the IP address and URL
that are sent with a request are on particular lists.
If they are, the request cycle is stopped and the request is forwarded to the requested destination,
which is the Microsoft Exchange Online service.
The User-Defined.Shortcut_Microsoft_Service property is then set to true by an event. The property is
evaluated in the response cycle by the first rule in the rule set.
This rule is not enabled by default.
Bypass Microsoft Federation Gateway, Bypass Microsoft Lync/Skype for Business Online, and other rules for Microsoft
services bypassing
Similar to the Bypass Exchange Online rule, these rules use the URL.Destination.IP property or the URL.Host
property or both (in one case also the URL property) to find out whether the IP addresses or URLs
that are sent with requests are on particular lists. The lists vary with each rule depending on the
respective service.
If the IP addresses or URLs are found on the lists, the request cycle is stopped and the request is
forwarded to the requested destination, which is one of the Microsoft services.
The User-Defined.Shortcut_Microsoft_Service property is then set to true by an event. The property is
evaluated in the response cycle by the first rule in the rule set.
None of these rules is enabled by default.
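As an added example (not the product's own code), the following Python script models the handoff between the Bypass Exchange Online rule in the request cycle and the Shortcut Microsoft service in response rule, including the case where the destination name cannot be resolved and therefore the URL.Destination.IP checks cannot match. The IP ranges, URL patterns and DNS table stand in for the Microsoft-published lists and for the appliance's DNS lookup; all of them are constructed.

```python
"""Added example, not code from the McAfee product guide: a model of how the Bypass Microsoft
(Office 365) Services rule set hands a request through the request cycle and the matching
response through the response cycle via the User-Defined.Shortcut_Microsoft_Service
property. IP ranges, URL patterns and the DNS table are constructed sample data."""
import fnmatch
import ipaddress

# Constructed stand-ins for the Exchange Online IP Addresses and Exchange Online URLs lists.
EXCHANGE_ONLINE_IP_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
EXCHANGE_ONLINE_URLS = ["*.mail.example", "mail.example"]

# Constructed DNS table. URL.Destination.IP is only available when the name resolves,
# which is why the guide warns about missing or blocked DNS access.
DNS_TABLE = {"owa.mail.example": "203.0.113.10",
             "smtp.mailhost.example": "198.51.100.5",
             "www.example.com": "192.0.2.80"}


def resolve(host):
    """Stand-in for the DNS lookup; returns None when the name does not resolve."""
    return DNS_TABLE.get(host.lower())


def is_in_range_list(ip, ranges):
    """'is in range list' on URL.Destination.IP; an unresolved destination never matches."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def matches_in_list(host, patterns):
    """'matches in list' on URL.Host with wildcard entries."""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)


def bypass_exchange_online(tx, enabled):
    """Bypass Exchange Online rule (request cycle); not enabled by default in the product.
    On a match the request cycle is stopped and an event sets the user-defined property."""
    if not enabled:
        return "continue"
    dest_ip = resolve(tx["host"])
    if is_in_range_list(dest_ip, EXCHANGE_ONLINE_IP_RANGES) or matches_in_list(tx["host"], EXCHANGE_ONLINE_URLS):
        tx["Shortcut_Microsoft_Service"] = True
        return "Stop Cycle"
    return "continue"


def shortcut_microsoft_service_in_response(tx):
    """Shortcut Microsoft service in response rule: Cycle.Name equals "Response" AND
    User-Defined.Shortcut_Microsoft_Service equals true -> Stop Cycle. Enabled by default."""
    if tx["cycle"] == "Response" and tx.get("Shortcut_Microsoft_Service") is True:
        return "Stop Cycle"
    return "continue"


def process(host, bypass_enabled=True):
    """Run one transaction through both cycles and return the outcome of each."""
    tx = {"host": host, "cycle": "Request", "Shortcut_Microsoft_Service": False}
    request_result = bypass_exchange_online(tx, bypass_enabled)
    tx["cycle"] = "Response"
    response_result = shortcut_microsoft_service_in_response(tx)
    return request_result, response_result


if __name__ == "__main__":
    for host in ("owa.mail.example", "smtp.mailhost.example", "cas.mail.example",
                 "www.example.com", "nowhere.example"):
        print(host, process(host))
    print("bypass rule disabled:", process("owa.mail.example", bypass_enabled=False))
```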
Reverse HTTPS proxy
A reverse HTTPS proxy configuration can prevent clients from uploading unwanted data, such as
malware or particular media types, to web servers under the HTTPS protocol.
In this configuration, HTTPS traffic is redirected to an appliance that a proxy is run on. It is inspected
and eventually forwarded or blocked, according to the rules implemented on the appliance.
You can configure this in the following ways:
• Set up a transparent bridge or router.
• Set up a DNS configuration that points directly to the appliance when access to a particular web
server is requested.
Redirection to an appliance can also be achieved by configuring proxy-aware connections that rely on
the use of CONNECT headers.
However, this method would require an additional network device to assemble these headers for
incoming requests. It is therefore not recommended.
In addition to configuring your network, you need to configure the handling of SSL certificates.
Optionally, you can configure additional settings that are not SSL-related to ensure a smooth operation
of the reverse HTTPS proxy.
Redirect HTTPS traffic in transparent bridge or router mode
In transparent bridge or router mode, you can use a port redirect rule (also known as port forwarding
rule) to direct HTTPS traffic to the proxy port on an appliance.
You also need to ensure that the redirected requests are treated as SSL-secured communication.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to redirect traffic to and click Proxies (HTTP(S),
FTP, ICAP, and IM).
3 In the Network Setup section, select Transparent bridge (or Transparent router).
The section with the specific transparent bridge (or router) settings appears.
4 Under Port redirects, click Add.
The Add Port Redirects window opens.
5 Configure the following settings for a new port redirect rule:
• Protocol name — HTTP
This setting covers connections under both the HTTP and HTTPS protocols.
• Original destination ports — 443
If the web servers that are the destinations for requests can be reached under the HTTP
protocol as well, you can add port 80 here (separated by a comma). This type of traffic is then
also directed to the appliance.
• Destination proxy port — 9090
This is the default proxy port on an appliance.
6 Click OK.
The window closes and the new rule appears on the list.
7 Under HTTP proxy port, make sure Enable HTTP proxy is selected and click Add.
The Add HTTP Proxy Port window opens.
8 Make sure the following is configured:
• Serve transparent SSL connections — Selected
• Ports treated as SSL — 443
9 Leave the other settings at their default values and click OK.
The window closes and the new HTTP proxy port appears on the list.
10 Click Save Changes.
Let the appliance listen to requests redirected by DNS entries
When requests under the HTTPS protocol are redirected to an appliance according to DNS entries, you
can configure the proxy on the appliance to listen directly on the appropriate port. You also need to
ensure that only SSL-secured connections are served.
Before you begin
If you want to configure the proxy in this way, make sure of the following:
• The host names of the requested web servers are not resolved to the appliance when
the appliance does a DNS lookup.
You can achieve this by entering the IP addresses of the web servers into the /etc/hosts
file on the appliance or by using an appropriately configured internal DNS server.
• A rule set that handles content inspection is implemented on the appliance and enabled.
A suitable rule set is provided in the default rule set system as nested rule set of the
SSL Scanner rule set.
When using DNS entries, a port redirect rule cannot be applied because the purpose of such a rule is
forwarding requests for other destinations to the appliance. However, due to the DNS entries, the
appliance is already the destination.
You also need to ensure that only SSL-secured connections are served.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select an appliance for listening to requests and click Proxies (HTTP(S), FTP, ICAP,
and IM).
McAfee Web Gateway 7.6.0
Product Guide
4
Proxies
Reverse HTTPS proxy
3
Under HTTP proxy port, make sure Enable HTTP proxy is selected and click Add.
The Add HTTP Proxy Port window opens.
4
Configure the following settings for a new HTTP proxy port:
•
Listener address — 0.0.0.0:443
This setting lets the appliance listen to requests for any web servers, regardless of their IP
addresses. You can also specify a particular IP address here and restrict the appliance to
listening for requests to the server in question.
If you are running several network interface cards on your appliance, you can specify IP
addresses (separated by commas) for as many web servers as there are network interface
cards.
5
•
Serve transparent SSL connections — Selected
•
Ports treated as SSL — *
Leave the other settings at their default values and click OK.
The window closes and the new proxy port appears on the list.
If a web server should also be accessible under the HTTPS protocol, you need to add another HTTP
proxy port with listener address 0.0.0.0:80 or the address of a particular web server.
6
Click Save Changes.
SSL certificates in a reverse HTTPS proxy configuration
A reverse HTTPS proxy configuration is usually set up to protect a limited number of web servers
against the upload of unwanted data by clients. You need to import SSL certificates for these servers
and add them to the appliance configuration.
In a reverse HTTPS proxy configuration, the appliance communicates in SSL-secured mode with its
clients. The SSL certificates that the appliance sends to the clients during the SSL handshake cannot
be issued, however, by its SSL Scanner module. Therefore, the appliance uses the original certificates
of the web servers that the clients request access to.
You can import these certificates when configuring the settings for the SSL Client Context without CA
module.
The appliance uses several methods to find the appropriate certificates for sending to its clients.
Choosing certificates for sending to the clients
To find out which certificate should be sent to a client in a given situation, the appliance scans the list
of imported certificates. On this list, certificates are mapped to the host names of the web servers
they belong to. The appliance then sends the certificate that is mapped to the name of the host that a
client requested access to.
In an explicit proxy setup, the host name would be transmitted and made known to the appliance in
the header of the CONNECT request.
In a transparent setup, the appliance uses the following methods to detect the host names:
• If a client sends an SNI extension, the host name can be found in a way that is similar to detecting
it in an explicit proxy configuration.
• If client requests are redirected to the appliance according to DNS entries, the host name is known
by the IP address that you specified when configuring redirection.
In this case, you also need to create a rule set with rules that set the URL.Host property to the
appropriate value for every IP address the appliance has been configured to listen to. This is to let
the appliance know where to forward a request to when it has been filtered and allowed.
• If the transparent setup does not use redirection by DNS entries, the appliance will send a
handshake message to the web server that a client requested, extract the common name from the
certificate it receives from the web server, and use this common name to detect the appropriate
host name.
This method requires that the appliance and the web server communicate in SSL-secured mode,
too. You can configure a setting on the appliance to ensure this mode is used.
Create settings for SSL certificates in a reverse HTTPS proxy configuration
You can create settings for the SSL certificates that are used for web servers in a reverse HTTPS proxy
configuration and import the certificates when configuring these settings.
Task
1 Select Policy | Settings.
2 On the settings tree, select Enable SSL Client Context without CA.
3 Click Add above the settings tree.
The Add Settings window opens.
4 In the Name field, enter a name for the settings you want to add, for example, Imported web
server certificates.
5 [Optional] In the Comments field, type a plain-text comment on the settings.
6 [Optional] Select the Permissions tab and configure who is allowed to access the settings.
7 In the Define SSL Client Context (Without Certificate Authority) section, configure the settings parameters.
a On the toolbar of the inline list Select server certificate by host or IP, click Add.
The Add Host to Certificate Mapping window opens.
b Click Import and use the options of the Import Server Certificate window that opens to import an SSL
certificate for a web server.
c Configure the other parameters in the Add Host to Certificate Mapping window as needed.
d Click OK.
The window closes and a new entry for mapping an SSL certificate to the host name of a web
server appears in the inline list.
e Repeat substeps a to d if you want to add more mapping entries to the inline list.
f Select or deselect SSL-Scanner functionality applies only to client connection, according to whether the
connection to the web server should be SSL-secured or not.
If you choose to let this connection be unsecured, you need to create a rule that changes the
network protocol from HTTPS to HTTP.
g Configure the other settings parameters for the SSL client context as needed.
h Click OK.
The Add Settings window closes and the new settings appear on the settings tree.
8 Click OK.
The window closes and the new settings appear on the settings tree.
9 Click Save Changes.
You can use these settings in the rule for setting the client context that is provided in the SSL Scanner
rule set of the default rule set system.
Set the URL.Host property in a reverse HTTPS proxy configuration
When client requests are redirected to the appliance by DNS entries in a reverse HTTPS proxy
configuration, you need to set the IP address of a web server as values of the URL.Host property to let
the appliance know where to forward requests to.
After filtering a request has led to the result that it is allowed, the appliance uses the URL.Host
property that was submitted with the request to forward it to the requested web server.
When requests are redirected according to DNS entries, web servers are known to the appliance by
their IP addresses. If the URL.Host property has the IP address of a web server as its value, the
appliance forwards the request to the appropriate destination.
Setting the value of a URL.Host property to an IP address can be done by a rule. You need to create
such a rule for each web server that the appliance should forward requests to.
These rules can be contained in a rule set of their own.
Tasks
• Create a rule set for setting the URL.Host property on page 139
You can create a rule set with rules that set the IP address of a web server as the value of
the URL.Host property.
• Create rules for setting the URL.Host property on page 140
You can create rules that set the IP address of a web server as the value of the URL.Host
property.
Create a rule set for setting the URL.Host property
You can create a rule set with rules that set the IP address of a web server as the value of the
URL.Host property.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, navigate to the position where you want to insert the rule set.
3 Above the tree, click Add and select Rule Set.
The Add New Rule Set window opens.
4 Under Name, enter a suitable name for the new rule set, for example, Set value of URL.Host to IP address.
5 Make sure Enable is selected.
6 Under Applies to, select Requests and IM.
7 Under Apply this rule set, select Always.
8 [Optional] Under Comment, type a plain-text comment on the rule set.
9 [Optional] Click the Permissions tab and configure who is allowed to access the rule set.
10 Click OK.
The window closes and the new rule set appears on the rule sets tree.
Create rules for setting the URL.Host property
You can create rules that set the IP address of a web server as the value of the URL.Host property.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the rule set you have created for the new rules, for example, Set value of
URL.Host to IP address.
3 Click Add Rule.
The Add Rule window opens with the Name step selected.
4 In the Name field, type a name for a new rule, for example, Set value of URL.Host to
10.141.101.51.
5 Select Rule Criteria, then If the following criteria is matched, and click Add.
The Add Criteria window opens.
6 Configure the rule criteria as follows:
a From the list of properties in the left column, select URL.Destination.IP.
b From the list of operators in the middle column, select equals.
c In the operand field under Compare with in the right column, type an IP address.
7 Click OK.
The window closes and the new criteria appears under Rule Criteria.
8 Click Action, select Continue, and leave the default settings for this action.
9 Click Events, then Add, and from the drop-down menu that appears, select Set Property Value.
The Add Set Property window opens.
10 Set a property as follows:
a Under Set this property, select URL.Host.
b Under To concatenation of these strings, click Add.
The Please Enter a String window opens.
c In the Parameter value field, type the host name of the web server that has the IP address you are
using in this rule.
d Click OK.
The window closes and the host name appears in the Add Set Property window.
11 Click OK.
The window closes and the event for setting the URL.Host property appears under Events.
12 Click Finish.
The Add Rule window closes and the new rule appears within the rule set that you have created for
the value-setting rules.
13 Click Save Changes.
Complete optional activities for a reverse HTTPS proxy configuration
In addition to configuring the network setup and the SSL certificate handling, you can complete
several other activities, which are optional, to ensure a smooth operation of the reverse HTTPS proxy.
• Deactivate proxy loop detection
• Restrict access to appliance ports
• Restrict access to web servers
• Address multiple web servers
Tasks
• Deactivate proxy loop detection on page 141
An appliance can detect proxy loops by evaluating the Via header of a client request. We
recommend that you deactivate this detection process in a reverse HTTPS proxy
configuration.
• Restrict access to appliance ports on page 142
In a reverse HTTPS proxy configuration, access should be restricted to the proxy ports of
an appliance. You need to configure the user interface and file server settings accordingly.
• Restrict access to web servers on page 142
A reverse HTTPS proxy configuration is usually implemented to protect a limited number of
web servers against unwanted data uploads from clients. In this configuration, you should
allow access to these servers only and block it for others.
• Address multiple web servers on page 145
You can let an appliance forward consecutive requests to different web servers to achieve
load balancing and ensure redundancy.
Deactivate proxy loop detection
An appliance can detect proxy loops by evaluating the Via header of a client request. We recommend
that you deactivate this detection process in a reverse HTTPS proxy configuration.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to deactivate proxy loop detection for and
click Proxies (HTTP(S), FTP, ICAP, and IM).
3 In the Advanced Settings section, deselect HTTP(S): Inspect Via header to detect proxy loops.
4 Click Save Changes.
Restrict access to appliance ports
In a reverse HTTPS proxy configuration, access should be restricted to the proxy ports of an appliance.
You need to configure the user interface and file server settings accordingly.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to restrict port access for and click User
Interface.
3 Under HTTP Connector Port, enter the appliance proxy port (default: 9090).
4 Select File Server.
5 Under HTTP Connector Port, enter the appliance proxy port (default: 9090).
6 Click Save Changes.
Restrict access to web servers
A reverse HTTPS proxy configuration is usually implemented to protect a limited number of web
servers against unwanted data uploads from clients. In this configuration, you should allow access to
these servers only and block it for others.
After access to other servers has been requested and blocked, we also recommend that you let the
appliance close these connections.
To restrict access:
• Create a list of the web servers you want to protect.
• Create a rule set for a blocking rule.
• Create a rule that blocks access to other web servers and closes connections to clients after
blocking their requests.
Tasks
• Create a list of protected web servers on page 142
You can create a list of the web servers that you want to protect in a reverse HTTPS proxy
configuration.
• Create a rule set for a blocking rule on page 143
You can create a rule set for the rule that blocks access to web servers in a reverse HTTPS
proxy configuration.
• Create a rule to block access to web servers on page 144
You can create a rule for blocking access to web servers when these are not on the list of
protected servers in a reverse HTTPS proxy configuration.
Create a list of protected web servers
You can create a list of the web servers that you want to protect in a reverse HTTPS proxy configuration.
Task
1 Select Policy | Lists.
2 Above the lists tree, click Add.
The Add List window opens.
3 Configure the following settings for the list:
• Name — List name, for example, Protected web servers
• [Optional] Comment — A plain-text comment on the new list
• Type — Wildcard Expression
4 [Optional] Click the Permissions tab and configure who is allowed to access the list.
5 Click OK.
The window closes and the new list appears on the lists tree under Custom Lists | WildcardExpression.
6 To fill the list with entries, click Add above the settings pane.
The Add Wildcard Expression window opens.
To add multiple entries at once, click Add Multiple.
7 Enter one or more wildcard expressions matching the URLs for the web servers you want to
protect. Separate multiple entries by commas.
8 Click OK.
The window closes and the new entries appear on the list.
9 Click Save Changes.
Create a rule set for a blocking rule
You can create a rule set for the rule that blocks access to web servers in a reverse HTTPS proxy
configuration.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, navigate to the position where you want to insert the rule set.
3 Above the tree, click Add and select Rule Set.
The Add New Rule Set window opens.
4 Under Name, enter a name for the new rule set, for example, Block web servers in a reverse
HTTPS proxy configuration.
5 Make sure Enable is selected.
6 Under Applies to, select Requests and IM.
7 Under Apply this rule set, select If the following criteria is matched. Then click Add.
The Add Criteria window opens.
8 Configure the rule set criteria as follows:
a From the Property list, select URL.Protocol.
b From the Operator list, select equals.
c Under Operand, type https.
d [Optional] Under Comment, type a plain-text comment on the new rule set.
9 [Optional] Click the Permissions tab and configure who is allowed to access the rule set.
10 Click OK.
The window closes and the new rule set appears on the rule sets tree.
Create a rule to block access to web servers
You can create a rule for blocking access to web servers when these are not on the list of protected
servers in a reverse HTTPS proxy configuration.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the rule set you have created for the blocking rule, for example, Block
web servers in a reverse HTTPS proxy configuration.
3 Click Add Rule.
The Add Rule window opens with the Name step selected.
4 In the Name field, type a name for the rule, for example, Allow access only to protected web
servers.
5 Select Rule Criteria, then If the following criteria is matched and click Add.
The Add Criteria window opens.
6 Configure the rule criteria as follows:
a From the list of properties in the left column, select URL.Host.
b From the list of operators in the middle column, select matches in list.
c From the list of operands in the right column, select the web server list you configured, for
example, Protected web servers.
7 Click OK.
The window closes and the new criteria appears under Rule Criteria.
8 Click Action, select Block and leave the default settings for this action.
9 Click Events, then Add and from the drop-down list that appears, select Event.
The Add Event window opens.
10 Configure an event as follows:
a From the Event list, select Enable Proxy Control.
b From the Settings list, select Do not keep connection to client persistent.
11 Click OK.
The window closes and the new event appears under Events.
12 Click Finish.
The Add Rule window closes and the rule appears within the new rule set that you have created.
13 Click Save Changes.
Address multiple web servers
You can let an appliance forward consecutive requests to different web servers to achieve load
balancing and ensure redundancy.
To implement this, you need to:
• Import the Next Hop Proxy rule set from the rule set library
• Create a list of next-hop proxies
• Create next-hop proxy settings
• Create a rule that uses the list and the settings to trigger the Enable Next Hop Proxy event when a
web server from the list of protected servers is requested.
The rule also uses a list of protected servers. For this list, you can use the one that you created to
restrict access to these servers.
Tasks
• Create a list of next-hop proxies on page 145
You can create a list of the web servers that are addressed as next-hop proxies when a
suitable rule triggers the Enable Next Hop Proxy event.
• Create next-hop proxy settings on page 146
You can create next-hop proxy settings for the rule that triggers the Enable Next Hop Proxy
event when a server from the list of protected web servers is requested.
• Create a rule for the Enable Next Hop Proxy event on page 146
You can create a rule that triggers the Enable Next Hop Proxy event when a server from the list
of protected web servers is requested.
Create a list of next-hop proxies
You can create a list of the web servers that are addressed as next-hop proxies when a suitable rule
triggers the Enable Next Hop Proxy event.
Task
1 Select Policy | Lists.
2 Above the lists tree, click Add.
The Add List window opens.
3 Configure the following settings for the list:
• Name — List name, for example, Protected web servers as next-hop proxies
• [Optional] Comment — Plain-text comment on the new list
• Type — NextHopProxy
4 [Optional] Click the Permissions tab and configure who is allowed to access the list.
5 Click OK.
The window closes and the new list appears on the lists tree under Custom Lists | NextHopProxy.
6 To fill the list with entries, click Add above the settings pane.
The Add Wildcard Expression window opens.
To add multiple entries at once, click Add Multiple.
7 Enter one or more wildcard expressions matching URLs for the web servers you want to address.
Separate multiple entries by commas.
8 Click OK.
The window closes and the new entries appear on the list.
9 Click Save Changes.
Create next-hop proxy settings
You can create next-hop proxy settings for the rule that triggers the Enable Next Hop Proxy event
when a server from the list of protected web servers is requested.
Task
1 Select Policy | Settings.
2 On the settings tree, select Enable Next Hop Proxy and click Add.
The Add Settings window opens.
3 Configure the following settings parameters:
• Name — Settings name, for example, Protected web servers
• [Optional] Comment — A plain-text comment on the new settings
4 Under Next Hop Proxy Servers configure the following:
a From the List of next hop proxy servers, select the next-hop proxy list you created, for example,
Protected web servers as next-hop proxies.
b Make sure Round Robin is selected.
c Deselect Proxy style requests.
5 Click OK.
The window closes and the new settings appear on the settings tree.
6 Click Save Changes.
Create a rule for the Enable Next Hop Proxy event
You can create a rule that triggers the Enable Next Hop Proxy event when a server from the list of
protected web servers is requested.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the Next Hop Proxy rule set.
The rules of this rule set appear on the settings pane.
3 Click Add Rule.
The Add Rule window opens with the Name step selected.
4 In the Name field, type a name for the rule, for example, Address protected web servers as
next-hop proxies.
5 Select Rule Criteria, then If the following criteria is matched, and click Add.
The Add Criteria window opens.
6 Configure the rule criteria as follows:
a From the list of properties in the left column, select URL.Host.
b From the list of operators in the middle column, select does not match in list.
c From the list of operands in the right column, select the web server list you configured to
restrict access to these servers, for example, Protected web servers.
7 Click OK.
The window closes and the new criteria appears under Rule Criteria.
8 Click Action, and leave the default Continue.
9 Click Events, then Add and from the drop-down list that appears, select Event.
The Add Event window opens.
10 Configure an event as follows:
a From the Event list, select Enable Next Hop Proxy.
b From the Settings list, select the settings you configured for this rule, for example, Protected web
servers.
11 Click OK.
The window closes and the new event appears under Events.
12 Click Finish.
The Add Rule window closes and the new rule appears within the Next Hop Proxy rule set.
13 Click Save Changes.
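As an added example (not code from this guide or from Web Gateway), the following script models how the rule sets of the preceding sections work together for a DNS-redirected reverse HTTPS proxy: the rules that set URL.Host from URL.Destination.IP, the blocking rule with its connection-closing event, and the round-robin next-hop selection. The criteria are modelled on the rule names and section summaries (block when the requested host is not on the protected list, use a next-hop proxy when it is); apart from the guide's 10.141.101.51, every address, host name and list entry is constructed, and the host:port form of the next-hop entries is an assumption.

```javascript
// Added example, not code from the McAfee guide: a model of the rule sets the
// guide describes for a DNS-redirected reverse HTTPS proxy, run in the order
// 1) set URL.Host from URL.Destination.IP, 2) block hosts that are not on the
// "Protected web servers" list and close the client connection, 3) choose a
// next-hop proxy round robin. Criteria follow the rule names and section
// summaries. 10.141.101.51 is the guide's example address; every other address,
// host name and list entry is constructed sample data.

// Rule set "Set value of URL.Host to IP address": one rule per listener IP,
// criterion "URL.Destination.IP equals <ip>", event Set Property Value
// URL.Host = <host name>.
const URL_HOST_RULES = {
  "10.141.101.51": "www.example.test",
  "10.141.101.52": "shop.example.test",
};

// List "Protected web servers" (type Wildcard Expression).
const PROTECTED_WEB_SERVERS = ["www.example.test", "shop.example.test"];

// List "Protected web servers as next-hop proxies" (type NextHopProxy). The
// host:port form of its entries is an assumption of this model.
const NEXT_HOP_PROXIES = ["10.141.101.51:443", "10.141.101.52:443"];

// "matches in list" against a Wildcard Expression list: * matches any run of
// characters, ? matches a single character, everything else is literal.
function matchesInList(value, list) {
  return list.some((pattern) => {
    const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                            .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re, "i").test(value);
  });
}

// Round-robin position kept across requests, as the Enable Next Hop Proxy
// settings keep it on the appliance.
let nextHopIndex = 0;

// Evaluate one request. destinationIP is URL.Destination.IP (the listener
// address the DNS entry pointed the client at); host is what the request
// carried as URL.Host before any rule ran ("" when nothing usable, e.g. no SNI).
function evaluateRequest(destinationIP, host) {
  const props = { "URL.Destination.IP": destinationIP, "URL.Host": host || "" };

  // Rule set 1 (Applies to: Requests, apply Always): map the IP to a host name.
  const mapped = URL_HOST_RULES[props["URL.Destination.IP"]];
  if (typeof mapped === "string") {
    props["URL.Host"] = mapped;
  }

  // Rule set 2 (applies when URL.Protocol equals https): rule "Allow access
  // only to protected web servers", action Block, event Enable Proxy Control
  // with "Do not keep connection to client persistent". An unmapped IP with no
  // usable host name ends here, since an empty URL.Host matches no list entry.
  if (!matchesInList(props["URL.Host"], PROTECTED_WEB_SERVERS)) {
    return {
      action: "Block",
      urlHost: props["URL.Host"],
      keepClientConnection: false,
      nextHop: null,
    };
  }

  // Rule set 3 (Next Hop Proxy): action Continue, event Enable Next Hop Proxy
  // with Round Robin selected and Proxy style requests deselected.
  const hop = NEXT_HOP_PROXIES[nextHopIndex % NEXT_HOP_PROXIES.length];
  nextHopIndex += 1;
  return {
    action: "Continue",
    urlHost: props["URL.Host"],
    keepClientConnection: true,
    nextHop: hop,
  };
}
```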
Proxy auto-configuration
One or more proxy auto-configuration (PAC) files can be made available on an appliance for web
browsers on clients. The browsers can use them to find proxies for accessing particular web pages.
A proxy auto-configuration file usually has .pac as its file name extension. There can be several of
them on an appliance, for example, a proxy.pac and a webgateway.pac.
Under the WPAD (Web Proxy Auto-Discovery) protocol, a proxy auto-configuration file must have
wpad.dat as its file name. Therefore, it can exist on an appliance only once.
Make a .pac file available
You can make a .pac file available for proxy auto-configuration to a web browser on a client.
Task
1 Store the .pac file in the /opt/mwg/files folder on the appliance.
2 Start the browser and navigate to the network configuration settings.
3 In the Connection section, click Settings.
4 Select Automatic proxy configuration URL, then enter the path and file name for the .pac file.
For example, enter:
http://mwgappl.webwasher.com:4711/files/proxy.pac
If you want the clients to use a dedicated port for downloading the file, you must first configure
this port.
If no dedicated port is used, clients are directed to the HTTP port for the user interface (the default
port number is 4711).
5 Click OK.
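The following proxy.pac is an added example, not a file shipped with Web Gateway: it sends browser traffic to the appliance on its default proxy port 9090, bypasses the appliance for intranet hosts, and deliberately omits a DIRECT fallback so that a browser cannot fail open when the appliance is unreachable. The appliance host name mwgappl.webwasher.com is taken from the guide's example URL; the internal domain, the second appliance and the guarded helper definitions are assumptions, and the same content stored as wpad.dat serves WPAD auto-detection.

```javascript
// Added example proxy.pac (not part of the Web Gateway product): route browser
// traffic to the appliance's proxy port 9090. Stored as /opt/mwg/files/proxy.pac
// it is served at http://mwgappl.webwasher.com:4711/files/proxy.pac; the same
// script saved as wpad.dat works for WPAD auto-detection.

// Browsers supply shExpMatch(), isPlainHostName() and dnsDomainIs() to PAC
// scripts. The guarded definitions below are stand-ins (an assumption of this
// example) so the file can also be exercised offline, e.g. under Node; a
// browser keeps its own versions because these only load when none exist.
if (typeof shExpMatch !== "function") {
  // Shell-style pattern match: * = any run of characters, ? = one character.
  globalThis.shExpMatch = function (str, shexp) {
    var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}
if (typeof isPlainHostName !== "function") {
  // True for single-label names such as "intranet" (no dot anywhere).
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof dnsDomainIs !== "function") {
  // True when host ends with the given domain suffix, e.g. ".corp.example".
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

// Assumed values for this example: the appliance from the guide's URL, a
// second (constructed) appliance as fallback, and a constructed internal domain.
var PRIMARY_APPLIANCE = "mwgappl.webwasher.com:9090";
var BACKUP_APPLIANCE = "mwgappl2.webwasher.com:9090";
var INTERNAL_DOMAIN = ".corp.example";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet names and the internal domain do not pass through the appliance.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // The appliances themselves (the PAC download on port 4711, the user
  // interface) are fetched without a proxy so that they are never looped back
  // through the proxy port.
  if (shExpMatch(host, "mwgappl*.webwasher.com")) {
    return "DIRECT";
  }

  // Everything else is filtered by the appliance. No "; DIRECT" at the end:
  // with it, browsers would silently bypass filtering whenever both
  // appliances are unreachable (fail open); without it they fail closed.
  return "PROXY " + PRIMARY_APPLIANCE + "; PROXY " + BACKUP_APPLIANCE;
}
```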
Create a rule for downloading a wpad.dat file
To enable the download of a wpad.dat file by a web browser on a client, you need to configure a rule
that forwards the download request to the appropriate port on an appliance.
Task
1 On the user interface of the appliance, select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to make the wpad.dat file available on and
click Port Forwarding.
3 Under Port Forwarding Rules, click Add.
The Add AppliancePortForwarding window opens.
4 Configure settings for a port forwarding rule as follows:
• Source Host — 0.0.0.0
• Target Port — 80
• Destination Host — 127.0.0.1
• Destination Port — <File download port>
As <File download port>, enter the HTTP port for the user interface of the appliance (default:
4711) or a dedicated port that you have configured.
5 Click OK.
The window closes and the rule appears in the list.
Configure auto-detection of a wpad host
You can let a web browser use auto-detection to find the appliance as the host where a wpad.dat file is
stored.
Task
1 Start the web browser and go to the network configuration settings.
2 In the Connection section, click Settings.
3 Select Auto-detect proxy settings for this network.
4 Click OK.
Using the Helix proxy
The Helix proxy is a third-party proxy for handling real-time streaming data.
It is initially not accessed from the user interface of the appliance, but from a command line interface,
which is, for example, provided on your administration system.
After accessing the Helix proxy, you can administer it on its own user interface.
Configure use of the Helix proxy
You can configure the use of the Helix proxy from a command line interface.
Task
1 On the command line interface, enter an activation command for the Helix proxy.
This command could, for example, look as follows:
service helix-proxy activate
You are asked to enter a user name and password for the initial administrator account.
2 Enter both.
The Helix proxy is started.
After the start, you can find configuration files for the proxy in the /opt/helix-proxy folder on the
appliance and modify them manually as needed.
3 Connect to the user interface of the Helix proxy using the following URL:
http://<IP address of the Helix proxy>:21774/admin/index.html
The user interface appears and displays a logon window.
4 Enter the user name and password from Step 2.
After a successful logon, the user interface of the Helix proxy becomes accessible.
5 Use this interface for further configuration of the Helix proxy as needed.
6 Configure your RealPlayer application to use the appliance as a proxy.
This can be done, for example, in the following way:
a Start RealPlayer.
b On its user interface, go to the proxy settings.
c In the appropriate input field, for example, the RTSP (Real-Time Streaming Protocol) field, enter
the IP address of the appliance with 554 as the port number.
5
Central Management
Central Management allows you to administer multiple appliances that you have set up within your
network as nodes in a common configuration.
When administering a Central Management configuration, you are dealing mainly with:
• Nodes — An appliance can be set up as a node that is connected to other nodes and can send and
receive data to and from them to perform updates, backups, downloads and other activities.
• Node groups — Nodes are assigned to different types of node groups that allow data transfer in
different ways.
• Scheduled jobs — Data can be transferred according to different kinds of schedules that you can
configure.
Update schedules can also be configured for the nodes in a Central Management configuration
specifying the time when updates should be performed and when not.
Contents
Central Management configuration
Configure Central Management
Add an appliance to a Central Management configuration
Configure the Central Management settings
Assign a node to node groups
Best practices - Configuring node groups in a Central Management configuration
Verify the synchronization of nodes
Add a scheduled job
Update the appliance software in a Central Management configuration
Central Management settings
Central Management configuration
In a Central Management configuration, multiple appliances run as nodes and can be administered
from any node according to what you have configured.
The nodes in a Central Management configuration are connected within your network as follows:
• Each node is connected to client systems of your network that direct their web traffic to it.
• Nodes are assigned to node groups.
• Node groups allow common administration activities for the group members, for example,
transferring data for updates from one node to another node or several other nodes.
When configuring appliances as nodes, you must make sure that they can connect to
("see") each other. The default port on an appliance that listens to messages from
other appliances is 12346.
Using the ping command is a method to verify that appliances can connect. This
method is, however, not applicable to all networks.
• There are different types of node groups that allow different kinds of data transfer between the
group members.
A Central Management configuration of multiple Web Gateway appliances is sometimes
referred to as a cluster.
However, it is a cluster in the sense of a High Availability cluster with fail-over functions only
if you configure the Proxy HA (High Availability) mode for the proxy functions of the
appliances that are involved.
The following diagram shows several appliances that run as nodes in a Central Management
configuration.
Figure 5-1 Central Management configuration
Types of node groups
The nodes of a Central Management configuration can be assigned to node groups.
Node groups have names and differ with regard to their types. There are the following types of node
groups:
• Runtime group — A node that is a member of a runtime group can share runtime data with all
other nodes in the group.
Runtime data is data that is created at runtime on an appliance. For example, the amount of time
that is left for a user at a given point in time when a quota restriction has been imposed on web
usage is runtime data.
A node can only be a member of one particular runtime group.
• Update group — A node that is a member of an update group can share updates with all other
nodes in the group.
A node can only be a member of one particular update group.
• Network group — A node that is a member of a network group can immediately connect to all
other nodes in the group.
A node can be a member of different network groups at the same time.
When a node is a member of different node groups, for example, of groups A and B, it is possible
to transfer data through that node from other nodes in group A that are not members of group B to
nodes in group B that are not members of group A.
Scheduled jobs
You can schedule jobs on an appliance, such as creating a configuration backup or downloading files,
for execution at a particular time and date or at regular intervals.
You can also configure the schedule on the user interface of the appliance you are currently working
on and have the job executed on another node of the same Central Management configuration.
Configure Central Management
You can configure Central Management for multiple appliances within your network to administer them
as nodes in a common configuration.
Complete the following high-level steps.
Task
1 Begin with configuring Central Management on the user interface of an appliance within your network and add at least one other appliance as a node in a common configuration.
Appliances are not by default included as nodes in any Central Management configuration, so all relevant activities must be performed by the administrator.
For all these activities, you work with the options on the Appliances tab of the Configuration top-level menu.
To add a node to a configuration, you need to configure at least the following:
• Host name or IP address of the appliance you want to add as a node
• Membership of the node in a network node group
You can also configure the following settings for a node:
• IP addresses and ports that should be used for communication with other nodes
• Membership in runtime and update node groups
• Scheduled jobs
• Updates
Repeat these activities for any other appliance you want to add as a node to the configuration.
2 After initially setting up a Central Management configuration, perform more configuration activities as needed.
You can, for example, do the following:
• Review the settings for Central Management on any node of the configuration and modify them
You can review and modify settings for any node on the user interface of any other node of the configuration.
• Add one or more new nodes to the configuration
3 Save your changes.
Add an appliance to a Central Management configuration
You can add an appliance as a node to a Central Management configuration and assign it to a network
group.
Task
1 On the user interface of an appliance, select Configuration | Appliances.
2 On the appliances toolbar, click Add.
The Add Appliance window opens.
3 In the Host name or IP field, type the host name or the IP address of another appliance within your network.
4 From the Network group list, select a network group for the appliance.
5 Click OK.
The window closes and the appliance appears on the appliances tree.
It is now a node in a Central Management configuration with the appliance you have been working on to complete the addition.
Configure the Central Management settings
You can configure the Central Management settings to enable the administration of multiple appliances
as nodes in a common configuration.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure settings for and click Central Management.
The Central Management settings appear on the settings pane.
3 Configure these settings as needed.
4 Click Save Changes.
Assign a node to node groups
You can assign an appliance that is a node in a Central Management configuration to node groups of different types to allow different kinds of data transfer between nodes.
The procedure for assigning a node to a runtime or an update group is nearly the same.
The procedure for a network group is different because a node can be a member in more than one
network group.
Tasks
• Assign a node to a runtime group on page 155
You can assign a node to a runtime group by typing the group name in the appropriate input field.
• Assign a node to an update group on page 156
You can assign a node to an update group by typing the group name in the appropriate input field.
• Assign a node to network groups on page 156
You can assign a node to one or more network groups by entering the group name or names into the appropriate list.
Assign a node to a runtime group
You can assign a node to a runtime group by typing the group name in the appropriate input field.
Task
1 On the user interface of an appliance, select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to assign as a node to a runtime group and click Central Management.
3 In the Group runtime field of the section This Node Is a Member of the Following Groups, type the name of the runtime group you want to assign the node to.
When typing the name, be sure to overwrite all, which appears in the field as the default name for a runtime group.
This default name is provided to give you the option of not using different runtime groups, but having only one runtime group for all nodes.
If you delete the default all and do not enter a name, you assign the node to a group anyway, one that has an empty string as its name.
4 To include another node in the same runtime group, select this node on the appliances tree, click Central Management again, and type the same name in the Group runtime field.
Repeat this procedure for every node you want to include in the same runtime group.
5 Click Save Changes.
Assign a node to an update group
You can assign a node to an update group by typing the group name in the appropriate input field.
Task
1 On the user interface of an appliance, select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to assign as a node to an update group and click Central Management.
3 In the Group update field of the section This Node Is a Member of the Following Groups, type the name of the update group you want to assign the node to.
The procedure is the same as the one for assigning a node to a runtime group.
To include other nodes in the group, also proceed in the same way as for a runtime group.
4 Click Save Changes.
Assign a node to network groups
You can assign a node to one or more network groups by entering the group name or names into the
appropriate list.
Task
1 On the user interface of an appliance, select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to assign as a node to one or more network groups and click Central Management.
3 To assign the node to a network group other than the default all group, click the Add icon on the toolbar of the Group network inline list.
The Add String window opens.
The default group is provided to give you the option of not using different network groups, but having only one network group for all nodes.
If you want to have more than one network group, you should delete the all group or rename it.
4 Configure a new network group.
a In the Name field, type a name for the network group.
b [Optional] In the Comment field, type a plain-text comment on the network group.
c Click OK.
The window closes and the new network group appears in the Group network inline list.
The node is now a member of this network group.
You can also add multiple network groups at once by clicking the Add multiple icon and working with the Add Strings window that opens.
In the window, you can enter multiple group names, using a new line for each of them.
The window also provides options for adding the same comment to all groups or different comments to individual groups.
5 To include another node in the same network group or groups, select this node on the appliances tree, click Central Management again, and enter the same group name or names in the Group network inline list.
Repeat this procedure for every node you want to include in the same network group or groups.
6 Click Save Changes.
Best practices - Configuring node groups in a Central Management configuration
In a Central Management configuration, nodes are assigned to node groups, which enables different
ways of communication between the nodes.
Node groups can also include nodes that are installed in different physical locations.
Before you begin to configure these groups, make sure the following applies:
• Appropriate routes are configured in your network to allow communication between nodes.
If nodes in different locations are protected by firewalls, they must allow use of the port that is configured on each node for communication with other nodes (default port: 12346).
• Time is synchronized. Node communication depends on this when it is determined which node has the most up-to-date configuration.
We highly recommend that you configure the use of an NTP server on each node for automatic synchronization. This is done as part of configuring the Date and Time settings of the Configuration top-level menu.
If you are not using an NTP server for your network, you can configure the default server that is provided by McAfee at ntp.webwasher.com.
• The same version and build of Web Gateway is running on all appliances that are configured as nodes.
Small sample configuration
In this sample configuration, there are two different locations (Tokyo and New York) with two nodes
each. In both locations, the nodes are assigned to their own runtime, update, and network groups.
The group names are tokyo and newyork, respectively, for all types of groups.
One node in each location is also assigned to the transit network group, which is the same for both
locations.
The following diagram shows this configuration.
This way, the following is achieved:
• Policy changes that an administrator configures on any node are distributed to all other nodes, due to the existence of a transit group node in each location. This ensures the web security policy remains the same on all nodes.
The changes are transferred, for example, from the non-transit node in New York to the transit node because both are in one network group. They are then transferred from this transit node to the node in Tokyo, again, because both are in one network group, the transit group.
Finally, the changes are transferred from the Tokyo transit node to the other node in this location.
• Updates of anti-malware and URL filtering information for the respective modules (engines) of Web Gateway are only distributed between nodes in Tokyo and between nodes in New York.
This allows you to account for differences in the network structure of locations, which is advisable regarding the download of potentially large update files.
Nodes in one location with, for example, fast connections and LAN links can share these updates, while they are not distributed between these nodes and those in other locations with, for example, slower connections and WAN links.
We generally recommend that you include only nodes of one location in the same update group.
• Runtime data, for example, the quota time consumed by users, is only distributed between nodes in Tokyo and between nodes in New York.
This makes sense, as users in one location will probably only be directed to the local nodes when requesting web access. So it would not be required for a node in New York to be informed about, for example, the remaining quota time of a user in Tokyo.
If the nodes in one location are assigned to different user groups with regard to their web access, you can also configure these nodes in different runtime groups to avoid an information overhead on any node.
Larger sample configuration
Not more than 10 nodes should be configured for a network group together with a transit node. This
means that in larger locations, you need to configure more than one node for the transit network
group.
In the following sample configuration, there are 22 nodes in one location (Tokyo), which are split into
two network groups (toknet1 and toknet2), both of which include one node that is also a member of
the transit group.
The 18 nodes in the second location (New York) are configured in the same way, whereas the 9 nodes
in the third location (Paderborn) are all in one network group with one node that is also in the transit
group.
The following diagram shows this configuration.
Regarding runtime and update node groups, there is one of each type for every location.
Policy changes, updates of anti-malware and URL filtering information, as well as sharing of runtime
data are handled in the same way as for the smaller sample configuration.
Verify the synchronization of nodes
The user interface displays, among other general information, a timestamp for each node in a Central
Management Configuration, which allows you to verify whether all nodes are synchronized.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select Appliances (Cluster).
Status and general information about the configuration and its nodes appears on the settings pane.
Under Appliances Information, a list is shown that contains a line with information for every node. The timestamp is the last item in each line.
3 Compare the timestamps for all nodes.
If they are the same for all nodes, the Central Management configuration is synchronized.
Add a scheduled job
You can add a scheduled job to a list of jobs to let them be executed according to a time schedule that
you configure.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to add a scheduled job on and click Central Management.
3 On the settings pane, expand the Advanced Scheduled Jobs section.
The list of scheduled jobs appears.
4 On the toolbar above the list, click Add.
The Add Scheduled Job window opens.
5 Configure settings for the scheduled job.
6 Click OK.
The window closes and the new scheduled job appears on the job list.
7 Click Save Changes.
Update the appliance software in a Central Management configuration
To update the appliance software on the nodes of a Central Management configuration, you can
perform the update procedure from the user interface of one of the nodes, which is itself the last to be
updated.
Before you begin
Make sure you have created a backup of the current configuration.
Task
1 Install a repository with the product version you want to update to on each appliance that is a node in the configuration.
a Log on to an appliance from a system console using SSH.
b Run the following command:
yum install yumconf-<version number>-mwg
yumconf-<version number>-mwg is the repository name. The digits of the version number must be separated by dots.
2 Log on to the user interface of one appliance in the configuration.
3 Select Configuration | Appliances.
On the appliances tree, select an appliance other than the one you have logged on to.
4 Update each appliance on the appliances tree, except the appliance you are working from.
a On the appliances tree, select an appliance.
b On the toolbar above the settings pane, click Update appliance software.
5 When all other appliances that are nodes in the configuration are running their updates, perform the update for the appliance you are working from.
a Select the appliance on the appliances tree.
b Click Update appliance software.
If the nodes in a configuration are assigned to different network groups, with some nodes being members of more than one group, we recommend that you:
• Perform the update procedure from one of the nodes with multiple membership.
• Update any other node with multiple membership at the end of the procedure.
• Update the node you are working from last.
For example, you have network group A with nodes 1, 2, 3, 4 and network group B with nodes 3, 4, 5, 6. Then choose node 3 or 4 to perform the update procedure from. Update nodes 1, 2, 5, 6 first, then 4 (if you have chosen 3 to perform the procedure from), and finally 3.
The appliance software is now updated.
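As an added example (not part of this guide or of the product), the following Python script models the network group rules from the best practices section and from the update procedure above: which nodes a policy change can reach through transit nodes in the two sample configurations, whether a network group holds more than the recommended 10 nodes beside a transit node, and the recommended update order for groups A and B. The node names and the reading of the 10-node limit as "10 nodes plus the transit node" are assumptions.

```python
"""Model of Central Management network groups (constructed example).

A node can connect directly only to nodes that share a network group with it;
a node in several groups (a transit node) relays data between those groups.
"""
from collections import deque

# Constructed sample: the small two-location configuration (Tokyo, New York).
# Maps network group name -> member node names (names are assumptions).
SMALL_CONFIG = {
    "tokyo": {"tok1", "tok2"},
    "newyork": {"ny1", "ny2"},
    "transit": {"tok1", "ny1"},
}

# Constructed sample: the larger configuration, 22 Tokyo nodes split 11/11,
# 18 New York nodes split 9/9, 9 Paderborn nodes, one transit node per group.
LARGE_CONFIG = {
    "toknet1": {f"tok{i:02d}" for i in range(1, 12)},
    "toknet2": {f"tok{i:02d}" for i in range(12, 23)},
    "nynet1": {f"ny{i:02d}" for i in range(1, 10)},
    "nynet2": {f"ny{i:02d}" for i in range(10, 19)},
    "padnet": {f"pad{i:02d}" for i in range(1, 10)},
    "transit": {"tok01", "tok12", "ny01", "ny10", "pad01"},
}

# Constructed sample: groups A and B from the update-procedure example.
UPDATE_CONFIG = {
    "A": {"1", "2", "3", "4"},
    "B": {"3", "4", "5", "6"},
}


def memberships(groups):
    """Invert group -> nodes into node -> set of group names."""
    result = {}
    for group, nodes in groups.items():
        for node in nodes:
            result.setdefault(node, set()).add(group)
    return result


def reachable_nodes(groups, start):
    """Return {node: hop count} for every node a change made on `start` can
    reach, following only direct (shared-group) connections (BFS)."""
    by_node = memberships(groups)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for group in by_node.get(node, ()):
            for peer in groups[group]:
                if peer not in hops:
                    hops[peer] = hops[node] + 1
                    queue.append(peer)
    return hops


def oversized_groups(groups, transit="transit", limit=10):
    """Return names of network groups that contain a transit node and more
    than `limit` other nodes (assumption: the guide's 'not more than 10 nodes
    together with a transit node' counts the nodes beside the transit node)."""
    transit_nodes = groups.get(transit, set())
    bad = []
    for name, nodes in groups.items():
        if name == transit:
            continue
        if nodes & transit_nodes and len(nodes - transit_nodes) > limit:
            bad.append(name)
    return sorted(bad)


def update_order(groups, working):
    """Order in which to update nodes when working from `working`:
    single-membership nodes first, then other multi-membership nodes,
    and `working` last. `working` itself must have multiple memberships."""
    by_node = memberships(groups)
    if len(by_node.get(working, ())) < 2:
        raise ValueError(f"{working!r} is not a member of more than one group")
    single = sorted(n for n, g in by_node.items() if len(g) == 1)
    multi = sorted(n for n, g in by_node.items() if len(g) > 1 and n != working)
    return single + multi + [working]


if __name__ == "__main__":
    print("hops from ny2:", reachable_nodes(SMALL_CONFIG, "ny2"))
    print("nodes reachable from pad09:", len(reachable_nodes(LARGE_CONFIG, "pad09")))
    print("oversized groups:", oversized_groups(LARGE_CONFIG))
    print("update order from node 3:", update_order(UPDATE_CONFIG, "3"))
```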
Central Management settings
The Central Management settings are used for configuring appliances that you administer as nodes in
a common configuration.
Central Management Settings
Settings for basic communication parameters of a node in a Central Management configuration
Table 5-1 Central Management Settings
Option
Definition
IP addresses and ports of this node for Central Management communication
Provides a list for entering the IP addresses and port numbers that a node uses to communicate with other nodes in a Central Management configuration.
Timeout for distributing messages to other nodes
Limits the time (in seconds) that is allowed for another node to respond to a message from the current node to the specified value.
The time can range from 10 to 600 seconds.
It is set on a slider scale.
The following table describes the elements of an entry in the IP addresses and ports list.
Table 5-2 IP addresses and ports – List entry
Option
Definition
String
Specifies the IP address and port number for a node.
Comment
Provides a plain-text comment on an IP address and a port number.
Advanced Management Settings
Settings for advanced administration of a Central Management configuration
Table 5-3 Advanced Management Settings
Option
Definition
Multiplier for timeout when distributing over multiple nodes
Sets a factor for increasing the time interval that has been configured under Timeout for distributing messages to other nodes in the Central Management Settings section.
Increasing the time interval gives messages more time to proceed from one node to another, from there to the next node, and so on.
The interval can be increased by a value between 1 and 2.
The value is set on a slider scale.
Node priority
Sets the priority that a node takes within a node group.
The highest priority is 1.
If the configuration data on a node is no longer synchronized with that of other nodes, for example, because the node has been down for some time, the node receives the most recent configuration data from the node with the highest priority.
If this is not your intention, make sure that all nodes have the same priority, which is also the recommended setting.
The priority of a node can range from 1 to 100.
It is set on a slider scale.
Allow a GUI server to attach to this node
When selected, a server providing an additional user interface for the appliance is allowed to connect to the node.
Allow to attach a GUI server from non-local host
When selected, a server with an additional user interface that is not running on the current node is allowed to connect to the node.
GUI control address
Specifies the IP address and port number the additional user interface uses for connecting to the current node.
GUI request address
Specifies the IP address and port number of this server used when sending requests to it.
Contact other nodes unencrypted
When selected, messages sent from this node to other nodes in the configuration are not encrypted.
However, authentication using certificates is still performed.
Enable IP checking for other nodes
When selected, the IP address can be verified when messages are sent from this node to other nodes in the configuration.
This function is intended to increase web security, but can lead to problems for some network setups, for example, NAT setups.
Table 5-3 Advanced Management Settings (continued)
Option
Definition
Allowed time difference
Limits the time difference (in seconds) allowed for accepting configuration changes to the specified value.
The number of seconds can range from 10 to 600.
It is set on a slider scale.
Enable version checking for other nodes
When selected, the version of the appliance software is checked before configuration changes are distributed between nodes.
Configuration changes are not distributed to a node if the version of the appliance software on this node does not match the version on the node that distributes the changes.
• Level of version check – Sets a level of thoroughness when verifying the version of the appliance software.
The level is set on a slider scale. It can take the following values:
• 1 – Only major version number (7 in 7.3.0) must match.
• 2 – Minor version number (3 in 7.3.0) must also match.
• 3 – Feature version number (0 in 7.3.0) must also match.
• 4 – Maintenance version number (if any, for example, 1 in 7.3.0.1.2) must also match.
• 5 – Hotfix version number (if any, for example, 2 in 7.3.0.1.2) must also match.
• 6 – Build number (for example, 14379) must also match.
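As an added illustration, not code from the product, this Python snippet applies the six levels of the version check to the version strings and build numbers of two nodes and reports the first level at which they stop matching. Treating an absent maintenance or hotfix number as 0 is an assumption of this example.

```python
"""Version matching at the six levels of 'Level of version check'
(constructed example). Version strings follow the guide's form 7.3.0 or
7.3.0.1.2; the build number (for example 14379) is a separate integer."""

# Level -> name of the component that must additionally match at that level
LEVEL_NAMES = {1: "major", 2: "minor", 3: "feature",
               4: "maintenance", 5: "hotfix", 6: "build"}


def parse_version(version):
    """Split '7.3.0.1.2' into [7, 3, 0, 1, 2]. Major, minor and feature numbers
    are required; maintenance and hotfix numbers are optional ("if any")."""
    parts = version.strip().split(".")
    if not 3 <= len(parts) <= 5 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return [int(p) for p in parts]


def versions_match(version_a, build_a, version_b, build_b, level):
    """Return True if the two nodes' versions agree up to `level` (1 to 6).

    Levels 1 to 5 compare the first `level` numeric components; a component
    absent on one side (no maintenance or hotfix number) counts as 0, which is
    an assumption of this example. Level 6 additionally compares the build."""
    if level not in LEVEL_NAMES:
        raise ValueError(f"level must be between 1 and 6, got {level!r}")
    a, b = parse_version(version_a), parse_version(version_b)
    for i in range(min(level, 5)):
        if (a[i] if i < len(a) else 0) != (b[i] if i < len(b) else 0):
            return False
    return level < 6 or build_a == build_b


def first_mismatch(version_a, build_a, version_b, build_b):
    """Return the lowest level at which the two versions stop matching,
    or None when they agree at all six levels."""
    for level in range(1, 7):
        if not versions_match(version_a, build_a, version_b, build_b, level):
            return level
    return None


def may_distribute(sender, receiver, level):
    """Decide whether configuration changes may be distributed from `sender`
    to `receiver` (each a (version, build) pair) under the configured level."""
    return versions_match(sender[0], sender[1], receiver[0], receiver[1], level)


if __name__ == "__main__":
    sender = ("7.3.0.1.2", 14379)
    for receiver in [("7.3.0.1.2", 14379), ("7.3.0.1.3", 14380), ("7.4.0", 15000)]:
        level = first_mismatch(*sender, *receiver)
        print(receiver, "first mismatch at level", level, LEVEL_NAMES.get(level))
```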
This Node is a Member of the Following Groups
Settings for including a node in a group of nodes
Table 5-4 This Node is a Member of the Following Groups
Option
Definition
Group runtime
Determines the group of a node, in which runtime data can be shared with all nodes in the group, for example, time quotas.
Group update
Determines the group of a node, in which updates can be shared with all nodes in the group.
Group network
Determines the group of a node, in which the node can immediately connect to all other nodes in the group.
A node can be a member of more than one network group.
In this case, the nodes of a group that a node is a member of can connect through this node to nodes of another group that this node is also a member of.
All groups that a node is a member of are listed in the Group network list.
The following table describes the elements of a list entry in the group network list.
Table 5-5 Group network – List entry
Option
Definition
String
Specifies the name of a network node group.
Comment
Provides a plain-text comment on a network node group.
Automatic Engine Updates
Settings for scheduling automatic updates of database information for modules used in the filtering
process
Table 5-6 Automatic Engine Updates
Option
Definition
Enable automatic updates
When selected, database information is automatically updated.
Allow to download updates from the internet
When selected, database updates are downloaded from the internet.
Allow to download updates from other nodes
When selected, database updates are downloaded from other nodes in a Central Management configuration.
Update interval
Limits the time (in minutes) that elapses before database information is again updated to the specified value.
The time is set on a slider scale.
Allowed values range from 15 to 360.
CRL update interval
Limits the time (in hours) that elapses before certificate revocation lists used in filtering SSL-secured web traffic are updated to the specified value.
This update uses a method that differs from those of other updates and must therefore be configured separately.
The time is set on a slider scale.
Allowed values range from 3 to 168.
Enable update proxies
When selected, proxy servers are used for routing updated database information.
Update proxies (fail over)
Provides a list for entering the proxy servers that are used for routing updated database information.
The proxy servers are used in failover mode. The first server on the list is tried first and only if the configured timeout has elapsed is the next server tried.
The following table describes the elements of an entry in the Update proxies list.
Table 5-7 Update proxies – List entry
Option
Definition
Host
Specifies the host name or IP address of a server that is used as a proxy for routing updates.
Port
Specifies the port on a proxy that listens for update requests.
User
Specifies the user name of a user who is authorized to access a proxy for routing updates.
Password
Sets a password for this user.
Comment
Provides a plain-text comment on a proxy.
Advanced Update Settings
Settings for advanced update functions
Table 5-8 Advanced Update Settings
Option
Definition
Allow to upload updates to other nodes
When selected, updated database information can be uploaded from the appliance (as a node in a Central Management configuration) to other nodes.
The first time an update starts, it should wait an appropriate time before starting
Limits the time (in seconds) that elapses before an update is started to the specified value.
The first time an automatic update starts, it uses the startup interval to update
Limits the time (in seconds) that elapses between attempts to start an automatic update for the first time to the specified value.
Allowed values range from 5 to 1200.
During an update, the coordinator subsystem, which stores updated information on the appliance, tries to connect to the appliance core, where the modules reside that use this information.
A low value for this interval can therefore speed up updates because it reduces the time the coordinator might have to wait until the core is ready to receive data.
Allowed values range from 5 to 600.
Try to update with start interval
Limits the number of attempts (1 to 9) the appliance makes when trying to start an update to the specified value.
Use alternative URL
Specifies the URL of an update server that is used instead of the default server.
Verify SSL tunnel
When selected, a certificate sent to a node by an update server in SSL-secured communication is verified.
Enter a special custom parameter sequence for an update server
Updates of URL filtering information are taken from the URL filter database server that is specified by the URL entered here.
No updates should be made in defined time window
Provides a list for entering daily time slots during which no updates of database information should be made.
The following table describes the elements of an entry in the time slot list.
Table 5-9 Time slot – List entry
Option
Definition
Start of time slot (hour)
Sets the hour when a daily time slot begins.
Start of time slot (minute)
Sets the minute in an hour when a daily time slot begins.
Start of time slot (second)
Sets the second in a minute when a daily time slot begins.
End of time slot (hour)
Sets the hour when a daily time slot ends.
End of time slot (minute)
Sets the minute in an hour when a daily time slot ends.
End of time slot (second)
Sets the second in a minute when a daily time slot ends.
Comment
Provides a plain-text comment on a time slot.
Advanced Subscribed Lists Settings
Settings for advanced subscribed lists functions
Table 5-10 Advanced Subscribed Lists Settings
Option
Definition
Allow to download customer subscribed lists
When selected, customer subscribed lists can be downloaded from the current appliance.
If the appliance is a node in a Central Management configuration and this option is also selected on other nodes, one of the nodes will download the lists.
If you want a particular node to download the lists, you need to make sure the option is deselected on every other node.
When a node is restarted and one or more subscribed lists are configured on this node, list content is downloaded to ensure a valid configuration.
The download is performed regardless of whether this download option is selected or not.
When a node is added to a configuration with other nodes that have subscribed lists configured, list content is downloaded for these lists onto the new node.
To reduce internal traffic, the download is performed without prior communication with other nodes.
The download is performed regardless of whether this download option is selected or not.
Manual Engine Updates
Setting for performing manual updates of database information for modules used in the filtering
process
Table 5-11 Manual Engine Updates
Option
Definition
Manual Engine Update
Updates database information for modules used in the filtering process immediately.
Database information is only updated for the modules on the appliance you are currently working on.
Handle Stored Configuration Files
Settings for storing configuration file folders on disk
Table 5-12 Handle Stored Configuration Files
Option
Definition
Keep saved configuration folders for a minimal time
Limits the time (in days) that configuration file folders are at least stored on disk to the specified value.
The number of days can range from 1 to 100.
Keep minimal number of configuration folders
Limits the number of configuration file folders that are at least stored on disk at any time to the specified value.
The number can range from 1 to 100.
Keep minimal number of packed folders
Limits the number of packed configuration file folders that are at least stored on disk at any time to the specified value.
Configuration folders are packed when the minimal time configured for storing them on disk has elapsed and the minimal number of folders stored on disk at any time would be exceeded if they were stored unpacked any longer.
The number of folders can range from 1 to 100.
Advanced Scheduled Jobs
Settings for scheduled jobs
Table 5-13 Advanced Scheduled Jobs
Option
Definition
Job list
Provides a list of scheduled jobs.
The following table describes the elements of a list entry.
Table 5-14 Job list entry
Option
Definition
Start job
Specifies the time setting for starting a scheduled job, for example, hourly, daily, once.
Start job immediately if it was not started at its original schedule
Lets a scheduled job start immediately if this has not happened according to the originally configured schedule.
Job
Specifies the type of job, for example, Backup Configuration.
Unique job ID
Identifies a scheduled job.
When this job has finished run job with ID
Provides the ID of a job that is run immediately after this job.
Comment
Provides a plain-text comment on a scheduled job.
Add Scheduled Job window
Settings in the window for adding a scheduled job
• Time Settings — Settings for the time when a scheduled job is started
• Job Settings — Settings for the type and ID of a scheduled job
• Parameter Settings — Settings for additional parameters of a scheduled job
These settings differ for each job type as follows:
• (Backup configuration settings) — Settings for a scheduled job that creates a backup of an appliance configuration
• (Restore backup settings) — Settings for a scheduled job that restores a backup of an appliance configuration
• (Upload file settings) — Settings for a scheduled job that uploads a file to an external server using the HTTP or HTTPS protocol
• (Download file settings) — Settings for a scheduled job that downloads a file to the appliance using the HTTP or HTTPS protocol
For a scheduled job that performs a yum update, there are no additional parameter settings.
Table 5-15 Time Settings
Option
Definition
Start job
Lets you select a time setting.
• Hourly — Starts a scheduled job every hour
• Daily — Starts a scheduled job once on a day
• Weekly — Starts a scheduled job once in a week
• Monthly — Starts a scheduled job once in a month
• Once — Starts a scheduled job only once
• Activated by other job — Starts a scheduled job after another job has been completed
(Time parameter settings)
Settings specifying the parameters for a time setting, for example, the minute in an hour when a job scheduled for hourly execution should be started.
Which time parameter settings are shown depends on the selected time setting.
For example, if you have selected Hourly, you can configure the minute in an hour, but not the day in a month.
• Minute — Sets a minute in an hour
• Hour — Sets an hour on a day
• Day of month — Sets a day in a month
• Enter day of week — Provides a list for setting a day in a week
• Month — Sets a month in a year (specified by a number from 1 to 12)
• Year — Sets a year (four digits)
Start job immediately if it was not started at its original schedule
When selected, a scheduled job is started immediately if this has not happened according to the originally configured schedule.
This can be the case, for example, when an appliance is temporarily shut down due to overload and a job was scheduled to run during this downtime.
The job is then executed as soon as the appliance is up again.
Table 5-16 Job Settings
Option
Definition
Job
Lets you select the type of a scheduled job.
• Backup configuration — Creates a backup of an appliance configuration
• Restore backup — Restores a backup of an appliance configuration
• Upload file — Uploads a file to an external server using the HTTP or HTTPS protocol
• Download file — Downloads a file onto the appliance using the HTTP or HTTPS
protocol
• Yum update — Performs a yum update on an appliance configuration
This scheduled job type is not available when an appliance runs in a
FIPS-compliant mode.
Unique job ID
Identifies a scheduled job.
The characters specified in this string are case-sensitive
Job description
Provides an optional description of a scheduled job in plain-text format.
When this job has finished run job with ID
Provides the ID of a scheduled job that is to run immediately after the job
configured here has finished.
For this job, you must have configured the Activated by other job time setting.
Execute job on remote node
Provides a list for selecting other nodes of the configuration to execute a scheduled
job.
The list displays the host names for the other nodes.
The scheduled job that you configure on this appliance is executed with its time
and parameter settings on the selected node or nodes.
A message is sent to the other node or nodes to inform them about the scheduled
job.
Table 5-17 Parameter Settings – Backup configuration
Option
Definition
Use most recent configuration
When selected, the scheduled job creates a backup from the most recent
appliance configuration.
Format: /<path name>/<file name with extension>
Backup configuration path
Specifies the name of the path to the folder where the configuration is stored
that should be used for the backup.
Format: /opt/mwg/storage/default/configfolder
This setting is only available when Use most recent configuration is deselected.
Save configuration to path
Specifies the path and file name for a backup configuration.
Format: /<path name>/<file name with file name extension>
You must set user rights for the folder you want to store the backup
configuration in, making the appliance the owner who is allowed to write data
into the folder.
On the command line provided, for example, by a serial console, run the
appropriate commands to create a folder or change the rights for an existing
folder.
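One way to create that folder and to verify its rights afterwards, as an added Python example that is not Web Gateway code: the account under which the appliance writes is not named on this page, so its uid and gid are passed in, and the folder used by the demo is a constructed temporary path. A configuration backup holds the complete appliance configuration, so the check also refuses a folder that other accounts can read.

```python
"""Prepare and check the folder that receives backup configurations: the
appliance account must own it and be the only one allowed to write into it.
Added example, not Web Gateway code; the owner's uid/gid are passed in because
the name of the appliance account is not given on this page."""
import os
import stat
import tempfile
from typing import List, Optional

def check_backup_folder(path: str, owner_uid: int) -> List[str]:
    """Return the problems found with a backup folder (empty list = usable).
    A configuration backup contains the whole appliance configuration, so the
    folder must not be readable or writable by other accounts."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["folder does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return ["path is not a directory"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append("wrong owner (appliance account must own the folder)")
    if not st.st_mode & stat.S_IWUSR:
        problems.append("owner cannot write into the folder")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group or others can write into the folder")
    if st.st_mode & (stat.S_IROTH | stat.S_IXOTH):
        problems.append("others can read or enter the folder")
    return problems

def prepare_backup_folder(path: str, owner_uid: int, owner_gid: int) -> List[str]:
    """Create the folder if needed, hand it to the appliance account and restrict
    it to rwxr-x--- (0o750); returns whatever check_backup_folder still finds."""
    os.makedirs(path, mode=0o750, exist_ok=True)   # the mode argument is reduced by the umask ...
    os.chmod(path, 0o750)                          # ... so set the intended mode explicitly
    os.chown(path, owner_uid, owner_gid)           # needs root unless the caller already owns the folder
    return check_backup_folder(path, owner_uid)

def demo(base: Optional[str] = None) -> dict:
    """Constructed walk-through in a throw-away folder owned by the current account."""
    base = base or tempfile.mkdtemp(prefix="mwg-backup-demo-")
    folder = os.path.join(base, "backups")
    result = {"prepared": prepare_backup_folder(folder, os.getuid(), os.getgid())}
    os.chmod(folder, 0o777)                        # loosen it again to show what the check catches
    result["after_loosening"] = check_backup_folder(folder, os.getuid())
    result["missing"] = check_backup_folder(os.path.join(base, "missing"), os.getuid())
    return result

if __name__ == "__main__":
    print(demo())
```

On the appliance itself, call prepare_backup_folder with the uid and gid of the account that runs the appliance instead of the current account used by the demo; the explicit chmod after makedirs matters because the mode passed to makedirs is masked by the process umask.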
Table 5-18 Parameter Settings – Restore backup
Option
Definition
Restore backup from file
Specifies the path and file name for the file that should be used to restore a
backup.
Format: /<path name>/<file name with extension>
Only restore policy
When selected, a scheduled job restores only settings related to the web
security policy that was implemented on an appliance.
Other settings, for example, settings needed for connecting an appliance to a
network, are not restored.
Lock storage during restore
When selected, no other files can be stored on the appliance until the scheduled
job has completely restored the backup configuration.
Password
Sets a password that is submitted for basic authentication.
Set
Opens the New Password window for setting a password.
When a password has been set, the Set button is replaced by a Change button,
which opens the New Password window for changing a password.
This setting is only available when Enable basic authentication is selected.
Table 5-19 Parameter Settings – Upload file
Option
Definition
File to upload
Specifies the path and file name for a file that should be uploaded.
Format: /<path name>/<file name with extension>
Destination to upload file to
Specifies the name of the path to the server that a file should be uploaded to
under the HTTP or HTTPS protocol and the file name for storing the file on the
server.
Format: http|https://<URL>/<file name with extension>
Enable basic authentication
When selected, basic authentication is required for uploading a file.
User name
Specifies a user name that is submitted for basic authentication.
This setting is only available when Enable basic authentication is selected.
Password
Sets a password that is submitted for basic authentication.
Set
Opens the New Password window for setting a password.
When a password has been set, the Set button is replaced by a Change button,
which opens the New Password window for changing a password.
This setting is only available when Enable basic authentication is selected.
Table 5-20 Parameter Settings – Download file
Option
Definition
URL to download
Specifies a URL for the location of a file that should be downloaded under the
HTTP or HTTPS protocol and the name of the file.
Format: http|https://<URL>/<file name with extension>
Save downloaded file to
Specifies a path to the location where a downloaded file should be stored and
the file name for storing the file.
Format: /<path name>/<file name with extension>
Enable basic authentication
When selected, basic authentication is required for downloading a file.
User name
Specifies a user name submitted for basic authentication.
This setting is only available when Enable basic authentication is selected.
Password
Sets a password that is submitted for basic authentication.
Set
Opens the New Password window for setting a password.
When a password has been set, the Set button is replaced by a Change button,
which opens the New Password window for changing a password.
This setting is only available when Enable basic authentication is selected.
6
Rules
Web filtering and authentication are controlled by rules, which you can implement and modify to suit
the needs of your network.
Rules are grouped and made available in rule sets, each of which usually covers a particular field of
filtering activities. There can be, for example, a virus and malware filtering rule set, a URL filtering
rule set, an authentication rule set, and so on.
At the initial setup of the appliance, a default system of rule sets is implemented. You can review
these rule sets and their rules, modify and delete them, and also create your own rules and rule sets
or even a complete system of your own.
Additionally, you can import rule sets from libraries and modify them in the same way as the other
rule sets.
Contents
Rule flexibility
About filtering
Rule elements
Rule representation in the documentation text
Rule sets
Rule set system
Rule set library
Rule Sets tab
Create a rule
Create a rule set
Import a rule set
Best practices - Rule configuration
Restrict access to configuration items
Rule flexibility
When working with web security rules on Web Gateway, a considerable flexibility allows you to modify
these rules in many ways, depending on what is best suited for your network.
The rules that are implemented as part of the default rule set system after the initial setup of Web
Gateway can therefore be seen as a sample system. This system is meant to show you what a system
of web security rules might look like. You are not required to keep this system or any part of it
unmodified or to keep it at all.
Similarly, the rules in the rule sets of the rule set libraries are sample solutions for extending the web
security functions of Web Gateway in one way or other. They are open to modification in the same way
as the default rules.
The documentation explains the default and many library rules to let you understand how they work
and what they can be used for.
But the documentation never says that you must necessarily implement a particular default rule set or
import a particular library rule set. Nor does it say that you must handle a particular rule and its
elements in the same way as it is explained in the documentation.
The specific needs of your network can always require that what you actually implement differs from a
given explanation.
About filtering
A filtering process is performed on the appliance that uses the implemented rules to ensure web
security for your network.
This process filters web traffic. It blocks some objects and lets others pass through, like a tea sieve or
strainer that catches the tea leaves and allows the liquid to flow through its perforations.
How does the process tell the tea leaves from the liquid? The tea strainer obviously uses size as a key
concept. If something is too big, it cannot pass through.
Similarly, the filtering process on the appliance uses in its rules all kinds of properties that web objects
can have or that are related in some way to web objects to make filtering decisions.
Properties of filtered objects
A property of a web object checked in the filtering process is, for example, being virus-infected. A web
object can have the property of being virus-infected or, put more simply, it can be virus-infected.
Other examples could be the property of belonging to a particular URL category or the property of
having a particular IP address.
The following can then be asked about these and other properties:
• For a given web object, what value does property p have?
• And: If this value is x, what action is required?
Giving an answer to the second question leads to a rule:
If the value of property p is x, action y is required.
A property is a key element in every rule on the appliance. Understanding the property is essential to
understanding the rule.
When you are creating a rule, it is a good idea to begin by thinking about the property you want to
use. Using a property of an already existing rule as an example, you might consider something like the
following:
I want to filter viruses and other malware. I use the property of being virus-infected and build a rule
around it. I let this rule require a blocking action to be taken if a given web object has this property.
The rule could look as follows:
If being virus-infected has the value true (for a given web object), block access to this object.
The web object could, for example, be a file that a web server has sent because a user of your
network requested it and that is intercepted and filtered on the appliance.
Properties and rules are explained in this section using normal language. However, the format they
have on the user interface of the appliance does not differ from this very much.
For example, the above rule about virus infections could appear on the user interface as follows:
Antimalware.Infected equals true –> Block (Default)
where Antimalware.Infected is the property and Block is the action, which is executed in the default
way.
The arrow does not appear on the user interface; it is inserted here to show that the blocking action is
triggered if a given web object really has the property in question.
Filtering users
Properties can be related to web objects, but also to the users that request them.
For example, a rule could use the property user groups that user is member of to block requests sent
by users who are not in an allowed group:
If user groups that user is member of (for a given user) are not on the list of allowed groups, block
requests sent by this user.
Filtering cycles
The filtering process on the appliance has three cycles: the request cycle, the response cycle, and the
embedded objects cycle. Only one of them can go on at a given moment.
The request cycle is performed for filtering requests that users of your network send to the web; the
response cycle is for the responses received upon these requests from the web.
When embedded objects are sent with requests or responses, the embedded objects cycle is
performed as an additional cycle of processing.
An embedded object could, for example, be a file sent with a request to upload a file and embedded in
this file. The filtering process begins with the request cycle, filtering the request and checking the file
that is requested for uploading. Then the embedded objects cycle is started for the embedded file.
Similarly, the response cycle and the embedded objects cycle are started one after another for a file
that is sent in response from a web server and has another file embedded in it.
For every rule on the appliance, it is specified in which cycle it is processed. However, the cycle is not
specified individually for a rule, but for the rule set that contains it.
A rule set can be processed in just one cycle or in a combination of cycles.
Process flow
In the filtering process, the implemented rules are processed one after another, according to the
positions they take in their rule sets.
The rule sets themselves are processed in the order of the rule set system, which is shown on the Rule
Sets tab of the user interface.
In each of the three cycles, the implemented rule sets are looked up one after another to see which
must be processed in this cycle.
When a rule is processed and found to apply, it triggers an action. The action executes a filtering
measure, such as blocking a request to access a web object or removing a requested object.
In addition to this, an action has an impact on the filtering process. It can specify that the filtering
process must stop completely, or skip some rules and then continue, or simply continue with the next
rule.
Processing also stops after all implemented rules have been processed.
Accordingly, the process flow can be as follows:
All rules have been processed for each of the configured cycles and no rule has been found to apply.
–> Processing stops.
In the request cycle, the request is allowed to pass through to the appropriate web server.
In the response cycle, the response sent from the web is forwarded to the appropriate user.
In the embedded objects cycle, the embedded object is allowed to pass through with the request or
response it was sent with.
Processing begins again when the next request is received.
A rule applies and requires that processing must stop completely.
–> Processing stops.
An example of a rule that stops processing completely is a rule with a blocking action.
If, for example, a request is blocked because the requested URL is on a blocking list, it is no use to
process anything else.
No response is going to be received because the request was blocked and not passed on to the
appropriate web server. Filtering an embedded object that might have been sent with the request is
also not needed because the request is blocked anyway.
A message is sent to the user who is affected by the action, for example, to inform this user that the
request was blocked and why.
Processing begins again when the next request is received.
A rule applies and requires that processing must stop for the current rule set.
–> Processing stops for this rule set.
The rules that follow the stopping rule in the rule set are skipped.
An example of a rule that stops the processing of a rule set is a whitelisting rule followed by a
blocking rule in the same rule set.
When a requested web object is found on a whitelist, the request is allowed to pass through without
further filtering. Therefore the rule set is not processed any further and the rule that eventually
blocks the object is skipped.
Processing continues with the next rule set.
The next rule set can contain rules that, for example, block a request, although it was allowed to
pass through the preceding rule set.
A rule applies and requires that processing must stop for the current cycle.
–> Processing stops for this cycle.
The rules and rule sets that follow the stopping rule in the cycle are skipped.
An example of a rule that stops the processing of a cycle is a global whitelisting rule.
When a requested object is found on a global whitelist, the request is allowed to pass through to the
appropriate web server.
To ensure the request is not blocked eventually by any of the following rules and rule sets, the
request cycle is not processed any further.
Processing continues with the next cycle.
A rule applies and requires that processing continues with the next rule.
–> Processing continues with the next rule.
This can be the next rule in the current rule set or the first rule in the next rule set or cycle.
An example of a rule that lets the filtering process continue unimpeded is a statistics rule.
This rule just counts requests by increasing a counter and does otherwise nothing.
Rule elements
A web security rule on the appliance has three main elements: criteria, action, and (optionally) event.
1 Criteria
Determines whether a rule applies.
Other rule syntaxes use the term condition instead of criteria.
If the category of a URL is on list x, ...
The criteria has three elements: property, operator, and operand.
• Property
Is related to a web object or a user.
... the category of a URL ...
• Operator
Links the property to an operand.
... is on list ...
• Operand
Specifies a value that the property can have.
... x (list name), ...
The operand is also referred to as parameter on the user interface.
2 Action
Is executed if the criteria is matched.
... block the URL ...
3 Event
Is executed if the criteria is matched.
... and log this action.
An event is optional for a rule. A rule can also have more than one event.
Rule format on the user interface
On the user interface, a rule appears in the following format.
Figure 6-1 Format of a rule on the user interface
The following table explains the meaning of the rule elements.
Table 6-1 Elements of a rule on the user interface
Option Definition
Enabled
Allows you to enable or disable the rule.
Name
Name of the rule
• Block URLs ... — Name text
• Category BlockList (in rule name) — List used by the rule
Clicking on the list name opens the list for editing.
• Yellow triangle (next to a list name) — Indicates that the list is initially empty and you
need to fill the entries.
Criteria
Criteria of the rule
The criteria is only visible after clicking the Show details toggle button.
• URL.Categories — Property
• <Default> — Settings of the module that retrieves a value for the property
For example, the Default settings that appear here are settings of the URL Filter module.
Clicking on the settings name opens the settings for editing.
The module name is not visible in the rule. It appears, however, in the Edit window for the
rule criteria.
• at least one in list — Operator
• Category BlockList — Operand (also known as parameter)
Clicking on the list name opens the list for editing.
The list name appears both in the rule name and the criteria to let it be available when the
criteria is not visible.
• Yellow triangle (next to a list name) — Indicates that the list is initially empty.
Action
Action of the rule
• Block — Name of the action
• <URLBlocked> — Settings of the action
Clicking on the settings name opens the settings for editing.
Events
One or more events of the rule
The events are only visible in full after clicking the Show Details toggle button.
• Statistics.Counter.Increment — Name of the event
• “BlockedByURLFilter, 1” — Parameters of the event
• <Default> — Settings of the event
Clicking on the settings name opens the settings for editing.
Complex criteria
The criteria of a rule can be made complex by configuring it with two or more parts.
In complex criteria each of the parts has a property with operator and operand. The parts are linked
by AND or OR.
The criteria is matched if a filtered URL belongs to a category that is on any of the two specified
category lists (or on both).
If you configure criteria with three or more parts and use both AND and OR between them, you also
need to put brackets to indicate how the parts are logically connected. For example, (a AND b) OR c
differs in meaning from a AND (b OR c).
When you add a third criteria part on the user interface, lowercase letters appear before the parts and
an additional field is inserted at the bottom of the configuration window.
The field displays your criteria parts in short, for example, a AND b OR c. You can then type brackets
in the field as needed.
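A small evaluator for such criteria, added here as an example and not part of Web Gateway: it reads the short form shown in that field, enforces the bracket rule from the text by rejecting a chain that mixes AND and OR on one level, and evaluates the lettered parts (each a property, operator and operand) against a constructed set of property values. URL.Categories and the operator wording are taken from this chapter; the property name Authentication.UserGroups, the list contents and the sample request are assumed values for the demonstration.

```python
"""Evaluator for complex rule criteria: parts (property, operator, operand) named by
letters and linked by AND/OR, with the bracket rule from the text enforced (a chain
that mixes AND and OR on one level without brackets is rejected as ambiguous).
Added example, not Web Gateway code; the operator set, the property names other than
URL.Categories and all sample values are constructed for the demonstration."""
import re
from dataclasses import dataclass

# Operators as they read on the user interface, each comparing a property value with the operand.
OPERATORS = {
    "equals": lambda value, operand: value == operand,
    "is in list": lambda value, operand: value in operand,
    "at least one in list": lambda value, operand: any(v in operand for v in value),
}

@dataclass
class CriteriaPart:
    property_name: str     # e.g. URL.Categories
    operator: str          # key of OPERATORS
    operand: object        # the parameter: a single value or a list

    def matches(self, props: dict) -> bool:
        return OPERATORS[self.operator](props[self.property_name], self.operand)

TOKEN = re.compile(r"\(|\)|AND|OR|[a-z]")

def parse(expression: str):
    """Turn 'a AND b', '(a AND b) OR c', ... into ('part', letter) / (op, [children]) nodes."""
    tokens = TOKEN.findall(expression)
    if "".join(tokens) != re.sub(r"\s+", "", expression):
        raise ValueError(f"unexpected characters in {expression!r}")
    tree, pos = _parse_chain(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree

def _parse_chain(tokens, pos):
    """operand (op operand)* on one bracket level; all ops on the level must be the same."""
    operands, ops = [], []
    node, pos = _parse_operand(tokens, pos)
    operands.append(node)
    while pos < len(tokens) and tokens[pos] in ("AND", "OR"):
        ops.append(tokens[pos])
        node, pos = _parse_operand(tokens, pos + 1)
        operands.append(node)
    if len(set(ops)) > 1:
        raise ValueError("AND and OR mixed without brackets: add brackets to show the grouping")
    return (operands[0] if not ops else (ops[0], operands)), pos

def _parse_operand(tokens, pos):
    """A single lettered part or a bracketed sub-expression."""
    if pos >= len(tokens) or tokens[pos] in ("AND", "OR", ")"):
        raise ValueError("criteria part expected")
    if tokens[pos] == "(":
        node, pos = _parse_chain(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing closing bracket")
        return node, pos + 1
    return ("part", tokens[pos]), pos + 1

def evaluate(tree, parts: dict, props: dict) -> bool:
    """Evaluate a parsed tree: AND needs all children to match, OR at least one."""
    if tree[0] == "part":
        return parts[tree[1]].matches(props)
    results = (evaluate(child, parts, props) for child in tree[1])
    return all(results) if tree[0] == "AND" else any(results)

def criteria_matches(expression: str, parts: dict, props: dict) -> bool:
    return evaluate(parse(expression), parts, props)

def is_ambiguous(expression: str) -> bool:
    """True when the expression needs brackets because AND and OR are mixed on one level."""
    try:
        parse(expression)
        return False
    except ValueError as err:
        return "mixed" in str(err)

# Constructed sample: three criteria parts and the property values of one filtered request.
PARTS = {
    "a": CriteriaPart("URL.Categories", "at least one in list", ["Gambling", "Hacking"]),
    "b": CriteriaPart("URL.Categories", "at least one in list", ["Streaming Media"]),
    "c": CriteriaPart("Authentication.UserGroups", "at least one in list", ["Exceptions"]),
}
SAMPLE_PROPS = {"URL.Categories": ["Streaming Media"], "Authentication.UserGroups": ["Exceptions"]}

if __name__ == "__main__":
    for expr in ("a OR b", "(a AND b) OR c", "a AND (b OR c)"):
        print(expr, "->", criteria_matches(expr, PARTS, SAMPLE_PROPS))
    print("a AND b OR c ambiguous:", is_ambiguous("a AND b OR c"))
```

For the sample request, (a AND b) OR c matches while a AND (b OR c) does not, which is exactly why the text asks for brackets as soon as three or more parts use both AND and OR.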
Rule representation in the documentation text
When rules are explained in the Web Gateway documentation, different ways of representing them
within the documentation text are used.
A rule can be represented in a long or short format, providing more or less explicit information about
the structure of a rule. The individual elements of a rule can be marked using different fonts to
distinguish them from each other or all appear in the same font.
The long and the short formats can both be combined with different element markup to represent
rules as follows:
• Short rule representation — A rule is represented in a short format with different fonts used for
the individual rule elements.
• Short unified rule representation — A rule is represented in a short format with the same fonts
used for all rule elements.
• Long rule representation — A rule is represented in a long format with different fonts used for
the individual rule elements.
• Long unified rule representation — A rule is represented in a long format with the same fonts
used for all rule elements.
All rule representations are followed by explanations of the respective rules in plain text.
Rule representation on the user interface
On the user interface of Web Gateway, a rule looks like this. The three main rule elements (criteria,
action, and events) are each shown in a separate column. The rule name appears in bold above the
rule criteria.
Figure 6-2 Rule representation on the user interface
In this sample representation, the rule name and elements are as follows:
• Name — Block if virus was found
• Criteria — Antimalware.Infected<Gateway Anti-Malware> equals true
• Action — Block<Virus Found>
• Event — Statistics.Counter.Increment("BlockedByAntiMalware",1)<Default>
The different representation methods used in the documentation text all rely in one way or other on
how a rule is represented here.
Short rule representation
The short rule representation shows the main elements of a rule next to each other with the rule name
in bold above the criteria. This representation method comes closest to the way that a rule is shown
on the user interface.
To distinguish the main rule elements even further than it is done on the user interface, the criteria is
shown in italics and the action is preceded by an arrow. The arrow symbolizes the relation between
the criteria and the action (if the criteria matches, then the action is performed).
The rule event is always optional. It is also executed if the criteria matches, so it is just added after
the action, separated by a dash.
Block if virus was found
Antimalware.Infected<Gateway Anti-Malware> equals true –> Block<Virus Found> –
Statistics.Counter.Increment(“BlockedByAntiMalware”,1)<Default>
Short unified rule representation
The short unified rule representation differs from the short rule representation in that it does not use
different fonts to distinguish the name from the rule elements and the rule elements from each other.
It rather shows them all in narrow bold font.
Block if virus was found
Antimalware.Infected<Gateway Anti-Malware> equals true – Block<Virus Found> – Statistics.Counter.Increment(“BlockedByAntiMalware”,1)<Default>
Long rule representation
The long rule representation shows each rule element in a separate row within a table, preceded by
the element name. The rule name appears in red above the table like a section title.
Block if virus was found
Rule element
Definition
Criteria
Antimalware.Infected<Gateway Anti-Malware> equals true
Action
Block<Virus Found>
Event
Statistics.Counter.Increment(“BlockedByAntiMalware”,1)<Default>
Long unified rule representation
The long unified rule representation differs from the long rule representation in that all individual rule
elements are marked in narrow bold font.
Block if virus was found
Rule element
Definition
Criteria
Antimalware.Infected<Gateway Anti-Malware> equals true
Action
Block<Virus Found>
Events
Statistics.Counter.Increment(“BlockedByAntiMalware”,1)<Default>
Rule sets
Rules are grouped and included in rule sets on the appliance. A rule can never stand on its own; it
must be included in a rule set.
A rule set can include just a single rule or several of them. It can also include one or more nested rule
sets. If it includes nested rule sets, it can include individual rules on the same level as the nested rule
sets.
Rule sets usually include rules that work together to provide a particular function for ensuring web
security.
For example, a virus and malware filtering rule set will include a rule that blocks infected objects and
one or several others that whitelist objects to let them skip the blocking rule and ensure users can
access them.
You can modify the implemented rule sets and create rule sets of your own to build functional units in
whatever way is suitable for your network.
Rule set criteria
Like rules, rule sets have criteria and are applied if their criteria matches.
Usually, the criteria of a rule set differs from that of its rules. For a rule to apply, both its own criteria
and the criteria of its rule set must match.
Rule set cycles
Rule sets are processed, with their rules, in the three cycles of the filtering process.
A rule set can be processed in any combinations of these cycles, for example, only in the request cycle
or in both request and response cycles, and also in all three cycles.
The cycles of a rule set are at the same time those of the individual rules it includes. A rule cannot
differ with regard to cycles from its rule set.
Nested rule sets
Rule sets can have other rule sets nested within them. A nested rule set has its own criteria.
Regarding cycles, it can only be processed in the cycles of the nesting rule set, but need not be
processed in all of them.
This way, a nested rule set can be configured to deal especially with a particular cycle, while another
nested rule set deals with a different cycle.
For example, a media type filtering rule set could apply to all cycles, but have nested rule sets that are
not processed in all of them.
Media Type Filtering rule set (for requests, responses, and embedded objects)
• Nested rule set Media Type Upload (for requests)
• Nested rule set Media Type Download (for responses and embedded objects)
Rule set system
Rule sets are implemented on the appliance within a rule set system.
When a request for web access is received on the appliance, all rule sets in the system are processed
for this request from top to bottom.
If a rule in a rule set is found to apply, the action of this rule is executed. If the action is Block,
processing stops. Other actions let processing continue in one or the other way.
Similarly, the rule sets of the implemented system are processed for responses and embedded objects
sent with requests and responses.
Working with the rule set system
During the initial setup of the appliance, a default system of rule sets is implemented. You can do the
following to fine-tune this system and adapt it to the requirements of your network:
• Modify rules and rule sets
• Delete rules and rule sets
• Create rules and rule sets
• Import rule sets
• Move rules and rule sets to new positions
• Copy rules and paste them into other rule sets
Default rule set system
The default rule set system looks like this (nested rule sets are not shown).
Table 6-2 Default rule set system
Rule set
Description
Bypass Microsoft (Office 365) Services (not enabled by default)
Lets requests and responses that are sent to and received from Office
365 and other Microsoft services bypass filtering.
SSL Scanner (not enabled by default)
Prepares SSL-secured web traffic for processing by other filtering
functions.
Global Whitelist
Lets requests for whitelisted URLs or IP addresses skip further
filtering.
Remove Privacy Violation Header
Removes privacy violation headers from requests to prepare them for
processing by other filtering functions.
Common Rules
Provides functions that support the filtering process, such as web
caching, progress indication, and opening of archives.
URL Filtering
Controls filtering of individual URLs and URL categories.
Media Type Filtering
Controls filtering of particular types of media.
Gateway AntiMalware
Controls virus and malware filtering using virus signatures and
proactive methods.
Dynamic Content Classification
Controls dynamic classification of content.
Rule set library
The rule set library provides rule sets for you to import into your rule set system.
You can import a rule set, for example, to add a function that is missing in your system or when the
implemented rule sets do not suit your network.
• The rule set library also contains the rule sets that are part of the default rule set system.
• More rule sets are available from an online rule set library. A link to this library is provided in the
window of the standard rule set library.
In the standard rule set library, rule sets are grouped in categories, for example, authentication or URL
filtering.
The following table shows the categories of the standard rule set library.
Table 6-3 Categories of library rule sets
Rule set category Includes rule sets for ...
Application Control
Filtering applications and individual functions of applications
Authentication
Authenticating users
Coaching/Quota
Imposing quotas and other restrictions on the web access of users
Cloud Services
Implementing single sign-on access to cloud applications
Common Rules
Supporting the filtering process, for example, by web caching, progress
indication, or opening of archives
DLP
Implementing data loss prevention
ePO
Enabling use of the ePolicy Orchestrator
Error Handling
Implementing error handling measures
Gateway Anti-Malware
Filtering web objects for infections by viruses and other malware
HTML/Script Filter
Filtering HTML pages and scripts
ICAP Client
Running an ICAP client on an appliance
Logging
Logging filtering and other activities
Media Type Filter
Filtering particular types of media
Mobile Security
Filtering mobile traffic
Next Hop Proxy
Using next-hop proxies for data transfer
Privacy
Modifying requests to ensure privacy
SiteAdvisor Enterprise
Using the SiteAdvisor for filtering requests
SSL Scanner
Handling SSL-secured web traffic
Troubleshooting
Performing troubleshooting measures
URL Filter
Filtering individual URLs and URL categories
Web Hybrid
Enabling synchronization with the McAfee SaaS Web Protection Service
Rule Sets tab
Use the Rule Sets tab to work with rules and rule sets.
Figure 6-3 Rule Sets tab
Main elements of the Rule Sets tab
The following table describes the main elements of the Rule Sets tab.
Table 6-4 Main elements of the Rule Sets tab
Element
Description
Rule sets toolbar
Items for working with the rule sets on the rule sets tree
Rule sets tree
Tree structure displaying the rule sets of the appliance configuration
Rule sets menu
Buttons for displaying tree structures of:
• (General) rule sets
• Log handler rule sets
• Error handler rule sets
• User-defined properties (for use in rule set criteria, rule criteria, and rule events)
Rules toolbar
Items for working with rules
Rules
Rules of the currently selected rule set
Rule sets toolbar
The rule sets toolbar provides the following options.
Table 6-5 Rule sets toolbar
Option
Definition
Add
Opens a menu or a window for adding an item, depending on what is currently selected from the Rule sets menu.
• (Rule Sets is selected) — Opens a menu, from which you can select:
  • Rule Set from Library — Opens the Add from Rule Set Library window for importing a rule set from the rule set library.
  • Rule Set — Opens the Add New Rule Set window to let you add a rule set to the appliance configuration.
  • Top-Level Rule Set — Opens the Add New Top-Level Rule Set window for adding a rule set at the top level of the rule sets tree.
• (Log Handler is selected) — Lets you select Log Handler from a menu as the only accessible item to open the Add New Log Handler window for adding a new Log Handler rule set.
• (Error Handler is selected) — Lets you select Error Handler from a menu as the only accessible item to open the Add New Error Handler window for adding a new Error Handler rule set.
• (User-Defined Property is selected) — Lets you select User-Defined Property to open the Add New User-Defined Property window for adding a property.
Export
Opens the Export Rule Set window for exporting a rule set to the library or into a file.
Edit
Opens the Edit Rule Set window for editing a selected rule set.
Delete
Deletes a selected rule set.
A window opens to let you confirm the deletion.
Move up
Moves a rule set up among other rule sets on the same level.
Move down
Moves a rule set down among other rule sets on the same level.
Move out of
Moves a rule set out of its nesting rule set and onto the same level as the nesting rule set.
Move into
Moves a rule set out of its nesting rule set and into the rule set following this rule set.
Expand all
Expands all collapsed items on the rule sets tree.
Collapse all
Collapses all expanded items on the rule sets tree.
Rules toolbar
The rules toolbar provides the following options.
Table 6-6 Rules toolbar
Option
Definition
Add
Opens the Add Rule window for adding a rule.
Edit
Opens the Edit Rule window for editing a selected rule.
Delete
Deletes a selected rule.
A window opens to let you confirm the deletion.
Move up
Moves a rule up within its rule set.
Move down
Moves a rule down within its rule set.
Copy
Copies a selected rule.
Paste
Pastes a copied rule.
Show details
Shows (or hides) details of a rule entry including the criteria.
Create a rule
Creating a rule includes several activities that are related to the different elements of a rule.
The Add Rule window is provided for creating a rule. It allows you to complete the activities for
configuring the rule elements in the order that you prefer.
You can, for example, begin with naming and enabling a rule and then add the criteria, the action, and
an event.
Tasks
• Name and enable a rule on page 186
  Configure name and enabling as general settings for a rule.
• Add the rule criteria on page 189
  Add the rule criteria to determine when a rule is applied.
• Add the rule action on page 190
  Add the action that is executed if the rule criteria matches.
• Add a rule event on page 191
  Optionally add one or more events that are executed if the rule criteria matches.
Name and enable a rule
Configure name and enabling as general settings for a rule.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select a rule set for the new rule.
3 Click Add Rule above the settings pane.
  The Add Rule window opens with the Name step selected.
4 Configure general settings for the rule:
  a In the Name field, type a name for the rule.
  b Select Enable rule to let the rule be processed when its rule set is processed.
  c [Optional] In the Comment field, type a plain-text comment on the rule.
Continue with adding the rule elements.
Working with the Add Criteria window
The window for adding the rule criteria provides several functions to help you with selecting suitable
criteria elements.
According to the three elements of the rule criteria, the window is divided into the following columns:
• Left column for selecting a property
• Middle column for selecting an operator
• Right column for selecting an operand
Within a column, properties, operators, and operands are displayed in lists.
For example, you can select the following:
• Left column: MediaType.EnsuredTypes
• Middle column: none in list
• Right column: Anti-Malware Media Type Whitelist
This creates the criteria MediaType.EnsuredTypes none in list Anti-Malware Media Type Whitelist. If you add Block as the action, you get a rule for blocking access to media of all types that have not been entered in the specified whitelist.
To help you make suitable selections, the window does the following:
• Filters lists according to the filter settings that you provide
• Adapts lists in other columns when you select an item in one column to show only items that are suitable for being configured with the selected item
• Groups list items in the left and right columns into the categories Recommended, Suggested, and Other if this categorization is possible for the currently displayed items
• Preselects two or three items (one per column) if they can be recommended for being combined with each other
Beginning with the left or right column
You can begin by selecting an item from the left or right column, depending on what you have already
in mind about the criteria you are going to add.
For example, if this criteria is to be part of a rule for filtering infected web objects, you might begin by selecting the property Antimalware.Infected from the left column and then see which items are suitable to go with it. The result could be: Antimalware.Infected (property) equals (operator) true (operand).
On the other hand, if you want to include the criteria in a rule that prevents the users of your network
from accessing drug-selling web sites, you might begin by selecting the URL category list Drugs as an
operand and then combine it with a suitable operator and property. The result could be:
URL.Categories (property) at least one in list (operator) Drugs (operand).
Left column
The list in the left column of the window allows you to select a property. The currently selected
property appears at the top of the column in the Selected property field.
You can adapt the list in the following ways:
• Filter the list.
  • Using the Filter menu to filter according to:
    • Property type
    • Module (or engine) that is called to deliver a value for a property
    • Criteria group, such as Anti-Malware criteria, Media Type criteria, and others
      This part of the menu appears also immediately before the window opens. After selecting a criteria group, the lists in all columns show only items that are suitable for configuring criteria of the selected group.
    • User-defined properties (to show only those properties)
  • Using a filtering term that you type in the input field below the menu
• Add self-configured properties to the list using the Add User-Defined Property button and window.
The list is automatically adapted when you select an operand from the list in the right column. Then it
shows only properties that are suitable for being configured with this operand.
After selecting a property, you can configure its settings and parameters if it has any. The Settings and
Parameter buttons are then displayed with the property, which open windows for configuring the
respective items.
Middle column
The list in the middle column of the window allows you to select an operator. The currently selected
operator appears at the top of the column in the Selected operator field.
The list is automatically adapted when you select an item from the list in the left or right column. Then
it shows only operators that are suitable for being configured with the selected item.
Right column
The list in the right column of the window allows you to select an operand. The currently selected
operand appears at the top of the column in the Compare with field.
An operand can be a single item of different types, a list of items, or another property. Types for single
operands include Boolean, String, Number, Category, and others.
You can adapt the list in the following ways:
• Select an operand type (including the list and property types) from the list at the top of the column.
  Only items of this type are then displayed in the main list.
• (Only for lists and properties:) Filter the list using the Filter drop-down menu or the input field below.
If lists are displayed as operands, the Add <list type> and Edit <list type> buttons are provided at the bottom
of the column. They open windows for adding and editing lists in the usual way.
The list is automatically adapted when you select a property from the list in the left column. Then it
shows only operands that are suitable for being configured with this property.
Add the rule criteria
Add the rule criteria to determine when a rule is applied.
Task
1 In the Add Rule window, click Rule Criteria.
2 In the Apply this rule section, select when the rule is applied:
  • Always — The rule is always applied.
    Continue with adding another element, for example, the rule action.
  • If the following criteria is matched — The rule is applied if the configured criteria is matched.
    Continue with the next step.
3 In the Criteria section, click Add and select a criteria group from the drop-down menu.
  The Add Criteria window opens displaying items that are suitable for configuring criteria from the selected group.
  To display items for all criteria, select Advanced criteria.
  The window has three columns:
  • Left column for selecting a property
  • Middle column for selecting an operator
  • Right column for selecting an operand
  The currently selected elements are displayed at the top of each column under Selected property, Selected operator, and Compare with.
  The window supports you in selecting suitable elements by automatically adapting the lists in the other columns after you have selected an item in one column. Then the other columns show only items that are suitable for being configured with the selected item.
  You can begin by selecting an item from the left or right column. Accordingly, steps 4 to 6 could also be completed in a different order.
  If your criteria is to use a list as an operand, we recommend that you begin with selecting this list from the right column.
4 Select a property.
  a From the list in the left column, select an item or leave the one that is preselected (if there is any).
    You can filter the list and add self-configured properties.
  b [Conditional] If you have selected a property that requires settings, select settings from the Settings drop-down list that is displayed with the property or leave the preconfigured settings.
  c [Conditional] If you have selected a property that requires the setting of parameters, click Parameters below the property name and work with the options in the window that opens to set values for all required parameters.
5 Select an operator from the list in the middle column or leave the one that is preselected (if there is any).
6 Select an operand from the list in the right column or leave the one that is preselected (if there is any). If the list is empty, type a suitable value, for example, a number.
  To change the type of operands that are displayed, select a type from the list at the top of the column.
  After selecting an individual operand or a type of operands, the lists in the middle and left columns are adapted to show suitable operators and properties.
7 Click OK to close the Add Criteria window.
  The new criteria appears in the Add Rule window.
  If you want to configure complex criteria, repeat steps 3 to 6 to configure more criteria parts. Connect criteria parts by AND or OR, which are then provided as options. For three or more criteria parts, type parentheses in the Criteria combination field, which then appears, to indicate how the parts are logically connected.
  Continue with adding another element, for example, the rule action.
Continue with adding another element, for example, the rule action.
Add the rule action
Add the action that is executed if the rule criteria matches.
Task
1 In the Add Rule window, click Action.
2 From the Action list, select one of the following actions:
  • Continue — Continues with processing the next rule
  • Block — Blocks access to an object and stops processing rules
  • Redirect — Redirects the client that requested access to an object to another object
  • Authenticate — Stops processing the current cycle and sends an authentication request
  • Stop Rule Set — Stops processing the current rule set and continues with the next rule set
  • Stop Cycle — Stops processing the current cycle, but does not block access to the requested object
  • Remove — Removes the requested object and stops processing the current cycle
3 [Conditional] If you have selected an action that requires settings (Block, Redirect, Authenticate), select settings from the Settings list.
  Click Add or Edit before selecting settings to open windows for adding new settings or editing existing settings.
4 If you have created all required rule elements, but do not want to add an event:
  a [Optional] Click Summary to review what you have configured.
  b Click Finish.
    The Add Rule window closes and the new rule appears within the rule set you have selected for it.
Add a rule event
Optionally add one or more events that are executed if the rule criteria matches.
Task
1 In the Add Rule window, click Events.
2 In the Events section, click Add and select Events from the drop-down list.
  The Add Event window opens.
3 From the Event list, select an event.
  To filter the list, type a filtering term in the input field above the list.
4 [Conditional] If you have selected an event that requires settings, select settings from the Settings list.
  Click Add or Edit before selecting settings to open windows for adding new settings or for editing existing settings.
5 [Conditional] If you have selected an event that requires the setting of parameters, click Parameters and work with the options in the window that opens to set values for all required parameters.
6 Click OK.
  The Add Event window closes and the new event appears in the Events list.
7 If this is the last of the adding procedures:
  a [Optional] Click Summary to review what you have configured.
  b Click Finish.
    The Add Rule window closes and the new rule appears within the rule set you have selected for it.
Create a rule set
You can create a rule set and add it to your configuration.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, navigate to the position where you want to insert the new rule set.
3 Click Add above the rule sets tree.
  A drop-down list opens.
4 Select Rule Set.
  The Add New Rule Set window opens.
5 Configure the following general settings for the rule set:
  • Name — Name of the rule set
  • Enable — When selected, the rule set is enabled.
  • [Optional] Comment — Plain-text comment on the rule set
6 In the Applies to section, configure the processing cycles. You can select only one cycle, or any combination of these three:
  • Requests — The rule set is processed when requests from the users of your network are received on the appliance.
  • Responses — The rule set is processed when responses from web servers are received.
  • Embedded objects — The rule set is processed for embedded objects sent with requests and responses.
7 In the Apply this rule set section, configure when the rule set is applied:
  • Always — The rule set is always applied.
  • If the following criteria is matched — The rule set is applied if the criteria configured below is matched.
8 In the Criteria section, click Add.
  The Add Criteria window opens.
9 In the Property area, use the following items to configure a property:
  • Property — List for selecting a property (property types shown in brackets)
  • Search — Opens the Property Search window to let you search for a property.
  • Parameter — Opens the Property Parameters window for adding up to three parameters, see Step 10.
    The icon is grayed out if the property has no parameters.
  • Settings — List for selecting the settings of the module that delivers a value for the property (module names shown in brackets)
    The icon is grayed out if no settings are required for the property and (not needed) is added.
  • Add (String, Boolean, or numerical) — Configure it in the Value area. Then click OK.
  • Edit — Opens the Edit Settings window for editing the selected settings.
  If no parameters need to be configured for the property, click OK and continue with Step 11.
10 If you need to add property parameters:
  a Click Parameter.
    The Property Parameters window opens.
  b Add as many parameters as needed.
    A parameter can be a:
    • Value (String, Boolean, or numerical) — Configure it in the Value area. Then click OK.
    • Property — Follow the instructions for editing properties, beginning with Step 4.
11 From the Operator list, select an operator.
12 In the Parameter area, add a parameter (also known as operand).
  This can be a:
  • Value (String, Boolean, or numerical) — Configure it in the Value area.
  • Property — Follow the instructions for editing properties, beginning with Step 4.
13 Click OK to close the Add Criteria window.
14 [Optional] Click the Permissions tab and configure who is allowed to access the new rule set.
15 Click OK to close the Add New Rule Set window.
The Add New Rule Set window closes and the rule set is inserted into your rule set system.
16 Click Save Changes.
Import a rule set
You can import a rule set from the library into your rule set system.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, navigate to the position where you want to insert the new rule set.
3 From the Add drop-down list, select Rule Set from Library.
  A window with a list of the library rule sets opens.
4 Select the rule set you want to import, for example, the Gateway Antimalware rule set.
  If conflicts arise when importing this rule set, they are displayed in the window.
  Conflicts arise when a rule set uses configuration objects, such as lists or settings, that already exist in your rule set system.
5 Use one of the following methods to solve conflicts:
  • Click Auto-Solve Conflicts and choose one of the following strategies for all conflicts:
    • Solve by referring to the existing objects — If rules of the imported rule set refer to objects existing in the appliance configuration under the same names, references are made to apply to these existing objects.
    • Solve by copying and renaming to suggested — If rules of the imported rule set refer to objects existing in the appliance configuration under the same names, these objects are also used, but are renamed, so as to avoid conflicts.
  • Click the listed conflicts one after another and solve them individually by choosing either of the two above strategies each time.
6 Click OK.
  The rule set is inserted in the rule sets tree. It is enabled by default.
  Lists and settings that the rule set needs to perform its filtering job are implemented with the rule set and can be viewed on the lists and settings trees.
7 If necessary, use the blue arrows above the rule sets tree to move the rule set to where you want it to be.
8 Click Save Changes.
Best practices - Rule configuration
Web Gateway offers many ways to configure rules. However, to achieve an efficient filtering process,
some guidelines should be observed.
• Use rules and rule sets in appropriate filtering cycles — Some filtering activities are better handled in the request cycle, while others can be left to processing in the response cycle. For example, a rule that blocks requests based on the categories of the submitted URLs should be processed in the request cycle.
• Use "expensive" properties toward the end of the filtering process — Some properties require more time and bandwidth to retrieve values for them during the filtering process.
  For example, the Antimalware.Infected property is expensive in this sense, so a rule that contains this property should be placed after a rule with, for example, the less expensive URL.Categories property. If a request is blocked by the first rule, the effort of processing the second rule is avoided.
• If possible, do not use more than two properties in the rule criteria — This guideline does not save processing resources, but makes it easier to understand how rules work.
Using rules and rule sets in appropriate cycles
Rule processing on Web Gateway is performed in different cycles. Perform filtering activities in the
cycles that are best suited for them.
The following cycles are available:
• Request cycle — For processing requests from clients of Web Gateway
  This cycle works with any data that is available in a request, such as client IP address, URL, user name (if authentication is performed), or browser-related header information.
  If a request is blocked in this cycle, no response cycle is performed, as the request is not forwarded to a web server and therefore no response is received.
• Response cycle — For processing responses by web servers, responding to the requests that Web Gateway forwarded to them
  This cycle works with any data that is available in a response, such as the requested data or server-related header information.
• Embedded objects cycle — For processing web objects that are embedded in requests or responses
  This cycle is performed when an opener is called in the request or response cycle to allow the filtering modules to look into a web object more deeply. The following two openers are available:
  • Composite Opener — The "normal" opener for inspecting files with formats such as .zip, .exe, and others
  • HTML Opener — Used very rarely in some advanced configurations
  The embedded objects cycle is performed after the request or response cycle if embedded objects need to be inspected. If there are no embedded objects, the cycle is not performed.
After the request, response, and embedded object cycles are completed, rule sets with logging rules
are processed on Web Gateway to let data be written into log files. Processing these rule sets is
sometimes also referred to as performing the logging cycle.
General guideline for using the request cycle
Let any information that is available in a request be filtered in the request cycle to get any blocked
matter out of the way as soon as possible. To understand this guideline, consider cases like the
following:
• If filtering based on URL categories is performed in the response cycle, rather than in the request cycle, the requested data might be received from the web server, only to find out that it cannot be passed on to the client because its URL category is not allowed.
• If filtering based on client IP addresses is performed in the request cycle and a request is blocked, no response cycle is performed, so it is useless to have a rule for filtering this data in the response cycle. If a request is allowed, it is not necessary to filter the data a second time in the response cycle.
Processing cycles and recommended filtering activities
The following table shows the filtering activities that should be performed in the different cycles.
Table 6-7 Processing cycles and recommended filtering activities
Request cycle:
• Filtering based on whitelists
• Filtering based on blocking lists
• Filtering based on client-sent headers, such as User-Agent and others
• Media type filtering
• User authentication
• URL filtering
• Anti-malware scanning for uploads
Response cycle:
• Filtering based on whitelists
• Filtering based on server-sent headers, such as Content-Length and others
• Media type filtering
• Anti-malware scanning for downloads
Embedded objects cycle:
• Inspecting the body of a request or response
• Anti-malware scanning for embedded objects
As this overview also shows, there are some activities that are only recommended for one cycle, while
others, for example, whitelisting or anti-malware scanning, are recommended for two or more cycles.
Using expensive properties at the end of the filtering process
"Expensive" properties require a huge processing effort. Rules with these properties should be placed
at the end of the rule set system.
When rules are processed, the modules (or engines) on Web Gateway are called to retrieve values for
their properties. Some of these modules usually consume more time and bandwidth than others. For
example, running the engines for anti-malware scanning usually consumes more resources than
letting the URL Filter module retrieve URL category information.
To improve performance, place rule sets containing rules with expensive properties at the end of the
rule set system, so that rules with less expensive properties are processed first. If one of these rules
already blocks a request or response, the rules with the more expensive properties need not be
processed.
Expensiveness of properties
The following table shows the "expensiveness" of some properties that are often used in rules.
Properties marked by an * (asterisk) rely also on external components, for example, on an
authentication server, which additionally impacts performance. The table also shows expensiveness for
two rule elements that are not properties, but events.
Less expensive:
• URL
• URL.Host
• URL.Categories*
• Client.IP
• Proxy.IP
• Proxy.Port
• System.Hostname
• Properties used to check HTTP header information
Medium:
• URL.Destination.IP*
• Media.EnsuredTypes
• Properties* used for authenticating users
• Using the Composite Opener (enabled by an event)
More expensive:
• Antimalware.Infected
• Properties used in DLP (Data Loss Prevention) filtering
• Using the HTML Opener (enabled by an event)
Expensiveness of properties considered for individual rules
The guideline for using properties according to their expensiveness applies not only to a suitable
placement of rules and rule sets within the rule set system as a whole, but also to the use of
properties in individual rules.
The following rule blocks a request for access to a web server with a particular host name if this
request was sent by a client with a particular IP address.
Name: Block host abcd.com for client with IP address 1.2.3.4
Criteria: Client.IP equals 1.2.3.4 AND URL.Host matches *abcd.com
Action: –> Block<Default>
Event: Continue
When the rule is processed, the value for Client.IP is retrieved first to see where the request comes from. If it does not equal the configured operand, the rule does not apply and processing continues with the next rule. Only if the value for Client.IP is actually 1.2.3.4 is the value for URL.Host retrieved as well, to see if the criteria matches completely.
Client.IP is placed first in the criteria because comparing two client IP addresses is less expensive than
verifying that a host name matches a wildcard expression.
Using not more than two properties in the criteria of a rule
Using not more than two properties in the criteria of a rule (where possible) makes the rule easier to
understand for others and for you when you get back to it after some time.
The following sample rule allows access to destinations within a particular domain and for
administrators, but only if they use a particular port for access. There are four different properties in
the criteria of this rule for checking the following parameters:
• Host name of a URL — Is access requested to the configured domain?
• User group — Did authentication show that the user who sent the request is in the user group for administrators?
• Client IP address range — Was the request sent from a client with an IP address within the address range that is reserved for administrators?
• Proxy port — Is access to the domain requested over the configured port?
The rule looks as follows:
Name: Allow only administrators using port 9090 access to test domain
Criteria: URL.Host matches "testdomain.com" AND (Authentication.UserGroups does not contain "Administrator" OR Client.IP is not in range 192.168.42.0/24 OR Proxy.Port does not equal 9090)
Action: –> Block <Default>
For a match that lets the rule apply, the first part of the rule criteria requires that a request for access
to the test domain is actually submitted.
All other criteria parts are phrased negatively. If the user is not an administrator or the client IP
address is not within the configured range or the proxy port is not 9090, then the request is blocked.
In other words, only if a request for access to the test domain is sent by an administrator from a client
with an IP address that is within the configured range, using proxy port 9090, does this rule allow
access.
The last three criteria parts are included in parentheses, so a combined truth value can be found for
them and then checked together with the value for the first criteria part.
The same filtering behavior can be achieved by splitting this rule up into the following three rules.
Name: Check whether request is for accessing test domain
Criteria: URL.Host does not match *testdomain.com
Action: –> Stop Rule Set

Name: Block access if not over proxy port 9090
Criteria: Proxy.Port does not equal 9090
Action: –> Block <Default>

Name: Block users who are not administrators based on user name and client IP address
Criteria: Authentication.UserGroups does not contain "Administrator" OR Client.IP is not in range 192.168.42.0/24
Action: –> Block <Default>
The first of the three rules checks whether a request for access to the test domain is actually
submitted. If this is not the case, processing the rules that follow this rule within the same rule set is
stopped.
This means the two blocking rules that follow the first rule would not be processed. It is not necessary
to process them, however, as there is no attempt made to access the test domain in the first place.
When the two blocking rules are processed, they check the parameters that are involved in deciding
whether a request to access the test domain is allowed. The checking is performed in the same way as
in the preceding single rule with four properties in its criteria.
The parameters that concern the administrator status of a user are combined within one rule with two
properties.
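To make the evaluation order of the two preceding sections concrete, the following Python script is an added example (it is not part of the product guide and not Web Gateway code). It models a rule set as a list of rules whose properties are retrieved lazily and whose AND/OR criteria short-circuit left to right, then runs the guide's Client.IP/URL.Host rule, the single four-property rule, and its three-rule split, recording which properties each variant actually retrieves. The cost figures, the client address 192.168.42.17 and the sample group memberships are assumptions for illustration; the host names, the port 9090 and the address range 192.168.42.0/24 are the guide's own.

```python
"""Toy model of Web Gateway rule evaluation (constructed example, not product
code): properties are retrieved lazily, AND/OR short-circuit left to right, and
the actions Continue, Block and Stop Rule Set decide how processing goes on."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Callable

# Relative retrieval cost per property. The ranking (Client.IP and Proxy.Port
# cheap, authentication-related properties expensive) follows the guide's
# expensiveness table; the numbers themselves are assumed for illustration.
PROPERTY_COST = {
    "Client.IP": 1,
    "Proxy.Port": 1,
    "URL.Host": 2,
    "Authentication.UserGroups": 5,
}


@dataclass
class Request:
    """Request data plus a record of which properties were actually retrieved."""
    values: dict
    cost: int = 0
    retrieved: list = field(default_factory=list)

    def get(self, prop: str):
        # A value is fetched from its module only the first time a rule needs it.
        if prop not in self.retrieved:
            self.retrieved.append(prop)
            self.cost += PROPERTY_COST[prop]
        return self.values[prop]


@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]  # Python's and/or short-circuit like the criteria
    action: str                          # "Block", "Continue" or "Stop Rule Set"


def evaluate(rules: list, values: dict) -> dict:
    """Process one rule set top to bottom; return the final action ("Block" or
    "Continue"), the total retrieval cost and the properties retrieved, in order."""
    req = Request(dict(values))
    action = "Continue"
    for rule in rules:
        if not rule.criteria(req):
            continue                      # criteria not matched: try the next rule
        if rule.action == "Block":
            action = "Block"
            break
        if rule.action == "Stop Rule Set":
            break                         # the remaining rules of this set are skipped
        # action "Continue": the rule applied, processing moves on to the next rule
    return {"action": action, "cost": req.cost, "retrieved": req.retrieved}


def host_matches(req: Request, pattern: str) -> bool:
    """'URL.Host matches <wildcard expression>' from the guide's criteria."""
    return fnmatch(req.get("URL.Host"), pattern)


def ip_in_range(req: Request, cidr: str) -> bool:
    """'Client.IP is in range <network>' from the guide's criteria."""
    return ip_address(req.get("Client.IP")) in ip_network(cidr)


# The guide's rule that puts the cheap Client.IP check before URL.Host.
CHEAP_FIRST_RULES = [
    Rule("Block host abcd.com for client with IP address 1.2.3.4",
         lambda r: r.get("Client.IP") == "1.2.3.4" and host_matches(r, "*abcd.com"),
         "Block"),
]

# The guide's single rule with four properties in its criteria ...
SINGLE_RULE = [
    Rule("Allow only administrators using port 9090 access to test domain",
         lambda r: host_matches(r, "*testdomain.com") and (
             "Administrator" not in r.get("Authentication.UserGroups")
             or not ip_in_range(r, "192.168.42.0/24")
             or r.get("Proxy.Port") != 9090),
         "Block"),
]

# ... and its split into three rules with at most two properties each.
SPLIT_RULES = [
    Rule("Check whether request is for accessing test domain",
         lambda r: not host_matches(r, "*testdomain.com"), "Stop Rule Set"),
    Rule("Block access if not over proxy port 9090",
         lambda r: r.get("Proxy.Port") != 9090, "Block"),
    Rule("Block users who are not administrators based on user name and client IP address",
         lambda r: "Administrator" not in r.get("Authentication.UserGroups")
         or not ip_in_range(r, "192.168.42.0/24"),
         "Block"),
]

# Constructed sample requests. The client address 192.168.42.17 and the group
# memberships are assumed; host names, port and address range are the guide's.
ADMIN_REQUEST = {"URL.Host": "www.testdomain.com", "Proxy.Port": 9090,
                 "Client.IP": "192.168.42.17",
                 "Authentication.UserGroups": ["Administrator", "Staff"]}
STAFF_REQUEST = {**ADMIN_REQUEST, "Authentication.UserGroups": ["Staff"]}
OTHER_HOST_REQUEST = {**ADMIN_REQUEST, "URL.Host": "www.example.com"}
OTHER_CLIENT_REQUEST = {"URL.Host": "www.abcd.com", "Client.IP": "10.0.0.5"}

if __name__ == "__main__":
    for label, values in [("admin", ADMIN_REQUEST), ("staff", STAFF_REQUEST),
                          ("other host", OTHER_HOST_REQUEST)]:
        print(label, evaluate(SINGLE_RULE, values), evaluate(SPLIT_RULES, values))
    print("other client", evaluate(CHEAP_FIRST_RULES, OTHER_CLIENT_REQUEST))
```

Running the script shows that the single rule and the three-rule split reach the same verdict for every sample request, and that for a request to a host outside the test domain both variants stop after retrieving URL.Host alone. For the non-administrator request the single rule blocks after two retrievals while the split needs three, which matches the guide's remark that the two-property guideline improves readability rather than saving processing resources. In the Client.IP rule, a request from any other client never triggers the host-name match at all.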
Restrict access to configuration items
When creating rule sets, lists, or settings, or working with existing ones, you can restrict access to
them.
Task
1 Select Policy | Rule Sets (or Lists or Settings).
2 On the tree structure, navigate to the position where you want to add the new item.
3 Click Add above the tree structure.
  An Add window opens.
4 Complete the steps for adding a new item. Then click the Permissions tab.
  Three modes of access can be configured: Read and Write, Read, and No Access.
5 Click Add under the Read and Write pane.
  The Add Role or User window opens.
6 Select a role or a user (or more than one of each type at once) from the list in the corresponding pane. Or type a wildcard expression as the name of a role or user in the Wildcard field.
7 Add as many entries to the Read and Write list as needed.
  Use the Delete button under the pane to delete entries.
8 Fill the Read and No Access panes in the same way.
9 Use the radio buttons under All other roles have to configure access for all roles and users that are not included in one of the lists on the tab.
10 Click OK to close the window.
11 Click Save Changes.
7 Lists
Lists are used by rules for retrieving information on web objects and users.
There are several types of lists, which differ, for example, with regard to who created them or which
type of elements they contain. Accordingly, you work with these lists in different ways.
Lists appear in different places on the user interface, for example, in the criteria of rules and rule sets,
on the Lists tab, and within settings.
At the initial setup of the appliance, lists are implemented together with the rule set system.
You can then review the lists of the implemented system, modify and delete them, and also create
your own lists.
Contents
List types
Lists tab
Access a list
Create a list
Work with different types of lists
Subscribed lists
External lists
Map Type lists
Common Catalog
JavaScript Object Notation data
List types
Web security rules on Web Gateway use several types of lists for retrieving information about web
objects and users.
The following are the main list types:
• Custom lists — You can modify these lists. They are displayed on the upper branch of the lists tree on the Lists tab, for example, the list of URLs that are exempted from filtering.
Custom lists can have entries in string, number, category, and other formats. Lists with different formats can require different methods of maintaining them. Some custom lists are initially empty and must have their entries filled by you.
To the custom lists that Web Gateway provides after the initial setup, you can add lists that you create on your own.
• System lists — You cannot modify these lists. They are displayed on the lower branch of the lists tree on the Lists tab.
System lists include category, media type, and application name lists, as well as lists of connectors used for cloud single sign-on. They are updated when an upgrade to a new version of Web Gateway is performed.
System lists for Data Loss Prevention (DLP), application filtering, and the Dynamic Content Classifier can be included in automatic updates that you schedule.
• Inline lists — You can modify these lists, but they do not appear on the Lists tab. They appear inline as part of the settings for a configuration item, for example, a list of HTTP ports as part of the proxy settings.
• Subscribed lists — You set up these lists with a name on Web Gateway. They are initially empty and have their content retrieved from a data source that you subscribe to. Subscribed lists are displayed on the lists tree at the end of the custom lists.
There are two subtypes of subscribed lists:
  • McAfee-maintained lists — Content for these lists is retrieved from a McAfee server.
  A number of lists are available on the McAfee server, for example, lists of IP address ranges or media types.
  • Customer-maintained lists — Content for these lists is retrieved from a data source that you specify.
  Sources that you can specify are files on web servers running under HTTP, HTTPS, or FTP.
List content is maintained on the respective servers. To ensure that newer versions of this content are transferred to your lists on Web Gateway, you can perform updates manually or configure automatic updates.
• External lists — These lists reside on external sources under their own names. They have their content transferred to Web Gateway, where they provide the value of a property in a rule.
External list content is transferred during runtime, which means it is retrieved when the rule with the external list property is processed.
When the content has been retrieved, it is cached and reused until its date of expiration, which you can configure. After expiration, the transfer is repeated when the rule is processed again.
Sources that content can be retrieved from include files on web servers running under HTTP, HTTPS, FTP, or LDAP, and in particular types of databases. They also include files that are stored within your local file system.
• Map type lists — These lists store pairs of keys and values that are mapped to each other. You can create map type lists and fill list entries on Web Gateway, or retrieve them as subscribed or external lists from other sources.
Keys and values on map type lists are initially stored in string format, but can be converted into different formats using suitable properties in rules.
• Common Catalog lists — These lists can be pushed from a McAfee ePO server to Web Gateway.
Common Catalog lists can have entries in IP address, domain name, string, or wildcard expression format. They are maintained on the McAfee ePO server.
Lists tab
Use the Lists tab to work with lists.
Figure 7-1 Lists tab
Main elements of the Lists tab
The following table describes the main elements of the Lists tab.
Table 7-1 Main elements of the Lists tab
Element                Description
Lists toolbar          Items for working with the lists on the lists tree
Lists tree             Tree structure displaying the lists of the appliance configuration
List entries toolbar   Settings of the currently selected item on the settings tree
List entries           Entries of the currently selected list
Lists toolbar
The lists toolbar provides the following options.
Table 7-2 Lists toolbar
Option         Definition
Add            Opens the Add List window for adding a list.
Edit           Opens the Edit List window for editing a selected list.
Delete         Deletes a selected list.
               A window opens to let you confirm the deletion.
Import         Opens the file manager on your system to let you import a list.
Export         Opens the file manager on your system to let you export a list that you have selected on the lists tree.
View           Opens a menu to let you display the lists in different ways (A-Z, Z-A, by list type, with or without list types for which currently no lists exist).
Expand all     Expands all collapsed items on the lists tree.
Collapse all   Lets all expanded items on the lists tree collapse.
List entries toolbar
The list entries toolbar provides the following options.
Table 7-3 List entries toolbar
Option         Definition
Add            Opens the Add <List type> window for adding a list entry, for example, the Add String window.
Add multiple   Opens the Add <List type> window for adding multiple list entries if this is possible for a list type.
Edit           Opens the Edit <List type> window for editing a selected list entry, for example, the Edit String window.
Delete         Deletes a selected list entry.
               A window opens to let you confirm the deletion.
Move up        Moves an entry up the list.
Move down      Moves an entry down the list.
Filter         Input field for typing a filtering term to display only matching list entries.
               The filtering function works as soon as you type a character in the field.
Access a list
You can access a list on the Lists tab or by clicking a list name in a rule.
Tasks
• Access a list on the Lists tab on page 204
To access a list on the Lists tab, you locate it on the lists tree and select the list.
• Access a list in a rule on page 204
To access a list in a rule, you locate the rule on the Rule Sets tab and click the list name.
Access a list on the Lists tab
To access a list on the Lists tab, you locate it on the lists tree and select the list.
Task
1 Select Policy | Lists.
2 On the lists tree, navigate to the branch that contains the list you want to access and click the list name.
The list entries appear on the settings pane.
You can now work with the list.
Access a list in a rule
To access a list in a rule, you locate the rule on the Rule Sets tab and click the list name.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the rule set that contains the rule with the list you want to access.
The rules of the rule set appear on the settings pane.
3 Make sure Show details is selected.
4 In the rule with the list you want to access, do one of the following:
• Click the list name in the rule name if it is contained in this name.
• Click the list name in the rule criteria.
An Edit List <Type> window opens, where <Type> is the type of the list you are accessing.
You can now work with the list.
Create a list
You can create lists of your own in addition to those that were implemented on the appliance at the
initial setup or when you imported a list from the library.
Creating a list includes the following two steps:
• Adding a new list
• Filling the new list with entries
Tasks
• Add a new list on page 205
You can add a new list that you fill with entries later.
• Fill a list with entries on page 205
When you have added a new list on the appliance, you need to fill it with entries.
Add a new list
You can add a new list that you fill with entries later.
Task
1 Select Policy | Lists.
2 On the lists tree, navigate to the position where you want to add the list.
3 Click Add on the toolbar.
The Add List window opens, with the Add List tab selected.
4 Use the following items to configure general settings for the list:
• Name — Name of the list
• Comment — [Optional] Plain-text comment on the list
• Type — List for selecting a list type
5 [Optional] Click the Permissions tab and configure who is allowed to access the list.
6 Click OK.
The Add List window closes and the new list appears on the lists tree.
7 Click Save Changes.
You can now fill the list with entries.
Fill a list with entries
When you have added a new list on the appliance, you need to fill it with entries.
Task
1 Select Policy | Lists.
2 From the lists tree, select the list you want to add entries to.
3 Click Add on the settings pane.
The Add <List type> window opens, for example, the Add String window.
4 Add an entry in the way it is done for a particular list type.
5 [Optional] In the Comment field, type a plain-text comment on the list entry.
6 Click OK.
The Add <List type> window closes and the entry appears in the list.
7 Click Save Changes.
Work with different types of lists
Working with lists is done differently depending on the list type.
For example, if the type is String, you can add entries by typing strings in the String field of the Add
String window. However, if the type is MediaType, you need to select an entry from a media type folder,
which is part of a system of folders.
For string and wildcard expression lists, there is the option to add multiple entries at once by clicking
Add multiple and typing text for each entry in a new line.
For media type lists, you can select multiple entries or folders at once if you do not want to add them
separately.
Tasks
• Add a wildcard expression to a global whitelist for URLs on page 206
You can add a wildcard expression to a whitelist used by a global whitelisting rule.
• Add a URL category to a blocking list on page 207
You can add a URL category to a blocking list to block access to all URLs falling into that category.
• Add a media type to a media type filter list on page 207
You can add a media type to a list for media type filtering.
Add a wildcard expression to a global whitelist for URLs
You can add a wildcard expression to a whitelist used by a global whitelisting rule.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select a rule set that contains rules for global whitelisting, for example Global Whitelist.
The rules appear on the settings pane.
3 Find the rule that uses a whitelist to exempt requests when they submit URLs for hosts matching the wildcard expressions on the list, for example, URL.Host matches in list Global Whitelist, and click on the list name.
A yellow triangle next to the list name means the list is initially empty and you need to fill the entries.
The Edit List (Wildcard Expression) window opens.
4 Click Add.
The Add Wildcard Expression window opens.
5 In the Wildcard expression field, type a wildcard expression.
To add multiple wildcard expressions at once, click Add multiple and type every wildcard expression in a new line.
6 [Optional] In the Comment field, type a comment on the wildcard expression.
7 Click OK.
The window closes and the wildcard expression appears on the whitelist.
8 Click Save Changes.
Add a URL category to a blocking list
You can add a URL category to a blocking list to block access to all URLs falling into that category.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the rule set that contains rules for URL filtering.
The rules appear on the settings pane.
3 Find the rule that uses a category blocking list, for example, Block URLs whose category is in Category BlockList, and click on the list name.
A yellow triangle next to the list means that the list is initially empty and you need to fill the entries.
The Edit List (Category) window opens.
4 Expand the group folder with the category you want to block, for example, Purchasing, and select the category, for example, Online Shopping.
To add multiple categories at once, select multiple categories or one or multiple group folders.
5 Click OK.
The window closes and the category appears on the blocking list.
6 Click Save Changes.
Add a media type to a media type filter list
You can add a media type to a list for media type filtering.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, navigate to a rule set that contains rules for media filtering, for example, the nested Download Media Types rule set of the Media Type Filtering rule set, and select it.
The rules appear on the settings pane.
3 Select the rule Block types from Media Type Blocklist and click on the list name.
The Edit List (MediaType) window opens.
4 Click Edit.
An Edit window opens. It displays a list of group folders with media types.
5 Expand the group folder with the media type you want to add, for example, Audio, and select the media type, for example, audio/mp4.
To add multiple media types at once, select multiple media types or one or multiple group folders.
6 Click OK.
The window closes and the media type appears on the filter list.
7 Click Save Changes.
Subscribed lists
Lists for use in web security rules can be filled with content that is retrieved from suitable servers.
These lists are known as subscribed lists.
When working with subscribed lists, you only have to configure general settings, such as the list
name, yourself. For the list content, for example, IP addresses or URLs, you rely on a server, which
can be the McAfee server that is provided for maintaining subscribed lists or another server that you
specify.
Subscribed lists that retrieve their content from the McAfee server are known as McAfee-maintained
lists. Lists that retrieve their content from another server are known as customer-maintained lists.
After you have created a subscribed list, it appears on the Subscribed Lists branch of the lists tree on
the user interface. You can work with a subscribed list in the same way as with other lists on the lists
tree.
There is a restriction in size for subscribed lists. A subscribed list must not be larger than 4 MB or
contain more than 100,000 entries.
By configuring update schedules or performing updates manually, you ensure that the latest content is
made available to the web security rules by a subscribed list.
Retrieving list content from the McAfee server
When the content of a subscribed list is retrieved from the McAfee server that is provided for this
purpose, you select the type of content for this list from a catalog.
The content is maintained on the McAfee server. To ensure that McAfee-maintained lists hold the latest
content, you perform manual updates on the user interface of your appliance.
Retrieving list content from another server
When the content of a subscribed list is retrieved from a server other than the McAfee server, you
specify the URL for the file that holds this content on the server.
The content is maintained on this server. Updates for this kind of subscribed lists are performed
according to a schedule that you set up when configuring the list settings.
Create a subscribed list
To create a subscribed list, you configure general list settings and settings for the list content.
Task
1 Select Policy | Lists.
2 Above the lists tree, click the Add icon.
The Add List window opens.
3 Configure general settings for the list.
a In the Name field, type the list name.
b From the Type list, select the list type.
c Under Contains, select the type of entry that the list will contain.
d [Optional] In the Comments field, type a plain-text comment on the list.
e [Optional] Click the Permissions tab and configure who is allowed to access the list.
4 Select List content is managed remotely.
5 Configure settings for the list content.
• For list content that is retrieved from the McAfee server:
  • Under Source, select McAfee maintained list.
  • Click Choose.
  The Choose List Content window opens.
  • Select a content type.
  • Click OK to close the window.
• For list content that is retrieved from another server:
  • Under Source, select Customer maintained list.
  • Click Setup.
  The Setup window opens.
  • Configure settings for the list content.
  • Click OK to close the window.
6 Click OK again.
The Add List window closes and the list appears on the Subscribed Lists branch of the lists tree.
7 Click Save Changes.
Settings for subscribed lists content
When a subscribed list is maintained on a server other than the McAfee server, settings must be
configured for its content.
Table 7-4 Settings for subscribed list content
Option                      Definition
URL to download             Specifies the URL of a file with content for a subscribed list.
                            The format for specifying the URL is: HTTP | HTTPS | FTP ://<path>/<filename>.<extension>
Use this                    When selected, the certificate contained in the certificate authority chain appearing next to the radio button is used.
                            This is required if the connection to the server that provides the list content is an SSL-secured connection for communication under the HTTPS protocol.
Ignore certificate errors   When selected, certificate errors do not cause the retrieval of list content from a server to fail.
URL authentication          Provides settings for configuring a user name and password if authentication is required for access to a server.
                            • User name — Specifies a user name for authenticating to a server.
                            • Password — Sets a password for authenticating to a server.
Proxy                       Provides a list for selecting proxy servers that are used to access a server with list content.
                            By default, no proxy server is used to access a list content server.
Add Proxy                   Opens a window for adding a proxy server to the list.
List content update         Provides settings for configuring an update schedule for list content.
                            An update can be performed:
                            • Hourly at — Sets the minutes after the full hour.
                            • Daily at — Sets hours and minutes.
                            • Weekly at — Sets a day of the week with hours and minutes.
                            • Every — Sets the minutes of the interval that is to elapse before the next update happens.
Updating subscribed lists
Updates of subscribed lists content are performed manually or according to a schedule, depending on
whether the content is retrieved from the McAfee server that is provided for this purpose or from
another server.
For list content that is retrieved from the McAfee server, you must perform updates manually. Each
time you perform a manual update, all McAfee-maintained lists are updated together.
The content of McAfee-maintained lists is also updated each time you create a new list of this kind.
For list content that is retrieved from a server other than the McAfee server, updates are performed
according to a schedule. Each subscribed list has a schedule of its own. You can set up and modify the
schedule when configuring the settings for the list content.
When administering subscribed lists on a node in a Central Management configuration, updates are
shared by all other nodes within the update group.
The update group is configured in the section This Node is a Member of the Following Groups of the Central
Management settings.
Update subscribed lists maintained on the McAfee server
For subscribed lists that are maintained on the McAfee server, you must perform updates manually.
The content of McAfee-maintained lists is also updated each time you create a new list.
Task
1 Select Configuration | Appliances.
2 On the toolbar above the appliances tree, click Manual Engine Update.
The content of all McAfee-maintained lists is updated.
Creating a content file for a customer-maintained list
When a subscribed list has been configured as a customer-maintained list, a content file describing the
list structure must be created and stored on the web server that the content for this list is retrieved
from.
A content file is created in txt or xml format, depending on whether it describes the structure of a
simple or complex customer-maintained list. For simple lists, the content file can be created in both
formats, for complex lists in xml format only.
Simple customer-maintained lists can be lists of the following types: Application Name, Category,
Dimension, IP, IPRange, MediaType, Number, String, Wildcard Expression.
Complex customer-maintained lists can be lists of the following types: Certificate Authority, Extended List Element, HostAndCertificate, ICAP Server, NextHopProxy.
Content file for a simple list in txt format
The following is an example of a content file in txt format for a customer-maintained list of the
Wildcard Expression type.
type=regex
"*.txt" "txt file extension"
"*.xml" "xml file extension"
The example illustrates the following conventions for a content file in txt format.
• The first line in the file specifies the type of the customer-maintained list that the content file is provided for. The format is: type=<list type>
For the list type, one of the following terms must be used: applcontrol, category, dimension, ip, iprange, mediatype, number, string, regex.
• The lines below the first line are for list entries in the customer-maintained list.
A line contains as many items as a list entry in the customer-maintained list. Each item is included in double quotes.
An entry in a list of the Wildcard Expression type contains two items. One is the wildcard expression, the other is a comment that describes the wildcard expression.
The following example illustrates some more conventions for a content file.
type=string
"withoutDescription"
"*emptyDescription\"\"\" ""
"data   with   description   and more spaces in-between"   "description"
"data   with   spaces*
"   "description"
"Hello\"Michael\" \"Michael!\"" ""
• An entry in a list of the String type also contains two items: the string and a comment that describes it. However, the description can be omitted.
If the description is omitted, the item for it in the content file can also be omitted, which is shown in line 2.
• Alternatively, if the description is omitted, this can be represented by two double quotes with nothing in between, as shown in line 3.
The line also illustrates the following:
  • Double quotes occurring in a string must be masked by a following backslash.
  • A backslash that does not follow on double quotes represents itself (a backslash).
  • Non-alphanumerical characters, such as the * (asterisk), are allowed at the beginning of a string.
On the user interface, the list entry specified in line 3 would look as follows: *emptyDescription\""
• If multiple spaces are inserted between items in the content file, they are ignored in the list entries of the customer-maintained list.
On the user interface, the entry specified in line 4 would therefore look as follows: "data with description and more spaces in-between" "description"
• Multiple spaces within a string in a content file are also ignored in the list entry of the customer-maintained list.
So, on the user interface, the entry specified in line 5 would look as follows: "data with spaces*
" "description"
• Line 6 illustrates several of the already mentioned conventions.
Content file for a simple list in xml format
The following is an example of a content file in xml format for a customer-maintained list of the
Wildcard Expression type. The list content is the same as in the first example of the preceding
subsection.
<content type="regex">
<listEntry>
<entry>*.txt</entry>
<description>txt file extension</description>
</listEntry>
<listEntry>
<entry>*.xml</entry>
<description>xml file extension</description>
</listEntry>
</content>
For the content type, the same terms must be used as for a content file in txt format.
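Checking a content file before publishing it on the web server saves a failed update later. The following is an added example (not McAfee code) of a validator for the txt format conventions described in the two preceding subsections, including the masking rule for double quotes, the collapsing of multiple spaces, and the size limits stated for subscribed lists; it also renders the parsed content in the xml format shown above, so the same file can be checked in both forms. The sample content file is constructed for the example: lines 2 to 5 repeat the page's own example, the last line adds a string with masked double quotes.

```python
"""Validate a customer-maintained content file in txt format and render it
in the equivalent xml format.

Added example, not McAfee code. It implements the conventions documented
above: a first line 'type=<list type>', one entry per following line with
each item in double quotes, a double quote inside a string masked by a
following backslash, any other backslash standing for itself, and runs of
spaces collapsed. The size limits are the ones stated for subscribed lists.
"""
import re
import xml.etree.ElementTree as ET

SIMPLE_TYPES = {"applcontrol", "category", "dimension", "ip", "iprange",
                "mediatype", "number", "string", "regex"}
MAX_BYTES = 4 * 1024 * 1024      # subscribed list size limit
MAX_ENTRIES = 100_000            # subscribed list entry limit


def parse_content_file(text):
    """Return (list_type, entries); each entry is the list of its items."""
    if len(text.encode("utf-8")) > MAX_BYTES:
        raise ValueError("content file exceeds 4 MB")
    first, _, body = text.partition("\n")
    match = re.fullmatch(r"type=(\w+)", first.strip())
    if not match or match.group(1) not in SIMPLE_TYPES:
        raise ValueError(f"bad or unknown list type line: {first!r}")
    entries, items, buf = [], [], None   # buf is None while outside a string
    i = 0
    while i < len(body):
        ch = body[i]
        if buf is None:                          # between items
            if ch == "\n":
                if items:                        # a line break ends the entry
                    entries.append(items)
                    items = []
            elif ch == '"':
                buf = []                         # start of a quoted item
            elif ch not in " \r":
                raise ValueError(f"unquoted text at offset {i}: {ch!r}")
        elif ch == '"' and body.startswith("\\", i + 1):
            buf.append('"')                      # '"\' is a masked double quote
            i += 1                               # skip the masking backslash
        elif ch == '"':
            items.append(re.sub(" {2,}", " ", "".join(buf)))
            buf = None
        else:
            buf.append(ch)                       # any other character, newline included
        i += 1
    if buf is not None:
        raise ValueError("unterminated string at end of file")
    if items:
        entries.append(items)
    if len(entries) > MAX_ENTRIES:
        raise ValueError("more than 100,000 entries")
    return match.group(1), entries


def is_valid(text):
    """True when the file parses under the conventions above."""
    try:
        parse_content_file(text)
        return True
    except ValueError:
        return False


def to_xml(list_type, entries):
    """Render the parsed content in the xml format shown above."""
    root = ET.Element("content", type=list_type)
    for items in entries:
        entry = ET.SubElement(root, "listEntry")
        ET.SubElement(entry, "entry").text = items[0]
        # The description item may be omitted or empty in the txt file.
        ET.SubElement(entry, "description").text = items[1] if len(items) > 1 else ""
    return ET.tostring(root, encoding="unicode")


# Constructed sample: lines 2 to 5 follow the page's example, the last line
# adds a string with masked double quotes.
SAMPLE_TXT = "\n".join([
    "type=string",
    '"withoutDescription"',
    '"*emptyDescription\\"\\"\\" ""',
    '"data   with   description   and more spaces in-between"   "description"',
    '"data   with   spaces*',                    # the string continues on the next line
    '"   "description"',
    '"say "\\hi"\\ to all" "greeting"',
    "",
])

if __name__ == "__main__":
    print(to_xml(*parse_content_file(SAMPLE_TXT)))
```

Line 3 of the sample parses to the entry *emptyDescription\"" with an empty description, which is what the text above says the user interface shows for it; the line-6 entry of the page's example is not included in the sample because its quoting does not parse under the masking rule as documented.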
Content files for complex lists
Manually creating a content file for a complex customer-maintained list is rather difficult. However,
you can use the options of the user interface to export an existing complex list and store it in a file.
In this file, the complex list appears in xml format. If you delete all lines in the file that precede the
opening <content> tag and follow the closing </content> tag, you almost get a content file for that
complex list.
Then you only need to modify the opening <content> tag to read <content type="<file type>">, for example, <content type="nexthopproxy">.
The terms you can use to specify the file type are: ca, extendedlist, icapserver,
hostandcertificate, nexthopproxy.
Best practices - Working with a McAfee-maintained subscribed list
You can use a subscribed list that is maintained by McAfee in a rule of your web security policy, for
example, to let particular traffic bypass SSL scanning.
Web traffic might be sent from the clients of your corporate network to particular destinations, for
example, WebEx applications, using SSL-secured connections. When this traffic is received on Web
Gateway, you might want to let it skip SSL scanning.
For this purpose, you need a list with the IP address ranges that are used by WebEx. As these
addresses change frequently, McAfee maintains an address list, saving you the effort of keeping this
list up to date manually.
The list is included in the update schedule that you configure on Web Gateway to make sure that any
updates by McAfee are eventually passed on to your Web Gateway appliance or to all the appliances
that you are running in a Central Management configuration.
To use this McAfee-maintained list in your web security policy:
• Create an empty list of your own and let this list be filled with WebEx address ranges from the McAfee list
• Set up a rule that uses your list to let requests for accessing WebEx destinations skip SSL scanning
Create a McAfee-maintained subscribed list with IP address ranges
To create a subscribed list with IP address ranges for WebEx applications that is maintained by
McAfee, create a list of your own and let its content be provided by a McAfee-maintained list.
Task
1 Select Policy | Lists.
2 Above the lists tree, click the Add icon.
3 In the Add List window, configure a list as follows.
a Configure general settings for the list:
  • Name: WebEx Subscribed List or any other suitable name
  • Type: IPRange
b Select List content is managed remotely.
c Select McAfee-maintained list and click Choose.
d In the Choose List Content window, select the list named WebEx IP Ranges.
4 Click OK in both windows.
The list appears on the Subscribed Lists branch of the lists tree.
5 Click Save Changes.
You can now use the list that you have created in a suitable rule.
Use a McAfee-maintained subscribed list in a rule
To use a McAfee-maintained subscribed list in a rule that performs a suitable action on web traffic to
particular destinations, configure the list as part of the rule criteria.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the SSL Scanner default rule set and click Unlock View to view the complete rules view.
3 Make sure the rule set is enabled and select the nested Handle CONNECT Call rule set.
4 Click Add Rule and in the window that opens configure a rule as follows.
a Under Name, type the rule name, for example, Bypass SSL scanning for WebEx destinations.
b Under Criteria, configure the following:
  • Property: URL.Destination.IP
  • Operator: is in range list
  • Compare with (operand): WebEx IP Ranges Subscribed Lists
c Under Action, select Stop Rule Set.
d Click Finish.
The window closes and the rule appears at the end of the rules in the rule set.
e Move the rule into first position.
5 Click Save Changes.
Requests for destinations with the IP addresses on the WebEx list will now bypass SSL scanning on Web Gateway.
External lists
Data can be retrieved from external sources, for example, web servers, and used in rules on the
appliance.
This data can be a complete list or a single value. It is generally referred to as external lists or
external list data. Different data types can be used in an external list, such as strings, numbers, IP
addresses, and others.
An important feature of external lists is that they are processed dynamically on the appliance. All
retrieving and conversion of external list data happens at run time when the data is first used in a
rule.
When the data has been retrieved, it is stored in an internal cache for a period of time that you can
configure, but not on disk, so it will not persist after a restart of the appliance. Also external lists do
not appear on the lists tree of the user interface.
External lists properties
Access to data retrieved from external sources is provided through special properties. The name of an
external list property is ExtLists.<type>, where <type> is the type of elements in the list that is the
value of the property. For example, the value of ExtLists.IntegerList is a list of integers. Possible list
element types include String, Number, Wildcard Expression, and others.
Usually the value of an external list property is a list, but there are also external list properties for single values. When an external source delivers more than one value as input for the latter type of property, only the last value is retrieved and stored.
External list data can be filtered, depending on the source type, and converted into a different format,
depending on the type of the property used in a given rule.
By configuring parameters for an external list property, you can specify placeholders that are
substituted with property parameters at run time. Using these placeholders, you can let the content of
an external list depend on criteria such as a user name or user group name.
For logging purposes, you can use the ExtLists.LastUsedListName property, which has as its value the
name of the settings for the External Lists module that were used last.
External Lists module
To specify which data is to be retrieved from an external source, you need to configure the settings of
the External Lists module (also known as the External Lists filter or engine), which retrieves the data.
When external data cannot be retrieved successfully, the External Lists module returns an error code,
which you can process using Error Handler rules. A separate range of error IDs is available for this
purpose.
The External Lists module consumes memory for caching data that it retrieves from external sources.
You should take this into account when setting up rules for external list handling.
Sources of external list data
The sources of the content that external lists are filled with can be the following:
• A web service, which is accessed under the HTTP, HTTPS, or FTP protocol
• A file within your local file system
• An LDAP or LDAPS server
• A database:
  • PostgreSQL
  • SQLite3
For performing queries on the databases, the SQL query language is used. However, the particular
query format differs between the two database types.
As an SQLite3 database is file-based, we recommend it for testing rather than for production
environments. However, you might still want to use it if you already have data in a database of this
type. Otherwise it is easier to use Web Service or File data sources for retrieving external list content.
Recommended use
Working with the external lists feature is recommended in cases like the following.
You need to handle a large number of lists that are mostly stored in external sources, you are running
multiple appliances as nodes in a Central Management configuration, and you need to apply frequent
changes to the list data.
Synchronizing all list data on all nodes could then no longer be scalable.
Use of external list data in rules
To handle external list data, you need to configure rules that contain suitable external list properties in
their criteria.
Suppose you want to block a request for a web object if its URL has a destination IP address that is
within one of the IP address ranges on a list that is stored in an external source.
You can achieve this with the following rule:
Block URLs with IP addresses in forbidden range
URL.Destination.IP is in range ExtLists.IPRangeList(" ", " ", " ")<External Lists> -> Block<URL Blocked>
When the rule is processed, it is checked whether the IP address that is the value of the
URL.Destination.IP property is within one of the ranges on the list that is the value of
ExtLists.IPRangeList.
Together with the external list property, the <External Lists> settings are specified. These are the
settings that the External Lists module uses to retrieve the appropriate data as the value for the
external list property.
You need to configure these settings to let the module know where a particular external list can be
retrieved from and how the retrieval is performed. For example, if this list is stored in a text file on a
web server, you can specify the URL that allows access to the file.
Other information that you can configure as part of these settings includes timeouts and size limits.
The parameters of an external list property are optional. They are empty in this example.
By default, no rules for handling external lists exist on the appliance. If you want to use external list
data to restrict web access for the users of your network, you need to set up one or more rules like
the above and insert them into a suitable rule set.
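As an added illustration of what the rule above checks (example code written for this guide's text, not part of Web Gateway): the retrieved list is a constructed plain-text file of IP ranges, it is parsed into network objects, and the destination IP is tested against them the way "URL.Destination.IP is in range ExtLists.IPRangeList" would be. The list format (one CIDR block or first-last range per line) and the function names are this example's own assumptions; the product's list syntax is not described on this page.

```python
import ipaddress

# Constructed sample of the plain-text list an external source might deliver
# (not data from the product guide): one IP range per line, either in CIDR
# notation or as "first-last". Blank lines and "#" comments are ignored.
SAMPLE_RANGE_LIST = """
# forbidden destination ranges (constructed sample)
203.0.113.0/24
198.51.100.10-198.51.100.20

192.0.2.128/25
"""


def parse_ip_ranges(text):
    """Convert the retrieved text into a list of ip_network objects.

    A "first-last" entry is expanded into the minimal set of CIDR blocks
    that covers it, so every entry ends up as an ip_network.
    """
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "-" in line:
            first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            ranges.extend(ipaddress.summarize_address_range(first, last))
        else:
            ranges.append(ipaddress.ip_network(line, strict=False))
    return ranges


def destination_ip_in_range(destination_ip, ranges):
    """Mirror of the criterion 'URL.Destination.IP is in range ExtLists.IPRangeList'."""
    ip = ipaddress.ip_address(destination_ip)
    # A v4 address is never "in" a v6 network and vice versa; ipaddress handles that.
    return any(ip in net for net in ranges)


def evaluate_rule(destination_ip, list_text=SAMPLE_RANGE_LIST):
    """Return the action the rule takes: 'Block' when the IP is in a forbidden range."""
    if destination_ip_in_range(destination_ip, parse_ip_ranges(list_text)):
        return "Block"
    return "Continue"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.15", "198.51.100.21", "192.0.2.1"):
        print(ip, "->", evaluate_rule(ip))
```

In the product the list text comes from the External Lists module using the settings referenced in the rule; here the fetch is replaced by the embedded sample so the check runs offline.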
Substitution and placeholders
To allow more flexibility in retrieving external list data, placeholders can be used when configuring the
settings of the External Lists module, for example, in URLs.
A placeholder is substituted at run time with a value that you provide as a parameter of an external
list property.
For example, you want to retrieve data from a web service that delivers lists of media types allowed
for individual users. A URL for a particular media type list would then be:
http://my-web-service.com/mediatypes?user=<value>
where <value> is the name of a user.
Configuring separate settings for the External Lists module to cover each user individually would be
tiresome, so you can use a placeholder in the following way:
• For the Web service's URL parameter in the settings, you specify:
  http://my-web-service.com/mediatypes?user=${0}
  where ${0} is a placeholder for the first of the three parameters of the external list property you
  are using in a rule.
• For the first parameter of the external list property, you specify the Authentication.Username
  property.
This retrieves a list with the media types that are allowed for an individual user. The user name is the
one that this user submitted when required to authenticate after sending a request to access media of
a particular type.
You can use the following two types of placeholders:
• ${<n>} — Placeholder that is substituted with a converted value
  <n> is the position number (0, 1, 2) for a parameter of an external list property. At run time, this
  placeholder is substituted by the value that you specified when configuring the parameter.
  Before the placeholder is substituted, the value is converted. This process is also known as
  "escaping". The conversion is performed according to the internal rules of the data source that is
  involved.
  For example, if the source is a web service, it replaces all characters that are not allowed by %XX
  sequences, as is specified in the corresponding HTTP standard (RFC 2616).
• $<<n>> — Placeholder that is substituted with a non-converted value
  As above, but without conversion. This means you need to ensure yourself that the substitution
  does not lead to unwanted results.
  You can use this type of placeholder when complete URLs, rather than parts of them, are to be
  substituted.
Configure the External Lists module
You can configure settings for the External Lists module to provide the information the module needs
to retrieve external list data.
By default, no settings exist for this module on the appliance. You need to add individual settings and
configure them for each external list you want to retrieve data from in a rule.
Task
1 Select Policy | Settings.
2 On the settings tree, select External Lists and click Add.
  The Add Settings window opens.
3 In the Name field, type the settings name.
4 [Optional] In the Comment field, type a plain-text comment on the settings.
5 [Optional] Click the Permissions tab and configure who is allowed to access the settings.
6 Configure the other settings parameters as needed.
7 Click OK.
  The window closes and the settings appear under External Lists on the settings tree.
8 Click Save Changes.
External Lists module settings
The External Lists module settings are used to configure the module that retrieves data from external
sources.
Data Source Type
Settings for the type of source that data is retrieved from
You can configure specific settings for each source type in another section, which appears depending
on what you select here.
Table 7-5 Data Source Type
Web service
    Data is retrieved using a web service under the HTTP, HTTPS, or FTP protocol.
File on disk
    Data is retrieved from a file within your local file system.
LDAP
    Data is retrieved from an LDAP server.
Database
    Data is retrieved from a PostgreSQL or SQLite3 database.
Common Parameters
Settings for time limits in handling external lists
Table 7-6 Common Parameters
Operation timeout
    Limits the time (in seconds) that elapses before an operation for handling external lists
    is aborted if it cannot be completed successfully.
    This option applies when the source of an external list is a web server. The timeout is
    reached, for example, when a web server does not respond to a request from the
    appliance.
    You can specify the expiration of retrieved list data as:
    • Simple expiration — When selected, you can specify the time (in minutes) to elapse
      before retrieved list data is removed from the internal cache in the Expiration time
      input field.
    • Scheduled expiration — When selected, you can specify the time that is to elapse before
      an external list is removed from the internal cache in several input fields that appear.
Expiration time
    Limits the time (in minutes) that elapses before retrieved data is removed from the
    internal cache to the specified value.
Minutes/Hours/Days/Months/Week days
    Limits the time that elapses before retrieved data is removed from the internal cache
    to the specified value.
    These input fields appear when you select Scheduled expiration.
    Your input must be in a "cron"-compliant format because the removal is calculated and
    performed by a cron job. For more information, see the crontab (5) man page of the
    documentation for Linux (UNIX) operating systems.
    You can specify values in one of these fields or in any combination of fields.
Data Conversion Settings
Settings for converting data that is retrieved from an external source
These settings are only available when you have selected Web service or File on disk as the source of the
data.
Table 7-7 Data Conversion Settings
Data type
    Lets you select the input format of the data that is converted.
    You can select one of the following:
    • Plain text — The data is in plain-text format.
      Each line appears as a separate entry in a converted list.
      Optionally, you can specify a regular expression as a filtering term in the input field
      below. Only strings matching this term are then entered into the list.
      If there is no grouping operator in the regular expression, the complete string is
      stored in a list. Otherwise, the data captured by the first group is stored.
    • XML — The data is in XML format.
      You need to specify an XPath expression to select the data that is to be retrieved.
      Data can be retrieved, for example, according to XML tags or attributes.
Regular expression
    Specifies a regular expression used to retrieve the data that is converted.
    This option appears when you have selected Plain text under Data type.
XPath expression
    Specifies an XPath expression used to retrieve the data that is converted.
    This option appears when you have selected XML under Data type.
    For information on how to use XPath expressions, refer to appropriate documentation,
    for example, the XPath tutorial that is provided on the w3schools site.
XPath expression for second attribute (only for MapType)
    Specifies an XPath expression for a second attribute used in retrieving Map Type
    conversion data.
    The data retrieved using the second attribute provides the value of a Map Type
    key-value pair. Data for the key is retrieved using a first attribute, which is configured
    by specifying an XPath expression in the XPath expression field.
    The number of entries that are retrieved from an external list using this XPath
    expression must be the same as the number of entries retrieved with the expression
    for the first attribute. The order in which entries are retrieved using the two
    expressions must also be the same.
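The following added example (not code from the product; written here to illustrate Table 7-7) shows the two data types as a small Python converter: plain text becomes one entry per line, an optional regular expression keeps only matching lines and stores either the whole match or the first group, and XML input is queried with an XPath expression. The XPath support is the limited subset that Python's ElementTree implements, and treating a trailing "/@attribute" as an attribute selection is this example's own convention, so both are assumptions rather than the module's behaviour; the sample inputs and function names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the product guide).
PLAIN_TEXT_SAMPLE = """# constructed sample: one entry per line
www.example.com
# a comment line
cdn.example.net
bad entry with spaces
"""

XML_SAMPLE = """<?xml version="1.0"?>
<hosts>
  <host name="www.example.com" role="web"/>
  <host name="cdn.example.net" role="cdn"/>
</hosts>
"""


def convert_plain_text(data, regex=None):
    """Plain text: each line becomes an entry.

    With a regular expression, only matching lines are kept; the first
    group is stored if the expression has one, otherwise the complete
    matched string (this mirrors the Plain text rules in Table 7-7).
    """
    pattern = re.compile(regex) if regex else None
    entries = []
    for line in data.splitlines():
        if pattern is None:
            entries.append(line)
            continue
        m = pattern.search(line)
        if m is None:
            continue                      # not matching: not entered into the list
        entries.append(m.group(1) if pattern.groups else m.group(0))
    return entries


def convert_xml(data, xpath):
    """XML: select data with an ElementTree-style XPath expression.

    An expression ending in '/@attr' returns the attribute values of the
    selected elements (example convention); otherwise their text content.
    """
    root = ET.fromstring(data)
    if "/@" in xpath:
        path, attr = xpath.rsplit("/@", 1)
        return [el.get(attr) for el in root.findall(path) if el.get(attr) is not None]
    return [el.text for el in root.findall(xpath)]


if __name__ == "__main__":
    print(convert_plain_text(PLAIN_TEXT_SAMPLE))
    print(convert_plain_text(PLAIN_TEXT_SAMPLE, r"^[\w.-]+$"))                  # whole match
    print(convert_plain_text(PLAIN_TEXT_SAMPLE, r"^([\w-]+)\.example\.(?:com|net)$"))  # first group
    print(convert_xml(XML_SAMPLE, ".//host/@name"))
    print(convert_xml(XML_SAMPLE, ".//host[@role='cdn']/@name"))
```

The regular-expression form is the one to reach for when a file mixes comments or other noise with list entries, because unfiltered plain text would turn every comment line into a list entry.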
Web Service Specific Parameters
Settings applying when the source of an external list is provided by a web service
These settings appear when Web service is selected in the Data Source Type section.
Table 7-8 Web Service Specific Parameters
Web service's URL
    Specifies the URL of a file on a web server that contains an external list and
    is provided by a particular web service (HTTP, HTTPS, or FTP).
    You can specify a placeholder inside the URL.
Specify authentication data
    When selected, you can specify information for an authentication that must
    be performed successfully before data can be retrieved from a web service.
Type of HTTP authentication
    Provides a list for selecting a type of HTTP authentication.
    Supported types are: None, Basic, Digest.
User's name
    Specifies a user name that is submitted for authentication.
User's password
    Sets a password that is submitted for authentication.
    Click Set to open a window for setting a password.
Use next-hop proxy for access to server
    When selected, access to the web server is achieved using a next-hop proxy
    server.
    After selecting this checkbox, the following three items become accessible.
List of next-hop proxy servers to use
    Provides a list for selecting a list of servers that can be used as next-hop
    proxies to access a web server.
    Click Add or Edit to open windows for adding a new list or editing an existing
    list.
List of certificate authorities
    Provides a list for selecting a list of certificate authorities that can be used
    in SSL-secured communication with a web service.
    Click Add or Edit to open windows for adding a new list or editing an existing
    list.
List of additional HTTP headers
    Provides a list for selecting headers that are added to an HTTP request after
    it has been received on an appliance.
The following table describes the elements of an entry in the List of additional HTTP headers.
Table 7-9 Additional HTTP headers – List entry
Header name
    Specifies the name of a header that is added to an HTTP request.
Header value
    Specifies the value of a header that is added to an HTTP request.
Comment
    Provides a plain-text comment on a header.
File Specific Parameters
Settings applying when the source of an external list is a file within your local file system
These settings appear when File on disk is selected in the Data Source Type section.
Table 7-10 File Specific Parameters
Full path to the file
    Specifies the path to the file within your local file system that is the source of an
    external list.
    To restrict the possible location of the file, you can specify a part of your local file
    system when configuring the External Lists system settings. The file must then be
    within the specified part, for example, opt/mwg/temp.
LDAP Specific Parameters
Settings applying when the source of an external list is an LDAP server
These settings appear when LDAP is selected in the Data Source Type section.
Table 7-11 LDAP Specific Parameters
LDAP server's URL
    Specifies the URL of the LDAP server that an external list is retrieved from.
    You can specify a placeholder inside the URL.
List of certificate authorities
    Provides a list for selecting a list of certificate authorities that can be used in
    SSL-secured communication with an LDAP server.
    Click Add or Edit to open windows for adding a new list or editing an existing list.
User name
    Specifies the user name the appliance submits when attempting to connect to the
    LDAP server.
LDAP password
    Sets the password that an appliance submits when attempting to connect to an
    LDAP server.
    You can set or change the password using the Set/Change toggle button that is
    provided.
Search DN
    Specifies the name of a domain in the database on an LDAP server that is searched
    for an external list.
    You can specify a placeholder inside this name.
Search scope
    Lets you select the scope of the search for an external list on an LDAP server.
    • Subtree — The complete subtree of the domain specified under Search DN is searched.
    • One level — Only one level below the domain specified under Search DN is searched.
    • Base — Only the base of the domain specified under Search DN is searched.
Search filter
    Specifies a term for filtering the results of the search for an external list on an LDAP
    server.
    Only if the name of an entry in the database matches the filtering term is the item
    that the entry represents retrieved.
    You can specify a placeholder within this term.
Attribute
    Specifies the attribute of an item in the database on an LDAP server that is the
    intended search result, for example, an email address.
Second attribute (only for MapType)
    Specifies a second attribute of a database item on an LDAP server that is the
    intended search result when the data for this item is Map Type data.
    The data retrieved using the second attribute provides the value of a Map Type
    key-value pair. Data for the key is retrieved using a first attribute, which is
    configured in the Attribute field.
Enable LDAP version 3
    When selected, version 3 of the LDAP protocol is used.
    If you disable this option, you need to provide the encoding that is used for
    communication with the LDAP server. The input field for this information appears
    when you deselect Enable LDAP version 3.
Allow LDAP library to follow referrals
    When selected, referrals to locations outside the LDAP server that a search for an
    external list is performed on can be followed to retrieve the list.
Database Specific Parameters
Settings applying when the source of an external list is a database
These settings appear when Database is selected in the Data Source Type section.
Table 7-12 Database Specific Parameters
SQL query
    Specifies a string to denote the type of query that is performed on a database.
    The default type of query used for retrieving external list information is SELECT.
    You can put a ; (semicolon) at the end of the string, but this is not required.
    A query can also use placeholders to include variable data.
    If the $N placeholder is used, the data that is filled in as the value of the variable is
    "escaped" to prevent an SQL injection. Then a \ (backslash) is replaced with \\ (double
    backslash), and a ' (apostrophe) is preceded by a \ (backslash).
    An SQL query usually returns one data column. If you perform a query that returns
    multiple columns, only the first is used for external list content.
    To retrieve content from several columns, you need to specify combined columns for
    output, using appropriate SQL operators.
Type of database
    Specifies the type of database that external list content is retrieved from.
    The following two types are available:
    • PostgreSQL
    • SQLite3
    After selecting a database type, database-specific parameters appear according to this
    type.
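Placeholder substitution as described under "Substitution and placeholders" and in the SQL query entry above, as an added Python example (not the product's code): ${n} is replaced with a value converted for the data source, $<n> with the raw value. The web-service conversion uses percent-encoding (urllib.parse.quote), the SQL conversion applies the two rules the table states (backslash doubled, apostrophe preceded by a backslash), and the LDAP filter conversion follows RFC 4515 as an assumption, because the guide does not spell out that source's rules. The function names, the source-type keys and the sample parameters are constructed.

```python
import re
from urllib.parse import quote

# Placeholder forms described in the guide: ${n} is substituted with a value
# converted ("escaped") for the data source, $<n> with the raw value.
_PLACEHOLDER = re.compile(r"\$\{(\d+)\}|\$<(\d+)>")


def escape_for_web_service(value):
    """Percent-encode every character not allowed in a URL component (%XX)."""
    return quote(value, safe="")


def escape_for_sql(value):
    """Escaping as described for the SQL query setting: a backslash becomes a
    double backslash, and an apostrophe is preceded by a backslash."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_for_ldap_filter(value):
    """Assumed escaping for an LDAP search filter value (RFC 4515 rules);
    the guide does not state the LDAP source's conversion rules, so this is
    an assumption, not the product's implementation."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


ESCAPERS = {
    "web": escape_for_web_service,
    "sql": escape_for_sql,
    "ldap": escape_for_ldap_filter,
}


def substitute(template, params, source_type):
    """Replace ${n} (converted) and $<n> (unconverted) placeholders in a
    module setting with the external list property's parameters."""
    escaper = ESCAPERS[source_type]

    def repl(m):
        if m.group(1) is not None:               # ${n}: converted value
            return escaper(params[int(m.group(1))])
        return params[int(m.group(2))]           # $<n>: raw, caller's responsibility

    return _PLACEHOLDER.sub(repl, template)


if __name__ == "__main__":
    params = ["o'brien & co", "", ""]            # constructed first parameter
    print(substitute("http://my-web-service.com/mediatypes?user=${0}", params, "web"))
    print(substitute("SELECT mediatype FROM allowed WHERE username = '${0}'", params, "sql"))
    print(substitute("(&(objectClass=person)(uid=${0}))", params, "ldap"))
    # $<n> is the form for substituting a complete URL rather than a part of it
    print(substitute("$<0>", ["http://my-web-service.com/full/list.txt"], "web"))
```

Run with a parameter that carries an apostrophe or an ampersand and compare the two forms: the ${n} output stays inside the quoted SQL literal or the URL query value, while the $<n> output is inserted verbatim, which is why that form is reserved for substituting whole URLs.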
Table 7-13 PostgreSQL Database Specific Parameters
Database host
    Specifies the host name of the server that a database resides on.
Database port
    Specifies the port number of the port on a database host that listens to
    queries for retrieving external list content.
    The default port number is 5432.
Name of database on database server
    Specifies the name a database is known under on the database server.
Database user name
    Specifies the user name of an appliance when connecting to a database
    server.
Database password
    Sets a password for the user name of an appliance.
    The Set button opens a window for setting the password.
Table 7-14 SQLite Database Specific Parameter
File path to SQLite database
    Specifies the full path to the file on an appliance that contains a database.
Advanced Parameters
Settings for advanced methods of handling external lists
Table 7-15 Advanced Parameters
Skip "bad" entries during data conversion
    When selected, data that cannot be converted to the required type, such as
    Integer, Double, or Boolean, is omitted.
Maximal number of entries to fetch
    Limits the number of entries that are retrieved from an external list to the
    specified value.
    The number can range from 0 to unlimited.
    We recommend that you specify a limit here to avoid high memory
    consumption in case of large lists.
Maximal size of entries to fetch
    Limits the amount of data (in KB) that is retrieved from an external list.
    The number can range from 0 to unlimited.
    We recommend that you specify a limit here to avoid high memory
    consumption in case of large lists.
    This option is not available when the source of the external list is an LDAP
    server.
Configure general settings for external lists
You can configure settings applying to all external lists that are retrieved for use on the appliance.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure settings for and click External Lists.
  The settings for the external lists appear on the settings pane.
3 Configure these settings as needed.
4 Click Save Changes.
External Lists system settings
The External Lists system settings apply to all external lists that are processed on the appliance.
Global Configuration
Setting for the internal cache on the appliance that stores external list data
Table 7-16 Global Configuration
Flush External Lists Cache
    Removes the data that is stored in the internal cache.
Time before retry after failure
    Limits the time (in seconds) that the External Lists module remembers a failure
    to retrieve data from a particular external source to the specified value.
    The module will not perform retries for a source as long as it remembers the
    failure.
    We recommend that you keep the default value or modify it according to the
    requirements of your network. This way you avoid adding load by constant
    retries to a web server that is already overloaded.
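An added Python model (not the product's implementation) of the caching behaviour described in Table 7-6 (Simple expiration) and Table 7-16 (Time before retry after failure): retrieved data is served from memory until it expires, and a failed retrieval is remembered so that no retry reaches the source until the retry period has elapsed. The class name, the fetch callback and the injectable clock are this example's own choices; the time values used in the demonstration are constructed.

```python
import time


class ExternalListCache:
    """In-memory cache of external list data with expiration and failure memory.

    expiration:  seconds a retrieved list stays valid (cf. Expiration time, Table 7-6)
    retry_after: seconds a failed retrieval is remembered (cf. Table 7-16); during
                 that period no retry is made, so an overloaded source is not hammered
    """

    def __init__(self, fetch, expiration=600, retry_after=60, clock=time.monotonic):
        self.fetch = fetch                # callable(source) -> list; raises on failure
        self.expiration = expiration
        self.retry_after = retry_after
        self.clock = clock                # injectable for deterministic testing
        self._entries = {}                # source -> (data, expires_at)
        self._failures = {}               # source -> earliest time a retry is allowed

    def get(self, source):
        """Return the list for 'source', refreshing it when it has expired.

        Raises RuntimeError while a recent failure is still remembered; re-raises
        the fetch error itself when a retrieval attempt fails.
        """
        now = self.clock()
        cached = self._entries.get(source)
        if cached is not None and cached[1] > now:
            return cached[0]
        not_before = self._failures.get(source)
        if not_before is not None and not_before > now:
            raise RuntimeError("retrieval of %r failed recently; retry allowed in %.0fs"
                               % (source, not_before - now))
        try:
            data = self.fetch(source)
        except Exception:
            self._failures[source] = now + self.retry_after
            self._entries.pop(source, None)
            raise
        self._failures.pop(source, None)
        self._entries[source] = (data, now + self.expiration)
        return data

    def flush(self):
        """Equivalent of the 'Flush External Lists Cache' action."""
        self._entries.clear()
        self._failures.clear()


if __name__ == "__main__":
    calls = []

    def fake_fetch(source):               # constructed stand-in for a web-service fetch
        calls.append(source)
        if source == "broken":
            raise IOError("web server did not respond")
        return ["entry-1", "entry-2"]

    now = [0.0]
    cache = ExternalListCache(fake_fetch, expiration=300, retry_after=60, clock=lambda: now[0])
    print(cache.get("good"))
    now[0] = 100
    print(cache.get("good"), "fetches so far:", len(calls))
    for _ in range(2):
        try:
            cache.get("broken")
        except (IOError, RuntimeError) as exc:
            print("broken:", exc)
```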
File Data Source Configuration
Setting for the local file system that external list data can be retrieved from
Table 7-17 File Data Source Configuration
File system allowed for file data access
    Specifies the path that leads to the folder for storing external lists within your
    local file system.
    External lists that data is retrieved from must be stored in this folder.
    Otherwise an attempt to retrieve the data will lead to an access-denied error.
    When external list data is retrieved from an SQLite database, the path specified
    here is the path to the folder within your local file system that contains the
    database.
Web Data Source Configuration
Setting for all web services that are the sources of external list data
Table 7-18 Web Data Source Configuration
Check SSL certificate identity
    When selected, a certificate that a web server submits in SSL-secured
    communication under the HTTPS protocol is verified.
    The verification is performed according to the SSL scanning rules that are
    implemented on the appliance. This can, for example, lead to an error if the
    web server uses a self-signed certificate.
Map Type lists
Map Type lists, also known as maps, can be used to store pairs of keys and values mapped to each
other. Both the keys and their values are of the string type.
Lookup operations can be performed on existing maps, for example, to find out whether a particular
key exists in a map or what value is mapped to a key.
Other operations include setting and deleting values for a particular key or converting a complete map
into a single string.
You can create and fill Map Type lists on the user interface of Web Gateway or retrieve them from a
remote location using the external lists and subscribed lists functions.
If you want to work with other data types for your maps, for example, numbers or IP addresses, you
can convert them using properties such as Number.ToString or IP.ToString.
Create a Map Type list
To create a Map Type list, add a list of this type and fill it with pairs of keys and values.
Task
1 Select Policy | Lists.
2 Above the lists tree, click the Add icon.
  The Add List window opens.
3 Add a MapType list.
  a In the Name field, type a list name.
  b From the Type list, select MapType.
  c Click OK.
  The window closes and the new Map Type list appears on the lists tree under Custom Lists | MapType.
  The settings pane is ready for filling the list with entries.
4 Click the Add icon on the settings pane.
  The Add Map Type window opens.
5 For each pair of entries, you need to fill the list as follows.
  a In the key field, type a key name.
  b In the value field, type a value.
  c Click OK.
  The window closes and the pair of entries appears in the first row on the settings pane.
6 Click Save Changes.
Using properties to work with Map Type lists
There are several properties for working with Map Type lists. Using these properties in rule criteria,
you can retrieve information about a Map Type list, modify a list, create a new list, and also convert a
list into a string.
To retrieve information about a Map Type list (map), you can:
• Retrieve a map that you specify a name for
• Retrieve a list of the keys in a map
• See whether a particular key exists within a map
• Retrieve the value for a given key in a map
• Retrieve the number of key-value pairs in a map
The following properties are used to perform these activities.
Map.ByName
    Provides a map with the name that you specified.
Map.HasKey
    Is true if the specified map includes the specified key.
Map.Size
    Provides the number of key-value pairs in a map.
Map.GetKeys
    Provides a list of the keys in a map.
Map.GetStringValue
    Provides the string that is the value of the specified key in the specified map.
You can, for example, use the Map.GetStringValue property in the criteria of a rule to see whether a
key in a list has a particular value. The key could be a user name and the value a string that serves as
a token for authentication.
The criteria would then be configured as follows:
Map.GetStringValue (testmap, "sampleuser") equals "sampletoken"
If the sampleuser key has sampletoken as its value, the criteria matches, and the rule executes a
particular action, for example, Continue.
When a map is modified, the modification is applied to a copy of the original map, while the original
map itself remains unmodified. To modify a map in this way, you can:
• Set a key to a particular value
• Delete a key
The following properties are used to perform these activities.
Map.SetStringValue
    Provides a map in which the specified value is set for the specified key.
Map.DeleteKey
    Provides a map in which the specified key is deleted.
To create a new map or convert a map into a string, the following properties are used.
Map.CreateStringMap
    Provides a new map, which is still empty.
Map.ToString
    Provides a map converted into a string.
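An added Python sketch (not the product's code) of the Map Type property semantics listed above: lookups read the map, while Map.SetStringValue and Map.DeleteKey return a modified copy and leave the original untouched, as the text states. The value returned for a missing key and the string format produced by to_string are assumptions, because the guide does not specify them; the testmap, sampleuser and sampletoken names are the ones used on this page, and the method names are this example's own.

```python
class StringMap:
    """Map Type list: string keys mapped to string values.

    Lookup methods read the map; the modifying methods return a modified copy
    and never change the map they were called on.
    """

    def __init__(self, pairs=None):
        self._pairs = dict(pairs or {})

    @classmethod
    def create_string_map(cls):                 # Map.CreateStringMap
        return cls()

    def has_key(self, key):                     # Map.HasKey
        return key in self._pairs

    def size(self):                             # Map.Size
        return len(self._pairs)

    def get_keys(self):                         # Map.GetKeys
        return list(self._pairs)

    def get_string_value(self, key):            # Map.GetStringValue
        # Assumption: an empty string for a key that is not in the map.
        return self._pairs.get(key, "")

    def set_string_value(self, key, value):     # Map.SetStringValue
        copy = StringMap(self._pairs)           # modification applies to a copy
        copy._pairs[key] = value
        return copy

    def delete_key(self, key):                  # Map.DeleteKey
        copy = StringMap(self._pairs)
        copy._pairs.pop(key, None)
        return copy

    def to_string(self):                        # Map.ToString
        # Assumption: "key=value" pairs joined by ";"; the real format is not given.
        return ";".join("%s=%s" % kv for kv in self._pairs.items())


# Constructed map with the names used on the page.
MAPS = {"testmap": StringMap({"sampleuser": "sampletoken"})}


def map_by_name(name):                          # Map.ByName
    return MAPS[name]


def token_rule_matches(map_name, user, token):
    """The rule criterion from the page:
    Map.GetStringValue(testmap, "sampleuser") equals "sampletoken"."""
    return map_by_name(map_name).get_string_value(user) == token


if __name__ == "__main__":
    original = map_by_name("testmap")
    modified = original.set_string_value("otheruser", "othertoken")
    print(token_rule_matches("testmap", "sampleuser", "sampletoken"))
    print(original.size(), modified.size())      # original still has one pair
    print(modified.delete_key("sampleuser").to_string())
```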
Retrieving map data from external and subscribed lists
Data for Map Type lists (maps) can be retrieved from external and subscribed lists.
External lists
For retrieving map data from an external list, the ExtLists.StringMap property is provided, which you
can use in the criteria of a suitable rule. The value of this property is a list of maps that have an
external list as their source.
For example, to find out whether a particular key is contained in a list that is retrieved from an
external source, you can configure the following rule criteria:
Map.GetKeys(ExtLists.StringMap(" ", " ", " ")<External Lists>) contains "samplekeyname"
To specify the external list and where it can be retrieved from, you need to configure the settings of
the External Lists module, which is the module that performs the retrieval. In the above criteria, these
settings appear under the name of External Lists.
External list data can be retrieved from a web service, a file, a PostgreSQL or SQLite3 database, or
using LDAP. For these source types, the following must be observed when configuring the retrieval of
data for a map:
• Web service or file
  The type of data that is retrieved from a web service or a file must be Plain Text.
  To locate the data, a regular expression is used that includes two parts. The first part is for the
  keys, the second for the values.
• Databases
  The database query for retrieving the data must return two columns. The first column delivers the
  keys, the second column delivers the values.
• LDAP
  To retrieve the data, a first and a second attribute are configured within the LDAP settings. The first
  attribute delivers the keys, the second attribute delivers the values.
Subscribed lists
Entries in subscribed lists that map data is retrieved from must have the following format.
<listEntry>
  <complexEntry defaultRights="2">
    <configurationProperties>
      <configurationProperty key="key" type="com.scur.type.string" value="key"/>
      <configurationProperty key="value" type="com.scur.type.string" value="value"/>
    </configurationProperties>
  </complexEntry>
  <description></description>
</listEntry>
Within the listEntry element, there's a complexEntry embedded. This allows the Subscribed Lists
module to process the format.
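The three ways of obtaining key-value pairs described above, plus the subscribed-list entry format, as an added Python example (not code from the product): a two-group regular expression over plain text, the pairing of two columns or two attributes with the count and order requirement the guide states for the second attribute, and a parser for listEntry elements. The sample inputs, the "entries" wrapper element placed around the listEntry elements, and the function names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed plain-text sample (not from the guide): "user: token" lines.
PLAIN_TEXT_MAP_SAMPLE = """sampleuser: sampletoken
otheruser: othertoken
malformed line
"""

# Constructed subscribed-list sample using the listEntry format shown above;
# the surrounding <entries> element is an assumed wrapper for the example.
SUBSCRIBED_LIST_SAMPLE = """<entries>
  <listEntry>
    <complexEntry defaultRights="2">
      <configurationProperties>
        <configurationProperty key="key" type="com.scur.type.string" value="sampleuser"/>
        <configurationProperty key="value" type="com.scur.type.string" value="sampletoken"/>
      </configurationProperties>
    </complexEntry>
    <description></description>
  </listEntry>
  <listEntry>
    <complexEntry defaultRights="2">
      <configurationProperties>
        <configurationProperty key="key" type="com.scur.type.string" value="otheruser"/>
        <configurationProperty key="value" type="com.scur.type.string" value="othertoken"/>
      </configurationProperties>
    </complexEntry>
    <description></description>
  </listEntry>
</entries>
"""


def map_from_plain_text(data, regex):
    """Web service or file source: a regular expression with two groups, the
    first for keys and the second for values. Non-matching lines are skipped."""
    pattern = re.compile(regex)
    if pattern.groups < 2:
        raise ValueError("regular expression needs two groups (key, value)")
    result = {}
    for line in data.splitlines():
        m = pattern.search(line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def map_from_columns(keys, values):
    """Database (two columns) or LDAP (two attributes) source: pair the key
    sequence with the value sequence in order. Counts must agree, so a
    mismatch is an error rather than a silently misaligned map."""
    if len(keys) != len(values):
        raise ValueError("key/value counts differ: %d vs %d" % (len(keys), len(values)))
    return dict(zip(keys, values))


def map_from_subscribed_list(xml_data):
    """Subscribed list: each listEntry carries a complexEntry whose
    configurationProperty elements with key="key" and key="value" hold the pair."""
    root = ET.fromstring(xml_data)
    result = {}
    for entry in root.iter("listEntry"):
        props = {p.get("key"): p.get("value") for p in entry.iter("configurationProperty")}
        if "key" in props and "value" in props:
            result[props["key"]] = props["value"]
    return result


if __name__ == "__main__":
    print(map_from_plain_text(PLAIN_TEXT_MAP_SAMPLE, r"^(\S+):\s*(\S+)$"))
    print(map_from_columns(["sampleuser", "otheruser"], ["sampletoken", "othertoken"]))
    print(map_from_subscribed_list(SUBSCRIBED_LIST_SAMPLE))
```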
Common Catalog
The Common Catalog provides lists that can be pushed from a McAfee ePO server to a Web Gateway
appliance.
The following types of lists can be pushed: IP address, domain name, string, wildcard expression.
Do not modify the content of the lists on the Web Gateway appliance, because this content is updated in
intervals on the McAfee ePO server. These updates will overwrite any changes that you might have
applied.
A REST (Representational State Transfer) interface runs internally on both systems to enable the list
transfer. A McAfee ePO extension for Web Gateway must also be running on the McAfee ePO server.
This extension includes a help extension, which provides online Help for handling the extension. An
extension package is provided on the user interface of Web Gateway under the ePolicy Orchestrator
system settings.
To let requests from the McAfee ePO server bypass filtering by web security rules on Web Gateway,
you need to import a suitable rule set from the library, place it at the topmost position of the rule sets
tree, and enable it.
In addition to this, you need to set up a McAfee ePO user account, as there must be an instance on
the appliance that is allowed to handle the list transfer. For setting up this account, the ePolicy
Orchestrator system settings are used.
The user of the McAfee ePO account must also appear as an administrator with an account among the
internal Web Gateway administrator accounts.
After lists from the Common Catalog have been pushed to Web Gateway, they appear on the Lists tab
of its user interface. A prefix in the list name indicates that a McAfee ePO server is the source of a list.
You can use these lists to configure rules like any other lists on the Lists tab.
Prepare the use of Common Catalog lists
To prepare the use of Common Catalog lists that are pushed from a McAfee ePO server to a Web
Gateway appliance, complete the following high-level steps.
Task
1 Set up an account for a McAfee ePO user on Web Gateway.
2 Set up an administrator account with the same user name and password on Web Gateway.
3 Enable use of the REST interface on Web Gateway.
4 Import the Bypass ePO Requests rule set from the library on the user interface of Web Gateway,
  move it to the topmost position of the rule sets tree, and enable it.
5 Download a McAfee ePO extension package for Web Gateway and install it on the McAfee ePO
  server.
6 On the user interface of the McAfee ePO server, register a new server for communication with Web
  Gateway, specifying an appliance that Web Gateway runs on.
  On the dashboard of the user interface, you should see, after about 15 minutes, data on web traffic
  that is processed on Web Gateway.
7 Push lists from the McAfee ePO server to Web Gateway.
  You should see the lists that you have pushed to Web Gateway on the lists tree of its user interface.
For more information on how to install a McAfee ePO extension package and perform activities on the
McAfee ePO server, refer to the McAfee ePO documentation.
Set up a user account for Common Catalog lists
To enable the use of Common Catalog lists, you must set up a McAfee ePO user account on Web
Gateway to create an instance that is allowed to handle the list transfer.
Task
1 Select Configuration | ePolicy Orchestrator.
2 Under ePolicy Orchestrator Settings, configure a user account.
a In the ePO user account field, leave the preconfigured value, which is epo.
b Next to the Password field, click Change.
The New Password window opens.
c Use the window options to set a new password.
3 Make sure Enable data collection for ePO is selected.
4 Click Save Changes.
The user of the McAfee ePO account that you have configured must also appear as an administrator in
an administrator account on Web Gateway.
Set up an administrator account for Common Catalog lists
To enable the use of Common Catalog lists, you must set up an administrator account on Web
Gateway with the same user name and password as for the McAfee ePO user account.
Task
1 Select Accounts | Administrator Accounts.
2 Under Internal Administrator Accounts, click Add.
The Add Administrator window opens.
3 Set up an administrator account for using Common Catalog lists.
a In the User name field, type epo.
b In the Password and Password repeated fields, type the password you configured when setting up the
user account for the ePO user.
c From the Role list, select the ePO Common Catalog Administrator role.
d Click Edit to review the current role settings.
The Edit Role window opens. Enable the following settings if necessary:
• Policy — Lists accessible
• Policy — Lists creation
• REST Interface accessible
e Click OK.
The window closes and the new administrator account appears under Internal Administrator Accounts.
Together with the user account for the McAfee ePO user, this administrator account serves as the
instance on Web Gateway that must exist for handling the transfer of lists from a McAfee ePO server.
Enable use of the REST interface for Common Catalog lists
For communication with the McAfee ePO server that Common Catalog lists can be transferred from,
you need to enable the internal REST (Representational State Transfer) interface on Web Gateway.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance that you want to transfer Common Catalog lists to and
click User Interface.
3 Under UI Access, select both Enable Rest Interface over HTTP and Enable Rest Interface over HTTPS.
4 Under Login Page Options, select Allow multiple logins per login name.
5 Click Save Changes.
Sample settings for registering Web Gateway on a McAfee ePO server
To transfer Common Catalog lists to a Web Gateway appliance, you must register the appliance as a
new server on the McAfee ePO server.
The following are sample settings for this registration.
Option: Sample value
Server type: McAfee Web Gateway 7
Name: mwg7-3.sample-lab.local
Notes: (optional)
Host name: mwg7-3.sample-lab.local
Host address: 171.18.19.226
Administration port: 4712
Statistics retrieval port: 9090
User name (for access to the host GUI): <Initial or current user name for access to the Web Gateway user interface>
Password: <Initial or current password for access to the Web Gateway user interface>
User name (for statistics retrieval and list management): epo
Password: <Same password as the one that was configured for the ePO user and administrator accounts on Web Gateway>
Options: Allow ePO to manage lists on this system (enabled)
The initial user name and password for access to the user interface of Web Gateway are admin and
webgateway.
JavaScript Object Notation data
Data that is encoded in JavaScript Object Notation (JSON) format can be read, modified, and created
on Web Gateway.
JavaScript Object Notation is a text-based data-interchange format. It can be read easily by
JavaScript, but is not tied to using this language. The notation is used for communication with
interactive websites, as well as with NoSQL and document-oriented databases, for example, MongoDB
or CouchDB.
JSON-based programming interfaces exist for use in well-known social networks, such as Facebook or
Twitter.
On Web Gateway, JSON data is used, for example, in scanning reports that are provided by McAfee
Advanced Threat Defense (Advanced Threat Defense). Lists that are retrieved from external sources
and processed on Web Gateway can also be in JSON data format.
JSON data
JSON data is made available in what is called objects. A JSON object is a container that includes data
of the same or of different ordinary types, such as strings, numbers, and others.
The basic structure of a JSON object can be represented as follows:
object: {"key": value,
         "key": value, ...}
For example:
Employee: {"First name": "Joe",
           "Last name": "Miller",
           "Age": 32}
The value of a JSON element can be data of the following types: string, number, Boolean, null.
A JSON object can also include an array (the array is itself the value of a key):
object: {"key": value,
         "key": value,
         "key": [value, value, ...]}
For example (string values inside the array are quoted, as in any JSON text):
Employee: {"First name": "Joe",
           "Last name": "Miller",
           "Children": ["Ian", "Lisa"]}
In original JavaScript Object Notation, only objects and arrays can occur at the top level of a
hierarchical data structure. However, when it is supported on Web Gateway, a simple element can also
occur in top-level position.
A JSON object can also be embedded in another JSON object.
Using properties to handle JSON data
Several properties are available on Web Gateway for reading, modifying, and creating JSON data.
For example, the JSON.FromString property is used to create a JSON element from a string. The string
is specified as a parameter of the property. So JSON.FromString("Miller") delivers the string "Miller" as
the value of a JSON element.
A JSON object is created using the JSON.CreateObject property. This object is initially empty. To store
a JSON element inside an object, you need to identify both items by giving them names.
An object is given a name by making it a user-defined property, which is always configured with a
name.
For example, you can create a user-defined property under the name User-Defined.myjsonemployee
and then use an event in a rule to give it the value of the JSON.CreateObject property.
Name: Create JSON object as user-defined property
Criteria –> Action – Event
Always –> Continue – Set User-Defined.myjsonemployee = JSON.CreateObject
The empty JSON object User-Defined.myjsonemployee can be filled using the JSON.StoreByName
property, which has parameters for object name, element key, and element value.
For example, the following stores an element with the key "Last name" and the value "Miller" in the
object:
JSON.StoreByName(User-Defined.myjsonemployee, "Last name", JSON.FromString("Miller"))
Storing an element inside an object can also be performed in a simpler way:
• You need not create the object before using the JSON.StoreByName property.
Specifying the object name as a parameter of the property creates the object if it did not exist
before.
• You need not use the JSON.FromString property to obtain the element value.
Specifying a string directly also creates this value. The same applies to the other ordinary data
types that the value of a JSON element can have.
So, the following also stores an element inside an object:
JSON.StoreByName(User-Defined.myjsonemployee, "Last name", "Miller")
Groups of JSON properties
Many JSON properties are similar to other properties in that they are used to perform the same kind of
data handling activity.
The JSON.From<x> properties, for example, JSON.FromString, deliver a JSON element that has the
value of a simple data type. The value of the simple data type is specified as the parameter of the
JSON property.
The following are some important groups of JSON properties:
• JSON.From<x> = Delivers a JSON element that has the value of a simple data format
Properties: JSON.FromString, JSON.FromNumber, JSON.FromBool, JSON.FromStringList,
JSON.FromNumberList
• JSON.As<x> = Delivers the value of a JSON element in a simple data format
The properties of this group are used to perform an operation that is the reverse of what the
JSON.From<x> properties do.
For these properties to work correctly, the format of the JSON element must match the simple data
format.
For example, the JSON.AsString property will only deliver a (simple) string if the value of the JSON
element is a (JSON) string.
Properties: JSON.AsString, JSON.AsNumber, JSON.AsBool
• JSON.Create<x> = Creates a JSON object, array, or the element value 0.
Properties: JSON.CreateObject, JSON.CreateArray, JSON.CreateNull
• JSON.Get<x> = Delivers a JSON element from within an object or the data type of an element
JSON.GetByName delivers an element that is identified by its key from within a JSON object.
JSON.GetAt delivers an element that is identified by its position within a JSON array.
JSON.GetType delivers the type of an element.
Using JSON properties in filtering rules
The JSON.ToString property delivers the value of a JSON element in string format.
You can use this property, for example, in a simple rule to whitelist a particular client IP address.
In this rule, a given client IP address is compared to the client IP address you want to whitelist to see
whether both addresses match.
Name: Allow client IP address provided as JSON element value
Criteria –> Action
Client.IP equals String.ToIP(JSON.ToString(User-Defined.myjsonipaddress)) –> StopCycle
The client IP address that is to be whitelisted is provided as the value of the user-defined property
User-Defined.myjsonipaddress.
The JSON.ToString property delivers this value in string format. The String.ToIP property converts the
string back into an IP address, so it can be compared to the address that is the value of the Client.IP
property at the beginning of the rule.
Before the User-Defined.myjsonipaddress property can be used in the sample rule, you must create it
in JSON data format and set its value to the address that is to be whitelisted.
To set the value, you can use an event in another sample rule, as shown in the following.
Name: Set value of JSON type user defined property to client IP address
Criteria –> Action – Event
Always –> Continue – Set User-Defined.myjsonipaddress = JSON.FromString("10.149.8.34")
The JSON.FromString property in the rule event converts the client IP address, which is specified as a
property parameter in string format, into the value of a JSON element.
Retrieving JSON data from an Advanced Threat Defense report
When Advanced Threat Defense is called by a rule on Web Gateway to scan a web object, the scanning
result is stored as the value of the Antimalware.MATD.Report property.
The result is provided as a string that has the elements of the result arranged in JSON style. It can be
converted into a JSON element, using the JSON.ReadFromString property. This property takes the
Antimalware.MATD.Report property as a parameter.
The JSON element can then be set as the value of a user-defined property.
The rule that uses these properties could look as follows:
Name: Set value of JSON type user defined property to Advanced Threat Defense report
Criteria –> Action – Event
Always –> Continue – Set User-Defined.myjsonmatdreport = JSON.ReadFromString(Antimalware.MATD.Report)
You can retrieve the data of the result using the JSON.GetByName property and, for example, write it
into a log file.
Name: Write JSON data from Advanced Threat Defense report into log file
Criteria –> Action – Event
Always –> Continue – FileSystemLogging.WriteLogEntry(JSON.GetByName(User-Defined.myjsonmatdreport, "Summary"))<Advanced Threat Defense Log>
In the event of this rule, "Summary" is the key of a JSON element that has the data of a scanning
result as its value. This key and its value are contained in a JSON object, which is the value of the
Antimalware.MATD.Report property.
The structure of the JSON object is shown in the following.
It contains several embedded objects. The element keys are the ones that are actually used in a
report, while the values are examples.
Report: {"Summary":
          {"Selectors": [{"Engine": "GAM engine",
                          "MalwareName": "EICAR test file",
                          "Severity": "5"
                         }],
           "Verdict": {"Severity": "5",
                       "Description": "Subject is malicious"
                      },
           "Stats": [{"ID": "0",
                      "Category": "Persistence, Installation Boot Survival",
                      "Severity": "5"
                     }]
          }
        }
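As an added illustration (not Web Gateway code), the following Python model mimics the documented behaviour of the JSON properties used in the sample rules above: JSON.StoreByName creating a missing object, JSON.AsString delivering a value only for a JSON string, JSON.ToString for any element, and JSON.ReadFromString with JSON.GetByName walking an Advanced Threat Defense report. The names user_defined and CONSTRUCTED_REPORT, the constructed report content, and the None result of a mismatched AsString are assumptions of this model.

```python
import ipaddress
import json

# Store for user-defined properties; "myjsonemployee" stands for User-Defined.myjsonemployee.
user_defined = {}


def json_from_string(text):            # JSON.FromString
    return str(text)


def json_create_object():              # JSON.CreateObject
    return {}


def json_create_array():               # JSON.CreateArray
    return []


def json_store_by_name(name, key, value):   # JSON.StoreByName
    # Documented shortcut: the object is created if it did not exist before, and a
    # plain string, number or Boolean may be stored directly instead of a JSON.From<x> value.
    obj = user_defined.get(name)
    if obj is None:
        obj = json_create_object()
        user_defined[name] = obj
    obj[key] = value
    return obj


def json_get_by_name(element, key):    # JSON.GetByName: element of an object by key
    return element[key]


def json_get_at(element, index):       # JSON.GetAt: element of an array by position
    return element[index]


def json_get_type(element):            # JSON.GetType
    if element is None:
        return "null"
    if isinstance(element, bool):      # bool must be tested before int
        return "bool"
    if isinstance(element, (int, float)):
        return "number"
    if isinstance(element, str):
        return "string"
    if isinstance(element, list):
        return "array"
    return "object"


def json_as_string(element):           # JSON.AsString
    # Only delivers a simple string if the element is a JSON string; for any other
    # type this model returns None (an assumption; the page only states the string case).
    return element if isinstance(element, str) else None


def json_to_string(element):           # JSON.ToString: any element in string format
    return element if isinstance(element, str) else json.dumps(element)


def json_read_from_string(text):       # JSON.ReadFromString
    return json.loads(text)


def build_employee():
    """The two sample events: create the object, then store elements in it."""
    user_defined["myjsonemployee"] = json_create_object()
    json_store_by_name("myjsonemployee", "Last name", json_from_string("Miller"))
    json_store_by_name("myjsonemployee", "First name", "Joe")   # direct string form
    return user_defined["myjsonemployee"]


def client_ip_whitelisted(client_ip):
    """Whitelist rule: Client.IP equals String.ToIP(JSON.ToString(User-Defined.myjsonipaddress))."""
    user_defined["myjsonipaddress"] = json_from_string("10.149.8.34")   # the setter rule's event
    allowed = ipaddress.ip_address(json_to_string(user_defined["myjsonipaddress"]))  # String.ToIP
    return ipaddress.ip_address(client_ip) == allowed


# Constructed stand-in for the Antimalware.MATD.Report string; keys follow the page's structure.
CONSTRUCTED_REPORT = json.dumps({"Summary": {
    "Selectors": [{"Engine": "GAM engine", "MalwareName": "EICAR test file", "Severity": "5"}],
    "Verdict": {"Severity": "5", "Description": "Subject is malicious"},
    "Stats": [{"ID": "0", "Category": "Persistence, Installation Boot Survival", "Severity": "5"}]}})


def summary_log_entry(report_text):
    """Log rule: FileSystemLogging.WriteLogEntry(JSON.GetByName(report, "Summary")) as a string."""
    user_defined["myjsonmatdreport"] = json_read_from_string(report_text)
    summary = json_get_by_name(user_defined["myjsonmatdreport"], "Summary")
    return json_to_string(summary)


def report_verdict_severity(report_text):
    """Walk the embedded objects: Summary -> Verdict -> Severity, delivered as a simple string."""
    report = json_read_from_string(report_text)
    verdict = json_get_by_name(json_get_by_name(report, "Summary"), "Verdict")
    return json_as_string(json_get_by_name(verdict, "Severity"))
```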
Retrieving external lists in JSON data format
For handling JSON data in a list that has been retrieved from an external source, the Ext.Lists.JSON
property is available. After retrieving the external list, the list content is a JSON element that is the
value of this property.
Like all external list properties, Ext.Lists.JSON has three parameters in string format, which can be
used to identify the external source.
8 Settings
Settings are used within Web Gateway for configuring modules (engines), rule actions, and system
functions.
Settings names appear in different places on the user interface, for example, in the criteria, action,
and events of rules or on the Settings and Appliances tabs.
After clicking a settings name, you can access and configure the parameters and values of the
settings.
At the initial setup of the appliance, module and action settings are implemented together with the
rule set system, as well as settings for the appliance system. Additional module and action settings
are implemented when you import a rule set from the rule set library.
You can review and modify the initially implemented or imported settings. You can also completely
delete module and action settings and create module and action settings of your own.
Contents
Types of settings
Settings tab
Access settings
Create action and module settings
Types of settings
Different types of settings are used in rule processing and with other functions on the appliance.
• Module settings — Settings for the modules (also known as engines) that are called by rules to
deliver values for properties and perform other jobs
• Action settings — Settings for the actions that rules execute
• System settings — Settings of the appliance system
Module settings
Module settings are settings for the modules (also known as engines) that are called by rules to
deliver values for properties and perform other jobs.
For example, the URL Filter module retrieves information on URL categories to deliver values for the
URL.Categories property in a filtering rule.
In a rule, the settings name for a module that is called by the rule appears next to a rule property. For
example, in a rule for virus and malware filtering, Gateway Antimalware can appear as the settings
name next to the Antimalware.Infected property.
This means that when the Anti-Malware module is called to deliver the value true or false for the
property, the module runs with the Gateway Antimalware settings. These settings specify, for
example, which methods are used in scanning web objects for infections.
You can access module settings in rules and on the lower main branch of the settings tree on the
Settings tab.
You can modify these settings and also create new settings.
Action settings
Action settings are settings for the actions that are executed by rules.
They are mainly configured to specify the messages that are sent to users who are affected by rule
actions, such as Block or Authenticate. Actions that do not affect users have no settings, for example,
Continue or Stop Rule Set.
You can access these settings in rules and on the upper main branch of the settings tree on the
Settings tab.
You can modify these settings and also create new settings.
System settings
System settings are settings of the appliance system, for example, network interface settings or
domain name system settings.
You can access these settings on the Appliances tab of the Configuration top-level menu.
You can modify these settings, but not create new system settings.
Settings tab
Use the Settings tab to work with settings for actions and modules (engines).
Figure 8-1 Settings tab
Main elements of the Settings tab
The following table describes the main elements of the Settings tab.
Table 8-1 Main elements of the Settings tab
Element: Description
Settings toolbar: Controls for working with settings for actions and modules (engines)
Settings tree: Tree structure displaying actions and modules (engines)
Settings: Parameters and values of the currently selected action or module (engine)
Settings toolbar
The settings toolbar provides the following options.
Table 8-2 Settings toolbar
Option: Definition
Add: Opens the Add Settings window for creating new settings.
Edit: Opens the Edit Settings window for editing existing settings.
Delete: Deletes the selected settings. A window opens to let you confirm the deletion.
Expand all: Expands all collapsed items on the settings tree.
Collapse all: Lets all expanded items on the settings tree collapse.
Access settings
You can access settings on the Settings tab or by clicking a settings name in a rule. For accessing
system settings, you must work with the Appliance tab of the Configuration top-level menu.
Tasks
• Access action and module settings on the Settings tab on page 240
You can use the Settings tab to access settings for actions and modules.
• Access action and module settings in a rule on page 240
You can click names of settings for actions and modules that appear in rules to access
these settings.
• Access system settings on page 241
You can access system settings using the Configuration top-level menu.
Access action and module settings on the Settings tab
You can use the Settings tab to access settings for actions and modules.
Task
1 Select Policy | Settings.
2 On the settings tree, navigate to the Actions or Engines branch to access the settings you want to
work with.
3 To select settings, do one of the following:
• On the Actions branch, click an action to expand it, and select the action settings you want to
access.
• On the Engines branch, click a module (also known as engine) to expand it, and select the module
settings you want to access.
The parameters and values of the settings appear on the settings pane.
You can now work with the settings.
Access action and module settings in a rule
You can click names of settings for actions and modules that appear in rules to access these settings.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the rule set that contains the rule with the settings you want to access.
The rules of the rule set appear on the settings pane.
3 Make sure Show details is selected.
4 In the rule with the settings you want to access, click the settings name:
• In the rule criteria to access module settings
• In the rule action to access action settings
The Edit Settings window opens with the settings that you selected.
You can now work with the settings.
Access system settings
You can access system settings using the Configuration top-level menu.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure system settings for and click the
settings name.
The parameters and values of the settings appear on the settings pane.
You can now work with the settings.
Create action and module settings
You can create settings for modules and actions.
When creating these settings, you do not create them from scratch, but start from existing settings
that you give a new name and modify as needed.
Task
1 Select Policy | Settings.
2 To select the settings that serve as the starting point for creating new settings, use one of the
following two methods:
• On the settings tree, select these settings and click Add.
The Add Settings window opens with the parameters and values of the selected settings.
• Click Add right away.
The Add Settings window opens. Select settings from the Settings for pane of the window.
The parameters and values of these settings appear in the window.
3 In the Name field of the window, type a name for the new settings.
4 [Optional] In the Comment field, type a plain-text comment on the settings.
5 Modify the existing values of the settings as needed.
6 [Optional] Click the Permissions tab and configure who is allowed to access the settings.
7 Click OK.
The window closes and the new settings appear on the settings tree.
8 Click Save Changes.

9 Authentication
Users can be “filtered” on an appliance, which means you can allow web access only for those who are
able to authenticate.
Authentication is not implemented by default, but there are preconfigured authentication rule sets,
which you can use.
The types of authentication that you can implement include:
• Standard authentication — You can configure authentication for users who send requests for
web access under a standard protocol, such as HTTP, HTTPS, or FTP.
When the authentication rule set of the default rule set system is enabled, user information is by
default retrieved from an internal user database.
You can change this setting and configure a different method, such as NTLM, LDAP, Kerberos, and
others.
• Instant messaging authentication — You can configure authentication for users who send
requests for web access under an instant messaging protocol, such as Yahoo, Windows Live
Messenger, ICQ, and others.
You can also control administrator access to an appliance by setting up and maintaining administrator
accounts and roles.
Contents
Authenticating users
LDAP digest authentication
Configure authentication
Configure the Authentication module
Authentication settings
Implement a different authentication method
Using system settings to configure authentication
Best practices - Configuring authentication for deployment types
Best practices - Configuring LDAP authentication
Instant messaging authentication
One-time passwords
Client Certificate authentication
Administrator accounts
Authenticating users
Authenticating the users of your network ensures that they cannot access the web if they are not
successfully authenticated. The authentication process looks up user information, for example, in an
internal database or on a web server and blocks or allows access accordingly.
The process includes several elements, which contribute to it in different ways.
• Authentication rules control the process.
• The Authentication module, which is called by the rules, retrieves information about users from a
database.
An authentication process is not implemented by default on Web Gateway after the initial setup. You
can implement a process by importing suitable rule sets from the rule set library and modify this
process to adapt it to the requirements of your web security policy.
To configure authentication, you can work with:
• Key elements of rules — After importing the library rule sets for authentication and
clicking them on the rule sets tree, you can view and configure key elements of the rules
for the authentication process.
• Complete rules — After clicking Unlock View in the key elements view, you can view the
rules for the authentication process completely, configure all their elements, including the
key elements, and also create new rules or delete rules.
You cannot return from this view to the key elements view unless you discard all changes
or re-import the rule set.
Authentication rules
Authentication rules usually include a rule that asks an unauthenticated user to authenticate and
blocks requests from users who cannot be successfully authenticated.
There can also be whitelisting rules that allow users who send a request to skip authentication, for
example, depending on the IP address that a request was sent from or the URL that is requested.
Rule sets with rules for several types of authentication, for example, IM and cookie authentication, are
available in the rule sets library.
Authentication module
The Authentication module is also known as Authentication engine. It retrieves information about
users from a database. The module is called by the rules that need to know whether a user who
requests access to a web object is authenticated.
Different methods of retrieving this information can be used:
• NTLM — Uses a database on a Windows domain server
• NTLM Agent — Uses an external agent on a Windows-based system for applying the NTLM
authentication method
• User Database — Uses an internal database on the appliance
This method is used by default when the rule set of the default rule set system is enabled.
• LDAP — Uses a database on an LDAP server
• Novell eDirectory — Uses data from a directory on a server that takes the role of an LDAP server
• RADIUS — Uses a database on a RADIUS server
• Kerberos — Uses a database on a Kerberos server
• Authentication Server — Uses a database on another external server
You can configure settings for the Authentication module to specify the authentication method and
other parameters of the authentication process.
LDAP digest authentication
The LDAP digest authentication method, which is based on the LDAP authentication method, uses a
shared secret known by both sides of the authentication process: a user requesting web access, using
a browser on a client of Web Gateway, and Web Gateway.
Web Gateway uses its proxy functions to intercept the request to enable authentication and further
filtering under the configured web security policy.
Unlike simpler authentication methods, such as basic authentication, no password is sent directly from
the browser to Web Gateway. Instead the password is a part of the shared secret that is known on
both sides of the authentication process.
A hash value is calculated for the shared secret and several additional parameters on the client and
transmitted to Web Gateway, which calculates the hash again, using its instance of the shared secret,
to see if the result is identical. If it is, the user is authenticated.
The hash value that is transmitted from the client to Web Gateway is also referred to as digest. Web
Gateway retrieves the shared secret that it requires for recalculating the hash from an LDAP server.
Calculating a hash for LDAP digest authentication
The MD5 method for calculating a hash is used when LDAP digest authentication is performed in an
authentication process with Web Gateway.
Before the client sends the hash, Web Gateway sends a request for authentication to the client,
including a so-called nonce (number only once), which is a number that is randomly created on Web
Gateway and is one of the parameters that must be used in addition to the shared secret for
calculating the hash.
The complete list of parameters that is used for calculating the hash includes the following:
• User name (part of the shared secret)
• Nonce
• Realm name (part of the shared secret)
• HTTP request that was sent from the client
• Password (part of the shared secret)
• URL of the requested destination in the web
Configuring LDAP digest authentication on Web Gateway
LDAP digest authentication on Web Gateway requires the following:
• LDAP authentication must have been configured as the general authentication method on Web
Gateway.
• The realm name must be configured as part of the common authentication settings on Web
Gateway. This name must also be used for the shared secret.
• You must configure the following parameters for LDAP digest authentication:
• Enabling of LDAP digest authentication
• Name of the attribute on the LDAP server that stores the authentication hash
• Maximum number of times that a nonce can be used
• Maximum time that a nonce can be used
Optionally, you can do the following.
• Allow only LDAP digest authentication as an authentication method under the current settings
When configuring other authentication settings, you could, however, still allow other authentication
methods, for example, the User database method with basic authentication.
• Let a check be performed for the URL that a client sends as a parameter for calculating the hash
This URL should be the same as the URL that this client sends in its request for accessing a
particular destination in the web. Otherwise successfully passing digest authentication, based on
identical hash values, might allow a user to access a destination that was not requested. So if the
result of the check is that both URLs are not the same, the request is blocked.
As the browsers that are used on clients for sending this information use different URL formats, this
check might fail, however, due to the formatting problem, even if two URLs are really the same. For
this reason, the URL check is optional.
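The following Python example, added here and not Web Gateway's own implementation, carries the digest calculation and the gateway-side checks described above (nonce use count, nonce lifetime, optional URL check) through on constructed data. It assumes the standard HTTP Digest (RFC 2617) MD5 arrangement of the listed parameters, HA1 = MD5(user:realm:password) as the value held in the LDAP hash attribute, and the constructed names REALM, LDAP_DIGEST_ATTRIBUTE and DigestVerifier.

```python
import hashlib
import hmac
import secrets
import time

REALM = "sample-lab.local"          # constructed realm name (Common Authentication Parameters)


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def shared_secret_hash(user, realm, password):
    # HA1 of RFC 2617: the only form of the shared secret the gateway needs to hold;
    # assumed here to be what the configured LDAP attribute stores for each user.
    return md5_hex(f"{user}:{realm}:{password}")


# Constructed stand-in for the LDAP server: user -> value of the digest hash attribute.
LDAP_DIGEST_ATTRIBUTE = {"jmiller": shared_secret_hash("jmiller", REALM, "s3cret-pw")}


def client_digest(user, realm, password, nonce, method, uri):
    """What the browser computes and sends: MD5(HA1 : nonce : MD5(method : uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{shared_secret_hash(user, realm, password)}:{nonce}:{ha2}")


class DigestVerifier:
    """Gateway side: recomputes the digest from the LDAP-stored HA1 and enforces the
    nonce use count, nonce lifetime and optional URL check described on the page."""

    def __init__(self, max_nonce_uses=5, max_nonce_age=300, check_url=False, clock=time.time):
        self.max_nonce_uses = max_nonce_uses
        self.max_nonce_age = max_nonce_age      # seconds
        self.check_url = check_url
        self.clock = clock                      # injectable so the lifetime check can be tested
        self.nonces = {}                        # nonce -> [issued_at, uses]

    def issue_nonce(self):
        """Sent in the authentication request to the client (number used once)."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [self.clock(), 0]
        return nonce

    def verify(self, user, nonce, method, uri, response, request_url=None):
        entry = self.nonces.get(nonce)
        if entry is None:
            return "bad-nonce"                  # never issued, or already discarded
        issued_at, uses = entry
        if uses >= self.max_nonce_uses:
            return "nonce-reused"
        if self.clock() - issued_at > self.max_nonce_age:
            del self.nonces[nonce]
            return "nonce-expired"
        entry[1] += 1                           # count every attempt, not only successes
        # Optional check: the URL the digest covers must be the URL actually requested,
        # otherwise a valid digest could authorize access to a different destination.
        if self.check_url and request_url is not None and uri != request_url:
            return "url-mismatch"
        ha1 = LDAP_DIGEST_ATTRIBUTE.get(user)
        if ha1 is None:
            return "bad-digest"                 # same answer as a wrong password: no user enumeration
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return "bad-digest"
        return "ok"
```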
The realm name that is used for the shared secret is configured under Common Authentication Parameters,
which is a section that is available under every authentication method at the beginning of the
Authentication settings.
The parameters for LDAP digest authentication are configured on Web Gateway as part of the settings
for the Authentication module (or engine).
When LDAP is selected as the general authentication method at the beginning of these settings, a
section named Digest Authentication becomes available after the section for other LDAP specific
parameters.
See also
Authentication settings on page 247
Configure authentication
You can implement authentication and adapt it to the needs of your network.
Complete the following high-level steps.
Task
1 Enable the Authenticate and Authorize rule set of the default rule set system.
2 Review the nested Authenticate with User Database rule set.
This rule set contains a single rule, which asks unauthenticated users to authenticate.
The rule criteria includes settings for the Authentication module, which specify use of the User
Database authentication method. This means information for authenticating users is retrieved from
an internal database on the appliance.
3 Modify the default rule set as needed.
You can, for example, do the following:
• Modify the common parameters of the Authentication module
• Modify the specific parameters for the User Database method
• Implement a different authentication method, for example, NTLM or LDAP
• Modify the specific parameters for the new authentication method
4 Consider importing a rule set from the library to implement authentication for a different type of
communication, for example, instant messaging authentication.
5 Save your changes.
Configure the Authentication module
You can configure the Authentication module to modify the way user information is retrieved to
authenticate users.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the rule set for authentication.
In the default rule set system, this is the Authenticate and Authorize rule set.
3 Select a rule that controls user authentication and click the settings that are specified in the rule
criteria.
In the rule set of the rule set system, this is, for example, the rule Authenticate with User Database in the
nested Authenticate with User Database rule set and the settings name is User Database.
The Edit Settings window opens. It provides the settings for the Authentication module.
4 Configure these settings as needed.
5 Click OK to close the window.
6 Click Save Changes.
See also
Authentication settings on page 247
Authentication settings
The Authentication settings are used for configuring the method the Authentication module applies
when it is looking up information about users in the authentication process.
Authentication Method
Settings for selecting an authentication method
Table 9-1 Authentication Method
Authentication method: Provides a list for selecting an authentication method. You can select one of the following:
• NTLM
• NTLM-Agent
• User Database
• LDAP
  If you want to configure Secure LDAP, also known as LDAPS, you must work with LDAP version 3. This version can be selected under LDAP Specific Parameters and is selected by default.
• RADIUS
• Kerberos
• SSL Client Certificate
• Authentication Server
• One-Time Password
• SWPS (McAfee Client Proxy)
After selecting a method, settings that are specific to it appear below the common settings.
Authentication Test
Settings for testing whether a user with given credentials would be authenticated
Table 9-2 Authentication Test
User: Specifies the user name that is tested.
Password: Specifies the tested password.
Authenticate User: Executes the test.
Test result: Displays the outcome of the test.
Common Authentication Parameters
Settings common to all authentication methods
There is also an advanced setting that is common to all authentication methods. It is described at the
end of this main section after the last of the subsections for the specific authentication parameters.
Table 9-3 Common Authentication Parameters
Proxy Realm: Specifies the location of the proxy that receives requests from users who are asked to authenticate.
Authentication attempt timeout: Limits the time (in seconds) that elapses before the authentication process terminates if not completed successfully to the specified value.
Use authentication cache: When selected, authentication information is stored in a cache. Authentication is then based on this stored information, rather than on information retrieved from an authentication server or the internal user database.
Authentication cache TTL: Limits the time (in minutes) that authentication information is stored in the cache to the specified value.
NTLM Specific Parameters
Settings for the NTLM authentication method
Table 9-4 NTLM Specific Parameters
Default NTLM domain: Specifies the name of the default Windows domain used for looking up authentication information. This is one of the domains you have configured on the Appliances tab of the Configuration top-level menu.
Get global groups: When selected, information on global user groups is searched for on the Windows domain server.
Get local groups: When selected, information on local user groups is searched for on the Windows domain server.
Prefix group name with domain name (domain\group): When selected, the name of the Windows domain appears before the name of the user group when authentication information on this group is sent from the domain server.
Enable basic authentication: When selected, the basic NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server.
Enable integrated authentication: When selected, the integrated NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server.
Enable NTLM cache: When selected, NTLM authentication information is stored in this cache. Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server.
NTLM cache TTL: Limits the time (in seconds) that authentication information is stored in this cache to the specified value.
International text support: Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.
NTLM Agent Specific Parameters
Settings for the NTLM Agent authentication method
Table 9-5 NTLM Agent Specific Parameters
Use secure agent connection: When selected, the connection used for communicating with the NTLM Agent is SSL-secured.
Authentication connection timeout in seconds: Limits the time (in seconds) that elapses before the connection to the NTLM Agent is closed if no activities occur on it to the specified value.
Agent Definition: Provides a list for entering the agents that are involved in performing NTLM authentication.
Default NTLM domain: Specifies the name of the default Windows domain used for looking up authentication information. This is one of the domains you have configured on the Appliances tab of the Configuration top-level menu.
Get global groups: When selected, information on global user groups is searched for on the Windows domain server.
Get local groups: When selected, information on local user groups is searched for on the Windows domain server.
Prefix group name with domain name (domain\group): When selected, the name of the Windows domain appears before the name of the user group when authentication information on this group is sent from the domain server.
Enable basic authentication: When selected, the basic NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server.
Enable integrated authentication: When selected, the integrated NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server.
Enable NTLM cache: When selected, NTLM authentication information is stored in this cache. Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server.
NTLM cache TTL: Limits the time (in seconds) that authentication information is stored in this cache to the specified value.
International text support: Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.
User Database Specific Parameters
Settings for the User Database authentication method
Table 9-6 User Database Specific Parameters
Send domain and machine name to the client: When selected, the names of the appliance and the domain it has been assigned to are sent to the client from which a user who is to be authenticated sent a request.
Enable basic authentication: When selected, the basic NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server.
Enable integrated authentication: When selected, the integrated NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server.
Enable NTLM cache: When selected, NTLM authentication information is stored in this cache. Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server.
NTLM cache TTL: Limits the time (in seconds) that authentication information is stored in this cache to the specified value.
International text support: Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.
LDAP Specific Parameters
Settings for the LDAP authentication method
Table 9-7 LDAP Specific Parameters
LDAP server(s) to connect to: Provides a list for entering the LDAP servers that authentication information is retrieved from.
List of certificate authorities: Provides a list for entering the certificate authorities that issue certificates when a Secure LDAP (S-LDAP) connection is used for communication with an LDAP server.
Credentials: Specifies the user name of an appliance for logging on to an LDAP server.
Password: Sets the password for a user name. The Set button opens a window for configuring a new password.
International text support: Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.
Enable LDAP version 3: When selected, version 3 of the LDAP protocol is used. If you want to configure Secure LDAP authentication, also known as LDAPS, it is this LDAP version that you must use. This version is selected by default.
Allow LDAP library to follow referrals: When selected, the lookup of user information can be redirected from the LDAP server to other servers.
Connection live check: Limits the time (in minutes) that elapses between checks to see whether the connection to the LDAP server is still active to the specified value.
LDAP operation timeout: Limits the time (in seconds) that elapses before the connection to the LDAP server is closed if no communication occurs to the specified value.
Base distinguished name to user objects: Specifies the Distinguished Name (DN) in the directory on an LDAP server where the lookup of user attributes should begin.
Map user name to DN: When selected, the name of the user who asks for authentication must map to a DN (Distinguished Name). This name identifies the user in the directory on the LDAP server.
Filter expression to locate a user object: Specifies a filtering term for restricting the lookup of user attributes. To substitute the user name in the filtering term, u% is used as a variable.
Get user attributes: When selected, user attributes are looked up on the LDAP server to authenticate a user.
User attributes to retrieve: Provides a list for entering the user attributes that should be retrieved from an LDAP server.
Attributes concatenation string: Specifies a string for separating user attributes found by a lookup, for example, / (slash).
Get groups attributes: When selected, user group attributes are also looked up on the LDAP server to authenticate a user.
Base distinguished name to group objects: Specifies the Distinguished Name (DN) in the directory on the LDAP server where the lookup of group attributes should begin.
Filter expression to locate a group object: Specifies a filtering term for restricting the lookup of group attributes. To substitute the user name in the filtering term, u% is used as a variable.
Group attributes to retrieve: Provides a list for entering the group attributes that should be retrieved from an LDAP server.
Digest Authentication
Settings for LDAP digest authentication
Table 9-8 Digest Authentication
Enable digest authentication: When selected, digest authentication is performed as the method for authenticating users under the LDAP authentication method.
User attribute with password hash: Specifies the attribute of a user entry on the LDAP server that stores the value for the authentication hash.
Nonce maximal use count: Sets a limit to repeated uses of the nonce (number used once) that is transmitted in the authentication process and required as a parameter for calculating the authentication hash. The maximum number of times that a nonce can be used by default is 100.
Nonce maximal TTL: Sets a limit to the time period (in minutes) that a nonce remains valid. The maximum time that a nonce can remain valid by default is 30 minutes.
Enable digest URI check: When selected, a check is performed to ensure that the URL that a client sends as a parameter for calculating the authentication hash is the same as the URL that this client sends in its request for accessing a particular destination in the web. If this check fails, the request is blocked. As this check might also fail due to problems with the different formats that the browsers on the clients use for sending URLs, it is optional. The check is enabled by default.
Allow digest authentication only: When selected, digest authentication must always be performed if a user is to be authenticated under the LDAP authentication method.
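The nonce limits and the digest URI check from Table 9-8, worked through as an added example (not Web Gateway code): a nonce store that enforces the default use count (100) and TTL (30 minutes) named above, and a request check that mirrors the optional URI check. The realm name, the in-memory user store standing in for the LDAP password-hash attribute, and the result strings are assumptions.

```python
"""Digest authentication checks: nonce use count, nonce TTL and the digest URI check.
Added example; not part of Web Gateway."""
import hashlib
import secrets
import time

# Defaults named in Table 9-8: 100 uses per nonce, 30 minutes nonce lifetime.
NONCE_MAX_USES = 100
NONCE_MAX_TTL_SECONDS = 30 * 60


def _h(text):
    """MD5 hex digest as used by RFC 2617 Digest authentication."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_for(username, realm, password):
    """HA1 = H(username:realm:password). This is the kind of value a directory holds in the
    'user attribute with password hash'; the realm name here is a made-up example."""
    return _h(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri):
    """Expected client response without qop: H(HA1:nonce:H(method:uri))."""
    return _h(f"{ha1}:{nonce}:{_h(f'{method}:{uri}')}")


class NonceStore:
    """Tracks issued nonces with a maximal use count and a maximal TTL.

    The clock is injectable so that expiry can be demonstrated without waiting."""

    def __init__(self, max_uses=NONCE_MAX_USES, max_ttl=NONCE_MAX_TTL_SECONDS, clock=time.time):
        self.max_uses = max_uses
        self.max_ttl = max_ttl
        self.clock = clock
        self._nonces = {}  # nonce -> [issued_at, use_count]

    def issue(self):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = [self.clock(), 0]
        return nonce

    def consume(self, nonce):
        """Return True and count one use if the nonce is known, unexpired and under its
        use limit. Stale or exhausted nonces are discarded so they cannot be replayed."""
        entry = self._nonces.get(nonce)
        if entry is None:
            return False
        issued_at, uses = entry
        if self.clock() - issued_at > self.max_ttl or uses >= self.max_uses:
            del self._nonces[nonce]
            return False
        entry[1] += 1
        return True


def verify_digest(store, ha1_by_user, params, request_method, request_uri, check_uri=True):
    """Decide on one request. `params` holds the parsed Authorization header fields
    (username, nonce, uri, response); `ha1_by_user` stands in for the directory lookup.
    check_uri mirrors 'Enable digest URI check': when on, the uri field must equal the
    URL the client actually requested, otherwise the request is blocked."""
    if check_uri and params.get("uri") != request_uri:
        return "blocked: digest URI does not match request URL"
    ha1 = ha1_by_user.get(params.get("username"))
    if ha1 is None:
        return "blocked: unknown user"
    nonce = params.get("nonce", "")
    expected = digest_response(ha1, nonce, request_method, params.get("uri", ""))
    if not secrets.compare_digest(expected, params.get("response", "")):
        return "blocked: response hash mismatch"
    # Only a correct response consumes a nonce use, so a wrong password does not burn the
    # counter; a stale or exhausted nonce is still refused even with a good hash.
    if not store.consume(nonce):
        return "blocked: nonce unknown, expired or used too often"
    return "authenticated"
```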
Novell eDirectory Specific Parameters
Settings for the Novell eDirectory authentication method
Table 9-9 Novell eDirectory Specific Parameters
LDAP server(s) to connect to: Provides a list for entering the eDirectory servers that take the role of LDAP servers in providing authentication information.
List of certificate authorities: Provides a list for entering the certificate authorities that issue certificates when a Secure LDAP (S-LDAP) connection is used for communication with an LDAP server.
Credentials: Specifies the user name of an appliance for logging on to an LDAP server.
Password: Sets a password for a user name. The Set button opens a window for configuring a new password.
International text support: Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1.
Enable LDAP version 3: When selected, version 3 of the LDAP protocol is used.
Allow LDAP library to follow referrals: When selected, the lookup of user information can be redirected from an LDAP server to other servers.
Connection live check: Limits the time (in minutes) that elapses between checks to see whether the connection to an LDAP server is still active to the specified value.
LDAP operation timeout: Limits the time (in seconds) that elapses before the connection to an LDAP server is closed if no communication occurs to the specified value.
eDirectory network address attribute: Specifies the name of the attribute that provides the network addresses used for an eDirectory server.
eDirectory network login time attribute: Specifies the name of the attribute that provides the logon time used on an eDirectory server.
eDirectory network minimal update interval: Specifies the time that elapses (in seconds) before information from an eDirectory server is updated.
Base distinguished name to user objects: Specifies the Distinguished Name (DN) in the directory on an LDAP server where the lookup of user attributes should begin.
Map user name to DN: When selected, the name of the user who asks for authentication must map to a DN (Distinguished Name). This name identifies the user in the directory on the LDAP server.
Filter expression to locate a user object: Specifies a filtering term for restricting the lookup of user attributes. To substitute the user name in the filtering term, u% is used as a variable.
Get user attributes: When selected, user attributes are looked up on the LDAP server to authenticate a user.
User attributes to retrieve: Provides a list for entering the user attributes that should be retrieved from an LDAP server.
Attributes concatenation string: Specifies a string for separating user attributes found by a lookup, for example, / (slash).
Get groups attributes: When selected, user group attributes are also looked up on the LDAP server to authenticate a user.
Base distinguished name to group objects: Specifies the Distinguished Name (DN) in the directory on an LDAP server where the lookup of group attributes should begin.
Filter expression to locate a group object: Specifies a filtering term for restricting the lookup of group attributes. To substitute the user name in the filtering term, u% is used as a variable.
Group attributes to retrieve: Provides a list of group attributes that should be retrieved from an LDAP server.
RADIUS Specific Parameters
Settings for the RADIUS authentication method
Table 9-10 RADIUS Specific Parameters
RADIUS server definition: Provides a list for entering the RADIUS servers that authentication information is retrieved from.
Default domain name: Specifies the name of the domain that information is retrieved from if no other domain is specified.
Shared secret: Sets the password used by an appliance to get access to a RADIUS server.
Radius connection timeout in seconds: Limits the time (in seconds) that elapses before the connection to the RADIUS server is closed if no traffic occurs to the specified value.
International text support: Specifies the set of characters used by default for a request sent from a client, for example, ISO-8859-1.
Value of attribute with code: Sets the code value for the attribute retrieved with the user group information, according to RFC 2865. For example, 25 is the code for the “class” attribute.
Vendor specific attribute with vendor ID: Sets the Vendor ID that is required for retrieving vendor-related data in the search for user group information. According to RFC 2865, the vendor ID is a part of the vendor attribute, followed by a number of subattributes. Its code value is 26.
Vendor subattribute type: Sets a code value for the type of subattributes included in a vendor attribute, according to RFC 2865. Since not all vendors adhere to this structure, we recommend specifying 0 as the value here. This allows the authentication module to retrieve all available vendor information.
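How the three RADIUS group options in Table 9-10 map onto the RFC 2865 wire format, as an added example (not Web Gateway code): a parser for the Type/Length/Value attribute list that picks out the Class attribute (code 25) and Vendor-Specific attributes (code 26, vendor ID followed by subattributes), with subattribute type 0 meaning "all subattributes" as recommended above. The sample attribute bytes and the vendor ID 9999 are constructed for the example.

```python
"""RADIUS attribute parsing for group lookup: Class (25) and Vendor-Specific (26)
attributes per RFC 2865. Added example; not part of Web Gateway."""
import struct

CLASS = 25             # RFC 2865 "Class" attribute, the example code given in Table 9-10
VENDOR_SPECIFIC = 26   # RFC 2865 "Vendor-Specific" attribute


def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs.

    Each attribute is Type (1 byte), Length (1 byte, counts the 2 header bytes), Value.
    Lengths below 2 or running past the buffer are rejected rather than skipped."""
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length %d exceeds remaining data" % alen)
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsa(value):
    """Decode a Vendor-Specific value: 4-byte vendor ID, then subattributes in the same
    Type/Length/Value layout (the structure the page notes not all vendors follow)."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than vendor ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs = []
    i = 4
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated subattribute header")
        stype, slen = value[i], value[i + 1]
        if slen < 2 or i + slen > len(value):
            raise ValueError("subattribute length %d exceeds remaining data" % slen)
        subs.append((stype, value[i + 2:i + slen]))
        i += slen
    return vendor_id, subs


def group_values(attrs, vendor_id, sub_type):
    """Collect group information the way the three options combine: every Class value,
    plus subattributes of the configured vendor. sub_type 0 means 'all subattributes'.
    Values decode as ISO-8859-1, the charset named under 'International text support'."""
    groups = []
    for atype, value in attrs:
        if atype == CLASS:
            groups.append(value.decode("iso-8859-1"))
        elif atype == VENDOR_SPECIFIC:
            vid, subs = parse_vsa(value)
            if vid != vendor_id:
                continue
            for stype, svalue in subs:
                if sub_type == 0 or stype == sub_type:
                    groups.append(svalue.decode("iso-8859-1"))
    return groups


def is_malformed(data):
    """True when the attribute section cannot be parsed; a reply like that should be dropped."""
    try:
        parse_attributes(data)
        return False
    except ValueError:
        return True


def _attr(atype, value):
    """Encode one Type/Length/Value attribute (used only to build the sample below)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample: one Class attribute and one Vendor-Specific attribute for the
# made-up vendor ID 9999 carrying two subattributes.
SAMPLE_VENDOR_ID = 9999
SAMPLE_ATTRIBUTES = _attr(CLASS, b"web-users") + _attr(
    VENDOR_SPECIFIC,
    struct.pack("!I", SAMPLE_VENDOR_ID) + _attr(1, b"admins") + _attr(2, b"ou=staff"),
)

if __name__ == "__main__":
    print(group_values(parse_attributes(SAMPLE_ATTRIBUTES), SAMPLE_VENDOR_ID, 0))
```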
Kerberos Specific Parameters
Settings for the Kerberos authentication method
More settings for this authentication method can be configured using the Kerberos Administration system
settings, which can be accessed under the Configuration top-level menu.
Table 9-11 Kerberos Specific Parameters
Extract group membership IDs from the ticket: When selected, information to identify the groups that a user is a member of is retrieved from the ticket that is used in the process of authenticating users under the Kerberos authentication method. When this option is selected, the following option becomes accessible.
Look up group names via NTLM: When selected, the names of the groups that a user is a member of are retrieved using the NTLM authentication method.
Authentication Server Specific Parameters
Settings for the Authentication Server method
Table 9-12 Authentication Server Specific Parameters
Authentication server URL: Specifies the URL of a server that is used under this method to look up authentication information.
Require client ID: When selected, the authentication server requires the ID of the client that a user sent a request from.
Store authentication result in a cookie: When selected, the information retrieved from the authentication server is stored in a cookie. If cookie authentication is implemented, the cookie is added to the next request sent by the respective user, so that this user need not authenticate again.
Allow persistent cookie for the server: When selected, a cookie can be used persistently for sending multiple requests to the authentication server.
Cookie TTL for the authentication server in seconds: Limits the time (in seconds) that a cookie sent with a request to the server is stored to the specified value.
Cookie prefix: Specifies a prefix that is added on the appliance to a cookie, for example, MWG_Auth.
One-Time Password Specific Parameters
Settings for the One-Time Password authentication method
Table 9-13 One-Time Password Specific Parameters
OTP server: Specifies the IP address and port number of the OTP server that Web Gateway connects to when authenticating a user under the One-Time Password authentication method.
Communicate with SSL and trust certificate below: When selected, communication with the OTP server is performed using an SSL-secured connection. When this option is selected, the information in the following four fields is no longer grayed out and the Import button below these fields becomes accessible. The fields provide detailed information about the certificate that is currently used in SSL-secured communication with the OTP server.
• Subject — Provides general information about the certificate.
  • Common Name (CN) — Specifies the common name of the certificate. By default, this name is localhost.
  • Organization (O) — Specifies the organization of the certificate. By default, the organization is OTP Server.
  • Organizational Unit (OU) — Specifies the organizational unit of the certificate. By default, the organizational unit is not set.
• Issuer — Provides information about the issuer of the certificate.
  • Common Name (CN) — Specifies the common name of the issuer. By default, this name is localhost.
  • Organization (O) — Specifies the organization of the issuer. By default, the organization is OTP Server.
  • Organizational Unit (OU) — Specifies the organizational unit of the server certificate. By default, the organizational unit is not set.
• Validity — Limits the time the certificate is valid.
  • Not before — Shows the date and time when the validity of the certificate begins.
  • Not after — Shows the date and time when the validity of the server certificate ends.
• Extensions — Provides additional information on the certificate.
  • Comment — Provides a plain-text comment on the certificate. By default, no comment is provided.
• Import — Opens a window for importing a certificate.
WS client name: Specifies the user name for Web Gateway in communication with the OTP server.
WS client password: Specifies the password for Web Gateway in communication with the OTP server.
OTP message: Specifies the prefix to messages that are sent from the OTP server to Web Gateway and the delimiters that enclose a message. By default, a message looks like this:
OTP for MWG: $$<OTP message>$$
McAfee Client Proxy
Settings for the SWPS (McAfee Client Proxy) authentication method
Table 9-14 McAfee Client Proxy
Customer ID: Specifies an identifier for a customer.
Shared password: Sets a password for a customer. Clicking Set opens a window that allows you to perform the setting.
Keep domain in group name: When selected, domain information contained in the name of a user group is kept. This option is selected by default.
Remove custom headers used for authentication: When selected, headers contained in the information that is submitted for authentication are removed. This option is selected by default.
Export MCP credentials to XML file: Lets you export the credentials that are submitted when performing the SWPS (McAfee Client Proxy) authentication method.
Advanced Parameters
Setting for configuring advanced authentication
This setting is the same for all authentication methods. It is therefore also mentioned at the
beginning of this description of the authentication settings, after the description of the common
settings.
Table 9-15 Advanced Parameters
Always evaluate property value: When selected, a new evaluation to assign a value to a property is performed each time a rule containing this property is processed. If a value has been stored for a property in the cache, it is not used. While it is normally recommended to let cache values be used to improve performance, there can be situations where the new evaluation of a property is required. In these situations, the same property is used more than once within the authentication rules and with the same settings of the Authentication module. A new evaluation ensures the most current value is assigned to the property each time.
Implement a different authentication method
If you do not want to use the User Database authentication method of the default rule set, you can
implement a different method, such as NTLM, LDAP, and others.
Task
1
Select Policy | Rule Sets.
2
On the rule sets tree, navigate to the rule set that contains rules for authenticating users, for
example, the default Authenticate and Authorize rule set, and select the nested Authenticate with User
Database rule set.
The rules of the nested rule set appear on the settings pane.
3
Select the rule Authenticate with User Database and in the rule criteria click User Database.
The Edit Settings window opens.
4
From the list provided under Authentication Method, select an authentication method, for example,
NTLM.
5
Configure common and specific parameters for the selected method as needed.
6
Click OK to close the window.
7
Click Save Changes.
We recommend that after changing the authentication method, you rename the settings of the
Authentication module, the authentication rule, and the nested rule set, accordingly.
For example, after selecting NTLM, rename the settings to NTLM and both the rule and the nested rule
set to Authenticate with NTLM.
Instead of renaming the default settings, you can also keep several settings with different names and
parameter values for the Authentication module.
Using system settings to configure authentication
For some authentication methods, you need to configure settings that are not settings of the
Authentication module, but of the appliance system.
This applies when you are implementing NTLM as the authentication method. In this case, you need to
join the appliance to a Windows domain and configure the Windows Domain Membership settings,
which are system settings.
It applies also for the Kerberos authentication method, which is implemented using the Kerberos
Administration system settings.
Kerberos Administration settings
The Kerberos Administration settings are specific settings for the Kerberos authentication method.
Kerberos Administration
Settings for the Kerberos authentication method
Table 9-16 Kerberos Administration
Key tab file: Specifies the file that contains the master key required to access the Kerberos server. You can type a file name or use the Browse button to browse to the file and enter its name in the field. When a ticket is issued for authentication according to the Kerberos method, the master key is read on the appliance and used to verify the ticket. If you are running a load balancer that directs web requests to the appliance, tickets are issued for the load balancer and verified on the appliance. It is then not checked whether a request is directed to the appliance.
Kerberos realm: Specifies an administrative domain configured for authentication purposes. Within the boundaries of this domain the Kerberos server has the authority to authenticate a user who submits a request from a host or using a service. The realm name is case sensitive; normally, however, only uppercase letters are used, and it is good practice to make the realm name the same as that of the relevant DNS domain.
Maximal time difference between appliance and client: Limits the time (in seconds) that the system clocks on the appliance and its clients are allowed to differ to the specified value. Configuring Kerberos as the authentication method can lead to problems when particular browsers are used for sending requests:
• When Microsoft Internet Explorer is used in a version lower than 7.0, Kerberos authentication might not be possible at all.
• When this browser runs on Windows XP, Kerberos authentication might not work as expected.
• When Mozilla Firefox is used, Kerberos authentication must be configured in the browser settings to enable this authentication method.
Enable replay cache: When selected, a ticket that is issued for authentication cannot be used more than once. Selecting this option reduces authentication performance.
Join the appliance to a Windows domain
When using the NTLM authentication method, you need to join an appliance to a Windows domain to
let the authentication module retrieve user information stored on the domain server.
An appliance can be joined to more than one domain.
Task
1
Select Configuration | Appliances.
2
On the appliances tree, select the appliance you want to join and click Windows Domain Membership.
A list of domains appears on the settings pane. It is initially empty.
3
Click Join to enter a domain into the list.
The Join Domain window opens.
4
Configure a domain name, a domain controller, and other settings in the window.
5
Click OK.
The window closes and the new domain appears in the list. The appliance is now a member of this
domain.
Repeat Steps 3 to 5 to add multiple domains.
Use the other icons on the toolbar to work with the list, for example, to modify a list entry or to let an
appliance leave a domain.
See also
Windows Domain Membership settings on page 260
Windows Domain Membership settings
The Windows Domain Membership settings are used for joining an appliance to a Windows domain.
Join Domain
Settings for joining an appliance to a Windows domain
Table 9-17 Join Domain
Windows domain name: Specifies the name of the domain.
McAfee Web Gateway account name: Specifies the name of an account for an appliance.
Overwrite existing account: When selected, an existing account is overwritten.
Use NTLM version 2: When selected, NTLM version 2 is used.
Timeout for requests to this NTLM domain: Limits the time (in seconds) that elapses before processing stops for a request sent from an appliance to a domain controller if no response is received to the specified value.
Wait time for reconnect to domain controller: Specifies the time (in seconds) that elapses before another attempt is made to connect to a domain controller after a previous attempt failed. The allowed range is from 5 to 300 seconds.
Configured domain controllers: Provides a list for entering the domain controllers that an appliance can connect to in order to retrieve authentication information. Entries must be separated by commas.
Number of active domain controllers: Maximum number of configured domain controllers that can be active at the same time. The allowed range is from 1 to 10.
Administrator name: Specifies the user name for the account that is created when an appliance is joined to a domain. User name and password are only used for this purpose and not stored.
Password: Sets a password for the administrator name.
Best practices - Configuring authentication for deployment types
When configuring authentication, you need to consider the type of deployment that is configured for
handling the traffic between Web Gateway and its clients, such as the explicit proxy mode or a
transparent mode. For each type, there is a rule set in the rule set library that is best suited to handle
authentication.
The following two questions are important with regard to the authentication process:
• How are the user credentials that are evaluated during this process obtained by Web Gateway? This part of the authentication process is sometimes referred to as the authentication front-end. The method for obtaining user credentials depends on whether the explicit proxy mode (also known as direct proxy mode) or a transparent mode (transparent router or bridge mode) is configured for handling the traffic between Web Gateway and its clients. For the explicit proxy mode, you can additionally configure clients to send requests through a service under the WCCP protocol. The rule set library provides suitable rule sets for each of these modes.
• How should credentials be evaluated once they have been obtained? This is sometimes referred to as the authentication back-end. The evaluation of credentials depends on the authentication method that is configured, for example, LDAP or NTLM.
Library rule sets for authentication
The rule sets for configuring authentication are located in the Authentication rule set group of the rule
set library.
The following table shows which of these rule sets are recommended for particular types of
deployment.
Table 9-18 Library rule sets for authentication
Deployment type | Recommended library rule set
Explicit proxy mode | Direct Proxy Authentication and Authorization
Transparent router or bridge mode | Authentication Server (Time/IP Based Session)
Explicit proxy mode with WCCP | Direct Proxy Authentication and Authorization for traffic processed in explicit proxy mode; Authentication Server (Time/IP Based Session) for traffic processed in WCCP mode
After importing a rule set from the library, you can modify its rules to adapt them further to the needs
of your network.
Position in the rule sets tree
An authentication rule set should be placed after the Global Whitelist rule set, but before the Common
Rules rule set (if you keep these items from the default rule sets tree).
Placing an authentication rule set in this way ensures that a user need not be authenticated when sending a request for a web object that is on the global whitelist.
Authentication for the explicit proxy mode
When configuring authentication for the explicit proxy mode, a suitable rule set must be implemented
on Web Gateway.
Library rule set for the explicit proxy mode
The recommended library rule set for the explicit proxy mode is Direct Proxy Authentication and
Authorization.
This rule set has two nested rule sets:
• Authenticate with User Database
• Authorize User Groups
When this rule set is implemented, the authentication process is performed for each request that is
received from a client of Web Gateway unless an exception rule applies.
Using this rule set is also the preferred way of handling authentication when Citrix is installed or
workstations are shared in a configuration.
Direct Proxy Authentication and Authorization rule set
This rule set contains rules for making exceptions that allow a request to be processed on Web
Gateway without authenticating the user who sent the request.
Exceptions can be based on:
• The IP address of the client that a request was sent from
• The URL of the web object that is the destination of the request
Using these rules you can ensure that requests coming in from trusted clients or going out to trusted
destinations are spared the effort of performing an authentication process for their users, which
increases performance.
You can also create rules of your own and add them to this rule set to allow for more exceptions.
Authenticate with User Database nested rule set
This rule set contains a rule that lets authentication be performed for a user who sends a request for
web access from a client of Web Gateway. The user is asked to submit credentials, which are
evaluated based on information that is stored in the internal user database.
The rule set applies if the user in question has not yet been authenticated and has not previously tried to authenticate without success. The Authentication.IsAuthenticated and Authentication.Failed properties are used to check this.
Instead of using information from the internal user database to evaluate the credentials, you can
configure a different authentication method, for example, LDAP or NTLM.
Authorize User Groups nested rule set
This rule set contains a rule that allows only requests of authorized users, which means a request is
blocked if the user who sent it is not a member of one of the user groups on a particular list. The
request is blocked, even if the user has successfully passed the evaluation that was performed before.
This rule allows you to implement an additional security check. If you want to use it, you need to fill
the list that is used in this rule set with user groups. If you do not want to use it, you can disable or
delete the rule set.
Modifying the rule set for the explicit proxy mode
When configuring authentication for the explicit proxy mode, you can modify the library rule set to
adapt it to the needs of your network.
This includes:
• Changing the authentication method
• Modifying, disabling, or deleting user authorization
• Configuring more exception rules
Changing the authentication method
By default, the method used for evaluating credentials is comparing them to the information stored in
the internal user database.
To change this authentication method (authentication back-end), you need to configure the settings
that appear next to the Authentication.Authenticate property in the only rule of the Authenticate with
User Database rule set.
Under Authentication method, a list of authentication methods is provided to let you select a method that is
better suited to the needs of your network, for example, LDAP or NTLM.
Modifying, disabling, or deleting user authorization
The nested Authorize User Groups rule set allows only requests from authorized users. You can fill the list that is provided in the only rule of this rule set with user groups as needed.
If you do not want to use this rule as an additional security check, you can disable or delete the rule
set.
Configuring more exception rules
You can add rules to the Direct Proxy Authentication and Authorization rule set to cover more
exceptions from the authentication process.
If any of these rules applies, processing of the rule set is stopped, which means it is not executed for
the nested rule sets that handle authentication.
For example, you can add a rule to allow requests when the browser on the client they were sent from
runs with a particular user agent. Information about the user agent is taken from the request header.
The rule might look as follows:
Skip authorization for user agents that are in list Allowed User Agents
Header.Request.Get ("User-Agent") matches in list Allowed User Agents –> Stop Rule Set
Another rule could allow requests for access to objects on web servers with IP addresses that are on a
particular list. The IP address is taken from the URL that was submitted with a request.
This rule might look as follows:
Skip authorization for destination IPs that are in list Allowed Destination IPs
URL.Destination.IP is in range list Allowed Destination IPs –> Stop Rule Set
Authentication for transparent modes
When configuring authentication for the transparent modes, the settings on the browsers that are
used for sending requests to Web Gateway need to be modified. A suitable rule must also be
implemented on Web Gateway.
Modifying the browser settings
To enable authentication for the transparent router or bridge mode, the settings of each web browser
that is used for sending requests must be configured to let it trust Web Gateway.
If NTLM or Kerberos is configured as the authentication method on Web Gateway, a browser that trusts Web Gateway completes the authentication with the credentials of the logged-on Windows user, without prompting the user.
• When using Microsoft Internet Explorer, you need to modify the security settings by:
  • Configuring your local intranet as a security zone
  • Adding Web Gateway as a website to this zone
    This is done by specifying a URL with an IP address or a fully qualified domain name, for example, http://10.10.69.73 or http://*.mcafee.local.
  • Configuring automatic logon for all websites in the zone as the security setting for user authentication
  You can configure this under Internet Options, using the Local Intranet and Security Settings - Local Intranet Zone windows.
  If group policies can be configured for a browser, you can also use the Group Policy Management Editor together with the Site to Zone Assignment List and the Logon Options window.
• When using Mozilla Firefox, you need to configure an IP address or a fully qualified domain name for Web Gateway under about:config as the value of the network.automatic-ntlm-auth.trusted-uris parameter, for example, 10.10.69.73 or mwgappl.yourdomain.local. For Kerberos, the corresponding parameter is network.negotiate-auth.trusted-uris.
For more information, refer to the documentation of the respective web browser.
Library rule set for transparent modes
The recommended library rule set for the transparent router or bridge mode is Authentication Server
(Time/IP Based Session).
It has two nested rule sets:
• Check for Valid Authentication Session
• Authentication Server
Differing from the authentication process that is performed for the explicit proxy mode, this rule set
handles authentication by creating an authentication session when a user who sent a request for web
access is successfully authenticated.
Subsequent requests that this user sends are processed without requiring authentication again as long
as this session is still valid. The default session length is 600 seconds.
Using this rule set in a configuration where Citrix is installed or workstations are shared can lead to
the following situation: User A sends a request, is authenticated, and an authentication session is
created. Later on, user B sends a request from the same workstation and is still allowed to continue
with user A's session.
Authentication Server (Time/IP Based Session) rule set
This rule set serves as a container for the two nested rule sets and has no rules of its own.
Check for Valid Authentication Session nested rule set
This rule set contains a rule that checks whether a valid session exists for a user who sends a request
from a client. Session information is stored in an internal session database. It includes the user name,
the IP address of the client, and the session length.
If a valid session exists, processing of the request is continued for the remaining rules and rule sets
that are configured. If no valid session exists, the request is redirected to the authentication server.
Authentication Server nested rule set
This rule set contains a rule that lets authentication be performed for a user whose request has been
redirected to the authentication server. If the authentication was successful, a session is created for
this user in the session database.
The method used by default for evaluating the user's credential is comparing them to the information
that is stored in the internal user database. You can replace this method with a different method, for
example, LDAP or NTLM.
Modifying the rule set for transparent modes
When configuring authentication for transparent modes, you can modify the library rule set to adapt it
to the needs of your network.
This includes:
• Modifying the authentication server URL
• Changing the authentication method
• Enabling the ideal conditions rule
• Increasing the session TTL
Modifying the authentication server URL
If you have modified the security settings of the browsers that are used for sending requests to Web
Gateway by configuring your local domain as a security zone, you can include Web Gateway as a
website in this zone by specifying a URL with an IP address or fully qualified domain name for it.
In this case, you also need to modify the URL of the authentication server, which by default contains
an IP address for Web Gateway, by inserting the name of your local domain.
The authentication server URL is dynamically generated for an appliance that Web Gateway runs on.
As there can be several Web Gateway appliances in a configuration, the IP address cannot be static,
but must be configured dynamically, which is done using internal configuration properties.
You can modify this URL under the IP Authentication Server settings, which appear next to the
Authentication.Authenticate property in the Redirect clients that do not have a valid session to the
authentication server rule of the Check for Valid Authentication Session rule set.
By default, the URL looks like this:
http://$<propertyInstance useMostRecentConfiguration="false"
propertyId="com.scur.engine.system.proxy.ip"/>$:$<propertyInstance
useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.port"/>$
Shown in human readable format, a particular authentication server URL could be:
http://10.10.69.71:9090
After adapting the URL to the browser settings that have your local domain configured within a
security zone, it looks like this:
http://$<propertyInstance useMostRecentConfiguration="false"
propertyId="com.scur.engine.system"/>$.yourdomain.local:$<propertyInstance
useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.port"/>$
that is, the reference to the com.scur.engine.system.proxy.ip property (the IP address of the appliance) is replaced by a reference to the com.scur.engine.system property (the host name of the appliance) followed by .yourdomain.local, so that the browser sees a URL within the trusted zone.
In human readable format, this could be, for example
http://mwgappl.yourdomain.local:9090
where mwgappl is the host name of an appliance that Web Gateway runs on.
Changing the authentication method
By default, the method used for transparent modes to evaluate credentials is comparing them to the
information stored in the internal user database.
To change this authentication method (authentication back-end), you need to configure the settings
that appear next to the Authentication.Authenticate property in the Authenticate user against user
database rule of the Authentication Server rule set.
Under Authentication method, a list of authentication methods is provided to let you select a method that is
better suited to the needs of your network, for example, LDAP or NTLM.
Enabling the ideal conditions rule
The Revalidate session under ideal conditions rule in the Check for Valid Authentication Session rule
set lets a user authenticate again under "ideal" conditions, which means authentication will not be
asked for at a time when the session has already expired.
In more detail, these conditions are by default:
• The remaining session time is less than 400 seconds.
• The network protocol is HTTP.
• The request that the user sends is a GET request.
Enabling this rule avoids a situation like the following:
1 A user sends a request from a client of Web Gateway and authenticates (600 seconds are allowed for the session time).
2 The user wants to send a ticket to the help desk and begins filling out a data form (300 seconds are used up).
3 The user needs more information to fill out the form and browses the web for this information, which lets some GET requests be received on Web Gateway (200 more seconds are used up).
4 The user completes the data form and submits it, which lets a POST request be received on Web Gateway (200 more seconds elapse; the session time expires after the first 100 of them).
5 As the session time has expired, the user is asked to authenticate again before the POST request is processed. However, due to the session expiration, all filled-out data is lost.
If the ideal conditions rule is enabled, the user is already asked when browsing for information at step 3 to authenticate again, which leaves enough time to complete the form and submit it.
Increasing the session TTL
You can increase the allowed time for an authentication session, for example, from the default 600
seconds (10 minutes) to an hour.
You can also modify the time condition in the criteria of the Revalidate session under ideal conditions
rule, for example, by increasing it from 400 to 600 seconds.
This way, the rule will ask a user, upon receiving a GET request, to authenticate when session
expiration is still 10 minutes away.
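The session check and the ideal conditions rule described in this section, replayed on the help-desk timeline above, as an added Python model. It is not part of this product guide and not the appliance's implementation: the session database, the decide() function and the client address 10.10.69.50 are assumptions of the example, and only the 600 second session length, the 400 second time condition and the HTTP GET condition come from the guide.

```python
"""Model of the 'Check for Valid Authentication Session' decision logic.

Added illustration; not code from the product guide and not the appliance's
implementation. The session database, field names and decide() are this
example's assumptions. Only the numbers (600 s session length, 400 s
revalidation threshold) and the HTTP GET condition come from the guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SESSION_TTL = 600        # default session length in seconds
REVALIDATE_BELOW = 400   # default time condition of the ideal conditions rule


@dataclass
class Session:
    user: str
    client_ip: str
    created: int         # time (seconds) at which the user authenticated
    ttl: int = SESSION_TTL

    def remaining(self, now: int) -> int:
        return self.created + self.ttl - now


class SessionDb:
    """Time/IP based session database: one session per client IP address."""

    def __init__(self, ideal_conditions_rule: bool = False) -> None:
        self.sessions: Dict[str, Session] = {}
        self.ideal_conditions_rule = ideal_conditions_rule

    def authenticate(self, user: str, client_ip: str, now: int) -> None:
        """Called by the Authentication Server rule set after a successful authentication."""
        self.sessions[client_ip] = Session(user, client_ip, now)

    def decide(self, client_ip: str, protocol: str, method: str, now: int) -> str:
        """Outcome of the Check for Valid Authentication Session rule set.

        'allow'      valid session, the request continues through the rule tree
        'revalidate' session still valid, but the ideal conditions rule asks for
                     authentication now rather than after expiry
        'redirect'   no valid session, the client is sent to the authentication server
        """
        session = self.sessions.get(client_ip)
        if session is None or session.remaining(now) <= 0:
            self.sessions.pop(client_ip, None)
            return "redirect"
        if (self.ideal_conditions_rule
                and session.remaining(now) < REVALIDATE_BELOW
                and protocol == "HTTP" and method == "GET"):
            return "revalidate"
        return "allow"

    def owner(self, client_ip: str) -> Optional[str]:
        """User the current session for this address belongs to, if any."""
        session = self.sessions.get(client_ip)
        return session.user if session else None


def help_desk_timeline(ideal_conditions_rule: bool) -> List[Tuple[int, str, str]]:
    """Replay steps 1 to 5 of the help-desk scenario; returns (time, method, decision).

    A 'revalidate' decision is followed by a successful re-authentication,
    which restarts the session, as the rule intends.
    """
    db = SessionDb(ideal_conditions_rule)
    ip = "10.10.69.50"                      # constructed client address
    db.authenticate("jsmith", ip, now=0)    # step 1: session valid until t=600
    requests = [(300, "GET"), (500, "GET"), (700, "POST")]   # steps 3 and 4
    timeline = []
    for now, method in requests:
        decision = db.decide(ip, "HTTP", method, now)
        if decision == "revalidate":
            db.authenticate("jsmith", ip, now)
        timeline.append((now, method, decision))
    return timeline


if __name__ == "__main__":
    for enabled in (False, True):
        print("ideal conditions rule", "on " if enabled else "off", help_desk_timeline(enabled))
```

With the rule disabled the POST at 700 seconds is redirected to the authentication server and the form data is lost; with it enabled the GET at 300 seconds (remaining time 300, below 400) triggers revalidation and the POST is allowed. Because the session is keyed by the client IP address, decide() never looks at who is sending the request, which is the shared-workstation situation described above: a second user on the same address continues on the first user's session. Raising the time condition to 600 seconds, as described under Increasing the session TTL, only changes REVALIDATE_BELOW.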
Authentication for the explicit proxy mode with WCCP
Configuring authentication for the explicit proxy mode with WCCP includes import and modification of
two rule sets, as well as specifying ports for incoming traffic to trigger the use of the appropriate rule
set.
When the explicit proxy mode with WCCP is configured, clients send requests to Web Gateway in
explicit proxy mode or using a service under the WCCP protocol.
To handle authentication for the explicit proxy mode, the Direct Proxy Authentication and Authorization
rule set is recommended, for the WCCP mode, which is a transparent mode, it is the Authentication
Server (Time/IP Based Session) rule set.
This means you should import both rule sets and complete additional activities as needed for both
modes, including the modification of the browser settings for the WCCP mode.
To let traffic for each mode be handled by the appropriate authentication rule set, you can configure
different ports for both types of traffic and specify the respective port in the criteria of each rule set.
Configuring different ports for the explicit proxy and WCCP modes
The ports for the explicit proxy and WCCP modes could, for example, be 9090 and 9091. You need to
specify the port for the WCCP mode when configuring a WCCP service and both ports in the list of
HTTP ports.
A WCCP service is configured by entering it in the WCCP Services list. This list appears after selecting
WCCP in the Transparent Proxy section of the Proxies (HTTP(S), FTP, ICAP, and IM) system settings.
The section appears within these settings when you begin to configure the explicit proxy mode with
WCCP by selecting Proxy (optional WCCP) under Network Setup.
The entry for a WCCP service that is used for traffic coming in on port 9091 could, for example, look
as follows:
No | Service ID | WCCP router | Ports | Ports ... | Proxy listener | Proxy listener port | MD5 ... | Assignment ... | Comment
1 | 91 | 10.10.69.7 | 80, 443 | false | 10.10.69.73 | 9091 | oooooo | 1000 |
The HTTP Port Definition List can be configured in the HTTP Proxy section, which is located below the
Transparent Proxy section.
The entries for the explicit proxy and WCCP modes could look as follows:
No | Listener address | Serve ... | Ports ... | Transparent ... | McAfee ... | Comment
1 | 0.0.0.0:9090 | true | 443 | false | true | Explicit proxy traffic
2 | 0.0.0.0:9091 | true | 443 | false | true | WCCP traffic
Adapting the criteria of the authentication rule sets
After configuring different ports for traffic coming in under the explicit proxy mode or using a WCCP
service, for example, 9090 and 9091, you need to adapt the criteria of the rule sets for handling the
two kinds of traffic.
The adapted rule criteria of the Direct Proxy Authentication and Authorization rule set would then look
as follows:
Proxy.Port equals 9090 AND (Connection.Protocol equals "HTTP" OR Connection.Protocol
equals "HTTPS")
For the Authentication Server (Time/IP Based Session) rule set, the adapted criteria would be:
Proxy.Port equals 9091
Best practices - Configuring LDAP authentication
LDAP authentication is one of the methods that can be configured on Web Gateway for authenticating
users.
LDAP stands for Lightweight Directory Access Protocol. Under this protocol, the authentication process
on Web Gateway can be integrated with an existing directory service in a network. The directory holds
user information, which can be queried and used for authentication.
In addition to authenticating a user, a directory can be queried to find other pieces of information
about a user and the groups that a user belongs to. These pieces of information are called attributes.
An entry for a user in, for example, the Microsoft Windows Server Active Directory (Active Directory)
usually includes a memberOf attribute holding information about the groups that the user belongs to.
An entry for a group usually has a member attribute to hold the group members' user names.
The results returned by lookups for both user and group attributes are stored on Web Gateway as the
value of the Authentication.UserGroups property.
LDAP authentication process
The process that integrates user authentication on Web Gateway and a directory on an LDAP server
includes the following main steps.
• Web Gateway sends an initial bind request with administrator credentials to the LDAP server.
• If the request is successful, Web Gateway sends a query with the user name that the user submits.
The purpose of this query is to find a distinguished name that the user name is mapped to in the directory on the LDAP server.
• If a distinguished name is found, the LDAP server sends it back.
The distinguished name (DN) is a combination of information about a user, the container that holds the user, and a network domain, provided in LDAP syntax.
For example, for the user name jsmith, the LDAP server sends back the distinguished name cn=John Smith,cn=users,dc=ldap,dc=local.
• Web Gateway sends a second bind request to the LDAP server with the purpose of authenticating the user.
This request includes the distinguished name and the password that the user submitted.
• If the request is successful, the user is authenticated.
You can record the steps of the authentication process in a tcpdump to review them. With plain LDAP, both bind requests, including the administrator credentials and the user's password, are visible in clear text in such a capture, which is one reason for preferring LDAPS as recommended below.
You can record the steps of the authentication process in a tcpdump to review them.
Rule for authenticating a user under LDAP
To configure LDAP authentication on Web Gateway, you must implement a rule that authenticates a
user in an integrated process with Web Gateway and a directory on an LDAP server.
The rule set library provides a rule set with a default rule that you can modify and use for this
purpose. The modified rule looks as follows:
Name: Authenticate with LDAP
Criteria: Authentication.Authenticate<LDAP> equals false
Action: –> Authenticate<Default>
The rule applies if a user has not yet been authenticated using the LDAP authentication method.
The settings of the Authentication.Authenticate property in this rule are configured to provide the
information that is necessary to run the authentication process successfully, including the IP address
of the LDAP server and the administrator credentials for Web Gateway.
Configure the LDAP method for authenticating a user
To configure the LDAP method for authenticating a user, you can adapt an already existing
authentication rule. Modify the names and settings within this rule in a way that makes them suitable
for LDAP authentication.
Task
1 Import the Explicit Proxy Authentication and Authorization rule set from the rule set library.
This rule set is for authentication in explicit proxy mode. For a transparent mode, import the Authentication Server rule set.
2 Adapt the authentication rule in the nested Authenticate with User Database rule set to make it suitable for LDAP authentication.
For a transparent mode, adapt the authentication rule in the nested Authentication Server rule set.
a Rename the current rule to Authenticate with LDAP.
b Rename the settings of the Authentication.Authenticate property to a name that is appropriate for LDAP-related settings, for example, LDAP.
c Modify the settings to make them suitable for LDAP authentication.
3 Rename the nested rule set to Authenticate with LDAP.
Instead of adapting the nested library rule set, you can also disable or delete it and create a new nested rule set for LDAP authentication.
The second nested rule set of the Explicit Proxy Authentication and Authorization library rule set, Authorize User Groups, is not needed for LDAP authentication.
If you delete this nested rule set, you should rename the nesting rule set or have only one rule set named, for example, Explicit Proxy Authentication with LDAP.
4 Click Save Changes.
See also
Configure the settings for the LDAP authentication method on page 270
Configure the settings for the LDAP authentication method
Configure the settings for the LDAP authentication method by modifying the settings in the rule for
authenticating a user that you have imported from the rule set library.
Task
1 In the imported rule, click the settings of the Authentication.Authenticate property that you have renamed to LDAP or a similar name.
The Edit Settings window opens.
2 Under Authentication Method, select LDAP.
The LDAP Specific Parameters section appears next to Common Authentication Parameters.
You can leave the common parameters as they are, as well as the LDAP-specific parameters that are not mentioned in the following.
3 In the LDAP server(s) to connect to list, add an entry for the LDAP server that the directory with the user information resides on.
The syntax for an entry is as follows:
{LDAP | LDAPS}://<IP address>[:<port number>]
For example: LDAP://10.205.67.8:389
LDAP is an insecure protocol, as it transmits information, including the bind credentials and the user's password, in clear text. We recommend using LDAPS (secure LDAP) if possible.
The default LDAP port is 389 while LDAPS uses 636.
4 Provide the administrator credentials that Web Gateway submits when trying to connect to the LDAP server.
a Under Credentials, type the distinguished name of the account in LDAP syntax, built from common name (cn) and domain component (dc) elements, for example:
cn=administrator,cn=users,dc=ldap,dc=local
This account only needs to search the directory for user and group entries, so a dedicated account with read-only rights is sufficient and preferable to a domain administrator account.
b Under Password, type the password of this account.
5 If the directory on the LDAP server is an Active Directory, deselect Allow LDAP directory to follow referrals.
6 Provide information for the query to find the distinguished name of the user who is to be authenticated.
a Under Base distinguished name to user objects, specify a starting point for the query.
The starting point is specified in LDAP syntax, for example:
cn=users,dc=ldap,dc=local
b Select Map user name to DN.
Selecting this option lets the query search for a distinguished name that the submitted user name is mapped to in the directory.
c Under Filter expression to locate a user object, specify a user attribute that allows the distinguished name to be found.
Specifying this filter expression enables the search to find the entry for a user in the directory. The filter compares an attribute of the user entry to the user name that the user submitted. On Web Gateway, the submitted user name is available in the variable %u.
In an Active Directory, the attribute that stores the user name is sAMAccountName. The filter expression for an Active Directory is therefore:
samaccountname=%u
Using this filter expression, the query finds the user entry and maps the submitted user name to the distinguished name of that entry.
7 Click OK to close the window.
8 Click Save Changes.
These settings enable Web Gateway to authenticate a user under the LDAP authentication method. To
retrieve information stored in other attributes within a directory, additional settings are required.
See also
Configure queries for user and group attributes on page 271
Configure queries for user and group attributes
Configure additional settings to perform queries that retrieve ("pull") more information about users
and user groups from a directory on an LDAP server.
The settings for these queries are part of the settings that you configure for the Authentication module
(engine) on Web Gateway to handle the integrated process for authenticating a user.
Task
1 Configure a query for user attributes.
a Select Get user attributes.
You need not configure any special values for the Base distinguished name to user objects option, as these values are the same as those that you already configured for the purpose of authenticating a user.
b In the User attributes to retrieve list, add the name of the attribute that the query should find a value for. You can also add multiple names here.
For example, to retrieve information about the group or groups that a user belongs to, add memberof.
c Under Attributes concatenation string, type a character for separating multiple resulting values, for example, a comma.
2 Configure a query for group attributes.
a Select Get group attributes.
b Under Base distinguished name to group objects, provide a starting point for the query using LDAP syntax, for example, ou=groups,dc=ldap,dc=local.
c Under Filter expression to locate a group object, specify an attribute of a group that allows the group to be found.
For example, specify member=%u, which has member as the attribute name and the %u variable that holds the user's user name on Web Gateway as the attribute value.
d In the Group attributes to retrieve list, add the name of the attribute that the query should find a value for. You can also add multiple names here.
For example, to find the so-called common name of a group, add cn.
e Under Attributes concatenation string, type a character for separating multiple resulting values, for example, a comma.
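The LDAP authentication process (initial bind, DN lookup with samaccountname=%u, bind as the user), the user attribute query and the group query with member=%u, as one added Python walk-through. This is not code from the product guide and not Web Gateway's Authentication module: the directory is a constructed in-memory stand-in for an LDAP server, bind() and search() are the example's own simplified versions of the LDAP operations, and the account names, passwords and base DNs are assumptions. The example also escapes the value substituted for %u according to RFC 4515; whether the appliance does this itself is not stated on this page.

```python
"""Walk-through of the LDAP authentication and lookup steps of this chapter.

Added illustration, not code from the product guide and not Web Gateway's
Authentication module. DIRECTORY is a constructed stand-in for an LDAP
server; bind()/search() are simplified LDAP operations. Only the step order
and the filter and attribute names (samaccountname=%u, memberof, member=%u,
cn) come from the guide.
"""
import re
from typing import List, Optional

# Constructed directory: DN -> attributes, Active Directory style names.
DIRECTORY = {
    "cn=administrator,cn=users,dc=ldap,dc=local": {
        "samaccountname": ["administrator"], "userpassword": ["Adm1nPass"]},
    "cn=John Smith,cn=users,dc=ldap,dc=local": {
        "samaccountname": ["jsmith"], "userpassword": ["s3cret"],
        "mail": ["jsmith@ldap.local"],
        "memberof": ["cn=webusers,ou=groups,dc=ldap,dc=local"]},
    "cn=webusers,ou=groups,dc=ldap,dc=local": {
        "cn": ["webusers"], "member": ["cn=John Smith,cn=users,dc=ldap,dc=local"]},
}
ADMIN_DN = "cn=administrator,cn=users,dc=ldap,dc=local"   # Credentials setting (assumed)
ADMIN_PASSWORD = "Adm1nPass"
USER_BASE_DN = "cn=users,dc=ldap,dc=local"                 # base DN to user objects
GROUP_BASE_DN = "ou=groups,dc=ldap,dc=local"               # base DN to group objects

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter (the %u slot).

    Escaping makes the submitted user name match literally, so a name such as
    '*' cannot turn the DN lookup into a wildcard search.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userpassword") == [password]


def search(base_dn: str, filter_expr: str) -> List[str]:
    """Subtree search for one equality filter 'attr=value'; returns matching DNs.

    A bare '*' is a presence test, as in LDAP; an escaped value matches literally.
    """
    attr, _, value = filter_expr.partition("=")
    presence = value == "*"
    literal = _unescape(value).lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        if values and (presence or literal in values):
            hits.append(dn)
    return hits


def find_user_dns(user_name: str, escape: bool = True) -> List[str]:
    """Step 2: query samaccountname=%u under the user base DN to map the name to a DN."""
    value = escape_filter_value(user_name) if escape else user_name
    return search(USER_BASE_DN, f"samaccountname={value}")


def authenticate(user_name: str, password: str) -> Optional[str]:
    """The process from the guide: admin bind, DN lookup, bind as the user.

    Returns the user's DN (what Authentication.Username holds afterwards) or None.
    """
    if not bind(ADMIN_DN, ADMIN_PASSWORD):        # step 1: initial bind
        return None
    dns = find_user_dns(user_name)                 # steps 2 and 3
    if len(dns) != 1:                              # unknown name, or ambiguous match
        return None
    return dns[0] if bind(dns[0], password) else None   # steps 4 and 5


def user_attributes(user_dn: str, names: List[str], sep: str = ",") -> str:
    """Get user attributes: values of the listed attributes joined with the concatenation string."""
    entry = DIRECTORY[user_dn]
    return sep.join(v for n in names for v in entry.get(n.lower(), []))


def user_groups(user_dn: str) -> List[str]:
    """Get group attributes: filter member=%u with %u now holding the DN, retrieving cn."""
    groups = search(GROUP_BASE_DN, f"member={escape_filter_value(user_dn)}")
    return [DIRECTORY[g]["cn"][0] for g in groups]


if __name__ == "__main__":
    dn = authenticate("jsmith", "s3cret")
    print(dn, user_groups(dn), user_attributes(dn, ["memberof", "mail"]))
```

Two points the walk-through makes visible: find_user_dns("*", escape=False) returns every user under the base DN, whereas the escaped form returns nothing, and authenticate() refuses a lookup that yields more than one entry rather than binding as whichever DN came first. Note also that a DN returned for memberof contains commas itself, so with a comma as Attributes concatenation string the resulting string cannot be split back into its values unambiguously; choose a separator that cannot occur in a DN.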
Storing an attribute in a separate property
You can store a user or group attribute in a separate User-Defined property for logging and other
purposes.
When a query for an attribute of a user or user group is performed in a directory on an LDAP server,
the resulting information is stored on Web Gateway as the value of the Authentication.UserGroups
property.
If you are interested in a particular piece of information, for example, the email address of a user, you
can also retrieve it separately and store it in a User-Defined property.
For this purpose, you must create an additional rule, as well as additional settings named, for
example, LDAP Email Lookup, for the Authentication module (engine). In this rule, the Authentication
module runs with the additional settings to retrieve the information that is stored within the entry for
a user as the value of the email attribute.
Options must be especially configured in the additional settings as follows:
• Get user attributes must be enabled.
• The User attributes to retrieve list must contain a single entry for the email attribute. When an Active Directory is running on the LDAP server, the attribute name is mail.
• Map user name to DN must be disabled.
Not disabling the option produces an error, as the user name has already been mapped when the Authentication module was running with the LDAP settings to authenticate the user.
All other options can be configured in the same way as the settings within the rule that authenticates
the user.
The complete rule should look as follows:
Name: Get email information and store separately
Criteria: Authentication.IsAuthenticated equals true AND Authentication.GetUserGroups<LDAP Email Lookup> does not contain "no-group"
Action: –> Continue
Event: Set User-Defined.Email = List.OfString.ToString (Authentication.UserGroups, " ")
The rule must be added to the rule set for LDAP authentication and placed after the rule that
authenticates the user.
Storing the original user name for logging
The original user name can be stored for logging purposes.
When a user has been authenticated using the LDAP method, the value of the
Authentication.Username property is set to the user's distinguished name. If the property is used for
creating a log entry, the part of the log entry that identifies the user will look, for example, as follows:
CN=John Smith,CN=Users,DC=LDAP,DC=local
To let the log entry show the original user name, which might be jsmith, rather than the distinguished
name, you can modify the rule set for LDAP authentication in a suitable manner.
Instead of having only a rule that authenticates a user under LDAP, the rule set should contain the
following:
• A rule that handles LDAP authentication for a user and stores the original user name in a User-Defined property
• One or more rules that perform other LDAP-related activities, for example, retrieving information about the group that a user belongs to
• A rule that restores the original user name as the value of the Authentication.Username property after all LDAP-related activities have been completed
Rule for authenticating a user and storing the user name
The following rule stores the original user name after authenticating the user. An event in this rule sets
the value of a User-Defined property accordingly.
Name – Authenticate user and store user name
Criteria – Authentication.IsAuthenticated equals false AND Authentication.Authenticate<LDAP> equals true
Action – Continue
Event – Set User-Defined.UserName = List.OfString.ToString(Authentication.UserGroups, " ")
The user name is retrieved by querying the directory on the LDAP server for this name. The settings of
the Authentication.Authenticate property, which is responsible for authenticating the user, are
configured accordingly.
When the query has been performed, the user name is stored as the value of the Authentication.Groups property. It is converted into a string, using the List.OfString.ToString property. The property that is converted originally holds a list of strings, because after all LDAP-related activities have been completed it might include not only the user name, but also other pieces of information.
Rule for retrieving user group information
The following rule is an example for an additional LDAP-related activity. It retrieves information about
the groups that a user belongs to.
Name – Get user group information
Criteria – Authentication.IsAuthenticated equals true AND Authentication.GetUserGroups<LDAP Group Lookup> does not contain "no-group"
Action – Continue
To identify the user, the rule still needs to know the user's distinguished name, so the original user name cannot yet be restored as the value of the Authentication.Username property.
You must create different settings and configure them for the Authentication module
(engine) to run and retrieve a value for the Authentication.GetUserGroups property.
The name of these settings might, for example, be LDAP Group Lookup, as in this sample
rule.
Within these settings, the Map user to DN option must be disabled.
Rule for restoring the original user name
The following rule restores the original user name as the value of the Authentication.UserName
property.
Name – Restore user name
Criteria – Authentication.Authenticate<LDAP> equals false
Action – Stop Rule Set
Event – Set Authentication.UserName = User-Defined.Authentication.Username
An event in this rule sets this property to the value of the User-Defined property that you created to
store the original user name in a preceding rule. The distinguished name that has temporarily been
the value of this property is overwritten.
When the original user name has been restored, the property can be used for logging purposes.
Testing and troubleshooting LDAP authentication
Several activities can be completed for testing and troubleshooting the LDAP authentication process.
A tool for testing the configured authentication process with a given user name and password is
available on the user interface of Web Gateway.
If running the tool shows that the process failed, carefully review what you have configured. If no
errors can be found, you can create a debug log using another tool. If this does not explain the failure
either, create a tcpdump using a third tool.
Test authentication for a given user name and password
The settings for the Authentication module include a section for testing purposes. You can enter a user
name and password and let Web Gateway attempt to authenticate the user.
Task
1 Select Policy | Settings.
2 On the Engines branch of the settings tree, click the settings for the Authentication module (engine) that you have modified or newly created, for example, the LDAP settings.
3 Under Common Authentication Parameters, deselect Use authentication cache.
Otherwise no changes in the directory on the LDAP server are detected until the cache expiration time has elapsed.
4 Expand Authentication Test and type a user name and password in the fields that are provided.
5 Click Authenticate User.
The result of the authentication process is shown under Test result.
• If the process is successfully performed, an OK message appears.
The testing tool also displays any attribute values that you have configured queries for.
• If the process fails, the following message appears: Error: Authentication failed.
Create a debug log file for troubleshooting authentication
You can create a debug log file to record the authentication process and review it for troubleshooting
purposes.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance that you want to create a debug log file on, then click Troubleshooting.
3 In the Authentication Troubleshooting section, select Log authentication events.
We recommend that you also select Restrict tracing to one IP and specify a client IP address to prevent the log file from becoming too large.
4 Reproduce the authentication process.
A debug log file is created for the process.
5 Locate the debug log file.
a Select Troubleshooting.
b On the troubleshooting tree, select the appliance that you created the debug log file on, then click Log files.
c Open the debug folder and look for the mwg-core.Auth.debug.log file with the appropriate time stamp.
The log file contains log lines showing failure IDs for the authentication process. The meaning of these IDs is as follows:
0 – NoFailure: Authentication was successful
2 – UnknownUser: Cannot map user name to user DN
3 – WrongPassword: Bind with user password failed
4 – NoCredentials: Credentials are missing or have invalid format
5 – NoServerAvailable: Could not get a server connection
6 – ProxyTimeout: Request is being processed longer than the configured timeout
8 – CommunicationError: Communication with server failed, for example, due to a timeout
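When reviewing a debug log from a busy appliance, it helps to decode the failure IDs mechanically and to separate user-side failures (unknown user, wrong password, missing credentials) from server-side ones (no server available, timeouts), which point at the LDAP server or the network rather than at the user. The following Python script is an added example, not part of the product guide or of Web Gateway. The failure ID table is taken from the guide; the layout of the log lines (a "failure=<id>" token and a "client=<ip>" token) is an assumption, because the guide does not show the exact format of mwg-core.Auth.debug.log, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Failure IDs written to mwg-core.Auth.debug.log, as documented in the guide.
FAILURE_IDS = {
    0: ("NoFailure", "Authentication was successful"),
    2: ("UnknownUser", "Cannot map user name to user DN"),
    3: ("WrongPassword", "Bind with user password failed"),
    4: ("NoCredentials", "Credentials are missing or have invalid format"),
    5: ("NoServerAvailable", "Could not get a server connection"),
    6: ("ProxyTimeout", "Request is being processed longer than the configured timeout"),
    8: ("CommunicationError", "Communication with server failed, for example, due to a timeout"),
}

# ASSUMED line layout: the guide does not show the debug log format, so these patterns only
# look for a "failure=<id>" token and an optional "client=<ip>" token anywhere in the line.
FAILURE_RE = re.compile(r"\bfailure\s*(?:id)?\s*[=:]\s*(\d+)", re.IGNORECASE)
CLIENT_RE = re.compile(r"\bclient\s*[=:]\s*(\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)


def decode_failure(line):
    """Return (id, name, description) for a log line, or None if it carries no failure ID."""
    match = FAILURE_RE.search(line)
    if match is None:
        return None
    fid = int(match.group(1))
    name, description = FAILURE_IDS.get(fid, ("Unknown", "Failure ID not documented in the guide"))
    return fid, name, description


def summarize(lines):
    """Count log lines per failure name; lines without a failure ID are ignored."""
    counts = Counter()
    for line in lines:
        decoded = decode_failure(line)
        if decoded is not None:
            counts[decoded[1]] += 1
    return dict(counts)


def server_side_failures(lines):
    """Lines with IDs 5, 6 or 8: the LDAP server or the network failed, not the user's input."""
    return [line for line in lines if (decode_failure(line) or (None,))[0] in (5, 6, 8)]


def repeated_wrong_password(lines, threshold):
    """Client addresses with at least `threshold` WrongPassword (ID 3) entries, for follow-up."""
    per_client = defaultdict(int)
    for line in lines:
        decoded = decode_failure(line)
        client = CLIENT_RE.search(line)
        if decoded is not None and decoded[0] == 3 and client is not None:
            per_client[client.group(1)] += 1
    return sorted(ip for ip, n in per_client.items() if n >= threshold)


# Constructed sample lines (not real Web Gateway output); the layout is an assumption.
SAMPLE_LOG = [
    "2015-06-01 10:00:01 [Auth] settings=LDAP user=jsmith client=10.0.0.5 failure=0",
    "2015-06-01 10:00:07 [Auth] settings=LDAP user=jsmith client=10.0.0.5 failure=3",
    "2015-06-01 10:00:09 [Auth] settings=LDAP user=jsmith client=10.0.0.5 failure=3",
    "2015-06-01 10:00:12 [Auth] settings=LDAP user=mjones client=10.0.0.9 failure=2",
    "2015-06-01 10:01:30 [Auth] settings=LDAP user=jsmith client=10.0.0.5 failure=5",
    "2015-06-01 10:01:31 [Auth] cache entry expired for user=jsmith",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        decoded = decode_failure(line)
        if decoded is not None:
            print(f"{decoded[0]} {decoded[1]}: {decoded[2]}")
    print(summarize(SAMPLE_LOG))
    print(server_side_failures(SAMPLE_LOG))
    print(repeated_wrong_password(SAMPLE_LOG, threshold=2))
```

Adjust the two regular expressions to the real line layout once you have a log file in front of you; the decoding and the counting do not depend on it. A run of WrongPassword entries from one client is usually a stale saved password in a client application, but it is worth checking before the account is locked on the directory server.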
Create a tcpdump for troubleshooting authentication
If the reason for a failed authentication process cannot be found by reviewing a debug log file, create
a tcpdump to retrieve more information.
Task
1 Select Troubleshooting.
2 On the troubleshooting tree, select the appliance that you want to create a tcpdump on, then click Packet tracing.
3 In the Command line parameters field, type the following:
"-s 0 -i any port 389"
The port parameter captures the communication with the LDAP server on port 389, the unencrypted LDAP port; unencrypted communication is required so that the traffic can be read for troubleshooting purposes.
4 Click tcpdump start.
5 Reproduce the problem, then click tcpdump stop.
6 Open the trace using the Wireshark tool. Then work with the ldap.bindResponse display filter to find a response from the LDAP server.
The server response usually includes LDAP, Active Directory, and other error codes. For example, in
the following line from a server response:
"invalidCredentials (80090308: LdapErr: DSID-0c09030f, comment: AcceptSecurityContext error,
data 773, vece)"
the 773 error code is an Active Directory error code meaning that the user password must be
changed.
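The error message in a bind response packs several pieces of information into one string, and the Active Directory sub-code after "data" is the one that tells you why the bind failed. The following Python parser is an added example, not part of the product guide or of Web Gateway. It takes the error message quoted above and splits it into its fields; the 773 meaning comes from the guide, the other sub-codes in the table are the standard Active Directory logon sub-codes, and the second sample message is constructed.

```python
import re

# Active Directory sub-codes returned in the "data NNN" field of a failed LDAP bind (hex).
# 773 is the value the guide explains; the rest are the standard AD logon sub-codes.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}

# Sub-codes that the user cannot clear by retyping the password; an administrator or the
# directory's password policy has to act first.
NEEDS_ADMIN_OR_POLICY = {"530", "531", "532", "533", "701", "773", "775"}

# Layout of the errorMessage string shown by Wireshark for an AD bind failure:
# <resultCode> (<NTSTATUS>: LdapErr: DSID-<id>, comment: <text>, data <subcode>, <tag>)
BIND_ERROR_RE = re.compile(
    r"(?P<result>\w+)\s*\("
    r"(?P<ntstatus>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),\s*"
    r"comment:\s*(?P<comment>[^,]+),\s*data\s*(?P<data>[0-9A-Fa-f]+),\s*(?P<tag>\w+)\)"
)


def parse_bind_error(message):
    """Split an AD bind error message into its fields; None if it does not match the layout."""
    match = BIND_ERROR_RE.search(message)
    if match is None:
        return None
    fields = match.groupdict()
    fields["data"] = fields["data"].lower()
    fields["meaning"] = AD_BIND_DATA_CODES.get(fields["data"], "sub-code not in table")
    fields["user_can_retry"] = fields["data"] not in NEEDS_ADMIN_OR_POLICY
    return fields


# The message quoted in the guide, and a constructed one with a different sub-code.
PAGE_EXAMPLE = (
    "invalidCredentials (80090308: LdapErr: DSID-0c09030f, "
    "comment: AcceptSecurityContext error, data 773, vece)"
)
CONSTRUCTED_EXAMPLE = (
    "invalidCredentials (80090308: LdapErr: DSID-0c09030f, "
    "comment: AcceptSecurityContext error, data 52e, v1db1)"
)

if __name__ == "__main__":
    for msg in (PAGE_EXAMPLE, CONSTRUCTED_EXAMPLE):
        parsed = parse_bind_error(msg)
        print(f"{parsed['result']} data={parsed['data']}: {parsed['meaning']} "
              f"(user can retry: {parsed['user_can_retry']})")
```

Two different sub-codes can sit behind the same resultCode (invalidCredentials covers both a wrong password and a password that must be changed), which is why the Web Gateway debug log alone, with its single WrongPassword failure ID, may not explain a failed bind and the tcpdump step is needed.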
Instant messaging authentication
Instant messaging authentication ensures that users of your network cannot access the web through
an instant messaging service if they are not authenticated. The authentication process looks up user
information and asks unauthenticated users to authenticate.
The following elements are involved in this process:
• Authentication rules that control the process
• The Authentication module, which retrieves information about users from different databases
An authentication rule can use an event to log information on the authentication of users who
requested access to the web.
In this case, a logging module is also involved in the process.
Authentication rules
Instant messaging authentication is not implemented by default on the appliance, but you can import
the IM Authentication rule set from the library.
This rule set contains a rule that looks up user information to see whether users who request web
access are already authenticated. The method used for looking up the information is the User
Database method.
Unauthenticated users for whom no information can be found in the user database are asked to submit their credentials for authentication.
Another rule looks up information using the Authentication Server method to see whether users are
authenticated and asks unauthenticated users for their credentials.
The Authentication module is called by these rules to retrieve the user information from the
appropriate databases.
You can review the rules in the library rule set, modify or delete them, and also create your own rules.
Authentication module
The Authentication module (also known as engine) retrieves information that is needed to authenticate
users from internal and external databases. The module is called by the authentication rules.
The different methods of retrieving user information are specified in the module settings. Accordingly,
two different settings appear in the rules of the library rule set for instant messaging communication:
• User Database at IM Authentication Server
• Authentication Server IM
These settings are implemented with the rule set when it is imported from the library.
You can configure these settings, for example, to specify the server that user information is retrieved
from under the Authentication Server method.
Logging module
The library rule set for instant messaging authentication includes a rule that logs authentication-related data, such as the user name of a user who requested web access, or the URL of the requested web object.
The logging is handled by the FileSystemLogging module, which you can also configure settings for.
Configure instant messaging authentication
You can implement instant messaging authentication and adapt it to the needs of your network.
Complete the following high-level steps.
Task
1 Import the IM Authentication rule set from the library.
2 Review the rules in the rule set and modify them as needed.
You can, for example, do the following:
• Modify the settings of the Authentication module for the User Database or the Authentication Server method.
• Modify the settings of the logging module that handles the logging of information about instant messaging authentication.
3 Save your changes.
Configure the Authentication module for instant messaging
authentication
You can configure the Authentication module to specify how it retrieves the information that is needed
to authenticate users of an instant messaging service.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the rule set for instant messaging authentication.
If you have imported this rule set from the library, it is the IM Authentication rule set.
The rules of the rule set appear on the settings pane.
3 Make sure Show details is selected.
4 Find the rules that call the Authentication module.
In the library rule set, these are the rules Authenticate Clients against the User Database and Redirect Not Authenticated Clients to the Authentication Server.
5 In the rule criteria, click the settings name of the settings you want to configure.
This name appears next to the Authentication.Authenticate property.
In the library rule set, it is the User Database at IM Authentication Server or the Authentication Server IM settings.
The Edit Settings window opens. It provides the settings for the Authentication module.
6 Configure these settings as needed.
7 Click OK to close the window.
8 Click Save Changes.
See also
Authentication settings on page 247
Configure the File System Logging module for instant
messaging authentication
You can configure the File System Logging module to specify how it logs information that is related to
instant messaging authentication.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the rule set for instant messaging authentication.
If you have imported this rule set from the library, it is the IM Authentication rule set.
The rules of the rule set appear on the settings pane.
3 Make sure Show details is selected.
4 Find the rule that calls the File System Logging module.
In the library rule set, this is the rule Show Authenticated page.
5 In the rule event, click the name of the settings for the module.
In the library rule set, this name is IM Logging.
The Edit Settings window opens. It provides the settings for the File System Logging module.
6 Configure these settings as needed.
7 Click OK to close the window.
8 Click Save Changes.
See also
File System Logging settings on page 584
IM Authentication rule set
The IM Authentication rule set is a library rule set for instant messaging authentication.
Library rule set – IM Authentication
Criteria – Always
Cycles – Requests (and IM), responses, embedded objects
The following rule sets are nested in this rule set:
• IM Authentication Server
• IM Proxy
IM Authentication Server
This nested rule set handles authentication for instant messaging users. It applies the User Database
method for retrieving user information.
Nested library rule set – IM Authentication Server
Criteria – Authentication.IsServerRequest equals true
Cycles – Requests (and IM), responses, embedded objects
The rule set criteria specifies that the rule set applies when authentication has been requested for a
user of an instant messaging service.
The rule set contains the following rules.
Authenticate clients against user database
Authentication.Authenticate<User Database at IM Authentication server> equals false –> Authenticate<IM Authentication>
The rule uses the Authentication.Authenticate property to check whether a user who sends a chat
message or file under an instant messaging protocol is authenticated. The settings that follow the
property in the rule criteria specify the User Database method for this authentication.
If a user is not authenticated under this method, processing stops and a message is displayed asking
the user to authenticate.
The action settings specify that the IM Authentication template is used for displaying the
authentication message to the user.
Processing continues when the next user request is received.
Show Authenticated page
Always –> Redirect<Show IM Authenticated> –
Set User-Defined.logEntry = "[" + DateTime.ToISOString + "] \"" + URL.GetParameter("prot") + "\" auth \"" + Authentication.Username + "\" \"" + URL.GetParameter("scrn") + "\""
FileSystemLogging.WriteLogEntry(User-Defined.logEntry)<IM Logging>
The rule redirects a request sent from a client by an instant messaging user to an authentication
server and displays a message to inform the user about the redirect.
The action settings specify that the Show IM Authenticated template is used for the message.
The rule also uses an event to set values for a log entry on the authentication request. It uses a
second event to write this entry into a log file. A parameter of this event specifies the log entry.
The event settings specify the log file and the way it is maintained.
IM Proxy
This nested rule set handles authentication of instant messaging users. It applies the Authentication
Server method to retrieve user information.
Nested library rule set – IM Proxy
Criteria – Connection.Protocol.IsIM equals true AND IM.MessageCanSendBack is true
Cycles – Requests (and IM), responses, embedded objects
The rule set criteria specifies that the rule set applies when a user sends a chat message or a file on a
connection under an instant messaging protocol and a message can already be sent back from the
appliance to the user.
The rule set contains the following rule.
Redirect not authenticated users to the authentication server
Authentication.Authenticate<Authentication Server IM> equals false –> Authenticate<IM Authentication>
The rule uses the Authentication.Authenticate property to check whether a user who sends a chat
message or file under an instant messaging protocol is authenticated. The settings that follow the
property in the rule criteria specify the Authentication Server method for this authentication.
If a user is not authenticated under this method, processing stops and a message is displayed,
asking the user to authenticate.
The action settings specify that the IM Authentication template is used for displaying the
authentication message to the user.
Processing continues when the next user request is received.
One-time passwords
One-time passwords (OTPs) can be processed on Web Gateway to authenticate users. This includes
the use of passwords for authorized overriding when a web session has terminated due to quota
expiration.
When a user sends a request for web access, authentication is first performed using one of the other
authentication methods that are available on Web Gateway, for example, authentication based on
information stored in the internal user database.
If the use of one-time passwords is configured, this authentication method is performed as a second
step. Web Gateway informs the user that a one-time password is also needed for web access and upon
the user's request for such a password, it forwards the user name to a McAfee One Time Password
(McAfee OTP) server and asks the server to provide a password.
If the request is granted, the McAfee OTP server returns a one-time password, which is, however, not
exposed to Web Gateway. In its response, the McAfee OTP server also includes what is called "context"
information in a header field.
The context information lets the password field and submit button in the page that was presented to
the user be activated, so the user can click the button, which submits the one-time password and lets
the user access the requested web object.
To implement the use of one-time passwords on Web Gateway, you can import a rule set from the rule
set library. After importing the rule set, default settings are provided, which you can configure to
adapt them to the needs of your network.
The settings that need to be configured include the IP address or host name of the McAfee OTP server
and the port on this server that listens to requests from Web Gateway.
A user name and password for Web Gateway to authenticate to the McAfee OTP server are also
required.
If the communication between Web Gateway and the McAfee OTP server should be SSL-secured, you
need to import a certificate for use in this communication.
The McAfee OTP server must be configured for working with Web Gateway to handle the
authentication process.
One-time passwords for authorized overriding
When quota restrictions are imposed on web usage from within your network, a one-time password
can be used as the password that is required to override the termination of a web session due to
quota expiration.
To implement the use of one-time passwords for authorized overriding, you can import a different rule
set from the library, which also allows you to configure the settings for the authentication process.
Using one-time passwords from a McAfee Pledge device
One-time passwords for authenticating users or performing an authorized override can be provided by
a McAfee Pledge device.
To enable this method of using one-time passwords for the authentication process, you need to
implement suitable rule sets, which you can import from the rule set library. Settings for the
authentication process are implemented with the import.
For more information on working with a McAfee Pledge device, refer to the documentation for this
product.
Configure one-time passwords for authenticating users
To configure the use of one-time passwords for authenticating users, complete the following high-level
steps.
Task
1 Import the Authentication Server (Time/IP Based Session with OTP) rule set from the rule set library.
When using one-time passwords from a McAfee Pledge device, import the Authentication Server (Time/IP Based Session with OTP and Pledge) rule set.
The rule sets are located in the Authentication rule set group.
2 Configure the settings for one-time passwords.
3 Save your changes.
For information on how to configure the McAfee OTP server for working with Web Gateway, refer to the
McAfee OTP server documentation.
Configure one-time passwords for authorized overriding
To configure the use of one-time passwords for authorized overriding, complete the following high-level steps.
Task
1 Import the Authorized Override with OTP rule set from the rule set library.
When using one-time passwords from a McAfee Pledge device, import Authorized Override with OTP and Pledge.
The rule sets are located in the Coaching/Quota rule set group.
2 Configure the settings for one-time passwords.
3 Save your changes.
For information on how to configure the McAfee OTP server for working with Web Gateway, refer to the
McAfee OTP server documentation.
Configure the settings for one-time passwords
Settings for one-time passwords are implemented with default values after importing the rule sets that handle the use of these passwords. Configure these settings to adapt them to the requirements of your network.
You need to configure different settings for authentication and authorized overriding with one-time
passwords.
Task
1 Select Policy | Settings.
2 On the Engines branch of the settings tree, expand Authentication.
3 To configure settings for using one-time passwords to authenticate users, complete the following substeps. Otherwise continue with step 4.
a Click OTP.
The OTP settings appear on the settings pane.
b Configure the settings in the One-Time Password Specific Parameters section and the settings in the other sections, which are common authentication settings, as needed.
c Click IP Authentication Server.
The IP Authentication Server settings appear on the settings pane.
d Configure the settings in the IP Authentication Server Specific Parameters section and the settings in the other sections, which are common authentication settings, as needed.
e Click User Database at Authentication Server.
The User Database at Authentication Server settings appear on the settings pane.
f Configure the settings in the User Database Specific Parameters section and the settings in the other sections, which are common authentication settings, as needed.
Then continue with step 5.
4 To configure settings for using one-time passwords in authorized overriding, complete the following substeps.
a Click OTP.
The OTP settings appear on the settings pane.
b Configure the settings in the One-Time Password Specific Parameters section and the settings in the other sections, which are common authentication settings, as needed.
5 Click Save Changes.
Authentication Server (Time/IP Based Session with OTP) rule set
The Authentication Server (Time/IP Based Session with OTP) rule set is a library rule set that enables
the use of one-time passwords for authenticating users.
Library rule set – Authentication Server (Time/IP Based Session with OTP)
Criteria – Always
Cycles – Requests (and IM)
The following rule sets are nested in this rule set:
• Check for Valid Authentication Session
• Authentication Server
Check for Valid Authentication Session
This nested rule set redirects a user's request sent from a client to the authentication server if the user has not yet been successfully authenticated on that server.
Nested library rule set – Check for Valid Authentication Session
Criteria – Authentication.IsServerRequest equals false AND
(Connection.Protocol equals "HTTP" OR
Connection.Protocol equals "SSL" OR
Connection.Protocol equals "HTTPS" OR
Connection.Protocol equals "IFP")
Cycles – Requests (and IM)
The rule set criteria specifies that the rule set applies if the request that is currently processed is not requesting a connection to the authentication server and the protocol used in this communication is one of the four that are specified.
The rule set contains the following rules:
Fix hostname
Command.Name equals "CERTVERIFY" AND SSL.Server.Certificate.CN.HasWildcards equals false –>
Continue – Set URL.Host = SSL.Server.Certificate.CN
The rule uses an event to set the host name that is submitted with the URL of a request to a
particular value, which is required when communication is going on under the SSL protocol. This
value is the common name of the certificate that is provided in this communication.
The rule applies if the request that is processed contains the CERTVERIFY command and no wildcards
are allowed for the common name.
Redirect clients that do not have a valid session to the authentication server
Authentication.Authenticate<IP Authentication Server> equals false AND Command.Name does not
equal "CONNECT" –> Authenticate<Default>
The rule uses the Authentication.Authenticate property to check whether the user who sends a
request is successfully authenticated at the user database of the authentication server. For this
purpose, the IP address of the client that the request was sent from is evaluated.
The Command.Name property is used to check whether the request is a connection request in
SSL-secured communication.
If neither is the case, the user is asked to submit credentials for authentication. This action is
executed with the specified settings.
Revalidate session under ideal conditions
Authentication.CacheRemainingTime less than 400 AND
Connection.Protocol equals "HTTP" AND
Command.Name equals "GET"
–> Authenticate<Default>
Under particular conditions (which could be termed "ideal"), a user is asked to authenticate again
after sending a request to ensure the current web session is prolonged before the time quota has
elapsed completely.
This is done if communication is going on under the HTTP protocol and the request contains the GET
command.
The rule is not enabled by default.
Authentication Server
This nested rule set forwards a request for web access when a user submitted a valid one-time
password. A user who could not submit a valid one-time password is asked to authenticate.
Authentication is first performed using information from the user database on an authentication
server. A successfully authenticated user is then informed that web access also requires a one-time
password, which is sent by Web Gateway upon the user's request.
Nested library rule set – Authentication Server
Criteria – Authentication.IsServerRequest equals true
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user who sent a request must be
authenticated using information from an authentication server.
The rule set contains the following rules:
Redirect if we have a valid OTP
Authentication.Authenticate<OTP> equals true –> Redirect <Redirect Back from Authentication
Server>
The rule uses the Authentication.Authenticate property to check whether a user who submitted a
one-time password with a request for web access could be successfully authenticated.
If this is the case, web access is allowed and the user is redirected from the authentication server to
the requested web object.
Stop after providing an invalid OTP
Authentication.Failed equals true –> Block<Authorized Only>
The rule uses the Authentication.Failed property to check whether a user who submitted a one-time
password with a request for web access could not be successfully authenticated.
If this is the case, the request is blocked and a message informs the user about the blocking and the
block reason.
Authenticate user against user database
Authentication.Authenticate<User Database at Authentication Server> equals false –>
Authenticate<Default>
The rule uses the Authentication.Authenticate property to check whether a user who sent a request
and submitted an invalid one-time password could be successfully authenticated at the user database
on the authentication server.
If this is not the case, the user is asked to authenticate.
Send OTP if requested
Header.Exists(Request.OTP) equals true –> Continue – Authentication.SendOTP<OTP>
If none of the preceding rules in this rule set has applied, it means no valid one-time password was
submitted by a user who sent a request for web access, but authentication at the user database on
the authentication server was successful.
Then this rule is processed, which uses the Header.Exists property to check whether the request has
a header providing the information that sending a one-time password is requested.
If this is the case, the rule uses an event to send a one-time password to the user.
Return authentication data to client
Header.Exists("Request.OTP") equals true –> Block<Authentication Server OTP> –
Header.Block.Add("OTP Context", Authentication.OTP.Context<OTP>)
The rule uses the Header.Exists property to check whether there is a header in a request with
information that sending a one-time password is requested.
If this is the case, the request is blocked and a message sent to inform the user who sent the
request that a one time password is required for access.
An event is also triggered that adds a header with context information about the one-time password
authentication process to the block message.
The first of the two event parameters specifies the header information that is added. The second
parameter is a property that has information about the one-time password authentication process as
its value, which is the source of the added information.
Block request and offer sending OTP
Always –> Block<Authentication Server OTP>
If none of the preceding rules in this rule set have applied, the Block action of this rule is always
executed.
The action stops rule processing and the request is not forwarded.
The action settings specify that a message is sent to inform the user that a one-time password is
required for web access, which can be obtained from Web Gateway.
Authorized Override with OTP rule set
The Authorized Override with OTP rule set is a library rule set for enabling the use of one-time
passwords in authorized overriding.
Library rule set – Authorized Override with OTP and Pledge
Criteria – SSL.ClientContext.IsApplied equals true OR Command.Name does not equal "CONNECT"
Cycles – Requests (and IM)
The rule set criteria specifies that the rule set applies when SSL-secured communication is configured or the request that is currently processed is not a CONNECT request, which is usually sent at the beginning of this communication.
The following rule sets are nested in this rule set:
• Verify OTP
• OTP Needed?
Verify OTP
This nested rule set checks whether a user who sends a one-time password with a request for authorized overriding is successfully authenticated and performs a redirect to the requested web object if this is true.
Nested library rule set – Verify OTP
Criteria – Quota.AuthorizedOverride.IsActivationRequest.Strict<Default> equals true
Cycles – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request to override the
termination of a web session due to quota expiration and to continue with the session.
The rule set contains the following rules:
Verify OTP
Authentication.Authenticate<OTP> equals false –> Block<Authorized Only>
The rule uses the Authentication.Authenticate property to check whether the user who submitted a
one-time password when sending an authorized overriding request has been successfully
authenticated.
If this is not the case, the request is blocked and the user is informed about the blocking and the
reason for it.
The Block action is executed with the specified settings.
The session is validated. Redirect to the original page
Always –> Redirect<Default>
If authentication of a user who submitted a one-time password with a request for authorized
overriding did not fail, the preceding rule in this rule set does not apply and processing continues
with this rule.
The rule always allows the user to continue with the current session and performs a redirect to the
requested web object.
The Redirect action is executed with the specified settings.
OTP Needed?
This nested rule set provides a one-time password for a user who sends a request for authorized
overriding if the requested web object is located on a host within the corporate domain of McAfee.
Nested library rule set – OTP Needed?
Criteria – URL.Host matches *mcafee.com*
Cycles – Requests (and IM)
The rule set criteria specifies that the rule set applies when the host of the URL sent in a request is
located within the corporate domain of McAfee.
The rule set contains the following rules:
Send OTP if requested
Header.Exists(Request.OTP) equals true –> Continue – Authentication.SendOTP<OTP>
If none of the preceding rules in this rule set have applied when processing a request, no valid
one-time password was submitted by the user who sent the request, but authentication at the user
database of the authentication server was successful.
This rule is then processed. It uses the Header.Exists property to check whether the request has a
header providing the information that sending a one-time password is requested.
If this is the case, an event is triggered that sends a one-time password to the user.
Return authentication data to client
Header.Exists(Request.OTP) equals true –> Block<Authentication Server OTP> –
Header.Block.Add("OTP Context", Authentication.OTP.Context<OTP>)
The rule uses the Header.Exists property to check whether the request has a header providing the
information that sending a one-time password is requested.
If none of the preceding rules in this rule set have applied when processing a request, no valid
one-time password was submitted by the user who sent the request, but authentication at the user
database of the authentication server was successful.
If this is the case, the request is not forwarded and an event is triggered that sets a particular
property to a value that provides information about the authentication of the user.
The Block action is executed with the specified settings, which require that a message is sent to
inform the user about the reason of the blocking.
The information that the event provides is specified by the OTP.Context event parameter. The
property that has its value set to this information is specified in a second parameter.
Block request and offer sending OTP
Always –> Block<Authentication Server OTP>
If none of the preceding rules in this rule set have applied when processing a request, the action of
this rule is always executed.
It stops rule processing and the request is not forwarded. The action settings specify that a message
is sent to inform the user that a one-time password can be obtained from Web Gateway.
Authentication Server (Time/IP Based Session with OTP and Pledge) rule set
The Authentication Server (Time/IP Based Session with OTP and Pledge) rule set is a library rule set
for authenticating users through one-time passwords that are provided by a McAfee Pledge device.
Library rule set – Authentication Server (Time/IP Based Session with OTP and Pledge)
Criteria – Always
Cycle – Requests (and IM)
The following rule sets are nested in this rule set:
• Check for Valid Authentication Session
• Authentication Server
Check for Valid Authentication Session
This nested rule set redirects a user's request sent from a client to the authentication server if the
user has not yet been successfully authenticated on that server.
Nested library rule set – Check for Valid Authentication Session
Criteria – Authentication.IsServerRequest equals false AND
(Connection.Protocol equals "HTTP" OR
Connection.Protocol equals "SSL" OR
Connection.Protocol equals "HTTPS" OR
Connection.Protocol equals "IFP")
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies if the request that is currently processed is not
requesting a connection to the authentication server and the protocol used in this communication is
one of the four that are specified.
The rule set contains the following rules:
Fix hostname
Command.Name equals "CERTVERIFY" AND SSL.Server.Certificate.CN.HasWildcards equals false –>
Continue – Set URL.Host = SSL.Server.Certificate.CN
The rule uses an event to set the host name that is submitted with the URL of a request to a
particular value, which is required when communication is going on under the SSL protocol. This
value is the common name of the certificate that is provided in this communication.
The rule applies if the request that is processed contains the CERTVERIFY command and the common
name in the server certificate contains no wildcards.
Redirect clients that do not have a valid session to the authentication server
Authentication.Authenticate<IP Authentication Server> equals false AND Command.Name does not
equal "CONNECT" –> Authenticate<Default>
The rule uses the Authentication.Authenticate property to check whether the user who sends a
request is successfully authenticated at the user database of the authentication server. For this
purpose, the IP address of the client that the request was sent from is evaluated.
The Command.Name property is used to check whether the request is a connection request in
SSL-secured communication.
If neither is the case, the user is asked to submit credentials for authentication. This action is
executed with the specified settings.
Revalidate session under ideal conditions
Authentication.CacheRemainingTime less than 400 AND
Connection.Protocol equals "HTTP" AND
Command.Name equals "GET"
–> Authenticate<Default>
Under particular conditions (which could be termed "ideal"), a user is asked to authenticate again
after sending a request to ensure the current web session is prolonged before the time quota has
elapsed completely.
This is done if communication is going on under the HTTP protocol and the request contains the GET
command.
The rule is not enabled by default.
Authentication Server
This nested rule set forwards a request for web access by a user who submitted a valid one-time
password that was retrieved from a McAfee Pledge device.
A user who did not submit a valid one-time password is asked to authenticate. Authentication is first
performed using information from the user database of the authentication server.
A successfully authenticated user is then informed that web access also requires a one-time password
from a McAfee Pledge device.
Nested library rule set – Authentication Server
Criteria – Authentication.IsServerRequest equals true
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user who sent a request must be
authenticated using information from an authentication server.
The rule set contains the following rules:
Authenticate user against user database
Authentication.Authenticate<User Database at Authentication Server> equals false –>
Authenticate<Default>
The rule uses the Authentication.Authenticate property to check whether a user who sent a request
and submitted an invalid one-time password could be successfully authenticated at the user database
on the authentication server.
If this is not the case, the user is asked to authenticate.
Show block template
URL.GetParameter(pledgeOTP) equals " " –> Block<Authentication.Server OTP with PledgeOTP>
The rule uses the URL.GetParameter property to check whether a one-time password from a McAfee
Pledge device was sent as a parameter of the URL in a request.
If the parameter is empty, the request is blocked and the user is informed that authentication using a
one-time password from a McAfee Pledge device is also required for web access.
Retrieve OTP context
Always –> Continue – Authentication.SendOTP<OTP>
The rule uses an event to send context information on the one-time password authentication process
to an authenticated user.
This way the information is retrieved that is required to validate a one-time password on a McAfee
OTP server.
Redirect back if we have a valid OTP
Authentication.Authenticate<OTP> equals true –> Redirect<Redirect Back from Authentication
Server>
The rule uses the Authentication.Authenticate property to check whether a user who submitted a
one-time password with a request for web access could be successfully authenticated.
If this is the case, web access is allowed and the user is redirected from the authentication server to
the requested web object.
Stop after providing an invalid OTP
Authentication.Failed equals true –> Block<Authorized Only>
The rule uses the Authentication.Failed property to check whether a user who submitted a one-time
password with a request for web access could not be successfully authenticated.
If this is the case, the request is blocked and a message informs the user about the blocking and the
block reason.
Authorized Override with OTP and Pledge rule set
The Authorized Override with OTP and Pledge rule set is a library rule set for authorized overriding
using one-time passwords that are provided by a McAfee Pledge device.
Library rule set – Authorized Override with OTP and Pledge
Criteria – SSL.ClientContext.IsApplied equals true OR Command.Name does not equal "CONNECT"
Cycles – Requests (and IM)
The rule set criteria specifies that the rule set applies when SSL-secured communication is configured
or the request that is currently processed is not a CONNECT request, which is usually sent at the
beginning of this communication.
The following rule sets are nested in this rule set:
• Verify OTP
• OTP Needed?
Verify OTP
This nested rule set checks whether a user who sends a one-time password with a request for
authorized overriding is successfully authenticated and, if so, performs a redirect to the requested
web object.
Nested library rule set – Verify OTP
Criteria – Quota.AuthorizedOverride.IsActivationRequest.Strict<Default> equals true
Cycles – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request to override the
termination of a web session due to quota expiration and to continue with the session.
The rule set contains the following rules:
Verify OTP
Authentication.Authenticate<OTP> equals false –> Block<Authorized Only>
The rule uses the Authentication.Authenticate property to check whether the user who submitted a
one-time password when sending an authorized overriding request has been successfully
authenticated.
If this is not the case, the request is blocked and the user is informed about the blocking and the
reason for it.
The Block action is executed with the specified settings.
The session is validated. Redirect to the original page
Always –> Redirect<Default>
If authentication of a user who submitted a one-time password with a request for authorized
overriding did not fail, the preceding rule in this rule set does not apply and processing continues
with this rule.
The rule always allows the user to continue with the current session and performs a redirect to the
requested web object.
The Redirect action is executed with the specified settings.
OTP Needed?
This nested rule set provides a one-time password for a user who sends a request for authorized
overriding if the requested web object is located on a host within the corporate domain of McAfee.
Nested library rule set – OTP Needed?
Criteria – URL.Host matches *mcafee.com* AND
Quota.AuthorizedOverride.SessionExceeded<Default> equals true
Cycles – Requests (and IM)
The rule set criteria specifies that the rule set applies when the host of the URL sent in a request is
located within the corporate domain of McAfee and the time quota for a session that can be continued
after an authorized override has been exceeded.
The rule set contains the following rules:
Retrieve OTP context
Always –> Continue – Authentication.SendOTP<OTP>
The rule uses an event to send a one-time password to an authenticated user.
This way the context information is obtained that is required for authenticating a user through a
one-time password that is validated on a McAfee OTP server.
Block request and offer sending OTP
Always –> Block<OTP Required with Pledge>
The rule blocks a request for web access.
The action settings specify that a message is sent to inform the user that web access can be allowed
after submitting a one-time password that can be obtained from a McAfee Pledge device.
Client Certificate authentication
Submitting a client certificate can be configured as a method of accessing the user interface of the
appliance. This method is known as Client Certificate authentication or X.509 authentication.
Client Certificate authentication is one of the methods you can choose for the authentication procedure
when configuring the proxy functions of the appliance.
The following applies to the method when using it in proxy configuration.
• No user name and password are required to authenticate a user who sends a request, as they are with other methods such as NTLM or LDAP.
• The method can be implemented for requests that are sent in SSL-secured communication from a web browser on a client to an appliance that is configured in explicit proxy mode.
• The protocol used for this communication is HTTPS.
A client certificate is submitted when the SSL handshake is performed as one of the initial steps in the
communication between the appliance and a client. The request is then redirected to an authentication
server to validate the certificate.
If it is valid, authentication is successfully completed for the client and the request is eventually
forwarded to the appropriate web server.
When running multiple appliances as nodes in a configuration, it is important that the authentication
server resides on the node that a request was originally directed to.
Forwarding to the web after successful authentication must also be done from the same node.
Use of an authentication server for Client Certificate authentication is controlled by rules. You can
import an authentication server rule set and modify the rules in its nested rule sets to enable the use
of appropriate certificates.
You must also implement a way to let Client Certificate authentication be applied. A recommended
way of doing this is using cookie authentication.
If this method is implemented, authentication is required for a client that a request was sent from, but
a cookie is set for this client after a certificate has been submitted and recognized as valid once.
Submitting a certificate is then not required for subsequent requests from that client.
You can import and modify a rule set for having Client Certificate authentication handled in this way.
Use of certificates for Client Certificate authentication
Different types of certificates are required for performing authentication under the Client Certificate
authentication method, which can be implemented for SSL-secured communication.
Client certificate
A client certificate is needed to certify the identity of a client that sends a request to the appliance.
Only if the client is trusted will a request that it sends be accepted. A client is trusted if the certificate
that is submitted with the request has been signed by a Root CA (certificate authority) that is trusted.
Under the Client Certificate authentication method, the client certificate is also used for authentication.
Authentication is successfully completed if the client certificate that is submitted with a request has
been signed by a trusted certificate authority.
Server certificate
A server certificate is needed to certify the identity of a server that is involved in SSL-secured
communication.
A server is trusted by a client if the certificate that it sends during the initial steps of the
communication has been signed by a Root CA (certificate authority) that is also trusted by the client.
Under the Client Certificate authentication method, a server certificate is needed for the authentication
server.
Root CA
A Root CA (certificate authority) is an instance that signs other certificates.
In SSL-secured communication, a Root CA appears itself as a certificate that can be viewed in the
communication process.
If a Root CA is trusted by a client or server, certificates that have been signed by it are trusted as well,
which means that if a client or server submits such a signed certificate, it is trusted.
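The trust decision described above, as an added example that is not code from the guide or the product: a client certificate is accepted only if it chains to a Root CA in the trusted list (the list the appliance maintains with the Trusted checkbox), and a certificate from an unknown CA or one outside its validity period is rejected. It is written in Go against the standard crypto/x509 package; all CAs, keys and user names in it are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key and has parentKey sign tmpl; when parent is
// tmpl itself the result is a self-signed Root CA (constructed test data).
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == tmpl { // self-signed: the CA signs with its own key
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a Root CA of the kind an administrator imports into the
// appliance's certificate authority list.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return makeCert(tmpl, tmpl, nil)
}

// issueClientCert is the certificate a browser presents in the SSL handshake.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, _ := makeCert(tmpl, ca, caKey)
	return cert
}

// AuthenticateClient applies the check the guide describes: the client
// certificate is accepted only if it chains to a CA in the trusted list.
// Validity period and client-auth key usage are enforced as well, as any
// X.509 verifier should; the authenticated identity is the certificate's CN.
func AuthenticateClient(clientCert *x509.Certificate, trustedCAs []*x509.Certificate) (string, error) {
	roots := x509.NewCertPool() // empty pool, never the system roots
	for _, ca := range trustedCAs {
		roots.AddCert(ca)
	}
	_, err := clientCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	return clientCert.Subject.CommonName, nil
}

func main() {
	corpCA, corpKey := newCA("Corp Root CA") // in the appliance's trusted list
	rogueCA, rogueKey := newCA("Rogue CA")   // unknown to the appliance
	trusted := []*x509.Certificate{corpCA}
	cases := []struct {
		label string
		cert  *x509.Certificate
	}{
		{"signed by trusted CA", issueClientCert(corpCA, corpKey, "alice", time.Now().Add(time.Hour))},
		{"signed by unknown CA", issueClientCert(rogueCA, rogueKey, "mallory", time.Now().Add(time.Hour))},
		{"expired, trusted CA", issueClientCert(corpCA, corpKey, "bob", time.Now().Add(-30*time.Minute))},
	}
	for _, c := range cases {
		if user, err := AuthenticateClient(c.cert, trusted); err != nil {
			fmt.Printf("%-21s -> blocked: %v\n", c.label, err)
		} else {
			fmt.Printf("%-21s -> authenticated as %s\n", c.label, user)
		}
	}
}
```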
Rule sets for Client Certificate authentication
Rule sets for implementing the Client Certificate authentication method are available in the rule set
library.
Authentication Server (for X509 Authentication) rule set
The Authentication Server (for X509 Authentication) rule set uses several nested rule sets to handle
use of the authentication server under the Client Certificate authentication method.
• SSL Endpoint Termination — Prepares the handling of requests in SSL-secured communication
• Accept Incoming HTTPS Connections — Provides the certificates that can be submitted for the authentication server
• Content Inspection — Enables inspection of the content that is transmitted with a request
• Authentication Server Requests — Redirects requests back to the proxy on the appliance for further processing after authentication on the authentication server was completed successfully
  Requests are also redirected if a cookie has been set for a client that a request was sent from.
  If authentication could not be completed successfully on the authentication server, the user is asked to submit credentials for authentication on the user database.
• Block All Others — Blocks requests for which authentication was not completed successfully
Cookie Authentication (for X509 Authentication) rule set
The Cookie Authentication (for X509 Authentication) rule set uses several nested rule sets to initiate
use of the Client Certificate authentication method and handle the setting of cookies.
• Cookie Authentication at HTTP(S) Proxy — Contains nested rule sets that handle Client Certificate authentication with cookies
  • Set Cookie for Authenticated Clients — Sets a cookie after authentication has been successfully completed once for a client and redirects the request that the client sent back to the proxy on the appliance for further processing
  • Authenticate Clients with Authentication Server — Redirects requests sent from clients for which no cookie has been set to the authentication server
Redirecting requests to an authentication server
Under the Client Certificate authentication method, a request is redirected to an authentication server
for validating the client certificate that was submitted with it. The redirecting can be done using a
special listener port on the appliance or a unique host name.
Using a special listener port
Requests can be redirected to an authentication server using a special listener port, for example, port
444. Suppose the IP address of an appliance is 192.168.122.119, then a request will be redirected to
the authentication server by:
https://192.168.122.119:444/
However, it is important to consider whether exceptions from using a proxy have been configured for
the web browser on a client that sends the request.
• No proxy exceptions configured — If no proxy exceptions have been configured, all requests are sent to the proxy port that is listening for them on the appliance, which is port 9090 by default. Even a request to https://192.168.122.119:444/ will arrive on port 9090 if this is the configured proxy port.
  If a firewall is part of your network configuration, no exceptions from the firewall rules are needed because there is no connection from the client to port 444.
  To ensure requests are redirected to the authentication server, 444, or another value that you want to use for this purpose, must be configured for the URL.Port property in the criteria of the Authentication Server (for X509 Authentication) rule set.
  The value of the URL.Port property is the port contained in the URL that is specified by a request. It can be, for example, 444, even if the request actually arrives at port 9090.
• Proxy exceptions configured — Proxy exceptions can be configured for various reasons. For example, a web browser could be configured not to use proxies for accessing local hosts. A request to https://192.168.122.119:444/ will then not arrive at port 9090.
  Because the browser is configured to access its destination directly, it will try to connect to the appliance on port 444. This means that you need to set up a listener port with port number 444.
  If firewall rules are in place, an exception is also needed to allow requests to arrive at port 444.
  To ensure requests are processed by the appropriate rules, 444, or another value that you want to use for this purpose, must be configured for the Proxy.Port property in the criteria of the Authentication Server (for X509 Authentication) rule set.
  The value of the Proxy.Port property is the port that a request actually arrives at. It is, for example, 444 if you have set up a port with this number for receiving requests that are to be redirected to an authentication server.
Using a unique host name
Requests can be redirected to an authentication server using a unique host name, for example,
authserver.local.mcafee. Using this name, requests are redirected to the authentication server by:
https://authserver.mcafee.local
The client that the request was sent from must not try to look up the host name using DNS, as the
URL will most likely not resolve and the client will be unable to connect.
To ensure that requests are processed by the appropriate rules, this host name must be configured as
the value for the URL.Host property in the criteria of the Authentication Server (for X509
Authentication) rule set.
Implement Client Certificate authentication
The Client Certificate authentication method uses client certificates that are sent with requests for
authentication. To implement this method on the appliance, complete the following high-level steps.
Task
1 Import the Authentication Server (for X509 Authentication) rule set.
2 Modify the nested rule sets to configure the use of appropriate certificates.
3 Configure a listener port for requests sent by web browsers that are not using the proxy port on the appliance.
4 Configure a way to let Client Certificate authentication be applied.
  You can import and modify the Cookie Authentication (for X509 Authentication) rule set to use a cookie for authentication after Client Certificate authentication has been applied once and successfully been completed.
5 Make sure a suitable client certificate is available on a web browser that is used for sending requests to the appliance.
Import the Authentication Server (for X509 Authentication) rule set
To implement the Client Certificate authentication method on the appliance, there must be a rule set
that handles authentication in this way. You can import the Authentication Server (for X509
Authentication) rule set for this purpose.
We recommend that you insert the rule set at the top of the rule sets tree.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, navigate to the position where you want to insert the rule set and click Add.
3 Click Top Level Rule Set, then click Import Rule Set from Library.
  The Add from Rule Set Library window opens.
4 Select the Authentication Server (for X509 Authentication) rule set and click OK.
  If conflicts arise from the import, they are displayed next to the list of rule sets. Follow one of the suggested procedures for solving them before clicking OK.
  The rule set is inserted with its nested rule sets in the rule sets tree.
5 Review the rule set criteria and modify them if necessary.
  After the import, the criteria is:
  URL.Port equals 444 or Proxy.Port equals 444.
  This ensures that the rule set is applied to all requests coming in on that port. If you want to use a different port, specify its port number here.
Modify a rule set to configure the use of server certificates
The Authentication Server (for X509 Authentication) rule set needs to be modified to ensure
appropriate server certificates are submitted for the authentication server. The modification is done in
a nested rule set.
Because it is possible to reach the authentication server under different host names and IP addresses,
you can let the appliance submit a different server certificate each time, so that the host name or IP
address is matched by the common name in the certificate.
To achieve this, you need to import a server certificate for each host name or IP address and add it to
the list of server certificates.
Task
1 Select Policy | Rule Sets and expand the Authentication Server (for X509 Authentication) rule set.
2 Expand the nested SSL Endpoint Termination rule set and, within this rule set, select the nested Accept Incoming HTTPS Connections rule set.
3 In the Set client context rule, click the Proxy Certificate event settings.
  The Edit Settings window opens.
4 In the Define SSL Context section, review the list of server certificates.
5 To add a server certificate to the list:
  a Click the Add icon above the list.
    The Add Host to Certificate Mapping window opens.
  b In the Host field, enter the host name or IP address that the certificate should be submitted for.
  c Click Import.
    The Import Server Certificate window opens.
  d Click Browse and browse to the certificate you want to import.
  e Repeat this activity to import a key and certificate chain with the certificate.
  f Click OK.
    The window closes and the import is performed. The certificate information appears in the Add Host to Certificate Mapping window.
6 [Optional] In the Comment field, type a plain-text comment on the server certificate.
7 Click OK.
  The window closes and the server certificate appears in the list.
8 Make sure the SSL-Scanner functionality applies only to client connection checkbox is selected.
  This lets the appliance accept requests from its clients without contacting other servers of the network, which is not required in this communication.
9 Click OK to close the Edit Settings window.
10 Click Save Changes.
Modify a rule set to configure the use of certificate authorities
The Authentication Server (for X509 Authentication) rule set needs to be modified to ensure
appropriate Root CAs (certificate authorities) are configured. The modification is done in a nested rule
set.
A client certificate is trusted if signed by a certificate authority from the list that is maintained on the
appliance. You need to import all certificate authorities into the list that you want to be signing
instances for trusted client certificates.
Task
1 Select Policy | Rule Sets and expand the Authentication Server (for X509 Authentication) rule set.
2 Expand the nested SSL Authentication Server Request rule set.
3 In the Ask user for client certificate rule, click the X509 Auth module settings.
  The Edit Settings window opens.
4 In the Client Certificate Specific Parameters section, review the list of certificate authorities.
5 To add a certificate authority to the list:
  a Click the Add icon above the list.
    The Add Certificate Authority window opens.
  b In the Host field, enter the host name or IP address that the certificate should be submitted for.
  c Click Import.
    A window providing access to your local file system opens.
  d Browse to the certificate authority file you want to import.
  e Click OK.
    The window closes and the import is performed. The certificate appears in the Add Certificate Authority window.
6 Make sure the Trusted checkbox is selected.
7 [Optional] In the Comment field, type a plain-text comment on the certificate authority.
8 Click OK.
  The window closes and the certificate authority appears in the list.
9 Click OK to close the Edit Settings window.
10 Click Save Changes.
Configure a listener port for incoming requests on the appliance
Requests that are sent to the appliance can be received on the proxy port or a special listener port.
The proxy port is port 9090 by default.
You need to configure a listener port if proxy exceptions have been created that prevent requests from
arriving at the proxy port.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure a listener port on and click Proxies (HTTP(S), FTP, ICAP, and IM).
  The proxy settings appear on the settings pane.
3 Scroll down to the HTTP Proxy section.
4 Make sure Enable HTTP proxy is selected.
5 On the toolbar of the HTTP port definition list, click the Add icon.
  The Add HTTP Proxy Port window opens.
6 Configure a listener port as follows:
  a In the Listener address field, type 0.0.0.0:444.
    If you want to use a different port for listening to incoming requests, type it here.
  b In the Ports treated as SSL field, type *.
  c Make sure all other checkboxes are selected.
7 Click OK to close the Edit Settings window.
8 Click Save Changes.
9 Restart the appliance to make the configuration of the listener port effective.
Import the Cookie Authentication (for X509 Authentication) rule set
When the Client Certificate authentication method is used on the appliance, use of this method can be
initiated by the Cookie Authentication (for X509 Authentication) rule set.
We recommend that you insert this rule set after the rule sets for functions that do not require
authentication, but before the rule sets that handle the filtering functions.
This ensures the filtering functions are not executed when a request is blocked because authentication
failed, which saves resources and improves performance.
If your rule set system is similar to the default system, you can insert the rule set after the SSL
Scanner and Global Whitelist rule sets, but before the Content Filtering and Gateway Antimalware rule
sets.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, navigate to the position where you want to insert the rule set and click Add.
3 Click Top Level Rule Set, then click Import Rule Set from Library.
  The Add from Rule Set Library window opens.
4 Select the Cookie Authentication (for X509 Authentication) rule set and click OK.
  If conflicts arise from the import, they are displayed next to the list of rule sets. Follow one of the suggested procedures for solving them before clicking OK.
  The rule set is inserted with its nested rule sets in the rule sets tree.
Modify a rule set to change the listener port for incoming requests
You can modify the Cookie Authentication (for X509 Authentication) rule set to configure a listener
port for incoming requests that you want to use instead of port 444, which is the default port. The
modification is done in a nested rule set.
A special listener port must be used for receiving incoming requests if proxy exceptions are in place
that prevent requests from arriving at the proxy port of the appliance. Requests that arrive at port 444
or a different port you have configured for this purpose are redirected to the authentication server.
Task
1
Select Policy | Rule Sets and expand the Cookie Authentication (for X509 Authentication) rule set.
2
Expand the nested Cookie Authentication at HTTP(S) Proxy rule set and, within this rule set, select the
nested Authenticate Clients with Authentication Server rule set.
3
In the Set client context rule, click the Proxy Certificate event settings.
The Edit Settings window opens.
4
In the Authentication Server Specific Parameters section, review the URL in the Authentication server URL field.
The URL is by default as follows:
https://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:444
When the rule is processed, the $...$ term is replaced by the IP address of the appliance.
5
To configure a different listener port, type the number of this port here.
6
Click OK to close the Edit Settings window.
7
Click Save Changes.
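The following is an added example, not code from the product guide or from McAfee, that shows how the $<propertyInstance .../>$ placeholder in the Authentication server URL resolves and how changing the listener port number affects the resulting URL. The property value (192.0.2.10) and the alternative port (8444) are constructed sample values; the placeholder syntax and the default URL are taken from the steps above.

```python
import re
from typing import Dict

# Placeholder syntax as it appears in the Authentication server URL field:
# $<propertyInstance useMostRecentConfiguration="false" propertyId="..."/>$
PROPERTY_TOKEN = re.compile(r'\$<propertyInstance\b([^>]*?)/>\$')
ATTRIBUTE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Default value of the field (port 444 is the default listener port).
DEFAULT_AUTH_URL = (
    'https://$<propertyInstance useMostRecentConfiguration="false" '
    'propertyId="com.scur.engine.system.proxy.ip"/>$:444'
)


def expand_properties(template: str, properties: Dict[str, str]) -> str:
    """Replace every $<propertyInstance .../>$ term with the value of its propertyId.

    `properties` stands in for the appliance's own property store (an assumption);
    an unknown propertyId raises KeyError rather than leaving a dangling placeholder.
    """
    def substitute(match: "re.Match[str]") -> str:
        attributes = dict(ATTRIBUTE.findall(match.group(1)))
        property_id = attributes.get("propertyId")
        if property_id is None or property_id not in properties:
            raise KeyError(f"unknown property in template: {property_id!r}")
        return properties[property_id]

    return PROPERTY_TOKEN.sub(substitute, template)


def with_listener_port(template: str, port: int) -> str:
    """Return the template with its trailing :<port> replaced by the given port (step 5)."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not re.search(r':\d+$', template):
        raise ValueError("template does not end with a :<port> suffix")
    return re.sub(r':\d+$', f':{port}', template)


if __name__ == "__main__":
    # Constructed appliance property value; a documentation-range address.
    props = {"com.scur.engine.system.proxy.ip": "192.0.2.10"}
    print(expand_properties(DEFAULT_AUTH_URL, props))                          # https://192.0.2.10:444
    print(expand_properties(with_listener_port(DEFAULT_AUTH_URL, 8444), props))  # https://192.0.2.10:8444
```

Because the placeholder is resolved only when the rule is processed, the port you type in step 5 must match the listener port configured on the proxy (0.0.0.0:444 by default); the expansion above makes that relationship visible before the configuration is saved.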
Import a client certificate into a browser
A suitable client certificate must be available on a web browser to be sent with a request to an
appliance in SSL-secured communication.
Procedures for importing certificates vary for different browsers and are subject to change. Browser
menus can also vary depending on the operating system you are using.
The following are two possible procedures for importing a client certificate into Microsoft Internet
Explorer and Mozilla Firefox.
Tasks
•
Import a client certificate into Microsoft Internet Explorer on page 300
You can import a client certificate and make it available on Microsoft Internet Explorer for
presenting it in SSL-secured communication.
•
Import a client certificate into Mozilla Firefox on page 301
You can import a client certificate and make it available on Mozilla Firefox for presenting it
in SSL-secured communication.
Import a client certificate into Microsoft Internet Explorer
You can import a client certificate and make it available on Microsoft Internet Explorer for presenting it
in SSL-secured communication.
Before you begin
To import the certificate file, you must have stored it within your local file system.
Task
1
Open the browser and on the top-level menu bar, click Tools, then click Internet Options.
The Internet Options window opens.
2
Click the Content tab.
3
In the Certificates section, click Certificates.
The Certificates window opens.
4
Click Import.
The Certificate Import Wizard appears.
5
On the wizard pages, proceed as follows:
a
On the Welcome page, click Next.
b
On the File to Import page, click Browse and navigate to the location where you stored the certificate
file.
c
In the File Name field, type *.pfx, then press Enter.
d
Select the certificate file and click Open, then click Next.
e
On the Password page, type a password in the Password field. Then click Next.
f
On the Certificate Store page, click Place all certificates in the following store.
g
In the Certificate Store section on the same page, select Personal, then click Next.
h
On the Completing the Certificate Import Wizard page, click Finish.
6
Confirm the message that appears by clicking OK.
7
Click Close, then click OK to close the Certificates and Internet Options windows.
Import a client certificate into Mozilla Firefox
You can import a client certificate and make it available on Mozilla Firefox for presenting it in
SSL-secured communication.
Before you begin
To import the certificate file, you must have stored it within your local file system.
Task
1
Open the browser and on the top-level menu bar, click Tools, then click Options.
The Options window opens.
2
Click Advanced, then click Encryption.
3
In the Certificates section of the Encryption tab, click View Certificates.
The Certificate Manager window opens.
4
Click Import.
Your local file manager opens.
5
Navigate to the certificate file that you have stored and click Open.
6
When prompted, submit a password, then click OK.
Administrator accounts
Administrator accounts can be set up and managed on the appliance or on an external server. Roles
can be created with different access privileges for administrators.
Add an administrator account
You can add administrator accounts to the account that is created by the appliance system at the
initial setup.
Task
1
Select Accounts | Administrator Accounts.
2
Under Internal Administrator Accounts, click Add.
The Add Administrator window opens.
3
Add a user name, a password, and other settings for the account. Then click OK.
The window closes and the new account appears in the accounts list.
4
Click Save Changes.
See also
Administrator account settings on page 303
Edit an administrator account
You can edit administrator accounts including the one that is created by the appliance system at the
initial setup.
Task
1
Select Accounts | Administrator Accounts.
2
Under Internal Administrator Accounts, select an account and click Edit.
Before selecting an account, you can type a filtering term in the Filter field to display only accounts
with matching names.
The Edit Administrator window opens.
3
Edit the settings of the account as needed. Then click OK.
The window closes and the account appears with your changes in the accounts list.
4
Click Save Changes.
See also
Administrator account settings on page 303
Delete an administrator account
You can delete any administrator account, as long as there is at least one that remains.
Task
1
Select Accounts | Administrator Accounts.
2
Under Internal Administrator Accounts, select an account and click Delete.
Before selecting an account, you can type a filtering term in the Filter field to display only accounts
with matching names.
A window opens to let you confirm the deletion.
3
Click Save Changes.
Administrator account settings
The administrator account settings are used for configuring credentials and roles for administrators.
Administrator account settings
Settings for administrator accounts
Table 9-19 Administrator account settings
Option
Definition
User name
Specifies the user name of an administrator.
Password
Sets an administrator password.
Password repeated
Lets you repeat the password and confirm it.
In the Edit Administrator window, you need to select Set a new password before the two
password fields become available.
Role
Provides a list for selecting an administrator role.
You can use the Add and Edit options to add and edit roles.
The added and edited roles appear in the list of administrator roles.
Name
Specifies the real name of the person that an account is set up for.
Configuration of this name is optional.
Test with current settings
Settings for testing whether an administrator with given credentials would be admitted on the
appliance
Table 9-20 Test with current settings
Option
Definition
User
Specifies a user name that is tested.
Password
Specifies the tested password.
Test
Executes the test.
The Authentication Test Results window opens to display the outcome of the test.
Manage administrator roles
You can create roles and use them for configuring administrator accounts.
One administrator role is already created by the appliance system at the initial setup.
Task
1
Select Accounts | Administrator Accounts.
2
To add an administrator role:
a
Under Roles, click Add.
The Add Role window opens.
b
In the Name field, type a role name.
c
Configure access rights for the dashboard, rules, lists, and other items.
d
Click OK.
The window closes and the new role appears in the list of administrator roles.
3
Use the Edit and Delete options in similar ways to edit and delete roles.
4
Click Save Changes.
The newly added or edited role is now available for being assigned to an administrator account.
See also
Administrator role settings on page 304
Administrator role settings
The administrator role settings are used for configuring roles that can be assigned to administrators.
Administrator role settings
Settings for administrator roles
Table 9-21 Administrator role settings
Option
Definition
User name
Specifies the user name of an administrator.
Password
Sets an administrator password.
Password repeated
Lets you repeat the password and confirm it.
In the Edit Administrator window, you need to select Set a new password before the two
password fields become available.
Role
Provides a list for selecting an administrator role.
You can use the Add and Edit options to add and edit roles.
The added and edited roles appear in the list of administrator roles.
Name
Specifies the real name of the person that an account is set up for.
Configuring this name is optional.
Configure external account management
You can let administrator accounts be managed on external authentication servers and map externally
stored user groups and individual users to roles on an appliance.
Task
1
Select Accounts | Administrator Accounts.
2
Click Administrator accounts are managed in an external directory server.
Additional settings appear.
3
Under Authentication Server Details, configure settings for the external server.
These settings determine the way the Authentication module on the appliance retrieves information
from that server.
4
Use the settings under Authentication group = role mapping, to map user groups and individual users
stored on the external server to roles on the appliance:
a
Click Add.
The Add Group/User Role Name Mapping window opens.
b
Select the checkboxes next to the field for group or user matching as needed and type the
name of a group or user in this field.
c
Click OK.
d
Under Role to map to, select a role.
e
Click OK.
The window closes and the new mapping appears on the mappings list.
f
Click Save Changes.
You can use the Edit and Delete options in similar ways to edit and delete mappings.
10
Quota management
Quota management is a means of guiding the users of your network in their web usage. This way you
can ensure that the resources and performance of your network are not excessively impacted.
Quotas and other restrictions can be imposed in several ways:
•
Time quotas — Limit the time that users are allowed to spend on their web usage
•
Volume quotas — Limit the volume that users are allowed to consume during their web usage
•
Coaching — Limits the time that users can spend on their web usage, but allows them to exceed
the configured time limit if they choose to do so
•
Authorized override — Limits the time that users can spend on web usage in the same way as
coaching
However, the time limit can only be exceeded by an action of an authorized user, for example, a
teacher in a classroom.
•
Blocking sessions — Blocks access to the web for a configured period of time after a user
attempted to access a web object, for which access was not allowed
Quotas and other restrictions can be imposed separately or in a combination of measures.
Contents
Imposing quotas and other restrictions on web usage
Time quota
Volume quota
Coaching
Authorized override
Blocking sessions
Quota system settings
Imposing quotas and other restrictions on web usage
Imposing quotas and other restrictions in a quota management process for the users of your network
allows you to guide their web usage and limit their consumption of network resources.
The quota management process includes several elements, which contribute to it in different ways.
•
Quota management rules control the process.
•
Quota management lists are used by the rules to impose restrictions with regard to users and
particular web objects, such as URLs, IP addresses, and others.
•
Quota management modules, which are called by the rules, handle time and volume quotas,
session times, and other restrictions within the process.
A quota management process is not implemented by default on Web Gateway after the initial setup.
You can implement a process by importing suitable rule sets from the rule set library and then modify
this process to adapt it to the requirements of your web security policy.
To configure quota management, you can work with:
•
Key elements of rules — After importing the library rule sets for quota management
and clicking them on the rule sets tree, you can view and configure key elements of the
rules for the quota management process.
•
Complete rules — After clicking Unlock View in the key elements view, you can view the
rules for the quota management process completely, configure all their elements,
including the key elements, and also create new rules or delete rules.
You cannot return from this view to the key elements view unless you discard all changes
or re-import the rule set.
Quota management rules
The rules that control the management of quotas and other restrictions are contained in different rule
sets, according to the type of restriction, for example, in a time quota or a coaching rule set.
The rules in these rule sets check whether the configured limits for time and volume have been
exceeded and, if so, block requests for further web access. They also redirect requests when a
user chooses to continue with a new session.
Quota management rule sets are not implemented in the default rule set system, but can be imported
from the rule set library. The library rule set names are Time Quota, Volume Quota, Coaching,
Authorized Override, and Blocking Sessions.
You can review the rules that are implemented with the library rule sets, modify or delete them, and
also create your own rules.
Quota management lists
The rule sets for managing quotas and other restrictions use lists of web objects and users to impose
restrictions accordingly. The lists are contained in the criteria of a rule set.
For example, a list contains a number of URLs and the time quota rule set has this list in its criteria.
Then this rule set and the rules within it apply only if a user accesses one of the URLs on the list. Lists
of IP addresses or media types can be used in the same way.
You can add entries to these lists or remove entries. You can also create your own lists and let them
be used by the quota management rule sets.
Quota management modules
The quota management modules (also known as engines) handle the time and volume parameters of
the quota management process and are checked by the rule sets of the process to find out about
consumed and remaining times or volumes, session times, and other values.
There is a module for each type of restriction, for example, the Time Quota or the Coaching module.
By configuring settings for these modules, you specify the times and volumes that apply in the quota
management process. For example, when configuring the time quota module, you specify how many
hours and minutes per day users can access web objects with particular URLs or IP addresses.
Session time
Session time is another setting that you can configure for the quota management modules.
This is the time allowed for a single session that a user spends on web usage.
Session time is configured separately and handled differently for time quotas, volume quotas, and
other parameters of the quota management process.
•
Session time for time quotas — When configuring time quotas, you also need to configure a
session time. Whenever session time has elapsed for a user, the amount of time that is configured
as session time is deducted from the user’s time quota.
As long as the time quota has not been used up, the user can start a new session. When the time
quota has elapsed, a request that the user sends is blocked and a block message is displayed.
•
Session time for volume quotas — When configuring volume quotas, the session time has no
impact on the volume quota for a user.
You can still configure a session time to inform the user about the amount of time that has been
used up for web access. When time has elapsed for a session, the user can start a new session, as
long as the configured volume has not been consumed.
If you set the session time to zero, no session time is configured and communicated to the user.
•
Session time for other quota management functions — Session time can also be configured
for Coaching, Authorized Override, and Blocking Sessions. Accordingly, there can be a
coaching, an authorized override, or a blocking session.
When session time has elapsed for coaching and authorized overriding, a request that a user sends
is blocked.
A message is displayed to the user, stating why the request was blocked. The user can start a new
session unless time quota has also been configured and is used up.
The session time that is configured for a blocking session is the time during which requests sent by
a particular user are blocked. When this time has elapsed, requests from the user are again
accepted unless time quota has also been configured and is used up.
Combining quota management functions
Using a particular quota management function to restrict web usage has no impact on the use of other
quota management functions. For example, time quotas and volume quotas are configured and
implemented separately on the appliance.
You can, however, combine these functions in meaningful ways.
For example, you can impose coaching on users’ access to some URL categories, while requesting
authorized override credentials for others.
For still another group of categories you could block users who attempt to access them over a
configured period of time.
Time quota
By configuring time quotas, you can limit the time that users of your network are allowed to spend on
web usage.
Time quotas can be related to different parameters:
•
URL categories — When time quotas are related to URL categories, users are allowed only a
limited time for accessing URLs that fall into particular categories, for example, Online Shopping.
•
IP addresses — When time quotas are related to IP addresses, users who send requests from
particular IP addresses are allowed only a limited time for web usage.
•
User names — When time quotas are related to user names, users are allowed only a limited time
for web usage. Users are identified by the user names they submitted for authentication on the
appliance.
These parameters are used by the rules in the library rule set for time quotas. You can create rules of
your own that use other parameters in relation to time quotas.
The time that users spend on web usage is stored on the appliance. When the configured time quota
has been exceeded for a user, a request that this user sends is blocked. A message is displayed to the
user stating why the request was blocked.
Users are identified by the user names they submitted for authentication. If no user name is sent with
a request, web usage is recorded and blocked or allowed for the IP address of the client system that
the request was sent from.
Web usage can be limited to time spent per day, per week, or per month.
Configure time quotas
You can configure time quotas to limit the time users of your network spend on web usage.
Task
1
Select Policy | Rule Sets.
2
On the rule sets tree, expand the rule set that contains rules for time quotas, for example, the Time
Quota library rule set.
The nested rule sets appear.
3
Select the appropriate nested rule set.
For example, to configure time quotas with regard to URL categories, select Time Quota With URL
Configuration.
The general settings and rules of the rule set appear on the settings pane.
4
In the rule set criteria, click the URL Category Block List for Time Quota list name.
A yellow triangle next to a list name means the list is initially empty and you need to fill the entries.
The Edit List (Category) window opens.
5
Add URL categories to the blocking list. Then click OK to close the window.
6
In the criteria for one of the rules, click the URL Category Configuration settings name.
The Edit Settings window opens.
7
Configure session time and the time quota per day, week, and month. Then click OK to close the
window.
8
Click Save Changes.
Time Quota settings
The Time Quota settings are used for configuring the module that handles time quota management.
Time Quota per Day, Week, Month, and Session Time
Settings for time quotas
When a time unit or the session time is selected, the heading of the next section reads accordingly.
Table 10-1 Time Quota per Day, Week, Month, and Session Time
Option
Definition
Time quota per day (week, month)
When selected, the quota that is configured in the next section applies to
the selected time unit.
Session time
When selected, the quota that is configured in the next section applies to
the session time.
Hours and Minutes for . . .
Settings for time quotas that apply to the selected time unit or the session time
The heading of this section varies according to what you selected in the preceding section.
For example, if you selected Time quota per week, the heading reads Hours and Minutes for Time
Quota per Week.
Table 10-2 Hours and Minutes for . . .
Option
Definition
Hours
Sets the allowed hours per day, week, month, or for the session time.
Minutes
Sets the allowed minutes per day, week, month, or for the session time.
Actual Configured Time Quota
Displays the configured time quotas.
Table 10-3 Actual Configured Time Quota
Option
Definition
Time quota per day (week, month)
Shows the allowed time per day, week, or month.
Session time
Shows the allowed session time.
Time Quota rule set
The Time Quota rule set is a library rule set for imposing time quotas on web usage.
Library rule set – Time Quota
Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies to SSL-secured communication and to any other
communication that does not begin with the CONNECT command.
The following rule sets are nested in this rule set:
•
Time Quota With URL Configuration
•
Time Quota With IP Configuration
This rule set is not enabled initially.
•
Time Quota With Authenticated User Configuration
This rule set is not enabled initially.
Time Quota With URL Configuration
This nested rule set handles time quotas related to URL categories.
Nested library rule set – Time Quota With URL Configuration
Criteria – URL.Categories<Default> at least one in list URL Categories Blocklist for Time Quota
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls
into a category on the blocking list for time quotas related to URL categories.
The rule set contains the following rules:
Redirecting after starting new time session
Quota.Time.IsActivationRequest equals true –> Redirect<Redirection After Time Session Activation>
The rule redirects a request to let a user again access a web object after session time has been
exceeded and the user has chosen to continue with a new session.
The action settings specify a message to the requesting user.
Check if time session has been exceeded
Quota.Time.SessionExceeded<URL Category Configuration> equals true –>
Block<ActionTimeSessionBlocked>
The rule uses the Quota.Time.SessionExceeded property to check whether the configured session
time has been exceeded for a user. If it has, the user’s request for web access is blocked.
The URL Category Configuration settings, which are specified with the property, are the settings of
the module that handles time quotas.
The action settings specify a message to the requesting user.
Check if time quota has been exceeded
Quota.Time.Exceeded<URL Category Configuration> equals true –>
Block<ActionTimeQuotaBlocked>
The rule uses the Quota.Time.Exceeded property to check whether the configured time quota has
been exceeded for a user. If it has, the user’s request for web access is blocked.
The URL Category Configuration settings, which are specified with the property, are the settings of
the module that handles time quotas.
The action settings specify a message to the requesting user.
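To make the interplay of session time and time quota described in this chapter concrete (session time deducted from the quota whenever a session elapses, per-user tracking with the client IP as fallback, and the three rules above evaluated in order), here is an added simulation. It is example code, not the product's Time Quota module or any McAfee code; the settings values, the user name, the client address and the minute-of-day clock are constructed for the walk-through, and the model ignores week and month quotas.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TimeQuotaSettings:
    """Constructed stand-in for the Time Quota module settings (values are assumptions)."""
    session_minutes: int = 15          # "Session time"
    quota_per_day_minutes: int = 60    # "Time quota per day"


@dataclass
class SubjectState:
    used_minutes: int = 0                 # minutes already deducted from today's quota
    session_start: Optional[int] = None   # minute of day at which the current session began


class TimeQuotaModule:
    """Toy model of the module behind the Quota.Time.* properties (not the product's code)."""

    def __init__(self, settings: TimeQuotaSettings) -> None:
        self.settings = settings
        self.state: Dict[str, SubjectState] = {}

    @staticmethod
    def subject(user_name: Optional[str], client_ip: str) -> str:
        # Usage is recorded per authenticated user name; if no user name was sent
        # with the request, it is recorded for the client IP instead.
        return user_name if user_name else client_ip

    def _state(self, key: str) -> SubjectState:
        return self.state.setdefault(key, SubjectState())

    def session_exceeded(self, key: str, now: int) -> bool:
        """Quota.Time.SessionExceeded: has the configured session time elapsed?"""
        st = self._state(key)
        return st.session_start is not None and now - st.session_start >= self.settings.session_minutes

    def quota_exceeded(self, key: str) -> bool:
        """Quota.Time.Exceeded: is the daily quota used up?"""
        return self._state(key).used_minutes >= self.settings.quota_per_day_minutes

    def _close_session(self, key: str) -> None:
        # When session time has elapsed, the whole configured session time is
        # deducted from the quota, not the time the user actually browsed.
        st = self._state(key)
        if st.session_start is not None:
            st.used_minutes += self.settings.session_minutes
            st.session_start = None

    def evaluate(self, user_name: Optional[str], client_ip: str, now: int,
                 activation_request: bool = False) -> str:
        """Apply the three rules of Time Quota With URL Configuration in order."""
        key = self.subject(user_name, client_ip)
        st = self._state(key)
        # Rule 1: Redirecting after starting new time session
        if activation_request:
            if self.session_exceeded(key, now):
                self._close_session(key)
            if self.quota_exceeded(key):
                return "Block<ActionTimeQuotaBlocked>"
            st.session_start = now
            return "Redirect<Redirection After Time Session Activation>"
        # Rule 2: Check if time session has been exceeded
        if self.session_exceeded(key, now):
            self._close_session(key)
            return "Block<ActionTimeSessionBlocked>"
        # Rule 3: Check if time quota has been exceeded
        if self.quota_exceeded(key):
            return "Block<ActionTimeQuotaBlocked>"
        if st.session_start is None:
            st.session_start = now     # first request of the day opens a session
        return "Allow"


def run_scenario() -> List[str]:
    """Constructed walk-through: 15-minute sessions against a 30-minute daily quota."""
    module = TimeQuotaModule(TimeQuotaSettings(session_minutes=15, quota_per_day_minutes=30))
    ip = "10.0.0.5"  # constructed client address
    return [
        module.evaluate("alice", ip, 9 * 60),             # Allow, session opens at 09:00
        module.evaluate("alice", ip, 9 * 60 + 10),        # Allow, still within the session
        module.evaluate("alice", ip, 9 * 60 + 15),        # Block, session elapsed (15 min deducted)
        module.evaluate("alice", ip, 9 * 60 + 16, True),  # Redirect, user starts a new session
        module.evaluate("alice", ip, 9 * 60 + 31),        # Block, second session elapsed (30 min used)
        module.evaluate("alice", ip, 9 * 60 + 32, True),  # Block, daily quota is used up
        module.evaluate(None, ip, 9 * 60 + 32),           # Allow, unauthenticated usage tracked per IP
    ]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The last line of the scenario illustrates why the Authenticated User configuration is only as strong as the authentication in front of it: a request without a user name is accounted against the client IP, a separate subject with its own untouched quota.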
Time Quota With IP Configuration
This nested rule set handles time quotas related to IP addresses.
Nested library rule set – Time Quota With IP Configuration
Criteria – Client.IP is in list IP Blocklist for Time Quota
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request from a client with
an IP address that is on the blocking list for time quotas related to IP addresses.
The rules in this rule set are the same as in the Time Quota with URL Configuration rule set, except for
the module settings that appear in the rule criteria, which are IP Configuration.
Time Quota With Authenticated User Configuration
This nested rule set handles time quotas related to user names.
Nested library rule set – Time Quota With Authenticated User Configuration
Criteria – Authenticated.RawUserName is in list User Blocklist for Time Quota
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a request is sent by a user whose user
name is on the blocking list for time quotas related to user names.
The rules in this rule set are the same as in the Time Quota with URL Configuration rule set, except for
the module settings that appear in the rule criteria, which are Authenticated User Configuration.
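The criteria of the Time Quota rule set and its three nested rule sets, as an added example that evaluates them against a request (not code from the product guide or from McAfee). The list contents are assumptions: the library lists are empty on import, so the categories, the CIDR range and the user name below are constructed, as is the assumption that IP list entries may be address ranges.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Request:
    """The request-cycle properties that the Time Quota rule set criteria refer to."""
    command: str                        # Command.Name
    ssl_context_applied: bool           # SSL.Client.Context.IsApplied
    client_ip: str                      # Client.IP
    url_categories: Set[str] = field(default_factory=set)  # URL.Categories<Default>
    user_name: Optional[str] = None     # Authenticated.RawUserName


# Constructed list contents (assumptions; the library lists are empty on import).
URL_CATEGORIES_BLOCKLIST = {"Online Shopping", "Streaming Media"}
IP_BLOCKLIST = [ip_network("10.0.0.0/24")]
USER_BLOCKLIST = {"alice"}

URL_RULE_SET = "Time Quota With URL Configuration"
IP_RULE_SET = "Time Quota With IP Configuration"
USER_RULE_SET = "Time Quota With Authenticated User Configuration"
ENABLED_INITIALLY = {URL_RULE_SET}                  # the other two are not enabled initially
ALL_NESTED = {URL_RULE_SET, IP_RULE_SET, USER_RULE_SET}


def time_quota_rule_set_applies(req: Request) -> bool:
    """Criteria of the top-level Time Quota rule set:
    SSL.Client.Context.IsApplied equals true OR Command.Name does not equal "CONNECT".

    A bare CONNECT (tunnel setup before the SSL client context is applied) is
    therefore not counted against any quota; the decrypted requests inside are.
    """
    return req.ssl_context_applied or req.command != "CONNECT"


def matching_nested_rule_sets(req: Request, enabled: Set[str]) -> List[str]:
    """Names of the enabled nested rule sets whose criteria match, in tree order."""
    if not time_quota_rule_set_applies(req):
        return []
    client = ip_address(req.client_ip)
    checks = [
        # URL.Categories<Default> at least one in list URL Categories Blocklist for Time Quota
        (URL_RULE_SET, bool(req.url_categories & URL_CATEGORIES_BLOCKLIST)),
        # Client.IP is in list IP Blocklist for Time Quota
        (IP_RULE_SET, any(client in net for net in IP_BLOCKLIST)),
        # Authenticated.RawUserName is in list User Blocklist for Time Quota
        (USER_RULE_SET, req.user_name in USER_BLOCKLIST),
    ]
    return [name for name, matched in checks if name in enabled and matched]


if __name__ == "__main__":
    shop = Request("GET", False, "10.0.0.7", {"Online Shopping"}, "alice")
    print(matching_nested_rule_sets(shop, ENABLED_INITIALLY))   # URL configuration only
    print(matching_nested_rule_sets(shop, ALL_NESTED))          # all three match
```

Run with only the initially enabled nested rule set, a request from a listed address by a listed user still matches on the URL category alone; enabling the IP or user rule sets adds the other two paths, which is why each has its own module settings (IP Configuration, Authenticated User Configuration) and therefore its own quota counters.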
Volume quota
By configuring volume quotas, you can limit the volume of web objects, measured in GB and MB, that
the users of your network are allowed to download from the web.
Volume quotas can be related to several parameters:
•
URL categories — Users are allowed to download only a limited volume of web objects through
URLs that fall into particular categories, for example, Streaming Media.
•
IP addresses — Users who send download requests from particular IP addresses are allowed only
a limited volume.
•
User names — Users are allowed to download web objects only up to a limited volume. Users are
identified by the user names they submitted for authentication on the appliance.
•
Media types — Users are allowed to download web objects belonging to particular media types
only up to a limited volume.
These parameters are used by the rules in the library rule set for volume quotas. You can create rules
of your own that use other parameters in relation to volume quotas.
Information on the volume that users download from the web is stored on the appliance. When the
configured volume quota has been exceeded for a user, a request that this user sends is blocked. A
message is displayed to the user stating why the request was blocked.
Users are identified by the user names they submitted for authentication. If no user name is sent with
a request, web usage is recorded and blocked or allowed for the IP address of the client system that
the request was sent from.
Web downloads can be limited to volume downloaded per day, per week, or per month.
Configure volume quotas
You can configure volume quotas to limit the volume that users of your network consume during their
web usage.
Task
1
Select Policy | Rule Sets.
2
On the rule sets tree, expand the rule set that contains rules for the volume quota, for example,
the Volume Quota library rule set.
The nested rule sets appear.
3
Select the appropriate nested rule set, for example, Volume Quota With IP Configuration.
The general settings and rules of the rule set appear on the settings pane.
4
In the rule set criteria, click the appropriate blocking list name, for example, IP Block List for Volume
Quota.
A yellow triangle next to the list name means the list is initially empty and you need to fill the
entries.
The Edit List (Category) window opens.
5
Add the appropriate entries to the blocking list, for example, IP addresses. Then click OK to close
the window.
6
In the criteria for one of the rules, click the appropriate settings name, for example, IP Configuration.
The Edit Settings window opens.
7
Configure the appropriate parameters, for example, session time and the volume quota per day,
week, and month. Then click OK to close the window.
8
Click Save Changes.
Volume Quota settings
The Volume Quota settings are used for configuring the module that handles volume quota
management.
Volume Quota per Day, Week, and Month
Settings for volume quotas
When a time unit or the session time is selected, the heading of the next section reads accordingly.
Table 10-4 Volume Quota per Day, Week, and Month
Option
Definition
Volume quota per day (week, month)
When selected, the quota that is configured in the next section applies
to the selected time unit.
Session time
When selected, the quota that is configured in the next section applies
to the session time.
Volume for . . .
Settings for volume quotas that apply to the selected time unit or the session time
The heading of this section varies according to what you selected in the preceding section.
For example, if you selected Volume quota per week, the heading reads Volume for Volume Quota per
Week.
However, if you selected Session Time, the heading reads Hours and Minutes.
Table 10-5 Volume for . . .
Option
Definition
GiB
Specifies the number of GiB that are allowed as volume.
MiB
Specifies the number of MiB that are allowed as volume.
Actual Configured Volume Quota
Displays the configured volume quotas.
Table 10-6 Actual Configured Volume Quota
Option
Definition
Volume quota per day (week, month)
Shows the allowed volume per day, week, or month.
Session time
Shows the allowed session time.
Volume Quota rule set
The Volume Quota rule set is a library rule set for imposing volume quotas on web usage.
Library rule set – Volume Quota
Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies to SSL-secured communication and to other
communication that does not use the CONNECT command at the beginning.
The following rule sets are nested in this rule set:
• Time Quota With URL Configuration
• Time Quota With IP Configuration
This nested rule set is not enabled initially.
• Time Quota With Authenticated User Configuration
This nested rule set is not enabled initially.
Library rule set – Volume Quota
Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies to SSL-secured communication and to any other
communication that does not use the CONNECT command at the beginning.
The following rule sets are nested in this rule set:
• Volume Quota With URL Configuration
• Volume Quota With IP Configuration
This rule set is not enabled initially.
• Volume Quota With Authenticated User Configuration
This rule set is not enabled initially.
• Volume Quota With Media Type Configuration
This rule set is not enabled initially.
Volume Quota With URL Configuration
This nested rule set handles volume quotas related to URL categories.
Nested library rule set – Volume Quota With URL Configuration
Criteria – URL.Categories<Default> at least one in list URL Categories Blocklist for Volume Quota
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls
into a category on the blocking list for volume quotas related to URL categories.
The rule set contains the following rules:
Redirecting after starting new time session
Quota.Volume.IsActivationRequest<URL Category Configuration> equals true –> Redirect<Redirection After Volume Session Activation>
The rule redirects a request to let a user again access a web object after session time has been
exceeded and the user has chosen to continue with a new session.
The URL Category Configuration settings, which are specified with the property, are the settings of
the module that handles volume quotas.
The action settings specify a message to the requesting user.
Check if volume session has been exceeded
Quota.Volume.SessionExceeded<URL Category Configuration> equals true –> Block<ActionVolumeSessionBlocked>
The rule uses the Quota.Volume.SessionExceeded property to check whether the configured session
time has been exceeded for a user. If it has, the user’s request for web access is blocked.
The URL Category Configuration settings, which are specified with the property, are the settings of
the module that handles volume quotas.
The action settings specify a message to the requesting user.
Check if volume quota has been exceeded
Quota.Volume.Exceeded<URL Category Configuration> equals true –> Block<ActionVolumeSessionBlocked>
The rule uses the Quota.Volume.Exceeded property to check whether the configured volume quota
has been exceeded for a user. If it has, the user’s request for web access is blocked.
The URL Category Configuration settings, which are specified with the property, are the settings of
the module that handles volume quotas.
The action settings specify a message to the requesting user.
Volume Quota With IP Configuration
This nested rule set handles volume quotas related to IP addresses.
Nested library rule set – Volume Quota With IP Configuration
Criteria – Client.IP is in list IP Blocklist for Volume Quota
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request from a client with
an IP address that is on the blocking list for volume quotas related to IP addresses.
The rules in this rule set are the same as in the Volume Quota with URL Configuration rule set, except
for the module settings that appear in the rule criteria, which are IP Configuration.
Volume Quota With Authenticated User Configuration
This nested rule set handles volume quotas related to user names.
Nested library rule set – Volume Quota With Authenticated User Configuration
Criteria – Authenticated.RawUserName is in list User Blocklist for Volume Quota
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a request is sent by a user whose user
name is on the blocking list for volume quotas related to user names.
The rules in this rule set are the same as in the Volume Quota with URL Configuration rule set, except
for the module settings that appear in the rule criteria, which are Authenticated User Configuration.
Volume Quota With Media Type Configuration
This nested rule set handles volume quotas related to media types.
Nested library rule set – Volume Quota With Media Type Configuration
Criteria – MediaType.FromFileExtension at least one in list Media Type Blocklist for Volume Quota
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a request is sent to access a web object
belonging to a media type that is on the blocking list for volume quotas related to media types.
The rules in this rule set are the same as in the Volume Quota with URL Configuration rule set, except
for the module settings that appear in the rule criteria, which are Media Type Configuration.
Coaching
By configuring coaching quotas, you can limit the time that users of your network are allowed to
spend for web usage, but allow them to continue if they choose to do so.
To coach the web usage of your users, you configure a coaching session with a particular length of
time. When this session time has elapsed for a user, a block message is displayed. The user can then
choose to start a new session.
You can configure coaching in relation to the parameters used in the Coaching library rule set, such as
URL categories, IP addresses, and user names. You can also create rules of your own using other
parameters.
Configure coaching
You can configure coaching to restrict web usage for the users of your network, but allow them to
continue when they choose to do so after the configured time limit has been exceeded.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, expand the rule set that contains rules for coaching, for example, the Coaching library rule set.
The nested rule sets appear.
3 Select the appropriate nested rule set, for example, Coaching With IP Configuration.
The general settings and rules of the rule set appear on the settings pane.
4 In the rule set criteria, click the appropriate blocking list name, for example, IP Block List for Coaching.
A yellow triangle next to the list name means the list is initially empty and you need to fill in the entries.
The Edit List (Category) window opens.
5 Add the appropriate entries to the blocking list, for example, IP addresses. Then click OK to close the window.
6 In the criteria for one of the rules, click the appropriate settings name, for example, IP Configuration.
The Edit Settings window opens.
7 Configure the appropriate parameters, for example, the session time. Then click OK to close the window.
8 Click Save Changes.
Coaching settings
The Coaching settings are used for configuring the module that handles coaching.
Hours and Minutes of Session Time
Settings for configuring the length of a coaching session
Table 10-7 Hours and Minutes of Session Time
Option | Definition
Days | Sets the days of a coaching session.
Hours | Sets the hours of a coaching session.
Minutes | Sets the minutes of a coaching session.
Coaching rule set
The Coaching rule set is a library rule set for imposing restrictions on web usage that users can
pass by if they choose to do so.
Library rule set – Coaching
Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies to SSL-secured communication and to any other
communication that does not use the CONNECT command at the beginning.
The following rule sets are nested in this rule set:
• Coaching With URL Configuration
• Coaching With IP Configuration
This rule set is not enabled initially.
• Coaching With Authenticated User Configuration
This rule set is not enabled initially.
Coaching With URL Configuration
This nested rule set handles coaching related to URL categories.
Nested library rule set – Coaching With URL Configuration
Criteria – URL.Categories<Default> at least one in list URL Categories Blocklist for Coaching
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls
into a category on the blocking list for coaching related to URL categories.
The rule set contains the following rules:
Redirecting after starting new coaching session
Quota.Coaching.IsActivationRequest equals true –> Redirect<Redirection After Coaching Session Activation>
The rule redirects a request to let a user again access a web object after session time has been
exceeded and the user has chosen to continue with a new session.
The action settings specify a message to the requesting user.
Check if coaching session has been exceeded
Quota.Coaching.SessionExceeded<URL Category Configuration> equals true –> Block<ActionCoachingSessionBlocked>
The rule uses the Quota.Coaching.SessionExceeded property to check whether the configured session
time has been exceeded for a user. If it has, the user’s request for web access is blocked.
The URL Category Configuration settings, which are specified with the property, are the settings of
the module that handles coaching.
The action settings specify a message to the requesting user.
Coaching With IP Configuration
This nested rule set handles coaching related to IP addresses.
Nested library rule set – Coaching With IP Configuration
Criteria – Client.IP is in list IP Blocklist for Coaching
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request from a client with
an IP address that is on the blocking list for coaching related to IP addresses.
The rules in this rule set are the same as in the Coaching with URL Configuration rule set, except for
the module settings that appear in the rule criteria, which are IP Configuration.
Coaching With Authenticated User Configuration
This nested rule set handles coaching related to user names.
Nested library rule set – Coaching With Authenticated User Configuration
Criteria – Authenticated.RawUserName is in list User Blocklist for Coaching
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a request is sent by a user whose user
name is on the blocking list for coaching related to user names.
The rules in this rule set are the same as in the Coaching with URL Configuration rule set, except for
the module settings that appear in the rule criteria, which are Authenticated User Configuration.
Authorized override
You can configure session time for a session that allows authorized overriding.
When this session time has elapsed, a user request is blocked and a block message is displayed. The
message also asks for submission of a user name and password to start a new session.
These credentials must be those of an authorized user. For example, in a classroom situation, a user
who gets blocked after termination of an authorized override session could be a student, while the
teacher is the authorized user.
Authentication of this user is performed according to the configured authentication method. However,
when configuring this method, you cannot let it include an integrated authentication mode.
The block message also provides an option to specify the time length of the authorized override
session for the user who was blocked.
The time length that is configured for this user should not exceed the time length configured for all
other users as part of the module settings for authorized overriding.
You can configure authorized overriding in relation to the parameters used in the library rule set, such
as URL categories, IP addresses, and user names. You can also create rules of your own using other
parameters.
Configure authorized overriding
You can configure authorized overriding to restrict the web usage of your users, but allow the
configured time limit to be passed by through the action of an authorized user.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, expand the rule set that contains rules for authorized overriding, for example, the Authorized Override library rule set.
The nested rule sets appear.
3 Select the appropriate nested rule set, for example, Authorized Override With IP Configuration.
The general settings and rules of the rule set appear on the settings pane.
4 In the rule set criteria, click the appropriate blocking list name, for example, IP Block List for Authorized Override.
A yellow triangle next to the list name means the list is initially empty and you need to fill in the entries.
The Edit List (Category) window opens.
5 Add the appropriate entries to the blocking list, for example, IP addresses. Then click OK to close the window.
6 In the criteria for one of the rules, click the appropriate settings name, for example, IP Configuration.
The Edit Settings window opens.
7 Configure the appropriate parameters, for example, the session time. Then click OK to close the window.
8 Click Save Changes.
Authorized Override settings
The Authorized Override settings are used for configuring the module that handles authorized
overriding.
Hours and Minutes of Maximum Session Time
Settings for configuring the maximum time length of a session with authorized overriding.
Table 10-8 Hours and Minutes of Maximum Session Time
Option | Definition
Days | Sets the days of an Authorized Override session.
Hours | Sets the hours of an Authorized Override session.
Minutes | Sets the minutes of an Authorized Override session.
Authorized Override rule set
The Authorized Override rule set is a library rule set for imposing a time limit on web usage that can
be passed by through the action of an authorized user.
Library rule set – Authorized Override
Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies to SSL-secured communication and to any other
communication that does not use the CONNECT command at the beginning.
The following rule sets are nested in this rule set:
• Authorized Override With URL Configuration
• Authorized Override With IP Configuration
This rule set is not enabled initially.
• Authorized Override With Authenticated User Configuration
This rule set is not enabled initially.
Authorized Override With URL Configuration
This nested rule set handles authorized overriding related to URL categories.
Nested library rule set – Authorized Override With URL Configuration
Criteria – URL.Categories<Default> at least one in list URL Categories Blocklist for Authorized
Override
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls
into a category on the blocking list for authorized overriding related to URL categories.
The rule set contains the following rules:
Redirect after authenticating for authorized override
Quota.AuthorizedOverride.IsActivationRequest<URL Category Configuration> equals true AND
Authentication.Authenticate<User Database> equals true –> Redirect<Redirection After Authorized
Session Activation>
The rule redirects a request to let a user again access a web object after session time has been
exceeded and the credentials the user submitted to continue with a new session have been validated.
The action settings specify a message to the requesting user.
Check if authorized override session has been exceeded
Quota.AuthorizedOverride.SessionExceeded<URL Category Configuration> equals true –>
Block<Action Authorized Override Blocked>
The rule uses the Quota.AuthorizedOverride.SessionExceeded property to check whether the
configured session time has been exceeded for a user. If it has, the user’s request for web access is
blocked.
The URL Category Configuration settings, which are specified with the property, are the settings of
the module that handles authorized overriding.
The action settings specify a message to the requesting user.
Authorized Override With IP Configuration
This nested rule set handles authorized overriding related to IP addresses.
Nested library rule set – Authorized Override With IP Configuration
Criteria – Client.IP is in list IP Blocklist for Authorized Override
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request from a client with
an IP address that is on the blocking list for authorized overriding related to IP addresses.
The rules in this rule set are the same as in the Authorized Override with URL Configuration rule set,
except for the module settings in the rule criteria, which are IP Configuration.
Authorized Override With Authenticated User Configuration
This nested rule set handles authorized overriding related to user names.
Nested library rule set – Authorized Override With Authenticated User Configuration
Criteria – Authenticated.RawUserName is in list User Blocklist for Authorized Override
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a request is sent by a user whose user
name is on the blocking list for authorized overriding related to user names.
The rules in this rule set are the same as in the Authorized Override with URL Configuration rule set,
except for the module settings in the rule criteria, which are Authenticated User Configuration.
Blocking sessions
By configuring blocking sessions you can block requests sent by a user for a configured period of time.
A blocking session is imposed after a user has sent a request that is blocked according to a configured
rule, for example, a request for a URL that falls into a category that is not allowed.
This is a means of enforcing a web security policy that handles unwanted access to web objects with
more strictness.
You can configure blocking sessions in relation to the parameters that are used in the library rule set.
You can also create rules of your own using other parameters.
Configure blocking sessions
You can configure blocking sessions to block the requests of a user over a configured period of time after
an attempt to access a web object that is not allowed.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, expand the rule set that contains rules for the blocking session, for example, the Blocking Sessions library rule set.
The nested rule sets appear.
3 Select the appropriate nested rule set, for example, Blocking Sessions With IP Configuration.
The general settings and rules of the rule set appear on the settings pane.
4 In the rule set criteria, click the appropriate blocking list name, for example, IP Block List for Blocking Sessions.
A yellow triangle next to the list name means the list is initially empty and you need to fill in the entries.
The Edit List (Category) window opens.
5 Add the appropriate entries to the blocking list, for example, IP addresses. Then click OK to close the window.
6 In the criteria for one of the rules, click the appropriate settings name, for example, IP Configuration.
The Edit Settings window opens.
7 Configure the appropriate parameters, for example, the period of time over which sessions are blocked. Then click OK to close the window.
8 Click Save Changes.
Block Session settings
The Block Session settings are used for configuring the module that handles blocking sessions.
Hours and Minutes for Session Time
Settings for configuring the time length of a blocking session
Table 10-9 Hours and Minutes for Session Time
Option | Definition
Days | Sets the days of a blocking session.
Hours | Sets the hours of a blocking session.
Minutes | Sets the minutes of a blocking session.
Blocking Sessions rule set
The Blocking Sessions rule set is a library rule set for blocking web sessions after an attempt to access
a web object that is not allowed.
Library rule set – Blocking Sessions
Criteria – SSL.Client.Context.IsApplied equals true OR Command.Name does not equal “CONNECT”
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies to SSL-secured communication and to any other
communication that does not use the CONNECT command at the beginning.
The following rule set is nested in this rule set: Blocking Sessions With URL Configuration
Blocking Sessions With URL Configuration
This nested rule set handles blocking sessions related to URL categories.
Nested library rule set – Blocking Sessions With URL Configuration
Criteria – URL.Categories<Default> at least one in list URL Categories Blocklist for Blocking Sessions
Cycle – Requests (and IM)
The rule set criteria specifies that the rule set applies when a user sends a request for a URL that falls
into a category on the blocking list for blocking sessions related to URL categories.
The rule set contains the following rules:
Block user if blocking session is active
BlockingSession.IsBlocked<Blocking Session Configuration> equals true –> Block<Blocking Session
Template>
The rule uses the BlockingSession.IsBlocked property to check whether a blocking session has been
activated for a user who sends a request. If it has, the request is blocked.
The action settings specify a message to the requesting user.
Activate blocking session if category is in list Category List for Blocking Sessions
URL.Categories<Default> at least one in list Category List for Blocking Session –> Continue —
BlockingSession.Activate<Blocking Session Configuration>
The rule uses the URL.Categories property to check whether a URL that a user requests access to
falls into a category on the blocking list maintained especially for blocking sessions. If it falls into a
category on the list, a blocking session is activated for the user.
The BlockingSession.Activate event is used to activate the blocking session. The event settings are
specified with the event.
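The outcome for a given request depends on the nested rule set criteria and on the order of the two rules above, which is easy to get wrong when reasoning about what a user in a blocking session can still reach. The following Python model is an added example, not Web Gateway code; the two category lists, the 30-minute session time, the client IPs and the timestamps are constructed sample values, and the module class is a hypothetical stand-in for the property and event.

```python
"""Model of the Blocking Sessions With URL Configuration rule set.

Added example, not Web Gateway code. It evaluates, in order, the nested rule
set criteria and the two rules described above so you can see which requests
are blocked while a blocking session is active and when the session expires.
"""
from datetime import datetime, timedelta

# Constructed sample lists. The first gates entry to the nested rule set
# (URL Categories Blocklist for Blocking Sessions); the second is checked by
# the activating rule (Category List for Blocking Sessions).
URL_CATEGORIES_BLOCKLIST = {"Gambling", "Games", "Malicious Sites"}
CATEGORY_LIST_FOR_BLOCKING_SESSIONS = {"Malicious Sites"}

# Constructed Block Session settings (Days / Hours / Minutes of session time).
BLOCK_SESSION_SETTINGS = {"days": 0, "hours": 0, "minutes": 30}


def session_length(settings):
    """Turn the Days / Hours / Minutes settings into one timedelta."""
    return timedelta(days=settings["days"], hours=settings["hours"],
                     minutes=settings["minutes"])


class BlockingSessionModule:
    """Hypothetical stand-in for the module behind the BlockingSession.IsBlocked
    property and the BlockingSession.Activate event: one expiry per user key
    (here the client IP; a user name would work the same way)."""

    def __init__(self, settings):
        self.length = session_length(settings)
        self.expiry = {}  # user key -> datetime when the blocking session ends

    def is_blocked(self, key, now):
        until = self.expiry.get(key)
        return until is not None and now < until

    def activate(self, key, now):
        self.expiry[key] = now + self.length


def evaluate_request(module, key, url_categories, now):
    """Evaluate one request against the rule set and return the outcome.

    Rule set criteria: URL.Categories at least one in URL_CATEGORIES_BLOCKLIST
    Rule 1: BlockingSession.IsBlocked equals true -> Block
    Rule 2: URL.Categories at least one in CATEGORY_LIST -> Continue,
            event BlockingSession.Activate
    """
    categories = set(url_categories)
    if not categories & URL_CATEGORIES_BLOCKLIST:
        return "Not applied"  # rule set criteria not met; other rule sets decide
    if module.is_blocked(key, now):
        return "Block<Blocking Session Template>"
    if categories & CATEGORY_LIST_FOR_BLOCKING_SESSIONS:
        module.activate(key, now)
        # Continue: the activating request itself is not blocked by this rule
        return "Continue (blocking session activated)"
    return "Continue"


def simulate(requests, settings=BLOCK_SESSION_SETTINGS):
    """Run (minutes_after_start, user_key, categories) tuples through the rule set."""
    module = BlockingSessionModule(settings)
    start = datetime(2015, 1, 1, 9, 0)  # constructed start time
    return [evaluate_request(module, key, cats, start + timedelta(minutes=m))
            for m, key, cats in requests]


# Constructed request sequence for two clients.
SAMPLE_REQUESTS = [
    (0, "10.0.0.5", ["Malicious Sites"]),  # triggers activation, continues
    (1, "10.0.0.5", ["Games"]),            # blocklisted category, session active
    (2, "10.0.0.5", ["News"]),             # not blocklisted, rule set not applied
    (31, "10.0.0.5", ["Games"]),           # 30-minute session has expired
    (31, "10.0.0.9", ["Games"]),           # other client, never had a session
]


def sample_simulation():
    return simulate(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for req, outcome in zip(SAMPLE_REQUESTS, sample_simulation()):
        print(req, "->", outcome)
```

Note that the third request is not blocked by this rule set even though the client is in a blocking session, because the nested rule set criteria (a category on the blocklist) is not met; only other rule sets in the policy can decide it.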
Quota system settings
Quota system settings are general settings for time intervals related to quota management.
If an appliance is a node in a Central Management configuration, you can configure time intervals for
data synchronization with other nodes.
These settings are configured on the Appliances tab of the Configuration top-level menu.
They can also appear under the name of Coaching (instead of Quota), but apply in both cases to all
options that are provided for quota management: Authorized override, blocking sessions, coaching,
time quota, and volume quota.
Quota Intervals for Synchronisation and Saving in Minutes
Settings for time intervals related to quota management
Table 10-10 Quota Intervals for Synchronisation and Saving in Minutes
Option | Definition
Save interval | Limits the time (in minutes) that elapses before current quota values are saved on an appliance to the specified value.
  Quota values to be saved are, for example, the byte volumes that have been consumed by users.
Interval for sending updated quota data | Limits the time (in minutes) that elapses before current quota values are distributed from an appliance to all nodes in a Central Management configuration to the specified value.
  The distributed data includes the changes in quota values that have occurred since the last time that data were distributed from the appliance.
Interval for base synchronisation | Limits the time (in minutes) that elapses before quota values are synchronized on all nodes in a Central Management configuration to the specified value.
  The synchronization takes a snapshot of the current quota values on all appliances. The values that are most recent with regard to individual users are distributed to all appliances.
  The values are also distributed to nodes that were temporarily inactive and did not receive updates sent during that time. They are, furthermore, distributed to nodes that have been newly added to the configuration, so they did not receive any previous updates.
Cleanup database after | Limits the time (in days) that elapses before data is deleted in the quota database to the specified value.
  Before data is deleted, a check is performed to see whether the data is obsolete. Data is obsolete if the time interval that has been configured for a quota management function has elapsed.
  For example, if a particular amount of bytes has been configured as volume quota for a user to be consumed during a month, the amount that the user actually consumed during a month becomes obsolete when a new month begins. The cleanup then deletes this data if the time configured under the Cleanup database after option has also elapsed.
  Stored data becomes obsolete after a month for time quotas. For other quota management functions, other time intervals are relevant. For example, for coaching and authorized overriding, the cleanup cannot be performed before the allowed session time has elapsed.
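The following Python model is an added illustration, not Web Gateway code, of the two conditions the cleanup checks: when a stored record becomes obsolete for each quota management function, and whether the Cleanup database after interval has also elapsed. The records and the 7-day cleanup value are constructed, and the model assumes (the page does not say) that the cleanup interval is counted from the moment a record became obsolete.

```python
"""Added example, not Web Gateway code: models when the quota database cleanup
deletes a record, as described for the 'Cleanup database after' option.
Assumption (not stated on the page): the cleanup interval is counted from the
moment the record became obsolete."""
from datetime import datetime, timedelta

CLEANUP_DATABASE_AFTER_DAYS = 7  # constructed value for 'Cleanup database after'


def period_end(period_start, unit):
    """First moment after the day, week or month that period_start belongs to."""
    if unit == "day":
        return period_start + timedelta(days=1)
    if unit == "week":
        return period_start + timedelta(weeks=1)
    if unit == "month":
        if period_start.month == 12:
            return datetime(period_start.year + 1, 1, 1)
        return datetime(period_start.year, period_start.month + 1, 1)
    raise ValueError("unknown time unit: %r" % unit)


def obsolete_since(record):
    """Moment at which a stored quota record becomes obsolete.

    Time and volume quotas: when the configured day/week/month has ended.
    Coaching and authorized override: when the allowed session time has elapsed.
    """
    if record["function"] in ("time", "volume"):
        return period_end(record["period_start"], record["unit"])
    if record["function"] in ("coaching", "authorized_override"):
        return record["session_start"] + record["session_length"]
    raise ValueError("unknown quota function: %r" % record["function"])


def cleanup(records, now, cleanup_days=CLEANUP_DATABASE_AFTER_DAYS):
    """Return (kept, deleted) lists of record ids.

    A record is deleted only if it is obsolete AND the cleanup interval has
    also elapsed since it became obsolete; an obsolete record inside that
    interval is still kept.
    """
    kept, deleted = [], []
    for rec in records:
        since = obsolete_since(rec)
        if now >= since and now - since >= timedelta(days=cleanup_days):
            deleted.append(rec["id"])
        else:
            kept.append(rec["id"])
    return kept, deleted


# Constructed sample records as they might exist on 10 April 2015.
SAMPLE_RECORDS = [
    {"id": "A", "function": "volume", "unit": "month", "user": "alice",
     "period_start": datetime(2015, 3, 1), "bytes": 3 * 1024 ** 3},   # March usage
    {"id": "B", "function": "volume", "unit": "month", "user": "alice",
     "period_start": datetime(2015, 4, 1), "bytes": 512 * 1024 ** 2},  # current month
    {"id": "C", "function": "volume", "unit": "day", "user": "bob",
     "period_start": datetime(2015, 4, 5), "bytes": 40 * 1024 ** 2},   # obsolete 4 days
    {"id": "D", "function": "coaching", "user": "bob",
     "session_start": datetime(2015, 3, 30, 8, 0),
     "session_length": timedelta(hours=1)},                              # long expired
    {"id": "E", "function": "authorized_override", "user": "carol",
     "session_start": datetime(2015, 4, 9, 10, 0),
     "session_length": timedelta(hours=2)},                              # expired yesterday
]


def sample_cleanup():
    """Run the cleanup over the sample records at the constructed 'now'."""
    return cleanup(SAMPLE_RECORDS, datetime(2015, 4, 10))


if __name__ == "__main__":
    kept, deleted = sample_cleanup()
    print("kept:", kept, "deleted:", deleted)
```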
11
Web filtering
When the users of your network send requests for web access, Web Gateway filters these requests, as
well as the responses that are sent back from the web. Embedded objects sent with requests and
responses are also filtered.
Web filtering is performed in various ways. It is controlled by rules, which you can review and modify
to adapt them to the requirements of your web security policy.
Default filtering on Web Gateway includes:
• Virus and malware filtering — Blocks access to web objects that are infected by viruses and other malware
• URL filtering — Blocks or allows access to web objects with particular URLs
• Media type filtering — Blocks or allows access to web objects that belong to particular media types
Global whitelisting allows access to web objects before any of the rules for the above filtering methods
are applied. SSL scanning enables the filtering of requests that are sent on SSL-secured connections.
Contents
Virus and malware filtering
URL filtering
Media type filtering
Application filtering
Streaming media filtering
Global whitelisting
SSL scanning
Hardware Security Module
Advanced Threat Defense
Data loss prevention
Virus and malware filtering
Virus and malware filtering ensures that the users of your network cannot access web objects that are
infected by viruses and other malware. The filtering process detects infections and blocks access
accordingly.
The process includes several elements, which contribute to it in different ways.
• Filtering rules control the process.
• Whitelists are used by rules to let some web objects skip virus and malware filtering.
• The Anti-Malware module, which is called by a particular rule, scans web objects for infections by viruses and other malware.
A default process for virus and malware filtering is implemented on Web Gateway after the initial
setup. You can modify this process to adapt it to the requirements of your web security policy.
To configure virus and malware filtering, you can work with:
• Key elements of rules — After clicking the default Gateway Anti-Malware rule set on the rule sets tree, you can view and configure key elements of the default rules for the filtering process.
• Complete rules — After clicking Unlock View in the key elements view, you can view the default rules for the filtering process completely, configure all their elements, including the key elements, and also create new rules or delete rules.
You cannot return from this view to the key elements view unless you discard all changes or re-import the rule set.
Filtering rules
The rules that control virus and malware filtering are usually contained in one rule set. The key rule in
this rule set is the one that blocks access to web objects if they are infected by viruses and other
malware.
To find out whether an object is infected, the rule calls the Anti-Malware module, which scans the
object and lets the rule know about the result.
Whitelisting rules can be placed and processed in this rule set before the blocking rule. If any of them
applies, the blocking rule is skipped and the whitelisted objects are not scanned.
When the default rule set system is implemented, a rule set for virus and malware filtering is included.
Its name is Gateway Anti-Malware.
Whitelists
Whitelists are used by whitelisting rules to let the blocking rule be skipped for particular web objects,
which means no scanning is applied to these objects. There can be whitelists for URLs, media types,
and other types of objects.
You can add entries to these lists or remove entries. You can also create your own lists and let them
be used by the whitelisting rules.
Blocking lists are typically not used in virus and malware filtering because here the blocking depends
not on entries in lists, but on the findings of the Anti-Malware module.
Anti-Malware module
The Anti-Malware module is also known as the Anti-Malware engine. This module scans objects to
detect infections by viruses and other malware. According to the findings of this module, the blocking
rule blocks access to web objects or lets them pass through.
When the Anti-Malware module is called to run and scan web objects, it is by default a combination of
two modules (engines) that are running. These modules can be seen as submodules of the
Anti-Malware module. Each of these submodules uses different scanning methods.
The two default submodules are the McAfee Gateway Anti-Malware engine, and the McAfee
Anti-Malware engine. The latter uses virus signatures to detect infections in web objects.
However, this method can only detect viruses and other malware that are already known and have
been given signatures. To ensure a higher level of web security, the McAfee Gateway Anti-Malware
engine uses also proactive methods to detect new viruses and malware.
When configuring settings for the Anti-Malware module, you can change the default mode to have a
third-party submodule running in addition or alone.
To avoid temporary overloading of the submodules, you can configure an anti-malware queue that
requests are moved to before being scanned.
Configure key elements for virus and malware filtering
Configure key elements of the rules for virus and malware filtering to adapt important parts of the
filtering process to the requirements of your web security policy.
Task
1
Select Policy | Rule Sets.
2
On the rule sets tree, select the Gateway Anti-Malware rule set.
Key elements of the rules for the filtering process appear in the configuration pane.
3
Configure the key elements as needed.
4
Click Save Changes.
See also
Key elements for virus and malware filtering on page 329
Key elements for virus and malware filtering
The key elements of the rules for virus and malware filtering deal with important parts of this filtering
process.
Bypass Scanning for These Agents and Hosts
Key elements for bypassing scanning by the Anti-Malware module
Table 11-1 Bypass scanning for these agents and hosts
Option | Definition
User agent whitelist | Clicking Edit opens a window to let you edit the User Agent Whitelist that is used by a rule. You can add, modify, and remove entries on the list.
URL host whitelist | Clicking Edit opens a window to let you edit the URL Host Whitelist that is used by a rule. You can add, modify, and remove entries on the list.
Scanning Options
Key elements for the scanning activities of the Anti-Malware module
Table 11-2 Scanning Options (Option – Definition)
• Remove partial content for HTTP requests – When selected, a rule is enabled that removes the specification in an HTTP or HTTPS request for accessing only a part of the content of a web object and lets the request ask for the complete content.
If a web object, for example, a file, is delivered completely by the web server in question, it can also be scanned completely on Web Gateway. A complete scan can detect infections that might not be noticed if only a part of the web object was scanned.
• Block partial content for FTP requests – When selected, a rule is enabled that blocks FTP requests for access to only a part of the content of a web object.
Under the FTP protocol, it is not possible to remove a specification in a request for access to only a part of the content of a web object. For this reason it might be advisable to block such requests.
• Use the Media Stream Scanner – When selected, the Media Stream Scanner scans and delivers web objects that are streaming media chunk-by-chunk, to speed up the process.
The proactive functions of the McAfee Gateway Anti-Malware engine are used for the scanning, but the other engines that are available for this purpose on Web Gateway are not involved.
Gateway Anti-Malware Settings
Key elements for configuring settings for the Anti-Malware module
Table 11-3 Gateway Anti-Malware Settings (Option – Definition)
• Enable Anti-Malware scanning – When selected, a rule is enabled that calls the Anti-Malware Module, which scans web objects for infections by viruses and other malware.
• Settings – Clicking Edit opens a window to let you edit the settings for the Anti-Malware module.
Configure virus and malware filtering using the complete rules view
You can configure virus and malware filtering to adapt this process to the requirements of your
network.
Complete the following high-level steps.
Task
1
Review the rules in the rule set for virus and malware filtering.
By default, this is the Gateway Anti-Malware rule set.
2
Modify these rules as needed.
You can, for example, do the following:
• Enable or disable whitelisting rules
• Edit the lists used by the whitelisting rules
A yellow triangle next to a list name means the list is initially empty and you need to fill the
entries.
• Create whitelists of your own and let them be used by the whitelisting rules
• Modify the combination of submodules that run when the Anti-Malware module is called to scan
web objects
By default, the combination includes the following submodules:
  • McAfee Gateway Anti-Malware
  • McAfee Anti-Malware
• Modify other settings of the Anti-Malware module
3
Configure the anti-malware queues as needed to avoid overloading of the modules that scan web
objects.
4
Save your changes.
Configure settings for the Anti-Malware module
You can configure the Anti-Malware module to modify the way web objects are scanned for infections
by viruses and other malware.
Task
1
Select Policy | Rule Sets.
2
On the rule sets tree, select the rule set for virus and malware filtering.
By default, this is the Gateway Anti-Malware rule set.
The rules of the rule set appear on the settings pane.
3
Make sure Show details is selected.
4
Find the rule that calls the Anti-Malware module.
By default, this is the rule Block if virus was found.
5
In the rule criteria, click the settings name.
This name appears next to the Antimalware.Infected property. By default, it is Gateway
Anti-Malware.
The Edit Settings window opens. It provides the settings for the Anti-Malware module.
6
Configure these settings as needed. Then click OK to close the window.
7
Click Save Changes.
See also
Anti-Malware settings on page 333
Change the module combination for scanning web objects
When configuring the settings of the Anti-Malware module, you can change the combination of
submodules that run to scan web objects.
Different submodules can run under the name of the Anti-Malware module (or engine) to perform the
scanning. Which of them are available on your appliance depends on the licenses you have purchased.
Task
1
Select Policy | Rule Sets.
2
Access the Anti-Malware settings.
a
On the rule sets tree, select the rule set for virus and malware filtering.
By default, this is the Gateway Anti-Malware rule set.
The rules of the rule set appear on the settings pane.
b
Make sure Show details is selected.
c
Find the rule that calls the Anti-Malware module.
By default, this is the rule Block if virus was found.
d
In the rule criteria, click the settings name.
This name appears next to the Antimalware.Infected property. By default, it is Gateway
Anti-Malware.
The Edit Settings window opens. It provides the settings for the Anti-Malware module.
3
In the Select scanning engines and behavior section, select one of the following combinations of
submodules:
• Full McAfee coverage: The recommended high-performance configuration — When selected, the McAfee
Gateway Anti-Malware engine and the McAfee Anti-Malware engine are active.
The scanning mode is then: Proactive methods + virus signatures
This module combination is enabled by default.
• Layered coverage: Full McAfee coverage plus specific Avira engine features – minor performance impact — When
selected, the McAfee Gateway Anti-Malware engine, the McAfee Anti-Malware engine, and, for
some web objects, also the third-party Avira engine are active.
The scanning mode is then: Proactive methods + virus signatures + third-party module
functions for some web objects
• Duplicate coverage: Full McAfee coverage and Avira engine – less performance and more false positives — When
selected, the McAfee Gateway Anti-Malware engine, the McAfee Anti-Malware engine, and the
third-party Avira engine are active.
The scanning mode is then: Proactive methods + virus signatures + third-party module
functions
• Avira only: Only uses Avira engine — not recommended — When selected, only the Avira engine is active.
The scanning mode is then: Third-party module functions
4
Click OK to close the window.
5
Click Save Changes.
If you select the Avira only option when working with the Gateway Anti-Malware rule set, you should
rename the settings and the rule set to indicate that a key setting has changed.
The renaming could, for example, be from Gateway Anti-Malware (settings and rule set) to Avira
Anti-Malware (settings and rule set).
Instead of renaming the rule set and the settings, you can also create an additional rule set and
additional settings to have them available when needed for configuring rules.
Anti-Malware settings
The Anti-Malware settings are used for configuring the way the Anti-Malware module scans web objects for
infections by viruses and other malware.
Select Scanning Engines and Behavior
Settings for selecting a combination of scanning engines and their behavior in case one of them
detects an infection
The scanning engines are the submodules that run together as the Anti-Malware module to scan web
objects.
Table 11-4 Select Scanning Engines and Behavior (Option – Definition)
• Full McAfee coverage: The recommended high-performance configuration – When selected, the McAfee Gateway Anti-Malware engine and the McAfee Anti-Malware engine are active. Web objects are then scanned using: Proactive methods + Virus signatures. This option is selected by default.
• Layered coverage: Full McAfee coverage plus specific Avira engine features — minor performance impact – When selected, the McAfee Gateway Anti-Malware engine, the McAfee Anti-Malware engine, and, for some web objects, also the third-party Avira engine are active. Web objects are then scanned using: Proactive methods + Virus signatures + Third-party module functions for some web objects.
• Duplicate coverage: Full McAfee coverage and Avira engine — less performance and more false positives – When selected, the McAfee Gateway Anti-Malware engine, the McAfee Anti-Malware engine, and the third-party Avira engine are active. Web objects are then scanned using: Proactive methods + Virus signatures + Third-party module functions.
• Avira only: Only uses Avira engine — not recommended – When selected, only the Avira engine is active. Web objects are then scanned using: Third-party module functions.
• Stop virus scanning right after an engine detected a virus – When selected, engines stop scanning a web object as soon as one of them has detected an infection by a virus or other malware.
Mobile Code Behavior
Settings for configuring a risk level in classifying mobile code
The risk level can take values from 60 to 100.
A low value means the risk in proactively scanning the behavior of mobile code and not detecting that
it is malware is low because the scanning methods are applied very strictly. Mobile code will then be
classified as malware even if only a few criteria of being potentially malicious have been detected.
This can lead to classifying mobile code as malware that is actually not malicious (“false positives”).
While more proactive security is achieved with a stricter setting, accuracy in determining which mobile
code is really malicious will suffer. Consequently, the appliance might block web objects that you want
to get through to your users.
A high value means the risk in not detecting malicious mobile code is high (more “false negatives”),
but more accuracy is achieved in classifying mobile code correctly as malicious or not (fewer “false
positives”).
Table 11-5 Mobile Code Behavior (Option – Definition)
• Classification threshold – Sets a risk level as described above on a slider scale.
  • Minimum value (maximum proactivity): 60
  • Maximum value (maximum accuracy): 100
Advanced Settings
Advanced settings for all scanning submodules
Table 11-6 Advanced Settings (Option – Definition)
• Enable Antivirus prescan – When selected, performance of the submodules is improved by reducing the load sent to them for scanning. This option is by default selected. We recommend that you keep this setting. When this option is selected, the three options below it are also accessible.
• Increase Web Gateway performance by making a light-weight pass on:
  • Common web files
  • Common web files and other low-risk files
  • Common web files, other low-risk files, and web content on trustworthy sites
Files matching the selected option do not continue to the standard anti-malware scanning.
You can select one of them to configure the range of file types that light-weight malware scanning should be applied to. The third option is selected by default.
The three options are related to each other: If the first option is configured, the other two options are not effective. The second option includes the first option, the third option includes the first and the second option.
The URL Filter module is involved to verify whether the web site that a file is downloaded from is trustworthy.
Updates of virus and malware filtering information can modify the categorization of file types as safe or rarely exploited or hosted on trustworthy web sites.
• Enable GTI file reputation queries – When selected, information on the reputation of files retrieved from the Global Threat Intelligence system is included in the scanning result.
• Enable heuristic scanning – When selected, heuristic scanning methods are applied to web objects.
Advanced Settings for McAfee Gateway Anti-Malware
Advanced settings for the McAfee Gateway Anti-Malware submodule
Table 11-7 Advanced Settings for McAfee Gateway Anti-Malware (Option – Definition)
• Enable detection for potentially unwanted programs – When selected, web objects are also scanned for potentially unwanted programs.
• Enable mobile code scanning – When selected, mobile code is scanned in general. Individual settings can be configured under Scan the following mobile code types.
• Enable removal of disinfectable content detected in HTML documents by mobile code filter – When selected, the content described here can be removed.
• Scan the following mobile code types – When the following mobile code types are selected, they are scanned.
  • Windows executables – Once downloaded from the web or received by email, these executables can become a threat when launched because they run with all the privileges of the current user.
  • JavaScript – JavaScript code can be embedded virtually anywhere, from web pages and PDF documents to video and HTML files.
  • Flash ActionScript – ActionScript code can be embedded in flash videos and animations and has access to the flash player and the browser with all their functions.
  • Java applets – Java applets can be embedded in web pages. Once activated, they can run at different permission levels, based on a digital certificate and the user’s choice.
  • Java applications – Java applications run stand-alone with all privileges of the current user.
  • ActiveX controls – ActiveX controls can be embedded in web pages and office documents. Once activated, they run with all privileges of the current user.
  • Windows libraries – These libraries usually come along with an executable in a setup package or are downloaded from the web by a running executable or by malicious code.
  • Visual Basic script – Visual Basic script code can be embedded in web pages or in emails.
  • Visual Basic for applications – Visual Basic macros can be embedded in office documents created with Word, Excel, or PowerPoint.
• Block the following behavior – When the following types of behavior are selected, web objects showing this behavior are blocked.
  • Data theft: Backdoor – Malicious applications grant an attacker full remote access and control to a victim’s system through existing or newly created network channels.
  • Data theft: Keylogger – Malicious applications hook into the operating system to record and save keyboard strokes. The captured information, such as passwords, is sent back to the attacking party.
  • Data theft: Password stealer – Malicious applications gather, store, and leak sensitive information, such as the system configuration, confidential data, credentials, and other data for user authentication.
  • System compromise: Code execution exploit – Exploits for vulnerabilities in client applications, such as browsers, office programs, or multi-media players, allow an attacker to run arbitrary code on the compromised system.
  • System compromise: Browser exploit – Exploits for vulnerabilities in browser applications and plug-ins allow an attacker to run arbitrary code, steal sensitive data, or escalate privileges.
  • System compromise: Trojan – Malicious applications pretend to be harmless or useful, but actually perform damaging activities.
  • Stealth activity: Rootkit – Malicious applications or device drivers manipulate the operating system and hide the presence of malware on infected systems. After the compromise, files, registry keys, and network connections belonging to the malware processes turn invisible and can be hard to recover.
  • Viral Replication: Network worm – Malicious applications or device drivers self-replicate using email, the internet, peer-to-peer networking, or by copying themselves onto removable media such as USB devices.
  • Viral Replication: File infector virus – Self-replicating applications infect existing files on the hard-disk, embedding viral code in order to spread through the newly infected host file.
  • System compromise: Trojan downloader – Malicious applications or script code download and execute additional payload from the web.
  • System compromise: Trojan dropper – Malicious applications carry hidden payload, extract, and launch it upon execution.
  • System compromise: Trojan proxy – Malicious applications allow relaying of potentially malicious hidden network activities through the compromised system.
  • Web threats: Infected website – Websites contain injected malicious script code or request additional malicious code as soon as they are opened in a browser. The initial infection could have taken place through an SQL injection attack against the web server.
  • Stealth activity: Code injection – Applications copy their code into other, often legitimate processes, which results in a hijacking of the respective privileges and trust. This technique is typically employed by malware that tries to hide its presence on compromised systems and to evade detection.
  • Detection evasion: Obfuscated code – Applications consist of highly scrambled or encrypted code, so malicious code portions are hard to detect.
  • Detection evasion: Packed code – Applications have their content compressed by a run-time packer or protector. This changes the way the content looks, so it is harder to classify.
  • Potentially unwanted: Ad-/Spyware – Applications show potentially annoying or unwanted advertisements, but also track and analyze user behavior and activities.
  • Potentially unwanted: Adware – Applications show potentially annoying or unwanted advertisements, but also track and analyze user behavior and activities.
  • Data theft: Spyware – Applications track and analyze user behavior and activities, steal sensitive data, and leak this data to the attacker’s servers.
  • Potentially unwanted: Dialer – Applications provide access to content, for example, pornography, through a more expensive network connection.
  • Web threats: Vulnerable ActiveX controls – ActiveX controls appearing on web pages that are restricted to other on-browser usage present potential vulnerabilities.
  • Potentially unwanted: Suspicious activity – Potentially malicious code shows either non-standard or not fully trusted behavior.
  • Web threats: Cross-site scripting – Malicious scripts exploit access-control vulnerabilities in browsers or web applications to steal user data, for example, cookies.
  • Potentially unwanted: Deceptive behavior – Messages mislead the user, play missing code tricks, and fake alerts. These threats could tell users that their systems are infected with spyware and promote fake AV applications for cleaning.
  • Potentially unwanted: Redirector – Redirecting code forwards users visiting a website to other, potentially malicious locations. This behavior is often caused by an infection of a previously legitimate website.
  • Potentially unwanted: Direct kernel communication – Applications directly communicate with a Windows kernel or in kernel mode, trying, for example, to install a root kit or to destabilize the system.
  • Potentially unwanted: Privacy violation – Potentially malicious code accesses sensitive or private data, which can result in eavesdropping clipboard content or in reading registry keys.
Advanced Settings for Avira
Advanced settings for the Avira submodule
Table 11-8 Advanced Settings for Avira (Option – Definition)
• Maximum size of archive member – Limits the size (in MB) of a member in an archive that the Avira engine scans for infections. If an archive member exceeds this size, it is not scanned and the archive is blocked. The default size limit is 1024 MB.
Gateway Anti-Malware rule set
The Gateway Anti-Malware rule set is the default rule set for virus and malware filtering.
Default rule set – Gateway Anti-Malware
Criteria – Always
Cycles – Requests (and IM), Responses, Embedded Objects
The rule set contains the following rules.
Allow if user agent matches User Agent Whitelist
Header.Request.Get (“User-Agent”) matches in list User Agent WhiteList –> Stop Rule Set
The rule uses the Header.Request.Get property to check the user agent information that is sent with
the header of a request.
If the user agent in question is on the specified whitelist, processing of the rule set stops, so the
blocking rule at the end of the rule set is not processed.
A parameter of the property specifies that it is the user agent information that must be checked
when the rule is processed.
This rule is not enabled by default.
Using this rule alone for whitelisting will cause a security problem because usually a client can set
whatever user agent it prefers.
Allow URL host that matches in list Anti-Malware URL Whitelist
URL.Host matches in list Anti-Malware URL Whitelist –> Stop Rule Set
The rule uses the URL.Host property to check whether a given URL matches one of the entries on the
specified whitelist.
If it does, processing of the rule set stops and the blocking rule at the end of the rule set is not
processed.
You can use this rule to exempt web traffic from filtering when the hosts of the URLs involved are
well-known web servers for which it is safe to assume that they spread no viruses and other
malware.
Whitelisting increases performance because it avoids the effort of scanning the respective web
objects.
Remove partial content for HTTP requests
Cycle.TopName equals “Request” AND (Connection.Protocol equals “http” OR Connection.Protocol
equals “https”) –> Continue – Header.RemoveAll (“Range”)
The rule uses the Cycle.TopName and Connection.Protocol properties to check whether the current
processing cycle is the request cycle and whether a request is sent in HTTP or HTTPS mode.
If this is the case, the Header.RemoveAll event modifies the request by removing the specification
that only partial content is requested. A request for complete content is then forwarded to the
relevant web server and eventually received from there, so that the complete content of a web object
can be processed on the appliance.
For example, a complete archive can be opened and scanned for viruses and other malware.
Malicious content that is distributed over several parts of a file can be detected by scanning the
complete file, while it could go unnoticed if only parts of the file were scanned.
The Continue action lets processing continue with the next rule.
Block partial content for FTP requests
Cycle.TopName equals “Request” AND Connection.Protocol equals “ftp” AND Command.Categories
contains “Partial” –> Block<Partial Content Not Allowed>
The rule uses the Cycle.TopName, Connection.Protocol, and Command.Categories properties to check
whether the current processing cycle is the request cycle, the request is sent in FTP mode, and the
command category used for the FTP transfer contains Partial as a string.
This allows Web Gateway to detect an FTP request for partial content and block it.
Unlike with HTTP or HTTPS requests, an FTP request for partial content cannot be modified to make it
a request for complete content. However, security problems would arise if partial content was
accepted on the appliance, which are the same as the ones explained in the comment on the rule for
removing partial content from HTTP and HTTPS requests.
The action settings specify a message to the requesting user.
Start Media Stream Scanner on streaming media and skip anti-malware scanning
Cycle.Name equals "Response" AND StreamDetector.IsMediaStream<Default Streaming Detection>
equals true –> Stop Rule Set – Enable Media Stream Scanner
The rule uses the Cycle.Name property to check whether processing is in the response cycle and the
StreamDetector.IsMediaStream property to check whether the web object that is sent in response to
Web Gateway is streaming media.
If both are the case, processing of the rule set stops, so the remaining rule is not processed, and an
event is used to start the Media Stream Scanner.
Block if virus was found
Antimalware.Infected<Gateway Anti-Malware> equals true –> Block<Virus Found> –
Statistics.Counter.Increment (“BlockedByAntiMalware”,1)<Default>
The rule uses the Antimalware.Infected property to check whether a given web object is infected by
a virus or other malware.
When the Anti-Malware module is called to scan the object, it runs with the Gateway Anti-Malware
settings, as specified with the property. These settings let the module use all three of its submodules
and their methods to scan web objects.
If the module finds that a web object is infected, processing of all rules stops and the object is not
passed on further. Access to it is blocked this way.
In a request cycle, the infected web object is not passed on to the web. In the response and
embedded object cycles, it is not passed on to the user who requested it.
The action settings specify a message to this user.
The rule also uses an event to count blocking due to virus and malware infections.
The event parameters specify the counter that is incremented and the size of the increment. The
event settings specify the settings of the Statistics module, which executes the counting.
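The six default rules above are processed top to bottom, and the outcome depends on whether a rule ends with Stop Rule Set, Continue, or Block. The following is an added example (Python, not Web Gateway code) that models that evaluation order so the interactions can be exercised offline: the Context class stands in for the properties the rules read (Cycle.TopName, Connection.Protocol, the request headers, URL.Host, Command.Categories, StreamDetector.IsMediaStream, Antimalware.Infected), the two list contents are constructed placeholders, and the user-agent rule is off by default as in the product.

```python
"""Model of the default Gateway Anti-Malware rule set, evaluated top to bottom.

Added example, not Web Gateway code: it reproduces only the order and effects
of the six default rules (Stop Rule Set, Continue, Block, and the two events).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed list contents (hypothetical); in the product these are the
# User Agent Whitelist and Anti-Malware URL Whitelist lists edited in the UI.
USER_AGENT_WHITELIST = {"corp-update-agent/1.0"}
ANTI_MALWARE_URL_WHITELIST = {"updates.example.com"}


@dataclass
class Context:
    """Stand-in for the rule properties consulted by the rule set."""
    cycle: str                       # Cycle.TopName / Cycle.Name
    protocol: str = "http"           # Connection.Protocol: "http", "https", "ftp"
    headers: Dict[str, str] = field(default_factory=dict)        # request headers
    url_host: str = ""               # URL.Host
    command_categories: List[str] = field(default_factory=list)  # Command.Categories
    is_media_stream: bool = False    # StreamDetector.IsMediaStream
    infected: bool = False           # Antimalware.Infected<Gateway Anti-Malware>
    # observable effects of the rule events
    media_stream_scanner_enabled: bool = False
    counters: Dict[str, int] = field(default_factory=dict)


@dataclass
class Outcome:
    action: str                      # "stop" (rule set left early), "block", or "pass"
    rule: Optional[str] = None       # rule that decided the outcome
    message: Optional[str] = None    # block message shown to the user, if any


def evaluate(ctx: Context, user_agent_rule_enabled: bool = False) -> Outcome:
    """Run the six default rules in order and return the first decisive result."""
    # 1. Allow if user agent matches User Agent Whitelist (disabled by default).
    #    The header is client-supplied, so enabling this rule alone lets any
    #    client that presents a whitelisted string skip the blocking rule.
    if user_agent_rule_enabled and ctx.headers.get("User-Agent") in USER_AGENT_WHITELIST:
        return Outcome("stop", "Allow if user agent matches User Agent Whitelist")

    # 2. Allow URL host that matches in list Anti-Malware URL Whitelist -> Stop Rule Set.
    if ctx.url_host in ANTI_MALWARE_URL_WHITELIST:
        return Outcome("stop", "Allow URL host that matches in list Anti-Malware URL Whitelist")

    # 3. Remove partial content for HTTP requests -> Continue after Header.RemoveAll("Range").
    if ctx.cycle == "Request" and ctx.protocol in ("http", "https"):
        ctx.headers.pop("Range", None)

    # 4. Block partial content for FTP requests -> Block<Partial Content Not Allowed>.
    if ctx.cycle == "Request" and ctx.protocol == "ftp" and "Partial" in ctx.command_categories:
        return Outcome("block", "Block partial content for FTP requests", "Partial Content Not Allowed")

    # 5. Start Media Stream Scanner on streaming media -> Stop Rule Set, scanner event.
    if ctx.cycle == "Response" and ctx.is_media_stream:
        ctx.media_stream_scanner_enabled = True
        return Outcome("stop", "Start Media Stream Scanner on streaming media and skip anti-malware scanning")

    # 6. Block if virus was found -> Block<Virus Found>, increment BlockedByAntiMalware.
    if ctx.infected:
        ctx.counters["BlockedByAntiMalware"] = ctx.counters.get("BlockedByAntiMalware", 0) + 1
        return Outcome("block", "Block if virus was found", "Virus Found")

    return Outcome("pass")


if __name__ == "__main__":
    req = Context(cycle="Request", protocol="https", headers={"Range": "bytes=0-99"})
    print(evaluate(req), req.headers)              # Range header removed, request passes on
    print(evaluate(Context(cycle="Response", infected=True)))   # blocked: Virus Found
```

Two cases worth trying with the model: an infected response whose host is on the URL whitelist, or whose User-Agent is on the agent whitelist with that rule enabled, returns "stop" and never reaches rule 6, which is the bypass the text warns about; an infected media stream likewise stops at rule 5 and is handed to the Media Stream Scanner instead.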
Media stream scanning
Media streams can be scanned on Web Gateway chunk-by-chunk, which allows users to see or hear
downloaded streaming media faster, as they do not have to wait until a stream has been scanned
completely.
This scanning method is performed by the Media Stream Scanner, which is provided by the McAfee
Gateway Anti-Malware engine. Streaming media is scanned and delivered chunk-by-chunk to the client
that requested the download. If an infection is detected in a chunk, the download stops, and this
chunk and the rest of the streaming media are not delivered.
The scanning that is performed by the Media Stream Scanner uses the proactive functions of the
Gateway Anti-Malware engine. The McAfee Anti-Malware and Avira engines, which can also be
configured to scan web objects for infections by viruses and other malware, are not involved when the
Media Stream Scanner is active.
The scanner is started by an event of a rule in the Gateway Anti-Malware rule set of the default rule
set system. The rule applies if the Stream Detector module finds that a web object that was received
on Web Gateway in response to a download request is streaming media.
Processing of the rule set stops and the remaining rule in the rule set, which also lets web objects be
scanned for infections by viruses and other malware, is not processed.
If a web object is not recognized by the Stream Detector as streaming media, the rule does not apply,
processing continues with the remaining rule, and the web object is scanned according to the settings
that are configured for this rule.
Anti-malware queue
To avoid overloading of the modules that scan web objects for infections by viruses and other
malware, requests for access to web objects are moved to a queue before being processed.
This queue is known as the anti-malware queue. When a request has been received on the appliance,
it is moved to this queue by a working thread of the proxy module. It remains there until it is fetched
by another thread and forwarded to a thread of one of the scanning modules.
The same applies to responses received from web servers that requests have been forwarded to.
The working threads that deliver requests and responses to the scanning modules, as well as those
that are used by the modules to execute scanning activities, are referred to as anti-malware working
threads or simply as AV threads.
When configuring the anti-malware queue, you can specify the following:
•
Number of available anti-malware working threads
•
Size of the anti-malware queue
•
Maximum time for requests and responses to stay in the queue
Moving requests and responses to the anti-malware queue is a solution to avoid load peaks occurring
over a short period of time. Permanent overloading should be addressed by other measures.
Configure the anti-malware queue
You can configure settings for the anti-malware queue to avoid overloading of the scanning modules.
Task
1
Select Configuration | Appliances.
2
On the appliances tree, select the appliance you want to configure the anti-malware queue on and
click Anti-Malware.
The settings for the anti-malware queue appear on the settings pane.
3
Configure these settings as needed.
4
Click Save Changes.
Anti-Malware system settings
The Anti-Malware system settings are used for configuring the anti-malware queue.
Global Anti-Malware Settings
Settings for the anti-malware queue
Table 11-9 Global Anti-Malware Settings (Option – Definition)
• Number of threads for AV scanning – Sets the number of anti-malware working threads that are available on an appliance. The number you specify here applies to both the threads that forward requests and responses to threads of the scanning modules and the scanning module threads themselves. For example, if you specify 25, there will be 25 threads for forwarding and 25 for scanning.
• Use at least as many AV threads as the number of CPU cores available – When selected, the number of AV threads used for scanning activities is at least the same as the number of available CPU cores.
• Maximum number of jobs in the queue – Limits the number of requests or responses that can be moved to the anti-malware queue as jobs for the scanning modules.
• Number of seconds a scanning job stays in the queue before being removed – Limits the time (in seconds) that elapses before a request or response is removed from the anti-malware queue if it has not been forwarded for scanning.
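The three queue settings interact: a job that is refused because the queue is full and a job that expires because it waited longer than the allowed number of seconds are both lost before scanning, and only the thread count determines how fast the queue drains. The following is an added example (Python, not Web Gateway code) that models a bounded, age-limited queue with a caller-supplied clock and drives a burst of arrivals through it, so the effect of the three settings on a short load peak can be seen without a live appliance; the job names, timings, and the one-job-per-thread scan time are constructed.

```python
"""Model of the anti-malware queue: bounded size, maximum job age, N AV threads.

Added example, not Web Gateway code. Times are plain floats supplied by the
caller so the behaviour is deterministic and testable.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

INF = float("inf")


@dataclass
class Job:
    name: str
    enqueued_at: float


class AntiMalwareQueue:
    """Queue between the proxy working threads and the scanning threads."""

    def __init__(self, max_jobs: int, max_age_seconds: float) -> None:
        self.max_jobs = max_jobs            # "Maximum number of jobs in the queue"
        self.max_age = max_age_seconds      # "Number of seconds a scanning job stays in the queue"
        self._jobs: Deque[Job] = deque()
        self.rejected: List[str] = []       # refused because the queue was full
        self.expired: List[str] = []        # removed because they waited too long

    def submit(self, name: str, now: float) -> bool:
        """A proxy working thread moves a request or response into the queue."""
        self._expire(now)
        if len(self._jobs) >= self.max_jobs:
            self.rejected.append(name)
            return False
        self._jobs.append(Job(name, now))
        return True

    def fetch(self, now: float) -> Optional[Job]:
        """An AV thread takes the oldest job that is still within its age limit."""
        self._expire(now)
        return self._jobs.popleft() if self._jobs else None

    def _expire(self, now: float) -> None:
        while self._jobs and now - self._jobs[0].enqueued_at > self.max_age:
            self.expired.append(self._jobs.popleft().name)

    def __len__(self) -> int:
        return len(self._jobs)


def simulate_burst(av_threads: int, max_jobs: int, max_age: float,
                   arrivals: List[float], scan_seconds: float) -> Dict[str, int]:
    """Feed arrivals (seconds) to the queue with av_threads scanners, each taking
    scan_seconds per job; return how many jobs were scanned, rejected, expired."""
    q = AntiMalwareQueue(max_jobs, max_age)
    busy_until = [0.0] * av_threads          # when each AV thread becomes idle
    pending = sorted(arrivals)
    scanned, i, now = 0, 0, 0.0
    while i < len(pending) or len(q) > 0:
        next_arrival = pending[i] if i < len(pending) else INF
        later = [t for t in busy_until if t > now]
        next_free = min(later) if later else INF
        now = min(next_arrival, next_free)   # advance to the next event
        if now == INF:
            break
        if next_arrival == now:
            q.submit("job%d" % i, now)
            i += 1
        for t in range(av_threads):          # idle threads drain the queue
            if busy_until[t] <= now:
                job = q.fetch(now)
                if job is None:
                    break
                scanned += 1
                busy_until[t] = now + scan_seconds
    return {"scanned": scanned, "rejected": len(q.rejected), "expired": len(q.expired)}


if __name__ == "__main__":
    # Constructed peak: four jobs arrive at once, one thread, 10 s per scan, queue of 2, 5 s limit.
    print(simulate_burst(av_threads=1, max_jobs=2, max_age=5.0, arrivals=[0, 0, 0, 0], scan_seconds=10.0))
    print(simulate_burst(av_threads=4, max_jobs=10, max_age=5.0, arrivals=[0, 0, 0, 0], scan_seconds=10.0))
```

With one thread, a queue of two and a five-second limit, the constructed four-job burst yields one scanned job, one rejected at submit time and two that expire before a thread is free; with four threads the same burst is scanned completely. This is the point of the page's closing remark: the queue absorbs a short peak, while a sustained shortfall of threads shows up as steady rejection and expiry counts.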
URL filtering
URL filtering ensures that the users of your network cannot access web objects that are considered a
risk for web security or are not allowed for other reasons.
The filtering process uses blocking lists, category information, and reputation scores for the URLs of
web objects and blocks or allows access accordingly.
The process includes several elements, which contribute to it in different ways.
• Filtering rules control the process.
• A whitelist and various blocking lists are used by rules to let some web objects skip URL filtering
and block others.
• The URL Filter module, which is called by particular rules, retrieves information on URL categories
and web reputation scores from the Global Threat Intelligence service.
A default process for URL filtering is implemented on Web Gateway after the initial setup. You can
modify this process to adapt it to the requirements of your web security policy.
To configure URL filtering, you can work with:
• Key elements of rules — After clicking the default URL filtering rule set on the rule sets
tree, you can view and configure key elements of the default rules for the filtering
process.
• Complete rules — After clicking Unlock View in the key elements view, you can view the
default rules for the filtering process completely, configure all their elements, including
the key elements, and also create new rules or delete rules.
You cannot return from this view to the key elements view unless you discard all changes
or re-import the rule set.
Filtering rules
The rules that control the URL filtering process are usually contained in one URL filtering rule set. One
of these rules says, for example, that access to a URL is blocked if it matches an entry on a blocking
list.
Another rule blocks URLs if they belong to a category that is on a blocking list. This rule calls the URL
Filter module to retrieve category information for URLs from the Global Threat Intelligence system.
Another rule works in a similar way to block URLs that have a bad reputation.
A whitelisting rule exempts URLs from filtering if they match entries on the list used by the rule. This
rule is placed and processed before the blocking rules. If it applies, the blocking rules are skipped and
no URL filtering is performed for the whitelisted objects.
When the default rule set system is implemented, a rule set for URL filtering is included. Its name is
URL Filtering.
Whitelist and blocking lists
A whitelist is used by a whitelisting rule to let some URLs skip the blocking rule, which means there is
no filtering for these URLs.
Since a URL filtering rule set controls only URL filtering, multiple whitelists for several types of objects
are not needed in the filtering process, in contrast to virus and malware filtering.
Blocking lists are used by rules for blocking URLs according to the categories they belong to or
because they match an entry on a list. Each of the blocking rules uses its own list.
Filter module
The URL Filter module is also known as the URL Filter engine. It retrieves information on URL
categories and reputation scores from the Global Threat Intelligence™ service that is provided by
McAfee. Based on this information, blocking rules block access to URLs.
Various technologies, such as link crawlers, security forensics, honeypot networks, sophisticated
auto-rating tools, and customer logs are used to gather this information. An international,
multi-lingual team of McAfee web analysts evaluates the information and enters URLs under particular
categories into a database.
To gather information on the reputation of a URL, its behavior on a worldwide real-time basis is
analyzed, for example, where a URL shows up in the web, its domain behavior, and other details.
You can configure settings for this module, for example, to let it include category information retrieved
from an extended list that you provide or to perform a DNS lookup for URLs and include the
corresponding IP address in the search for category information.
Configure key elements for URL filtering
Configure key elements of the rules for URL filtering to adapt important parts of the filtering process to
the requirements of your web security policy.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select the URL Filtering rule set.
Key elements of the rules for the filtering process appear in the configuration pane.
3 Configure the key elements as needed.
4 Click Save Changes.
See also
Key elements for URL filtering on page 343
Key elements for URL filtering
The key elements for URL filtering deal with important parts of this filtering process.
Basic Filtering
Key elements for performing basic URL filtering
Table 11-10 Basic Filtering
URL whitelist: Clicking Edit opens a window to let you edit the URL whitelist that is used by a rule. You can add, modify, and remove entries on the list.
URL blocklist: Clicking Edit opens a window to let you edit the URL blocklist that is used by a rule. You can add, modify, and remove entries on the list.
URL category blocklist: Clicking Edit opens a window to let you edit the URL category blocklist that is used by a rule. You can add, modify, and remove entries on the list.
SafeSearch
Key elements for integrating SafeSearch in the URL filtering process
Table 11-11 SafeSearch
Enable SafeSearch: When selected, a rule is enabled that controls the SafeSearch part of the URL filtering process.
SafeSearch settings: Clicking Edit opens a window to let you edit the settings for the SafeSearch Enforcer module (or engine).
This module handles the integration of the SafeSearch Enforcer, which is an additional web security product, in the URL filtering process on Web Gateway.
GTI reputation
Key element for evaluating reputation scores retrieved from the Global Threat Intelligence service
within the URL filtering process
Table 11-12 GTI reputation
Block URLs with a High Risk reputation: When selected, a rule is enabled that blocks URLs with a reputation score that lets them appear to be a high or medium risk to web security.
The reputation score of a URL is established by the Global Threat Intelligence service, which is provided by McAfee. It is retrieved from this service by the URL Filter module.
Uncategorized URLs
Key element for handling URLs that could not be categorized during the URL filtering process
Table 11-13 Uncategorized URLs
Uncategorized URLs: Selecting Block enables a rule that blocks requests for access to web objects with URLs that could not be categorized during the URL filtering process.
Selecting Allow means that no action is executed by this rule. URL filtering continues with processing the next rule.
Configure URL filtering using the complete rules view
You can configure URL filtering to adapt this process to the needs of your network.
To configure URL filtering, you can work with the key elements view or the rules view.
Task
1 Review the rules in the rule set for URL filtering.
By default, this is the URL Filtering rule set.
2 Modify these rules as needed.
You can, for example, do the following.
• Enable or disable blocking rules and the whitelist rule
• Edit the lists used by these rules
A yellow triangle next to a list name means the list is initially empty and you need to fill the entries.
• Modify the settings of the URL Filter module
3 Save your changes.
Configure settings for the URL Filter module
You can configure the URL Filter module to modify the way information on URL categories and reputation scores is retrieved from the Global Threat Intelligence system.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select a rule set for URL filtering.
In the default rule set system, rule sets for URL filtering are nested in the rule sets for content filtering.
The rules appear on the settings pane.
3 Make sure Show details is selected.
4 Find the rule that uses a category blocking list.
By default, this is the rule Block URLs whose category is in Category BlockList.
5 In the rule criteria, click the settings name.
This name appears next to the URL.Categories property. By default, it is Default.
The Edit Settings window opens. It provides the settings for the URL Filter module.
6 Configure these settings as needed.
7 Click OK to close the window.
8 Click Save Changes.
See also
URL Filter settings on page 345
URL Filter settings
The URL Filter settings are used for configuring the way the URL Filter module retrieves information
from the Global Threat Intelligence system.
Extended List
Settings for extended lists
Table 11-14 Extended List
Use the extended list: Provides a list for selecting an extended list.
Add: Opens the Add List window for adding an extended list.
Edit: Opens the Edit List (Extended List) window for editing the selected extended list.
Rating Settings
Settings for retrieving rating information on URLs based on categories and reputation scores
Table 11-15 Rating Settings
Search the CGI parameters for rating: When selected, CGI parameters are included in the search for information.
CGI (Common Gateway Interface) parameters in a URL trigger scripts or programs when the URL is accessed. Information on CGIs is considered when categorizing a URL.
Search for and rate embedded URLs: When selected, embedded URLs are included in the search for information and rated.
Information on an embedded URL is considered when categorizing the embedding URL.
Searching for embedded URLs can impact performance.
Do a forward DNS lookup to rate URLs: When selected, a DNS lookup is performed for a URL that no relevant information has been found for.
The IP address that was looked up is used for another search.
Do a backward DNS lookup for unrated IP-based URLs: When selected, a backward DNS lookup, based on its IP address, is performed for a URL that no relevant information has been found for.
The host name that was looked up is used for another search.
Use the built-in keyword list: When selected, the built-in keyword list is included in the search.
Only use online GTI web reputation and categorization services: When selected, information on URL categories and reputation scores is only retrieved from the Global Threat Intelligence system.
Use online GTI web reputation and categorization services if local rating yields no results: When selected, information on URL categories and reputation scores is only retrieved from the Global Threat Intelligence system if the search in the internal database yielded no results.
Use default GTI server for web reputation and categorization services: When selected, the appliance connects to the default server for retrieving information on URL categories and reputation scores from the Global Threat Intelligence system.
• IP of the server — Specifies the IP address of the server used to connect to the Global Threat Intelligence system when the default server is not used.
Format: <domain name> or <IPv4 address> or <IPv4 address mapped to IPv6 address>
Regular IPv6 addresses cannot be specified here.
• Port of the server — Specifies the port number of the port on this server that listens to requests from the appliance.
Allowed range: 1–65535
Advanced Settings
Advanced settings for the URL Filter module
Table 11-16 Advanced Settings
Treat connection problems to the cloud as errors: When selected, problems arising on the connection from the appliance to the Global Threat Intelligence server are logged as errors.
Properties for error handling are set and eventually rules from an Error Handler rule set are executed.
Do a backward DNS lookup also for private addresses: When selected, private IP addresses are included in the backward DNS lookup.
Excluding these addresses from the lookup leads to an increase in performance for URL filtering.
This option is disabled by default.
The lookup includes the following types of addresses:
• IPv4: private addresses and zeroconf addresses
• IPv6: link local addresses, site local addresses, and unique local addresses
Proxy Settings
Settings for configuring a proxy the appliance can use to connect to the Global Threat Intelligence™ system
Table 11-17 Proxy Settings
Use upstream proxy: When selected, the appliance uses a proxy for connecting to the Global Threat Intelligence server on which lookups for URL category information, also known as “in-the-cloud” lookups, can be performed.
IP or name of the proxy: Specifies the IP address or host name of the proxy.
Port of the proxy: Specifies the number of the port on the proxy that listens for lookup requests from the appliance.
User name: Specifies a user name for the appliance when logging on to the proxy.
Password: Sets a password for an appliance.
Set: Opens a window for setting a password.
Logging
Settings for logging URL filtering activities on the appliance
Table 11-18 Logging
Enable logging: When selected, URL filtering activities are logged on the appliance.
If this option is not selected, the following logging options are grayed out.
Log level: Provides a list for selecting the log level.
Log levels are as follows:
• 00 FATAL — Logs only fatal errors.
• 01 ERRORS — Logs all errors.
• 02 WARNING — Logs errors and warnings.
• 03 INFO — Logs errors, warnings, and additional information.
• 04 DEBUG1 ... 13 DEBUG9 — Log information required for debugging URL filtering activities.
The amount of logged information increases from level DEBUG1 to DEBUG9.
• 14 TRACE — Logs information required for tracing URL filtering activities.
• 15 ALL — Logs all URL filtering activities.
(Log area): Provides a set of options for including different areas of URL filtering activities into the logging.
• LOG_AREA_ALL — When selected, all URL filtering activities are logged.
• LOG_AREA_NETWORK — When selected, activities regarding the network connections used for URL filtering are logged.
• LOG_AREA_DATABASE_SEARCH — When selected, activities regarding the retrieval of data for URL filtering from the internal database are logged.
• LOG_AREA_DNS — When selected, activities regarding a DNS lookup that is performed for URL filtering are logged.
• LOG_AREA_URL — When selected, activities for handling URLs, such as parsing them, are logged.
• LOG_AREA_CLOUD — When selected, activities regarding the retrieval of information from the Global Threat Intelligence system are logged.
Best practices - Using URL properties to whitelist web objects
URL properties, such as URL, URL.Host, URL.Host.BelongsToDomains, and others, can be used in the
criteria of rules to whitelist web objects.
When a web object is whitelisted, users are allowed to access it, for example, to view a web page or
download a file. Whitelisting rules are inserted into appropriate rule sets within the rule set system of
Web Gateway. They usually stop further rule processing with regard to the current request for
accessing a web object to prevent other rules from blocking this access.
Different URL properties can be used for different kinds of whitelisting. To allow access to an individual
web object, for example, to ensure users can download a particular file, the URL property is best used
together with a list that contains the full URL for this file.
The following examples explain which URL properties are best used for different kinds of whitelisting
and how to do it.
In addition to this, some tips and examples are given regarding the:
• Values that different URL properties are set to when a sample URL is processed that has been sent to Web Gateway in a request for web access
• Use of the two operators is in list and matches in list in the criteria of a rule
• Good and bad entries in the lists that are used with different URL properties
Whitelisting individual web objects – URL
Goal: Allow users to access individual web objects.
For example, download the file Stinger.exe, which can be accessed using the URL http://download.mcafee.com/products/mcafee-avert/Stinger/Stinger.exe.
How to do it: Use the URL string property with a list of full URLs in the criteria of a rule.
The rule could, for example, be configured as follows:
URL is in list URLWhiteList –> Stop Rule Set
If you add the URL http://download.mcafee.com/products/mcafee-avert/Stinger/Stinger.exe to the list
URLWhiteList, the file Stinger.exe is whitelisted when the rule is processed.
In a similar way, you can block access to the file using the following rule from the default
URL Filtering rule set:
URL matches in list URLBlockList –> Block
If you add the URL in question to the list URLBlockList, the file is blocked when the rule is
processed.
If the matches in list operator is used instead of is in list, expressions containing wildcards can be
entered into the list that is used by the property. The property can then also be used to whitelist
multiple web objects.
However, if all web objects provided by a particular host should be whitelisted, this can be achieved
more easily using the URL.Host property.
Whitelisting hosts – URL.Host
Goal: Allow users to access the web objects that are provided on particular hosts.
For example, download the file Stinger.exe or any other file that is provided on the host download.mcafee.com.
How to do it: Use the URL.Host string property with a list for host names in the criteria of a rule.
A rule that the URL.Host property is used in could, for example, be configured as follows:
URL.Host is in list HostWhiteList –> Stop Rule Set
If you add the host download.mcafee.com to the list HostWhiteList, all web objects that are provided
by this host are whitelisted when the rule is processed.
If the matches in list operator is used instead of is in list, expressions containing wildcards can be
entered into the list that is used by the property. The property can then also be used to whitelist
multiple hosts.
However, if all hosts within a particular domain should be whitelisted, this can be achieved more easily
using the URL.Host.BelongsToDomains property.
Whitelisting domains – URL.Host.BelongsToDomains
Goal: Allow users to access the web objects that are provided within particular domains.
For example, download the file Stinger.exe and any other file that is provided by the host download.mcafee.com, as well as any other downloadable file provided by any other host within the domain mcafee.com.
How to do it: Use the URL.Host.BelongsToDomains Boolean property with a list of domain names in the criteria of a rule.
The rule could, for example, be configured as follows:
URL.Host.BelongsToDomains("Domain List") equals true –> Stop Rule Set
If you add the domain mcafee.com to the list Domain List, all web objects within this domain are
whitelisted when the rule is processed.
The list Domain List is configured as a parameter of the URL.Host.BelongsToDomains property, which is of the Boolean type.
When, for example, the URL http://download.mcafee.com/products/mcafee-avert/Stinger/Stinger.exe
is processed, the value of the property (true or false) depends on whether the mcafee.com domain
has been entered into the list Domain List or not.
The following example shows which entries in the list Domain List lead to a match when the property
is used for whitelisting:
mcafee.com
dell.com
k12.ga.us
twitter.com
xxx
Then the criteria:
URL.Host.BelongsToDomains("Domain List") equals true
matches for the following URLs:
https://contentsecurity.mcafee.com
https://my.mcafee.com
http://my.support.dell.com
http://www.dekalb.k12.ga.us
http://twitter.com
http://www.twitter.com
any.site.xxx
but not for:
https://www.mymcafee.com
http://www.treasury.ga.us
http://malicioustwitter.com
Using the URL.Host.BelongsToDomains property also avoids the effort of creating more complicated solutions to achieve the same, for example:
• Using two entries in a list of wildcard expressions, such as:
twitter.com
*twitter.com
• Using a single, complex entry in a list of wildcard expressions, such as:
regex((.*\.|.?)twitter\.com)
Property values for a sample URL
When the sample URL http://www.mcafee.com/us/products/web-gateway.aspx is processed, the URL properties below are set to different values as follows.
URL: http://www.mcafee.com/us/products/web-gateway.aspx
URL.Host: www.mcafee.com
URL.Host.BelongsToDomains: true or false
In the list that is configured as a parameter of this property, the following would have to be entered for the domain: mcafee.com.
URL.FileName: web-gateway.aspx
URL.Path: /us/products/web-gateway.aspx
URL.Protocol: http
Use of operators for different types of matches
It makes an important difference whether the is in list or matches in list operator is used in the criteria of a rule.
is in list: Requires an exact string match.
If there are wildcard characters in a list entry, they are interpreted as literal strings.
matches in list: Allows and evaluates wildcards in list entries.
Good and bad entries in lists for URL properties
Entries in the lists that are used by the different URL properties can be good or bad, according to how they fit in with the intended use of a property. The following are examples of good and bad list entries.
URL property
Good and bad list entries
URL with is in list operator
Good:
http://www.mcafee.com/us/products/web-gateway.aspx
The full URL is entered, as it is required for this property. No wildcards are specified, as these are not evaluated when the is in list operator is used.
Bad:
www.mcafee.com/us/products/web-gateway.aspx
The entry does not specify the full URL, as the protocol information, http://, is not included.
URL with matches in list operator
Good:
http://www.mcafee.com/*
This entry contains a wildcard for allowing access to any web object provided by the host www.mcafee.com, which is appropriate when the matches in list operator is used.
The entry will not match for http://mcafee.com/.
regex(htt(p|ps)://(.*\.|\.?)mcafee.com(\/.*|\/?))
This entry is more complex, as it uses regular expressions. When matched, it allows access, under the HTTP or HTTPS protocol, to any web object within the domain mcafee.com and its subdomains.
regex(htt(p|ps)://(.*\.|\.?)mcafee.(com|co.us)(\/.*|\/?))
This entry is the same as the previous, but shows how other top-level domains, such as .com or .co.us, can be whitelisted.
Bad:
*.mcafee.com*
The entry does not exclude unwanted matches, for example, a match for the URL http://malicious-download-site.cc/malicious-file.exe?url=www.mcafee.com.
URL.Host with is in list operator
Good:
www.mcafee.com
A host name is entered, which fits in with the intended use for this property. No wildcards are specified, which is appropriate when the is in list operator is used.
Bad:
mcafee.com
The entry specifies a domain name (mcafee.com), whereas the value of the property is a host name (www.mcafee.com if, for example, the URL http://www.mcafee.com/us/products/web-gateway.aspx is processed).
No match will be produced this way.
*.mcafee.com
The entry contains a wildcard, which is not evaluated when the is in list operator is used.
*.mcafee.com/us*
The entry includes path information (/us), which does not fit in with the intended use of the property.
In addition to this, a wildcard is specified, which is not evaluated when the is in list operator is used.
URL.Host with matches in list operator
Good:
*.mcafee.com
The entry matches for any host within the domain mcafee.com, but not for mcafee.com itself.
regex((.*\.|\.?)mcafee.com)
The entry uses regular expressions to whitelist the domain mcafee.com and any of the hosts within it.
Bad:
*.mcafee.com*
The entry does not exclude unwanted matches, for example, http://www.mcafee.com.malicious-download-site.cc/.
*.mcafee.com/us*
The entry includes path information (/us), which does not fit in with the intended use of the property.
URL.Host.BelongsToDomains
Good:
mcafee.com entered in the list Domain List, which is configured as a parameter of the property.
The entry matches for the mcafee.com domain and all hosts within it, for example, www.mcafee.com or secure.mcafee.com.
www.mcafee.com
The entry does not specify a domain, but is valid. It only whitelists the host www.mcafee.com.
This can also be achieved by adding the entry to a list for the URL.Host property used together with the is in list operator.
Bad:
*.mcafee.com
The entry contains a wildcard, which does not fit in with the intended use of the property.
The property was rather developed to avoid the effort of using wildcards in list entries. Instead it requires an exact domain match, for example, a match for mcafee.com.
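The following is an added example, not part of the product guide: a small Python model of the URL properties, the two list operators, and URL.Host.BelongsToDomains as described in the whitelisting examples above, run over the page's own sample entries to show why the good entries match what they should and the bad ones overmatch. The wildcard and regex semantics (a '*' matches any run of characters, a regex(...) entry must match the whole value) and the domain-suffix rule for BelongsToDomains are assumptions, since the page does not define them formally.

```python
"""Added example (not from the product guide): a small Python model of the URL
properties and list operators described above, run over the page's own sample
entries to show why some list entries are good and others bad.

Assumptions the page does not spell out: '*' matches any run of characters,
'regex(...)' entries are regular expressions that must match the whole value,
and URL.Host.BelongsToDomains is true when the host equals a listed domain or
ends in '.' followed by that domain."""
import fnmatch
import re
from urllib.parse import urlsplit


def url_properties(url: str) -> dict:
    """Values of the URL properties the page lists for one URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return {
        "URL": url,
        "URL.Protocol": parts.scheme,
        "URL.Host": parts.hostname or "",
        "URL.Path": path,
        "URL.FileName": path.rsplit("/", 1)[-1],
    }


def host_of(value: str) -> str:
    """Host part of a URL; a bare host name (like the page's any.site.xxx) is returned as-is."""
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.lower()


def is_in_list(value: str, entries) -> bool:
    """'is in list': exact string match; a '*' in an entry is a literal character."""
    return value in entries


def matches_in_list(value: str, entries) -> bool:
    """'matches in list': '*' wildcards are evaluated; regex(...) entries are regular expressions."""
    for entry in entries:
        if entry.startswith("regex(") and entry.endswith(")"):
            if re.fullmatch(entry[len("regex("):-1], value):
                return True
        elif fnmatch.fnmatchcase(value, entry):
            return True
    return False


def belongs_to_domains(host: str, domain_list) -> bool:
    """URL.Host.BelongsToDomains: the host is a listed domain itself or a host within it."""
    host = host.lower()
    for domain in domain_list:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


# The page's Domain List example and the URLs it says do and do not match.
DOMAIN_LIST = ["mcafee.com", "dell.com", "k12.ga.us", "twitter.com", "xxx"]
SHOULD_MATCH = [
    "https://contentsecurity.mcafee.com", "https://my.mcafee.com",
    "http://my.support.dell.com", "http://www.dekalb.k12.ga.us",
    "http://twitter.com", "http://www.twitter.com", "any.site.xxx",
]
SHOULD_NOT_MATCH = [
    "https://www.mymcafee.com", "http://www.treasury.ga.us", "http://malicioustwitter.com",
]


def check_domain_examples() -> bool:
    """True when the model agrees with every BelongsToDomains example on the page."""
    hits = all(belongs_to_domains(host_of(u), DOMAIN_LIST) for u in SHOULD_MATCH)
    misses = not any(belongs_to_domains(host_of(u), DOMAIN_LIST) for u in SHOULD_NOT_MATCH)
    return hits and misses


if __name__ == "__main__":
    for name, value in url_properties("http://www.mcafee.com/us/products/web-gateway.aspx").items():
        print(f"{name:<13} {value}")
    print("domain examples agree:", check_domain_examples())        # True
    # 'is in list' is an exact match, so a domain name never matches a host name value.
    print(is_in_list("www.mcafee.com", ["mcafee.com"]))               # False
    # '*.mcafee.com*' is a bad URL.Host entry: a decoy host that merely contains the
    # string matches too, while the page's regex entry rejects it.
    decoy = "www.mcafee.com.malicious-download-site.cc"
    print(matches_in_list(decoy, ["*.mcafee.com*"]))                  # True (unwanted)
    print(matches_in_list(decoy, [r"regex((.*\.|\.?)mcafee.com)"]))   # False
```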
URL Filtering rule set
The URL Filtering rule set is the default rule set for URL filtering.
Default rule set – URL Filtering
Criteria – Always
Cycles – Requests (and IM), responses, embedded objects
The rule set contains the following rules.
Allow URLs that match in URL WhiteList
URL matches in list URLWhiteList –> Stop Rule Set
The rule uses the URL property to check whether a given URL is on the specified whitelist. If it is,
processing of the rule set stops and the blocking rules that follow the whitelisting rule are not
processed.
You can use this rule to exempt URLs from filtering to make sure they are available to the users of
your network and do not get blocked by any of the following blocking rules. Whitelisting also
increases performance because it avoids the effort of retrieving information about the respective
URLs.
Block URLs that match in URL BlockList
URL matches in list URL BlockList –> Block<URLBlocked> — Statistics.Counter.Increment (“BlockedByURLFilter”,1)<Default>
The rule uses the URL property to check whether a given URL is on the specified blocking list. If it is, processing of all rules stops and the request for access to the URL is not passed on to the appropriate web server. Access to it is blocked this way.
The action settings specify a message to the requesting user.
The rule also uses an event to count blocking due to virus and malware infections. The event
parameters specify the counter that is incremented and the size of the increment. The event settings
specify the settings of the Statistics module, which executes the counting.
Enable SafeSearchEnforcer
Always –> Continue — Enable SafeSearchEnforcer<Default>
The rule enables the SafeSearchEnforcer, which is an additional module for filtering access to web
sites with adult content.
The enabling is done by executing an event. The settings of the module are specified with the event.
Processing continues with the next rule.
Allow uncategorized URLs
List.OfCategory.IsEmpty(URL.Categories<Default>) equals true –> Stop Rule Set
The rule uses the List.OfCategory.IsEmpty property, which has the URL.Categories property as a
parameter, to check whether the list of categories for categorizing a URL is empty. This would mean
that the URL is uncategorized, as it could not be assigned to any of the existing categories.
Specifying the URL.Categories property as a parameter ensures that it is a particular list of
categories that is checked. It is the list that is the value of this property.
To provide a list of categories as the value for the URL.Categories property, the URL Filter module is
called, which retrieves this list from the Global Threat Intelligence system. The module runs with the
specified Default settings.
If a URL is uncategorized, processing of the rule set stops and the blocking rules that follow this rule
are not processed. The request for the URL is forwarded to the appropriate web server and, unless
access to the URL is blocked in the response or embedded object cycle, the user is allowed to access
the web object that was requested by submitting the URL.
Block URLs whose category is in URL Category BlockList
URL.Categories<Default> at least one in list Category BlockList –> Block<URLBlocked> — Statistics.Counter.Increment (“BlockedByURLFilter”,1)<Default>
The rule uses the URL.Categories property to check whether one of the categories a given URL
belongs to is on the specified blocking list. The URL Filter module, which is called to retrieve
information on these categories, runs with the Default settings, as specified with the property.
If one of the URL’s categories is on the list, processing of all rules stops and the request for access to
the URL is not passed on to the appropriate web server. Access to it is blocked this way.
The URLBlocked action settings specify that the user who requested this access is notified of the
blocking.
The rule also uses an event to count blocking due to URL filtering in the same way as the blocking
rule for individual URLs in this rule set.
Block URLs with bad reputation
URL.IsHighRisk<Default> equals true –> Block<URLBlocked> — Statistics.Counter.Increment (“BlockedByURLFilter”,1)<Default>
The rule uses the URL.IsHighRisk property to find out whether a URL has a reputation that lets access to it appear as a high risk. If the value for this property is true, processing of all rules stops and the request for access to the URL is not passed on to the appropriate web server. Access to it is blocked this way.
The reputation score is retrieved by the URL Filter module, which runs with the settings specified
after the property.
The URLBlocked action settings specify that the user who requested this access is notified of the
blocking.
The rule also uses an event to count blocking due to URL filtering in the same way as the blocking
rule for individual URLs in this rule set.
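The following is an added example, not part of the product guide: a minimal Python model of the order in which the six rules of the default URL Filtering rule set described above are processed for one request, including the difference between Stop Rule Set, Block and Continue and the point at which the URL Filter module is first consulted. The URL Filter module is replaced by a constructed in-memory table, the list entries, category names and URLs are constructed sample data, and category and reputation are assumed to come from a single lookup per request.

```python
"""Added example, not from the product guide: a minimal model of how the default
URL Filtering rule set processes one request. The URL Filter module is replaced
by a constructed in-memory table so the example runs offline; list entries,
category names and URLs below are constructed sample data, not McAfee's. Both
category and reputation are assumed to come from one lookup per request."""
import fnmatch
from collections import Counter

# Constructed sample lists (the real ones are edited in the key elements view).
URL_WHITELIST = ["http://downloads.example.test/tools/*"]
URL_BLOCKLIST = ["http://example.test/banned/*"]
CATEGORY_BLOCKLIST = {"Gambling", "Malicious Sites"}

# Constructed stand-in for what the URL Filter module returns for a URL.
LOOKUP_TABLE = {
    "http://example.test/casino": {"categories": ["Gambling"], "high_risk": False},
    "http://example.test/news": {"categories": ["News"], "high_risk": False},
    "http://example.test/brand-new": {"categories": [], "high_risk": False},
    "http://example.test/dropper": {"categories": ["Software"], "high_risk": True},
}


def matches_in_list(value, entries):
    """'matches in list' with '*' wildcards (regex entries are left out here)."""
    return any(fnmatch.fnmatchcase(value, e) for e in entries)


def process_request(url):
    """Process one request through the rule set; returns the outcome and side effects.

    'Stop Rule Set' ends this rule set only (later rule sets and the response and
    embedded object cycles still run); 'Block' ends all rule processing for the
    request; 'Continue' means the rule set finished without a decision.
    """
    state = {"action": "Continue", "rule": None, "safesearch": False,
             "lookups": 0, "counters": Counter()}

    def stop(action, rule):
        state.update(action=action, rule=rule)
        return state

    def block(rule):
        # Block<URLBlocked> plus Statistics.Counter.Increment("BlockedByURLFilter", 1)
        state["counters"]["BlockedByURLFilter"] += 1
        return stop("Block", rule)

    # 1. Allow URLs that match in URL WhiteList -> Stop Rule Set
    #    No lookup is made for a whitelisted URL, which is the performance gain the page mentions.
    if matches_in_list(url, URL_WHITELIST):
        return stop("Stop Rule Set", "Allow URLs that match in URL WhiteList")
    # 2. Block URLs that match in URL BlockList -> Block
    if matches_in_list(url, URL_BLOCKLIST):
        return block("Block URLs that match in URL BlockList")
    # 3. Always -> Continue, with the event Enable SafeSearchEnforcer
    state["safesearch"] = True
    # Rules 4 to 6 evaluate URL.Categories / URL.IsHighRisk, which calls the URL Filter module.
    state["lookups"] += 1
    info = LOOKUP_TABLE.get(url, {"categories": [], "high_risk": False})
    # 4. Allow uncategorized URLs -> Stop Rule Set (a later cycle may still block the response)
    if not info["categories"]:
        return stop("Stop Rule Set", "Allow uncategorized URLs")
    # 5. Block URLs whose category is in URL Category BlockList -> Block
    if CATEGORY_BLOCKLIST.intersection(info["categories"]):
        return block("Block URLs whose category is in URL Category BlockList")
    # 6. Block URLs with bad reputation -> Block
    if info["high_risk"]:
        return block("Block URLs with bad reputation")
    return state


if __name__ == "__main__":
    for u in ["http://downloads.example.test/tools/stinger.exe", "http://example.test/casino",
              "http://example.test/brand-new", "http://example.test/news",
              "http://example.test/dropper"]:
        r = process_request(u)
        print(f"{u:<48} {r['action']:<14} {r['rule'] or '-'}  lookups={r['lookups']}")
```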
URL filtering using the Dynamic Content Classifier
URLs can be categorized for filtering by the Dynamic Content Classifier.
The Dynamic Content Classifier (DCC) is another source of category information with regard to URLs,
in addition to the local database and the Global Threat Intelligence service.
You can configure use of the Dynamic Content Classifier when lookups for URL category information
involving the other two sources yield no results.
Configure use of the Dynamic Content Classifier
You can configure use of the Dynamic Content Classifier for detecting URL categories when other
methods of detection yield no results.
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, select a rule set with rules for URL filtering.
In the default rule set system, this is, for example, the URL Filtering rule set.
The rules appear in the settings pane.
3 Make sure Show details is selected.
4 Select the rule for handling URL categories that you want to configure use of the Dynamic Content Classifier for.
In the URL Filtering rule set, this is, for example, the rule Block URLs whose category is in Category BlockList.
5 Click the settings of the URL Filter module in the rule criteria.
In the sample rule, these are the Default settings in the criteria URL.Categories <Default> at least one in list Category BlockList.
The Edit Settings window opens. It provides the settings of the URL Filter module.
6 Under Rating Settings, make sure Enable the Dynamic Content Classifier if GTI web categorization yields no results is selected.
7 [Optional] Edit the list of URL categories the Dynamic Content Classifier should detect.
a Above the list Categories that will be dynamically detected, click the Edit icon.
The Edit window opens.
b Under DCC category, expand the Supported Categories folder.
c Select or deselect URL categories as needed.
d Click OK.
The Edit window closes and the selected categories appear on the list.
You can remove a URL category from the list by clicking the Delete symbol and confirming in the window that opens.
8 Click OK to close the Edit Settings window.
9 Click Save Changes.
The Dynamic Content Classifier is now involved in detecting whether a URL that is submitted in a
request for web access falls into one of the configured URL categories.
Using your own URL filter database
URL filtering can be performed using information that is retrieved from a database of your own.
URL filtering on a Web Gateway appliance uses information about the categories that URLs fall into
and the web reputation scores that are assigned to them. This information is retrieved from the local
URL filter database, the Global Threat Intelligence system, or the Dynamic Content Classifier,
depending on how the settings of the module for URL filtering are configured.
The information in the local database is the result of storing categories and web reputation scores
there after they have been determined for particular URLs by the Global Threat Intelligence system.
When a lookup in the local database yields no results, the other two information sources can
additionally be used.
Instead of the local database, you can use a database of your own, containing information on URL
categories and web reputation scores. To replace the local database, you need to specify the URL of
the server that your database resides on when configuring the Central Management settings.
You can use your own database as the source that is searched first to retrieve URL filtering
information, but also disable the other two sources and restrict the filtering process to using the
information stored in your database.
Configure use of your own URL filter database
To retrieve URL filtering information from a database of your own, configure the use of this database
as part of the Central Management settings.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance that should use your database information and click Central Management.
3 Scroll down to Advanced Update Settings.
4 In the Enter a special custom parameter for an update server field, enter the URL of the server that your database resides on.
5 Click Save Changes.
When database information is used to filter URLs on the appliance, it is not retrieved from the local
database, but from your own database.
You can additionally disable other sources of URL filtering information to restrict the filtering process to
the information stored in your own database.
Restrict URL filtering to using database information
To use only database information for URL filtering, disable use of the Global Threat Intelligence system
and the Dynamic Content Classifier.
If you configured the use of your own URL filter database, filtering information is retrieved only from
this database.
Task
1 Select Policy | Settings.
2 Under Engines | URL Filter, select the URL Filter settings you want to disable information sources for.
3 Under Rating Settings, deselect the following two checkboxes one after another:
• Enable the Dynamic Content Classifier if GTI web categorization yields no result
• Use online GTI web reputation and categorization services if local rating yields no result
4 Click Save Changes.
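The lookup order that the two sections above describe (database first, then the online GTI service, then the Dynamic Content Classifier, each later source consulted only when the earlier ones yield nothing and only while its checkbox is selected) can be illustrated with a small model. The following Python is an added example, not Web Gateway code; the source names, the sample hosts and their categories and reputation scores are constructed for the illustration. It also shows the consequence a practitioner should check after restricting filtering to database information: a host that no enabled source can rate ends up with an empty category list, so a rule of the form "URL.Categories at least one in list Category BlockList" never matches it, and the request is allowed unless you add a rule that handles unrated URLs explicitly.

```python
"""Model of the URL rating lookup chain: database, then GTI, then DCC.

Added illustration, not part of Web Gateway. All hosts, categories and
reputation scores below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for the three information sources.
# Each value is (categories, web reputation score); none are real ratings.
CUSTOM_DATABASE: Dict[str, Tuple[List[str], int]] = {
    "intranet.example.com": (["Business"], 15),
    "files.example.com": (["File Sharing"], 45),
}
GTI_ONLINE: Dict[str, Tuple[List[str], int]] = {
    "news.example.net": (["News/Media"], 10),
}
DCC_CLASSIFIER: Dict[str, Tuple[List[str], int]] = {
    "blog.example.net": (["Personal Pages"], 35),
}


@dataclass
class RatingSettings:
    """The two Rating Settings checkboxes named in the task above."""
    use_online_gti: bool = True   # Use online GTI ... if local rating yields no result
    use_dcc: bool = True          # Enable the DCC if GTI categorization yields no result


@dataclass
class Rating:
    categories: List[str]        # stands in for URL.Categories
    reputation: Optional[int]    # None when no enabled source could rate the host
    source: str                  # which source answered: database, gti, dcc or none


def rate(host: str, settings: RatingSettings) -> Rating:
    """Walk the sources in the order the guide describes."""
    if host in CUSTOM_DATABASE:                      # your own database is searched first
        cats, rep = CUSTOM_DATABASE[host]
        return Rating(cats, rep, "database")
    if settings.use_online_gti and host in GTI_ONLINE:
        cats, rep = GTI_ONLINE[host]
        return Rating(cats, rep, "gti")
    if settings.use_dcc and host in DCC_CLASSIFIER:
        cats, rep = DCC_CLASSIFIER[host]
        return Rating(cats, rep, "dcc")
    return Rating([], None, "none")                  # unrated: empty category list


# Constructed stand-in for the Category BlockList.
CATEGORY_BLOCKLIST = {"File Sharing", "Personal Pages"}


def decide(host: str, settings: RatingSettings, block_unrated: bool = False) -> str:
    """Mimic 'URL.Categories at least one in list Category BlockList -> Block'.

    An unrated host has no categories, so the 'at least one in list' rule
    cannot match it. block_unrated models the extra rule a restricted setup
    needs if unknown destinations should be blocked rather than allowed.
    """
    rating = rate(host, settings)
    if set(rating.categories) & CATEGORY_BLOCKLIST:
        return "block"
    if block_unrated and not rating.categories:
        return "block-unrated"
    return "allow"


if __name__ == "__main__":
    for flags in (RatingSettings(), RatingSettings(False, False)):
        for h in ("files.example.com", "news.example.net", "blog.example.net"):
            r = rate(h, flags)
            print(f"{h:22} gti={flags.use_online_gti!s:5} dcc={flags.use_dcc!s:5} "
                  f"source={r.source:8} decision={decide(h, flags)}")
```

With both checkboxes deselected, blog.example.net is no longer classified and the block rule falls through to allow; only the entries in your own database still produce a block. Decide deliberately whether that fail-open behaviour is what your policy wants.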
URL filtering using an IFP proxy
URL filtering can be performed on requests to web access submitted under the IFP protocol.
To perform URL filtering on such requests, you need to:
•
Set up an IFP proxy.
•
Implement suitable filtering rules.
Filtering activities for IFP requests are displayed on the dashboard of the user interface. Connection
tracing can also be performed for these activities.
Setting up an IFP proxy
To process and filter requests for web access that users submit from their client systems under the IFP
protocol, the proxy functions of the appliance must be appropriately configured. An IFP proxy must be
set up that intercepts these requests and makes them available for URL filtering.
To set up the proxy, you need to specify a number of settings on the user interface under Configuration |
Proxies. These settings include:
• Enabling or disabling the proxy
• List of proxy ports, specifying for each port:
  • IP address and port number
  • Message mode (indicates whether a block message is sent as a redirect or as a normal message under the IFP protocol)
• Maximum number of concurrent IFP requests
Using this setting, you can prevent an overloading of the IFP proxy.
Rules for filtering IFP requests
There is no default or library rule set for controlling the process of filtering IFP requests. However, you
can create a rule set of your own and also make use of the IFP proxy functions in existing rule sets.
When creating a rule set for filtering IFP requests, you need to specify use of the IFP protocol as the
rule set criteria to ensure the rule set is applied to requests that are submitted under this protocol.
This is achieved by including the Connection.Protocol property in the criteria and configuring the IFP
protocol as its operand.
As the IFP protocol covers only requests, you can exclude filtering responses and embedded objects as
activities that the rule set should apply to.
The rules in the rule set can be the same as in the default URL Filtering rule set.
If you want to perform URL filtering only for requests sent under the IFP protocol, we recommend that
you delete the default URL Filtering rule set and use only the IFP filtering rule set you have created in
the way described here.
Using the IFP proxy functions in existing rule sets can be an option, for example, if you have
authentication implemented for requests submitted under various other protocols and want to add
authentication for IFP requests.
The Authentication Server (Time/IP-based Session) library rule set contains an embedded rule set with
rules that check whether there is already an authenticated session for a client that a request is
received from. Otherwise a rule redirects a request to the authentication server.
The embedded rule set covers protocols such as HTTP or HTTPS. Using the Connection.Protocol
property, you can extend the criteria to include the IFP protocol.
Restrictions for IFP filtering
When using an IFP proxy for filtering URLs, you should be aware of the following restrictions:
• Limited use of SafeSearch Enforcer
When performing IFP filtering, the SafeSearch Enforcer only works for filtering search requests that are carried out using Google.
The reason for this is that only Google uses URLs for submitting the search criteria, while all other search providers use cookies. However, cookies cannot be processed by the IFP proxy on an appliance.
• HTTP proxy required for some functions
An HTTP proxy must be set up in addition to the IFP proxy if you want to do the following:
  • Redirect IFP requests that are blocked due to a filtering rule to a blocking page to let a block message appear on the client of the user who sent the request.
  • Authenticate users on the appliance by having their credentials verified on the internal authentication server.
  • Restrict web usage of users by implementing the Time Quota library rule set.
IFP filtering activities on the dashboard
The dashboard on the user interface provides information on several IFP filtering activities.
• Number of IFP requests processed
This information is shown under Web Traffic Summary | Requests per protocol.
• Domains that were requested most often (counting the number of requests)
These requests can include requests that were submitted under the IFP protocol.
This information is shown under Web Traffic | Top Level Domains by Number of Requests.
• Websites that were most often the destinations of requests (counting the number of requests)
These requests can include requests that were submitted under the IFP protocol.
This information is shown under Web Traffic | Destinations by Number of Requests.
Connection tracing for IFP filtering activities
Connection tracing can be performed for filtering IFP requests.
When connection tracing is enabled, connection tracing files are created and stored. They can be
accessed on the user interface under the Troubleshooting top-level menu.
Configure the IFP Proxy settings
You can configure the IFP proxy settings to set up a proxy that enables the processing of requests for
web access submitted under this protocol.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, expand the appliance you want to configure the IFP proxy settings for and click Proxies (HTTP(S), FTP, ICAP, and IM).
3 On the settings pane, scroll down to the IFP Proxy section.
4 Configure the settings in this section as needed.
5 Click Save Changes.
IFP Proxy settings
The IFP Proxy settings are used for configuring a proxy that intercepts requests for web access
submitted under the IFP protocol and makes them available for URL filtering.
IFP Proxy
Settings for configuring an IFP proxy
Table 11-19 IFP Proxy
Option
Definition
Enable IFP proxy
When selected, an IFP proxy is enabled on an appliance.
IFP port definition list
Allows you to create a list of ports that listen for IFP requests.
Maximum number of concurrent IFP
requests allowed.
Limits the number of IFP requests that are processed at the same
time to the specified value.
You can use this setting to prevent an overloading of the IFP proxy.
The following table describes an entry in the IFP port definition list.
Table 11-20 IFP Port Definition
Option
Definition
Listener address
Specifies the IP address and port number of a port that listens to IFP
requests.
Send error message as
redirect
When set to true, a user who sent a request is informed, for example, about a
blocking of the request, by redirecting the request to an error message page.
Otherwise the relevant information is sent as a normal message under the IFP
protocol.
Comment
Provides a plain-text comment on a port that listens to IFP requests.
Create a rule set for filtering IFP requests
You can create a rule set with rules that filter requests for web access submitted under the IFP
protocol.
Task
1 Select Policy | Rule Sets, then click Add and select Rule Set.
The Add New Rule Set window opens.
2 In the Name field, enter a suitable name for the rule set, for example Filter IFP Requests.
3 Under Applies to, deselect Responses and Embedded Objects.
4 Under Apply this rule set, select If the following criteria is matched.
5 Configure the rule set criteria.
a Under Criteria, click Add and select Advanced criteria.
The Add Criteria window opens.
b From the properties list, select Connection.Protocol.
c From the operators list, select equals.
d In the input field for operands, type IFP.
e Click OK.
The Add Criteria window closes and the criteria appears in the Criteria field.
6 Click OK.
The Add New Rule Set window closes and the new rule set appears on the rule set tree.
When the rule set has been created, you need to insert rules for URL filtering into it. You can, for
example, copy rules from the default URL Filtering rule set and adapt them as needed.
Modify an authentication rule set to include the IFP protocol
You can include the IFP protocol in the criteria of an authentication rule set to enable authentication
for requests that are submitted under that protocol.
Task
1 Import an authentication rule set from the library.
a Select Policy | Rule Sets, then click Add and select Top Level Rule Set.
The Add Top Level Rule Set window opens.
b Click Import rule set from Rule Set Library.
The Add from Rule Set Library window opens.
c From the Rule Set Library list, select the Authentication (Time/IP-based Session) rule set.
d In the Import conflicts area, select the conflict that is listed and under Conflict Solution choose a conflict-solving strategy.
e Click OK.
The Add from Rule Set Library window closes and the rule set appears on the rule set tree.
2 Expand the rule set and select the embedded Check for Valid Authentication Session rule set.
The criteria and rules of the embedded rule set appear on the settings pane.
3 Click Edit.
The Edit Rule Set window opens.
4 Modify the rule set criteria.
a Under Criteria, click Add and select Advanced criteria.
b From the properties list, select Connection.Protocol.
c From the operators list, select equals.
d In the input field for operands, type IFP.
e Click OK.
The Add Criteria window closes and the criteria appears in the Criteria field.
f Under Criteria combination, remove the closing parenthesis after the letter e and insert one after d.
5 Click OK.
The Edit Rule Set window closes.
6 Click Save Changes.
Media type filtering
Media type filtering ensures that the users of your network cannot access media that belong to
particular types, such as images, audio, or streaming media, when these types are not allowed under
your web security policy.
This way you can, for example, prevent your users from consuming too many resources.
The media type filtering process includes several elements, which contribute to it in different ways.
•
Filtering rules control the process.
•
A blocking list is used by a rule to block access to media that belong to particular types.
A default process for media type filtering is implemented on Web Gateway after the initial setup. You
can modify this process to adapt it to the requirements of your web security policy.
To configure media type filtering, you can work with:
•
Key elements of rules — After clicking the default Media Type Filtering rule set on the
rule sets tree, you can view and configure key elements of the default rules for the
filtering process.
•
Complete rules — After clicking Unlock View in the key elements view, you can expand
the Media Type Filtering rule set on the rule sets tree, which lets the nested Upload
Media Types and Download Media Types rule sets appear.
Clicking either of them lets you view their default rules for the filtering process
completely. You can configure all their elements, including the key elements, and also
create new rules or delete rules.
You cannot return from this view to the key elements view unless you discard all changes
or re-import the rule set.
Filtering rules
The rules that control the media type filtering process are usually contained in one media type filtering
rule set. It can have two nested rule sets with rules for filtering media types that are uploaded to and
downloaded from the web.
When the default process is implemented, a rule set for media type filtering with two nested rule sets
is included. The name of the nesting rule set is Media Type Filtering, those of the nested rule sets are
Upload Media Types and Download Media Types.
A media type filtering rule can use a list of media types. It can also rely on the use of a suitable
property in its criteria, such as the MediaType.IsAudio or MediaType.IsVideo properties.
Blocking list
A blocking list is used by a rule for blocking media that belong to particular types. There can be a
blocking list for media that should not be uploaded from within your network to the web, as well as
one for media that should not be downloaded from the web to your network.
Configure key elements for media type filtering
Configure key elements of the rules for media type filtering to adapt important parts of the filtering
process to the requirements of your web security policy.
Task
1 Select Policy | Rule Sets.
2 On the rule set tree, select the Media Type Filtering rule set.
Key elements of the rules for the filtering process appear in the configuration pane.
3 Configure the key elements as needed.
4 Click Save Changes.
Key elements for media type filtering
The key elements for media type filtering deal with important parts of this filtering process.
Block Media Types in Uploads
Key elements for filtering media that are uploaded to the web
Table 11-21 Block Media Types in Uploads
Option
Definition
Media types to block Clicking Edit opens a window to let you edit the Upload Media Type Block List that is
used by a rule.
You can add, modify, and remove entries on the list.
Block Media Types in Downloads
Key elements for filtering media that are downloaded from the web
Table 11-22 Block Media Types in Downloads
Option
Definition
Media types to block
Clicking Edit opens a window to let you edit the Download Media Type Block
List that is used by a rule.
You can add, modify, and remove entries on the list.
Block undetectable media types When selected, a rule is enabled that blocks media if no type could be
detected for them.
Block unsupported media types When selected, a rule is enabled that blocks media if it belongs to a type
that cannot be handled on Web Gateway.
Block multimedia
When selected, a rule is enabled that blocks media if it belongs to the
multimedia type.
Block streaming media
When selected, a rule is enabled that blocks media if it is streaming media.
Configure media type filtering using the complete rules view
You can configure media type filtering to adapt this process to the needs of your network.
To configure media type filtering, you can work with the key elements view or the complete rules view.
Task
1 Review the rules in the rule set for media type filtering.
By default, this is the Media Type Filtering rule set with its nested Upload Media Type and Download Media Type rule sets.
2 Modify these rules as needed.
You can, for example, do the following.
• Enable or disable blocking rules
• Edit the lists used by these rules
A yellow triangle next to a list name means the list is initially empty and you need to fill in the entries.
• Replace the property used in the criteria of a rule
3 Save your changes.
Properties for media type filtering
Most media type filtering rules in the default rule set use the MediaType.EnsuredTypes property in
their criteria. Using other properties lets media type filtering be executed in a different way.
There is, for example, the MediaType.NotEnsuredTypes property. If you use this property in the
criteria of a blocking rule, the rule blocks media whose types are on a block list even if the probability
that they actually are of this type is less than 50%.
You could use this property to make sure a media type gets blocked under all circumstances.
The following table lists the properties that are available for rules in media type filtering.
Table 11-23 Media type filtering properties
Property
Description
MediaType.EnsuredTypes
Property of media that have their types ensured with a probability of
more than 50%
This level of probability is assumed if a media type signature from an
internal list on the appliance can be found in the object code of the
media.
MediaType.NotEnsuredTypes
Property of media for which the probability that they actually are of
their respective types is less than 50%
MediaType.FromFileExtension Property of media for which types are assumed based on the
extensions of the media type file names
Extensions and the media types associated with them are looked up in
an internal catalog on the appliance. There are, however, extensions
that are used by more than one media type.
MediaType.FromHeader
Property of media for which types are assumed according to the
content type field of the headers sent with the media
Headers are read and evaluated in a standardized format. To filter
headers in their original formats, you can use the Header.Get
property.
MediaType.IsSupported
Property of embedded or archived media that can be extracted by the
opener module of the appliance.
List.OfMediaType.IsEmpty
Property of media with types that are not on an internal list
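The difference between the properties in the table above is how much evidence a rule demands before it acts: a signature found in the object's bytes ensures the type, while a file name extension or a Content-Type header only suggests it. The following Python is an added illustration, not Web Gateway code; the signature list, the extension catalog and the two sample objects are constructed for the example, and the "more than 50%" threshold is modelled simply as "the signature matched". It shows why a download blocklist that is evaluated with MediaType.EnsuredTypes catches an executable that a sender has renamed to .png and labelled image/png, and why a rule using MediaType.NotEnsuredTypes is the one that fires on an object whose type is only suggested by its name or header.

```python
"""Model of MediaType.EnsuredTypes, NotEnsuredTypes, FromFileExtension and FromHeader.

Added illustration, not part of Web Gateway. Signatures, catalog and
sample objects are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed signature list: leading bytes -> media type. A match here is
# what the example treats as "type ensured with a probability above 50%".
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),
]

# Constructed extension catalog. As the guide warns, one extension can map
# to more than one media type.
EXTENSION_CATALOG: Dict[str, List[str]] = {
    "png": ["image/png"],
    "jpg": ["image/jpeg"],
    "pdf": ["application/pdf"],
    "zip": ["application/zip", "application/java-archive"],
    "exe": ["application/x-msdownload"],
}


@dataclass
class MediaTypes:
    ensured: Set[str] = field(default_factory=set)         # MediaType.EnsuredTypes
    not_ensured: Set[str] = field(default_factory=set)     # MediaType.NotEnsuredTypes
    from_extension: Set[str] = field(default_factory=set)  # MediaType.FromFileExtension
    from_header: Optional[str] = None                      # MediaType.FromHeader


def classify(body: bytes, filename: str, content_type: Optional[str]) -> MediaTypes:
    """Derive the four property values for one object."""
    mt = MediaTypes()
    for magic, media_type in SIGNATURES:           # evidence from the object code
        if body.startswith(magic):
            mt.ensured.add(media_type)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mt.from_extension = set(EXTENSION_CATALOG.get(ext, []))
    if content_type:                               # header read in a standardized form
        mt.from_header = content_type.split(";", 1)[0].strip().lower()
    suggested = set(mt.from_extension)
    if mt.from_header:
        suggested.add(mt.from_header)
    # Suggested by name or header but not confirmed by a signature: not ensured.
    mt.not_ensured = suggested - mt.ensured
    return mt


def block_decision(mt: MediaTypes, blocklist: Set[str], use_not_ensured: bool = False,
                   block_undetectable: bool = False) -> str:
    """Rule '<property> at least one in list <Blocklist> -> Block', plus the
    optional 'Block undetectable media types' key element."""
    checked = mt.not_ensured if use_not_ensured else mt.ensured
    if checked & blocklist:
        return "block"
    if block_undetectable and not mt.ensured:
        return "block-undetectable"
    return "allow"


if __name__ == "__main__":
    # Constructed sample 1: a PE executable renamed to .png and served as image/png.
    disguised = classify(b"MZ\x90\x00\x03\x00\x00\x00", "photo.png", "image/png")
    # Constructed sample 2: bytes with no known signature, named and labelled as a zip.
    unknown = classify(b"\x00\x01\x02\x03", "video.zip", "Application/ZIP; charset=binary")
    for name, mt in (("disguised", disguised), ("unknown", unknown)):
        print(name, "ensured:", sorted(mt.ensured), "not ensured:", sorted(mt.not_ensured),
              "ext:", sorted(mt.from_extension), "header:", mt.from_header)
    print("disguised, EnsuredTypes rule:", block_decision(disguised, {"application/x-msdownload"}))
    print("unknown, EnsuredTypes rule:", block_decision(unknown, {"application/zip"}))
    print("unknown, NotEnsuredTypes rule:", block_decision(unknown, {"application/zip"}, True))
```

The renamed executable is blocked on its ensured type regardless of what the header and extension claim; the object with no recognisable signature is not touched by an EnsuredTypes rule at all, which is exactly the case the NotEnsuredTypes rule described above or the Block undetectable media types key element is meant to close.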
Modify a media type filtering rule
You can modify a media type filtering rule to filter a different kind of media types by changing the
property in the rule criteria. Then you also need to create a new filter list for use by the modified rule.
Tasks
•
Create a filter list for a modified rule on page 366
You can create a new filter list for use in a modified media type filtering rule.
•
Replace a property in a media type filtering rule on page 366
You can replace the property in the criteria of a media type filtering rule with a different
property to let the rule filter a different kind of media types.
Create a filter list for a modified rule
You can create a new filter list for use in a modified media type filtering rule.
Task
1
Select Policy | Lists.
2
On the Custom Lists branch of the lists tree, select Media Type and click Add.
The Add List window opens.
3
In the Name field, type a name for the new list, for example, Not Ensured Download Media Type
Blocklist.
4
[Optional] In the Comment field, type a plain-text comment on the new list.
5
[Optional] Click the Permissions tab and configure who is allowed to access the list.
6
Click OK.
The Add List window closes and the new list appears on the lists tree under MediaType.
You can now fill the entries for the new list to let the media type filtering rule know what to block or
allow.
Replace a property in a media type filtering rule
You can replace the property in the criteria of a media type filtering rule with a different property to let
the rule filter a different kind of media types.
Task
1
Select Policy | Rule Sets.
2
On the rule sets tree, select a rule set for media type filtering, for example, the nested Download
Media Type rule set in the Media Type Filtering rule set.
3
Select a rule, for example, Block types from Download Media Type Blocklist, and click Edit.
The Edit Rule window opens with the Name step selected.
4
Click Rule Criteria and under Criteria select the rule. Then click Edit.
The Edit Criteria window opens.
5 Edit the rule criteria as follows:
a From the list of properties in the left column, select a new property, for example, MediaType.NotEnsuredTypes (instead of MediaType.EnsuredTypes).
b From the list of operands in the right column, select Not Ensured Download Media Type Blocklist.
6 Click OK.
The window closes and the modified criteria appears under Rule Criteria.
7 Click Finish.
The Edit Rule window closes and the modified rule appears within the nested rule set that you selected.
8 Click Save Changes.
Media Type Filtering rule set
The Media Type Filtering rule set is the default rule set for media type filtering.
Library rule set – Media Type Filtering
Criteria – Always
Cycles – Requests (and IM), responses, embedded objects
The following rule sets are nested in this rule set:
• Upload Media Type
This rule set is not enabled by default.
• Download Media Type
Upload Media Type
This nested rule set blocks the upload of media belonging to particular media types. It is processed
in request cycles when users request to upload media to the web, as well as in embedded object
cycles when objects are embedded in media.
Nested library rule set – Upload Media Type
Criteria – Always
Cycles – Requests (and IM) and embedded objects
The rule set contains the following rule:
Block types from list Upload Media Type Blocklist
MediaType.EnsuredTypes at least one in list Upload Media Type Blocklist –> Block<Media Type (Block List)> — Statistics.Counter.Increment (“BlockedByMediaFilter”, 1)<Default>
The rule uses the MediaType.EnsuredTypes property to check whether media that have their type ensured belong to a type on the specified list. If they do, access to the media is blocked and processing of rules stops.
The rule uses an event to count blocking due to media type filtering. The event parameters specify
the counter that is incremented and the size of the increment. The event settings specify the settings
of the Statistics module, which executes the counting.
Processing continues with the next request that is received on the appliance.
Application filtering
Download Media Type
This nested rule set blocks the download of media belonging to particular media types. It is
processed in response cycles when web servers send media in response to user requests for
downloading them, as well as in embedded object cycles when objects are embedded in media.
Nested library rule set – Download Media Type
Criteria – Always
Cycles – Responses and embedded objects
The rule set contains the following rule.
Block types from list Download Media Type Blocklist
MediaType.EnsuredTypes at least one in list Download Media Type Blocklist –> Block<Media Type (Block List)> — Statistics.Counter.Increment (“BlockedByMediaFilter”, 1)<Default>
The rule uses the MediaType.EnsuredTypes property to check whether media that have their type ensured belong to a type on the specified list. If they do, access to the media is blocked and processing of rules stops.
The rule uses an event to count blocking due to media type filtering. The event parameters specify
the counter that is incremented and the size of the increment. The event settings specify the settings
of the Statistics module, which executes the counting.
Processing continues with the next request that is received on the appliance.
Application filtering
Application filtering ensures that the users of your network cannot access unwanted applications, which could be, for example, Facebook, Xing, and others. The filtering process evaluates application names and reputation scores and blocks access accordingly. Filtering can also be applied to individual functions of applications.
The following elements are involved in this process:
•
Filtering rules that control the process
•
Application lists that are used by rules to block applications
•
Application system lists that are updated in intervals
Update status and statistics of the application filtering process are shown on the dashboard.
Rules for application filtering
The rules that control application filtering are usually contained in one rule set. They block access to
applications and individual functions of applications using the following two methods:
•
Block applications and individual functions that are on a list
•
Block applications that are assigned a particular risk level
To block applications and individual functions according to a list, the Application.Name property is
used.
The value of this property is the name of an application or an individual function of an application that
appears in a request sent by a user who wants to access the application or application function. If this
name is on a blocking list, access is blocked, as, for example, the following rule does it.
Name: Block applications according to list
Criteria: Application.Name is in list Unwanted Applications
Action: –> Block<Application Blocked>
To block applications according to their risk levels, properties, such as Application.IsMediumRisk or
Application.IsHighRisk are used, which have true or false as their values.
Risk evaluation is based on the reputation score for an application that is assigned to it by the Global
Threat Intelligence system. If the risk for allowing access to an application is considered to be high, it
means it has a bad reputation.
If an application reaches or exceeds this level, access to it is blocked, as, for example, the following
rule does it.
Name: Block high-risk applications
Criteria: Application.IsMediumRisk equals true OR Application.IsHighRisk equals true
Action: –> Block<Application Blocked>
Both methods rely on the application system lists. Only applications and application functions that are
on these lists can appear on a list that is used by an application filtering rule.
The risk levels for applications and application functions are also those that are shown on the
application system lists.
For logging purposes, there are the Application.ToString and Application.Reputation properties, which provide the name of a requested application converted into a string and a numerical value for its reputation score, respectively.
You can use these properties in rules that record information in log file entries.
Application filtering is not performed by default on an appliance. However, you can import the
Application Control rule set from the library.
You can then review the rules in this rule set, modify or delete them, and also create your own rules.
Blocking lists
Blocking lists are used by rules to block access to applications that are requested by users. The rules
in the library rule set include lists that are already filled with several application names.
You can add application names to a list from the library rule set or remove them and also create your
own lists. If you add application names, you must take them from the application system list.
In the same way, you can create and edit lists with names of application functions.
Application system lists
The applications and application functions that can be blocked by application filtering rules appear on
lists, which are provided by the appliance system and updated in intervals.
You can view these lists by expanding the Application Name folder under System Lists on the lists tree
of the Lists tab. This folder contains a number of subfolders for different types of applications, for
example, File Sharing or Instant Messaging.
A subfolder contains a list of applications, providing the following information for each of them:
•
Application name (or application name with application function)
•
Comment
•
Risk level
•
Description of the application (or application function)
A function of an application appears in parentheses after the application name, for example,
Orkut(Orkut Chat). If you include an application function in the list of a blocking rule, only this
function is blocked, not the complete application.
The following is an example of an entry for an application in a system list:
MessengerFX | Risk: Minimal: A web-based instant messaging service
The next example shows an entry for an application function:
Orkut(Orkut Chat) | Risk: High: Allows users to send instant messages.
Application filtering information on the dashboard
The dashboard provides the following information on application filtering:
•
Update status of the application list
•
Statistics on applications and application functions that have actually been blocked
Configure application filtering
You can configure application filtering to adapt this process to the needs of your network.
Complete the following high-level steps.
Task
1
Import the Application Control rule set.
2
Review the rules in this rule set and modify them as needed.
You can, for example, do the following.
•
Enable or disable blocking rules
•
Edit the lists used in rules by adding or removing applications
•
Create lists of your own and use them instead of or in addition to the existing lists
•
Change the reputation levels used in rules by replacing the relevant properties, for example, by
replacing Application.IsHighRisk with Application.IsMediumRisk
You can also create blocking rules of your own.
3 Save your changes.
Create a list for application filtering
You can create a list for use in an application filtering rule and fill it with entries for applications or
individual functions of applications that should be blocked.
Task
1 Select Policy | Lists and click the Add icon.
The Add List window opens.
2 Configure general list settings.
a In the Name field, type a name for the list, for example, Unwanted Applications.
b From the Type list, select Application Name.
c [Optional] Click the Permissions tab and configure who is allowed to access the list.
d [Optional] In the Comments field, type a plain-text comment on the list.
3 Click OK.
The Add List window closes and the list appears on the list tree under Custom Lists | Application Name.
4
Select the list and, above the settings pane, click the Edit icon.
The Edit window opens with a collection of folders that contain application names.
5
Fill the list with entries for applications or individual functions of applications.
a Expand a folder that contains an application or application function whose name you want to add to the list, for example, Instant Messaging Web Applications.
b
Select an application or application function, for example, MessengerFX or Orkut(Orkut Chat).
You can select multiple applications or application functions at once, you can select items from
multiple folders at once, and you can select complete folders.
c
Click OK.
The Edit window closes and the selected applications and application functions appear on the list.
You can also add a complete folder and afterwards delete the entries for applications or
application functions that you do not want to include.
6
Click Save Changes.
You can use the list you created in the criteria of an application filtering rule, for example, to let the
criteria match if the name of an application or application function that access is requested to appears
on the list.
Modify the risk level in an application filtering rule
You can modify the risk level in a rule that filters applications according to the risk they present to web
security, for example, from high to medium. This increases web security because a blocking action can
then be triggered even if an application is only a medium risk.
Before you begin
The following procedure assumes that you have imported the Application Control rule set
from the library.
Task
1 Select Policy | Rule Sets.
The Add New Rule Set window opens.
2 Expand the Application Control rule set, then expand the nested Block Applications in Request Cycle rule set.
The general settings and rules of the nested rule set appear on the settings pane.
3 Make sure Show details is selected.
4 Select the rule Block web applications with high risk and click Edit.
The Edit Rule window opens.
5 Under Steps, select Rule Criteria and in the Criteria section, select the upper part of the complex criteria (the one that uses the Application.IsHighRisk property), then click Edit.
The Edit Criteria window opens with the Application.IsHighRisk property selected in the properties list.
6 From the properties list, select Application.IsMediumRisk.
7 Click OK.
The Edit Criteria window closes and the modified criteria appears in the Criteria section.
8 Click Finish.
The Edit Rule window closes and the rule with the modified criteria appears on the settings pane.
9 Click Save Changes.
Application Control rule set
The Application Control rule set is a library rule set for application filtering.
Library rule set – Application Control
Criteria – Always
Cycles – Requests (and IM), responses
The following rule sets are nested in this rule set:
• Block Applications in Request Cycle
• Block Applications in Response Cycle
Block Applications in Request Cycle
This nested rule set handles application filtering in the request cycle.
Nested library rule set – Block Applications in Request Cycle
Criteria – Always
Cycle – Requests (and IM)
The rule set contains the following rules:
Block instant messaging applications
Application.Name is in list Instant Messaging –> Block<Default>
The rule uses the Application.Name property to check whether the name of an application is
contained in a specified list. If it is, it blocks a request for this application.
The action settings specify a message to the requesting user.
The rule is not enabled by default.
Block web applications with high risk
Application.HighRisk equals true AND Application.Name is in list Web Browsing and Web
Conferencing –> Block<Default>
The rule uses the Application.HighRisk property to check the reputation score of an application and
the Application.Name property to check whether the name of this application is contained in a
specified list. If the reputation score reaches or exceeds the high-risk level and the application name
is also on the list, it blocks a request for this application.
The action settings specify a message to the requesting user.
Block Facebook chat
Application.ToString (Application.Name) equals "Facebook.Chat" –> Block<Default>
The rule uses the Application.ToString property to check whether the name of an application is equal
to a specified string. For this purpose, the name of the application is converted into a string. If the
converted application name equals the specified string, a request for the application is blocked.
The action settings specify a message to the requesting user.
The rule is not enabled by default.
Block Applications in Response Cycle
This nested rule set handles application filtering in the response cycle.
Nested library rule set – Block Applications in Response Cycle
Criteria – Always
Cycle – Responses
The rule set contains the following rules:
Applications to be looked for in response cycle
Application.Name is in list of Applications to Search for in Response Cycle –> Block<Default>
The rule uses the Application.Name property to check whether the name of an application is
contained in a specified list. If it is, it blocks a request for this application.
The action settings specify a message to the requesting user.
The rule is not enabled by default.
Block web applications with high risk
Application.HighRisk equals true AND Application.Name is in list Web Browsing and Web
Conferencing –> Block<Default>
The rule uses the Application.HighRisk property to check the reputation score of an application and
the Application.Name property to check whether the name of this application is contained in a
specified list. If the reputation score reaches or exceeds the high-risk level and the application name
is also on the list, it blocks a request for this application.
The action settings specify a message to the requesting user.
Block Facebook chat
Application.ToString (Application.Name) equals "Facebook.Chat" –> Block<Default>
The rule uses the Application.ToString property to check whether the name of an application is equal
to a specified string. For this purpose, the name of the application is converted into a string. If the
converted application name equals the specified string, a request for the application is blocked.
The action settings specify a message to the requesting user.
The rule is not enabled by default.
Streaming media filtering
Streaming media filtering ensures that web objects of this media type are detected when they are
received on Web Gateway and handled according to the configured rules.
When virus and malware filtering is implemented on Web Gateway, web objects that are sent to it are
scanned for infections. To achieve a comprehensive scanning result, the web object needs to be
scanned completely.
However, streaming media is never "complete", so if the usual scanning method is applied to it, it will
not deliver a result, as it would for other, non-streaming media.
Processing streaming media would also be delayed endlessly, as the scanning process would never
finish.
This means that once a web object has been detected to be streaming media, you can block it to
prevent the users of your network from accessing web objects that have not been scanned for
infections.
Or you let streaming media skip virus and malware scanning and allow your users to access media of
this type unscanned.
The following elements on Web Gateway are involved in the filtering process:
• Filtering rules that control the process
• A module that calculates the probability for web objects that they are streaming media
The module sets the value of a suitable property to true if the probability for a web object to be streaming media reaches or exceeds a configured value.
Streaming media filtering is usually applied in the response cycle of the filtering process to deal with
streaming media sent by web servers in response to user requests.
Rules for streaming media detection
To block or allow web objects that are streaming media with a given probability you can set up a rule
that uses the StreamDetector.IsMediaStream property.
If the value of this property is true, access to a web object would be blocked by the following rule.
Name – Block access to streaming media
Criteria – StreamDetector.IsMediaStream<Streaming Detection> equals true
Action – Block<Streaming Media Blocked>
It would be allowed by the following rule:
Name – Allow access to streaming media
Criteria – StreamDetector.IsMediaStream<Streaming Detection> equals true
Action – Continue
The value of the StreamDetector.IsMediaStream property is provided by the Stream Detector module.
Streaming media filtering is not performed by default on Web Gateway. If you want to have it done,
you need to create a rule like the ones described above.
We recommend that you do not use this rule in a rule set of its own, but insert it into another, suitable rule set, for example, a media type filtering rule set.
The default Gateway Anti-Malware rule set contains a rule that lets streaming media skip virus and malware filtering. In this rule set, the skipping rule is placed before the rule that lets web objects be scanned by the Anti-Malware scanning module.
Additional properties for streaming media filtering
When the StreamDetector.IsMediaStream property is set to true, two additional properties are given
related values. The value of the StreamDetector.Probability property is the percentage that was
actually calculated for a web object, for example, 60 or 70.
The value of the StreamDetector.MatchedRule property is the name of the rule that matched.
You can use these additional properties in rules that record information in log file entries.
Module for streaming media detection
The probability that web objects are streaming media is calculated by the Stream Detector module
(also known as filter or engine), which uses information about URL categories, content-type headers,
source IP addresses, and other items for its calculation. The result of a probability calculation is a
percentage.
The types of streaming media that can be detected in this way include the following:
• Flash-based video
• RealMedia
• IC9 streams
• MP3 streams
• MS WMSP
You can configure settings for this module and name them, for example, Streaming Media Detection.
The settings include the minimum probability that must be reached for a web object to be considered
as streaming media.
Configure streaming media filtering
You can configure streaming media filtering to adapt this process to the needs of your network.
Complete the following high-level steps.
Task
1 Create a streaming media filtering rule that blocks web objects if the probability that they are streaming media reaches or exceeds a configured level.
2 Insert this rule in a suitable rule set, for example, in a media type filtering rule set.
You can modify the rule later on by increasing or reducing the probability level. This is done by configuring the settings of the Stream Detector module.
3 Save your changes.
Configure the streaming media detection module
You can configure the module that calculates the streaming media probability for a given web object to
adapt it to the requirements of your network.
Task
1 Select Policy | Settings.
2 Select Stream Detector and click Add.
The Add Settings window opens.
3 In the Name input field, type a name for the settings.
4 [Optional] In the Comment input field, type a comment on the settings.
5 [Optional] Click the Permissions tab and configure who is allowed to access the settings.
6 Under Streaming Detector, configure settings for the module as needed.
7 Click Save Changes.
Best practices - Configuring the Stream Detector
Configuring the Stream Detector, you can set up a way to handle streaming media. The recommended
way is to perform a special kind of scanning when the Stream Detector has found that a web object
belongs to this media type.
Virus and malware filtering on Web Gateway usually requires that web objects are completely
downloaded and scanned by the Anti-Malware module (also known as engine or filter). However, as
completeness can never be achieved for streaming media, the usual scanning method will not deliver
results, but delay processing of this media type endlessly.
Streaming media must therefore be handled in a special way. Two components on Web Gateway are available for this:
• The Stream Detector detects that a web object is streaming media.
• The Media Stream Scanner scans streaming media chunk-by-chunk.
Compared to the usual method, the Media Stream Scanner performs a less intensive way of scanning.
Following the progress made by the Media Stream Scanner, streaming media is also delivered
chunk-by-chunk to the client that a download request was received from. If an infection is detected in
a chunk, the process is stopped, and this chunk and the rest of the streaming media are not delivered.
The Stream Detector is a separate module on Web Gateway, not a part of the Anti-Malware module
like the Media Stream Scanner.
A suitable rule calls both components to perform their jobs. It is contained in the default Gateway
Anti-Malware rule set.
However, the rule is not available in older versions of McAfee Web Gateway. So we recommend that you do the following:
• Inspect your rule set system.
• If the rule is not included in the default Gateway Anti-Malware rule set or any other rule set you are using for virus and malware filtering, configure the rule in one of these rule sets.
Make sure you place it immediately before the rule that triggers the usual anti-malware scanning.
Rule for streaming media filtering
The default rule for streaming media filtering looks as follows:
Name – Start Media Stream Scanner on streaming media and skip anti-malware scanning
Criteria – Cycle.Name equals "Response" AND StreamDetector.IsMediaStream<Default Streaming Detection> equals true
Action – Stop Ruleset
Event – Enable Media Stream Scanner
In the default Gateway Anti-Malware rule set, this rule is placed immediately before the rule that
triggers the usual anti-malware scanning.
When the Stream Detector finds that a web object is streaming media, the rule stops processing for
this rule set and starts the Media Stream Scanner, so the special way of scanning streaming media is
performed and the rule for the usual scanning is skipped.
The criteria part that uses the Cycle.Name property ensures that the rule only applies in the response
cycle of processing when web objects are received on Web Gateway from the web, in response to a
request that was forwarded.
Settings for the Stream Detector
The settings for the Stream Detector module can be accessed on the settings tree under Stream Detector.
The name of the default settings is Default Streaming Detection.
The default settings include only the following option:
Minimal probability — Sets the probability of being streaming media that is sufficient for treating a web object as streaming media.
• The probability is measured in percent and configured as a number from 1 to 100.
• The probability is found by the Stream Detector. If the minimal probability is reached, the StreamDetector.IsMediaStream property, which is used in the default rule for streaming media filtering, is set to true.
• The default minimal probability is 60. We recommend that you leave this value unchanged.
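The following Python model ties together the Stream Detector settings, the default streaming media rule and the chunk-by-chunk Media Stream Scanner described in the best practices above. It is an added example and not McAfee code: the internal detection rules and their weights are assumptions (the guide only says the module uses URL categories, content-type headers and source IP addresses), and the "infected" byte marker is a constructed stand-in for a scanner detection.

```python
# Added example (not McAfee code): a toy model of the Stream Detector rule in the
# Gateway Anti-Malware rule set and of the chunk-by-chunk Media Stream Scanner.
# The detection heuristic and the "infected" marker are constructed stand-ins.
MINIMAL_PROBABILITY = 60          # default "Minimal probability" in the Stream Detector settings
INFECTED_MARKER = b"<<constructed-infected-marker>>"   # stands in for a scanner detection

# The guide only says the module uses URL categories, content-type headers and
# source IP addresses; these internal rules and weights are assumptions.
DETECTION_RULES = [
    ("content-type is video or audio", 50,
     lambda ct, cat: ct.split("/", 1)[0] in ("video", "audio")),
    ("content-type is RealMedia or MS WMSP", 50,
     lambda ct, cat: ct in ("application/vnd.rn-realmedia", "application/x-mms-framed")),
    ("URL category is Streaming Media", 30,
     lambda ct, cat: cat == "Streaming Media"),
]


def stream_detector(content_type, url_category, minimal=MINIMAL_PROBABILITY):
    """Return the three StreamDetector.* properties the guide describes."""
    probability, matched = 0, None
    for name, weight, test in DETECTION_RULES:
        if test(content_type.lower(), url_category):
            probability += weight
            matched = matched or name          # first internal rule that matched
    probability = min(probability, 100)
    is_stream = probability >= minimal         # "reaches or exceeds" the minimal probability
    return {
        "StreamDetector.IsMediaStream": is_stream,
        "StreamDetector.Probability": probability,   # the value a log rule would record
        "StreamDetector.MatchedRule": matched if is_stream else None,
    }


def media_stream_scanner(chunks, is_infected):
    """Scan and deliver chunk by chunk; stop at the first infected chunk."""
    delivered = []
    for index, chunk in enumerate(chunks):
        if is_infected(chunk):
            return delivered, f"infection in chunk {index}; it and the rest were not delivered"
        delivered.append(chunk)
    return delivered, "clean"


def default_is_infected(data):
    return INFECTED_MARKER in data


def response_cycle(cycle_name, content_type, url_category, chunks,
                   is_infected=default_is_infected, minimal=MINIMAL_PROBABILITY):
    """Model the two consecutive rules: the streaming rule, then the usual scan."""
    props = stream_detector(content_type, url_category, minimal)
    # Rule: Cycle.Name equals "Response" AND StreamDetector.IsMediaStream equals true
    # -> Stop Ruleset, event Enable Media Stream Scanner. The usual scan rule is skipped.
    if cycle_name == "Response" and props["StreamDetector.IsMediaStream"]:
        delivered, verdict = media_stream_scanner(chunks, is_infected)
        return {"path": "Media Stream Scanner", "delivered": delivered, "verdict": verdict, **props}
    # Next rule: the usual Anti-Malware scan, which needs the complete object first.
    whole = b"".join(chunks)
    if is_infected(whole):
        return {"path": "Anti-Malware", "delivered": [], "verdict": "blocked", **props}
    return {"path": "Anti-Malware", "delivered": list(chunks), "verdict": "clean", **props}


if __name__ == "__main__":
    stream = [b"header", b"frame" + INFECTED_MARKER, b"trailer"]
    print(response_cycle("Response", "video/mp4", "Streaming Media", stream))
    print(response_cycle("Response", "video/mp4", "General", [b"clip"]))   # 50 < 60: usual scan
```

Running the module shows why the threshold matters: a video content type alone scores 50 under the assumed weights, so with the default minimal probability of 60 the object still goes to the usual scan, while lowering the setting to 50 would route it to the chunk-by-chunk scanner instead.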
Stream Detector settings
The Stream Detector settings are used to configure the module that calculates the probability for web
objects that they are streaming media.
Streaming Detector
Setting for the module that calculates streaming media probabilities
Table 11-24 Streaming Detector
Option – Definition
Minimal probability – Sets the probability (in percent, specified by a number from 0 to 100) that is sufficient for a web object to be considered as streaming media.
Global whitelisting
Global whitelisting ensures that all further filtering is skipped for the web objects that are whitelisted,
so access to them cannot be blocked.
The global whitelisting process includes several elements, which contribute to it in different ways.
• Filtering rules control the process.
• Whitelists are used by rules to let some web objects skip further filtering.
A default process for global whitelisting is implemented on Web Gateway after the initial setup. You
can modify this process to adapt it to the requirements of your web security policy.
To configure global whitelisting, you can work with:
• Key elements of rules — After clicking the default Global Whitelist rule set on the rule sets tree, you can view and configure key elements of the default rules for the filtering process.
• Complete rules — After clicking Unlock View in the key elements view, you can view the default rules for the filtering process completely, configure all their elements, including the key elements, and also create new rules or delete rules.
You cannot return from this view to the key elements view unless you discard all changes or re-import the rule set.
Filtering rules
The rules that control global whitelisting are usually contained in one rule set.
Whitelisting rules are placed and processed in this rule set. If any of them applies, the following rule
sets are skipped and no further filtering is performed for the whitelisted objects.
You can review these rules, modify or delete them, and also create your own rules.
When the default rule set system is implemented, a rule set for global whitelisting is included. Its
name is Global Whitelist.
Whitelists
Whitelists are used by whitelisting rules to let particular web objects skip further filtering. There can
be whitelists for URLs, media types, and other types of objects.
You can add entries to these lists or remove entries. You can also create your own lists and let them
be used by the whitelisting rules.
Configure global whitelisting
You can configure global whitelisting to adapt this process to the needs of your network.
Complete the following high-level steps.
Task
1 Review the rules in the rule set for global whitelisting.
By default, this is the Global Whitelisting rule set.
2 Modify these rules as needed.
You can, for example, do the following:
• Enable or disable whitelisting rules
• Edit the lists used by the whitelisting rules
A yellow triangle next to a list name means the list is initially empty and you need to fill the entries.
• Create whitelists of your own and let them be used by the whitelisting rules
3 Save your changes.
Global Whitelist rule set
The Global Whitelist rule set is the default rule set for global whitelisting.
Default rule set – Global Whitelist
Criteria – Always
Cycles – Requests (and IM), responses, embedded objects
The rule set contains the following rules.
Client IP is in list Allowed Clients
Client.IP is in list Allowed Clients –> Stop Cycle
The rule uses the Client.IP property to check whether the IP address of a client that a request was
sent from is on the specified whitelist.
If it is, the rule applies and stops the current processing cycle. The request is then forwarded to the
appropriate web server.
URL.Host matches in list Global Whitelist
URL.Host matches in list Global Whitelist –> Stop Cycle
The rule uses the URL.Host property to check whether the host that a URL sent in a request provides
access to is on the specified whitelist.
If it is, the rule applies and stops the current processing cycle. The request is then forwarded to the
web server that is the requested host.
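The Stop Cycle action of the two Global Whitelist rules, and the effect of swapping Application.IsHighRisk for Application.IsMediumRisk in the Application Control rule set (the "Modify the risk level" procedure earlier in this chapter), can be seen in the following Python model of request-cycle evaluation. It is an added example and not McAfee code: the list contents, the client IP range and the numeric bands behind the risk properties are constructed for the demo (the guide only says a risk property is true when the reputation score reaches or exceeds that level), and the instant messaging rule, which the guide says is disabled by default, is enabled here.

```python
# Added example (not McAfee code): a toy model of how the rule sets described in
# this chapter are evaluated in the request cycle. List contents, IP ranges and
# the numeric risk bands are constructed for the demo.
import fnmatch
import ipaddress
from dataclasses import dataclass

# Constructed whitelist contents (the guide's lists start out empty until you fill them).
ALLOWED_CLIENTS = ["10.0.5.0/24"]
GLOBAL_WHITELIST = ["*.intranet.example"]
# Application names taken from the guide's examples; list membership is constructed.
INSTANT_MESSAGING = {"MessengerFX", "Orkut(Orkut Chat)"}
WEB_BROWSING_AND_CONFERENCING = {"ConfDemo", "BrowserToyApp"}

# Assumption: Application.IsHighRisk / IsMediumRisk are true when the reputation
# score reaches or exceeds the level's threshold. The numbers are invented.
RISK_LEVEL_THRESHOLD = {"high": 70, "medium": 40}


@dataclass
class Request:
    client_ip: str          # Client.IP
    host: str               # URL.Host
    application_name: str   # Application.Name
    reputation_score: int   # input to Application.IsHighRisk / IsMediumRisk


def ip_in_list(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def host_matches(host, patterns):
    """'matches in list' with wildcard entries, e.g. *.intranet.example."""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)


def is_risk(req, level):
    """Models Application.IsHighRisk (level='high') / IsMediumRisk (level='medium')."""
    return req.reputation_score >= RISK_LEVEL_THRESHOLD[level]


def global_whitelist_rules():
    return [
        ("Client IP is in list Allowed Clients",
         lambda r: ip_in_list(r.client_ip, ALLOWED_CLIENTS), "Stop Cycle"),
        ("URL.Host matches in list Global Whitelist",
         lambda r: host_matches(r.host, GLOBAL_WHITELIST), "Stop Cycle"),
    ]


def application_control_rules(risk_level="high"):
    # risk_level="medium" models the "Modify the risk level" procedure, which swaps
    # Application.IsHighRisk for Application.IsMediumRisk in the rule criteria.
    return [
        ("Block instant messaging applications",    # disabled by default in the guide; enabled here
         lambda r: r.application_name in INSTANT_MESSAGING, "Block"),
        (f"Block web applications with {risk_level} risk",
         lambda r: is_risk(r, risk_level) and r.application_name in WEB_BROWSING_AND_CONFERENCING,
         "Block"),
    ]


def evaluate_request_cycle(req, risk_level="high"):
    """Walk the rule sets in order and return (outcome, rule set, rule).

    Stop Cycle ends the whole cycle, so later rule sets are skipped: a whitelist
    entry bypasses every blocking rule that follows it, which is why whitelist
    contents need the same review as blocking rules.
    """
    rule_sets = [("Global Whitelist", global_whitelist_rules()),
                 ("Application Control", application_control_rules(risk_level))]
    for set_name, rules in rule_sets:
        for rule_name, criteria, action in rules:
            if criteria(req):
                if action in ("Block", "Stop Cycle"):
                    return action, set_name, rule_name
                # "Continue": keep evaluating the next rule
    return "Allow", None, None   # no rule applied; the request is forwarded


if __name__ == "__main__":
    conf = Request("10.0.9.3", "conf.example.test", "ConfDemo", 55)
    for level in ("high", "medium"):
        print(level, evaluate_request_cycle(conf, level))
    trusted = Request("10.0.5.7", "conf.example.test", "ConfDemo", 90)
    print("whitelisted client:", evaluate_request_cycle(trusted, "medium"))
```

The same medium-scoring conferencing application is allowed under the high-risk rule and blocked once the criteria use the medium-risk property, while a request from a whitelisted client address never reaches the Application Control rule set at all.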
SSL scanning
SSL scanning ensures that SSL-secured web traffic can be processed and made available to other
filtering functions.
The SSL scanning process includes several elements, which contribute to it in different ways.
• SSL scanning rules control the process.
• Whitelists and other lists are used by the rules to let web objects skip SSL scanning and to perform other functions within the process.
• SSL scanning modules, which are called by the rules, perform certificate verification and other functions within the process.
To configure SSL scanning, you can work with:
• Key elements of rules — After clicking the default SSL Scanner rule set on the rule sets tree, you can view and configure key elements of the default rules for the filtering process.
• Complete rules — After clicking Unlock View in the key elements view, you can view the default rules for the filtering process completely, configure all their elements, including the key elements, and also create new rules or delete rules.
You cannot return from this view to the key elements view unless you discard all changes or re-import the rule set.
SSL scanning rules
The rules that control SSL scanning are usually contained in one rule set that has several nested rule sets. Each of the nested rule sets controls a particular function of the SSL scanning process:
• Handle the CONNECT call — There is a rule set with rules for handling the CONNECT call, which is sent at the beginning of SSL-secured communication under the HTTPS protocol.
• Verify certificates — There are rule sets for verifying certificates that are submitted by clients and servers in SSL-secured communication, for example, by verifying the common names in these certificates.
This part of the process allows verification for both explicit proxy and transparent setups.
• Enable content inspection — Another rule set contains rules for enabling the inspection of content that is transferred in SSL-secured communication.
To find out whether an object is infected, the rule calls the Anti-Malware module, which scans the object and lets the rule know about the result.
Whitelisting rules can be placed and processed in this rule set before the blocking rule. If any of them
applies, the blocking rule is skipped and the whitelisted objects are not scanned.
You can review the rules that are implemented on the appliance for SSL scanning, modify or delete
them, and also create your own rules.
When the default rule set system is implemented, a rule set for SSL scanning is included. Its name is
SSL Scanner. However, the rule set is not enabled initially.
Whitelists and other lists for SSL scanning
Whitelists are used by the SSL scanning rules to let web objects skip parts of the process. For
example, a certificate whitelist exempts certificates from undergoing verification.
Other lists used in SSL scanning contain the port numbers that are allowed in CONNECT calls if these
are to be accepted or the servers that require a special kind of certificate verification because a
particular method of exchanging keys cannot be applied on them.
You can add entries to these lists or remove entries. You can also create your own lists and let them
be used by the SSL scanning rules.
Modules for SSL scanning
The following modules (also known as engines) are called by the SSL scanning rules to perform different parts of the SSL scanning process:
• SSL Scanner — Handles certificate verification or the enabling of content inspection, depending on the settings it runs with.
Accordingly, the module is called by the rules for certificate verification and content inspection with different settings.
• Modules for setting the client context — Handle the submitting of a certificate for the appliance to the clients that send requests to it in SSL-secured communication.
When this certificate is submitted, the certificate authority (CA) that issued the certificate can be sent with it or not. Accordingly, there is one module for submitting a certificate with its certificate authority and another module for submitting a certificate without it.
The SSL Scanner rule set of the default system uses the method of submitting a certificate with its certificate authority.
A default certificate authority is available for use after the initial setup. However, we recommend that you provide a certificate authority of your own for further use.
• Certificate Chain — Handles the building of a certificate chain.
When building the chain, the module uses a list of certificate authorities for the certificates that are included in the chain. You can add certificate authorities to existing lists and also add new lists.
Configure SSL scanning
You can configure SSL scanning to adapt this process to the needs of your network.
Complete the following high-level steps.
Task
1 Enable the rule set for SSL scanning and review the rules in this rule set.
By default, this is the SSL Scanner rule set.
2 Modify these rules as needed.
You can, for example, do the following:
• Replace the default root certificate authority (CA) for signing certificates that the appliance sends to its clients by a certificate authority of your own.
This can be a certificate authority that you create yourself on the user interface or one that you import from your file system.
• Enable or disable whitelisting rules, for example:
• The default rule for skipping certificate verification when a certificate that was submitted by a client is on a whitelist
• The default rule for skipping content inspection when the host of a requested URL is on a whitelist
• Edit the lists used by the whitelisting rules
A yellow triangle next to a list name means the list is initially empty and you need to fill the entries.
• Create whitelists of your own and let them be used by the whitelisting rules
• Modify the settings of the modules involved in SSL scanning:
• SSL Scanner module
• SSL Client Context module
• Certificate Chain module
3 Save your changes.
Configure the modules for SSL scanning
You can configure the modules for SSL scanning to modify the way SSL-secured web traffic is
processed.
The following modules are involved in SSL scanning and can be configured:
•
SSL Scanner module
•
SSL Client Context module
•
Certificate Chain module
Task
1 Select Policy | Rule Sets.
2 On the rule sets tree, find the rule set for SSL scanning.
By default, this is the SSL Scanner rule set.
3 Expand the rule set and select the nested rule set that contains the rule with the settings for the module you want to configure.
For example, to configure the SSL Scanner module, expand the nested Handle CONNECT Call rule set. It contains by default the rule Enable certificate verification with the Default certificate verification settings for the SSL Scanner module.
The rules of the nested rule set appear on the settings pane.
4 Make sure Show details is selected.
5 Find the rule with the settings for the module you want to configure.
This could be, for example, the Enable certificate verification rule that was mentioned above.
6 Within the rule, click a settings name.
For example, in the rule event of Enable certificate verification, click Default certificate verification.
The Edit Settings window opens. It provides the settings for a module, for example, the SSL Scanner module.
7 Configure these settings as needed.
8 Click OK to close the window.
9 Click Save Changes.
Replace the default root certificate authority
You can replace the default root certificate authority that is provided after the initial setup for signing
the certificates that the appliance sends to its clients by a certificate authority of your own.
You can create a new root certificate authority on the user interface or import one from your file
system.
Tasks
• Create a root certificate authority on page 383
You can create a root certificate authority (CA) for signing the certificates the appliance sends to its clients and use it instead of the default certificate authority.
• Import a root certificate authority on page 383
You can import a root certificate authority (CA) for signing the certificates the appliance sends to its clients and use it instead of the default certificate authority.
Create a root certificate authority
You can create a root certificate authority (CA) for signing the certificates the appliance sends to its clients and use it instead of the default certificate authority.
Task
1 Select Policy | Settings.
2 On the Engines branch of the settings tree, go to SSL Client Context with CA and select the settings you want to use the new certificate authority for.
3 Click Generate New.
The Generate New Certificate Authority window opens.
4 In the Organization and Locality fields, type suitable information for your own certificate authority.
5 [Optional] In the Organizational unit and State fields, type suitable information. From the Country list, select a country.
6 In the Common name field, type a common name for your own certificate authority.
7 [Optional] In the Email address field, type an email address of your organization.
8 From the Valid for list, select the time that your certificate authority should be valid.
9 [Optional] In the Comment field, type a plain-text comment on the certificate authority.
10 Click OK.
The new certificate authority is generated.
11 Click Save Changes.
Import a root certificate authority
You can import a root certificate authority (CA) for signing the certificates the appliance sends to its
clients and use it instead of the default certificate authority.
Task
1 Select Policy | Settings.
2 On the settings tree, select SSL Client Context with CA and click the settings you want to use the imported certificate authority for.
3 Click Import.
The Import Certificate Authority window opens.
4 Enter the name of the certificate authority file in the Certificate field by clicking Browse and browsing to a suitable file.
The file must be encoded in PEM (Privacy-enhanced mail) format.
5 Enter the name of the certificate key file in the Private key field by clicking Browse and browsing to a suitable file.
The file must be encoded in PEM format. The key must have a length of at least 2048 bit.
6 [Conditional] If the private key is protected by a password, type it in the Password field.
Only unencrypted keys and keys that are AES-128-bit encrypted can be used here.
7 [Conditional] If the certificate authority is part of a certificate chain and you want to provide information on this chain with the certificate, enter the name of the file containing the information in the Certificate chain field by clicking Browse and browsing to a suitable file.
The file must be encoded in PEM format.
8 Click OK.
The certificate authority is imported.
9 Click Save Changes.
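A pre-import check for the private key file that the procedure above asks for, as an added example that is not McAfee code: it verifies the requirements the guide states (PEM encoding, a key length of at least 2048 bit, and a key that is either unencrypted or AES-128 encrypted) using only the standard library. It assumes that "AES-128 encrypted" corresponds to the legacy PEM header DEK-Info: AES-128-CBC, and it reads the key length only from unencrypted PKCS#1 RSA keys (label RSA PRIVATE KEY); the sample keys at the bottom are constructed, with a made-up modulus, and are not usable keys.

```python
# Added example (not McAfee code): a pre-import check for the private key file
# used in "Import a root certificate authority". It checks the requirements the
# guide states (PEM, >= 2048 bit, unencrypted or AES-128 encrypted).
# Assumption: "AES-128 encrypted" means the legacy PEM header DEK-Info: AES-128-CBC.
# The sample keys built at the bottom are constructed with a dummy modulus.
import base64
import re

MIN_KEY_BITS = 2048
ALLOWED_CIPHERS = {"AES-128-CBC"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


# Minimal DER helpers: enough to build and read the start of a PKCS#1
# RSAPrivateKey, i.e. SEQUENCE { version INTEGER, modulus INTEGER, ... }.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                      # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def rsa_modulus_bits(der):
    """Bit length of the modulus of a PKCS#1 RSAPrivateKey (DER)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02 or int.from_bytes(version, "big") != 0:
        raise ValueError("not a PKCS#1 RSAPrivateKey (version 0)")
    tag, modulus, _ = _read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("modulus missing")
    return int.from_bytes(modulus, "big").bit_length()


def check_private_key_pem(text):
    """Return {'ok': bool, ...} describing whether the key file meets the import rules."""
    m = PEM_RE.search(text)
    if not m:
        return {"ok": False, "reason": "file is not PEM encoded"}
    label, body = m.group(1), m.group(2)
    headers, b64 = {}, []
    for line in body.splitlines():
        if ":" in line:                  # legacy PEM headers precede the base64 body
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
        elif line.strip():
            b64.append(line.strip())
    if "DEK-Info" in headers:            # encrypted key: only AES-128 is accepted
        cipher = headers["DEK-Info"].split(",")[0].strip()
        if cipher not in ALLOWED_CIPHERS:
            return {"ok": False, "reason": f"key is {cipher} encrypted; only AES-128 is supported"}
        return {"ok": True, "label": label, "encrypted": True, "cipher": cipher, "bits": None}
    if label != "RSA PRIVATE KEY":
        return {"ok": False, "reason": f"unsupported PEM label '{label}' for this check"}
    try:
        bits = rsa_modulus_bits(base64.b64decode("".join(b64), validate=True))
    except (ValueError, IndexError) as exc:   # binascii.Error is a ValueError
        return {"ok": False, "reason": f"cannot parse key: {exc}"}
    if bits < MIN_KEY_BITS:
        return {"ok": False, "reason": f"{bits}-bit key is shorter than {MIN_KEY_BITS} bit"}
    return {"ok": True, "label": label, "encrypted": False, "cipher": None, "bits": bits}


def to_pem(label, der, headers=None):
    """Wrap DER (or ciphertext) as PEM; headers only for the constructed encrypted samples."""
    head = "".join(f"{k}: {v}\n" for k, v in (headers or {}).items())
    head = head + "\n" if head else ""
    return f"-----BEGIN {label}-----\n{head}{base64.encodebytes(der).decode()}-----END {label}-----\n"


def constructed_rsa_key(bits):
    """Constructed PKCS#1 structure with a dummy modulus of the given size; not a usable key."""
    modulus = (1 << (bits - 1)) | 0x10001
    placeholders = [der_int(1)] * 6      # d, p, q, dp, dq, qinv stand-ins
    return der_seq(der_int(0), der_int(modulus), der_int(65537), *placeholders)


SAMPLE_OK = to_pem("RSA PRIVATE KEY", constructed_rsa_key(2048))
SAMPLE_SHORT = to_pem("RSA PRIVATE KEY", constructed_rsa_key(1024))
SAMPLE_AES128 = to_pem("RSA PRIVATE KEY", b"constructed ciphertext",
                       {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-128-CBC,00112233445566778899AABBCCDDEEFF"})
SAMPLE_AES256 = to_pem("RSA PRIVATE KEY", b"constructed ciphertext",
                       {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-256-CBC,00112233445566778899AABBCCDDEEFF"})
```

For an encrypted key the modulus cannot be read without the passphrase, so the check reports only the cipher; run it on a file with `check_private_key_pem(open(path).read())` before uploading the key in the Import Certificate Authority window.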
Client certificate list
The client certificate list is a list of certificates that can be sent to a web server when a client request
is received on an appliance in SSL-secured communication and passed on to the appropriate web
server.
The certificate is sent when the web server asks for it at the initial and subsequent handshakes, as
SSL renegotiation is performed.
A rule event tells the appliance to use a client certificate for communication with the web server. The
certificate can then be selected from the client certificate list.
In this case, the private key for the certificate must be provided by the client that sent the request.
Alternatively, a preconfigured certificate can be used that is always sent to the web server.
The rule event that triggers the use of a certificate from the client certificate list can belong to rules
that apply to CONNECT requests (even in transparent setups) or to rules in rule sets for certificate
verification that have CERTVERIFY as value for the Command.Name property in their criteria.
You can configure settings for the rule event that include a client certificate list and the instruction to
use it. The settings can also specify that the private key for the certificates that the clients of the
appliance provide is stored unencrypted.
Create a client certificate list
You can create a list of client certificates that can be sent to web servers in SSL-secured
communication.
Task
1
Select Policy | Settings.
2
On the settings tree, select SSL Client Certificate Handling and click Add.
The Add Settings window opens with the Add Settings tab selected.
3
Configure general settings parameters.
a
In the Name field, type a name for the settings.
b
[Optional] In the Comments field, type a plain-text comment on the settings.
c
[Optional] Click the Permissions tab and configure who is allowed to access the settings.
4
Under Client Certificate Handling, make sure the option Use client certificate from Known client certificates list if client
has proven ownership is selected.
5
On the toolbar of the Known client certificates list, click Add.
The Add Client Certificate window opens.
6
Click Import to import a client certificate.
The Import Client Certificate window opens.
7
Import a client certificate.
a
Next to the Certificate field, click Browse, and within the local file manager that opens, browse to a
suitable certificate file and select it.
The file manager closes and the certificate file name appears in the field.
b
Next to the Private key field, click Browse, and within the local file manager that opens, browse to a
suitable key file and select it.
The file manager closes and the key file name appears in the Private key field. If the key file is
password-protected, type its password in the Password field.
c
Click OK.
The Import Client Certificate window closes and the certificate information appears in the Add Client
Certificate window.
d
[Optional] In the Comments field, type a plain-text comment on the certificate.
8
Click OK.
The Add Client Certificate window closes and the certificate file name and comment (if provided) appear
in the Known client certificates list.
Repeat Steps 5 to 8 for any other certificate you want to add to the list.
9
Click OK to close the Add Settings window.
10
Click Save Changes.
SSL Client Certificate Handling settings
The SSL Client Certificate Handling settings are used for configuring client certificates that are sent to
web servers in SSL-secured communication.
SSL Client Certificate Handling
Settings for configuring SSL client certificates
Table 11-25 SSL Client Certificate Handling
Option
Definition
Use client certificate from Known client certificates list if client has proven ownership
When selected, the client certificate that is sent to a web server in SSL-secured communication is
taken from the list of known client certificates.
However, a certificate is only taken from this list if the client whose request the appliance forwards
to the server has proven that it is the owner of this certificate.
After selecting this radio button, the Known Client Certificates section appears, which provides settings
for configuring a list of certificates.
Always use predefined client certificate
When selected, the same client certificate is always sent to a web server in SSL-secured communication.
After selecting this radio button, the Predefined Client Certificate section appears, which provides
settings for configuring a single certificate.
Known client certificates
Settings for configuring a list of known client certificates that can be sent to a web server
Table 11-26 Known client certificates
Option
Definition
List of known client certificates
Provides a list of client certificates that can be sent to a web server in SSL-secured communication.
The following table describes the elements of an entry in the list of known client certificates.
Table 11-27 Known client certificates – List entry
Option
Definition
Certificate
Specifies the name of a client certificate.
Comment
Provides a plain-text comment on a certificate.
Predefined client certificate
Settings for configuring a client certificate that is always sent to a web server
Table 11-28 Predefined client certificate
Option
Definition
Subject, Issuer, Validity, Extensions
Provides information on the client certificate that is currently used for sending to a web server.
Import
Opens the Import Client Certificate window for importing a client certificate.
After the import, information on the client certificate appears under Subject,
Issuer, and in the other information fields.
Export
Opens your local file manager to let you store a client certificate in a suitable location.
Export Key
Opens your local file manager to let you store the private key for a client certificate in a suitable
location. Treat the exported key file as a secret: anyone who obtains it can authenticate to web servers
as the owner of the certificate.
Certificate Chain
Displays a certificate chain if one has been imported with a client certificate.
SSL Scanner settings
The SSL Scanner settings are used for configuring the way certificates are verified and content
inspection is enabled for SSL-secured web traffic.
Enable SSL Scanner
Settings for configuring certificate verification or the enabling of content inspection
Table 11-29 Enable SSL Scanner
Option
Definition
SSL scanner function
Selects the function that is performed by the SSL Scanner module.
• Certificate verification — When selected, the module verifies certificates
submitted in SSL-secured communication.
• SSL inspection — When selected, the module inspects the content of web
objects transmitted in SSL-secured communication.
SSL protocol version
Selects the version of the protocol that the SSL Scanner module uses when it performs a handshake with
a web server.
• TLS 1.0 — When selected, TLS (Transport Layer Security) version 1.0 is used.
• SSL 3.0 — When selected, SSL version 3.0 is used.
SSL 3.0 is deprecated (RFC 7568) and has known weaknesses; select it only for a server that supports
nothing newer.
Server cipher list
Specifies, as an OpenSSL cipher list string, the cipher suites that the SSL Scanner module offers when it
negotiates SSL-secured communication with a web server.
The SSL Scanner module uses different strings for default certificate verification and for verifying
certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.
SSL session cache TTL
Limits the time (in seconds) that the parameters of a session in SSL-secured communication are kept in
the session cache.
Allow handshake and renegotiation with servers that do not implement RFC 5746
When selected, the SSL Scanner module also performs handshakes and renegotiations with web servers
that do not implement RFC 5746 (the TLS Renegotiation Indication Extension, which prevents an attacker
from splicing a handshake of their own in front of a victim's session). Leave this option disabled
unless a specific server requires it.
Allow Alternative Handshakes
Settings for handshakes in SSL-secured communication that use alternative parameter values
Table 11-30 Allow Alternative Handshakes
Option
Definition
Use alternative handshake settings after handshake failure
When selected, the SSL Scanner module retries with the alternative parameter values configured here
after the first attempt to perform a handshake in SSL-secured communication has failed.
Note that an attacker who can make the first handshake fail can force the alternative settings to be
used, so keep them no weaker than the servers you must reach require.
SSL protocol version
Selects the version of the protocol the SSL Scanner module follows when it performs an alternative
handshake.
• TLS 1.0 — When selected, TLS (Transport Layer Security) version 1.0 is used.
• SSL 3.0 — When selected, SSL version 3.0 is used.
Server cipher list
Specifies, as an OpenSSL cipher list string, the cipher suites that the SSL Scanner module offers in an
alternative handshake with a web server.
The SSL Scanner module uses different strings for default certificate verification and for verifying
certificates from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.
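Tables 11-29 and 11-30 describe the server cipher list as a string of OpenSSL symbols, with a second string for servers that do not support EDH. The script below is an added example, not Web Gateway code: it uses Python's ssl module, which hands the string to the same OpenSSL cipher-string parser, to check such a string before it is pasted into the settings. It expands the string, confirms that the no-EDH variant removes only the finite-field DHE suites (ECDHE is unaffected), and builds a context with a TLS 1.2 floor. The two strings DEFAULT_SERVER_CIPHERS and NO_EDH_SERVER_CIPHERS are this example's own choice, not the appliance's built-in values.

```python
"""Added example, not Web Gateway code: check an OpenSSL cipher list string
and a protocol floor with Python's ssl module, which wraps the same OpenSSL
cipher-string parser the SSL Scanner settings hand their strings to."""
from __future__ import annotations

import ssl

# Two strings in the style the guide describes: a default list, and a variant
# for servers that cannot negotiate ephemeral Diffie-Hellman (EDH/DHE).  Both
# are this example's own choice, not the appliance's built-in values.
DEFAULT_SERVER_CIPHERS = "HIGH:!aNULL:!MD5:!PSK"
NO_EDH_SERVER_CIPHERS = "HIGH:!aNULL:!MD5:!PSK:!kEDH"


def expand_cipher_list(cipher_list: str) -> list[str]:
    """Suite names the string selects (TLS 1.2 and earlier), in preference
    order, as this OpenSSL build expands it.  TLS 1.3 suites are configured
    separately in OpenSSL and are left out.  Raises ssl.SSLError if the
    string is malformed or selects nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_valid_cipher_list(cipher_list: str) -> bool:
    """True if OpenSSL accepts the string and it selects at least one suite."""
    try:
        return bool(expand_cipher_list(cipher_list))
    except ssl.SSLError:
        return False


def uses_ephemeral_dh(suite_name: str) -> bool:
    """Finite-field ephemeral DH key exchange, the "EDH" the guide refers to.
    ECDHE suites are a different family and are not affected by !kEDH."""
    return suite_name.startswith(("DHE-", "EDH-", "ADH-"))


def suites_removed_by_no_edh(default_list: str, no_edh_list: str) -> list[str]:
    """Suites the default list offers that the no-EDH list does not."""
    kept = set(expand_cipher_list(no_edh_list))
    return [s for s in expand_cipher_list(default_list) if s not in kept]


def scanner_context(cipher_list: str,
                    floor: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client-side context as a scanner connecting to a web server would use
    it: a protocol floor (SSL 3.0 is never offered) plus the cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = floor
    ctx.set_ciphers(cipher_list)
    return ctx


if __name__ == "__main__":
    print("dropped by the no-EDH list:",
          suites_removed_by_no_edh(DEFAULT_SERVER_CIPHERS, NO_EDH_SERVER_CIPHERS))
    print("still offered:", expand_cipher_list(NO_EDH_SERVER_CIPHERS))
```

Run it on the OpenSSL build closest to the appliance's; the expansion of a string such as HIGH depends on the OpenSSL version, so a list that looks right on a workstation can still differ on the appliance.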
SSL Client Context with CA settings
The SSL Client Context with CA settings are used to configure the sending of certificates with information
about the certificate authority to the clients of a Web Gateway appliance.
Define SSL Client Context (Certificate Authority)
Settings for sending a certificate to the clients with information about the certificate authority
Table 11-31 Define SSL Client Context (Certificate Authority)
Option
Definition
(Current certificate and default root certificate authority)
Under Subject, Issuer, and the other field names, information is provided about the certificate that is
currently sent to the clients of an appliance in SSL-secured communication.
Information is also provided about the root certificate authority (root CA) that signed this certificate.
After the initial setup, the certificate is signed by the default root certificate authority, which is
supplied with the product by McAfee.
This default CA is self-signed: it issued its own certificate instead of being certified by a CA that your
clients already trust. Clients therefore do not trust certificates issued by it unless its certificate
has been installed in their trust stores, and its private key is not one that your organization
generated or controls.
For further administration of the SSL functions on Web Gateway, we recommend that you create your own
root certificate authority, so that the only key able to issue certificates for your clients is one your
organization holds.
Use the Generate New option to create this certificate authority.
Certificate Authority
Provides several options for performing activities that are related to a certificate authority.
• Generate New — Opens a window for generating a new certificate authority.
• Import — Opens a window for importing a certificate authority.
The window provides an option for importing a file with information about a certificate authority and
the certificate that was signed by it.
Additionally, you can include a file with information about the chain of certificate authorities that
were involved in the validation process.
This can be a chain file that you created and stored in the file system before, for example one
received from the CA that issued your certificate. Such a file typically contains the following:
• The certificate that an appliance sends as server to its clients
• The intermediate certificate authorities, one of which signed the certificate, while the others
each validated another certificate authority
• The root certificate authority, which is the first instance that validated another certificate
authority
Before importing a certificate chain file, you must make sure that it only contains the certificates of
the intermediate certificate authorities. Remove the server certificate and the root CA certificate from
the file; otherwise the import will fail.
• Export — Lets you browse to a location within your file system that you can export a certificate
authority file to.
• Export key — Lets you browse to a location within your file system that you can export the key file
for a certificate authority to. Protect this file: whoever holds the CA's private key can issue a
certificate for any host name that the appliance's clients will trust.
Send certificate chain
When selected, the appliance sends, together with the certificate it presents to its clients, the chain
of certificate authorities that were involved in validating that certificate.
To make this information available, you must include the certificate chain when using the option for
importing a certificate authority.
The appliance sends the certificate that is configured here as a server to its clients. The certificate is
therefore also referred to as the server certificate.
The server certificate is considered to exist on level 0. When a certificate authority signs this
certificate to validate it, it is done on level 1. When an additional certificate authority validates
the first certificate authority, it is done on level 2. With each additional certificate authority that
is involved, the level increases by one.
Certificate chain
Provides information on a certificate chain. After importing a certificate authority file with
information about the certificate chain, the information appears in this field.
Use custom domain key
When selected, the server certificates that the appliance generates for the domains its clients request
are created with a key pair that you have imported yourself instead of a key pair that the appliance
generates. Only the certificate is sent to the clients; the private key never leaves the appliance.
Custom domain key
Provides the following options for handling a custom domain key.
• Import Key — Lets you browse to a location within your file system that you can import a custom
domain key file from.
• Export Key — Lets you browse to a location within your file system that you can export a custom
domain key file to.
Digest
Provides a list for selecting the digest (hash) algorithm used when signing the certificates that the
appliance generates.
RSA server key size
Sets the size, in bits, of the RSA key pairs that the appliance generates for the server certificates it
issues to its clients.
Certificates that are signed by the CA are valid for
Limits the time (in days) that a certificate signed by the certificate authority configured here is valid.
Client cipher list
Specifies, as an OpenSSL cipher list string, the cipher suites that the appliance offers to its clients
in SSL-secured communication.
SSL session cache TTL
Limits the time (in seconds) that SSL session parameters are stored in the cache.
Perform insecure renegotiations
When selected, Web Gateway renegotiates the parameters of the SSL-secured communication with a client
even if the client does not support secure renegotiation (RFC 5746). Leave this option disabled unless
a specific client requires it.
Send empty plain-text fragment
When selected, an empty plain-text record is inserted before each data record that the appliance sends
to its clients when a CBC cipher suite is in use. This is the countermeasure, as implemented in OpenSSL,
against chosen-plaintext attacks on CBC cipher suites; disable it only for clients that cannot handle
the empty record.
SSL protocol version
Selects the version of the protocol that the SSL scanning module follows when dealing with handshakes.
• TLS 1.2 — When selected, TLS (Transport Layer Security) version 1.2 is used.
• TLS 1.1 — When selected, TLS (Transport Layer Security) version 1.1 is used.
• TLS 1.0 — When selected, TLS (Transport Layer Security) version 1.0 is used.
• SSL 3.0 — When selected, SSL version 3.0 is used.
SSL 3.0 is deprecated (RFC 7568) and has known weaknesses; do not select it unless a client supports
nothing newer.
SSL Client Context without CA settings
The SSL Client Context without CA settings are used to configure the sending of certificates with no
information about the certificate authority to the clients of a Web Gateway appliance.
Define SSL Client Context (Without Certificate Authority)
Settings for sending a certificate to the clients with no information about the certificate authority
Table 11-32 Define SSL Client Context (Without Certificate Authority)
Option
Definition
Select server certificate by host or IP
Provides a list of certificates that are sent to the clients and the host systems that they have been
retrieved from. A host system is identified by a host name or an IP address.
The certificates are sent from an appliance in its role as a server to the clients. The certificates are
therefore referred to as server certificates.
Table 11-33 Select server certificate by host or IP — List entry
Option
Definition
Host
Specifies the host name or IP address of the host system that a certificate is retrieved from.
Server Certificate
Provides information on the certificate that is currently sent from an appliance in its role as a server
to its clients.
When adding an entry for a new certificate to the list, you can generate or import the certificate.
Options for performing these activities are provided in the window for adding a list entry under Server
Certificate.
• Generate — Opens a window for generating a new certificate.
• Import — Opens a window for importing a certificate.
The window provides an option for importing a file with information about a certificate.
Additionally, you can include a file with information about the chain of certificate authorities that
were involved in the validation process.
This can be a chain file that you created and stored in the file system before, for example one
received from the CA that issued the certificate. Such a file typically contains the following:
• The certificate that an appliance sends as server to its clients
• The intermediate certificate authorities, one of which signed the certificate, while the others
each validated another certificate authority
• The root certificate authority, which is the first instance that validated another certificate
authority
Before importing a certificate chain file, you must make sure that it only contains the certificates of
the intermediate certificate authorities. Remove the server certificate and the root CA certificate
from the file; otherwise the import will fail.
• Export — Lets you browse to a location within your file system that you can export the certificate
file to.
• Export key — Lets you browse to a location within your file system that you can export the key file
for the certificate to. Protect this file: whoever holds the private key can impersonate the host the
certificate was issued for.
HSM
Provides information on the Hardware Security Module that holds the private key for the certificate,
if one is used.
Certificate chain
Provides information on the chain of certificates and certificate authorities that were involved in the
validation of the certificate that is sent to the clients.
Comment
Provides a plain-text comment on a certificate.
Table 11-34 Define SSL Client Context (Without Certificate Authority) — Continued
Option
Definition
SSL Scanner functionality applies only to client connection
When selected, traffic is only processed using the SSL scanning functions on the connection from an
appliance to its clients.
Client cipher list
Specifies, as an OpenSSL cipher list string, the cipher suites that the appliance offers to its clients
in SSL-secured communication.
SSL session cache TTL
Limits the time (in seconds) that SSL session parameters are stored in the cache.
Perform insecure renegotiations
When selected, Web Gateway renegotiates the parameters of the SSL-secured communication with a client
even if the client does not support secure renegotiation (RFC 5746). Leave this option disabled unless
a specific client requires it.
Send empty plain-text fragment
When selected, an empty plain-text record is inserted before each data record that the appliance sends
to its clients when a CBC cipher suite is in use (the countermeasure, as implemented in OpenSSL,
against chosen-plaintext attacks on CBC cipher suites). Disable it only for clients that cannot handle
the empty record.
SSL protocol version
Selects the version of the protocol that the SSL Scanner module follows when dealing with handshakes.
• TLS 1.2 — When selected, TLS (Transport Layer Security) version 1.2 is used.
• TLS 1.1 — When selected, TLS (Transport Layer Security) version 1.1 is used.
• TLS 1.0 — When selected, TLS (Transport Layer Security) version 1.0 is used.
• SSL 3.0 — When selected, SSL version 3.0 is used.
SSL 3.0 is deprecated (RFC 7568); do not select it unless a client supports nothing newer.
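The chain import described under Tables 11-31 and 11-33 fails unless the chain file holds only the intermediate CA certificates, yet the file a CA hands out usually bundles the server certificate and the root as well. The script below is an added example, not Web Gateway code: it takes a PEM bundle in any order, classifies each certificate as server certificate, intermediate or root by comparing issuer and subject names, and writes out the intermediates only, ordered from the CA that signed the server certificate upwards. Issuer and subject are read with a minimal DER walk so that nothing beyond the standard library is needed. The certificates in SAMPLE_BUNDLE are constructed for this example: they have the real X.509 layout but a placeholder signature, and the names in them are made up.

```python
"""Added example, not Web Gateway code: take a PEM bundle holding the server
certificate, the intermediate CAs and the root (in any order) and produce the
chain file the import expects, with only the intermediates, ordered from the
CA that signed the server certificate towards the root.  Issuer and subject
are read with a minimal DER walk; no third-party library is needed."""
from __future__ import annotations

import base64
import re

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_OID_CN = b"\x55\x04\x03"                                   # 2.5.4.3 commonName
_OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11

def pem_to_der_list(bundle: str) -> list[bytes]:
    return [base64.b64decode("".join(b.split())) for b in _PEM.findall(bundle)]

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der: bytes) -> tuple[bytes, bytes]:
    """Raw DER content of the issuer and subject Names.  Certificate = SEQ{tbs, sigAlg,
    sig}; tbs = SEQ{[0] version?, serial, sigAlg, issuer, validity, subject, ...}."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields, pos = [], 0
    while len(fields) < 5:
        tag, value, pos = _tlv(tbs, pos)
        if tag == 0xA0 and not fields:      # explicit version tag: skip it
            continue
        fields.append(value)
    return fields[2], fields[4]

def common_name(name_der: bytes) -> str:
    """Value of the first attribute of a Name (enough to label the sample chain)."""
    _, rdn, _ = _tlv(name_der, 0)           # SET
    _, attr, _ = _tlv(rdn, 0)               # SEQ { OID, value }
    _, _, pos = _tlv(attr, 0)               # skip the OID
    return _tlv(attr, pos)[1].decode()

def intermediates_only_pem(bundle: str) -> str:
    """Chain file for import: intermediate CA certificates only, leaf side first."""
    certs = {d: issuer_and_subject(d) for d in pem_to_der_list(bundle)}
    issuers = {iss for iss, _ in certs.values()}
    leaves = [d for d, (iss, subj) in certs.items() if iss != subj and subj not in issuers]
    if len(leaves) != 1:
        raise ValueError("bundle must contain exactly one server certificate")
    # Candidates are the non-self-signed certificates other than the leaf.
    by_subject = {subj: d for d, (iss, subj) in certs.items() if iss != subj and d != leaves[0]}
    ordered, issuer = [], certs[leaves[0]][0]
    while issuer in by_subject:             # walk upwards; the self-signed root ends the walk
        ordered.append(by_subject.pop(issuer))
        issuer = certs[ordered[-1]][0]
    if by_subject:
        raise ValueError("bundle contains certificates that do not chain to the server certificate")
    return "".join(der_to_pem(d) for d in ordered)

# --- constructed sample chain: real X.509 layout, placeholder (unsigned) signature ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn: str) -> bytes:                # SEQ { SET { SEQ { OID commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, _OID_CN) + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject: str, issuer: str) -> str:
    alg = _der(0x30, _der(0x06, _OID_SHA256_RSA))
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer) + validity + _name(subject))
    return der_to_pem(_der(0x30, tbs + alg + _der(0x03, b"\x00")))

SAMPLE_BUNDLE = (fake_cert_pem("Example Root CA", "Example Root CA")          # root, self-signed
                 + fake_cert_pem("www.example.com", "Example Issuing CA")     # server certificate
                 + fake_cert_pem("Example Policy CA", "Example Root CA")      # intermediate, level 2
                 + fake_cert_pem("Example Issuing CA", "Example Policy CA"))  # intermediate, level 1

def chain_subjects(pem: str) -> list[str]:
    return [common_name(issuer_and_subject(d)[1]) for d in pem_to_der_list(pem)]

if __name__ == "__main__":
    print(chain_subjects(intermediates_only_pem(SAMPLE_BUNDLE)))
```

The script links certificates by issuer and subject name only and does not check signatures, so verify the resulting chain with your CA tooling before importing it; a self-signed server certificate would be classified as a root here, and a bundle with no intermediates yields an empty chain file.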
Certificate Chain settings
The Certificate Chain settings are used for configuring the module that handles the building of
certificate chains.
Certificate Verification
Settings for building a chain of certificates
Table 11-35 Certificate Verification
Option
Definition
List of certificate authorities
Provides a list for selecting a list of certificate authorities (CAs) that sign the certificates in a
certificate chain.
The following table describes the elements of a list entry.
Table 11-36 List of certificate authorities
Option
Definition
Certificate authority
Specifies the name of a certificate authority.
Certificate revocation list
Specifies the certificate revocation list (CRL) published by this certificate authority, which identifies
certificates the authority has revoked before their expiry date, and the URI used to retrieve the list.
Trusted
When selected, a certificate authority is trusted on the appliance. A chain whose first known CA is not
trusted is blocked by the default Certificate Verification rule set.
Comment
Plain-text comment on a certificate authority
SSL Scanner rule set
The SSL Scanner rule set is the default rule set for SSL scanning.
Default rule set – SSL Scanner
Criteria – Always
Cycles – Requests (and IM)
The following rule sets are nested in this rule set:
• Handle CONNECT Call
• Certificate Verification
• Verify Common Name (proxy setup)
• Content Inspection
• Verify Common Name (transparent setup)
Handle CONNECT Call
This nested rule set handles the CONNECT call in SSL-secured communication and enables certificate
verification.
Nested library rule set – Handle CONNECT Call
Criteria – Command.Name equals “CONNECT”
Cycles – Requests (and IM)
The rule set criteria specifies that the rule set applies when a request is received on the appliance that
contains the CONNECT command, which is sent in the opening phase of SSL-secured communication.
The rule set contains the following rules:
Set client context
Always –> Continue – Enable SSL Client Context with CA <Default CA>
The rule enables the use of a server certificate that is sent to a client.
The event settings specify the McAfee Web Gateway root certificate authority (CA), which is
implemented on the appliance after the initial setup, as the default issuer of this certificate.
The Continue action lets processing continue with the next rule.
Tunneled hosts
URL.Host is in list SSL Host Tunnel List –> Stop Cycle
The rule lets requests for access to hosts with a URL that is on the specified whitelist skip SSL
scanning.
Restrict destination ports to Allowed CONNECT Ports
URL.Port is not in list Allowed Connect Ports –> Block<Connect not allowed>
The rule blocks requests with destination ports that are not on the list of allowed CONNECT ports.
The action settings specify a message to the requesting user.
Enable certificate verification without EDH for hosts in no-EDH server list
URL.Host is in list No-EDH server –> Stop Rule Set – Enable SSL Scanner<Certificate Verification without edh>
The rule enables certificate verification for requests sent to a host on the no-EDH (Ephemeral
Diffie-Hellman) server list, that is, a server that cannot negotiate EDH cipher suites.
The event settings specify running in verification mode for the SSL Scanner module and a server cipher
list that excludes the EDH cipher suites. The Stop Rule Set action skips the remaining rules of this rule
set, so the default cipher list is not applied to these hosts.
Enable certificate verification
Always –> Stop Rule Set – Enable SSL Scanner<Default certificate verification>
The rule enables certificate verification.
The event settings specify that the SSL Scanner module runs in verification mode.
Certificate Verification
This nested rule set handles the CERTVERIFY call in SSL-secured communication. It lets whitelisted
certificates skip verification and blocks others according to particular criteria.
Nested library rule set – Certificate Verification
Criteria – Command.Name equals “CERTVERIFY”
Cycles – Requests (and IM)
The rule criteria specifies that the rule set applies if a request is received on the appliance that
contains the CERTVERIFY command, which is sent to request the verification of a certificate.
The following rule set is nested in this rule set:
• Verify Common Name (proxy setup)
The rule set contains the following rules:
Skip verification for certificates found in Certificate Whitelist
SSL.Server.Certificate.HostAndCertificate is in list Certificate Whitelist –> Stop Rule Set
The rule lets whitelisted certificates skip verification.
Block self-signed certificates
SSL.Server.Certificate.SelfSigned equals true –> Block <Certificate incident>
The rule blocks requests with self-signed certificates.
The action settings specify a message to the requesting user.
Block expired server (7 day tolerance) and expired CA certificates
SSL.Server.Certificate.DaysExpired greater than 7 OR
SSL.Server.CertificateChain.ContainsExpiredCA<Default> equals true –> Block <Certificate incident>
The rule blocks requests when the server certificate has been expired for more than 7 days or when a CA
certificate in the chain has expired. Note that the tolerance means a server certificate that expired
less than 7 days ago is still accepted.
The action settings specify a message to the requesting user.
Block too long certificate chains
SSL.Server.CertificateChain.PathLengthExceeded<Default> equals true –> Block <Certificate
incident>
The rule blocks a certificate chain if its length exceeds the path length limit (the pathLenConstraint
of the basic constraints extension) that a CA certificate in the chain allows.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.
Block revoked certificates
SSL.Server.CertificateChain.ContainsRevoked<Default> equals true –> Block <Certificate incident>
The rule blocks a certificate chain if one of the included certificates has been revoked.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.
Block unknown certificate authorities
SSL.Server.CertificateChain.FoundKnownCA<Default> equals false –> Block <Certificate incident>
The rule blocks a certificate chain if none of the certificate authorities (CAs) issuing the included
certificates is a known CA.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.
Block untrusted certificate authorities
SSL.Server.FirstKnownCAIsTrusted<Default> equals false –> Block <Certificate incident>
The rule blocks a certificate chain if the first known CA that was found is not trusted.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.
Verify Common Name (proxy setup)
This nested rule set verifies the common name in a certificate. It applies to requests sent in explicit
proxy mode.
Nested library rule set – Verify Common Name (proxy setup)
Criteria – Connection.SSL.TransparentCNHandling equals false
Cycles – Requests (and IM)
The rule criteria specifies that the rule set applies if a request is received on a connection used in
SSL-secured communication and verification of the common name is not performed in transparent
mode.
The rule set contains the following rules:
Allow matching hostname
URL.Host equals Certificate.SSL.CN –> Stop Rule Set
The rule allows a request if the URL of the requested host is the same as the common name in the
certificate.
Allow wildcard certificates
Certificate.SSL.CN.HasWildcards equals true AND URL.Host matches
Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) –> Stop Rule Set
The rule allows requests to hosts sending certificates that have wildcards in their common names
matching the URLs of the hosts.
To verify that a common name containing wildcards matches a host, this name is converted into a
regular expression.
Allow alternative common names
URL.Host is in list Certificate.SSL.AlternativeCNs –> Stop Rule Set
The rule allows requests to hosts with alternative common names in their certificates if the host
matches at least one of them.
Block incident
Always –> Block <Common name mismatch>
If any of the rules for allowing matching common names applies, processing of the rule set stops and
this rule is not processed. Otherwise, requests are blocked by this rule because it is then a common
name mismatch.
The action settings specify a message to the requesting user.
Content Inspection
This nested rule set completes the handling of a CERTVERIFY call. It lets some requests skip content
inspection according to particular criteria and enables inspection for all others.
Nested library rule set – Content Inspection
Criteria – Command.Name equals “CERTVERIFY”
Cycles – Requests (and IM)
The rule criteria specifies that the rule set applies if a request is received on the appliance that
contains the CERTVERIFY command, which is sent to request the verification of a certificate.
The rule set contains the following rules:
Skip content inspection for hosts found in SSL Inspection Whitelist
Connection.SSL.Transparent equals false AND URL.Host matches in list SSL Inspection Whitelist –>
Stop Rule Set
The rule lets requests sent to whitelisted hosts skip content inspection. It applies only in
non-transparent mode.
Skip content inspection for CN found in SSL Inspection Whitelist
Connection.SSL.Transparent equals true AND Certificate.SSL.CN matches in list SSL Inspection
Whitelist –> Stop Rule Set
The rule lets requests with whitelisted common names in their certificates skip content inspection. It
applies only in transparent mode.
The rule is not enabled initially.
Do not inspect connections with client certificates
Connection.Client.CertificateIsRequested equals true –> Stop Rule Set
The rule lets requests skip inspection if they require the use of client certificates.
The rule is not enabled initially.
Enable content inspection
Always –> Continue – Enable SSL Scanner<Enable content inspection>
The rule enables content inspection.
The event settings specify that the SSL Scanner module runs in inspection mode.
If any of the rules for skipping content inspection applies, processing of the rule set stops and this
last rule, which enables the inspection, is not processed. Otherwise, content inspection is enabled by
this rule.
Verify Common Name (transparent setup)
This nested rule set verifies the common name in a certificate. It applies only to requests sent in
transparent mode.
With requests sent in explicit proxy mode, the host name that is compared to the common name is
taken from the CONNECT request that a client sends.
As in transparent mode no CONNECT request is sent, the host name is taken from the request for web
access that a client sends.
Nested library rule set – Verify Common Name (transparent setup)
Criteria – Connection.SSL.TransparentCNHandling equals true AND Command.Name does not equal
“CONNECT” AND Command.Name does not equal “CERTVERIFY”
Cycles – Requests (and IM)
The rule criteria specifies that the rule set applies if a request is received on a connection used in
SSL-secured communication and verification of the common name is performed in transparent mode.
The rule set contains the following rules:
Allow matching hostname
URL.Host equals Certificate.SSL.CN –> Stop Rule Set
The rule allows a request if the URL of the requested host is the same as the common name in the
certificate.
Allow wildcard certificates
Certificate.SSL.CN.HasWildcards equals true AND URL.Host matches
Certificate.SSL.CN.ToRegex(Certificate.SSL.CN) –> Stop Rule Set
The rule allows requests to hosts sending certificates that have wildcards in their common names
matching the URLs of the hosts.
To verify that a common name containing wildcards matches a host, this name is converted into a
regular expression.
Allow alternative common names
URL.Host is in list Certificate.SSL.AlternativeCNs –> Stop Rule Set
The rule allows requests to hosts with alternative common names in their certificates if the host
matches at least one of them.
Block incident
Always –> Block <Common name mismatch>
If any of the rules for allowing matching common names applies, processing of the rule set stops and
this rule is not processed. Otherwise, requests are blocked by this rule because it is then a common
name mismatch.
The action settings specify a message to the requesting user.
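The two Verify Common Name rule sets (proxy setup and transparent setup) apply the same three allow rules and differ only in where URL.Host comes from. The script below is an added example, not Web Gateway code, that writes those checks out in Python so the wildcard edge cases can be seen: a wildcard matches exactly one DNS label, so "*.example.com" covers "www.example.com" but neither "example.com" nor "a.b.example.com", and literal dots in a common name are escaped before it becomes a regular expression. The page does not show the exact conversion that Certificate.SSL.CN.ToRegex performs; the conversion here is this example's own reading of it. Two further choices go beyond the page: names are compared case-insensitively (DNS names are), and wildcards are honoured in the alternative names too, but only in the leftmost label, which is what browsers enforce.

```python
"""Added example, not Web Gateway code: the host-name checks of the Verify
Common Name rule sets written out in Python, in the order the rule sets
apply them.  The wildcard conversion is this example's reading of
Certificate.SSL.CN.ToRegex, not the appliance's implementation."""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable


def cn_has_wildcards(cn: str) -> bool:
    return "*" in cn


def cn_to_regex(cn: str) -> re.Pattern[str]:
    """Turn "*.example.com" into an anchored, case-insensitive regex in which
    every "*" matches exactly one DNS label (never empty, never a dot), so
    "*.example.com" matches "www.example.com" but not "example.com" or
    "a.b.example.com".  Literal parts are escaped, so "." cannot match an
    arbitrary character and no regex metacharacter in a CN is interpreted."""
    literal_parts = [re.escape(part) for part in cn.split("*")]
    return re.compile("^" + "[^.]+".join(literal_parts) + "$", re.IGNORECASE)


def wildcard_is_acceptable(name: str) -> bool:
    """Added strictness: a wildcard only in the leftmost label, with at least
    two literal labels after it, as browsers enforce.  Rejects "*", "*.com"
    and "www.*.com"."""
    labels = name.split(".")
    return ("*" in labels[0] and len(labels) >= 3
            and not any("*" in label for label in labels[1:]))


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _wildcard_match(host: str, name: str) -> bool:
    # A wildcard never covers an IP address, whatever the pattern says.
    return (cn_has_wildcards(name) and wildcard_is_acceptable(name)
            and not _is_ip_literal(host) and cn_to_regex(name).match(host) is not None)


def verify_common_name(host: str, cn: str, alternative_cns: Iterable[str] = ()) -> str:
    """Return the name of the rule that allowed the host, or the block action
    if none did, mirroring the rule order on the page.  `host` is what
    URL.Host carries: the CONNECT target in explicit proxy mode, the host of
    the intercepted request in transparent mode."""
    host = host.rstrip(".").lower()
    if host == cn.lower():
        return "Allow matching hostname"
    if _wildcard_match(host, cn):
        return "Allow wildcard certificates"
    for alt in alternative_cns:
        if host == alt.lower() or _wildcard_match(host, alt):
            return "Allow alternative common names"
    return "Block <Common name mismatch>"


if __name__ == "__main__":
    print(verify_common_name("www.example.com", "*.example.com"))
    print(verify_common_name("a.b.example.com", "*.example.com"))
```

The order matters for the same reason it does on the appliance: the exact-match and wildcard rules stop the rule set on success, and only a host that none of the allow rules accept reaches the block.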
Hardware Security Module
Use of a Hardware Security Module (HSM) enhances security when dealing with private keys for the
certificates that are sent to servers and clients in SSL-secured communication.
Every certificate has a public key, which is contained in the certificate itself, and a corresponding
private key, which must not be exposed. If you do not want to keep private keys in the file system of the
appliance, you can store them on a Hardware Security Module, which is a separate hardware component
that is installed on a Web Gateway appliance.
When a certificate is imported and a private key is needed for enabling its use, the key is referenced
by its ID (also known as key name) while remaining protected on the hardware component.
This method of key handling provides greater security than storing private keys in a file within your
file system, as such a file can be copied and read by anyone with access to the file system, whereas a
key on the module is used there and never leaves it.
Installing and accessing a Hardware Security Module
A Hardware Security Module is made available on a PCI card, which is installed together with the
appropriate drivers on an appliance that Web Gateway runs on.
When the module card is installed, you can access the module by logging on to the appliance from a
system console. To perform activities on the module, such as generating keys or unlocking them, you
enter suitable commands in the command line.
For more information on how to install a Hardware Security Module card and perform activities on the
module, see the documentation of the McAfee partner who provides the module (Thales).
Key handling on a Hardware Security Module
All cryptographic operations related to using a private key for a certificate are performed on the
Hardware Security Module.
Keys can be generated on the module, but can also be imported to it. To be available on Web Gateway
they are loaded by the HSM Agent, which is a component of the Web Gateway appliance system.
To enable the loading of keys, you must make the key ID known to the agent by adding it in string
format to a list on the user interface of Web Gateway.
Communication with the agent is handled by the HSM server, which is set up on a Web Gateway
appliance that has a Hardware Security Module installed. The setup is configured on the user interface
of Web Gateway.
Generating private keys usually includes the use of passwords or an Operator Card System (OCS) to
create additional security. Keys can also be generated, however, without any of these additional
options. If a key is protected by a password or OCS, you must unlock it before you can use it, which is
done on the Hardware Security Module.
Using a private key on a Hardware Security Module for a certificate
The user interface of Web Gateway provides options for importing a certificate as part of several
settings. When an HSM server is configured, selecting a private key for the certificate from a Hardware
Security Module is included within these options.
To make the key available for the certificate, it is referenced by its ID, which can be selected from a
list.
Extended use of a Hardware Security Module
Use of a Hardware Security Module on a Web Gateway appliance can be extended as follows.
• Using a Hardware Security Module remotely — A Hardware Security Module can be used by
other Web Gateway appliances within your network that have no module installed.
An HSM server is configured on the appliance that has the module installed. Appliances that have
no modules installed are configured as the clients of this server, which enables them to connect to
the server and load private keys. This configuration is performed on the user interface of Web
Gateway.
• Generating a private key for a root certificate — Your company can set up a security
infrastructure, which includes a root certificate authority for use throughout the company. The root
certificate authority on Web Gateway can be configured as an intermediate certificate authority that
is subordinate to the company-wide root certificate authority.
A certificate issued by the company-wide root certificate authority is then created for the
intermediate certificate authority on Web Gateway. The private key for this certificate is generated
on the Hardware Security Module.
For more information, see Working with a security infrastructure in this document.
Administrator responsibilities in key handling
To enhance security in key handling, responsibilities can be assigned to different administrators.
For example, one administrator might be responsible for generating private keys on a Hardware
Security Module, while the Web Gateway administrator uses the keys when configuring certificates on
the user interface of Web Gateway.
The Web Gateway administrator must know the IDs of the keys that were generated, as well as
any key passwords that might additionally have been set.
Logging key operations
Key operations involving the Hardware Security Module are logged on Web Gateway and displayed on
the dashboard of its user interface under SSL Scanner Statistics as Remote Private Key Operations.
Use a Hardware Security Module for key handling
To enhance security for the private keys of the certificates used in SSL-secured communication, you
can work with a Hardware Security Module. You can generate keys on the module, store them, and
perform other activities.
The following steps can be the responsibility of different administrators.
Task
1 Prepare a Web Gateway appliance for running a Hardware Security Module, which is made available
on a PCI card.
  a Install the PCI card with the Hardware Security Module on the appliance.
  b From a system console, install the drivers for the Hardware Security Module.
For more information about how to install the PCI card, see the McAfee Web Gateway Installation
Guide.
For more information about installing the module drivers, see the documentation of the McAfee
partner who provides the module (Thales).
2 From a system console, create a Security World and (optionally) an Operator Card Set for the keys
on the Hardware Security Module. Then generate keys or import them and remember the key IDs.
For more information about creating these items, see the documentation of the McAfee partner
who provides the module (Thales).
3 On the user interface of Web Gateway, configure one of the following use options:
  • Local use of the module
  Set up an HSM server for local use on an appliance that has a Hardware Security Module
  installed.
  • Remote use of the module
    • Set up an HSM server for local use on an appliance that has a Hardware Security Module
    installed. Then allow remote use of the module for the clients of this server.
    • Configure the appliances that have no module installed, but are to use it remotely, as HSM
    clients.
4 From a system console, unlock the keys on the Hardware Security Module that are protected by a
password or an Operator Card Set.
For more information about unlocking keys, see the documentation of the McAfee partner who
provides the module (Thales).
You can now select keys when importing certificates on the user interface of Web Gateway.
See also
Configure local use of a Hardware Security Module on page 400
Configure remote use of a Hardware Security Module on page 401
Select a private key on a Hardware Security Module on page 401
Configure local use of a Hardware Security Module
You can configure local use of a Hardware Security Module to let it only be used on the appliance that
has the module installed.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance you want to configure local use of the module for, then
click Hardware Security Module.
3 Under HSM Server, select Start local HSM server.
4 In the Keys to be loaded list, add entries for the keys that you want to be available for loading.
For each key, enter its key ID in string format.
5 Click Save Changes.
See also
Hardware Security Module settings on page 403
Configure remote use of a Hardware Security Module
Configure remote use of a Hardware Security Module to make it available to appliances within your
network that have no module installed.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance with the module that you want to configure remote use
for, then click Hardware Security Module.
3 Configure an HSM server on this appliance.
  a Under HSM Server, select Start local HSM server.
  b In the Keys to be loaded list, add entries for the keys that you want to be available for loading.
  For each key, enter its key ID in string format.
  c Click Allow remote connections.
  d In the HSM server port definition list, add one or more ports that listen to client requests.
  e Under Server identification, generate or import a certificate for the server. Then export it to a
  location where you can import it from when configuring the clients.
4 For each appliance that you want to configure as an HSM client:
  a On the appliances tree, select an appliance that has no module installed, then click Hardware
  Security Module.
  b Under HSM Client, select Use remote HSM server.
  c In the Remote server list, add an entry for the HSM server.
  Enter host name and listener port and import the server certificate.
  d Under Client identification, generate or import a certificate for the client. Then export it to a location
  where you can import it from when configuring the list of permitted clients.
5 Under HSM Server, add an entry for each HSM client to the Permitted clients list.
Enter the host name and import the client certificate.
6 Click Save Changes.
Select a private key on a Hardware Security Module
To select a private key on a Hardware Security Module for a certificate, reference the key by selecting
its ID from a list.
Private keys on a Hardware Security Module can be used when importing certificates as part of the
configuration activities for settings that are related to filtering SSL-secured communication. These
settings include:
• SSL Client Certificate Handling
• SSL Client Context with CA
• SSL Client Context without CA
The following sample procedure uses a private key for importing a certificate within the SSL Client Context
with CA settings.
Task
1 Select Policy | Settings.
2 On the Engines branch of the settings tree, expand SSL Client Context with CA, and select the Default CA
settings.
3 Under Define SSL Client Context, click Import next to Certificate Authority.
The Import Certificate Authority window opens.
4 Click Browse next to Certificate, then locate and import a certificate file.
5 Select HSM next to Private key source.
A list with the IDs for the available keys opens.
6 Select a key ID, then click Import to import the certificate with its key information.
7 Click Save Changes.
Working with a security infrastructure
You can work with a security infrastructure that exists within your company to generate a certificate
for the root certificate authority on Web Gateway. The private key for this certificate is retrieved from
a Hardware Security Module.
Many companies have a security infrastructure that provides elements, such as certificates and keys,
for use in SSL-secured communication. This infrastructure usually includes a root certificate authority
for company-wide use.
With regard to the public keys that are usually included in a security infrastructure, this structure or a
part of it is sometimes referred to as PKI (Public Key Infrastructure).
The root certificate authority on Web Gateway can be configured as an intermediate authority under
the company-wide root certificate authority. A certificate issued by the company-wide root certificate
authority is required for this configuration.
To create this certificate, a certificate signing request is submitted to Web Gateway from a system
console. The request also specifies a private key on the Hardware Security Module that is installed on
Web Gateway.
Create a certificate using a security infrastructure
You can have a certificate issued by a company-wide root certificate authority within a security
infrastructure and use it as the certificate for the root certificate authority on Web Gateway.
Task
1 Generate a private key for the certificate on the Hardware Security Module and remember the key
ID.
For more information about how to generate a key, see the documentation of the McAfee partner
who provides the module (Thales).
2 Use a certificate signing request to generate a certificate for the root certificate authority on Web
Gateway.
  a On a system console that is connected to a Web Gateway appliance, log on as root
  administrator.
  b Run the following openssl command. For <key ID>, specify the ID of the key that you
  generated in step 1.
  openssl req -engine chil -keyform engine -new -sha256 -key <key ID> -out mwg.csr
  The command delivers a file with the certificate as its output. The file name and extension are
  mwg.csr, as specified in the command.
3 Store the certificate file within your file system.
You can now import the stored certificate when configuring a root certificate authority for Web
Gateway within the settings for filtering SSL-secured communication.
Hardware Security Module settings
The Hardware Security Module settings are used to configure the handling of certificate keys on a local
or remote Hardware Security Module.
HSM Server
Settings for a Hardware Security Module on the Web Gateway appliance that you are currently
configuring
Table 11-37 HSM Server
Option / Definition
Start local HSM server
    When selected, a Hardware Security Module is run on this appliance for storing and
    loading keys.
    The module is provided on a server that other Web Gateway appliances in your
    network can connect to as clients to load the keys that are stored on the module.
Keys to be loaded
    Provides a list of the key IDs for the keys that are stored on the Hardware Security
    Module and can be loaded for use with a certificate.
    For each key that you want to use on Web Gateway, you need to add the key ID in
    string format to this list.
    The key IDs become known when keys are generated or imported on the Hardware
    Security Module.
    The following table describes an entry in the key list.
Table 11-38 Keys to be loaded – List entry
Option / Definition
String
    Specifies the key ID for a key that is stored on the Hardware Security Module.
Comment
    Provides a plain-text comment on a key.
Table 11-37 HSM Server (continued)
Option / Definition
Allow local connections
    When selected, the keys that are stored on this Hardware Security Module can
    be used for connections that are set up on this appliance.
Allow remote connections
    When selected, the keys that are stored on this Hardware Security Module can
    be used remotely for connections that are set up by other Web Gateway
    appliances within your network.
    If you select this option, you need to specify the ports of the HSM server on this
    appliance that are available for remote connections.
HSM server port definition list
    Provides a list of the ports on the HSM server.
Permitted clients
    Provides a list of other appliances in your network that can run as clients of the
    HSM server and use the Hardware Security Module for loading keys.
    The following tables describe the entries in the list of HSM server ports and the permitted clients list.
Table 11-39 HSM server port definition list – List entry
Option / Definition
Listener address
    IP address and port number of a port on the HSM server that listens to requests for
    setting up a remote connection.
Comment
    Provides a plain-text comment on a port.
Table 11-40 Permitted clients – List entry
Option / Definition
Host
    Specifies the host name or IP address of a Web Gateway appliance in your network that is
    permitted to load the keys that are stored on the Hardware Security Module on this
    appliance.
Certificate
    Provides a certificate that a client submits when connecting to the HSM server.
Comment
    Provides a plain-text comment on a permitted client.
Server Identification
Settings for the certificate that the HSM server submits when connecting to its clients
A certificate issued by the McAfee root CA is provided by default for the HSM server after the
initial setup of a Web Gateway appliance.
We recommend that you replace this certificate with a certificate of your own.
Table 11-41 Server Identification
Option / Definition
Subject, Issuer, Validity, Extensions, Private key
    Provide information on the certificate that is currently in use.
Server certificate
    Provides buttons for performing various activities with regard to a
    server certificate:
    • Generating a certificate
    • Importing a certificate
    • Exporting a certificate
    • Exporting a certificate key
HSM Client
Settings for configuring the use of a Hardware Security Module that resides on another Web Gateway
appliance in your network
Table 11-42 HSM Server
Option / Definition
Use remote HSM server
    When selected, this appliance uses the keys that are stored on a Hardware
    Security Module that resides on another Web Gateway appliance in your network.
    The module is provided on a server that this appliance can connect to as a client.
    If you select this option, you need to specify a server or multiple servers in a list.
Remote server
    Provides a list of other Web Gateway appliances in your network running a
    Hardware Security Module on a server that this appliance can connect to as a
    client.
    The following table describes an entry in the list of remote servers.
Table 11-43 Remote server – List entry
Option / Definition
Host
    Specifies the host name or IP address of a Web Gateway appliance in your network that
    runs a Hardware Security Module on a server.
Certificate
    Certificate that the server submits when connecting to a client.
Comment
    Provides a plain-text comment on a remote server.
Client Identification
Settings for the certificate that this appliance submits when connecting as a client to an HSM server
A certificate issued by the McAfee root CA is provided by default for this client after the
initial setup of a Web Gateway appliance.
We recommend that you replace this certificate with a certificate of your own.
Table 11-44 Server Identification
Option / Definition
Subject, Issuer, Validity, Extensions, Private key
    Provide information on the certificate that is currently in use.
Client certificate
    Provides buttons for performing various activities with regard to a
    client certificate:
    • Generating a certificate
    • Importing a certificate
    • Exporting a certificate
    • Exporting a certificate key
Advanced Threat Defense
After a web object has been scanned by Web Gateway for infections by viruses or other malware, it
can additionally be scanned by the McAfee® Advanced Threat Defense (Advanced Threat Defense) web
security product.
Advanced Threat Defense uses a sandboxing approach for scanning, which means that the behavior of
a particular web object in a "sandbox" environment is analyzed. The scanning result is recorded in a
report and delivered to Web Gateway.
The additional scanning performed by Advanced Threat Defense is also referred to as offline scanning
or background scanning.
To enable the use of Advanced Threat Defense, suitable rules must be implemented on Web Gateway.
You can import rule sets that contain such rules from the rule set library.
To configure the use of Advanced Threat Defense on Web Gateway, you can work with:
• Key elements of rules — After importing the library rule sets for the use of Advanced
Threat Defense and clicking them on the rule sets tree, you can view and configure key
elements of the rules for the additional scanning process.
• Complete rules — After clicking Unlock View in the key elements view, you can view the
rules for the additional scanning process completely, configure all their elements,
including the key elements, and also create new rules or delete rules.
You cannot return from this view to the key elements view unless you discard all changes
or re-import the rule set.
Options for configuring the use of Advanced Threat Defense
You can configure different options to implement an additional scanning by Advanced Threat Defense.
• Forwarding a web object depending on the additional scanning — When this option is
configured, the result of the additional scanning by Advanced Threat Defense determines whether a
web object is forwarded to the user who requested it.
If a web object is found to be safe, it is forwarded, otherwise not.
• Forwarding a web object before the additional scanning — When this option is configured, a
web object is forwarded to the user who requested it before the additional scanning by Advanced
Threat Defense.
If a web object is found to be infected, a warning message is sent to the administrator of the
network that the user sent the request from.
You can also configure that a web object is not scanned a second time by Advanced Threat Defense if
it has been scanned before. In this case, the existing report that was produced after the first scanning
is evaluated once again.
Availability of Advanced Threat Defense
For use with Web Gateway, the Advanced Threat Defense web security software is delivered
pre-installed on the same hardware platform, where it runs as an appliance on a separate server.
Several instances of the product can also run on different servers and be used to support Web
Gateway. Each instance of the product must be installed on its own hardware platform.
Workflows for using Advanced Threat Defense
Different workflows can be configured when Advanced Threat Defense is used to perform an additional
scanning of web objects.
Forwarding a web object depending on the additional scanning
The following diagram shows the workflow that forwards a web object to a user depending on the
scanning result of Advanced Threat Defense.
Figure 11-1 Web object is forwarded depending on additional scanning result
1 A user sends a request to access a web object, for example, a file, from a system within your
network that is a client of Web Gateway.
2 If the request passes filtering according to the configured rules, Web Gateway forwards it to the
appropriate web server.
A progress page is sent to the client, telling the user to wait while the request is processed.
3 The web server sends the object to Web Gateway.
4 If the criteria for using Advanced Threat Defense are met, Web Gateway passes the object on for
scanning.
To retrieve information on the scanning progress, Web Gateway queries Advanced Threat Defense
at regular intervals.
5 When Advanced Threat Defense has completed the scanning, it lets Web Gateway know whether
the object is malicious or not.
6 Depending on this information, Web Gateway allows the user to access the requested object or
sends a block page, which states that access is blocked and gives a reason for the blocking.
Criteria for additional scanning by Advanced Threat Defense
Web Gateway uses the functions of Advanced Threat Defense for scanning a web object after the
object has been scanned by the anti-malware engines on Web Gateway. This scanning yields a
probability that the object is infected with malware.
The Advanced Threat Defense library rule set uses this probability in its criteria. The default value that
must be reached for the criteria to match is 60. This means that only if scanning a web object on Web
Gateway results in a malware probability of 60 percent or more is it passed on to Advanced Threat
Defense.
When configuring the use of Advanced Threat Defense, you can increase or lower this value and,
consequently, let this product support Web Gateway more or less frequently.
It is therefore important that, on the rule sets tree, the rule set for Advanced Threat Defense is placed
behind the rule set for the normal anti-malware functions on Web Gateway, which is usually the
Gateway Anti-Malware default rule set.
The Anti-Malware module (or engine) runs with two different settings, when Web Gateway and
Advanced Threat Defense work together: one for the Web Gateway part and one for the part of the
supporting product.
The default names of the two settings are Gateway Anti-Malware and Gateway ATD.
One important point in which the settings differ from each other is that the Gateway ATD settings have
the option for using Advanced Threat Defense selected, whereas this option is deselected in the other
settings.
Configuration elements for using Advanced Threat Defense
To enable the additional scanning of web objects by Advanced Threat Defense, suitable rules must be
implemented on Web Gateway. You can import rule sets that contain such rules from the rule set
library. After importing this rule set, a list and settings are also implemented.
Rule sets for the additional scanning
There is a rule set for forwarding a web object depending on the additional scanning, as well as a rule
set for forwarding a web object before the additional scanning and delivering any warning information
afterwards.
• Advanced Threat Defense library rule set — This rule set implements the workflow that lets a
web object additionally be scanned by Advanced Threat Defense and forwarded to the user
depending on the scanning result.
After importing this rule set, a list and settings are also implemented.
• ATD - Init Offline Scan nested library rule set — This nested rule set has the same criteria as
the rule set that forwards a web object to the user depending on the result of the additional
scanning.
The rule set applies if previous scanning by Web Gateway has resulted in a configured degree of
probability that a web object is infected, the web object is on the list of web objects that can be
scanned, and a particular object size is not exceeded.
The rule set contains only one rule that uses the Antimalware.MATD.InitBackgroundScan property
in its criteria. The value of this property is true by default.
In this case, data for the current transaction is recorded. This includes all data that is related to a
request for web access and the response to it from a web server, such as the IP address of the
client, authentication information, the URL of the web server, and the requested web object that
was sent as the body of the response message.
An internal request is sent to initiate scanning by Advanced Threat Defense. After this has been
completed, the requested web object is forwarded to the user while the scanning is performed later
on, using the data that was recorded.
If the value of the Antimalware.MATD.InitBackgroundScan property is false, scanning by Advanced
Threat Defense could not be initiated and a rule event is used to display an error message.
• ATD - Handle Offline Scan nested library rule set — This nested rule set has the
Antimalware.MATD.IsBackgroundScan property for its criteria. The value of this criterion is true by
default.
In this case, the data that was recorded by the rule in the ATD - Init Offline Scan rule set is used
by Advanced Threat Defense to scan the web object specified by the data.
The rule set has a rule that uses an event to increase a counter if a scanned web object has been
found to be infected, a rule that uses another event to create and send a message about the
infected web object to the administrator, and finally a rule that stops the processing cycle.
List and settings for the additional scanning
The Advanced Threat Defense library rule set provides rules for enabling the use of Advanced Threat
Defense on Web Gateway and forwarding a requested web object to the user depending on the
scanning result.
After importing this rule set, a list and settings are also implemented.
• Advanced Threat Defense Supported Types list — This list is used within the criteria of the
library rule set. Only web objects belonging to the media types on this list are passed on to
Advanced Threat Defense for scanning.
The list contains several media types by default. You can add media types to the list or remove
them.
• Gateway ATD settings — These are settings for the Anti-Malware module (or engine) on Web
Gateway, which handles virus and malware filtering, including the additional use of Advanced
Threat Defense.
The settings include mainly options for configuring the following:
  • Communication between Web Gateway and the server that Advanced Threat Defense runs on
  • Severity grade that lets a web object, for example, a file, be classified as malicious
  When an object is scanned by Advanced Threat Defense, the result is a severity grade on a
  scale from 0 to 5 (very high severity).
  You can set a value on this scale, for example, 3, which means all objects with a scanning result
  of 3 or higher are considered to be malicious.
  For these objects, the Antimalware.Infected property is set to true, so a rule that uses this
  property in its criteria will block a web object and prevent it from being passed on to the user
  who requested access to it.
Using an existing Advanced Threat Defense scanning report
A report that is generated by Advanced Threat Defense after scanning a web object can be used by
Web Gateway to evaluate this object and handle access to it.
When using an existing report, Web Gateway will not trigger a new scanning run on Advanced Threat
Defense. If more than one report exists, the latest report is used for evaluation. Hash values are
calculated internally on Web Gateway to determine whether a web object is the same as another
object, so the same report can be used.
To use an existing scanning report on Web Gateway, you need to implement a rule with the
Antimalware.ATD.GetReport property. If the value of this Boolean property is true, it means that a
particular web object has been found to have already been scanned by Advanced Threat Defense and
a report for this scan has been retrieved.
This report can be made available to other rules, for example, to a rule with the Antimalware.Infected
property, which evaluates the report to find out whether an object is infected.
Options for using an existing scanning report
There are several options for using an existing scanning report to handle access to web objects.
• Allow a file when a scanning report shows that it is not infected — There are files that are
uploaded manually to Advanced Threat Defense where they are scanned and a report is generated.
Web Gateway then allows users to download such a file if a report exists for it and this report
shows that the file is not infected.
• Allow a file if no scanning report is available and scan this file offline — If no scanning
report exists for a file that was requested for downloading, a rule can allow a user to download
the file and let an offline scan be performed. After the scanning, a report is generated and
forwarded to the administrator of the user's network.
• Block a file if no scanning report is available and scan this file offline — If no scanning
report exists for a file that was requested for downloading, a rule can block access to the file and
let an offline scan be performed. After the scanning, a report is generated and forwarded to the
administrator of the user's network.
If a scanning report does not exist for a web object, the Antimalware.ATD.GetReport property can still
be used in suitable rules. In these rules, the value of this property is false, as no scanning report was
retrieved.
Sample rules for using an existing scanning report
There is no preconfigured rule set for using an existing Advanced Threat Defense scanning report in
the default rule set system or the rule set library. You can, however, create suitable rules and a rule
set for them on your own.
The following sample rules implement the solution that lets files be uploaded manually to Advanced
Threat Defense. Downloading a file is allowed if the report that was generated by Advanced Threat
Defense shows that the file is not infected.
The name of the rule set might be Use Existing Advanced Threat Defense Scanning Report. It must
have the same criteria regarding media types as the Advanced Threat Defense library rule set and
apply for all processing cycles.
The rule set should contain the following rules:
• A rule that uses the Antimalware.ATD.GetReport property to retrieve an existing scanning report
• A rule that evaluates files using this report and blocks access if the report shows that they are
infected
The rule that retrieves the report might look as follows:
Name      Allow files that have been scanned before
Criteria  Antimalware.ATD.GetReport equals false
Action    –> Block <BlockedByMATD>
Event     – Statistics.Counter.Increment("BlockedByMATD",1)<Default>
The rule blocks access to a file if no report exists for it. In this case, the next rule is not processed.
This rule evaluates a report. It might look as follows:
Name      Block infected files
Criteria  Antimalware.Infected <Gateway ATD> equals true
Action    –> Block <BlockedByMATD>
Event     – Statistics.Counter.Increment("BlockedByMATD",1)<Default>
In both rules, a counter records how often files were blocked when Advanced Threat Defense functions
were used.
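The following Python model is an added example, not Web Gateway code, that shows how the pieces described in this section fit together: the Init Offline Scan criteria (malware probability of 60 or more, media type on the supported list, ATD size limit not exceeded), the lookup of an existing report by object hash with the latest report winning, the severity threshold that sets Antimalware.Infected, and the two sample rules with their BlockedByMATD counter. The property, setting and list names are taken from the guide; the media types, sample objects and report values are constructed stand-ins.

```python
"""Constructed model of the Advanced Threat Defense (ATD) rule flow described in
this section. Added example, not Web Gateway code: property and setting names come
from the guide, the objects, media types and report values are constructed."""
import hashlib
from dataclasses import dataclass, field

# Defaults quoted in the guide: probability threshold of the library rule set,
# ATD general size limit (125 MB) and archive limit (10 MB). SEVERITY_THRESHOLD is
# the example value 3 on the 0-5 ATD scale; SUPPORTED_TYPES is a constructed
# stand-in for the Advanced Threat Defense Supported Types list.
MALWARE_PROBABILITY_THRESHOLD = 60
SEVERITY_THRESHOLD = 3
GENERAL_SIZE_LIMIT = 125 * 1024 * 1024
ARCHIVE_SIZE_LIMIT = 10 * 1024 * 1024
ARCHIVE_TYPES = {"application/zip"}
SUPPORTED_TYPES = {"application/pdf", "application/x-msdownload"} | ARCHIVE_TYPES


@dataclass
class WebObject:
    media_type: str
    body: bytes
    malware_probability: int  # result of the Gateway Anti-Malware scan, 0..100

    def sha256(self) -> str:
        # Web Gateway decides "same object" by an internally computed hash.
        return hashlib.sha256(self.body).hexdigest()


@dataclass
class AtdReport:
    severity: int  # ATD severity grade, 0..5
    run_id: int    # higher value = later scanning run


class ReportStore:
    """Existing ATD reports keyed by object hash; the latest report is returned."""

    def __init__(self) -> None:
        self._reports = {}

    def add(self, obj: WebObject, report: AtdReport) -> None:
        self._reports.setdefault(obj.sha256(), []).append(report)

    def get_report(self, obj: WebObject):
        reports = self._reports.get(obj.sha256())
        return max(reports, key=lambda r: r.run_id) if reports else None


@dataclass
class Transaction:
    obj: WebObject
    props: dict = field(default_factory=dict)     # rule properties set so far
    counters: dict = field(default_factory=dict)  # Statistics.Counter values


def size_limit_for(media_type: str) -> int:
    return ARCHIVE_SIZE_LIMIT if media_type in ARCHIVE_TYPES else GENERAL_SIZE_LIMIT


def init_offline_scan_criteria(obj: WebObject) -> bool:
    """Criteria of the ATD - Init Offline Scan rule set: probability reached,
    media type on the supported list, and the ATD size limit not exceeded."""
    return (obj.malware_probability >= MALWARE_PROBABILITY_THRESHOLD
            and obj.media_type in SUPPORTED_TYPES
            and len(obj.body) <= size_limit_for(obj.media_type))


def _block(tx: Transaction) -> str:
    # Event of both sample rules: Statistics.Counter.Increment("BlockedByMATD", 1)
    tx.counters["BlockedByMATD"] = tx.counters.get("BlockedByMATD", 0) + 1
    return "Block"


def evaluate_existing_report(tx: Transaction, store: ReportStore) -> str:
    """The two sample rules of the 'Use Existing ... Scanning Report' rule set.
    Returns the action taken: 'Block', or 'Continue' when no rule fires."""
    if tx.obj.media_type not in SUPPORTED_TYPES:
        return "Continue"  # rule set criteria (media types) not met, rules skipped
    report = store.get_report(tx.obj)
    tx.props["Antimalware.ATD.GetReport"] = report is not None
    # Rule 1: Antimalware.ATD.GetReport equals false -> Block <BlockedByMATD>
    if not tx.props["Antimalware.ATD.GetReport"]:
        return _block(tx)
    # Rule 2: Antimalware.Infected <Gateway ATD> equals true -> Block <BlockedByMATD>
    tx.props["Antimalware.Infected"] = report.severity >= SEVERITY_THRESHOLD
    if tx.props["Antimalware.Infected"]:
        return _block(tx)
    return "Continue"


def run_demo() -> dict:
    """Runs both rules over constructed sample objects and returns the decisions."""
    store = ReportStore()
    clean = WebObject("application/pdf", b"constructed clean sample", 75)
    rescanned = WebObject("application/x-msdownload", b"constructed rescanned sample", 80)
    store.add(clean, AtdReport(severity=1, run_id=1))
    store.add(rescanned, AtdReport(severity=1, run_id=1))
    store.add(rescanned, AtdReport(severity=4, run_id=2))  # later run: infected
    never_scanned = WebObject("application/pdf", b"constructed unknown sample", 70)
    return {name: evaluate_existing_report(Transaction(o), store)
            for name, o in [("clean", clean), ("rescanned", rescanned),
                            ("never_scanned", never_scanned)]}


if __name__ == "__main__":
    print(run_demo())
```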
Using an ongoing Advanced Threat Defense scanning run
While a scanning run is being performed by Advanced Threat Defense, the results of this run can be
used not only for processing the request that it was started for, but also for other requests to access
the same web object.
To let the results of one scanning run be used for processing multiple requests, the requests must be
received on Web Gateway while the scanning is still going on. Hash values are calculated internally on
Web Gateway to determine whether a web object is the same as another object, so it can be decided
whether requests for the same object are received.
To use the results of one scanning run for multiple requests to access the same object, you need to
enable an option within the Gateway ATD settings for the Anti-Malware module (or engine). The name
of this option is Re-use running task if same sample is being analyzed.
McAfee Web Gateway 7.6.0
Product Guide
411
11
Web filtering
Advanced Threat Defense
There is no preconfigured rule set in the default rule set system or the rule set library for using the
results of one scanning run when multiple requests for the same object are received. You can,
however, create suitable rules and a rule set for them on your own.
Limiting object sizes for scanning by Advanced Threat Defense
The size of objects that are additionally scanned by Advanced Threat Defense must be checked to
comply with the size limits that exist for this product.
There are some restrictions for Advanced Threat Defense with regard to the size of web objects that
can be scanned. The general size limit is 125 MB, which means that web objects of any type must not
exceed this limit.
Other size limits exist for particular types of web objects. For example, the size limit for archives is 10
MB.
For more information about existing size limits and ways to change these limits for particular types of
web objects, see the McAfee Advanced Threat Defense Product Guide.
Configuring size limits on Web Gateway
On Web Gateway, you can configure rules that block web objects of different types if they exceed a
particular size limit. By inserting these rules in a rule set for handling Advanced Threat Defense
scanning activities, you can make sure that only web objects with suitable sizes are passed on to
Advanced Threat Defense.
If you have imported the library rule sets for Advanced Threat Defense, you can insert the size limit
rules there. Some of these rule sets contain a rule for uploading web objects to Advanced Threat
Defense.
By inserting the size limit rules before this rule, web objects that exceed the size limits are blocked
and the rule for uploading to Advanced Threat Defense is not executed.
Rule for setting a size limit
The following sample rule assumes that archives must not exceed a size limit of 10 MB if they are to
be scanned by Advanced Threat Defense and that no special size limit exists for executable files, so
only the general size limit for Advanced Threat Defense applies to this type of web objects.
So, the rule blocks archives and executable files that exceed the respective size limits.
Name
Limit object size for scanning by Advanced Threat Defense
Criteria
(MediaType.IsArchive equals true AND Body.Size greater than 10000000)
OR (MediaType.IsExecutable equals true AND Body.Size greater than 125000000)
Action
–> Block<ATD limit>
To extend the size check to other types of web objects, suitable parts must be added to the rule
criteria. For example, to cover audio files as well, add a criteria part that uses the MediaType.IsAudio
property in place of the media type properties that the sample rule uses so far.
To let the user who sent a request involving an over-sized web object know that the request was
blocked and why, you can configure appropriate settings for the block action. In the sample rule,
these settings are named ATD limit.
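The following Python is an added example, not a rule from the product guide or code of Web Gateway. It models the size-limit rule above and generalizes it slightly: every media type without a special limit falls back to the general 125 MB limit, and the rule is placed before the upload rule so that an over-sized object never reaches Advanced Threat Defense. The mapping from media type strings to the MediaType.Is* properties is constructed for this example.

```python
# Added example, not code from the McAfee Web Gateway product guide.
# Sizes are in bytes, matching the Body.Size values used in the sample rule.

GENERAL_LIMIT = 125_000_000          # general Advanced Threat Defense limit for any web object
TYPE_LIMITS = {                      # special limits, keyed by the MediaType.Is* property
    "MediaType.IsArchive": 10_000_000,   # archives: 10 MB, as in the sample rule
    # "MediaType.IsAudio": ...,          # add further parts here to extend the rule
}

# Constructed mapping: which MediaType.Is* property is true for a media type.
# Web Gateway derives this internally; the strings here are sample values only.
MEDIA_TYPE_PROPERTIES = {
    "application/zip": "MediaType.IsArchive",
    "application/x-msdownload": "MediaType.IsExecutable",
    "audio/mpeg": "MediaType.IsAudio",
}


def size_limit_rule(media_type, body_size):
    """Return the action of the 'Limit object size' rule for one web object:
    'Block<ATD limit>' when the applicable limit is exceeded, otherwise None
    (the rule does not apply and processing continues with the next rule)."""
    prop = MEDIA_TYPE_PROPERTIES.get(media_type)
    limit = TYPE_LIMITS.get(prop, GENERAL_LIMIT)   # no special limit: general limit applies
    if body_size > limit:
        return "Block<ATD limit>"
    return None


def process(media_type, body_size):
    """Run the two rules in the order the guide recommends: the size-limit rule
    first, then the rule that uploads the object to Advanced Threat Defense.
    Returns the list of actions that were actually executed."""
    actions = []
    action = size_limit_rule(media_type, body_size)
    if action:
        actions.append(action)
        return actions           # a Block ends processing; the upload rule is never reached
    actions.append("Upload to ATD")
    return actions
```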
Configure the use of Advanced Threat Defense
You can configure the use of Advanced Threat Defense for additionally scanning web objects after they
have been scanned by Web Gateway. Another option is to let a scanning report that has been
generated for a web object by Advanced Threat Defense be evaluated on Web Gateway to handle
access to this object.
If an existing scanning report for a web object is evaluated, Web Gateway will not trigger a new
additional scanning run by Advanced Threat Defense for this object.
Tasks
• Configure scanning by Advanced Threat Defense on page 413
Configure additional scanning by Advanced Threat Defense after a scanning run by Web Gateway has been completed.
• Configure use of an existing Advanced Threat Defense scanning report on page 414
If you do not want a new scanning run to be performed on a web object, you can let an existing Advanced Threat Defense scanning report be used to evaluate the web object.
Configure scanning by Advanced Threat Defense
Configure additional scanning by Advanced Threat Defense after a scanning run by Web Gateway has
been completed.
Task
1 Configure Advanced Threat Defense to integrate it into your network.
For more information, see the McAfee Advanced Threat Defense Product Guide.
2 On the user interface of Web Gateway, complete the following activities:
a Import the rule set for one of the two additional scanning workflows from the rule set library.
These rule sets are located in the Gateway Anti-Malware rule set group.
• Advanced Threat Defense — For forwarding web objects depending on the additional scanning
On the rule sets tree, place this rule set after the rule set for scanning by Web Gateway. By default, this is the Gateway Anti-Malware rule set.
• ATD - Offline Scanning with Immediate File Availability — For forwarding web objects before the additional scanning
After importing this rule set, the following two rule sets appear on the rule sets tree.
  • ATD - Init Offline Scan — This rule set initiates the additional scanning.
  On the rule sets tree, place this rule set after the rule set for scanning by Web Gateway. By default, this is the Gateway Anti-Malware rule set.
  • ATD - Handle Offline Scan — This rule set handles the additional scanning once it has been initiated.
  On the rule sets tree, place this rule set after the rule sets that perform global or common activities and before the rule sets that perform particular filtering activities.
  For example, on the default rule sets tree, place this rule set after the Common Rules rule set and before the Media Type Filtering rule set.
b To enable monitoring of Advanced Threat Defense scanning activities on Web Gateway, import the ATD Scanning Log and Block on ATD Errors rule sets from the rule set library and add them to the existing Log Handler and Error Handler rule sets, respectively.
c Add media types to the list for supported media types or remove them as needed. After importing either of the library rule sets, the name of this list is Advanced Threat Defense Supported Types.
After importing a rule set, you can work with this list on the key elements view of the rule set.
d Configure the settings for scanning by Web Gateway.
By default, the name of these settings is Gateway Anti-Malware.
After importing a rule set, you can work with these settings on the key elements view of the rule set.
e Configure the settings for scanning by Advanced Threat Defense.
After importing either of the library rule sets, the name of these settings is Gateway ATD.
After importing a rule set, you can work with these settings on the key elements view of the rule set.
f Save your changes.
Configure use of an existing Advanced Threat Defense scanning report
If you do not want a new scanning run to be performed on a web object, you can let an existing
Advanced Threat Defense scanning report be used to evaluate the web object.
There are several options for using an existing scanning report. The following task assumes that:
• Scanning reports were generated for web objects that were uploaded manually to Advanced Threat Defense and scanned.
• Web Gateway allows access if a report shows that a web object is not infected and blocks it if no report exists.
Complete the following high-level steps:
Task
1 Create a rule set for the rules that handle the use of an existing Advanced Threat Defense scanning report.
2 In this rule set, create the following.
• A rule that retrieves a scanning report for a file and blocks access to a file if no report exists for it
• A rule that evaluates a scanning report and blocks a file that is infected according to the report
3 Configure the Gateway ATD settings of the Anti-Malware module.
a Make sure Re-use previous detection ... is selected.
b [Optional] Under Maximum detection age, modify the time limit for excluding older reports as needed. This limit is 30 minutes by default.
4 Save your changes.
Configure key elements for using Advanced Threat Defense
Configure key elements for additional scanning by Advanced Threat Defense to adapt important parts
of the scanning process to the requirements of your web security policy.
Task
1 Import the Advanced Threat Defense or the ATD - Offline Scanning with Immediate File Availability rule set from the rule set library.
2 On the rule sets tree, select the rule set that you have imported.
Key elements of the rules for the scanning process appear in the configuration pane.
3 Configure the key elements as needed.
4 Click Save Changes.
See also
Key elements for using Advanced Threat Defense on page 415
Key elements for using Advanced Threat Defense
The key elements of the rules for using Advanced Threat Defense in the process of additionally
scanning web objects deal with important parts of this process.
Different key elements can be configured for the rules in the rule sets that are implemented for the
additional scanning.
• Advanced Threat Defense — When this rule set is implemented, the following groups of key elements can be configured:
  • Enable Advanced Threat Defense for These Supported Media Types
  • Gateway Anti-Malware Settings
  • Gateway Advanced Threat Defense Settings
• ATD - Init Offline Scan — When this rule set is implemented, the following groups of key elements can be configured:
  • Enable Advanced Threat Defense for These Supported Media Types
  • Gateway Anti-Malware Settings
• ATD - Handle Offline Scan — When this rule set is implemented, the following group of key elements can be configured:
  • Gateway Advanced Threat Defense Settings
The key elements of these rule sets are described in the following.
Enable Advanced Threat Defense for These Supported Media Types
Key element for selecting web objects that are eligible for additional scanning by Advanced Threat
Defense
Table 11-45 Enable Advanced Threat Defense for These Supported Media Types
Option
Definition
Media types to insert
Clicking Edit opens a window to let you edit the Advanced Threat Defense Supported Media Types list that is used by a rule.
Only web objects that belong to media types on this list will additionally be scanned by Advanced Threat Defense if the other criteria are also met.
You can add, modify, and remove entries on the list.
Gateway Anti-Malware Settings
Key element for configuring the scanning by the Anti-Malware module before the additional scanning
by Advanced Threat Defense
Table 11-46 Gateway Anti-Malware Settings
Option Definition
Settings
Clicking Edit opens a window to let you edit the settings for the Anti-Malware module when it
runs with the module components that are usually available on Web Gateway.
This scanning is performed before any scanning by Advanced Threat Defense. Depending on
the result of this scanning, additional scanning by Advanced Threat Defense is performed or
not.
Gateway Advanced Threat Defense Settings
Key element for configuring additional scanning by Advanced Threat Defense
Table 11-47 Bypass scanning for these agents and hosts
Option Definition
Settings
Clicking Edit opens a window to let you edit the settings for the Anti-Malware module on Web
Gateway when the scanning is actually performed by Advanced Threat Defense.
Configure settings for using Advanced Threat Defense
You can configure settings for the Anti-Malware module (or engine) on Web Gateway to enable the use
of Advanced Threat Defense for scanning web objects.
Task
1 Select Policy | Settings.
2 On the Engines branch of the settings tree, expand Anti-Malware and select the settings for configuring the use of Advanced Threat Defense.
After importing the Advanced Threat Defense library rule set, the name of these settings is Gateway ATD.
3 Configure these settings as needed.
4 Click Save Changes.
See also
Gateway ATD settings on page 418
Monitoring the use of Advanced Threat Defense
Several methods are available for monitoring the scanning activities that are performed by Advanced
Threat Defense when it is used to support Web Gateway.
The monitoring can be done on Web Gateway and on McAfee Content Security Reporter.
Monitoring the use of Advanced Threat Defense on Web Gateway
On Web Gateway, you can implement rule sets with rules for logging information about the scanning
jobs that Advanced Threat Defense performs and for handling errors that occur during these jobs.
You can also review Advanced Threat Defense activities on the dashboard of the user interface.
• Log Handler — The ATD Scanning Log rule set can be imported from the Logging group of rule sets in the rule set library.
The rule set contains a logging rule that records information about each scanning job Advanced Threat Defense performs on a web object that was passed on to it by Web Gateway.
This information includes:
  • Severity grade that is the result of scanning
  • Server that Advanced Threat Defense runs on
  • Task ID for a scanning job
  • Hash value for a scanning job
To create the log entries that provide this information, the rule uses suitable properties.
• Error Handler — The Block on ATD Errors rule set can be imported from the Error Handling group of rule sets in the rule set library.
It contains blocking rules for handling errors that occur when Advanced Threat Defense performs a scanning job.
The rules use the appropriate error IDs in their criteria. The error IDs range from 14010 to 14012.
A rule in the Block on Anti-Malware Engine Errors rule set covers the range from 14002 to 14050. The Block on ATD Errors rule set should, therefore, be placed before this anti-malware rule set. Otherwise, the blocking rules in the Block on ATD Errors rule set would never be processed and only block messages with text that is related to anti-malware errors in general would be sent to users.
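The ordering problem described above, as an added Python example that is not part of the product guide: error handling is first-match, so a rule set whose error ID range is a subset of an earlier rule set's range is never reached. The ranges come from the guide; the block message texts are constructed for this example.

```python
# Added example, not code from the McAfee Web Gateway product guide.
# Each rule set is modelled as (name, error ID range, block message shown to the user).
ATD_ERRORS = ("Block on ATD Errors", range(14010, 14013),
              "constructed: Advanced Threat Defense error message")
ENGINE_ERRORS = ("Block on Anti-Malware Engine Errors", range(14002, 14051),
                 "constructed: generic anti-malware error message")


def first_matching_block(error_id, rule_sets):
    """Process the error-handling rule sets in the given order and return
    (rule set name, block message) of the first one whose range contains
    error_id. Processing stops at that block, so later rule sets never run."""
    for name, id_range, message in rule_sets:
        if error_id in id_range:
            return name, message
    return None


def shadowed_atd_errors(rule_sets):
    """Configuration check: list the Advanced Threat Defense error IDs that a
    generic rule set would handle under this order, i.e. the IDs for which the
    specific ATD block message is lost. An empty list means the order is sound."""
    shadowed = []
    for error_id in ATD_ERRORS[1]:
        match = first_matching_block(error_id, rule_sets)
        if match is not None and match[0] != ATD_ERRORS[0]:
            shadowed.append(error_id)
    return shadowed
```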
• Anti-Malware properties — Several properties are available for monitoring the activities of Advanced Threat Defense. Their names begin with Antimalware.MATD, for example, Antimalware.MATD.Server or Antimalware.MATD.Report.
These properties are used in the logging rules of the ATD Scanning Log rule set.
When a scanning job has been performed by Advanced Threat Defense, the value of the Antimalware.MATD.Report property is a report on this job. The report is provided as a string that represents the data structure of a JavaScript Object Notation (JSON) object.
Using JSON properties together with the Antimalware.MATD.Report property, you can extract report information.
• Dashboard — The dashboard charts and tables show how the following data evolved during a particular time interval.
  • Under Executive Summary: Number of requests for web objects that were blocked due to the scanning results found by Advanced Threat Defense.
  • Under Malware Statistics: Number of requests for web objects that were passed on to Advanced Threat Defense for scanning, number of requests that were blocked due to the scanning results, and the time consumed for the scanning.
Monitoring the use of Advanced Threat Defense on Content Security Reporter
With McAfee® Content Security Reporter, you can collect data about the scanning activities that
Advanced Threat Defense performs when it is used to support Web Gateway.
• To collect the data, configure both Web Gateway and Advanced Threat Defense as log sources.
• To view the data, register the server that Advanced Threat Defense runs on. You can then view the data on the dashboard monitor.
For more information, see the McAfee Content Security Reporter Product Guide.
Gateway ATD settings
The Gateway ATD settings are used for configuring the use of Advanced Threat Defense for scanning
web objects that have been passed on to it from Web Gateway.
Select Scanning Engines and Behavior
Settings for selecting a combination of scanning engines and their behavior in case one of them
detects an infection
Table 11-48 Select Scanning Engines
Option
Definition
Full McAfee coverage: The recommended
high-performance configuration
When selected, the McAfee Gateway Anti-Malware engine and the
McAfee Anti-Malware engine are active.
Web objects are then scanned using:
Proactive methods + Virus signatures
This option is selected by default.
Layered coverage: Full McAfee coverage
plus specific Avira engine features — minor
performance impact
When selected, the McAfee Gateway Anti-Malware engine, the
McAfee Anti-Malware engine, and, for some web objects, also the
third-party Avira engine are active.
Web objects are then scanned using:
Proactive methods + Virus signatures + Third-party module
functions for some web objects
Duplicate coverage: Full McAfee coverage
and Avira engine — less performance and
more false positives
When selected, the McAfee Gateway Anti-Malware engine, the
McAfee Anti-Malware engine, and the third-party Avira engine are
active.
Web objects are then scanned using:
Proactive methods + Virus signatures + Third-party module
functions
Table 11-48 Select Scanning Engines (continued)
Option
Definition
Avira only: Only uses Avira engine — not
recommended
When selected, only the Avira engine is active.
Web objects are then scanned using:
Third-party module functions
McAfee Advanced Threat Defense only:
Send files to an MATD appliance for deep
analysis through sandboxing
When selected, only scanning by Advanced Threat Defense is
active.
Web objects are then scanned using:
Advanced Threat Defense functions
This option is selected by default.
Stop virus scanning right after an engine
detected a virus
When selected, engines stop scanning a web object as soon as
one of them has detected an infection by a virus or other
malware.
MATD Setup
Common part of the settings for configuring the use of Advanced Threat Defense
Table 11-49 MATD Setup
Option
Definition
User name
Specifies the user name Web Gateway submits when trying to connect to Advanced Threat Defense.
Password
Specifies the password Web Gateway submits when trying to connect to Advanced Threat Defense.
Clicking Set opens a window for setting the password.
Server list
Provides a list of servers that Advanced Threat Defense runs on.
List of certificate authorities
Provides a drop-down list for selecting a list of known certificate authorities.
These certificate authorities are referred to when communication between Web Gateway and Advanced Threat Defense is going on in SSL-secured mode under the HTTPS protocol.
Severity threshold to indicate a malicious file
Sets a threshold for the severity grade of the malicious features that are detected in a web object, for example, a file, when it is scanned by Advanced Threat Defense.
If this threshold is reached, the object is classified as malicious and the value of the Antimalware.Infected property is set to true.
The threshold is set on a slider scale with values ranging from 0 to 5 (very high severity).
Reuse previous detection, McAfee Web Gateway will retrieve latest report from MATD based on the hash of the file
When selected, the severity grade that was found for a web object at its last scanning by Advanced Threat Defense is used for classifying it as malicious or not.
When this option is selected, the following option becomes accessible.
Maximum detection age
Sets the maximum time (in minutes) that might elapse after a severity grade has been found for a web object before this value can no longer be used to classify the object as malicious or not.
The default maximum time is 30 minutes.
Table 11-49 MATD Setup (continued)
Option
Definition
Reuse running task if
same sample is analyzed
When selected, a running task is used for evaluation if it is the same web
object that is analyzed.
Send client IP to MATD
server
When selected, the IP address of a client that has sent a request for
downloading a web object is sent to the server on which Advanced Threat
Defense is running.
The following table describes an entry in the server list.
Table 11-50 Server list – List entry
Option
Definition
String
Specifies the name of a server that Advanced Threat Defense runs on.
Comment
Provides a plain-text comment on a server.
Network Setup
Settings for configuring the connection to the server that Advanced Threat Defense runs on
Table 11-51 Network Setup
Option
Definition
Connection timeout
Sets the time (in seconds) that elapses before the connection to a server is closed when no response is received from it.
The default time is 5 seconds.
Scan timeout
Sets the time (in minutes and seconds) that Advanced Threat Defense is allowed for
scanning a web object.
If this time is exceeded, Web Gateway records it as an error.
Minutes — Time allowed in minutes
Seconds — Time allowed in seconds
The default time is 10 minutes.
Poll interval
Sets the time interval (in seconds) that elapses before the next attempt is made to
retrieve information from Advanced Threat Defense about the progress made in
scanning a web object.
The default time is 20 seconds.
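The following Python is an added example, not code from the product guide or from Web Gateway. It shows how a report delivered as a JSON string through the Antimalware.MATD.Report property (see the monitoring section above) is evaluated under the Gateway ATD settings described in the MATD Setup table: the severity grade is compared with the threshold, and a previous detection is reused only when a report for the same file hash exists and is younger than the maximum detection age. The JSON field names sha256, severity and timestamp are assumptions; the guide only states that the report is a JSON object.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Added example, not code from the McAfee Web Gateway product guide.
# Settings values mirror the Gateway ATD settings: severity slider 0-5 and
# a default maximum detection age of 30 minutes.
SEVERITY_THRESHOLD = 3
MAX_DETECTION_AGE = timedelta(minutes=30)

# Constructed sample of an Antimalware.MATD.Report value (field names assumed).
SAMPLE_FILE = b"constructed sample file content"
SAMPLE_REPORT = json.dumps({
    "sha256": hashlib.sha256(SAMPLE_FILE).hexdigest(),
    "severity": 4,
    "timestamp": "2015-06-01T10:00:00",
})


def is_infected(report_json, threshold=SEVERITY_THRESHOLD):
    """Antimalware.Infected becomes true when the report's severity grade
    reaches the threshold. A report without a valid grade is treated as an
    error rather than silently classified as clean."""
    report = json.loads(report_json)
    severity = report.get("severity")
    if not isinstance(severity, int) or not 0 <= severity <= 5:
        raise ValueError("report has no valid severity grade")
    return severity >= threshold


class DetectionCache:
    """Previous detections keyed by file hash, modelling 'Reuse previous detection'."""

    def __init__(self, max_age=MAX_DETECTION_AGE):
        self.max_age = max_age
        self.reports = {}            # sha256 hex digest -> parsed report

    def store(self, report_json):
        report = json.loads(report_json)
        self.reports[report["sha256"]] = report

    def lookup(self, data, now):
        """Return the stored report for this file content if it is younger than
        max_age, otherwise None (a new scanning run must be requested)."""
        digest = hashlib.sha256(data).hexdigest()
        report = self.reports.get(digest)
        if report is None:
            return None
        age = now - datetime.fromisoformat(report["timestamp"])
        if age < timedelta(0) or age > self.max_age:
            return None              # too old, or timestamp in the future: do not reuse
        return report
```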
Advanced Threat Defense rule set
The Advanced Threat Defense rule set is a library rule set for enabling Web Gateway to work with
Advanced Threat Defense when filtering web objects.
Library rule set – Advanced Threat Defense
Criteria – Antimalware.Proactive.Probability<Gateway Anti-Malware> greater than or equals 60 AND
MediaType.EnsuredTypes at least one in list Advanced Threat Defense Supported Types
Cycles – Responses, Embedded Objects
The rule set criteria specifies that the rule set applies if the following is true:
• As a result of previous scanning by the anti-malware engines on Web Gateway, the probability that a web object is malicious equals or exceeds 60 percent.
• The media type of the object is on the list of supported types for scanning by Advanced Threat Defense.
The rule set contains the following rules.
Enable progress page
Always –> Continue – Enable Progress Page<Default>
The rule enables an event that lets a page be shown to indicate the progress made when a web
object is downloaded to a client.
Upload file to ATD and wait for scanning result
Antimalware.Infected<Gateway ATD> –> Block<Virus Found> –
Statistics.Counter.Increment("BlockedByMATD",1)<Default>
The rule uses the Antimalware.Infected property to check whether a web object, for example, a file,
is infected by a virus or other malware.
The scanning that is required for this check is performed under the Gateway ATD settings, which
means it is carried out by Advanced Threat Defense.
If the object is found to be infected, the process of forwarding the object to the requesting client is
blocked and a block message is shown to the user who requested access to the object.
The block action is recorded by the statistics counter.
ATD - Offline Scanning with Immediate File Availability rule set
The ATD – Offline Scanning with Immediate File Availability rule set is a library rule set for enabling
Web Gateway to work with Advanced Threat Defense when filtering web objects.
When this rule set is implemented, a web object is forwarded to the user who requested it before it
has been additionally scanned by Advanced Threat Defense, so the object is immediately available to
the user.
If the scanning result is that the web object is infected, a message is sent to the administrator of the
network that the user sent the request from.
This use of the scanning functions of Advanced Threat Defense is also known as offline scanning or
background scanning.
After importing this rule set, the following two rule sets are implemented and appear on the rule sets
tree:
•
ATD - Init Offline Scan
•
ATD - Handle Offline Scan
A rule set with the name ATD - Offline Scanning with Immediate File Availability is not implemented.
ATD - Init Offline Scan
This rule set initiates the additional scanning by Advanced Threat Defense.
Library rule set – ATD - Init Offline Scan
Criteria – Antimalware.Proactive.Probability<Gateway Anti-Malware> greater than or equals 60 AND
MediaType.EnsuredTypes at least one in list Advanced Threat Defense Supported Types AND
Body.Size less than 30000000
Cycles – Responses, Embedded Objects
The rule set criteria specifies that the rule set applies if the following is true:
• As a result of previous scanning by Web Gateway, the probability that a web object is malicious equals or exceeds 60 percent.
• The media type of the object is on the list of supported types for scanning by Advanced Threat Defense.
• The web object does not exceed a particular size.
The rule set contains the following rule.
Offline scanning with immediate file availability
Antimalware.MATD.InitBackgroundScan(5) equals false –> Block<ATD Communication Failed>
When this rule is processed, all data related to the request for web access that has been sent to Web
Gateway is recorded, including the response that was received from the requested web server. The
response usually includes in its body the requested web object, for example, a file. The body with the
web object is stored on Web Gateway.
An internal request is also created within Web Gateway to initiate the scanning by Advanced Threat
Defense. Web Gateway then waits for an answer to this internal request to see whether the request
is accepted and the scanning will be performed.
The time that Web Gateway waits for this answer is measured in seconds and a parameter of the
Antimalware.MATD.InitBackgroundScan property. By default, this time is 5 seconds. You can
configure this time by editing the property parameter.
If no answer to the internal request is received within the configured time, the property is set to
false, so this criterion matches and the rule applies. A message is then sent to inform the
administrator that the additional scanning by Advanced Threat Defense could not be executed.
If the answer is received within the configured time, the web object is forwarded to the user.
Further handling of the additional scanning is performed by the next rule set.
Library rule set – ATD - Handle Offline Scan
Criteria – Antimalware.MATD.IsBackgroundScan equals true
Cycles – Requests, Embedded Objects
The rule set criteria specifies that the rule set applies if the value of the
Antimalware.MATD.IsBackgroundScan property is true.
It is true if the additional scanning by Advanced Threat Defense has successfully been initiated by the
rule in the preceding rule set. In this case, the data that was recorded and stored by this rule is used
by Advanced Threat Defense to scan a requested web object.
The rule set contains the following rules.
Upload file to ATD and wait for scanning result
Antimalware.Infected<Gateway ATD> equals true –> Continue –
Statistics.Counter.Increment("BlockedByMATD",1)<Default>
The rule uses the Antimalware.Infected property to check whether a web object, for example, a file,
is infected by a virus or other malware. The scanning that is required for this check is performed
under the Gateway ATD settings, which means it is carried out by Advanced Threat Defense.
For this purpose, the previously stored web object is forwarded from Web Gateway to Advanced
Threat Defense.
If the scanning result is that the web object is infected, this is recorded by a statistics counter.
Offline scanning with immediate file availability
Antimalware.Infected<Gateway ATD> equals true –> Block<Virus Found> –
Set User-Defined.MessageText = "Client.IP: " + IP.ToString(Client.IP) + "Requested URL: " + URL + "Virus name: " + ListOfString.ToString(Antimalware.VirusNames<Gateway ATD>, ",") –
Email.Send("Administrator@", "MATD offline scan detected a virus", User-Defined.MessageText)<Default>
When the rule is processed, it is checked whether the value of the Antimalware.Infected property is
true.
If it is, it means the scanning that was performed by Advanced Threat Defense has found a web
object to be infected by a virus or other malware.
A warning message is then created and sent to the administrator for the network of the user who
sent the request to access the web object. The message contains information on the request that
was recorded by the rule of the preceding rule set.
Stop cycle
Always –> Stop Cycle
This rule stops the processing cycle. It is always executed after the preceding rules have been
processed.
Data loss prevention
Data loss prevention (DLP) ensures that sensitive content is not allowed to leave your network. The
prevention process detects this content and blocks traffic going out to the web accordingly.
The following elements are involved in this process:
•
Data loss prevention rules that control the process
•
Default classifications and a dictionary that you fill with entries for data loss prevention
•
Data loss prevention modules, which are called by the rules that are processed to find out about
sensitive content
You can also use data loss prevention rules to keep inappropriate content from entering your network.
However, this can have an impact on performance.
The data loss prevention process can be applied to text contained in the body that is sent with a
request or response or to any other text that is contained in requests or responses, for example, URL
parameters or headers.
When you are running the appliance together with a DLP solution that uses an ICAP server for the
filtering process, you can implement a rule set to ensure the smooth flow of data between the
appliance and the ICAP server.
Data loss prevention rules
Data loss prevention is not implemented by default on the appliance, but you can import the Data Loss
Prevention rule set from the library.
You can then review the rules of this rule set, modify or delete them, and also create your own rules.
A data loss prevention rule blocks, for example, a request if the text that is sent as its body includes
sensitive content. To find out whether this is true for a given request body, the rule calls a module that
inspects the body. To know what is considered sensitive, the module refers to the default
classifications on the system lists or to dictionary entries, according to what is configured.
When a request or response is processed, its body text is stored as the value of the Body.Text
property. Before body text can be stored and inspected, it must be extracted. The Composite Opener
module performs the opening jobs. A rule in one of the rule sets nested in the Common Rules rule set
enables the opener by default.
A request body could, for example, be a text file that a user requests to upload to the web. The value
of a suitable body-related property in the rule criteria would then have to be true for the rule to apply
and execute the blocking.
The following rule uses the DLP.Classification.BodyText.Matched property in this way. If a request
includes sensitive content in its body, this is detected by the data loss prevention module. The value of
the property is set to true, and the request is blocked.
Name – Block files with SOX information
Criteria – DLP.Classification.BodyText.Matched<SOX> equals true
Action – Block<DLP.Classification.Block>
When this rule is processed, the data loss prevention module knows, due to its settings, that it has to
look for content that is sensitive with regard to the SOX (Sarbanes-Oxley) regulations, which deal with
the responsibilities of public companies.
Events can be added to the rule to log information on data loss prevention or to increment a counter
that records how often a request is blocked by this rule.
Default classifications and dictionary entries
Default classifications and dictionary entries are used in data loss prevention to specify sensitive
content that should be prevented from leaving your network.
However, you can also use system lists and dictionary entries to specify inappropriate content, such as
discriminatory or offensive language, that should not be allowed to enter your network. Inappropriate
content could, for example, be specified this way to let a rule block content sent from web servers in
response to requests.
The library rule set for data loss prevention contains a nested rule set for processing body text in the
response cycle.
Default classifications and dictionary entries differ in the following ways:
•
Default classifications — Provide information for detecting different kinds of sensitive or
inappropriate content, for example, credit card numbers, social security numbers, or medical
diagnosis data.
Default classifications are contained in folders and subfolders on system lists and updated by the
appliance system. You can view the system lists under DLP Classification in the System Lists branch of
the lists tree, but you cannot edit or delete them.
When you edit the settings of the module that handles classifications, you can select suitable
subfolders from the folders on these lists and create a list with classifications for data loss
prevention in your network.
•
Dictionary entries — Specify sensitive or inappropriate content, for example, names of persons
or keywords indicating content that should not leave your network.
The dictionary is created as part of the settings for the module that handles this list.
Creating a dictionary and filling it with entries for sensitive or inappropriate content is a means to
configure the data loss prevention process beyond what is possible by using the default
classifications on the system lists. This way you can adapt the process to the requirements of your
network.
Data loss prevention modules
The job of the data loss prevention modules (also known as engines) is to detect sensitive or
inappropriate content in the body text of requests and responses and also in any other text that is
sent with requests and responses.
When composite objects, such as archive documents, bodies of POST requests, and others, are sent
with requests or responses, they are also included in the data loss prevention process. To account for
such objects, the data loss prevention rules are also processed in the embedded objects cycle.
Depending on what the data loss prevention modules find out, body-related properties in rule criteria
are set to true or false, so web traffic is eventually blocked or allowed.
There are two modules that differ in their use of lists for detecting relevant content:
•
Data Loss Prevention (Classifications) — Uses default classifications on system lists for data
loss prevention
•
Data Loss Prevention (Dictionaries) — Uses dictionaries with entries for sensitive and
inappropriate content that you provide yourself for data loss prevention
When configuring settings for the modules, you let them know which content to look for. The default
classifications and dictionary entries that specify the content are among the settings parameters.
Search methods for data loss prevention
There are different methods of searching content that should be prevented from leaving or entering
your network.
•
A search can aim at finding out whether a given request or response body includes portions of
content that are specified as sensitive or inappropriate.
•
A search can begin with a portion of content, for example, a URL parameter or header, and find
out whether it is sensitive or inappropriate according to what you have configured.
For the first method, you can use the DLP.Classification.BodyText.Matched property that was already
shown in a sample rule.
For the second, you can use the DLP.Classification.AnyText.Matched property. This property takes a
string parameter for the content portion that is checked for being on a system list or in a dictionary.
Depending on what you are working with, you use the two properties already mentioned with system
lists, and DLP.Dictionary.BodyText.Matched and DLP.Dictionary.AnyText.Matched with a dictionary.
Logging data loss prevention
Additional properties are provided for logging the results of the data loss prevention process. They
allow you to log this data, for example, using an event in a rule.
When the value of DLP.Classification.BodyText.Matched is true for the body text of a request or
response that was processed, the following applies for the relevant logging properties:
•
DLP.Classification.BodyText.MatchedTerms contains a list of the matching terms from the body text
•
DLP.Classification.BodyText.MatchedClassifications contains a list of the matching classifications
When the value of DLP.Dictionary.BodyText.Matched is true, DLP.Dictionary.BodyText.MatchedTerms
contains a list of all matching terms.
Similarly, matching terms and classifications can be logged for the search method that looks for
matches of a given text string.
When the value of DLP.Classification.AnyText.Matched is true:
•
DLP.Classification.AnyText.MatchedTerms contains a list of matching terms found in text other than
body text.
•
DLP.Classification.AnyText.MatchedClassifications contains a list of matching classifications found in
text other than body text.
When the match is in a dictionary, DLP.Dictionary.AnyText.Matched is true and
DLP.Dictionary.AnyText.MatchedTerms contains a list of matching terms.
Information on data loss prevention results is also shown on the dashboard.
Preventing loss of medical data
The following is an example of data loss prevention that assumes medical data must be prevented
from leaving the network of an American hospital.
Default classifications for preventing the loss of medical data are contained in the HIPAA (Health
Insurance Portability and Accountability Act) folder. In addition to this default information, the names
of the doctors who are working in the hospital are entered in a dictionary to ensure they also do not
leave the network.
The following activities need to be completed for configuring data loss prevention in this example:
•
Configure settings for the Data Loss Prevention (Classifications) module that include the default
HIPAA classifications
•
Configure settings for the Data Loss Prevention (Dictionaries) module that include the doctors'
names as dictionary entries
•
Make sure the rule that activates the Composite Opener is enabled
In the default rule set system, this rule is contained in the Enable Opener rule set, which is nested
in the Common Rules rule set.
•
Create a rule that checks content according to the configured settings
The rule must be included in a rule set that applies in the request cycle for requests to upload data
from the hospital network to the web.
This rule set can be a nested rule set of the default rule set for data loss prevention or a rule set
that you create yourself.
In this example, the rule checks only text contained in the body of a request. It could look as
follows:
Name – Prevent loss of HIPAA data and doctors' names
Criteria – DLP.Classification.BodyText.Matched<HIPAA> equals true AND
DLP.Dictionary.BodyText.Matched<Doctors'Names> equals true
Action – Block<DLP.Classification.Block>
Because the two criteria are joined by AND, a request is blocked only if its body contains both HIPAA
content and a doctor's name. If a doctor's name alone should be enough to block a request, join the
criteria with OR instead.
Configure data loss prevention
You can configure data loss prevention to keep sensitive content from leaving your network. You can
also use it to keep inappropriate content from entering.
Complete the following high-level steps.
Task
1
Import the Data Loss Prevention rule set from the library.
2
Review its rules and modify them as needed.
You can, for example:
•
Configure settings for data loss prevention using default classifications.
•
Configure settings for data loss prevention using dictionary entries.
•
Modify other settings parameters.
•
Create rules of your own.
You can also create your own rule set for data loss prevention instead of using the library rule set.
3
Make sure the Composite Opener is enabled, so the body text sent with requests and responses
can be inspected.
In the default rule set system, this rule is contained in the Enable Opener rule set, which is nested
in the Common Rules rule set.
4
If you want to run data loss prevention with ICAP, you can import another rule set from the library
and modify its rules as needed.
5
Save your changes.
Configure data loss prevention using default classifications
You can configure data loss prevention by selecting default classifications from system lists and
entering them in a list that is included in the settings of the data loss prevention module for
processing classifications.
Task
1
Select Policy | Settings.
2
On the settings tree, select Data Loss Prevention (Classifications) and click Add.
The Add Settings window opens.
3
Configure general settings parameters:
a
In the Name field, type a name for the settings.
b
[Optional] In the Comment field, type a plain-text comment on the settings.
c
[Optional] Click the Permissions tab and configure who is allowed to access the settings.
4
On the toolbar of the DLP Classifications inline list, click the Edit icon.
An Edit window opens with a tree structure of folders containing subfolders with default
classifications.
5
Expand a folder, for example, SOX Compliance, and select a subfolder, for example, Compliance Reports.
Then click OK.
You can also select several subfolders of a folder at once, select subfolders from different folders,
or select complete folders with all their respective subfolders.
The Edit window closes and the subfolder or subfolders appear in the DLP Classifications inline list.
6
Click Save Changes.
Configure data loss prevention using dictionary entries
You can enter text strings and wildcard expressions that specify sensitive or inappropriate content as
entries in a dictionary for data loss prevention.
After importing the library Data Loss Prevention rule set, a dictionary with entries specifying
sensitive or inappropriate content is not yet in use. You need to create appropriate settings and fill
the dictionary with entries to implement it.
Tasks
•
Create settings with a dictionary on page 429
For data loss prevention that uses dictionary entries, you must create settings that include
a dictionary.
•
Fill the dictionary with entries on page 429
After creating settings with a dictionary, you can fill the dictionary with entries.
Create settings with a dictionary
For data loss prevention that uses dictionary entries, you must create settings that include a
dictionary.
Task
1
Select Policy | Settings.
2
On the settings tree, select Data Loss Prevention (Dictionaries) and click Add.
The Add Settings window opens.
3
Configure general settings parameters:
a
In the Name field, type a name for the settings.
b
[Optional] In the Comment field, type a plain-text comment on the settings.
c
[Optional] Click the Permissions tab and configure who is allowed to access the settings.
You can now fill the dictionary with entries.
Fill the dictionary with entries
After creating settings with a dictionary, you can fill the dictionary with entries.
Task
1
Within the settings you have created for data loss prevention using dictionary entries, click the Add
icon on the toolbar of the Dictionary inline list.
The Add DLP Dictionary Entry window opens.
2
Under Type of data to search, select Text or Wildcard expression.
3
In the Text or wildcard expression field, enter a text string or a wildcard expression.
4
[Optional] Specify additional information for an entry:
•
If you have entered a text string, select one of the following options or any combination of
them:
•
Case-sensitive
•
At start of word
•
At end of word
•
If you have entered a wildcard expression, select Case-sensitive or leave it deselected as needed.
5
[Optional] In the Comment field, type a plain-text comment on an entry.
6
Click OK.
The Add DLP Dictionary Entry window closes and the new entry appears in the dictionary.
Repeat Steps 1 to 6 to add more entries.
7
Click OK in the Add Settings window.
The window closes and the new settings appear on the settings tree under Data Loss Prevention
(Dictionaries).
Data Loss Prevention (Classifications) settings
The Data Loss Prevention (Classifications) settings are used for configuring entries in classification lists
that specify sensitive or inappropriate content.
DLP Classifications Parameters
Settings for configuring the use of classification lists when searching for sensitive or inappropriate
content
Table 11-52 DLP Classifications Parameters
Option
Definition
Tracking policy
Sets the scope of the search for sensitive or inappropriate content in the body text
of requests and responses.
The search is carried out for all classifications that have been selected. You can,
however, configure it in the following ways:
• Minimum — The search stops when an instance of sensitive or inappropriate
content has been found for a particular classification or if no instance could be
found. It is then continued for the next classification.
This goes on until all classifications have been processed.
• Maximum — The search tries to find all instances of sensitive or inappropriate
content for a particular classification. When the search is completed for a
classification, it continues with the next.
This goes on until all classifications have been processed.
DLP Classifications Provides a list for selecting entries in classification lists from the system lists
provided under DLP Classification on the lists tree.
The following table describes an entry in the DLP Classifications list
Table 11-53 DLP Classifications Parameters – List entry
Option
Definition
DLP Classification
Provides information about detecting sensitive or inappropriate content.
Comment
Provides a plain-text comment on an entry.
Advanced Parameters
Settings for configuring advanced functions for data loss prevention
Table 11-54 Advanced Parameters
Option
Definition
Reported context width Limits the number of characters shown around a matching term in a list to the
specified value.
The matching terms are the values of the DLP.Classification.BodyText.MatchedTerms and
DLP.Classification.AnyText.MatchedTerms properties.
Context list size
Limits the number of matching terms shown in a list to the specified value.
The matching terms are the values of the same MatchedTerms properties.
Data Loss Prevention (Dictionaries) settings
The Data Loss Prevention (Dictionaries) settings are used for configuring text and wildcard expressions
that specify sensitive or inappropriate content.
DLP Dictionary Parameters
Settings for configuring text and wildcard expressions specifying sensitive or inappropriate content
Table 11-55 DLP Dictionaries Parameters
Option
Definition
Tracking policy Sets the scope of the search for sensitive or inappropriate content in the body text of
requests and responses.
The search is carried out for all dictionary entries that have been created. It can,
however, be configured in the following ways:
• Minimum — The search stops when an instance of sensitive or inappropriate content
has been found for a particular dictionary entry or if no instance could be found. It is
then continued for the next entry.
This goes on until all entries have been processed.
• Maximum — The search tries to find all instances of sensitive or inappropriate content
for a particular dictionary entry. When the search is completed for an entry, it
continues with the next.
This goes on until all entries have been processed.
Dictionary
Provides a list for entering text strings and wildcard expressions that are sensitive or
inappropriate content or match with it.
The following table describes an entry in the Dictionary list.
Table 11-56 Dictionary – List entry
Option
Definition
Text or wildcard expression Specifies a text string or wildcard expression that is sensitive or inappropriate
content or matches with it.
Comment
Provides a plain-text comment on a text string or wildcard expression.
Advanced Parameters
Settings for configuring advanced functions for data loss prevention
Table 11-57 Advanced Parameters
Option
Definition
Reported context width Limits the number of characters shown around a matching term in a list to the
specified value.
The matching terms are the values of the DLP.Dictionary.BodyText.MatchedTerms and
DLP.Dictionary.AnyText.MatchedTerms properties.
Context list size
Limits the number of matching terms shown in a list to the specified value.
The matching terms are the values of the same MatchedTerms properties.
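The dictionary options described above (text entries with Case-sensitive, At start of word and At end of word, wildcard expressions, the Tracking policy, Reported context width and Context list size) and the two search methods from the earlier section (a whole body versus a single URL parameter or header) can be seen working in the following Python model. It is an added example written for this page, not code from the appliance, whose matching engine is not public. Assumptions: wildcard expressions use `*` for any run of characters and `?` for exactly one character; the Doctors'Names entries and the sample upload text are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class DictionaryEntry:
    """One row of the Dictionary list: a text string or a wildcard expression."""
    pattern: str
    wildcard: bool = False           # Type of data to search: Text (False) or Wildcard expression (True)
    case_sensitive: bool = False
    at_start_of_word: bool = False   # only offered for Text entries
    at_end_of_word: bool = False
    comment: str = ""

    def to_regex(self) -> "re.Pattern":
        if self.wildcard:
            # Assumption: '*' matches any run of characters, '?' exactly one character.
            body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                           for c in self.pattern)
        else:
            body = re.escape(self.pattern)
            if self.at_start_of_word:
                body = r"\b" + body
            if self.at_end_of_word:
                body = body + r"\b"
        return re.compile(body, 0 if self.case_sensitive else re.IGNORECASE)


@dataclass
class DictionarySettings:
    """The Data Loss Prevention (Dictionaries) settings a rule refers to, e.g. <Doctors'Names>."""
    entries: List[DictionaryEntry]
    tracking_policy: str = "Minimum"   # "Minimum": first hit per entry; "Maximum": every hit
    reported_context_width: int = 20   # characters kept on each side of a matching term
    context_list_size: int = 10        # maximum number of terms reported


@dataclass
class MatchResult:
    matched: bool                                              # DLP.Dictionary.*.Matched
    matched_terms: List[str] = field(default_factory=list)     # DLP.Dictionary.*.MatchedTerms


def match_body_text(text: str, settings: DictionarySettings) -> MatchResult:
    """Search a whole request or response body (DLP.Dictionary.BodyText.Matched)."""
    terms: List[str] = []
    for entry in settings.entries:
        for m in entry.to_regex().finditer(text):
            start = max(0, m.start() - settings.reported_context_width)
            end = min(len(text), m.end() + settings.reported_context_width)
            terms.append(text[start:end])
            if settings.tracking_policy == "Minimum":
                break   # one instance per entry is enough; continue with the next entry
    # Matched reflects every hit; only the reported list is capped by Context list size.
    return MatchResult(bool(terms), terms[: settings.context_list_size])


def match_any_text(fragment: str, settings: DictionarySettings) -> MatchResult:
    """Check one piece of text, e.g. a URL parameter or header value (DLP.Dictionary.AnyText.Matched)."""
    return match_body_text(fragment, settings)


# Constructed settings for the hospital example: doctors' names plus a record-number pattern.
DOCTORS_NAMES = DictionarySettings(
    entries=[
        DictionaryEntry("Smith", at_start_of_word=True, at_end_of_word=True, comment="Dr. Smith"),
        DictionaryEntry("Garcia", at_start_of_word=True, at_end_of_word=True, comment="Dr. Garcia"),
        DictionaryEntry("MRN-??????", wildcard=True, case_sensitive=True, comment="record numbers"),
    ],
    tracking_policy="Maximum",
    reported_context_width=8,
    context_list_size=5,
)

# Constructed body of an upload request; 'Smithfield' must not count as the name 'Smith'.
SAMPLE_UPLOAD = (
    "Discharge summary for MRN-104233, attending Dr. Smith, consult Dr. Garcia. "
    "Smithfield Foods invoice attached; see also MRN-990001."
)

if __name__ == "__main__":
    result = match_body_text(SAMPLE_UPLOAD, DOCTORS_NAMES)
    print("blocked" if result.matched else "allowed", result.matched_terms)
```

With Tracking policy Maximum the sample yields four terms (Smith, Garcia and both record numbers); with Minimum it yields three, one per entry. A Context list size smaller than the number of hits shortens the reported list but leaves the Matched value true, which is what a blocking rule needs.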
Data Loss Prevention rule set
The Data Loss Prevention (DLP) rule set is a library rule set for preventing sensitive content from
leaving your network or inappropriate content from entering it.
Default rule set – Data Loss Prevention (DLP)
Criteria – Always
Cycles – Requests (and IM), responses, embedded objects
The following rule sets are nested in this rule set:
•
DLP in Request Cycle
•
DLP in Response Cycle
This rule set is not enabled by default.
DLP in Request Cycle
This nested rule set blocks requests that are sent from clients in your network to web servers if it is
detected that sensitive content is involved. For example, a request to upload a file with sensitive
content to the web is blocked.
Nested library rule set – DLP in Request Cycle
Criteria – Cycle.TopName equals "Request"
Cycles – Requests (and IM) and embedded objects
The rule set criteria specifies that the rule set applies when a request is processed on the appliance.
The rule set contains the following rules:
Block files with HIPAA information
DLP.Classification.BodyText.Matched <HIPAA> equals true –> Block<DLP.Classification.Block> –
Statistics.Counter.Increment (“BlockedByDLPMatch”,1)<Default>
The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the
request that is currently processed contains text that is considered to be sensitive content. This text
could, for example, be in a file that a user requests to upload to the web.
Text is considered to be sensitive content according to the HIPAA health care regulations. Use of the
relevant information is configured as part of the module settings, which are specified after the
property name.
If there is sensitive content in the text of a request body, the request is blocked. The settings of the
Block action specify a message to the requesting user.
The rule also uses an event to count blocking due to a data loss prevention match.
Block files with Payment Card Industry information
DLP.Classification.BodyText.Matched <Payment Card Industry> equals true –>
Block<DLP.Classification.Block> – Statistics.Counter.Increment (“BlockedByDLPMatch”,1)<Default>
The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the
request that is currently processed contains text that is considered to be sensitive content. This text
could, for example, be in a file that a user requests to upload to the web.
Text is considered to be sensitive content according to the regulations that apply for payment cards.
A credit card number would, for example, be content under these regulations. Whether there is
sensitive content in a text is detected using appropriate information in the same way as for the
HIPAA-related rule.
If there is sensitive content in the text of a request body, the request is blocked. The settings of the
Block action specify a message to the requesting user.
The rule also uses an event to count blocking due to a data loss prevention match.
Block files with SOX information
DLP.Classification.BodyText.Matched <SOX> equals true –> Block<DLP.Classification.Block> –
Statistics.Counter.Increment (“BlockedByDLPMatch”,1)<Default>
The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the
request that is currently processed contains text that is considered to be sensitive content. This text
could, for example, be in a file that a user requests to upload to the web.
Text is considered to be sensitive content according to the regulations of the Sarbanes-Oxley (SOX)
act on public company accountability. Board meeting minutes would, for example, be sensitive
content under this act. Whether there is sensitive content in a text is detected using appropriate
information in the same way as for the HIPAA-related rule.
If there is sensitive content in the text of a request body, the request is blocked. The settings of the
Block action specify a message to the requesting user.
The rule also uses an event to count blocking due to a data loss prevention match.
DLP in Response Cycle
This nested rule set blocks responses that are received on the appliance from web servers if it is
detected that they contain inappropriate content, for example, discriminatory or offensive language.
Nested library rule set – DLP in Response Cycle
Criteria – Cycle.TopName equals "Response"
Cycles – Responses and embedded objects
The rule set criteria specifies that the rule set applies when a response is processed on the appliance.
The rule set contains the following rule:
Acceptable use
DLP.Classification.BodyText.Matched <Acceptable Use> equals true –>
Block<DLP.Classification.Block> – Statistics.Counter.Increment (“BlockedByDLPMatch”,1)<Default>
The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the
response that is currently processed contains text that is considered to be inappropriate content. This
text could, for example, be in a file that is sent in response to a download request.
The module that is called by the rule to find out whether there is inappropriate content in the
response body uses appropriate information from classification lists. Use of these lists is configured
as part of the module settings, which are specified after the property name.
If there is inappropriate content in the text of a response body, the response is blocked. The settings
of the Block action specify a message to the user who the response should have been forwarded to.
The rule also uses an event to count blocking due to a data loss prevention match.
Preventing data loss using an ICAP server
When you have implemented data loss prevention with an ICAP server that handles the filtering
process, you can configure settings and implement a rule set to ensure the smooth flow of data
between the appliance and the ICAP server.
You can use a solution called nDLP for data loss prevention. Within this solution, data that users want
to upload from your network to the web is filtered to prevent data loss. The filtering is done on an
ICAP server. The data flow is as follows:
•
Data sent from the client systems of your users is forwarded to the appliance.
•
The appliance provides an ICAP client that sends REQMOD requests with the user data to the ICAP
server.
•
The ICAP server filters the requests and returns them, modified according to the ICAP protocol, to
the appliance, which passes them on to the web servers that are the destinations of the requests.
After importing the Data Loss Prevention with ICAP rule set from the library, rules that are
implemented on the appliance control the sending of requests to the ICAP server.
According to these rules, a request is not forwarded if:
•
The body of the request contains no data and the request does not include URL parameters.
•
The body of the request exceeds a given size (default: 50 MB).
Together with the rule set, settings are imported that you need to configure. These include a list of the
ICAP servers that the appliance can forward requests to.
You can also configure the ICAP client on the appliance not to open more connections for sending
requests than a particular ICAP server can handle at the same time.
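The data flow and the two forwarding conditions above can be made concrete with the following Python model of the ICAP client side. It is an added example for this page, not code from the appliance or the nDLP solution: it applies the two pre-checks (empty body without URL parameters, body over the 50 MB default), wraps an HTTP request in an ICAP REQMOD message as specified in RFC 3507, and maps the server's answer to what the gateway does next. The service URI icap://icap.example.net:1344/reqmod, the upload request and the ICAP responses are constructed, and the three decision labels are names chosen here, not appliance terminology.

```python
import re
from urllib.parse import urlsplit

# Page default: request bodies over 50 MB are not sent to the ICAP server.
MAX_ICAP_BODY = 50 * 1024 * 1024


def should_forward_to_icap(url: str, body: bytes, max_body: int = MAX_ICAP_BODY) -> bool:
    """The two pre-checks of the Data Loss Prevention with ICAP rule set."""
    if not body and not urlsplit(url).query:
        return False            # nothing for the ICAP server to inspect
    if len(body) > max_body:
        return False            # body exceeds the configured size limit
    return True


def build_reqmod(service_uri: str, http_headers: bytes, body: bytes) -> bytes:
    """Wrap an HTTP request in an ICAP REQMOD message (RFC 3507)."""
    if not http_headers.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with an empty line")
    host = urlsplit(service_uri).hostname
    if body:
        # Encapsulated gives byte offsets into the encapsulated section;
        # the body travels in HTTP chunked encoding.
        encapsulated = f"req-hdr=0, req-body={len(http_headers)}"
        payload = http_headers + f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_headers)}"
        payload = http_headers
    icap_headers = (
        f"REQMOD {service_uri} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode("ascii")
    return icap_headers + payload


def decide_from_icap_response(response: bytes) -> str:
    """Map the ICAP status and Encapsulated header to the gateway's next step."""
    head, _, _ = response.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"ICAP/1\.0 (\d{3})\b", status_line)
    if not m:
        raise ValueError("not an ICAP/1.0 response")
    status = int(m.group(1))
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    if status == 204:
        return "forward-original"       # server had nothing to change
    if status == 200:
        encapsulated = headers.get("encapsulated", "")
        if "res-hdr" in encapsulated:
            return "return-to-client"   # server answered with its own HTTP response, e.g. a block page
        if "req-hdr" in encapsulated:
            return "forward-modified"   # server returned a modified request
    return "error"                      # 4xx/5xx or malformed; policy decides whether to fail open or closed


# Constructed sample upload request and ICAP service URI.
ICAP_SERVICE = "icap://icap.example.net:1344/reqmod"
SAMPLE_HTTP_HEADERS = (b"POST /upload HTTP/1.1\r\n"
                       b"Host: files.example.com\r\n"
                       b"Content-Type: text/plain\r\n"
                       b"Content-Length: 27\r\n\r\n")
SAMPLE_BODY = b"patient MRN-104233 Dr Smith"

if __name__ == "__main__":
    if should_forward_to_icap("http://files.example.com/upload", SAMPLE_BODY):
        print(build_reqmod(ICAP_SERVICE, SAMPLE_HTTP_HEADERS, SAMPLE_BODY).decode("ascii"))
```

The three outcomes matter operationally: a 204 means the original request goes out unchanged, a 200 carrying req-hdr means the server rewrote the request, and a 200 carrying res-hdr means the server wants its own HTTP response (typically a block page) returned to the client instead of the request reaching the web server.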
Create an ICAP server list for data loss prevention
When running the nDLP solution for data loss prevention, which uses an ICAP server for filtering data,
you need to configure a list of these servers.
Task
1
Select Policy | Settings.
2
On the settings tree, select ICAP Client and click the ReqMod settings.
3
Configure the ICAP server list that is provided under these settings as needed.
4
Click Save Changes.
ICAP Client settings
The ICAP Client settings are used for configuring communication in REQMOD mode between an ICAP
client on the appliance and ICAP servers.
ICAP Service
Settings for ICAP servers that the ICAP client on the appliance sends requests to
Table 11-58 ICAP Service
Option
Definition
List of ICAP Servers Provides a list for selecting a list of servers that are used in ICAP communication.
Requests from the ICAP client on the appliance are distributed to the servers in the selected
list in round-robin mode. For this purpose, the list is checked at intervals of 60
seconds.
The following table describes an entry for an ICAP server in a server list.
Table 11-59 Entry in a list of ICAP servers
Option
Definition
URI
Specifies the URI of an ICAP server.
Format: ICAP://<IP address>:<port number>
Respect max concurrent
connections limit
When selected, the ICAP client on the appliance does not open more
connections at the same time for sending requests than the ICAP
server can handle.
Comment
Provides a plain-text comment on an ICAP server.
Data Loss Prevention With ICAP rule set
The Data Loss Prevention with ICAP rule set is a library rule set for configuring the data flow between
the appliance and an ICAP server in a solution for data loss prevention.
Library rule set – Data Loss Prevention With ICAP
Criteria – URL.Host does not equal “ ”
Cycles – Requests (and IM) and embedded objects
The rule set criteria specifies that t