
Administration Guide

McAfee® Web Gateway System Configuration

version 6.9


2 McAfee Web Gateway System Configuration 6.9 Administration Guide

COPYRIGHT

Copyright © 2011 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

McAfee®, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, Global Threat Intelligence, GroupShield, IntruShield, LinuxShield, MAX (McAfee SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, SmartFilter, Total Protection, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

1 Introduction . . . 7
  Welcome . . . 7
  About this guide . . . 7
  What else will you find in this introduction? . . . 8
  Using McAfee Web Gateway . . . 8
    First-level tabs . . . 9
    Configuring a sample setting . . . 9
    Standard features of the user interface . . . 11
  McAfee Web Gateway user documentation . . . 14
    Documentation on main products . . . 14
    Documentation on special products . . . 15
  McAfee Web Gateway product licenses . . . 15
    New licensing model . . . 15
    Old licensing model . . . 16
    Importing licenses . . . 17

2 User Management . . . 19
  About user management . . . 19
  Administrators . . . 19
    Accounts . . . 20
    LDAP/Radius authentication . . . 23
    Role definition . . . 25
  Policy management . . . 29
    Concept . . . 29
    Group management . . . 30
    Policy management . . . 32
    Rate limiting . . . 35
    Web mapping . . . 37
    E-Mail mapping . . . 41
  User database . . . 43
    User database . . . 43
    Import . . . 45
    LDAP synchronization . . . 48
    Backup and restore . . . 52
  Authentication server . . . 53
    Authentication server . . . 53
  Windows domain membership . . . 61
    Windows domain membership . . . 62
    NTLM authentication test . . . 64
  Languages . . . 65
    Languages . . . 66
    Import language pack . . . 71

3 Reporting . . . 73
  About reporting . . . 73
  View live reports (for policy) . . . 73
    View live reports . . . 74
  Log file management . . . 76
    Activate log files . . . 77
    Auto-rotation . . . 80
    Auto-deletion . . . 81
    Auto-pushing . . . 83
    Content Reporter . . . 87
    Configuring log file processing for McAfee Web Reporter . . . 88
  View log files . . . 89


    View log files . . . 89
  Live report management . . . 89
    Report activation . . . 90
    Load reports . . . 94
    Anonymization . . . 95
  View live reports (overall reporting) . . . 96
    View live reports . . . 96
    View load . . . 98
    System statistics . . . 99
  Rate limiting . . . 100
    View rate limiting statistics . . . 100
  4-Eyes-Principle . . . 102
    4-Eyes-Principle . . . 102
  Deanonymization . . . 103
    Deanonymization . . . 103

4 Caching . . . 105
  About caching . . . 105
  Quick snapshot . . . 105
    Quick snapshot . . . 107
  HTTP caching . . . 108
    HTTP caching . . . 109
    Cachable objects list . . . 110
  Cache settings . . . 112
    Cache settings . . . 112
    Cache rules . . . 114
  Flush cache . . . 116
    Flush cache . . . 116

5 Proxies . . . 119
  Proxy configuration . . . 119
  HTTP proxy . . . 120
    Settings . . . 121
    Next hop proxies . . . 128
    Authentication . . . 133
    ICAP services . . . 146
    Transparent setup . . . 152
    Running McAfee Web Gateway in a multi-process configuration . . . 155
  HTTPS proxy . . . 158
    Settings . . . 158
    Next hop proxies . . . 164
    Authentication . . . 165
    ICAP services . . . 166
  FTP proxy . . . 167
    Settings . . . 167
    Next hop proxies . . . 171
    Authentication . . . 172
    ICAP services . . . 174
  E-mail gateway . . . 175
    Gateway settings . . . 175
    ICAP services . . . 178
    Notifications . . . 179
    ESMTP extensions . . . 181
  Delivery options . . . 183
    Delivery options . . . 184
    Routing rules . . . 186
    Secure mail delivery list . . . 190
  Queue configuration . . . 192
    Queue configuration . . . 192
  Relay protection . . . 193
    Allowed domains . . . 194
    IP networks . . . 196
    Recipient LDAP check . . . 198


  Exception lists . . . 200
    IP White List . . . 200
    IP Black List . . . 202
    Client Domain Black List . . . 204
    Sender Black List . . . 206
    Recipient Black List . . . 207
    TrustedSource . . . 209
  Load limits . . . 210
    Load limits . . . 210
  POP3 access . . . 214
    POP3 access . . . 214
  ICAP(S) server . . . 215
    ICAP(S) server . . . 216
    Server settings . . . 218
    REQMOD settings . . . 222
    RESPMOD settings . . . 227
  Progress indication methods . . . 229
    Progress indication methods . . . 229
  Own host name . . . 232
    Own host name . . . 232
  IFP . . . 235
    Settings . . . 235
    ICAP services . . . 237
  WCCP . . . 238
    WCCP . . . 239

6 Configuration . . . 247
  About configuration . . . 247
  Update manager . . . 248
    General options . . . 248
    URL filter . . . 254
    AV engine . . . 258
    Spam filter . . . 260
    CRLs . . . 262
  Central management . . . 264
    Node settings . . . 264
    Master settings . . . 269
    Site settings . . . 271
  Appliance . . . 273
    General . . . 274
    Interfaces . . . 275
    Routes . . . 277
    Time and date . . . 279
    Reboot/Shutdown . . . 280
    Update . . . 281
    High availability . . . 284
    Port forwarding . . . 291
  Web interfaces . . . 292
    Ports . . . 293
    Sessions . . . 298
    Dashboard / Quick snapshots . . . 300
  Secure administration shell . . . 301
    General settings . . . 302
  SNMP interface . . . 305
    Agent . . . 306
    Communities . . . 309
    SNMPv3 users . . . 312
    Trap sinks . . . 314
    MIB browser . . . 316
  ePolicy Orchestrator . . . 318
    ePolicy Orchestrator . . . 318
  Certificate management . . . 319
    Webwasher Root CA . . . 320


    Private key handling . . . 323
    Known Certificate Authorities . . . 326
    Client certificates . . . 329
  DNS cache . . . 330
    DNS cache . . . 331
  File management . . . 332
    Configuration data . . . 333
    Error files . . . 335
    Share folder . . . 336
    Proxy PAC . . . 337
    Mobile web filter . . . 339
  Action editor . . . 341
    Action Editor . . . 341
    Notifications . . . 343
    Action definition . . . 344
  Wizards . . . 348
    Reporting configuration . . . 348
    Spam filter setup . . . 349
    LDAP configuration . . . 350
  Maintenance . . . 351
    Address space defragmentation . . . 351
  Debugging . . . 352
    Debugging . . . 353
    Tracing . . . 355
    Adjust filter list . . . 356
    Analyse object filtering . . . 358
    E-mail troubleshooting . . . 359
  LDAP . . . 361
    LDAP . . . 361
  NTLM . . . 369
    NTLM . . . 369


1 Introduction

Contents

Welcome

About this guide

What else will you find in this introduction?

Using McAfee Web Gateway

McAfee Web Gateway user documentation

McAfee Web Gateway product licenses

Welcome

Welcome to the McAfee® Web Gateway System Configuration Administration Guide. It provides you with the information needed for configuring and using McAfee Web Gateway features that do not belong to particular filters, but are set to run McAfee Web Gateway as a whole.

Configuring McAfee Web Gateway to run as a proxy server or as an e-mail gateway are topics that are dealt with in this guide, as well as user management, reporting features, cache settings, and update procedures.

About this guide

The following overview lists the chapters of this guide and explains briefly what they are about:

• Introduction (this chapter) — Provides introductory information.

• User Management — Describes features that are configured with regard to the users that work with McAfee Web Gateway.

• Reporting — Describes the reporting features provided by McAfee Web Gateway.

• Caching — Describes the caching features provided by McAfee Web Gateway.

• Proxies — Describes how to set up McAfee Web Gateway for running as a proxy server, as an e-mail gateway, for ICAP server communication, and for communication according to other protocols.

• Configuration — Describes other system configuration features, such as the Update Manager or the Action Editor.


What else will you find in this introduction?

In addition to the overview that was given in the previous section, this introduction also:

• Explains how to handle the user interface that has been developed for working with McAfee Web Gateway, see Using McAfee Web Gateway

• Informs you about the other documents that are provided for users of McAfee Web Gateway, see McAfee Web Gateway user documentation

• Informs you about the licensing models that exist for this version of McAfee Web Gateway, see McAfee Web Gateway product licenses

Using McAfee Web Gateway

A user-friendly web solution has been developed as the user interface for working with the McAfee Web Gateway features. The interface looks like this:

The following sections provide some information to make you familiar with this interface. These sections:

• List the first-level tabs of this interface and explain their meanings, see First-level tabs

• Describe a sample procedure showing how a setting is configured for a McAfee Web Gateway feature, see Configuring a sample setting

• Explain more about some standard features of this interface, see Standard features of the user interface


First-level tabs

The user interface displays a number of tabs and sections for configuring the McAfee Web Gateway features. These tabs appear on the first level:

• Home, Common, URL Filter, Anti Malware, Anti Spam, SSL Scanner, User Management, Reporting, Caching, Proxies, and Configuration

However, only the following tabs are described in this guide:

User Management, Reporting, Caching, Proxies, Configuration — These tabs are for configuring features that adapt McAfee Web Gateway as a whole to the system environment it is running in.

Note: The Caching tab is only available when McAfee Web Gateway is run as an appliance.

The following tabs are not described in this document, see the corresponding guides for more information:

Home, Common – These tabs are for configuring basic and filtering features that are available in addition to the features of the individual products that can be run as parts of McAfee Web Gateway.

URL Filter, Anti Malware, Anti Spam, SSL Scanner – These tabs are for configuring the features of the individual products that can be run as parts of McAfee Web Gateway.

Note: The Anti Malware tab is used for both the McAfee Web Gateway Anti-Malware and Anti-Virus products.

Configuring a sample setting

This section explains how to configure a sample setting for a McAfee Web Gateway feature. The feature chosen here for explanation is Timeout Prevention.

To avoid timeouts on the connections to its clients, McAfee Web Gateway can send data lines in certain intervals. For this sample setting, just suppose you want to enable the feature for HTTP connections and send an empty line every 15 seconds.

These are the main steps needed for configuring the feature:

1 Navigate to the section

2 Configure settings

3 Make settings effective

In more detail, these steps include the following activities:

1 Navigate to the section

a Select the Proxies tab:

b In the navigation area on the left, select HTTP Proxy, which is located under Web Proxies:


c From the tabs provided for configuring the HTTP proxy options, select the Settings tab:

The Timeout Prevention section is located on this tab:

2 Configure settings

a Enable the feature. To do this, select the checkbox next to the section heading.

b Enter 15 in the input field labeled McAfee Web Gateway should send every ... seconds.

c Select the radio button labeled an empty line.

Note: To get help information on these settings, click the question mark in the top right corner of the section.

The section should now look like this:

3 Make settings effective

Click Apply Changes.

This completes the sample configuration.


Standard features of the user interface

This section explains features that are provided in the user interface for completing standard tasks, such as applying changes to your settings or searching for a term on the tabs of the user interface:

• Apply changes

• Click history

• Information update

• Logout

• Main feature enabling

• Search

• Session length

• System information

Apply changes

After modifying the settings in one or more of the sections on a tab, you need to click Apply Changes to make effective what you have modified.

The Apply Changes button is located in the top right corner of the user interface area:

When modifying settings that belong only to a particular filtering policy, you can nevertheless make the modified settings apply to all policies.

An arrow is displayed next to the Apply Changes button on each tab where policy-dependent settings can be configured:

Clicking this arrow will display a button, which you can use to apply changes to all policies:

When you are attempting to leave a tab after modifying its settings, but without clicking Apply Changes, an alert is displayed to remind you to save your changes:

Answer the alert by clicking Yes or No according to what you intend to do about your changes. This will take you to the tab you invoked before the alert was displayed.

Clicking Cancel will make the alert disappear, so you can continue your configuration activities on the current tab.


Click history

The tabs you visited while configuring settings are recorded in the top left corner of the user interface area. They are recorded together with the paths leading to them.

The current tab and path are always visible in the display field:

Clicking the arrow to the right of the path display will show the click history — a list of the tabs you visited prior to this one:

Clicking any of the entries displayed in the list will take you to the corresponding tab.

Note: The click history is only recorded for the current session until you log out. After logging in to a new session, the recording of tabs and paths is reset.

Information update

Some parts of the information that is provided on the tabs of the user interface will change from time to time. In these cases, the information display is updated automatically every three seconds by McAfee Web Gateway.

For example, suppose you have performed a manual update of the anti-virus engines. The information provided in the Current Status and Log File Content sections on the corresponding AV Engine tab will then change continuously over a certain period of time until the update is completed.

These sections are updated automatically every three seconds to reflect the status of the update process.

Logout

To log out from a McAfee Web Gateway session, click the logout link, which is located in the middle at the top of the user interface area.

After logging out, the login page is displayed, where you can log in again and start a new session.

Main feature enabling

There are McAfee Web Gateway settings that can only be modified if a corresponding main feature is enabled. For example, if you want to modify the settings of the Phishing Filter section on the Settings tab under Anti-Spam > Message Filters, you need to make sure the Message Filter feature itself is also enabled.

If you attempt to modify settings while the corresponding main feature is not enabled, an alert is displayed to make you aware of this situation:


Search

A Search input field and button are located in the top right corner of the user interface area:

You can start keyword queries of the entire user interface by entering a search term in the input field and clicking Search:

The search output is presented in a separate window, which displays a list of the tabs the search term was found on and the paths leading to them:

Clicking any of the entries displayed in the list will take you to the corresponding tab.

Note: To be able to use the search function, make sure JavaScript is enabled on your system.

Session length

When working with the user interface, you need to mind the session length. This length can be configured in the Session Options section of the Sessions tab under Configuration > Web Interfaces.

After modifying the interval specified there, click Apply Changes to make the modification effective.

When a session has timed out, the following notification is displayed:

Click OK to acknowledge the notification. After clicking a tab or button of the user interface, the login window opens, where you can log in again and start a new session.


System information

At the top of the user interface area, system information is provided on the current McAfee Web Gateway session. This information includes:

• Version and build of the McAfee Web Gateway software

• Name of the system McAfee Web Gateway is running on

• Name of the user logged in for the current session, for example, Admin

• Role assigned to this user, for example, Super Administrator

• Permissions granted to this user, for example, read/write

McAfee Web Gateway user documentation

This guide belongs to a series of documents provided for users of McAfee Web Gateway. The following sections give an overview of:

• The user documentation on the main products that can be run as parts of McAfee Web Gateway, see Documentation on main products

• The user documentation on McAfee Web Gateway products for special tasks and environments, see Documentation on special products

Note: The user documentation can be viewed after navigating to the Manuals tab of the user interface. It can also be viewed on the Webwasher Extranet, which is provided by McAfee.

Documentation on main products

The table below gives an overview of the user documentation on the McAfee Web Gateway main products, listed by document group, with the document name and what it is about:

General documents

• McAfee Web Gateway Deployment Planning Administration Guide: Is McAfee Web Gateway suited to my environment?

• McAfee Web Gateway Installation Guide: How to install McAfee Web Gateway?

• McAfee Web Gateway Quick Configuration Guide: First steps to get McAfee Web Gateway running

• McAfee Web Gateway System Configuration Administration Guide [this document]: Features for configuring McAfee Web Gateway within the system environment

• Advanced Configuration Guide: More sophisticated configuration tasks

• Upgrade Guide: What should I know when upgrading to a new McAfee Web Gateway release?

Product documents

• McAfee Web Gateway URL Filter Administration Guide: Features for configuring URL filtering policies

• McAfee Web Gateway Anti-Virus Administration Guide: Features for configuring anti-virus filtering policies

• McAfee Web Gateway Anti-Malware Administration Guide: Features for configuring anti-malware filtering policies

• McAfee Web Gateway Anti-Spam Administration Guide: Features for configuring anti-spam filtering policies

• McAfee Web Gateway SSL Scanner Administration Guide: Features for configuring SSL-encrypted traffic filtering policies

Reference document

• McAfee Web Gateway Reference Guide: Items concerning more than one individual product, for example, features for customizing actions or log files


Documentation on special products

The following table gives an overview of the user documentation on the McAfee Web Gateway products for special tasks and environments, listed by document group, with the document name and what it is about:

Special environment documents

• Setting Up Webwasher on Microsoft ISA Server: Setting up McAfee Web Gateway or a product running with it in a special environment

• Setting Up Webwasher with Blue Coat: see above

• Setting Up NetCache with ICAP: see above

• NTLM Agent Set-up Guide: Setting up an additional McAfee Web Gateway product to enable authentication using the NTLM method on platforms other than Microsoft Windows

• HSM Agent Set-up Guide: Setting up an additional McAfee Web Gateway product to enable use of an HSM (High Security Module) device

Appliances documents

• McAfee Web Gateway Appliances Installation and Configuration Guide: Installing and configuring the McAfee Web Gateway appliances

• Appliances Upgrade Guide: What you should know when upgrading to a new release of the McAfee Web Gateway appliances

McAfee Web Gateway product licenses

With version 6.8.4 of McAfee Web Gateway, there is a change in the way that licenses may be obtained. This applies to the license mode, which changes from the old subscription model to a perpetual model.

It also applies to the distribution of Web security features within the individual products that can be run as parts of McAfee Web Gateway and are covered by different licenses.

New licensing model

Under the new model, two different licenses may be obtained:

• Web Security Module license — This is the base license for McAfee Web Gateway. It is included by default when McAfee Web Gateway is purchased.

The license covers all functions that are required to run McAfee Web Gateway as HTTP, HTTPS, or FTP proxy. It also includes the URL Filter and several basic filters, such as the Advertising Filter and the Privacy Filter, and furthermore the SSL Scanner and the McAfee Anti-Virus engine.

• Web Anti-Malware Module license — This license may be purchased in addition to the base license. It is an add-on item and cannot be used on its own.

The license covers the anti-malware functions of the Proactive Scanning Filter.

Note: These functions are not included in the McAfee Anti-Virus engine.

There is no limit in time to the validity of licenses obtained under this model. However, the databases that McAfee Web Gateway uses to deliver protection against threats arising from the Web need to be updated at regular intervals.

This is ensured by concluding an appropriate support contract. When a contract finishes without a prolongation, McAfee Web Gateway continues to be operative, using the existing versions of the databases.

For information on how the import of licenses under the new model affects existing installations of McAfee Web Gateway 6.8.3 and 6.8.4, see Importing licenses.


Old licensing model

Under the old model, licenses could be obtained on a subscription basis for each of the individual McAfee products that could be run as parts of McAfee Web Gateway (formerly Webwasher) and delivered different Web security features.

Note: Licenses for version 6.8.4 of McAfee Web Gateway will still be available under this model for a limited period of time after its release.

The following individual products were each covered by a separate license under the old model:

McAfee Web Gateway URL Filter

Helps you boost productivity by reducing non-business related surfing to a minimum, thus curbing your IT costs. Suppresses offensive sites and prevents downloads of inappropriate files, thus minimizing risks of legal liabilities.

McAfee Web Gateway Anti-Malware

Offers in-depth security against all kinds of malicious code, such as aggressive viruses, potentially unwanted programs, spyware, day-zero attacks and blended threats not covered by traditional anti-virus and firewall solutions. The highly efficient anti-malware engine is used in combination with the Proactive Scanning filtering technology.

McAfee Web Gateway Anti-Virus

Combines the strength of multiple anti-virus engines concurrently scanning all Web and e-mail traffic. The Proactive Scanning filtering technology additionally detects and blocks unknown malicious code, not relying on time-delayed virus pattern updates. This combination provides in-depth security against a multitude of threats while offering unmatched performance through use of the Anti-Virus PreScan technology.

McAfee Web Gateway Anti-Spam

Offers complete protection of the central Internet gateway. The highly accurate spam detection filters stem the flood of unwanted spam mail before it reaches the user's desktop. Your systems will not be impaired, and the availability of valuable internal mail infrastructures, such as group servers, is thus maintained.

McAfee Web Gateway SSL Scanner

Helps you protect your network against attacks via the HTTPS protocol and prevents the disclosure of confidential corporate data, as well as infringements of Internet usage policies, thus ensuring that no one is illicitly sharing sensitive corporate materials.


Importing licenses

The table below provides information on what happens when licenses are imported to versions 6.8.3 and 6.8.4 of McAfee Web Gateway under the new licensing model and in a few other scenarios. Each entry lists the McAfee Web Gateway version, the scenario, and its implications:

McAfee Web Gateway 6.8.3

Scenario: A Web Security Module license is imported.

Implications:

• The anti-virus functions are enabled by default. These are the functions that are configured in the user interface under Anti Malware > Virus Scanning.

• The caching functions are not available.

• The Proactive Scanning functions are disabled by default, but the Proactive Scanning cache is enabled.

McAfee Web Gateway 6.8.3 with the Anti-Spam product included

Scenario: An update to version 6.8.4 is performed.

Implications:

• The anti-spam functions are still available.

Scenario: The old license is going to expire, but use of the anti-spam functions is still required.

Implications:

• The license period must be extended under the old model. It must not be replaced by a license under the new model because this will not cover any anti-spam functions.

McAfee Web Gateway 6.8.4

Scenario: A Web Security Module license is imported.

Implications:

• The anti-virus functions are disabled by default.

Scenario: McAfee Web Gateway is run with an old license for the McAfee Anti-Virus engine and a Web Anti-Malware Module license is imported.

Implications:

• The anti-virus functions are enabled by default.

• However, only the Secure Anti-Malware (SAM) engine is configured as the anti-virus engine that has priority.

Scenario: A Web Security Module license is imported first and then a Web Anti-Malware Module license.

Implications:

• The anti-virus functions are disabled by default.

• Only the McAfee Anti-Virus engine is configured as the anti-virus engine that has priority.

Scenario: A Web Anti-Malware Module license is imported first and then a Web Security Module license.

Implications:

• The anti-virus functions are enabled by default.

• No anti-virus engine is configured as having priority.

Scenario: The preconfigured AVonly policy is applied.

Implications:

• The anti-virus functions are enabled all the time.

• The Secure Anti-Malware engine is configured as the anti-virus engine with the highest priority, followed by the McAfee Anti-Virus engine.


2 User Management

Contents

About user management

Administrators

Policy management

User database

Authentication server

Windows domain membership

Languages

About user management

The functions described in this chapter are accessible over the User Management tab of the user interface:

The user management functions allow you to administer users with regard to the permissions they are granted for configuring and operating McAfee Web Gateway (formerly Webwasher®).

Furthermore, they allow you to map users to the various security policies that have been set up under McAfee Web Gateway and configure authentication and language settings for users.

The upcoming sections describe how to handle these functions.

Administrators

The Administrators options are invoked by clicking the corresponding button under User Management. They are described in the upcoming sections:

• Accounts

• LDAP/Radius authentication

• Role definition


Accounts

The Accounts tab looks like this:

There is the following section on this tab:

• Account Overview

Account Overview

Using this section you can configure accounts for administrators and assign different rights and access privileges to them.

To add an account to the list, use the area labeled:

• Define new account — Specify the information concerning an account using the following items:

• Login — In this input field, enter the login name for an administrator.

• Password — In this input field, enter the password the administrator is to submit.

• Role — From this drop-down list, select the role that is assigned to an administrator. You can select from the roles that are available for you under your current role. Only these roles are shown here.

The pre-configured roles — Super Administrator, Policy Administrator, Administrator, and ePO User — cannot be modified.

Go to the Role Definition tab to view the permissions for the preconfigured roles and create or edit user-configured roles, see Role definition.

• SSH Public Key — In this input field, enter the SSH Public Key assigned to an administrator. To do this, click Browse next to this field and browse for the key file you want to specify here.


• Allowed policies — From this drop-down list, select the policy that the administrator is allowed access to. Select All to allow access to all policies.

Note: Only the policies you have access to, according to your account settings, appear here.

• Read only — Select this checkbox to allow only reading access to McAfee Web Gateway for an administrator.

• Add New Account — After specifying the appropriate values for the new account, click this button to add it to the list.

If this action was successful, the account is added to the list, which is displayed at the bottom of this section. To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field of the Account or Role column or in both and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go. You cannot, however, delete the two entries with the pre-configured roles of Super Administrator and ePO User, which are included in the list by default.

To delete all entries, select the Select all checkbox and click this button. Again, this does not include the two default entries.

To view and edit an account, click the View + Edit Details button next to it.


This will open a window where you can edit the settings that have been configured for the various accounts:

For the meaning of these settings, see the description that was given at the beginning of this subsection. An additional description of the Account Preferences section of this window is provided further below in this subsection.

After editing the account settings, click Apply Changes to make your changes effective.

For an account that has been assigned one of the pre-configured roles, such as Super Administrator, you can only change its password. Click Change Password next to it to open the editing window and perform this change.

Account Preferences

Using this section, you can configure the preferred settings for an administrator account. After modifying these settings, click Apply Changes to make the modification effective.

Use the following checkboxes to configure the preferred settings:

• Read only — Select this checkbox to configure a read-only permission.

• View web related settings — To have only Web-related settings displayed, make sure this checkbox is selected. The checkbox is selected by default.


• View mail related settings — To have only mail-related settings displayed, make sure this checkbox is selected. The checkbox is selected by default.

• Show change warner dialog — If you want to have a dialog window displayed that warns you to save your changes after modifying any settings, make sure this checkbox is selected. The checkbox is selected by default.

• Show configuration hash — Select this checkbox to have the hash value for the current configuration displayed in the system information lines at the top of the web interface display area.

• No LDAP/Radius check (only local password check) — If no LDAP or Radius authentication should be required for the administrator login, select this checkbox. Submitting the locally configured password will then be sufficient for accessing McAfee Web Gateway.

This setting may be used to configure an administrator account that is available for login whenever the LDAP or Radius servers are down.

LDAP/Radius authentication

The LDAP/Radius Authentication tab looks like this:

There are two sections on this tab:

• Use LDAP to Authenticate Administrator

• Use Radius to Authenticate Administrator

Furthermore, there is a checkbox below these two sections:

• Use local account definition if LDAP and Radius authentication fail

Select this checkbox to use local account information for authenticating an administrator in case LDAP and Radius authentication fail.


Use LDAP to Authenticate Administrator

The Use LDAP to Authenticate Administrator section looks like this:

It allows you to use the settings stored on an LDAP server for authenticating an administrator.

If you want to use this feature, select the checkbox next to the section heading. Then configure the items described below and click Apply Changes to make your settings effective.

Use the following items to configure the use of the LDAP server settings for administrator authentication:

• Use LDAP settings for HTTP Proxy — If you want to use the LDAP server settings with McAfee Web Gateway configured as HTTP proxy, make sure this radio button is selected. The radio button is selected by default.

• Use LDAP settings for ICAP server — Click this radio button to use the LDAP server settings with McAfee Web Gateway configured as ICAP server.

• Check Status — To view status information on the LDAP server settings, click this button.

This may be information about whether a connection to an LDAP server has been configured or whether the server is available.

Select the checkbox further below on this tab to use local account information for authenticating an administrator in case LDAP and Radius authentication both fail.

Use Radius to Authenticate Administrator

The Use Radius to Authenticate Administrator section looks like this:

This section allows you to use the settings stored on a Radius server for authenticating an administrator.

If you want to use this kind of authentication, select the checkbox next to the section heading and click Apply Changes to make this setting effective.

To go to the page where the Radius server settings are configured, click Define Proxy Authentication Options.

Select the checkbox below this section to use local account information for authenticating an administrator in case LDAP and Radius authentication fail.

Role definition

The Role Definition tab looks like this:

There is the following section on this tab:

• Role Definition Editor

Role Definition Editor

Using this section you can view the role permissions assigned to the administrator roles that are pre-configured within McAfee Web Gateway, as well as create and edit new roles.

To create a new administrator role, use the items provided in the following area:

• Create role

Use the items in the following way:

• New role name — In this input field, enter the name of the new role you want to create.

The name must begin with an alphabetical character (A-Z). There is no limit on the number of characters that follow. However, only alphabetical and numerical characters, dashes, underscores, and spaces are allowed.

• Role to duplicate — If you want to use an existing role as starting point for your configuration of a new role, select one from the drop-down list provided here.

• Create Role — After entering a role name, click this button to add the new role to the roles list. Also, if you have selected and renamed an existing role as starting point, click this button to add the role to the list.

The roles list is displayed at the bottom of the section. You can view and edit the roles contained in this list, with the exception of three of the pre-configured roles — Super Administrator, Administrator, and Policy Administrator. These you can only view. A fourth pre-configured role, which is ePO User, can also be edited.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

Use the following items to perform other activities relating to the list:

• Filter — Type a filtering term in the input field of the Role column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• View Role Permissions — Click this button, which is provided for each of the three pre-configured roles, to view the permissions assigned to any of them.

This will open a window where the permissions are displayed.

For a description of this window, see the subsection further below.

• Edit Role Permissions — Click this button, which is provided for each user-configured role, to view and edit the permissions assigned to any of them.

This will open a window where the permissions are displayed and can be edited.

For a description of this window, see the next subsection.

• Delete Selected — Select the role you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one role in one go, but not any of the four pre-configured roles.

To delete all user-configured roles, select the Select all checkbox and click this button. Again, this does not include the pre-configured roles.

Role Permissions window

The Role Permissions window looks like this:

Note: This is the version for viewing and editing permissions. The version for viewing only has no Save button in the top right corner. By default, all permissions that can be configured in this window are granted.

To deny or grant a permission for the role you are configuring, deselect or select the corresponding checkbox. Click Save to make the modification effective.

For further information on what it means to configure the seniority level, as well as allowed other roles, see the next subsections.

Seniority

The seniority level is measured by a value between 0 and 100.

It is important for determining who can deny access privileges to another administrator while being logged in at the same time. As an administrator, you can only deny privileges to administrators with seniority levels lower than your own level.

So, if your seniority level is 80 and two other administrators are logged in with seniority levels of 60 and 50, you can deny them simultaneous access or restrict it to read-only. If an administrator with a seniority level of 100 is logged in at the same time, you cannot deny this administrator anything. This administrator may, however, exclude you from reading or writing or from both.

Note that there are three pre-configured roles with seniority levels of 100, 80 and 50, respectively. These pre-configured roles cannot be changed or deleted. To view the seniority levels and other permissions for these roles, click View Role Permissions next to the role in question.

The permissions for administrators who are logged in at the same time are configured using the Access Permissions section under Home > Preferences > Preferences tab.

After specifying the appropriate value here, click Save in the top right corner of the window to make this setting effective.

Use the following input field to configure the seniority level for an administrator role:

• Seniority — Enter a value between 0 and 100 here according to the level required for this role.

Allowed Other Roles

This section allows you to configure the roles that can be assigned to another user account by a user with this role.

So, if the Administrator role is assigned to a user account, and Administrator and Policy Administrator are configured as allowed other roles for this role, the user in question can only assign one of these two roles when creating a new user account.

In this case, the user cannot assign the Super Administrator role to the account, or any other role that may be listed in this section, but is not selected.

To configure a role as allowed for being assigned by this role, select it in the list by selecting the corresponding checkbox.

After configuring all other settings in the Permissions for role ... window as required, click Save in the top right corner to make your settings effective. This will also close the window.
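The seniority rule and the Allowed Other Roles constraint described above, modelled as an added example that is not McAfee Web Gateway code. The three pre-configured roles carry the seniority levels the guide states (100, 80 and 50); their Allowed Other Roles sets and the user-configured Helpdesk role are assumptions, and escalation_risks is an added review check that flags any role permitted to assign a role more senior than itself.

```python
"""Model of seniority levels and allowed other roles as described for the
Role Permissions window (constructed example, not McAfee Web Gateway code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Role:
    name: str
    seniority: int                       # 0..100, the value entered in the Seniority field
    allowed_other_roles: Set[str] = field(default_factory=set)  # selected Allowed Other Roles

    def __post_init__(self) -> None:
        if not 0 <= self.seniority <= 100:
            raise ValueError(f"seniority for {self.name} must be between 0 and 100")


def can_restrict(actor_level: int, other_level: int) -> bool:
    """An administrator may deny or restrict (read-only) the concurrent access of
    another logged-in administrator only if that administrator's seniority is
    strictly lower than the actor's own level."""
    return other_level < actor_level


def can_assign(roles: Dict[str, Role], actor_role: str, role_to_assign: str) -> bool:
    """A user may give a new account only the roles selected under
    Allowed Other Roles for the role the user holds."""
    return role_to_assign in roles[actor_role].allowed_other_roles


def escalation_risks(roles: Dict[str, Role]) -> List[str]:
    """Review check (added here): report every role that may assign a role of
    higher seniority than its own. A holder of the lower role could then create
    an account that is able to restrict the holder's own sessions."""
    findings = []
    for role in roles.values():
        for other in sorted(role.allowed_other_roles):
            target = roles.get(other)
            if target is not None and target.seniority > role.seniority:
                findings.append(f"{role.name} ({role.seniority}) may assign "
                                f"{target.name} ({target.seniority})")
    return findings


# Seniority levels of the pre-configured roles are those given in the guide;
# the Allowed Other Roles sets are assumptions that mirror the guide's
# Administrator example (Administrator and Policy Administrator allowed).
ROLES: Dict[str, Role] = {
    "Super Administrator": Role("Super Administrator", 100,
                                {"Super Administrator", "Administrator",
                                 "Policy Administrator"}),
    "Administrator": Role("Administrator", 80,
                          {"Administrator", "Policy Administrator"}),
    "Policy Administrator": Role("Policy Administrator", 50,
                                 {"Policy Administrator"}),
}


def with_helpdesk_role(roles: Dict[str, Role]) -> Dict[str, Role]:
    """Hypothetical user-configured role 'Helpdesk' (an assumption) that was,
    by mistake, allowed to assign the Administrator role."""
    extended = dict(roles)
    extended["Helpdesk"] = Role("Helpdesk", 30, {"Helpdesk", "Administrator"})
    return extended


if __name__ == "__main__":
    # The guide's scenario: level 80 versus administrators at 60, 50 and 100.
    print(can_restrict(80, 60), can_restrict(80, 50), can_restrict(80, 100))
    print(can_assign(ROLES, "Administrator", "Super Administrator"))
    for finding in escalation_risks(with_helpdesk_role(ROLES)):
        print("review:", finding)
```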

Policy management

The Policy Management options are invoked by clicking the corresponding button under User Management. They are described in the upcoming sections:

• Concept

• Group management

• Policy management

• Rate limiting

Note: This option is only available on appliance versions of McAfee Web Gateway.

• Web mapping

• E-Mail mapping

Concept

The Concept tab looks like this:

There is the following section on this tab:

• Policy Concept

Policy Concept

The Policy Concept section uses a diagram to explain the underlying concept of McAfee Web Gateway policy management.

Using visual means, it represents a threefold structure:

• Selecting input

• Performing a lookup

• Mapping to policy

Group management

The Group Management tab looks like this:

There is one section on this tab:

• Process Policy Group

It is described in the following.

Process Policy Group

Using this section, you can create a policy group. You can then assign policies as members to this group on the Policy Management tab, using the options of the Assign Policy to Group section. You can also use a group name or a regular expression related to it as a filtering term and let lists display only groups and policies matching this term.

After creating the first group, options appear for renaming and removing a group.

Use the following items to complete these activities:

• Create group — Type a group name in the input field and click Create to create a new policy group.

• Groups Filter — Type a filtering term (a group name or a regular expression) in the input field and press Enter. The lists used on this tab for renaming or removing a group will only show groups matching this term.

Click Show Policies to open a window showing the groups that match this term and their policies.

• Modify group — Select a policy group from the drop-down list and type a name that you want to rename it to in the input field. Then click Edit. The group is renamed all over the user interface.

• Select group to be removed — Select a policy group from the drop-down list and click Delete Group(s). A window opens to let you confirm the deletion. If you confirm, the group is deleted and disappears from the user interface.

Policy management

The Policy Management tab looks like this:

There are five sections on this tab:

• Groups Filter

• Modify Policy

• Assign Policy to Group

• Create New Policy

• Duplicate Policy

They are described in the following.

Groups Filter

The Groups Filter section looks like this:

Using this section, you can filter the display of policy groups in the lists for assigning policies to groups.

Use the following input field to do this:

• Filter groups — Type a filtering term (a group name or a regular expression) in the field and press Enter. The lists for choosing a group when assigning a policy to a group will display only groups matching this term.

Modify Policy

The Modify Policy section looks like this:

Using this section, you can reset the settings of an existing policy to their default values or delete a policy altogether.

Note: The group that a policy belongs to is shown in the Group field.

To work with a policy, select it from the drop-down list provided here and click one of the following buttons:

• Reset to default — Click this button to reset the policy to its default values.

• Delete Policy — Click this button to delete the policy.

Assign Policy to Group

The Assign Policy to Group section looks like this:

Using this section, you can assign a policy to a group of policies.

Use the following items to do this:

• Choose policy — From the drop-down list, select a policy.

• Assign policy to group — From the drop-down list, select a group to assign the policy to.

• Assign — Click this button to assign the policy to the group.

Create New Policy

The Create New Policy section looks like this:

Using this section, you can begin to configure a new policy by creating it first.

To configure settings for this policy use the tabs provided by this user interface for virus scanning, spam filtering, and so on. Together with these tabs, policy lists are provided, which will also include the new policy. Select it from these lists when configuring the various settings that you want to be part of the new policy.

Use the following items to create a new policy:

• New policy name — Enter a name for the new policy in this input field. The name may only contain alphanumerical characters (a-z, A-Z, 0-9) or the special characters - (dash) and _ (underline). The special characters must not be used at the beginning or end of the name.

• Assign to group — From the drop-down list, select a group to assign the new policy to.

• Create — Click this button to create the new policy. It appears in the policy lists that are provided on the tabs for configuring policy-dependent settings, assigned to the group you have selected.

Duplicate Policy

The Duplicate Policy section looks like this:

Using this section, you can configure a new policy by duplicating an existing one first and taking it as the starting point for configuring further settings.

Use the following items to duplicate an existing policy:

• Policy to duplicate — From this drop-down list, select the policy you want to duplicate.

• New policy name — Enter the name you want to give the duplicated policy here. Note that this name may only contain alphanumerical characters (a-z, A-Z, 0-9) and the special characters - (dash) and _ (underline). The special characters must not be used at the beginning or end of the name.

Then click on the Duplicate button next to the name. The duplicated new policy will appear under its new name on the policy lists that are provided on the tabs for configuring policy-dependent settings.

Rate limiting

The Rate Limiting tab is only available on appliance versions of McAfee Web Gateway. It looks like this:

There is one section on this tab:

• Rate limiting

It is described in the following.

Rate Limiting

Using this section, you can configure limits for web usage regarding the request rate, byte transfer rate, and the number of connections that are active at the same time. The limits are configured for policy groups.

When a limit is exceeded, incoming requests are handled in the way that is configured, for example, blocked or allowed. Values configured for particular policy groups are shown in a list. Statistics on how often limits were exceeded over a given period of time are displayed on the Rate Limiting Statistics tab under Reporting.

Note: When multiple instances of Web Gateway are running in a cluster configuration, for example, on a blade server, rate limiting functions are only executed on the site instances, while the master instance handles the statistics functions. On a stand-alone instance, both kinds of functions are provided.

In a cluster configuration, you can also distribute values to other instances of Web Gateway. Values are broadcast using UDP (User Datagram Protocol).

Use the following items to configure rate limits:

• UDP broadcast on port ... — Enter the number of the port for broadcasts of rate limit values.

• Policy group — From the drop-down list, select the policy group you want to configure rate limits for. To display only particular groups on the list, enter a filtering term in the Filter field.

• When limit of ... request/s is exceeded ... — Enter the number of requests per second you want to configure as a limit. From the drop-down list, select the action that should be taken if this number is exceeded.

• When limit of ... KiByte/s is exceeded ... — Enter the number of KiBytes per second you want to configure as a limit. From the drop-down list, select the action that should be taken if this number is exceeded.

• When limit of ... concurrent connections is exceeded ... — Enter the maximum number of connections you want to be running at the same time. From the drop-down list, select the action that should be taken if this number is exceeded.

• Add — After configuring rate limits for a policy group click this button. The values and the policy group appear on the rate limits list.

The rate limits list is displayed at the bottom of this section. To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking on the appropriate arrow symbols.

To activate an entry, select the corresponding checkbox. To edit an entry, type the new values in the appropriate input fields and select the appropriate actions. Then click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filtering term in this input field and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by marking the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, mark the Select all checkbox and click this button.

Web mapping

The Web Mapping tab looks like this:

There are three sections on this tab:

• Mapping Process

• Mapping Options

• Mapping Cache

Mapping Process

The Mapping Process section looks like this:

Using this section, you can configure mapping rules to assign policies to ICAP requests received in web communication according to the user information provided in these requests.

To retrieve this information, various methods are applied, for example, processing the user name, the name of the user group, or the IP address.

Furthermore, a lookup on an LDAP or NTLM server, or on a Novell eDirectory server can be configured with some methods.

You can also configure the use of an emergency policy that will overrule all mapping rules configured here in case of an emergency, such as the outbreak of a new virus.

Specify the appropriate information using the items described in the following. Click Apply Changes to make your settings effective.

Use the following items to configure mapping rules for web communication:

• Use emergency policy ... overwriting all methods — Select an emergency policy from the drop-down list provided here. This policy will be applied whenever an emergency situation occurs, such as the outbreak of a new virus.

It will overrule all policies that would otherwise be applied according to the rules and methods configured here.

• Mapping method order for REQMOD — Use the items provided in this area to configure a mapping method, which will include specifications on what is mapped (map from: IP address, user or group name), using what authentication method (map via: lookup on an LDAP or NTLM server, or a Novell eDirectory server), and what rule.

The rule will in turn specify the policy that is applied to the mapped object. You can configure more than one rule for a method.

You can also configure more than one method. Methods will then be applied in the order you position them here. Up to five methods can be configured this way.

The specifications made in this area are valid for REQMOD communication. They can also be applied to RESPMOD communication; otherwise, methods and rules for RESPMOD communication can be configured separately in the area below this one.

The following items are provided to configure mapping methods for REQMOD communication:

• Map from — From this drop-down list, select what you want to map: IP, User, or Group.

• Map via — From this drop-down list, select whether you want to map directly, such as a user name or an IP address to a policy, or whether a lookup should be performed first, such as a lookup on an LDAP server, an NTLM server, or a Novell eDirectory server.

• Using these rules — This drop-down list displays the name of the rule or rules belonging to this mapping method. The name is a combination of the information specified in the Map from and Map via fields, such as User-LDAP-1.

In order to specify more information for a rule, first click Apply Changes to make the settings specified so far effective.

Click the Edit Rules and Options button next to the rules entry in question. This will take you to another tab where you can specify the appropriate information.

To add another rule under the same name, such as User-LDAP-2, and specify information for it, select Create new rules from the list and click Edit Rules and Options.

• Use REQMOD mapping also for RESPMOD — Make sure this option is enabled if you want the same methods and rules to be applied in RESPMOD and in REQMOD communication. The option is enabled by default.

• Determine RESPMOD policy during REQMOD — Enable this option to make use of authentication information that is missing in RESPMOD, but available in REQMOD, also for RESPMOD. The setting of this option does not depend on what has been configured for the Use REQMOD mapping also for RESPMOD option above.

When a mapping method is configured based on the user name, the corresponding information may be retrieved from the Proxy Authorization header (Standard Request header). If the SSL Scanner is to be used at the same time, the Proxy Authorization header will be included only in the first REQMOD message, such as the CONNECT request, and not in any of the further requests, which are encrypted.

In this case, you can enable the option described here to retrieve the missing information also for the RESPMOD messages.

• Mapping method order for RESPMOD — Use the items provided here to configure mapping methods and rules for RESPMOD communication. The items are only made available if you have disabled the Use REQMOD mapping also for RESPMOD option.

Use the items in the same way as described above for REQMOD communication mapping.

Mapping Options

The Mapping Options section looks like this:

Using this section, you can configure what should happen if the mapping process fails for a user request.

After modifying this setting, click Apply Changes to make the modification effective.

Use the following radio buttons to configure the action in case of a mapping failure:

• Block request — If you want to block the request, make sure this radio button is selected. The radio button is selected by default.

• Allow request and use default policy — Select this radio button to allow the request and use the default policy for further processing.

Mapping Cache

The Mapping Cache section looks like this:

Using this section, you can configure a time interval for keeping data on mapped users in the cache. The data can be kept there even if the corresponding requests failed.

The mapping cache stores user names and IP addresses as input data and policy names as the corresponding output data.

This stored information can be re-used, rather than repeating external server requests for input data each time. Looking up cached information is faster, which enhances system performance.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure the mapping cache:

• Time to keep users in cache: ... minutes — In the input field provided here, enter the time interval (in minutes) for keeping user data in the mapping cache. The default time is 30 minutes.

• Cache failed requests — Select this checkbox to also cache data retrieved from requests that were not allowed.
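The mapping flow of the Mapping Process, Mapping Options and Mapping Cache sections above, traced through in an added example (constructed here, not McAfee Web Gateway code): an emergency policy overrules all methods, otherwise up to five methods run in order, a failed mapping is blocked or falls back to the default policy, and results are cached for the configured number of minutes. FakeDirectory, the user and group names, the IP addresses and the policy names are all constructed for the demonstration; a plain dictionary stands in for the LDAP, NTLM or eDirectory lookup.

```python
"""Model of the web-mapping flow (constructed example, not McAfee Web Gateway
code): emergency policy first, then up to five mapping methods in order, with
results held in a mapping cache so external lookups are not repeated."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_METHODS = 5      # the tab allows up to five mapping methods per direction
BLOCK = "BLOCK"      # returned when a failed mapping is handled by "Block request"


class FakeDirectory:
    """Stands in for an LDAP, NTLM or eDirectory lookup; counts calls (constructed data)."""

    def __init__(self, groups: Dict[str, str]) -> None:
        self.groups = groups
        self.calls = 0

    def group_of(self, user: str) -> Optional[str]:
        self.calls += 1
        return self.groups.get(user)


@dataclass
class MappingMethod:
    map_from: str                                  # "IP", "User" or "Group"
    map_via: str                                   # "Direct" or a lookup such as "LDAP"
    rules: List[Tuple[str, str]]                   # ordered (value to match, policy name)
    lookup: Optional[Callable[[str], Optional[str]]] = None

    def rule_names(self) -> List[str]:
        # Rule names combine Map from and Map via with a counter, e.g. User-LDAP-1.
        return [f"{self.map_from}-{self.map_via}-{i}"
                for i in range(1, len(self.rules) + 1)]

    def apply(self, request: Dict[str, str]) -> Optional[str]:
        value = request.get(self.map_from)
        if value is None:
            return None
        if self.lookup is not None:                # resolve via the directory first
            value = self.lookup(value)
            if value is None:
                return None
        for match, policy in self.rules:           # rules are tried in listed order
            if match == value:
                return policy
        return None


@dataclass
class MappingCache:
    ttl_minutes: int = 30                          # "Time to keep users in cache" default
    cache_failed: bool = False                     # the "Cache failed requests" checkbox
    entries: Dict[str, Tuple[Optional[str], float]] = field(default_factory=dict)

    def get(self, key: str, now: float) -> Tuple[bool, Optional[str]]:
        hit = self.entries.get(key)
        if hit is None:
            return False, None
        policy, expires_at = hit
        if now >= expires_at:                      # entry has aged out of the cache
            del self.entries[key]
            return False, None
        return True, policy

    def put(self, key: str, policy: Optional[str], now: float) -> None:
        if policy is None and not self.cache_failed:
            return                                 # failed mappings are not cached
        self.entries[key] = (policy, now + self.ttl_minutes * 60)


def method_order_is_valid(methods: List[MappingMethod]) -> bool:
    return 0 < len(methods) <= MAX_METHODS


def map_request(request: Dict[str, str], methods: List[MappingMethod],
                cache: MappingCache, now: float, *, emergency_policy: Optional[str] = None,
                on_failure: str = "block", default_policy: str = "default") -> str:
    """Return the policy name to apply to one REQMOD request, or BLOCK."""
    if not method_order_is_valid(methods):
        raise ValueError("between one and five mapping methods are allowed")
    if emergency_policy:                           # overrules all methods and rules
        return emergency_policy
    key = f"{request.get('User', '')}@{request.get('IP', '')}"
    hit, policy = cache.get(key, now)
    if not hit:
        policy = None
        for method in methods:                     # methods run in configured order
            policy = method.apply(request)
            if policy is not None:
                break
        cache.put(key, policy, now)
    if policy is not None:
        return policy
    return BLOCK if on_failure == "block" else default_policy   # Mapping Options
```

With cache_failed enabled, a user whose lookup yielded no matching rule is not looked up again until the entry expires, which is the trade-off the checkbox controls.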

E-Mail mapping

The E-Mail Mapping tab looks like this:

There are two sections on this tab:

• Mapping Process

• Mapping Options

Mapping Process

The Mapping Process section looks like this:

Using this section, you can configure mapping rules to assign policies to e-mail messages according to the information provided in these messages. To retrieve this information, an internal scheme or an LDAP lookup can be applied.

Specify the appropriate information using the items described in the following. Click Apply Changes to make your settings effective.

Use the items provided under this heading to configure mapping rules for e-mail communication:

• Mapping method order for filtering e-mails (RESPMOD)

The following items are provided here:

Use the items provided in this area to configure a mapping method, which will include specifications on what is mapped (map from: IP address, user or group name), using what authentication method (map via: LDAP or NTLM lookup), and what rule. The rule will in turn specify the policy that is applied to the mapped object. You can configure more than one rule for a method.

You can also configure more than one method. Methods will then be applied in the order you position them here. Up to five methods can be configured this way.

The specifications made in this area are valid for REQMOD communication.

They can also be applied to RESPMOD communication; otherwise, methods and rules for RESPMOD communication can be configured separately in the area below this one.

The following items are provided to configure mapping methods for RESPMOD communication on e-mail messages:

• Mapping scheme — From this drop-down list, select the scheme you want to use for the mapping method: Internal or LDAP.

You can configure more than one method. Methods will then be applied in the order you position them here. Up to two methods can be configured this way.

In order to specify more information for a mapping scheme, click Apply Changes first to make the settings specified so far effective. Click the button Edit Rules and Options next to the scheme entry in question.

This will take you to another tab where you can specify the appropriate information.

Mapping Options

The Mapping Options section looks like this:

It allows you to configure the use of all the methods that were selected in the Mapping Process section above for policy mapping purposes.

Use the following item to do this:

• Use all selected methods to assign policies — Enable this option to have all methods selected above applied. Then click Apply Changes to make this setting effective.

User database

The User Database options are invoked by clicking the corresponding button under User Management. They are described in the upcoming sections:

• User database

• Import

• LDAP synchronization

• Backup and restore

User database

The User Database tab looks like this:

There are two sections on this tab:

• LDAP Synchronization

• User Database

LDAP Synchronization

The LDAP Synchronization section looks like this:

Using this section, you can configure synchronization of the user database provided by McAfee Web Gateway with an LDAP server.

If users have been able to authenticate themselves on the LDAP server, their credentials are added to the user database.

After specifying this setting in an appropriate way, click Apply Changes to make it effective.

Use the following checkbox to configure LDAP synchronization:

• Allow new users to add themself to the user database if they can authenticate at the LDAP Server — Select this checkbox to enable LDAP synchronization in the way described here.

User Database

The User Database section looks like this:

It allows you to add users to the McAfee Web Gateway User Database and edit user entries there.

Use the items of the following area to do this:

• Add new user

Specify the following information about the new user:

• Login name — Login name of the new user

• Real name — Real name of the new user. Input in this field is optional.

• Group(s) — User group or groups you want to assign the new user to. Input in this field is optional.

• E-mail address — E-mail address of the new user. Input in this field is optional.

• Language — Language to be used for messages to the new user. Select the language from the drop-down list provided here. Input in this field is optional.

• Password — Password the new user is to submit for authentication.

• Password (retype) — Retype the password in this input field.

• Password must be changed at next login — Select this checkbox to enforce a password change at the next login by the new user.

• Add User — After specifying the appropriate information in the area above, click this button to add the new user to the list.


The user list is displayed at the bottom of the section. To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the corresponding input field of the Real name, Group(s), or EMail column, or select a different language from the corresponding drop-down list.

To edit the password for a user entry, click the corresponding Edit button. This will open a separate window, where you can edit the password.

Note: The login name of a user entry cannot be edited.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field of the Login Name, Real name, Group(s), or Email column or any combination of these and enter this using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all user entries, select the Select all checkbox and click this button.

Import

The Import tab looks like this:

There is the following section on this tab:

• Import User Database


Import User Database

This section allows you to import a file providing information about users into the user database. Furthermore, you can configure a number of settings relating to this file.

Use the following items to configure this file and import it into the user database:

• Import from — Specify the file containing the user information here. To do this, click Browse next to the input field and browse to this file.

Within this file, each line must contain information about one user only.

A line must consist of six entries separated by the column separator, with each entry providing information as follows:

a Login Name — The unique login name of the user.

b Full Name — Full name of the user.

c Groups — The groups that the user is a member of. If the user is a member of more than one group, separate the group names by commas.

d E-mail address — The e-mail address of the user.

e Preferred language — The language to be used for error template texts.

If you want this information to be processed, you need to configure a corresponding language selection method.

This is done in the Language Selection section on the User Management > Languages > Languages tab. The method you need to select there is User Database.

f Password — Password for the user.

This entry depends on the values you configure using the four radio buttons under Password options in this section, see below for their description.

• Column separator character — In the input field provided here, enter the character to be used for separating the entries in the user import file, which is the file that is imported into the user database. The default separator is the | (pipe) character.

• Password options — Specify the options for the user password here.

The first four options, which are configured using radio buttons, will determine the password entry in the user import file. The user import file is the file that is imported into the user database.

The meaning of these options is as follows:

• Set random password and mail it to given email address — This will create a random password with a length of eight characters. The password is sent to the address specified in the user import file.

• Password column contains clear text password name — If this option is enabled, the password will be taken from the plain text entered in the user import file.

• Set password — The groups that the user is a member of. If the user is a member of more than one group, separate group name by commas.

• Password column contains NTLM hash (16 Bytes) — This will put a 16 byte NTLM hash in place of each password specified in the user import file. This hash is calculated as MD4 checksum based on the unicode values of the password in question.

The hash is written into the user database as it is, so the database will then also contain entries for passwords that were already stored in encrypted form.

• Password must be changed at next login — Enable this option to enforce a password change at the next login of a user.

For this option to work, you need to specify an end user port in the End User Port Settings section under Configuration > Web Interfaces > Ports tab.


• Overwrite existing entries — Enable this option to allow the overwriting of existing user entries in the user database.

Otherwise, the attempt to overwrite existing entries will result in an error.

• Mail password to user — Enable this option to have the password sent to the corresponding user by e-mail.

The option is always enabled and cannot be disabled if the first of the password options is also enabled, which is Set random password and mail it to given email address.

On the other hand, it is always disabled and cannot be enabled if Password column contains NTLM hash (16 Bytes) is enabled.

• Import User — Click this button to import the specified user import file with the settings configured here.


LDAP synchronization

The LDAP Synchronization tab looks like this:

There are three sections on this tab:

• LDAP Connection Details

• Attribute Details

• LDAP Authentication


LDAP Connection Details

The LDAP Connection Details section looks like this:

Using this section, you can configure some basic settings of the LDAP connection for the user database. After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following input fields to configure this connection:

• LDAP server(s) — Enter the IP address of the LDAP server here.

You can add the port number after a colon, for example, 192.168.0.5:389.

You can specify more than one server. In this case, separate the IP addresses by spaces.

McAfee Web Gateway will then try to do load balancing based on a round-robin algorithm (server configurations must be the same).

• WW’s user name — Enter the name here that is used by McAfee Web Gateway itself to get authenticated when logging in to the LDAP server.

• WW’s password — Enter the password used by McAfee Web Gateway here.

Attribute Details

The Attribute Details section looks like this:

Using this section, you can specify where the data needed for authentication should be extracted from.


To do this, use the items provided in the following area:

• Select where attributes originate — Authentication information can be extracted from user attributes or from the attributes of the group a user belongs to.

Select User or Group object to have information extracted from the corresponding attributes and specify the appropriate information using following input fields and buttons:

• User — Select the checkbox provided here if you want to extract information from user attributes and specify the following information:

• Attributes to extract

Specify the attribute or attributes that should be extracted here, separating attributes by commas.

The default attribute to be extracted is cn.

• Concatenation string

If more than one attribute is specified here, they will be concatenated using the string specified here.

So, when attributes a and b are extracted and / (slash) is specified as concatenation string, then if McAfee Web Gateway gets the values a1, a2, a3 for attribute a and b1 for attribute b, the output list will be as follows:

a1/b1

a2/b1

a3/b1

• Group object — Select the checkbox provided here if you want to extract information from group attributes and specify the following information:

• Attributes to extract — Specify the attribute or attributes that should be extracted here, separating attributes by commas. The default attribute to be extracted is cn.

• Concatenation string — If more than one attribute is specified here, they will be concatenated using the string specified here.

So, when attributes a and b are extracted and / (slash) is specified as concatenation string, then if McAfee Web Gateway gets the values a1, a2, a3 for attribute a and b1 for attribute b, the output list will be as follows:

a1/b1

a2/b1

a3/b1

• Base DN to group objects — Enter the Base DN (Distinguished Name) for the group objects here.

This specifies the position within the LDAP tree where the search for a group name should begin.

• Group member attribute name — Make sure this radio button is selected if you want to enable the use of the group member attribute and enter a name in the input field next to it.

The radio button is selected by default.

The value of the group member attribute is the unique key of an entry for a user group stored on the authentication server. It must be equal to the one specified under Base DN to group objects.

The default name for this attribute is uniquemember.

• Object class for groups — Specify an object class for groups here.

This will limit the search for group attributes to those objects that are instances of this class. The default class is groupofuniquenames.


• Filter — Select this radio button if you want to use a filter and enter a filtering term in the input field in the same line.

This will limit the search for group attributes to objects with names matching the filter.

• Real name — Enter the real name of the user here that will be authenticated using the attributes specified above.

• E-mail address — Enter the e-mail address of the user here that will be authenticated using the attributes specified above.

• Language — Enter the language here that should be used for messages to the user that will be authenticated using the attributes specified above.

You can also specify a default language that will be used if no language mapping is given or none is specified for the user. To do this, use the drop-down list labeled as follows:

• or . . . (if no mapping given or not specified for User) — Select the default language for messages to the user here.

LDAP Authentication

The LDAP Authentication section looks like this:

Using this section, you can configure the position within the LDAP tree where the search for a user entry should begin.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following input fields to configure these settings:

• Base DN to user object — Enter the Base DN (Distinguished Name) for the user here.

This specifies the position within the LDAP tree where the search for a user name should begin.

• UID attribute name — Make sure this radio button is selected if you want to enable use of the UID attribute and enter a name in the input field in the same line.

The radio button is selected by default.

The value of the UID attribute is the unique key of an entry for a user name stored on the LDAP server.

• Filter — Select this radio button if you want to use a filter and enter a filtering term in the input field in the same line.

This will limit the search for user attributes to objects with names matching the filter.
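The following added example (not McAfee code) illustrates two things from the Attribute Details and LDAP Authentication sections above: the attribute concatenation (a1/b1, a2/b1, a3/b1), generalised to any number of multi-valued attributes, and the LDAP search filters implied by the Base DN, UID attribute, group member attribute, object class and Filter settings. The exact filter shapes the gateway sends are an assumption; the page only names the settings, so the functions build the conventional `(&(objectClass=...)(member=...))` and `(uid=...)` forms with RFC 4515 escaping so that a login name or DN cannot alter the filter logic.

```python
# Added example: LDAP attribute concatenation and search-filter construction
# for the settings described in the Attribute Details / LDAP Authentication
# sections. Filter shapes and sample values are assumptions for illustration.
from itertools import product
from typing import Dict, List, Optional


def concatenate_attributes(entry: Dict[str, List[str]],
                           attributes: List[str], joiner: str) -> List[str]:
    """One output string per combination of the values of the requested
    attributes, joined in the configured attribute order (a1/b1, a2/b1, ...)."""
    value_lists = [entry.get(name, []) for name in attributes]
    if any(not values for values in value_lists):
        return []  # a missing attribute yields no output rather than a partial string
    return [joiner.join(combo) for combo in product(*value_lists)]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(uid_attribute: str, login: str) -> str:
    """Filter for the search below 'Base DN to user object' when the
    'UID attribute name' radio button is selected."""
    return "(%s=%s)" % (uid_attribute, escape_filter_value(login))


def group_search_filter(object_class: str,
                        member_attribute: Optional[str] = None,
                        user_dn: Optional[str] = None,
                        filter_term: Optional[str] = None) -> str:
    """Filter for the search below 'Base DN to group objects'. Exactly one of
    the two radio-button choices applies: the member attribute (matched
    against the user's DN) or an administrator-supplied filter term."""
    if (member_attribute is None) == (filter_term is None):
        raise ValueError("choose either a member attribute or a filter term")
    class_term = "(objectClass=%s)" % escape_filter_value(object_class)
    if member_attribute is not None:
        if not user_dn:
            raise ValueError("a user DN is required for member lookups")
        member_term = "(%s=%s)" % (member_attribute, escape_filter_value(user_dn))
        return "(&%s%s)" % (class_term, member_term)
    return "(&%s%s)" % (class_term, filter_term)


if __name__ == "__main__":
    # Constructed entry matching the example in the text.
    entry = {"a": ["a1", "a2", "a3"], "b": ["b1"]}
    print(concatenate_attributes(entry, ["a", "b"], "/"))
    print(user_search_filter("uid", "jdoe"))
    print(group_search_filter("groupofuniquenames", "uniquemember",
                              "uid=jdoe,ou=people,dc=example,dc=com"))
```

The escaping step matters because the login name arrives from the client: without it, a value such as `*)(uid=*` would turn a lookup for one user into a match on every entry under the Base DN.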


Backup and restore

The Backup & Restore tab looks like this:

There is the following section on this tab:

• Backup & Restore User Database

Backup & Restore User Database

The Backup & Restore section looks like this:

It allows you to download a user database file and to restore it.

Use the following items to do this:

• Download User Database File — Click this button to download the current user database file.

• Restore configuration from file — To restore a configuration with a particular user database file, enter the file name in this input field or browse to it by clicking Browse next to this field.

Click Restore to restore the configuration.


Authentication server

The Authentication Server options are invoked by clicking the corresponding button under User Management. They are described in the upcoming section:

• Authentication server

Authentication server

The Authentication Server tab looks like this:

At the top of this tab, there is a button labeled:

• Define Authentication Options — Click this button to configure some general options relating to authentication. This will open a window where you can specify the appropriate information.

It is described in the Define Proxy Authentication Options window section.


Furthermore, there are five sections on this tab:

• Authentication Server Settings

• Authentication Process

• NTLM and NTLM-Agent Authentication Options

• User Database Authentication Options

• Propagate Authentication Options

Authentication Server Settings

The Authentication Server Settings section looks like this:

Using this section, you can enable the authentication server and configure a port on this server, as well as some additional settings for it. More settings can be configured in the remaining sections of this tab.

The authentication server is used for performing the transparent authentication of users. Configuring this kind of authentication involves several sections and tabs of the web interface. A description of this is given in the Transparent authentication subsection below.

If you want to use the authentication server, make sure the checkbox next to the section heading is selected.

After modifying this setting or any other setting in this section, click Apply Changes to make these settings effective.

Use the following items to configure the authentication server:

• Port — In this input field, specify the port used on the authentication server. The input format is:

[IP]: port

The default port number is 9094.

• Use SSL — Make sure this checkbox is selected if you want to use SSL encryption for communication with the authentication server. The checkbox is selected by default.

This will protect your password against being intercepted during the authentication process. Your password is also protected, even without SSL encryption, if you configure use of the McAfee Web Gateway user database with integrated authentication.

This can be done in the Authentication Process and User Database Authentication Options sections on this tab.

Configuring NTLM or the NTLM Agent in the Authentication Process section and integrated authentication in the section labeled NTLM and NTLM-Agent Authentication Options will protect your password in the same way.


• Append parameter to avoid redirection loops — Make sure this checkbox is selected if you want to append the parameter. The checkbox is selected by default.

This will help avoid redirection loops in situations like the following: The browser requests URL A. The ICAP server sends a redirect to B and the authentication server sends another redirect to A. Mozilla Firefox treats this as an endless loop and stops the request, while the Microsoft Internet Explorer does not recognise it.

McAfee Web Gateway appends a dummy parameter to A by default, which will end the loop: A -> B ->A2. The parameter is removed, however, in REQMOD communication.

• Authentication expires after ... seconds — In the input field provided here, enter the time interval (in seconds) that an authentication is to last. The default interval is 120 seconds.

After the interval configured here has expired, the ICAP server will send another redirect for the next request, in order to renew the mapping and authentication interval.

The disadvantage of configuring a longer interval here is that a change of user on one system, or the reassignment of the IP address to another system by DHCP, will not be recognized within the interval, which makes the mapping less accurate. On the other hand, smaller intervals lead to frequent redirects.
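As an added example (not McAfee code), the following model shows the two mechanisms just described: the IP-to-user mapping with its expiry interval, and the dummy parameter appended to the original URL to break the A -> B -> A redirect loop. It also reproduces the trade-off in the previous paragraph: a second user who receives the same IP address within the interval is still seen as the first user. The parameter name `auth_redirect`, the in-memory map and the sample addresses are assumptions made for illustration; the page does not name the parameter.

```python
# Added example: model of the transparent-authentication IP mapping with the
# "Authentication expires after ... seconds" interval and the loop-avoidance
# parameter. Parameter name, timing and sample values are assumptions.
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOOP_GUARD = "auth_redirect"  # assumed name of the dummy parameter


class TransparentAuthMap:
    """IP address -> (user, time of authentication), valid for expires_after."""

    def __init__(self, expires_after: float = 120.0) -> None:
        self.expires_after = expires_after
        self._map: Dict[str, Tuple[str, float]] = {}

    def record(self, ip: str, user: str, now: float) -> None:
        """Called after the authentication server has verified the user."""
        self._map[ip] = (user, now)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        """Return the mapped user, or None when the request must be
        redirected to the authentication server (unknown IP or expired)."""
        entry = self._map.get(ip)
        if entry is None:
            return None
        user, authenticated_at = entry
        if now - authenticated_at > self.expires_after:
            del self._map[ip]  # interval elapsed: force a new redirect
            return None
        return user


def append_loop_guard(url: str) -> str:
    """Return URL A2 = A plus the dummy parameter; idempotent so a second
    redirect does not keep growing the query string."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if any(key == LOOP_GUARD for key, _ in query):
        return url
    query.append((LOOP_GUARD, "1"))
    return urlunsplit(parts._replace(query=urlencode(query)))


def strip_loop_guard(url: str) -> str:
    """Remove the parameter again, as the page says happens in REQMOD."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != LOOP_GUARD]
    return urlunsplit(parts._replace(query=urlencode(query)))


def dhcp_reassignment_demo(expires_after: float = 120.0) -> Tuple[Optional[str], Optional[str]]:
    """Constructed timeline: jdoe authenticates from 10.0.0.7 at t=0; at t=60
    DHCP hands 10.0.0.7 to another machine. Returns who the gateway believes
    is behind the address at t=60 and at t=130."""
    m = TransparentAuthMap(expires_after)
    m.record("10.0.0.7", "jdoe", now=0.0)
    return m.lookup("10.0.0.7", now=60.0), m.lookup("10.0.0.7", now=130.0)


if __name__ == "__main__":
    print(append_loop_guard("http://www.example.com/page?x=1"))
    print(dhcp_reassignment_demo())
```

The demo returns `('jdoe', None)`: within the interval the new machine inherits jdoe's mapping and policy, and only after expiry is it redirected to authenticate, which is the accuracy cost of a long interval the text describes.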

Transparent authentication

The following subsection provides you with some general information on the method of transparent authentication and describes a configuration procedure to set up this method on McAfee Web Gateway.

At the end some notes provide additional information.

General information

The transparent authentication method can be configured as one of several methods to retrieve user credentials and authenticate users based on these credentials. It is usually incorporated in the process of mapping users to particular policies.

Transparent authentication relies on a mapping between IP addresses and users, whereas other methods map users and connections or requests. With this address-based method, however, it is not possible to distinguish between multiple users on a single system. The user names can be searched for in the McAfee Web Gateway user database, which has been provided for this purpose, or on an LDAP or NTLM server.

Configuring transparent authentication may be appropriate in a situation where there is no proxy in your configuration, but you still want to have authentication or policy mapping, or where there is a proxy, but it is not capable of performing the demanded authentication method.

Configuration procedure

Configuring transparent authentication involves two kinds of steps:

• Steps that are required to configure the authentication server — These include configuring the settings of the Authentication Server Settings section.

• Steps that are required to configure a policy mapping rule — These are required because transparent authentication is usually configured within the process of policy mapping. They need to be performed even if the intention is to configure only authentication and no policy mapping.


Configuring the authentication server – This part of the procedure begins with going to the Authentication Server tab under User Management > Authentication Server and configuring the settings of the Authentication Server Settings section.

It is continued by configuring the settings of the remaining sections on this tab. To get more detailed information about a setting, click the question mark in the corresponding section.

Proceed as follows:

1 Use the Authentication Server Settings section to enable the authentication server and to configure a port on it, as well as some additional parameters:

• Make sure the checkbox next to the section heading is selected. This is required to have the authentication server enabled.

• In the Port input field, specify the port used on the authentication server.

• Make sure the Use SSL checkbox is selected. Deselect it if you want to do without SSL encryption.

• In the input field labeled Transparent authentication expires after ... seconds, enter an interval (in seconds).

2 In the Authentication Process section, select an authentication method from the first drop-down list provided here.

You may also select one of the other methods in second position. A further option is to select the checkbox labeled Use login page to get credentials, and then. This will enable the use of a login page.

3 According to the method you selected under Authentication Process, configure the corresponding options in the NTLM and NTLM-Agent Authentication Options or the User Database Authentication Options section.

Configuring a policy mapping rule – This part of the procedure will configure the settings required for a policy mapping rule that includes the use of the transparent authentication method. To get more detailed information about a setting, click the question mark in the corresponding section.

Proceed as follows:

1 Go to the Web Mapping tab under User Management > Policy Mapping.

2 Use the Mapping Process section to configure a rule for Web mapping.

Select User name and Map directly if you want to configure a policy intended for a single user, or Group name and Map directly for a policy based on the membership of a user in a particular group.

3 Click Edit Rules and Options. This will take you to the User Based Mapping tab.

4 In the User Name Location section, select Transparent authentication from the drop-down list labeled Extract user information from.

5 From the drop-down list labeled Accepted authentication methods, select a method. For example, Local or Any to allow all methods.

6 In the Add Rule section, add a rule for policy mapping.

A rule that might be added here is default = *, which will allow all authenticated users.

To specify this rule, select Default from the drop-down list of policies provided here and enter an * in the input field next to it. Click Add First to add this rule to the list.


Notes

The following should be kept in mind when configuring transparent authentication:

• POST requests will fail when the ICAP server sends a redirect to the authentication server, which is, however, only done to renew a mapping.

This is because for the browser the request was successful and the POST body will not be sent again after the final redirect.

• When authentication is done on a server, which is the authentication server in this case, over a proxy connection, the Microsoft Internet Explorer will not send the credentials.

The following might be configured as a workaround here:

• Use a login page for authentication.

• Configure the Internet Explorer not to use a proxy for the authentication server. This means that if McAfee Web Gateway has been set up as a cluster, all IP addresses must be excluded.

Authentication Process

The Authentication Process section looks like this:

Using this section, you can configure where users are authenticated. You can also configure the use of a login page for retrieving user credentials.

The login page is a template, which is stored in the conf\errors folder of the McAfee Web Gateway program files. You can create different language versions of this template.

Note: To configure a method for selecting the appropriate language template, you can only select methods that are available before the authentication process. These methods are IP and Browser. They are configured in the Language Selection section of the Languages tab under User Management > Languages.

The authentication process may involve an LDAP or NTLM server, a Radius server, or the User Database provided by McAfee Web Gateway.

Furthermore, there is also an option for configuring the use of a Novell eDirectory server, which will then take the role of an LDAP server, in order to authenticate users. On this server, information is stored about the IP addresses of authenticated users, which can be extracted and used by McAfee Web Gateway for the authentication process.

The name of the field where the IP address of a user is stored is NetworkAddress. The port number can be stored there with the address. The field is in binary format, which means that no wildcard queries can be performed for user addresses. Instead, McAfee Web Gateway periodically polls the eDirectory to retrieve the addresses of the users that logged in since the last request.

The structure of this search is reflected in a filtering term, which is configured together with the settings for the LDAP method, see further below.

Make sure the NetworkAddress field is visible when the user information is looked at via the LDAP server interface. Otherwise, McAfee Web Gateway will not be able to extract the information.

You can configure one or two methods of user authentication. They are applied in the order you specify them. A user is successfully authenticated when all of the configured methods produce a match.

After selecting a method, you can specify further settings that are relevant to this method in other sections of this tab, and in the window that appears after clicking Define Authentication Options in the top area of this tab.


For the NTLM and NTLM-Agent methods, this can be done in the NTLM and NTLM-Agent Authentication Options section, and for the User Database method in the User Database Authentication Options section. Both these sections are on this tab.

For the LDAP method, there is the LDAP Authentication section in the Define Authentication Options window, where you also find the Radius Authentication section for the Radius server method.

If you select the eDirectory method, you can also configure the use of a filter for searching the user information that is needed in the authentication process. This is done in the Novell eDirectory IP Filter input field, which is provided in the LDAP Authentication section of the Define Authentication Options window.

Note: A filtering term has been entered in this field, which should not be altered since this will prevent McAfee Web Gateway from extracting the appropriate user information.

The name of the storage field on the eDirectory server has also been preconfigured as one of the additional settings of the LDAP method and should likewise not be altered.

Furthermore, you can configure the eDirectory method as part of the Web mapping process. There will then be a lookup of these addresses on the eDirectory server before they are mapped to security policies.

Use the Mapping Process section on the Web Mapping tab under User Management > Policy Mapping to configure these settings.

After specifying the appropriate settings here, click Apply Changes to make them effective.

Use the following checkbox and drop-down lists to configure methods for user authentication:

• Use login page to get credentials, and then — Select this checkbox to have a login page presented to a user for entering the user credentials. After this has been completed, the authentication process will begin, using the methods configured below.

The login page will be presented when the user tries to get authenticated for the first time and whenever the authentication interval has expired.

If no login page is used, user credentials need to be submitted only when authentication is requested by a user for the first time, or, with integrated authentication on Microsoft Windows, not at all. These methods are not less secure than using a login page, but clearly more convenient.

• Authentication process methods list 1 — Select a method for user authentication from this drop-down list. If you select an additional method from the second list, they are applied according to their order. Note that in this case, a user needs to be authenticated under both methods in order to get access.

The following methods are available: NTLM, NTLM Agent, LDAP, eDirectory, User Database, and Radius.

• Authentication process methods list 2 — Select a method for user authentication in the same way as described above from this drop-down list. You may also select None here, and have just one method for authenticating users. However, if you select a method here, this method and the one you selected from the list above, must both finish successfully in order to authenticate a user.


NTLM and NTLM-Agent Authentication Options

The NTLM and NTLM-Agent Authentication Options section looks like this:

Using this section, you can configure options for an authentication method that performs an NTLM lookup in order to authenticate users.

NTLM is an authentication method used by Microsoft Windows browsers, proxies and servers. It is more secure than other methods because the user password is not transmitted as plain text.

The user of the NT domain is a member of several domain groups. The ICAP server can use these groups to do the policy mapping. A list of groups must be provided by the ICAP client.

Only the Microsoft Internet Explorer supports NTLM for this kind of configuration, but there are additional utilities available for other browsers, such as Mod_NTLM for Apache, or MSNT for Squid.

If you want to do NTLM authentication on an operating system other than Windows, you can use an agent application, called the NTLM Agent, to enable this. The settings configured here will apply also for the agent application.

There is a basic and an integrated method of authenticating users. With basic authentication, the browser sends the user name and password as plain text (less secure) to McAfee Web Gateway, which then plays the role of the client and exchanges authentication messages with the authentication server, using the NTLM method to authenticate the user.

Integrated authentication encrypts messages going from the client browser to the authentication server and back. In this situation, McAfee Web Gateway acts as the proxy server and forwards authentication server messages to the client.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following items to configure this kind of authentication:

• Enable integrated authentication — Enable this option to use the integrated authentication method.

• Enable basic authentication — Enable this option to use the basic authentication method and enter the default domain used for basic authentication in the input field provided here. This is the default option.

• Select what groups to get from Domain Controller — From the drop-down list provided here, select what groups should be fetched from the domain controller: Global, Local, or both.

User Database Authentication Options

The User Database Authentication Options section looks like this:

This section allows you to configure the method used for authentication with the McAfee Web Gateway User Database. This method can be either integrated or basic authentication.

Integrated authentication is a challenge-and-response method that does not allow the password to be recovered from a sniffed connection during the authentication process. The password hash is calculated with two random values, one chosen by the client and one by the server.

With basic authentication, the client combines the user name and password and sends them, base64-encoded, in a request header to the corresponding destination, such as the proxy or the server.
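The difference between the two methods described for NTLM above and for the user database here, as an added example in Python that is neither the product's code nor its actual wire protocol: basic authentication is recovered in full from a captured header, while a simplified challenge-and-response model combines the password hash with one random value chosen by the server and one chosen by the client, so a capture yields neither the password nor a reusable response. The header name, the hash construction, the IntegratedAuthServer class and the sample account are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample account (not from the guide).
USERNAME = "jdoe"
PASSWORD = "correct horse battery"


def build_basic_header(user: str, password: str) -> str:
    """Header a browser sends for basic authentication: "user:password", base64-encoded."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Proxy-Authorization: Basic {token}"


def credentials_from_basic_header(header: str) -> tuple[str, str]:
    """What anyone who captured the header recovers: base64 is an encoding, not encryption."""
    _, value = header.split(":", 1)
    scheme, token = value.strip().split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a basic authentication header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def password_verifier(password: str) -> bytes:
    """What the server keeps in its user database in this model: a hash, not the password.
    Caveat: an unsalted verifier like this is itself enough to answer challenges, so the
    database must be protected as strictly as the passwords themselves."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compute_response(verifier: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    """Response bound to both random values: one chosen by the server, one by the client."""
    return hmac.new(verifier, server_nonce + client_nonce, hashlib.sha256).digest()


class IntegratedAuthServer:
    """Server side of the challenge-and-response exchange (simplified, hypothetical model)."""

    def __init__(self, user_db: dict[str, bytes]):
        self.user_db = user_db
        self._pending: dict[str, bytes] = {}  # outstanding server nonce per user

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, client_nonce: bytes, response: bytes) -> bool:
        # Each nonce is consumed by exactly one attempt, so a captured response cannot be replayed.
        server_nonce = self._pending.pop(user, None)
        verifier = self.user_db.get(user)
        if server_nonce is None or verifier is None:
            return False
        expected = compute_response(verifier, server_nonce, client_nonce)
        return hmac.compare_digest(expected, response)


def client_answer(password: str, server_nonce: bytes) -> tuple[bytes, bytes]:
    """Client side: pick its own random value and answer the server's challenge."""
    client_nonce = secrets.token_bytes(16)
    return client_nonce, compute_response(password_verifier(password), server_nonce, client_nonce)


def integrated_exchange(server: IntegratedAuthServer, user: str, password: str) -> tuple[bool, list[bytes]]:
    """Run one exchange; return the result and every message that crossed the wire."""
    server_nonce = server.challenge(user)
    client_nonce, response = client_answer(password, server_nonce)
    authenticated = server.verify(user, client_nonce, response)
    on_the_wire = [user.encode("utf-8"), server_nonce, client_nonce, response]
    return authenticated, on_the_wire
```

Even in the integrated model a captured exchange still allows offline password guessing against the response, which is why password quality matters for both methods.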

After modifying the settings in this section, click Apply Changes to make the modification effective.

There is a basic and an integrated method of authenticating users. With basic authentication, the browser sends the user name and password as plain text (less secure) to McAfee Web Gateway, which then plays the role of the client and exchanges authentication messages with the authentication server, using the information stored in the user database to authenticate the user.

Integrated authentication encrypts messages going from the client browser to the authentication server and back. In this situation, McAfee Web Gateway acts as the proxy server and forwards authentication server messages to the client.

After specifying the appropriate information, click Apply Changes to make this setting effective.

Use the following checkboxes to configure an authentication method for the McAfee Web Gateway user database:

• Enable integrated authentication — Select this checkbox if you want to use integrated authentication.

• Enable basic authentication — Make sure this checkbox is selected if you want to use basic authentication. The checkbox is selected by default.

Propagate Authentication Options

The Propagate Authentication Options section looks like this:

Using this section, you can configure the propagation of information on authenticated users in a cluster. The submaster will propagate this information to the master.

This way, a user who has been authenticated successfully on a site instance need not renew this authentication if redirected for any reason to another site instance.

If the cluster is running in a big network and is configured in a way that there are lots of submasters with each of them being responsible for a subnet, this may cause problems because IP addresses that are unique locally may not be unique in the whole cluster.

For this reason, there is an option to stop propagating authenticated users at submaster level. If this feature is enabled, a submaster will only propagate information on authenticated users to the site instances that are subscribed to it, and not to its master. It will also not retrieve such information from the master.

After modifying the setting configured here, click Apply Changes to make the modification effective.

Use the following checkbox to configure the propagation of user information:

• Submaster propagates authenticated users up to master — If this checkbox is selected, information on authenticated users will be propagated from the submaster instance in a cluster to its master. The checkbox is selected by default.

Windows domain membership

The Windows Domain Membership options are invoked by clicking the corresponding button under User Management.

Note: These options are only available for instances of McAfee Web Gateway running on UNIX systems, such as Linux or Solaris.

They are described in the upcoming sections:

• Windows domain membership

• NTLM authentication test

Windows domain membership

The Windows Domain Membership tab looks like this:

There is the following section on this tab:

• NTLM Authentication

NTLM Authentication

Using this section, you can configure an account within one or more Microsoft Windows domains for an instance of McAfee Web Gateway that is running on a particular system.

An account like this is also known as a "machine account" or "computer account". It is used to forward user authentication requests received by McAfee Web Gateway to the domain controller.

Note: This section and tab are only available for instances of McAfee Web Gateway running on UNIX systems, such as Linux or Solaris.

The domain controller checks the user credentials to verify whether a particular user is an authenticated user within the domain, using the information stored in its database, and sends the result back to McAfee Web Gateway.

Depending on the result, a user who submitted an authentication request is allowed or denied access to the system McAfee Web Gateway is running on.

You need to configure an individual account for every instance of McAfee Web Gateway that is running on a particular system.

Note: This is also required if the McAfee Web Gateway instance is a member of a cluster in a central management or a high-availability environment since the settings described here are not distributed within the cluster.

Use the following items to configure a McAfee Web Gateway account in a Windows domain:

• Windows domain name — In this input field, type the name of the Windows domain that the McAfee Web Gateway account should be joined to.

Note: You need to type the name without extension, for example, securecomputing, instead of securecomputing.com.

• Webwasher account name — In this input field, type the McAfee Web Gateway account name, which is the machine name or "computer" name of the system McAfee Web Gateway is running on. This name must not be longer than 15 characters.

Remember that you need to specify an individual account name for every McAfee Web Gateway instance and also need to repeat the procedure of configuring all the settings described here for every instance, even if it is a member of a central management or a high-availability cluster.

• Overwrite existing account — Select this checkbox to have the account you are presently configuring overwrite an account that existed before under the same name.

In this case, you should make sure that the existing account is actually not needed anymore.

• Configured Domain Controller(s) — In this input field, specify one or more domain controllers. This should be done by typing their host name or names.

IP addresses may also be used here, but this could in some cases lead to problems with correctly assigning users to their domains. This means that a user would have to submit a domain name together with the usual credentials in order to be authenticated.

When specifying more than one controller here, separate entries by commas.

Note: Any host name you specify here must be resolvable. Also, McAfee Web Gateway will connect only to one domain controller at a time.

If more than one controller is configured, McAfee Web Gateway will try to connect to the first in the list, and in case this one is down, go through the list retrying until a connection has been established successfully.

• Administrator name — In this input field, type the name of an administrator account that has permission to execute the configuration activities required for setting up McAfee Web Gateway accounts in a Windows domain.

Note: The information you specify here is only used once to complete the configuration procedure and is not stored afterwards.

• Password — In this input field, type the password for the above administrator account.

Note: This information is also only used once and not stored.

• Join domain — After specifying the appropriate information, click this button to let a McAfee Web Gateway account join a Windows domain.

If this action was successful, a corresponding entry is added to the list of accounts, which is displayed at the bottom of the section. To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To filter the list output, type a filtering term in the input field at the top of the Domain column and enter it using the Enter key of your keyboard. The list will then only display entries with domain names matching this term.

To edit an entry, type the appropriate information in the corresponding input field of the Domain Controller(s) column and click Apply Changes to make the modification effective. You can edit more than one entry at a time and make the modification effective in one go.

Note: You cannot edit the information in the Domain and Account columns.

The indicator in the Status column shows the status for each entry. It can take different colors, which have the following meanings:

• Gray — The account is joined to the domain, but so far no authentication request has been submitted through this account, so it is unclear whether it is currently possible to connect to the domain controller.

The gray color is also shown when a new domain was added to the configuration, regardless of whether the red or green color was previously shown for the account.

• Red — The account is joined to the domain, but there is a problem with the connection to the domain controller.

• Green — The connection between account and domain controller is working without any problems.

To remove an account from the domain it is currently joined to, use the following button, which is provided for each entry:

• Leave domain — Click this button to make an account leave its configured domain.

NTLM authentication test

The NTLM Authentication Test tab looks like this:

There is the following section on this tab:

• NTLM Authentication

NTLM Authentication

Using this section, you can test the settings you configured for NTLM authentication of a user in a Microsoft Windows domain.

If the test is passed successfully, information is displayed on the connection status, the authentication result for a given user, and the groups that this user is a member of within the domain.

Use the following items to perform the authentication test:

• Domain — In this input field, enter the domain that the user should be authenticated for.

• User — In this input field, enter the user name.

• Password — In this input field, enter the password for the above user name.

• Authenticate user — After submitting information in the three fields above, click this button to perform the authentication test.

If the test was passed successfully, you will see the following information in the area below the button:

• Connection status — Status of the connection to the domain controller

• Active DC — Name of the domain controller that a connection has been established to

• Authentication result — Information whether the authentication process was performed successfully for the user in question

• User groups — Number of groups within the Windows domain that this user is a member of. A list of these groups is provided below the User groups line.

Languages

The Languages options are invoked by clicking the corresponding button under User Management. They are described in the upcoming sections:

• Languages

• Import language pack

Languages

The Languages tab looks like this:

There are three sections on this tab:

• Supported Languages

• Language Selection

• Language Selection Parameters

Supported Languages

The Supported Languages section looks like this:

This section displays all languages that have been configured for sending messages to users of McAfee Web Gateway, such as error messages or notifications. From these, you can select the languages that are actually used for sending messages. McAfee Web Gateway will not support languages that have not been selected here. This is especially useful if you are customizing messages, but do not want to customize them in all available languages.

The languages that are available for McAfee Web Gateway and displayed here must have been entered in the global.ini (Windows) or global.conf (Linux/Solaris) configuration file. For a description of how to add more languages to this file, see the chapter on Language Configuration in the McAfee Web Gateway Reference Guide.

The following languages are displayed here by default: German, English, French, and Japanese. These are also the languages that user message templates are delivered for with the McAfee Web Gateway software.

You can implement the use of additional languages by importing sets of user message templates, known as "Language Packs", into McAfee Web Gateway. Language packs are available for Italian, Spanish, Portuguese, Chinese, and Korean. Use the items on the Import Language Packs tab under User Management > Languages to import these.

If you want McAfee Web Gateway to support other languages than those mentioned so far, you need to provide your own translations of the corresponding user message templates. For information on how to implement them within McAfee Web Gateway, see also the Language Configuration chapter of the Reference Guide.

You can select more than one language here, which enables you to configure different languages for different users, with regard to their IP addresses or the security policies they have been mapped to. In the Language Selection section, you can configure methods to establish the language that is appropriate for sending messages to a particular user under particular circumstances. The Language Selection Parameters section is provided to configure settings for these methods. A configuration example is given on the online help page for this section.

After specifying the appropriate settings here, click Apply Changes to make them effective.

Use the following items to configure the supported languages:

• German [de], English [en], etc. — Select the checkbox of the languages you want to be supported for user messages. The English checkbox is selected by default.

Language Selection

The Language Selection section looks like this:

Using this section, you can configure methods to establish which language is appropriate for sending messages to a particular user.

Methods are applied in the order you configure them here. If no supported language is found by applying the first method, McAfee Web Gateway uses the second method in the list to look up the language, and so on. If none of the selected methods yields a supported language, the default language is used.

Note: Some of these methods and corresponding parameters can be configured with regard to web or e-mail traffic only.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure methods for language selection:

• Default language — From this drop-down list, select the language McAfee Web Gateway should use as default. By default, English is the default language.

• 1. Method, 2. Method, . . . — From the drop-down lists provided here, select the methods you want McAfee Web Gateway to apply for determining which language should be used in a message to a particular user.

The method you select from the first list will be applied first, and so on.

By default, only one method is selected from the first list, which is Browser, whereas no methods are selected from the remaining lists.

The following methods can be selected here:

• Browser — McAfee Web Gateway uses the browser language of a client that sent a request for sending any messages back to this client.

• IP — The language McAfee Web Gateway uses for sending messages to a client depends on the range of IP addresses the client lies within. Languages are assigned to particular ranges in the Language Selection Parameters section.

Note: This is a method for Web traffic only.

• Email — The language McAfee Web Gateway uses for sending messages depends on particular attributes of the e-mails the messages are related to. These attributes are configured in the Language Selection Parameters section.

Note: This is a method for e-mail traffic only.

• Policy — The language McAfee Web Gateway uses for sending messages depends on the policies configured for the filtering measures that caused the messages to be sent. Languages are assigned to particular policies in the Language Selection Parameters section.

• LDAP — The language McAfee Web Gateway uses for sending messages to a client depends on the language attribute and other attributes that have been stored on an LDAP server for this client. These attributes are configured in the Language Selection Parameters section.

Note: This is a method for e-mail traffic only.

• User Database — The language McAfee Web Gateway uses for sending messages to a particular user depends on the language configured for this user in the McAfee Web Gateway User Database, see User database.

Language Selection Parameters

The Language Selection Parameters section looks like this:

Using this section, you can configure parameters relating to the methods of the Language Selection section.

Note: Some of these methods and corresponding parameters can be configured with regard to web or e-mail traffic only.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure language selection parameters:

• LDAP language attribute — In the input field provided here, enter the attribute that should be searched for on the LDAP server when the LDAP method is used for selecting languages.

If it can be found within the entries stored for a client on this server, McAfee Web Gateway will use the corresponding language for sending messages to this client.

Note: This method and attribute can only be configured for e-mail traffic.

Below this input field, there is a link that takes you to the Recipient LDAP Check tab, where you can configure more settings of the LDAP server.

• Language — This column provides a list of the languages McAfee Web Gateway will select from when sending messages. To determine which language should be selected in a given situation, you configured methods in the Language Selection section.

Use the input fields in the columns next to this column to configure parameters for each of these methods and with regard to each of the languages in the list:

• IP-Range — Enter the range of client IP addresses here that McAfee Web Gateway should send messages to in a particular language. This can be done by actually entering a range of addresses (specifying its beginning and end), or a single address, or a list of addresses.

Note: Configuring this parameter for a language is only meaningful if you have selected IP as a method in the Language Selection section. This method works for web traffic only.

• Email-Match — Enter a regular expression here that must be matched by one of the attributes of an e-mail. If there is a match, McAfee Web Gateway will send messages relating to that e-mail in a particular language.

Note: Configuring this parameter for a language is only meaningful if you have selected Email as a method in the Language Selection section. This method works for e-mail traffic only.

• LDAP-Match — Enter a regular expression here that must be matched by the attributes entered for a client on an LDAP server. If there is a match, McAfee Web Gateway will send messages to that client in a particular language. Use of this attribute is made in addition to the language attribute configured above.

Note: Configuring this parameter for a language is only meaningful if you have selected LDAP as a method in the Language Selection section. This method works for e-mail traffic only.

• Policy — This column provides a list of the security policies that have been configured so far under McAfee Web Gateway.

You can configure a language for each of these policies, which will enable McAfee Web Gateway to use this language for messages relating to a filtering measure, such as Block or Allow, that was triggered under the policy in question.

Use the drop-down lists in this column to do this:

• Language — Select a language for each of the policies listed here from the drop-down list next to it.
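The ordered lookup from the Language Selection section, combined with the IP-Range, Email-Match, LDAP and Policy parameters from this section, as an added example in Python that is not the product's own code: every method returns a language or nothing, the first result that is among the supported languages wins, anything unsupported falls through, and the default language applies when no method yields a result. The configuration values, the request context keys and the method function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample configuration (not from the guide): the checkboxes selected under
# Supported Languages, the default language, and the cells of the Language Selection
# Parameters section, keyed by language.
SUPPORTED_LANGUAGES = {"de", "en", "fr", "ja"}
DEFAULT_LANGUAGE = "en"
IP_RANGE = {  # IP-Range column: begin-end range, a single address, or a list of addresses
    "de": "10.1.0.1-10.1.255.254, 192.0.2.17",
    "fr": "10.3.0.0-10.3.255.255",
}
EMAIL_MATCH = {"ja": r"@example\.jp$"}          # Email-Match column (regular expression)
LDAP_LANGUAGE_ATTRIBUTE = "preferredLanguage"   # LDAP language attribute field
LDAP_MATCH = {"fr": r"^(Paris|Lyon)$"}          # LDAP-Match column (regular expression)
POLICY_LANGUAGE = {"Engineering": "de", "Guests": "es"}  # Policy column, one language per policy
USER_DATABASE_LANGUAGE = {"jdoe": "ja"}         # language configured per user in the User Database


def parse_accept_language(header: str) -> list[str]:
    """Primary tags from a browser's Accept-Language header, best quality first."""
    ranked = []
    for position, part in enumerate(header.split(",")):
        tag, _, params = part.strip().partition(";")
        found = re.search(r"q=(\d*\.?\d+)", params)
        quality = float(found.group(1)) if found else 1.0
        if tag and quality > 0:
            ranked.append((-quality, position, tag.split("-")[0].lower()))
    return [tag for _, _, tag in sorted(ranked)]


def ip_in_range(ip: str, spec: str) -> bool:
    """Match a client address against one IP-Range cell."""
    addr = ipaddress.ip_address(ip)
    for item in [p.strip() for p in spec.split(",") if p.strip()]:
        if "-" in item:
            low, high = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if low <= addr <= high:
                return True
        elif addr == ipaddress.ip_address(item):
            return True
    return False


# Each method returns a language tag or None. IP applies to web traffic only, Email and
# LDAP to e-mail traffic only, so they yield nothing for the other kind of traffic.
def method_browser(ctx):
    for tag in parse_accept_language(ctx.get("accept_language", "")):
        if tag in SUPPORTED_LANGUAGES:
            return tag
    return None

def method_ip(ctx):
    if ctx.get("traffic") != "web" or "client_ip" not in ctx:
        return None
    for lang, spec in IP_RANGE.items():
        if ip_in_range(ctx["client_ip"], spec):
            return lang
    return None

def method_email(ctx):
    if ctx.get("traffic") != "email":
        return None
    for lang, pattern in EMAIL_MATCH.items():
        if any(re.search(pattern, value) for value in ctx.get("email_attributes", [])):
            return lang
    return None

def method_ldap(ctx):
    if ctx.get("traffic") != "email":
        return None
    attrs = ctx.get("ldap_attributes", {})
    if LDAP_LANGUAGE_ATTRIBUTE in attrs:          # the language attribute itself ...
        return attrs[LDAP_LANGUAGE_ATTRIBUTE].lower()
    for lang, pattern in LDAP_MATCH.items():       # ... and the LDAP-Match regex in addition
        if any(re.search(pattern, value) for value in attrs.values()):
            return lang
    return None

def method_policy(ctx):
    return POLICY_LANGUAGE.get(ctx.get("policy"))

def method_user_database(ctx):
    return USER_DATABASE_LANGUAGE.get(ctx.get("user"))

METHODS = {"Browser": method_browser, "IP": method_ip, "Email": method_email,
           "Policy": method_policy, "LDAP": method_ldap, "User Database": method_user_database}


def select_language(method_order, ctx):
    """Apply 1. Method, 2. Method, ... in order; the first supported language wins, else the default."""
    for name in method_order:
        lang = METHODS[name](ctx)
        if lang in SUPPORTED_LANGUAGES:
            return lang
    return DEFAULT_LANGUAGE
```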

Import language pack

The Import Language Pack tab looks like this:

There is the following section on this tab:

• Import Language Pack

Import Language Pack

Using this section, you can download language packs from a web server provided by McAfee and import them into McAfee Web Gateway. This will enable McAfee Web Gateway to display messages sent to the user, for example, error messages, in languages other than English.

For information on how to configure the use of other languages, see the Languages tab and the corresponding online help pages.

Note: The language information for French, German and Japanese is shipped with McAfee Web Gateway, so no import of a language pack is required for these languages. Language packs are available for the following languages: Spanish, Portuguese, Italian, Chinese, and Korean.

Before importing a language pack into McAfee Web Gateway, you need to download it from the Webwasher Extranet, which is provided by McAfee, and store it in a location within your local file system. To access the extranet, you need a user account and password. Within the extranet, go to Download > Language Packs to download packages for languages as required.

After a language pack has been imported, the language in question is displayed in the Supported Languages section of the Languages tab. To actually enable support for it, select the checkbox next to it and click Apply Changes (as described in the Supported Languages subsection).

Use the following items to import a language pack:

• Import language pack from — Specify the file name of the language pack you want to import in this input field.

To do this, click Browse next to the field and browse to the location where you have stored the language pack file in question.

• Import — After browsing to the appropriate language pack file, click this button to import it into McAfee Web Gateway.

3 Reporting

Contents

About reporting

View live reports (for policy)

Log file management

View log files

Live report management

View live reports (overall reporting)

Rate limiting

Deanonymization

About reporting

The functions described in this chapter are accessible over the Reporting tab of the user interface:

These functions allow you to configure the reporting features provided by McAfee Web Gateway (formerly Webwasher®), such as the viewing of live reports or log file management.

View live reports (for policy)

The View Live Reports options are invoked by clicking on the corresponding button under Reporting.

These are policy-dependent options — they are configured for a particular policy. When you are configuring these options, you need to specify this policy.

To do this, select a policy from the drop-down list labeled Live Reports for policy, which is located above the View Live Reports button:

The options are described in the upcoming section:

• View live reports

Note: For information about how to configure overall View Live Reports options — options that are not policy-dependent, see View live reports (overall reporting).

View live reports

The View Live Reports tab looks like this:

There are three sections on this tab:

• Policy Statistics

• Policy Summary Reports

• Display Options

Policy Statistics

The Policy Statistics section looks like this:

It allows you to view detailed information on the filtering activities going on under a particular policy in your corporate network.

To view a particular kind of information, click the corresponding icon (magnifying glass with paper).

The following kind of information can be viewed:

• Filter Statistics — Shows the amount of data washed by the Advertising Filter, Privacy Filter, Security Filter and the Media Type Filter.

• Category Overview — Provides an overview of the number of requests made, broken down by category and regardless of whether they were blocked or not, as well as the number of external requests and the number of blocked requests.

Policy Summary Reports

The Policy Summary Reports section looks like this:

It allows you to view summary reports on filtering activities performed under a particular policy in your corporate network.

Different reports can be written according to the way McAfee Web Gateway is configured; for example, (1) as proxy for client communication, or (2) filtering web requests and uploads in REQMOD communication, or (3) filtering web downloads and e-mail messages in RESPMOD communication, or in a combination of (2) and (3).

Use the following buttons to perform other activities relating to these reports:

• Export All — Click this button to export all reports to an Excel format.

• Reset All — Click this button to reset all reports.

Display Options

The Display Options section looks like this:

It allows you to configure the way reports are displayed.

Specify information regarding this display in the input fields described below. Click Apply Changes to make your settings effective.

The following parameters can be configured here:

• Number of displayed items — Enter the appropriate number of items here. The default number is 10.

• Automatically refresh after ... seconds — Enter the appropriate number of seconds here. The default number is 0, which means no automatic refreshing.

Log file management

The Log File Management options are invoked by clicking on the corresponding button under Reporting. They are described in the upcoming sections:

• Activate log files

• Auto-rotation

• Auto-deletion

• Auto-pushing

Note: A Log File Manager script performs the pushing and deleting of log files when McAfee Web Gateway is set up to run in a multi-process configuration, and on McAfee Web Gateway appliances in general. The script is started at intervals of five minutes, so it can take up to five minutes until log files are pushed and deleted on the McAfee Web Gateway server.

When an HTTP server has been set up as next hop proxy, the Log File Manager script will push log files to this proxy if it is configured as push target. The script cannot, however, push log files to HTTPS and FTP next hop proxies. In this case, no next hop proxies are used for pushing log files; the files are pushed directly to the configured FTP and HTTPS target servers instead.

For more information about this script, see the Log File Manager subsection of the section titled Running McAfee Web Gateway in a multi-process configuration under Proxies.

Furthermore, a procedure is described for configuring the processing of McAfee Web Gateway log data by Secure Computing’s Secure Web Reporter, which is the reporting tool provided in the McAfee web security product line:

• Configuring log file processing for McAfee Web Reporter


Activate log files

The Activate Log Files tab looks like this:

There are three sections on this tab:

• Auditing

• Activate Log Files

• Custom Log Files


Auditing

The Auditing section looks like this:

Using this section, you can configure the Audit Log. You can activate it and go from here to the Audit Log Customization tab, where you can specify the log parameters.

After modifying the setting here, click Apply Changes to make the modification effective.

Use the following items to configure this log:

• Activate Audit Log — Make sure this checkbox is selected if you want to use the Audit Log. The checkbox is selected by default.

• Customize Audit Log — Click this button to go to the Audit Log Customization tab, where you can specify the log parameters.

Activate Log Files

The Activate Log Files section looks like this:

Using this section, you can configure the writing of log files. You can also determine whether they should be written on the ICAP client or the ICAP server. Some log files can be configured for ICAP client and server, some only for the ICAP server and some only for the ICAP client.

Enable the log files you want to have written by selecting the corresponding checkboxes. Click Apply Changes to make your settings effective.

To customize a log file, click the button in the same line, which is labeled according to the log file name, for example, Customize Audit Log. This will take you to another tab, where you can configure values for customizing this log.

You can also configure your own customized log files; see the Custom Log Files section below.


Custom Log Files

The Custom Log Files section looks like this:

Using this section, you can configure custom log files. Custom log files are log files of your own that are written by customized actions.

To create a custom log file, enter a name for it in the New name input field and click Create. The custom log file will then be displayed as a new entry in a list above the input field.

To configure a custom log file, use the following input field:

• New name — Enter a name for the new log file in this input field. Click Create next to it.

An entry for the new log file is then inserted in the custom log file list, which is displayed at the top of the section.

Next to each list entry, the following button is provided:

• Define Log Structure — Click this button to continue configuring the custom log file in question. This will take you to another tab, where you can specify the appropriate values.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking on the appropriate arrow symbols.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field of the Log File Name column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.


Auto-rotation

The Auto-Rotation tab looks like this:

There is the following section on this tab:

• Auto-Rotation

Auto-Rotation

Using this section, you can configure the automatic rotation of log files in order to control log file growth. The oldest log files are renamed, the current log is moved, and a new log file is created. The frequency of rotation is configured separately for each log file.

Make sure the checkbox next to the section heading is selected if you want to configure the options provided here. After configuring them, click Apply Changes to make your settings effective.

Use the following items to configure overall settings for log file rotation:

• Rotate daily at ... — In this input field, enter the time you want the rotation to be performed each day. Specify a local time value, using the 24-hour format; for example, 1 p.m. is 13:00.

• Rotate Log Files now — Click this button to rotate all log files immediately, regardless of the configured time schedule.


Use the following items to configure settings for individual log file rotation:

• Rotate if size exceeds ... MB — Enable this option and enter a size value (in MB) in the input field provided here to prevent the log file in question from becoming too large. The log file will be rotated as soon as its size exceeds the configured value.

The minimum size that can be specified here is 1 MB. It can be increased by single integer steps.

• Rotate daily — Enable this option to configure a daily rotation for the log file in question. Rotation is performed at midnight in this case.

Auto-deletion

The Auto-Deletion tab looks like this:

There is the following section on this tab:

• Auto-Deletion


Auto-Deletion

Using this section, you can configure the automatic deletion of log files in order to control log file growth. The frequency of deletion is configured separately for each log file.

Note: A Log File Manager script performs the pushing and deleting of log files when McAfee Web Gateway is set up to run in a multi-process configuration and on McAfee Web Gateway appliances in general. The script is started in intervals of five minutes. This means that it can take up to five minutes until log files are pushed and deleted on the McAfee Web Gateway server. For more information about this script, see the Log File Manager subsection of the section titled Running McAfee Web Gateway in a multi-process configuration under Proxies.

Make sure the checkbox next to the section heading is selected if you want to configure the options provided here. After configuring them, click Apply Changes to make your settings effective.

Use the following items to configure settings for individual log file deletion:

• Keep only ... old log files at a time — Enable this option and enter the appropriate number in the input field provided here.

The oldest log file will be deleted as soon as the number of log files in the log directory exceeds the configured value.

If this option is enabled together with the option described below, old log files will be deleted until the configured values are reached for both options.

• Keep only log files of the last ... days — Enable this option and enter the appropriate number in the input field provided here.

Log files older than the date specified here will be deleted.

If this option is enabled together with the option described above, old log files will be deleted until the configured values are reached for both options.
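The interplay of the two Auto-Deletion options, as an added Python example that is not part of this guide and not product code: it models a directory of rotated log files and returns the set the two rules would remove, on their own or combined. File names, timestamps and the treatment of the age boundary are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample input (not from the guide): rotated log files in a log
# directory, mapped to their last-modified time. File names are illustrative;
# the guide does not state the naming scheme the product uses for rotated files.
NOW = datetime(2011, 6, 15, 13, 0, 0)
SAMPLE_FILES = {
    "access.log.1": NOW - timedelta(days=1),
    "access.log.2": NOW - timedelta(days=2),
    "access.log.3": NOW - timedelta(days=5),
    "access.log.4": NOW - timedelta(days=9),
    "access.log.5": NOW - timedelta(days=20),
}


def files_to_delete(files, keep_count=None, keep_days=None, now=None):
    """Return the names of rotated log files that the Auto-Deletion rules
    would remove.

    files      : dict mapping file name -> last-modified datetime
    keep_count : value of 'Keep only ... old log files at a time'
                 (None means the option is disabled)
    keep_days  : value of 'Keep only log files of the last ... days'
                 (None means the option is disabled)

    With both options enabled, deletion continues until both limits hold,
    which is the same as deleting every file that at least one rule selects.
    """
    now = now or datetime.now()
    doomed = set()

    if keep_days is not None:
        # Age rule: anything older than the cutoff date is deleted
        # (files exactly on the boundary are kept; an assumption).
        cutoff = now - timedelta(days=keep_days)
        doomed |= {name for name, mtime in files.items() if mtime < cutoff}

    if keep_count is not None and len(files) > keep_count:
        # Count rule: the oldest files go first until only keep_count remain.
        oldest_first = sorted(files, key=lambda name: files[name])
        excess = len(files) - keep_count
        doomed |= set(oldest_first[:excess])

    return doomed


def retained(files, keep_count=None, keep_days=None, now=None):
    """Files that survive the deletion pass, newest first, for inspection."""
    gone = files_to_delete(files, keep_count, keep_days, now)
    return sorted((name for name in files if name not in gone),
                  key=lambda name: files[name], reverse=True)


if __name__ == "__main__":
    for kc, kd in ((3, None), (None, 7), (4, 3)):
        print(f"keep_count={kc} keep_days={kd}: delete "
              f"{sorted(files_to_delete(SAMPLE_FILES, kc, kd, NOW))}")
```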


Auto-pushing

The Auto-Pushing tab looks like this:


If you want to configure any of the options provided on this tab, you need to select the following checkbox:

• Enable auto-pushing

The options are grouped in four sections:

• Common Push Target

• Separate Push Targets

• Push Log Files After Rotation

• System Notification

Common Push Target

The Common Push Target section looks like this:

Using this section, you can configure log file pushing as a security feature (for backup), as well as for analysis purposes.

Log files stored on the McAfee Web Gateway server can be uploaded to another HTTP, HTTPS or FTP server. This server is a common push target — all log files are uploaded there.

Note: HTTPS and FTP servers that have been configured as next hop proxies are not available as push targets in a multi-process configuration and on appliances in general. In these cases, the pushing is performed by a Log File Manager script, which can only push log files to HTTP next hop proxies. The files are then pushed directly to the configured HTTPS and FTP target servers, see also the Log File Manager subsection of the section titled Running McAfee Web Gateway in a multi-process configuration under Proxies.

If the upload server demands authentication, you can configure a username and password to authenticate the file upload process.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Note: The Enable auto-pushing checkbox at the top of this tab must also be selected for these settings to take effect.

Use the following items to configure settings for pushing log files to a common target:

• Upload to ... every ... hours — In the first of the input fields provided here, enter the name of the upload server. The input format is:

(ftp | http | https)://server[:port][/path/]

In the second input field, enter a number to specify the hourly interval for pushing log files to this server.

• Authentication — Specify login credentials in the following two input fields, in case the upload server demands authentication:

• Username — User name to be submitted for authentication to the upload server

• Password — Password to be submitted for authentication to the upload server


Separate Push Targets

The Separate Push Targets section looks like this:

Using this section, you can configure log file pushing as a security feature (for backup), as well as for analysis purposes.

Log files stored on the McAfee Web Gateway server can be uploaded to another HTTP, HTTPS or FTP server.

Unlike the Common Push Target section described above, this section lets you configure an individual push target (upload server) for each log file, such as the HTTP Access Log, the Security Log, and so on.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Note: The Enable auto-pushing checkbox at the top of this tab must also be selected for these settings to take effect.


Use the following items to configure settings for pushing log files individually and to separate targets:

• Upload to ... every ... hours — In the first of the input fields provided here, enter the name of the upload server. The input format is:

(ftp | http | https)://server[:port][/path/]

In the second input field, enter a number to specify the hourly interval for pushing log files to this server.

• Push Log Files Now — Click this button to push all log files to their upload servers immediately, regardless of the configured time schedule.

Note: This button is not available when McAfee Web Gateway is run as an appliance because in this case, a Log File Manager script does the pushing. The script is started in intervals of five minutes. This means that it can last up to five minutes until log files are pushed and deleted on the McAfee Web Gateway server. For more information about this script, see the Log File Manager subsection of the section titled Running McAfee Web Gateway in a multi-process configuration under Proxies.

Push Log Files After Rotation

The Push Log Files After Rotation section looks like this:

It allows you to configure the pushing of log files after their rotation.

By default, every log file that an upload server was configured for is pushed after being rotated, either manually or automatically. This does not, however, apply to the errors log file. This log file is only pushed according to its upload interval.

Use the following checkbox to configure log file pushing after rotation:

• Push log files after rotation — Select this checkbox to have log files pushed after rotation, or deselect it to disable this.

System Notification

The System Notification section looks like this:

It allows you to configure the sending of e-mail notifications if there was a failure in pushing log files.

Use the following items to configure these notifications:

• Send notification upon log file pushing failure — Enable this option if you want e-mail notifications to be sent in case of a log file pushing failure.

• Recipient — In this input field, enter the e-mail address of the recipient the notifications should be sent to.


• Edit notification mail server — Click this button to go to a tab where you can configure a mail server for processing your notifications.

For a description of this window, see the Notification Settings window subsection of the E-mail gateway section under Proxies.

• Send Test Messages — After configuring the sending of e-mail notifications as described above, click this button to have test messages sent.

Content Reporter

The Content Reporter tab looks like this:

There is the following section on this tab:

• Content Reporter

Content Reporter

This section provides information on the legacy Content Reporter product, which was provided as the Webwasher reporting tool.

As a reporting tool, Content Reporter has been followed by McAfee Web Reporter.


Configuring log file processing for McAfee Web Reporter

To have log files that were created by McAfee Web Gateway processed within McAfee Web Reporter, you need to perform some configuration activities.

For information about setting up McAfee Web Reporter and configuring a log source to collect log files from McAfee Web Gateway, see the McAfee Web Reporter Setup Guide.

Under McAfee Web Gateway, you need to configure the access log file format in a way that lets it correspond to the log format read by McAfee Web Reporter.

Proceed as follows:

1 In the McAfee Web Gateway user interface, go to Reporting > Log File Management and select the Activate Log Files tab.

2 In the HTTP Access Log row, make sure the Proxy/Gateway (Client) checkbox is selected and the Web Requests (REQMOD) and Web Downloads (RESPMOD) checkboxes are deselected:

3 Click Apply Changes.

4 Click Customize HTTP Access Log. The HTTP Access Log Customization tab appears.

5 Make sure the HTTP Access Log checkbox is selected in the Write File Header section and deselected in the Encrypt Log File section.

6 In the HTTP Access Log field of the Log File Structure section, insert the log file structure that enables McAfee Web Reporter to process McAfee Web Gateway log files:

src_ip src_host "auth_user" time_stamp "req_line" status_code

bytes_to_client "referer" "user_agent" "attribute" block_res

"categories" "media_type" "virus_name"

rep_level unix_epoch

7 Click Apply Changes.
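A parser for the access log structure configured in step 6, as an added Python example that is not part of this guide or of either product: it maps each line onto the 16 fields in that order, honouring quoted and bracketed values, and aggregates the figures a reviewer checks first (blocked requests, malware detections, volume per user). The sample lines, the timestamp layout, the use of "-" for empty values and the reading of block_res are constructed assumptions; the guide gives only the field names.

```python
import re

# Field order of the HTTP Access Log structure given in step 6 above.
WEB_REPORTER_FIELDS = [
    "src_ip", "src_host", "auth_user", "time_stamp", "req_line", "status_code",
    "bytes_to_client", "referer", "user_agent", "attribute", "block_res",
    "categories", "media_type", "virus_name", "rep_level", "unix_epoch",
]

# One token is a double-quoted string (with backslash escapes), a bracketed
# string such as a timestamp, or a run of non-blank characters.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\[([^\]]*)\]|(\S+)')

# Constructed sample lines (not real product output). Timestamp layout,
# '-' for empty values and the block_res/rep_level encodings are assumptions;
# the guide lists the field names only, not their value formats.
SAMPLE_LINES = [
    '10.0.0.5 wks42.example.internal "jdoe" [15/Jun/2011:13:02:11 +0200] '
    '"GET http://www.example.com/index.html HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (Windows NT 6.1)" "-" 0 "Business" "text/html" "-" 75 1308135731',
    '10.0.0.9 wks07.example.internal "asmith" [15/Jun/2011:13:03:40 +0200] '
    '"GET http://games.example.net/play HTTP/1.1" 403 1290 "-" '
    '"Mozilla/5.0 (Windows NT 6.1)" "URL Filter" 1 "Games" "text/html" "-" 60 1308135820',
    '10.0.0.5 wks42.example.internal "jdoe" [15/Jun/2011:13:05:02 +0200] '
    '"GET http://dl.example.org/setup.exe HTTP/1.1" 403 2048 "-" '
    '"Mozilla/5.0 (Windows NT 6.1)" "Anti-Virus" 1 "Software" '
    '"application/x-msdownload" "EICAR-Test-File" 20 1308135902',
]


def tokenize(line):
    """Split a log line into tokens, honouring quotes and square brackets."""
    return [next(g for g in m.groups() if g is not None)
            for m in _TOKEN.finditer(line)]


def parse_access_line(line):
    """Map one log line onto the 16 Web Reporter fields; raise on mismatch."""
    tokens = tokenize(line)
    if len(tokens) != len(WEB_REPORTER_FIELDS):
        raise ValueError(f"expected {len(WEB_REPORTER_FIELDS)} fields, "
                         f"got {len(tokens)}: {line!r}")
    rec = dict(zip(WEB_REPORTER_FIELDS, tokens))
    rec["status_code"] = int(rec["status_code"])
    rec["bytes_to_client"] = int(rec["bytes_to_client"])
    rec["unix_epoch"] = int(rec["unix_epoch"])
    return rec


def summarize(lines):
    """Aggregate the figures a reviewer checks first: volume, blocks, malware.
    A block_res other than '0' is taken to mean the request was blocked
    (assumption); a virus_name other than '-' counts as a detection."""
    summary = {"requests": 0, "bytes_to_client": 0, "blocked": 0,
               "malware": 0, "users": set()}
    for line in lines:
        rec = parse_access_line(line)
        summary["requests"] += 1
        summary["bytes_to_client"] += rec["bytes_to_client"]
        summary["users"].add(rec["auth_user"])
        if rec["block_res"] != "0":
            summary["blocked"] += 1
        if rec["virus_name"] not in ("", "-"):
            summary["malware"] += 1
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_access_line(line)
        print(rec["auth_user"], rec["status_code"], rec["categories"],
              rec["virus_name"])
    print(summarize(SAMPLE_LINES))
```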


View log files

The View Log Files options are invoked by clicking on the corresponding button under Reporting. They are described in the upcoming section:

• View log files

View log files

The View Log Files tab looks like this:

There is the following section on this tab:

• View Log Files

View Log Files

This section provides a list of the log files that are maintained under McAfee Web Gateway. Using the icons on the right side of the list, you can view or save a log file.

Live report management

The Live Report Management options are invoked by clicking on the corresponding button under Reporting. They are described in the upcoming sections:

• Report activation

• Load reports

• Anonymization


Report activation

The Report Activation tab looks like this:


There are two sections on this tab:

• Summary Report Activation

• Summary Report Actions

Summary Report Activation

The Summary Report Activation section looks like this:


Using this section, you can configure the writing of summary reports. Different reports can be written according to the way McAfee Web Gateway is configured:

• As proxy for client communication

• Filtering web requests and uploads in REQMOD communication

• Filtering web downloads and e-mail messages in RESPMOD communication

• A combination of filtering web requests and uploads in REQMOD communication and filtering web downloads and e-mail messages in RESPMOD communication

Enable the reports you want to have written by selecting the corresponding checkboxes. Click Apply Changes to make your settings effective.

The activities covered by the individual reports are as follows (*** indicates reports that are only written on the ICAP client):

• Top Attributes by Bytes Transferred*** — Shows the amount of bandwidth consumed by the categories/blocked categories (depending on the configuration).

• Top Attributes by Number of Requests*** — Shows the number of hits to the categories/blocked categories.

• Top Blocked Categories by Number of Requests — Shows the number of hits to already-blocked categories.

• Top Categories by Bytes Transferred — Shows the amount of bandwidth consumed from accesses to blocked and unblocked categories.

• Top Categories by Number of Requests — Shows the number of hits to the top categories.

• Top Destinations by Bytes Transferred — Shows the amount of bandwidth consumed by accesses to the top hosts.

• Top Destinations by Number of Requests — Shows the number of hits to these hosts.

• Top E-Mail Attributes by Bytes Transferred — Shows the amount of bandwidth consumed by the categories/blocked categories of the e-mail.

• Top E-Mail Attributes by Number of Sections*** — Shows the number of sections of e-mail attributes.

• Top E-Mail Policies by Bytes Transferred*** — Shows the amount of bandwidth consumed by the top e-mail policies.

• Top E-Mail Policies by Number of Messages*** — Shows the number of messages sent to/from the top e-mail policies.

• Top Media Types by Bytes Transferred — Shows the amount of bandwidth consumed by accesses to the different media types (not including their extension).

• Top Media Types by Number of Requests — Shows the number of hits on these media types.

• Top Policies by Bytes Transferred — Shows the amount of bandwidth consumed by access to blocked and unblocked e-mail categories.

• Top Policies by Number of Requests — Shows the number of hits based on policy.

• Top Recipients by Bytes Transferred — Shows the amount of bandwidth consumed by the top recipients of e-mail messages and/or spam.

• Top Recipients by Number of Messages*** — Shows the number of messages sent to the top recipients.

• Top Sender IPs by Bytes Transferred*** — Shows the amount of bandwidth consumed by the top sender IP addresses for e-mail messages and/or spam.

• Top Sender IPs by Number of Messages*** — Shows the number of messages sent by the top sender IP addresses.


• Top Senders by Bytes Transferred*** — Shows the amount of bandwidth consumed by the top senders of e-mail messages and/or spam.

• Top Senders by Number of Messages*** — Shows the number of messages sent by the top senders.

• Top Source IPs by Bytes Transferred — Shows the amount of bandwidth consumed by the top sender source IP addresses for e-mail messages and/or spam.

• Top Source IPs by Number of Requests — Shows the number of messages sent by the top source IP addresses.

• Top Spam Recipients*** — Shows the top recipients of spam.

• Top Spam Sender IPs*** — Shows the top spam sender IP addresses.

• Top Spam Senders*** — Shows the top spam senders.

• Top Top-Level Domains by Bytes Transferred — Shows the amount of bandwidth consumed by accesses to the top-level domains; for example, .de, .com, .net, .ca.

• Top Top-Level Domains by Number of Requests — Shows the number of hits made to these domains.

• Top Users by Bytes Transferred — Shows the amount of bandwidth consumed by users accessing the Internet.

• Top Users by Number of Requests — Shows the number of hits based on users.

Summary Report Actions

The Summary Report Actions section looks like this:

Using this section, you can export and reset summary reports.

After configuring the appropriate settings, click Apply Changes to make them effective.

Use the following items for handling summary reports:

• Export global summary reports — Enable this option to export all global summary reports to a format that can be read in Microsoft Excel (CSV).

This can be useful for further processing, such as representation in a pie chart format, or for being able to view all the (up to 500) report items, rather than the top ten shown in the user interface.

If you would like to change the single-character delimiter (to a tab, or comma) between cells in Excel, this must be done manually in the global.ini or global.conf file. In the [LogFiles] section, there is an entry named ExcelSeparateChar= where you can change the character as desired.

• Export summary reports for all available policies — Enable this option to export the global summary reports as well as all current policy reports.

• Cells are separated by — In this input field, enter the delimiter you want to use between cells in Excel. This must be a single character, such as a comma.


• Export — Click this button to export reports according to the options configured above.

• Reset global summary reports — Enable this option to reset all global summary reports. This will not reset the report refresh rate.

• Reset summary reports for all policies — Enable this option to reset the global summary reports as well as all current policy reports.

• Reset — Click this button to reset reports according to the options configured above.

Load reports

The Load Reports tab looks like this:

There is the following section on this tab:

• Enable Load Reports

Enable Load Reports

Using this section, you can configure the McAfee Web Gateway load reports. These reports show the load on the various connections established for McAfee Web Gateway, such as the connection between HTTPS clients and proxy, proxy and server, and so on.

To view the reports, go to the Webwasher Load section on the View load tab under View live reports (overall reporting).

After configuring the appropriate settings, click Apply Changes to make them effective.

Use the following list to enable load reports for a particular connection type:

• Count load for connections between — Select the checkbox next to the connection type you want to enable load reports for, for example, HTTP clients – HTTP proxy. You can enable load reports for more than one connection type.


Anonymization

The Anonymization tab looks like this:

At the top of this tab, there is a link that takes you to the Deanonymization tab and section, where you can decrypt anonymized strings.

Furthermore, there is the following section on this tab:

• Anonymization

Anonymization

This section allows you to anonymize user names in top-ten live reports.

Use the following options to do this:

• Anonymize Web Reports — Enable this option to anonymize user names in reports on Web traffic.

• Anonymize Mail Reports — Enable this option to anonymize user names in reports on e-mail traffic.


View live reports (overall reporting)

The View Live Reports options for overall reporting are invoked by clicking on the corresponding button under Reporting. They are described in the upcoming sections:

• View live reports

• View load

• System statistics

View live reports

The View Live Reports tab looks like this:

There are three sections on this tab:

• Overall Statistics

• Overall Summary Reports

• Display Options


Overall Statistics

The Overall Statistics section looks like this:

It allows you to view detailed information on the overall filtering activities going on in your corporate network, regardless of any particular policy.

To view a particular kind of information, click the corresponding icon (magnifying glass with paper). The following kind of information can be viewed:

• Filter Statistics — Shows the amount of data washed by the Advertising Filter, Privacy Filter, Security Filter and the Media Type Filter.

• Category Overview — Provides an overview of the number of requests made, broken down by category (regardless of whether they were blocked or not), as well as an overview of the number of external requests and the number of blocked requests.

• ICAP Server Statistics — Shows the overall per client number of REQMOD, RESPMOD, OPTIONS and PROFILE requests and ICAP responses.

• ICAP Clients Statistics — Shows the overall per server number of REQMOD, RESPMOD, OPTIONS and PROFILE requests and the status of the server.

• SMTP Statistics — Shows the overall number of sent and received e-mail messages as well as the amount of data transferred (in KB), maximum and average mail size (in KB) and the maximum and average amount of time (in milliseconds) the mail is in the system.

Overall Summary Reports

The Overall Summary Reports section looks like this:

It allows you to view summary reports on the overall filtering activities performed in your corporate network, regardless of any particular policy.

The reports relate to the way McAfee Web Gateway is configured, as proxy for client communication, or filtering web requests and uploads in REQMOD communication or Web downloads and e-mail messages in RESPMOD communication, or in a combination of both.


Display Options

The Display Options section looks like this:

It allows you to configure the way reports are displayed.

Specify information regarding this display in the input fields described below. Click Apply Changes to make your settings effective.

The following parameters can be configured:

• Number of displayed items — Enter the appropriate number of items here. The default number is 10.

• Automatically refresh after ... seconds — Enter the appropriate number of seconds here. The default number is 0, which means there is no automatic refreshing.

View load

The View Load tab looks like this:

There is the following section on this tab:

• McAfee Web Gateway Load


McAfee Web Gateway Load

This section provides detailed information about the load at the various McAfee Web Gateway connections, such as the connection between HTTP clients and HTTP proxy, HTTP proxy and HTTP server, and so on.

You can view the current load or the load history. To do this, use the following links, which are provided next to every type of connection:

• View Current — Click this link to view the current load.

• View History — Click this link to view the load history.

System statistics

The System Statistics tab looks like this:

There is the following section on this tab:

• System Statistics

System Statistics

The System Statistics section displays several system statistics, such as the system name, the number of processors, the number of processes currently running, and others.


Rate limiting

The Rate Limiting options are invoked by clicking on the corresponding button under Reporting. They are described in the upcoming section:

• View rate limiting statistics

Note: These options are only available on appliance versions of McAfee Web Gateway.

View rate limiting statistics

The View Rate Limiting Statistics tab is only available on appliance versions of McAfee Web Gateway. It looks like this:

There is one section on this tab:

• Rate Limiting Statistics

It is described in the following.


Rate Limiting Statistics

This section displays statistics about how often rate limits were exceeded when users accessed the web. The corresponding functions are configured on the Rate Limiting tab under User Management > Policy Management. You can also export statistical data to an Excel file.

The following items are used to provide rate limiting statistics:

• Policy group — From the drop-down list, select the policy group you want to view rate limiting statistics for. To have only particular groups displayed on the list, enter a filtering term in the Filter field.

• Number of hits for limit — Shows how often rate limits were exceeded for requests per second, KiBytes per second, and connections active at the same time. The current number of hits is displayed for each category, as well as hit numbers for the last hour, day, and week.

• Export hit statistics — Click an icon under Summary or Detailed to export statistical data on how often rate limits were exceeded to an Excel file. Choose an individual group or all groups for data export.


4-Eyes-Principle

The 4-Eyes-Principle option is invoked by clicking on the corresponding button under Reporting. It is described in the upcoming section:

• 4-Eyes-Principle

4-Eyes-Principle

The 4-Eyes-Principle tab looks like this:

On this tab, you can configure the use of two passwords for McAfee Web Gateway settings that are especially privacy-protected.

In order to protect privacy, some McAfee Web Gateway functions can only be executed if two passwords are known. To use these functions, which reveal information about anonymized users or determine how user-related data is collected for reporting, you need to enter two passwords.

Use the following item to configure this special security feature:

• Protect privacy-protected settings by two passwords — Select the checkbox provided here. Then click Apply Changes to make this setting effective.


Deanonymization

The Deanonymization options are invoked by clicking on the corresponding button under Reporting. They are described in the upcoming section:

• Deanonymization

Deanonymization

The Deanonymization tab looks like this:

There is the following section on this tab:

• Deanonymization

Deanonymization

Using this section, you can resolve anonymous strings found in log files or reports. Anonymous strings are strings of characters that do not yet have a variable name assigned to them.

Use the following items to resolve an anonymous string:

• Anonymous string — Enter the string you would like to have resolved in the input field provided here and click Deanonymize next to it.

• Personalized string — Depending on the input, this output field shows the real source IP, the real user name, or the real source host.


4 Caching

Contents

About caching

Quick snapshot

HTTP caching

Cache settings

Flush cache

About caching

The features that are described in this chapter are accessible over the Caching tab of the user interface:

These features allow you to configure the caching of web objects that are requested by users of McAfee Web Gateway (formerly Webwasher®), in order to reduce the time that elapses before users can access the objects.

Note: These features are only available for the appliance versions of McAfee Web Gateway.

The upcoming sections describe how to handle these features. The description begins with an overview.

Quick snapshot

The quick snapshot for the caching functions is invoked by clicking the corresponding button under Caching:

It is described in the upcoming subsection:

• Quick snapshot

Before this is done, however, some general information on the quick snapshot features is provided.


Handling the quick snapshot

The quick snapshot features allow you to view summary information about the parameters of the McAfee Web Gateway cache at a glance. The information is displayed with regard to a given time interval.

Percentages are calculated for the various categories of cache parameters. The percentages are shown by means of a pie chart on the left side of the section.

On the right side of the section, parameter values are shown as they developed in time, using either a stacked or a line mode.

The pie chart and the representation in stacked or line mode are handled in the same way as on the McAfee Web Gateway dashboard.

You can:

• Select and deselect categories for display by selecting and clearing the corresponding checkboxes.

• Select a time interval for display, using the Show last drop-down list.

• Select stacked or line mode for display by selecting the corresponding radio button.


Quick snapshot

The Quick Snapshot tab looks like this:


There are four sections on this tab:

• Cache Efficiency

• Cache Bytes

• Cache Objects

• Cache Usage

Cache Efficiency

This section displays the number of times requested objects were found within the McAfee Web Gateway cache (“Hits”) and the number of times requested objects were not found there (“Misses”) within a given time interval.

Cache Bytes

This section displays the number of bytes for requested objects that were found within the McAfee Web Gateway cache (“Bytes Hits”) and for requested objects that were not found there (“Bytes Misses”) within a given time interval.

Cache Objects

This section displays the number of objects that are stored in the McAfee Web Gateway cache (“Cachable Objects”) and the number of objects that were requested by users but not stored there (“Non-Cachable Objects”) within a given time interval.

Cache Usage

This section displays the percentage of cache utilization within a given time interval.

HTTP caching

The HTTP Caching options are invoked by clicking the corresponding button under Caching.

If you want to enable any of these options, make sure the checkbox on this button is also selected. The checkbox is selected by default. After modifying the setting of this checkbox, click Apply Changes to make the modification effective.

These are policy-dependent options — they are configured for a particular policy. When you are configuring these options, you need to specify this policy.

To do this, select a policy from the drop-down list labeled Policy, which is located above the HTTP Caching button:

Note: You can also configure HTTP caching for every individual proxy port that is opened by McAfee Web Gateway when it is running as an HTTP proxy.

For more information on this option, see the subsection on Port Settings in the HTTP proxy section under Proxies.

The HTTP caching options are described in the upcoming sections:

• HTTP caching

• Cachable objects list


HTTP caching

The HTTP Caching tab looks like this:

There is the following section on this tab:

• Policy Dependent Settings

Policy Dependent Settings

Using this section, you can configure the actions that are executed when a requested object is found in the McAfee Web Gateway cache (a hit) or is not found there (a miss). The actions are configured for requests to web objects.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items for configuring actions:

• Action on cache hit — From the drop-down list provided here, select an action that should be executed when a requested web object was found in the cache.

The following actions are available:

• Add X-Cache Header — An X-Cache header is added to the request.

• Allow — The request is allowed. This action is configured by default.

• Block — The request is blocked.

• Action on cache miss — From the drop-down list provided here, select an action that should be executed when a requested web object was not found in the cache.

For the actions that are available, see the list under Action on cache hit.


Cachable objects list

The Cachable Objects List tab looks like this:

There is the following section on this tab:

• Cachable Objects

Cachable Objects

Using this section, you can specify the web objects that should be stored in the McAfee Web Gateway cache.

To do this, use the area labeled:

• Add new entry

Specify an object or object type using the following items:

• From the drop-down box in the upper line of the area, select String or International Domain Name. In the input field next to it, enter a string to specify the object.

You may also use shell expressions to specify an object type.

Select International Domain Name here if you want to enter non-ASCII characters and the string should be used for the domain part of a URL. In some countries, such as Germany, Sweden or Japan, domain names with non-ASCII characters are allowed.

The IDNA (International Domain Names in Applications) standard describes how a web browser should convert such a domain name into the pure ASCII notation used by DNS. McAfee Web Gateway uses the pure ASCII notation as well, so all IDN strings must be converted.

This is done automatically when you select International Domain Name and enter a string with non-ASCII characters.

Note: You cannot use shell expressions with IDN strings.


• From the first drop-down box in the lower line of the area, select an option to specify the object type that the string entered above should correspond to.

Select None if you do not want to specify an object type.

Select Web to specify the URL type for an object. Then select one of the following options from the drop-down box next to the first box:

• Any URL — Any type of URL will do for the object that should be stored.

• HTTP Request URL — The URL of the object that should be stored must be the one that is used in the HTTP request made for it.

• HTTP Response URL — The URL of the object that should be stored must be the one that is used in the HTTP response sent upon the request made for it.

• Description — In this input field you may enter a description of the object or object type that should be stored.

Note: Input in this field is optional.

Then use the following item to complete the configuration procedure:

• Add to Cachable Objects List — After specifying the information for the object, click this button to add it to the list. This addition will be valid only under the policy you are currently configuring.

To add an object to the list for all policies, select the checkbox labeled Add to all policies before clicking the button.

If an object that was configured under another policy is already on the list, the setting of the Add to all policies checkbox will have no effect.

Completing these steps adds an object or object type to the Cachable Objects List.

Note: You can also specify which objects should not be included in this list. This is done using the White List. To go there, click the Whitelist link provided here.

The Cachable Objects List is displayed at the bottom of this section. To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the corresponding input field.

Click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filtering term in this input field and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Move Up, Move Down — Select the entry you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position an entry takes in the list is important since whenever a URL is matched by more than one entry, the entry that is first in the list wins, which means the rule in question is executed while other rules in the list are ignored.
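The IDN conversion and the wildcard restriction described for the Cachable Objects List above can be checked outside the product. The following Python example is added here for illustration and is not part of McAfee Web Gateway; it uses Python's built-in "idna" codec for the IDNA ToASCII step and fnmatch for the * and ? shell expressions, and the entry kinds "String" and "International Domain Name" are taken from the drop-down labels in the text. The wildcard check for IDN entries is this example's own implementation of the note above, not the product's code.

```python
import fnmatch

# Shell-expression characters the guide allows in String entries but not in IDN entries.
SHELL_WILDCARDS = set("*?[]")


def to_dns_ascii(domain: str) -> str:
    """Convert a domain name to the pure ASCII notation used by DNS.

    Python's built-in "idna" codec performs the IDNA ToASCII step label by
    label: non-ASCII labels become Punycode with the "xn--" prefix, while
    pure ASCII labels pass through unchanged.
    """
    return domain.strip().rstrip(".").encode("idna").decode("ascii")


def is_valid_idn_entry(value: str) -> bool:
    """An International Domain Name entry must not contain shell expressions."""
    return not (SHELL_WILDCARDS & set(value))


def cachable_object_entry(kind: str, value: str) -> str:
    """Normalise one 'Add new entry' value as it would be stored in the list.

    kind is one of the two drop-down choices, "String" or
    "International Domain Name". String entries are stored as typed (they may
    carry * and ? wildcards); IDN entries are converted to ASCII notation and
    rejected if they contain wildcards, as the guide's note requires.
    (Hypothetical helper written for this example.)
    """
    if kind == "String":
        return value
    if kind == "International Domain Name":
        if not is_valid_idn_entry(value):
            raise ValueError("shell expressions cannot be used with IDN strings")
        return to_dns_ascii(value)
    raise ValueError(f"unknown entry kind: {kind!r}")


def host_matches_entry(entry: str, request_host: str) -> bool:
    """Match the host part of a request against a stored list entry.

    The request host is put through the same IDNA conversion, so a user who
    typed the Unicode form and a browser sending the ASCII form compare equal.
    fnmatchcase gives * and ? their shell meaning for String entries.
    """
    return fnmatch.fnmatchcase(to_dns_ascii(request_host).lower(), entry.lower())
```

Comparing in ASCII form on both sides is the important part: a list entry typed as "bücher.example" is stored as "xn--bcher-kva.example", and a browser that follows the IDNA standard sends exactly that host, so the two agree without any Unicode-aware matching.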


Cache settings

The Cache Settings options are invoked by clicking the corresponding button under Caching. They are described in the upcoming sections:

• Cache settings

• Cache rules

Cache settings

The Cache Settings tab looks like this:

There are two sections on this tab:

• Caching

• Complete Fetch Rules


Caching

The Caching section looks like this:

Using this section, you can configure a maximum size that should not be exceeded by objects stored in the McAfee Web Gateway cache.

After specifying the appropriate setting, click Apply Changes to make it effective.

Use the following item to configure the size limit:

• Do not cache objects larger than — In the input field provided here, enter the size (in kilobytes) that should not be exceeded by a cached object.

Using the drop-down list next to the field, you can select the unit: Byte, KB, MB, or GB. The default size is 5242 KB.

Complete Fetch Rules

The Complete Fetch Rules section looks like this:

Using this section, you can configure McAfee Web Gateway to complete the download of a requested object after the corresponding client connection has been closed.

If you want to use this feature, make sure the checkbox next to the section heading is selected. The checkbox is selected by default.

After modifying this setting or the settings for determining the conditions under which the download should be completed, click Apply Changes to make the modification effective.

Use the following items to configure the conditions under which a download is completed:

• Webwasher should complete a download even after the client has cancelled the connection if at least ... % are completed and the download is bigger than ... KB — In the two input fields provided here, enter the percentage of completion and the minimum size that must be reached for McAfee Web Gateway to fully complete the download of an object.

Using the drop-down list next to the byte input field, you can select the unit: Byte, KB, MB, or GB.

The default percentage is 85 % and the default minimum size is 1024 KB.


Cache rules

The Cache Rules tab looks like this:

There is the following section on this tab:

• Cache Revalidation Rules

Cache Revalidation Rules

Using this section, you can configure rules to determine the way web objects are cached and delivered by McAfee Web Gateway.

To do this, use the area labeled:

• Add new rule

Specify a rule using the following items:

• URL matches — In this input field enter a string to specify a URL that should be stored in the cache. You may also use shell expressions to specify a URL type.

• Always validate cache content — If you want a URL to be validated each time it is requested by a user, make sure this radio button is selected. The radio button is selected by default.

• Validate content (at least) every ... — To configure the validation of a requested URL after a given time interval has elapsed, select this radio button.

McAfee Web Gateway will perform a validation when either the interval configured here has elapsed or the expiration date of the URL has been reached, whichever of the two happens earlier. The expiration date is determined on the basis of data received from the corresponding web server.

If neither of the two intervals has elapsed when a URL is requested, no validation will take place.

To configure the validation interval, select a time unit (seconds, minutes, hours, days) from the drop-down list provided here and enter the corresponding number in the input field.


• Override Response Header — If you want McAfee Web Gateway to ignore the expiration date of a URL, select this checkbox. This date is determined on the basis of data received with the response header from the corresponding web server.

A validation will then only be performed if the URL is requested and the interval configured under Validate content (at least) every ... has elapsed.

• Description — In this input field you may enter a description of the rule you are presently configuring.

Note: Input in this field is optional.

Then use the following item to complete the configuration procedure:

• Add to Cache Rule List — After specifying the information for a rule, click this button to add it to the list.

The Cache Rule List is displayed at the bottom of this section. To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

Within the list, you can disable or enable a rule by selecting the Enabled checkbox of the corresponding entry.

After modifying this setting, click Apply Changes to make it effective. You can disable or enable more than one entry and make the changes effective in one go.

To edit an entry, type the appropriate text in the corresponding URL and Description input fields, specify the validation period using the corresponding input field and drop-down list under Period, and select or clear the Override checkbox.

Click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Move Up, Move Down — Select the entry you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position an entry takes in the list is important since whenever a URL is matched by more than one entry, the entry that is first in the list wins, which means the rule in question is executed while other rules in the list are ignored.
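The revalidation decision that the Cache Revalidation Rules section describes (always validate, validate after an interval or at header expiry, whichever comes first, or ignore the header when Override Response Header is set) and the first-match-wins ordering of the rule list can be written down as a small decision function. The Python below is an added example, not McAfee Web Gateway code: the CacheRule class, its field names and the no-rule fallback (honouring only the header expiry) are this example's own assumptions, while the time units and the three validation settings come from the text above.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

# Time units offered in the "Validate content (at least) every ..." drop-down.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


@dataclass
class CacheRule:
    """One entry of the Cache Rule List (hypothetical structure for this example)."""
    url_pattern: str               # "URL matches": literal URL or shell expression
    description: str = ""
    always_validate: bool = True   # "Always validate cache content" (default radio button)
    period: int = 0                # number entered next to "Validate content (at least) every ..."
    unit: str = "seconds"
    override_header: bool = False  # "Override Response Header" checkbox
    enabled: bool = True           # "Enabled" checkbox in the list

    def period_seconds(self) -> int:
        return self.period * UNIT_SECONDS[self.unit]


def find_rule(rules: List[CacheRule], url: str) -> Optional[CacheRule]:
    """Return the first enabled rule whose pattern matches the URL.

    List order decides: the first matching entry wins and later matching
    entries are ignored, which is why Move Up / Move Down matter.
    """
    for rule in rules:
        if rule.enabled and fnmatchcase(url, rule.url_pattern):
            return rule
    return None


def needs_revalidation(rule: Optional[CacheRule], cached_at: int,
                       expires_at: Optional[int], now: int) -> bool:
    """Decide whether a cached object must be validated with the web server.

    cached_at, expires_at and now are Unix timestamps in seconds; expires_at
    is the expiration date derived from the response header (None if the
    server sent none). Without a matching rule this example simply honours
    the header expiry; the guide does not state the no-rule behaviour, so
    that part is an assumption.
    """
    header_expired = expires_at is not None and now >= expires_at
    if rule is None:
        return header_expired
    if rule.always_validate:
        return True
    interval_elapsed = now - cached_at >= rule.period_seconds()
    if rule.override_header:
        # The expiration date from the response header is ignored; only the
        # configured interval counts.
        return interval_elapsed
    # Validate on whichever event comes first: interval elapsed or header expiry.
    return interval_elapsed or header_expired
```

A practical consequence of the override flag is visible in the function: with Override Response Header set, an object whose server-supplied expiry has long passed is still served from the cache until the configured interval elapses, so that option trades freshness for fewer origin requests and should be used with a short interval.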


Flush cache

The Flush Cache options are invoked by clicking the corresponding button under Caching. They are described in the upcoming section:

• Flush cache

Flush cache

The Flush Cache tab looks like this:

There is the following section on this tab:

• Flush Cache

Flush Cache

Using this section, you can configure the settings for the flushing of the McAfee Web Gateway cache and perform a flush.

Use the items provided under the following heading to configure the cache flush settings:

• Clear HTTP Cache of — The settings that you can configure here are as follows:

• URLs matching — Select this radio button to restrict the cache flush to particular URLs. In the input field provided here enter one or more URLs.

You may also use the following shell expressions to specify a URL type: * and ?.

• cached files bigger than — Select this radio button to restrict the cache flush to objects exceeding a given size limit. In the input field provided here enter this size (in kilobytes). The default size is 1024 KB.

• cached files older than — Select this radio button to restrict the cache flush to objects older than a given period of time. In the input field provided here enter the number of hours to specify this time. The default time is 24 hours.


• cached files of mediatype — Select this radio button to restrict the cache flush to a particular media type. From the drop-down list here, select the media type; for example, application/1bk.

• everything — If you want to flush the cache completely, make sure this radio button is selected. The radio button is selected by default.

After specifying the appropriate settings, use the following item to complete the flushing procedure:

• Flush — Click this button to perform the flush.


5 Proxies

Contents

Proxy configuration

HTTP proxy

HTTPS proxy

FTP proxy

E-mail gateway

Delivery options

Queue configuration

Relay protection

Exception lists

Load limits

POP3 access

ICAP(S) server

Progress indication methods

Own host name

IFP

WCCP

Proxy configuration

The functions described in this chapter are accessible over the Proxies tab of the user interface:

They allow you to set up McAfee Web Gateway (formerly Webwasher®) for running as a proxy server or as an e-mail gateway, and for communication according to various other protocols, such as ICAP, IFP, or WCCP.

Two more functional groups are available here when the license that McAfee Web Gateway is running with does not include the Anti-Spam product:

• Queue Handling

• Message Handling

These are usually available under the Anti Spam tab, which is then not visible. If they are available under the Proxies tab, corresponding buttons are added to the navigation panel on the left side of the interface area. They are grouped there with the E-Mail-Gateway buttons.

For a description of these functions, see the relevant sections of the McAfee Web Gateway Anti-Spam Administration Guide.


HTTP proxy

The HTTP Proxy options are invoked by clicking the corresponding button under Proxies.

If you want to enable any of these options, make sure the checkbox on this button is also selected. The checkbox is selected by default.

After modifying the setting of this checkbox, click Apply Changes to make the modification effective.

The options are described in the upcoming sections:

• Settings

• Next hop proxies

• Authentication

• ICAP services

• Transparent setup

Note: This tab is only available for appliance versions of McAfee Web Gateway.

When McAfee Web Gateway is run on the high-end appliance models, you can improve performance by setting up a single proxy process and linking it to multiple filtering processes.

More information about this is provided in an additional section:

• Running McAfee Web Gateway in a multi-process configuration


Settings

The Settings tab looks like this:

There are four sections on this tab:

• Port Settings

• Proxy Options

• Timeout Prevention

• IP Forwarding

In addition to the description of these sections, the window for configuring port settings is also described:

• Port Settings window


Port Settings

The Port Settings section looks like this:

This section displays a list of the ports that are opened by McAfee Web Gateway as listener ports for the ICAP client when McAfee Web Gateway is configured as an HTTP proxy. You can add entries to the list and edit or delete them.

Note: This section is also used for configuring McAfee Web Gateway as HTTPS proxy.

The default port has the port number 9090. This port is entered by default in the list and cannot be deleted. You may, however, change the port number.

Use the following button to add a port to the list:

• Add Proxy Port — Click this button to open a window where you can specify information on a new port and enter it in the list.

For a description of this window, see the Port Settings window subsection below.

The following information is provided in the list for each port:

• Address — IP address and port number of the port. The specification of the IP address is optional and may therefore not be displayed here.

• Allow access from — IP addresses of the sites that should have access to the port. An * in this field means that every site is allowed access.

• Policy — Policy that will be applied during communication with ICAP clients over the port.

This is not part of the authentication process for a client, but of the policy mapping that maps this client to a particular policy.

If no policy is selected here, there will be no particular policy for communication with a client over this port. Instead, the policy that was configured for the ICAP server will be used.

On the other hand, if a policy is selected here, the policy that was configured for the ICAP server will no longer be used.

• Transparent Proxy — Information whether McAfee Web Gateway is configured as a transparent proxy during communication with ICAP clients over this port.

• Transparent SSL — Information whether McAfee Web Gateway is configured to handle SSL connections in communication with HTTP and HTTPS clients over this port like transparent connections over this port.

Note: This option is only available for appliance versions of McAfee Web Gateway.

• HTTP Caching — Information whether the caching feature is enabled. This feature is enabled by default.

Note: This option is only available for appliance versions of McAfee Web Gateway.

To edit an entry, type the appropriate text in the input fields of the Address and Allow access from columns, select a policy from the Policy drop-down list in the same line, and select or deselect the corresponding Transparent Proxy, Transparent SSL, and HTTP Caching checkboxes as required.

Click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following item to delete entries that are in the list:

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, with the exception of the default listener port, select the Select all checkbox and click this button.

Port Settings window

The Port Settings window opens after clicking Add Proxy Port. It looks like this:

Using this window you can add a port to the list of listener ports that McAfee Web Gateway opens for communication with clients when it is configured as HTTP or HTTPS proxy.

Use the following items to add a port to the list:

• Port — In this input field, specify the IP address and the port number of the port.

The input format is: [IP]:port

Note: For security reasons, McAfee Web Gateway runs with plain user rights rather than root rights. It therefore cannot bind a privileged port (below 1024) at runtime. If you specify a privileged port, you must restart McAfee Web Gateway to make it available.

• Allow access from — In this input field, specify the IP addresses of the sites that should have access to the port.

The input format is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.

Entering an * in this field means to allow every site access.

• Use Policy — From the drop-down list provided here, select a policy that will be applied during communication with clients over this port.

This is not part of the authentication process for a client, but of the policy mapping that maps this client to a particular policy.

If no policy is selected here, there is no port-specific policy; the policy that was configured for the ICAP server is used instead. If a policy is selected here, it replaces the ICAP server policy for connections over this port.

• Serve non-proxy requests (transparent proxy) — Select this checkbox to let McAfee Web Gateway act as a transparent proxy for clients connecting over this port, that is, to also serve requests that are not formulated as proxy requests.

Note: This option is only available when McAfee Web Gateway is running on an appliance.

• Handle proxy SSL connections like transparent connections (Transparent SSL) — Select this checkbox to let McAfee Web Gateway accept SSL connections when communicating with HTTP and HTTPS clients over this port, but handle them as if they were transparent connections.

Note: This option is only available when McAfee Web Gateway is running on an appliance.

Transparent handling means that McAfee Web Gateway does not try to verify the Common Name of the server certificate and does not use the IP address received in the CONNECT request to issue a certificate, but uses the data provided by the original server certificate.

If a Web server presents a certificate with a bad Common Name, McAfee Web Gateway does not detect this but passes the certificate on to the client, where the Common Name mismatch becomes visible.

Note: This feature applies when a Sidewinder firewall passes HTTPS traffic transparently on to McAfee Web Gateway. Sidewinder then creates a CONNECT request with the original destination IP address as the host name.

If McAfee Web Gateway treated this as a normal proxy request, it would nearly always result in a Common Name mismatch.

• Use Port for HTTP Caching — If you want to use the port you are configuring here for HTTP caching, make sure this checkbox is selected. The checkbox is selected by default.

Note: This option is only available when McAfee Web Gateway is running on an appliance and if available, it is enabled by default.

• Add — After specifying the appropriate information about a port, click this button to add it to the list.

If the addition was successful, a corresponding message is displayed in this window. You can then go on to add another port to the list.

• Close — Click this button to close the window and return to the Settings tab.

Proxy Options

The Proxy Options section looks like this:

Using this section, you can specify a number of settings for the clients communicating with McAfee Web Gateway when it is configured as HTTP proxy.

Note that this section is also used for configuring McAfee Web Gateway as HTTPS proxy.

So, whenever HTTP is mentioned in the following, the statement in question is valid also with regard to an HTTPS configuration.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure these proxy options:

• ... retries on server overload when connected directly — Select a number from the drop-down list provided here to configure how many times a retry will be performed over a direct connection when the server is overloaded.

• Add ’Via’ header to HTTP header — Select this option to let McAfee Web Gateway add a Via header to the REQUEST and RESPONSE headers.

The Via header is used to track message forwards, avoid request loops, and identify the protocol capabilities (HTTP 1.0 or 1.1) of all senders along the request/response chain.

• Treat FTP over HTTP as native FTP — If this option is enabled while McAfee Web Gateway is used as a proxy server, no user credentials are transmitted unless username and password are already provided in the URL. Keep in mind that credentials embedded in an ftp:// URL travel in clear text and end up in proxy and server logs.

There are two kinds of FTP requests: those coming from a native FTP client using the real FTP, and those coming via HTTP but for URLs beginning with ftp://.

For the latter, the last HTTP proxy in the chain has to convert the HTTP commands into native FTP in order to connect to the FTP server. McAfee Web Gateway can establish direct connections, as well as make use of parent HTTP and FTP proxies.

Native FTP requests will always use the configured next hop FTP proxy (if any) or direct FTP connections.

FTP requests over HTTP usually check for the HTTP proxy settings and use the next hop HTTP proxy (if any) or direct FTP connections.

Enabling the present option will change this behavior and let an FTP request that came in via HTTP use the next hop FTP proxy settings, while the next hop HTTP proxy settings are ignored.

This means that these requests will use the configured next hop FTP proxy (if any) or direct FTP connections.

• Send error message for CONNECT request via HTTPS — Select this checkbox if you want McAfee Web Gateway to send an error message to a client that submits a CONNECT request via HTTPS.

• Perform REQMOD request for CONNECT header — Defines whether a REQMOD request is performed for the CONNECT header (in a proxy deployment) or the pseudo CONNECT header (in a transparent environment).

Note: This setting will be ignored if the HTTPS proxy is licensed and enabled.

• Initial connection timeout — In the input field provided here, enter the time interval (in seconds) for the timeout that may elapse at the beginning when a connection is set up.

If this interval elapses without any communication activities having occurred, no further attempts are made to set up the connection.

• Persistent connection timeout — In the input field provided here, enter the time interval (in seconds) for a persistent connection timeout.

If this interval elapses without any communication activities having occurred on the connection between McAfee Web Gateway and the client, the connection is closed down.

• Dead client timeout — In the input field provided here, enter the time interval (in seconds) for the dead client timeout.

If this interval elapses without any communication activities having occurred on the connection from the side of the client, the connection is closed down.

Note: This value applies also when McAfee Web Gateway is configured as ICAP server or HTTPS proxy.

• Maximum header length — In the input field provided here, enter the maximum length (in bytes) for the header of a request sent by the client to McAfee Web Gateway.

If this length is exceeded, the request is denied by McAfee Web Gateway.

Note: This value applies to all headers that are parsed in McAfee Web Gateway communication, including the ICAP header and the HTTP response header sent by the server.

• Ports allowed for CONNECT requests — In the input field provided here, enter the port or ports you want to allow for CONNECT requests. Separate multiple entries by commas.

To allow all ports for CONNECT requests, enter an *. Note that a CONNECT tunnel passes opaque TCP traffic, so an * lets clients tunnel any protocol through the proxy; restrict this list to the ports your SSL servers actually use.

Regardless of the value configured here, a CONNECT to port 443 is always allowed. Port 443 is the port that an SSL server usually listens on. Some SSL servers, however, listen on other ports. In this case, you can tell McAfee Web Gateway which ports belong to SSL-secured connections.

Use the Transparent SSL Scanning Setup section on the Settings tab under Proxies > HTTPS Proxy for this purpose.

Timeout Prevention

The Timeout Prevention section looks like this:

Using this section, you can configure methods for preventing timeouts on client connections.

McAfee Web Gateway tries to forward data as soon as it becomes available, but there are situations in which this does not work: for many file types, an antivirus scanner needs to see the complete file before it can scan for viruses.

This means that the HTTP proxy server cannot forward any data to the browser until the complete file has been received on the gateway and the scan process is complete.

Depending on the size of the file and the network connection, this can take a long time, and a browser connection could even time out. (Third-party ICAP servers attached to the HTTP proxy RESPMOD pipe can show the same behavior of not returning any data before the complete file is received.)

For situations such as these, McAfee Web Gateway provides methods for preventing timeouts, by sending either an empty line or an HTTP header line every n seconds.

This feature should be used depending on your network configuration and your filter settings.

The Timeout Prevention feature is not enabled by default. To enable it select the checkbox next to the section heading. After configuring its settings, click Apply Changes to make them effective.

Use the following items to configure timeout prevention:

• Webwasher should send every . . . seconds — Enter the number of seconds here to determine the frequency of applying the methods configured below.

• an empty line — This method sends empty lines before the HTTP response.

It works with many Internet browsers, but could fail with intermediate proxy servers (between McAfee Web Gateway and the client) because it does not strictly follow the HTTP protocol standard: a response is expected to begin with a status line.

• an HTTP header line — This method is fully backed by the HTTP standard. The first line of the reply header (the status line) is sent at the beginning, and then additional header lines are sent to keep the connection alive.

There is, however, no guarantee that all intermediate proxies accept a header that is split into many TCP segments.

A second disadvantage is that McAfee Web Gateway has already sent the status line and cannot change it afterwards, for example, after a virus is detected. In this case, the user would see an error message, but it would be transferred with a 200 OK status code, which is not ideal.
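The trade-off between the two methods is easiest to see on the wire. The following Python is an added example, not McAfee code: build_stream produces the bytes a scanning proxy would send to a waiting client with either method, and parse_response reads them back once strictly (as an intermediate proxy might) and once tolerantly (as a lenient browser does). The scan verdict, the block page text, and the X-Keep-Alive padding header name are constructed for the demonstration.

```python
import re

# Added example, not McAfee code: the two timeout-prevention methods as byte streams,
# plus a strict and a tolerant response parser to show where each method breaks.
CRLF = b"\r\n"


def build_stream(method, ticks, infected):
    """Bytes the gateway would write to the client for one held-back response.

    method   "empty"  -> one empty line per tick, then the complete response
             "header" -> status line first, one padding header line per tick, then the rest
    infected is the constructed scan verdict, which only becomes known after the
    whole file was received, i.e. after all padding has already been sent.
    The X-Keep-Alive padding header name is an assumption.
    """
    if infected:
        status, body = b"HTTP/1.1 403 Forbidden", b"<html>Blocked: virus found</html>"
    else:
        status, body = b"HTTP/1.1 200 OK", b"<html>clean file</html>"
    headers = b"Content-Type: text/html" + CRLF + b"Content-Length: %d" % len(body) + CRLF
    if method == "empty":
        # Nothing committal sent yet: the real status line can still carry the verdict.
        return CRLF * ticks + status + CRLF + headers + CRLF + body
    if method == "header":
        # The status line went out before the verdict existed and cannot be changed now,
        # so a block page for an infected file is delivered with 200 OK.
        padding = b"".join(b"X-Keep-Alive: %d" % i + CRLF for i in range(ticks))
        return b"HTTP/1.1 200 OK" + CRLF + padding + headers + CRLF + body
    raise ValueError("unknown method: %s" % method)


def parse_response(data, tolerate_leading_crlf=False):
    """Minimal HTTP/1.x response parser returning (status_code, headers, body).

    Raises ValueError, as a strict intermediary would, when the stream does not
    begin with a status line. tolerate_leading_crlf models a lenient browser.
    """
    if tolerate_leading_crlf:
        data = data.lstrip(b"\r\n")
    head, sep, body = data.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    m = re.match(rb"HTTP/1\.[01] (\d{3}) ", lines[0])
    if not m:
        raise ValueError("stream does not begin with a status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def strict_parser_accepts(data):
    """True if a strict parser can read the stream at all."""
    try:
        parse_response(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for method in ("empty", "header"):
        stream = build_stream(method, 3, infected=True)
        print(method, "strict:", strict_parser_accepts(stream),
              "tolerant:", parse_response(stream, tolerate_leading_crlf=True)[0])
```

With the empty-line method the strict parser rejects the stream outright while the tolerant one still receives the correct 403 for an infected file; with the header-line method every parser accepts the stream, but the infected file's block page arrives with status 200.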

IP Forwarding

The IP Forwarding section looks like this:

Using this section, you can configure the forwarding of the client IP address.

Another proxy in the chain may need information about this address. So, you can tell McAfee Web Gateway to include the client IP address in an HTTP header field.

The header then carries the client IP address to whatever receives the request next, such as the next hop proxy or the Web server.

The IP Forwarding option is not enabled by default. To enable it, select the checkbox next to the section heading. After specifying a header field name, click Apply Changes to make this setting effective.

Use the following input field to configure IP forwarding:

• as . . . header — Enter the name of the header field that will carry the client IP address to the next hop. By default, this field name is X-Forwarded-For.
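A forwarded client address is only as trustworthy as the chain of proxies that wrote it, since any client can send its own X-Forwarded-For header. The following Python is an added example, not McAfee code: add_forwarded_for shows the gateway side (appending the client address to the configured header rather than overwriting upstream hops), and client_ip_from_chain shows how a next hop proxy or Web server should read the header, honoring it only when the request arrives from a trusted proxy and walking the chain from the right. The addresses and the trusted proxy network are constructed.

```python
import ipaddress

# Added example, not McAfee code: what IP Forwarding writes, and how a downstream
# consumer should read it without trusting a client-supplied value.
DEFAULT_HEADER = "X-Forwarded-For"   # the default field name from the IP Forwarding section


def add_forwarded_for(headers, client_ip, header_name=DEFAULT_HEADER):
    """Gateway side: append client_ip to the configured header, keeping earlier hops.

    Appending rather than overwriting preserves addresses recorded by proxies
    upstream of the gateway, so the next hop sees the whole chain.
    """
    key = next((k for k in headers if k.lower() == header_name.lower()), header_name)
    existing = headers.get(key, "").strip()
    headers[key] = "%s, %s" % (existing, client_ip) if existing else client_ip
    return headers


def client_ip_from_chain(headers, peer_ip, trusted_proxies, header_name=DEFAULT_HEADER):
    """Consumer side (next hop proxy or Web server): recover the real client address.

    The header is only honored when the request arrived from a trusted proxy;
    its values are then read from the right (the hop appended last), skipping
    trusted proxy addresses. The first address not belonging to a trusted proxy
    is the client; anything further left was supplied by an untrusted party and
    may be forged.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in trusted)

    if not is_trusted(peer_ip):
        return peer_ip                 # direct connection: ignore any header the peer sent
    value = next((v for k, v in headers.items() if k.lower() == header_name.lower()), "")
    hops = [h.strip() for h in value.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return peer_ip                     # chain contained only trusted proxies


if __name__ == "__main__":
    # A client at 10.0.0.5 forged a header claiming 1.2.3.4; the gateway (192.0.2.1) appended the truth.
    h = add_forwarded_for({"X-Forwarded-For": "1.2.3.4"}, "10.0.0.5")
    print(h, "->", client_ip_from_chain(h, "192.0.2.1", ["192.0.2.0/24"]))
```

The downstream rule of thumb: never take the leftmost address, which is the one a client controls, and never honor the header at all unless the peer that delivered it is one of your own proxies.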

Next hop proxies

The Next Hop Proxies tab looks like this:

There is the following section on this tab:

• Use Next Hop Proxies

Use Next Hop Proxies

Using this section, you can configure next hop proxies for HTTP connections. You can specify the URLs that next hop proxies should be used for, as well as the mode of this usage and the next hop proxies to be used.

The Use Next Hop Proxies feature is not enabled by default. To enable it, select the checkbox next to the section heading. Click Apply Changes to make this setting effective.

Furthermore, use the following items to configure next hop proxies:

• Do not use next hops for local addresses — Enable this option to prevent the use of next hop proxies for local addresses.

Click Apply Changes to make this setting effective.

Local addresses have no dots (.) within their specifications. So, after enabling this option, you can fine-tune McAfee Web Gateway in an intranet and enter the name of a local server in the browser, such as server_name, instead of typing a URL, such as http://server_name.fooo.com.

McAfee Web Gateway will then contact this local server directly without using the configured proxy.

Tip: Using this option speeds up internal connections and reduces load on the proxy server.

• if URL matches — Enter a matching term here. If a URL matches this term, the next hop proxies configured further below are used for it, in the usage mode configured for them.

• and DNS lookup results in — Specify a particular IP address, or an IP address with a NetMask, or an IP range here.

If the address information that the above URL is resolved to by the Domain Name Server matches the address or the masked address specified here, or is found within the address range specified here, the next hop proxies and usage configured below will be applied.

The input format is:

(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]

If you enter an asterisk (*), all IP addresses are covered. This means that the next hop proxies configured below are used regardless of the resolved address, and no DNS lookup is performed, as there is nothing to look up in this case.

• use mode — From this drop-down list, select the mode to be used for the URLs and next hop proxies specified here. The following modes are available:

• None — This mode uses no next hop proxies. Direct connections will be used instead.

• specific — In this mode, one specific next hop is set for the URLs configured above.

• failover — In this mode, the first next hop in the participants list is tried first. If it fails, it is retried until its configured retry maximum has been reached.

Then the second next hop proxy in the participants list is tried, and so on.

• round robin — In this mode, the next hop proxy that follows the one used last in the participants list is used.

The participants list is thus used in a circular manner: when the end of the list has been reached, selection of next hop proxies restarts from the beginning.

• participating next hops — In this input field, enter the next hop proxies that should be used for the URLs specified here.

To do this, type a proxy name or select one from the drop-down list to the right of this input field. You can add more than one proxy by repeating this operation.

The drop-down list shows select one to add as its topmost entry. If no next hop proxies have been configured yet, the topmost entry reads no next hops defined.

To configure next hop proxies, click Define Next Hop Proxies, which is located further to the right.

This will open a window, where you can specify the information required to configure a next hop proxy.

For the description of this window, see the Available proxies subsection further below.

• Add Entry to List — After specifying the appropriate information about a next hop proxy, click this button to add it to the list.

The list of next hop proxies is displayed at the bottom of this section. For each entry, it provides the information that is specified when a new entry is added.

You can edit list entries, move them up and down in the list, or delete them.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key on your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input fields of the URL, IP, use mode, and participating next hops columns. Click Apply Changes to make this setting effective. You can edit more than one entry and make the changes effective in one go.

The list also contains an entry with * as value for the URL parameter. It is always in last position within the list and cannot be deleted. By editing this entry, you can configure a next hop proxy setting for all URLs that are not represented by a particular entry in the list.

Since the * entry is last in the list, it becomes effective only after all other list entries were read by McAfee Web Gateway and used for establishing next hop proxy connections.

By default none is specified as mode for the * entry, which means that there will be no next hop proxy connections for URLs that are not otherwise included in the list.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input fields above the URL, use mode, or participating next hops columns, or in a combination of them, and enter it using the Enter key of your keyboard.

The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Move Up, Move Down — Select the entry you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position an entry takes in the list is important since whenever there is more than one entry in the list containing information on a particular URL or next hop proxy, the entry that is first in the list wins.
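The Allow access from field of the Port Settings window and the and DNS lookup results in field on this tab share the same (IP | IP/NetMask | IP range) list format, and the rules above define how a URL is matched to a next hop setting. The following Python is an added example, not McAfee code, that parses that address-list format and applies the selection rules as described: hosts without a dot bypass next hops when Do not use next hops for local addresses is on, rules are evaluated top to bottom with the first match winning, an * in the DNS field skips the lookup, and the undeletable * URL entry catches everything else. Assumptions: the URL matching term is a shell-style wildcard, an IP range is written first-last, DNS resolution is a callback with constructed answers, and the rule set and proxy names pxy1 to pxy3 are constructed.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit


# Added example, not McAfee code. Parser for the (IP | IP/NetMask | IP range) [, ...]
# format used by 'Allow access from' and 'and DNS lookup results in'.
def parse_ip_list(spec):
    """Return a predicate ip -> bool. '*' matches every address.

    Assumption: an IP range is written as 'first-last' (the guide does not spell
    the range syntax out). NetMask may be a prefix length or a dotted mask.
    """
    spec = spec.strip()
    if spec == "*":
        return lambda ip: True
    nets, ranges = [], []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            ranges.append((lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))

    def match(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets) or any(lo <= addr <= hi for lo, hi in ranges)
    return match


class NextHopRule:
    """One line of the Use Next Hop Proxies list: URL term, DNS condition, mode, participants."""
    def __init__(self, url_term, dns_spec, mode, participants):
        self.url_term = url_term                      # assumption: shell-style wildcard term
        self.skip_lookup = dns_spec.strip() == "*"    # '*' means: no DNS lookup at all
        self.dns_match = parse_ip_list(dns_spec)
        self.mode = mode                              # none | specific | failover | round robin
        self.participants = list(participants)


def select_next_hops(url, rules, resolve, skip_local=True):
    """Return (mode, participants) for url. First matching rule wins; the '*' entry is last.

    resolve(host) -> IP string (or None) is injected so the example runs offline.
    skip_local mirrors 'Do not use next hops for local addresses': a host name
    without a dot is contacted directly.
    """
    host = urlsplit(url).hostname or ""
    if skip_local and "." not in host:
        return ("none", [])
    resolved = None
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule.url_term):
            continue
        if not rule.skip_lookup:
            if resolved is None:
                resolved = resolve(host)              # looked up once, reused by later rules
            if resolved is None or not rule.dns_match(resolved):
                continue
        return (rule.mode, rule.participants)
    return ("none", [])


# Constructed rule set and DNS answers for demonstration.
RULES = [
    NextHopRule("http://*.example.com/*", "198.51.100.0/24, 192.0.2.10-192.0.2.20",
                "failover", ["pxy1", "pxy2"]),
    NextHopRule("http://*.example.com/*", "*", "specific", ["pxy3"]),
    NextHopRule("*", "*", "round robin", ["pxy1", "pxy3"]),   # the undeletable '*' entry, edited
]
DNS = {"www.example.com": "198.51.100.10", "cdn.example.com": "203.0.113.4"}

if __name__ == "__main__":
    for u in ("http://www.example.com/index.html", "http://cdn.example.com/x",
              "http://intranet/", "http://other.org/"):
        print(u, "->", select_next_hops(u, RULES, DNS.get))
```

Note that the two example.com rules differ only in their DNS condition, which is exactly why order matters: swapped, the specific rule with its * DNS field would match every example.com URL first and the failover rule would never be reached.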

Available proxies

The section in this window allows you to configure next hop proxies for all kinds of connections. These will then be available for selection on the Use Next Hop Proxies tab.

After specifying the appropriate settings for a next hop proxy, it is added to the list of available next hop proxies by clicking Add.

The list is displayed at the bottom of the section. You can modify the settings for each proxy that is shown in the list.

Use the following items for configuring available next hop proxies:

• Name — In this input field, enter the name of the next hop proxy you want to configure.

If you leave the field empty, a name will be generated by McAfee Web Gateway, such as pxy1, and inserted in this field after clicking Add.

The name can be modified after the new proxy has been included in the list.

• Proxy server address — In the input fields provided here, enter the address of the server you want to make available as next hop proxy:

• Host — Enter the IP address or URL of this server here.

• Port — Enter the port number of the port for connecting to this server here.

• Proxy authorization — In the input fields provided here, enter the credentials that McAfee Web Gateway should use for authentication at the next hop proxy:

• Username — Enter the username here.

• Password — Enter the password here.

• Connection behavior — Use the items provided here to configure the connection behavior:

• Retry . . . times on failure for this proxy — From the drop-down list provided here, select the number of retries you want to configure for a next hop proxy. You can configure up to three retries.

When the maximum number of retries has been reached, McAfee Web Gateway will try to establish a connection using another next hop proxy, according to what has been configured on the Use Next Hop Proxies tab; for example, failover or round robin.

• Do not retry proxy for . . . minutes when it has reached . . . times within 10 seconds its maximum number of retries — In the input fields provided here, enter the time information that causes a connection break, that is, an interval during which McAfee Web Gateway does not retry a next hop proxy after connections to it have repeatedly failed.

In the first input field, enter the time (in minutes) that the connection break should last.

In the second input field, specify how often the maximum number of retries must have been reached within 10 seconds before the connection break starts.

• use persistent connections — If you want McAfee Web Gateway to use persistent connections to the next hop proxies, make sure this checkbox is selected. The checkbox is selected by default.

McAfee Web Gateway will try to meet this requirement by establishing persistent connections, but may fail to do so in some situations.

You will then see that the failed counter in the list of available next hop proxies displays an increased value for the connection to the next hop proxy in question.

In this case, you might deselect the checkbox to disable the option.

Caution: Disabling this option will reduce performance.

• Add — After specifying the appropriate information for the server you want to make available as next hop proxy, click this button to add it to the list of available next hop proxies.

The list of available next hop proxies is displayed at the bottom of this section. For each entry, it provides the information that is specified when a new entry is added. Furthermore statistical figures are displayed on the reliability of next hop proxies.

You can edit list entries, delete them and reset the statistics.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, click the View Details and Edit link in the same line. This will reopen the window and this section with the information concerning the next hop proxy in question, so you can modify it.

After completing the modification, click Modify, which is provided now instead of the Add button, to make it effective. If you want to clear the information before modifying the settings for a next hop proxy, click Clear Input.

Apart from the information that was specified when a new entry was added to the list, such as the proxy name and address, the list displays statistical figures on the reliability of each next hop proxy.

The following information is provided in the columns of the list:

• reliability — Reliability of a next hop proxy.

The reliability is calculated as the percentage of attempts to establish a connection to the next hop proxy that were successful in relation to the overall number of attempts.

• tried — Number of times that McAfee Web Gateway tried to establish a connection to a proxy.

• failed — Number of times that an attempt by McAfee Web Gateway to establish a connection to a proxy failed.

• last fail — Date and time of the last time that an attempt by McAfee Web Gateway to establish a connection to a proxy failed.

• do not retry reached — Date and time of the last time that a situation was reached where McAfee Web Gateway did not retry a next hop proxy over a given period of time.

The length of this period depends on what you configured under Do not retry proxy for . . . minutes when it has reached . . . times within 10 seconds its maximum number of retries, see above.

If the do-not-retry period is still in effect, so that McAfee Web Gateway is currently not retrying the next hop proxy in question, the date and time values are displayed in red.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input fields above the Name, Proxy, or Port columns or in a combination of them and enter this using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Reset Statistics — Click this button to reset the statistical figures shown in the list for reliability of next hop proxies.

• Reset do not retry — Click this button to reset the statistics only for the do not retry reached parameter.

To return to the Next Hop Proxies tab, click Close.

The next hop proxy you added to the list, will also appear and be available in the list of next hop proxies, which is displayed at the bottom of the Use Next Hop Proxies section on that tab.
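The retry count, the connection break, and the use modes described above interact per request. The following Python is an added example, not McAfee code: NextHopProxy keeps the tried, failed, last fail and do not retry reached statistics of one entry in the list of available proxies, its attempt method applies Retry . . . times on failure and opens the connection break once the retry maximum has been reached the configured number of times within 10 seconds, and NextHopSelector applies the specific, failover and round robin modes to a participants list. The connect callback and the clock are injected so the example runs offline, the proxy names and reachability are constructed, and the exact moment at which the break opens and the sliding window is reset are assumptions, since the guide does not specify them.

```python
import time
from collections import deque


# Added example, not McAfee code: connection behavior of one 'Available proxies' entry.
class NextHopProxy:
    def __init__(self, name, host, port, max_retries=3, break_minutes=5, break_hits=3,
                 clock=time.time):
        self.name, self.host, self.port = name, host, port
        self.max_retries = max_retries            # 'Retry ... times on failure' (up to 3)
        self.break_seconds = break_minutes * 60   # 'Do not retry proxy for ... minutes'
        self.break_hits = break_hits              # '... when it has reached ... times within 10 seconds'
        self.clock = clock                        # injected so tests can fake time
        self.tried = 0                            # list columns: tried, failed, last fail,
        self.failed = 0                           # do not retry reached
        self.last_fail = None
        self.do_not_retry_reached = None
        self.exhaustions = deque()                # times at which the retry maximum was reached

    def in_break(self):
        """True while the do-not-retry period is in effect (shown in red in the list)."""
        return (self.do_not_retry_reached is not None
                and self.clock() < self.do_not_retry_reached + self.break_seconds)

    def reliability(self):
        """Percentage of successful connection attempts (100% before any attempt)."""
        return 100.0 if self.tried == 0 else 100.0 * (self.tried - self.failed) / self.tried

    def attempt(self, connect):
        """Try connect(host, port) once plus max_retries times. True if a connection succeeded.

        Reaching the retry maximum counts as one exhaustion; break_hits exhaustions
        within 10 seconds start the connection break. Assumption: the break opens on
        the exhaustion that completes the count and the 10-second window is then reset.
        """
        if self.in_break():
            return False
        for _ in range(1 + self.max_retries):
            self.tried += 1
            if connect(self.host, self.port):
                return True
            self.failed += 1
            self.last_fail = self.clock()
        now = self.clock()
        self.exhaustions.append(now)
        while now - self.exhaustions[0] > 10:
            self.exhaustions.popleft()
        if len(self.exhaustions) >= self.break_hits:
            self.do_not_retry_reached = now
            self.exhaustions.clear()
        return False


class NextHopSelector:
    """Applies the use mode of a matching rule to its participants list."""
    def __init__(self, proxies):
        self.proxies = {p.name: p for p in proxies}
        self.rr_next = 0                          # position after the one used last

    def connect(self, mode, participants, connect):
        """Return the name of the next hop that accepted the connection, or None (direct)."""
        if mode == "none" or not participants:
            return None
        if mode == "specific":
            order = participants[:1]
        elif mode == "failover":
            order = list(participants)            # first listed first, then the next, ...
        elif mode == "round robin":
            start = self.rr_next % len(participants)
            order = participants[start:] + participants[:start]
            self.rr_next = start + 1              # circular: wraps via the modulo above
        else:
            raise ValueError("unknown use mode: %s" % mode)
        for name in order:
            if self.proxies[name].attempt(connect):
                return name
        return None


if __name__ == "__main__":
    # Constructed scenario: pxy1 is down, pxy2 is up; two failover attempts open pxy1's break.
    up = {"proxy2.example"}
    sel = NextHopSelector([NextHopProxy("pxy1", "proxy1.example", 3128, max_retries=2, break_hits=2),
                           NextHopProxy("pxy2", "proxy2.example", 3128)])
    for _ in range(3):
        print(sel.connect("failover", ["pxy1", "pxy2"], lambda h, p: h in up),
              {n: (q.tried, q.failed, q.in_break()) for n, q in sel.proxies.items()})
```

Once the break is open, the failing proxy is skipped without any connection attempt, so its tried counter stops growing for the configured number of minutes while the remaining participants carry the traffic; this is the effect you see when the do not retry reached timestamp turns red in the list.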

Authentication

The Authentication tab looks like this:

At the top of this tab, there is a button labeled:

• Define Proxy Authentication Options — Click this button to configure some additional options relating to all kinds of proxies. This will open the Define Proxy Authentication Options window where you can specify the appropriate settings.

Furthermore, there are five sections on this tab:

• Authentication Process

• Authentication Options

• NTLM and NTLM-Agent Authentication Options

• User Database Authentication Options

• IP Forwarding

In addition to this, two sample procedures are described here. One is for the eDirectory authentication method and the other is for skipping authentication, which you may wish to do in some situations:

• Configuring the eDirectory authentication method

• Skipping authentication

Authentication Process

The Authentication Process section looks like this:

Using this section, you can configure where users are authenticated. The authentication process may involve an LDAP or NTLM server, a Radius server, or the User Database provided by McAfee Web Gateway.

Furthermore, there is also an option for configuring the use of a Novell eDirectory server, which will then take the role of an LDAP server, in order to authenticate users.

On this server, information is stored about the IP addresses of authenticated users, which can be extracted and used by McAfee Web Gateway for the authentication process. The name of the field where the IP address of a user is stored is NetworkAddress. The port number can be stored there with the address.

The field is in binary format, which means that no wildcard queries can be performed for user addresses. Instead, McAfee Web Gateway periodically polls the eDirectory to retrieve the addresses of the users that logged in since the last request. The structure of this search is reflected in a filtering term, which is configured together with the settings for the LDAP method, see further below.

Make sure the NetworkAddress field is visible when the user information is looked at via the LDAP server interface. Otherwise, McAfee Web Gateway will not be able to extract the information.

You can select two of the methods mentioned above and configure them for user authentication here. The methods are applied in the order you configure them. A user is successfully authenticated only if both of the configured methods produce a match.

After selecting a method, you can specify further settings that are relevant to this method in other sections of this tab and in the window that appears after clicking the Define Proxy Authentication Options button in the top area of this tab.

For the NTLM and NTLM-Agent methods, this can be done in the NTLM and NTLM-Agent Authentication Options section, and for the User Database method in the User Database Authentication Options section on this tab.

For the LDAP method, there is the LDAP Authentication section in the Define Proxy Authentication Options window, where you also find the Radius Authentication section for the Radius server method.

If you select the eDirectory method, you can also configure the use of a filter for searching the user information that is needed in the authentication process.

This is done in the Novell eDirectory IP Filter input field, which is provided in the LDAP Authentication section of the Define Proxy Authentication Options window.

A filtering term has been entered in this field, which should not be altered since this will prevent McAfee Web Gateway from extracting the appropriate user information.

The name of the storage field on the eDirectory server has also been preconfigured as one of the additional settings of the LDAP method and should likewise not be altered.

Furthermore, you can configure the eDirectory option as part of the Web mapping process. There will be a lookup of these addresses then on the eDirectory server before they are mapped to security policies configured within McAfee Web Gateway.

Use the Mapping Process section of the Rate limiting tab under User Management to configure these settings.

A sample procedure for configuring the eDirectory authentication method is provided in the Configuring the eDirectory authentication method section.

In some situations, you may also wish to skip authentication, for example, when an application such as the Microsoft Windows Media Player cannot handle authentication but still needs to connect to the Internet through McAfee Web Gateway.

Furthermore, there may be users who need to access internal domains without authenticating. For employees of McAfee, for example, www.mcafee.com would be a domain that they need to access without authenticating. A procedure for cases like this is provided in the Skipping authentication section.

After specifying the appropriate settings here, click Apply Changes to make them effective.

Use the following drop-down lists to configure user authentication:

• Authentication methods list 1 — Select a method for user authentication from this drop-down list.

If you select an additional method from the second list, they are applied according to their order. In this case, a user needs to be authenticated under both methods in order to get access.

The following methods are available: NTLM, NTLM Agent, LDAP, eDirectory, User Database, and Radius.

• Authentication methods list 2 — Select a method for user authentication in the same way as described above from this drop-down list.

If you select an additional method here, they are applied according to their order. In this case, a user needs to be authenticated under both methods in order to get access.

You may also select None here, and have just one method for authenticating users.

Configuring the eDirectory authentication method

The following procedure describes how to configure an authentication method that uses the information stored on a Novell eDirectory server.

This method is then configured as part of a web mapping that maps users of a given group to a particular policy.

It is also shown how to specify the appropriate settings for the LDAP server configuration.

Proceed as follows:

1 In the Authentication Process section of the Authentication tab, select eDirectory as method from the first drop-down list.

2 Click Apply Changes to make this setting effective.

3 Go to the Web Mapping tab under User Management > Policy Management.

4 In the Mapping Process section of that tab, set up a mapping method that maps users based on their IP addresses and using the eDirectory authentication method.

To do this, select the following in the first line under Mapping Order for REQMOD:

• From the Map from drop-down list, select IP.

• From the Map via drop-down list, select via eDirectory.

The resulting scheme is then displayed under Using these rules.

5 Click Edit rules and options in the same line. This will take you to the IP based mapping tab, where you can set up mapping rules for authenticated users.

6 On this tab, leave the default settings of the first three sections as they are.

Note: Using the Standard Meta (ICAP) Header (X-Client-IP) for the IP address search will work fine as long as McAfee Web Gateway is configured as proxy.

7 In the Add Rule section, add a rule that maps the users of a given group to a particular policy:

• Select a policy from the drop-down list provided here; for example, edirpolicy.

If no existing policy suits your needs, configure a new one using the Create New Policy section on the Management tab under User Management > Policy Management.

• Type the name of the user group in the input field next to the list; for example, edirgroup.

The users of this group must be stored on the eDirectory server together with information specifying the group.

8 Click Add First to add the rule to the rules list, which is displayed below the Add Rule section under Current Rules.

9 Click Configure LDAP Server at the top of this tab, to go to the LDAP Connection tab, where you can configure the eDirectory server that takes the role of an LDAP server in this configuration.

10 On this tab, enter the following in the LDAP Connection Details section:

• In the LDAP server(s) field, type the host name or IP address of the eDirectory server.

• In the WW’s user name field, specify a user name, such as admin, and where to begin the search for it in the eDirectory, such as under edirfolder. Use the format required for LDAP configuration: cn=admin, o=edirfolder.

• In the WW’s password field, type a password for the user name configured above.

11 In the Attribute Details section, proceed as follows:

• Leave the User checkbox deselected and select the Group object checkbox.

This setting is required to configure group-based mapping, which this procedure is about. To configure user-based mapping, do it the other way round.

Note: You cannot configure both kinds of mapping at the same time.

For user-based mapping, you would also have to leave cn as value in the Attributes to extract field, see below.

• Make sure that cn is the value in the Attributes to extract field.

According to the LDAP format, this is the code for the attribute that contains the group name in a search for user groups (or the user name in a search for individual users). It is also the default value here.

• In the Base DN to group objects field, specify where to begin the search for the users of a given group within the eDirectory, such as under the edirfolder.

Use the LDAP format again: o=edirfolder.

• In the Group member attribute name field, leave uniquemember, and in the Object class for groups field, leave groupofuniquenames as default values.

12 In the LDAP Authentication section, enter the following:

• In the Base DN to user object field, type o=edirfolder again.

Note: This setting and the following are also required for user-based mapping.

• In the UID attribute name field, type cn.

13 Click Apply Changes to make these settings effective.

This completes the sample procedure.

You can now login as user of a group, such as edirgroup, that is stored on the eDirectory server under edirfolder to see if the mapping was performed successfully.

The mapping was successful if you can now access web objects as is allowed under the settings of edirpolicy.

Skipping authentication

This procedure shows how to create a web mapping above any other mappings that require authentication. The new mapping will match the HOST header of a user’s request instead of the user name or group, so authentication will not be required.

Proceed as follows:

1 In the Authentication Options section of the Authentication tab, make sure the Always authenticate client checkbox is deselected.

2 Click Apply Changes to make this setting effective.

3 Go to the Web Mapping tab under User Management > Policy Management.

4 In the Mapping Process section of that tab, move all methods entered under Mapping Order for REQMOD down one row.

5 In the first row, enter a new mapping method, selecting the following settings:

• From the Map from drop-down list, select User.

• From the Map via drop-down list, select map directly.

• From the Using these rules drop-down list, select Create new rules.

6 Click Edit rules and options in the same row. This will take you to the User based mapping tab.

7 In the User Name Location section, configure the following settings:

• From the Extract user information from drop-down list, select User defined request header.

• In the User defined meta or request header input field, enter a header for an application, such as Windows Media Player, or destination, such as www.securecomputing.com, that should be allowed to skip authentication:

• For an application, type User-Agent.

• For a destination, type Host.

8 In the Mapping Options section, configure the following settings:

• Deselect the Input value must exist checkbox.

• Select or deselect the Enable shell expressions in mapping rules checkbox, according to your requirements.

• Make sure the Add domain name to user name checkbox is deselected.

9 In the Add Rule section, add a rule that maps a particular policy to the user-agent of an application or to a destination host:

• From the drop-down list, select this policy.

• In the input field, enter the value for the user agent or host according to what you have configured in Step 7:

• For example, for the user agent, type Windows-Media-Player, NSPlayer.

• For example, for the host, type www.securecomputing.com.

• Click Add First or Add Last, according to where you want to place the rule.

10 Click the Go back to Web mapping methods link. This takes you back to the Web Mapping tab.

11 In the Mapping Process section, click the Edit rules and options button next to the method in the last row under Mapping method order for REQMOD.

This takes you to the User based mapping or Group based mapping tab, depending on the type of the method.

12 In the Mapping Options section of that tab, make sure the Input value must exist checkbox is selected.

This ensures authentication is required for anything that does not match the preceding rules.

This completes the procedure. Authentication is now skipped for the application or destination you configured.

Define Proxy Authentication Options window

The Define Proxy Authentication Options window looks like this:

It enables you to configure further settings for some of the authentication methods that are configured in the Authentication Process section. These settings are valid for all kinds of proxies and also for transparent authentication.

There are four sections in this window:

• NTLM Agent Setup

• LDAP Authentication

• Radius Authentication

• Login Window Name

NTLM Agent Setup

McAfee Web Gateway can run on Microsoft Windows as well as on other operating systems such as Linux or Solaris. If it is running on Windows, it can directly do NTLM authentication with the domain controller.

If you want to use NTLM authentication with McAfee Web Gateway on a different operating system, you can do this via McAfee Web Gateway’s NTLM Agent.

The NTLM Agent may also be useful for Windows deployments if the connection between McAfee Web Gateway and the domain controller is limited by a firewall, because the connection to this agent requires only a single free definable port to be opened.

The NTLM Agent is an application you can download from the Resource Center (or the McAfee Web Gateway Extranet). It must be installed on the domain controller or on any other system of the domain that can communicate with the domain controller via NTLM.

You can set up more than one NTLM Agent for high availability and/or to handle NTLM authentication with multiple separated domains.

McAfee Web Gateway is using a proprietary protocol to communicate with the NTLM Agent. By default, connections to the NTLM Agents are encrypted. This can be changed by deselecting the checkbox labeled Use encrypted connections to NTLM Agents within the NTLM Agent Setup section.

If the clients use NTLM challenge response with McAfee Web Gateway, no passwords are transmitted, but only the response to the challenge. The request still contains the user name and possibly group information.

If the clients use Basic authentication with McAfee Web Gateway, the password is transmitted, and McAfee Web Gateway passes it on to the NTLM Agent.

We therefore recommend using encrypted connections to the NTLM Agent.

The SSL connection switch is common to all NTLM Agents specified.

The setting must match on both sides: if you deselect encrypted connections here, you must also switch off the SSL connection switch at the NTLM Agents, otherwise no connection can be established.

The status of the NTLM Agent connections is shown on the corresponding Web interface page and (in case of an error) also on the home page of this interface.

In case of an error, more status information may be available in the errors log file and at the NTLM agent’s user interface.

If the NTLM Agent is not running on the domain controller, you should make sure that the service pack version installed on the system it is running on is the same as that on the domain controller.

To set up an NTLM Agent, proceed as follows:

1 Within the web interface, go to the Authentication tab under Proxies > HTTP Proxy.

2 In the Authentication Process section, select NTLM-Agent as the authentication method.

This option is offered in each of the two drop-down lists. Priority is given to the authentication method selected from the first list.

3 Specify a list of the NTLM Agents that McAfee Web Gateway should connect to.

To specify an NTLM Agent, enter the IP address of the system running this agent in the input field within the NTLM Agent Setup section.

Also specify a port number in case the default port 9531 is not used.

• Example 1: 192.168.42.100 (specifies a connection to the NTLM Agent running on 192.168.42.100 on default port 9531).

• Example 2: 192.168.42.101:1234 (specifies a connection to the NTLM Agent running on 192.168.42.101 on port 1234).

If you are deploying multiple NTLM Agents for the same domain, list their IP addresses and ports in a comma-separated list.

• Example 3: 192.168.42.100,192.168.42.101:1234

McAfee Web Gateway will use a round robin load balancing scheme to connect to these agents.

If you want to use a list of NTLM Agents only for a special domain, type the @ sign and the domain name after the NTLM Agents list.

• Example 4: 192.168.42.100,192.168.42.101:1234@example.org

If the domain name is omitted, the agents of the list are connected for all domains that are not specified in other lists.

To separate multiple NTLM Agents domain lists, use the ; (semicolon).

• Example 5: 192.168.42.100,192.168.42.101:1234@example.org; 192.168.42.200@example2.org;102.168.42.222:2345

This example will use the two agents on the systems with IPs .100 and .101 in round robin load balancing for all requests for the example.org domain. It will use the agent on the system with IP .200 for the example2.org domain, and the agent on IP .222 for all other domains.


4 Click Apply Changes to make your settings effective.
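The following parser is an added illustration of the list syntax described in Step 3; it is not McAfee code and does not reproduce the product's own parsing. It assumes the grammar shown by the examples above (agents separated by commas, an optional @domain per group, groups separated by semicolons, default port 9531) and picks agents round robin within the group responsible for a domain, falling back to the group without a domain. The list used in the main block is constructed for the demonstration.

```python
# Added illustration (not McAfee code): parse the NTLM Agent list syntax
# described above and pick agents in round-robin order per domain.
# Assumed grammar, taken from the examples in the text:
#   list  := group ( ';' group )*
#   group := agent ( ',' agent )* [ '@' domain ]
#   agent := host [ ':' port ]            default port 9531
# A group without a domain serves every domain that has no group of its own.
from typing import Dict, List, Optional, Tuple

DEFAULT_NTLM_AGENT_PORT = 9531

Agent = Tuple[str, int]


def parse_agent(token: str) -> Agent:
    """'host' or 'host:port' -> (host, port), applying the default port."""
    token = token.strip()
    host, sep, port = token.rpartition(":")
    if not sep:
        return token, DEFAULT_NTLM_AGENT_PORT
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad agent specification: {token!r}")
    return host, int(port)


def parse_agent_list(spec: str) -> Dict[Optional[str], List[Agent]]:
    """Return {domain: [agents]}; the key None holds the fallback group."""
    groups: Dict[Optional[str], List[Agent]] = {}
    for group in spec.split(";"):
        if not group.strip():
            continue
        agents_part, sep, domain = group.partition("@")
        key = domain.strip().lower() if sep else None
        if sep and not key:
            raise ValueError(f"empty domain after '@' in {group!r}")
        agents = [parse_agent(a) for a in agents_part.split(",") if a.strip()]
        if not agents:
            raise ValueError(f"no agents in {group!r}")
        if key in groups:
            raise ValueError(f"domain listed twice: {key!r}")
        groups[key] = agents
    if not groups:
        raise ValueError("empty NTLM Agent list")
    return groups


class AgentSelector:
    """Round-robin chooser over the agent group responsible for a domain."""

    def __init__(self, spec: str) -> None:
        self.groups = parse_agent_list(spec)
        self._next = {key: 0 for key in self.groups}

    def group_for(self, domain: str) -> Optional[str]:
        """Domain-specific group if one exists, else the fallback group (None)."""
        key = domain.lower()
        if key in self.groups:
            return key
        if None in self.groups:
            return None
        raise LookupError(f"no NTLM Agent configured for domain {domain!r}")

    def next_agent(self, domain: str) -> Agent:
        key = self.group_for(domain)
        agents = self.groups[key]
        index = self._next[key]
        self._next[key] = (index + 1) % len(agents)   # rotate within the group
        return agents[index]


if __name__ == "__main__":
    # Constructed sample list in the format of Example 5 above.
    selector = AgentSelector(
        "192.168.42.100,192.168.42.101:1234@example.org; "
        "192.168.42.200@example2.org;192.168.42.222:2345"
    )
    for dom in ("example.org", "example.org", "EXAMPLE2.ORG", "other.local"):
        print(dom, "->", selector.next_agent(dom))
```

Domain names are compared case-insensitively, and a malformed port or a repeated domain is rejected at parse time rather than silently producing a group that is never used.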

LDAP Authentication

Using this section, you can configure a number of settings that are needed when LDAP is used as a group policy method for authentication on the ICAP server and HTTP proxy.

The ICAP client usually receives a list of attributes from the LDAP server and the ICAP server only assigns a policy. But if you select LDAP as authentication method on the ICAP server, this data will be retrieved twice, first by the HTTP proxy and then by the ICAP server. Configuring the settings as described below enables you to avoid this doubled effort.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the items in the following two areas to configure LDAP authentication settings:

• Specify connection details — In this area, use the following input fields to enter details of the connection to the LDAP server:

• LDAP server(s) — Enter the host name or IP address of the LDAP server here. The port number may also be specified, after a colon, such as 192.168.0.5:389.

You can specify more than one server, separated by spaces. In this case, McAfee Web Gateway will try to perform load balancing based on a round-robin algorithm (all servers need to be configured in the same way for this).

No failover is performed, however, by McAfee Web Gateway. If McAfee Web Gateway is already running and an LDAP server is working, but then becomes unavailable, a request to this server will fail.

If you start McAfee Web Gateway and an LDAP server is not responding from the beginning, it will be removed from the list and only the other servers will be used.

• Username for Webwasher to log into LDAP server — Enter the name here McAfee Web Gateway should use to authenticate itself when trying to access the information stored on the LDAP server.

If the server permits even an anonymous user to access this information, no input is required here.

When several instances of McAfee Web Gateway are running in a cluster, one of them is configured as master. If the LDAP authentication method is used within this cluster, site instances can only connect to the master if a user admin has been configured for it.

This means that you need to enter admin as user name here if the McAfee Web Gateway instance you specify it for is the master of the cluster.

• Webwasher’s password — Enter the password here that goes with the user name specified for McAfee Web Gateway.

• Select where User attributes originate — In this area, use the following input fields to specify where to look for the attributes that are needed to authenticate a user:

• Base DN to user object — Enter the elements of the LDAP tree here that indicate where the search for a user name entry should begin; for example, cn=Users, dc=global, dc=com.

• UID attribute name — If you want to use the UID attribute, which is a unique key, in the search for a user name entry on the LDAP server, make sure this radio button is selected. The radio button is selected by default.

In the input field provided here, enter the attribute name, such as sAMAccountName.

If a user name submitted for authentication matches the key that is the value of this attribute, the user is authenticated successfully.

By selecting this option you enable a simple search relying only on the UID attribute.

To enable a complex search, use the Filter option described below, or the Novell eDirectory IP Filter option (if you have configured eDirectory as authentication method).

• Filter — If you want to enable a complex search for a user name entry on the LDAP server, select this radio button.

This search is compatible with all kinds of LDAP servers, using query filters for the following attributes: user name, user group name, and mail group name.

In the input field provided here, enter a complex filter condition.

• Example: A complex filter condition relying on the user name and the user group name could be specified as follows: (&(groupid=internet)(uid=%u))

With this sample condition, the user name needs to match the UID, but it must also be a member of the Internet user group, which might have been configured to include all users that are allowed access to the Internet. All other users are blocked by the authentication process.

The variable used to represent the user name must be %u, as shown above. No other variables are allowed here for this.

• Novell eDirectory IP Filter — A complex search for user attributes on the Novell eDirectory server is performed with the following filtering condition, which has been entered in this field and should not be altered: (&(objectClass=user)(loginTime>=%u))

Within this condition, the %u variable represents the time of the last update in the search for user attributes performed by McAfee Web Gateway.

The complete condition searches for entries that are of the user object class and have been stored since that last update.

• Novell eDirectory network address attribute — This attribute is the name of the field where the IP address of a user is stored on the eDirectory server. It is NetworkAddress and must not be altered.
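The two filter forms above (the %u user-name filter and the eDirectory polling filter) are illustrated by the following added example, which is not McAfee code and does not describe how the product itself performs the substitution. It escapes the user name according to RFC 4515 before inserting it at %u, so that a name containing filter metacharacters stays a single assertion value, and it assumes that loginTime is compared as an LDAP Generalized Time value in UTC.

```python
# Added illustration (not McAfee code): substitute the %u placeholder into an
# LDAP filter template with RFC 4515 escaping, and build the eDirectory polling
# filter. How the product escapes %u is not documented on this page; the
# escaping here is the practice a filter builder should follow.
from datetime import datetime, timezone


def ldap_escape(value: str) -> str:
    """Escape characters that are special inside an LDAP filter value (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))      # e.g. '*' becomes '\2a'
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(template: str, username: str) -> str:
    """Replace every %u with the escaped user name; reject templates without %u."""
    if "%u" not in template:
        raise ValueError("filter template must contain the %u placeholder")
    return template.replace("%u", ldap_escape(username))


def edirectory_poll_filter(last_update: datetime) -> str:
    """Filter for the periodic eDirectory poll described above.

    Assumption: loginTime is compared as an LDAP Generalized Time value in UTC
    (YYYYMMDDhhmmssZ); the %u placeholder carries the time of the last poll.
    """
    if last_update.tzinfo is None:
        raise ValueError("last_update must be timezone-aware")
    stamp = last_update.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return "(&(objectClass=user)(loginTime>=%s))" % stamp


def edirectory_poll_filter_from_epoch(seconds: int) -> str:
    """Same as above for a Unix timestamp (seconds since 1970-01-01 UTC)."""
    return edirectory_poll_filter(datetime.fromtimestamp(seconds, tz=timezone.utc))


if __name__ == "__main__":
    template = "(&(groupid=internet)(uid=%u))"     # the sample filter from the text
    print(build_user_filter(template, "alice"))
    # A user name containing filter metacharacters: escaping keeps it a single
    # assertion value instead of letting it change the filter structure.
    print(build_user_filter(template, "*)(uid=*"))
    print(edirectory_poll_filter(datetime(2011, 3, 1, 12, 30, tzinfo=timezone.utc)))
```

The second print shows why escaping matters for any filter that embeds a client-supplied name: without it, the wildcard and parentheses would be interpreted as part of the filter, and the group membership condition could be bypassed.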

Radius Authentication

Using this section, you can configure the connection to the Radius server, where the user data is stored that can be looked up for authentication purposes. The protocols supported on this connection are PAP/SPAP.

In order to enable a failover, you can configure a primary and a secondary Radius server.

Furthermore, you can configure the use of group information within the authentication process.

Note: McAfee Web Gateway does not use the failover configured here to do load balancing, but only to perform a retry in case a problem occurs while authenticating a user.

Depending on the type of problem, McAfee Web Gateway proceeds in the following way:

1 If authentication fails, although communication itself went on correctly, such as in the case of a wrong password, no retry is performed.

2 If communication fails, such as when an error message was received after sending the user credentials or a given time interval elapsed with no response from the Radius server, the secondary server is tried using the same credentials.

Note: The Radius server timeout is 5 seconds by default. It cannot be configured within this web interface, but only using the command line interface.

3 McAfee Web Gateway counts the number of errors that occurred on each server. If the secondary server has fewer errors than the primary server, McAfee Web Gateway will try the secondary server first for the next instances of user authentication.

After a given time, or if the error number ratio changes, McAfee Web Gateway will bring the primary and the secondary server back to their originally configured order.

This procedure is only performed, however, when authenticating ordinary users. Administrator authentication always starts with a fresh Radius server setup, and the primary server is always tried before the secondary server in this case.
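The retry and reordering behaviour described in the three steps above is modelled in the following added example, which is not McAfee code. It follows the text in distinguishing a rejected credential (no retry) from a communication failure (count the error, try the other server), in preferring the secondary server for ordinary users while it has fewer errors, and in always starting administrators from the configured order. The time after which the original order is restored is not given on the page, so it is left to the caller via reset_order().

```python
# Added illustration (not McAfee code): a model of the primary/secondary
# Radius behaviour described above. The send() callback stands in for the
# network exchange and returns one of three outcome strings.
from typing import Callable, Dict, List, Optional, Tuple

# "accept": credentials ok; "reject": server answered, credentials bad
# (no retry); "comm_error": error message or timeout (retry on other server)
Outcome = str


class RadiusFailover:
    def __init__(self, primary: str, secondary: str) -> None:
        self.configured = [primary, secondary]
        self.errors: Dict[str, int] = {primary: 0, secondary: 0}

    def order(self, admin: bool = False) -> List[str]:
        """Administrators always get the configured order; ordinary users get
        the secondary first while it has fewer errors than the primary."""
        primary, secondary = self.configured
        if not admin and self.errors[secondary] < self.errors[primary]:
            return [secondary, primary]
        return [primary, secondary]

    def authenticate(self, send: Callable[[str], Outcome],
                     admin: bool = False) -> Tuple[str, Optional[str]]:
        """Try the servers in order; return (result, server that answered)."""
        for server in self.order(admin):
            outcome = send(server)
            if outcome in ("accept", "reject"):
                return outcome, server      # communication worked: no retry on a bad password
            if outcome != "comm_error":
                raise ValueError(f"unexpected outcome {outcome!r}")
            self.errors[server] += 1        # error or timeout: count it, try the other server
        return "unavailable", None

    def reset_order(self) -> None:
        """Called when the configured time has elapsed: restore the original order."""
        for server in self.errors:
            self.errors[server] = 0


if __name__ == "__main__":
    # Constructed scenario: the primary server stops responding.
    def send(server: str) -> Outcome:
        return "comm_error" if server == "radius-primary" else "accept"

    fo = RadiusFailover("radius-primary", "radius-secondary")
    print(fo.authenticate(send))                  # primary fails, secondary accepts
    print(fo.order())                             # secondary is now tried first
    print(fo.authenticate(send, admin=True))      # administrators still start with the primary
```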

In order to include information on the group that a user belongs to in the authentication process, you can specify the appropriate attributes of the Radius server response. This is done using coded values as they are defined in RFC 2865.

An attribute that is specified in this way may either be a simple attribute or a vendor specific attribute.

According to RFC 2865, 25 is the value for the Class attribute, which may be filled in the server’s response with a user group name. This is an example of how a simple attribute could be used for the authentication process.

Note: The Radius server can also be configured to let a different attribute with a different code value contain the group name, even if this code is not defined in RFC 2865.

The code value defined for a vendor specific attribute in RFC 2865 is 26.

However, for the structure of this attribute, it is only defined that it should begin with the vendor ID (which is needed because there may be attributes belonging to different vendors in a Radius server response) and that this ID should be followed by a number of sub-attributes, the code values and content types of which are defined by the vendor in question.

While it cannot be taken for granted that all vendors will actually adhere to this sub-attribute structure, McAfee Web Gateway is able to find all information contained within the sub-attributes of a vendor specific attribute.

The value you need to configure for this is 0 (see also below).

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following input fields to configure the Radius server connection:

• Primary Radius server — Enter the server address and port number for the primary Radius server here.

The input format is: host[:port]

The default port number is 1812.

• Secondary Radius server — Enter the server address and port number for the secondary Radius server here.

The input format is: host[:port]

The default port is 1812.

• Shared Secret — Enter the string here, such as password1, that should be used as password for Radius authentication.

Note: This password will be valid for both the primary and the secondary server.

• Default domain name — Enter the name of the domain here that a user account should belong to by default when Radius authentication is performed.

This may be the account of an ordinary user or an administrator account.

• Group name in Radius response attribute — Use the following items to specify the attribute that contains the user group information in a response from a Radius server:

• no group name

If you do not want to include user group information in the authentication process, make sure this radio button is selected. The radio button is selected by default.

• value of attribute with code — Select this radio button to include user group information in the authentication process that is contained in a simple attribute.

In the input field provided here, enter the value for the attribute code.

For example, enter 25 to specify the Class attribute, as defined in RFC 2865. Other codes may also be used here, including those not defined in RFC 2865. The default code value is 0.

• vendor specific attribute with vendor ID — Select this radio button to include user group information in the authentication process that is contained in a vendor specific attribute, consisting of a vendor ID as main attribute and one or more sub-attributes.

In the input field provided here, enter the vendor ID.

The code value for this main attribute, which is 26, will then be added by McAfee Web Gateway. The default value in this field is 0, which means no vendor ID is configured.

Note: A vendor ID is required to provide any vendor specific information.

• and sub-attribute type — In this input field, enter a numeric value to specify the type of the sub-attributes following the vendor ID.

Note: A particular vendor may not use an attribute structure consisting of sub-attributes.

To enable McAfee Web Gateway to find all the information contained in a vendor specific attribute, regardless of its structure, make sure 0 is entered here. This is also the default value.
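The three ways of locating the group name described in this list (no group name; a simple attribute selected by its code, such as Class = 25; a Vendor-Specific attribute selected by vendor ID and sub-attribute type, with 0 meaning the whole vendor data) are shown in the following added example, which is not McAfee code. It parses the RFC 2865 type/length/value layout of a response's attributes; the sample attribute bytes and the vendor ID 99999 are constructed for the demonstration, and treating sub-attribute type 0 as "return everything after the vendor ID" is this example's reading of the text.

```python
# Added illustration (not McAfee code): find a user group name in the
# attributes of a RADIUS response using the selection modes described above.
import struct
from typing import List, Optional, Tuple

ATTR_USER_NAME = 1
ATTR_CLASS = 25             # RFC 2865: Class
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865: Vendor-Specific

Attribute = Tuple[int, bytes]


def parse_attributes(payload: bytes) -> List[Attribute]:
    """Walk RFC 2865 TLVs: 1-byte type, 1-byte length (header included), value."""
    attrs: List[Attribute] = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def split_vsa(value: bytes) -> Tuple[int, bytes]:
    """Vendor-Specific value = 4-byte vendor ID followed by vendor data."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific attribute shorter than a vendor ID")
    return struct.unpack("!I", value[:4])[0], value[4:]


def find_group(attrs: List[Attribute], mode: str, code: int = 0,
               vendor_id: int = 0, sub_type: int = 0) -> Optional[bytes]:
    """Return the raw group value, or None if the response carries none.

    mode: "none", "attribute" (simple attribute with the given code) or
    "vendor" (Vendor-Specific attribute with the given vendor ID).
    """
    if mode == "none":
        return None
    if mode == "attribute":
        if code == 0:
            raise ValueError("an attribute code is required")
        return next((v for t, v in attrs if t == code), None)
    if mode == "vendor":
        if vendor_id == 0:
            raise ValueError("a vendor ID is required for vendor specific information")
        for atype, value in attrs:
            if atype != ATTR_VENDOR_SPECIFIC:
                continue
            vid, data = split_vsa(value)
            if vid != vendor_id:
                continue
            if sub_type == 0:
                return data      # assume nothing about the vendor's layout
            # vendor sub-attributes reuse the type/length/value layout
            for stype, svalue in parse_attributes(data):
                if stype == sub_type:
                    return svalue
        return None
    raise ValueError(f"unknown mode {mode!r}")


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute (used only to build the constructed sample)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one attribute")
    return bytes([atype, len(value) + 2]) + value


SAMPLE_VENDOR_ID = 99999     # constructed, not a registered enterprise number
SAMPLE_ATTRS = (             # constructed attribute list of an Access-Accept
    attr(ATTR_USER_NAME, b"alice")
    + attr(ATTR_CLASS, b"internet-users")
    + attr(ATTR_VENDOR_SPECIFIC,
           struct.pack("!I", SAMPLE_VENDOR_ID) + attr(1, b"vpn-admins"))
)

if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ATTRS)
    print(find_group(parsed, "attribute", code=ATTR_CLASS))
    print(find_group(parsed, "vendor", vendor_id=SAMPLE_VENDOR_ID, sub_type=1))
    print(find_group(parsed, "vendor", vendor_id=SAMPLE_VENDOR_ID))
```

The length checks in parse_attributes matter in practice: an attribute whose declared length runs past the end of the payload is rejected instead of being read as garbage, which is the check a group lookup on untrusted network input needs.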

Login Window Name

Using this section, you can configure the realm parameter in the header of an authentication message that McAfee Web Gateway is forwarding to perform proxy authentication. This parameter is also known as login window name.

Furthermore, you can configure that a protocol is appended to the realm parameter.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure the login window name:

• Realm value — In this input field, enter the value for the realm parameter. The default value is Webwasher.

• Append protocol to Realm — Select this checkbox to have a protocol appended to the realm parameter.

Authentication Options

The Authentication Options section looks like this:

Using this section, you can configure options with regard to whether authentication is required or not for a client and what to do in case the authentication server is down.

When McAfee Web Gateway has been configured as HTTP proxy on a system and the authentication server is running on a different system, which may be the case, for example, in a blade server environment, the HTTP proxy should be bypassed in the authentication process.

When the authentication server is running on one system and McAfee Web Gateway, configured as HTTP proxy, on another, a request for authentication that a client sends to the server will first be directed to the proxy.

However, since the host names do not match, the proxy will not recognize that the client request is internal and will redirect it to the authentication server to get authenticated before access can be allowed. This will lead to an endless redirection loop and to avoid the loop, the HTTP proxy must be bypassed in this situation.

The bypassing can be configured on the browser you are using and can be part of a domain policy. To configure this, for example, on the Microsoft Internet Explorer, go to Tools > Internet Options > Connections > LAN Settings > Advanced, where you will find the option Do not use proxy servers for addresses beginning with ...

After specifying the appropriate information here, click Apply Changes to make your settings effective.

Use the following checkboxes to configure authentication options:

• Always authenticate client — Select this checkbox to make authentication required for any client request.

McAfee Web Gateway will then try to authenticate the client until it is successful or until it finds that the authentication server is down. In this latter case, the setting of the option described below will apply.

• Allow Internet access when authentication server is down — Select this checkbox to allow a client request in case McAfee Web Gateway has found that the authentication server is down.

NTLM and NTLM-Agent Authentication Options

The NTLM and NTLM-Agent Authentication Options section looks like this:

Using this section, you can configure the NTLM authentication method, which retrieves information that is stored in the database of a Microsoft Windows domain controller in order to authenticate users. This method can be used by browsers, proxies and servers. It offers more security than other methods because the user password can be transmitted in an encrypted format.

You can also use an agent application, the NTLM Agent, for enabling this authentication method. The settings that are configured here will also apply to this agent application.


There is a basic and an integrated way of applying this authentication method. With basic authentication, the client browser sends the user name and password in plain text (less secure). Integrated authentication encrypts messages going from the client browser to the server and back.

In the process of user authentication, McAfee Web Gateway contacts the corresponding domain controller and retrieves a list of global domain groups that this user is a member of, or a list of local groups on the domain controller, or both.

You can also specify a default domain that is used to verify membership of a user if no other information is available.

The ICAP server can retrieve information on user groups to perform policy mapping. A list of these groups must be provided by the ICAP client.

Note: The user and user group information required for policy mapping should not be stored in a subdirectory of the domain controller since it may not be possible to retrieve it from there. It should be stored in \company.com rather than in \company.com\e-mail aliases.

If you are using the NTLM Agent, a tool like NTLMTest.exe will enable you to view a list of the groups the domain controller actually sends to the NTLM Agent, which forwards it to McAfee Web Gateway. Ask your support team for this tool and install it on the system the NTLM Agent is running on.

After specifying the appropriate information here, click Apply Changes to make your settings effective.

Use the following items to configure the NTLM and NTLM-Agent authentication methods:

• Enable integrated authentication — If you want to use the integrated authentication method, make sure this checkbox is selected. The checkbox is selected by default.

• Enable basic authentication — If you want to use the basic authentication method, select this checkbox.

• Default domain — In this input field, type the name of the domain that should be used as default in the process of user authentication.

• Select what groups to get from Domain Controller — From the drop-down list provided here, select what groups should be retrieved from the domain controller: Global, Local or both.

User Database Authentication Options

The User Database Authentication Options section looks like this:

Using this section, you can configure authentication by means of using the information stored in a user database.

There is a basic and an integrated method of authenticating users.

With basic authentication, the browser sends the user name and password as plain text (less secure) to McAfee Web Gateway, which plays the role of the client when exchanging authentication messages with the authentication server. McAfee Web Gateway then uses the information stored in the user database to authenticate the user.

Integrated authentication encrypts messages going from the client browser to the authentication server and back. In this situation, McAfee Web Gateway acts as the proxy server and forwards authentication server messages to the client.

After specifying the appropriate information, click Apply Changes to make this setting effective.

Use the following items to configure this kind of authentication:

• Enable integrated authentication — Enable this option to use the integrated authentication method. This is the default option.

• Enable basic authentication — Enable this option to use the basic authentication method.


IP Forwarding

The IP Forwarding section looks like this:

Using this section, you can configure the header that is forwarded to the ICAP server and also to the Web server or next hop proxy if required.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following items to configure the forwarding of headers:

• IP from header ... — If you want the IP address that is forwarded to the ICAP server to be taken from a particular header, make sure this checkbox is selected and enter this header in the input field provided here.

The checkbox is selected by default. The default header is X-Forwarded-For.

• Client IP — Select this checkbox if you want the IP address of the client to be forwarded to the ICAP server.

ICAP services

The ICAP Services tab looks like this:

There are three sections on this tab:

• Services

• List of Available ICAP Services

• Bypass ICAP Server

In addition to the description of these sections, the window that is provided for configuring ICAP services is described in a separate section:

• ICAP Service Definition window


Services

The Services section looks like this:

Using this section, you can configure the ICAP client services that should be used for REQMOD and RESPMOD communication.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following input fields to configure ICAP client services:

• REQMOD services — Type the ICAP client services that should be used for REQMOD communication in this field. If there is more than one service, separate them by the | (pipe character).

You can also enter a service by selecting it from the drop-down list next to this input field.

• RESPMOD services — Type the ICAP client services that should be used for RESPMOD communication in this field. If there is more than one service, separate them by the | (pipe character).

You can also enter a service by selecting it from the drop-down list next to this input field.

List of Available ICAP Services

The List of Available ICAP Services section looks like this:

It displays a list of the services that are available for being configured in the Services section above.

To add a service to the list, click the ICAP Service Definition link that is provided here. This will open a window for adding services. It is described in the upcoming subsection.


ICAP Service Definition window

The ICAP Service Definition window looks like this:

It allows you to add an ICAP service to the list and displays this list. For these purposes, three sections are provided in the window:

• Add Service Name and URI

• General ICAP Services Options

• Service Name List

Add Service Name and URI

Using this section, you can specify information on an ICAP service and add it to the services list.

Note: The settings you configure here will apply to the HTTP, HTTPS and FTP proxies, as well as to the e-mail gateway and to IFP communication.

The services that are added here are particular ICAP services used in addition to the internal services. These include services for virus scanning, content filtering, as well as for McAfee Web Gateway services on remote machines, such as when load balancing is performed.

You can also configure services for use of the ICAP client set up.

When adding a service, a Uniform Resource Identifier (URI, also known as URL) is specified. This is a short string that identifies resources in the web such as documents, images, downloadable files, services, electronic mailboxes, and other resources.

It makes resources available under a variety of naming schemes and access methods such as HTTP, HTTPS, and FTP, and makes e-mails addressable in the same way.


Furthermore, you can configure additional options to enable bypassing in case of connection errors, limit the use of an ICAP server when no message body or URL parameter needs to be filtered, and ensure that not more connections are activated than the ICAP server can handle at the same time.

Use the following items to specify and add a service:

• Service Name — In this input field, enter the name of the ICAP service.

• URIs — In this input field, enter one or more URIs for the service. Begin a new line for each of them. The input format for a URI is: icap://192.168.3.6:1344/wwreqmod.

• Enable bypass on ICAP server error — Select this checkbox to enable a bypass in case there is an error due to the ICAP server connection.

• Limit ICAP usage to encapsulated (HTTP(S)/FTP) requests/responses that have a body — Select this checkbox to limit the use of an ICAP server. The server will only be used then for processing HTTP, HTTPS or FTP requests or responses if these have a message body encapsulated.

This way, you can configure an ICAP service on a client for use with particular Data Leakage Prevention (DLP) products that do not need to see non-body traffic.

Enabling this option is well suited for ICAP communication in REQMOD mode, where most messages have no body, but rather not in RESPMOD mode. Make sure, however, not to enable the option in REQMOD mode for an ICAP service that is used under McAfee Web Gateway.

This would have an impact on filtering since McAfee Web Gateway filters such as the URL Filter or the Generic Header Filter would then only be applied to requests with a body.

When combining this restriction with the one below, which limits the use of an ICAP server to requests with URL parameters, McAfee Web Gateway uses a union of the two, not their intersection, so for DLP deployments it would make sense to enable both restrictions and call ICAP servers only for POST requests and GET requests with parameters.

• Limit ICAP usage to encapsulated (HTTP(S)/FTP) requests with URL parameters — Select this checkbox to limit the use of an ICAP server in another regard. The server will only be used then for processing HTTP, HTTPS or FTP requests if these have URL parameters. An indicator for this is the question mark that these requests contain.

This way, you can configure an ICAP service on a client for use with particular Data Leakage Prevention (DLP) products that do not need to see requests without URLs.

When combining this restriction with the one above, which limits the use of an ICAP server to requests and responses with message bodies, McAfee Web Gateway uses a union of the two, not their intersection, so for DLP deployments it would make sense to enable both restrictions and call ICAP servers only for POST requests and GET requests with parameters.

• Respect max concurrent connections limit of ICAP server — Select this checkbox to prevent McAfee Web Gateway as ICAP client from setting up more connections at the same time than the ICAP server is capable of handling.

This maximum value is configured on the ICAP server and communicated to the client when responding to an OPTIONS request.

• Maximal number of passive ICAP servers — In this input field, enter the maximum number of ICAP servers you want to allow passive status for. This status can be assigned to a server when you are running a farm of several ICAP servers in a multi-process configuration.

The maximum number cannot be higher than the number of all servers minus 1 and will only be reached if none of the servers that are configured as active fails. The default number of passive servers is 0.

• Add — After specifying the appropriate information for an ICAP service, click this button to add it to the list.

The list is displayed in the Service Name List section further below in this window.
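The selection rules described for this window (bypass on ICAP server error, the union of the two Limit ICAP usage restrictions, and the connection limit learned from the server's OPTIONS response), modelled in Python as an added example; this is not McAfee Web Gateway code, and the sample OPTIONS response, the queue_ms field and the string outcomes returned by route_request() are constructed here.

```python
"""ICAP service-selection rules from the ICAP Service Definition window, modelled
in Python.  Added example, not McAfee Web Gateway code: the sample OPTIONS
response and the outcome strings of route_request() are constructed here."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class IcapService:
    name: str
    uris: list                             # e.g. ["icap://192.168.3.6:1344/wwreqmod"]
    bypass_on_error: bool = False          # "Enable bypass on ICAP server error"
    limit_to_body: bool = False            # "Limit ICAP usage to ... that have a body"
    limit_to_url_params: bool = False      # "Limit ICAP usage to ... requests with URL parameters"
    respect_max_connections: bool = False  # "Respect max concurrent connections limit of ICAP server"
    queue_ms: int = 0                      # "Queue connections for ... milliseconds" (0 = no queuing)
    max_connections: Optional[int] = None  # learned from the server's OPTIONS response
    open_connections: int = 0


# Constructed sample of an ICAP OPTIONS response.  Max-Connections (RFC 3507)
# is the header through which the server announces its connection limit.
SAMPLE_OPTIONS = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: REQMOD\r\n"
    b"Service: sample DLP ICAP server\r\n"
    b"ISTag: \"sample-istag-1\"\r\n"
    b"Max-Connections: 2\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)


def parse_icap_options(raw: bytes) -> dict:
    """Return the headers of an ICAP OPTIONS response as a dict with lower-case keys."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status, *lines = head.split("\r\n")
    if not status.startswith("ICAP/1.0 200"):
        raise ValueError(f"unexpected OPTIONS status line: {status!r}")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def learn_connection_limit(service: IcapService, options_response: bytes) -> Optional[int]:
    """Store the server's Max-Connections value on the service (None if it sends none)."""
    value = parse_icap_options(options_response).get("max-connections")
    service.max_connections = int(value) if value is not None and value.isdigit() else None
    return service.max_connections


def needs_icap(service: IcapService, url: str, has_body: bool) -> bool:
    """Apply the two 'Limit ICAP usage' restrictions.

    With both enabled the guide specifies a union, not an intersection: a POST
    with a body OR a GET with URL parameters is sent to the ICAP server."""
    if not (service.limit_to_body or service.limit_to_url_params):
        return True
    matched = []
    if service.limit_to_body:
        matched.append(has_body)
    if service.limit_to_url_params:
        matched.append("?" in url)  # the guide's indicator: the question mark in the URL
    return any(matched)


def route_request(service: IcapService, url: str, has_body: bool,
                  server_reachable: bool = True) -> str:
    """Decide what happens to one request: 'icap', 'skip', 'queue', 'bypass' or 'block'."""
    if not needs_icap(service, url, has_body):
        return "skip"  # restriction not met: the ICAP server is simply not called
    if not server_reachable:
        return "bypass" if service.bypass_on_error else "block"
    at_limit = (service.respect_max_connections
                and service.max_connections is not None
                and service.open_connections >= service.max_connections)
    if at_limit:
        # Overload: the connection waits in the queue only if a wait time is
        # configured; otherwise (or once the wait expires) the bypass setting decides.
        if service.queue_ms > 0:
            return "queue"
        return "bypass" if service.bypass_on_error else "block"
    return "icap"
```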


General ICAP Services Options

Using this section, you can configure connections to be queued when an ICAP server is overloaded. This is done by specifying the time that queued connections should wait. During this time, McAfee Web Gateway retries the overloaded server several times until the timeout is reached.

Requests will then either bypass the service or get blocked, according to what has been configured under the Enable bypass on ICAP server error option of the Add Service Name and URI section.

When a server is overloaded and the queuing option enabled, McAfee Web Gateway will print a message to the errors log once every minute, but not more than 50 times as a maximum.

OPTIONS requests are omitted while the server is in overload situation.

Configuring this queuing option will help ICAP servers with Data Loss Prevention (DLP) functionality bridge peak situations, whereas it makes little sense for servers that are called for each request anyway.

Note: This option will work only if the Respect max concurrent connections limit of ICAP server option of the Add Service Name and URI section is also enabled.

After specifying a value here for the first time or after modifying it, you need to restart McAfee Web Gateway to make it effective.

Use the following input field to configure the queuing of connections for an overloaded ICAP server:

• Queue connections for . . . milliseconds while ICAP Server is overloaded — Enter the time (in milliseconds) here that queued connections should wait.

By default, 0 milliseconds are configured here, which means that there will be no queuing in an overload situation.

Service Name List

This section displays a list of the ICAP services.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, select or clear the checkbox next to the service name in order to activate or deactivate it, type the appropriate information in the corresponding URIs input field, and select or deselect the Bypass enabled, Limit ICAP Usage, and Respect Connection Limit checkboxes in the same line.

Click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Note: You cannot change the settings for internal services, which are also displayed in this list, except for the Bypass enabled and Limit ICAP Usage options.

To close the window and return to the ICAP Services tab, click Close.

To edit an entry, type the appropriate text in the input field of the URIs column and select or clear the Bypass enabled checkbox.

Use the following items to perform other activities relating to the list:

• Filter — Type a filtering term in the input field of the Service Name or URIs column or in both and enter this using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.


Bypass ICAP Server

The Bypass ICAP Server section looks like this:

Using this section, you can configure a bypassing of the ICAP Server for requests made to particular hosts. These hosts are entered in a bypass list.

To add a host to the list, use the input field provided here. Enter the IP address, host name or URL, omitting http://.

Click Add.

The bypass list is displayed at the bottom of this section.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input field of the corresponding line.

Click Apply Changes to make the modification effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field above the list and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.


Transparent setup

The Transparent Setup tab looks like this:

Note: This tab is only available for appliance versions of McAfee Web Gateway.

There is the following section on this tab:

• Packet forwarding

Information on the transparent mode of using the SSL encryption is given in an additional section:

• Transparent SSL

Packet forwarding

Using this section, you can configure the source IP address and port number of the server that data packets should be forwarded, or redirected to, by McAfee Web Gateway under the HTTP or HTTPS protocol.

The server addresses that may be specified here are the addresses of the network interfaces of your McAfee Web Gateway appliance.

You can also specify a source IP for traffic that should be included in the forwarding, as well as a source IP for traffic that should be excluded.

Configuring these settings may be useful when McAfee Web Gateway is running on your appliance as the default gateway that provides a proxy port for HTTP and HTTPS clients.

This proxy port must be configured in transparent mode, which can be done by adding it on the Settings tab under Proxies > HTTP Proxy with the Transparent Proxy option enabled.

Under Allow access from, you can enter the IP addresses of the clients you want to allow access over this proxy port, according to where you expect relevant traffic from.

Note: McAfee Web Gateway can only handle this kind of packet forwarding under the HTTP and HTTPS protocols, not under protocols such as FTP or SMTP.

Furthermore, there are some limitations when using the SSL Scanner here. For more information on these, see the next section.


If you want to use this feature, select the checkbox next to the section heading. After specifying this and other settings of this section, click Apply Changes to make them effective.

You also need to reboot the McAfee Web Gateway appliance in order to let any specification or modification of settings take effect. Click Reboot to restart the McAfee Web Gateway appliance.

Use the following items to configure packet forwarding under HTTP and HTTPS:

• Inbound device — From this drop-down list, select the interface that inbound traffic will use for accessing the McAfee Web Gateway appliance.

• Source IP include — In this input field, enter a source IP address for data packets that should be redirected in any case.

A data packet will then be redirected only if its address matches the one specified here and, furthermore, not the one specified under Source IP exclude.

Input in this field is optional, but if it is entered, its format must be like this: 10.120.22.0/24.

The number after the slash (24 in this example) is the network mask. You may also enter a part of a source IP address.

• Source IP exclude — In this input field, enter a source IP address for data packets that should not be redirected.

A data packet will then be redirected only if its address does not match the one specified here and, furthermore, matches the one specified under Source IP include.

Input in this field is optional, but if it is entered, its format must be like this: 10.120.22.0/24.

The number after the slash (24 in this example) is the network mask. You may also enter a part of a source IP address.

• Original destination ports — In this input field, enter the port numbers that data packets should have in their destination addresses in order to be redirected.

Redirection will then be performed only for packets where the destination addresses match one of the values configured here.

If you enter more than one port number here, separate them by commas.

• Redirect to — From the drop-down lists provided here, select the IP address of the server that packets should be redirected to, as well as a port number on this server.

You may choose from the addresses of all the interface devices the McAfee Web Gateway appliance is equipped with, as well as from the addresses of the proxy ports that are currently configured.

The proxy ports are configured on the Settings tab under Proxies > HTTP Proxy. Make sure to enable the Transparent Proxy option when configuring a proxy there.

• Reboot — After specifying the appropriate information, click this button to reboot the appliance and make your settings effective.

Transparent SSL

This section provides additional information on the use of the SSL Scanner when McAfee Web Gateway is running on an appliance.

The SSL Scanner can be used on this appliance if McAfee Web Gateway has been configured to act as transparent proxy. McAfee Web Gateway will be able to provide transparent SSL scanner functions then if the corresponding data packets are redirected to the proxy port.

This can be achieved either by using WCCP (Web Cache Communication Protocol) or by configuring McAfee Web Gateway as default gateway and enabling the transparent proxy mode.

In this mode, the proxy port that the packets are redirected to will be able to handle transparent requests.

Note: You need version 2 of WCCP if you want to use this protocol to enable transparent SSL functions under McAfee Web Gateway.


To configure a proxy port for handling transparent requests, go to the Settings tab under Proxies > HTTP proxy and in the Port Settings section of this tab, add a proxy port with the Transparent Proxy option enabled.

By default, McAfee Web Gateway will treat requests with original destination port 443 as SSL encoded traffic. If you want to have McAfee Web Gateway treat also requests with other destination ports this way, you need to enter these ports in the global.ini (Windows) or global.conf (Linux and Solaris) configuration file.

With these settings configured, McAfee Web Gateway will add a pseudo-CONNECT header to the address of the original destination host (original_dst_IP: original_dst_Port) and pass this on to further processing.
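The packet-forwarding match rules of the Transparent Setup tab (Source IP include and exclude, Original destination ports, Redirect to) together with the pseudo-CONNECT step described above, modelled in Python as an added example; this is not McAfee Web Gateway code. Assumptions: an empty Source IP include field redirects any source, a value without a slash is matched as a dotted-string prefix, the redirect target and IP addresses are constructed samples, and the exact text of the pseudo-CONNECT line is assumed.

```python
"""Packet-forwarding match rules of the Transparent Setup tab and the
pseudo-CONNECT step, modelled in Python.  Added example, not McAfee Web Gateway
code; see the assumptions noted in the comments."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PacketForwarding:
    inbound_device: str                     # "Inbound device"
    source_include: str = ""                # "Source IP include", e.g. "10.120.22.0/24"
    source_exclude: str = ""                # "Source IP exclude"
    original_dst_ports: str = "80, 443"     # "Original destination ports", comma-separated
    # "Redirect to": a proxy port in transparent mode (constructed sample address)
    redirect_to: Tuple[str, int] = ("192.0.2.1", 9090)


def source_matches(spec: str, src_ip: str) -> bool:
    """True if src_ip matches a CIDR block such as 10.120.22.0/24 or a partial address.

    Assumption: a value without a slash is "a part of a source IP address" and
    is compared as a dotted-string prefix."""
    spec = spec.strip()
    if not spec:
        return False
    if "/" in spec:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)
    return src_ip.startswith(spec)


def parse_ports(field: str) -> set:
    """Parse the comma-separated port list, rejecting anything outside 1-65535."""
    ports = set()
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port: {item!r}")
        ports.add(int(item))
    return ports


def redirect_target(cfg: PacketForwarding, src_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) a packet is redirected to, or None if it passes untouched.

    The guide's rules: a packet is redirected only if its source matches
    Source IP include (assumption: any source when the field is empty), does
    not match Source IP exclude, and its destination port is listed."""
    if dst_port not in parse_ports(cfg.original_dst_ports):
        return None
    if cfg.source_include.strip() and not source_matches(cfg.source_include, src_ip):
        return None
    if source_matches(cfg.source_exclude, src_ip):
        return None
    return cfg.redirect_to


def pseudo_connect_line(dst_ip: str, dst_port: int, ssl_ports=frozenset({443})) -> Optional[str]:
    """Build the pseudo-CONNECT request line for a redirected SSL connection.

    By default only original destination port 443 is treated as SSL; the guide
    says other ports are added in global.ini / global.conf, which the ssl_ports
    parameter stands in for here.  The exact line format is an assumption."""
    if dst_port not in ssl_ports:
        return None
    return f"CONNECT {dst_ip}:{dst_port} HTTP/1.1"
```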

When McAfee Web Gateway issues a certificate, it copies the data from the original server certificate.

The usual security measures, including decryption, certificate verification, content scanning, and encryption, all work, but there are the following limitations:

• If the REQMOD server blocks the pseudo-CONNECT header, there will usually be a Common Name mismatch in the certificate that McAfee Web Gateway returns.

The client asks for /www.name.de/, but gets the IP address back. This may happen when using the McAfee Web Gateway URL Filter.

When transparent authentication has expired, there will even be two Common Name mismatches:

• The REQMOD request will be blocked and the redirect to the authentication server will contain the IP address (client requests name, but gets IP address – first mismatch).

• After successful authentication, there will be a redirect to the IP address.

When executing this redirect, the REQMOD request will pass and McAfee Web Gateway will return a certificate with the copied subject name of the server certificate (client requests IP address, but gets name — second mismatch).

• McAfee Web Gateway will not check the server certificate for a Common Name mismatch. This check is disabled.

• As McAfee Web Gateway copies the subject information from the original certificate, the client may observe a Common Name mismatch (this would also be the case without McAfee Web Gateway).

• If the certificate check wizard is used to enter a certificate in the global certificate list, this will only be found during filtering if entered via IP.

If there is an incident and you are using the incident manager to fill the lists (for example, by setting up a Block & Log Incident action), the certificate will also be found.


Running McAfee Web Gateway in a multi-process configuration

When McAfee Web Gateway is run on the high-end appliance models, which are McAfee Web Gateway 1900 and 2900, you can improve performance by setting up a single proxy process and linking it to multiple filtering processes, using the ICAP protocol.

The proxy process then acts as ICAP client, while each of the filtering processes takes the role of an ICAP server:

Load balancing and failover functions are provided by the proxy process that acts as ICAP client.

Furthermore, the filtering processes are controlled by special guarding processes. When it is detected that an active filtering process consumes too much memory or is overloaded or has been running too long, it is restarted after completing or timing out all its current transactions and set to a passive state, while one of the processes that have been passive so far takes its place.

Requests that are sent to McAfee Web Gateway all go through the single binary that runs the proxy process. This process handles the tasks that cannot easily be distributed among multiple processes, such as NTLM authentication or access log writing. It is also responsible for displaying key parameters of all filter processes on the dashboard.

Data that requires filtering is, however, forwarded to the filtering processes, which run the various filtering engines of McAfee Web Gateway.

A script is provided for enabling the multi-process configuration, see:

• Enabling and disabling a multi-process configuration

Note: To ensure an unimpeded performance of your McAfee Web Gateway appliance, we recommend that you do not enable the multi-process configuration on appliance models where there is less than 4 GB RAM available.

You can also use this script for viewing the current state of an appliance with regard to whether the multi-process configuration is enabled or not and for toggling this state to either enabled or disabled.

Note: Multiple processes with a proxy process for providing common functions can only be run in the way described here if McAfee Web Gateway is configured as proxy process. It cannot be run in configurations where a third-party product is used as proxy and McAfee Web Gateway only acts as an ICAP server. The multi-process configuration must not be enabled in such configurations and must be disabled if it is already running. Also, in a multi-process configuration, McAfee Web Gateway cannot be configured as ICAP server.

The following subsections provide further information about the multi-process configuration:

• Failover and load balancing

• Viewing the dashboard

• Log File Manager


Enabling and disabling a multi-process configuration

There is a quick method for enabling or disabling a multi-process configuration on a McAfee Web Gateway appliance. This method uses the MPClusterSetup.sh script, which is delivered with the appliance software and stored in the /bin folder after installation.

The script can be executed in command-line mode. When it is executed, it prints the current status of the multi-process configuration, which is enabled or disabled, and asks you whether you want to change this status.

If yes, it updates the configuration files as needed, which saves you the effort of updating them manually, and restarts the McAfee Web Gateway appliance, with the multi-process configuration either enabled or disabled.

Failover and load balancing

In a multi-process configuration, a failover can be performed for an ICAP server when it has crashed or for maintenance reasons.

An ICAP server can be up or down. Furthermore, a server that is up can internally be set to “passive”, which means that it is not involved in the load balancing.

A passive server that is not down will be set to “active”, however, when one of the active servers fails. On a McAfee Web Gateway 2900 appliance, up to six ICAP servers are included in a multi-process configuration, two of which could be passive:

You can configure the maximum number of passive servers via the user interface, using the window for setting up ICAP services, see the ICAP Service Definition window subsection.

This number cannot be higher than the number of all servers minus 1 and will only be reached if none of the servers that are configured as active fails. The default number of passive servers is 0.
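The active/passive server states and the failover rule described above (a passive server takes the place of a failed active one, with at most all servers minus 1 passive), modelled in Python as an added example that is not McAfee Web Gateway code; the round-robin choice among active servers, the handling of a recovered server and the sample URIs are assumptions.

```python
"""Active/passive ICAP server pool of a multi-process configuration, modelled in
Python.  Added example, not McAfee Web Gateway code; round-robin selection and
the recover() behaviour are assumptions."""


def max_passive_allowed(n_servers: int) -> int:
    """The guide's limit: the number of passive servers cannot exceed all servers minus 1."""
    return max(n_servers - 1, 0)


class IcapServerPool:
    def __init__(self, uris, max_passive=0):
        n = len(uris)
        if not 0 <= max_passive <= max_passive_allowed(n):
            raise ValueError(f"max_passive must be between 0 and {max_passive_allowed(n)}")
        # The first n - max_passive servers start active, the rest passive
        # (default 0 passive, as in the guide).
        self.state = {uri: "active" for uri in uris[: n - max_passive]}
        self.state.update({uri: "passive" for uri in uris[n - max_passive:]})
        self._rr = 0

    def servers(self, state: str) -> list:
        return [uri for uri, s in self.state.items() if s == state]

    def fail(self, uri: str) -> None:
        """Mark a server down; if it was active, a passive server (if any) is set to active."""
        was_active = self.state[uri] == "active"
        self.state[uri] = "down"
        if was_active:
            passive = self.servers("passive")
            if passive:
                self.state[passive[0]] = "active"

    def recover(self, uri: str) -> None:
        """Assumption: a repaired server rejoins as passive, refilling the reserve."""
        self.state[uri] = "passive"

    def pick(self) -> str:
        """Load balancing: round-robin over the active servers (None if all are down)."""
        active = self.servers("active")
        if not active:
            return None
        choice = active[self._rr % len(active)]
        self._rr += 1
        return choice
```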

Viewing the dashboard

The key parameters of a multi-process configuration are displayed on the McAfee Web Gateway dashboard under Home > Webwasher. These are:

• McAfee Web Gateway ICAP Server Requests

• McAfee Web Gateway Memory Utilization

• Number of McAfee Web Gateway Threads

Values for these parameters are shown separately for the proxy process that acts as ICAP client and for the filtering processes that take the role of ICAP servers.

The ICAP client process is identified by 0 as process number, while the ICAP server processes are numbered from 1 to n, according to the number of processes that have been implemented.


The following graphics show sample values for these parameters:

For more information about the dashboard parameters, see the section on the dashboard in the appropriate documents, for example, in the McAfee Web Gateway URL Filter Administration Guide.

Log File Manager

A Log File Manager script performs a number of activities in a multi-process configuration and on McAfee Web Gateway appliances in general.

The script pushes log files from the server on which McAfee Web Gateway runs to other servers, such as an HTTP, HTTPS, FTP, or file server. Furthermore, it handles the deletion of log files. The rotation of log files, however, is not done by the script and remains a McAfee Web Gateway core function.

Note: The script is started in intervals of five minutes. This means that it can take up to five minutes until log files are pushed and deleted on the McAfee Web Gateway server.

In a multi-process configuration, the script also merges the rotated log files for individual processes into one common log folder and sorts them according to their time stamps. This folder is a subfolder of the /conf folder.

The merger does not include error.log and exception.log files. These are stored separately in the /conf folder, where they can be identified by process number and time stamp.

Push targets

When an HTTP proxy server has been set up as next hop proxy, the script pushes log files on through this proxy if it has been configured as push target. The script can push through a next hop proxy, however, only for HTTP proxies.

When HTTPS or FTP servers are configured as push targets, the script will not push log files to the HTTPS or FTP next hop proxies that may have been set up at this time. In this case, no next hop proxies will be used for pushing log files at all. The files are pushed directly to the configured FTP and HTTPS target servers instead.
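As an added illustration (not the McAfee script itself) of the two tasks just described: merging rotated per-process log files by time stamp while keeping error.log and exception.log separate, and deciding whether a push target is reached through the HTTP next hop proxy or directly. The rotated file naming scheme and the sample file names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed naming scheme: "<name>.<process number>.<YYYYMMDDhhmm>.log"
ROTATED = re.compile(r"^(?P<base>[a-z]+)\.(?P<proc>\d+)\.(?P<ts>\d{12})\.log$")

# error.log and exception.log stay per process in /conf and are not merged
NOT_MERGED = {"error", "exception"}


def plan_merge(filenames):
    """Split rotated log files into (merged, kept).

    merged: files for the common log folder, sorted by time stamp (then by
            process number, so files rotated at the same minute stay ordered)
    kept:   error/exception logs that remain separate, identifiable by
            process number and time stamp
    """
    merged, kept = [], []
    for name in filenames:
        m = ROTATED.match(name)
        if not m:
            continue  # not a rotated log of a filter process
        if m["base"] in NOT_MERGED:
            kept.append(name)
        else:
            merged.append((m["ts"], int(m["proc"]), name))
    merged.sort()
    return [name for _, _, name in merged], sorted(kept)


def push_route(target, next_hop_http_proxy=None):
    """Decide how a log file reaches its push target.

    Only HTTP targets are pushed through a configured HTTP next hop proxy;
    HTTPS, FTP and file targets are always contacted directly.
    Returns ("via-proxy", proxy) or ("direct", target).
    """
    scheme = urlsplit(target).scheme.lower()
    if scheme == "http":
        if next_hop_http_proxy:
            return ("via-proxy", next_hop_http_proxy)
        return ("direct", target)
    if scheme in ("https", "ftp", "file"):
        return ("direct", target)
    raise ValueError(f"unsupported push target: {target}")
```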


HTTPS proxy

The HTTPS Proxy options are invoked by clicking the corresponding button under Proxies.

If you want to enable any of these options, make sure the checkbox on this button is also selected. The checkbox is selected by default.

After modifying the setting of this checkbox, click Apply Changes to make the modification effective.

The options are described in the upcoming sections:

• Settings

• Next hop proxies

• Authentication

• ICAP services

Settings

The Settings tab looks like this:


There are several sections on this tab. These vary according to whether you are currently running McAfee Web Gateway on an appliance or not:

• SSL Protocol Versions

• Supported Ciphers

• Transparent SSL Scanning Setup

Note: This section is only provided for appliance versions of McAfee Web Gateway.

• SSL Session Cache

• Proxy Options

• SSL Accelerator Card

Note: This section is not provided for appliance versions of McAfee Web Gateway. It is also not shown on the above screenshot, but is described in the following.

• Bypass SSL Scanner

Note: The same port settings and options are configured for McAfee Web Gateway as HTTPS proxy or HTTP proxy. The Port Settings and Port Options sections are not shown on this tab, but can be navigated to using the HTTP Proxy Settings link at the top. For a description of these sections, see the Settings subsection of the HTTP proxy section.

SSL Protocol Versions

The SSL Protocol Versions section looks like this:

Using this section, you can configure protocol versions for SSL communication. You can configure different protocols with regard to the communication between a client browser and McAfee Web Gateway, and between McAfee Web Gateway and the requested server.

After specifying the appropriate settings for both kinds of communication, click Apply Changes to make them effective.

Use the following checkboxes to configure protocols:

• TLS version 1 — This checkbox allows you to configure a protocol version for both kinds of communication that can be described as follows: “The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.” (Taken from RFC 2246.)

This is the strictest of the protocol versions available here. If you want to use it, make sure the checkboxes are selected accordingly. By default, the checkboxes are selected for both kinds of communication.

• SSL version 3 — This checkbox allows you to configure a protocol version that is the current standard for creating an encrypted link between a Web server and a browser.

If you want to use it, make sure the checkboxes are selected accordingly. By default, the checkboxes are selected for both kinds of communication.

• SSL version 2 — This checkbox allows you to configure an earlier version than SSL 3.0. Since there are several vulnerabilities in this version, its use is not recommended.


Supported Ciphers

The Supported Ciphers section looks like this:

Using this section, you can configure a cipher string. This may be used for several of the activities that are performed in the process of SSL scanning, such as encryption, exchange of keys and authentication.

Ciphers are the algorithms used for encrypting and decrypting the data traffic that is conducted according to the SSL and TLS network protocols.

To read an explanation of the cipher string format and view a list of permitted cipher strings, go to www.openssl.org/docs/apps/ciphers.html. This is one of the Web pages provided by the OpenSSL project.

After specifying this setting, click Apply Changes to make it effective.

Use the following input field to configure a cipher string:

• Cipher list — Enter an appropriate cipher string here. For the string format, see the page mentioned above. The default string is: ALL:!ADH:+RC4:@STRENGTH.
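To show what the default string ALL:!ADH:+RC4:@STRENGTH actually does, here is an added evaluator (not McAfee or OpenSSL code) for the rule prefixes used in OpenSSL cipher strings: a bare word adds matching ciphers, "-" removes them (they can be re-added), "!" removes them permanently, "+" moves them to the end, and "@STRENGTH" sorts by key length. The cipher table and the alias set are a constructed subset of OpenSSL's; a real list is much longer and "ALL" orders it by OpenSSL's own preference.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    kx: str    # key exchange
    auth: str  # authentication ("None" = anonymous)
    enc: str   # bulk encryption
    bits: int  # strength used by @STRENGTH


# Constructed subset of an OpenSSL cipher table, in the order "ALL" lists it here
TABLE = [
    Cipher("AES256-SHA", "RSA", "RSA", "AES", 256),
    Cipher("DHE-RSA-AES256-SHA", "DH", "RSA", "AES", 256),
    Cipher("ADH-AES256-SHA", "DH", "None", "AES", 256),
    Cipher("AES128-SHA", "RSA", "RSA", "AES", 128),
    Cipher("RC4-SHA", "RSA", "RSA", "RC4", 128),
    Cipher("ADH-RC4-MD5", "DH", "None", "RC4", 128),
    Cipher("DES-CBC3-SHA", "RSA", "RSA", "3DES", 168),
]


def _matches(cipher, word):
    """Does an alias word match a cipher? Aliases joined by '+' must all match."""
    for alias in word.upper().split("+"):
        if alias == "ALL":
            ok = True
        elif alias == "ADH":            # anonymous Diffie-Hellman: no authentication
            ok = cipher.kx == "DH" and cipher.auth == "None"
        elif alias == "DH":
            ok = cipher.kx == "DH"
        elif alias == "RSA":            # OpenSSL's RSA alias covers kRSA and aRSA
            ok = cipher.kx == "RSA" or cipher.auth == "RSA"
        elif alias in ("AES", "RC4", "3DES"):
            ok = cipher.enc == alias
        else:
            # real OpenSSL silently ignores unknown words; raising here catches typos
            raise ValueError(f"unknown cipher alias {alias!r}")
        if not ok:
            return False
    return True


def select_ciphers(cipher_string, table=TABLE):
    """Evaluate a cipher string against the table; returns cipher names in order."""
    chosen = []
    killed = set()  # names removed with "!" can never come back
    for rule in cipher_string.split(":"):
        rule = rule.strip()
        if not rule:
            continue
        if rule.upper() == "@STRENGTH":
            # stable sort, so ciphers of equal strength keep their relative order
            chosen.sort(key=lambda c: c.bits, reverse=True)
            continue
        op, word = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        hit = [c for c in table if _matches(c, word)]
        names = {c.name for c in hit}
        if op == "!":
            killed |= names
            chosen = [c for c in chosen if c.name not in killed]
        elif op == "-":
            chosen = [c for c in chosen if c.name not in names]
        elif op == "+":
            chosen = ([c for c in chosen if c.name not in names]
                      + [c for c in chosen if c.name in names])
        else:
            for c in hit:
                if c.name not in killed and c not in chosen:
                    chosen.append(c)
    return [c.name for c in chosen]
```

With the default string, anonymous ciphers are gone, RC4 sinks behind the other 128-bit ciphers, and the list is ordered by strength; "ALL:-ADH:ADH" would re-add the anonymous ciphers at the end, whereas "ALL:!ADH:ADH" keeps them out.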

Transparent SSL Scanning Setup

The Transparent SSL Scanning Setup section looks like this:

Note: This is only available for appliance versions of McAfee Web Gateway.

Using this section, you can provide information on port numbers that may be needed for scanning SSL-secured communication when McAfee Web Gateway is running in a transparent configuration.

In this configuration, McAfee Web Gateway does not receive a CONNECT header, which is needed for the initial REQMOD request. This is why McAfee Web Gateway assembles a "pseudo" CONNECT header, using the destination IP address.

When there is no real CONNECT header, McAfee Web Gateway is also not able to use header information for determining whether a connection is SSL-secured. The destination port is used for this purpose instead. You can tell McAfee Web Gateway which ports should be treated as belonging to SSL-secured connections.

Note: This feature is available on appliances for filtering HTTPS traffic in transparent mode and can be used not only on McAfee Web Gateway appliances that are run with a CGLinux operating system, but on any Linux-based McAfee Web Gateway appliance.

After specifying the appropriate settings here, click Apply Changes to make them effective.

Use the following input field to specify ports for SSL-secured connections:

• Ports treated as SSL — Enter the destination port numbers of connections here that McAfee Web Gateway should treat as SSL-secured. Separate port numbers by commas.


SSL Session Cache

The SSL Session Cache section looks like this:

Using this section, you can configure the time period over which the settings of an SSL session can be stored in a session cache.

Settings stored in a cache can be used to establish the corresponding connections for further sessions. Using the stored settings will considerably reduce the time needed for establishing a connection.

After specifying this setting, click Apply Changes to make it effective.

Use the following input field to configure a cache storing period:

• TTL ... seconds

Specify an appropriate storing time period (in seconds) here.

Proxy Options

The Proxy Options section looks like this:

Using this section, you can configure options for the communication between the ICAP clients and McAfee Web Gateway when it is configured as HTTPS proxy.

You can configure how often a retry is performed by a client when the server is overloaded and whether a REQMOD request should be performed for the CONNECT header submitted by a client.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure these proxy options:

• ... retries on server overload when connected directly — Select a number from the drop-down list provided here to configure how many times a retry will be performed over a direct connection when the server is overloaded. The default number is 2.

• Perform REQMOD request for CONNECT header — Make sure this checkbox is selected if you want to have this request performed. The checkbox is selected by default.

If the request is performed in a transparent environment, the IP address of a connection (not the host name) will be inspected with regard to the information stored in the URL Filter Database. It may happen that the IP address is not categorized within that database, whereas the host name is. This means that a request may be blocked in a transparent configuration, but allowed in a proxy deployment.

Furthermore, the request will only be done with the host or IP address as URL. This may cause unexpected behavior if the categorization of the host differs from that of the accessed path.

On the other hand, if no REQMOD request is performed, contacting the Web server is always required, even for requests that are blocked. Furthermore, the Tunneling by Category function is not available, nor are host-based actions on the (global) certificate list.

Note: Some authentication scenarios require that the initial REQMOD request is performed.


• but perform this request in a transparent setup after the handshake — Select this checkbox to have the REQMOD request performed after the handshake if the HTTPS proxy has been set up in transparent mode.

Note: This mode can only be configured when McAfee Web Gateway is running on an appliance.

Performing the REQMOD request after the handshake, and not before it, as it would otherwise be done, means that the Common Name provided in the client certificate will be accepted as host name. Otherwise, if the REQMOD request was performed before the handshake, only the IP address of the destination host would be available.

In order to use the Common Name in this way, it is required that Certificate Verification has been enabled on the SSL Scanner tab and that the certificate in question has proven to be valid under the verification procedure.
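The following added example (not McAfee code) models the decisions described in the Transparent SSL Scanning Setup and Proxy Options sections: which destination ports are treated as SSL, the pseudo CONNECT header assembled from the destination IP, and whether the REQMOD request for that header carries the IP (before the handshake) or the verified certificate's Common Name (after it). The field and function names, and the fallback to the IP when verification did not succeed, are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


def parse_ssl_ports(setting):
    """'Ports treated as SSL' is a comma separated list of destination ports."""
    ports = set()
    for item in setting.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port: {item!r}")
        ports.add(int(item))
    return ports


@dataclass
class Interception:
    """A transparently intercepted connection (constructed model)."""
    dst_ip: str
    dst_port: int
    cert_verified: bool = False              # Certificate Verification passed
    cert_common_name: Optional[str] = None   # CN from the certificate, if any


def pseudo_connect(conn):
    """No real CONNECT arrives in transparent mode, so one is assembled from
    the destination IP address."""
    return f"CONNECT {conn.dst_ip}:{conn.dst_port} HTTP/1.1"


def reqmod_target(conn, ssl_ports, perform_reqmod=True, after_handshake=False):
    """Return (phase, url) for the REQMOD request on the CONNECT header, or
    None if the connection is not treated as SSL or REQMOD is switched off.

    Before the handshake only the IP is known, so URL categorisation works on
    the IP, which may be categorised differently from the host name. After the
    handshake (appliance only) the certificate CN is used as host name, but
    only when certificate verification succeeded; otherwise (assumption) the
    IP is used as before. The URL carries only host or IP, never a path.
    """
    if conn.dst_port not in ssl_ports or not perform_reqmod:
        return None
    if after_handshake and conn.cert_verified and conn.cert_common_name:
        return ("after-handshake", f"https://{conn.cert_common_name}:{conn.dst_port}/")
    return ("before-handshake", f"https://{conn.dst_ip}:{conn.dst_port}/")
```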

SSL Accelerator Card

The SSL Accelerator Card section looks like this:

Note: This section is not provided with appliance versions of McAfee Web Gateway.

The section allows you to configure the use of an SSL accelerator card. This may be helpful for time-consuming public-key cryptography operations.

Depending on the type of accelerator card and on your system, CPU load will be reduced and speed may increase because the additional hardware performs the public-key (RSA) computations. There are also SSL accelerator cards that enable you to store private keys.

After specifying this setting, click Apply Changes to make it effective.

Use the following drop-down list to configure the use of an SSL accelerator card:

• SSL Accelerator card used — Select the appropriate card from this list. The default is None and means no card is used.

Bypass SSL Scanner

The Bypass SSL Scanner section looks like this:

Using this section, you can configure a bypassing of the SSL Scanner for requests that were sent from the hosts that are specified here.


There will be no decryption or certificate verification for these requests.

Use the following items to configure a bypass:

• Input field — Enter a host name or IP address here, omitting HTTPS://, to specify the host you want to configure a bypass for.

• Add — Click this button to add a host to the list.

Example:

In order to use your system for Webex meetings while the Scan Encrypted Traffic option is enabled on the SSL Scanner tab, you need to configure a bypass for the relevant URLs, since Webex meetings are not possible under this scanning option.

Enter the following host name and IP addresses in the input field, one after the other, and click Add each time:

*.webex.com

62.109.201.70

62.109.201.70

The bypass list is displayed at the bottom of the section.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input field of the Connection column. Click Apply Changes to make this setting effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filtering term in the input field of the Connection column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.


Next hop proxies

The Next Hop Proxies tab looks like this:

When using the HTTPS protocol, next hop proxies are configured in the same way as under the HTTP protocol.

For a description of the relevant options, see the subsection on Next hop proxies under HTTP proxy.


Authentication

The Authentication tab looks like this:

When using the HTTPS protocol, authentication is configured in the same way as under the HTTP protocol.

For a description of the relevant options, see the subsection on Authentication under HTTP proxy.


ICAP services

The ICAP Services tab looks like this:

When using the HTTPS protocol, ICAP services are configured in the same way as under the HTTP protocol. However, the option to bypass the ICAP server is not available then.

For a description of the other options, see the subsection on ICAP services under HTTP proxy.


FTP proxy

The FTP Proxy options are invoked by clicking the corresponding button under Proxies.

If you want to enable any of these options, you also need to select the checkbox that is on this button. Click Apply Changes to make this setting effective.

The options are described in the upcoming sections:

• Settings

• Next hop proxies

• Authentication

• ICAP services

Settings

The Settings tab looks like this:

There are two sections on this tab:

• Port Settings

• FTP Options


Port Settings

The Port Settings section looks like this:

This section displays a list of the ports that are opened by McAfee Web Gateway as listener ports for the ICAP client when McAfee Web Gateway is configured as FTP proxy.

You can add entries to the list and edit or delete them. Furthermore, you can configure the data port.

FTP uses a control connection (where all replies are sent) that is always initiated by the client as in any classic TCP/IP client-server protocol.

But as soon as some file or directory content is downloaded, a second connection (the data connection) is set up, where the data transfer occurs.

Use the following button to add a port to the list:

• Add Proxy Port — Click this button to open a window where you can specify information on a new listener port and enter it in the list.

For a description of this window, see the Port Settings window subsection below.

The default port has the number 2121. This port is entered by default in the list and cannot be deleted. You may, however, change the port number.

The following information is provided in the list for each listener port:

• Address — IP address and port number of the listener port.

The specification of the IP address is optional and may therefore not be displayed here.

• Allow access from — IP addresses of the sites that should have access to the listener port. An * in this field means that every site is allowed access.

• Policy — Policy that will be applied during communication with the ICAP client over the listener port.

This is not part of the authentication process for a client, but of the policy mapping that maps this client to a particular policy.

If no policy is selected here, there will be no particular policy for communication with a client over this listener port. Instead, the policy that was configured for the ICAP server will be used.

To edit an entry, type the appropriate text in the input fields of the Address and Allow access from columns, and select a policy from the Policy drop-down list in the same line as required.

Click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following item to delete entries that are in the list:

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, with the exception of the default listener port, select the Select all checkbox and click this button.


Use the following item to configure the FTP data port:

• Data Port — Specify the data port here. The input format is as follows:

• port — The default port number is 2020.

Security Alert: For security reasons, McAfee Web Gateway runs under plain user rights (as opposed to root rights). So, you cannot choose a privileged port (below 1024) at runtime. If you choose a privileged port, you have to restart McAfee Web Gateway to make it available.

Port settings window

The Port Settings window opens after clicking the Add Proxy Port button. It looks like this:

Using this window you can add a port to the list of listener ports that are opened by McAfee Web Gateway for communication with the ICAP client when McAfee Web Gateway is configured as FTP proxy.

Use the following items of this window to configure the port settings and add the port to the list:

• Port — In this input field, specify the port by entering an IP address and a port number. The input format is: [IP]: port.

Security Alert: For security reasons, McAfee Web Gateway runs under plain user rights (as opposed to root rights). So, you cannot choose a privileged port (below 1024) at runtime. If you choose a privileged port, you have to restart McAfee Web Gateway to make it available.

• Allow access from — In this input field, specify the IP addresses of the sites that should have access to the listener port. The input format is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*. Entering an * in this field means to allow every site access.

• Use Policy — From the drop-down list provided here, select a policy that will be applied during communication with the ICAP client over the listener port.

This is not part of the authentication process for a client, but of the policy mapping that maps this client to a particular policy.

If no policy is selected here, there will be no particular policy for communication with a client over this listener port. Instead, the policy that was configured for the ICAP server will be used.

On the other hand, if a policy is selected here, the policy that was configured for the ICAP server will no longer be used.

• Add — After specifying the appropriate information about a listener port, click this button to add it to the list.

If the addition was successful, a corresponding message is displayed in this window. You can then go on to add another port to the list.


• Close — Click this button to close the window and return to the Settings tab.
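As an added example (not McAfee code), the two input formats of the Port Settings window can be validated before they are entered: the listener port in "[IP]: port" form, flagging privileged ports that need a restart, and the "Allow access from" list in the (IP | IP/NetMask | IP range) [, ...]* form with "*" meaning every site. The function names and the check of a client address against the parsed list are assumptions for the example.

```python
import ipaddress


def parse_listener(spec):
    """Parse '[IP]: port'. Returns (ip or None, port, needs_restart).

    needs_restart is True for privileged ports (below 1024): McAfee Web
    Gateway runs without root rights, so such a port is only available
    after a restart.
    """
    spec = spec.strip()
    ip, sep, port = spec.rpartition(":")
    if not sep:
        ip, port = "", spec
    ip = ip.strip() or None
    port = int(port.strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if ip:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return (ip, port, port < 1024)


def parse_allow_from(spec):
    """Parse the 'Allow access from' field into a list of matchers.

    Each item is a single IP, IP/NetMask (prefix length or dotted mask) or an
    IP range "lo-hi"; "*" alone allows every site.
    """
    spec = spec.strip()
    if spec == "*":
        return ["*"]
    rules = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {item}")
            rules.append((lo, hi))
        else:
            # a bare IP becomes a /32 (or /128) network; strict=False also
            # accepts a network written with host bits set
            rules.append(ipaddress.ip_network(item, strict=False))
    if not rules:
        raise ValueError("empty allow list")
    return rules


def is_allowed(rules, client_ip):
    """Check a client address against parsed 'Allow access from' rules."""
    if rules == ["*"]:
        return True
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if isinstance(rule, tuple):
            lo, hi = rule
            if lo.version == ip.version and lo <= ip <= hi:
                return True
        elif ip.version == rule.version and ip in rule:
            return True
    return False
```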

FTP Options

The FTP Options section looks like this:

Using this section, you can configure the handling of FTP requests. After modifying the settings in this section, click Apply Changes to make the modification effective.

Use the following items to configure options for FTP requests:

• Allow clients to use passive FTP connections — If this option is enabled, McAfee Web Gateway will allow the client to use the passive connection mode for data connections between the client and McAfee Web Gateway.

The option is enabled by default. Active connections are always allowed.

FTP uses a control connection initiated by the client as in any classic TCP/IP client-server protocol. But whenever some file or directory content is downloaded, a second connection (the data connection) is set up.

The default is for FTP to have an active data connection, where the server initiates the data connection to the client.

This may, however, cause problems with firewall policies, which usually do not allow external connections into the corporate network.

A passive data connection is initiated by the client over the port the client received in response to its PASV command. The passive mode is optional, as not all clients and servers support it.

Since McAfee Web Gateway is a proxy itself, it connects to both the client and the server.

• Webwasher uses passive FTP connections — If this option is enabled, McAfee Web Gateway will issue the PASV command in order to initiate a passive data connection to the FTP server. If the FTP server does not support this, no data connection will be possible.

The option is enabled by default. It may be used in case a firewall policy does not allow active connections.

• Anonymous password — This option can be used when FTP over HTTP is enabled and McAfee Web Gateway has been configured as proxy server. No user data is transmitted then, unless the user name and password are already provided in the URL.

In the input field provided here, enter a password; for anonymous FTP this is conventionally an e-mail address.

This will enable you to continue as usual, by logging on to a remote FTP server as anonymous and submitting your password.


• Use absolute addressing on FTP server — If you want only absolute network addresses to be used in FTP commands, mark this checkbox.

Communication between McAfee Web Gateway and an FTP server uses relative addressing by default. However, some FTP servers have problems with using relative addresses, so by enabling this option you can make sure only absolute addresses are used.

Next hop proxies

The Next Hop Proxies tab looks like this:

When using the FTP protocol, next hop proxies are configured in the same way as under the HTTP protocol.

For a description of the relevant options, see the subsection on Next hop proxies under HTTP proxy.


Authentication

The Authentication tab looks like this:

At the top of this tab, there is a button labeled:

• Define Proxy Authentication Options — Click this button to configure some additional options relating to all kinds of proxies. This will open a window where you can specify the appropriate information.

The options of this window are described in the Define Proxy Authentication Options window subsection of the Authentication section under HTTP proxy.

Furthermore, there are three sections on this tab:

• Authentication Process

• Authentication Options

• NTLM and NTLM-Agent Authentication Options

Authentication Process

The Authentication Process section looks like this:

Using this section, you can configure the order in which authentication methods are applied during the authentication process.

Specify the appropriate order and click Apply Changes to make your settings effective.


To specify this order, select the authentication method you want to be applied first from the first of the two drop-down lists provided here.

From the second drop-down list, select the method you want to be applied afterwards.

More information on the authentication process methods is provided in the Authentication Process subsection of the HTTP proxy section, and also in the subsections below.

Authentication Options

The Authentication Options section looks like this:

Using this section, you can configure what to do in case the authentication server is down.

The following item is provided here for this purpose:

• Allow Internet access when authentication server is down — Enable this option if you want to allow a client request in case McAfee Web Gateway has found that the authentication server is down.

Click Apply Changes to make this setting effective.

NTLM and NTLM-Agent Authentication Options

The NTLM and NTLM-Agent Authentication Options section looks like this:

Using this section, you can configure options for an authentication method that performs an NTLM lookup in order to authenticate users.

NTLM is an authentication method used by browsers, proxies and servers. It is more secure than other methods because the user password is not transmitted as plain text.

The user of the NT domain is a member of several domain groups. The ICAP server can use these groups to do the policy mapping. A list of groups must be provided by the ICAP client.

If you want to do NTLM authentication and the operating system McAfee Web Gateway is running on is not Windows, you can use an agent application, the NTLM Agent, to enable this.

The settings configured here will also apply to the agent application. For this application, see also the settings in the NTLM Agent Setup field.

There is a basic and an integrated method of authenticating users.

With basic authentication, the browser sends the user name and password as plain text (less secure) to McAfee Web Gateway. McAfee Web Gateway then plays the role of the client in exchanging authentication messages with the authentication server, using the NTLM method to authenticate the user.

With the FTP protocol, only this authentication method can be configured.

Integrated authentication encrypts messages going from the client browser to the authentication server and back. In this situation, McAfee Web Gateway acts as the proxy server and forwards authentication server messages to the client.

This can be useful if McAfee Web Gateway does user authentication, applies policies and forwards requests to the caching proxy.

After authenticating the user, McAfee Web Gateway contacts the corresponding Domain Controller and can retrieve either a list of global (domain) groups that the user is a member of, a list of local groups on the domain controller, or both.


NTLM authentication can be configured as part of a policy mapping based on user and user group information. Information about user groups is stored in a directory on the domain controller.

It is important that this information is not stored in a subdirectory, since it may not be possible to retrieve it from there. For example, it should be stored in \COMPANY.com rather than in \COMPANY.com\E-Mail Aliases.

If you are using the NTLM Agent, a tool like NTLMTest.exe will enable you to view a list of the groups the domain controller actually sends to the NTLM Agent, which forwards it to McAfee Web Gateway. Ask your support team for this tool and install it on the system the NTLM Agent is running on.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following items to configure NTLM and NTLM-Agent authentication:

• Enable basic authentication — Enable this option to use the basic authentication method and enter the default domain used for basic authentication in the input field provided here.

• Select what groups to get from Domain Controller — From the drop-down list provided here, select what groups are to be fetched from the domain controller: Global, Local, or both.

ICAP services

The ICAP Services tab looks like this:

When using the FTP protocol, ICAP services are configured in the same way as under the HTTP protocol.

For a description of the relevant options, see the subsection on Authentication under HTTP proxy.


E-mail gateway

The E-Mail Gateway options are invoked by clicking the corresponding button under Proxies.

If you want to enable any of these options, make sure the checkbox on this button is also selected. The checkbox is selected by default.

After modifying the setting of this checkbox, click Apply Changes to make the modification effective.

The options are described in the upcoming sections:

• Gateway settings

• ICAP services

• Notifications

• ESMTP extensions

Gateway settings

The Gateway Settings tab looks like this:

There are six sections on this tab:

• Port Settings

• SMTP Welcome Message

• HELO Name

• Relaxed Domain Name


• Address to Policy Mapping Options

• Release Using Policy

Port Settings

The Port Settings section looks like this:

It allows you to configure the listening port for the e-mail server.

After specifying the appropriate information, click Apply Changes to make this setting effective.

Use the following input field to configure the listening port:

• Port — Enter the port number of the listener port here. The default port number is 25. It is highly recommended not to change it, since many mail clients do not allow it to be configured.

You may also enter the IP address of the e-mail server.

The input format is: [IP:]Port

SMTP Welcome Message

The SMTP Welcome Message section looks like this:

It allows you to configure a welcome message that will be sent to every connected e-mail client in order to identify the server.

After specifying the appropriate information, click Apply Changes to make this setting effective.

Use the following input field to configure a welcome message.

• Message — Enter a text string for the welcome message here. The default message is WW SMTP server ready.

HELO Name

The HELO Name section looks like this:

It allows you to configure the name that is used in the HELO request McAfee Web Gateway sends to the mail server to identify itself when delivering e-mails.

After sending a HELO request to this server, McAfee Web Gateway waits for the server response.

After specifying the appropriate information, click Apply Changes to make this setting effective.

Use the following input field to configure the HELO name:

• Name — Enter the HELO name here. A fully qualified domain name is required as input in this field.

The field is left blank by default. With no input here, McAfee Web Gateway will use the name of the system it is currently running on.


Relaxed Domain Name

The Relaxed Domain Name section looks like this:

It allows you to configure the special characters that should be allowed in a domain name, such as the _ (underscore).

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following input field to configure special characters in a domain name:

• Characters — Enter the special characters you want to allow for domain names here.

Address to Policy Mapping Options

The section labeled Address to Policy Mapping Options looks like this:

It allows you to configure the actions that are to be performed when a request to map an e-mail to a particular policy fails.

A PROFILE request, which is a non-standard ICAP method, is made to map the sender or recipient of an e-mail to a particular policy. This request may fail because the ICAP server is down or was replaced by another server.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following radio buttons to configure an action:

• Use default policy — If this radio button is selected, the default policy is used for the e-mail in question regardless of its recipient. The radio button is selected by default.

• Don’t filter e-mail — If this radio button is selected, the e-mail is not filtered.

• Repeat address mapping request later — If this radio button is selected, the request to map the e-mail to the policy that was configured for it will be repeated at the next attempt to filter e-mails.

Release Using Policy

The Release Using Policy section looks like this:

It allows you to configure the policy that should be applied to an e-mail upon being released.

After specifying this setting, click Apply Changes to make it effective. Use the following drop-down list to configure a release policy:

• Policy — Select a policy from this list. After being released, an e-mail will then be moved to the inbound queue and processed according to this policy. Selecting None means an e-mail is moved directly to the outbound queue after being released.


By default, AVonly is selected here as the policy, which ensures that all e-mails are virus-scanned before being released.

ICAP services

The ICAP Services tab looks like this:

When using the E-Mail Gateway, ICAP services are configured in the same way as under the HTTP protocol, except for the option to bypass the ICAP server, which is not available then.

For a description of the other options, see the subsection on ICAP services under HTTP proxy.


Notifications

The Notifications tab looks like this:

There is the following section on this tab:

• System Notifications

The window that opens when the Edit Notification Mail Server button is clicked in this section is described in an additional section:

• Notification Settings window

System Notifications

Using this section, you can configure e-mail notifications relating to special events, which are sent to the e-mail address of a recipient.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following items to configure e-mail notifications:

• Send notification if a problem with SMTP Gateway detected — To send a notification in this situation, select the checkbox provided here and enter the recipient of the notification in the Recipient input field.

• Send notification if a non processable mail detected — To send a notification in this situation, select the checkbox provided here.

The recipient is the same as specified above.

• Send notification if SMTP Gateway stopped due to high recovery rate — To send a notification in this situation, select the checkbox provided here.

The recipient is the same as specified above.


• Send notification if mail is being processed more than ... minutes — To send a notification in this situation, select the checkbox provided here.

In the input field, enter the number of minutes that must elapse before a notification is sent. The default number is 10.

The recipient is the same as specified above.

• Edit Notification Mail Server — To configure the settings for the server used to process notifications, click this button.

This will open a window where you can enter the appropriate values. It is described in the next subsection.

• Send Test Messages — After configuring notifications, click this button to send test messages.

Notification Settings window

After clicking the button labeled Edit Notification Mail Server in the System Notifications section, the Notification Settings window opens:

In this window, you can specify the settings of the mail server that is used to send the notifications you configured on the Notifications tab.

After configuring these settings, click OK to make them effective. Click Cancel to close the window without configuring any server settings.

Use the following input fields to configure the server settings:

• SMTP server address — Enter the IP address of the server here.

• SMTP server port — Enter the port number here of the port that is used on the server for sending the notifications. The default port number is 25.

• HELO name — Enter the name here that McAfee Web Gateway should send in a HELO request to the notification mail server in order to identify itself.

• Sender — Enter the sender address of the e-mails here that are sent as notifications.

The default address is Webwasher@localhost.


ESMTP extensions

The ESMTP Extensions tab looks like this:

There is the following section on this tab:

• ESMTP Extensions

ESMTP Extensions

Using this section, you can configure ESMTP extensions. After configuring an extension, the communication between the client and the McAfee Web Gateway server will be conducted in Enhanced SMTP (ESMTP) mode.

If an extension has been configured, this is announced to the client in the welcome message it receives from the McAfee Web Gateway server.

After specifying the appropriate settings, click Apply Changes to make them effective.

The meaning and usage of the ESMTP extensions is as follows:

• SIZE Extension — There is a size limit for sending messages to the McAfee Web Gateway server. In the welcome message, the client is notified of this.


• 8BIT MIME Extension — The McAfee Web Gateway server accepts messages with Body Type = 8 bit. In the welcome message, the client is notified of this.

Note: The target server may, however, not accept messages with this body type. In this case, the McAfee Web Gateway server is unable to deliver the client message.

• DSN Extension — The McAfee Web Gateway server may generate a Delivery Status Notification (DSN) after forwarding a message from the client. In the welcome message, the client is notified of this.

The notification mode must be specified by the client. The client can specify any of the following options (combinations of the last three options are permitted):

• never - No notifications will be sent to the client.

• relayed - The client is notified after a message has been forwarded to the target server.

• delayed - The client is notified if a message has been forwarded to the target server but is delayed, for example because it is not yet known whether the target server has received the message.

• failed - The client is notified if the delivery of a message to the target server has failed.

Another option is provided for notifications to the postmaster:

• Send a copy to postmaster — Enable this option if you want a copy of every notification to be sent to the postmaster.

To specify the postmaster’s address, the address the notifications are sent to, invoke the Notifications tab.

In the System Notifications section, enter the address in the Recipient input field provided together with the option labeled Send notification if a problem with SMTP Gateway detected.

• Add original subject to the generated notification — Enable this option if you want the subject of the e-mail in question to be included in the notification to the postmaster.

• STARTTLS Extension — The TLS (Transport-Layer Security) method will be used for communication between the McAfee Web Gateway server and the client. This is a method enabling private, authenticated communication within the Internet.

Whenever a client wants to establish an SSL-secured connection, McAfee Web Gateway sends a server certificate to identify itself. You can either have McAfee Web Gateway issue the certificate or import an externally issued certificate.

You can also enforce the use of this extension for particular servers. To specify them, the following input field is provided:

• Enforce TLS for ... — Enter the server or servers here that you want to enforce the use of TLS for. The input format is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*

If you specify an *, all servers will be forced to use TLS.

To configure the certificate McAfee Web Gateway sends to the client for authentication, use the input fields and buttons of the following area:

• Certificate Options — The following options are provided here:

• Use McAfee Web Gateway certificate with CN ... — This is the default option. McAfee Web Gateway will issue the certificate and sign it with its own CA. In the input field provided here, enter the name of the certificate file.

This will work well as long as only well-known clients will connect that have the Webwasher Root CA installed. The private key handling is done as has been configured for the SSL Scanner and HTTPS web interface and digest. To change these settings, go to Configuration > Certificate Management > Private Key Handling.


• Externally issued certificate — This option enables you to use a certificate issued by an external CA. To view the certificate, click the certificate link provided here. In addition to a single certificate, you can also import the certificate chain that belongs to it.

Note: In a central-management cluster, you can import the certificate for the master instance or an individual site instance only and exclude it from being distributed by the master to the site instances. To do this, you need to select the E-mail certificate checkbox in the Local Master Settings and Local Site Settings sections on the Master Settings and Site Settings tabs respectively, under Configuration > Central Management.

• Send certificate chain — Select this checkbox to import also the certificate chain.

• Import certificate — Use the Browse button next to this input field to browse to a certificate. Then click Import to import it.

• Import certificate chain — If you have selected the Send certificate chain checkbox, use the Browse button next to this input field to browse to a certificate. Then click Import to import it together with its certificate chain.

There are two options for configuring how the handshake is decrypted for an imported certificate, that is, where the private key for the handshake is held:

• by this McAfee Web Gateway instance — With this option, the handshake will be done by the McAfee Web Gateway instance that a client connects to. Use the Browse button next to the input field labeled Import private key to browse to a private key for the handshake.

Furthermore, you need to provide a passphrase in the Passphrase input field. Click Import to import the private key.

• by remote service using HSM Agent with key — With this option, the handshake will be done by a remote service, which is handled by the McAfee Web Gateway HSM Agent. Enter a key ID in the input field provided here to specify the key that is required for the remote service to perform the handshake.

You also need to configure the HSM Agent connection in order to be able to use this option. To do this, go to Configuration > Certificate Management > Private Key Handling.
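The extension announcement and the Enforce TLS list described above, modelled as an added Python example that is not part of the McAfee guide or product: the class and function names, the sample addresses and the assumption that enforcement is checked at MAIL FROM are mine, and the 530 reply text is the standard RFC 3207 wording.

```python
# Added example (not McAfee code): ESMTP extension advertisement and the
# "Enforce TLS for ..." list, reconstructed from the guide's description.
# Input format of the list: (IP | IP/NetMask | IP range)[, ...]* or "*" (all).
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class EnforceTlsList:
    """Parses the Enforce TLS list and answers whether a client must use TLS."""

    def __init__(self, spec: str) -> None:
        self.all_clients = spec.strip() == "*"        # "*" forces TLS for everyone
        self.networks: List[IPNet] = []
        self.ranges: List[Tuple[IPAddr, IPAddr]] = []
        if self.all_clients:
            return
        for item in (s.strip() for s in spec.split(",")):
            if not item:
                continue
            if "-" in item:                            # IP range, e.g. 10.0.0.10-10.0.0.20
                lo_s, hi_s = (p.strip() for p in item.split("-", 1))
                lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
                if lo.version != hi.version or lo > hi:
                    raise ValueError(f"bad IP range: {item}")
                self.ranges.append((lo, hi))
            else:                                      # single IP or IP/NetMask
                self.networks.append(ipaddress.ip_network(item, strict=False))

    def requires_tls(self, client_ip: str) -> bool:
        if self.all_clients:
            return True
        ip = ipaddress.ip_address(client_ip)
        if any(ip.version == net.version and ip in net for net in self.networks):
            return True
        return any(lo.version == ip.version and lo <= ip <= hi
                   for lo, hi in self.ranges)


@dataclass
class EsmtpExtensions:
    """Which extensions are configured on the ESMTP Extensions tab (assumed model)."""
    size_limit: int = 0           # 0 = SIZE extension not configured
    eight_bit_mime: bool = False  # 8BIT MIME extension
    dsn: bool = False             # DSN extension
    starttls: bool = False        # STARTTLS extension


def ehlo_reply(ext: EsmtpExtensions, helo_name: str, tls_active: bool) -> List[str]:
    """Reply lines to EHLO; every configured extension is announced to the client.
    STARTTLS is not re-offered once the connection is already TLS-protected."""
    lines = [f"{helo_name} Hello"]
    if ext.size_limit:
        lines.append(f"SIZE {ext.size_limit}")
    if ext.eight_bit_mime:
        lines.append("8BITMIME")
    if ext.dsn:
        lines.append("DSN")
    if ext.starttls and not tls_active:
        lines.append("STARTTLS")
    last = len(lines) - 1
    return [("250-" if i < last else "250 ") + text for i, text in enumerate(lines)]


def check_mail_from(enforce: EnforceTlsList, client_ip: str, tls_active: bool) -> str:
    """Gate for MAIL FROM: a client covered by the enforce list that has not
    issued STARTTLS is refused with the standard RFC 3207 reply."""
    if enforce.requires_tls(client_ip) and not tls_active:
        return "530 Must issue a STARTTLS command first"
    return "250 OK"
```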

Delivery options

The Delivery Options are invoked by clicking the corresponding button under Proxies. They are described in the upcoming sections:

• Delivery options

• Routing rules

• Secure mail delivery list


Delivery options

The Delivery Options tab looks like this:

There are two sections on this tab:

• E-Mail Delivery Options

• Secure E-Mail Delivery

E-Mail Delivery Options

The E-Mail Delivery Options section looks like this:

Using this section, you can configure how McAfee Web Gateway should deliver scanned e-mails. This can be done using DNS and routing rules or using another gateway.

The routing rules are configured on the Routing Rules tab under Delivery Options.

After specifying the appropriate settings here, click Apply Changes to make them effective.

Use the following items to configure e-mail delivery:

• Use DNS and routing rules — Select this radio button to configure the use of DNS and routing rules.

• Use another gateway for e-mail delivery — Select this radio button to configure the use of another gateway. Specify this gateway by entering the appropriate information in the following input fields:


• Gateway address — Enter the IP address or URL of the gateway you want to use in this input field. You can specify more than one gateway here.

The input format is: IP or URL [:port] [, IP or URL [:port], ...]

• Port of that gateway — In this input field, enter the port number for this gateway. The default port number is 25.

• Number of retries on gateway overload — From the drop-down list provided here, select a number to configure how many times McAfee Web Gateway should retry to deliver an e-mail when the first attempt failed due to a gateway overload.

Secure E-Mail Delivery

The Secure E-Mail Delivery section looks like this:

It allows you to configure if McAfee Web Gateway should use encrypted connections to deliver e-mails.

For the encryption, the TLS (Transport Layer Security) feature is used. You can have McAfee Web Gateway look up in a list whether TLS encryption is to be used for connections to destination servers or intermediate gateways, or let it depend on the ability of a remote system to use TLS encryption.

Note that McAfee Web Gateway will not check the server certificate for a connection, which means that the connection is encrypted, but not authenticated.

Enable the options provided here according to your requirements and click Apply Changes to make effective what you configured.

The meaning of these options is as follows:

• Use secure mail delivery list — McAfee Web Gateway will look up in this list whether a connection to an individual server or a domain or to a gateway must be TLS encrypted or not. If there is more than one entry in the list relating to a particular system, the first match wins.

If TLS encryption must be used, but the remote mail server does not support it, the e-mail in question will stay in the outbound queue. You can configure McAfee Web Gateway to send a notification to the administrator in this case.

Enable the following option to do this:

• Send notification if TLS is required, but not supported by remote mail server — A notification will be sent to the address you enter in the Recipient input field.

To be able to send notifications, you need to configure the notification mail server. Clicking the button labeled Edit Notification Mail Server will open a window where you can do this. For a description of this window, see the Notification Settings window subsection of the Notifications section. To test the settings you have configured, click Send Test Message.

• Use TLS if it is supported by remote mail server — McAfee Web Gateway will use TLS encrypted connections if this is supported by the remote mail server, but this will only be done if the server was not found in the secure delivery list or the lookup for this list is deactivated.
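The Secure E-Mail Delivery decision described above, as an added Python example that is not McAfee code: the class and field names, the matching of a domain entry against hosts below it, and the treatment of IP entries as exact matches are my assumptions.

```python
# Added example (not McAfee code): models the two Secure E-Mail Delivery options
# and the secure mail delivery list with first-match-wins semantics.
# Note from the guide: a "tls" result is encrypted but not authenticated, since
# the server certificate is not checked.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DeliveryListEntry:
    domain: str        # Domain column: domain, host name or IP address
    use_tls: bool      # "use encrypted communication" / Use TLS column
    comment: str = ""  # optional Description


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


class SecureDeliveryPolicy:
    def __init__(self, entries: List[DeliveryListEntry],
                 use_list: bool = True, tls_if_supported: bool = False) -> None:
        self.entries = entries
        self.use_list = use_list                  # "Use secure mail delivery list"
        self.tls_if_supported = tls_if_supported  # "Use TLS if it is supported by remote mail server"

    def lookup(self, system: str) -> Optional[DeliveryListEntry]:
        """First matching entry wins, so the order of the list matters.
        Assumption: an IP entry matches only that IP; a domain entry matches the
        domain itself and any host below it."""
        system = system.lower().rstrip(".")
        for entry in self.entries:
            key = entry.domain.lower().rstrip(".")
            if _is_ip(key) or _is_ip(system):
                if key == system:
                    return entry
            elif system == key or system.endswith("." + key):
                return entry
        return None

    def decide(self, system: str, remote_supports_tls: bool) -> str:
        """'tls'    - deliver over a TLS encrypted connection
           'plain'  - deliver unencrypted
           'queued' - TLS required but unsupported: the e-mail stays in the
                      outbound queue (and the administrator may be notified)."""
        if self.use_list:
            entry = self.lookup(system)
            if entry is not None:
                if not entry.use_tls:
                    return "plain"
                return "tls" if remote_supports_tls else "queued"
        # Not listed, or list lookup deactivated: opportunistic TLS only if enabled.
        if self.tls_if_supported and remote_supports_tls:
            return "tls"
        return "plain"
```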


Routing rules

The Routing Rules tab looks like this:

There are four sections on this tab:

• LDAP Lookup

• List Options

• Add Rule

• Current Rules


LDAP Lookup

The LDAP Lookup section looks like this:

It allows you to perform an LDAP lookup before an e-mail is delivered to a recipient.

The LDAP server will then be searched for entries concerning particular attributes of this recipient.

To perform the lookup, select the checkbox next to the section heading and specify the attributes you want to be searched for. You can specify the following attributes:

• Recipient attribute — Attribute of an individual user listed on the LDAP server. This is a user within your network who is allowed to receive e-mails.

• Group attribute — Attribute of a user group listed on the LDAP server. The users of this group are within your network and are allowed to receive e-mails.

• Mail group attribute — Attribute of a mail group listed on the LDAP server. The users of this group are within your network and are allowed to receive e-mails.

To specify an attribute, select the attribute type and enter the attribute name in the corresponding input field.

You can apply additional rules to the result of this query, using the following option:

• Apply static rules to the result of LDAP query — Select this checkbox to apply rules that are configured using the Add Rule section, which is located also on this tab. If any rules have been set up so far, they are listed in the Current Rules section below Add Rule.

These rules map mail servers to domains. An e-mail that is sent to a recipient within a particular domain is then routed to the mail server that has been configured for it. By applying these rules to the result of the LDAP query, you can improve the routing process.

So, the following rules may have been set up:

mail_server_for_germany = germany

mail_server_for_usa = usa

An LDAP lookup where user location was specified as recipient attribute might yield the value Germany as the result for a particular e-mail. Application of the rules would then route this e-mail to the mail_server_for_germany mail server.

Select this option if you want to apply these rules. Click Apply Changes to make your settings effective.

You can also specify a list of domains for the LDAP lookup. The attribute search will then be restricted to these domains. Click the word here at the bottom of the section to go to the Recipient LDAP Check tab, which is used for specifying the domains.

This tab is located under Proxies > Relay Protection. It also provides a link that takes you to a tab for configuring more LDAP server settings.


List Options

The List Options section looks like this:

Using this section, you can configure some additional options for specifying domain names.

You can enable shell expressions in these names and specify the separator that is used when more than one domain name is listed.

Use the following checkbox and input field to configure these options:

• Enable shell expressions in domain names — Select this checkbox to enable shell expressions in domain names.

• Values separation string — In this input field, enter the character you want to use for separating domain names.

By default, the , (comma) is used for this purpose, but you may want to configure a different separator in order to allow commas within domain names.

Add Rule

The Add Rule section looks like this:

Using this section, you can configure rules for mapping mail servers to domains.

For example, if you would like to have all e-mails that are addressed to somedomain.net sent to your corporate mail server, enter a rule like mailserver=somedomain.net.

If McAfee Web Gateway processes incoming mails addressed to yourcompany.com, you may create a rule to send these mails directly to the mail server; otherwise McAfee Web Gateway may ask the DNS server to resolve yourcompany.com to a list of mail servers and, if it is itself listed there, send the mails to itself.

Another solution may be to have a local DNS server, with a local MX entry for your domain.

On a method to configure a routing for e-mails that overrules the existing routing rules, see the Adding the X-WW-Route header subsection below.

Use the input field provided here to add a rule to the rules list. The input format is:

IP or URL [:port] [, IP or URL [:port], ...] = domain

After entering a rule, click the Add First or Add Last button, to add it at the corresponding position of the list.

The position an entry takes in this list is important since whenever there is more than one entry containing information on a particular mail server or domain, the entry that is first in the list wins.

You can, however, change the position of an entry after adding it by editing the list in the Current Rules section; see the following section for more information.

Note: The Current Rules section is only displayed if at least one rule has been configured.


Adding the X-WW-Route header

In some situations, you may want to overrule the settings that have been configured for routing e-mails, and route an e-mail to a particular mail server.

This can be done by creating a customized action that adds a header to the e-mail in order to send it to that server.

Another way to achieve this would be to configure the Generic Header Filter accordingly.

The name of the additional header that overrules existing routing rules is X-WW-Route. To have this header added to an e-mail as part of a customized action, go to Configuration > Action Editor. Create a new action, and from the parameter list provided on the Action Definition tab, select Custom Headers.

Add this parameter to the action, and configure it further by entering X-WW-Route in the Name input field on the Action Parameter tab. In the Value input field, enter the domain name, the IP address, or the fully qualified name of the server that the e-mails should be sent to.

If you want to use the Generic Header Filter for configuring the addition of the X-WW-Route header, go to the corresponding tab under Common > Generic Header Filter and enter the following values in the input fields provided there:

• Condition Header — X-WW-To

• Condition Value — <Recipient address of the e-mail; for example, [email protected]>

• Result Header — X-WW-Route

• Result Value — <Address of the mail server the e-mail should be sent to; for example, 10.10.10.10:25>

Furthermore, make sure that None is selected under Action on Match and that the SMTP and Mail checkboxes are both selected.
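The rule format and first-match routing of the Add Rule section, the shell expressions and separator string of the List Options section, and the X-WW-Route override described above, as one added Python example that is not McAfee code: the function and field names, the default port of 25 for a server given without a port, the case-insensitive matching, and the use of the LDAP attribute value as a lookup key are my assumptions.

```python
# Added example (not McAfee code): parses routing rules in the guide's format
#   IP or URL [:port] [, IP or URL [:port], ...] = domain
# and applies them first-match-wins, with optional shell expressions, a
# configurable separator string, and an X-WW-Route header that overrules them.
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Server = Tuple[str, int]   # (host name or IP, port)


@dataclass
class RoutingRule:
    servers: List[Server]  # left-hand side of the rule, in order
    domain: str            # right-hand side: domain or shell expression


def parse_server(text: str, default_port: int = 25) -> Server:
    """'host' or 'host:port'; port defaults to 25 (assumption). IPv4/host names only."""
    host, sep, port = text.strip().rpartition(":")
    if not sep:
        return text.strip(), default_port
    return host, int(port)


def parse_rule(line: str, separator: str = ",") -> RoutingRule:
    """One rule line. 'separator' is the Values separation string from List
    Options; choose something other than ',' to allow commas in domain names."""
    left, sep, domain = line.partition("=")
    if not sep or not domain.strip():
        raise ValueError(f"rule has no '= domain' part: {line!r}")
    servers = [parse_server(s) for s in left.split(separator) if s.strip()]
    if not servers:
        raise ValueError(f"rule has no server: {line!r}")
    return RoutingRule(servers, domain.strip().lower())


def match_domain(pattern: str, value: str, shell_expressions: bool) -> bool:
    if shell_expressions:         # "Enable shell expressions in domain names"
        return fnmatch.fnmatchcase(value, pattern)
    return value == pattern


def servers_for(key: str, rules: List[RoutingRule],
                shell_expressions: bool = False) -> Optional[List[Server]]:
    """First rule whose domain matches the key wins. The key is either the
    recipient's domain or, with 'Apply static rules to the result of LDAP
    query', the value of the looked-up attribute (e.g. 'Germany').
    None means no static rule applies and DNS (MX lookup) decides."""
    key = key.lower()
    for rule in rules:
        if match_domain(rule.domain, key, shell_expressions):
            return rule.servers
    return None


def route(headers: Dict[str, str], recipient: str, rules: List[RoutingRule],
          shell_expressions: bool = False) -> Optional[List[Server]]:
    """Routing decision for one recipient. An X-WW-Route header, added by a
    customized action or the Generic Header Filter, overrules the static rules."""
    override = headers.get("X-WW-Route")
    if override:
        return [parse_server(override)]
    domain = recipient.rpartition("@")[2]
    return servers_for(domain, rules, shell_expressions)
```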

Current Rules

The Current Rules section looks like this:

It displays a list of the rules that are currently configured for domain routing. You can edit entries in the list, move them up and down and also delete them.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input fields of the Rule column. Click Apply Changes to make this setting effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform various activities relating to the list:

• Filter — Type a filter expression in the input field of the Rule column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.


• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Move Up, Move Down — Select the entry you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position an entry takes in the list is important since whenever there is more than one entry in the list containing information on a particular mail server or domain, the entry that is first in the list wins.

Secure mail delivery list

The Secure Mail Delivery List tab looks like this:

There is the following section on this tab:

• Secure Mail Delivery List

Secure Mail Delivery List

This section provides a list of mail servers, server domains and gateways that McAfee Web Gateway can relay e-mails to. The list also shows whether a TLS encrypted connection must be used when relaying e-mails to one of the systems entered here.

You can add entries to the list, and also edit them, move them up and down or delete them.

To add an entry to the list, use the area labeled:

• Add new entry to the list — Specify the information concerning the system you want to enter in the list using the following items:

• Domain — In this input field, enter a domain or host name or an IP address to specify the remote system that McAfee Web Gateway should relay e-mails to.


• Description — Input in this field is optional. You can enter a text string here describing the system entered above.

• use encrypted communication — Select the checkbox next to these words if a TLS encrypted connection is required for relaying e-mails to this system.

After specifying the appropriate information, click Add Entry to add the new entry to the list.

If this action was successful, the entry is added to the list, which is displayed at the bottom of this section. For each entry, the list provides the information that is specified when a new entry is added (see above).

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input fields of the Domain or Comment column or enable or disable the checkbox in the column labeled Use TLS. Click Apply Changes to make this setting effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field of the Domain or Comment column or in both and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Move Up, Move Down — Select the entry you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position an entry takes in the list is important since whenever there is more than one entry in the list containing information on a particular mail server or gateway, the entry that is first in the list wins.

This means that if the first entry for a particular mail server has the Use TLS feature disabled, no TLS encryption will be used for relaying e-mails to this server, although there may be an entry later on in the list for this same server with TLS encryption enabled.

Queue configuration

The Queue Configuration options are invoked by clicking the corresponding button under Proxies. They are described in the upcoming section:

• Queue configuration

Queue configuration

The Queue Configuration tab looks like this:

There is the following section on this tab:

• Queue Configuration

Queue Configuration

Using this section, you can configure the message queues for the SMTP gateway. A list of existing queues is displayed here. You can edit queues, create new ones, move them up and down within the list and delete them.

Note: For any changes to take effect, restart McAfee Web Gateway manually.

Use the following items to configure message queues:

• Filter — Type a filter expression in the input field of the Queue Name column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Edit — Click this button to edit the corresponding queue. This will take you to another tab, where you can specify the appropriate changes.

• Delete Selected — Select the queue you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one queue in one go.

To delete all queues, select the Select all checkbox and click this button.

• Create New — After you click this button, a new queue named NewQueue is added to the list. Click the Edit button to go to another tab, where you can specify further information regarding this queue.

• Move Up Selected, Move Down Selected — Select the queue you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position a queue takes in the list is important since whenever there are queues in the list that have been configured to accept incoming e-mails, the first queue in the list wins, which means that incoming e-mails are directed to it and not to the queues following it in the list.

For example, you might have configured a Problemincoming queue for processing e-mails whose sender domain cannot be resolved.

At the same time, there is the Inbound queue, which accepts all incoming e-mails.

If the Inbound queue is placed in the list before the Problemincoming queue, no e-mail will ever reach the Problemincoming queue, because the Inbound queue receives all incoming e-mails, the unresolvable ones included.
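Both the Secure Mail Delivery List (see the Secure Mail Delivery List section above) and the queue list are evaluated in list order, and the consequence in each case is the same: an entry placed behind a broader or identical entry is never consulted. The following Python script is an added example, not part of this guide or of McAfee Web Gateway. It resolves the Use TLS setting for a target system and the receiving queue for a message by walking each list in order, and it reports entries that an earlier entry shadows, so a configuration can be checked before it is applied. The entries, queues and messages are constructed, and the exact-match rule for the Domain column is an assumption.

```python
"""Added example (not from the McAfee guide): first-match-wins evaluation of
two ordered lists described here, the Secure Mail Delivery List (is TLS
required when relaying to a system?) and the SMTP queue list (which queue
receives an incoming e-mail?).  All entries, queues and messages are
constructed sample data; the matching rules are assumptions noted inline."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass
class DeliveryEntry:
    domain: str        # value of the Domain column: mail server, domain or IP
    use_tls: bool      # state of the Use TLS checkbox
    comment: str = ""


def tls_required(entries: List[DeliveryEntry], target: str) -> Optional[bool]:
    """Use TLS setting of the first entry for ``target``; None if no entry matches.

    Assumption: an entry matches when its Domain value equals the target
    (compared case-insensitively)."""
    target = target.lower()
    for entry in entries:
        if entry.domain.lower() == target:
            return entry.use_tls
    return None


def shadowed_delivery_entries(entries: List[DeliveryEntry]) -> List[int]:
    """Indices of entries that can never win because an earlier entry carries the
    same Domain value.  A shadowed entry with Use TLS enabled behind one with it
    disabled is exactly the pitfall the guide describes."""
    seen = set()
    shadowed = []
    for index, entry in enumerate(entries):
        key = entry.domain.lower()
        if key in seen:
            shadowed.append(index)
        seen.add(key)
    return shadowed


@dataclass
class Message:
    sender_domain: str
    sender_domain_resolvable: bool


@dataclass
class Queue:
    name: str
    accepts: Callable[[Message], bool]   # the queue's condition for accepting incoming e-mail


def route_to_queue(queues: List[Queue], msg: Message) -> Optional[str]:
    """Name of the first queue in list order whose condition accepts the message."""
    for queue in queues:
        if queue.accepts(msg):
            return queue.name
    return None


def unreachable_queues(queues: List[Queue], samples: Iterable[Message]) -> List[str]:
    """Queues that receive none of the sample messages, a sign that a broader
    queue earlier in the list swallows the e-mails meant for them."""
    reached = {route_to_queue(queues, msg) for msg in samples}
    return [queue.name for queue in queues if queue.name not in reached]


# Constructed sample configuration (not real systems).
DELIVERY_LIST = [
    DeliveryEntry("mail.partner.example", use_tls=False, comment="legacy entry"),
    DeliveryEntry("mail.partner.example", use_tls=True, comment="never consulted"),
    DeliveryEntry("192.0.2.25", use_tls=True),
]

INBOUND = Queue("Inbound", accepts=lambda msg: True)
PROBLEM = Queue("Problemincoming", accepts=lambda msg: not msg.sender_domain_resolvable)

SAMPLE_MESSAGES = [
    Message("example.net", sender_domain_resolvable=True),
    Message("nxdomain.invalid", sender_domain_resolvable=False),
]

if __name__ == "__main__":
    print("TLS to mail.partner.example:", tls_required(DELIVERY_LIST, "mail.partner.example"))
    print("shadowed delivery entries:", shadowed_delivery_entries(DELIVERY_LIST))
    print("Inbound first, unreachable:", unreachable_queues([INBOUND, PROBLEM], SAMPLE_MESSAGES))
    print("Problemincoming first, unreachable:", unreachable_queues([PROBLEM, INBOUND], SAMPLE_MESSAGES))
```

Run against the sample data, the script reports that relaying to mail.partner.example is done without TLS although a TLS entry exists further down, and that the Problemincoming queue is unreachable as long as the Inbound queue precedes it. Moving the narrower entry or queue up, as the Move Up button does in the interface, clears both findings.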

Relay protection

The Relay Protection options are invoked by clicking the corresponding button under Proxies. They are described in the upcoming sections:

• Allowed domains

• IP networks

• Recipient LDAP check

Allowed domains

The Allowed Domains tab looks like this:

At the top of this tab is a button labeled:

• Define IP Networks — Click this button to go to the IP Networks tab.

When configuring mapping rules for allowed domains, networks also need to be configured, which is done on the IP Networks tab; see IP networks.

Furthermore, there are three sections on this tab:

• Shell Expressions

• Add Rule

• Current Rules

Shell Expressions

The Shell Expressions section looks like this:

It allows you to configure the use of shell expressions when specifying the domains that are allowed to be relayed. Furthermore, you can configure a string for separating domain entries here.

After specifying the appropriate information, click Apply Changes to make your settings effective.

To enable the use of shell expressions, select the checkbox next to the section heading.

To configure a separator, use the following input field:

• Values separation string — Enter the string you want to use for separating domain entries here.

The default separator is the , (comma).

Add Rule

The Add Rule section looks like this:

Using this section, you can configure the domains that incoming e-mail messages may be relayed to.

After these domains have been mapped to client IPs, messages sent from these IPs will be accepted by McAfee Web Gateway for relaying to the mapped domains. If no mapping is configured here, only messages sent from the local host will be accepted.

In order to be mapped, a client IP must also have been configured in the Add Rule section of the IP Networks tab.

If all incoming messages should be relayed to your corporate network by McAfee Web Gateway, the rule could be as follows: internet=yourcompany.com.

To make this a valid rule, however, you also need to configure Internet on the IP Networks tab.

Tip: Use an * (asterisk) to include all client IPs.

Enter a mapping rule you want to configure in the input field provided here.

The input format is: IP network = (domain [, domain] | *)

After entering a rule, click the Add First or Add Last button. The rule will then be added to the list in the corresponding position.

The list is displayed in the section below.

Current Rules

The Current Rules section looks like this:

It displays a list of the rules that have been configured to map networks to domains for relay protection.

You can edit rules, move them up and down in the list, or delete them.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard. If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit a rule, type the appropriate text in the input field of the Rule column.

Click Apply Changes to make this setting effective. You can edit more than one rule and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field below the Rule column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Move Up, Move Down — Select the entry you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position an entry takes in the list is important since whenever there is more than one entry in the list containing information on a particular network or domain, the entry that is first in the list wins.

IP networks

The IP Networks tab looks like this:

There are two sections on this tab:

• Add Rule

• Current Networks

Add Rule

The Add Rule section looks like this:

Using this section, you can configure networks by mapping them to client IP addresses.

Networks that have been configured in this way may be specified when configuring mapping rules for domains on the Allowed Domains tab; see the Allowed domains section.

Enter a mapping rule you want to configure in the input field provided here.

The input format is: network = (IP [, IP] | IP/NetMask | IP range | *)

network=* means that the provided network name will be mapped to all possible IP addresses, for example, 1.0.0.0 – 233.255.255.255.

After entering a rule, click the Add First or Add Last button. The rule will then be added to the list in the corresponding position.

The list is displayed in the section below.
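The two rule formats, network = (IP [, IP] | IP/NetMask | IP range | *) on this tab and IP network = (domain [, domain] | *) on the Allowed Domains tab, together decide whether a client may relay a message through the gateway. The following Python script is an added example, not part of this guide or of McAfee Web Gateway. It parses constructed rules in both formats, resolves a client IP to the first network that contains it and then to the first domain rule for that network, and returns the relay decision, including the case the guide describes where no mapping exists and only the local host is accepted. The range notation first-last, the case-insensitive comparison of network names, the fnmatch interpretation of shell expressions and the first-match evaluation of domain rules are assumptions.

```python
"""Added example (not from the McAfee guide): parser and evaluator for the
relay-protection rule formats described here,
    IP Networks tab:     network = (IP [, IP] | IP/NetMask | IP range | *)
    Allowed Domains tab: IP network = (domain [, domain] | *)
answering: may a client at this IP relay a message to this recipient domain?
Assumptions: an IP range is written first-last; network names compare
case-insensitively; shell expressions mean fnmatch wildcards; the first
matching list entry decides.  All rules below are constructed."""
import fnmatch
import ipaddress
from typing import List, Optional, Tuple


def _split_rule(rule: str) -> Tuple[str, str]:
    name, sep, rhs = rule.partition("=")
    name, rhs = name.strip().lower(), rhs.strip()
    if not sep or not name or not rhs:
        raise ValueError(f"malformed rule: {rule!r}")
    return name, rhs


def parse_network_rule(rule: str) -> Tuple[str, list]:
    """'dmz = 192.0.2.0/24, 203.0.113.10-203.0.113.20' -> ('dmz', matchers);
    a matcher is '*', an ip_network (CIDR or dotted mask) or a (first, last) tuple."""
    name, rhs = _split_rule(rule)
    if rhs == "*":
        return name, ["*"]
    matchers = []
    for item in (p.strip() for p in rhs.split(",") if p.strip()):
        if "-" in item:                      # assumed range syntax: first-last
            first, last = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            matchers.append((first, last))
        else:                                # single IP or IP/NetMask
            matchers.append(ipaddress.ip_network(item, strict=False))
    return name, matchers


def parse_domain_rule(rule: str, separator: str = ",") -> Tuple[str, List[str]]:
    """'internet = yourcompany.com' -> ('internet', ['yourcompany.com']);
    separator is the Values separation string (default: comma)."""
    name, rhs = _split_rule(rule)
    if rhs == "*":
        return name, ["*"]
    return name, [d.strip().lower() for d in rhs.split(separator) if d.strip()]


def ip_in_network(ip, matchers: list) -> bool:
    for m in matchers:
        if m == "*":
            return True
        if isinstance(m, tuple):
            if m[0].version == ip.version and m[0] <= ip <= m[1]:
                return True
        elif ip in m:
            return True
    return False


class RelayPolicy:
    def __init__(self, network_rules, domain_rules, shell_expressions=False, separator=","):
        self.networks = [parse_network_rule(r) for r in network_rules]        # order matters
        self.mappings = [parse_domain_rule(r, separator) for r in domain_rules]
        self.shell_expressions = shell_expressions

    def network_of(self, client_ip: str) -> Optional[str]:
        """First configured network containing the client IP, or None."""
        ip = ipaddress.ip_address(client_ip)
        return next((name for name, m in self.networks if ip_in_network(ip, m)), None)

    def relay_allowed(self, client_ip: str, recipient_domain: str) -> bool:
        if not self.mappings:
            # Guide: with no mapping configured, only the local host is accepted.
            return ipaddress.ip_address(client_ip).is_loopback
        network = self.network_of(client_ip)
        domain = recipient_domain.lower().rstrip(".")
        for rule_network, patterns in self.mappings:
            if rule_network in ("*", network):          # '*' on the left: all client IPs
                return any(p == "*" or (fnmatch.fnmatchcase(domain, p) if self.shell_expressions
                                        else p == domain) for p in patterns)
        return False


# Constructed sample rules.  The catch-all network is last on purpose: first match wins.
NETWORK_RULES = ["office = 192.0.2.0/24, 198.51.100.5",
                 "vpn = 203.0.113.10-203.0.113.20",
                 "internet = *"]
DOMAIN_RULES = ["office = yourcompany.com, yourcompany.net",
                "vpn = yourcompany.com",
                "internet = yourcompany.com"]      # anyone may deliver mail for our own domain
POLICY = RelayPolicy(NETWORK_RULES, DOMAIN_RULES)

if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "yourcompany.net"), ("203.0.113.15", "yourcompany.net"),
                    ("100.64.0.1", "yourcompany.com"), ("100.64.0.1", "other.example")]:
        print(ip, dom, POLICY.network_of(ip), POLICY.relay_allowed(ip, dom))
```

The sample rules show the intended shape of a relay policy: internal networks may relay to the company's own domains, and the catch-all internet network may deliver mail for the company's domain only, so a message from an arbitrary address to a foreign domain is refused. Placing the catch-all network first would make every client resolve to internet and silently disable the office and vpn rules, which is the ordering effect the guide describes for these lists.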

Current Networks

The Current Networks section looks like this:

It displays a list of the rules that have been configured to map networks to IP addresses. You can edit rules, move them up and down in the list, or delete them.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit a rule, type the appropriate text in the input field of the Rule column.

Click Apply Changes to make this setting effective. You can edit more than one rule and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field below the Rule column and enter it using the Enter key of your keyboard.

The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Move Up, Move Down — Select the entry you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position an entry takes in the list is important since whenever there is more than one entry in the list containing information on a particular network or domain, the entry that is first in the list wins.

Recipient LDAP check

The Recipient LDAP Check tab looks like this:

At the top of this tab, there is a checkbox and a button:

• Enable recipient LDAP check — Enable this option to configure an LDAP check for recipient domains, using the items provided in the section below.

• Configure LDAP Server — To configure an LDAP server, which is needed in order to perform a recipient LDAP check, click this button. This will take you to the LDAP Connection tab, where you can configure this server.

The options on this tab correspond to those on the LDAP Synchronization tab; see the LDAP Synchronization section.

In addition to the options described there, the LDAP Connection tab includes the UID value prefix option, which is provided for configuring settings of the e-mail gateway.

Some servers prefix this value to the e-mail address that is stored as an attribute of the user information on the LDAP server in order to specify the protocol. The default is SMTP.

Furthermore, there is the following section on this tab:

• Domain for LDAP Check

Domain for LDAP Check

The Domain for LDAP Check section looks like this:

Using this section, you can add a domain to the list of domains that an LDAP check is performed for.

To add a recipient domain to the list, use the area labeled:

• Add new recipient domain — Enter the domain you want to have an LDAP check performed for in the input field provided here, such as company.mail.

Also configure the following two options by enabling or disabling them:

• deactivate — Enable this option if you want to just enter the domain in the list, but not yet activate the checking function. This may be done later by selecting the corresponding checkbox in the list, see below.

• do not reject — Enable this option to have e-mails from all senders of the configured domain rejected, with the exception of the sender specified here. This option can also be modified by editing the list, see below.

Click the Add to Domain List button.

If this action was successful, the entry is added to the list, which is displayed at the bottom of this section.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To sort the list in ascending or descending order, click the symbol next to the Domain column heading.

To edit an entry, type the appropriate text in the input field of the Domain column and enable or disable the deactivate and do not reject checkboxes.

Click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field of the Domain column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

Exception lists

The Exception Lists options are invoked by clicking the corresponding button under Proxies. They are described in the upcoming sections:

• IP White List

• IP Black List

• Client Domain Black List

• Sender Black List

• Recipient Black List

• TrustedSource

IP White List

The IP White List tab looks like this:

There are two sections on this tab:

• Add Rule

• Current Networks

Add Rule

The Add Rule section looks like this:

It allows you to add an address or a range of addresses to the White List for the SMTP gateway. If an IP address is on this list, it means that a client with this address will always be allowed to connect to the gateway.

Enter the rule you want to add to the list in the input field provided here. The input format is:

network = (IP [, IP] | IP/NetMask | IP range | *)

After entering a value, click the Add First or Add Last button. A new entry will then be added to the list in the corresponding position.

The list is displayed in the section below.

Current Networks

The Current Networks section looks like this:

It displays a list of the IP addresses or ranges of addresses that have been included in the White List for the SMTP gateway.

For each entry, it provides the information that is specified when a new entry is added (see above). You can edit list entries, move them up and down in the list, or delete them.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard. If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input field of the Rule column.

Click Apply Changes to make this setting effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field below the Rule column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Move Up, Move Down — Select the entry you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position an entry takes in the list is important since whenever there is more than one entry in the list containing information on a particular IP address, the entry that is first in the list wins.

IP Black List

The IP Black List tab looks like this:

There are two sections on this tab:

• Add Rule

• Current Networks

Add Rule

The Add Rule section looks like this:

It enables you to add an IP address or a range of addresses to the Black List for the SMTP gateway. If an IP address is on this list, it means that a client with this address will not be allowed to connect to the gateway.

Enter the address you want to have blacklisted in the input field provided here. The input format is:

network = (IP [, IP] | IP/NetMask | IP range | *)

After entering a value, click the Add First or Add Last button. A new entry will then be added to the list in the corresponding position. The list is displayed in the section below.

Current Networks

The Current Networks section looks like this:

It displays a list of the IP addresses or ranges of addresses that have been included in the Black List for the SMTP gateway.

For each entry, it provides the information that is specified when a new entry is added (see above). You can edit list entries, move them up and down in the list, or delete them.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard. If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input field of the Rule column.

Click Apply Changes to make this setting effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field below the Rule column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Move Up, Move Down — Select the entry you wish to move by selecting the Select checkbox next to it and click either of these buttons, depending on where you want to move the entry.

The position an entry takes in the list is important since whenever there is more than one entry in the list containing information on a particular IP address, the entry that is first in the list wins.

Client Domain Black List

The Client Domain Black List tab looks like this:

There is the following section on this tab:

• Client Domain Black List

Client Domain Black List

This section allows you to add a domain to the Client Domain Black List for the SMTP gateway. If a domain is on this list, a client with an IP address belonging to this domain will be treated in one of the following two ways when sending a request:

• The client is not allowed to connect to the server.

• The client is allowed to connect to the server, but e-mails sent using this connection are not accepted.

Which of these two methods is used depends on a parameter that is set in the Load Limits section of the Load limits tab.

The parameter is labeled Do not accept connection if client domain is in the black list or server is overloaded. If it is enabled, the first of the two methods is used, otherwise the second is used.

A reverse DNS lookup is performed to determine whether a client address belongs to a particular domain.

Note: The Client Domain Black List allows you to easily block e-mails from dial-up users; for example, e-mails from tisdip.tiscali.de, which is a dial-up domain used by Tiscali, or from dip0.t-ipconnect.de and dip.t-dialin.net, which are dial-up domains for Telekom. In general, users will use mail servers that have been set up by their providers, rather than running their own SMTP servers on their home computers. Telekom users would use one of smtprelay.t-online.de, securesmtp.t-online.de, or smtpmail.tonline.de, and Tiscali users would use smtp.tiscalinet.de.
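The decision described above combines three inputs: the reverse DNS result for the client address, the state of each list entry, and the Load Limits parameter that selects between refusing the connection and refusing the mail. The following Python script is an added example, not part of this guide or of McAfee Web Gateway. It evaluates that decision offline: the gateway's reverse DNS lookup is replaced by a constructed PTR table, the blacklist is built from the dial-up domains named in the note above, and the treatment of deactivated entries, of entries flagged do not reject (handled here as exceptions that are checked first) and of clients without a PTR record (accepted here) are assumptions.

```python
"""Added example (not from the McAfee guide): the Client Domain Black List
decision described above, evaluated offline.  The gateway's reverse DNS lookup
is replaced by a constructed PTR table so the example runs without network
access.  Blacklist entries, client addresses, and the handling of 'deactivate',
'do not reject' and missing PTR records are assumptions noted inline."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed reverse-DNS results standing in for the gateway's PTR lookups.
PTR_TABLE: Dict[str, str] = {
    "192.0.2.77": "p5b3c1a2.dip0.t-ipconnect.de",    # dial-up style host name
    "192.0.2.78": "p3e9d4f1.dip.t-dialin.net",
    "198.51.100.9": "mout.smtprelay.t-online.de",    # provider mail relay
    "203.0.113.5": "mx.partner.example",
    # 203.0.113.6 deliberately has no PTR record
}


@dataclass
class DomainEntry:
    domain: str
    deactivate: bool = False      # listed, but not yet enforced
    do_not_reject: bool = False   # exception entry (assumption: checked before blocking entries)


def reverse_lookup(client_ip: str) -> Optional[str]:
    return PTR_TABLE.get(client_ip)


def host_in_domain(host: str, domain: str) -> bool:
    """'a.b.example.net' belongs to 'example.net' and to 'b.example.net', but
    'notexample.net' does not belong to 'example.net'."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_client(client_ip: str, blacklist: List[DomainEntry], reject_connection: bool) -> str:
    """'accept', 'reject-connection' or 'reject-mail'.

    reject_connection mirrors the Load Limits parameter 'Do not accept connection
    if client domain is in the black list or server is overloaded': enabled, the
    connection is refused; disabled, the connection is accepted but mail is not."""
    host = reverse_lookup(client_ip)
    if host is None:
        return "accept"   # assumption: without a PTR record there is no client domain to match
    active = [e for e in blacklist if not e.deactivate]
    if any(e.do_not_reject and host_in_domain(host, e.domain) for e in active):
        return "accept"
    if any(not e.do_not_reject and host_in_domain(host, e.domain) for e in active):
        return "reject-connection" if reject_connection else "reject-mail"
    return "accept"


def audit(blacklist: List[DomainEntry], reject_connection: bool) -> Dict[str, str]:
    """Decision for every client in the sample PTR table plus one without a PTR."""
    return {ip: classify_client(ip, blacklist, reject_connection)
            for ip in list(PTR_TABLE) + ["203.0.113.6"]}


# Constructed blacklist using the dial-up domains the guide's note mentions.
BLACKLIST = [
    DomainEntry("dip0.t-ipconnect.de"),
    DomainEntry("dip.t-dialin.net", deactivate=True),        # entered, not yet active
    DomainEntry("tisdip.tiscali.de"),
]

if __name__ == "__main__":
    for flag in (True, False):
        print(f"Do not accept connection = {flag}: {audit(BLACKLIST, flag)}")
```

The audit makes the effect of each setting visible before it is enforced: the client whose PTR name ends in dip0.t-ipconnect.de is refused at connection time with the Load Limits parameter enabled and only at message time with it disabled, the client under the deactivated dip.t-dialin.net entry passes until that entry is activated in the list, and the provider relay smtprelay.t-online.de is unaffected because no entry covers it.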

To add a domain to the list, use the area labeled:

• Add new domain — Enter the domain you want to have blacklisted in the input field provided here, such as company.mail.

Also configure the following two options by enabling or disabling them:

• deactivate — Enable this option if you want to just enter the sender in the list, but not yet activate the filtering function.

This may be done later by selecting the corresponding checkbox in the list (see below).

• do not reject — Enable this option to have e-mails from all senders of the configured domain rejected, with the exception of the sender specified here.

This option can also be modified by editing the list (see below).

Click Add to Blacklist.

If this action was successful, the entry is added to the list, which is displayed at the bottom of this section.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To sort the list in ascending or descending order, click the symbol next to the Domain column heading.

To edit an entry, type the appropriate text in the input field of the Domain column and select to enable or deselect to disable the deactivate and do not reject checkboxes.

Click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field of the Domain column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

Sender Black List

The Sender Black List tab looks like this:

There is the following section on this tab:

• Sender Black List

Sender Black List

This section allows you to add a sender to the Sender Black List for the SMTP gateway. If a sender is on this list, e-mails from this sender will be rejected even before they have been fully transmitted.

To add a sender to the list, use the area labeled:

• Add new sender — Enter the sender you want to have blacklisted in the input field provided here, such as company.mail.

Also configure the following two options by enabling or disabling them:

• deactivate — Enable this option if you want to just enter the sender in the list, but not yet activate the filtering function.

This may be done later by selecting the corresponding checkbox in the list (see below).

• do not reject — Enable this option to have e-mails from all senders of the configured domain rejected, with the exception of the sender specified here.

This option can also be modified by editing the list (see below).

Click Add to Sender Black List.

If this action was successful, the sender is added to the list, which is displayed at the bottom of this section.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To sort the list in ascending or descending order, click the symbol next to the Domain column heading.

To edit an entry, type the appropriate text in the input field of the Domain column and select to enable or deselect to disable the deactivate and do not reject checkboxes.

Click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field of the Domain column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

Recipient Black List

The Recipient Black List tab looks like this:

There is the following section on this tab:

• Recipient Black List

Recipient Black List

This section allows you to add a recipient to the Recipient Black List for the SMTP gateway. If a recipient is on this list, e-mails to this recipient will be rejected even before they have been fully transmitted.

To add a recipient to the list, use the area labeled:

• Add new recipient — Enter the recipient you want to have blacklisted in the input field provided here, such as company.mail.

Also configure the following two options by enabling or disabling them:

• deactivate — Enable this option if you want to just enter the recipient in the list, but not yet activate the filtering function.

This may be done later by selecting the corresponding checkbox in the list (see below).

• do not reject — Enable this option to have e-mails from all recipients of the configured domain rejected, with the exception of the recipient specified here.

This option can also be modified by editing the list (see below).

Click Add to Recipient Black List.

If this action was successful, the recipient is added to the list, which is displayed at the bottom of this section.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To sort the list in ascending or descending order, click the symbol next to the Domain column heading.

To edit an entry, type the appropriate text in the input field of the Domain column and select to enable or deselect to disable the deactivate and do not reject checkboxes.

Click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field of the Domain column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

TrustedSource

The TrustedSource tab looks like this:

There is the following section on this tab:

• TrustedSource score

TrustedSource score

Using this section, you can configure the rejection of e-mails depending on an evaluation of their sender IP addresses. This evaluation is performed using DNS queries that are sent to the TrustedSource server, from where a reputation score is returned.

This feature is not enabled by default. If you want to use it, select the checkbox next to the section heading. After specifying this setting or after modifying the score setting, click Apply Changes to make these settings effective.

Use the following input field to modify the TrustedSource score:

• Reject connection if score is more than — Enter a value here for the reputation score. If the TrustedSource server returns a score higher than this value for a sender IP address, the e-mail in question will be rejected.

A score higher than 80 means that no legitimate traffic is to be expected from a sender. For this reason, 80 is the default value.

Load limits

The Load Limits options are invoked by clicking the corresponding button under Proxies. They are described in the upcoming section:

• Load limits

Load limits

The Load Limits tab looks like this:

There are three sections on this tab:

• Load Limits

• DoS Attack

• Gateway Performance

Load Limits

The Load Limits section looks like this:

Using this section, you can configure load limits to determine when the server is overloaded. Limits may depend on various criteria, such as the size of e-mails sent to the server, the volume of mail queues, or the number of recipients of an e-mail.

After reaching a configured load limit, the server is overloaded. If a client sends an e-mail to the overloaded server, the connection is accepted, but a message will be sent in return informing the client about this overload. The e-mail sent by the client will not be accepted.

If the server is overloaded, it continues with processing e-mails that were accepted so far. This means the number of e-mails still in the queues will eventually reach a level below the configured load limits. As soon as this is the case, new connections and e-mails will be accepted.

For example, if a configured load limit of 10,000 e-mails has been reached for the inbound queue, and the server processes one e-mail, the actual load is reduced to 9,999. Then the next time a client tries to connect to the server to send an inbound e-mail, it will be accepted.

After modifying any of the settings in this section, click Apply Changes to make the modification effective.

Use the following checkboxes and input fields to configure load limits:

• Do not accept connection if client domain is in the black list or server is overloaded — Select this checkbox if you do not want to allow a client sending an e-mail to connect to the server in case of a server overload. The connection is then dropped and even the return message mentioned above will not be sent.

Furthermore, the client will not be allowed to connect to the server if its IP address belongs to a domain that has been entered in the Client Domain Black List. A reverse DNS lookup is performed to establish the domain an IP address belongs to.

• Do not accept mails bigger than . . . KB — Make sure the checkbox provided here is selected if you want the server overload to depend on the size of an e-mail. The checkbox is selected by default.

Accept the default size, or enter a different value (in kilobytes) in the corresponding input field. The default size is 10240 KB.

• Do not accept mails if there are more than . . . mails in the . . . queue — Make sure the checkbox provided here is selected if you want the server overload to depend on the number of e-mails in a particular queue, such as the Inbound queue. The checkbox is selected by default. The default values are 10000 and Inbound.

Accept the default number and queue, or enter different values in the corresponding input fields.

• Do not accept mails if there are more than . . . mails in the . . . queue — Make sure the checkbox provided here is selected if you want the server overload to depend on the number of e-mails in yet another queue, such as the Outbound queue. The checkbox is selected by default.

Accept the default number and queue, or enter different values in the corresponding input fields. The default values are 10000 and Outbound.

• Do not accept mails if there are more than . . . recipients — Make sure the checkbox provided here is selected if you want the server overload to depend on the number of the recipients of an e-mail. The checkbox is selected by default.

Accept the default number, or enter a different value in the corresponding input field. The default number is 200.

DoS Attack

The DoS Attack section looks like this:

Using this section, you can configure actions that will be taken in case a DoS (Denial of Service) attack has been attempted against the SMTP gateway.

You can also configure a time interval and volumes with regard to an attack.

Depending on these, the configured actions will take effect.

After modifying any of the settings in this section, click Apply Changes to make the modification effective.

Use the following checkboxes and input fields to configure DoS attack options:

• Block Gateway for . . . minutes in case of multiple clients attack — Select this checkbox if you want to block the gateway for some time after DoS attack by more than one client. For this time interval, accept the default number of minutes, or enter a different number in the input field. The default number is 6.

If there are any further requests during this time, the clients that made these requests will not be allowed to connect to the gateway.

• Add single client to IP black list — Select this checkbox in case a DoS attack is launched by only one client and you want to add the client IP address to a black list.

This means that from now on, a client with this address will not be allowed to connect to the gateway when sending a request.

To have the action executed, the attack must consist of more than a given number of requests within a given time interval. For the corresponding parameters, see below.

• Enable message to be written to system log — Select this checkbox if you want to have a message written to the system log after a DoS attack has been launched either by a single client or by multiple clients.

Accept the default text in the Message text input field, or enter a new one.

The default text is %d by %u (generated %t by %o).

To have the action executed, the attack must consist of more than a given number of requests within a given time interval. For the corresponding parameters, see below.

• Action taken when, within a time span of . . . seconds — Accept the default interval required for a DoS attack (the interval within which a given number of requests must have been exceeded for this to be classified as a DoS attack), or enter a different value in the input field. The default interval is 60 seconds.

• a single client sends more than . . . requests — In the input field provided here, enter the number of requests sent by a single client that must have been exceeded within the above time interval in order to have this classified as a DoS attack. The default number is 300.

• all clients send more than . . . requests — In the input field provided here, enter the total number of requests sent by more than one client that must have been exceeded within the above time interval in order to have this classified as a DoS attack. The default number is 10000.
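The three DoS Attack parameters above (time span, single-client request count, all-clients request count) together with the two actions (block the gateway for some minutes, add a single client to the IP black list) describe a sliding-window rate check. The following Python model is an added illustration of that logic and is not McAfee Web Gateway code; it uses the guide's default values (60 seconds, 300, 10000, 6 minutes), and the client addresses, traffic and system-log message text are constructed for the example.

```python
from collections import defaultdict, deque


class DosDetector:
    """Sliding-window model of the DoS Attack options described above.

    Added illustration, not McAfee Web Gateway code. Defaults mirror the guide:
    a 60-second time span, more than 300 requests from a single client,
    more than 10000 requests from all clients, and a 6-minute gateway block.
    The system-log message text is a constructed placeholder.
    """

    def __init__(self, window_s=60, single_limit=300, total_limit=10000,
                 block_minutes=6):
        self.window_s = window_s
        self.single_limit = single_limit
        self.total_limit = total_limit
        self.block_s = block_minutes * 60
        self.per_client = defaultdict(deque)   # client IP -> request timestamps
        self.total = deque()                   # request timestamps of all clients
        self.ip_blacklist = set()              # "Add single client to IP black list"
        self.gateway_blocked_until = None      # "Block Gateway for ... minutes"
        self.syslog = []                       # "Enable message to be written to system log"

    def _expire(self, q, now):
        # Drop timestamps that have left the sliding window.
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def request(self, client_ip, now):
        """Record a connection attempt at time `now` (seconds).

        Returns "accepted" or a string naming why the connection was refused.
        """
        if client_ip in self.ip_blacklist:
            return "refused: client on IP black list"
        if self.gateway_blocked_until is not None:
            if now < self.gateway_blocked_until:
                return "refused: gateway blocked after multiple-clients attack"
            self.gateway_blocked_until = None   # block interval has elapsed

        q = self.per_client[client_ip]
        self._expire(q, now)
        self._expire(self.total, now)
        q.append(now)
        self.total.append(now)

        # "a single client sends more than ... requests" within the time span
        if len(q) > self.single_limit:
            self.ip_blacklist.add(client_ip)
            self.syslog.append(f"DoS attack by single client {client_ip} "
                               f"({len(q)} requests in {self.window_s}s)")
            return "refused: single-client attack, client black-listed"

        # "all clients send more than ... requests" within the time span
        if len(self.total) > self.total_limit:
            self.gateway_blocked_until = now + self.block_s
            self.syslog.append(f"DoS attack by multiple clients "
                               f"({len(self.total)} requests in {self.window_s}s)")
            return "refused: multiple-clients attack, gateway blocked"

        return "accepted"


def simulate_burst(detector, clients, per_client, start=0.0, spacing=0.01):
    """Send `per_client` requests from each client IP in round-robin order.

    Constructed traffic for the illustration; returns a count per outcome.
    """
    outcomes = defaultdict(int)
    t = start
    for _ in range(per_client):
        for ip in clients:
            outcomes[detector.request(ip, t)] += 1
            t += spacing
    return dict(outcomes)
```

Lowering the limits in the constructor is the quickest way to see both branches: with `single_limit=3` the fourth request from one address within the window black-lists that address, and with `total_limit=10` the eleventh request from a group of addresses blocks the gateway until the block interval has elapsed, after which the window has emptied and connections are accepted again.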

Gateway Performance

The Gateway Performance section looks like this:

Using this section, you can configure load limits and other measures to improve the gateway performance.

After modifying any of the settings in this section, click Apply Changes to make the modification effective.

Use the following input fields and checkboxes to configure limits and other parameters for a better gateway performance:

• Max number of filtering processes at one time — Accept the default number for these processes, or enter a different value in this input field. The default number is 50.

• Max number of mail delivery processes at one time — Accept the default number for these processes, or enter a different value in this input field. The default number is 50.

• Max number of mail export processes at one time — Accept the default number for these processes, or enter a different value in this input field. The default number is 50.

• Max number of DNS check processes at one time — Accept the default number for these processes, or enter a different value in this input field. The default number is 50.

• Adjust number of threads depending on the current load — Select the checkbox provided here to adjust thread numbers.

• Stop gateway after . . . recoveries within last 10 minutes — Select the checkbox provided here and accept the default number of gateway restarts that must be exceeded before the gateway is shut down, or enter a different value in the input field. The default number is 5.

POP3 access

The POP3 Access options are invoked by clicking the corresponding button under Proxies.

If you want to enable any of these options, you also need to select the checkbox that is on this button. Click Apply Changes to make this setting effective.

The options are described in the upcoming section:

• POP3 access

POP3 access

The POP3 Access tab looks like this:

There is the following section on this tab:

• Port Settings

Port Settings

Using this section, you can configure access to the POP3 server for your preferred mail client. You need to configure the listener port for this server and specify the IP addresses you want to restrict access to the server to (if there are any).

If you would like to use your preferred mail client to manage queues, you should first enable POP3 Access in the navigation bar, then define the listener port for the POP3 server and finally restrict access to specific IP addresses if necessary.

You also need to configure your mail client by setting up an Internet account for it and specifying the incoming mail server, in this case, the McAfee Web Gateway IP address or the name of the system McAfee Web Gateway is running on. Furthermore, you need to configure the outgoing mail server.

The account name is the same as the queue name configured in the conf/smtpqueues.dat configuration file, such as spam, infected, policy, and so on. The remaining settings are made in this conf/smtpqueues.dat file, where a password is required for each queue accessible via POP3.

After specifying the appropriate information here, click Apply Changes to make these settings effective.

Use the following input fields to configure access to the POP3 server:

• Port — Enter the port number for listener port on the POP3 server here. The default port number is 110.

Tip: It is highly recommended not to change it, since many mail clients do not allow it to be configured.

• Allow access from — In this input field, enter the IP addresses that you want to restrict access to the POP3 server to.

The input format is as follows: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.

Entering an * (asterisk) here would mean that every site is allowed access.

ICAP(S) server

The ICAP(S) Server options are invoked by clicking the corresponding button under Proxies. They are described in the upcoming sections:

• ICAP(S) server

• Server settings

• REQMOD settings

• RESPMOD settings

ICAP(S) server

The ICAP(S) Server tab looks like this:

There are three sections on this tab:

• Port Settings (ICAP)

• Port Settings (ICAPS)

• Client Authentication

Port Settings (ICAP)

The Port Settings section for ICAP server settings looks like this:

Above this section is a checkbox labeled:

• Enable ICAP server — Ensure this checkbox is selected if you want to configure the ICAP server functions for McAfee Web Gateway.

Using this Port Settings (ICAP) section, you can configure the listener port for the ICAP server and who is allowed access over this port.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following input fields to configure the port settings for the ICAP server:

• Port — Specify the listener port here. The input format is: [IP]: port

The default port number is 1344.

• Allow access from — Specify the IP addresses here that should have access to the listener port.

The input format is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.

Tip: Type * (asterisk) to allow everyone access.

Port Settings (ICAPS)

The Port Settings section for ICAPS server settings looks like this:

Above this section is a checkbox labeled:

• Enable ICAPS server — Make sure this checkbox is selected if you want to configure the ICAPS server functions for McAfee Web Gateway.

Using this Port Settings (ICAPS) section, you can configure the listener port for the ICAPS server and who is allowed access over this port.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following input fields to configure the port settings for the ICAPS server:

• Port — Specify the listener port here. The input format is: [IP]: port

The default port number is 11344.

• Allow access from — Specify the IP addresses here that should have access to the listener port.

The input format is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*.

Tip: Type * (asterisk) to allow everyone access.
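The Allow access from fields of the POP3 server and of the ICAP and ICAPS listener ports above all use the same input format, (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*, with * meaning everyone. The following Python code is an added example of parsing and evaluating such a value; it is not McAfee Web Gateway code. Two details the page does not spell out are assumptions here: an IP range is written as "first-last", and a NetMask may be a prefix length ("/24") or a dotted mask ("/255.255.255.0"). The addresses in the usage are constructed.

```python
import ipaddress


def parse_allow_list(spec):
    """Parse an "Allow access from" value into a list of matcher tuples.

    Accepted forms, as on the tab: IP, IP/NetMask, IP range, separated by
    commas, or a single * meaning everyone. Added example, not McAfee Web
    Gateway code. Assumed (not stated on the page): a range is "first-last";
    a NetMask is a prefix length or a dotted mask. Raises ValueError on
    malformed input so a typo fails closed instead of silently allowing.
    """
    spec = spec.strip()
    if spec == "*":
        return [("any",)]             # everyone is allowed access
    matchers = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty element in access list")
        if "/" in item:
            # strict=False tolerates host bits set in the network part
            matchers.append(("net", ipaddress.ip_network(item, strict=False)))
        elif "-" in item:
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if first.version != last.version or last < first:
                raise ValueError(f"invalid range: {item}")
            matchers.append(("range", first, last))
        else:
            matchers.append(("host", ipaddress.ip_address(item)))
    return matchers


def is_allowed(matchers, client):
    """Return True if `client` (an IP address string) matches any list element."""
    ip = ipaddress.ip_address(client)
    for m in matchers:
        kind = m[0]
        if kind == "any":
            return True
        if kind == "host" and ip == m[1]:
            return True
        if kind == "net" and ip.version == m[1].version and ip in m[1]:
            return True
        if kind == "range" and ip.version == m[1].version and m[1] <= ip <= m[2]:
            return True
    return False


def check_clients(spec, clients):
    """Evaluate several client addresses against one access-list value."""
    matchers = parse_allow_list(spec)
    return {c: is_allowed(matchers, c) for c in clients}


if __name__ == "__main__":
    # Constructed addresses for the illustration.
    print(check_clients("10.0.0.5, 192.168.1.0/24, 172.16.0.10-172.16.0.20",
                        ["10.0.0.5", "192.168.1.200", "172.16.0.21", "2001:db8::1"]))
```

The matcher treats a version mismatch (an IPv6 client against an IPv4 element) as a non-match rather than an error, and any syntax it cannot parse is rejected when the list is read, so the effective policy is never wider than what was written.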

Client Authentication

The Client Authentication section looks like this:

Using this section, you can configure a restriction for certificates that are submitted for client authentication. You can select a Certificate Authority (CA) and have only certificates issued by this CA accepted.

Note: This restriction can only be configured when you are using the ICAPS server.

If you want to use this feature, select the checkbox next to the section heading.

After specifying this setting and selecting the CA, click Apply Changes to make these settings effective.

Use the following drop-down list to configure client authentication:

• Accept only certificates issued by — Select the CA you want to trust here.

Server settings

The Server Settings tab looks like this:

There are three sections on this tab:

• ICAP Options

• Additional ICAP Headers

• Remember Infected URLs

ICAP Options

The ICAP Options section looks like this:

Using this section, you can configure a number of options with regard to ICAP communication.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure ICAP communication:

• Never split ICAP headers — Select this checkbox to forbid the splitting of ICAP headers for ICAP clients that cannot handle ICAP responses with encapsulated HTTP headers and ICAP response headers sent in separate TCP/IP packets.

• Wait for complete ICAP request — Select one of the radio buttons provided under this option to enable waiting for the complete ICAP request in different modes.

This may be required for ICAP clients that are not able to receive parts of the filtered HTTP response, while other parts of the same file are still being sent to McAfee Web Gateway.

McAfee Web Gateway’s normal behavior is to try to filter HTTP data chunk by chunk to reduce the latency time.

McAfee Web Gateway prefers this option to be disabled, while NetCache 5.2 FCS users running ICAP/1.0 in RESPMOD need to enable it.

NetCache 5.2R1 and later releases allow the disabling of this option.

If you are running McAfee Web Gateway together with Blue Coat’s Security Gateway using ICAP, the option also needs to be enabled, which means you should configure Always as value for this kind of configuration.

Use the radio buttons provided here to configure values for the Wait ... option as follows:

• Never — Never wait for the complete ICAP request. This value is configured by default.

• Only for FTP requests — Only wait for the complete ICAP request in case of FTP requests.

• Only for REQMOD requests — Only wait for the complete ICAP request if the ICAP client is a Bluecoat ProxySG Appliance and at the same time the filtering of REQMOD uploads is not enabled. Otherwise, this option is not needed for the Bluecoat client.

To verify if the filtering of REQMOD uploads is enabled, go to the REQMOD Settings tab and verify the option labeled Apply configured filters on uploaded and posted data is enabled.

Note: If you configure this value, data trickling and progress pages will not be activated.

• Always — Always wait for the complete ICAP request.

Note: If you configure this value, data trickling and progress pages will not be activated.

• Do not send early 204 responses — Select this checkbox to forbid the sending of these responses for ICAP clients that support 204 responses at the end of ICAP messages, but do not handle them if sent before the end of a request.

If the ICAP client supports early 204 responses (as all built-in McAfee Web Gateway ICAP clients do), you should not configure this value, for better performance.

• Bypass RESPMOD for blocked requests (request satisfaction mode) — Make sure this checkbox is selected if you want to bypass filtering for block messages that McAfee Web Gateway receives as responses from the ICAP server.

Note: In this configuration McAfee Web Gateway runs as the ICAP client, so this setting is an ICAP client setting even though it is configured on the Server Settings tab. The checkbox is selected by default.

The blocking of a request occurs due to a corresponding result of REQMOD filtering. The filtering is performed by the ICAP server, which may also be provided by McAfee Web Gateway, or may be another ICAP server that has been configured to support McAfee Web Gateway.

In case the filtering is done by an ICAP server that is not McAfee Web Gateway, you may prefer to have the block message that the ICAP client receives from this ICAP server filtered in RESPMOD mode by McAfee Web Gateway before it is sent back to the browser that submitted the request.

If McAfee Web Gateway is the ICAP server, RESPMOD filtering is not needed and can be bypassed since the response originates from McAfee Web Gateway.

• Strict ICAP RFC compliance — Select this checkbox to ensure that the ICAP server communication strictly adheres to the mode specified in the corresponding RFC document.

The strict mode is, however, not supported by some ICAP clients.

• Preferred preview size — In the input field provided here, enter the number of bytes for the preferred preview size.

This size equals the number of bytes McAfee Web Gateway shows in the OPTIONS response. An ICAP client should send this number of bytes in a REQMOD or RESPMOD request first.

The client should then wait for McAfee Web Gateway to either indicate that the rest of the data is also needed, or McAfee Web Gateway is not interested in seeing the data, and the file is allowed unfiltered.

The default value is 30 bytes. A value of 0 bytes means that only the ICAP header is sent in response modification before the ICAP client waits for a response.

To disable the option, enter a negative value here.

• Maximum chunk size — In the input field provided here, enter the maximum chunk size that should be used in ICAP communication. The default size is 5120 KB.

• ISTag: ... — Click Change ISTag Now provided here to change the ISTag.

The ISTag is similar to a version number for an ICAP service. Whenever the version changes, the ICAP client will no longer use responses that McAfee Web Gateway has previously given, but will ask McAfee Web Gateway again for each request or response.

McAfee Web Gateway does not increment the version number when you change McAfee Web Gateway settings or update the URL filter database, because the changes often are not relevant enough to be applied to everyone in your network at once.

You may prefer to configure the caching parameters, so the time span in question does not grow too much before cached responses are automatically invalidated.

If you decide, however, that all cached responses should be invalidated at once, click the button to change the ISTag, but be aware that this could generate a higher load until the cache gets refilled.
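The Preferred preview size and ISTag items above describe two things an ICAP client reads from the server's OPTIONS response: how many bytes to send before waiting for a verdict, and the tag that tells it whether earlier verdicts are still usable. The following Python code is an added example of the client-side handling of both and is not McAfee Web Gateway code. The OPTIONS response text is a constructed sample; the header names (ISTag, Preview, Allow, Methods, Encapsulated) are those defined by the ICAP specification, RFC 3507.

```python
# Constructed sample OPTIONS response; not captured from a real appliance.
SAMPLE_OPTIONS_RESPONSE = (
    "ICAP/1.0 200 OK\r\n"
    "Methods: RESPMOD\r\n"
    "Service: constructed sample ICAP service\r\n"
    "ISTag: \"constructed-istag-0001\"\r\n"
    "Preview: 30\r\n"
    "Allow: 204\r\n"
    "Encapsulated: null-body=0\r\n"
    "\r\n"
)


def parse_icap_options(raw):
    """Extract the fields a client needs from an ICAP OPTIONS response.

    Returns a dict with the unquoted ISTag, the Preview size (None when the
    server advertises no preview), whether 204 responses are allowed, and the
    supported methods. Raises ValueError on a non-200 or malformed status line.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or parts[1] != "200":
        raise ValueError(f"unexpected OPTIONS status line: {lines[0]}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    preview = headers.get("preview")
    return {
        "istag": headers.get("istag", "").strip('"'),
        "preview": int(preview) if preview is not None else None,
        "allow_204": "204" in [v.strip() for v in headers.get("allow", "").split(",")],
        "methods": [m.strip() for m in headers.get("methods", "").split(",") if m.strip()],
    }


def preview_chunk(body, preview):
    """Bytes the client sends first, following the preview rule described above.

    preview None: no Preview header was advertised (option disabled), send everything;
    preview 0: send only the ICAP and encapsulated headers, no body bytes;
    otherwise: send at most `preview` bytes and wait for the server's verdict.
    """
    if preview is None:
        return body
    return body[:max(preview, 0)]


class IstagCache:
    """Client cache of server verdicts keyed by ISTag.

    Models the behaviour the text describes: once the ISTag changes, every
    verdict received under the previous tag is no longer used.
    """

    def __init__(self):
        self._entries = {}   # (istag, url) -> verdict string

    def store(self, istag, url, verdict):
        self._entries[(istag, url)] = verdict

    def lookup(self, current_istag, url):
        """Return the cached verdict, or None if it was given under another ISTag."""
        return self._entries.get((current_istag, url))

    def purge_stale(self, current_istag):
        """Drop entries recorded under any ISTag other than the current one; return the count."""
        stale = [k for k in self._entries if k[0] != current_istag]
        for k in stale:
            del self._entries[k]
        return len(stale)
```

Keying the cache on the ISTag is what makes the Change ISTag Now button work from the client's side: a new tag in the next OPTIONS response turns every lookup into a miss at once, which is also why the text warns that the load rises until the cache is refilled.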

Additional ICAP Headers

The Additional ICAP Headers section looks like this:

Using this section, you can configure the logging of URL categories at the ICAP client site.

Categories will appear in a log file field named Attribute, according to the logging range you configure here. Furthermore, the field will contain information on whether the blocking was due to RTC or the Access Control List.

Note that there is also a log file field named categories, which is not used to store these categories and is not available at the client site.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following radio buttons and checkbox to configure the logging of URL categories:

• Do not send categories to the ICAP client — If you do not want to have categories sent to the ICAP client make sure this radio button is selected. The radio button is selected by default.

• Send all categories to the ICAP client — Select this radio button to have all categories sent to the ICAP client.

• Send only the blocked categories to the ICAP client — Select this radio button to have only blocked categories sent to the ICAP client.

• Send range of values of the ’X-Attribute’ header in OPTIONS response — Select this checkbox to enable this compatibility setting, which simplifies the co-operation between ICAP server and client.

The X-Attribute header is a type of REQMOD/RESPMOD header. Some ICAP clients may require a range of values of this header in the OPTIONS response.

So, if you are using a client that relies on this data, as is the case with Blue Coat, you should enable this option.

Remember Infected URLs

The Remember Infected URLs section looks like this:

It allows you to configure a time interval for storing the names of virus-infected files. These files will be rejected immediately by McAfee Web Gateway.

Use the following item to configure this interval:

• Virus-infected file names will be stored for ... seconds

Enter a value for the time interval (in seconds) in the input field provided here. The default interval is 1800 seconds.

REQMOD settings

The REQMOD Settings tab looks like this:

There are three sections on this tab:

• REQMOD Options

• REQMOD Response Caching

• Additional REQMOD Response Headers

REQMOD Options

The REQMOD Options section looks like this:

Using this section, you can configure the way ICAP requests are modified.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following items to configure ICAP request modification:

• Handle internal requests in REQMOD — Enable this option to handle internal requests in REQMOD.

Due to restrictions in version 1.0 of the ICAP protocol, internal requests, such as access to the McAfee Web Gateway user interface, can usually not be handled in REQMOD communication.

These are requests that address McAfee Web Gateway under the name of -web.washer-. If your ICAP client is able to accept non-error HTML data in REQMOD satisfaction responses, you can use the option described here to handle these requests also in REQMOD communication.

• Apply configured filters on uploaded and posted data — Enable this option to apply configured filters on uploaded and posted data.

This will let the REQMOD server look into the body of a request, which is a useful feature for URL filtering on parameters, Anti Virus scanning and blocking files by media type.

• Retain original ’User Agent’ field — Enable this option to retain the original User Agent field.

Retaining this field means not to change the text string used by programs to identify themselves towards HTTP, e-mail and news servers. This identification is needed for usage tracking and other purposes, such as displaying web pages in a way that is best suited to the properties of your browser.

It is recommended not to disable this option for the following reason. Some Web servers respond differently to requests when different user agents are involved. Therefore, if the original user agent header of a request is somehow manipulated, this might lead to unexpected behavior on the side of the Web server.

For example, when there is an option for switching from HTTP to HTTPS mode on a Web site, switching back to HTTP might no longer be possible if the original user agent is not retained.

• Suppress unsupported content encodings — Enable this option to suppress unsupported content encodings.

The most common content encodings are UTF-8 (utf-8) and Latin-1 (iso-8859-1). There may be others that are not supported, so you can suppress them using this option.

• Forbid partial downloads (HTTP) — Enable this option to forbid partial downloads for HTTP requests.

Partial downloads can be useful when a download was aborted for one reason or other. In this case, a client could continue the download from where it was interrupted, rather than starting from the beginning.

Partial downloads may, however, cause problems when McAfee Web Gateway uses filters such as the Anti Virus filter, since it may not be able to find a virus in an incomplete file. Successful virus scanning might therefore be impeded by partial downloads.

Unintentional partial downloads may occur when both Anti Virus and data trickling are enabled. McAfee Web Gateway may have started forwarding bytes to a client before the connection is aborted due to a virus being found in the file.

The client becomes aware of this abort, and attempts a partial download of the rest of that file, which may leave McAfee Web Gateway unable to detect the virus.

If magic bytematching is enforced, some partial downloads may be blocked due to an untypical file header, which also limits virus scanning capabilities.

It is therefore recommended to forbid partial HTTP downloads while the McAfee Web Gateway content security filters are enabled.

• Forbid partial file transfers (FTP) — Enable this option to forbid partial downloads for FTP file transfers.

For the reasons given for the Forbid partial downloads (HTTP) option, it is also recommended to forbid partial FTP downloads while the McAfee Web Gateway content security filters are enabled.

• REQMOD resource name — In this input field, enter the name of the resource used for REQMOD communication.

This name should correspond to the resource name for request modification that has been configured on the ICAP client.

• Max REQMOD connections — In the input field provided here, enter the maximum number of connections an ICAP client is allowed to open. McAfee Web Gateway itself does not limit the connection count, but the hardware or operating system you are using may.

Also, the more filters are enabled and the more connections are open at the same time, the longer McAfee Web Gateway needs to handle an individual ICAP request. If this value is set very high, an ICAP client might therefore conclude that McAfee Web Gateway is no longer responding because the response time has grown too much.

If your ICAP client reports that it cannot open more connections while your ICAP server is not under high load, increase this value.

If your ICAP client believes that McAfee Web Gateway is down although it is still running, decrease this value.

REQMOD Response Caching

The REQMOD Response Caching section looks like this:

Using this section, you can configure the way REQMOD responses are cached.

In REQMOD, the ICAP server sends one of three things back to the ICAP client: a modified version of the request, a complete HTTP response (such as an error page saying that access to a particular URL is not allowed), or, if the client has indicated that it supports 204 responses, a 204 status indicating that no modification is required.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following items to configure REQMOD response caching:

• Cacheability — From the drop-down list provided here, select whether the ICAP client may cache responses for everyone at all times, for the current user group only, or for a single user only.

When multiple McAfee Web Gateway group policies are in use, a REQMOD response may not be valid for everybody. By default, McAfee Web Gateway determines the group a response is valid for from the chosen policy method. By selecting a different value here, you can override this determination.

Note: A response cannot be cached if the HTTP request was modified by the Cookie Filter, the Referer Filter or the appended User Agent.

• Default Caching Age — In the input field provided here, enter a time interval to determine how long a response is cached.

The caching age is usually determined by the time schemes set for the URL filter database category a URL falls into. If a category is allowed until 3 p.m., the response for a URL in this category is also valid until 3 p.m. If a URL is not in the URL filter database, the caching value configured here is used instead.

• Min Caching Age — In the input field provided here, enter a time interval to determine the minimum time a response is cached.

Use this option to make sure a given URL is not requested again and again in very short intervals, even though its response is not cacheable. Regardless of what was calculated, the caching interval will never be smaller than this value.

Note that this can disable the privacy filters: if caching is forced for responses that should not be cached (for example, for requests that the Cookie Filter or the Referer Filter modified), the ICAP client reuses the cached response, and the corresponding requests are not passed to McAfee Web Gateway again until it expires.

To disable the McAfee Web Gateway cache-control feature, specify a negative value for this option as well as for Max Caching Age, see below.

• Max Caching Age — In the input field provided here, enter a time interval to determine the maximum time a response is cached.

Use this option to limit the time responses are cached. Regardless of what was calculated, the caching interval will never be greater than this value.

This can be very useful if you do not want to change the ISTag with every change to McAfee Web Gateway or the URL filter database. After this maximum interval has elapsed, the ICAP client asks McAfee Web Gateway to re-validate the response.

To disable the McAfee Web Gateway cache-control feature, specify a negative value for this option as well as for Min Caching Age, see above.
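As an added example (not code from this guide or from the product), the following Python models the REQMOD exchange described above and the caching-age rules of this section: the ICAP client builds a REQMOD request announcing Allow: 204, the server answers with a 204, a modified request or a block page, and caching_age applies the default, minimum and maximum ages as the options describe, including the forced minimum that overrides a "not cacheable" verdict. The host name, port, resource name and ISTag value are assumptions, and the category time scheme is reduced to the number of seconds it still allows.

```python
from datetime import datetime
from typing import Optional

# Assumed ISTag value; a real gateway changes it whenever its policy or the
# URL filter database changes, which is what invalidates cached verdicts.
ISTAG = '"WWG-policy-rev-42"'

# Constructed sample HTTP request header block, the part the ICAP client
# encapsulates in REQMOD. www.example.com is a placeholder destination.
HTTP_REQUEST = (
    b"GET http://www.example.com/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def build_reqmod(http_headers: bytes, resource: str = "wwreqmod",
                 host: str = "icap.example.internal", allow_204: bool = True) -> bytes:
    """Client side: wrap an HTTP request header block in an ICAP REQMOD request.
    'resource' has to match the REQMOD resource name configured on the server.
    Encapsulated gives the byte offset of each section; null-body marks the
    end of a request that carries no body (RFC 3507, section 4.4.1)."""
    lines = [f"REQMOD icap://{host}:1344/{resource} ICAP/1.0", f"Host: {host}"]
    if allow_204:
        lines.append("Allow: 204")  # the client accepts "no modification needed"
    lines.append(f"Encapsulated: req-hdr=0, null-body={len(http_headers)}")
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + http_headers


def parse_icap(raw: bytes):
    """Split an ICAP message into (start line, lower-cased header dict, encapsulated bytes)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, encapsulated


def reqmod_respond(raw_reqmod: bytes, verdict: str, payload: bytes = b"") -> bytes:
    """Server side, producing the three outcomes listed above. 'verdict' is
    "unchanged" (204 if the client allowed it, else a 200 echoing the request),
    "modified" (payload is the rewritten request header block) or
    "blocked" (payload is a complete HTTP response such as an error page)."""
    start, headers, encapsulated = parse_icap(raw_reqmod)
    if not start.startswith("REQMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\n\r\n"
    if verdict == "unchanged":
        if "204" in headers.get("allow", ""):
            return f"ICAP/1.0 204 No Content\r\nISTag: {ISTAG}\r\n\r\n".encode("ascii")
        verdict, payload = "modified", encapsulated  # no 204 allowed: send the request back
    if verdict == "modified":
        enc = f"req-hdr=0, null-body={len(payload)}"
    elif verdict == "blocked":
        res_hdr = payload.partition(b"\r\n\r\n")[0]
        enc = f"res-hdr=0, res-body={len(res_hdr) + 4}"
    else:
        raise ValueError(f"unknown verdict {verdict!r}")
    head = f"ICAP/1.0 200 OK\r\nISTag: {ISTAG}\r\nEncapsulated: {enc}\r\n\r\n"
    return head.encode("ascii") + payload


def seconds_until(now: datetime, until: datetime) -> int:
    """Remaining validity of a category time scheme, e.g. 'allowed until 3 p.m.'."""
    return max(0, int((until - now).total_seconds()))


def caching_age(schedule_age: Optional[int], default_age: int, min_age: int,
                max_age: int, request_modified: bool) -> Optional[int]:
    """Seconds the ICAP client may reuse a REQMOD verdict, following the rules
    above. schedule_age comes from the category time scheme (None when the URL
    is not in the database, in which case default_age applies); a request
    rewritten by the Cookie, Referer or user-agent filter is not cacheable;
    Min and Max then clamp the result. Negative Min and Max disable cache
    control entirely, signalled by None."""
    if min_age < 0 and max_age < 0:
        return None
    if request_modified:
        age = 0
    elif schedule_age is not None:
        age = schedule_age
    else:
        age = default_age
    if min_age >= 0:
        age = max(age, min_age)  # forced floor: overrides even 'not cacheable'
    if max_age >= 0:
        age = min(age, max_age)  # ceiling: the client re-validates afterwards
    return age
```

Running caching_age with a request the Cookie Filter modified and a Min Caching Age of 60 returns 60 rather than 0, which is exactly the privacy-filter caveat given for that option.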

Additional REQMOD Response Headers

The Additional REQMOD Response Headers section looks like this:

Using this section, you can add a header to a response sent in REQMOD mode to an ICAP client that submitted a request.

You can also let the additional header specify that a next-hop proxy is used for routing client requests. You can then make the use of a next-hop proxy depend on the filtering policy.

Use the following input field to add a header:

• Header Definition — Type a name and value for the header. To specify multiple headers, type a name and value for each of them. Then click Apply Changes.

The input format is:

header name = value [, header name = value, ...]

To let the header specify the use of a next-hop proxy, depending on a policy, type:

X-NextProxy-PseudoDest = %g

where the value of X-NextProxy-PseudoDest serves as a term that must be matched within a condition for using next-hop proxies. %g is a variable that expands to the name of the policy used when a request is processed.

A condition for using a next-hop proxy is configured on the Next Hop Proxies tab under Proxies > HTTP Proxy (or HTTPS Proxy or FTP Proxy). Usually, it combines a URL and an IP address. If both match, a next-hop proxy from the list of available proxy servers is used.

When an additional header is sent in the way described here, the policy name specified by %g is evaluated. If a condition has been configured that contains this policy name (and the IP address matches, too), this will enable the use of a next-hop proxy.

Configuring the use of a next-hop proxy depending on a policy is subject to the following limitations:

• Under transparent SSL, the feature will not work if the REQMOD request sent for the pseudo-CONNECT call takes place after the handshake.

• Under FTP, several REQMOD requests are sent; the use of a next-hop proxy is determined by the last request before the control connection is set up.

• If Do not use next hops for local addresses is selected on the Next Hop Proxies tab under Proxies > HTTP Proxy (or HTTPS Proxy or FTP Proxy), no next-hop proxy will be used, since the policy name contains no . (dot) and is therefore taken for a local address.

In this case, if you still want to use a next-hop proxy, change the %g variable to %g.com.
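To make the policy-dependent next-hop selection concrete, here is an added Python example (not McAfee code). It expands a Header Definition such as X-NextProxy-PseudoDest = %g.com with the policy name and then evaluates a next-hop condition on the pseudo-destination and the client IP address, including the local-address limitation above. The shape of the condition table, the policy names and the proxy addresses are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional


def expand_header_definition(definition: str, policy_name: str) -> Dict[str, str]:
    """Parse 'header name = value [, header name = value, ...]' and replace the
    %g variable with the name of the policy applied to the request.
    Values containing a comma are not supported by this simple splitter."""
    headers: Dict[str, str] = {}
    for item in definition.split(","):
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed header definition: {item.strip()!r}")
        headers[name.strip()] = value.strip().replace("%g", policy_name)
    return headers


# Assumed shape of a next-hop condition: the pseudo-destination it must
# equal, the client network it applies to, and the proxy to use. Sample data.
NEXT_HOP_CONDITIONS: List[Dict[str, str]] = [
    {"dest": "Finance.com", "clients": "10.10.0.0/16", "proxy": "proxy-fin.example.internal:8080"},
    {"dest": "Guests.com", "clients": "10.20.0.0/16", "proxy": "proxy-guest.example.internal:8080"},
]


def select_next_hop(pseudo_dest: str, client_ip: str,
                    conditions: List[Dict[str, str]] = NEXT_HOP_CONDITIONS,
                    skip_local_addresses: bool = True) -> Optional[str]:
    """Return the next-hop proxy whose condition matches both the
    pseudo-destination carried in X-NextProxy-PseudoDest and the client IP.
    With 'Do not use next hops for local addresses' on, a destination without
    a dot is taken for a local host name and is never routed via a next hop."""
    if skip_local_addresses and "." not in pseudo_dest:
        return None
    ip = ipaddress.ip_address(client_ip)
    for cond in conditions:
        if cond["dest"] == pseudo_dest and ip in ipaddress.ip_network(cond["clients"]):
            return cond["proxy"]
    return None


def next_hop_for(definition: str, policy_name: str, client_ip: str, **kw) -> Optional[str]:
    """End to end: expand the header definition, then evaluate the condition."""
    headers = expand_header_definition(definition, policy_name)
    dest = headers.get("X-NextProxy-PseudoDest")
    return None if dest is None else select_next_hop(dest, client_ip, **kw)
```

With the plain %g variable and the local-address option on, the policy name "Finance" never selects a next hop; with %g.com it does for clients in the configured network.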

RESPMOD settings

The RESPMOD Settings tab looks like this:

There are two sections on this tab:

• RESPMOD Options

• Additional RESPMOD Response Headers

RESPMOD Options

The RESPMOD Options section looks like this:

Using this section, you can configure the way ICAP responses are modified.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following items to configure ICAP response modification:

• Use URL Filtering in RESPMOD (HTTP, FTP) — Enable this option to perform URL filtering in RESPMOD (HTTP, FTP) communication.

This will increase system load compared to filtering URLs in REQMOD communication, but is still an option in case REQMOD communication is not available on your preferred ICAP client.

• Support 'X-Hash-Id' calculation — Enable this option to support X-Hash-Id calculation.

With this option enabled, NetCache is able to detect that an object is equal to another object that was rejected under a different policy, so NetCache does not unnecessarily store another copy of it.

This feature uses a combination of policy information and a hash over the object in question.

• RESPMOD resource name — In this input field, enter the name of the resource used for RESPMOD communication.

This name should correspond to the resource name for response modification that has been configured on the ICAP client.

• Max RESPMOD connections — In the input field provided here, enter the maximum number of connections an ICAP client is allowed to open. McAfee Web Gateway itself does not limit the connection count, but the hardware or operating system you are using may.

Also, the more filters are enabled and the more connections are open at the same time, the longer McAfee Web Gateway needs to handle an individual ICAP request. If this value is set very high, an ICAP client might therefore conclude that McAfee Web Gateway is no longer responding because the response time has grown too much.

If your ICAP client reports that it cannot open more connections while your ICAP server is not under high load, increase this value.

If your ICAP client believes that McAfee Web Gateway is down although it is still running, decrease this value.

Additional RESPMOD Response Headers

The Additional RESPMOD Response Headers section looks like this:

Using this section, you can configure one or more additional RESPMOD response headers. A RESPMOD response carries the HTTP response a Web server sends back to a client browser, with headers such as date, size and server data; the headers defined here are added to it.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following input field to configure additional headers:

• Header Definition — Specify the additional RESPMOD response headers here. The input format is:

Header = Value[, Header = Value]

Progress indication methods

The Progress Indication Methods options are invoked by clicking the corresponding button under Proxies. They are described in the upcoming section:

• Progress indication methods

Progress indication methods

The Progress Indication Methods tab looks like this:

There are three sections on this tab:

• Progress Indication Options

• Progress Pages

• Data Trickling

Progress Indication Options

The Progress Indication Options section looks like this:

It allows you to configure the time interval that is to elapse before progress indication starts. This applies to all progress indication methods configured under McAfee Web Gateway.

After specifying the appropriate information, click Apply Changes to make this setting effective.

Use the following input field to configure this interval:

• Start progress indication after ... seconds — Enter the appropriate time interval (in seconds) here. The default interval is 5 seconds.

Progress Pages

The Progress Pages section looks like this:

Using this section, you can configure the use of progress pages as method of progress indication. Progress pages indicate to a client the progress made when an object is downloaded and filtered.

On a progress page, there are two buttons to stop a download or to stop it and return to the starting page:

• Cancel — Clicking this button will stop a download that is in progress immediately.

• Back — Clicking this button will stop a download that is in progress after 12 to 20 seconds and return to the page from where it was started.

To configure progress pages, make sure the checkbox next to the section heading is selected. After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following items to configure progress pages:

• Use progress pages only for these clients — Specify the clients you want to configure progress pages for in this input field.

Enter user agent names to specify clients and separate them by the | (pipe sign).

• Update Interval ... seconds — In the input field provided here, enter the time (in seconds) that is to elapse before the next update of a progress page is performed. The default interval is 5 seconds.

• Force sending progress page before filtering archives bigger than ... KB — Use this option to specify that progress pages are used before the filtering of an archive begins, whenever its size exceeds a given value. Enter this value (in kilobytes) in the input field provided here.

Data Trickling

The Data Trickling section looks like this:

Using this section, you can configure the use of the data trickling method.

This method lets you determine how many bytes of an object McAfee Web Gateway forwards towards the client in one go while the rest of the object is still being downloaded and filtered.

Since some browsers do not display anything at all when only very few bytes are transferred, you can configure the size of the first forwarded chunk of data.

To configure data trickling, make sure the checkbox next to the section heading is selected. The checkbox is selected by default.

After specifying the appropriate information, click Apply Changes to make your settings effective.

Use the following items to configure data trickling:

• Size of first forwarded chunk ... bytes — In the input field provided here, enter a byte value to specify the size of the first chunk that is forwarded when data trickling is enabled.

• Forward ... bytes for every ... KBs received — Use this option to specify the size of the data chunk (in bytes) that is forwarded after a data chunk of a given size (in kilobytes) has been received.

Use the two drop-down lists provided here to select the corresponding values.

• Continue trickling during filtering — Enable this option to ensure that data trickling is continued during the filtering process.

• Ensure trickling during filtering archives bigger than ... KB — Enable this option to ensure that data trickling is used whenever the size of an archive that is being filtered exceeds a given value. Enter a value for this size (in kilobytes) in the input field provided here.
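The following Python example, added here and not part of McAfee's documentation or product, models the failure mode described under Forbid partial downloads (HTTP) together with the data trickling parameters above: it computes how many bytes trickling has already released when the filter verdict arrives, builds the Range request a client would send to resume after the abort, shows why the resumed body fails magic byte matching, and applies the policy check that forbids partial downloads. The chunk sizes, the sample body and the magic byte table are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple


def bytes_released_before_verdict(total_size: int, first_chunk: int,
                                  forward_bytes: int, per_kb: int) -> int:
    """Bytes that data trickling has already handed to the client by the time
    the whole object has arrived and the content filters deliver a verdict:
    the first chunk, plus forward_bytes for every per_kb kilobytes received."""
    if total_size <= 0:
        return 0
    released = first_chunk + forward_bytes * (total_size // (per_kb * 1024))
    return min(released, total_size)


RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def parse_range(value: str) -> Optional[Tuple[Optional[int], Optional[int]]]:
    """Parse a single-range Range header ('bytes=1512-' or 'bytes=0-499').
    Multi-range values and anything else unparseable return None."""
    m = RANGE_RE.match(value.strip())
    if not m or (m.group(1) == "" and m.group(2) == ""):
        return None
    first = int(m.group(1)) if m.group(1) else None
    last = int(m.group(2)) if m.group(2) else None
    return first, last


# Constructed magic byte table (a real filter knows far more types).
KNOWN_MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}


def magic_type(data: bytes) -> Optional[str]:
    """Magic byte matching on the start of the data; a resumed partial body
    begins in the middle of a file and matches nothing."""
    for magic, kind in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def decide_request(headers: Dict[str, str], forbid_partial: bool) -> Tuple[str, str]:
    """Policy check for the 'Forbid partial downloads (HTTP)' option.
    Header names are compared case-insensitively."""
    rng = next((v for k, v in headers.items() if k.lower() == "range"), None)
    if rng is None:
        return "allow", "full download, scanned as a whole"
    if parse_range(rng) is None:
        return "block", f"unparseable Range header: {rng!r}"
    if forbid_partial:
        return "block", "partial downloads are forbidden while content filters are enabled"
    return "allow", "partial body will be forwarded, but cannot be scanned reliably"


def resume_scenario(total_size: int, first_chunk: int, forward_bytes: int,
                    per_kb: int, forbid_partial: bool):
    """The sequence described above: trickling releases some bytes, the
    gateway aborts when a virus is found, the client resumes from there."""
    released = bytes_released_before_verdict(total_size, first_chunk, forward_bytes, per_kb)
    resume_headers = {"Range": f"bytes={released}-"}
    return released, decide_request(resume_headers, forbid_partial)
```

For a 200 KB object with a 512-byte first chunk and 100 bytes forwarded per 20 KB received, 1512 bytes reach the client before the verdict; the client's "Range: bytes=1512-" resume request is blocked only when the option is enabled.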

Own host name

The Own Host Name options are invoked by clicking the corresponding button under Proxies. They are described in the upcoming section:

• Own host name

Own host name

The Own Host Name tab looks like this:

There are three sections on this tab:

• Internal Requests

• End User Requests

• Proactive Scanning

Internal Requests

The Internal Requests section looks like this:

Using this section, you can configure the host name under which McAfee Web Gateway refers to itself.

This is needed, for example, in the default error messages to include the McAfee Web Gateway icon, or in cleaned-up HTML code to insert placeholder items. Depending on the network configuration, McAfee Web Gateway can be reached in one way or another.

Use the radio buttons described below to configure an own host name for McAfee Web Gateway.

Click Apply Changes to make your settings effective.

The following options can be configured:

• Use IP address of machine running Webwasher — The IP address of the machine running McAfee Web Gateway can be used in most environments and is the default option for deployments with external ICAP clients.

McAfee Web Gateway can then be accessed using an address and path name, such as http://127.0.0.1:9090/wwfile?name=images/logo_ww.gif

• Use the internal Host -web.washer- — This internal URL can be used when McAfee Web Gateway is addressed as a proxy server from all clients. McAfee Web Gateway can then be accessed using an address and path name, such as http://-web.washer-/wwfile?name=images/logo_ww.gif.

The -web.washer- part of the address will direct the browser to the McAfee Web Gateway proxy.

Note: This option will only work for REQMOD communication, which means that a REQMOD service must have been enabled on the client in question. Furthermore, the server must be told to handle internal requests in REQMOD.

To configure this, go to the REQMOD Settings tab under Proxies > ICAP(S) Server. In the REQMOD Options section, make sure the Handle internal requests in REQMOD option is enabled.

• Use the internal Path -web.washer- — This internal path can be used when McAfee Web Gateway is addressed as a transparent proxy server from all clients. In this case, it may not be possible to connect to the McAfee Web Gateway application directly.

McAfee Web Gateway can then be accessed using an address and path name, such as /-web.washer-/wwfile?name=images/logo_ww.gif.

In this case, the browser does not know that it is actually addressing McAfee Web Gateway, since only a relative path name is given. Again, the -web.washer- part of the address ensures that the appropriate location is reached.

Note: This option will only work for REQMOD communication, which means that a REQMOD service must have been enabled on the client in question. Furthermore, the server must be told to handle internal requests in REQMOD.

To configure this, go to the REQMOD Settings tab under Proxies > ICAP(S) Server. In the REQMOD Options section, make sure the Handle internal requests in REQMOD option is enabled.

• Use other host or URL — Another host or URL should only be used if there is no contact from the intranet to the system McAfee Web Gateway is running on, or if you know the McAfee Web Gateway address better than McAfee Web Gateway itself.

If McAfee Web Gateway cannot be contacted, enter any other accessible Web server here, as well as a path on that server in order to specify the location that files need to be copied to from the McAfee Web Gateway installation.

Please contact the McAfee Web Gateway support team for more information.

End User Requests

The End User Requests section looks like this:

Using this section, you can configure a host name for end users to contact McAfee Web Gateway upon receiving an SMTP digest.

If an SMTP Digest is distributed, the recipients need to contact McAfee Web Gateway to have their messages released or deleted. Depending on the network configuration, McAfee Web Gateway can be accessed one or the other way.

Use the radio buttons described below to configure a host name for McAfee Web Gateway.

Click Apply Changes to make your settings effective.

The following options can be configured:

• Use IP address of machine running Webwasher — The IP address of the machine running McAfee Web Gateway can be used in most environments and is the default option for deployments with external ICAP clients.

• Use the internal URL -web.washer- — The internal URL can be used by all clients for addressing McAfee Web Gateway as a proxy server.

• Use other host or URL — Another host or URL should only be used if there is no connection from the intranet to the system McAfee Web Gateway is running on, or if you know the McAfee Web Gateway address better than McAfee Web Gateway itself.

If McAfee Web Gateway cannot be contacted, enter any other accessible Web server here, as well as a path on that server in order to specify the location that files need to be copied to from the McAfee Web Gateway installation.

Please contact support for further information.

Proactive Scanning

The Proactive Scanning section looks like this:

Using this section, you can configure a host specification for requests directed to the Proactive Scanning filter of McAfee Web Gateway.

After specifying this information, click Apply Changes to make this setting effective.

Use the following radio buttons and input field to specify a host for Proactive Scanning requests:

• Use IP address of machine running Webwasher — If you want to use the IP address of the machine running McAfee Web Gateway for specifying the host, make sure this radio button is selected. The radio button is selected by default. The IP address can be used in transparent proxy mode, for deployments with external ICAP clients, and in other configurations.

• Use host ... — Specify another host name you want to configure in the input field provided here.

The default host name is -web.washer- and should be used when McAfee Web Gateway is directly addressed as a proxy server.

IFP

The IFP options are invoked by clicking the corresponding button under Proxies. They are described in the upcoming sections:

• Settings

• ICAP services

Settings

The Settings tab looks like this:

There are two sections on this tab:

• TCP Port Settings

• Filter Message Mode

TCP Port Settings

The TCP Port Settings section looks like this:

Using this section, you can configure the listener port of an IFP server and who is allowed access over this port.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following input fields to configure these port settings:

• Port — Specify the listener port here. The input format is: [IP]:port. The default port number is 4005.

• Allow access from — Use this field to configure the IP addresses that should have access to each listener port that is opened by McAfee Web Gateway.

The input format is:

(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*

Tip: Type * (asterisk) to allow everyone access.
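As an added example that is not part of this guide, the following Python parses the Port and Allow access from formats above and answers whether a client address may connect to the listener. The sample entries are constructed, and treating an empty Allow access from field as deny-all is an assumption, chosen as the safe failure.

```python
import ipaddress
from typing import List, Tuple, Union

ALLOW_ALL = "*"


def parse_listener(spec: str) -> Tuple[str, int]:
    """'[IP]:port' as in the Port field: '4005' -> ('', 4005),
    '10.0.0.5:4005' -> ('10.0.0.5', 4005). Raises ValueError on bad input."""
    host, sep, port = spec.strip().rpartition(":")
    if not sep:
        host, port = "", spec.strip()
    if host:
        ipaddress.ip_address(host)  # validates the address part
    port_no = int(port)
    if not 1 <= port_no <= 65535:
        raise ValueError(f"port out of range: {port_no}")
    return host, port_no


def parse_allow_from(spec: str):
    """Parse '(IP | IP/NetMask | IP range) [, ...]' or '*'.
    Networks accept both prefix length ('/24') and dotted netmask forms."""
    spec = spec.strip()
    if spec == ALLOW_ALL:
        return ALLOW_ALL
    entries: List[object] = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "/" in item:
            entries.append(ipaddress.ip_network(item, strict=False))
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {item}")
            entries.append((lo, hi))
        else:
            entries.append(ipaddress.ip_address(item))
    return entries


def is_allowed(acl, client: str) -> bool:
    """True if the client address matches any entry; an empty list denies all."""
    if acl == ALLOW_ALL:
        return True
    addr = ipaddress.ip_address(client)
    for entry in acl:
        if isinstance(entry, tuple):
            lo, hi = entry
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if addr.version == entry.version and addr in entry:
                return True
        elif addr == entry:
            return True
    return False
```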

Filter Message Mode

The Filter Message Mode section looks like this:

Using this section, you can configure the sending of filter messages to the user.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure the filter message mode:

• Send directly — Enable this option to send the content of a filter message to the IFP client, from where it is forwarded to its final destination.

This is the preferred method since it is more efficient with regard to time and memory. It is also the default option.

In the following situations, however, a direct sending may fail:

• The error page together with its HTTP header is larger than 3071 bytes.

• The IFP client fails to forward the data because it contains NUL (ASCII 0) bytes.

This may occur if:

• The content encoding GZIP is used for filter messages.

• Customer-defined filter messages are sent in UTF-16 or other encodings that contain NUL bytes.

• Use redirect mechanism — Enable this option to save the content of a filter message locally, such as on the IFP server, and send its URL for access to this content to the IFP client, from where it is again forwarded to the user.

The user needs to send another request in order to retrieve the message content.
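The following added Python example (not McAfee code) applies the two conditions above to a filter message before choosing Send directly, using a constructed error page in the encodings the guide lists as problematic. Where the check fails, the redirect mechanism is the fallback.

```python
import gzip
from typing import Dict, Tuple

DIRECT_SEND_LIMIT = 3071  # bytes, error page plus HTTP header


def can_send_directly(http_header: bytes, page: bytes,
                      limit: int = DIRECT_SEND_LIMIT) -> Tuple[bool, str]:
    """Decide between 'Send directly' and 'Use redirect mechanism' for one
    filter message. Returns (True, "ok") or (False, reason)."""
    message = http_header + page
    if len(message) > limit:
        return False, f"message is {len(message)} bytes, limit is {limit}"
    if b"\x00" in message:
        return False, "message contains NUL bytes the IFP client cannot forward"
    return True, "ok"


# Constructed sample header and page.
HEADER = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
PAGE = b"<html><body><h1>Access denied by policy</h1></body></html>"


def check_variants() -> Dict[str, bool]:
    """The same page as plain text, GZIP-compressed, UTF-16 encoded and
    padded beyond the size limit; only the plain variant can be sent directly."""
    return {
        "plain": can_send_directly(HEADER, PAGE)[0],
        "gzip": can_send_directly(HEADER, gzip.compress(PAGE))[0],
        "utf16": can_send_directly(HEADER, PAGE.decode("ascii").encode("utf-16"))[0],
        "large": can_send_directly(HEADER, PAGE * 100)[0],
    }
```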

ICAP services

The ICAP Services tab looks like this:

There are two sections on this tab:

• Services

• List of Available ICAP Services

Services

The Services section looks like this:

Using this section, you can configure services for the IFP server communication.

Since the IFP protocol provides only the requested URL and no other header, body or protocol information, only REQMOD services may be configured.

Due to the limitations of the IFP protocol, some McAfee Web Gateway filters will not be available when this protocol is used:

• Parts of the Safe Search enforcer

• Cookie filter

• Header filter

• Filters working with the body of a request, such as the Web upload filter, the Anti-Virus filter, and parts of the Filter-By-Expression filter.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following input field to configure ICAP services for the IFP protocol:

• REQMOD services — Specify the service you want to configure, such as internal, in this input field.

To do this, type its name or select a service by selecting it from the dropdown list next to this field. You can specify more than one service here.

The input format is: service1 [| service2]

List of Available ICAP Services

The List of Available ICAP Services section looks like this:

It displays a list of the services that are available for being configured in the Services section above.

WCCP

The WCCP (Web Cache Communication Protocol) options are invoked by clicking the corresponding button under Proxies.

If you want to enable any of these options, select the checkbox on this button. Click Apply Changes to make this setting effective.

Note: The WCCP options are only available under McAfee Web Gateway when it is running on an appliance.

Furthermore, these options can be used to redirect HTTP traffic under version 1 or 2 of WCCP. To redirect HTTPS traffic, version 2 of WCCP is required.

The options are described in the upcoming section:

• WCCP

WCCP

The WCCP tab looks like this:

There are three sections on this tab:

• WCCP

• WCCP Current Status

• Packet Forwarding

In addition to the description of these sections, a sample procedure for WCCP configuration is described in the following subsection:

• Setting up WCCP using the L2-rewrite method with masking

WCCP

The WCCP section looks like this:

Using this section, you can configure the use of the WCCP (Web Cache Communication Protocol) protocol under McAfee Web Gateway.

This includes the settings of the router that will redirect traffic under this protocol, the redirection method, and the ports that traffic must be addressed to in order to be redirected.

The WCCP protocol allows a router, or a switch with routing functions, to redirect traffic. It forwards the traffic to another server, which may serve as a cache or a filtering engine.

When WCCP is used under McAfee Web Gateway, the server that the traffic gets forwarded to is an instance of McAfee Web Gateway, running as McAfee Web Gateway server. You can set up a configuration with more than one instance of McAfee Web Gateway to enable load balancing.

Under the WCCP protocol, requests that clients send to the Internet will first go to the router, where they are redirected.

This means the requests are forwarded to McAfee Web Gateway or, in case there is more than one McAfee Web Gateway instance in the configuration and the appropriate forwarding method is selected, one of these instances. There the requests are filtered and then sent back to the router, which routes them on to the Internet.

Data packets that should be redirected are identified by the router through the port numbers in their destination addresses.

Packets with non-matching port numbers will not be redirected. Note that under the WCCP protocol the slots of the hash or mask assignment table that packets are mapped to are termed "buckets"; the WCCP.BucketHashInput setting described below takes its name from them.

Two different methods can be configured for forwarding packets from the router to McAfee Web Gateway.

Under the GRE-encapsulated method (GRE = Generic Routing Encapsulation) packets get encapsulated by the router for further handling within the redirection process.

When the L2-rewrite method (L2 = Layer 2) is applied, the router rewrites the destination MAC address of each redirected packet to the MAC address of a McAfee Web Gateway instance. This requires the instance to be directly connected to the router, that is, on the same Layer 2 segment.

Note that this method enables you to use more than one McAfee Web Gateway instance for load balancing purposes.

The rewriting is completed within layer 2 of the standard communication model, which allows faster communication than the other method.

Furthermore, two different methods can be configured for assigning packets to instances of McAfee Web Gateway in case there is more than one of them in the configuration.

The hash method uses a hash algorithm to assign packets to particular McAfee Web Gateway instances.

The mask method uses a mask for this purpose. The mask is a numerical value, which is applied in binary format to the source IP address of a request, to the destination IP address, or to both, by means of a binary AND.

The result of this AND operation then determines which instance the data packet that was sent with the request is assigned to. By default, the mask is applied to both the source and destination IP addresses.

You can change this default by modifying the WCCP.BucketHashInput setting in the global.conf configuration file. Set BucketHashInput = 1 to have the mask applied to the source IP address only, 2 to have it applied to the destination IP address only, or 3 (the default value) to have it applied to both addresses.
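As an added illustration of the mask method (this is not McAfee Web Gateway code), the mask is ANDed with the source and/or destination address as selected by BucketHashInput, the bits that survive are packed into an index, and the index picks an instance. The instance names and flows are constructed, and the modulo mapping from index to instance is an assumption made for the illustration.

```python
import ipaddress
from collections import Counter


def ip_to_int(ip: str) -> int:
    """Dotted IPv4 address to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(ip))


def mask_index(address: int, mask: int) -> int:
    """Binary AND the address with the mask, then pack the bits under the mask into an index."""
    masked = address & mask
    index = 0
    out_bit = 0
    for pos in range(32):
        if mask >> pos & 1:            # only bit positions that are set in the mask count
            if masked >> pos & 1:
                index |= 1 << out_bit
            out_bit += 1
    return index


def assign_instance(src_ip: str, dst_ip: str, mask: int, instances, bucket_hash_input: int = 3) -> str:
    """Pick the instance for a packet. bucket_hash_input mirrors WCCP.BucketHashInput:
    1 = source IP only, 2 = destination IP only, 3 = both (the default)."""
    if bucket_hash_input not in (1, 2, 3):
        raise ValueError("BucketHashInput must be 1 (source), 2 (destination) or 3 (both)")
    width = bin(mask).count("1")       # index bits contributed by each masked address
    index = 0
    if bucket_hash_input & 1:          # source address selected
        index = mask_index(ip_to_int(src_ip), mask)
    if bucket_hash_input & 2:          # destination address selected
        index = (index << width) | mask_index(ip_to_int(dst_ip), mask)
    # Assumption for this illustration: the index selects an instance round-robin style.
    return instances[index % len(instances)]


def distribution(flows, mask: int, instances, bucket_hash_input: int = 3) -> dict:
    """Count how many of the given (source, destination) flows land on each instance."""
    counts = Counter(assign_instance(s, d, mask, instances, bucket_hash_input) for s, d in flows)
    return {name: counts.get(name, 0) for name in instances}


# Constructed sample: two instances, a mask covering the two lowest address bits,
# four clients behind the client interface all talking to the same web server.
INSTANCES = ["mwg-1", "mwg-2"]
MASK = 0x00000003
FLOWS = [("10.150.110.1", "198.51.100.10"), ("10.150.110.2", "198.51.100.10"),
         ("10.150.110.3", "198.51.100.10"), ("10.150.110.4", "198.51.100.10")]
```

With the same destination for every flow, applying the mask to the destination only (BucketHashInput = 2) sends all four flows to one instance, while the source-only and combined settings spread them.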

In order to be able to use the router or switch, which is provided by Cisco Systems, you also need to configure a number of settings there. For these, please refer to the Cisco documentation in general.

A sample procedure for setting up both the Cisco router and McAfee Web Gateway, using the L2-rewrite method with masking, is provided in the next subsection.

WCCP is a protocol that allows the redirection of traffic in co-operation with various other protocols. Note that McAfee Web Gateway can only handle WCCP under the HTTP and HTTPS protocols, not under other protocols, such as FTP or SMTP.

Note: WCCP is available under McAfee Web Gateway only when McAfee Web Gateway is running on an appliance.

After specifying the appropriate settings, click Apply Changes to make them effective.

After any modification of the port settings you need to reboot the McAfee Web Gateway appliance to make the changes effective. A Reboot button is provided for this purpose in the last section on this tab.

Use the following items to configure basic WCCP settings within McAfee Web Gateway:

• Router — In this input field, enter the IP address or DNS name of the router that should be used for redirecting traffic. You can specify more than one router here and also enter a multicast IP address. Use commas to separate entries.

Note: Specifying more than one router or a multicast IP address is only possible under WCCP v2.

• WCCP v2 — If you want to use version 2 of WCCP, make sure this radio button is selected. The radio button is selected by default.

Use the following items to configure further settings for WCCP:

• Service ID — In this input field, enter a service ID, which is required for using version 2 of WCCP. Note that this ID must be the same as the one you specified when configuring the router. The default service ID is 51.

• Ports to be forwarded — In this input field, enter the port numbers of the ports that packets should have in their destination addresses to let the router know these packets should be redirected.

The forwarding service that is configured under version 2 of WCCP can provide redirection for up to 8 ports in packet destination addresses.

For communication with an SSL server, you need to enter port number 443 here since an SSL server usually listens on this port.

There are, however, SSL servers that do not listen on this port. In this case, you can tell McAfee Web Gateway which ports belong to SSL-secured connections.


Use the Transparent SSL Setup section on the Settings tab under Proxies > HTTPS Proxy for this purpose.

• Forwarding method — To select a forwarding method, make sure the corresponding radio button is selected:

• GRE-encapsulated — Make sure this radio button is selected if you want to use the GRE-encapsulated method. The radio button is selected by default.

• L2-rewrite — Select this radio button to enable the L2-rewrite method.

From the drop-down list provided here, select the interface for the connection between the router and McAfee Web Gateway, such as eth1.

• Assignment method — To select an assignment method, make sure the corresponding radio button is selected:

• Assign by hash — Make sure this radio button is selected if you want to make use of a hash algorithm for assigning the McAfee Web Gateway instances. The radio button is selected by default.

• Assign by mask — Select this radio button to enable assignment by mask.

• MD5 authentication key — If you want to use this key, select the checkbox provided here, and in the input field, enter a key for authentication of WCCP data packets using the MD5 digest algorithm.

Use of this key is optional.

• WCCP v1 — Select this radio button if you want to use version 1 of WCCP.

Only one port is configured under this version of the protocol, which is port 80. Only packets that have this port number in their destination addresses will be redirected.

Note: No authentication key is used here.

Setting up WCCP using the L2-rewrite method with masking

The following is a sample procedure for setting up version 2 of WCCP, using the L2-rewrite method with masking. It tells you what to configure both on the Cisco router and under McAfee Web Gateway.

Before you begin with the configuration steps required on the side of the Cisco router, make sure you have set it up with the appropriate image and license.

Then proceed as follows:

1 Log in to the router or switch via telnet, ssh, a modem, etc.

2 Enable routing, using the following command: ip routing

3 Set up WCCP with service ID 51 and a password.

Note: 51 is the default service ID used for configuring WCCP under McAfee Web Gateway.

ip wccp 51 password <password>

4 Configure the interfaces that are required to enable the routing.

Note: You need an interface connecting the router to the Internet (interface 1 in the following sample setting).

Furthermore, you need two interfaces connecting the router to the two instances of McAfee Web Gateway (2 and 11), and finally one that connects the router to the clients (12).

Note also the following:

• The client interface is configured with a redirect in parameter in order to make the redirect work and have client addresses rewritten with the McAfee Web Gateway addresses.

• The no switchport entry is needed to enable routing on the port in question.


• The entry containing the group-listen parameter is only required in case you are using a multicast address.

interface GigabitEthernet0/1
 no switchport
 ip address 172.17.0.2 255.255.255.0
 ip wccp 51 group-listen
!
interface GigabitEthernet0/2
 no switchport
 ip address 10.150.107.254 255.255.255.0
 ip wccp 51 group-listen
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
 no switchport
 ip address 10.150.109.1 255.255.255.0
!
interface GigabitEthernet0/12
 no switchport
 ip address 10.150.110.2 255.255.255.0
 ip wccp 51 redirect in
 ip wccp 51 group-listen


5 Set up a default gateway, as is usually done in router configuration:

ip default-gateway 172.17.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.0.1
ip http server

This completes the activities that are required on the side of the Cisco router.

To save the router configuration, you may use the following command:

copy running-config startup-config

To display detailed information on the WCCP transactions, enter the following command:

sh ip wccp 51 detail

For more information in general, please refer to the Cisco documentation.

6 Configure the proxy port or ports you are using under McAfee Web Gateway in transparent mode.

To do this, go to the Settings tab under Proxies > HTTP Proxy and proceed as follows:

• In the Port Settings section of that tab, select the Transparent Proxy checkbox in the row or rows belonging to the proxy port or ports in question.

• Restart McAfee Web Gateway to make the modification of the port settings effective.

7 In the WCCP section of the WCCP tab, configure the settings that are required for using the WCCP protocol under McAfee Web Gateway:

• In the Router input field, enter the address of the router, such as 172.17.0.2.

• Select the WCCP v2 radio button.

• Ensure 51 is entered in the Service ID input field.

Note: You also used this service ID when configuring the Cisco router.

• In the Ports to be forwarded input field, enter the port numbers of the ports that should be used for WCCP traffic, such as 80, 8080, 443.

• Under Forwarding method, select the L2-rewrite radio button and select the interface for connecting McAfee Web Gateway to the router, such as eth1.

• Under Assignment method, select the Assign by mask radio button.

• Click Apply Changes to make your settings effective.

This completes the activities required on the McAfee Web Gateway side. In the WCCP Current Status section, there should now be entries that show there is a working connection, see below:


WCCP Current Status

The WCCP Current Status section looks like this:

This section provides information on some non-persistent communication parameters of WCCP.

This includes the times and dates of messages that are exchanged between router and McAfee Web Gateway appliance to handle the redirection of data packets.

Data packets are assembled under WCCP into groups called "buckets" when redirected for load balancing purposes. The buckets that are currently handled by McAfee Web Gateway are also displayed in this section.

If a cluster of McAfee Web Gateway instances has been configured, buckets can be handled by different instances.

In this case, the instance with the lowest IP address assigns the buckets to the other instances. This need not necessarily be the master of the cluster.

Information is updated every few seconds by McAfee Web Gateway.

The following information is displayed:

• Current time — Date and time of the information displayed in the fields below.

• Last ’HereIam’ sent — Date and time when this protocol message was last sent.

• Last ’ISeeYou’ received — Date and time when this protocol message was last received.

• Last ’RedirectAssignment’ sent — Date and time when a redirect assignment, that is, an assignment of buckets (groups of data packets) to the McAfee Web Gateway instances in a cluster, was last sent.

• Last change in group membership — Date and time when the grouping of data packets into buckets was last changed.

• This Webwasher distributes load — Indicates whether or not the current instance of McAfee Web Gateway assigns buckets (groups of data packets) to other instances in a cluster for load balancing purposes.

• Participating router — Router or routers that participate in the redirecting of data packets.


Packet Forwarding

The Packet Forwarding section looks like this:

Using this section, you can configure the IP address and port number of the server that data packets should be forwarded, or redirected, to by McAfee Web Gateway under WCCP.

This configuration is required if you want to use this protocol for McAfee Web Gateway.

The server addresses that may be specified here are the addresses of the network interfaces of your McAfee Web Gateway appliance.

You can also specify a source IP for traffic that should be included in the forwarding, as well as a source IP for traffic that should be excluded.

After modifying any of the settings in this section, reboot the McAfee Web Gateway appliance to let the changes take effect. A Reboot button is provided here for this purpose.

Use the following items to configure data forwarding under WCCP:

• Source IP include — In this input field, enter a source IP address for data packets that should be redirected in any case.

A data packet will then be redirected only if its address matches the one specified here and, furthermore, not the one specified under Source IP exclude.

Input in this field is optional, but if it is entered, its format must be like this: 10.120.22.0/24.

The number after the slash (here: 24) is the network mask. You may also enter a part of a source IP address.

• Source IP exclude — In this input field, enter a source IP address for data packets that should not be redirected. A data packet will then be redirected only if its address does not match the one specified here and, furthermore, matches the one specified under Source IP include. Input in this field is optional, but if it is entered, its format must be like this: 10.120.22.4/32.

The number after the slash (here: 32) is the network mask. You may also enter a part of a source IP address.

• Redirect to — From the drop-down lists provided here, select the IP address of the server that packets should be redirected to, as well as a port number on this server.

You may choose from the addresses of all the interface devices the McAfee Web Gateway appliance is equipped with, as well as from the addresses of the proxy ports that are currently configured.

The proxy ports are configured on the Settings tab under Proxies > HTTP Proxy. Remember to enable the Transparent Proxy option when configuring the proxy ports there.

• Reboot — After specifying the settings in this section, or changing the port settings in the WCCP section above, click this button in order to make these settings effective.
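The include/exclude decision described for the Source IP include and Source IP exclude fields, as an added example that is not McAfee Web Gateway code. It assumes that an empty include field matches every address and that a partial address such as 10.120. is matched octet by octet as a prefix; the sample addresses are constructed.

```python
import ipaddress


def matches(src_ip: str, rule: str) -> bool:
    """True if src_ip falls under rule, given either in CIDR form (10.120.22.0/24)
    or as a partial address (10.120. or 10.120.22), assumed to match octet by octet."""
    rule = rule.strip()
    if "/" in rule:
        # strict=False accepts entries whose host bits are set, e.g. 10.120.22.4/24
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule, strict=False)
    wanted = [octet for octet in rule.split(".") if octet != ""]
    have = src_ip.split(".")
    # Octet-wise comparison, so "10.120.2" does not accidentally match 10.120.22.x
    return len(wanted) <= len(have) and have[:len(wanted)] == wanted


def should_redirect(src_ip: str, include: str = "", exclude: str = "") -> bool:
    """Redirect only if the source matches include (when set) and does not match exclude."""
    if include and not matches(src_ip, include):
        return False
    if exclude and matches(src_ip, exclude):
        return False
    return True


def classify(packets, include: str = "", exclude: str = ""):
    """Split a list of packet source addresses into (redirected, passed through)."""
    redirected, passed = [], []
    for src_ip in packets:
        (redirected if should_redirect(src_ip, include, exclude) else passed).append(src_ip)
    return redirected, passed


# Constructed sample using the field formats from the section above.
INCLUDE = "10.120.22.0/24"
EXCLUDE = "10.120.22.4/32"
SAMPLE_SOURCES = ["10.120.22.10", "10.120.22.4", "10.120.23.1"]
```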


6 Configuration

Contents

About configuration

Update manager

Central management

Appliance

Web interfaces

Secure administration shell

SNMP interface

ePolicy Orchestrator

Certificate management

DNS cache

File management

Action editor

Wizards

Maintenance

Debugging

LDAP

NTLM

About configuration

The functions described in this chapter are accessible over the Configuration tab of the user interface:

These functions allow you to configure features of McAfee Web Gateway (formerly Webwasher®) that are provided in addition to the system configuration features already described here.

Additional features include the update manager, central management, the action editor, and debugging.


Update manager

The Update Manager options are invoked by clicking the corresponding button under Configuration. They are described in the upcoming sections:

• General options

• URL filter

• AV engine

• Spam filter

• CRLs

General options

The General Options tab looks like this:


There are five sections on this tab:

• Update Server Summary

• Centralized Update

• Write System Log

• Connection Options

• System Notifications

Update Server Summary

The Update Server Summary section looks like this:

This section shows the addresses and locations of the download servers that are currently in use for McAfee Web Gateway.

Centralized Update

The Centralized Update section looks like this:

Using this section, you can configure the distribution of updates in a cluster of McAfee Web Gateway instances by the master.

Note: This will only work in a homogeneous cluster, that is, a cluster where all instances of McAfee Web Gateway run under the same operating system and have the same version.

With this update method, master and site instances in a McAfee Web Gateway cluster behave as follows: The master distributes regular updates to the site instances.

The updates are retrieved from the McAfee Web Gateway download server.

After a new update has been downloaded, the master broadcasts an update notification to the site instances.

Before the site instances perform an update, whether a regular update, an update initiated manually by the user, or one triggered by an update notification from the master, they connect to the master to request this update.

If the request fails, which can be seen from a status code other than 200 or 304, the site instances try to connect to the McAfee Web Gateway download server themselves in order to get the update.

If you want to use this update method, select the checkbox next to the section heading.

Then click Apply Changes to make this setting effective.


Write System Log

The Write System Log section looks like this:

Using this section, you can configure that information on update activities of McAfee Web Gateway is always written to a system log file. The name of this file is update.log.

If you want to have this information written to the log file, select the checkbox next to the section heading.

Then click Apply Changes to make this setting effective.

Connection Options

The Connection Options section looks like this:

Using this section, you can configure the connections to the update server.

You can configure a direct connection to this server or use a proxy.

Furthermore, you can specify how many times a retry should be performed in case of a server overload.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure the update server connections:

• Use direct connection to update server — If you want to use a direct connection to the update server, make sure this radio button is selected. The radio button is selected by default. To specify the number of retries, use the following drop-down list:

• Retries on server overload — Select here the number of times a retry should be performed if the update server does not respond due to being overloaded.

You can select up to three retries.

• Use update proxy — If you want to use an update proxy, select this radio button. From the drop-down list provided here select the connection mode for this proxy.

The following modes are available:

• none — In this mode, no proxy is used.

• specific — In this mode, one specific proxy is used, which is specified in the input field next to this drop-down list.

• failover — In this mode, the first of the proxies specified in the input field next to this drop-down list is also tried first.

If it fails, it will be retried until the configured retry maximum has been reached. Then the second proxy is tried, and so on.


• round robin — In this mode, the proxy following the one that was used last is used.

If the last proxy has been reached among those that were specified, selection of proxies will restart from the beginning.

In the input field next to the drop-down list, enter the proxy or proxies that should be used for connecting to the update server.

To do this, type a proxy name or select an entry from the drop-down list to the right. If you want to use more than one proxy, repeat the selection.

The drop-down list should show select one to add as its topmost entry. If no next hop proxies have been configured yet, the topmost entry reads no proxies defined.

To configure proxies, click Define Next Hop Proxies. This will open a window for configuring these proxies. The window is described in the next subsection.

Available proxies

The section in this window allows you to configure next hop proxies for all kinds of connections. These will then be available for selection on the Use Next Hop Proxies tab.

After specifying the appropriate settings for a next hop proxy, it is added to the list of available next hop proxies by clicking Add.

The list is displayed at the bottom of the section. You can modify the settings for each proxy that is shown in the list.

Use the following items for configuring available next hop proxies:

• Name — In this input field, enter the name of the next hop proxy you want to configure. If you leave the field empty, a name will be generated by McAfee Web Gateway, such as pxy1, and inserted in this field after clicking Add.

The name can be modified after the new proxy has been included in the list.

• Proxy server address — In the input fields provided here, enter the address of the server you want to make available as next hop proxy:

• Host — Enter the IP address or URL of this server here.

• Port — Enter the port number of the port for connecting to this server here.

• Proxy authorization — In the input fields provided here, enter the credentials that McAfee Web Gateway should use for authentication at the next hop proxy:

• Username — Enter the user name here.

• Password — Enter the password here.

• Connection behavior — Use the items provided here to configure the connection behavior:

• Retry . . . times on failure for this proxy — From the drop-down list provided here, select the number of retries you want to configure for a next hop proxy. You can configure up to three retries.

When the maximum number of retries has been reached, McAfee Web Gateway will try to establish a connection using another next hop proxy, according to what has been configured on the Use Next Hop Proxies tab, such as failover or round robin.

• Do not retry proxy for . . . minutes when it has reached . . . times within 10 seconds its maximum number of retries — In the input fields provided here, enter the time information that will cause a connection break—an interval during which McAfee Web Gateway will not retry a next hop proxy after a connection to it could not be established in a given situation.

In the first input field, enter the time (in minutes) that the connection break should last.

In the second input field, specify how often the maximum number of retries must have been reached within 10 seconds before the connection break is started.


• use persistent connections — If you want McAfee Web Gateway to use persistent connections to the next hop proxies, make sure this checkbox is selected. The checkbox is selected by default.

McAfee Web Gateway will try to meet this requirement by establishing persistent connections, but may fail to do so in some situations.

You will then see that the failed counter in the list of available next hop proxies displays an increased value for the connection to the next hop proxy in question.

In this case, you might clear the checkbox to disable the option. Note, however, that this will reduce performance.

• Add — After specifying the appropriate information for the server you want to make available as next hop proxy, click this button to add it to the list of available next hop proxies.

The list of available next hop proxies is displayed at the bottom of this section. For each entry, it provides the information that is specified when a new entry is added. Furthermore statistical figures are displayed on the reliability of next hop proxies.

You can edit list entries, delete them, and reset the statistics.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard. If the number of entries is higher than this number, the remaining entries are shown on successive pages.

A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, click the View Details and Edit link in the same line. This will reopen the window and this section with the information concerning the next hop proxy in question, so you can modify it.

After completing the modification, click Modify, which is now provided instead of Add, to make it effective. If you want to clear the information before modifying the settings for a next hop proxy, click Clear Input.

Apart from the information that was specified when a new entry was added to the list, such as the proxy name and address, the list displays statistical figures on the reliability of each next hop proxy.

The following information is provided in the columns of the list:

• reliability — Reliability of a next hop proxy.

The reliability is calculated as the percentage of attempts to establish a connection to the next hop proxy that were successful in relation to the overall number of attempts.

• tried — Number of times that McAfee Web Gateway tried to establish a connection to a proxy.

• failed — Number of times that an attempt by McAfee Web Gateway to establish a connection to a proxy failed.

• last fail — Date and time of the last time that an attempt by McAfee Web Gateway to establish a connection to a proxy failed.

• do not retry reached — Date and time of the last time that a situation was reached where McAfee Web Gateway did not retry a next hop proxy over a given period of time.

The length of this period depends on what you configured under Do not retry proxy for . . . minutes when it has reached . . . times within 10 seconds its maximum number of retries, see above.

If the do not retry situation is still in effect, that is, McAfee Web Gateway is currently not retrying the next hop proxy in question, the date and time values are displayed in red.
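The failover and round robin modes, the per-proxy retry maximum, the "do not retry for ... minutes when it has reached ... times within 10 seconds" break, and the reliability, tried, failed, last fail and do not retry reached columns, as an added example that is not McAfee Web Gateway code. The proxy names, hosts and the simulated connection outcomes are constructed, and the clock is passed in as a number of seconds so the run is reproducible.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class NextHopProxy:
    """One entry of the available next hop proxies list with its statistics columns."""
    name: str
    host: str
    port: int
    max_retries: int = 3                           # Retry ... times on failure for this proxy
    tried: int = 0                                 # column: tried
    failed: int = 0                                # column: failed
    last_fail: Optional[float] = None              # column: last fail
    do_not_retry_reached: Optional[float] = None   # column: do not retry reached
    do_not_retry_until: float = 0.0                # end of the current connection break
    exhaustions: List[float] = field(default_factory=list)  # when the retry maximum was hit

    def reliability(self) -> float:
        """Successful attempts as a percentage of all attempts (100 while nothing was tried)."""
        if self.tried == 0:
            return 100.0
        return 100.0 * (self.tried - self.failed) / self.tried

    def in_break(self, now: float) -> bool:
        """True while the do not retry interval for this proxy is still running."""
        return now < self.do_not_retry_until


class NextHopSelector:
    """Applies the failover / round robin modes and the retry rules described above."""

    def __init__(self, proxies: List[NextHopProxy], mode: str = "failover",
                 break_minutes: int = 5, break_after: int = 3) -> None:
        if mode not in ("failover", "round robin"):
            raise ValueError("mode must be 'failover' or 'round robin'")
        self.proxies = list(proxies)
        self.mode = mode
        self.break_seconds = break_minutes * 60   # Do not retry proxy for ... minutes
        self.break_after = break_after            # ... when it has reached ... times within 10 s
        self._last_used = -1                      # index of the proxy used last (round robin)

    def candidates(self, now: float) -> List[NextHopProxy]:
        """Proxies in the order the configured mode tries them, skipping those in a break."""
        if self.mode == "failover":
            order = list(self.proxies)                           # always start with the first
        else:
            start = (self._last_used + 1) % len(self.proxies)    # the one after the last used
            order = self.proxies[start:] + self.proxies[:start]  # wraps to the beginning
        return [p for p in order if not p.in_break(now)]

    def connect(self, attempt: Callable[[NextHopProxy], bool], now: float) -> Optional[NextHopProxy]:
        """Try the candidates in turn; `attempt` stands in for the real connection setup."""
        for proxy in self.candidates(now):
            for _ in range(1 + proxy.max_retries):   # the first try plus the configured retries
                proxy.tried += 1
                if attempt(proxy):
                    self._last_used = self.proxies.index(proxy)
                    return proxy
                proxy.failed += 1
                proxy.last_fail = now
            self._retry_maximum_reached(proxy, now)  # give up on this proxy, try the next one
        return None

    def _retry_maximum_reached(self, proxy: NextHopProxy, now: float) -> None:
        """Start a connection break once the maximum was hit break_after times within 10 s."""
        proxy.exhaustions = [t for t in proxy.exhaustions if now - t <= 10.0] + [now]
        if len(proxy.exhaustions) >= self.break_after:
            proxy.do_not_retry_until = now + self.break_seconds
            proxy.do_not_retry_reached = now
            proxy.exhaustions = []


def failover_scenario() -> dict:
    """Constructed run: pxy1 is simulated as unreachable, pxy2 answers; one retry per proxy,
    a one-minute break after the retry maximum was reached twice within 10 seconds."""
    pxy1 = NextHopProxy("pxy1", "proxy-a.example.invalid", 3128, max_retries=1)
    pxy2 = NextHopProxy("pxy2", "proxy-b.example.invalid", 3128, max_retries=1)
    selector = NextHopSelector([pxy1, pxy2], "failover", break_minutes=1, break_after=2)

    def simulated_attempt(proxy: NextHopProxy) -> bool:
        return proxy.name != "pxy1"                # pxy1 never answers, pxy2 always does

    used = [selector.connect(simulated_attempt, now).name for now in (0.0, 5.0, 10.0, 70.0)]
    return {"used": used, "pxy1_tried": pxy1.tried, "pxy1_failed": pxy1.failed,
            "pxy1_reliability": pxy1.reliability(), "break_started_at": pxy1.do_not_retry_reached}


def round_robin_scenario() -> List[str]:
    """Constructed run: three working proxies, four connections in round robin mode."""
    proxies = [NextHopProxy(f"pxy{i}", f"proxy-{i}.example.invalid", 8080) for i in (1, 2, 3)]
    selector = NextHopSelector(proxies, "round robin")
    return [selector.connect(lambda proxy: True, float(t)).name for t in range(4)]
```

In the failover run, pxy1 is tried at 0 s and 5 s, enters its one-minute break after the second exhaustion, is skipped at 10 s, and is tried again at 70 s.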

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input fields above the Name, Proxy, or Port columns or in a combination of them and enter this using the Enter key of your keyboard. The list will then display only entries matching the filter.


• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Reset Statistics — Click this button to reset the statistical figures shown in the list for reliability of next hop proxies.

• Reset do not retry — Click this button to reset the statistics only for the do not retry reached parameter, see above.

To return to the Next Hop Proxies tab, click Close.

The next hop proxy you added to the list will also appear and be available in the list of next hop proxies, which is displayed at the bottom of the Use Next Hop Proxies section on that tab.

System Notifications

The System Notifications section looks like this:

Using this section, you can configure e-mail notifications to be sent to a recipient’s e-mail address. Click Apply Changes to make your settings effective.

Use the following options for configuring e-mail notifications:

• Send notification upon URL filter database update failure or category enhancements — Enter the recipient for this notification in the Recipient input field.

• Send notification upon AntiVirus engine and signature update failure — Enter the recipient for this notification in the Recipient input field.

• Send notification upon Anti Spam rule set update failure — Enter the recipient for this notification in the Recipient input field.

Furthermore, you can configure the following options for sending an SNMP trap:

• Send an SNMP trap if a database update has been successful or was not required — Clicking the SNMP trap link will take you to a page where you can configure the settings for the trap sink, such as the SNMP recipient.

• Send an SNMP trap if a database update failed — Clicking the SNMP trap link will take you to a page where you can configure the settings for the trap sink, such as the SNMP recipient.

To configure the settings for the server used to process notifications, click Edit Notification Mail Server. This will open a window where you can enter values for these settings.

For a description of this window, see the Notification Settings window in the Notifications subsection of the E-mail gateway section.


URL filter

The URL Filter tab looks like this:

There are four sections on this tab:

• Current Status

• Log File Contents

• Automatic Update

• Manual Update


Current Status

The Current Status section looks like this:

This section shows the current status of the URL Filter Database. The following information is provided:

• Database version — Version of the URL Filter Database

• Status — Status of the URL Filter Database

Prior to the completion of the database update, there may be the following messages:

• OK — Everything is working.

• Preparing URL lists — Building lists internally.

• Updating URL lists — Incorporating incremental list in order to update.

• Saving list — An internal list was created and is being saved on the hard disk.

• Error during update — In this case, you need to look for a new list, or retry later on.

• Unknown Error — A failure of another type has occurred in one of the above processes.

Upon completion of the database update, there may be the following messages:

• Downloading files — File download is in progress.

• Server authentication failed — This may be due to a licensing problem.

• Error during file download — An error stopped the files from downloading; retry later on.

• Time of last update — Time when the last update of the URL Filter Database was performed

Log File Contents

The Log File Contents section looks like this:

It displays the last 10 lines of the URL Filter Database update log file.


Automatic Update

The Automatic Update section looks like this:

Using this section, you can configure the time range for an automatic update of the URL Filter Database.

Select the checkbox provided here if you want to do this and fill in the input fields as required. After configuring these settings, click Apply Changes to make them effective.

Use the following input fields to configure an automatic update:

• Check and perform updates every ... hours — In this input field, enter the number of hours that are to elapse before a new update is performed.

• If update fails, repeat it after ... minutes — In this input field, enter the number of minutes for the retry interval.

Manual Update

The Manual Update section looks like this:

This section allows you to perform a manual update of the URL Filter Database.

Use the following items to perform this update:

• Incremental update — Select this radio button to update the incremental lists on demand without affecting the automatic update settings.

• Full update — Select this radio button to update the entire database from the Internet.

• Local update from ’C:\Programme\Webwasher CSM\conf\smartfilter\’ — Select this radio button to manually update lists from another source, such as from a SmartFilter list that is located in a corresponding folder as displayed here.

For this kind of update, you need to make sure that the list file itself, as well as a number of other files are stored in this folder.

You need different kinds of files for a full update and for an incremental update:

• For a full update, you need to store the following files in the SmartFilter folder:

• sfcontrol.download – This file contains the list for a full update.

• sfcontrol.download.info – Input in this file is optional. You may insert text providing information on the update in there.

• For an incremental update, you need to store the following files in the SmartFilter folder:

• sfcontrol.download.info – Input in this file is optional. You may insert text providing information on the update in there.


• sfcontrol.download.current – This file must contain one single line of text stating the version of the SmartFilter list you want to update to.

Furthermore, you need to store several incremental update files in this folder. The name for all of them is sfcontrol.download.<number>, with <number> varying in the following way:

a You need an update file whose number is the version number of the SmartFilter list currently used by McAfee Web Gateway, increased by one. So if the current version is 1000, name the file sfcontrol.download.1001.

b You need one update file for each following number, up to and including the number of the list version you want to update to. For example, if you want to update to version 1008, you need to store the update files sfcontrol.download.1001, sfcontrol.download.1002, and so on, until sfcontrol.download.1008.

The complete list of incremental files would then look like this:

sfcontrol.download.1001

sfcontrol.download.1002

sfcontrol.download.1003

sfcontrol.download.1004

sfcontrol.download.1005

sfcontrol.download.1006

sfcontrol.download.1007

sfcontrol.download.1008

• Do It Now — After specifying the appropriate information using the items described above, click this button to perform the manual update.
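As an added example (not part of this guide and not McAfee code), the following Python script checks a local SmartFilter update folder against the naming rules above before Do It Now is clicked: it reads the target version from sfcontrol.download.current, derives the chain sfcontrol.download.<current+1> up to sfcontrol.download.<target>, and reports missing files as well as numbered files outside the chain. The folder it creates, the current version 1000 and the sample files are constructed for the demonstration; point check_incremental_update at the real smartfilter folder to use it.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Names of incremental list files: sfcontrol.download.<number>
INCREMENTAL_RE = re.compile(r"^sfcontrol\.download\.(\d+)$")


def read_target_version(folder: Path) -> int:
    """sfcontrol.download.current holds exactly one line: the list version to update to."""
    lines = (folder / "sfcontrol.download.current").read_text(encoding="ascii").splitlines()
    if len(lines) != 1 or not lines[0].strip().isdigit():
        raise ValueError("sfcontrol.download.current must contain a single version number")
    return int(lines[0].strip())


def expected_incremental_files(current_version: int, target_version: int) -> list[str]:
    """File names needed to step from the running list version to the target version."""
    if target_version <= current_version:
        raise ValueError(f"target {target_version} is not newer than current {current_version}")
    return [f"sfcontrol.download.{n}" for n in range(current_version + 1, target_version + 1)]


def check_incremental_update(folder: Path, current_version: int) -> dict:
    """Reports whether the folder holds the complete chain of incremental files."""
    target = read_target_version(folder)
    needed = expected_incremental_files(current_version, target)
    present = {p.name for p in folder.iterdir() if p.is_file()}
    missing = [name for name in needed if name not in present]
    # Numbered files outside the chain: leftovers of an older update or mis-numbered files.
    stray = sorted(n for n in present if INCREMENTAL_RE.match(n) and n not in needed)
    return {"target": target, "needed": needed, "missing": missing, "stray": stray,
            "info_present": (folder / "sfcontrol.download.info").is_file(),
            "ok": not missing}


def check_full_update(folder: Path) -> dict:
    """A full update only needs sfcontrol.download; the .info file is optional."""
    return {"ok": (folder / "sfcontrol.download").is_file(),
            "info_present": (folder / "sfcontrol.download.info").is_file()}


def build_sample_folder(current_version: int, target_version: int,
                        omit: tuple[str, ...] = ()) -> Path:
    """Constructed sample folder standing in for the smartfilter conf directory."""
    folder = Path(tempfile.mkdtemp(prefix="smartfilter-sample-"))
    (folder / "sfcontrol.download.current").write_text(f"{target_version}\n", encoding="ascii")
    (folder / "sfcontrol.download.info").write_text("constructed sample update\n", encoding="ascii")
    for name in expected_incremental_files(current_version, target_version):
        if name not in omit:
            (folder / name).write_bytes(b"")  # file content is irrelevant for the naming check
    return folder


if __name__ == "__main__":
    sample = build_sample_folder(1000, 1008, omit=("sfcontrol.download.1005",))
    report = check_incremental_update(sample, current_version=1000)
    print("target version:", report["target"])
    print("missing files:", report["missing"])
    print("ready for Do It Now:", report["ok"])
```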


AV engine

The AV Engine tab looks like this:

There are six sections on this tab:

• Current Status

• Log File Contents

• ISTAG Change

• Automatic Update

• Restart

• Manage 3rd Party AntiVirus Engine Update


Current Status

This section shows the current status of the anti-virus engines and signature files. The following information is provided:

• Anti Virus Engine — Versions of the anti-virus engines that have been configured to run under McAfee Web Gateway.

• Update Status — Status of the updates that have been performed for the anti-virus engines.

• Time of last update — Time when the last update was performed for an anti-virus engine.

Log File Contents

This section displays the last 10 lines of the anti-virus update log file.

ISTAG Change

Using this section, you can configure an ISTAG change to be performed after each update, which will lead to a clearing of the cache content.

The ISTAG version is a kind of version number for an ICAP service. Whenever this version changes, the ICAP client no longer uses responses previously given by McAfee Web Gateway, but asks again for each request and response.

By changing the ISTAG after each update of the signature file, the ICAP client, such as a NetCache client, is told to clear all cached content after the update has been completed.

If you want to have an ISTAG change performed, make sure the checkbox provided here is selected. It is selected by default.

Automatic Update

Using this section, you can configure the time range for an automatic update of the anti-virus signature file. McAfee Web Gateway will check according to the configured range whether a new version is available and will download this version if this is the case.

The usage of the checkbox, input field and button provided here is as follows:

• Check and perform updates every ... minutes — Select the checkbox provided here if you want to configure an automatic update. In the input field, enter the number of minutes that are to elapse before a new update is performed.

• Do It Now — Click this button to perform the update immediately.

Restart

Using this section, you can restart the anti-virus engine.

Click the following button:

• Restart AV Engine — Click this button to restart the anti-virus engine after changing a local anti-virus file.

Manage 3rd Party AntiVirus Engine Update

Using this section, you can enable updates of the third-party anti-virus engines. It depends on what is included in your license whether particular anti-virus engines, such as the Avira or the Sophos engine, appear in this section.

After changing these settings, click Apply Changes to make your changes effective.

Use the following checkboxes to enable anti-virus engine updates:

• Avira update enabled — When selected, an update of the anti-virus engines includes the third-party Avira engine.

According to what is covered by your license, a checkbox for a different or an additional anti-virus engine will appear here, which you can use in the same way.

Note: This option is disabled by default.


Spam filter

The Spam Filter tab looks like this:

There are four sections on this tab:

• Current Status

• Log File Contents

• Automatic Update

• Manual Update

Current Status

The Current Status section looks like this:

This section shows the current status of the spam filter database.


The following information is provided:

• Database Version — Version of the database containing the spam filter rules.

• SpamCatcher Engine version — Version of the engine used for spam filtering.

• Status — Status of the updates that have been performed for the spam filter rules.

• Time of last update — Time when the last update was performed for the spam filter rules.

Log File Contents

The Log File Contents section looks like this:

It displays the last 10 lines of the spam filter rules update log file.

Automatic Update

The Automatic Update section looks like this:

Using this section, you can configure the time range for an automatic update of the spam filter rules.

McAfee Web Gateway will check according to the configured range whether a new version is available and will download this version if this is the case.

There is a checkbox provided here, which is labeled:

• Check and perform updates every ... minutes — Select this checkbox if you want to configure an automatic update. In the input field, enter the number of minutes that are to elapse before a new update is performed.

Manual Update

The Manual Update section looks like this:

Using this section, you can perform a manual update of the spam filter rules.


CRLs

The CRLs tab looks like this:

There are three sections on this tab:

• Current Status

• Log File Contents

• Automatic Update

Current Status

The Current Status section looks like this:

This section shows the current status of the CRLs (Certificate Revocation Lists) update. The following information is provided:

• Status — Status of the CRLs updates.

• Time of last update — Time when the last CRLs update was performed.


Log File Contents

The Log File Contents section looks like this:

It displays the last 10 lines of the CRLs update log file.

Automatic Update

The Automatic Update section looks like this:

Using this section, you can configure a time interval for an automatic CRLs update. McAfee Web Gateway will check according to the configured interval whether a new version is available and will download this version if this is the case.

Select the checkbox provided here if you want to configure an automatic update. After modifying this setting and specifying the time interval, click Apply Changes to make the modification effective.

Use the following items to configure an automatic update:

• Update every ... hours — In this input field, enter a time interval (in hours) that should elapse before the next update is performed.

• Do It Now — Click this button to perform the update immediately.


Central management

The Central Management options are invoked by clicking the corresponding button under Configuration. They are described in the upcoming sections:

• Node settings

• Master settings

• Site settings

Node settings

The Node Settings tab looks like this:

There are three sections on this tab:

• Current Instance Status

• Instance Role

• Proxy Server Options


Current Instance Status

The Current Instance Status section looks like this:

In this section, information is displayed about the status of the current instance—the McAfee Web Gateway instance you are presently configuring.

You are told how this instance has been configured and if it has been configured correctly. The information is displayed with a square in green, yellow or orange color, and a message text.

A green square means that the instance has been configured correctly. A yellow or orange square means that there is something missing in the configuration, with the orange color indicating a more serious fault.

Messages that can appear in this section are:

• Green square - This McAfee Web Gateway instance is running as a standalone server

• Green square - 2 site instances are subscribed at this master

• Yellow square - No site instances are subscribed at this master

• Orange square - The master of this site instance has not been configured or is unreachable

Instance Role

The Instance Role section looks like this:

Using this section, you can configure a role for an instance of McAfee Web Gateway.

In a group of multiple servers (nodes) running McAfee Web Gateway (called a "cluster"), one McAfee Web Gateway instance can act as the master instance, which means that all configuration changes are to be performed on this system.

The other McAfee Web Gateway instances in this cluster can then be configured as site instances. Since site instances retrieve their configuration from the master, every configuration task you perform on the master instance is replicated to all site instances.

In addition to the options of configuring McAfee Web Gateway as a master or a site instance, you can configure it to take the role of a sub-master. A sub-master performs the roles of master and site instance at the same time. So, other site instances can subscribe themselves at a sub-master like they can at a master.

Optionally, a sub-master can take over the role of the master in case the master goes offline, and there will be a failover of the McAfee Web Gateway administration from the master to the sub-master as soon as this happens.


Furthermore, you can configure McAfee Web Gateway to run on a standalone server, that is, a system that is not participating in a cluster at all.

Note: You can exclude settings from being transferred from the master to the site instances, and also protect settings that have been configured on a site instance against being overwritten by settings transferred from the master. If settings on a site instance are protected in this way, they can only be changed on this instance.

The meaning of the options provided in this section is as follows:

• Yes, act as a cluster node of the following role — Configures this instance of McAfee Web Gateway for running in a McAfee Web Gateway cluster.

• Master instance — Configures this instance of McAfee Web Gateway to run as a master.

• Take over sub-master’s configuration in case it has been changed while this master was offline — Configures the taking over of McAfee Web Gateway settings from a sub-master.

• Site Instance — Configures this instance of McAfee Web Gateway to run as a site instance.

• Sub-Master instance (act as both master and site) — Configures this instance of McAfee Web Gateway to run as a sub-master instance.

• Notify the parent master’s site instances whenever its availability changes — Configures a notification to be sent to the site instances of the master whose role this sub-master is to take over. The notification will be sent each time the master goes offline or goes online again.

• No, act as a standalone server — Configures this instance of McAfee Web Gateway for not running in a McAfee Web Gateway cluster. This is the default option.

Select the options you want to configure for the current McAfee Web Gateway instance. Then click Apply Changes to make your settings effective.

Proxy Server Options

The Proxy Server Options section looks like this:

Using this section, you can specify whether a proxy server should be used for communication between this instance of McAfee Web Gateway and its master instance (given it is a site instance), or its site instances (given it is a master instance).

After specifying the appropriate settings click Apply Changes to make them effective.

Use the following items to configure a proxy server:

• Do not use a proxy server — No proxy server will be used and the instance will communicate directly with its master instance or its site instances.

• Use next hop proxies as specified for ... — The server that has been configured as web proxy will be used as next hop proxy. This is the default option.

Click the link provided here to view or change the proxy server that has been configured so far.

• (For using other next hop proxies) — If you want to use other next hop proxies, select this radio button and configure them here. To do this, proceed as follows:

From the drop-down list select the connection mode. The following modes are available:

• none — In this mode, no proxy is used.


• specific — In this mode, one specific proxy is used, which is specified in the input field next to this drop-down list.

• failover — In this mode, the first of the proxies specified in the input field next to this drop-down list is also tried first.

If it fails, it will be retried until the configured retry maximum has been reached. Then the second proxy is tried, and so on.

• round robin — In this mode, the proxy is used that is next to the one that was used last.

If the last proxy has been reached among those that were specified, selection of proxies will restart from the beginning.

In the input field next to the drop-down list, enter the next hop proxy or proxies that should be used. To do this, type their names or select an entry from the drop-down list to the right. If you want to use more than one proxy, repeat the selection.

The drop-down list should show select one to add as its topmost entry. If no next hop proxies have been configured yet, the topmost entry reads no proxies defined.

To configure next hop proxies, click Define Next Hop Proxies. This will open a window for configuring these proxies.

The window is described in the subsection below.

Available proxies

The section in this window allows you to configure next hop proxies for all kinds of connections. These will then be available for selection on the Use Next Hop Proxies tab.

After specifying the appropriate settings for a next hop proxy, click Add to add it to the list of available next hop proxies.

The list is displayed at the bottom of the section. You can modify the settings for each proxy that is shown in the list.

Use the following items for configuring available next hop proxies:

• Name — In this input field, enter the name of the next hop proxy you want to configure. If you leave the field empty, a name will be generated by McAfee Web Gateway, such as pxy1, and inserted in this field after clicking Add.

The name can be modified after the new proxy has been included in the list.

• Proxy server address — In the input fields provided here, enter the address of the server you want to make available as next hop proxy:

• Host — Enter the IP address or URL of this server here.

• Port — Enter the port number of the port for connecting to this server here.

• Proxy authorization — In the input fields provided here, enter the credentials that McAfee Web Gateway should use for authentication at the next hop proxy:

• Username — Enter the user name for authentication at this proxy here.

• Password — Enter the password here.

• Retry . . . times on failure for this proxy — From the drop-down list provided here, select the number of retries you want to configure for a next hop proxy. You can configure up to three retries.

When the maximum number of retries has been reached, McAfee Web Gateway will try to establish a connection using another next hop proxy, according to what has been configured on the Use Next Hop Proxies tab, such as failover or round robin.


• Do not retry proxy for . . . minutes when it has reached . . . times within 10 seconds its maximum number of retries — In the input fields provided here, enter the time information that will cause connection break—an interval during which McAfee Web Gateway will not retry a next hop proxy after a connection to it could not be established in a given situation.

In the first input field, enter the time (in minutes) that the connection break should last.

In the second input field, specify how often the maximum number of retries must have been reached within 10 seconds before the connection break is started.

• Add — After specifying the appropriate information for the server you want to make available as next hop proxy, click this button to add it to the list of available next hop proxies.

The list of available next hop proxies is displayed at the bottom of this section.

For each entry, it provides the information that is specified when a new entry is added. Furthermore, statistical figures are displayed on the reliability of next hop proxies.

You can edit list entries, delete them and reset the statistics.

To display only a particular number of entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard. If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, click the View Details and Edit link in the same line. This will reopen the window and this section with the information concerning the next hop proxy in question, so you can modify it.

After completing the modification, click Modify, which is now provided instead of Add, to make it effective. If you want to clear the information before modifying the settings for a next hop proxy, click Clear Input.

Apart from the information that was specified when a new entry was added to the list, such as the proxy name and address, the list displays statistical figures on the reliability of each next hop proxy.

The following information is provided in the columns of the list:

• reliability — Reliability of a next hop proxy

The reliability is calculated as the percentage of attempts to establish a connection to the next hop proxy that were successful in relation to the overall number of attempts.

• tried — Number of times that McAfee Web Gateway tried to establish a connection to a proxy

• failed — Number of times that an attempt by McAfee Web Gateway to establish a connection to a proxy failed

• last fail — Date and time of the last time that an attempt by McAfee Web Gateway to establish a connection to a proxy failed

• do not retry reached — Date and time of the last time that a situation was reached where McAfee Web Gateway did not retry a next hop proxy over a given period of time.

The length of this period depends on what you configured under Do not retry proxy for . . . minutes when it has reached . . . times within 10 seconds its maximum number of retries.

If the do not retry situation is still in effect, that is, McAfee Web Gateway is currently not retrying the next hop proxy in question, the date and time values are displayed in red.
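The connection modes (specific, failover, round robin), the retry maximum of up to three retries, the do-not-retry interval, and the reliability statistics described above fit together as shown in this added Python example, which is a model written for this page and not McAfee Web Gateway's own code. The proxy names, the hosts under example.invalid, the default values 5 minutes and 2 times, the fake clock, and the behaviour that pxy1 never answers while pxy2 always does are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class NextHopProxy:
    """One entry of the Available proxies list, with the statistics columns from the page."""
    name: str
    host: str
    port: int
    max_retries: int = 3         # "Retry ... times on failure": at most three retries
    break_minutes: int = 5       # "Do not retry proxy for ... minutes ..." (assumed value)
    break_threshold: int = 2     # "... when it has reached ... times within 10 seconds ..." (assumed)
    tried: int = 0               # column "tried"
    failed: int = 0              # column "failed"
    last_fail: float | None = None             # column "last fail"
    do_not_retry_reached: float | None = None  # column "do not retry reached"
    do_not_retry_until: float | None = None    # end of the current connection break, if any
    exhaustions: list[float] = field(default_factory=list)  # times at which max retries was hit

    def reliability(self) -> float:
        """Column "reliability": successful attempts as a percentage of all attempts."""
        return 100.0 if self.tried == 0 else 100.0 * (self.tried - self.failed) / self.tried

    def in_break(self, now: float) -> bool:
        """True while the do-not-retry interval is still running (shown in red on the page)."""
        return self.do_not_retry_until is not None and now < self.do_not_retry_until


class NextHopSelector:
    """Applies the connection mode (none, specific, failover, round robin) to the proxy list."""

    def __init__(self, mode: str, proxies: list[NextHopProxy],
                 try_connect: Callable[[NextHopProxy], bool], clock: Callable[[], float]) -> None:
        if mode not in ("none", "specific", "failover", "round robin"):
            raise ValueError(f"unknown connection mode {mode!r}")
        self.mode, self.proxies, self.try_connect, self.clock = mode, proxies, try_connect, clock
        self._last_used = -1  # index of the proxy used last, needed for round robin

    def _candidates(self) -> list[NextHopProxy]:
        if self.mode == "none":
            return []
        if self.mode == "specific":
            return self.proxies[:1]
        if self.mode == "failover":
            return list(self.proxies)  # first proxy first, then the second, and so on
        n = len(self.proxies)          # round robin: start after the one used last, wrap around
        start = (self._last_used + 1) % n
        return [self.proxies[(start + i) % n] for i in range(n)]

    def connect(self) -> NextHopProxy | None:
        """Returns the proxy that accepted the connection, or None if none could be used."""
        for proxy in self._candidates():
            if proxy.in_break(self.clock()):
                continue  # still inside the connection break: skip without an attempt
            self._last_used = self.proxies.index(proxy)
            for _attempt in range(1 + proxy.max_retries):  # first try plus the configured retries
                proxy.tried += 1
                if self.try_connect(proxy):
                    return proxy
                proxy.failed += 1
                proxy.last_fail = self.clock()
            self._record_exhaustion(proxy, self.clock())
        return None

    def _record_exhaustion(self, proxy: NextHopProxy, now: float) -> None:
        """Starts the connection break once max retries was reached often enough within 10 s."""
        proxy.exhaustions = [t for t in proxy.exhaustions if now - t <= 10.0] + [now]
        if len(proxy.exhaustions) >= proxy.break_threshold:
            proxy.do_not_retry_until = now + 60.0 * proxy.break_minutes
            proxy.do_not_retry_reached = now
            proxy.exhaustions.clear()


def demo() -> tuple[NextHopProxy, NextHopProxy]:
    """Constructed scenario: pxy1 is down, pxy2 answers; failover mode with the defaults above."""
    now = [0.0]  # constructed clock so the run is deterministic and needs no real waiting
    pxy1 = NextHopProxy("pxy1", "proxy-a.example.invalid", 8080)
    pxy2 = NextHopProxy("pxy2", "proxy-b.example.invalid", 8080)
    selector = NextHopSelector("failover", [pxy1, pxy2],
                               try_connect=lambda p: p is pxy2, clock=lambda: now[0])
    selector.connect()  # pxy1 exhausts 1 + 3 attempts, pxy2 takes the connection
    now[0] += 5.0
    selector.connect()  # second exhaustion within 10 s starts the break on pxy1
    now[0] += 5.0
    selector.connect()  # pxy1 is skipped without any attempt during the break
    return pxy1, pxy2


if __name__ == "__main__":
    for p in demo():
        print(f"{p.name}: reliability={p.reliability():.0f}% tried={p.tried} "
              f"failed={p.failed} in_break={p.in_break(15.0)}")
```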

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input fields above the Name, Proxy, or Port columns or in a combination of them and enter this using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.


• Reset Statistics — Click this button to reset the statistical figures shown in the list for reliability of next hop proxies.

• Reset do not retry — Click this button to reset the statistics only for the do not retry reached parameter, see above.

To return to the Next Hop Proxies tab, click Close.

The next hop proxy you added to the list will also appear and be available in the list of next hop proxies, which is displayed at the bottom of the Use Next Hop Proxies section on that tab.

Master settings

The Master Settings tab looks like this:

There are three sections on this tab:

• Local Master Settings

• Allow Incompatible Site Versions

• List of Subscribed Sites


Local Master Settings

Using this section, you can specify the settings that will not be replicated from the master to the site instances.

When running several instances of McAfee Web Gateway, you can apply configuration changes on just one instance— the master instance—while changes will be replicated to all the instances that have subscribed to the master instance, such as the site instances.

Whenever you perform an action using the web interface of the master instance, a corresponding action is performed on each site instance. Thus all settings are applied to these instances, unless they are configured to be excluded from this procedure.

Note: Settings related to licensing, the master/site configuration itself, and web interface passwords are never replicated to site instances.

Select the checkboxes for the settings you do not want to be replicated. Then click Apply Changes to make this configuration effective.

Allow Incompatible Site Versions

The Allow Incompatible Site Versions section looks like this:

Using this section, you can specify that site instances in a cluster are allowed to subscribe at the master even if they are running a McAfee Web Gateway version that is older or newer than the one running currently on the master.

By default, the master does not allow sites that are incompatible in this sense.

The default is set this way because synchronizing the configuration of the master to that of a site might damage the configuration of this site.

A site is incompatible as soon as the McAfee Web Gateway version running on it differs from the master’s version on a major, medium, or minor level. So, a 6.8.3 version would make the site in question incompatible to a master running 6.8.4.

To allow incompatible site versions, select the checkbox next to the section heading. Then click Apply Changes to make this setting effective.

List of Subscribed Sites

The List of Subscribed Sites section looks like this:

This section lists all the site instances that have subscribed to the master instance.

Any changes effected on the master instance will simultaneously be applied to these instances.

Site instances will not appear in this list whenever the master is unable to log on to them.


Site settings

The Site Settings tab looks like this:

There are four sections on this tab:

• Master Instance Addresses

• Authentication

• Contact Interval

• Local Site Settings


Master Instance Addresses

The Master Instance Addresses section looks like this:

In order to obtain settings from the McAfee Web Gateway master instance for a site instance, you need to specify the master instance in this section. You can specify more than one master instance.

The following input fields and checkbox are provided in this section:

• Host Names or IPs — Name or IP address of the master instance. More than one instance may be entered here. The format is: (Host | IP) [, (Host | IP)]*

• Web interface port — Port number of the host that is to be the master instance. The default port number is 0.

• Use HTTPS to communicate with the master instance — Enable this option if you have configured HTTPS connections to be used for communication between master and site instances.

After configuring these settings, click Apply Changes to make them effective.

Authentication

The Authentication section looks like this:

Since site instances need to authenticate themselves as admin (the administrator account of the master instance) when subscribing for change notifications, the admin password of the master instance must also be configured on the individual site instances.

To allow the master instance to log back on to a site instance whenever there is a configuration activity on the master instance, the admin password of the site instance is sent to the master instance, along with the subscription. It is sent in encrypted form, but using HTTPS is also recommended.

Specify a password for the admin accounts on both the master and the site instance. Then click Apply Changes to make these settings effective.


Contact Interval

The Contact Interval section looks like this:

Using this section, you can configure a time interval for reconnecting to the master instance, should the master instance be down or unavailable for any reason.

Furthermore, you can configure a time interval for requesting a configuration update from the master instance.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following input fields to configure these intervals:

• Contact master instance every ... minutes — Enter the time interval (in minutes) here that should elapse before the site instance contacts the master again.

• Request the whole configuration every ... minutes from master — Enter the time interval (in minutes) here that should elapse before the site instance requests an update of the configuration settings from the master.

The value that you enter is rounded to a multiple of the value you entered under Contact master instance every ... minutes.

The minimum value is 30 minutes. Enter 0 if the site instance should never request a configuration update from the master.

Local Site Settings

Using this section, you can specify the settings that a site instance should not retrieve from its master instance.

Note: Settings related to licensing, the master/site configuration itself, and web interface passwords are never retrieved from the master instance.

Select the checkboxes for the settings you do not want to be obtained from the master instance. Then click Apply Changes to make this configuration effective.

Appliance

The Appliance options are invoked by clicking the corresponding button under Configuration.

Note: These options are only available in an appliance version of McAfee Web Gateway.

They are described in the upcoming sections:

• General

• Interfaces

• Routes

• Time and date

• Reboot/Shutdown

• Update

• High availability

• Port forwarding


General

The General tab looks like this:

There is the following section on this tab:

• General

General

The General section allows you to configure some general settings for an appliance.

After modifying these settings, you need to commit them and reboot the appliance in order to make the modification effective.

For this purpose, corresponding buttons are provided on the Commit Settings tab.

Use the following items to configure the general settings:

• Host Name — Name of a McAfee Web Gateway appliance

• Default Gateway IP Address — IP address of the network gateway that a McAfee Web Gateway appliance has been configured for

• First Name Server — IP address of the first name server that is used by a McAfee Web Gateway appliance

• Second Name Server — IP address of the second name server that is used by a McAfee Web Gateway appliance

The second name server will be used as a fallback system in case the first name server is not available for some reason or other.


Interfaces

The Interfaces tab looks like this:

There are two sections on this tab:

• Network Interfaces

• Bonding

Network Interfaces

The Network Interfaces section looks like this:

It allows you to configure and activate the network interfaces within your system.

After changing these options, you need to reboot the appliance in order to make the modification effective. For this purpose, a link is provided here that takes you to the Reboot/Shutdown tab.


Use the following checkboxes and input fields to configure the network interfaces:

• Activate — If you want to activate a particular interface, select this checkbox in the corresponding line.

• Interfaces — The fields in this column display the interfaces that are available within your network.

• IP Address — In this input field, enter the IP address for the corresponding interface.

• Network Mask — In this input field, enter the network mask for the corresponding interface.

• Media — If you want to use a media option for a particular interface, enter it in this field.

You should, however, do this only if you are sure that it will have no unforeseen impact on your configuration.

The following media types are available as options:

• 100baseT4

• 100baseTx-FD

• 100baseTx-HD

• 10baseT-FD

• 10baseT-HD

• Description — Use this input field to enter a text describing the interface in the same line. Input in this field is optional.

Bonding

The Bonding section looks like this:

It allows you to configure bonding interfaces.

After changing these options, you need to reboot the appliance in order to make the modification effective. For this purpose, a link is provided here that takes you to the Reboot/Shutdown tab.

Use the following items to configure bonding:

• Number of bonds — In this input field, specify the number of bonding interfaces you want to use. Maximum value is 10.

• MIIMON — Use this input field to configure the frequency (in ms) of MII link monitoring. This value is mandatory. A good value is 100.

To set up a bonding interface, use the following procedure:

• Select the Bonding checkbox. Fill in Number of Bonds and MIIMON values. Reboot the appliance. After reboot, the bonding interfaces should show up in the Network Interfaces list.

• In the IP address field of each physical interface (eth0, eth1, ...), enter the name of the bonding interface it should be part of, such as bond0. The network mask is not used for these interfaces.

• Activate your bonding interfaces and configure IP address and network mask for them.

• Reboot the appliance again to make the configuration active.


To edit an entry, type the appropriate text in the input fields of the Number of Bonds or MIIMON field. Then click Apply Changes to make these settings effective.

You can edit more than one entry and make the changes effective in one go.

Routes

The Routes tab looks like this:

There is the following section on this tab:

• Static routes

Static routes

This section allows you to configure static routes for communication towards particular destinations via particular gateways and interfaces. After specifying the values for a new static route, you add it to a list of routes.

If you want to configure a static route as default route, you need to enter the corresponding gateway address in the Default Gateway IP Address input field on the General tab.

You should also make sure that you configure static routes only if really needed.

With an incorrectly configured route, it may be impossible to connect to the appliance over the network. In this case you would have to log in at the appliance directly in order to correct a configuration error.

After adding a route to the list, you need to commit these settings and reboot the appliance in order to make the settings effective.

For this purpose, corresponding buttons are provided on the Commit Settings tab.

Use the following items to configure static routes:

• Destination — In this input field, add the IP address of a destination.

• Gateway — In this input field, add the IP address of the gateway that should be used to reach the destination.


• Interface — From this drop-down list, select an interface on the gateway that is used to reach the destination.

• Description — In this input field, you can enter a text describing the static route. Input in this field is optional.

• Add Route — After specifying the appropriate information in the fields above, click this button to add the new static route to the list.

The list is displayed at the bottom of this section.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input fields of the Destination, Gateway, or Description columns, or select an interface from the Interface drop-down list.

Then click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filtering term in the input field of the Destination column and enter it using the Enter key of your keyboard. The list will then display only route entries matching the filter.

• Delete Selected — Select the route entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.


Time and date

The Time and Date tab looks like this:

There is the following section on this tab:

• Time and Date

Time and Date

This section allows you to configure the system time for your appliance. You can set a date, a time and a time zone. Furthermore, you can configure the use of NTP for determining the system time of your appliance.

The current system time is displayed at the top of this section. By default, the UTC time zone is used.

After modifying these settings, you need to reboot the appliance in order to make the modification effective. However, this does not apply to a manual reset of time and date, which will become effective without a reboot.

For this purpose, you can use the options provided on the Reboot/Shutdown tab.

Use the following items to configure system time and date:

• Set manually — If you want to set the system time of your appliance manually, make sure the radio button provided here is selected. The radio button is selected by default.

Then use the items in this area for a manual setting of date and time:

• New System Date — Select a month, a day, and a year from the drop-down lists provided here. Then click Set in the same line.

• New System Time — Select an hour, a minute, and a second from the drop-down lists provided here. Then click Set in the same line. The 24-hour format is used here (1 p.m. = 13:00).


• Use NTP to synchronize system time — If you want to synchronize the system time of your appliance with NTP time, select the radio button provided here. Then use the following items for NTP synchronization:

• Primary NTP — In this input field enter the primary NTP system.

• Secondary NTP — In this input field enter the secondary NTP system.

• Select Timezone — From the drop-down list provided here, select the time zone that should be valid for the system time of your appliance.

Then click Apply Changes and reboot the appliance.

Reboot/Shutdown

The Reboot/Shutdown tab looks like this:

There is the following section on this tab:

• Commit Settings

Commit Settings

This section allows you to reboot or shut down an appliance. If an appliance is running in a cluster of McAfee Web Gateway appliances, you can perform a reboot or shutdown for all cluster members.

Performing a reboot will also make the settings effective that you have configured prior to this reboot. The same will happen when you shut down the appliance.

Use the following buttons to perform these activities:

• Reboot — Click this button to reboot an appliance.

The appliance will then go into the munix mode to apply the settings to the system and to reinitialize the RSBAC settings.


Select the Send to cluster checkbox before clicking this button if you want to reboot all McAfee Web Gateway appliances in a cluster.

• Shutdown — Click this button to shut down an appliance.

Select the Send to cluster checkbox before clicking this button if you want to shut down all McAfee Web Gateway appliances in a cluster.

Update

The Update tab looks like this:

There are three sections on this tab:

• Status

• Check for Updates

• Update Log

Status

The Status section looks like this:

It displays information on the status of the appliance, including the update status.

The following display fields are provided in this section:

• Appliance Version — Current version of an appliance.

• Update Status — Status of the update activities for an appliance.


Check for Updates

The Check for Updates section looks like this:

It allows you to contact the update server and view the new software versions that are currently available.

McAfee Web Gateway provides an update server with a directory structure enabling an appliance to scan for available updates. To connect to this server, use the following path:

https://appliance.webwasher.com/update

To view new software versions on this server, click Contact.

If no new versions are available, it means that no update is needed for the appliance. In other words, the appliance is up to date.

A corresponding message is then displayed in the Status section on the upper part of the tab:

If the search results in finding new versions, these will be shown in the Update Search Results section, which is then displayed on the tab:

The results are listed in the following field:

• Appliance Change Log — This field lists the search results for new versions of software packages that are part of the appliance software, such as the kernel.

For each new version of a software package, the features and fixes are listed that are new in this package compared to the version of the package currently installed on the appliance.

If a new version of the McAfee Web Gateway application software was found, its new features and fixes are shown together with the information on other packages.


If the search for new software versions shows that there are actually such versions, you can download and install them.

For this purpose, the Update Appliance section is then displayed on the tab, providing a button labeled Download and Install:

To download and install the new versions, click this button.

If the appliance is running in a cluster of McAfee Web Gateway appliances, you can install the new versions on all cluster members.

To do this, select the checkbox labeled Send to cluster before clicking the button.

The new versions will be installed on all members of the cluster. If a new version of a software package already exists on a cluster member, however, no update will be performed for this package.

After clicking the button, the Downloading New Version section is displayed on the tab:

It informs you about the status of the download process.

After this process is completed, the appliance reboots itself. With this reboot, the new software versions are installed on the appliance.

Any update activities that were performed in this way are logged and displayed in the Update Log section at the bottom of the tab.

Update Log

The Update Log section looks like this:

It displays the last ten lines of the appliance update log file. This file records any update activities that were performed for an appliance.


High availability

The High Availability tab looks like this:

There are three sections on this tab:

• Cluster Status

• Heartbeat

• Cluster IP

They are described in the following.

Furthermore, there is a subsection describing the removal of a node when there is another node with the same name in the high-availability cluster:

• Removing a stale node from the cluster information database

Another subsection provides a sample procedure for setting up a high-availability cluster for two instances of McAfee Web Gateway:

• Configuring two nodes in a high-availability cluster


Cluster Status

The Cluster Status section looks like this:

This section displays the status of the high-availability cluster that the McAfee Web Gateway appliance you are presently configuring belongs to.

Status information is provided on:

• The number of nodes in the high-availability cluster that are currently online

• The number of resources that have been configured for the high-availability cluster

Heartbeat

The Heartbeat section looks like this:

Using this section, you can configure the settings of the Heartbeat daemon.

This daemon is the core of the high-availability solution that can be run in a cluster of McAfee Web Gateway instances running on multiple appliances.

A cluster like this is here referred to as high-availability cluster.

The settings include the interface on the appliance in question that is used for sending and receiving heartbeat messages, as well as the authentication key that is required for an incoming heartbeat message in order to be accepted.

Furthermore, you can configure that the Heartbeat daemon is started whenever the appliance is booted.

The Heartbeat daemon uses information from a database of its own, which is the Cluster Information Database (CIB). This database is replicated across all nodes in the high-availability cluster, and changes in the information stored there are distributed by the Heartbeat program to all nodes.

To retrieve information from this database, the cibadmin -Q -o resources, cibadmin -Q -o nodes, and cibadmin -Q -o constraints commands can be used.

Another task you need to complete in order to achieve high-availability for a cluster of McAfee Web Gateway instances, is to set up a cluster IP address for all nodes of the high-availability cluster. This is done in the Cluster IP section.

Note: It is recommended that you use the same network interface for running the Heartbeat system and for managing traffic coming in on the cluster IP address. This recommendation applies especially to smaller environments, for example, when you have only two instances of McAfee Web Gateway installed. In larger environments, you can have one network interface for running the Heartbeat system and another one for managing traffic on the cluster IP address. However, a network failure on the traffic interface might not be detected in this configuration.

The Cluster IP section further below provides information on the settings of the cluster IP address, as well as more information on the high availability cluster in general.


You also need to configure the use of a time server since time must be synchronized for each cluster node. It is recommended to configure a server outside the cluster for this purpose.

The Use NTP to synchronize system time feature on the Time and Date tab may be used here.

Note: All nodes participating in the Heartbeat system must be connected to the same network (broadcast domain), and the node names must be unique.

There may be a situation, such as after re-installation of a node, where two nodes with the same name exist in the high-availability cluster. Each node still has its own IP address then, but one of them is offline all the time.

You should remove this "stale" node in order to retain a consistent structure for your high-availability cluster. How to do this is described in the next subsection.

After modifying the default settings configured in this section, you need to reboot the appliance to make the modification effective. A link to the Reboot/Shutdown tab is provided at the bottom of the section.

If you have configured central management for the cluster that the appliance is a member of, the settings are transferred to all other appliances in the cluster after the reboot and replicated there.

For configuring central management, use the tabs provided under Configuration > Central Management.

Use the following items to configure the Heartbeat daemon:

• Start on Boot — Select this checkbox to have the Heartbeat daemon started whenever the appliance is booted.

• Heartbeat Interface — In this input field enter the interface on the appliance that should be used for sending and receiving heartbeat messages.

• Authentication Key — In this input field enter the authentication key that is required for an incoming heartbeat message in order to be accepted on the appliance.

Removing a stale node from the cluster information database

In a high-availability cluster, there may be two nodes with the same name, such as after re-installation of a node.

Each of these nodes has its own IP address, but one of them is offline all the time. The Cluster Information Database (CIB) has entries for both nodes.

To remove the "stale" node, you need to delete the corresponding entry in the database. Proceed as follows:

1 Shut down the entire high-availability cluster, using the following command:

/etc/init.d/heartbeat stop

2 Remove the host cache file on each node:

rm /var/lib/heartbeat/hostcache

3 Restart the high-availability cluster:

/etc/init.d/heartbeat start

4 Delete the entry for the stale node:

cibadmin --cib_delete --obj_type nodes --crm_xml '<node id="IDSTRING"/>'

where IDSTRING is the ID of the node that should be removed.


Cluster IP

The Cluster IP section looks like this:

Using this section, you can set up an IP address that is valid for multiple nodes in a high-availability cluster of McAfee Web Gateway appliances, configure its settings, enable or disable it, and suspend or resume individual nodes.

The settings include the interface on the appliance where the IP address is configured, as well as the maximum number of nodes it can be used for.

Furthermore, you can configure a hash algorithm for determining the node that will be the recipient of a given ICMP/TCP/UDP packet with the cluster IP address as its destination. This is required since this address is valid for all nodes in the high-availability cluster.

The hash will make use of information contained in the packet, such as its source IP address or source port. You can configure which of these two options should be used for the hash.

Configuring the source IP address ensures that the same McAfee Web Gateway proxy is always used for a packet with a given source IP address.

Note, however, that this method may cause difficulties when several clients are "hidden" behind one NAT box or proxy with a single source IP address.

In a NAT environment, using the source IP address plus the source port for the hash seems to be an adequate solution to avoid ambiguities.

The disadvantage of this method is that it breaks up the processing of progress pages and quota management, and possibly other functions. So it should not be used unless the technical limitations caused by it are sufficiently clear.

Load sharing is achieved through an iptables module that uses the hash algorithm to determine whether a given node should process a packet or not. For this purpose, the algorithm divides the traffic into portions known as "buckets".

The buckets that a given node is responsible for can be looked up in the file /proc/net/ipt_CLUSTERIP/<cluster ip address>.

Failover is also ensured, since in case a node fails, the buckets that this node was responsible for are migrated to other nodes. Active connections to the failing node will then break, of course, and the failing node is taken out of the high-availability cluster.
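To make the bucket mechanics concrete, here is an added model of the two hash modes and of bucket migration on failover. It is an illustration written for this guide, not McAfee or Netfilter code: it assumes SHA-256 truncated to 32 bits in place of the kernel module's Jenkins hash, a round-robin migration rule, and constructed node names and traffic.

```python
"""Model of the cluster IP bucket hashing described above.

Added illustration, not McAfee or Netfilter code. The kernel's ipt_CLUSTERIP
module uses a Jenkins hash with a per-cluster seed; this model substitutes
SHA-256 truncated to 32 bits (an assumption, chosen so the demo is deterministic
and runs offline). The bucket-migration rule in failover() is likewise a
constructed stand-in for what the appliance does when a node drops out.
"""
import hashlib
from collections import Counter, defaultdict


def packet_bucket(src_ip: str, src_port: int, mode: str, total_nodes: int) -> int:
    """Bucket (1..total_nodes) that a packet with this source falls into."""
    if mode == "sourceip":
        key = src_ip.encode()
    elif mode == "sourceip-sourceport":
        key = f"{src_ip}:{src_port}".encode()
    else:
        raise ValueError(f"unknown hash mode {mode!r}")
    digest = hashlib.sha256(key).digest()          # stand-in for jhash
    return int.from_bytes(digest[:4], "big") % total_nodes + 1


def initial_assignment(node_names):
    """Bucket i is owned by node i: one bucket per node as the starting state."""
    return {i + 1: name for i, name in enumerate(node_names)}


def buckets_of(assignment, node):
    """The bucket list /proc/net/ipt_CLUSTERIP/<cluster ip> shows for a node."""
    return sorted(b for b, owner in assignment.items() if owner == node)


def failover(assignment, failed_node):
    """Hand the failed node's buckets to the survivors, round-robin (assumption)."""
    survivors = sorted(set(assignment.values()) - {failed_node})
    if not survivors:
        raise RuntimeError("last node failed: nothing answers the cluster IP")
    migrated = dict(assignment)
    for i, bucket in enumerate(buckets_of(assignment, failed_node)):
        migrated[bucket] = survivors[i % len(survivors)]
    return migrated


def route(packets, mode, assignment):
    """(src_ip, src_port, owning node) for every packet in the sample."""
    total = len(assignment)
    return [(ip, port, assignment[packet_bucket(ip, port, mode, total)])
            for ip, port in packets]


def node_load(packets, mode, assignment):
    """Packets per node, i.e. whether load is actually being shared."""
    return Counter(node for _, _, node in route(packets, mode, assignment))


def clients_split_across_nodes(packets, mode, assignment):
    """Source IPs whose connections reached more than one node. For these
    clients, per-proxy state (progress pages, quota counters) is no longer
    kept in one place, which is the drawback the guide warns about."""
    seen = defaultdict(set)
    for ip, _, node in route(packets, mode, assignment):
        seen[ip].add(node)
    return sorted(ip for ip, nodes in seen.items() if len(nodes) > 1)


# Constructed sample traffic: one NAT box (203.0.113.10) fronting 200 users,
# each connection with its own source port, plus three directly connected
# clients with one connection each.
NAT_IP = "203.0.113.10"
SAMPLE_PACKETS = [(NAT_IP, 40000 + i) for i in range(200)] + [
    ("198.51.100.7", 51000), ("198.51.100.8", 51001), ("198.51.100.9", 51002)]
NODES = ["wwgw1", "wwgw2", "wwgw3"]   # constructed node names


def demo():
    """Run both hash modes over the sample, then fail one node."""
    assignment = initial_assignment(NODES)
    degraded = failover(assignment, NODES[-1])
    return {
        # sourceip: the whole NAT population lands on a single proxy
        "load_sourceip": node_load(SAMPLE_PACKETS, "sourceip", assignment),
        "split_sourceip": clients_split_across_nodes(
            SAMPLE_PACKETS, "sourceip", assignment),
        # sourceip-sourceport: NAT traffic is spread, but the NAT clients now
        # hit different proxies from connection to connection
        "load_sourceip_sourceport": node_load(
            SAMPLE_PACKETS, "sourceip-sourceport", assignment),
        "split_sourceip_sourceport": clients_split_across_nodes(
            SAMPLE_PACKETS, "sourceip-sourceport", assignment),
        # after failover the failed node owns no bucket and receives nothing
        "buckets_after_failover": {n: buckets_of(degraded, n) for n in NODES},
        "load_after_failover": node_load(
            SAMPLE_PACKETS, "sourceip-sourceport", degraded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Running it shows the trade-off in numbers: with sourceip every NAT connection lands on one proxy, with sourceip-sourceport the load is spread but the NAT address appears in the list of clients split across nodes.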

The failover can also be performed manually, using the cgctl clusterip --suspend command on the node in question, which suspends the cluster IP address for it. The cgctl clusterip --resume command can then be used to re-enable the cluster IP address.

The same functions can be executed by clicking Suspend or Resume in this section, see below.

After you enable the cluster IP address, the specified settings take effect for the Heartbeat daemon that is running on the appliance you are presently configuring.

This daemon must be configured and activated prior to the cluster IP address.

After enabling, the daemon transfers these settings to all other appliances in the high-availability cluster and replicates them there.

The cluster IP address is thus configured for all nodes of the high-availability cluster, which means it needs to be set up only on one node in order to become valid also on the other nodes.


To view the address, use the ip addr show command.

Note that configuring a cluster IP address in the way described here is an easy way to implement load sharing and failover in a small installation.

The number of nodes incorporated in this solution should not be higher than 10, though. Otherwise the administrative overhead caused by implementing this solution will impede the smooth operation of the high-availability cluster.

For medium and large installations, it is therefore recommended that you use a dedicated hardware solution to implement load sharing and failover facilities.

When implementing the cluster IP address, you should bear in mind that traffic for this address will arrive at all nodes of the high-availability cluster, which means that the bandwidth of the smallest node limits the amount of traffic that can be processed.

Also with this solution, McAfee Web Gateway can only be configured to run as proxy, while it is not possible to configure it as ICAP server, or to use the WCCP protocol, or to set up transparent authentication via the cluster IP address.

For troubleshooting a high-availability cluster, the crm_mon command may be used, as well as several commands for administering the Cluster Information Database (CIB), which is maintained by the Heartbeat daemon, see the corresponding online help page.

Furthermore, a sample procedure for configuring two McAfee Web Gateway instances to run as nodes in a high-availability cluster is described in the next subsection.

Use the following items to configure the cluster IP address in a high-availability cluster:

• Cluster IP — In this input field enter the IP address.

• Cluster IP Interface — In this input field enter the interface on an appliance that the cluster IP address is assigned to. Remember that this interface will be the same for all nodes of the high availability cluster.

• Hash Algorithm — From the drop-down list provided here, select a hash algorithm for determining the node that will be the recipient of a packet with the cluster IP address as its destination.

There are two algorithms available, differing with regard to the type of packet information they use for the hash.

On the limitations that exist for both types, see the information provided further above.

The following can be configured here:

• sourceip — The IP address of the packet source is used for computing the hash that determines the recipient node.

• sourceip-sourceport — The IP address and port number of the packet source are used for computing the hash that determines the recipient node.

• Maximum Nodes — In this input field enter the maximum number of nodes that will be included in the high-availability cluster, using this cluster IP address.

• Enable Cluster IP — After specifying the appropriate information, click Enable provided here to make the cluster IP address and its settings effective.

• Disable Cluster IP — Click Disable provided here to disable a cluster IP address.

• Suspend Current Node — Click this button to suspend the current node from being a member of the high-availability cluster.

• Resume Current Node — Click this button to resume membership in the high-availability cluster for the current node.


Configuring two nodes in a high-availability cluster

The following sample procedure describes how to configure two instances of McAfee Web Gateway running on different appliances to run as nodes in a high-availability cluster.

It is recommended to join the two instances in a small central management cluster before configuring the high-availability settings. This means that one of the instances is configured as master and the other as site instance.

The high-availability settings are then configured only on the master instance, from where they are distributed to the site instance.

An alternative way of configuring high-availability for two instances of McAfee Web Gateway would be to join them to an existing central management cluster before configuring the high-availability settings.

In this case, you would have to configure both instances as site instances of the existing master instance and then configure the high-availability settings on that master instance.

To configure two nodes in a newly created high-availability cluster, proceed as follows:

1 Log in to the McAfee Web Gateway instance on the first appliance, and in the web interface of that instance go to the Node Settings tab under Configuration > Central Management.

2 In the Instance Role section on that tab, select Yes, act as a cluster node of the following role, and select Master instance.

3 Click Apply Changes to make these settings effective.

Leave the other settings that can be configured for a master instance on the Master Settings tab at their default values, or modify them according to your requirements.

For more information on these settings, see the corresponding online help pages.

4 Log in to the McAfee Web Gateway instance on the second appliance, and in the web interface of that instance go to the Site Settings tab under Configuration > Central Management.

5 On this tab, configure the following settings:

• In the Host Names or IPs input field of the Master Instances Addresses section, type the host name or IP address of the master instance.

• In the Web Interface Port input field, type the port number of the port that should be used for communication between the master and the site instance.

• In the Password input fields of the Authentication section, type a password to allow the site instance to log in to the web interface of the master instance and another to allow the master to log in to the site instance.

Retype both passwords.

• In the Contact Interval section, type 30 as the value of the time interval (in minutes) for requesting synchronization from the master. This is the minimum interval; you may also configure a higher value here.

6 Click Apply Changes to make these settings effective.

Leave the other settings on this tab at their default values, or modify them according to your requirements. For more information on these settings, see the corresponding online help pages.

7 In the web interface of the instance you configured as master, go to the High-Availability tab under Configuration > Appliance, and configure the following settings in the Heartbeat section of that tab:

• Select the Start on Boot checkbox to have the Heartbeat daemon started whenever the appliance is booted.

• In the Heartbeat interface input field, type the name of the interface on the appliance that should be used for sending and receiving heartbeat messages, such as eth0.


• In the Authentication Key input field, type the key that is required for an incoming heartbeat message in order to be accepted on the appliance, such as SuperSecretKeyZZZ.

For more information on these settings, see the corresponding online help pages.

8 Reboot the appliance that this instance of McAfee Web Gateway is running on to make the Heartbeat settings effective. Click Reboot on the Reboot/Shutdown tab to do this.

9 In the Cluster IP section, configure the following settings (see the explanations given above for more information on them):

• In the Cluster IP input field, type the cluster IP address for the high availability cluster, such as 10.150.34.103.

• In the Cluster IP interface input field, type the name of the interface on the appliance that the cluster IP address is assigned to, such as eth0.

• From the Hash Algorithm drop-down list, select either the sourceip or the sourceip-sourceport algorithm for determining the node that will be the recipient of a packet with the cluster IP address as its destination.

• In the Maximum Nodes input field, type the maximum number of nodes to be included in the high-availability cluster that uses this cluster IP address, such as 2.

10 Click Enable to make the cluster IP address and its settings effective.

This completes the sample configuration procedure.

After the contact interval that you configured has elapsed, the high-availability settings should be distributed from the master to the site instance and the high availability cluster should be working.

You should then be able to ping both nodes of the high-availability cluster using the cluster IP address.
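The two Hash Algorithm choices in step 9 decide which node receives a packet addressed to the cluster IP. The following added example (not McAfee code, and not the appliance's actual hash, which this guide does not document) models both choices with SHA-256 over the packet's source address, optionally combined with the source port, reduced modulo the Maximum Nodes value. It shows the operational difference: with sourceip every connection from one client lands on the same node, while sourceip-sourceport spreads a single client's connections across nodes. The client addresses and ports are constructed sample values.

```python
# Added example (not McAfee code): illustrates the "sourceip" and
# "sourceip-sourceport" hash algorithms that pick the node receiving a packet
# sent to the cluster IP. Hash function (SHA-256 mod node count) is an
# assumption for illustration only; the appliance's real hashing is not
# documented on this page.
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Set


def select_node(src_ip: str, src_port: int, algorithm: str, max_nodes: int) -> int:
    """Return the zero-based index of the node that would receive this packet."""
    if max_nodes < 1:
        raise ValueError("max_nodes must be at least 1")
    if algorithm == "sourceip":
        key = ipaddress.ip_address(src_ip).packed
    elif algorithm == "sourceip-sourceport":
        key = ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
    else:
        raise ValueError(f"unknown hash algorithm {algorithm!r}")
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % max_nodes


def nodes_for_client(src_ip: str, ports: Iterable[int], algorithm: str, max_nodes: int) -> Set[int]:
    """Distinct node indexes that connections from one client are spread over."""
    return {select_node(src_ip, p, algorithm, max_nodes) for p in ports}


def distribution(clients: Iterable[str], ports: Iterable[int], algorithm: str, max_nodes: int) -> Dict[int, int]:
    """Count how many (client, source port) flows each node would receive."""
    counts: Counter = Counter()
    ports = list(ports)
    for ip in clients:
        for p in ports:
            counts[select_node(ip, p, algorithm, max_nodes)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample: three clients, each opening 100 connections, 2 nodes.
    clients = ["192.168.100.5", "192.168.100.6", "10.150.34.33"]
    ports = range(40000, 40100)
    for algo in ("sourceip", "sourceip-sourceport"):
        print(algo, "per-node flow counts:", distribution(clients, ports, algo, 2))
        print(algo, "nodes used by 192.168.100.5:", nodes_for_client(clients[0], ports, algo, 2))
```

The practical consequence for the two-node cluster above: sourceip keeps a client's session state on one node (useful when authentication or connection state is node-local), whereas sourceip-sourceport balances more evenly but a client's requests may alternate between nodes.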


Port forwarding

The Port Forwarding tab looks like this:

There is the following section on this tab:

• Port Forwarding

Port Forwarding

This section allows you to configure the forwarding of local ports.

After adding a port to the list or changing or removing a port, you need to reboot the appliance in order to make the modification effective. For this purpose, a link is provided here that takes you to the Reboot/Shutdown tab.

Use the following items to configure port forwarding:

• Port — In this input field, type the local port that is going to be forwarded.

• Source — Use this input field to specify the source IP address or network of clients that are allowed access through this port.

To specify a single host, type its IP address, for example, 192.168.100.5. For a subnet, type its IP address range, for example, 192.168.100.0/24. Multiple entries separated by spaces are possible.

• Destination — In this input field, enter the IP address of the destination host.

• Destination Port — In this input field, specify the destination port.

• Add Port — After specifying the appropriate information in the fields above, click this button to add the new port to the list.

The list is displayed at the bottom of this section. To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.


If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input fields of the Port, Source, Destination Host, or Destination Port columns.

Then click Apply Changes to make these settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Delete Selected — Select the port entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

Web interfaces

The Web Interfaces options are invoked by clicking the corresponding button under Configuration.

They are described in the upcoming sections:

• Ports

• Sessions

• Dashboard / Quick snapshots


Ports

The Ports tab looks like this:

There are four sections on this tab:

• Web Interface Port Settings (HTTP)

• Web Interface Port Settings (HTTPS)

• End User Port Settings

• Web Interface Options


Web Interface Port Settings (HTTP)

The Web Interface Port Settings section for HTTP connections looks like this:

Using this section, you can configure the web interface port for HTTP connections.

If you want to use this feature, make sure the checkbox next to the section heading is selected. The checkbox is selected by default.

After modifying this setting or any other setting in this section, click Apply Changes to make the modification effective.

Use the following input fields to configure these port settings:

• Port — Enter the port number of the listener port here, such as 9999.

In addition to a port number, you can also enter the IP address of the interface you want to configure this port for, which means you could enter 10.150.34.33:9999.

The default port number is 9090.

If you also enter an IP address, it is checked whether this address is valid—whether it is an IP address of a network interface that is known within your local system. If the address is invalid, a message is displayed to inform you about it. The port number you entered will not be processed in this case, and the existing port number will remain in use.

So, to change a port number using this field you need to either enter a valid IP address with the port number or the port number without an IP address.

A redirect will then be performed in order to use the port number you just configured for access to the web interface. This redirect will, however, only be performed if you are actually using an HTTP connection to access the web interface.

Note: When a port number is transferred in a cluster to synchronize the master’s settings with those of the site instances, only the port number itself is transferred, which means that if an IP address was also specified, it is ignored in the synchronization process.

If you want to exclude port numbers from being transferred in this process, enable the Listener Ports option in the Local Site Settings section on the Site Settings tab under Configuration > Central Management to forbid synchronization of port numbers on a site instance.

Enable the same option in the Local Master Settings section on the Master Settings tab to forbid it for port numbers on a master instance.

• Allow access from — Use this field to configure the IP addresses that should have access to each port that is opened by McAfee Web Gateway.

The input format is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*

An asterisk (*) means that everyone is allowed access.

If the same port is specified here as for the HTTP proxy, this setting is ignored.


Web Interface Port Settings (HTTPS)

The Web Interface Port Settings section for HTTPS connections looks like this:

Using this section, you can configure the web interface port for HTTPS connections.

If you want to use this feature, make sure the checkbox next to the section heading is selected. The checkbox is selected by default.

After modifying this setting or any other setting in this section, click Apply Changes to make the modification effective.

Use the following input fields to configure these port settings:

• Port — Enter the port number of the listener port here. For example, 9999.

In addition to a port number, you can also enter the IP address of the interface you want to configure this port for, which means you could enter 10.150.34.33:9999.

The default port number is 9091.

If you also enter an IP address, it is checked whether this address is valid—whether it is an IP address of a network interface that is known within your local system. If the address is invalid, a message is displayed to inform you about it. The port number you entered will not be processed in this case, and the existing port number will remain in use.

So, to change a port number using this field you need to either enter a valid IP address with the port number or the port number without an IP address.

A redirect will then be performed in order to use the port number you just configured for access to the web interface. This redirect will, however, only be performed if you are actually using an HTTPS connection to access the web interface.

Note also that when a port number is transferred in a cluster to synchronize the master’s settings with those of the site instances, only the port number itself is transferred, which means that if an IP address was also specified, it is ignored in the synchronization process.

If you want to exclude port numbers from being transferred in this process, enable the Listener Ports option in the Local Site Settings section on the Site Settings tab under Configuration > Central Management to forbid synchronization of port numbers on a site instance.

Enable the same option in the Local Master Settings section on the Master Settings tab to forbid it for port numbers on a master instance.

• Allow access from — Use this field to configure the IP addresses that should have access to each port that is opened by McAfee Web Gateway.

The input format is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*

An asterisk (*) means that everyone is allowed access.


End User Port Settings

The End User Port Settings section looks like this:

Using this section, you can configure an internal port that is available for end users who want to access McAfee Web Gateway. This can be either the web interface port, which is the port also used by administrators, or an additional port that you specify here.

Furthermore, you can specify that HTTPS connections must be used for access to McAfee Web Gateway.

The internal port will be available for end users accessing McAfee Web Gateway in order to change their passwords, handle e-mail digests, or edit the e-mail white list.

After specifying the appropriate settings, click Apply Changes to make them effective.


Use the following items to configure an internal port for access to McAfee Web Gateway:

• Use web interface Port — If the web interface port should be used, make sure this radio button is selected. The radio button is selected by default.

• Use Additional Port — If you want to use an additional port, select this radio button. Then specify the port settings using the following input fields:

• Port — Specify the additional port here. The input format is: [IP:] Port

The default port number is 9093.

• Allow access from — Specify the range of IP addresses that should have access to McAfee Web Gateway here. The input format is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]* | *

Note: Type * to allow everyone access.

• use HTTPS connections — If HTTPS connections should be required for access to McAfee Web Gateway, make sure this checkbox is selected.

The checkbox is selected by default.


Web Interface Options

The Web Interface Options section looks like this:

Using this section, you can configure options for using the Web interface that is provided as interface to the user.

You can enforce the use of basic authentication as a method for access and specify a login window name that should be used for this purpose.

Note that it does not make sense to configure a session length when basic authentication is enforced here. Even if your session times out, you will be automatically authenticated at the next request.

For this reason, there is also no logout link provided at the top of the web interface area when basic authentication is enforced.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following checkbox and input field to configure these options:

• Force usage of Basic authentication — If you want to enforce basic authentication for access to the web interface, select this checkbox.

• Login window name — Enter the name of the login window here. The default name is McAfee Web Gateway configuration.


Sessions

The Sessions tab looks like this:

There are two sections on this tab:

• Session Options

• Session Overview

Session Options

The Session Options section looks like this:

Using this section, you can configure the length of a McAfee Web Gateway session. This will apply to sessions of the Web interface that is provided as interface for the user of McAfee Web Gateway, as well as to those of the SSH interface.

After specifying this setting, click Apply Changes to make it effective.

Use the following input field to configure the session length:

• Session length ... minutes — Enter a time interval (in minutes) for the session length here.


Session Overview

The Session Overview section looks like this:

This section displays all McAfee Web Gateway sessions that are currently active. For each session the following information is provided:

• User — User name of the user who is logged in for the session.

• TTL — Time that the session has lasted so far (in minutes and seconds).

• Status — Status the user of a session has with regard to session mode and access privileges.

• Interface — Protocol used for the session.

• from IP — IP address that the user has logged in from to the session.


Dashboard / Quick snapshots

The Dashboard / Quick Snapshots tab looks like this:

There are three sections on this tab:

• Enable/Disable/Consolidation

• Time Intervals

• Frequent Media Types Counter


Enable/Disable/Consolidation

Using this section, you can configure the display of the dashboard and the various quick snapshots. Furthermore, you can configure the consolidation of data, specifying for the dashboard and every quick snapshot whether the corresponding data should be consolidated.

Data consolidation can be configured for data concerning a Centralized Management Cluster, a Multi-Process Cluster, or both.

To disable or enable display or data consolidation for a component, select or deselect its checkbox in the appropriate column. Since the consolidation of data for a Centralized Management Cluster requires additional network traffic, it is not enabled by default for any component, unlike the other options.

After modifying any of the settings provided here, click Apply Changes to make the modification effective.

Display and consolidation of data concerning a Centralized Management Cluster or a Multi-Process Cluster can be configured for the:

• Dashboard

• Common Quick Snapshot

• URL Filter Quick Snapshot

• Anti-Malware Quick Snapshot

• Anti-Spam Quick Snapshot

• SSL Scanner Quick Snapshot

Time Intervals

Using this section, you can configure the time that should elapse before a file with dashboard data is written to disk or an update of the dashboard is displayed. Furthermore, you can configure the time between queries for data that are retrieved through periodically performed queries.

After modifying any of the settings in the input fields provided here, click Apply Changes to make the modification effective.

Frequent Media Types Counter

Using this section, you can reset the counter that counts frequent media types processed by the McAfee Web Gateway filters, that is, set it back to zero. Media types are counted by hits and by volumes.

The results of this counter are displayed in the Frequent Media Types by Hits and Frequent Media Types by Volumes sections on the Quick Snapshot tab under Common > Quick Snapshot.

Use the following item for the reset:

• Reset Frequent Media Types Counter — Click this button to reset the counter.

Secure administration shell

The Secure Administration Shell options are invoked by clicking the corresponding button under Configuration.

If you want to enable any of these options, you also need to select the checkbox that is on this button. Then click Apply Changes to make this setting effective.

The options are described in the upcoming section:

• General settings


General settings

The General Settings tab looks like this:

There are four sections on this tab:

• Port Settings

• Server Host Keys

• Authentication

• Protocol Options


Port Settings

The Port Settings section looks like this:

Using this section, you can configure the listener port for the administration shell server. For security reasons, you can also restrict access to this port to particular IP addresses.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following input fields to configure these port settings:

• Port — Enter the port number of the listener port for the administration shell server here. The default port number is 9092.

The input format is: [IP:] Port

• Allow access from — Enter the IP addresses that should have access to each port opened by McAfee Web Gateway here.

The input format is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*

Tip: Entering an * here means that everyone is allowed access.

Server Host Keys

The Server Host Keys section looks like this:

Using this section, you can generate the server host key that is needed for identification of the administration shell server.

This key is also known as the public key. It is one of a pair of keys, where the other key is a private key that is accessible to no one else.

Clients having a copy of this public key can verify whether the server also owns the corresponding private key, and thereby verify the identity of the server.

The public key and the private key are both encryption keys, with the private key allowing both encryption and creation of digital signatures. A private key on a client is only known to the corresponding user.


This ensures trustworthy identification of the server as well as confidentiality of data and digital signatures.

Public and private keys can make use of the RSA (Rivest Shamir Adleman) or DSA (Digital Signature Algorithm) crypto systems, on which the Diffie-Hellman key exchange method is applied.

With RSA encryption, you need not type a password when connecting to other hosts on the network that recognize your public key.

The meaning of the items provided in this section is as follows:

• RSA/DSA Key Type — Use this key type list to select either the RSA or the DSA key type and generate the corresponding keys by clicking Generate at the right end of the line in question.

A fingerprint and the bit strength can also be displayed for these keys.

You can also import a private key. To do this, use the following items in the lower part of the section:

• Key type — Select the type (RSA or DSA) of the private key from the drop-down list provided here.

• File — Click Browse next to this input field to browse for the file containing the private key.

• Passphrase — In this input field, enter a passphrase for the private key.

Note that the security of your passphrase is extremely important as it is used to authenticate you to any server you wish to connect to. Be aware of any unencrypted network connections.

Should someone figure out this passphrase, this person would have access to all the servers you are using.

Passphrases should be between 25 and 80 characters, and can consist of multiple words (spaces are acceptable) as well as digits, and should not be something obvious, such as the name of a person, a place name, etc.

• Import — After specifying input for the above fields, click this button to import the private key.
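The fingerprint and bit strength shown for a generated host key are what an administrator compares against the value an SSH client reports on first connection, so that a changed or substituted host key is noticed rather than accepted. The following added example (not McAfee code) computes exactly those two values from an OpenSSH-format public key line: it encodes and decodes the standard SSH wire format (length-prefixed strings and mpints) and derives the SHA256 and MD5 fingerprints the way OpenSSH prints them. The RSA modulus used as sample input is a constructed placeholder number, not a real key.

```python
# Added example (not McAfee code): fingerprint and bit strength of an
# OpenSSH-format public key ("ssh-rsa AAAA... comment"), the two values the
# Server Host Keys section displays. The sample modulus is a constructed
# placeholder, not a real key.
import base64
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (0x00 prepended if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Build an 'ssh-rsa <base64 blob> [comment]' line from exponent and modulus."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def _parse_fields(blob: bytes) -> List[bytes]:
    """Split a decoded key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    return fields


def key_info(line: str) -> Tuple[str, int, str, str]:
    """Return (key type, bit strength, SHA256 fingerprint, MD5 fingerprint) for a public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(parts[1])
    fields = _parse_fields(blob)
    key_type = fields[0].decode("ascii")
    if key_type != parts[0]:
        raise ValueError("key type prefix does not match the blob")
    if key_type == "ssh-rsa":
        modulus = fields[2]      # fields: type, e, n
    elif key_type == "ssh-dss":
        modulus = fields[1]      # fields: type, p, q, g, y
    else:
        raise ValueError(f"unsupported key type {key_type}")
    bits = int.from_bytes(modulus, "big").bit_length()
    # OpenSSH prints the SHA256 fingerprint base64-encoded without padding,
    # and the MD5 fingerprint as colon-separated hex bytes.
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return key_type, bits, "SHA256:" + sha, "MD5:" + md5


if __name__ == "__main__":
    # Constructed sample: 2048-bit placeholder modulus, not a real key.
    sample = build_rsa_public_key_line(65537, 2 ** 2047 + 1, "constructed-test-key")
    print(key_info(sample))
```

Run against a real host key file such as the server's public key, the function reports the same fingerprint an SSH client shows in its "authenticity of host ... can't be established" prompt; the bit strength is simply the bit length of the RSA modulus (or the DSA prime p).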

Authentication

The Authentication section looks like this:

It allows you to configure authentication methods for administrators with regard to using logon credentials and public keys.

To configure credentials and keys that can be used here, click the Administrators link provided in this section. This will take you to the Accounts tab under User Management > Administrators.

After modifying any of these settings here, click Apply Changes to make the modification effective.

Use the following checkboxes to configure authentication methods:

• Password authentication with web interface logon credentials — If you want administrators to authenticate themselves by submitting logon credentials for access to the web interface including a password, make sure this checkbox is selected.

The checkbox is selected by default.

• Public key authentication — If you want administrators to authenticate themselves using a public key, make sure this checkbox is selected.

The checkbox is selected by default.


Protocol Options

The Protocol Options section looks like this:

Using this section, you can specify methods for negotiations between the administration shell server and its clients.

The methods will be applied in the order they have been entered in the input fields provided here.

To disable a method, delete it from the corresponding input field.

After doing this or specifying any other information, click Apply Changes to make these settings effective.

Use the following input fields to configure protocol options:

• Session encryption ciphers — Ciphers are message formats that render communication unreadable except to the intended recipient, such as DES (Data Encryption Standard), AES (Advanced Encryption Standard), Blowfish, and so on.

The input format is: Method [, Method]*

• Message authentication algorithms — The algorithms used for authenticating messages.

The input format is: Method [, Method]*

• Key-exchange methods — Includes means for securely distributing encryption keys to all parties involved, such as the Diffie-Hellman algorithm.

The input format is: Method [, Method]

• Compression — Methods of reducing the size of a given file to something more manageable.

The input format is: (Method | none) [, (Method | none)]
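Because the server applies the methods in the order they are listed, and because deleting a method is the only way to disable it, an administrator reviewing these fields wants to know which entries are legacy algorithms and what the lists look like with them removed. The following added example (not McAfee code) parses the "Method [, Method]*" lists, keeps their order, and flags or strips legacy entries. The algorithm identifiers follow OpenSSH naming and the legacy set is this example's own assumption; this guide does not list the exact identifiers the appliance accepts, and the sample lists are constructed.

```python
# Added example (not McAfee code): parse and lint the Protocol Options lists
# ("Method [, Method]*"). Algorithm names follow OpenSSH naming and the LEGACY
# sets are an assumption for this example, not a list from the appliance.
from typing import Dict, List

# Legacy or broken algorithms that a hardened server should not offer (assumption).
LEGACY = {
    "ciphers": {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128", "arcfour256"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"},
}


def parse_method_list(spec: str) -> List[str]:
    """Split 'Method [, Method]*' into an ordered list, rejecting empty or duplicate entries."""
    methods = [m.strip().lower() for m in spec.split(",")]
    if any(not m for m in methods):
        raise ValueError(f"empty method in list: {spec!r}")
    if len(set(methods)) != len(methods):
        raise ValueError(f"duplicate method in list: {spec!r}")
    return methods


def lint_protocol_options(options: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per option name, the legacy methods found in the order they are listed."""
    findings: Dict[str, List[str]] = {}
    for name, spec in options.items():
        legacy = LEGACY.get(name, set())
        findings[name] = [m for m in parse_method_list(spec) if m in legacy]
    return findings


def harden(options: Dict[str, str]) -> Dict[str, str]:
    """Return the lists with legacy methods removed, preserving the remaining order."""
    hardened: Dict[str, str] = {}
    for name, spec in options.items():
        legacy = LEGACY.get(name, set())
        kept = [m for m in parse_method_list(spec) if m not in legacy]
        if not kept:
            raise ValueError(f"{name}: no method left after removing legacy entries")
        hardened[name] = ", ".join(kept)
    return hardened


if __name__ == "__main__":
    # Constructed sample lists as an administrator might find them.
    current = {
        "ciphers": "aes128-ctr, aes256-ctr, 3des-cbc, arcfour",
        "macs": "hmac-sha2-256, hmac-sha1, hmac-md5",
        "kex": "diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
        "compression": "none, zlib",
    }
    print("legacy entries:", lint_protocol_options(current))
    print("hardened lists:", harden(current))
```

The strings returned by harden() are in the same comma-separated format the input fields expect, so they can be pasted back after review; the order of the remaining methods is unchanged, which matters because it is the order the server tries them in.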

SNMP interface

The SNMP Interface options are invoked by clicking the corresponding button under Configuration.

If you want to enable any of these options, you also need to select the checkbox that is on this button. Then click Apply Changes to make this setting effective.

The options are described in the upcoming sections:

• Agent

• Communities

• SNMPv3 users

• Trap sinks

• MIB browser


Agent

The Agent tab looks like this:

There are three sections on this tab:

• Port Settings

• System Information

• Protocol Options

Port Settings

The Port Settings section looks like this:

Using this section, you can configure the transport protocol and the listener port to be used for the SNMP Agent.


The transport protocol is either UDP or TCP. While SNMP agents naturally run on port 161, McAfee Web Gateway uses port 9161 to allow it to run side-by-side with an existing SNMP agent (of the operating system).

When running on a UNIX operating system, changing the port to 161 or anything below 1024 will require a restart of McAfee Web Gateway.

The following options are provided in this section:

• UDP Port — Make sure this option (default) is enabled if you want to use UDP as transport protocol for the SNMP Agent.

Enter a port number in the corresponding input field if you do not want to use 9161 (default) as the listener port. The format for specifying a port is: [IP:] Port

• TCP Port — Enable this option if you want to use TCP as transport protocol for the SNMP Agent.

Enter a port number in the corresponding input field if you do not want to use 9161 (default) as the listener port. The format for specifying a port is: [IP:] Port

• Allow access from — In this input field, enter the IP addresses of the sites you allow to have access to each port opened by McAfee Web Gateway. The format for specifying IP addresses is: (IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*

The default is an asterisk (*), which allows access from all sites.
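The same "Allow access from" format recurs on the web interface port settings (HTTP and HTTPS), the End User port settings, the administration shell Port Settings and the SNMP Agent Port Settings above, together with the "[IP:] Port" listener format. The following added example (not McAfee code) is a parser and access check for both formats, written the way a defender would want it: deny by default, "*" as the only way to admit everyone, and listener specifications validated before use. The comma separator, the "first-last" syntax for an IP range and the IPv4-only handling are assumptions; the addresses in the sample input are constructed.

```python
# Added example (not McAfee code): parser and checker for the
# "(IP | IP/NetMask | IP range) [, (IP | IP/NetMask | IP range)]*" access-list
# format and the "[IP:] Port" listener format used on the port settings tabs.
# Assumptions: entries are comma separated, a range is written "first-last",
# and only IPv4 is handled.
import ipaddress
from typing import List, Tuple, Union

Rule = Union[ipaddress.IPv4Network, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]


def parse_allow_list(spec: str) -> List[Rule]:
    """Parse an 'Allow access from' string into network and range rules.

    A bare '*' means everyone and is returned as the 0.0.0.0/0 network.
    """
    spec = spec.strip()
    if spec == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    rules: List[Rule] = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in allow list")
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if first > last:
                raise ValueError(f"range {entry!r} runs backwards")
            rules.append((first, last))
        else:
            # strict=False accepts a host address with a mask, e.g. 192.168.100.5/24
            rules.append(ipaddress.ip_network(entry, strict=False))
    return rules


def is_allowed(client: str, rules: List[Rule]) -> bool:
    """Return True if the client address matches any rule; no match means denied."""
    addr = ipaddress.ip_address(client)
    for rule in rules:
        if isinstance(rule, tuple):
            if rule[0] <= addr <= rule[1]:
                return True
        elif addr in rule:
            return True
    return False


def parse_listener(spec: str, default_ip: str = "0.0.0.0") -> Tuple[str, int]:
    """Parse '[IP:]port' into (ip, port); a bare port number binds to default_ip."""
    if ":" in spec:
        ip_text, port_text = spec.rsplit(":", 1)
        ip = str(ipaddress.ip_address(ip_text.strip()))
    else:
        ip, port_text = default_ip, spec
    port = int(port_text.strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return ip, port


if __name__ == "__main__":
    # Constructed sample: an admin network, one management host and a small range.
    rules = parse_allow_list("10.150.34.0/24, 192.168.100.5, 172.16.0.10-172.16.0.20")
    for client in ("10.150.34.33", "192.168.100.6", "172.16.0.15", "8.8.8.8"):
        print(client, "allowed" if is_allowed(client, rules) else "denied")
    print(parse_listener("10.150.34.33:9999"), parse_listener("9090"))
```

Keeping the default deny and treating "*" as an explicit, separate case mirrors the risk the tabs themselves carry: the SNMP Agent defaults to "*", so an administrator should narrow it to the management network as part of setup.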

System Information

The System Information section looks like this:

Using this section, you can specify information on the McAfee Web Gateway software you are currently configuring for use with the SNMP Agent.

The following input fields are provided here for specifying information:

• Description — Description of the McAfee Web Gateway software. Here you can state the release of this software or the purpose it is used for on the corresponding system.

• Object ID — Numerical system description of the McAfee Web Gateway software.

This is the description used by the MIB (Management Information Base) system. Within this system, a numerical description is assigned as an ID to each of the objects administered by the system. A short form for Object ID is: OID.

The objects can also be displayed in a MIB tree, see the MIB browser section.

Example of an Object ID (OID): 1.3.6.1.4.1.1457.2.1.1.1.1.3. This is the Object ID of a particular version of the McAfee Web Gateway software.

• Contact Person — E-mail address of the administrator responsible for maintaining the McAfee Web Gateway software.

• Physical location — Physical location of the system the McAfee Web Gateway software is running on. Here you can enter information specifying a room or a floor in a building, such as Delta Building, 1st floor.

Protocol Options

The Protocol Options section looks like this:

It allows you to configure the version of the SNMP protocol to be used for communication with the SNMP Agent. Specifying more than one version here will enable simultaneous use of the features provided by each of them.

The following protocol options can be configured:

• Allow SNMP protocol version 1 — This option is enabled by default.

• Allow SNMP protocol version 2c — This option is enabled by default.

Note that SNMPv1 and SNMPv2c authorize requests only by a community string that is transmitted in cleartext and can be read by anyone able to capture the traffic. Once SNMPv3 users have been configured and your management stations support them, disable both older versions.

• Allow SNMP protocol version 3 — This version of the SNMP protocol provides a number of new security features, introducing a comprehensive approach to security issues known as the User-Based Security Model (USM).

This option is disabled by default. For this reason, access from an SNMPv3 user account is not possible during the setup phase of the SNMP Agent, until you have enabled it here.

Communities

The Communities tab looks like this:

There are two sections on this tab:

• Communities

• Client Lockout

Communities

The Communities section looks like this:

Using this section, you can configure the communities that are allowed access to the SNMP Agent.

In terms of SNMP communication (versions 1 and 2c), a community is a host system or group of systems that shares a community string and is thereby allowed access to the SNMP Agent and to the objects managed by this agent. Communities are specified through their Internet addresses or host names.

Access is allowed either as read-only access (public mode) or as unrestricted access (private mode).

Accordingly, a password is configured for each community, termed its “community string”, together with the access mode, public or private. Do not use the well-known default strings public and private as community strings; they are the first values an attacker tries.

To add a community to the list, use the area labeled:

• Add community — Specify the appropriate information using the following items:

• Community String — Enter a community string (password) for the community you are presently configuring in this input field.

• Allowed from — Specify the community you want to allow access to the SNMP Agent in this input field.

This is done by entering a host name or an IP address or any other of the values of the input format. The input format is: Host | IP/NetMask | default | *

Entering default or an asterisk * will allow access from any host that presents the configured community string, with the configured access mode (public or private).

• Allow Root OID — Input in this field is optional. You can specify a root OID here, which restricts the community to the objects in the MIB (Management Information Base) subtree below it.

A root OID is specified in dotted-decimal notation, for example: 1.2.6.3 ...

• Read-Only Access — Enable this option to allow read-only access (public mode) for the community in question.

• Add — After specifying the appropriate information, click this button to add the new community to the list.

If this action was successful, there is now an entry for this community in the communities list, which is displayed at the bottom of the section.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an entry, type the appropriate text in the input fields provided with each entry or select to enable or deselect to disable the corresponding Read-Only Access checkbox.

Then click Apply Changes to make your settings effective. You can edit more than one entry and make the changes effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field of the Community column and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

Client Lockout

The Client Lockout section looks like this:

Using this section, you can configure options to protect the SNMP Agent against attempts to guess community strings or user passwords.

You can specify the maximum number of authentication failures that is allowed before access to the SNMP Agent is denied for the client in question, as well as the duration of this lockout.

A display field shows how many clients have been locked out at a given time.

When configuring options in this section, make sure the checkbox next to the section heading is selected. After specifying the appropriate values for these options, click Apply Changes to make your settings effective. The following items are provided in this section:

• Lockout after ... authentication failures — Maximum number of authentication failures before the lockout becomes effective. The default number is 15.

• Lock for ... minutes — Duration of the lockout. The default duration is 30 minutes.

• Number of locked clients — This display field shows the number of clients that have been locked out.

Click Reset next to this field to reset its current value.

SNMPv3 users

The SNMPv3 Users tab looks like this:

There is the following section on this tab:

• SNMPv3 Users

SNMPv3 Users

Using this section, you can configure the user accounts that are allowed access to the SNMP Agent according to SNMP protocol version 3.

In SNMPv3, the User-based Security Model (USM) authenticates users through keys derived from their passwords.

This means the password itself is never delivered between peer computer systems. Each side derives a key from the password, localized to the engine ID of the agent, and uses it to compute a message authentication code over every message (HMAC-MD5-96 or HMAC-SHA-96, based on the MD5 or SHA1 hash algorithm). Only this code is transmitted, and it cannot be reversed to recover the password or the key.

Optionally, the SNMP Agent can encrypt all data transmitted for this user account, using either the Data Encryption Standard (DES) algorithm, as described in RFC 3414, or the newer Advanced Encryption Standard (AES, also known as “Rijndael”) algorithm, as described in RFC 3826. Prefer AES: DES uses a 56-bit key and no longer offers adequate protection.

To configure SNMPv3 user accounts, you need to enable the SNMPv3 version of the SNMP protocol first. To do this, go to the Protocol Options section of the Agent tab.
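The USM key handling just described, as an added example that is not part of the original guide or the product's code: it carries out the password-to-key and key-localization steps of RFC 3414 and computes the HMAC-96 authentication tag with Python's standard library, for both the MD5 and the SHA choice offered in the Authentication field. The password and engine ID are the test inputs from RFC 3414 appendix A.3; the message bytes are a constructed placeholder, not a real SNMP PDU.

```python
import hashlib
import hmac

# Added example (not the product's implementation). Hash functions selectable
# in the Authentication field; the USM names them MD5 and SHA (SHA-1).
ALGOS = {"MD5": hashlib.md5, "SHA": hashlib.sha1}

def password_to_key(password, algo="SHA"):
    """RFC 3414 A.2.1/A.2.2: hash 1,048,576 bytes of the password repeated."""
    if len(password) < 8:
        raise ValueError("USM passwords must be at least 8 characters long")
    pw = password.encode()
    h = ALGOS[algo]()
    # Feed a buffer holding a whole number of password copies, so that the
    # stream remains one continuous repetition across buffer boundaries.
    buf = pw * (65536 // len(pw) + 1)
    remaining = 1048576
    while remaining:
        take = min(len(buf), remaining)
        h.update(buf[:take])
        remaining -= take
    return h.digest()

def localize_key(ku, engine_id, algo="SHA"):
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku); differs per agent."""
    return ALGOS[algo](ku + engine_id + ku).digest()

def auth_tag(kul, message, algo="SHA"):
    """HMAC-MD5-96 / HMAC-SHA-96: only the first 12 bytes of the HMAC go on the wire."""
    return hmac.new(kul, message, ALGOS[algo]).digest()[:12]

def verify_tag(kul, message, tag, algo="SHA"):
    """Receiver side: recompute the tag and compare it in constant time."""
    return hmac.compare_digest(auth_tag(kul, message, algo), tag)

# Inputs from RFC 3414 appendix A.3 (password "maplesyrup", engine ID ...02).
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for algo in ("MD5", "SHA"):
        kul = localize_key(password_to_key(RFC_PASSWORD, algo), RFC_ENGINE_ID, algo)
        # Constructed placeholder for the authenticated SNMPv3 message bytes.
        tag = auth_tag(kul, b"constructed SNMPv3 message", algo)
        print(algo, "localized key:", kul.hex(), "tag:", tag.hex())
```

Because the key is localized with the engine ID, a key captured or leaked from one agent is useless against another agent configured with the same password, and the 12-byte tag reveals neither key nor password.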

To add an SNMPv3 user to the list, use the area labeled:

• Add user — Specify the appropriate information using the following items:

• User Name — Enter the name of the user that an account is being configured for in this input field.

• Password — Enter a password for the user in this field. Note that it has to be at least 8 characters long.

• Allowed from — Specify the hosts from which this user account is allowed access to the SNMP Agent in this input field.

This is done by entering a host name or an IP address or any other of the values of the input format. The input format is: Host | IP/NetMask | default | *

Entering default or an asterisk * will allow access from any host that authenticates successfully under this user name, with the configured access mode (read-only or unrestricted).

• Allow Root OID — Input in this field is optional. You can specify a root OID here, which restricts the user account to the objects in the MIB (Management Information Base) subtree below it.

A root OID is specified in dotted-decimal notation, for example: 1.2.6.3 ...

• Authentication — Select an authentication method for this user by enabling either the MD5 (default) or SHA algorithm. Prefer SHA where your management station supports it.

The selected algorithm is used for the keyed hash (HMAC) that is computed from the localized user key and transmitted with every message during the authentication procedure.

• Encryption — Select an encryption method for the data transferred from this user account by enabling either the DES (default) or AES algorithm.

The selected algorithm is then used as the encryption method. Enable None if you do not want an encrypted data transfer; in that case the contents of the SNMP messages, including the OIDs and values read from the agent, travel in cleartext.

• Read-Only Access — Enable this option to allow read-only access (public mode) for the user in question. Otherwise access will be unrestricted.

• Add — After specifying the appropriate information, click this button to add the new user to the list.

If this action was successful, the user is displayed in the user list, which is displayed at the bottom of this section.

Trap sinks

The Trap Sinks tab looks like this:

There is the following section on this tab:

• Trap Sinks

Trap Sinks

Using this section, you can configure host systems that are to receive event notification messages called “traps” in SNMP terminology. The receiving systems are also known as “trap sinks”.

SNMP specifies a procedure for event notification called “trap”. Based on this procedure, the SNMP Agent can be configured to send a trap whenever a particular event occurs. The trap is sent to a “trap sink”, which is a host system providing a trap daemon listening on a particular port to receive the trap.

Usually, this daemon is running on the system as part of an SNMP management application.

A trap can be sent to each trap sink that has been configured to receive it.

Traps are sent in an asynchronous fashion, which means the sending agent does not wait for acknowledgment, nor does it perform the retransmission of a trap.

You can configure the settings for sending traps in the global configuration file, which is named global.ini when running McAfee Web Gateway on a Microsoft Windows operating system or global.conf on Linux.

For an example showing how to set values for sending traps after a system restart, see Configuring the sending of traps after a system restart.

To add a trap sink to the list, use the area labeled:

• Add trap sink

Specify the appropriate information using the following items:

• Host — Specify the host system (the trap sink) that is to receive traps from the SNMP Agent in this input field. To do this, enter a host name or an IP address.

• Port — Enter the port number for the port of the host system where a trap daemon is listening to receive traps.

• Community string — Enter a community string (password) here for access to the host system that is being configured as a trap sink.

Note: This community string allows only read-access (public mode).

• Send SNMPv2c traps — Enable this option if you want traps to be sent by the SNMP Agent using SNMP protocol version 2c. Otherwise traps are only sent using SNMP protocol version 3.

• Add — After specifying the appropriate information, click this button to add the new trap sink to the list.

If this action was successful, the trap sink is displayed in the trap sink list, which is displayed at the bottom of this section.

Configuring the sending of traps after a system restart

Traps can be sent upon various events, for example, after a system restart or shutdown. You can configure different ways of trap sending for these events.

The standard way is to send a trap after every system restart or shutdown. When McAfee Web Gateway runs as an appliance on a hardware platform, this also applies to restarts and shutdowns that occur when memory defragmentation is performed.

However, the standard trap will only provide information on the restart or shutdown and not on the memory defragmentation that is the reason for this behavior. So there is also an option to send alternative traps that are more informative.

Similarly, standard or alternative traps can be sent when the system restarts after a multi-processing ICAP server has entered the maintenance mode.

Trap sending is configured by modifying settings in the global configuration file. When configuring trap sending for memory defragmentation or ICAP servers entering the maintenance mode, which are events that only occur on appliances, it is the global.conf file that you need to work with.

To configure trap sending for these events, proceed as follows:

1 In the global.conf configuration file, go to the SNMPAgent section.

2 Go to the RestartTrapBehavior parameter. It is by default set to 0, which means no trap is sent after a system restart.

3 Set the parameter to an appropriate value:

1 – A standard trap is sent when a system restart occurs due to memory defragmentation.

2 – An alternative trap is sent when a system restart occurs due to memory defragmentation.

16 – A standard trap is sent when a system restart occurs after a multi-processing ICAP server has entered the maintenance mode.

32 – An alternative trap is sent when a system restart occurs after a multi-processing ICAP server has entered the maintenance mode.

Note: Values can be added in meaningful ways, that is, at most one value per event, and assigned to the parameter to configure trap sending for both events. For example, 33 (= 1 + 32) means a standard trap is sent when a system restart occurs due to memory defragmentation, while an alternative trap is sent when a system restart occurs after a multi-processing ICAP server has entered the maintenance mode.

4 Save the global configuration file.
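The RestartTrapBehavior values from the steps above, as an added example that is not part of the original guide or the product's code: a decoder and encoder for the bit values, which rejects combinations that are not meaningful (both the standard and the alternative trap for one event, or bits the guide does not define), plus a reader for the parameter. The INI-style layout of global.conf assumed here (a [SNMPAgent] section holding key = value lines) and the sample file are constructed for the illustration.

```python
import configparser
import io

# Added example (not the product's own code). Bits per event as listed in the
# guide: (standard trap bit, alternative trap bit).
EVENT_BITS = {
    "memory defragmentation": (1, 2),
    "ICAP server maintenance mode": (16, 32),
}

def decode_restart_trap_behavior(value):
    """Map a RestartTrapBehavior value to {event: 'standard' | 'alternative' | None}.

    Raises ValueError for combinations that are not meaningful: both the
    standard and the alternative trap for one event, or undefined bits.
    """
    if value < 0:
        raise ValueError("negative value")
    known = 0
    result = {}
    for event, (std, alt) in EVENT_BITS.items():
        known |= std | alt
        if value & std and value & alt:
            raise ValueError("both standard and alternative trap set for %s" % event)
        result[event] = "standard" if value & std else "alternative" if value & alt else None
    if value & ~known:
        raise ValueError("undefined bits set: %d" % (value & ~known))
    return result

def encode_restart_trap_behavior(choices):
    """Inverse of decode: build the value from {event: 'standard' | 'alternative' | None}."""
    value = 0
    for event, kind in choices.items():
        std, alt = EVENT_BITS[event]
        if kind == "standard":
            value |= std
        elif kind == "alternative":
            value |= alt
        elif kind is not None:
            raise ValueError("unknown trap kind %r" % kind)
    return value

def read_from_global_conf(text):
    """Read RestartTrapBehavior from the [SNMPAgent] section of a config text.

    The INI layout is an assumption for this example; a missing parameter
    counts as 0, the documented default (no trap after a restart).
    """
    cp = configparser.ConfigParser()
    cp.read_file(io.StringIO(text))
    return decode_restart_trap_behavior(cp.getint("SNMPAgent", "RestartTrapBehavior", fallback=0))

# Constructed sample file using the example value 33 (= 1 + 32) from the note.
SAMPLE_CONF = "[SNMPAgent]\nRestartTrapBehavior = 33\n"

if __name__ == "__main__":
    for event, kind in read_from_global_conf(SAMPLE_CONF).items():
        print("%s: %s" % (event, kind or "no trap"))
```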

MIB browser

The MIB Browser tab looks like this:

There is the following section on this tab:

• MIB Browser

MIB Browser

Using this section, you can view the objects managed by the SNMP Agent in a MIB tree. To view this tree structure a MIB browser is used.

Within a MIB tree, every individual object is represented under its object type and assigned to a particular object category.

Each object category is itself assigned to an object category on a higher level, which creates a hierarchical structure of categories (the MIB tree) ending in a top level category (iso).

So, the system currently running the SNMP Agent is represented under the system object type. The categories above this object type are iso.org.dod.internet.mgmt.mib-2.

This means that mib-2 is the category the system is immediately assigned to.

The individual system represented under system has a number of objects assigned as attributes to it, which are also displayed in the MIB tree, such as the system name, which is represented under sysName. sysName is preceded by a little arrow to show there is more information available for this entry.

Click sysName to display its value, the actual system name, such as lupus. Other properties of sysName are displayed together with its value.

The properties of attribute objects are shown on the MIB browser tab in a separate area below the MIB tree.

Every category, object type or attribute is also identified within the MIB by a sequence of dot-separated numbers. It is displayed in brackets behind the name of an item.

For example, 1.3.6.1.2.1.1.5 is the equivalent of iso.org.dod.internet.mgmt.mib-2.system.sysName. The number and the name chain are different formats of the object ID (OID) of an object.

You can browse for sections of the MIB tree using a root OID—an OID not leading completely down to the object type level.

So, browsing for 1.3.6.1 would display all objects available within the internet category of the MIB tree.

The meaning and usage of the input field and the display fields provided in this section is as follows:

• Root OIDs — Enter a root OID in this input field to browse for a particular section of the MIB tree, such as 1.3.6.1 for the Internet category.

Click Browse to display this section in the MIB Tree Area below this input field.

• MIB Tree Area — In this area, the MIB tree or a section of it is displayed. The section can be specified by entering a root ID in the Root OIDs input field above this area.

To show the items assigned to another item within the MIB tree, expand its structure by clicking the + sign preceding it.

If an item is preceded by a little arrow, information about its properties, such as its value or OID, is available in the Object Properties Area below this area. Click the item to display this information.

Click Expand All or Collapse All just below the bottom right corner of this area to expand or collapse a MIB tree section.

• Object Properties Area — In this area, the properties of an object selected from the MIB tree are displayed. An object can be a scalar or a table object.

Accordingly, only one set of properties is displayed for a scalar object; for example, ifNumber, the number of interfaces available on a system.

For a table object, a table of property sets is displayed, such as ifTable, an object providing information about several interfaces sorted in rows with properties for each instance of an interface.

The following properties are shown for an object:

• Name — Name of the object as displayed in the MIB tree; for example, SNMPv2-MIB::sysName.0.

This is the format for displaying the name of an object. It contains the name of the MIB module that defines the object (SNMPv2-MIB, which defines the system group) and the object name itself (sysName).

The last part of the name is a .0 extension, the instance index: a scalar object has exactly one instance, which is always addressed as .0, whereas the rows of a table object carry their row index here.

• OID — OID of the object; for example, 1.3.6.1.2.1.1.5.0.

• Value — Value of the object, such as lupus. For the example used here, it means the name of the system running the McAfee Web Gateway software is lupus.

• Type — Type of the data providing the object value; for example, OCTET STRING.

• Description — Text describing the object, taken from the DESCRIPTION clause of the MIB module. For sysName it states that the value is a name assigned by the administrator to this managed node and that, if the name is unknown, the value is a zero-length string.
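The OID handling behind the MIB browser and the Allow Root OID fields, as an added example that is not part of the original guide or the product's code: it translates between the dotted-decimal and the name-chain form of an OID, and decides whether an object lies below a root OID the way a browse or an access restriction must (arc by arc, so that 1.3.6.10 is not mistaken for a child of 1.3.6.1). The name table is a constructed excerpt covering only the MIB-2 objects mentioned on this page; the set of instances is constructed as well.

```python
# Added example (not the product's MIB or code). Constructed excerpt of the
# MIB-2 naming tree, keyed by the OID prefix each name stands for.
MIB_NAMES = {
    (1,): "iso",
    (1, 3): "org",
    (1, 3, 6): "dod",
    (1, 3, 6, 1): "internet",
    (1, 3, 6, 1, 2): "mgmt",
    (1, 3, 6, 1, 2, 1): "mib-2",
    (1, 3, 6, 1, 2, 1, 1): "system",
    (1, 3, 6, 1, 2, 1, 1, 5): "sysName",
    (1, 3, 6, 1, 2, 1, 2): "interfaces",
    (1, 3, 6, 1, 2, 1, 2, 1): "ifNumber",
    (1, 3, 6, 1, 2, 1, 2, 2): "ifTable",
    (1, 3, 6, 1, 4): "private",
    (1, 3, 6, 1, 4, 1): "enterprises",
}

def parse_oid(text):
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0); rejects non-numeric arcs."""
    arcs = tuple(int(a) for a in text.strip().strip(".").split("."))
    if any(a < 0 for a in arcs):
        raise ValueError("negative arc in %s" % text)
    return arcs

def oid_to_name(oid):
    """Render an OID as a name chain; arcs without a known name stay numeric."""
    parts = []
    for i in range(1, len(oid) + 1):
        parts.append(MIB_NAMES.get(oid[:i], str(oid[i - 1])))
    return ".".join(parts)

def name_to_oid(name):
    """Inverse of oid_to_name for names in the table, e.g. '...system.sysName.0'."""
    by_name = {v: k for k, v in MIB_NAMES.items()}
    oid = ()
    for part in name.split("."):
        if part.isdigit():
            oid = oid + (int(part),)
        else:
            cand = by_name[part]
            if cand[:-1] != oid:
                raise ValueError("%s does not hang off %s" % (part, oid_to_name(oid) or "root"))
            oid = cand
    return oid

def in_subtree(oid, root):
    """True if oid is root itself or lies below it.

    Compared arc by arc: 1.3.6.10 is NOT under 1.3.6.1 although the string
    "1.3.6.10" starts with "1.3.6.1". A string prefix test gets this wrong.
    """
    return len(oid) >= len(root) and oid[:len(root)] == root

def browse(root, instances):
    """Instances the MIB browser would show for a root OID, in tree order."""
    r = parse_oid(root)
    return sorted(o for o in (parse_oid(x) for x in instances) if in_subtree(o, r))

# Constructed set of instances as an agent might expose them; the last one
# lies outside the internet subtree and must not appear for root 1.3.6.1.
SAMPLE_INSTANCES = [
    "1.3.6.1.2.1.1.5.0",
    "1.3.6.1.2.1.2.1.0",
    "1.3.6.1.4.1.1457.2.1.1.1.1.3",
    "1.3.6.10.1",
]

if __name__ == "__main__":
    for oid in browse("1.3.6.1", SAMPLE_INSTANCES):
        print(".".join(map(str, oid)), "=", oid_to_name(oid))
```

The same arc-wise comparison is what an "Allow Root OID" restriction must perform when it decides whether a request for a given object is inside the permitted subtree.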

ePolicy Orchestrator

The ePolicy Orchestrator options are invoked by clicking the corresponding button under Configuration. They are described in the upcoming section:

• ePolicy Orchestrator

ePolicy Orchestrator

The ePolicy Orchestrator tab looks like this:

There is the following section on this tab:

• Data Collection

Data Collection

Using this section, you can configure a collection of data that is performed to forward some dashboard and status information to an ePO server.

Upon installation of an ePO server plugin, an administrator account will be set up that allows login to McAfee Web Gateway as the user who requests the data. The account is enabled as soon as you enable this data collection feature, see below. The default password is webwasher; change it before enabling the account, since a default password printed in this guide is known to everyone. The data will be supplied by means of a previously configured XML structure.

Note: The ePO server plugin is available on the Webwasher Extranet, which is provided by McAfee. To access this location, you need a user name and password. After login, go from the Home page to Download > Beta Versions and download the ePO Server package. Alternatively, you can also download the plugin from another download area within McAfee. A number of configuration steps are then required to enable the integration of the ePO server plugin and McAfee Web Gateway, which was formerly known as Webwasher. Information on how to do this is provided in the online help of the ePO server and in an integration document in PDF format. First instructions on the topic can be found in the following document: Installing ePO Server and Configuring MWG, which can also be downloaded from the Beta Versions page of the Webwasher Extranet.

To enable the data collection, select the checkbox next to the section heading. After modifying this setting or the detailed settings explained below, click Apply Changes to make the modification effective.

Use the following items to configure details of the data collection:

• User that retrieves data — From this drop-down list, select the user who will log in to McAfee Web Gateway to retrieve the data for the ePO server.

• Data will be collected each ... minutes — In this input field, enter the time interval (in minutes) for collecting the data. The default interval is 60 minutes.

The next point in time that is scheduled for collecting data is also displayed.

Certificate management

The Certificate Management options are invoked by clicking the corresponding button under Configuration. They are described in the upcoming sections:

• Webwasher Root CA

• Private key handling

• Known Certificate Authorities

• Client certificates

Webwasher Root CA

The Webwasher Root CA tab looks like this:

There are two sections on this tab:

• Import Certificate Authority

• Generate New Certificate Authority

Import Certificate Authority

The Import Certificate Authority section looks like this:

Using this section, you can import an existing Certificate Authority (CA) for signing new certificates. You can also import the private key for this CA.

If you are importing a subordinate CA, you can also specify a chain file, which is a file providing information on the complete certificate chain that belongs to the CA. This information is sent to the client when the SSL handshake is performed.

Use the following input fields and buttons to import a certificate authority:

• Certificate — In this input field enter the certificate you want to import. To do this, browse for the certificate, which is contained in a *.pem file.

Make sure the certificate you are importing is base64-encoded.

• Private Key — In this input field enter the private key for the certificate. To do this, browse for the private key file, which is a *.pem file.

Make sure the private key you are importing is base64-encoded.

• Password — If the private key is protected by a password, you need to provide it here.

• Certificate Chain — Use this input field to specify a certificate chain, which is a file providing information on the complete certificate chain. To do this, browse for this file.

Make sure the file you are importing is base64-encoded.

• Import — After specifying the appropriate information in the input fields described above, click this button to import the CA.
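A check of the *.pem files before they are imported, as an added example that is not part of the original guide or the product's importer: it confirms that a file is base64 (PEM) armoured rather than binary DER, that every block decodes to one complete DER SEQUENCE, and counts the certificates and private keys it contains, so that a chain file for a subordinate CA can be verified to hold more than one certificate. The DER payloads used as samples are minimal constructed SEQUENCEs standing in for real certificates and keys; the helper that wraps them in PEM armour is part of the example.

```python
import base64
import binascii
import re

# Added example (not the product's own code). Matches one PEM block and
# captures its label and base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_length_ok(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length field
    matches the data present; a truncated or padded file fails this."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        body_len, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False           # indefinite or absurd length encoding
        body_len = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + body_len == len(der)

def inspect_pem(data):
    """Return {'certificates': n, 'private_keys': m, 'bad_blocks': [labels]}."""
    if data[:1] == b"\x30":
        raise ValueError("file starts with a DER tag: binary DER, not base64 PEM")
    blocks = PEM_RE.findall(data)
    if not blocks:
        raise ValueError("no PEM blocks found")
    summary = {"certificates": 0, "private_keys": 0, "bad_blocks": []}
    for label, body in blocks:
        label = label.decode()
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            summary["bad_blocks"].append(label)
            continue
        if not der_length_ok(der):
            summary["bad_blocks"].append(label)
            continue
        if label == "CERTIFICATE":
            summary["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            summary["private_keys"] += 1
    return summary

def pem_block(label, der):
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN " + label + b"-----\n" + lines + b"\n-----END " + label + b"-----\n"

# Constructed stand-ins: minimal DER SEQUENCEs, not real certificates or keys.
GOOD_DER = b"\x30\x03\x02\x01\x05"       # SEQUENCE { INTEGER 5 }
TRUNCATED_DER = b"\x30\x05\x02\x01\x05"  # header promises 5 body bytes, only 3 present
SAMPLE_CHAIN = pem_block(b"CERTIFICATE", GOOD_DER) * 2 + pem_block(b"RSA PRIVATE KEY", GOOD_DER)
SAMPLE_BROKEN = pem_block(b"CERTIFICATE", TRUNCATED_DER)

if __name__ == "__main__":
    print(inspect_pem(SAMPLE_CHAIN))
    print(inspect_pem(SAMPLE_BROKEN))
```

A chain file for a subordinate CA should report at least two certificates (the CA and every issuer up to the root), and the file given in the Private Key field should report one private key; a file rejected as binary DER has to be converted to PEM before the import.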

Generate New Certificate Authority

The Generate New Certificate Authority section looks like this:

Using this section, you can generate a new certificate authority.

The purpose of generating a new root CA (Certificate Authority) for McAfee Web Gateway is to have your own individual root CA containing correct data, rather than sharing a common root CA with other McAfee Web Gateway customers.

If you keep the shared root CA, anyone who has access to its private key, for example the administrator of another McAfee Web Gateway installation, can issue certificates that your clients trust and so decrypt their traffic.

Creating or importing a new CA will generate a new private key for the domain certificates.

To generate a new root CA, fill in the input fields provided in this section: Organization*, Organizational Unit, and so on. Input is mandatory for the fields marked with an * (asterisk).

Then click Generate to generate the new CA.

Private key handling

The Private Key Handling tab looks like this:

There are three sections on this tab:

• HSM Agent Setup

• Certificate Issuing Options

• Handshake Options

HSM Agent Setup

The HSM Agent Setup section looks like this:

Using this section, you can configure settings for the connections to one or more HSM (Hardware Security Module) Agents. Before you proceed with configuring these settings, make sure you have set up the HSM Agents in question.

Use the following items to configure settings for HSM Agent connections:

• HSM Agents — Enter the IP addresses or host names of the HSM Agents you have set up in this input field. The input format is as follows: ip[:port][;ip[:port]]

McAfee Web Gateway then tries to establish the connections, which will result in either a positive feedback or an error message.

• Use encrypted connections to HSM Agents — Make sure this option is enabled if you want to use SSL-secured communication with HSM Agents.

• Use client certificate to authenticate to HSM Agents — Make sure this option is enabled if you also want mutual (two-sided) authentication between an SSL scanner and an HSM Agent, so that the HSM Agent only serves scanners that present a known client certificate.

In this case you have to import the client certificate that was generated with the HSM Agent in question.

An input field is provided here, together with a button for searching a certificate.

The certificate file for an agent can be found in the SSL2/private folder. Its name is agentcertkey.pem.

Furthermore, there are two buttons for importing a certificate in different ways:

• Import client certificate — Click this button to import a client certificate on the current SSL Scanner node.

• Import and distribute client certificate — If the generated certificate is valid for all SSL scanner nodes, click this button to have it distributed on all of them. Otherwise, you need to import a node-specific client certificate on each SSL scanner node.

Note: If you are using client certificate authentication for HSM Agents in a McAfee Web Gateway cluster, you need to import a valid client certificate on each new SSL scanner node in case you extend the cluster.

Only in the simple case (one client certificate for all nodes) can this be done on the master instance by re-importing the existing certificate and checking this distributing option.

In the complex case, you need to import a certificate on each new node, using the web interface.

Certificate Issuing Options

The Certificate Issuing Options section looks like this:

Using this section, you can configure the signing of certificates.

You can move the private key of a CA to an HSM Agent for signing a certificate. Before configuring the ID of this key, make sure a connection to the HSM Agent has been set up.

Furthermore, you can import the CA, which is usually created by the HSM Agent, on the SSL scanner.

Use the following items to configure the signing of certificates:

• Signing operation of new server certificates will be done

• by this Webwasher instance — Enable this option to have the certificate signed by the current instance of McAfee Web Gateway.

• by remote service using HSM Agent with key — Enable this option to have the certificate signed by a remote service using the HSM Agent, so that the private key of the CA never leaves the HSM Agent.

To configure this option, a key ID must be entered in the input field provided here. Before enabling the option, import the certificate, see below.

• Certificates are valid for . . . days — Enter the number of days the certificates issued by this CA should be valid in the input field provided here. After the certificates have expired, the SSL scanner will issue them again if required.

This setting can be configured regardless of whether the current McAfee Web Gateway instance or the HSM Agent is used for signing a certificate.

Below this input field, another one is provided for searching and importing the certificate, using the Browse and Import root certificate buttons next to it.

Handshake Options

The Handshake Options section looks like this:

Using this section, you can configure where the decrypting step of the SSL handshake with the client, which requires the server's private key, is performed.

The private key needed for this can also be provided by the HSM Agent.

Before configuring the ID of the key in question, make sure a connection to the HSM Agent has been set up.

Use the following items to configure handshake decryption:

• Decrypting of handshake will be done

• by this Webwasher instance — Enable this option to have the handshake decrypted by the current instance of McAfee Web Gateway.

• by remote service using HSM Agent with key — Enable this option to have the handshake decrypted by a remote service using the HSM Agent. To configure this option, a key ID must be entered in the input field provided here.

• Send certificate chain in handshake — Enable this option to have the SSL scanner send the certificate chain to the client during the handshake.

Usually, the chain contains only the Webwasher CA. If the Webwasher CA is not self-signed, however, the chain contains all certificates up to the root CA, so that a client which trusts only that root can build the path without having the intermediate CA installed.

If you have rolled out the Webwasher CA certificate itself to the clients in your company, there is no need to send the chain.


Known Certificate Authorities

There are three sections on this tab:

• View Certificate Authority

• Known Certificate Authorities

• Automatic CRL URL Retrieval


View Certificate Authority

This section allows you to view information on the Certificate Authority (CA) that you selected in the Known Certificate Authorities section below.

Only one item of this information can be modified: the URL for CRL download.

The following information is provided here:

• Valid time span — Time span over which the CA is valid.

• URI for CRL download — URI (URL) from which the Certificate Revocation List (CRL) of this CA can be downloaded.

This information can be modified. To do this, type appropriate text in this field. Then click Modify at the bottom of the section.

• Number of revoked certificates — Number of certificates that have been issued and revoked by this CA.

The number of revoked certificates can only be displayed if it is known which URL to use for obtaining the CRL.

To provide this URL, you can either enter it or modify its entry in the URI for CRL download field, or enable the option for automatic URL retrieval.

The option for automatic URL retrieval is enabled in the Automatic CRL URL Retrieval section, which is also located on this tab.


Known Certificate Authorities

Using this section, you can view a list of known Certificate Authorities (CAs) and import new CAs, which are added to this list.

To import a new CA and add it to the list, use the following area:

• Add certificate(s) — The following items are provided here:

• Certificate(s) file — In this input field, enter the path to the certificate file for the CA you want to import, or click Browse next to the field to locate it.

Make sure the file is base64-encoded (PEM format). A binary DER file must be converted to PEM before it is imported.

• Import — After browsing to the certificate file, click this button to import it.

If the certificate file was imported successfully, a corresponding entry is added to the list displayed at the bottom of this section. To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and press Enter.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

Use the following items to perform other activities relating to the list:

• Filter — Type a filter expression in the input field provided here and press Enter. The list will then display only CAs matching the filter.

• View — To view a CA, click this icon in the same line of the list.


• Delete Selected — Select the CA you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one CA in one go.

To delete all CAs, select the Select all checkbox and click this button.

Automatic CRL URL Retrieval

It allows you to configure whether URLs for downloading CRLs (Certificate Revocation Lists) are stored automatically.

These URLs are taken from the CRL distribution point information of the vendor certificates and their issuing CA certificates when the certificate chain is inspected during the verification of a signature.

If you want to use this option, make sure the checkbox provided here is selected.

Note: A URL will not be overwritten if one has already been stored for a CA. If a CA moves its CRL to a new location, update the URI for CRL download field of that CA manually.

Client certificates

There is the following section on this tab:

• Client Certificates


Client Certificates

Using this section, you can add client certificates to the list of certificates. A private key and a passphrase must also be specified for each certificate.

When a server requests a client certificate during the SSL handshake, this list is searched for a certificate to present on the client's behalf.

To add a certificate to the list, use the area labeled:

• Add client certificate — Specify the certificate you want to enter in the list using the following input fields and button:

• Certificate file — Enter the name of the certificate file here, or click Browse next to this input field to locate it.

Make sure the certificate file you want to add is base64-encoded.

• Private key file — Enter the name of the private key file here, or click Browse next to this input field to locate it.

Make sure the private key file you want to add is base64-encoded.

• Passphrase — Enter a passphrase for the private key here.

• Import — After specifying the appropriate information in the input fields described above, click this button to import the certificate.

If the certificate was imported successfully, a corresponding entry is added to the list, which is displayed at the bottom of this section.
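Both the Known Certificate Authorities tab and the Client Certificates tab require base64-encoded (PEM) input, and the client certificate import also expects a passphrase-protected private key. The following is an added example, not code from the McAfee guide or the product, of a pre-flight check to run on a file before uploading it. It rejects binary DER, splits a bundle into its PEM blocks, verifies that each body is base64 whose decoded bytes form exactly one DER SEQUENCE, and flags private keys without passphrase protection. The sample bundle is constructed for the example: its bodies are minimal DER structures, not real certificates or keys.

```javascript
// Added example (not part of the McAfee guide): pre-flight check for PEM
// files before uploading them on the Known Certificate Authorities or
// Client Certificates tab. Runs under Node.js, no dependencies.

const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END \1-----/g;

// Return the total encoded length (tag + length bytes + content) of the DER
// SEQUENCE at the start of buf, or -1 if it is not a definite-length SEQUENCE.
function derTotalLength(buf) {
  if (buf.length < 2 || buf[0] !== 0x30) return -1;
  const first = buf[1];
  if (first < 0x80) return 2 + first;          // short form length
  const n = first & 0x7f;                      // long form: n length bytes follow
  if (n === 0 || n > 4 || buf.length < 2 + n) return -1;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[2 + i];
  return 2 + n + len;
}

function inspectBlock(label, raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  // RFC 7468 allows "Name: value" header lines before the body; legacy
  // PKCS#1 keys mark encryption with "Proc-Type: 4,ENCRYPTED".
  const headers = [];
  while (lines.length > 0 && /^[A-Za-z-]+:/.test(lines[0])) headers.push(lines.shift());
  const body = lines.join('');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
    return { label, ok: false, reason: 'body is not base64' };
  }
  const der = Buffer.from(body, 'base64');
  if (derTotalLength(der) !== der.length) {
    return { label, ok: false, reason: 'body does not decode to one DER SEQUENCE' };
  }
  const isKey = /PRIVATE KEY$/.test(label);
  const encrypted = label === 'ENCRYPTED PRIVATE KEY' ||
    headers.some((h) => /^Proc-Type:\s*4,ENCRYPTED$/.test(h));
  if (isKey && !encrypted) {
    return { label, ok: false, reason: 'private key is not passphrase-protected' };
  }
  return { label, ok: true, bytes: der.length, encrypted: isKey ? encrypted : null };
}

function inspectPemFile(buf) {
  // Binary DER starts with the SEQUENCE tag itself instead of a PEM armor line.
  if (buf.length > 0 && buf[0] === 0x30) {
    return { pem: false, blocks: [], reason: 'DER input; convert to PEM first' };
  }
  const text = buf.toString('utf8');
  const blocks = [];
  for (const m of text.matchAll(PEM_BLOCK)) blocks.push(inspectBlock(m[1], m[2]));
  if (blocks.length === 0) return { pem: false, blocks, reason: 'no PEM blocks found' };
  return { pem: true, blocks, reason: null };
}

// Constructed sample: a "certificate", an encrypted PKCS#1 key and an
// unencrypted one. "MAcCAQETAkNB" decodes to SEQUENCE { INTEGER 1,
// PrintableString "CA" }; it stands in for a real certificate body.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----',
  'MAcCAQETAkNB',
  '-----END CERTIFICATE-----',
  '-----BEGIN RSA PRIVATE KEY-----',
  'Proc-Type: 4,ENCRYPTED',
  'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF',
  '',
  'MAcCAQETAkNB',
  '-----END RSA PRIVATE KEY-----',
  '-----BEGIN RSA PRIVATE KEY-----',
  'MAcCAQETAkNB',
  '-----END RSA PRIVATE KEY-----',
].join('\n');

console.log(JSON.stringify(inspectPemFile(Buffer.from(SAMPLE_BUNDLE)), null, 2));
```

Run the file with Node.js; the third block of the sample is reported as not passphrase-protected, which is exactly the key you do not want to upload together with a passphrase field left empty. The DER length check catches files whose base64 body was truncated or had extra bytes appended during copy and paste.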

DNS cache

The DNS Cache options are invoked by clicking the corresponding button under Configuration.

If you want to enable any of these options, you also need to select the checkbox that is on this button. Then click Apply Changes to make this setting effective.

The options are described in the upcoming section:

• DNS cache


DNS cache

There are two sections on this tab:

• DNS Caching

• Flush DNS Cache

DNS Caching

Using this section, you can configure how long the results of DNS (Domain Name System) lookups are kept in the McAfee Web Gateway cache.

After modifying this setting, click Apply Changes to make the modification effective.

Use the following input field to configure the caching time:

• Time to live for DNS entries: . . . sec. — Enter the time (in seconds) that DNS entries should be kept in the cache. The default is 3600 seconds. A long caching time saves lookups but delays the gateway's view of DNS changes, such as a server moved to a new address, by up to this period; use Flush DNS Cache to force a refresh.


Flush DNS Cache

It allows you to remove all entries for requests to a Domain Name Server (DNS) from the McAfee Web Gateway cache.

Use the following button to do this:

• Flush DNS Cache — Click this button to perform the flushing of DNS entries.

File management

The File Management options are invoked by clicking the corresponding button under Configuration.

The options are described in the upcoming sections:

• Configuration data

• Error files

• Share folder

• Proxy PAC

• Mobile web filter


Configuration data

There are two sections on this tab:

• Backup Configuration

• Restore Configuration

Backup Configuration

Using this section, you can create and download a configuration backup. You can include additional data in the download, such as the user database, the progressive lockout data, or the Welcome Page data.

Apart from the data mentioned, a configuration backup contains only configuration files. It does not contain statistics or log files, which need to be stored separately. Because the backup holds the complete gateway configuration and, if selected, the user database, store and transfer it with the same care as credentials.

Furthermore, the backup file created here is not meant to be sent to the support team for troubleshooting.

When contacting the support team, please use the feedback script that is provided for this purpose.


Use the following input fields and button for your backup activities:

• Include User Database — If you want to include this database, make sure this checkbox is selected.

The checkbox is selected by default.

• Include Progressive lock-out data — To include this data, select this checkbox.

• Include Welcome Page data — To include this data, select this checkbox. The checkbox is selected by default.

• Download Configuration Backup — After specifying the appropriate information, click this button to create and download the backup file.

This is a single file containing all configuration files in compressed form.

Restore Configuration

Using this section, you can restore a McAfee Web Gateway configuration that was previously backed up and stored.

Use the following input field and buttons for restoring:

• Restore configuration from file — To restore a previously saved configuration, click the Browse button next to this input field and select the desired file or enter the complete path leading to the file.

Then click Restore.

Restoring a configuration does not overwrite any configuration files immediately. For this to happen, you have to restart McAfee Web Gateway manually.

Note: A configuration backup can only be restored on the same machine it was created on.


Error files

There is the following section on this tab:

• Manage Error Templates

Manage Error Templates

This section allows you to manage the error templates used by McAfee Web Gateway. You can download templates from the corresponding McAfee Web Gateway folder and upload them from an external location.

This may be useful if you want to modify templates in order to adapt them to your corporate standards.

Use the following items to perform the download or upload:

• Download all (tar.gz) — Click this button to download all error templates.

The templates are stored in the conf/errors folder of the McAfee Web Gateway installation directory.

If you are using error templates in different languages, they will be stored in subfolders with corresponding language short names, such as en, fr, de, etc.

The download will provide a file in tar.gz format.

• Upload error files from — In this input field, enter the path and file name of the error templates to upload, or browse to the file by clicking Browse next to this field.

Then click Upload to perform the upload.


Share folder

There is the following section on this tab:

• Manage Share Folder

Manage Share Folder

This section allows you to manage the files in the McAfee Web Gateway share folder. You can download files from this folder and upload files to it from an external location.

This may be useful if you want to modify files in order to adapt them to your corporate standards.

Use the following items to perform the download or upload of shared files:

• Download all (tar.gz) — Click this button to download all files from the share folder.

The files are stored in the lib/files folder of the McAfee Web Gateway installation directory under UNIX and in the bin\files folder of the same directory under Windows.

The download will provide a file in tar.gz format.

• Upload files from — In this input field, enter the path and file name of the file to upload to the share folder, or browse to it by clicking Browse next to the field.

Then click Upload to perform the upload.


Proxy PAC

There is the following section on this tab:

• Client Configuration

Client Configuration

Using this section, you can upload a proxy.pac file to enable central administration of your proxy configuration. You can also configure the length of time that a proxy.pac file should be stored on a client.

Proxy Automatic Configuration is a proxy mode where the proxy configuration is described in a file using JavaScript, called a PAC file, with .pac as file extension.

The file is maintained by the network administrator and requires no user updating (hence "automatic"). As a browser user, you only need a URL provided by your administrator.

Proxy Automatic Configuration has two advantages over normal configurations:

• Network-based .pac files are centrally administered and easy to update. Network administrators usually share the .pac files via HTTP.

If there are server changes or network outages, the .pac file can be changed, and your browser configuration will be automatically updated when the new .pac file is loaded.

• You can use complicated network environments with a single configuration. PAC has support for load balancing and failover.

All current browsers can use .pac files. The JavaScript in a .pac file can make decisions based on the URL being requested and the IP address of the browser, and return which proxy should handle the request and which proxies should be used as alternatives.
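As an added example of the load balancing and failover described above (not a file from the McAfee guide or shipped with the product), the following PAC file sends internal destinations DIRECT, spreads everything else over two gateways by hashing the destination host, and names the other gateway as fallback. The host names, networks, gateway addresses and proxy port are assumptions for illustration; check your own Proxies configuration for the real listener port. Browsers supply isPlainHostName, dnsDomainIs, isInNet and shExpMatch; minimal stand-ins are defined so the file can also be exercised under Node.js.

```javascript
// Added example PAC file; not from the McAfee guide. Host names, networks and
// the gateway addresses/port below are assumptions for illustration.
// The four helpers are stand-ins for the functions every browser provides.

function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

function dnsDomainIs(host, domain) {
  // domain is given with a leading dot, e.g. ".corp.example.com"
  return host.length > domain.length && host.slice(-domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run of characters, "?" one character.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
  return re.test(str);
}

function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInNet(host, net, mask) {
  // A browser resolves host first; this stand-in only accepts dotted IPv4.
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function hashHost(host) {
  // Stable hash so the same destination always prefers the same gateway.
  let h = 0;
  for (let i = 0; i < host.length; i++) h = (h * 31 + host.charCodeAt(i)) >>> 0;
  return h;
}

// Assumed gateway addresses; 9090 is an assumed listener port.
const GATEWAYS = ['gw1.corp.example.com:9090', 'gw2.corp.example.com:9090'];

function FindProxyForURL(url, host) {
  // Internal destinations bypass the gateway: plain names, the corporate
  // domain, an internal pattern and RFC 1918 space used inside the company.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, '.corp.example.com') ||
      shExpMatch(host, '*.internal.example.net') ||
      isInNet(host, '10.0.0.0', '255.0.0.0')) {
    return 'DIRECT';
  }
  // Load balancing with failover: the hash picks a primary gateway per
  // destination and the other gateway is the fallback. Deliberately no
  // trailing "; DIRECT": if both gateways are down the browser must fail
  // closed rather than silently bypass the filter.
  const primary = hashHost(host) % GATEWAYS.length;
  const secondary = (primary + 1) % GATEWAYS.length;
  return 'PROXY ' + GATEWAYS[primary] + '; PROXY ' + GATEWAYS[secondary];
}
```

The one design choice worth repeating: a PAC file that ends its external rule with "; DIRECT" turns every gateway outage into an unfiltered connection. Leave it out, and make the outage visible instead.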

One method of ensuring that browsers can find the central proxy .pac file is the WPAD (Web Proxy Autodiscovery Protocol) standard.


This standard defines two alternative ways for the administrator to publish the location of a proxy configuration file: DHCP (Dynamic Host Configuration Protocol) and DNS (Domain Name System).

Before fetching its first page, a web browser implementing the WPAD method sends the local DHCP server a DHCPINFORM query and uses the URL from the WPAD option (DHCP option 252) in the server's reply.

If the DHCP server does not provide the desired information, DNS is used.

So, if the network name of a user's system is pc.department.branch.example.com, the browser will try the following URLs in turn until it finds a proxy configuration file:

• http://wpad.department.branch.example.com/wpad.dat

• http://wpad.branch.example.com/wpad.dat

• http://wpad.example.com/wpad.dat

• http://wpad.com/wpad.dat

Note: These are examples and not live URLs. A WPAD client must stop before the top-level domain, so the last URL above must never actually be requested: the host wpad.com is not under your control, and whoever controls a wpad host at any domain your clients walk up to can hand them an arbitrary PAC file. The same applies to public suffixes such as co.uk. Make sure a wpad host exists in your own domain so that the walk ends there.
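The DNS walk described above, as an added example that is not part of the McAfee guide: the DHCP-supplied URL wins, otherwise the client strips one label at a time from its own name and stops before the top-level domain. STOP_SUFFIXES is a tiny, assumed stand-in for the public suffix list that a real client should consult.

```javascript
// Added example; not from the McAfee guide. Reproduces the WPAD discovery
// order: DHCP option 252 first, then a DNS walk that stops before the
// top-level domain and before known public suffixes.

// Assumed stand-in for the public suffix list.
const STOP_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

function isStopDomain(domain) {
  // A single label is a top-level domain; otherwise consult the suffix list.
  return !domain.includes('.') || STOP_SUFFIXES.has(domain);
}

function wpadCandidates(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  const urls = [];
  // Drop the host's own label, then try each parent domain in turn until the
  // walk would leave the organization's own name space.
  for (let i = 1; i < labels.length; i++) {
    const domain = labels.slice(i).join('.');
    if (isStopDomain(domain)) break;
    urls.push('http://wpad.' + domain + '/wpad.dat');
  }
  return urls;
}

function wpadDiscoveryOrder(hostname, dhcpOption252) {
  // The DHCPINFORM result takes precedence; DNS is only the fallback.
  return dhcpOption252 ? [dhcpOption252] : wpadCandidates(hostname);
}

console.log(wpadDiscoveryOrder('pc.department.branch.example.com', ''));
```

For the host name used in the guide the walk yields three URLs and never reaches wpad.com; for a host under example.co.uk it yields only wpad.example.co.uk, because a wpad host at co.uk would belong to a stranger.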

If you want to make use of the proxy .pac file method, click the link provided in this section to access a proxy .pac file, or use the following items to upload one:

• Upload proxy.pac from ... — In this input field, enter the path and file name for the proxy .pac file. You can either type this information or click Browse to browse to a location where a proxy .pac file is stored.

• Upload files from — After specifying a proxy .pac file in the input field, click this button to upload it.

To configure the maximum amount of time that a proxy.pac file should remain stored on a client, use the following input field:

• Clients should store proxy.pac only for . . . seconds — Enter a time length (in seconds) here. The default length is 3600 seconds.


Mobile web filter

There are three sections on this tab:

• Policy TTL

• Add Policy

• View Policies

Policy TTL

Using this section, you can configure how long clients should store the Mobile Web Filter policy files that were downloaded from the McAfee Web Gateway server.

These files can be accessed via http[s]://<IP address used to access Webwasher> /mwf?name= <name of the policy file>.

For <name of the policy file>, you need to enter the ID that was specified when uploading the file, see the Add Policy section.

On the McAfee Web Gateway server, the files are stored in the conf\mwf subfolder, which is created during the installation of McAfee Web Gateway.

After modifying this setting, click Apply Changes to make the modification effective.


Use the following input field to configure the time that policy files should be stored:

• Clients should store their policy files for . . . seconds — Enter the time (in seconds) here. The default value is 3600 seconds.

Add Policy

Using this section, you can upload a Mobile Web Filter policy file containing filter policy settings for use on the clients to the McAfee Web Gateway server.

On this server, these files are stored in the conf\mwf subfolder, which is created during the installation of McAfee Web Gateway.

Use the following items to do this:

• Upload policy file — Click Browse next to this input field to browse to the policy file you want to upload.

• Policy ID — In this input field, enter an ID for the policy file. This ID is used for accessing the policy file, see the URL syntax described in the Policy TTL section above.

• Upload — After specifying the appropriate information in the input fields above, click this button to perform the upload.

View Policies

This section displays a list of the Mobile Web Filter policy files that have been uploaded to the McAfee Web Gateway server.

Note that these files contain filter policy settings that were configured for use on the clients, not the settings that are usually configured under McAfee Web Gateway.

To view or upload a file, click its name and select the corresponding option from the menu, which is then displayed.

To delete a file, click the icon preceding its name.


Action editor

The Action Editor options are invoked by clicking the corresponding button under Configuration.

The Action Editor is provided for configuring actions of your own, which can be used in addition to the pre-configured actions McAfee Web Gateway is shipped with.

These are also known as built-in actions. To view a list of the built-in actions, click the question mark above the tabs.

The options of the Action Editor are described in the upcoming sections:

• Action Editor

• Notifications

Furthermore, there is a description of the Action Definition tab. This tab is provided for configuring further the settings of an action that has been newly created and for editing existing user-configured actions:

• Action definition

Action Editor

There is the following section on this tab:

• Actions


Actions

Using this section, you can configure your own actions and add them to the list of built-in actions, which are the actions McAfee Web Gateway was shipped with. You can also edit actions you have previously configured yourself.

Note: To make any of the settings you configure here effective, you need to restart McAfee Web Gateway manually.

The actions can in turn be configured for the various filters of McAfee Web Gateway, and are executed when a filter applies.

To view a list of the built-in actions, click the question mark above the tab. The list is also provided in the Built-in actions section of the chapter on Actions in the McAfee Web Gateway Reference Guide.

In the upper part of this section, a list is displayed of the actions that have been configured by users so far.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and press Enter.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To edit an action, click Edit next to it. This will take you to the Action Definition tab, where you can modify the settings of the action. The tab is described in the next subsection.

Use the following items to perform other activities relating to the list:

• Filter — Type a filtering term in this input field and press Enter. The list will then display only entries matching the filter.

• Delete Selected — Select the entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

To configure a new action use the following items at the bottom of the section:

• Create New — After clicking this button, a NewAction entry is displayed in the list of user-configured actions.

Continue the configuration of the new action by clicking Edit next to it.

This will take you to the Action Definition tab, where you can modify the settings of the action. The tab is described in the next subsection.

• Create New From Existing — This button allows you to use an existing action as starting point for configuring a new action. A drop-down list showing all built-in and user-configured actions is also provided.

To use one of these actions as starting point, select it and click the button. Another entry will then be added to the list named <existing action> New.

To continue the configuration of this action, click Edit as described above.


Notifications

There is the following section on this tab:

• Notification Recipients

Notification Recipients

Using this section, you can configure the recipients of e-mail notifications. You can also configure the settings of the notification server and send test e-mails.

These settings will apply only under a particular policy. Select this policy from the drop-down list above the section.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure notifications:

• Recipient for general notifications — In this input field, type the e-mail address of the recipient that notifications should be sent to on general occasions.

• Recipient for virus notifications — In this input field, type the e-mail address of the recipient that notifications should be sent to if a virus threat has occurred.

• Postmaster addresses — In this input field, type one or more e-mail addresses for notifications to the postmaster.

• Edit Notification Mail Server — Click this button to open a window where you can configure the settings of the mail server that is used for sending notifications.

For a description of this window, see the System Notifications subsection of the Notifications section under E-mail gateway.

• Send Test Messages — After configuring the notification settings, click this button to send test e-mail messages.


Action definition

At the top of the tab, there is a link that takes you back to the Actions tab.

Furthermore, there is the following section on this tab:

• Action Definition

A sample procedure for configuring an action is also described here:

• Configuring an action for dropping e-mails

This is followed by a subsection that lists and briefly describes the parameters that can be configured with an action:

• Parameter List

Action Definition

Using this section, you can configure the settings of a newly created action or edit the settings of an already existing user-configured action.

You can specify or edit the name of the action and also what should be executed for this action with regard to Web and e-mail traffic. Furthermore, you can configure a number of additional action parameters.

Note: To make any of the settings you configure here effective, you need to restart McAfee Web Gateway manually.

The action settings are entered in a special configuration file. For more information about this file, see the section on this file in the Actions chapter of the Reference Guide.

A sample procedure for a user-configured action is described in the next subsection.


Use the following items to configure an action:

• Name of Action — Use this input field to specify or edit the name of an action.

• Web Action — From this drop-down list, select the activity that should be performed for web traffic as part of this action.

• Email Action — From this drop-down list, select the activity that should be performed for e-mail traffic as part of this action.

• Apply Above Changes — After specifying the appropriate information, click this button to make your settings effective.

In the lower part of the section, a list is displayed showing the parameters that have been configured for the action so far. A short description of the parameters that are available here is given in the Parameter List subsection further below.

Next to each parameter name, the current parameter value is shown in brackets if it is not too long.

Caution: Only non-default parameters are shown here. If you set the value of a parameter to its default, it will disappear from the list.

Use the following items to delete or edit list entries:

• Delete Selected — Select the entry you wish to delete by selecting the checkbox in the Select column next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

• Edit Selected — Select the entry you wish to edit by selecting the checkbox in the Select column next to it and click this button, or just click the parameter name.

This will take you to the Action Parameter tab for that particular parameter, where you can modify its settings.

After completing the modification, you are returned to the Action Definition tab and the changed settings are shown in the parameter list of the action you are currently configuring.

To add a parameter to the list for an action, use the following items at the bottom of the section:

• Parameters — From the drop-down list provided here, select a parameter you want to configure for an action.

• Add — After selecting a parameter, click this button. This will take you to the Action Parameter tab for that particular parameter, where you can configure its settings.

Upon completion of these configuration activities, you are returned to the Action Definition tab and the parameter in question is added to the parameter list of the action you are currently configuring.

Configuring an action for dropping e-mails

The following is a sample procedure for a user-configured action. The action drops an e-mail if the corresponding filter applies and sends a notification to the sender of the e-mail.

The first steps of this procedure have already been performed on the Actions tab. There, you clicked Create New and Edit, which took you to the Action Definition page.

Now continue with the following steps:

1 In the Name of Action input field, edit the name of the action. So far it is NewAction. Enter Drop Mail and Notify Sender as action name.

2 From the Web Action drop-down list, select Block as the action that is to be executed if the filter applies.

3 From the Email Action drop-down list, select Drop.

4 Click Apply Above Changes to make these initial settings effective.


5 This step and the following are performed to configure the parameters of the action.

In most cases, it is a good idea to begin with specifying a value for the Protocol Selection parameter. This will determine the type of communication the action is configured for, such as web or e-mail communication.

Select Protocol Selection from the Parameter drop-down list and click Add. This takes you to the Action Parameter tab, where you can further configure the parameter settings.

6 In the Action Parameter section of that tab, select Email from the Protocol drop-down list and click Apply Changes or Go Back.

This takes you back to the Action Definition tab, where you can continue with adding another parameter to the action.

On this tab, you will also see the Protocol Selection parameter you have just added as an entry in the Parameter List.

The value you configured for this parameter, such as Email, is displayed in brackets after the parameter name.

7 Continue with configuring the Filter Selection parameter. It is used to determine the filters that the action is intended for.

Accordingly, the action will only be displayed for selection in drop-down lists on the web pages that are used for configuring these filters.

Select Filter Selection from the Parameter drop-down list and click Add. This takes you to the corresponding Action Parameter tab.

8 In the Action Parameter section of that tab, enter the word Spam to specify the spam filter.

Then click Apply Changes and Go Back. This takes you back to the Action Definition tab, where you can continue with adding another parameter to the action.

9 Continue with configuring the Notify parameter. Under this parameter, you specify who should be notified and what the notification should look like.

Select Notify from the Parameter drop-down list and click Add. This takes you to the corresponding Action Parameter tab.

10 In the Action Parameter section of that tab, there is another section embedded, which is labeled Add Element. Specify the values for the Notify parameter using the input fields and the drop-down list provided in the embedded section:

• Template Name — This input field is used to enter the name of the template file that is to appear as a notification. It is entered without an extension.

The template file must have been created before and stored in a folder under the McAfee Web Gateway program files. On a Windows platform, this would be the conf\errors folder.

Enter emailblocked as template name.

• Email Subject — This input field is used to enter the text that is to appear as the subject line of the notification.

Enter The mail has been blocked as subject line.

• Recipient — This input field is used to enter the recipient of the notification.

Variables can be entered here.

Enter %sender as recipient. The notification will then be sent to the sender of the e-mail that was blocked.

• Option String - This drop-down list provides a number of options for activities that will be performed together with the notification, including the blocked mail or its header with the notification.

Select All as an option. This will cause all available activities to be performed.

11 After specifying the settings for the parameter as described above, click Add in the embedded section.

The values specified in this section are now displayed further below in a list labeled List of Notify Elements.

12 Click Apply Changes and Go Back. This takes you back to the Action Definition tab.

You will see the Notify parameter added to the Parameter List, but no values are displayed due to their complexity.

This completes the configuration of the Drop Mail and Notify Sender sample action.

In order to make it available for configuring the filter you specified, such as the spam filter, you need to restart McAfee Web Gateway manually.

Parameter List

The following list provides short descriptions of the parameters that can be configured with an action:

Parameter               Meaning
Custom Headers          Add customized header to HTTP/SMTP message
Custom Logs             Write to customized log file
Custom Meta Headers     Add customized meta header to ICAP message
Custom Parameters       Add customized parameters to transaction
Delay (SMTP)            Delay e-mail
Email Footer            Add footer to e-mail
Email Header            Add header to e-mail
Error Template          Use specific error template
Filter Anti Selection   Specify where not to show action in web interface
Filter Selection        Specify where to show action in web interface
HTTP-Error              Change code number for HTTP error
Notify                  Send notification messages
Notify-Gateway          Use non-standard gateway for notifications
Progressive Lock-out    Lock out user for increasing time intervals
Protocol Selection      Show for Web/e-mail only in web interface
Queue-Copy              Write copy of e-mail to queue
Quota                   Use time and/or volume quota
Redirect URL            Redirect to other URL
Severity                Change default severity of action
Sleep                   Delay action by “sleeping” interval
Subject-Prefix          Insert string at beginning of subject
Syslog                  Write to system log file
Time Scheme Name        Apply time scheme to action
Trap Event              Send SNMP trap message
Warning Template        Add coaching/quota template

Wizards

The McAfee Web Gateway wizards are provided to assist you in completing a number of configuration tasks. They are invoked by clicking the corresponding button under Configuration.

Each wizard is provided under a tab of its own. The wizards are briefly described in the upcoming sections:

• Reporting configuration

• Spam filter setup

• LDAP configuration

Reporting configuration

The Reporting Configuration tab looks like this:

The Reporting Configuration Wizard, which you can work with using this tab, simplifies the process of configuring live reports and log files.

After answering either Yes or No to the questions listed, click Configure. Your answers will be processed and the results will be listed as either unchanged or updated.

Authentication is required to be able to work with this wizard. This means that you have to submit two passwords after clicking Configure.

Spam filter setup

The Spam Filter Setup tab looks like this:

The Spam Filter Setup Wizard, which you can work with using this and the following tabs, will assist you in configuring the SMTP gateway for maximum protection against spam.

There are 8 steps to the configuration procedure. Click the question marks on this and the following tabs to display help information about the settings for each step.

After specifying the appropriate settings for a step, click Save and Continue at the bottom of the tab to proceed to the next step.

LDAP configuration

The LDAP Configuration tab looks like this:

The LDAP Configuration Wizard, which you can work with using this and the following tabs, will assist you in configuring the LDAP settings used for authentication and policy mapping.

There are four kinds of LDAP configuration tasks that are assisted by this wizard:

• LDAP authentication at the HTTP proxy

• LDAP authentication at the ICAP server

• LDAP authentication at the SMTP gateway

• LDAP synchronisation with the User Database

The number of steps needed depends on the configuration task you select. Click the question marks on this and the following tabs to display help information about the settings for each step.

After specifying the appropriate settings for a step, click Continue at the bottom of the tab to proceed to the next step.

Maintenance

The Maintenance options are invoked by clicking the corresponding button under Configuration.

Note: These options are only available for appliance versions of McAfee Web Gateway.

They are described in the upcoming section:

• Address space defragmentation

Address space defragmentation

The Address Space Defragmentation tab looks like this:

There is the following section on this tab:

• Address Space Defragmentation

Address Space Defragmentation

Long-running processes with dynamic memory allocations and deallocations end up with a fragmented address space after some time. Even when free memory is available, the used memory blocks are scattered over the entire address space, dividing the available memory into smaller contiguous blocks.

With ongoing fragmentation, the probability of successfully allocating a contiguous block of a given size decreases. The Address Space Defragmentation feature tries to defragment the address space so that memory-intensive tasks such as engine updates and some filters do not fail.

Address Space Defragmentation makes the services that are usually delivered by McAfee Web Gateway unavailable for a short period of time. You can configure a preferred time window, during which your appliance is most likely not under load, for performing this maintenance task.

After specifying the appropriate settings here, click Apply Changes to make them effective.

Use the following items to configure address space defragmentation:

• Check for Address Space Fragmentation every ... — Select a specific weekday on which McAfee Web Gateway should check for address space fragmentation.

• Try to perform Address Space Defragmentation between ... — Select a timeframe during which McAfee Web Gateway should check for address space fragmentation. The time values must be entered in 24-hour format as HH:MM, for example, 20:00 for 8:00 PM.

• Enforce Address Space Defragmentation during configured period — Normally, McAfee Web Gateway will only run defragmentation if address fragmentation reaches a given threshold, depending on the current load on the appliance. With this setting, you can force McAfee Web Gateway to run defragmentation once during the configured period.

If McAfee Web Gateway cannot find a suitable point for running the defragmentation process, this setting will have it run at the end of the configured period.

Debugging

The Debugging options are invoked by clicking the corresponding button under Configuration. They are described in the upcoming sections:

• Debugging

• Tracing

• Adjust filter list

• Analyse object filtering

• E-mail troubleshooting

Debugging

The Debugging tab looks like this:

There are four sections on this tab:

• Exception Logging

• SSL Debug Logging

• SMTP Debug Logging

• Notify on Termination

Exception Logging

The Exception Logging section looks like this:

Using this section, you can provide a method for tracing McAfee Web Gateway. When an exception occurs, exception logging writes these (thrown) exceptions to the exception log file.

Note that this is a time- and bandwidth-consuming feature. You should therefore only enable it after consulting the McAfee Web Gateway support team.

To enable exception logging, select the checkbox next to the section heading.

Then click Apply Changes to make this setting effective.

SSL Debug Logging

The SSL Debug Logging section looks like this:

Using this section, you can configure SSL debug logging. The logging data is written in the ssl/log folder. You can select a level of detail for the logging process.

After selecting a level, click Apply Changes to make this setting effective.

Use the following drop-down list to configure SSL debug logging:

• Level of detail — Select the level of detail for the SSL debug logging here. There are five levels, ranging from no logging to verbose logging.

SMTP Debug Logging

The SMTP Debug Logging section looks like this:

Using this section, you can configure SMTP debug logging. The logging data is written in the SMTP debug log file. You can select a level of detail for the logging process.

After selecting a level, click Apply Changes to make this setting effective.

Use the following drop-down list to configure SMTP debug logging:

• Level of detail — Select the level of detail for the SMTP debug logging here. There are seven levels, ranging from no logging to extremely verbose logging.

Notify on Termination

The section labeled Notify On Termination looks like this:

Using this section, you can configure a notification to be sent to an administrator upon unexpected program termination.

The activities that are performed if this notification is enabled include sending an e-mail as well as an SNMP trap notification to the administrator and filing a syslog entry.

To enable the notification, make sure the checkbox next to the section heading is selected. The checkbox is selected by default.

After modifying this setting, click Apply Changes to make the modification effective.

Tracing

The Tracing tab looks like this:

There is the following section on this tab:

• Connection Tracing

Connection Tracing

Using this section, you can trace the connections used for communication with McAfee Web Gateway. Since this is a time-consuming and data-intensive feature, however, you should configure it only after consulting the McAfee Web Gateway support team.

To enable the feature, select the checkbox next to the section heading. After specifying this setting or the setting for the single source IP in this section, click Apply Changes to make these settings effective.

You can also restrict the tracing process to one single source IP. To do this, use the following input field:

• Trace connection only for source IP — Enter the IP address for the connection you want to trace here. Also make sure that the checkbox provided in this field is selected.

To view a list of the traced connections, click the list of traced connections link provided below the input field. The list will be displayed in a separate browser window.

Adjust filter list

The Adjust Filter List tab looks like this:

When configuring settings on this tab, you need to specify the policy these settings are relating to. To do this, select a policy from the drop-down list at the top of the tab.

Furthermore, there is the following section on this tab:

• Filter Tracing

Filter Tracing

Using this section, you can trace the activities performed by any of the McAfee Web Gateway filters. Since this feature uses a large amount of operating memory and disk space, it should be turned on only as part of a diagnostic procedure and turned off promptly when it is no longer required.

The filter tracing folder is the filters directory under logs in the McAfee Web Gateway program files. If an object is blocked, the reason why it was blocked is also written to the log file.

Use the items in the following area to configure filter tracing:

• Select a filter — Select a filter from the drop-down list provided here in order to add it to the list of filters you want to retrieve tracing information for.

If you want detailed information on this filter, select the Print filter details checkbox after selecting the filter.

Furthermore, use the following items:

• Add Filter — After specifying the appropriate information, click this button to add a filter to the tracing list.

• Add All Filters — Click this button to add all filters to the list that are available within McAfee Web Gateway and can be traced.

If you want detailed information on all these filters, select the Print details for all filters checkbox before clicking the button.

• Delete All Filters — Click this button to delete all filters on the tracing list.

The filter tracing list is displayed at the bottom of this section.

To display only a particular number of list entries at a time, type this number in the input field labeled Number of entries per page and enter it using the Enter key of your keyboard.

If the number of entries is higher than this number, the remaining entries are shown on successive pages. A page indicator is then displayed, where you can select a particular page by clicking the appropriate arrow symbols.

To activate or deactivate tracing or the Print details function for a particular filter, select or clear the corresponding checkboxes.

Then click Apply Changes to make these settings effective. You can edit more than one filter entry and make your settings effective in one go.

Use the following items to perform other activities relating to the list:

• Filter — Type a filtering term in this input field and enter it using the Enter key of your keyboard. The list will then display only entries matching the filter.

• Delete Selected — Select an entry you wish to delete by selecting the Select checkbox next to it and click this button. You can delete more than one entry in one go.

To delete all entries, select the Select all checkbox and click this button.

Analyse object filtering

The Analyse Object Filtering tab looks like this:

There is the following section on this tab:

• Analyse Object Filtering

Analyse Object Filtering

This section allows you to trace and analyze the filtering that was performed by McAfee Web Gateway for a particular object.

Use the following items to analyse the filtering of an object:

• URL — In this input field, enter the URL of the object you want to trace filtering for.

• Select policy — From the drop-down list provided here, select the policy that the settings of this section relate to.

• Use next hops — Select this checkbox if you want to use next-hop proxy servers for the tracing.

Specify this proxy server in the following input fields:

• Analyse Filtering — After specifying the appropriate information, click this button to perform the filtering analysis for the object in question.

• Rotate Filter Log — Click this button to renew the content of the log file and remove older entries from it.

E-mail troubleshooting

The E-Mail Troubleshooting tab looks like this:

Caution: The actions and settings provided in these sections affect the e-mail gateway directly and are applied immediately without further warning or confirmation.

They should therefore only be used under the guidance of the McAfee Web Gateway support team, as incorrect usage may result in loss of e-mail or other unwanted behaviour.

There are two sections on this tab:

• SMTP Gateway

• Queues

SMTP Gateway

The SMTP Gateway section looks like this:

It displays the status of the SMTP Gateway and allows you to suspend and resume this gateway.

The following information on the gateway status is provided:

• Status — Status of the gateway, such as Running.

• Mode — Mode the gateway is running in, such as Normal.

Use the following buttons to change the gateway status:

• Suspend Gateway — Click this button to suspend the gateway.

• Resume Gateway — Click this button to let the gateway resume its activities after being suspended.

Queues

The Queues section looks like this:

This section allows you to manage the e-mail queues maintained by McAfee Web Gateway.

A list of the e-mail queues is shown in this section. The meaning and usage of its columns is as follows:

• Queue Name — Name of an e-mail queue, such as Inbound, Infected, etc.

• Actions — This column provides the following action buttons:

  • Reset delayed — Click this button to reset a queue.

  • Drop Mails — Click this button to drop all e-mails in a queue.

  • Disable Accept — Click this button to disable the acceptance of e-mails for a queue.

    This is a toggle button. After clicking it for disabling e-mail acceptance, it reads Enable Accept and can be used for enabling it.

  • Disable Processing — Click this button to have no more e-mails processed in a queue.

    This is a toggle button. After clicking it for disabling e-mail processing, it reads Enable Processing and can be used for enabling it.

• View — This column provides the following links:

  • Entries — Click this link to view the entries in a queue.

  • Performance — Click this link to view performance data related to a queue.

LDAP

The LDAP options are invoked by clicking the corresponding button under Configuration. They are described in the upcoming section:

• LDAP

LDAP

The LDAP tab looks like this:

There are two sections on this tab:

• Connection Options

• LDAP Certificate File

Furthermore, a sample procedure is provided for setting up an SSL-secured connection to an LDAP server:

• Setting up secure LDAP

Connection Options

The Connection Options section looks like this:

Using this section, you can configure the settings for the connection to the LDAP server that is used when the LDAP method is applied in order to authenticate users.

Use the following items to do this:

• Enable LDAPv3 support — Select this checkbox if you want to use version 3 of the LDAP protocol for handling the traffic on the connection to the LDAP server.

This version offers an improved recognition of encodings used for authentication credentials.

• Don’t follow referrals — Select this checkbox to prevent McAfee Web Gateway from sending an LDAP request to another server when the required information could not be found on the LDAP server the request was originally sent to.

In this case, the original LDAP server might send McAfee Web Gateway a reference to another server where the required information may be found.

The required information can be the authentication of a user or other LDAP information, such as on group membership.

If the checkbox is not selected, McAfee Web Gateway will send a request to another server when referred to it by the original server.

• Print unhandled errors into errors.log — Select this checkbox to print errors into the errors.log file that have been left unhandled because they are of an unknown type and no method of handling them is available.

• Print handled errors into errors.log — Select this checkbox to print errors into the errors.log file that are of a known type and could therefore be handled.

• List of handled errors to print — In this input field, enter the error type numbers for the handled errors that you want to print into the errors.log file. Only errors with the numbers listed here will then be printed. Separate list entries by commas.

• Search limit in seconds — In this input field, enter the time (in seconds) that should not be exceeded when a search is performed on the LDAP server for information needed to authenticate a user, or for other information, such as group membership information.

The default time is 5 seconds.

• Live-check in minutes — In this input field, enter the time (in minutes) that should elapse before McAfee Web Gateway sends another live-check message to the LDAP server to see whether the LDAP server has closed the connection.

If this is so, McAfee Web Gateway re-opens it and sends authentication requests as required.

Otherwise, if the connection is found to be still open, or the timeout has not yet elapsed, McAfee Web Gateway sends authentication requests immediately. The default timeout is 5 minutes.

• Default local client charset — In this input field, enter the charset clients should use by default for encoding user names and passwords they send in requests to McAfee Web Gateway.

If these strings contain characters from the extended ASCII charset, as is the case with French, German or Japanese names, LDAPv3 requires that McAfee Web Gateway converts them to UTF-8 before sending them to the LDAP server.

In order to be able to do this, McAfee Web Gateway needs to know the source encoding that is used on the clients. By default, ISO-8859-1 is used there, unless you specify a different charset here.

LDAP Certificate File

The LDAP Certificate File section looks like this:

Using this section, you can import an LDAP server certificate for communication over an SSL-secured (LDAP-S) connection between McAfee Web Gateway and an LDAP server.

The LDAP server certificate may be a single certificate contained in a .txt file, or a chain of certificates may have been issued for the server. In that case, you need to import the whole chain, contained in a .txt file with one certificate entered after another.

Note: This section cannot be used to import certificates for authenticating clients, which are sometimes also submitted in LDAP-S communication.

Use the following items to import an LDAP server certificate file:

• Certificate(s) file — In this input field enter the name of the file you want to import. Type the name or browse to where the file is located within your file system, using the Browse button next to the field.

Make sure the file contains only base64-encoded certificates.

• Import — After entering the file name into the input field above, click this button to import the file.

Setting up secure LDAP

The following is a sample procedure to set up Secure LDAP for McAfee Web Gateway, which means there will be an SSL-secured connection for the traffic going on between McAfee Web Gateway and the LDAP server. A short form for referring to Secure LDAP is LDAP-S.

Note that you need to enable the Enable LDAPv3 support option described above, in order to be able to complete this procedure.

On the LDAP server, two different methods may be used for maintaining and providing information about users and user groups: an Active Directory may be installed there, or the server may be configured as an OpenLDAP server.

Descriptions are given here for both types of servers. Furthermore, it is described how to create the LDAP client and server certificates that are needed for the SSL-secured communication.

The individual steps of the procedure are grouped into four sections:

• Setting up an Active Directory to support LDAP-S

• Creating an LDAP server certificate

• Creating an LDAP client certificate

• Setting up a secure connection to an OpenLDAP server

Setting up an Active Directory to support LDAP-S

1 Make the Active Directory capable of handling LDAP-S. To do this, install the required Microsoft Windows components, which are Certificate Services and Internet Information Services (IIS):

• Under Microsoft Windows, open the Add or Remove Programs window.

• Use the Windows Component Wizard to select Certificate Services and Internet Information Services (IIS). Click OK after selecting each of them.

• Navigate to Internet Information Services > ... (Name of the local computer) > Web Sites > Default Web Site.

• Make sure you have Certsrv installed. Otherwise install it, using the Windows Components Wizard once again.

2 The LDAP-S connection has now been set up. To verify that it is really working, proceed as follows:

• Using the Run window, enter the ldp command and click OK. This will open the ldp page.

Note: The ldp command is not included in a default installation of the Active Directory, so you need to install it additionally from the Support folder of the Microsoft Windows CD.

• In the Connect window, enter the fully qualified name of the LDAP server, the port number, and select the SSL checkbox. Then click OK.

Note: The default port number is 636.

3 Bind to the administrator — In the Bind window, enter a user name and password, select the Domain checkbox, and enter the domain name in the input field next to it. Then click OK.

4 You should now see a number of messages displayed, showing that the LDAP-S connection is working and an administrator has been bound to it.

Another method to verify that the LDAP-S connection is working may be used under Linux or another Unix system with openssl installed. Enter the following command:

openssl s_client -connect YOUR_LDAP_SERVER:636 -showcerts

where the port number is the one you configured in Step 2.

5 Create a text file for storing the certificate keys that will be used as source for the LDAP library functions within McAfee Web Gateway. Give it a name with .lst as extension, such as keys.lst.

When you have successfully tested the LDAP-S connection as described in Step 4, copy the certificate that is provided by the server into this text file.

Later on, more certificates will be added here, an LDAP server certificate and, if the server requires that the client submits a certificate, an LDAP client certificate, too.

How to create these certificates is described in the next two sections.
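The s_client check in Step 4 and the copy-into-keys.lst step in Step 5 (the same append step recurs at the end of the next two sections) can be scripted. The following is an added example, not code from the McAfee guide: it takes saved output of openssl s_client -showcerts, extracts the certificate blocks, rejects blocks that are not certificates, and appends only those not already present in keys.lst. The function names and the sample output are constructed for this example.

```python
import base64
import re

# Constructed sample of `openssl s_client -connect YOUR_LDAP_SERVER:636 -showcerts`
# output; the certificate bodies are placeholders, not real certificates.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN = testsystem.testnet.webwasher.com
   i:CN = testnet-CA
-----BEGIN CERTIFICATE-----
MIIBAAAA
-----END CERTIFICATE-----
 1 s:CN = testnet-CA
   i:CN = testnet-CA
-----BEGIN CERTIFICATE-----
MIICAAAA
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.S)


def extract_certs(text):
    """PEM certificates found in s_client or keys.lst text, in order. A block
    whose body is not base64 of a DER SEQUENCE (first byte 0x30) is skipped."""
    certs = []
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":
            certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                         % body.strip())
    return certs


def merge_into_store(store_text, s_client_output):
    """Append the server's certificates that are not yet in the keys.lst text
    (compared by DER content); return (new store text, number added)."""
    def der_of(pem):
        return base64.b64decode("".join(pem.splitlines()[1:-1]))
    seen = {der_of(c) for c in extract_certs(store_text)}
    added = 0
    for pem in extract_certs(s_client_output):
        if der_of(pem) not in seen:
            store_text += pem
            seen.add(der_of(pem))
            added += 1
    return store_text, added
```

Running the check again after a certificate renewal adds only the certificate that changed, so keys.lst keeps one copy of each certificate.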

Creating an LDAP server certificate

1 Browse to the Active Directory Web Server using the following address:

https://127.0.0.1/certsrv/Default.asp

2 Click Download a CA certificate, certificate chain, or CRL.

3 On the page that is then displayed, click Download CA certificate chain.

4 When asked whether to save the downloaded certificate chain file, which is in p7b format, click Save and save it within your file system.

5 On the Linux system or on another Unix system with openssl installed, change the format of the file from p7b to pem.

Use a command like the following to do this: openssl pkcs7 -inform DER -in certnew.p7b -print_certs -text -out filep7b.pem

Page 365: Web Gateway 6.9 System Configuration Guide - McAfee · PDF file2 McAfee Web Gateway System Configuration 6.9 ... Relay protection ... 202 Client Domain Black

McAfee Web Gateway System Configuration 6.9 Administration Guide 365

ConfigurationLDAP

6 Open the .pem file, copy the certificate it contains and append it to the content of the text file you created for storing the certificates, such as keys.lst, see also Step 5 of the previous section.

7 In the McAfee Web Gateway web interface, go to the LDAP tab under Configuration > LDAP.

8 In the LDAP Certificate File section, browse to the location of the file containing the certificate keys, such as keys.lst, and click Import to import it into McAfee Web Gateway.

Creating an LDAP client certificate

1 If the LDAP server requires that the client submits a certificate, you need to create one.

On a Linux system or another Unix system with openssl installed, enter a command to begin generating a certificate.

The command could look like this: openssl genrsa 1024 > certfile.key where certfile is an example of the file name.

2 Create a certificate signing request, a file with the csr extension, from the key: openssl req -new -key certfile.key > certfile.csr

3 Enter the information that is needed for generating the certificate as follows:

• Country Name — DE

• State or Province Name — North Rhine-Westphalia

• Locality Name — Paderborn

• Organization Name — Secure Computing Corporation

• Organizational Unit Name — System Test

• Common Name — testsystem.testnet.webwasher.com

• Leave other fields, such as Email Address, empty, or enter information there as required.

4 After the certfile.csr has been generated, open it and copy its content to your buffer ("cut and paste").

5 Browse to the certsrv page that is provided under Microsoft Windows using the following address: https://127.0.0.1/certsrv/

6 Click Request a certificate, and on the pages that are then displayed, click advanced certificate request and then Submit a certificate request by using a base64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base64-encoded PKCS #7 file.

7 In the Saved Request window of the page you reached through the latter link, insert the content of the certificate file that you stored in your buffer in Step 4.

8 When asked whether to save this file, which is in cer format, click Save and save it within your file system.

9 On the Linux system or on another Unix system with openssl installed, change the format of the new certificate file from cer to pem.

Use a command like the following to do this: openssl x509 -in certfilenew.cer -inform DER -out certfile.pem -outform PEM

10 Open the certfile.pem, copy the certificate it contains and append it to the content of the text file you created for storing the certificates, such as keys.lst, see also Step 5 of the first section.

11 Import this file, such as keys.lst, into McAfee Web Gateway, using the LDAP Certificate File section of the LDAP tab under Configuration > LDAP, as described in Step 7 and Step 8 of the previous section.


Setting up a secure connection to an OpenLDAP server

1 Download the distribution of the server software you want to use from the OpenLDAP Web site and install it on your system, such as on a Debian Linux system, or a Kubuntu or Ubuntu Linux system.

Use the following command to do this: apt-get install slapd ldap-utils

Then follow the instructions you are given.

2 At one point, you will be asked a number of questions to create your self-signed certificate. Enter the appropriate information when prompted.

When asked for the Common Name, be sure to enter the fully qualified domain name you are using for the LDAP server.

To set up the certificate, use commands like the following:

sudo mkdir /etc/ldap/ssl
cd /etc/ldap/ssl

sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

Note: The self-signed certificate has been set here to be valid for 10 years. Adjust this as required by setting the -days parameter accordingly. The Common Name entry, whose prompt reads Common Name (eg, YOUR name) []:, must be set to the server name, such as testsystem.testnet.webwasher.com.

The other entries may be left at their default settings. Just press Enter when prompted.

3 Modify the settings required for the LDAP-S configuration:

a Edit the slapd.conf file, which is located in the /etc/ldap folder. After editing, the relevant part of the file should look like this:

# SSL:

TLSCipherSuite HIGH:MEDIUM:SSLv2

TLSCACertificateFile /etc/ldap/ssl/server.pem

TLSCertificateFile /etc/ldap/ssl/server.pem

TLSCertificateKeyFile /etc/ldap/ssl/server.pem

b Edit the initial parameter settings, which are stored under /etc/default/slapd.conf.

The relevant part of the configuration file looks like this:

# slapd normally serves ldap only on all TCP-ports 389.

# slapd can also service requests on TCP-port 636 (ldaps)

# and requests via unix sockets

# Example usage:

#SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

SLAPD_SERVICES="ldaps://YOUR_LDAP_SERVER/"

Replace YOUR_LDAP_SERVER by the fully qualified domain name matching the Common Name that was also configured when creating the self-signed certificate, such as testsystem.testnet.webwasher.com.

Furthermore, make sure YOUR_LDAP_SERVER resolves to 127.0.0.1, otherwise there might be problems down the road.

4 Restart the LDAP server with: sudo /etc/init.d/slapd restart

5 A good test to see if the server is running correctly would again be: openssl s_client -connect YOUR_LDAP_SERVER:636 -showcerts

Note: The debug mode is quite helpful for installation and troubleshooting of an LDAP server when an SSL-secured connection has been set up for it.


To implement this mode, stop the server with: /etc/init.d/slapd stop

Then restart it with: slapd -d 16383 -h ldaps://YOUR_LDAP_SERVER:636

This will create a lot of debug output indicating problems.

Note: It is not recommended to use this command and create the debug output when running the server in production mode.

6 If a client certificate is needed on the LDAP server, create one in the same way as for the Active Directory, see the previous section.

You can copy the certificate for the LDAP server, which is stored under /etc/ldap/ssl/server.pem, and insert it in the text file that was created for the certificate keys and stored under /opt/webwashercsm/keys.lst, see also Step 10 of the previous section.

7 Add information about users, groups, etc. to the server database, as it is usually done in LDAP configuration.

The database is located at /var/lib/ldap/ and can be filled using the ldapadd command. This command takes ldif files as parameters, which should contain all necessary information about the LDAP directory.

The following is an example of an ldif file:

dn: o=testnet
objectClass: organization
o: testnet

dn: cn=admin,o=testnet
objectClass: person
cn: admin
sn: x
description: "administration account"

dn: ou=atlanta,o=testnet
objectClass: organizationalUnit
ou: atlanta

dn: ou=miami,o=testnet
objectClass: organizationalUnit
ou: miami

dn: cn=sandra,ou=atlanta,o=testnet
objectClass: inetOrgPerson
uid: sandra
sn: x
cn: sandra
userPassword: 123
mail: [email protected]
employeeType: vip

Use the following command to create this directory structure on the LDAP server:

ldapadd -h 127.0.0.1 -x -f testnet.ldif -W -D "cn=admin, o=testnet"

8 Edit some more settings in the configuration file stored under /etc/ldap/slapd.conf:

suffix "o=testnet"
rootdn "cn=admin,o=testnet"
rootpw *******

and:

access to *
  by dn="cn=admin,o=testnet" write
  by * read

9 Make the LDAP directory structure known to McAfee Web Gateway.

To do this, go to the Authentication tab under Proxies > HTTP Proxy, and in the Authentication Process section, click Define Proxy Authentication Options.

This will open a window, where you need to enter the following settings in the LDAP Authentication section:

LDAP server(s): ldaps://testsystem.testnet.webwasher.com

Username for Webwasher to log into LDAP server: cn=admin,o=testnet

Webwasher’s password: *******

Base DN to user object: ou=atlanta,o=testnet

UID attribute name: cn


10 Restart the LDAP server.

The administrator should now be granted sufficient rights, and the user sandra should be able to authenticate with password 123.


ConfigurationNTLM

NTLM

The NTLM options are invoked by clicking the corresponding button under Configuration. They are described in the upcoming section:

• NTLM

NTLM

The NTLM tab looks like this:

There is the following section on this tab:

• NTLM Global Options

NTLM Global Options

Using this section, you can configure global options for NTLM authentication.

Note: Some of these options are only available if McAfee Web Gateway is running on a Linux or Solaris operating system.

After specifying the appropriate settings, click Apply Changes to make them effective.

Use the following items to configure global options for NTLM authentication:

• Enable NTLM cache — Select this checkbox to enable use of the NTLM cache.

This allows Webwasher to reduce load on the domain controller by storing authenticated user credentials in an internal cache. The NTLM cache should not be enabled, however, when several users share the same IP address, for example, when using a Citrix server.

• NTLM cache TTL (seconds) — Enter the time (in seconds) here that a user name from a cached IP address should be trusted. The default time is 30 seconds.


• NTLM Agent operation timeout (seconds) — Enter the time (in seconds) here that McAfee Web Gateway should wait for a reply from the NTLM Agent before it assumes that the connection is broken. The default time is 15 seconds.

Settings for the following options will be valid under Linux and Solaris only:

• Default local client charset — Enter the charset here that should be used by default to convert user credentials containing national characters to Unicode.

• Default prefix for invalid group IDs — Enter a prefix here that McAfee Web Gateway may use by default to compose a group name for invalid group IDs. This name will be a concatenation of the prefix specified here and the invalid user ID in question.

This may be required because lists of user groups sometimes return orphan IDs that cannot be resolved to group names. If you do not enter a prefix here, these IDs will be skipped by McAfee Web Gateway.

• NTLM request timeout — Enter the time here that McAfee Web Gateway should wait for a reply from the domain controller before it assumes that the connection is broken.

• SRV record TTL — Enter a value here to specify how often McAfee Web Gateway should retrieve a list of domain controllers from the DNS server when it needs to establish a new connection.

• Trusted domains list TTL — Enter a value here to specify how often McAfee Web Gateway should retrieve a list of trusted domains from the connected domain controller.


700-3126B00