Release Notes

Revision B

McAfee Web Gateway 7.4.1

Contents

About this release

New features and enhancements

Resolved issues

Installation instructions

Known issues

Find product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

McAfee® Web Gateway (Web Gateway), version 7.4.1, is provided as a controlled release. It is a major version that introduces new features and enhancements. It also resolves issues present in previous versions.

New features and enhancements

This release of the product includes these new features and enhancements.

New solution for cloud single sign-on

A new solution has been implemented for single sign-on to applications that are made available "in the cloud" to the users of your network. This solution relies only on functions that are provided within Web Gateway.

You can use the new solution to enable single sign-on to cloud applications using POST requests under the HTTP protocol for accessing the applications. To enable access under the SAML protocol, you still need to work with McAfee® Cloud Single Sign On.

For more information, see the Cloud Single Sign On chapter of the McAfee Web Gateway Product Guide.

New workflow for Advanced Threat Defense integration

You can configure a new workflow for scanning web objects by McAfee® Advanced Threat Defense in addition to Web Gateway. Under this new workflow, a requested web object is forwarded to the user before it is additionally scanned.

The additional scanning is performed later on, and if the web object is found to be malicious, you receive a warning message.

For more information, see the Web filtering chapter of the McAfee Web Gateway Product Guide.

New rule set view

A new rule set view for working with rules to configure your web security policy is provided on the user interface of Web Gateway. It allows you to focus your attention on those rule elements that you will most likely want to modify.

This view is the initial view for most rule sets, but you can still proceed to a view that lets you work with the complete rules.

For more information, see the User interface chapter of the McAfee Web Gateway Product Guide.

To enhance web security, McAfee's support for Oracle Java Runtime Environment (JRE), version 1.6, also referred to as Java 6, will terminate after the release of Web Gateway, version 7.4.2. More detailed information will still be provided. JRE is required for running the user interface.

We therefore encourage you to start using JRE, version 1.7 (Java 7), now if you are not using it already.

Proxy functions for the SOCKS protocol

You can configure Web Gateway to run as a proxy that forwards web traffic under the SOCKS (sockets) protocol.

The underlying protocol of the SOCKS protocol, for example, HTTP or HTTPS, is detected on Web Gateway. If this protocol is also supported by Web Gateway, the SOCKS traffic can be filtered according to the configured web security rules.

For more information, see the Proxies chapter of the McAfee Web Gateway Product Guide.

LDAP digest authentication

You can use a new method to authenticate users, which is based on LDAP authentication. The new method uses a shared secret that must be known both on Web Gateway and on the client from which a user sends requests for web access.

The shared secret is combined with other communication parameters in what is known as the digest. A hash value is calculated for this digest and transmitted during the authentication process.

For more information, see the Authentication chapter of the McAfee Web Gateway Product Guide.
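
How such a digest is built and checked on the receiving side, as an added example that is not taken from the release notes or from McAfee's code. It assumes the standard HTTP Digest construction of RFC 2617 (MD5, qop=auth), which the release notes do not specify; the function and class names are hypothetical, and the sample values are the worked example from RFC 2617, section 3.5.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def stored_secret(username, realm, password):
    # The shared secret (HA1 in RFC 2617). A directory can hold this value
    # instead of the clear-text password; it must be protected like one.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # The secret is combined with request parameters and a server nonce;
    # only the hash of that combination is transmitted.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server-side check (hypothetical helper, assumes RFC 2617 semantics)."""

    def __init__(self, ha1):
        self.ha1 = ha1
        self.last_nc = {}  # nonce issued by this server -> highest nc seen

    def issue(self, nonce):
        self.last_nc[nonce] = 0

    def verify(self, req):
        nonce = req["nonce"]
        if nonce not in self.last_nc:
            return False  # response to a challenge this server never sent
        try:
            count = int(req["nc"], 16)
        except ValueError:
            return False
        if count <= self.last_nc[nonce]:
            return False  # nonce count did not increase: replayed request
        expected = digest_response(self.ha1, req["method"], req["uri"],
                                   nonce, req["nc"], req["cnonce"])
        # Constant-time comparison of the two hash values.
        if not hmac.compare_digest(expected.encode(), req["response"].encode()):
            return False
        self.last_nc[nonce] = count
        return True


# Sample request from RFC 2617, section 3.5 (user "Mufasa").
RFC_REQUEST = {
    "method": "GET", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}


def demo():
    ha1 = stored_secret("Mufasa", "testrealm@host.com", "Circle Of Life")
    verifier = DigestVerifier(ha1)
    verifier.issue(RFC_REQUEST["nonce"])
    first = verifier.verify(RFC_REQUEST)    # genuine request
    replay = verifier.verify(RFC_REQUEST)   # same request sent again
    return first, replay


if __name__ == "__main__":
    print(demo())
```
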

New appliance hardware

You can use the new WBG-5000-C and WBG-5500-C appliance models as hardware platforms for running the Web Gateway appliance software.

For more information, see the McAfee Web Gateway Installation Guide.

Extended welcome page for FTP proxy

The welcome page that is displayed to users when Web Gateway runs as an FTP proxy has been extended to provide more information.

Placeholders are now included for the product name, version, and build, as well as for the host name and IP address of the proxy, and for some other parameters.

Improvements in client communication

Handling communication between Web Gateway and its clients has been improved as follows:

• When a client sends additional SNI (server name indication) information about a requested destination in an initial message, this information is ignored on Web Gateway if it cannot be properly resolved, and communication with the client is continued.

• When forwarding a response from a web server to a client, Web Gateway supports content compression in gzip format for the response body.

Enlarged scope of feedback information

The scope of information that is provided by the feedback script on Web Gateway has been enlarged to include:

• Usage of inodes in a file system — An inode is required for every file in the system to track file metadata. The number of inodes is configured when a file system is created and cannot be changed later. So to monitor disk usage you need to watch free disk space, as well as the number of free inodes.

Usage of inodes is shown as the output of the df -i command in the details.txt feedback file.

• RAID status and related information — In addition to RAID status, this information includes, for example, firmware versions and disk status.

The information is shown in a separate file within the MLOS feedback folder.

• System event logs — Information about system events is collected and logged by the Baseboard Management Controller (BMC). When the Active System Console (ASC) or the SNMP subagent is running on Web Gateway, this information is not collected.

To generate system event logs, the ipmi feedback tool must be enabled. This tool is now installed by default on Web Gateway.

System event logs are listed in the ipmi_sel_txt feedback file.
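
For the inode item above, a check that reads `df -i` output such as the section captured in details.txt and reports file systems that are close to running out of inodes. This is an added example, not part of the feedback script; the sample output, device names and the 90 % threshold are constructed, and the function takes only the `df -i` text because the release notes do not describe the rest of the file's layout.

```python
# Added example. SAMPLE_DF_I is constructed; device names and the 90 %
# threshold are assumptions, not values from the release notes.
SAMPLE_DF_I = """\
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/sda2            1310720  118034 1192686   10% /
tmpfs                 490217       1  490216    1% /dev/shm
/dev/mapper/vg00-opt_mwg_log
                      655360  642253   13107   98% /opt/mwg/log
/dev/sda1                  0       0       0     - /boot/efi
"""


def parse_df_inodes(text):
    """Return one dict per file system from `df -i` output."""
    rows, pending = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Filesystem":
            continue
        if pending is None and len(fields) == 1:
            pending = fields[0]      # long device name: df wrapped the row
            continue
        if pending is not None:
            fields, pending = [pending] + fields, None
        if len(fields) < 6:
            continue                 # not a df row
        try:
            inodes, iused, ifree = (int(x) for x in fields[1:4])
        except ValueError:
            continue
        rows.append({"device": fields[0], "inodes": inodes, "iused": iused,
                     "ifree": ifree, "mount": " ".join(fields[5:])})
    return rows


def inode_alerts(text, max_used_pct=90.0):
    """List (mount, percent used, inodes free) for file systems over the limit."""
    alerts = []
    for row in parse_df_inodes(text):
        if row["inodes"] == 0:
            continue  # no fixed inode table reported (shown as "-")
        used_pct = round(100.0 * row["iused"] / row["inodes"], 1)
        if used_pct >= max_used_pct:
            alerts.append((row["mount"], used_pct, row["ifree"]))
    return alerts


if __name__ == "__main__":
    for mount, pct, free in inode_alerts(SAMPLE_DF_I):
        print(f"{mount}: {pct}% of inodes used, {free} free")
```
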

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Bugzilla reference numbers are in parentheses.

Network communication

• Reverse DNS lookups were performed that were not required, and not logged either, for URLs with broadcast IP addresses. (908688)

• In a transparent router configuration, a large number of unnecessary duplicate acknowledge messages were sent to a client that had requested access to a web object, which slowed down the process. (909510)

• In a Proxy High Availability (Proxy HA) configuration, the director node did not distribute load to the scanning nodes. (918342)

• When Web Gateway was running in a configuration with an LDAP server and a firewall in between, the firewall closed the connection to the LDAP server upon not receiving a keep-alive message from Web Gateway in time, which was due to the default value of the relevant parameter in the Web Gateway kernel. (919518)

• Web traffic was not forwarded to a client in the passive mode of the FTP protocol, as all working threads were blocked while sending or receiving messages and client responses were slow. (919892)

• When the High Availability proxy mode had been configured for two Web Gateway appliances, a high number of warnings with the same message text were issued on the director node. (921923)

• A POST request that had been received chunk-encoded from a client was not forwarded in this format or with a Content-Length header to the requested web server. (922418)

• No listener port was set up when a port forwarding rule was created that included a host name with a dash in it for the destination that web traffic should be forwarded to. (925384)

Authentication

• When a user submitted valid credentials for an authorized override, the prompt was repeated. This was due to a failure of the quota module to handle very long user names, as, in this case, the user name had been extended in the process of LDAP authentication. (909810)

• When McAfee® Client Proxy was running in a configuration with Web Gateway, access to a website was blocked due to a failure to process the user name correctly for authentication. (913682)

• A memory leak occurred on Web Gateway, due to inappropriate use of properties for SSL certificates in an authentication-related rule set. This caused the core process to fail with term signal 11. (918314)

• Web Gateway could not be registered on a McAfee® ePolicy Orchestrator® server, as the credentials that were submitted for authentication were not accepted. (929467, 931329)

Web filtering

• A file received from a web server was not forwarded to the client that had requested it and a timeout for the proxy functions occurred, as the HTML opener module took too much time to scan the file, which contained a large number of nested HTML elements. (905398)

• When Consumer Protection was listed as a URL category in a blocking rule, access to hosts with URLs falling into that category was not blocked. (908717)

• An upgrade failed on two Web Gateway appliances and the backup configuration could not be restored, due to some corrupted certificates for SSL-secured communication. (911846)

• Using a list with URLs for bypassing the SSL Scanner resulted in a session time out and getting disconnected from the user interface due to a missing file that was needed for updating URL lists. (914256)

• Leaving the Safesearch option set to moderate, which is the default value, did not enable the function when requests to access Google sites were processed. (916161)

• Internal requests were continuously sent from Web Gateway to itself until the maximum number of simultaneous connections was exceeded, due to inappropriate use of an IP address property in a rule of the Advertising filtering rule set. (916578)

• The log file manager did not push log data as configured, due to a problem with processing file names that contained unusual strings of characters. (917826)

• An EICAR virus testing file was embedded in a PDF document, but was not detected when the full coverage option was configured for virus and malware filtering and access to the file was allowed. (923639)

• The URL.Domain property was not properly filled with values when requests to access websites in the co.uk domain were processed. (925628)

• When a suitably crafted request was processed on Web Gateway, a directory traversal vulnerability allowed access to files that should not have been made accessible. (932519)

• After implementing the SSL Scanner rule set, a Stop Cycle action was contained in the rule for enabling certificate verification instead of Continue. This led to sending a response with a header for closing the connection to the client when NTLM authentication was being negotiated. (932585)

Central Management

• When several Web Gateway appliances were running as nodes in a Central Management configuration, synchronization of the user map for the PDstorage function led to a failure of the core process, after the user map had grown to a size of more than 8 MB and at least one synchronization message was still in the message queue. (933375)

• When a Web Gateway appliance that had been running as a scanning node in a Central Management configuration was replaced by a new appliance, using the same IP address but a changed MAC address, the director node did not recognize this replacement and still maintained a failure state for this node. (916012)

Monitoring

• To de-anonymize log files, the LogFileDecrypter loaded them completely, but could not handle files larger than 6 GB and thus delivered 0 byte output files. (902378)

• The log file manager did not push log data as configured, due to a problem with processing file names that contained unusual strings of characters. (917826)

• Processing of web traffic slowed down on a Web Gateway appliance, as large portions of memory were being swapped and the SNMP subagent consumed nearly two thirds of the available memory space. (923233)

• An SNMP-related debug message that should not have been displayed appeared on the system console used for administering Web Gateway. (926891)

• When queries for information about hardware drive slots were performed by the SNMP subagent on some instances of Web Gateway that were running on Intel appliances, the response was that there were no objects with the object IDs used in the queries. (930293)

• When the SNMP daemon sent a message for distributing a dashboard request from one node to another in a Central Management configuration, the response to the SNMP daemon included an error message, but the data sent with the response could still be processed correctly. (930834)

• After upgrading a Web Gateway appliance, monitoring using the SNMP subagent did not work for Dell hardware objects, as no responses were received upon sending queries with the respective object IDs to the Management Information Board (MIB). (936980)

Miscellaneous

• An administrator was able to delete a list that was used in a rule, due to a faulty rule configuration. The rule was also incorrectly displayed after the next logon to the user interface. (910919)

• An error message announcing a next-hop proxy as down appeared in a transparent bridge mode configuration where no next-hop proxy had been set up. (917605)

• Information about the web cache partition on an appliance was lost and could not be recovered. (920951)

• An Excel attachment to a Microsoft PowerPoint file could not be opened, as its file type was not supported by the opener on Web Gateway, which led to incorrectly classifying the complete file as corrupted. (922668)

• Using the Search button on the user interface to find entries in configuration lists did not work. (923931)

• Installing an extension on McAfee ePolicy Orchestrator to enable support of Web Gateway led to an error, as one of the involved Web Gateway components was incompatible with this version of McAfee ePolicy Orchestrator. (925429)

• When performing downloads on Web Gateway, data trickling was used as the download method after the maximum number of simultaneously displayed progress pages had been exceeded. No buffer was allocated for the data trickling, which led to a failure of the core process with term signal 11. (928174)

• Download of a McAfee-maintained list failed, due to a problem with the list preview. (939771)

Installation instructions

The requirements for installing Web Gateway, version 7.4.1, depend on the version you are currently running on an appliance.

• If you have been beta-testing version 7.4.1, we recommend that you re-image the appliance, using an image of the new version.

• When running a 7.4.x version, you can upgrade to the new version. See Upgrade from 7.4.x or 7.3.x.

• When running a 7.3.x version:

  • Activate the repository for the new version. See Activate the repository.

  • Upgrade to the new version. See Upgrade from 7.4.x or 7.3.x.

• When running a 7.2.x version or any earlier 7.x version:

  • Create a configuration backup.

    Use the options provided under Troubleshooting | Backup/Restore on the user interface to create the backup.

  • Upgrade to the new version. See Upgrade from 7.2.x or earlier 7.x.

    The upgrade process includes a major upgrade of the operating system. It will take several steps and more time than usual.

    If the upgrade process fails or is interrupted, you can re-image the appliance using an image of the new version and install the configuration backup.

  Alternatively, you can:

  • Create a configuration backup.

  • Re-image the appliance using an image of the new version and install the configuration backup.

• When running a 6.8.x or 6.9.x version, you must re-image the appliance using an image of the new version.

Download an image of the new version from the download page of the McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/software_mwg7_download.

For more information on re-imaging, see the McAfee Web Gateway Installation Guide.

Activate the repository

Activate the repository using a system console before upgrading to the new version from a 7.3.x version.

You can use a local system console, which is immediately connected to an appliance, or work remotely, using SSH.

Task

1 Log on to the appliance you want to perform the upgrade on.

2 Run the following command:

mwg-switch-repo 7.4.1

You can now upgrade to the new version. See Upgrade from 7.4.x or 7.3.x.

Upgrade from 7.4.x or 7.3.x

From a 7.4.x or 7.3.x version, upgrade to the new version on the user interface or from a system console.

Upgrade on the user interface

You can work with the options of the user interface to perform the upgrade.

Task

1 Select Configuration | Appliances.

2 On the appliances tree, select the appliance you want to perform the upgrade on.

The appliance toolbar appears on the upper right of the tab.

3 Click Update Appliance Software.

The upgrade to the new version is performed.

4 When a message informs you that the upgrade is completed and a restart of the appliance is required, click Reboot.

When the restart has been completed, a logon button appears. You can now log on to the user interface again and start working with the new version.

Upgrade from a system console

You can upgrade from a local system console, which is immediately connected to an appliance, or remotely, using SSH.

Task

1 Log on to the appliance you want to perform the upgrade on.

2 Run the following two commands:

yum upgrade yum

yum upgrade

The upgrade to the new version is performed.

3 When a message informs you that the upgrade is completed and a restart of the appliance is required, run the following command:

reboot

When the restart has been completed, a logon prompt appears. You can now log on to the user interface and start working with the new version.

Upgrade from 7.2.x or earlier 7.x

When running a 7.2.x version or any earlier 7.x version, use a system console to upgrade to the new version.

You can use a local system console, which is immediately connected to an appliance, or work remotely, using SSH.

Task

1 Log on to the appliance you want to perform the upgrade on.

2 Run the following two commands:

yum upgrade yum yumconf\*

mwg-dist-upgrade 7.4.1

The upgrade to the new version is performed in two phases. After each phase, the appliance restarts automatically.

3 Proceed in one of the following ways to complete the installation:

• If you are using a local system console:

When the second restart has been completed, a logon prompt appears. You can now log on to the user interface and start working with the new version.

• If you are using SSH:

When the appliance restarts after the first upgrade phase, you are disconnected and the second upgrade phase begins. After this phase is completed, including the automatic restart, you can log on to the user interface and start working with the new version.

If you log on before the second upgrade phase is completed, you will see a message that this phase is still in progress. When the appliance restarts at the end of this phase, you are disconnected again. Then you need to log on again to be able to work with the new version.

You can also run the following command to view messages about the upgrade progress:

tail -F /opt/mwg/log/update/mlos2.upgrade.log

When you see that the upgrade is completed, press Ctrl+C to stop the monitoring process. You can now log on to the user interface and start working with the new version.

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article: KB81059.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access user documentation:

1 Click Product Documentation.

2 Select a product, then select a version.

3 Select a product document.

To access the KnowledgeBase:

• Click Search the KnowledgeBase for answers to your product questions.

• Click Browse the KnowledgeBase for articles listed by product and version.

Product documentation

Every McAfee product has a comprehensive set of documentation. For Web Gateway, this includes the following:

• McAfee Web Gateway Product Guide — Describes the features and capabilities of Web Gateway, providing an overview of the product, as well as detailed instructions on how to configure and maintain it.

• McAfee Web Gateway Installation Guide — Describes how to set up Web Gateway, as well as several devices that can be run with the product.

• McAfee Web Gateway Quick Start Guide — Describes high-level steps for setting up a Web Gateway version that is shipped as pre-installed appliance software on a hardware platform.

This document is shipped in printed format with the pre-installed software and the hardware.

Web Gateway, version 7.4.1, is not provided as pre-installed software.

Copyright © 2014 McAfee, Inc. Do not copy without permission.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.
