Integrating SSL Orchestrator with McAfee Web Gateway-Explicit Proxy

Introduction

The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic?

An integrated F5 and McAfee Web Gateway solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more McAfee Web Gateways, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS.

Versions Tested

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

F5 BIG-IP version 17.1

SSL Orchestrator version 11.0

McAfee Web Gateway version 11.2

McAfee Web Gateway will be configured as an Explicit Proxy.

Additional Help

A demo video of this article is available below.

If setting up SSL Orchestrator for the first time, refer to the Deployment Guide available HERE.

For information on SSL Certificate considerations and trust, click HERE.

McAfee Web Gateway (MWG) Configuration

Configure the Explicit Web Proxy as follows:

Configure a Network Interface as follows:

Specify the IP address and mask to be used, 10.0.0.55 255.255.255.0 in this example.

The Default Gateway will be the Self IP address SSL Orchestrator uses for explicit proxy connections, 10.0.0.1 in this example.

BIG-IP SSL Orchestrator Configuration

The BIG-IP VLAN settings should look like the following:

The 10.0.0.0 VLAN is the interface used for Explicit Proxy connections to the MWG.

North_vlan is used for network connectivity from the BIG-IP to the North.

South_vlan is used for network connectivity from the BIG-IP to the South.

The BIG-IP Self IPs setting should look like the following:

10.0.0.1 will be used for Explicit Proxy connections to the McAfee Web Gateway.

Note: in this example SSL Orchestrator is deployed with an L3 Outbound Topology. That’s what the other two Self IPs are for. Your configuration will look different if using an L2 Topology.

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

Navigate to SSL Orchestrator > Configuration.

Create the McAfee Web Gateway Service

Under Services, click Add.

In the Service Catalog, select the Inline HTTP tab, then double-click McAfee Web Gateway HTTP Proxy.

Give it a name, MWG in this example. Under Service Definition, unselect the option to Auto Manage Addresses.

For the To Service VLAN select 10.0.0.1 (VLAN 10.0.0.0).

Click Add for HTTP Proxy Devices.

Enter the MWG IP address, 10.0.0.55 in this example. Set the port to 80. Click Done.

Note: the McAfee HTTP Proxy port is specified in Configuration > Appliances > Proxies.

For the From Service VLAN select 10.0.0.1 (VLAN 10.0.0.0).

Set Manage SNAT Settings to Auto Map.

Click Save & Next at the bottom.

Click the name of the Service Chain.

Select the MWG Service from the left and click the arrow to move it to the right. Click Save.

Click OK.

Click Save & Next at the bottom.

Click Deploy.

Click OK to the Success message.

When done it should look like the following:

From the Services screen, if you expand the Pool Member Status you should see the McAfee Web Gateway.

Testing the Configuration

In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:

https://10.4.11.52

Test this connection now and it should look like the following:

In this example the MWG is configured with a Custom Category to block connections to http://10.4.11.99. When attempting to connect to this site with a web browser, you should see a block page like the following:
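The two browser tests above can be scripted from the Windows client so the result is repeatable after every deploy. The script below is an added example, not part of the original article or an F5/McAfee tool: it fetches the allowed and blocked sites from the article, classifies each response, and additionally checks that the certificate the client receives for the allowed site is issued by the SSL Orchestrator forging CA, which confirms that decryption (and therefore MWG inspection) is actually taking place. The CA common name (SSLO_CA_CN) and the block-page text (BLOCK_MARKER) are assumptions; adjust them to your SSLO CA and MWG block page template.

```python
"""Added validation script (not from the original article): checks that a client
behind SSL Orchestrator reaches the allowed test site, sees a server certificate
issued by the SSLO forging CA, and receives the MWG block page for the blocked
site. Hosts come from the article; CA name and block-page marker are assumptions."""
import ssl
import socket
import urllib.request
import urllib.error

ALLOWED_URL = "https://10.4.11.52"      # allowed site from the article
BLOCKED_URL = "http://10.4.11.99"       # site blocked by the MWG custom category
SSLO_CA_CN = "SSLO-Forging-CA"          # assumption: CN of the SSLO issuing CA
BLOCK_MARKER = "McAfee Web Gateway"     # assumption: text present on the MWG block page


def verdict(status, body):
    """Classify an HTTP result as 'blocked', 'allowed' or 'unexpected'."""
    if BLOCK_MARKER.lower() in body.lower():
        return "blocked"
    if 200 <= status < 300:
        return "allowed"
    return "unexpected"


def issued_by(cert, expected_cn):
    """True if the issuer CN in an ssl.getpeercert() dict equals expected_cn."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName" and value == expected_cn:
                return True
    return False


def fetch(url):
    """Return (status, body) for url; an HTTP error (e.g. the 403 block page) still yields its body."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def peer_cert(host, port=443):
    """Return the certificate the client actually sees for host, validated against
    the local trust store (which must already contain the SSLO CA)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    status, body = fetch(ALLOWED_URL)
    print("allowed site:", verdict(status, body))
    print("decrypted by SSLO:", issued_by(peer_cert("10.4.11.52"), SSLO_CA_CN))
    status, body = fetch(BLOCKED_URL)
    print("blocked site:", verdict(status, body))
```

If "decrypted by SSLO" prints False while the allowed site still loads, the client is reaching the server without passing through the topology, so the MWG never sees the traffic.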

Conclusion

This completes configuration of BIG-IP SSL Orchestrator with McAfee Web Gateway. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the MWG Service and inspected for malicious payloads or policy violations.

Updated Jun 08, 2023
Version 5.0