McAfee Client Proxy Software


Product Guide

McAfee® Client Proxy 1.0.0 Software


COPYRIGHT

Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement


Contents

Preface 5

About this guide . . . 5

Audience . . . 5

Conventions . . . 5

Abbreviations . . . 6

Find product documentation . . . 6

1 About McAfee Client Proxy 7

About McAfee Web Hybrid . . . 7

Enforcing security policies with McAfee Client Proxy . . . 8

The McAfee Client Proxy policy . . . 9

Proxy servers . . . 9

Bypass lists . . . 9

Block lists . . . 10

Customer ID and password . . . 11

2 Setting up McAfee Client Proxy with ePolicy Orchestrator 13

Verify system requirements . . . 13

Install the McAfee Client Proxy extension . . . 14

Check in the McAfee Client Proxy client package to ePolicy Orchestrator . . . 15

Select a policy . . . 15

Deploy McAfee Client Proxy with ePolicy Orchestrator . . . 15

3 Configuring McAfee Client Proxy 17

Create a McAfee Client Proxy policy . . . 17

Create a policy . . . 18

Create a proxy server list . . . 18

Create a bypass list . . . 19

Create a block list . . . 20

Configure the client . . . 21

Import and export policy files . . . 23

Cancel policy enforcement . . . 23

A Manual deployment of McAfee endpoint software products 25

Deploying with Microsoft Systems Management Server . . . 25

Create an installation package . . . 25

Create the advertisement . . . 26

Create the SMS uninstall package . . . 27

Create an SMS uninstall package to run from a command line . . . 27


Preface

This guide provides the information you need for all phases of product use, from installation to configuration to troubleshooting.

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Security officers — People who determine sensitive and confidential data, and define the corporate policy that protects the company's intellectual property.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold Text that is strongly emphasized.

User input or Path Commands and other text that the user types; the path of a folder or program.

Code A code sample.

User interface Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.


Abbreviations

This guide uses the following abbreviations:

AD (Microsoft) Active Directory
FTP File Transport Protocol
HTTP / HTTPS Hypertext Transfer Protocol / HTTP over Secure Sockets
LDAP Lightweight Directory Access Protocol
NTLM NT LAN Manager
SaaS Software as a Service (specifically, McAfee SaaS Web Protection Service)
SMS (Microsoft) Systems Management Server
TCP Transmission Control Protocol
VPN virtual private network
XML Extensible Markup Language

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access... Do this...

User documentation
1 Click Product Documentation.
2 Select a product, then select a version.
3 Select a product document.

KnowledgeBase
• Click Search the KnowledgeBase for answers to your product questions.
• Click Browse the KnowledgeBase for articles listed by product and version.


1 About McAfee Client Proxy

McAfee® Client Proxy software is a technology that enables the McAfee Web Hybrid Security solution. It is designed to extend network security solutions to users working outside the corporate network by redirecting web traffic and network communications from laptops and other computers that are used when disconnected from the corporate network.

McAfee Client Proxy software extends traditional network security solutions such as McAfee® Web Gateway to users working outside the corporate network. It can also be used to extend the McAfee® SaaS Web Protection Service when that service is configured for network protection. In doing this, it answers the need to secure systems such as laptops that travel back and forth between the secured environment and an open environment.

McAfee Client Proxy software is location aware, that is, software that recognizes its environment — whether inside the corporate network, connected to the network by VPN, or external to the network. When inside a McAfee Web Gateway‑secured network, or connected to it by VPN, it remains passive and allows enforcement of security policies in the normal manner. When outside the network, it reroutes communication to McAfee SaaS Web Protection Service to provide the same protection. For enterprises protected with McAfee SaaS Web Protection Service, McAfee Client Proxy software can be set to always redirect to bypass the location detecting feature and only use McAfee SaaS Web Protection Service for enforcing security policies.

McAfee Client Proxy software is tamper‑proof. A user cannot remove the software, or terminate or otherwise bypass the client process, without an administrator‑generated security key.

Contents

About McAfee Web Hybrid

Enforcing security policies with McAfee Client Proxy

The McAfee Client Proxy policy

About McAfee Web Hybrid

The McAfee Web Hybrid solution allows organizations to switch between network‑based and cloud‑based security solutions depending on the location of the protected computer.

Organizations have been using web gateways and other network‑based protection mechanisms in their networks for years. These solutions don't solve the problem of protecting corporate equipment outside of the corporate network. When users take corporate equipment such as laptops on business travel, or to work from home, they leave the secure zone and are left with just the locally installed defenses on the laptop.

The goal of the McAfee Web Hybrid solution is to leverage and synchronize the threat protection and internet access control capabilities of McAfee Web Gateway appliances and cloud‑based McAfee SaaS Web Protection Service and to allow organizations to switch between them dynamically and automatically depending on location.


For more information on the McAfee SaaS Web Protection Service and McAfee Web Gateway appliances, and how to set them up to work with McAfee Client Proxy, see the McAfee Web Hybrid Deployment Guide.

Enforcing security policies with McAfee Client Proxy

A typical use case is using McAfee Client Proxy to enforce security policies when a computer travels out of the corporate network.

McAfee Web Gateway appliances are widely used to apply network‑based security policies. McAfee Client Proxy client software can extend those policies to computers used outside the network.

Figure 1-1 McAfee Client Proxy in a McAfee Web Hybrid Security solution

• Computer 1 is not connected to the corporate network. McAfee Client Proxy software is active and reroutes communications to McAfee SaaS Web Protection Service for enforcement of corporate web protection policies on the roaming laptop.

• Computer 2 is connected to the corporate network. McAfee Client Proxy software is passive and web traffic goes through the McAfee Web Gateway appliance for enforcement of corporate web protection policies.


Using McAfee Client Proxy in a pure SaaS environment

In many organizations, the McAfee SaaS Web Protection Service is used with network‑based security policies. For example, firewall redirection by transparent proxy or explicit proxy plus NTLM identification assume the user is inside the corporate network.

Also, when computers are set up to connect to the cloud server from outside the network, it is relatively easy for a user to reset the designated proxy server in the browser settings, thus bypassing the security system.

For these and other reasons, an organization might choose McAfee Client Proxy software as the mechanism for connecting to the McAfee SaaS Web Protection Service. To facilitate this, the McAfee Client Proxy client configuration contains an option to Always redirect, making the software active both within and outside of the corporate network.

The McAfee Client Proxy policy

McAfee Client Proxy software does not define or enforce a security policy. It defines when and how to connect to a security server to apply the security policy.

A McAfee Client Proxy policy consists of proxy server lists, bypass lists, and block lists. It also includes connection information and a user ID and password to identify which policies to apply. Data such as blocked/allowed categories and trusted/untrusted hosts are synchronized with the McAfee Web Gateway appliance and McAfee SaaS Web Protection Service.

Proxy servers

McAfee Client Proxy redirects network traffic to McAfee Web Gateway or McAfee SaaS Web Protection Service servers for application of corporate security policies.

McAfee Client Proxy software is location aware. When the client software determines that the computer is disconnected from the corporate network, it starts redirecting network traffic to proxy servers. When the McAfee Client Proxy client software determines that it is connected to the corporate network directly or through VPN, it works in bypass mode. This means that the client software intercepts the TCP connections but lets them pass to the original destination without modifying the traffic.

The main goal of McAfee Client Proxy software is to redirect HTTP and HTTPS traffic to a McAfee Web Gateway or McAfee SaaS Web Protection Service server. As it redirects HTTP and HTTPS traffic, the client software adds metadata to the request. Identification token, Windows domain username (encrypted), and the list of Windows AD groups to which the logged on user belongs (encrypted) are examples of added metadata. This information is used by the McAfee Web Gateway to verify that McAfee Client Proxy is redirecting the data, and also to determine the policy rules that apply to the request based on the end user name and the AD groups to which the user belongs.

The McAfee Client Proxy software can also redirect other protocols to proxy servers. The client software identifies protocols such as FTP and SNMP by their port number and redirects the data as‑is without adding any metadata to the traffic.

Bypass lists

To improve performance, McAfee Client Proxy maintains lists of web destinations and processes that do not need to be redirected.

Redirection to a server enforcing a security policy carries a certain amount of overhead. Bypass lists ("ignore" lists) make the client proxy more transparent by only activating the redirection when necessary. You configure the bypass list from the Bypass List page in McAfee Client Proxy Settings.


A bypass list is a list of domain names, network addresses, and network ports that the user can connect to directly, bypassing the security policy. When web destinations considered "safe" are placed on a bypass list, connecting to them does not activate redirection to the security policy server.

The bypass list can also include process names used to connect to the internet that are considered safe. Use process bypass‑listing for VPN software, Microsoft update, and other processes that should be allowed to connect directly to the internet.

A Common Catalog instance is created for each McAfee Client Proxy policy. When you edit the bypass list, you edit this instance, which is linked to the specific McAfee Client Proxy policy.

You can bypass‑list HTTP requests by domain name, however, you cannot specify sub‑paths within the domain name. For example, if you add mcafee.com to the bypass list, you will also bypass redirection for http://www.mcafee.com/us/products/data‑protection/ and sales.mcafee.com.

Common Catalog

McAfee® Common Catalog is an ePolicy Orchestrator feature that acts as a repository for standard definitions used by multiple McAfee point products.

McAfee Client Proxy uses four types of content from the Common Catalog to define bypass lists:

• Domain name
• Network address
• Network port
• Process name (.exe)

A unique instance of the catalog for each McAfee Client Proxy policy is created automatically, and is edited on the Bypass List page. This catalog instance is linked to the McAfee Client Proxy policy.

Block lists

McAfee Client Proxy stores a list of applications that are blocked without reference to the security policy enforced by the cloud security server.

A block list is a list of processes for which network communication is permanently blocked. You configure the block list from the Block List page in McAfee Client Proxy Settings. Using a block list reduces the need for redirection to the cloud server. On the other hand, it is an absolute list that might be more restrictive than the security policy if not designed carefully.

Adding a process to the block list means that all ports used by the process are blocked except those redirected by the McAfee Client Proxy client.

For example, in a standard configuration McAfee Client Proxy redirects ports 80 and 443 by default but other ports are not configured. In this situation, listing common browsers on the block list leads to HTTP/HTTPS traffic being redirected but any other traffic, such as FTP (port 21), being blocked. The Block List page gives the administrator three options:


• Allow traffic to go directly to the destination

That is, no applications are blocked automatically and blocking policy is applied by the cloud security server.

• Block traffic for all processes

Only processes specifically listed on the bypass list are allowed.

We do not recommend using this option, as it can block all network connectivity, rendering the client computer unreachable by the security server and preventing the user from working on it.

• Block traffic only for the following processes

A process list is created on the Block List page, and only those processes are blocked.
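A constructed model of the bypass-list and block-list decision described above, added here as an illustration and not McAfee's own code. The class, function and process names are assumptions; "Block traffic for all processes" is modelled as every process being block-listed, and the model covers the roaming (active) state in which ports 80 and 443 are redirected. It also shows why a bypass entry typed with a path still covers the whole domain, since sub-paths cannot be specified.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed default ports per scheme; the guide names 80/443 (HTTP/HTTPS) and 21 (FTP).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


@dataclass
class ClientProxyPolicy:
    """Hypothetical model of the policy elements the guide describes."""
    redirect_ports: frozenset = frozenset({80, 443})   # "ports 80 and 443 by default"
    bypass_domains: frozenset = frozenset()
    bypass_addresses: frozenset = frozenset()
    bypass_ports: frozenset = frozenset()
    bypass_processes: frozenset = frozenset()
    block_mode: str = "allow"   # "allow" | "block_all" | "block_listed"
    blocked_processes: frozenset = frozenset()


def normalize_domain_entry(entry):
    """Reduce a bypass entry to a bare domain name.

    Sub-paths cannot be specified on a bypass list, so an entry typed as
    'http://www.mcafee.com/us/products/' would bypass the whole host. Any scheme
    or path is stripped so the caller sees what the entry really matches.
    """
    entry = entry.strip().lower()
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    else:
        entry = entry.split("/", 1)[0]
    return entry.rstrip(".")


def domain_bypassed(host, bypass_domains):
    """True when host equals a bypass domain or is a subdomain of it.

    Matching is on a label boundary: 'mcafee.com' covers 'sales.mcafee.com'
    but not 'notmcafee.com'.
    """
    host = host.lower().rstrip(".")
    for entry in bypass_domains:
        domain = normalize_domain_entry(entry)
        if domain and (host == domain or host.endswith("." + domain)):
            return True
    return False


def classify(policy, process, url):
    """Decide what the roaming client does with one connection.

    Returns 'direct', 'redirect' or 'block'. Order follows the guide: bypass-listed
    destinations and processes go direct; redirected ports go to the proxy server
    even for a blocked process; then the block list mode decides; the rest goes direct.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 0)
    proc = process.lower()

    if (domain_bypassed(host, policy.bypass_domains)
            or host in policy.bypass_addresses
            or port in policy.bypass_ports
            or proc in policy.bypass_processes):
        return "direct"
    if port in policy.redirect_ports:
        return "redirect"
    if policy.block_mode == "block_all":          # assumption: every process is block-listed
        return "block"
    if policy.block_mode == "block_listed" and proc in policy.blocked_processes:
        return "block"
    return "direct"


if __name__ == "__main__":
    # Constructed policy: the guide's own 'mcafee.com' bypass example, default
    # redirected ports, and common browsers on the block list.
    policy = ClientProxyPolicy(
        bypass_domains=frozenset({"mcafee.com"}),
        bypass_processes=frozenset({"vpnclient.exe"}),   # constructed process name
        block_mode="block_listed",
        blocked_processes=frozenset({"chrome.exe", "firefox.exe"}),
    )
    for proc, url in [
        ("chrome.exe", "http://www.mcafee.com/us/products/data-protection/"),
        ("chrome.exe", "https://sales.mcafee.com/"),
        ("chrome.exe", "https://notmcafee.example/"),
        ("chrome.exe", "ftp://files.example.test/"),      # blocked: port 21 not redirected
        ("outlook.exe", "ftp://files.example.test/"),     # direct: not on the block list
    ]:
        print(f"{proc:12} {url:55} -> {classify(policy, proc, url)}")
```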

Customer ID and password

Identity is an integral part of security and policy decisions. McAfee Client Proxy software includes a customer ID in its policy definition.

In order to determine which security policy to apply and when to apply it, McAfee Client Proxy software needs to identify the computer user. The customer ID is an XML file containing an ID number and a hashed password, provided by the McAfee Web Gateway or SaaS server administrator. Before defining a policy, the McAfee Client Proxy administrator must request the ID from the SaaS or McAfee Web Gateway administrator. The exact details of how this ID is produced and distributed are beyond the scope of this document. The McAfee Client Proxy software browses to this XML file to insert the ID into the policy.


2 Setting up McAfee Client Proxy with ePolicy Orchestrator

McAfee Client Proxy software can be configured from McAfee® ePolicy Orchestrator® or the McAfee SaaS Web Protection Service Control Console. Although other alternatives exist, the client software is typically distributed to client computers with ePolicy Orchestrator.

Contents

Verify system requirements

Install the McAfee Client Proxy extension

Check in the McAfee Client Proxy client package to ePolicy Orchestrator

Select a policy

Deploy McAfee Client Proxy with ePolicy Orchestrator

Verify system requirements

The following hardware is recommended for running McAfee Client Proxy software version 1.0.0 in McAfee ePO.

Table 2-1 Hardware requirements

Hardware type Specifications

Servers — Run the McAfee ePO server and McAfee Client Proxy server software.
• CPU — Intel Pentium IV 2.8 GHz or higher
• RAM — 1 GB minimum
• Hard Disk — 80 GB minimum

Client computers — Run the McAfee Client Proxy client software.
• CPU — Pentium III 1 GHz or higher
• RAM — 1 GB minimum
• Hard Disk — 200 MB minimum free disk space

The following operating system software is currently supported.


Table 2-2 Operating systems supported

Computer type Software

Servers — Run the McAfee ePO server and McAfee Client Proxy server software.
• Windows 2003 Server Standard (SE) SP1 or later 32‑ or 64‑bit
• Windows 2003 Enterprise (EE) SP1 or later 32‑ or 64‑bit
• Windows 2008 Server Enterprise 32‑ or 64‑bit

Client computers — Run the McAfee Client Proxy client software.
• Windows XP Professional SP3 or later 32‑bit
• Windows Vista SP2 or later 32‑bit only
• Windows 7 SP1 or later 32‑ or 64‑bit

The user installing McAfee Client Proxy software on the ePolicy Orchestrator servers must be a member of the local administrators group.

Install the McAfee Client Proxy extension

The McAfee Client Proxy extension creates and manages policies that define how and when endpoint computers redirect web connections for security policy enforcement.

Before you begin

Verify that the ePolicy Orchestrator server name is listed under Trusted Sites in the Internet Explorer security settings.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator interface, select Menu | Software | Extensions, then click Install Extension.

2 Click Browse and select the McAfee Client Proxy .zip file (...\MCP_EPO_PACKAGE_1_0_0_xxx_x.zip).

Click Open, then click OK.

The installer contains the following:

• MCPSRVER1000 — the McAfee Client Proxy ePolicy Orchestrator extension
• coreCatalog_1.0.0.xx — a McAfee Common Catalog extension component
• catalogFramework_1.0.0.xx — a McAfee Common Catalog extension component
• HelpDeskTool_1.0.0.xxx — the McAfee Help Desk extension; used to issue bypass release codes
• help_mcc_100_xxx — McAfee Help module for Common Catalog
• help_mcp_100_xxx — McAfee Help module for McAfee Client Proxy
• help_mhd_100_xxx — McAfee Help module for Help Desk

The installation dialog box displays the file parameters to verify that you are installing the correct extension.

3 Click OK. The extension is installed.


Check in the McAfee Client Proxy client package to ePolicy Orchestrator

To use ePolicy Orchestrator for McAfee Client Proxy client software deployment, check the client package into the McAfee ePO master repository.

Task

For option definitions, click ? in the interface.

1 From the McAfee ePolicy Orchestrator interface, select Menu | Software | Master Repository.

2 In the master repository, select Actions | Check In Package.

3 Select package type Product or Update (.ZIP), browse to ...\MCP_1_0_0_xxx.zip, then click Next. The Check in Package page appears.

4 Review the details on the screen, then click Save. The package is added to the master repository.

Select a policy

You can deploy different McAfee Client Proxy policies to different computer groups. Select a policy for the group before setting up the deployment.

Before you begin

Create subgroups under My Organization in the System Tree. See the McAfee ePolicy Orchestrator Product Guide for more information.

Task

For option definitions, click ? in the interface.

1 From the McAfee ePolicy Orchestrator interface, select Menu | Systems | System Tree.

2 In the System Tree, select the group or subgroup for policy assignment.

3 Select Assigned Policies.

4 From the Product list, select McAfee Client Proxy. The policy inherited from My Organization appears.

5 Click Edit Assignment. Select Break inheritance and assign the policy and settings below, then change the assigned policy (or create a New Policy) and click Save.

Deploy McAfee Client Proxy with ePolicy Orchestrator

McAfee Client Proxy endpoint software and policies can be conveniently deployed to client computers using the ePolicy Orchestrator deployment feature.

Before you begin

Check in the McAfee Client Proxy client software to the ePolicy Orchestrator Master Repository.


Optional: Create a subgroup in the ePolicy Orchestrator System Tree for McAfee Client Proxy client computers.

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator interface, select Menu | System | System Tree.

2 In the System Tree, select the subgroup level at which to deploy McAfee Client Proxy. Leaving the subgroup at My Organization deploys to all computers managed by McAfee ePolicy Orchestrator.

If you select a subgroup under My Organization, available computers appear in the right‑hand pane. You can also deploy McAfee Client Proxy to individual computers.

3 Click the Assigned Client Tasks tab. Under Actions, select New Client Task Assignment. The Client Task Builder wizard opens.

4 In the Product field, select McAfee Agent. In the Task Type field select Product Deployment. Click Create New Task.

5 In the Name field, type a suitable name, for example, Deploy MCP to clients. Typing a description is optional.

6 In the Products and Components field, select McAfee Client Proxy 1.0.0.xx. The Action field automatically resets to Install.

7 Click Save, then click Next.

8 Change the Schedule type to Run immediately. Click Next.

9 Review the task summary. When you are satisfied that it is correct, click Save. The task is scheduled for the next time the McAfee Agent checks for updates. To force the installation to take place immediately, issue an agent wake‑up call.

After installation, the McAfee Client Proxy client starts running immediately without restarting the client computer. At this point, the client software runs without a policy file. It does not redirect data until it receives a policy file.

3 Configuring McAfee Client Proxy

McAfee Client Proxy extension is used to create policies that are deployed to the client computers. The McAfee Client Proxy policy lists servers the client computer can connect to for security policy enforcement when outside the corporate network. It defines which network ports are redirected to which servers, how the McAfee Client Proxy client software determines when it is in the corporate network or connected by VPN, and whether or not access protection is enabled. In addition, it defines a bypass list of network addresses and ports, domain names, and processes that are not redirected.

Contents

Create a McAfee Client Proxy policy

Import and export policy files

Cancel policy enforcement

Create a McAfee Client Proxy policy

You must configure the client and at least one proxy server in order to save and deploy a policy. The policy can also specify bypass and block lists.

McAfee Client Proxy policies are configured and stored in the ePolicy Orchestrator Policy Manager or in McAfee SaaS Web Protection Service web protection policies.

Tasks

Create a policy on page 18

Policies are created and saved in the ePolicy Orchestrator Policy Catalog or as McAfee SaaS Web Protection Service web protection policies.

Create a proxy server list on page 18

McAfee Client Proxy software seeks proxy server connections from the server list when outside the corporate network.

Create a bypass list on page 19

A bypass list is a set of web destinations that the user can connect to directly, bypassing the security policy.

Create a block list on page 20

A block list contains a list of processes for which network communication is permanently blocked.

Configure the client on page 21

Client configuration includes the corporate network detection and VPN detection specifications, customer ID parameters, logger settings, and access protection enabling.

Create a policy

Policies are created and saved in the ePolicy Orchestrator Policy Catalog or as McAfee SaaS Web Protection Service web protection policies.

Before you begin

Obtain a Unique User ID file. The ID file is provided by a McAfee Web Gateway or McAfee SaaS Web Protection Service administrator, and is required for saving a policy file. The ID file, which contains a hashed password, should be placed in a conveniently accessible location.

Create a policy in ePolicy Orchestrator

Task

For option definitions, click ? in the interface.

1 From the ePolicy Orchestrator interface, select Menu | Policy | Policy Catalog.

2 In the Product field, select McAfee Client Proxy.

The default policy assignment appears.

3 Click a link to view/edit existing policy settings, or select Actions | New Policy to create a new policy. Alternately, click Duplicate to make a copy of the McAfee Default policy to use as a starting point.

See also

Customer ID and password on page 11

Create a policy in McAfee SaaS Web Protection Service

Task

1 From the McAfee SaaS Web Protection Service interface, select Web Protection | Policies | McAfee Client Proxy Policies.

2 Select a policy and click Edit to view/edit existing policy settings, or click New to create a new policy.

Create a proxy server list

McAfee Client Proxy software seeks proxy server connections from the server list when outside the corporate network.

Before you begin

See Create a policy to create a new policy, and for policy pre‑requisites.

McAfee Client Proxy client software connects to proxy servers based on the order of the proxy server list. If connection to the first server on the list fails, the client software tries the second server, and so on through the list. If a connection is lost during transmission, the client software tries to reconnect beginning with the first server on the list.

Order the proxy server list according to which servers you think will give the best service to the users of


Task

1 Do one of the following:

• In the ePolicy Orchestrator Client Proxy Settings pane, select Proxy Servers.

• In the McAfee SaaS Web Protection Service MCP Details Tab, click Proxy Servers.

All definitions previously added to the proxy server list are displayed.

2 Configure each proxy server you want to add to the list.

a In the Proxy Server Address field, type the IP or Hostname of a proxy server.

b In the Proxy Port field, enter a port.

c Select the HTTP/HTTPS checkbox, or change to non‑HTTP/HTTPS ports.

For HTTP/HTTPS traffic, configure a McAfee Web Gateway appliance or the McAfee SaaS Web Protection Service service. For non‑HTTP/HTTPS protocols, make sure the server supports that protocol.

When configuring McAfee Client Proxy software to redirect traffic to the McAfee SaaS Web Protection Service service, you must ensure that all end users have a SaaS account and that their SaaS user name (that is, email address) is mapped to their Windows domain user name to allow authentication. Failure to do this results in all requests returning access_denied_error.

3 (Optional) Select the Bypass proxy server for local addresses option.

4 In ePolicy Orchestrator, click Add. In McAfee SaaS Web Protection Service, click Save.

See also

Proxy servers on page 9

Create a bypass list

A bypass list is a set of web destinations that the user can connect to directly, bypassing the security policy.

Before you begin

See Create a policy to create a new policy, and for policy pre‑requisites.

When creating a bypass list in ePolicy Orchestrator, use the Common Catalog to specify the list. McAfee Client Proxy uses only four of the definition types from the catalog: domain name, network address, network port, and process name.

If you choose to duplicate a catalog, fill in the required information and click Continue to Bypass List. If you click Duplicate, you create a duplicate policy, not a duplicate catalog.

Create a bypass list in ePolicy Orchestrator

Task

1 In the ePolicy Orchestrator Client Proxy Settings pane, select Bypass List. All definitions previously added to the proxy server list are displayed.


2 Select Actions | Select from Catalog | <definition type>, where <definition type> is one of the four Common Catalog types used by McAfee Client Proxy: domain name, network address, network port, or process name.

All existing Common Catalog definitions of the type are displayed.

3 Select the required definition from the list and click OK.

If the required definition does not exist, click New Item, fill in the form, then click Save.

See also

Bypass lists on page 9

Create a bypass list in McAfee SaaS Web Protection Service

Task

1 In the McAfee SaaS Web Protection Service MCP Details Tab, click Bypass List.

2 Highlight a definition and click Edit, or click New to add a new definition.

3 Under Type, select the required definition from the list.

4 Under Value enter the value.

5 Click New to add more definitions. When you are finished, click Save.

Create a block list

A block list contains a list of processes for which network communication is permanently blocked.

Before you begin

See Create a policy to create a new policy, and for policy pre‑requisites.

Using a block list reduces the need for redirection to the cloud server. On the other hand, it is an absolute list that might be more restrictive than the security policy if not designed carefully.

Task

For option definitions, click ? in the interface.

1 Do one of the following:

• In the ePolicy Orchestrator Client Proxy Settings pane, select Block List.

• In the McAfee SaaS Web Protection Service MCP Details Tab, click Block List.

All definitions previously added to the block list are displayed.


2 Select the blocking action: (ePolicy Orchestrator only)

• Allow traffic to go directly to destination

That is, no processes are blocked automatically and blocking policy is applied by the cloud security server.

• Block traffic for all processes (except bypass listed processes)

We do not recommend using this option, as it can block all network connectivity, rendering the client computer unreachable by the security server and preventing the user from working on it.

• Block traffic only for the following processes

3 If you selected the third option, edit the application list: (ePolicy Orchestrator only)

• To add a process, type the name of the process in the Process Name field and click Add.

Adding a process to the block list means that all ports used by the process are blocked except those redirected by the McAfee Client Proxy client or explicitly configured in the bypass list.

• To edit an existing process, click Edit, make the necessary changes in the Process Name field, then click OK.

• To delete a process, click Delete.

The process is deleted without verification.

4 To edit the list in McAfee SaaS Web Protection Service, highlight an entry to edit it, or click New to add a new entry.

5 Click Save to save the changes. In ePolicy Orchestrator you can alternately click Duplicate to create a duplicate policy with the changes.
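The precedence among the three blocking actions, the bypass list and proxy redirection is easy to get wrong when designing a block list, so here is an added example in Python that is not part of this guide or of McAfee's own code. It models the rules stated above: bypass-listed traffic goes direct, ports the client redirects are never blocked, and only then does the selected blocking action apply. The mode names, the assumed redirect ports 80 and 443, the process names and the management-channel check (agent.exe, port 8443) are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Set


class BlockMode(Enum):
    """The three blocking actions offered in the Block List pane."""
    DIRECT = "allow traffic to go directly to destination"
    BLOCK_ALL = "block traffic for all processes (except bypass listed)"
    BLOCK_LISTED = "block traffic only for the listed processes"


class Verdict(Enum):
    REDIRECT = "redirected to the proxy"
    ALLOW = "allowed to go directly to the destination"
    BLOCK = "blocked"


@dataclass
class ClientPolicy:
    mode: BlockMode
    # Ports the client redirects to the proxy; 80/443 is an assumption of this example.
    redirect_ports: Set[int] = field(default_factory=lambda: {80, 443})
    block_list: Set[str] = field(default_factory=set)        # process names to block
    bypass_processes: Set[str] = field(default_factory=set)  # bypass list: processes
    bypass_ports: Set[int] = field(default_factory=set)      # bypass list: destination ports

    def evaluate(self, process: str, dest_port: int) -> Verdict:
        """Decide what happens to one connection by `process` to `dest_port`.

        Order matters: bypass entries win over everything, redirected ports are
        never blocked, and only then does the blocking action apply.
        """
        proc = process.lower()
        if proc in self.bypass_processes or dest_port in self.bypass_ports:
            return Verdict.ALLOW
        if dest_port in self.redirect_ports:
            return Verdict.REDIRECT
        if self.mode is BlockMode.BLOCK_ALL:
            return Verdict.BLOCK
        if self.mode is BlockMode.BLOCK_LISTED and proc in self.block_list:
            return Verdict.BLOCK
        return Verdict.ALLOW


def management_channel_reachable(policy: ClientPolicy, agent_process: str, agent_port: int) -> bool:
    """Check for the 'block all' warning: can the management agent still reach its server?

    `agent_process` and `agent_port` are placeholders; substitute the real agent
    process name and port when reviewing a production policy.
    """
    return policy.evaluate(agent_process, agent_port) is not Verdict.BLOCK


if __name__ == "__main__":
    policy = ClientPolicy(mode=BlockMode.BLOCK_LISTED, block_list={"ftp.exe"}, bypass_ports={53})
    for proc, port in [("ftp.exe", 21), ("ftp.exe", 443), ("ftp.exe", 53), ("mail.exe", 25)]:
        print(f"{proc}:{port} -> {policy.evaluate(proc, port).value}")
    lockdown = ClientPolicy(mode=BlockMode.BLOCK_ALL)
    print("agent reachable under block-all:",
          management_channel_reachable(lockdown, "agent.exe", 8443))
```

Running the script shows why the guide advises against the block-all action: unless the management agent is on the bypass list, the evaluator reports it as blocked, which is exactly the unreachable-client situation described above.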

See also

Block lists on page 10

Configure the client

Client configuration includes the corporate network detection and VPN detection specifications, customer ID parameters, logger settings, and access protection enabling.

Before you begin

See Create a policy to create a new policy, and for policy prerequisites.

Configure the client in ePolicy Orchestrator

Task

1 In the Client Proxy Settings pane, select Client Configuration.

2 In the Customer Identifier section, click Browse and select the XML file that includes the customer ID and password. Click Open.

The Unique Customer ID and Shared Password fields are filled automatically.

3 In the Traffic Redirection Settings section, select the Redirect network traffic option for Web Hybrid operation or the Always redirect operation for pure SaaS customers.

The Always redirect option overrides the corporate network and VPN detection settings.

4 In the Corporate Network Detection section, select the method of network detection.

• For detection by testing connectivity to ePolicy Orchestrator, keep the default selection.

• For corporate network detection without using ePolicy Orchestrator, select the by testing connectivity option and create a server list. For each server:

a In the Server Address field type the IP or Hostname of a server in the corporate network.

b Type the port in the Server Port field.

c Click Add.

We recommend adding servers that do not use ports 80 or 443 to avoid conflicts with some captive portals that might intercept TCP connections to those ports and return OK even for non-reachable IPs.

5 In the Corporate VPN Detection section, create a VPN server list. For each VPN server:

a In the Server Address field, type the IP address or host name of a server in the corporate network.

b In the Server Port field, enter the port.

c Click Add.

6 In the Log File Settings section, select the required logging option.

7 In the Access Protection section, do the following:

a Select Enable Access Protection.

This prevents tampering with the process (MCPService), policy files, or registry keys.

b Select Request Release key to allow the user to uninstall McAfee Client Proxy with an administrator-issued release key.

We recommend uninstalling the McAfee Client Proxy client with ePolicy Orchestrator, but this is not always practical. The challenge-response mechanism, similar to that used for cancelling policy enforcement, is provided for when it becomes necessary to uninstall the client in the field.

Configure the client in McAfee SaaS Web Protection Service

Task

1 In the McAfee SaaS Web Protection Service MCP Details Tab, click Details.

2 Select Enable Access Protection.

This prevents tampering with the process (MCPService), policy files, or registry keys.

3 Under Client Logging, select the required logging option.

4 If you require redirection for corporate servers or VPN, click Redirection Settings, then select Enable.

5 Click New to add a corporate server or VPN. Type the IP address or host name under Server Address and enter a value for the port. Click Save.
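The corporate network detection step above tests connectivity to a list of servers and warns that captive portals may answer on ports 80 and 443 even when the real host is unreachable. The following added Python example (not code from this guide or from McAfee) shows a connectivity probe that applies that advice: entries on 80/443 are flagged and ignored, and the machine is considered on the corporate network only when a server on some other port answers. The local listener started in `demo()` is a constructed stand-in for a corporate server; the host names in the usage line are placeholders.

```python
import socket
from typing import Callable, Iterable, List, Tuple

Server = Tuple[str, int]

# Ports the guide warns about: captive portals commonly intercept TCP connections
# to these and complete the handshake even when the real host is unreachable.
PORTAL_PRONE_PORTS = {80, 443}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect probe: True if the handshake completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def review_server_list(servers: Iterable[Server]) -> List[str]:
    """Warnings for entries that a captive portal could turn into false positives."""
    return [f"{host}:{port} uses a port that captive portals often intercept"
            for host, port in servers if port in PORTAL_PRONE_PORTS]


def on_corporate_network(servers: Iterable[Server],
                         probe: Callable[[str, int], bool] = tcp_reachable) -> bool:
    """Treat the machine as on the corporate network only if a server on a
    non-80/443 port answers; 80/443 entries are ignored rather than trusted."""
    trusted = [(h, p) for h, p in servers if p not in PORTAL_PRONE_PORTS]
    if not trusted:
        raise ValueError("add at least one detection server on a port other than 80 or 443")
    return any(probe(h, p) for h, p in trusted)


def demo() -> Tuple[bool, bool]:
    """Probe a constructed local listener standing in for a corporate server,
    then probe the same address again after the listener has gone away."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # OS picks a free, non-80/443 port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_inside = on_corporate_network([("127.0.0.1", port)])
    finally:
        listener.close()
    after_leaving = on_corporate_network([("127.0.0.1", port)])
    return while_inside, after_leaving


if __name__ == "__main__":
    print(review_server_list([("intranet.example", 443), ("ldap.example", 389)]))
    print(demo())   # expected (True, False)
```

The `probe` parameter exists so the decision logic can be exercised with a simulated captive portal (one that answers only on 443) without any network access; the test below does exactly that.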


Import and export policy files

Policy files can be exported as readable XML files or as XML files for import to McAfee Client Proxy. These are not the same, and there are different procedures for achieving these goals.

To save policy files in different formats, do one of the following.

To save an OPG format file to deploy to clients:

1 From the Client Proxy Settings pane of the policy, select Actions | Export Policy to File | McAfee Client Proxy Client File.

2 In the File Download window, click Save.

To create an XML file for import:

From the Actions column on the Policy Catalog page, click Export.

To save a readable XML file:

1 From the Client Proxy Settings pane of the policy, select Actions | Export Policy to File | McAfee Client Proxy Server File.

2 Right-click the link.

3 In the File Download window, click Save.

Cancel policy enforcement

The disable feature allows users to request temporary cancellation of policy enforcement for legitimate reasons.

User request for a bypass key is initiated on the client computer. The administrator creates and issues the key, which is valid for a specified time period, using the McAfee® Help Desk tool.

Task

1 In the system tray, click the McAfee icon, then select Manage Features | Request McAfee Client Proxy Bypass.

Figure 3-1 Requesting a bypass key

The Enter Release Code window appears.

2 Send all information on the release code window, along with your system user name and email address, to the McAfee Client Proxy administrator by phone, email, instant messaging, or other method.

Leave the window open. The Identification Code value changes each time you open the window, and must match the Release Code issued by the administrator. You can copy the identification code to another document, but you cannot edit it.

Figure 3-2 Enter Release Code window

3 When the administrator sends a bypass key code, enter it in the Release Code field and click OK. McAfee Client Proxy is bypassed for the time period set by the administrator.
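The bypass procedure has three properties worth seeing in code: the identification code is fresh each time the window is opened, the release code must match that specific identification code, and the bypass lasts only for the period the administrator set. The Python below is an added illustration of a generic challenge-response design with those properties; it is not McAfee's algorithm, nor code from this guide. The HMAC construction, the `expiry-tag` code format, `TAG_LEN` and the `ADMIN_SECRET` placeholder are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed placeholder: a real deployment provisions the secret to the
# administrator's help-desk tool and to the client out of band.
ADMIN_SECRET = b"constructed-demo-secret-do-not-reuse"
TAG_LEN = 16  # hex characters of the HMAC kept in the release code (assumption)


def new_identification_code() -> str:
    """Fresh random challenge each time the Enter Release Code window is opened."""
    return secrets.token_hex(8)


def _message(identification_code: str, expiry: int) -> bytes:
    return f"{identification_code}|{expiry}".encode()


def issue_release_code(secret: bytes, identification_code: str, minutes: int,
                       now: Optional[int] = None) -> str:
    """Administrator side: bind a code to this challenge and to an expiry time."""
    expiry = (int(time.time()) if now is None else now) + minutes * 60
    tag = hmac.new(secret, _message(identification_code, expiry),
                   hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{expiry}-{tag}"


def verify_release_code(secret: bytes, identification_code: str, release_code: str,
                        now: Optional[int] = None) -> Tuple[bool, int]:
    """Client side: accept only a code issued for *this* challenge that has not expired.

    Returns (accepted, seconds_remaining). The tag is compared in constant time
    before the expiry is checked, so a bad code learns nothing from timing.
    """
    current = int(time.time()) if now is None else now
    try:
        expiry_text, tag = release_code.split("-", 1)
        expiry = int(expiry_text)
    except ValueError:
        return False, 0
    expected = hmac.new(secret, _message(identification_code, expiry),
                        hashlib.sha256).hexdigest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return False, 0
    if current >= expiry:
        return False, 0
    return True, expiry - current


if __name__ == "__main__":
    challenge = new_identification_code()          # shown to the user, sent to the admin
    code = issue_release_code(ADMIN_SECRET, challenge, minutes=30)
    print("release code:", code)
    print("accepted:", verify_release_code(ADMIN_SECRET, challenge, code))
    # A code copied into a newly opened window no longer matches its challenge.
    print("reused on a new window:", verify_release_code(ADMIN_SECRET, new_identification_code(), code))
```

Because the release code is bound to the identification code, closing and reopening the window (which regenerates the challenge) invalidates a code that was issued for the earlier one, which is the behaviour step 2 above warns about.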

A Manual deployment of McAfee endpoint software products

The preferred method of deployment of McAfee endpoint software products is with ePolicy Orchestrator. However, various methods of manual deployment are possible in cases where deployment with ePolicy Orchestrator is either unfeasible or not wanted.

Deploying with Microsoft Systems Management Server

As one example, this section describes deployment with Microsoft Systems Management Server (SMS) 2003. SMS provides a comprehensive solution for deploying and managing applications and operating systems on Windows computers and servers. When you use SMS for deployment rather than ePolicy Orchestrator, you must manually install the policy (.opg) file as well.

Tasks

• Create an installation package on page 25

Create a package for installing a McAfee endpoint software product with Microsoft Systems Management Server. This procedure does not require ePolicy Orchestrator.

• Create the advertisement on page 26

SMS packages need to be "advertised." This creates the SMS package advertisement.

• Create the SMS uninstall package on page 27

Create a package for uninstalling McAfee Data Loss Prevention Endpoint software with Microsoft Systems Management Server. This procedure does not require ePolicy Orchestrator.

• Create an SMS uninstall package to run from a command line on page 27

Create a package for uninstalling McAfee endpoint software products that runs from a command line.

Create an installation package

Create a package for installing a McAfee endpoint software product with Microsoft Systems Management Server. This procedure does not require ePolicy Orchestrator.

Install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). The package can be downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647.

Task

1 In the Systems Management Server console, right-click Packages and select New | Package.

2 In the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).

3 In the Data Source tab, select This Package Contains Source Files, then click Set.

4 In the Set Source Directory window under Source Directory Location, select the type of connection to the set-up files in the source directory. Type the source directory path in the text box and click OK.

5 In the Distribution Settings tab, select High from the Sending Priority drop-down list, and click OK.

The package appears under the Packages node of the site tree.

6 Expand the new package under the Packages node.

7 Right-click Distribution Points and select New | Distribution Point. Select the server or servers you want to be the distribution points for this package, then click Finish.

8 Right-click Programs and select New | Program. Type the application name.

9 In the Command Line text box, type the McAfee DLP command line executable, for example:

msiexec /I McpInstaller.msi /qn /forcerestart

The .msi file name is extracted manually from the McpInstaller.x86.exe file.

We recommend restarting the managed computer after endpoint package installation. To enable this option use the /forcerestart parameter. To enable the installation log use /log <LogFile>.

10 In the Environment tab, select Whether or not a user is logged on from the Program can run drop‑down list. Click OK.

Verify that Run with Administrative Rights is selected. McAfee Data Loss Prevention Endpoint software setup requires administrator rights to complete installation successfully.

Create the advertisement

SMS packages need to be "advertised." This creates the SMS package advertisement.

Task

1 In the Systems Management Server console, right‑click Advertisements and select New | Advertisement. Type the advertisement name.

2 From the Package drop-down list, select the McAfee endpoint product package name.

3 From the Program drop-down list, select the McAfee endpoint product application name.

4 Click Browse and select the collection that the McAfee endpoint product installation package should apply to, then click OK.

5 In the Schedule tab, confirm the time that the advertisement is offered, specify if the advertisement should expire, and when. Click OK.


Create the SMS uninstall package

Create a package for uninstalling McAfee Data Loss Prevention Endpoint software with Microsoft Systems Management Server. This procedure does not require ePolicy Orchestrator.

Task

1 In the Systems Management Server console, right‑click Packages and select New | Package.

2 In the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).

3 In the Data Source tab, select This Package Contains Source Files, then click Set.

4 In the Set Source Directory window under Source Directory Location, select the type of connection to the set-up files in the source directory. Type the source directory path in the text box and click OK.

5 In the Distribution Settings tab, select High from the Sending Priority drop-down list, and click OK.

The package appears under the Packages node of the site tree.

6 Expand the new package under the Packages node.

7 Right-click Distribution Points and select New | Distribution Point. Select the server or servers you want to be the distribution points for this package, then click Finish.

8 Right-click Programs and select New | Program. Type the program name.

9 In the Command Line text box, type the endpoint product command line executable, for example:

msiexec /x DLPAgentInstaller.msi /qn /forcerestart

The .msi file name is extracted manually from the endpoint product installer .exe file.

10 In the Environment tab, select Whether or not a user is logged on from the Program can run drop‑down list. Click OK.

Create an SMS uninstall package to run from a command line

Create a package for uninstalling McAfee endpoint software products that runs from a command line.

Task

1 In the Systems Management Server console, right‑click Packages and select New | Package.

2 In the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).

3 In the Data Source tab, deselect This Package Contains Source Files, then click Set.

4 Locate the UninstallString for McAfee DLP Agent.

a In the registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

b Click through the entries to find DisplayName: McAfee Client Proxy.

c Copy the UninstallString, for example:

MsiExec.exe /X{287AAE25-B0F4-4E9E-A7FD-8EA81FF635E1}

5 To uninstall, use the command line:

<uninstall string> /qn /forcerestart


Index

A

abbreviations used in this guide 6

about this guide 5

B

block lists 10, 20

blocking processes 10, 20

bypass key 23

bypass list 9

bypass lists, configuring 19

C

command line uninstall 27

Common Catalog 10

configuration 17

conventions and icons used in this guide 5

corporate network detection 21

customer ID 11, 21

D

deploying MCP client 15

deploying, with ePO 15

documentation

audience for this guide 5

product-specific, finding 6

typographical conventions and icons 5

E

ePO check in 15

ePolicy Orchestrator 6, 7, 10, 13–15, 17, 21, 23

H

hardware requirements 13

I

installing MCP software 14

L

logging 21

M

McAfee SaaS Web Protection 6, 7, 9, 11, 18, 21

McAfee ServicePortal, accessing 6

McAfee Web Gateway 6, 7, 9, 11, 18, 21

MCP endpoint

deploying with SMS 25

uninstall with SMS 27

MCP manager 17

Microsoft update 9

O

overview 7

P

policies

creating 17

importing and exporting 23

selecting 15

processes, blocking 10, 20

proxy server list 18

proxy servers 9

S

server software requirements 13

ServicePortal, finding product documentation 6

SMS advertisements 26

SMS installation package, creating 25

SMS uninstall package, command line 27

SMS uninstall package, creating 27

supported operating systems 13

system requirements 13

T

Technical Support, finding product information 6

V

VPN 6, 7, 9, 17

VPN detection 21

W

web hybrid 7
