Product Guide. McAfee Web Gateway Cloud Service

Transcription

1 Product Guide McAfee Web Gateway Cloud Service

2 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Web Gateway Cloud Service Product Guide

3 Contents 1 Product overview 5 What is McAfee WGCS? Key features How McAfee WGCS works McAfee web security technologies Account management Policy management 9 Global policy model Using the Policy Browser Viewing feature policies Viewing rules Viewing catalogs Download and install SSL certificates on client systems Working with user groups Active Directory synchronization Add a local user group Rename the local user group Work with rules and feature policies Add a rule Create a rule by importing a URL list Create a rule using exceptions Edit a rule Reorder the rules Delete a rule Create a list Delete a list Managing the URLs Create a block page Edit the Policy Details Change the assigned policy View the user actions Export the audit logs Error conditions Authentication 35 Authentication and policy decisions How McAfee WGCS implements the authentication options How the authentication process works IP range authentication Enable or disable IP range authentication Configuring IP range authentication Import a list of IP address ranges Export a list of IP address ranges SAML authentication McAfee Web Gateway Cloud Service Product Guide 3

4 Contents Benefits of SAML authentication SAML authentication high-level steps SAML configuration overview Considerations when configuring SAML authentication Configuring SAML in the management console SAML authentication settings IPsec site-to-site authentication Configuring IPsec site-to-site authentication Considerations for configuring IPsec site-to-site Enable or disable IPsec site-to-site authentication Add an IPsec location Delete an IPsec location Edit the IPsec site-to-site settings IPsec site-to-site settings Adding SAML authentication to IPsec site-to-site Configuring policy rules for IPsec VPN traffic Index 51 4 McAfee Web Gateway Cloud Service Product Guide

5 1 Product overview McAfee Web Gateway Cloud Service (McAfee WGCS) is a globally available, enterprise cloud service that provides comprehensive web protection through in-depth content scanning and integration with other McAfee web security technologies. Contents What is McAfee WGCS? Key features How McAfee WGCS works McAfee web security technologies Account management What is McAfee WGCS? The web protection service protects your organization from security threats that arise when end users access the web. The service scans and filters web traffic between end users in your organization and the cloud. It blocks traffic that is not allowed by the web protection policy you configure. It protects users working inside or outside your network. For example, the service protects users who are working in a coffee shop or hotel. Using the web protection service, you can prevent sophisticated threats, implement your organization's Internet use policy, and promote productivity. For example, you can control access to file upload websites. Through hundreds of web content, application, and media type categories, you have fine-grained control over web use inside and outside the network. As a service running on a cloud platform, McAfee WGCS is managed 24/7 by a team of McAfee security experts. You purchase a subscription to the service, and there is no hardware or software to install. The cloud services platform consists of globally distributed nodes called points of presence (PoP). The Global Routing Manager (GRM) is a DNS service that is responsible for intelligent traffic routing, load sharing, and failover. The GRM routes traffic to the best available point of presence. The web protection service is managed and configured using the McAfee epolicy Orchestrator Cloud (McAfee epo Cloud) platform and console. McAfee WGCS can be deployed with or without McAfee Client Proxy. Client Proxy software is installed on the computers of end users in your organization. The software is location-aware and redirects end-user requests to the cloud service when users are working outside the network. Client Proxy is managed and configured using the McAfee epolicy Orchestrator (McAfee epo ) or McAfee epo Cloud platform and console. McAfee WGCS can be integrated with Client Proxy when the software is managed using either platform. End-user computers are referred to as client or endpoint computers. Endpoint computers are sometimes called the endpoint. McAfee Web Gateway Cloud Service Product Guide 5

6 1 Product overview Key features Key features McAfee WGCS provides these key security features. URL filtering using whitelists, blacklists, and reputation categories based on risk levels determined by McAfee Global Threat Intelligence (McAfee GTI) SSL scanning, including full decryption and content inspection Web filtering: Web content filtering using the Web Category Filter Web application filtering using Access Protection Media type filtering using the Media Type Filter Anti-Malware filtering that blocks malware in-line and includes traditional anti-virus and behavior emulation technology SAML, IP range, and IPsec site-to-site authentication of end users requesting cloud access Web protection reporting: productivity, web activity, web policy enforcement, and web security overview How McAfee WGCS works The web protection service protects your organization from malware, spyware, viruses, phishing URLs, targeted attacks, and blended threats through an in-depth detection process. The threat detection process consists of these high-level steps. 1 Using signature-based anti-virus technology with URL category and reputation data from McAfee GTI, McAfee WGCS filters known threats from web traffic, while allowing known good traffic to pass. This step of the process detects about 80% of web-based threats. 2 The remaining web traffic is not known to be good or bad. Suspicious unknown traffic is then inspected by the Gateway Anti-Malware Engine. Using emulation technology, dynamic web content and active code are observed in a controlled environment to understand intent and predict behavior. This step of the process detects almost 100% of the remaining web-based threats. Known as zero-day malware, these threats are new or changed malware files that do not yet have signatures. McAfee web security technologies McAfee WGCS uses information and intelligence provided by proven McAfee web security components and technologies. These components and technologies dynamically update the web protection service as web security information and intelligence change. The components and technologies are fully integrated with the service. Minimal configuration is required in the user interface. Web security components and technologies include: 6 McAfee Web Gateway Cloud Service Product Guide

7 Product overview Account management 1 McAfee GTI Evaluates website reputation based on past behavior and assigns websites to categories of high, medium, low, and unverified risk. McAfee GTI collects, analyzes, and distributes data in real time from more than 100 million sensors in more than 120 countries. Filters Simplify policy rules by assigning similar websites, web applications, and file types to groups. Web Category Filter Assigns websites to categories based on content. Using this filter, you allow or block access to specified content, such as blocking access to gambling sites. Access Protection Assigns web applications to categories by type. Using this filter, you allow or block access to web applications individually or by category. For example, you can block file uploads to file-sharing applications in the cloud. Media Type Filter Categorizes files by document type or audio or video format. Using this filter, you allow or block access to specified media types, such as blocking access to streaming media. Gateway Anti-Malware Engine Filters web traffic, detecting and blocking zero-day malware in-line using emulation technology before end-user devices are infected. Account management In the management console, you can synchronize an on-premise Active Directory with McAfee epo Cloud. You can also apply your web protection policy to local user groups that you create and name. Active Directory synchronization You can create, populate, and maintain your organization's on-premise Active Directory accounts in the McAfee epo Cloud System Tree. For more information, see the McAfee epolicy Orchestrator Cloud Product Guide. Local user group feature You can manually create and name local user groups and then add them to policy rule actions. This feature is part of the Policy Web, Cloud Data Policy interface. McAfee Web Gateway Cloud Service Product Guide 7

8 1 Product overview Account management 8 McAfee Web Gateway Cloud Service Product Guide

9 2 2 Policy management In the McAfee epo Cloud management console, you manage the web security policy that determines how McAfee WGCS filters web traffic and allows or blocks access to web content, applications, and objects. Contents Global policy model Using the Policy Browser Download and install SSL certificates on client systems Working with user groups Work with rules and feature policies View the user actions Export the audit logs Error conditions Global policy model The McAfee WGCS policy model is based on one set of policies that is applied globally across your organization. You configure one set of policies that apply globally to all users and groups in your organization. To customize the application of the policy set to specific users or groups, you then configure exceptions to the rules that make up the policies in the set. McAfee Web Gateway Cloud Service Product Guide 9

10 2 Policy management Using the Policy Browser Using the Policy Browser The Policy Browser interface for managing your policies is designed around the concept of providing information contextually. The type of information you see depends on your installed options, the current area of the interface, and the choices that you make. The interface for managing your policies is organized to provide protection around key feature areas relevant to the McAfee products and services you use. Figure 2-1 Default policy browser (all features shown collapsed for clarity) These key feature areas are: Global Settings, where you maintain the Global URL Whitelist and Global Blacklist that apply to all users and policies. SSL Scanner, where you configure your SSL (Secure Sockets Layer) scanning settings. Web Reputation, where you configure response to a website depending on its reputation level. Web Category Filter, where you configure the category-based scanning settings, protecting users from inappropriate website categories. Access Protection, where you configure the web-based applications available to your users. Media Type Filter, where you configure the types of file formats that can your users can access. Anti Malware Filter, where you configure settings for filtering the malware. Viewing feature policies In each key feature area on the interface, one or more feature policies relate to that area. A feature policy provides varying degrees of restriction on its key feature areas. Each policy has its own set of rules and exceptions. For example, a restrictive feature policy most likely blocks access to most locations for most users. A lenient policy allows access to most locations for most users. By default, your product includes several policies for each feature area. These policies are configured with commonly used settings for different industry, educational, and government sectors. For example, some organizations prefer less restrictive settings, so that their employees, or students, can make the best business or educational use of the Internet. A government defense department must be much more restrictive. For most situations, it is useful to maintain two policies for each feature: one that you use in normal day-to-day situations, and another, more restrictive policy when investigating a security concern. 10 McAfee Web Gateway Cloud Service Product Guide

11 Policy management Using the Policy Browser 2 To view the available feature policies for each feature area, select each policy by clicking the policies drop-down list. Figure 2-2 View policies by selecting them from the policies drop-down list After the drop-down list is expanded, all feature policies relating to that area are displayed. In each policy, you can configure as many rules as you need. Policy Details Clicking a feature policy name for example, Limited, or Permissive displays the Policy Details pane. Figure 2-3 Typical Policy Details pane for McAfee Web Gateway Cloud Service policies From the Policy Details pane, you can see the name of the feature policy, and can view and edit the block pages used by the feature policy. Also, you can copy the block page and use it to create another block page. You can view the details for any policy, whether it is enabled or disabled. A disabled policy icon marks policies that are not currently in use. You can also view feature policy-specific information: Table 2-1 Feature policy-specific information Feature Policy SSL Scanner Web Category Filter Additional information Download SSL certificate bundle link Block Uncategorized Sites checkbox When you select this option, all uncategorized sites are blocked, even sites that are listed in the URL Whitelist in subsequent areas. Enforce Secure Search checkbox McAfee Web Gateway Cloud Service Product Guide 11

12 2 Policy management Using the Policy Browser If you navigate to a different feature policy, the Policy Details pane remains open, but does not update until you click the new feature policy name. Viewing rules Each feature policy contains a set of rules. Rules run in a top-down order, with each rule configured to take the selected action when the rule matches. Figure 2-4 Example feature policy rules Each feature policy can contain specific types of rules. Table 2-2 Rule types Feature Global Settings SSL Scanner Web Reputation Allowable rules Global URL Whitelist URLs that are considered safe and evaluated before any other rules in this feature. Matching URLs bypass the rest of the rules in this feature. Global Blacklist URLs that are considered not safe and evaluated before any other rules in this feature. Matching URLs bypass the rest of the rules in this feature and access is blocked. URL Whitelist URLs that are applied to the SSL Scanner feature. SSL Web Category Inspect or do not inspect traffic based on the URL category. SSL Web Application Inspect or do not inspect SSL traffic based on the Web Application list being used. all other SSL connections (catch-all rule) Applies to any request that is not matched already in the rules for this feature. URL Whitelist URLs that are applied to the Web Reputation feature. Web Reputation Allow or block sites based on their Global Threat Intelligence (GTI) reputation score. Web Category Filter URL Whitelist URLs that are applied to the Web Category Filter feature. Web Categories Allow or block requests based on the URL category. all other web categories (catch-all rule) Applies to any request that is not matched already in the rules for this feature. Access Protection Web Application URL Whitelist URLs that are applied to the Access Protection feature. Web Applications Allow or block requests based on the web application detected in the request. all other web applications (catch-all rule) Applies to any request that is not matched already in the rules for this feature. 12 McAfee Web Gateway Cloud Service Product Guide

13 Policy management Using the Policy Browser 2 Table 2-2 Rule types (continued) Feature Media Type Filter Anti-Malware Filter Allowable rules URL Whitelist URLs that are applied to the Media Type Filter feature. Media Type Allow or block requests based on the media type detected in the request. all other media (catch-all rule) Applies to any request that is not matched already in the rules for this feature. URL Whitelist URLs that are applied to the Anti-Malware Filter feature. Anti-Malware Scan Block requests for malicious files based on the gateway antimalware (GAM) probability. Rule Details Clicking a rule displays the Rule Details pane. From this pane, you can see the name of the rule, and whether it is enabled or disabled. You can also see the configured primary action, and any exceptions that are configured. Figure 2-5 Rule Details pane The top area of the Rule Details pane shows the primary object the object or list where the rule applies and its status. The Rule Details contains: Table 2-3 Rule details menu Menu item Enable Rule Disable Rule Add Action Close Description Enable the currently selected rule so that it is used to evaluate your users' web requests. To prevent a rule being used to evaluate your users' web requests, select Disable Rule. Where applicable for the selected feature and rule, add additional actions to the rule. Close the Rule Details card. The primary object depends on context. When you select different types of rules, only relevant primary objects are displayed. The currently selected primary action is displayed. McAfee Web Gateway Cloud Service Product Guide 13

14 2 Policy management Using the Policy Browser Table 2-4 Available primary actions for different types of rules Rule type Available primary actions Notes Application rules Anti-Malware rules Allow, Block Allow, Block, Send to Sandbox, Bypass You cannot create Anti-Malware rules. The Send to Sandbox and Bypass actions are only available when the Cloud Threat Detection service has been purchased. Global URL Blacklist Block You cannot create Blacklist rules; the only blacklist exists in the Global Settings feature. Catch-all rules Global URL Whitelist Media-Type rules Allow, Block Always Allow Allow, Block Web Reputation rules Allow, Block You cannot edit the Web Reputation primary object. You cannot create Web Reputation rules. SSL Scanner rules Web Category rules URL Whitelist rules Inspect, Do not inspect Allow, Block Allow In each primary action, any configured exception objects, where permitted, are shown. Table 2-5 Descriptions of the actions Action Allow/Block Always Allow Inspect/Do no inspect Send to Sandbox/Bypass (only available for Cloud Threat Detection service) Description An Allow action causes the web request to bypass the current feature, and progress to the next feature in the top-down list. The Block action stops all further processing and blocks the request. Applicable to the Global URL Whitelist only, Always Allow allows the web request through, and stops all further processing by the remaining features. The Inspect action causes the SSL information to be decrypted before being passed to the next feature in the list. Do not inspect stops the SSL information being decrypted, effectively stopping all further processing by the remaining features. The Send to Sandbox action causes the files to be forwarded to the Cloud Threat Detection service for further analysis. The Bypass action prevents the file being sent to the Cloud Threat Detection service. Importance of the rule order When an Always Allow action is triggered, all subsequent rules are skipped and are not evaluated in relation to the current request. For Allow actions, all remaining rules in the current feature policy are skipped, and processing continues in the next feature policy. For Allow or Always Allow actions, the triggering item is allowed. Consider the order you use to sort your rules for each feature policy. Place the most stringent rules at the beginning of rule list, progressing down to the final catch-all rule last in the list. 14 McAfee Web Gateway Cloud Service Product Guide

15 Policy management Using the Policy Browser 2 Importance of the action order The last action in the Rule Details pane is considered the primary action, and acts as the catch-all action. For example, if the last action is Block, any traffic that does not match the actions above it is blocked. See also Enable or disable a rule on page 22 Object details The object details pane provides a method of viewing relevant items in your rules. Figure 2-6 Object details pane The information displayed in the object details pane changes as you move through the workflow for your tasks. This changing information ensures that you always see options relating to your current workflow. For example, when the Web Reputation rule is selected, you can enable or disable the rule, and you can add exceptions. You cannot edit the description for the Web Reputation rule. When permitted by the current stage in your workflow, you can edit the items that appear in the selected object. Some areas of the interface can contain many selectable entries. These areas include a search field to allow you to easily find what you are looking for. Catch-all rules Catch-all rules provide a method of configuring feature policies that take effect if no other rules are triggered. Catch-all rules are included in the SSL Scanner, Web Category Filter, Access Protection, and Media Type Filter policies. Catch-all rules appear last in the list of rules for the relevant feature policies, and cannot be deleted or reordered. This type of rule can be disabled. McAfee Web Gateway Cloud Service Product Guide 15

16 2 Policy management Download and install SSL certificates on client systems Viewing catalogs Catalogs hold groups of related data, for example, block pages, lists of web categories, lists of web application types, and lists of media types. The Catalog pane is displayed on the right side of the screen. Figure 2-7 Catalog pane The content of the catalog pane depends on the selected feature area and rules. Download and install SSL certificates on client systems Installing SSL certificates enables McAfee WGCS to scan your SSL traffic. Certificates must be installed on each device that communicates with McAfee WGCS. Detailed information about installing the SSL certificates on different browsers and operating systems is included in the certificate bundle. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the Policy Browser, select SSL Scanner. 16 McAfee Web Gateway Cloud Service Product Guide

17 Policy management Working with user groups 2 3 Click the policy name, for example, No SSL Inspection or Basic Coverage, to the right of the SSL Scanner area. 4 In the Policy Details pane, click Download SSL certificate bundle. When prompted, save the.zip file locally. 5 Extract the files from the.zip file and share the files with the end user. 6 Follow the instructions for your browsers and operating systems contained in the Importing_Certificates_into_Browsers.pdf document (included in the certificate bundle.zip file). Working with user groups Configure local user groups or use Active Directory Services to connect to your Active Directory so that you can apply policies to different groups of users. s Active Directory synchronization on page 17 By integrating the user groups from your Active Directory into the web protection policies, you can create policies that are applied to specific groups of users. Add a local user group on page 17 You can add local user groups to your feature policies to customize the protection for your users. Rename the local user group on page 18 As an administrator, you can rename the user groups to your choice. Active Directory synchronization By integrating the user groups from your Active Directory into the web protection policies, you can create policies that are applied to specific groups of users. See Active Directory synchronization in the McAfee epolicy Orchestrator Product Guide for detailed information about synchronizing your local AD. Add a local user group You can add local user groups to your feature policies to customize the protection for your users. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule where you want to add the local user group. 4 In the Rule Details pane, select. You cannot add a user group to the current primary action. 5 Click from the Catalog pane. To add an existing user group, click besides the required one. 6 Click New User Group. 7 (Optional) Type a name for the user group. 8 Click Save to update the rule. McAfee Web Gateway Cloud Service Product Guide 17

18 2 Policy management Work with rules and feature policies Rename the local user group As an administrator, you can rename the user groups to your choice. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 Select the local user group to be renamed. 4 Click from the object details pane. 5 Click Rename. To delete the user group, click Delete. 6 Type the new name for the user group. 7 Click Save to update the local user group. Work with rules and feature policies Use the following tasks when creating or changing rules and feature policies. 18 McAfee Web Gateway Cloud Service Product Guide

19 Policy management Work with rules and feature policies 2 s Add a rule on page 19 You can add rules to your feature policies to customize the protection for your users. Create a rule by importing a URL list on page 20 You can create a URL list rule by importing a.csv file with the URLs into a URL list. You then add this URL list to the new rule. Create a rule using exceptions on page 21 Create a rule using exceptions to specify user groups, and you can provide or deny certain access to the user groups. Edit a rule on page 21 There are several ways you can edit rules to meet your protection requirements. Reorder the rules on page 24 Move the rules to change the order in which they are applied. The rules are applied from the top down. Delete a rule on page 24 Deleting unwanted rules helps to organize and understand your feature policies. Create a list on page 25 You can create lists and add them to Web Category, Media Type, Site lists, and Application rules. Delete a list on page 26 You can delete unused primary objects, sitelists, web categories, and user-defined objects from the catalog list. Managing the URLs on page 26 By adding a URL to the URL list, you can control the website that your users access. The added URLs are maintained in the URL list, which you can edit as needed. Also, the URLs can be exported to back up the information. Create a block page on page 29 Block pages are displayed when your users are prevented from accessing a particular URL, document, or other web request. You can create different block pages for individual feature policies. Edit the Policy Details on page 30 From the Policy Details pane, you can edit the given policy name and assigned block page. Change the assigned policy on page 31 Each feature can have only one active feature policy applied to it at a time. Use this task to change the feature policy assigned to a feature. Add a rule You can add rules to your feature policies to customize the protection for your users. Where the new rule is placed depends on the options you choose, and what you currently have selected: If you have an existing rule selected, the new rule is placed immediately above it. If you do not have a rule selected, the new rule is placed last in the selected key protection area. If a catch-all rule exists, the new rule is placed above it. If you choose to add a whitelist, it is placed below the last whitelist rule in the browser. You cannot add a rule if you are editing the rule details of another rule. Some rule types, for example, Anti-Malware rules and Web Reputation rules are created by default, and you cannot add more rules of these types. McAfee Web Gateway Cloud Service Product Guide 19

20 2 Policy management Work with rules and feature policies 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the Policy Browser, click of the feature policy, then select New Rule. 3 In the Catalog pane, select the required catalog type from the drop-down list. 4 Click besides the selected list. Best practice: Use the Search field to filter the items available for selection. 5 In the Rule Details pane, select the required action to the added list. 6 Click Save. See also Change the Rule Details on page 22 Create a rule by importing a URL list You can create a URL list rule by importing a.csv file with the URLs into a URL list. You then add this URL list to the new rule. Before you begin Ensure that you have an existing comma-separated values file with the list of the URLs to be imported. The file can optionally include a header row. The list must contain comma-separated values. Each line contains one URL, followed by the "," separator and either "true" or "false". "true" indicates that the URL has the "All subdomains" parameter selected, "false" deselects "All subdomains". The URL and the true/false value are case insensitive. There must not be any spaces in or at the end of each line. As an example, the entries in the file can look like: example.org,true 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the Policy Browser, click of the feature policy that relates to the rule to be added. 3 Select New Rule. 4 In the Catalog pane, select the URL List from the drop-down list and click and select Import New URL List. 5 In the Import List dialog box, browse to the previously created list of URLs. If the.csv file includes a first row with header information, make sure that you select This file contains a header row. 20 McAfee Web Gateway Cloud Service Product Guide

21 Policy management Work with rules and feature policies 2 6 Click Import. The content of the file creates a URL list rule. If duplicate URLs are contained in the.csv file, the import pauses and you are notified of the duplicate entries. You can then continue with the import or end without importing the URL list. 7 After the URLs listed in the file are imported, accept the default URL list name, or type a new name for the URL list. By default, the new list takes the name of the.csv file used to import the URL list. 8 Click Save. 9 To add the list to the new rule, click to the right of the newly added URL list. 10 Accept the default rule name, or type a new name. By default, the new rule takes the name of the selected URL list. 11 Click Save. See also Export a list of URLs on page 28 Create a rule using exceptions Create a rule using exceptions to specify user groups, and you can provide or deny certain access to the user groups. Assume that you are creating a rule to deny executive user group to access social networking sites. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 Create a new rule in Access Protection feature area. a From the Policy Browser, click of the feature policy. b Select New Rule. 3 Assign the required rule type. a From the Catalog pane, select Web Applications from the drop-down list. b From the Catalog pane, click to the right of the Social Networking. In the Rule Details pane, you see that rule name is now Social Networking. 4 Assign the required user groups. a In the Rule Details pane, click located next to the Block option to display the list of User Groups. b In the Catalog pane, click to the right of Executives. You can add one or more user groups to an action. 5 In the Rule Details pane, click Save. Edit a rule There are several ways you can edit rules to meet your protection requirements. McAfee Web Gateway Cloud Service Product Guide 21

22 2 Policy management Work with rules and feature policies s Enable or disable a rule on page 22 Not all rules in a feature policy need be active at any given time. You can enable or disable rules to suit your requirements. Change the Rule Details on page 22 In the Rule Details pane, you can add or remove user group exceptions, or edit the primary objects in the currently selected rule. Add an action to a rule on page 23 To enforce a rule, additional actions are added to the rule. Change an action to primary action on page 23 The primary action for a rule can be considered as the catch-all action. In the Rule Details pane, the primary action is displayed last in the pane. Remove an action from a rule on page 24 The unwanted actions added to the rule can be removed. Enable or disable a rule Not all rules in a feature policy need be active at any given time. You can enable or disable rules to suit your requirements. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to be edited. 4 In the Rule Details pane, click and select the required option (Enable rule or Disable rule) from the available options. If you are trying to disable a catch-all rule, another confirmation appears. Click OK to proceed. 5 Click Save. Change the Rule Details In the Rule Details pane, you can add or remove user group exceptions, or edit the primary objects in the currently selected rule. Some rule types have limitations on what can be edited. For example, with Anti-Malware rules you cannot perform reordering the actions, deleting the rule, removing the default exception from the Block action and removing the Send to Sandbox action. You can create exceptions for most rule types. For example, a rule can allow your employees to access the Internet. You can then define an exception in this rule that prevents guest users and contractors from this access. The following workflow shows how to change the rule details for the Allow action. Changing the Block action uses a similar workflow. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to be edited. 22 McAfee Web Gateway Cloud Service Product Guide

23 Policy management Work with rules and feature policies 2 4 In the Rule Details pane, make sure the Allow action is selected. You cannot edit the active action in Rule Details. For example, if the Allow action is active and you want to edit its details, first make the Block action active. Move Block to the last position in the actions list. Then, make your required changes to the Allow action. 5 Click located next to Allow. 6 In the Group Catalog, do one or more of the following: Add a group to the selected rule In the Group Catalog, click to the right of the user group to be added to the Allow action. If a user group is already assigned to the action, then to the same action. is not displayed. You cannot add an object twice The selected user group is grayed out in the catalog, and is added to the Allow action. Remove a group from the selected rule From the existing groups in Rule Details, click for the group to be removed. 7 Click Save. The selected user group is removed from the Allow action. Add an action to a rule To enforce a rule, additional actions are added to the rule. Depending on your selected feature area and rule, additional actions can be added. If no additional actions are available for your selected feature and rule, the Add Action option is grayed out in the menu. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to be edited. 4 In the Rule Details pane, click and select Add Action. The new action is added to the rule as the secondary action. 5 Click Save. Change an action to primary action The primary action for a rule can be considered as the catch-all action. In the Rule Details pane, the primary action is displayed last in the pane. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to be edited. McAfee Web Gateway Cloud Service Product Guide 23

24 2 Policy management Work with rules and feature policies 4 In the Rule Details pane, click next to the action to be made the primary action. The action to be changed shows. 5 Click. 6 Click Move Down until the selected action is the last action. 7 Click Save. Remove an action from a rule The unwanted actions added to the rule can be removed. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to be edited. 4 In the Rule Details pane, click next to the action to be removed. 5 Click and select Remove Action. 6 Click Save. Reorder the rules Move the rules to change the order in which they are applied. The rules are applied from the top down. Before you begin You cannot reorder rules when the rule is in edit mode. If the rule is being edited, save or cancel your changes before you reorder the rules. You cannot reorder a catch-all rule, which must appear last in the list. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the required feature. 3 Select the rule to be moved. 4 In the selected feature, click and select Reorder Rule. 5 Click or until the selected rule is in the required position. 6 Click Save. Delete a rule Deleting unwanted rules helps to organize and understand your feature policies. You cannot delete: 24 McAfee Web Gateway Cloud Service Product Guide

25 Policy management Work with rules and feature policies 2 Catch-all rules Web Reputation rules Anti-Malware rules 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the required feature. 3 Select the rule to be deleted. 4 In the selected feature, click and select Delete Rule. 5 Click Delete to confirm the deletion. The rule is permanently deleted from the policy. Create a list You can create lists and add them to Web Category, Media Type, Site lists, and Application rules. Two methods exist for creating a list: Create a list using the new option. Create a copy of an existing list. This task shows the process to create a list, and the options to create a list by copying an existing list. You cannot create lists for User Groups. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the Policy Browser, select the feature. 3 In the feature area, select the required feature policy and rule. 4 In the Catalog pane, select the catalog type and do one of the following choices: Click and select New List. Select the list to be copied, and click, then select Copy List. You can rename the list if needed. The names New List and Copy List are changed according to the selected catalog type. For user group catalog type, the copy option is available only for the local user group. 5 From the pick list, add the required items to the new list. Click to add the item. If you are removing an item from the new list, click icon next to the item. If you are creating a list for URL lists, no pick lists are available. Instead, type the required URLs, or copy and paste a list of URLs into the URL field. 6 Click Save to add the new list to your configuration. McAfee Web Gateway Cloud Service Product Guide 25

26 2 Policy management Work with rules and feature policies Delete a list You can delete unused primary objects, sitelists, web categories, and user-defined objects from the catalog list. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the rule. 3 In the Catalog pane, select catalog type. 4 In the selected catalog type, click the list to be deleted. The object details pane displays the selected list and its items. 5 In the object details pane, click, then click Delete. You cannot delete the object or list if it is configured as rule in any of the features. 6 Click Delete to confirm. Managing the URLs By adding a URL to the URL list, you can control the website that your users access. The added URLs are maintained in the URL list, which you can edit as needed. Also, the URLs can be exported to back up the information. Formatting domain names for URL lists The supported domain name formats are: host.domain.tld/path host.domain.tld domain.tld/path domain.tld host DNS name of the host domain Name of the subdomain tld Top-level domain path Path to the web resource The path and any subpaths are automatically included, which is the same as placing an asterisk after the path in the domain name. All subdomains setting This setting determines whether policy rules are applied to the domain and all subdomains or to the domain only. To specify all subdomains: In the Policy Browser Select All subdomains when adding a URL to a URL list. In a.csv file specifying a URL list Set the value in the Subdomain(True/False) column to True. Specifying all subdomains has the same effect as adding "*." at the beginning of each domain name. Example: *.host.domain.tld/path 26 McAfee Web Gateway Cloud Service Product Guide

27 Policy management Work with rules and feature policies 2 Add a URL to a URL list URL lists enable you to control the websites that your users can access. You can add a list of websites. Whitelists and blacklists are similar to other URL lists, except that: The Global URL Whitelist only has the Always Allow action. Feature-specific whitelists only have the Allow action. Blacklists only have the Block action. You cannot configure exceptions for blacklists or whitelists. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to be edited. 4 From the Catalog pane, select the catalog type URL Lists and click the required URL list to be edited. The object details pane displays the details of the selected URL list. 5 In the object details pane, click and select Edit. 6 In the URL field, enter the URL to be added. The URL is checked as you enter it, to prevent duplicate entries being added. 7 (Optional) Select All subdomains to add all sites under the URL. 8 Click Add. 9 Click Save to update the rule. Edit a URL in a URL list URL lists enable you to control the websites that your users can access. They list websites that can be added to policies. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to be edited. 4 From the Catalog pane, select the catalog type URL Lists and click the required URL list to be edited. The object details pane displays the details of the selected URL list. 5 Click in the object detail pane, and select Edit. 6 Select the URL and make the required changes in the URL field. 7 Click Done to include the edited URL in the URL list. If you want to add a URL during editing, click. 8 Click Save to update the rule. McAfee Web Gateway Cloud Service Product Guide 27

28 2 Policy management Work with rules and feature policies Export a list of URLs Exporting lists of URLs is a useful way of backing up information. You can then import the exported information to other rules, or import the information to other systems. The exported URLs are saved in CSV format. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 Select the rule that contains the list of URLs to be exported to a CSV file. 3 In the Catalog pane, select the catalog type URL Lists and click the required list. 4 Under the object details pane, click and select Export 5 Follow the workflow for the browser you are using to save the file. The list is saved to a file named after the sitelist object. For example, exporting the list of URLs from a sitelist named Blocked URLs creates a file named Blocked URLs.csv. Import a list of URLs Importing lists is a convenient way of adding URLs to your system. The URL list to be imported must be in CSV format. Before you begin Ensure that you have an existing comma-separated values file with the list of the URLs to be imported. The file can optionally include a header row. The list must contain comma-separated values. Each line contains one URL, followed by the "," separator and either "true" or "false". "true" indicates that the URL has the "All subdomains" parameter selected, "false" deselects "All subdomains". The URL and the true/false value are case insensitive. There must not be any spaces in or at the end of each line. As an example, the entries in the file can look like: example.org,true 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 Select the rule in the feature area. 3 In the Catalog pane, select the catalog type URL Lists and click the required list. 4 Under the object details pane, click and select Import. 5 Browse to the.csv file with the URLs to be imported. If the.csv file includes a first row with header information, make sure that you select This file contains a header row. 28 McAfee Web Gateway Cloud Service Product Guide

29 Policy management Work with rules and feature policies 2 6 Click Import. A status message is displayed. If duplicate URLs are contained in the.csv file, the import pauses and you are notified of the duplicate entries. You can then continue with the import or end without importing the URL list. 7 To overwrite any existing URLs with the imported values, click Replace. 8 Click Save. Create a block page Block pages are displayed when your users are prevented from accessing a particular URL, document, or other web request. You can create different block pages for individual feature policies. Create a block page using the New Block Page or by copying an existing page. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the policies drop-down list in the feature header of the policy browser, select the feature policy to be changed. 3 Click the feature policy name, for example Limited, or Permissive. 4 In the Policy Details pane, click next to Block page. 5 In the Catalog pane, under Block Pages catalog types do one of the following choices: Click and select New Block Page Select the block page to be copied, and click, then select Copy Block Page. To add an existing block page, click besides the block page to be added. McAfee Web Gateway Cloud Service Product Guide 29

30 2 Policy management Work with rules and feature policies 6 In the block page dialog box, edit the name of the block page as needed, and change the content and formatting of the message. Use tokens in the block page to reflect information about the web requests that trigger the blocking action and the block message. Table 2-6 Available tokens for use in block pages Token {URL} {REASON} {IP} {RULE} {WEB_CATEGORY} {URL_REPUTATION} {MEDIA_TYPE} Description The requested URL. A combination of the reason for the block action and the specifics of the reason. The IP address of the client system. The name of the current rule. A list of categories that the requested URL matches. The reputation score for the requested URL. The Media Type classification for the requested file. {MALWARE_PROBABILITY} The probability that the file is malicious. {MALWARE} {APPLICATION} {USERNAME} {PROXYNAME} Information about the detected malware The name of the web application. Information about the user that made the web request. Details of the proxy used (if applicable). Each block page has a maximum content limit of 1 MB. 7 Click Save. The new block page is added to the respective catalog type. 8 To use the newly created block page for the selected policy, click to the right of the block page in the Catalog pane. The block page is added to the Policy Details pane 9 Click Save. To edit or delete a block page, select the block page and click required operation. in the object details pane to perform the Edit the Policy Details From the Policy Details pane, you can edit the given policy name and assigned block page. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the policies drop-down list in the feature header of the policy browser, select the feature policy to be changed. 3 Click the feature policy name, for example Limited, or Permissive. 30 McAfee Web Gateway Cloud Service Product Guide

31 Policy management View the user actions 2 4 In the Policy Details pane, change the feature policy name or edit the block page as required. For some feature types for example, SSL Scanner, Web Category Filter, you can also enable options specific to that feature. 5 Click Save. Change the assigned policy Each feature can have only one active feature policy applied to it at a time. Use this task to change the feature policy assigned to a feature. Before you begin Ensure that the feature has at least two feature policies configured. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 Select the relevant key feature area, and click the policy drop-down list to view the available policies. By default, the currently activated policy is selected. 3 Select a new policy from the list. 4 Click Activate Policy. 5 Click Yes to confirm the change. The newly selected feature policy is activated. View the user actions Details of the changes made to your policies are logged on the McAfee epo Cloud Audit Log page. Use the Audit Log to maintain and access a record of all user actions. Each time a policy or rule is created, changed, deleted, or when rules are reordered, details of the changes are included in the McAfee epo Cloud Audit Log. You can view the history of user actions. 1 From the McAfee epo Cloud menu, click User Management Audit Log. 2 To find specific entries, select the required time period from the Preset drop-down list, or use the Quick find field, then click Apply. Quick find searches through the User Name, Priority, Action, and Details fields. McAfee Web Gateway Cloud Service Product Guide 31

32 2 Policy management Export the audit logs Details of the changes to policies and rules are shown for the selected parameters. These details include the ID for each entry, and the hierarchy of the object or rule. Export the audit logs You can export the information contained in your audit logs for analysis outside of McAfee epo Cloud. 1 From the McAfee epo Cloud menu, click User Management Audit Log 2 Search for specific entries by selecting the required time period from the Preset drop-down list, or using the Quick find field, then click Apply. 3 Click the Actions button, and select Export Table. 4 Define the configuration information for the exported information. Option Compress files File format What to do with exported files Description Export all files in one.zip file. Select the format for the exported information. If you select PDF output, define the page size and the page orientation. You can also include information about your selected filtering criteria, and add a cover page to the PDF report. Enter the Recipients details, the Subject, and information for the message Body. 5 Click Export. Error conditions When working with products that interact with web servers, potential error conditions can occur. These error conditions can also be caused when multiple administrators making concurrent changes to policies. Error conditions typically fall into one of the following categories: Data errors Network connection errors Saving errors Data errors Data errors occur when data is unavailable or cannot be found. Typical reasons for these data errors are: The requested data was deleted or cannot be found. A server-side error occurred while the data request was being processed. If a data error occurs, an error message tells you the data is unavailable. This message includes a Reload button to attempt to reload the data. If the data is still not available, another message tells you the retry was unsuccessful. If the requested data was previously deleted, the error message gives information about the deleted data. 32 McAfee Web Gateway Cloud Service Product Guide

33 Policy management Error conditions 2 Network connection errors As with many web services, communication errors are common between the system you are using, and the web server and database hosting the services. Often, network communication errors are short-lived, and the service automatically reconnects when communication is restored. You can also manually retry the connection. Saving errors Saving errors occur when an administrator clicks Save, but the save is unsuccessful. Reasons for a save being unsuccessful include: A general error occurs where the server was busy or overloaded. Someone else deleted the rule before you tried to save it. An object in the rule being saved no longer exists. McAfee Web Gateway Cloud Service Product Guide 33

34 2 Policy management Error conditions 34 McAfee Web Gateway Cloud Service Product Guide

35 3 Authentication 3 McAfee WGCS applies your web security policy to web requests from end users after they are authenticated. Contents Authentication and policy decisions How McAfee WGCS implements the authentication options How the authentication process works IP range authentication SAML authentication IPsec site-to-site authentication Authentication and policy decisions McAfee WGCS makes policy decisions based on the information returned by each authentication option. Client Proxy authentication This option is available when Client Proxy is installed on end-user computers running Windows or Mac OS X and integrated with McAfee WGCS. Client Proxy returns your organization's ID and the names of any groups to which the end user belongs to McAfee WGCS. McAfee WGCS makes policy decisions based on group membership. IP range authentication Select this option when you want McAfee WGCS to authenticate end users based on their IP addresses. McAfee WGCS makes policy decisions based on the IP address ranges configured for your organization. SAML authentication Select this option when you want to specify the identity provider that authenticates end users in your organization. Authentication can be by any method. For example, users can be authenticated by an on-premise Active Directory service, Facebook, or Google. The authentication result and identity information are returned to McAfee WGCS in SAML assertions that contain attribute name-value pairs. McAfee WGCS makes policy decisions based on the group ID attribute value in the SAML assertions. IPsec site-to-site authentication Select this option when you want to secure communications between your network and McAfee WGCS using an IPsec VPN tunnel. McAfee WGCS makes policy decisions based on the customer ID associated with the source IP address of the IPsec communications it receives and a pre-shared key. How McAfee WGCS implements the authentication options Implementation depends on the authentication option. The authentication options are: McAfee Web Gateway Cloud Service Product Guide 35

36 3 Authentication How the authentication process works Client Proxy Client Proxy software installed on the endpoint adds headers to each HTTP or HTTPS request. The headers are encrypted using the shared secret. McAfee WGCS detects the headers, decrypts them using the shared secret, and identifies the end user. Configure Client Proxy authentication in the Policy Catalog in the McAfee epo or McAfee epo Cloud management console. Configuration is not required in the Web Protection interface. IP range McAfee WGCS checks whether the source IP address in the TCP packet that it receives is included in the IP address ranges that the customer configured as safe. If the address is included, McAfee WGCS authorizes the request. SAML The SAML option uses cookie authentication. The cookie contains user and group names. If no cookie is present in the request, McAfee WGCS redirects the request to the identity service configured for the domain name in the address entered by the end user. The identity service authenticates the user and redirects the request back to McAfee WGCS with the cookie. McAfee WGCS evaluates the cookie and extracts the user's identity. IPsec site-to-site IPsec site-to-site is a transport protocol rather than an authentication method. McAfee WGCS authenticates the IPsec VPN tunnel and the customer, but not the end user. If you add Client Proxy or SAML authentication to IPsec site-to-site, McAfee WGCS can use these methods to authenticate requests that are received through the VPN tunnel. How the authentication process works How McAfee WGCS processes web requests and performs authentication depends on several factors, including the port number where the request is received and whether IPsec site-to-site is configured. Client Proxy authentication McAfee WGCS checks for and performs Client Proxy authentication before any other authentication method. This is true when IPsec site-to-site authentication is configured and when it is not. You can combine the user authentication provided by Client Proxy with the security provided by IPsec site-to-site. To add Client Proxy authentication to IPsec site-to-site, verify that Client Proxy is configured to use port 80 when redirecting traffic to McAfee WGCS. SAML authentication Port 8084 is reserved for SAML authentication. If SAML and IPsec site-to-site authentication are configured, you can add the SAML configuration to each IPsec location. Authentication process without IPsec site-to-site configured When IPsec site-to-site is not configured, McAfee WGCS processes web requests according to the number of the port where they are received. Ports 80, 8080, 8081 McAfee WGCS processes web requests received on these ports as follows: 1 Client Proxy McAfee WGCS first checks for Client Proxy headers in the web request. If they are present, Client Proxy authentication is performed. 2 IP range If the web request does not contain Client Proxy headers, McAfee WGCS then checks whether the source IP address is included in the IP address ranges that the customer configured as safe. If the source IP address is included, McAfee WGCS authorizes the request. 3 If neither Client Proxy nor IP range authentication is performed, the web request is not authorized. Port 8084 SAML authentication is performed on all web requests received on port McAfee Web Gateway Cloud Service Product Guide

37 Authentication IP range authentication 3 Authentication process using IPsec site-to-site When IPsec site-to-site is configured, McAfee WGCS processes web requests received through the IPsec VPN tunnel as follows. 1 Client Proxy McAfee WGCS first checks for Client Proxy headers in the web request. If they are present, Client Proxy authentication is performed. 2 SAML If the web request does not contain Client Proxy headers, McAfee WGCS then checks whether a SAML configuration is associated with the IPsec configuration. If the association exists, SAML authentication is performed. 3 If neither Client Proxy nor SAML authentication is performed, the customer is authenticated, but the end user is not identified. IP range authentication You configure ranges of IP addresses that are considered safe in the management console. Then, McAfee WGCS authenticates users who send web requests from these addresses. In the IP range authentication user interface, you can: Enable or disable IP range authentication. Configure IP address ranges. Import a list of IP address ranges. Export a list of IP address ranges. Enable or disable IP range authentication You can enable or disable IP range authentication as needed. 1 From the McAfee epo Cloud menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 To enable IP range authentication, select the IP Range Authentication checkbox. To disable IP range authentication, deselect the checkbox. 4 Click Save. Configuring IP range authentication You configure ranges of IP addresses using Classless Inter-Domain Routing (CIDR) notation. CIDR notation specifies: A routing prefix to a network An IP address or range on the specified network CIDR syntax consists of an IPv4 or IPv6 address followed by a forward slash and a decimal number. The decimal number specifies the number of bits in the routing prefix and is called the network size in bits. IPv4 networks are allowed to range in size from 24 bits to 32 bits. A 24-bit IPv4 network consists of 256 addresses. IPv6 networks are allowed to range in size from 120 bits to 128 bits. A 120-bit IPv6 network consists of 256 addresses. McAfee Web Gateway Cloud Service Product Guide 37

38 3 Authentication IP range authentication Protocol Network size (bits) CIDR notation (example) Specified IP address range IPv /24 From to IPv :db8:1234:0:0:0:0:ff00/120 From 2001:db8:1234:0:0:0:0:ff00 to 2001:db8:1234:0:0:0:0:ffff Add an IP address range When configuring IP Range authentication, you can add an IP address or range to the IP Address Ranges list. 1 From the McAfee epo Cloud menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 From the IP Address Ranges menu, select Configure IP Range. The configuration field opens. 4 Using CIDR notation, enter an IPv4 or IPv6 address or range, then click Add. The entry is added to the IP Address Ranges list. 5 Continue adding IP addresses or ranges as needed, then click Save. Change an IP address range When configuring IP Range authentication, you can change an IP address or range in the IP Address Ranges list. To add an IP address or range instead of changing it, click the add (+) icon. 1 From the McAfee epo Cloud menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 From the IP Address Ranges menu, select Configure IP Range. The configuration field opens. 4 In the IP Address Ranges list, select the entry that you want to change. The entry is displayed in the configuration field. 5 Edit the entry, then click Done. The IP Address Ranges list is updated with the new entry. 6 Continue changing IP addresses or ranges as needed, then click Save. 38 McAfee Web Gateway Cloud Service Product Guide

39 Authentication IP range authentication 3 Delete an IP address range When configuring IP Range authentication, you can delete an IP address or range from the IP Address Ranges list. 1 From the McAfee epo Cloud menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 From the IP Address Ranges menu, select Configure IP Range. 4 To delete an IP address or range, click the delete (x) icon to the right of the range. 5 Click Save. Import a list of IP address ranges You can replace the IP Address Ranges list with a list that you import from a.csv file. Before you begin Review these considerations before importing a list of IP address ranges from a.csv file: The file contains one IP address or range per line. The first line in the file can contain a header. If so, select the This file contains a header row checkbox when you import the file. 1 From the McAfee epo Cloud menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 From the IP Address Ranges menu, select Import IP Range List. The Import List dialog box opens. 4 Browse to the.csv file with the list of IP addresses and ranges that you want to import, then click Import. The Import Status dialog box opens. 5 To confirm the import, click Replace. The values in the IP Address Ranges list are replaced by the values in the.csv file. 6 Click Save. Export a list of IP address ranges You can save the IP Address Ranges list to a.csv file for backup, for editing, or for import later. 1 From the McAfee epo Cloud menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. McAfee Web Gateway Cloud Service Product Guide 39

40 3 Authentication SAML authentication 3 From the IP Address Ranges menu, select Export IP Range List. The Opening IP_range_list_null.csv dialog box opens. 4 Select Save File, then click OK. 5 Specify a file name and location, then click Save. SAML authentication Using SAML 2.0 authentication, McAfee WGCS supports organizations that want to use their own identity service to authenticate end users. In addition to the end user, the SAML specification defines these roles: Identity provider Authenticates the end user and provides assertions attesting to the user's identity. The identity provider is any identity service that your organization specifies. Service provider Decides whether to provide the service requested by the end user based on the identity information received from the identity provider. The end user is requesting access to a web resource. As the service provider, McAfee WGCS forwards the user's request to the cloud with the identity information or blocks the request. The identity provider and service provider communicate using a request-response protocol: SAML request The service provider sends a request for authentication to the identity provider. SAML response The identity provider sends a response with one or more SAML assertions about the end user to the service provider. Benefits of SAML authentication SAML authentication provides these benefits. SAML authentication: Supports any identity provider and authentication method, as long as the authentication request, response, and result are exchanged using the SAML 2.0 protocol. Eliminates passwords from the exchange of information between the SAML parties. McAfee WGCS does not require a password from the end user. Instead, the identity provider shares all authentication and identity information in the form of SAML assertions. SAML authentication high-level steps Before applying your organization's web policy to the end user, McAfee WGCS requires the user identity and group information provided by the SAML authentication process. The SAML authentication process consists of these high-level steps. 40 McAfee Web Gateway Cloud Service Product Guide

41 Authentication SAML authentication 3 1 The end user requests access to a web resource. The request includes the URL of the resource, but no identifying information about the user or the user's organization. 2 McAfee WGCS receives the request and returns a block page, prompting the user for an address. 3 The user returns an address. 4 McAfee WGCS looks up the domain name, which is part of the end user's address, in the list of configured domains. If the domain name exists, the cloud service initiates SAML authentication by redirecting the SAML request in a cookie through the user's browser to the identity provider configured for that domain. The SAML request includes these values: Entity ID Identifies McAfee WGCS as the issuer of the SAML request. This value is assigned by your organization. Service provider URL Specifies the URL that McAfee WGCS uses for SAML communication. This URL has a constant value: 5 To validate the SAML request, the identity provider looks up the entity ID and service provider URL. If they are configured, the identity provider authenticates the end user, then redirects the SAML response in a cookie through the user's browser to McAfee WGCS. The response contains SAML assertions attesting to the user's identity and providing information about the user and the user's groups. McAfee Web Gateway Cloud Service Product Guide 41

42 3 Authentication SAML authentication The SAML response includes these values: Entity ID Identifies the identity provider as the issuer of the SAML response. This value is assigned by your organization. Identity Provider URL Specifies the URL of the identity provider service. This value is provided by your organization. 6 To validate the SAML response, McAfee WGCS looks up the entity ID and identity provider URL. If they are configured and the user is authenticated, McAfee WGCS applies your organization's web policy to the end user and allows or blocks access to the requested web resource. SAML configuration overview SAML authentication requires configuration in your identity provider, on the client computers in your organization, and in the management console. Configuration in your identity provider For SAML communication with McAfee WGCS, configure your identity provider to use this URL: Because the cloud service consumes SAML assertions sent by the identity provider, this setting is known as the Assertion Consumer Service (ACS) URL. Several SAML settings are configured in the management console and in your identity provider. For SAML authentication to succeed, these settings must match exactly. Configuration in the client browsers For SAML authentication using McAfee WGCS, configure the client browsers in your organization to send web requests to port 8084, as follows: c<customer_id>.saasprotection.com:8084 Configuration in the management console Configuring SAML authentication in the management console includes these overall tasks: Authentication Settings user interface Configure the SAML authentication settings. Policy Management user interface Configure SSL scanning. Considerations when configuring SAML authentication Before configuring SAML authentication, review these considerations. Setting up SSL scanning SSL scanning is required for SAML authentication. Enabling SAML authentication automatically enables SSL scanning, which you configure in the Policy Management user interface. To set up SSL scanning: 1 Configure an SSL scanner policy. 2 Download the SSL certificate bundle. 3 Install the SSL certificates on the browsers and operating systems running on the client computers in your organization. For more information about SSL scanning, see the Policy management chapter. 42 McAfee Web Gateway Cloud Service Product Guide

43 Authentication SAML authentication 3 Whitelisting the identity provider URL When configuring McAfee WGCS as the proxy server using a PAC file or other proxy configuration method, whitelist the identity provider URL. Failing to take this step can cause SAML communications between the end user and the cloud service to enter an infinite loop. Configuring SAML in the management console In the SAML authentication user interface, you can configure SAML authentication and enable or disable the configuration. s Enable or disable SAML authentication on page 43 You can enable or disable SAML authentication as needed. Configure SAML authentication on page 43 After configuring SAML authentication, you can use your own identity provider and share authentication and identity information with McAfee WGCS in the form of SAML assertions. Enable or disable SAML authentication You can enable or disable SAML authentication as needed. 1 From the McAfee epo Cloud menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select SAML. The Details pane opens on the right. 3 To enable editing, click the pencil icon, then select an option: To enable SAML authentication Select the Enable SAML Authentication checkbox. To disable SAML authentication Deselect the Enable SAML Authentication checkbox. 4 Click Save. Configure SAML authentication After configuring SAML authentication, you can use your own identity provider and share authentication and identity information with McAfee WGCS in the form of SAML assertions. Before you begin To configure SAML authentication, you need the following information: Names of one or more domains that identify your organization URL of your identity provider Entity ID assigned to McAfee WGCS by your organization Entity ID assigned to your identity provider by your organization Name of attribute that uniquely identifies end users Name of attribute that lists group memberships McAfee Web Gateway Cloud Service Product Guide 43

44 3 Authentication SAML authentication Names of groups in your organization Certificate for verifying signed SAML responses and assertions Several SAML settings are configured in the management console and in your identity provider. For SAML authentication to succeed, these settings must match exactly. 1 From the McAfee epo Cloud menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select SAML. The Details pane opens on the right. 3 To enable editing, click the pencil icon, then configure the domains, SAML request, and SAML response fields and settings. 4 To provide a certificate, click the pencil icon. The Edit Certificate dialog box opens. 5 Download the certificate file from your identity provider service and open the file in a text editor. Copy the contents of the file, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and paste the contents in the dialog box, then click Save. The dialog box closes and the certificate is saved. 6 Click Save. SAML authentication is configured and saved. SAML authentication settings To configure SAML authentication, provide values for these settings. Table 3-1 SAML authentication settings Option Enable SAML Authentication Domain(s) Definition When selected, enables SAML authentication. Specifies a list of domain names (one per line). McAfee WGCS uses these values to identify your organization. McAfee WGCS looks up the domain name, which is part of the end user's address, in the list of configured domains. If the domain name exists, the cloud service initiates SAML authentication by redirecting the SAML request in a cookie through the user's browser to the identity provider configured for that domain. Request McAfee WGCS uses these settings when sending SAML requests to the identity provider. Entity ID Uniquely identifies the service provider issuing the SAML request. Example: McAfeeWGCS The identity provider uses the entity ID to identify SAML requests sent by McAfee WGCS. You also specify this setting when configuring SAML authentication in the identity provider service. The value that you specify in the identity provider must exactly match the value that you specify in the management console. 44 McAfee Web Gateway Cloud Service Product Guide