McAfee Web Gateway Cloud Service IPsec Site-to

Reference Guide
McAfee Web Gateway Cloud Service
IPsec site-to-site third-party devices
If your organization uses one of the supported third-party devices to secure your network, you can use the
IPsec protocol to secure communications between your network and McAfee Web Gateway Cloud Service
(McAfee WGCS).
IPsec site-to-site overview
To configure your network and McAfee WGCS to use IPsec, you create an IPsec VPN tunnel between the
supported device on your network and the cloud service.
Environment
• McAfee WGCS
• McAfee ePolicy Orchestrator Cloud (McAfee ePO Cloud)
Summary
McAfee WGCS supports IPsec site-to-site authentication using one of these devices installed on your network:
• Fortinet FortiGate 60D
• Dell SonicWALL TZ400
Setup includes:
• Configuration of McAfee WGCS using the McAfee ePO Cloud management console
• Configuration of the device
This guide covers configuration of the supported devices. For information about configuring McAfee WGCS, see
the McAfee Web Gateway Cloud Service Product Guide.
Considerations for configuring IPsec site-to-site
Before configuring IPsec site-to-site authentication, review the following considerations.
• Routing only HTTP and HTTPS traffic — McAfee WGCS only handles traffic directed to ports 80 and 443 (HTTP and
  HTTPS traffic, respectively) through the VPN tunnel. Configure your device to route only HTTP and HTTPS traffic
  through the VPN tunnel; all other traffic takes the default route to the Internet.
• Configuring two IPsec VPN tunnels — Best practice is to configure a primary and secondary VPN tunnel. The
  primary tunnel is connected to the best available point of presence (PoP), while the secondary tunnel is
  connected to the second best point of presence. This practice ensures continuous IPsec support in case one
  point of presence is not available.
• Using an IPsec VPN tunnel to connect remote sites — If you have one or more remote sites that are connected
  to your network by VPN, you can protect traffic and reduce network latency by creating a VPN tunnel between
  each site and McAfee WGCS, instead of backhauling the web traffic of each site through your main site.
• Adding Client Proxy authentication — You can add Client Proxy authentication to IPsec site-to-site. To do so,
  configure Client Proxy to use port 80 when redirecting traffic to McAfee WGCS, because only traffic to ports
  80 and 443 is routed through the tunnel.
• Adding SAML authentication — You can add a SAML configuration to an IPsec location. McAfee WGCS uses SAML to
  authenticate requests received from the location through the IPsec tunnel.
• Using a NAT device — If your IPsec device is located behind a NAT device and its outgoing interface has a
  private IP address, set the Local ID attribute to your public IP address, so that the identity the device
  presents during IKE matches the address from which McAfee WGCS sees the connection arrive.
Finding the best available points of presence
To find the point of presence closest to the device that you are configuring for IPsec authentication, you query
the Global Routing Manager (GRM). The GRM is a DNS service that routes traffic to the best available point of
presence.
From the network where your device is installed, run the nslookup command-line tool, as follows:
nslookup 1.network.c<customer id>.saasprotection.com
nslookup 2.network.c<customer id>.saasprotection.com
In response to these commands, the GRM returns the IP addresses of the best and second best points of
presence, respectively, based on the network location of your device. You need these values when configuring
the primary and secondary IPsec VPN tunnels in your device and in McAfee WGCS.
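The two nslookup queries above are the whole discovery step, but two things are easy to get wrong: the lookup has to be issued from the network where the IPsec device sits, because the GRM chooses the PoP from the source address of the query, and the two answers must actually be different PoPs or the secondary tunnel buys no failover. The following Python helper is an added example, not part of the original guide or of any McAfee tool; it builds the two GRM names for a customer id, resolves them, and checks both points. The sample customer id, the injectable resolver and the same-PoP check are assumptions made for the example.

```python
import ipaddress
import socket
from typing import Callable, Tuple

# Constructed sample value for the example; replace with your own customer id.
SAMPLE_CUSTOMER_ID = "12345"


def grm_hostnames(customer_id: str) -> Tuple[str, str]:
    """Return the GRM names that resolve to the best and second-best PoP."""
    base = f"network.c{customer_id}.saasprotection.com"
    return f"1.{base}", f"2.{base}"


def find_pops(customer_id: str,
              resolve: Callable[[str], str] = socket.gethostbyname) -> Tuple[str, str]:
    """Resolve the primary and secondary PoP addresses for the two tunnels.

    The GRM answers based on where the query comes from, so this must run on
    the network where the IPsec device is installed; a lookup from a laptop
    elsewhere returns PoPs that are "best" for the wrong location.
    `resolve` is injectable (an assumption of this example) so the logic can be
    exercised offline with a fake resolver.
    """
    primary_name, secondary_name = grm_hostnames(customer_id)
    primary = resolve(primary_name)
    secondary = resolve(secondary_name)
    for name, addr in ((primary_name, primary), (secondary_name, secondary)):
        # The Remote Gateway / IPsec Gateway fields take an IP address, so make
        # sure the resolver handed back one and not, say, a CNAME string.
        ipaddress.ip_address(addr)  # raises ValueError if not an IP address
    if primary == secondary:
        # Two tunnels to the same PoP do not survive that PoP becoming unavailable.
        raise ValueError(f"GRM returned the same PoP ({primary}) for both names; "
                         "a secondary tunnel to it gives no failover")
    return primary, secondary


if __name__ == "__main__":
    pri, sec = find_pops(SAMPLE_CUSTOMER_ID)
    print(f"primary PoP:   {pri}")
    print(f"secondary PoP: {sec}")
```

Run it on the device's own network and use the two printed addresses as the Remote Gateway of the primary and secondary tunnels on the device and in McAfee WGCS.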
Configuring an IPsec VPN tunnel with FortiGate 60D
To secure communications between your network and McAfee WGCS, configure an IPsec VPN tunnel between
the FortiGate device installed on your network and the cloud service.
Tasks for configuring a VPN tunnel with FortiGate
Configuring a VPN tunnel with FortiGate includes these tasks.
1 Create a VPN tunnel.
2 Configure the VPN tunnel.
3 Create a static route.
4 Create a policy route.
5 Configure the policy route.
6 View the status of the VPN tunnel.
7 Configure a primary and secondary VPN tunnel.
Create a VPN tunnel with FortiGate
Create an IPsec VPN tunnel between the FortiGate device on your network and McAfee WGCS.
Task
1 Open the web interface that you use to configure the FortiGate device on your network.
2 From the menu, select VPN | IPsec | Tunnels, then click Create New.
  The VPN Creation Wizard opens to the VPN Setup step.
3 In the Name field, specify a name for the VPN tunnel that you are configuring.
4 From the Template options, select Site to Site - FortiGate.
5 Click Next.
6 Configure the Authentication settings:
  • Remote Gateway — Specify the IP address that McAfee WGCS uses for IPsec communications. IPsec
    communications are sent from your network to this address.
    To find the IP address of the point of presence closest to your device, use the nslookup command-line
    tool to query the Global Routing Manager.
  • Outgoing Interface — From this drop-down list, select the outgoing interface of the FortiGate device.
  • Authentication Method — Select Pre-shared Key.
  • Pre-shared Key — Specify the value of the key that you define and share with McAfee WGCS. This setting
    matches the Pre-Shared Key value that you specify when configuring the VPN tunnel in McAfee WGCS. The
    value's maximum length is 64 characters. Because this key is the only credential that authenticates the
    two tunnel endpoints to each other, use a long, randomly generated value rather than a short passphrase.
7 Click Next.
8 Configure the Policy & Routing settings:
  • Local Interface — From the drop-down list, select the local interface of the FortiGate device.
  • Local Subnets — Specify the internal network of your site in IPv4 CIDR notation with a prefix length of
    16–32 bits. IPsec communications are sent from McAfee WGCS to this address range. This setting matches
    the Local Network value that you specify when configuring the VPN tunnel in McAfee WGCS.
  • Remote Subnets — Specify the range of requested IP addresses that are sent through the VPN tunnel to
    McAfee WGCS. To make sure that all traffic is sent to McAfee WGCS through the tunnel, specify this value:
    0.0.0.0/0.
9 Click Create.
  The VPN Creation Wizard displays this message: The VPN has been set up.
Configure the VPN tunnel for FortiGate
Configure the IPsec VPN tunnel using the values that McAfee WGCS supports.
Task
1 Open the web interface that you use to configure the FortiGate device on your network.
2 From the menu, select VPN | IPsec | Tunnels.
3 Select the tunnel you created, then click Edit.
4 Click Convert to Custom Tunnel.
5 Under the Authentication heading, set the IKE Version to 2.
6 Under the Phase 1 Proposal heading:
  a Remove the two 3DES entries from the list, so that the tunnel can never negotiate 3DES.
  b Verify that Group 5 is selected.
7 Under the Phase 2 Selectors heading, verify that the Local Address and Remote Address settings are correct.
8 To open the Phase 2 Proposal settings, click Advanced.
9 Under the Phase 2 Proposal heading:
  a Remove the two 3DES entries from the list.
  b Verify that Group 5 is selected.
10 Click OK.
Create a static route for FortiGate
Using the static route, the FortiGate device directs IPsec packets through the VPN tunnel that you create and
configure.
Task
1 Open the web interface that you use to configure the FortiGate device on your network.
2 From the menu, select Router | Static | Static Routes, then click Create New.
3 Configure these settings:
  • Destination IP/Mask — Specify the IP address that McAfee WGCS uses for IPsec communications, as a single
    host address. This setting matches the Remote Gateway value that you configure when creating the VPN
    tunnel in the FortiGate interface.
    To find the IP address of the point of presence closest to your device, use the nslookup command-line
    tool to query the Global Routing Manager.
  • Gateway — Specify the FortiGate outbound IP address. This setting matches the External IP value that you
    specify when configuring the VPN tunnel in McAfee WGCS.
4 Expand the Advanced Options, then specify a value for the Priority setting.
  Review these considerations:
  • The static route with the lowest priority value has the highest priority.
  • Specify a value that is greater than the priority configured for the default static route, so that the
    default static route always has a higher priority.
  • When configuring static routes for multiple VPN tunnels, the routes can have the same priority value.
5 Click OK.
Create a policy route for FortiGate
Using the policy route, the FortiGate device determines whether TCP packets are directed through the VPN
tunnel or to the Internet.
• TCP packets going to ports 80 and 443 — Using the policy route, the device directs these packets through the
  VPN tunnel.
• All other packets — Using the default static route, the device directs these packets to the Internet.
Task
1 Open the web interface that you use to configure the FortiGate device on your network.
2 From the menu, select Router | Static | Policy Routes, then click Create New.
3 Under If incoming traffic matches, configure these settings:
  • Protocol — Select TCP.
  • Incoming interface — From the drop-down list, select internal.
  • Source address / mask — Specify the internal network of your site in IPv4 CIDR notation with a prefix
    length of 16–32 bits. IPsec communications are sent from McAfee WGCS to this address range. This setting
    matches the Local Network value that you specify when configuring the VPN tunnel in McAfee WGCS.
  • Destination address / mask — Specify the range of requested IP addresses that are sent through the policy
    route to McAfee WGCS. To ensure that all traffic is sent to McAfee WGCS through this route, specify this
    value: 0.0.0.0/0.
4 Under Then, configure this setting:
  • Tunnel Interface — From the drop-down list, select the interface of the VPN tunnel that you created.
5 Click OK.
Configure the policy route for FortiGate
Configure the policy route so that the FortiGate device only routes TCP packets going to ports 80 and 443 (HTTP
and HTTPS traffic, respectively) through the IPsec VPN tunnel.
Task
1 Open the web interface that you use to configure the FortiGate device on your network.
2 From the menu, select Policy & Objects | Policy | IPv4.
3 Select the policy route that you created, then click Edit.
4 From the Service drop-down list:
  a Under Web Access, select HTTP.
  b Click the Add icon, then under Web Access, select HTTPS.
5 Click OK.
View the status of the tunnel configured with FortiGate
To verify that the IPsec VPN tunnel with FortiGate is correctly configured, view the status of the tunnel.
Task
1 Open the web interface that you use to configure the FortiGate device on your network.
2 Select VPN | Monitor | IPsec Monitor.
3 In the table, locate the VPN tunnel in the Name column.
  In the Status column, a green icon and up arrow show that the VPN tunnel is configured correctly. If the
  tunnel does not come up, confirm that the pre-shared key, the Local ID (when the device is behind NAT) and
  the Phase 1 and Phase 2 proposals match the values configured for the tunnel in McAfee WGCS.
Specify primary and secondary VPN tunnels for FortiGate
When configuring two VPN tunnels, specify one as the primary tunnel and the other as the secondary tunnel.
When the FortiGate device receives a packet, it searches the policy route list from top to bottom for a match. If
the policy route configured for the primary tunnel is placed above the policy route configured for the secondary
tunnel, the device routes IPsec packets to the primary VPN tunnel first.
Task
1 Open the web interface that you use to configure the FortiGate device on your network.
2 From the menu, select Router | Static | Policy Routes.
3 In the list, drag and drop the policy route configured for the primary VPN tunnel above the policy route
  configured for the secondary VPN tunnel.
  A confirmation message is displayed: Your changes have been saved.
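The three FortiGate routing sections above (create the policy route, restrict it to TCP ports 80 and 443, and keep the primary tunnel's policy route above the secondary's) together define one decision: which packets enter which tunnel, and which fall through to the default static route. The following Python model of the device's top-to-bottom policy-route match is an added example, not Fortinet's or McAfee's code, written so that the rules can be checked against sample packets before trusting them on a live device. The interface names, the constructed packets and the rule that a matching route whose tunnel is down is skipped (which is how failover to the secondary tunnel is modelled here) are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

TCP = "tcp"
WEB_PORTS: FrozenSet[int] = frozenset({80, 443})  # all that WGCS handles through the tunnel
DEFAULT_ROUTE = "default"  # stands for the default static route to the Internet


@dataclass(frozen=True)
class PolicyRoute:
    """One FortiGate policy route as the guide configures it (field names assumed)."""
    incoming_interface: str
    source: str           # local network, e.g. "10.0.0.0/16"
    destination: str      # "0.0.0.0/0" so every web destination matches
    protocol: str         # "tcp"
    ports: FrozenSet[int]
    tunnel_interface: str


@dataclass(frozen=True)
class Packet:
    incoming_interface: str
    src: str
    dst: str
    protocol: str
    dport: int


def wgcs_policy_routes(local_net: str, tunnels: List[str],
                       incoming_interface: str = "internal") -> List[PolicyRoute]:
    """Build the ordered policy-route list; tunnels[0] is the primary, so it comes first."""
    return [PolicyRoute(incoming_interface, local_net, "0.0.0.0/0", TCP, WEB_PORTS, t)
            for t in tunnels]


def select_route(packet: Packet, routes: List[PolicyRoute],
                 tunnel_up: Dict[str, bool]) -> str:
    """Return the interface the packet leaves on.

    Routes are searched top to bottom and the first match wins. A matching
    route whose tunnel is down is skipped so the next one (the secondary
    tunnel) is tried; this models the failover the two-tunnel setup exists for
    (assumption of this example). No match at all means the default route.
    """
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    for route in routes:
        if packet.incoming_interface != route.incoming_interface:
            continue
        if packet.protocol != route.protocol or packet.dport not in route.ports:
            continue  # non-web traffic never enters the tunnel
        if src not in ipaddress.ip_network(route.source):
            continue
        if dst not in ipaddress.ip_network(route.destination):
            continue
        if not tunnel_up.get(route.tunnel_interface, False):
            continue  # tunnel down: fall through to the next policy route
        return route.tunnel_interface
    return DEFAULT_ROUTE


if __name__ == "__main__":
    # Constructed sample: two tunnels, primary listed first, both up.
    routes = wgcs_policy_routes("10.0.0.0/16", ["wgcs-primary", "wgcs-secondary"])
    status = {"wgcs-primary": True, "wgcs-secondary": True}
    for pkt in (Packet("internal", "10.0.1.5", "203.0.113.7", TCP, 443),
                Packet("internal", "10.0.1.5", "203.0.113.7", TCP, 22),
                Packet("internal", "10.0.1.5", "203.0.113.7", "udp", 443)):
        print(pkt.protocol, pkt.dport, "->", select_route(pkt, routes, status))
```

The ordering of the list is what the drag-and-drop step changes: swapping the two routes would send web traffic to the secondary PoP while the primary is healthy, which the device would not report as an error.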
Configuring an IPsec VPN tunnel with SonicWALL TZ400
To secure communications between your network and McAfee WGCS, configure an IPsec VPN tunnel between
the SonicWALL device installed on your network and the cloud service.
Configure a VPN tunnel with SonicWALL
Configure a VPN tunnel between the SonicWALL device on your network and McAfee WGCS.
Task
1 Open the web interface that you use to configure the SonicWALL device on your network.
2 Select VPN | Advanced.
3 Under the IKEv2 Settings heading, select Send IKEv2 Invalid SPI Notify.
4 Select VPN | Settings, then click Add.
5 Configure the settings on these tabs:
  • General
  • Network
  • Proposals
  • Advanced
6 To save the VPN tunnel configuration, click OK.
  The VPN tunnel is added to the VPN Policies list.
SonicWALL IPsec VPN tunnel settings
When configuring a VPN tunnel between the SonicWALL device on your network and McAfee WGCS, specify
these settings.
General settings
Configure the settings on the General tab.
Policy Type
  Select Site to Site.
Authentication Method
  Select IKE using Preshared Secret.
Name
  Specify a name for the VPN tunnel that you are creating.
IPsec Primary Gateway Name or Address
IPsec Secondary Gateway Name or Address
  Specify the IP addresses of the best and second best available points of presence, respectively.
  To find these addresses, use the nslookup command-line tool to query the Global Routing Manager.
Shared Secret
Confirm Shared Secret
  Specify and confirm the secret that you define and share with McAfee WGCS. This setting matches the
  Pre-Shared Key value that you specify when configuring the VPN tunnel in McAfee WGCS.
  Maximum length: 64 characters
Network settings
Configure the settings on the Network tab.
Local Networks
  Select Choose local network from list, then select a value from the drop-down list. This setting matches
  the Local Network value that you specify when configuring the VPN tunnel in McAfee WGCS.
Remote Networks
  Select Use this VPN Tunnel as default route for all Internet traffic.
Proposals settings
Configure the settings on the Proposals tab.
IKE (Phase 1) Proposal
  Verify that the Phase 1 settings are configured like this:
  • Exchange is set to IKEv2 Mode.
  • DH Group is set to Group 5.
  • Encryption is set to AES-128.
  • Authentication is set to SHA256.
  • Life Time (seconds) is set to 28800 (8 hours).
IPsec (Phase 2) Proposal
  Verify that the Phase 2 settings are configured like this:
  • Protocol is set to ESP.
  • Encryption is set to AES-128.
  • Authentication is set to SHA256.
  • Enable Perfect Forward Secrecy is selected.
  • DH Group is set to Group 5.
  • Life Time (seconds) is set to 28800 (8 hours).
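The FortiGate steps (IKE version 2, remove the 3DES proposals, Group 5 in Phase 1 and Phase 2) and the SonicWALL Proposals table above describe the same set of values that must match on both ends of the tunnel, together with the pre-shared key length and subnet constraints given earlier in this guide. The following Python pre-flight check is an added example, not from the guide or from either vendor: it encodes those constraints (IKEv2, DH Group 5, no 3DES, PFS on, the AES-128/SHA256/28800 s proposal, a pre-shared key of at most 64 characters, a local subnet of 16 to 32 bits and a remote subnet of 0.0.0.0/0) so a planned configuration can be checked before it is typed into a device. The TunnelSettings structure and the sample values are assumptions made for the example; a proposal other than AES-128/SHA256 is reported as a warning rather than an error because the FortiGate steps only require removing 3DES.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constraints taken from this guide.
IKE_VERSION = 2
DH_GROUP = 5
PSK_MAX_LEN = 64
REMOTE_SUBNET = "0.0.0.0/0"
LOCAL_PREFIX_RANGE = (16, 32)
# Proposal listed in the SonicWALL Proposals settings for Phase 1 and Phase 2.
REFERENCE_PROPOSAL = ("AES-128", "SHA256", 28800)

Finding = Tuple[str, str]  # (severity, message): "error" blocks, "warning" asks for review


@dataclass(frozen=True)
class Proposal:
    encryption: str        # e.g. "AES-128", "3DES"
    authentication: str    # e.g. "SHA256"
    lifetime_seconds: int  # e.g. 28800


@dataclass
class TunnelSettings:
    """Planned settings for one tunnel (the structure is an assumption of this example)."""
    name: str
    pre_shared_key: str
    local_subnet: str
    remote_subnet: str
    ike_version: int
    phase1: List[Proposal]
    phase1_dh_group: int
    phase2: List[Proposal]
    phase2_dh_group: int
    phase2_pfs: bool


def _check_proposals(label: str, proposals: List[Proposal], findings: List[Finding]) -> None:
    if not proposals:
        findings.append(("error", f"{label}: no proposal configured"))
    for p in proposals:
        if p.encryption.upper().startswith("3DES"):
            # The FortiGate steps remove the 3DES entries; never leave one negotiable.
            findings.append(("error", f"{label}: remove the {p.encryption}/{p.authentication} proposal"))
        elif (p.encryption.upper(), p.authentication.upper(), p.lifetime_seconds) != REFERENCE_PROPOSAL:
            ref = "/".join(map(str, REFERENCE_PROPOSAL))
            findings.append(("warning", f"{label}: {p.encryption}/{p.authentication}/"
                                        f"{p.lifetime_seconds}s is not the {ref}s proposal the guide lists"))


def validate_tunnel_settings(s: TunnelSettings) -> List[Finding]:
    """Return every deviation from the guide's values; an empty list means the plan is consistent."""
    findings: List[Finding] = []
    if s.ike_version != IKE_VERSION:
        findings.append(("error", f"IKE version must be {IKE_VERSION}, got {s.ike_version}"))
    if not 1 <= len(s.pre_shared_key) <= PSK_MAX_LEN:
        findings.append(("error", f"pre-shared key must be 1-{PSK_MAX_LEN} characters, "
                                  f"got {len(s.pre_shared_key)}"))
    try:
        # strict=True also rejects a host address such as 10.0.1.5/24 where a network is expected.
        net = ipaddress.IPv4Network(s.local_subnet, strict=True)
        lo, hi = LOCAL_PREFIX_RANGE
        if not lo <= net.prefixlen <= hi:
            findings.append(("error", f"local subnet prefix must be {lo}-{hi} bits, got /{net.prefixlen}"))
    except ValueError as exc:
        findings.append(("error", f"local subnet must be an IPv4 CIDR network: {exc}"))
    if s.remote_subnet != REMOTE_SUBNET:
        findings.append(("error", f"remote subnet must be {REMOTE_SUBNET} so all web traffic reaches WGCS"))
    for label, group in (("Phase 1", s.phase1_dh_group), ("Phase 2", s.phase2_dh_group)):
        if group != DH_GROUP:
            findings.append(("error", f"{label}: DH group must be {DH_GROUP}, got {group}"))
    if not s.phase2_pfs:
        findings.append(("error", "Phase 2: Perfect Forward Secrecy must be enabled"))
    _check_proposals("Phase 1", s.phase1, findings)
    _check_proposals("Phase 2", s.phase2, findings)
    return findings


if __name__ == "__main__":
    # Constructed sample plan; replace with your own values.
    plan = TunnelSettings("wgcs-primary", "k" * 64, "10.0.0.0/16", "0.0.0.0/0", 2,
                          [Proposal("AES-128", "SHA256", 28800)], 5,
                          [Proposal("AES-128", "SHA256", 28800)], 5, True)
    for severity, message in validate_tunnel_settings(plan) or [("ok", "no deviations")]:
        print(f"{severity}: {message}")
```

Run the check once per tunnel (primary and secondary) with the values you intend to enter; the same findings apply to the McAfee WGCS side, since the Pre-Shared Key and Local Network values there must match the device.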
Advanced settings
Configure the settings on the Advanced tab.
Enable Keep Alive
  Select this checkbox.
VPN Policy bound to
  Select the outgoing interface of the SonicWALL device.
Copyright © 2017 McAfee, LLC
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.
201707-00