In this guide I will go through the process of setting up McAfee Web Gateway for NTLM domain authentication. This lets the proxy appliance query Active Directory so you can allow or deny internet access for individual users and groups. By the end of the process the proxy will authenticate users and apply the default block category list to them, giving you standard internet filtering.
Adding the NTLM Authentication Option to McAfee Web Gateway
The first step is to enable NTLM authentication on the McAfee Web Gateway appliance so that the setting can be referenced from the rule set we will create later. To do so select:
Policy > Authentication > Right click > Add
Once Add has been selected, set the following:
Authentication Method > NTLM. Proxy Realm > Your Domain. Default NTLM Domain > Your Domain.
Also make sure "get local and global groups" is selected. Without it the appliance retrieves only the user's identity, not their group memberships, and the group checks we add in the rule set would never match. Click Save in the top right-hand corner.
Creating a Rule Set to Allow Domain Users Out on McAfee Web Gateway
Now that the NTLM setting exists we can create a rule set that calls it: the rule set authenticates the user against AD, retrieves their group memberships, and then checks whether one of those groups is permitted to browse the web.
First create a Top Level Rule Set. To do so go to:
Rule Sets > Add > Top Level Rule Set
Then select:
Import Rule From Library
The rule set we will use is Explicit Proxy Authentication. With this rule set the client authenticates to the proxy, and the proxy in turn confirms the credentials with AD. Select the following:
Rule Set Library > Authentication > Explicit Proxy Authentication > Autosolve all conflicts > Solve by referring to existing objects
Next edit the first sub rule in the Explicit Proxy Authentication top-level rule set:
Right click > Edit
Scroll up in the left-hand pane of the rule editor until you find the rule that says:
Authenticate > Authenticate - User and get group membership.
Change the authentication setting to the NTLM setting you created in stage 1. Then click OK and Save.
Next select the second sub rule and add the groups that are allowed access. To do so:
Select Authorize User Groups > Allowed User Groups
Select either User or Group, click the "+" sign, and manually enter a group or user name that exactly matches the AD user or group name. There is no lookup here, so a typo or a display name used in place of the real group name simply means the rule never matches and those users are denied. Click Save again; the rule set is now fully configured with AD permissions.
You can of course create sub rule sets for each individual AD group that control which URL categories that group has access to. Below we give users the generic category list.
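Before adding filtering it is worth confirming that the authentication rule set actually challenges clients. An explicit proxy that requires authentication answers an unauthenticated request with HTTP 407 and a Proxy-Authenticate header naming the schemes it accepts, so NTLM should appear there once the rule set above is active. The following script is an added example, not part of the original guide or of McAfee's product: it sends one unauthenticated request through the proxy and reports the status and offered schemes. The proxy host name and port are placeholders (assumptions), and the sample response bytes used in the test are constructed, not captured from a real appliance.

```python
"""Probe an explicit proxy to confirm it challenges for NTLM authentication.

Added example, not McAfee's code. Assumes the Web Gateway is reachable as an
explicit proxy at PROXY_HOST:PROXY_PORT (both values are placeholders).
"""
import re
import socket
import sys
from typing import Dict, List, Tuple

PROXY_HOST = "proxy.example.local"  # assumption: your Web Gateway address
PROXY_PORT = 9090                   # assumption: the explicit proxy port in use

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Return (status code, headers) from the head of a raw HTTP response.

    Header names are lower-cased; repeated headers keep every value, because
    a proxy may send one Proxy-Authenticate line per scheme.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def proxy_auth_schemes(headers: Dict[str, List[str]]) -> List[str]:
    """List the authentication schemes offered in Proxy-Authenticate headers.

    Each header may carry one scheme ("NTLM") or several separated by commas;
    only the leading scheme token of each part is kept, so parameters such as
    realm="..." on a Basic challenge are ignored.
    """
    schemes: List[str] = []
    for value in headers.get("proxy-authenticate", []):
        for part in value.split(","):
            token = part.strip().split(" ", 1)[0]
            if _SCHEME.match(token) and token.upper() not in {s.upper() for s in schemes}:
                schemes.append(token)
    return schemes


def evaluate(status: int, schemes: List[str]) -> str:
    """Summarise what the proxy did with an unauthenticated request."""
    if status == 407:
        if any(s.upper() == "NTLM" for s in schemes):
            return "ntlm-challenge"      # what we expect after the rule set is active
        return "other-challenge"         # 407 but NTLM not offered: check the setting
    return "no-challenge"                # the proxy answered without authenticating


def probe(proxy_host: str, proxy_port: int,
          url: str = "http://example.com/", timeout: float = 5.0) -> dict:
    """Send one unauthenticated GET through the proxy and classify the reply."""
    host = url.split("//", 1)[-1].split("/", 1)[0]
    request = (f"GET {url} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: mwg-ntlm-probe\r\nProxy-Connection: close\r\n\r\n").encode()
    raw = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in raw:          # read until the header block is complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    status, headers = parse_response(raw)
    schemes = proxy_auth_schemes(headers)
    return {"status": status, "schemes": schemes, "verdict": evaluate(status, schemes)}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else PROXY_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PROXY_PORT
    print(probe(host, port))
```

Run it with the appliance address and port; a verdict of "ntlm-challenge" means the Explicit Proxy Authentication rule set is in place and offering NTLM. "no-challenge" usually means the request hit a rule that allowed or blocked it before the authentication rule ran, or the rule set is not enabled. The authenticated path itself is easiest to check with a client that speaks NTLM, for example curl with --proxy-ntlm and --proxy-user, from an account inside an allowed group and from one outside it.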
Enabling Internet Filtering by Category
We now add the allowed/blocked category list to this rule set. To do so:
Right click Authorize User Groups > Add > Rule Set from Library > URL Filter > URL Filtering by Category > Auto Solve Conflicts
The groups you selected are now filtered by the built-in library rule for category browsing. If you want to see or change the individual category rules, remember to unlock the rule set first. As mentioned, you can now create additional rule sets for other users with more or less restrictive filtering by adding the same library rule set and adjusting which categories are allowed and blocked. Remember to click Save!