KevinGallaugher
F5 Employee

Introduction

SSL Orchestrator centralizes and manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and scale further.

An integrated F5 and McAfee Web Gateway solution eliminates the blind spots introduced by SSL/TLS encrypted content.

Versions Tested

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

  • F5 BIG-IP version 17.1
  • SSL Orchestrator version 11.0
  • McAfee Web Gateway version 11.2
  • McAfee Web Gateway will be configured as a Transparent Proxy


McAfee Web Gateway (MWG) Configuration

Configure the Transparent Web Proxy as follows and click the plus sign under Port Redirects.

[Screenshot]

Set the Destination proxy port to 80 and click OK.

[Screenshot]

Click Save Changes.

[Screenshot]

Configure the Network Interfaces as follows.

[Screenshot]

Specify the IP address and mask to be used for eth2, 10.0.0.55 255.255.255.0 in this example.

[Screenshot]

Specify the IP address and mask to be used for eth3, 10.1.1.5 255.255.255.0 in this example.
The Default Gateway will be a Self IP address on SSL Orchestrator, 10.1.1.1 in this example.

BIG-IP SSL Orchestrator Configuration

The BIG-IP VLAN settings should look like the following:

[Screenshot]

  • 10.0.0.0 is the interface used for Transparent Proxy connections to the MWG
  • 10.1.1.0 is the interface used for Transparent Proxy connections to SSL Orchestrator
  • North_vlan is used for network connectivity from the BIG-IP to the North
  • South_vlan is used for network connectivity from the BIG-IP to the South

The BIG-IP Self IPs setting should look like the following:

[Screenshot]

  • 10.0.0.1 will be used for Transparent Proxy connections to the McAfee Web Gateway
  • 10.1.1.1 will be used for Transparent Proxy connections from the McAfee Web Gateway

Note: in this example SSL Orchestrator is deployed with an L3 Outbound Topology. That’s what the other two Self IPs are for. Your configuration will look different if using an L2 Topology.


Navigate to SSL Orchestrator > Configuration.

[Screenshot]

Create the McAfee Web Gateway Service

Under Services, click Add.

[Screenshot]

In the Service Catalog select the Inline HTTP tab, then double-click McAfee Web Gateway HTTP Proxy.

[Screenshot]

Give it a name, MWG in this example.
Under Service Definition unselect the option to Auto Manage Addresses.

[Screenshot]

Set the Proxy Type to Transparent.

[Screenshot]

For the To Service VLAN select 10.0.0.1 (VLAN 10.0.0.0).
Click Add for HTTP Proxy Devices.

[Screenshot]

Enter the MWG IP address, 10.0.0.55 in this example. Click Done.

[Screenshot]

For the From Service VLAN select 10.1.1.1 (VLAN 10.1.1.0).

[Screenshot]

Enable Port Remap. Set the Remap Port to 80.

[Screenshot]

Set Manage SNAT Settings to Auto Map.

[Screenshot]

Click Save & Next at the bottom.

[Screenshot]

Click the name of the Service Chain.

[Screenshot]

Select the MWG Service from the left and click the arrow to move it to the right. Click Save.

[Screenshot]

Click OK.

[Screenshot]

Click Save & Next at the bottom.

[Screenshot]

Click Deploy.

[Screenshot]

Click OK to the Success message.

[Screenshot]

When done it should look like the following:

[Screenshot]

From the Services screen, if you expand the Pool Member Status you should see the McAfee Web Gateway.

[Screenshot]

Testing the Configuration

In this example there is a Windows client that connects through SSL Orchestrator to a Windows server running the following web site:

https://10.4.11.52

Test this connection now; it should look like the following:

[Screenshot]

In this example the MWG is configured with a Custom Category to block connections to http://10.4.11.99. When attempting to connect to this site with a web browser you should see a block page like the following:

[Screenshot]

Conclusion

This completes configuration of BIG-IP SSL Orchestrator with McAfee Web Gateway. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the MWG Service and inspected for malicious payloads or policy violations.

 

Last update: 12-Jun-2023 13:15