Setup Guide Revision C. McAfee SaaS Web Protection Service

Transcription

1 Setup Guide Revision C McAfee SaaS Web Protection Service

2 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee SaaS Web Protection Service Setup Guide

3 Contents 1 Introduction 5 Requirements Setting up SaaS Web Protection Service 7 Determining Web Protection authentication Add users to Account Management (explicit user or transparent authentication) Add user details for McAfee Client Proxy WDS Connector (transparent authentication) Download WDS Connector Proxy configuration 11 Configure a static proxy setting in your browser Configure a static proxy on all your computers using Group Policy Lock down your proxy Auto-configure the Mozilla.cfg file through a login script Creating a Proxy Automatic Configuration or Web Proxy Auto-Detect file Set up WPAD Configure DNS for a WPAD script Set up a web server to use a PAC or WPAD file Basic WPAD or PAC file example Common configuration issues 21 Check a hard-coded proxy setting first Check all configurations are in lowercase Set up policy sets 25 Forensics Optimizing the WDS Connector for larger installations 27 Configure the proxy for large numbers of clients McAfee SaaS Web Protection Service Setup Guide 3

4 Contents 4 McAfee SaaS Web Protection Service Setup Guide

5 1 1 Introduction McAfee SaaS Web Protection Service provides real-time protection against web-borne threats and inappropriate content at the network perimeter before they can enter the internal network. The browser traffic for users is redirected to the SaaS Web Protection Service. As each request for web content is received, the SaaS Web Protection Service checks the content against defined policies and, if enabled, checks for known worms and viruses. Only the content that does not violate those policies and is clean of known threats is returned to the user. You can enable or disable specific web content policies in the Control Console, the comprehensive graphical interface into the SaaS Web Protection Service. Requirements After defining your Web filtering policies via your Control Console, Web Protection will redirect company Web traffic to a proxy server to initiate protections. The following must be completed prior to using the Web Protection Service: Subscribe to Web Protection Create a customer Create a domain You may want to consider implementing the Directory Integration feature within Account Management prior to using WDS Connector. In this way, you greatly increase the likelihood that user addresses in Active Directory match the addresses in the Control Console. For information regarding supported environments for Web Protection, see the latest release notes. McAfee SaaS Web Protection Service Setup Guide 5

6 1 Introduction Requirements 6 McAfee SaaS Web Protection Service Setup Guide

7 2 Setting 2 up SaaS Web Protection Service The SaaS Web Protection Service (Web Protection) stops threats before they reach the corporate network. After the Web Protection filtering policies are defined, web traffic must be redirected to a proxy server and protection then is initiated. Systematically, end-user web sessions are also filtered by Web Protection to block viruses and spyware before they reach the network, if the threat service was purchased. Contents Determining Web Protection authentication Add users to Account Management (explicit user or transparent authentication) Add user details for McAfee Client Proxy WDS Connector (transparent authentication) Determining Web Protection authentication The Access Controls window allows you to define the manner in which users are authenticated when accessing the web. For example, you can register a list of accepted IP addresses for your organization. Choose from one of the four mechanisms provided that allow you into the Web Protection system.: More than one authentication can be used in conjunction, if needed. IP address range authentication Advantages: No user logon required No passwords need to be maintained for users No software to install Can be deployed at the edge of the network using routing Disadvantages: Group policies cannot be applied (all users have one policy) No individual reporting, all reporting is grouped by the external IP address Explicit user authentication Advantages: McAfee SaaS Web Protection Service Setup Guide 7

8 2 Setting up SaaS Web Protection Service Determining Web Protection authentication Group policies can be applied (different users can have different policies) Individual reporting on a per-user basis No software to install Disadvantages: Requires users to log on once-per-browser session Passwords must be maintained and/or authenticated against corporate server Transparent authentication (WDS Connector) When using the WDS Connector, there are several best practices that are recommended. In most instances, McAfee recommends that the WDS Connector be on a dedicated server. While this is not a requirement for smaller customers, a dedicated server minimizes the likelihood that other process will interfere with WDS Connector. McAfee recommends uninstalling or disabling non-essential software from the server where the WDS Connector is installed. Advantages: No user logon required No passwords maintenance for users in the Web Protection system Group policies can be applied (different users can have different policies) Individual reporting on a per-user basis Disadvantages: Requires software to be installed on the corporate infrastructure Requires Active Directory and NTLM authentication to recognize users Requires that each user has an address in Active Directory that matches a corresponding address in the Control Console Requires that users log on to the domain interactively Requires all browser traffic to route through the WDS Connector McAfee Client Proxy (MCP) The McAfee Client Proxy is a Windows agent that seamlessly redirects HTTP and HTTPS traffic to the SaaS Web Protection servers. McAfee Client Proxy can be configured to: Always redirect for constant protection from the cloud Redirect when the user is off the corporate network, for roaming protection The McAfee Client Proxy passes to the cloud encrypted information relating to the individual user, group membership for the users, and customer account details. The system automatically identifies the user, the group, or the customer, to apply the appropriate policy. Advantages: No user login required No passwords maintenance for users in the Web Protection system Group policies can be applied (different users can have different policies) 8 McAfee SaaS Web Protection Service Setup Guide

9 Setting up SaaS Web Protection Service Add users to Account Management (explicit user or transparent authentication) 2 Individual reporting on a per-user basis Can be configured to prevent disabling the agent Work at the network level for all browsers and any other HTTP or HTTPS request Disadvantages: Windows support only Requires deployment to the endpoint (desktop or laptop) English language only Add users to Account Management (explicit user or transparent authentication) Account Management is a set of administrative screens you use to configure and manage, in a single location, the entities in the Web Protection Service. This is an option for McAfee Client Proxy. These entities include: Domains Users Other administrators, including other customer administrators, domain administrators, quarantine managers, and reports managers In addition, you use Account Management to administer groups of users that share a common filtering policy. To set up the users who will be using Web Protection Services, download the Account Management Administration Guide and follow the instructions. 1 Go to 2 Log on if required. 3 Click Reference Materials. 4 Click Account Management Administration Guide. Add user details for McAfee Client Proxy The McAfee Client Proxy can be used without defining user names. The Control Console maps user names with the Windows domain/user name information provided by the McAfee Client Proxy. The Control Console provides a utility to map user names to the users created. Task 1 Start Web Protection Policies McAfee Client Proxy Policies. 2 Click MCP User Identification Utility This utility automatically maps the user names in Active Directory to the accounts in the Control Console. If no user name information is provided, the McAfee Client Proxy utility uses group or customer specific information, to determine the policy, to use for filtering. McAfee SaaS Web Protection Service Setup Guide 9

10 2 Setting up SaaS Web Protection Service WDS Connector (transparent authentication) WDS Connector (transparent authentication) The WDS Connector SM, which is an enhancement to SaaS Web Protection Service (Web Protection), allows users to access the web through the Web Protection using existing local network domain credentials. This capability, sometimes known as transparent authentication, eliminates the need for Web Protection to authenticate a user each time they open a browser. Instead, Web Protection validates the user automatically whenever the user opens a browser. Administrators of the Web Protection service can continue to apply group policies to users, as well as track individual web usage, threats, and more. Download WDS Connector Download the WDS Connector software so you can install the software and start using the WDS Connector. Task 1 Click the Web Protection Setup tab. 2 Click the WDS Connector link. 3 Click Download WDS Connector to download and install the WDS Connector software. If you accessed the Control Console from the Windows server that you are using as the WDS Connector proxy server, you can run installation of the sofware when you download it. In this case, click Run when the first installer window appears. If you access the Control Console from a computer other than the WDS Connector proxy server, you must save the software to a USB drive, a CD, or some other means, transfer the software to the WDS Connector proxy server, then install the software. 10 McAfee SaaS Web Protection Service Setup Guide

11 3 Proxy 3 configuration After configuring Web Protection, you will need to configure your clients to use the proxy. There are four main ways of doing this: Manually configure clients to point to Web Protection and/or the WDS Connector using Internet Explorer or Firefox s proxy settings. This is an effective way of locking down the computers to point to Web Protection. However, the main issue with this setup is that it is not very flexible, so it is only recommended for small sites or sites where the majority of users are on desktops, not laptops. Also, any configuration of the local computer opens up the possibility that the user will reverse this configuration after the IT person walks away. Also discussed is how to lock down Internet Explorer and Firefox so the user cannot easily change or remove the proxy settings. Finally, you can use Group Policy to hard-code your users proxies and remove their ability to change them. Use a Proxy Auto Configuration file (PAC file) to script how a user s web browser will find and use web proxies on your network. Manually configuring clients to be hard-coded to a proxy is very problematic for users on a laptop, as that proxy is not available unless they are on the company network, either through a wired connection or VPN. A PAC file allows you to fix this issue by controlling where the browser will go for proxy information and possibly ignoring the proxy and going directly to the Internet when the proxy cannot be found. Another advantage to using PAC files is that you can define what will be proxied and what won t. For instance, while general web browsing is typically better sent through Web Protection, you might not want your critical web based applications to be funneled through a proxy. With a PAC file, you can add some intelligence to how the user s browser decides to route traffic. The Web Proxy Auto-Detect Protocol (WPAD) so that little to no changes are necessary on the client, but rather the browser uses the Automatically Detect setting to look for your configuration file on a web server. If it can t find the WPAD settings or server, the browser quickly adjusts and goes directly to the Internet. This setting is by far the easiest on the client, but is more intense for the systems administrator because it includes configuring web, DHCP, and DNS servers. Thankfully the format of the WPAD.DAT file is identical to the PAC file and we provide examples that you can copy and paste as needed in this section. If you use McAfee Client Proxy, the configuration policy for McAfee Client Proxy determines how and where the traffic is redirected. For more information, see the McAfee Client Proxy documentation on the Control Console under Web Protection Setup McAfee Client Proxy. Tasks Configure a static proxy setting in your browser on page 12 Hard-coding the Internet Explorer or Firefox settings works fine for small sites, and sites where the computers are mostly desktops. However, this setting does not work well for users on laptops that work locally and remotely as they will not have access to the Internet if they cannot get to the proxy server. Also, there is no intelligent routing or failover should the proxy be unreachable. Contents Configure a static proxy setting in your browser Configure a static proxy on all your computers using Group Policy McAfee SaaS Web Protection Service Setup Guide 11

12 3 Proxy configuration Configure a static proxy setting in your browser Configure a static proxy setting in your browser Hard-coding the Internet Explorer or Firefox settings works fine for small sites, and sites where the computers are mostly desktops. However, this setting does not work well for users on laptops that work locally and remotely as they will not have access to the Internet if they cannot get to the proxy server. Also, there is no intelligent routing or failover should the proxy be unreachable. Before you begin This configuration assumes that the client and server are not configured to block port 3128 and/or port Task 1 Start Internet Explorer. 2 Click Tools Options. 3 Click the Connections tab. 4 Click LAN Settings. 5 Select Use a proxy server for your LAN. If you are using the WDS Connector: a Enter the fully qualified domain name (preferred) or DNS resolvable server name of the server where the WDS Connector is installed. b In the Port field, enter Enter the proxy entry provided in the Activation Kit you received from provisioning. 7 in the Port field, enter Select Bypass proxy server for local addresses. When you are finished, the proxy server should look like the following example: where proxy server is the name of the server you installed in the WDS Connector. McAfee recommends using a fully qualified domain name like proxyserver.yourdomain.com instead of just a server name. 9 Click the Connections tab. If you have entries in the Dial up and Virtual Private Network settings, you need to configure the entries for the proxy as well. a Select the VPN setting, you want to configure, and click Settings. b Select Use a proxy server for this connection. 10 If you are using the WDS Connector: a Enter the fully qualified domain name (preferred) or DNS resolvable server name of the server where the WDS Connector is installed. b In the Port field, enter If you are not using the WDS Connector, McAfee recommends you select Bypass proxy server for local addresses. Enter the proxy provided in your Activation Kit. 12 In the Port field, enter port McAfee SaaS Web Protection Service Setup Guide

13 Proxy configuration Configure a static proxy on all your computers using Group Policy 3 Configure a static proxy on all your computers using Group Policy It is possible to configure all the machines in your Microsoft domain to have a hard-coded proxy setting by using Group Policy. A Group Policy-based solution for Firefox is currently not available. If you run GPEDIT.MSC on your local computer, you are editing your local computer's policy. If you run it through Active Directory Users and Computers or Group Policy Management you are editing the Group Policy on your domain controller for your entire domain. Either way, be careful! Lock down your proxy Instead of requiring all of your users to individually configure their proxy settings, you can implement a Group Policy on a Windows-based computer for Internet Explorer only. Task 1 From the Start menu, select Run. The Local Group Policy Editor dialog box appears 2 Enter gpedit.msc and click OK. The Group Policy window appears. 3 In the left pane, select User Configuration Windows Settings Internet Explorer Maintenance Connection. 4 In the right-pane, double-click the Proxy Settings option. The Proxy Settings dialog box appears. 5 Select Enable proxy settings. 6 In the HTTP field, enter the proxy server address found in your welcome letter. If you are provisioned on portal.mcafeesaas.com, use <yourdomainhere.com>.web01.mxlogic.net If you are provisioned on console.mcafeesaas.com, use <yourdomainhere.com>.web02.mxlogic.net Edit <yourdomainhere.com> so that it is specific to your organization. 7 In the Port field, enter Bypass the web proxy server. a In the Exceptions box, enter addresses of websites for which traffic must not be filtered. You can enter partial domains or IP addresses, such as *.yourdomain.com;10.*; *. Each entry should be separated by a semicolon.. b c Ensure that Do not use proxy server for local (intranet) addresses is selected. Click OK. McAfee Web Protection Service proxy servers cannot connect to servers on your organization s private corporate network (LAN). To access these private websites, you must bypass the proxy server. McAfee SaaS Web Protection Service Setup Guide 13

14 3 Proxy configuration Configure a static proxy on all your computers using Group Policy Auto-configure the Mozilla.cfg file through a login script This is one of many ways you could choose to deliver this file and edit the all.js file through a login script. The login script first checks to see if Firefox is installed, then it checks for the Mozilla.cfg file. If Firefox is installed but the Mozilla.cfg file does not exist, it copies in the file and edits the all.js file by adding a new line, then adding the pref command to the all.js file so it knows to look to the Mozilla.cfg file. Everything this script does is written to a log file so you know the full details regarding whether the install was successful. There is no impact to the user. The next time they close and open the browser, they will be locked to your proxy config. Task 1 Copy the Mozilla.cfg file to a shared drive that all users can access on your network (read only). 2 Edit your login script as follows: Don t forget to change \\server\share to your server and share name. :: Firefox Proxy Config file drop and all.js adjustment GOTO Check :Check :: First check to see if Firefox is installed, then see if the config file is there IF NOT EXIST "C:\Program Files\Mozilla Firefox" GOTO Lognofirefox IF NOT EXIST "C:\Program Files\Mozilla Firefox\mozilla.cfg" GOTO Update IF NOT EXIST "C:\Program Files\Mozilla Firefox\mozilla.cfg" GOTO Update GOTO Logalreadyinstalled GOTO End :Update :: Drop the config file and adjust all.js copy \\server\share\mozilla.cfg C:\Program Files\Mozilla Firefox :: ::Create a new line at the bottom of the all.js file ECHO. >> "C:\Program Files\Mozilla Firefox\greprefs\all.js" :: ::Add a pref to point to the new CFG file to the end of all.js ECHO pref(general.config.filename, mozilla.cfg); >> C:\Program Files\Mozilla Firefox \greprefs\all.js GOTO Loginstalled :Lognofirefox Echo %date% %time% user %username% on %computername% does not have FireFox installed >> \ \server\share \log.txt GOTO End :Logalreadyinstalled Echo %date% %time% user %username% on %computername% already has mozilla.cfg downloaded >> \\server\share\log.txt GOTO End :Loginstalled Echo %date% %time% user %username% on %computername% SUCCESS!! FireFox Proxy installed! >> \\server\share\log.txt GOTO End :End ::All done! Always test the login script on one or two computers before putting it into production. On computers that you do not want to lock down, drop the Mozilla.cfg file manually, but do not update the all.js file. This will cause the script to ignore that computer and assume it is already updated. 14 McAfee SaaS Web Protection Service Setup Guide

15 Proxy configuration Configure a static proxy on all your computers using Group Policy 3 Creating a Proxy Automatic Configuration or Web Proxy Auto- Detect file A Proxy Automatic Configuration (PAC) file and a Web Proxy Auto-Detect (WPAD) file are both simple files hosted on an internal web server that use JavaScript to tell the browser what to do before it attempts to load a web page. The advantage behind PAC and WPAD files is that they help you add intelligence to your proxy configuration so it can adjust when the computer is not connected to your network, or the proxy is down. You can also decide which sites will and won t be proxied so that business-critical websites will never be effected by the proxy. Set up WPAD When you are using the Web Proxy Auto-Detect Protocol, the browser will look first to DHCP to provide it with the location of your wpad.dat file information. If it cannot find it in DHCP, it will look to DNS before trying the Internet. You will need to configure the DHCP server to provide this information. Add Option 252 to DHCP Task 1 On the server running DHCP (or using MMC on your computer), select Start Programs Administrative Tools DHCP. 2 Right-click the DHCP server you want to edit and select Set Predefined Options. 3 Locate 252. If it does not exist: a Click Add to add a new option.. b In the Option name field, enter WPAD. c In the Code field, enter 252. d In the data field, enter select string and click OK. 4 From the Option Name drop-down list, select 252 WPAD. 5 In the String field, enter Where mywebserver is the name of the webserver that you placed your wpad.dat configuration file. This string must be all lowercase. 6 Click OK. After you make this change, this WPAD information will be published with each new IP address. So make sure it s correct in the DHCP server, that the script is functional, and to be sure to release/ renew your IP address so you can test it after clickingok. Now that you have completed the step above where you added Option 252 to your DHCP server, you have the choice of setting this for your entire DHCP server or specific scopes, or both. 7 Right-click Server Options and select Configure Options. This step must be in lowercase. 8 Select Option 252 Make sure it has the correct web server information, port, and file name. This must be in lowercase. McAfee SaaS Web Protection Service Setup Guide 15

16 3 Proxy configuration Configure a static proxy on all your computers using Group Policy 9 Click OK. 10 Open the scope in question. 11 Right-click on Scope Options and click Configure Options. 12 Select Option Fill in the server name with the name of your web server, port and wpad.dat file. These entries must be all lowercase. 14 Click OK. Configure DNS for a WPAD script Internet Explorer will look to DHCP Option 252 if the Automatically detect button is selected, so you might be wondering why we recommend you make this change to DNS as well. There are several reasons why you might want to do this: You want your proxy configuration file to work on machines that have a static IP address. You have other browsers that might prefer a DNS entry over DHCP like Firefox. You are concerned that your Automatically Detect setting is going to force the browser to hunt until it finds a config file, possibly in the wrong domain. Task For instance, if you have Automatically Detect Proxy option set on your browser, but your browser cannot find the wpad.dat file for dallas.mydomain.com, it will look for wpad information at wpad.mydomain.com, and then wpad.com before giving up. Should it find it, it will happily run the script found in any of those domains creating an obvious security and configuration issue. The assumption is that you want to provide WPAD information for your local domain. So assuming your local domain is mydomain.info you would edit the DNS server for mydomain.info and add a cname record called WPAD that points to the web server that holds the file. 1 Start DNS in MMC by going to administrative tools on the domain controller hosting your DNS. 2 Expand Forward Lookup Zones. 3 Right-click your forward lookup zone and select New Alias (CNAME). 4 In the Alias field, enter WPAD. 5 Enter the fully qualified domain name of the server that is hosting your WPAD file. 6 Click OK. 7 Click OK. Test by setting the Automatically detect option in Internet Explorer. When your browser finds a page called wpad.yourdomain.com, your proxy information is automatically updated. 8 After completing the DNS and DHCP setup instructions below, configure your browser to automatically detect proxy settings. a Start Internet Explorer. b c Select Tools Options.. Click the Connections tab. 16 McAfee SaaS Web Protection Service Setup Guide

17 Proxy configuration Configure a static proxy on all your computers using Group Policy 3 d e Select LAN settings if wired to the network. Select Automatically detect settings. Set up a web server to use a PAC or WPAD file To use a PAC or WPAD file to configure your proxies, you need to configure several things on your network. Before you begin The PAC file is much simpler than the WPAD setup because with the PAC file you are telling your browser where to find the file, so you just need to place it in the root of a web server and tell that server how to load it. However, the WPAD setup uses DHCP and DNS to figure out where the file is when the user s browser is set to Automatically detect settings, so you will need to put the file in a web server and update DHCP and DNS so the browser knows where to look for it. The PAC and WPAD file must be placed on a web server. We highly recommend an internal web server instead of an Internet facing server; we also recommend making the file read-only to keep a hacker from redirecting all your Internet traffic to their favorite spyware site. For more information about possible security issues with using a PAC file or the WPAD protocol, see technet/security/advisory/ mspx. Task 1 Copy your proxy.pac file to the root document directory on your web server. Must be the root document directory Must be the default virtual server or active virtual server Must be lowercase file name 2 Add a MIME entry to your web servers configuration so it knows how to open the file. 3 Open IIS Manager on the web server. 4 Right-click the website to add a MIME Type. 5 Click Properties. 6 In the HTTP Headers tab, click MIME Type. 7 Click New. 8 In the Extension field, enter the file name extension: pac a b In the Mime Types field, enter: application/x javascript config Click OK and then restart the IIS Service (when appropriate to do so, depending on what else this web server does). Tasks Set up web servers for Apache version 1.x on page 18 To set up web servers for Apache 1.x, complete the following steps. Set up web browsers for Apache version 2.x on page 19 To set up web servers for Apache 2.x, complete the following steps. McAfee SaaS Web Protection Service Setup Guide 17

18 3 Proxy configuration Configure a static proxy on all your computers using Group Policy Set up web servers for Apache version 1.x To set up web servers for Apache 1.x, complete the following steps. Task 1 Edit /etc/apache/httpd.conf 2 Add AddType application/x javascript config pac 3 Edit /etc/apache2/mods-available/mime.conf. 4 Add AddType application/x javascript config pac Restart the Apache Web Server, (when appropriate to do so, depending on what else this web server does). 5 Test by opening If your web browser asks you how you would like to open the proxy.pac file, then you have completed this step correctly. Configure your browser to point to the proxy.pac file in Internet Explorer by completing the following: a Click Tools Options. b c d Click the Connections tab. Click LAN settings if wired to the network, set settings to configure a VPN. In the Automatic Configuration Script field enter the URL of your web server. Web server configuration for a WPAD.DAT file: 6 Copy the wpad.dat file to the root document directory on your web server. a Must be the root document directory, not some subsite or lower directory. b c Must be the default virtual server or active virtual server. MUST be a lowercase file name or WPAD.dat will not function but wpad.dat will. 7 Add a MIME entry to your web servers configuration so it knows how to open the file. 8 Open IIS Manager on the web server. 9 To add a MIME Type, right-click the website you want. 10 Click Properties. 11 In the HTTP Headers tab, click MIME Types. 12 Click New. 13 In the extension field, enter the file name extension: pac. a In the Mime Type box, enter: application/x-javascript-config. b Click OK, then restart the IIS Service (when appropriate to do so, depending on what else this web server does). 18 McAfee SaaS Web Protection Service Setup Guide

19 Proxy configuration Configure a static proxy on all your computers using Group Policy 3 Set up web browsers for Apache version 2.x To set up web servers for Apache 2.x, complete the following steps. Task 1 Edit /etc/apache2/mods available/mime.conf 2 Add the following line: (dat for wpad, pac for.pac) a Add Type application/x-javascript-config dat b Restart the Apache Web Server (when appropriate, depending on what else this web server does). 3 Test by opening using your Internet browser. If your web browser asks you how you would like to open the wpad.dat (for example, with Notepad) then you have completed this step correctly. 4 After completing the DNS and DHCP setup instructions below, configure your browser to automatically detect proxy settings. a Start Internet Explorer. b c d e Select Tools Options. Click the Connections tab. Click LAN settings if wired to the network. Select Automatically detect settings. Basic WPAD or PAC file example The following is an example of a basic PAC or WPAD file. WPAD or PAC file example function FindProxyForURL(url, host) { return "PROXY proxyserver.example.com:3128 } Assuming your Internet Information Server or Apache Web Server and Internet Explorer are configured correctly (We ll get to that below), when your browser attempts to load a webpage, it will run this script and know to look for the proxyserver on port If it can t find it, it will send the browser directly to the Internet. This was a pretty simple example. What if you decided you wanted your proxy file to ignore your local network and computer? WPAD or PAC file that does not proxy the local host or network function FindProxyForURL(url, host) { function FindProxyForURL(url, host) { if ( isplainhostname(host) localhostordomainis(host, " ") isinnet(host, " ", " ")) return "DIRECT"; else return ""PROXY proxyserver.example.com:3128"; } If you would like to configure your PAC file to ignore specific websites, you would add the shexpmatch(url, See the following example. McAfee SaaS Web Protection Service Setup Guide 19

20 3 Proxy configuration Configure a static proxy on all your computers using Group Policy WPAD or PAC file that ignores specific websites function FindProxyForURL(url, host) { if ( isplainhostname(host) localhostordomainis(host, " ") isinnet(host, ", " ) shexpmatch(url, "*.yourcompanyname.*")) // Don t proxy mxlogic.* return DIRECT; else return ""PROXY proxyserver.example.com:3128"; } Finally, if you would like to configure your proxy server to have more intelligence in what to do if it can t find the proxy, you can provide multiple proxies or just tell it to go directly to the Internet.. else return PROXY proxyserver.example.com:3128; proxy domain.com.web02.mxlogic.net:8080; DIRECT; } In this example we are telling the browser to try the local proxy. If that fails, attempt to go directly to McAfee for proxying. If that fails, go directly to the Internet. There are lots of different options you can use in your PAC and WPAD files. Microsoft Technet has quite a few on their article at There is also a great write up on different PAC and WPAD file options here: ~jcurnow/writingeffectivepacfiles.html Other considerations One important thing to remember is that Internet Explorer does not provide any error checking for a PAC or WPAD file. If you missed a closing brace, parenthesis, or mistyped a command, your browser isn t going to tell you, it s just going to go directly to the Internet. So when you are creating your PAC file, no proxy (and you ve already confirmed a direct connection to your proxy works) might mean there is an error in your script somewhere. Also note that the browser might cache this file locally, so changes to the PAC or WPAD file on the server might not result in any changes on the client until they turn off their proxy configuration and turn it back on again in Internet Explorer or Firefox. 20 McAfee SaaS Web Protection Service Setup Guide

21 4 Common 4 configuration issues To start determining what is wrong with your proxy configuration, enter your server name and port manually into Internet Explorer or Firefox s proxy configuration, close and reopen the browser and then attempt to access a webpage. Contents Check a hard-coded proxy setting first Check all configurations are in lowercase Check a hard-coded proxy setting first If you can access a web page that means the proxy worked. If you can access endoftime.mcafee.com and get a Web Protection Page not found error message, then you know you are being filtered by the service. If you cannot get to a webpage then you know your proxy server has an issue. If you can get to a web page but are not being filtered, then a script or other automatic configuration piece is broken. Check all configurations are in lowercase As noted in several sections above, several WPAD configurations in DNS, DHCP, and in the file name of your wpad.dat file require lowercase in most systems. Check these areas carefully. A lack of error checking in Internet Explorer and Firefox: Internet Explorer might run a proxy.pac or wpad.dat file, but it won t tell you if it ran across an error, it ll just give up and go straight to the Internet. Test your scripts using the alerts as mentioned in Various Microsoft errors and bugs See Firewalls Your computers must be able to get to your proxy server where the WDS Connector is running. The router and switches at your company between the clients and the proxy server must allow the desktops and laptops to talk to the proxy server on port Your proxy server where the McAfee WDS Connector is installed must allow inbound port 3128 connections. McAfee SaaS Web Protection Service Setup Guide 21

22 4 Common configuration issues Check all configurations are in lowercase Your proxy server where WDS Connector is installed must allow a lot of port 3128 connections. Any firewall or windows configuration that limits connections can reduce the number of computers that can proxy at once resulting in a situation where some machines are proxied and others are not. Finally the proxy server must be able to talk to McAfee on port 3128 (squid) to be able to filter requests. If a server firewall or border (router) firewall is blocking this port, the proxy will not be able to function. WDS Connector Service issues Verify the WDS Connector service is running on the proxy server. In a WPAD environment, users will likely go directly to the Internet if this service is stopped or unavailable. In a hard-coded proxy config, or a PAC environment with no DIRECT, the Web Protection service being off will cause an page not found error. If using other authentication methods, ensure port 8080 is open for outbound connections. Domain Controller and User Issues Your proxy server where the WDS Connector was installed must be able to communicate with the domain controller specified during the install. If this domain controller has been firewalled off, removed, uninstalled or otherwise is not available, users will get an authentication error. The WDS Connector cannot fail over to another domain controller at this time. If you need to reset or work on the domain controller that the WDS Connector is pointing to, we recommend stopping the connector service first if you are in a PAC or WPAD environment. If you are hard-coded to this proxy server, turning off the WDS Connector or working on the DC might cause an Internet outage. WDS Connector Domain User issues The proxy server where the WDS Connector was installed must be able to communicate with the domain controller specified during the install using the user account specified during the set up process. If this user account was deleted, has expired or is locked out, users will get an authentication error. User not set up on the Control Console If a user is not created on the Control Console and attempts to proxy through the WDS Connector they will get an Authentication error. All users should be set up in advance of installing the WDS Connector. Consider using McAfee s Directory Sync to automatically update your users between your Active Directory and the McAfee Console. User Bad Password, account locked out, Account expired in Active Directory The WDS Connector looks to your Active Directory for its user information. However, if that user logged on to a computer locally they will receive a logon prompt before logging into the network. Also, if that users AD account is expired, locked out or has been deleted, this user will be asked to log in before getting a web page, and might receive an authentication error. Non-domain logon If a user logs on locally to a laptop or desktop, they will receive a logon prompt before they are allowed to access a website, just like they would had they attempted to access a server resource. 22 McAfee SaaS Web Protection Service Setup Guide

23 Common configuration issues Check all configurations are in lowercase 4 Program issues Some programs cannot authenticate using NTLM or do not like to be proxied and might cause the user to see a logon prompt instead of an error message. We typically see this on non-business related Java Apps. Sometimes clicking several times will allow it to get past this. Other times an administrator might need to deselect auto-config on the proxy. Windows updates McAfee recommends using WSUS to provide updates to your desktop and laptop computers, if you are attempting to go to update.microsoft.com you might find that the detection phase hangs and eventually returns an error message if you are going through the proxy. This is a known issue with the Microsoft Windows Update site and proxy servers including their own IAS server. The quick way around this is to turn off automatically detect before going to Windows Update. Another option is to exclude the Windows Update servers in your WPAD.DAT or Proxy.pac file. You can do this by using the shexpmatch (url, website) command in your script to have it not proxy the following sites: The website that discusses this issue and provides a work around is Web server not configured correctly Test your ability to opening using your Internet browser. If your web browser asks you how you would like to open the wpad.dat, (for example, with Notepad) then you have completed this step successfully. PAC/WPAD File Errors The PAC file contains a JavaScript function. Syntax errors in the JavaScript will prevent the PAC file from executing and will not set the proxy appropriately. The default behavior for most browsers is to set no proxy, so traffic will be direct to the Internet with no filtering. To test for syntax errors, use a JavaScript validation tool. A simple one can be found at copy and paste the contents of the PAC file into the text area and run the test. Warnings can generally be ignored, but any syntax or other errors must be addressed in order for the PAC file to function properly. McAfee SaaS Web Protection Service Setup Guide 23

24 4 Common configuration issues Check all configurations are in lowercase 24 McAfee SaaS Web Protection Service Setup Guide

25 5 Set 5 up policy sets The Policy Sets tab lists the currently defined Web browsing policies for the designated Enterprise Customer, including default and sample policies, and allows you to open the specific policy configuration tab to modify the policies. Sample Policy Sets There are three sample policy sets that you can use as a starting point for creating custom policy sets: Lenient Policy Contains the least strict set of policies Moderate Policy Contains a moderately strict set of policies Strict Policy Contains the strictest set of policies You can do any of the following: Accept the policy configurations in the default policy sets. Create, update, or delete customized policy sets. Customize or delete a sample policy set. For more information regarding setting up your policies, select Control Console Web Protection Policies. Click New and follow the instructions in Help. Policy Scheduling Link The Policy Scheduling link allows the customer to define different policies or rules for their users at different times of day or days of the week. For example, different sites may be allowed at lunch rather than during standard working hours. To set the days and time to allow customers access to specific sites, select Control Console Web Protection Policies Policy Scheduling link and follow the instructions in Help. Forensics The Web Forensics tab allows customer administrators to delve into the available log data to review their service. Administrators can filter, sort, and export data from the logs to determine specifically what any or all users, the resulting action, the bandwidth usage, the virus detection, etc. Data can be filtered by date, user, category, resulting action and more and can be sorted appropriately. This function allows the most in-depth data available to a customer about the Web Filtering Service. For additional information on how to set up filters and sort search in Forensics, select Control Console Web Protection Forensics. Follow the instructions in Help. McAfee SaaS Web Protection Service Setup Guide 25

26 5 Set up policy sets Forensics 26 McAfee SaaS Web Protection Service Setup Guide

27 6 Optimizing the WDS Connector for larger installations For customers with more than 500 clients, McAfee recommends configuring the WDS Connector to use more authorization children than the default of five. Configure the proxy for large numbers of clients Configuring for large numbers of clients is accomplished in the squid configuration file (squid.conf), which controls the behavior for the WDS Connector proxy. Customers with large numbers of clients Using any text editor (for example, notepad), open the squid.conf file (default location c:\program files\wds connector\wds connector proxy\etc\squid.conf), and replace auth_param ntlm children 5 with auth_param ntlm children 25 (Make sure there is no # before the entry.) You must restart the WDS Connector service before the changes will take effect. This number can be safely raised to 100. This sets the number of simultaneous NTLM authentications. McAfee SaaS Web Protection Service Setup Guide 27

28 6 Optimizing the WDS Connector for larger installations Configure the proxy for large numbers of clients 28 McAfee SaaS Web Protection Service Setup Guide

29 SEWS-WDS-Service-SG-8.0.0C00