McAfee Web Gateway

The current documentation is based on McAfee Web Gateway version 7.7.

Prerequisites

  • McAfee Web Gateway is installed and the license is activated.
  • Nullafi Shield ICAP service is started and configured (with backing configuration and activity databases, and Web Management Console).

Configure McAfee Web Gateway to use Shield ICAP server

  1. In your browser, navigate to the McAfee Web Gateway user interface. By default, it is accessible at http://<IP address>:4711 or https://<IP address>:4712. The default user/password combination is admin/webgateway.
  2. Choose Policy.
  3. Under the Rule Sets tab, select Add → Rule Set from Library...

  4. Select ICAP Client → ICAP Client from the rule set list and click OK.

  5. Select the newly created ICAP Client under Rule Sets and click Edit... next to ReqMod server.

  6. In the Edit List (ICAP Server) window, under List content, double-click the first item. In the new Edit ICAP Server window, change the URI to that of the Shield instance. It should look like icap://<Shield hostname or IP>:<ICAP port>/reqmod. Click OK to close the Edit ICAP Server window, then click OK again to close the ReqMod server editor window.

  7. Repeat steps 5-6 to set the RespMod server. The URI for the Shield ICAP server should be icap://<Shield hostname or IP>:<ICAP port>/respmod.
  8. After everything is configured, click Save Changes in the top-right corner. McAfee is now configured to use Shield.

Enabling SSL Scanner

If you want to inspect the content of HTTPS connections, enable SSL Scanner in McAfee Web Gateway.

  1. In your browser, navigate to the McAfee Web Gateway user interface. By default, it is accessible at http://<IP address>:4711 or https://<IP address>:4712. The default user/password combination is admin/webgateway.
  2. Choose Policy.
  3. Under Rule Sets, select the SSL Scanner rule, which is disabled by default.

  4. Check the Enable option and click Save Changes. McAfee is now configured to decrypt HTTPS traffic and send it to the Shield ICAP server unencrypted.

Troubleshooting

  • To use the McAfee Web Console, you need to enable Java in your browser and add the Web Console's URL to the trusted sites in Java Config.
  • If browsers show notifications or web pages stop working after you enable SSL Scanner, download the SSL certificate used by Web Gateway and install it in your browser. You can get the certificate under Policy → Settings → SSL Client Context with CA → Default CA. Click Export... next to Certificate Authority and import the created file into your browser's trusted root certificates.