McAfee Client Proxy 2.0

(1)

Product Guide

Revision B

McAfee Client Proxy 2.0

for Windows and Mac OS

(2)

COPYRIGHT

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION License Agreement

(3)

Managing McAfee Client Proxy with McAfee ePO

2 Completing the setup using McAfee ePO 13 Supported ePO . . . 13

Check the system requirements . . . 14

Download and install the product files . . . 14

Install the extension . . . 15

Check in the Client Proxy client package . . . 15

Deploy to end-user computers using McAfee ePO . . . 16

3 Configuring and using McAfee Client Proxy with McAfee ePO 17 Configurable policy options . . . 17

Proxy server list . . . 17

Client configuration . . . 18

Bypass list . . . 18

Block list . . . 19

Configure a policy . . . 19

Configure the proxy servers . . . 19

Configure the client settings . . . 20

Configure the Bypass List . . . 21

Configure the Block List . . . 21

Assign the policy using McAfee ePO . . . 21

(4)

Managing McAfee Client Proxy with McAfee SaaS Web

Protection Control Console

5 Completing the setup using the Control Console 33

Check the system requirements . . . 33

Download and install the product files . . . 34

6 Configuring Client Proxy using the Control Console 35 Configurable policy options . . . 35

Create a policy using the Control Console . . . 37

Configure the proxy servers . . . 37

Configure the bypass list . . . 38

Configure the block list . . . 38

Deploy to end-user computers using other systems . . . 39

View status and configuration details . . . 39

Suspend policy enforcement . . . 39

7 Maintaining McAfee Client Proxy on your system 41 Upgrade McAfee Client Proxy on your system . . . 41

Install a hotfix . . . 42

Uninstall McAfee Client Proxy . . . 42

Index 43

(5)

Preface

This guide provides the information you need to work with your McAfee product.

Contents

About this guide

Find product documentation Conventions

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program. • Security officers — People who determine sensitive and confidential data, and define the

corporate policy that protects the company's intellectual property.

(6)

3 Select Do not clear my filters.

4 Enter a product, select a version, then click Search to display a list of documents.

Conventions

This guide uses these typographical conventions and icons.

Book title, term,

emphasis Title of a book, chapter, or topic; a new term; emphasis.

Bold Text that is strongly emphasized. User input, code,

message Commands and other text that the user types; a code sample; a displayedmessage.

Interface text Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an

option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system,

software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware

product.

(7)

1

Introduction

McAfee®

Client Proxy is endpoint client software for Microsoft Windows and Mac OS X that is an essential component of the McAfee®

Web Protection hybrid deployment solution. The Client Proxy technology allows you to apply your organization's web security policy to a computer, regardless of its location.

Contents

How Client Proxy works Deployment options

(8)

How Client Proxy works

McAfee Client Proxy extends network security solutions to computers outside the corporate network. End users receive automatic protection, regardless of their location (for example, a laptop or mobile computing device in a hotel or coffee shop).

McAfee Client Proxy redirects web traffic and network communications to either a McAfee®

Web Gateway appliance or McAfee®

SaaS Web Protection service. Regardless of the location of the end-user device (whether it is inside the corporate network, connected by VPN, or outside the corporate

network), the Client Proxy software enforces your organization's policies. It determines whether to route the web request, deny access, or bypass a proxy server.

Figure 1-1 Client Proxy workflow

1

Introduction

(9)

When an end user is working within the corporate network, Client Proxy software:

1 Communicates with McAfee®

ePolicy Orchestrator®

(McAfee ePO™

) or other servers configured within the policy.

2 Recognizes that the end user is working within the corporate network.

3 Remains passive, allowing web traffic and network communications to pass through. When an end user is working outside the corporate network, Client Proxy software:

1 Recognizes that the end user is working outside the corporate network.

2 Redirects all web traffic and network communications to the McAfee SaaS Web Protection service. All web traffic and network communication requests sent by Client Proxy to the SaaS Web

Protection Service include end-user and AD group information that is applied to your organization's policy.

3 If the sent end-user information is mapped to a SaaS Web Protection service user account, the Client Proxy software applies the associated policy to the existing user account.

• If McAfee SaaS Web Protection does not recognize the sent end-user information as a mapped SaaS Web Protection user account, Client Proxy software applies the AD group information. If one or more AD groups match the end-user information, SaaS Web Protection service applies the associated policy or a combination of associated policies. • When the sent end-user and AD group information are both unrecognized by SaaS Web

Protection service, the proxy uses the default web policy.

For organizations that use McAfee SaaS Web Protection service, Client Proxy also provides the option to always redirect web traffic and network communications to SaaS Web Protection service, regardless of the end user's location.

Deployment options

Client Proxy software can be deployed either with McAfee ePO, or using a third-party deployment solution.

Deploying with McAfee ePO

We highly recommend using McAfee ePO to deploy McAfee endpoint software, especially in a large enterprise. It provides a single management platform that enables policy management and product enforcement. In this case, McAfee ePO is installed and configured on the administrator operating system. The end user installing the Client Proxy software on McAfee ePO servers must be a member of the local administrator group.

Introduction

(10)

Table 1-1 Example of the high-level process

Deployment with McAfee ePO Deployment with third-party

solutions 1 Install the Client Proxy extension .zip file so it is available in

McAfee ePO.

2 Check in the Client Proxy packages for Microsoft Windows and Mac OS X to the McAfee ePO Master Repository.

This release only includes a client package for Mac OS X. The Client Proxy 2.0 manager in McAfee ePO, however, supports the Client Proxy version 1.2 clients for Microsoft Windows as well. If you are supporting both operating systems, McAfee ePO deploys the appropriate clients to the endpoint computers.

3 Download the XML file from the Control Console that the Client Proxy extension imports when creating a policy.

4 Create policies that meet the needs of your network.

5 Deploy Client Proxy software to end-user computers within your corporate network.

1 Use McAfee SaaS Web

Protection to create policies that meet the needs of your network.

2 Follow the instructions of the third-party solution to create and deploy the installation package.

3 Deploy configured policies to end-user computers in your corporate network with Control Console.

1

Introduction

(11)

Managing McAfee Client Proxy

with McAfee ePO

Chapter 2 Completing the setup using McAfee ePO

Chapter 3 Configuring and using McAfee Client Proxy with McAfee ePO

(12)

(13)

2

Completing the setup using McAfee ePO

To set up McAfee Client Proxy in your corporate network, download and install the Client Proxy installation files on the administrator operating system. Deploy the Client Proxy software to end-user computers.

Contents

Supported ePO

Check the system requirements Download and install the product files Install the extension

Check in the Client Proxy client package

Deploy to end-user computers using McAfee ePO

Supported ePO

This release of Client Proxy is compatible with these McAfee ePO versions. • McAfee ePO 4.6.8

• McAfee ePO 5.1.0 • McAfee ePO 5.1.1 • McAfee ePO 5.3.0

We don't guarantee that Client Proxy works with other versions of McAfee ePO.

(14)

Check the system requirements

Verify that your network systems meet the hardware and operating system requirements.

Table 2-1 Hardware requirements

Hardware type Specifications

Servers — Run the McAfee ePO

software and Client Proxy extension.

• CPU — Intel Pentium IV 2.8 GHz or higher • RAM — 1 GB minimum (2 GB recommended) • Hard disk — 80 GB minimum

End-user computers — Run the

Client Proxy software. • RAM — 1 GB minimum (2 GB recommended)

• Hard disk — 300 MB minimum free disk space (500 MB recommended)

Table 2-2 Operating system requirements

Computer type Software

Servers — Run the McAfee ePO

software and Client Proxy extension.

• Windows Server 2003 Standard (SE) SP1 or later, 32-bit or 64-bit

• Windows Server 2003 Enterprise (EE) SP1 or later, 32-bit or 64-bit

• Windows Server 2008 Enterprise SP1 or later 32- or 64-bit • Windows Server 2012, 64-bit

Client Proxy software. OS X 10.8 (Mountain Lion), 10.9 (Mavericks), or 10.10(Yosemite)

Download and install the product files

Download the Client Proxy product files from the McAfee Content & Cloud Security Portal and install them on the administrator operating system. Client Proxy also supports McAfee ePO Software Manager.

Task

1 Download the product files.

a Log on to the operating system as an administrator.

b Go to the McAfee Content & Cloud Security Portal.

c Enter your user name and password, then click Login.

d Select Software | McAfee Web Gateway | Tools | McAfee Client Proxy. e Select and save the .zip files for your operating system.

• Client Proxy server software for McAfee ePO: MCPSRVER1000_2.0.0.x_package.zip • Client Proxy client software for Mac OS X: Mcpdistribution.zip

2 Install the server software, and check the client package into McAfee ePO.

(15)

Install the extension

Install the Client Proxy extension .zip file so it is available in McAfee ePO. For option definitions, click ? in the interface.

Task

1 From the McAfee ePO interface, select Menu | Software | Extensions.

2 Click Install Extension.

3 Click Browse to locate the Client Proxy extension file (MCPSRVER1000_2.0.0.x_package.zip), then click Open | OK.

The Install Package window appears.

4 Click OK.

The MCPSRVER1000_2.0.0.x_package installs.

The package installs the Client Proxy manager, Common Catalog, Help Desk, and the related Help files.

Check in the Client Proxy client package

Check in the Client Proxy package to the McAfee ePO Master Repository. For option definitions, click ? in the interface.

Task

1 From the McAfee ePO interface, select Menu | Software | Master Repository.

2 From the Actions menu, select Check In Package.

3 In the Check In Package window, select the package type (ZIP), then click Browse.

4 Select the Client Proxy OS X client (McpDistribution.zip) file you downloaded earlier, click Open then

Next.

5 Review the information, then click Save.

6 If you are deploying both Microsoft Windows and Mac OS X clients, repeat the check-in for the Client Proxy MCP_1_2_0_x.zip file.

McAfee Client Proxy appears in the Packages in Master Repository list.

Completing the setup using McAfee ePO

(16)

Deploy to end-user computers using McAfee ePO

Deploy Client Proxy software to end-user computers using McAfee ePO.

Task

1 From the McAfee ePO interface, select Menu | Systems | System Tree.

2 From the System Tree list, select the subgroup level to deploy Client Proxy.

• Select the My Organization subgroup to deploy Client Proxy to all computers managed by McAfee ePO.

• To deploy Client Proxy to the individual computers available in the right pane, select a subgroup under My Organization.

3 Click the Assigned Client Tasks tab.

4 From the Actions menu, select New Client Task Assignment. The Client Task Assignment Builder wizard opens.

5 Configure the Client Task Assignment Builder options.

a From the Product menu, select McAfee Agent.

b From the Task Type menu, select Product Deployment, c Click Create New Task.

The Product Deployment window appears.

6 Configure the Product Deployment options.

a Enter a task name and optional description.

b Select a Target platform.

c In the Products and Components field, select McAfee Client Proxy from the drop-down list. The remaining fields automatically populate.

d Configure the remaining options. e Click Save.

7 Click Next.

8 From the Schedule type drop-down list, select Run immediately, then click Next.

9 Review the task summary, then click Save.

The task is scheduled for the next time the McAfee Agent checks for updates. To force the installation to run immediately, issue an agent wake-up call.

After installation, Client Proxy runs immediately without restarting the end-user computer.

Client Proxy does not redirect data until a policy is configured.

(17)

3

Configuring and using McAfee Client

Proxy with McAfee ePO

Use McAfee ePO to manage and configure the options that define the Client Proxy policies enforced on end-user computers.

Contents

Configurable policy options Configure a policy

Users and permission sets View end-user installation data Suspending policy enforcement Export the policy to an XML file

Configurable policy options

Policy options allow you to tune multiple settings when you configure policies. The following are configurable policy options available in McAfee ePO.

Proxy server list

The proxy server list identifies available McAfee Web Gateway appliances, McAfee SaaS Web Protection servers, and McAfee ePO.

When McAfee Client Proxy detects that an end-user computer is disconnected from the corporate network, network traffic is automatically redirected to McAfee Web Gateway appliances or McAfee

(18)

• connect to the first proxy server that is accessible based on their order in the following list — Client Proxy connects to the first proxy server in the Proxy Server List. If the connection to the first proxy server in the list fails, the software attempts a connection on the second proxy server in the list. If the connection is lost during transmission, the software reconnects with the first proxy server in the list.

• connect to the proxy server that has the fastest response time — Client Proxy connects to the closest proxy server in the Proxy Server List based on the proxy server response time. If the connection to the closest proxy server fails, the software attempts to connect to the second closest proxy server. If the connection is lost during transmission, the software reconnects with the original closest proxy server.

When HTTP/HTTPS traffic is redirected, Client Proxy adds metadata to the request, such as: • Identification tokens

• Encrypted domain user names • AD groups

The proxy server uses this metadata to verify that Client Proxy is redirecting the network traffic, then determines the policy definitions configured in the associated policy.

Client configuration

Client Configuration options define how Client Proxy behaves inside and outside the corporate network for end users.

• Customer Identifier — Client Proxy includes a customer ID with a required secret key in its policy definition to ensure that client identities are securely protected. The customer ID also determines which policy to apply and when to apply it.

• Traffic Redirection — Client Proxy redirects network traffic to proxy servers, whether inside the corporate network, connected by VPN, or outside of the corporate network.

• Corporate Network Detection — When the end-user computer is inside the corporate network, stops redirecting web traffic through the proxy.

• Corporate VPN Detection — When the end-user computer is connected to the corporate VPN, stops redirecting web traffic through the proxy.

• Log File Settings — Enables client logging, which adds a log file to each end-user computer that identifies errors and troubleshooting information.

• Active Directory Groups — A group filter that allows you to define the group information provided to the filtering proxy.

• Access Protection — Prevents the end user from uninstalling, deleting, renaming, or tampering with Client Proxy from their computer.

Access protection is not supported on OS X.

Bypass list

Each policy maintains a list of McAfee®

Common Catalog definitions for Client Proxy to bypass when network traffic is redirected to the proxy server.

The bypass list can include domain names, network addresses, network ports, and processes that end-user computers connect to directly.

(19)

Block list

Each policy maintains a list of processes that are permanently blocked from network communication. The block list reduces the amount of network traffic redirected to the proxy server, but can also apply unintended Internet access restrictions to end-user computers.

Configure a policy

Use McAfee ePO to create and configure policies that are deployed to end-user computers. For option definitions, click ? in the interface.

Task

1 From the McAfee ePO interface, select Menu | Policy | Policy Catalog.

2 From the Product drop-down list, select McAfee Client Proxy 2.0.0. The default policy assignment appears.

3 Click the policy name to open a policy for editing.

4 To create a new policy, click New Policy. The Create a New Policy dialog box appears.

5 Use the drop-down list to select an existing policy as a base. In the Name field, type a name for the policy, enter any additional information in Notes, then click OK.

Tasks

• Configure the proxy servers on page 19

Configure the proxy servers for Client Proxy to redirect network traffic. • Configure the client settings on page 20

Configure the settings that define how deployed Client Proxy policies behave inside or outside the corporate network.

• Configure the Bypass List on page 21

Configure and add the web definitions to the Bypass List that end-user computers directly connect to by bypassing the policy.

• Configure the Block List on page 21

To reduce the amount of network traffic redirected to the proxy server, configure and add processes to the Block List that are permanently blocked from communicating with the network.

• Assign the policy using McAfee ePO on page 21

Assign policies to specific end-user computers within your corporate network.

Configure the proxy servers

Configuring and using McAfee Client Proxy with McAfee ePO

(20)

3 In the Proxy Server List, select how Client Proxy connects to the proxy servers using these options: • connect to the first accessible Proxy Server based on their order in the list below

• connect to the Proxy Server which has the fastest response time

4 Add proxy servers to the Proxy Server List.

At least one proxy server definition is required in order to save the policy. a In the Proxy Server Address field, type the proxy server IP address or host name.

b In the Proxy Port field, type the port for the proxy server.

c To direct HTTP/HTTPS requests to the Web Gateway appliance or SaaS Web Protection service, select the HTTP/HTTPS checkbox.

d In the Non-HTTP/HTTPS Redirected Ports field, type the non-HTTP/HTTPS redirected ports. For non-HTTP/HTTPS protocols, make sure that the server supports the protocol. e Click Add.

The proxy server appears in the Proxy Server List.

5 In the Actions column, click the arrows to change the order of proxy servers in the Proxy Server List.

6 By default, Client Proxy bypasses local address. Deselect the checkbox if you want Client Proxy to redirect all requests.

Do not attempt to save the policy at this point. The Customer Identifier field information on the Client Configuration page is required before you can save the policy.

Configure the client settings

Configure the settings that define how deployed Client Proxy policies behave inside or outside the corporate network.

For option definitions, click ? in the interface.

Task

1 From the Client Proxy Settings menu, select Client Configuration.

2 In the Customer Identifier section, click Browse, select the ID file, then click Open. This file is provided by the Web Gateway or SaaS Web Protection administrator. The Unique Customer ID and Shared Password fields are automatically populated.

3 Configure the remaining options.

Access Protection is not supported on Mac OS X endpoints.

(21)

Configure the Bypass List

Configure and add the web definitions to the Bypass List that end-user computers directly connect to by bypassing the policy.

Creating a bypass list in McAfee ePO uses McAfee®

Common Catalog to specify the list. Client Proxy uses only four of the definition types from the catalog: domain name, network address, network port, and process name.

Process names can now be either Microsoft Windows format (test.exe) or Mac OS X format (test).

Task

1 From the Client Proxy Settings menu, select Bypass List.

2 From the Actions menu, select Add bypass list item, then select a web definition type. The Choose from existing values dialog box appears.

3 Do one of the following:

• Select at least one existing item.

• Click New Item, enter the required information, then click Save.

4 Click OK.

Configure the Block List

To reduce the amount of network traffic redirected to the proxy server, configure and add processes to the Block List that are permanently blocked from communicating with the network.

Task

1 From the Client Proxy Settings menu, select Block List.

2 Select an option for how to handle network traffic.

3 In the Process Name field, type the name of a process to block, then click Add.

4 Click Save.

Assign the policy using McAfee ePO

Assign policies to specific end-user computers within your corporate network. For option definitions, click ? in the interface.

Task

1 Select Menu | Systems | System Tree.

(22)

7 From the Assigned policy drop-down list, select the policy.

8 Choose whether or not to lock policy inheritance.

9 Click Save.

Assign a Client Task to schedule the policy deployment to the endpoints.

Users and permission sets

We recommend creating specific administrator roles and permissions in McAfee ePO for the Client Proxy catalog administrator.

McAfee ePO defines roles and permissions in terms of Permission Sets. A default permission set installed with the product, MCP Catalog Admin, gives the Client Proxy administrator view and change permissions for policies and certain Common Catalog items and actions. You can also assign an auditor role by adding view permission to one of the existing reviewer permission sets, or by creating a new permission set. You assign users to permission sets using Active Directory.

View end-user installation data

View the number of end-user computers that have successfully installed Client Proxy within the past month.

Task

1 From the McAfee ePO interface, select Menu | Reporting | Queries & Reports.

2 From the Groups list, expand Shared Groups, then select McAfee Client Proxy.

3 Create a query.

Option Definition

Select a query

type. 1 Click the Query tab, then select Actions | New.

The Query Builder opens with the Result Types view active.

2 From the Feature Group list, select Policy Management.

3 Choose from these options: • Applied Client Tasks

• Applied Policies

• Client Task Assignment Broken Inheritance • Policy Assignment Broken Inheritance

4 Click Next. Select a query

layout. 1 From the Display Results As list, select a graph or table for the query layout. Select a layout for your query that best displays your data.

2 Select the display options you want from the available lists.

(23)

Select query

columns. 1 From the Available Columns list, select which columns to apply to your query.

2 In Selected Columns, select, drag, and position each column.

3 To move to the Filter page, click Next. Configure

properties. From the Available Properties list, select which properties to use for filtering yourquery, and the appropriate values for each. Run the query. Click Run.

Save the query. 1 To view the Save Query page, click Save.

2 Type a name for the query, add any notes, and select a group.

3 Click Save.

4 Create a report.

Select a query. 1 Click the Report tab, then select Actions | New.

The Report Builder opens with the Report Layout view active.

2 From the Toolbox menu, select Query Chart, and drag it to the Report Layout area. The Configure Query Chart dialog box appears.

3 From the Query drop-down list, select MCP: Endpoint Install Success/Failed events in last

month.

4 Configure the remaining query options, then click OK. Customize the

report. 1 In the Name, Description and Group tab, type a name, description, and which group_{to use.}

2 Use the Header and Footer and Page Setup tabs to specify how you want the query to appear in the report.

3 Use the Runtime Parameters tab to select report_{‑level filters.} Generate the

report. Click Run._{You can choose to run the report to get the information immediately, save to use} it another time, or configure its appearance further by adding additional content.

Suspending policy enforcement

A user can request permission to access or transfer sensitive information for a limited time.

(24)

Removing endpoint software (Microsoft Windows only)

A similar mechanism can be used to uninstall the Client Proxy software. McAfee Client Proxy is protected from unauthorized removal. We recommend the Client Proxy administrator uninstall the software using McAfee ePO. In cases where McAfee ePO removal is not possible, an uninstall key can be generated, and the software removed by normal means.

Generate a release code

To temporarily cancel policy enforcement on end-user computers, an end-user requests a bypass release code. The administrator uses McAfee®

Help Desk to create and issue the code, which is valid for a specified time period, and returns it to the user.

Task

1 Do one of the following:

• On Mac OS X computers: from the McAfee menulet on the status bar, select McAfee Endpoint

Protection for Mac Preferences, then select Client Proxy.

• On Microsoft Windows computers: click the McAfee icon on the system tray, then select Manage

Features | Disable McAfee Client Proxy.

2 Copy the Identification Code and Revision ID from the window and send it to the Client Proxy administrator, along with your End user name and matching End user email address.

Both identification code and revision ID are mandatory in a release code request.

Optional information you can also include are computer name and business justification.

3 When the administrator supplies a release code, type the code in the Release Code field. • On Mac OS X computers: Click Release.

• On Microsoft Windows computers: Click OK.

• The release code works only with the ID code and revision number specified. The revision number is verified when the code is generated.

• The Identification Code changes each time the Client Proxy window opens. Do not close the window until you fill out the Release Code field with a code from the administrator.

Clicking another tab (General or Update changes the identification code. Remain on the Client Proxy tab until you receive a release code.)

• You can copy and paste the ID code, but you cannot modify it.

Policy enforcement is canceled for the time period specified by the administrator when creating the release code.

Export the policy to an XML file

For troubleshooting purposes, export the McAfee Client Proxy policy to an XML file. For option definitions, click ? in the interface.

Task

1 From the McAfee ePO interface, select a policy.

(25)

3 Click the McAfee Client Proxy Server File link.

The other link, McAfee Client Proxy Client File, creates an OPG file you can import to other clients. 4 Save the file.

5 Click OK.

(26)

(27)

4

Maintaining McAfee Client Proxy using

McAfee ePO

Perform maintenance tasks to ensure Client Proxy operates as intended.

Contents

Upgrade Client Proxy using McAfee ePO Install a hotfix

Uninstall Client Proxy

Upgrade Client Proxy using McAfee ePO

Download, install, and deploy the latest version of Client Proxy. For option definitions, click ? in the interface.

Task

1 Download the latest version of the product files.

a Go to the McAfee Content & Cloud Security Portal.

b Enter your user name and password, then click Login. c Select Software | McAfee Web Gateway | Tools | McAfee Client Proxy.

d Select and save the appropriate .zip file.

Client Proxy also supports McAfee ePO Software Manager.

(28)

d Click OK.

e Verify that the extension is installed, and select Menu | Software | Extensions.

3 Check in the package.

a Select Actions | Check in Package. The Check in Package window appears.

b Select the package type, then click Browse.

c Choose the Client Proxy .zip file you downloaded earlier, then click Open. McAfee Client Proxy appears in the Packages in Master Repository list.

4 Deploy the upgrade.

a Select Menu | Systems | System Tree.

b From the System Tree list, select the subgroup level to deploy Client Proxy endpoint software. c Click the Assigned Client Tasks tab.

d From the Actions menu, select New Client Task Assignment. e Configure the Client Task Assignment Builder options.

f Click Create New Task.

g Configure the Product Deployment options. h Click Save.

i Click Next.

j From the Schedule type drop-down list, select Run immediately, then click Next.

k Review the task summary, then click Save.

Install a hotfix

McAfee occasionally releases Client Proxy hotfixes to address product issues.

If the hotfix includes release notes, use the release notes instructions to install the hotfix. If the hotfix does not have release notes, use the following task.

Task

1 Go to the McAfee Content & Cloud Security Portal.

2 Enter your user name and password, then click Login.

3 Select Software | McAfee Web Gateway | Tools | McAfee Client Proxy.

4 Select and save the hotfix installation file for your operating system.

5 Run the hotfix installation file.

(29)

Uninstall Client Proxy

To fully uninstall McAfee Client Proxy, remove the extension and package from McAfee ePO, then remove the software from the administrator operating system.

Contents

Remove the extension from McAfee ePO Remove the package from McAfee ePO

Remove the extension from McAfee ePO

Remove the McAfee Client Proxy extension from McAfee ePO. For option definitions, click ? in the interface.

Task

1 Log on to McAfee ePO as an administrator.

2 Select Menu | Software | Extensions.

3 From the Extensions list, select McAfee Client Proxy.

4 Click Remove.

Remove the package from McAfee ePO

Remove the McAfee Client Proxy package from the McAfee ePO Master Repository. For option definitions, click ? in the interface.

Task

1 Select Menu | Software | Master Repository.

2 From the McAfee Client Proxy Actions column, click Delete.

Maintaining McAfee Client Proxy using McAfee ePO

(30)

(31)

Managing McAfee Client Proxy

with McAfee SaaS Web

Protection Control Console

Chapter 5 Completing the setup using the Control Console

Chapter 6 Configuring Client Proxy using the Control Console

(32)

(33)

5

Completing the setup using the Control

Console

To set up McAfee Client Proxy in your corporate network using a system other than McAfee ePO, download and install the Client Proxy installation files from the Control Console.

Contents

Check the system requirements Download and install the product files

Check the system requirements

Verify that your network systems meet the hardware and operating system requirements.

Table 5-1 Hardware requirements

Hardware type Specifications

End-user computers — Run the Client Proxy

software. Microsoft Windows endpoints:

• CPU — Pentium III 1 GHz or higher • RAM — 1 GB minimum

• Hard disk — 200 MB minimum free disk space Mac OS X endpoints:

• RAM — 1 GB minimum

(34)

Table 5-3 Operating system requirements — 64 bit

Computer type Software

Client Proxy software. • Windows 7 SP1 or later • Windows 8 or 8.1

• OS X 10.8 (Mountain Lion), 10.9 (Mavericks), or 10.10 (Yosemite)

Download and install the product files

Download the Client Proxy product files from the McAfee Content & Cloud Security Portal or Control Console, and install them on the administrator operating system.

To download the Client Proxy product files from the Control Console, you must first have a SaaS Web Protection service account.

Task

1 Log on to the operating system as an administrator.

2 Download the product files.

Option Steps

McAfee Content & Cloud

Security Portal

3 Select QuickLinks | Downloads | McAfee Web Gateway Downloads | Tools | McAfee Client

Proxy.

4 Select and save the .zip file for your operating system. Control

Console 1 Log on to the Control Console as an administrator.

2 Select Web Protection | Setup | McAfee Client Proxy.

3 Click Download MCP.

4 Select and save the .zip file for your operating system.

3 Install the product files. Do one of the following:

Option Description

On Microsoft Windows computers • Run McpInstaller.x64.exe OR

• Run McpInstaller.x86.exe

Follow the on-screen prompts to complete the installation.

On Mac OS X computers Run McpDistribution.dmg.

Follow the on-screen prompts to complete the installation.

(35)

6

Configuring Client Proxy using the

Control Console

Use the Control Console to manage and configure the options that define the Client Proxy policies enforced on end-user computers.

Contents

Configurable policy options

Create a policy using the Control Console

Deploy to end-user computers using other systems View status and configuration details

Suspend policy enforcement

Configurable policy options

Policy options allow you to tune multiple settings when you configure policies. The following are configurable policy options available in the Control Console.

Customer ID and secret key

Client Proxy includes a customer ID and secret key in its policy definition to ensure that client identities are securely protected.

Use the ePO Export button to download the customer ID XML file for use with McAfee ePO. If you are using McAfee ePO, we recommend using McAfee ePO to manage Client Proxy policies instead of the

(36)

• Connect to the first proxy server that is accessible based on their order in the following list — Client Proxy connects to the first proxy server in the proxy servers list. If the connection to the first proxy server in the list fails, the software attempts a connection on the second proxy server in the list. If the connection is lost during transmission, the software reconnects with the first proxy server in the list.

• Connect to the proxy server that has the fastest response time — Client Proxy connects to the closest proxy server in the proxy servers list based on the proxy server response time. If the connection to the closest proxy server fails, the software attempts to connect to the second closest proxy server. If the connection is lost during transmission, the software reconnects with the original closest proxy server.

When HTTP/HTTPS traffic is redirected, Client Proxy adds metadata to the request, such as: • Identification tokens

• Encrypted domain user names • AD groups

The proxy server uses this metadata to verify that Client Proxy is redirecting the network traffic, then determines the policy definitions configured in the associated policy.

Bypass list

Each policy maintains a list of definitions for Client Proxy to bypass when network traffic is redirected to the proxy server.

The bypass list can include domain names, network addresses, network ports, and processes that end-user computers connect to directly.

Block list

Each policy maintains a list of processes that are permanently blocked from network communication. The block list reduces the amount of network traffic redirected to the proxy server, but can also apply unintended Internet access restrictions to end-user computers.

Redirection settings

Client Proxy communicates with internal proxy servers to verify that the end user is working inside the corporate network.

Client Proxy also checks a list of corporate servers to detect when an end-user computer is connected through VPN.

When Client Proxy detects that an end user is working inside the corporate network or through VPN, the software stops redirecting web traffic and network communication.

(37)

Create a policy using the Control Console

Policies are created and saved as McAfee SaaS Web Protection policies. Use the Control Console to create and configure policies that are deployed to end-user computers.

Before you begin

Request a customer ID and password from the Web Gateway or SaaS Web Protection administrator.

To use Client Proxy with SaaS Web Protection, the SaaS Web Protection service must be activated.

Task

1 From the Control Console interface, select Web Protection | Policies | McAfee Client Proxy Policies.

2 In the Secret Key field, enter your secret key.

A secret key must be entered to enable Client Proxy policies. 3 Click New.

The New McAfee Client Proxy Policy dialog box appears.

4 Click the Details tab.

a In the Name field, type the policy name.

b Type an optional description.

c To prevent uninstallation, interruption, and policy manipulation, select the Enable Access Protection checkbox.

d To provide the administrator with ability to generate release code, select the Request Release key for manual uninstall checkbox.

e Define the Client Logging level.

Tasks

• Configure the proxy servers on page 37

Configure the proxy servers for McAfee Client Proxy to redirect network traffic. • Configure the bypass list on page 38

Configure and add the web definitions to the bypass list that end-user computers directly connect to by bypassing the policy.

• Configure the block list on page 38

To reduce the amount of network traffic redirected to the proxy server, configure and add processes to the block list that are permanently blocked from communicating with the

Configuring Client Proxy using the Control Console

(38)

3 Add proxy servers to the policy.

a In the Proxy Server Address field, type the proxy server IP address or host name.

b In the Port field, type the port for the proxy server.

c To direct HTTP/HTTPS requests to the Web Gateway or SaaS Web Protection servers, select Yes from the HTTP/HTTPS drop-down list.

d In the Non-HTTP/HTTPS Redirected Ports field, type the non-HTTP/HTTPS redirected ports. For non-HTTP/HTTPS protocols, make sure the server supports the protocol. 4 Configure the remaining options.

a In the Additional Ports field, type any additional ports to redirect as HTTP/HTTPS traffic.

b To bypass Client Proxy for local addresses in your internal network, select the Bypass the McAfee Client Proxy for local addresses checkbox.

To remove a proxy server, click Delete.

Configure the bypass list

Configure and add the web definitions to the bypass list that end-user computers directly connect to by bypassing the policy.

Task

1 Click the Bypass List tab.

2 Click New.

3 From the Type drop-down list, select a type.

4 In the Value field, type the value.

To remove a definition from the bypass list, click Delete.

Configure the block list

To reduce the amount of network traffic redirected to the proxy server, configure and add processes to the block list that are permanently blocked from communicating with the network.

Task

1 Click the Block List tab.

2 Click New.

3 In the Executable Name field, type a value.

To remove a process from the block list, click Delete.

(39)

Deploy to end-user computers using other systems

We recommend using McAfee ePO to deploy McAfee endpoint software products.

Various methods of manual deployment are possible in cases where deployment with McAfee ePO is either unfeasible or not wanted. One such method is described in McAfee KnowledgeBase article

KB59769. After deploying the client software with one of these methods, deploy the policy manually.

Task

1 Create a policy in Web Gateway or SaaS Web Protection. Save the policy to a file named mcppolicy.opg.

2 Copy the policy file to the following folder on the Mac OS X endpoint computer: /usr/local/ McAfee/Mcp/policy/.

View status and configuration details

View status and configuration details using the McAfee menulet.

Task

1 From your OS X-based system, click the McAfee menulet and select About McAfee Endpoint Protection for

Mac.

In the Client Proxy section, the following information is displayed:

• Client Proxy version and build number • Policy modified date • Policy name • Proxy server

• Policy revision

2 From the menulet, select the dashboard.

The message: Client Proxy: Redirecting indicates that you are connected to the proxy server.

Suspend policy enforcement

To temporarily cancel policy enforcement on end-user computers, end users request a release code from the administrator.

The end user requests a release code for their computer. The administrator uses Help Desk to create and issue the code, which is valid for a specified time period. The procedure is described in the

Configuring and using McAfee Client Proxy with McAfee ePO chapter.

Configuring Client Proxy using the Control Console

(40)

(41)

7

Maintaining McAfee Client Proxy on your

system

View the Client Proxy status and configuration details, or uninstall the software from the administrator operating system.

Contents

Upgrade McAfee Client Proxy on your system Install a hotfix

Uninstall McAfee Client Proxy

Upgrade McAfee Client Proxy on your system

Download and install the latest version of Client Proxy.

Upgrading Client Proxy requires manual installation or use of a third-party deployment solution, depending on the number of endpoint computers to be upgraded.

Task

1 Copy all existing policy files to a temporary file on your system.

4 Select Software | McAfeeWeb Gateway | Tools | McAfee Client Proxy

(42)

Install a hotfix

McAfee occasionally releases Client Proxy hotfixes to address product issues.

If the hotfix includes release notes, use the release notes instructions to install the hotfix. If the hotfix does not have release notes, use the following task.

Task

3 Select Software | McAfee Web Gateway | Tools | McAfee Client Proxy.

4 Select and save the hotfix installation file for your operating system.

5 Run the hotfix installation file.

6 Follow the on-screen prompts to complete the installation.

Uninstall McAfee Client Proxy

To fully uninstall Client Proxy, remove the software from the administrator operating system.

(43)

Index

A

about this guide 5

access protection 17, 20

active directory groups 17, 20

C

conventions and icons used in this guide 6

corporate network detection 17, 20

corporate VPN detection 17, 20

customer ID 17, 20

D

deployment options 9

documentation

audience for this guide 5

product-specific, finding 5

typographical conventions and icons 6

E

end-user computer requirements 14, 33

ePolicy Orchestrator 8

H

hardware requirements 14, 33

I

installation hotfix 28, 42 product files 14, 34

L

McAfee ePO (continued) deploy 9, 16

end-user installation data, view 22

extension, install 15

extension, remove 29

package, check in 15

package, remove 29

policy, configure 19

Proxy Server List, configure 19

upgrade the software 27

McAfee SaaS Control Console block list, configure 38

bypass list, configure 38

proxy servers, configure 37

McAfee SaaS Web Protection service 19

McAfee SaaS Web Protection Service 17, 35, 37

McAfee ServicePortal, accessing 5

McAfee Web Gateway 8, 17, 19, 35, 37

McAfee Web Protection Service 8

O

operating system requirements 14, 33

(44)

R

release code 24, 39

reports 22

S

server software requirements 14, 33

ServicePortal, finding product documentation 5

setup

system requirements 14, 33

status and configuration details 39

supported management platform versions 13

T

technical support, finding product information 5

traffic redirection 17, 20

U

upgrade the software 41

V

(45)