MWG Installation 10.1.x IG-INSTALLATION-0521-EN
TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes,
McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee,
LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
1 Installation overview
Which type of installation do you need?
First-time installation workflow
Upgrade installation workflow
AWS environment installation workflow
Azure platform installation workflow
Blade server installation workflow
2 System requirements
Physical and virtual appliances
System requirements for a physical appliance
System requirements for a virtual appliance
AWS environment requirements
Azure platform requirements
Blade servers as hardware platforms
8 Install Web Gateway in L2 Transparent mode as a virtual cloud resource on AWS or Azure
Install Web Gateway in L2 Transparent mode as a virtual cloud resource on AWS
Install Web Gateway in L2 Transparent mode as a virtual cloud resource on Azure
10 Troubleshooting installation
Solve problems with connecting to download servers
Activate Web Gateway with a temporary license key
Reimage a Web Gateway appliance
Upgrading Web Gateway with the mwg-update tool
Upgrade Web Gateway offline with the mwg-update tool
mwg-update command line tool
Working with Web Gateway using a browser without Java support
Contents
Which type of installation do you need?
First-time installation workflow
Upgrade installation workflow
AWS environment installation workflow
Azure platform installation workflow
Blade server installation workflow
First-time installation
When you install Web Gateway for the first time in your local network, you can install it as a physical or virtual
appliance.
• Physical appliance
If you install Web Gateway as a physical appliance, you set it up on a hardware platform. The appliance
software is preinstalled or can be downloaded.
• Preinstalled software — When you purchase a new hardware platform for Web Gateway, the appliance
software is preinstalled on this platform.
• Downloaded software — You download the software in ISO or USB format from the Content & Cloud
Security Portal, then install it.
• Virtual appliance
If you install Web Gateway as a virtual appliance, you set it up on a virtual machine that you create on a
suitable host system.
You download the appliance software in ISO format from the Content & Cloud Security Portal, then install it.
Upgrade installation
When you have already installed Web Gateway in your local network, you can upgrade the appliance software
after a new version or an update is released.
You can install an upgrade on the Web Gateway interface or from a system console that is connected to the
appliance system.
• Main release
After three new versions of Web Gateway have been released, an update of the third version, usually the
second or third update, is provided as a main release.
For example, after versions 8.0, 8.1, and 8.2 are released, the 8.2.2 update might be released as a main
release.
• Controlled release
All new versions and updates that are not released as main releases are controlled releases.
You can upgrade to every controlled release or upgrade only when a main release happens.
A new version is usually released every four months, so it takes a year until three of them have been released.
This means that if you only upgrade to main releases, you upgrade once in a year.
It also means, however, that you'll have to wait longer for the new features and enhancements that are
included in every new product version.
1 Make sure the system requirements are met for the type of installation that you want to complete.
• When installing Web Gateway as a physical appliance that runs on a hardware platform with preinstalled
software, connect and turn on the hardware platform.
• When setting up Web Gateway as a physical appliance running on a hardware platform with downloaded
software:
• Download the software and copy it to some installation media.
• Connect the hardware platform and insert the installation media, then turn it on.
4 Accept the default initial configuration settings or implement your own settings.
After completing the installation, you can work with Web Gateway and use its features to protect your network
against threats arising from the web.
You can upgrade from the Web Gateway interface or a system console.
1 Download a software image of the new version from the Content & Cloud Security Portal.
1 From a system console, connect to the appliance where you want to upgrade.
3 Continue with the upgrade from the Web Gateway interface or the system console.
1 From a system console, connect to the appliance where you want to upgrade.
3 Upgrade to version 7.8.2 from the Web Gateway interface or the system console. Complete the same
steps as for upgrading from version 7.8.2 or later.
4 After completing the upgrade to version 7.8.2, upgrade to the new version:
a From a system console, connect to the appliance where you want to upgrade.
c Upgrade from the Web Gateway interface or the system console. Complete the same steps as for
upgrading from version 7.8.2 or later.
1 Download a software image of the new version from the Content & Cloud Security Portal.
1 Choose an Amazon instance type based on the amount of web traffic that will pass through Web Gateway
according to your planning.
2 Create or import a pair of SSH keys, which are required for authentication when you access an instance of
Web Gateway within AWS.
After connecting to Web Gateway, you can log on to its interface and work with its features within the AWS
environment.
3 Configure Network Address Translation to enable Internet access for Web Gateway.
4 Use Hyper-V to install the downloaded Web Gateway appliance software on another virtual machine that is
hosted by the server.
After completing the installation, you can log on to the Web Gateway interface and work with its features.
1 Get the blade system enclosure ready for installing Web Gateway.
2 Download the Web Gateway appliance software from the Content & Cloud Security Portal and use one of
the following devices to install the software on a blade server.
Each of the devices can be used with one or two types of enclosure.
• Transparent router
When you have completed the installation, you can log on to the Web Gateway interface and work with its
features to protect your network.
Contents
Physical and virtual appliances
System requirements for a physical appliance
System requirements for a virtual appliance
AWS environment requirements
Azure platform requirements
Blade servers as hardware platforms
Shipped items
• Hardware platform (models vary) with appliance software
The recommended minimum memory size on a hardware platform is 8 GB. If you are using an older model
with less than this memory, you can upgrade.
• Power cord
• Network cables
• USB-PS/2 adapter cable (if you use a PS/2 keyboard for the initial configuration)
Installation media (CD/DVD and USB drive) with the appliance software were also shipped to you. They are not
required for the installation, but you can use them for re-imaging the appliance.
• Oracle Java Runtime Environment (JRE), version 1.8, also referred to as Java 8, or later
JRE is required if you need Java support for working with the Web Gateway interface. You can, however,
work with this interface without Java support.
This browser allows you to work with the Web Gateway interface. You can, however, work with this
interface without using a browser.
• VMware ESXi
The following table shows the versions of VMware ESXi that we recommend for use with particular versions of
Web Gateway. VMware versions that are not recommended can still be run.
We further recommend using the latest update of the recommended VMware version, ESXi 6.0, ESXi 6.5, and so
on, that you are actually working with.
We also recommend this for Web Gateway (MWG). Use the latest update of the particular version, MWG 7.8.x.x,
8.x.x, and so on, that you are working with.
No = Not recommended
Yes = Recommended
Virtual machine
Specifications depend on how you are using a virtual appliance.
Setup procedures differ for each VMware type. The following table provides some more common setup
parameters and values. Parameter names can also differ.
For parameters that are not listed, use the default values in the procedures.
• For MWG 7.6.1, 7.6.2, 7.7.0, 7.7.1, 7.7.2, 7.8.0, and 7.8.1:
For this reason, the default settings must be changed to let the virtual appliance use a static MAC address.
• AMI ID — ID for an instance of Web Gateway that you want to set up in an AWS environment
This ID is displayed on the AWS console that is used for the setup when the instance is ready for launching.
By comparing the displayed number with the number in a list, you can verify that this is indeed the instance
that you want to launch.
The instance ID changes for an instance when it is run in different regions. The mapping of IDs to regions
can also be looked up in a list.
• AWS account number — Number of the Amazon Web Services account that is owned by McAfee
The account number is also displayed on the AWS console when an instance is ready for launching.
For the list of valid AMI IDs and regions, as well as for the account number, see the download section of the
McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/software_mwg7_download.
For Web Gateway, only Amazon instance types belonging to the HVM type group are supported.
Which instance type you choose depends on what you plan to use the Web Gateway instance for, for example,
testing or production.
You should also take into account network performance and the number of NICs that you plan to run with the
instance.
The following table shows some common use cases and Amazon instance types that you can choose.
Web caching is not included among the features of Web Gateway when run in an AWS environment, which
reduces the requirements for available hard-disk space.
System requirements
This is required to complete the installation:
• Azure account
• AzCopy
You should also consider network performance and the number of NICs that you plan to run with Web
Gateway.
This table shows some common use cases and Azure size types from which you can choose.
Web caching is not included among the features of Web Gateway when run on Azure, which reduces the
requirements for available hard-disk space.
Table 2-5 Specifications for the size type of an Azure virtual machine
Use | RAM (in GB) | Hard-disk space (in GB) | CPU cores | Azure size types
Functional testing (user interface based on Java applet or desktop client) | 4 | 80 | 4 | Standard_B2s
Functional testing (HTML-based user interface) | 8 | 80 | 4 | Standard_B2ms, Standard_D2s_v3
Restrictions
These network modes, which can be configured for Web Gateway in other environments, are not supported on
Azure:
• Proxy HA
• Transparent Router
• ProLiant BL460c G8
• M3 (c3000)
• M7 (c7000)
Contents
Set up a physical appliance with preinstalled software
Set up a physical appliance with downloaded software
Set up a virtual appliance
Set up a virtual appliance with Hyper-V
Implement the initial configuration settings
Log on to the Web Gateway interface
Activate Web Gateway
License replacement
Configure more initial settings
Default serial system console settings
Enable additional mitigation for CPU vulnerabilities
Restrictions when running Web Gateway in FIPS-compliant mode
Task
1 Connect the appliance to power and the network.
4 Work with the configuration wizard to implement the initial configuration settings.
After implementing the initial configuration settings, you can log on to the interface and activate the Web
Gateway appliance.
When the appliance is activated, you can perform other administration activities on the user interface. As one of
these activities, we strongly recommend updating the appliance software.
When this update is performed, the appliance software is upgraded to the latest update of the version that is
preinstalled.
For example, if version 7.8.1.2 is preinstalled, which belongs to version 7.8.1, and the latest update within this
range is 7.8.1.3, the software on your Web Gateway appliance is upgraded to this version.
Task
1 Use a browser to go to the McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/.
3 Beginning on the home page of the portal, select Software | McAfee Web Gateway 7 | Download.
4 Click the icon for the exact software version you want to download.
6 Copy the downloaded software to a CD/DVD or a USB drive to have it available for the installation.
Task
1 Connect the appliance to power and the network.
3 Insert the CD/DVD or the USB drive with the downloaded software.
• Select the drive for the CD/DVD or USB format, then press Enter.
• Select the option that assigns the CD/DVD or USB drive the highest priority.
• Select Boot Manager and select the drive for the CD/DVD or USB format. Then press Enter.
• Select the drive for the CD/DVD or USB format, then press Enter.
If you select the FIPS mode, several restrictions are imposed on running Web Gateway to meet the
requirements of this United States federal security standard.
The downloaded software is installed on the appliance. When this installation is completed, the
configuration wizard appears.
You can now work with the configuration wizard to implement the initial configuration settings.
See also
Restrictions when running Web Gateway in FIPS-compliant mode on page 35
Task
1 Use a browser to go to the McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/.
3 Beginning on the home page of the portal, select Software | McAfee Web Gateway 7 | Download.
4 Click the ISO icon for the exact software version you want to download.
Task
1 Connect a keyboard and monitor to a suitable host system.
The appliance software is installed on the virtual machine. When this installation is completed, the
configuration wizard appears on the monitor of the host system.
You can now work with the configuration wizard to implement the initial configuration settings.
If your VMware type is ESXi and you are running a vSphere client, you can use one of the following methods to
make the appliance software available on the host system:
• Insert a CD/DVD with the appliance software into the host system (as was already described)
• Store the appliance software on a local disk or the data store of the host system
• Store the appliance software on a USB drive and insert it into the host system
Multiple virtual appliances can be set up this way on one hardware system, allowing you to work with multiple
separate operating systems.
Task
1 Install a suitable Microsoft Windows server product on the system where you want to run Web Gateway.
When configuring the virtual appliance settings, make sure that dynamic memory is disabled, as this
feature is not supported on Web Gateway.
For more detailed information about how to perform this setup, see the Microsoft Windows documentation on
Hyper-V and KB85837.
Task
1 Press Esc in response to all prompts of the configuration wizard until the root password is configured.
2 When asked for the root password, enter and repeat it, then confirm it with OK.
3 When asked to allow remote root logon with SSH, click Yes or No.
When the initial configuration settings are implemented, the appliance restarts and the appliance volume
wizard appears to let you resize the volume of the web cache.
For more information, refer to the System configuration chapter of the McAfee Web Gateway Product Guide.
After completing the initial configuration, with or without resizing the web cache, you can log on to the user
interface.
Task
1 In the wizard windows, configure the following:
• Primary network interface
If you plan to configure the explicit proxy mode with High Availability functions (Proxy HA) later on,
we strongly recommend not entering a virtual IP address here.
• Host name
2 Review the summary that is displayed after configuring the first settings.
• If you approve of the summary, confirm and configure the remaining settings:
• Root password
The installation is completed with your initial configuration settings and the IP address is displayed.
When the initial configuration settings are implemented, the appliance restarts and the appliance volume
wizard appears to let you resize the volume of the web cache.
For more information, refer to the System configuration chapter of the McAfee Web Gateway Product Guide.
After completing the initial configuration, with or without resizing the web cache, you can log on to the user
interface.
In each case, the procedure begins with accessing the logon options window for Web Gateway through a
browser.
Task
1 Open a browser on your administration system for Web Gateway and go to one of the following:
• http://<IP address>:4711
• https://<IP address>:4712
<IP address> is the IP address that was specified during the initial configuration.
If the credentials that you submit are invalid, a message informs you about it. You must wait about five
seconds until you can repeat your logon attempt. The short-term blocking does not apply to another
administrator trying to log on during this time.
• To run the interface as a Java applet in your browser: Enter admin as the user name and webgateway as
the password, then click Login.
When you have completed the wizard activities, the interface appears and you can start working with
Web Gateway.
2 Click Open, Continue, and similar buttons in the windows that open during the logon process.
3 When the logon window has opened, enter admin as the user name and webgateway as the
password, then click Login.
When you have completed the wizard activities, the interface appears and you can start working with
Web Gateway.
2 In the logon window that opens, enter admin as the user name and webgateway as the password,
then click Login.
When you have completed the wizard activities, the interface appears and you can start working with
Web Gateway.
You must agree to the content of the online documents if you want to activate the product.
For the licensing procedure, a file with a license key was sent to you. If you have not received it, contact McAfee
support. In the meantime, you can use a temporary key.
Task
1 In the License section of the setup wizard, click End User License Agreement and review the agreement. If you
agree to it, select the corresponding checkbox.
2 Click Data Usage Statement and review the statement. If you agree to it, select the corresponding checkbox.
3 Click Browse and use the file manager that opens to select the file with the license key, then click OK.
If you are using a browser without Java support for working with Web Gateway, complete the import of the
license key file in the additional window that is provided.
Web Gateway is activated and an initial download of files begins to update the information used by the
anti-malware and URL filtering modules (engines).
Download progress is indicated by a progress bar at the bottom and explained by a status label.
This completes the setup procedure. You can now work with the user interface to perform more
administration activities.
If you want to configure settings for data collection, configure them and click Save Changes when you are
done. For more information, refer to the Data Usage Statement.
Be sure not to click Save Changes to save any other settings before configuring data collection (if you want
to do it at all), as data collection starts when this button is clicked for the first time.
For more information on how to work with the user interface, refer to the McAfee Web Gateway Product
Guide.
The download progress remains visible while you continue with the wizard.
If the download fails, an error message appears and the Network solutions section becomes accessible in the
navigation area. This section allows you to solve problems with connecting to the download servers.
License replacement
When something changes about the order that you issued to purchase one or more Web Gateway appliances
from McAfee, your old license is replaced with a new one.
Your order will, for example, change when you purchase more appliances for your Web Gateway appliance
cluster. Your old license is then disabled and a new license created. To implement it, you must log on to the user
interface, activate Web Gateway, and import the new license.
McAfee sends the new license with the license key to the contact that is associated with your customer account.
This means that some delay can occur before a new license is actually available for implementation on an
appliance.
While an old license is disabled and no new license has been implemented yet, you can continue operating Web
Gateway. However, updates of the information that the web filters on an appliance retrieve from the update
servers cannot be performed during this time.
• Log entry — An entry is written into the update log stating that your license is disabled.
• Incidents — An incident is created to record that your license is enabled. Another incident records that no
updates can currently be retrieved for the web filters.
The alert message includes the ID of the appliance that the disabled license was issued for. When an
appliance is running as a node in a cluster of Web Gateway appliances, the node number is also provided.
Task
1 In the Time zone section of the wizard, select a time zone for the Web Gateway appliance or leave the default
zone (UTC).
2 On the Network interfaces tab of the Network settings section, configure the following:
• In the Host name / Fully qualified domain name field, type a host name for the appliance.
• In the Default gateway (IPv4) or Default gateway (IPv6) fields, type an IP address in IPv4 or IPv6 format.
To configure the default gateway address dynamically, select Obtain automatically (DHCP) under IP settings.
Do not configure more than one DHCP interface because proper operation is not ensured. If
you set up Web Gateway in an AWS environment, we recommend configuring the first
(default) network interface using DHCP. This reduces the risk of losing access to the respective
AWS instance.
3 On the Domain name servers tab of the Network settings section, type IP addresses for up to three DNS servers.
The wizard closes and the user interface becomes accessible. A message asks if you want to save the
configuration.
You can enable this mitigation by selecting a suitable option from a menu that is shown on your administration
system when an appliance starts. You can also have an option permanently selected by editing a system file.
The mitigation can be enabled on the Web Gateway appliance models where hyper-threading is used:
It cannot be enabled on the WBG-5000-C models where the relevant microcode is not available yet.
Task
1 When an appliance starts, wait until these menus are shown on your administration system.
2 Select an option from the second (no SMT) or third (no microcode) menu, depending on whether you want to
enable additional mitigation or load no microcode at all.
• Advanced options for McAfee Web Gateway (no SMT) — Provides options for proceeding with
additional mitigation.
These options are for disabling hyper-threading on CPUs, which mitigates their risk of being affected by
several vulnerabilities.
• Advanced options for McAfee Web Gateway (no microcode) — Provides options for proceeding
without loading microcode.
Not loading the microcode exposes CPUs to vulnerabilities caused by hyper-threading, as well as to
various other vulnerabilities. We recommend not selecting an option from this menu unless it is required
to solve issues with stability or with starting an appliance.
3 To enable any of these options permanently, edit the /etc/default/grub system file.
a Append a line for the GRUB_DEFAULT parameter as follows:
GRUB_DEFAULT='2>0'
The parameter values serve to select a menu and an option, with option numbering beginning at 0. For
example, '2 > 0' selects the first option of the second menu.
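The following audit script is an added example, not part of the McAfee guide. It reports which menu and option a grub defaults file selects after the GRUB_DEFAULT line is appended, and reads the running SMT state. The function names, the mapping of index 3 to the "no microcode" menu, and the availability of the Linux sysfs file `/sys/devices/system/cpu/smt/control` on the appliance are assumptions.

```shell
#!/bin/sh
# Added example, not from the Web Gateway guide: report which GRUB menu and
# option a grub defaults file selects once a GRUB_DEFAULT line is appended.

# Print the effective GRUB_DEFAULT value of the file named in $1.
# The file is read as shell variable assignments, so when the parameter is
# assigned more than once the last uncommented line wins. This is why an
# appended line overrides an earlier GRUB_DEFAULT setting.
effective_grub_default() {
    sed -n 's/^[[:space:]]*GRUB_DEFAULT=//p' "$1" | tail -n 1 |
        sed -e "s/^[\"']//" -e "s/[\"'][[:space:]]*\$//"
}

# Classify a value of the form MENU>OPTION (spaces around '>' are ignored).
# Assumption: index 2 is the "no SMT" menu, following the guide's '2>0'
# example, and index 3 is the "no microcode" menu listed after it.
classify_grub_default() {
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    if [ -z "$value" ]; then
        echo "unset"
    elif ! printf '%s\n' "$value" | grep -Eq '^[0-9]+>[0-9]+$'; then
        echo "not-menu-option"
    else
        case "${value%%>*}" in
            2) echo "no-smt" ;;
            3) echo "no-microcode" ;;
            *) echo "other-menu" ;;
        esac
    fi
}

# Report the running SMT state. Assumption: the kernel exposes the Linux
# sysfs control file below; pass another path as $1 to check offline.
smt_state() {
    ctl=${1:-/sys/devices/system/cpu/smt/control}
    if [ -r "$ctl" ]; then cat "$ctl"; else echo "unknown"; fi
}

# One-line audit result: "<value> <classification>".
audit_grub_file() {
    v=$(effective_grub_default "$1")
    printf '%s %s\n' "${v:-<unset>}" "$(classify_grub_default "$v")"
}

# Constructed sample of /etc/default/grub after appending the line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
# GRUB_DEFAULT='3>0'
GRUB_DEFAULT='2>0'
EOF
audit_grub_file "$sample"
echo "SMT control: $(smt_state)"
rm -f "$sample"
```

A result of `no-microcode` deserves review, because the guide recommends that menu only for stability or startup problems.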
• System files integrity — System files, which are files containing settings for functions of the Web Gateway
appliance system, cannot be modified.
An example of a system file is the /etc/hosts file, which contains entries for IP addresses and host names,
including the local IP address and host name of the appliance itself.
In other modes, system files can be edited using the File Editor on Web Gateway. This editor is removed
from the user interface in FIPS-compliant mode.
• Root password not resettable — The root password, which is required for working with the command line
interface on a system console that is connected to Web Gateway, cannot be reset.
Accessing Web Gateway as root administrator on the operating system level is then no longer possible.
In other modes, this password can be reset using an option on the troubleshooting menu of Web Gateway.
• No scheduled jobs for yum commands — Commands of the yum type, which are usually run manually on
a system console that is connected to Web Gateway in order to perform product upgrades, cannot be run as
scheduled jobs.
Examples of yum commands are yum upgrade or mwg-switch-repo, which is used to switch to a suitable
software repository.
In other modes, these commands can be run as scheduled jobs, which run unattended at a given time and
are configured using the Central Management functions of Web Gateway.
• No HSM support for SSL scanning — When the SSL scanner is used on Web Gateway to inspect and filter
HTTPS traffic, private certificate keys cannot be stored on a Hardware Security Module (HSM), which is a
separate physical device that is connected to Web Gateway.
In other modes, HSM devices for storing private certificate keys can be installed and configured to run with
Web Gateway.
See also
Install the downloaded software on a physical appliance on page 26
Contents
Version numbering
Main and controlled releases
Upgrading to a new version provided as a main release
Upgrading to a new version provided as a controlled release
Reimage an appliance using virtual RMM media
Version numbering
Version numbering for Web Gateway uses a particular numbering scheme for different types of product
versions.
Beginning with MWG 8.0, versions are numbered like this:
A hotfix usually resolves an issue that occurred at a particular customer's site and is provided only to this
customer.
For example, MWG 8.0, MWG 8.1, and MWG 8.2 are iterations of the Copper version group.
When a new version group begins, the first digit of the version number changes. For example, the Copper
version group will be followed by the Zinc version group, which will include MWG 9.0, MWG 9.1, and MWG 9.2.
The distinction between major and minor product versions is irrelevant for Web Gateway.
A version number with two digits can also be specified with three digits, for example, as 8.1 or 8.1.0.
With every update that follows a new version, Web Gateway development resolves issues that still occurred.
After a few updates are released with issues resolved, an update follows that is first provided as a controlled
and then as a main release, which means the updated version is now considered stable.
• Upgrade to all new versions and updates, including main and controlled releases
If you want to benefit from the new features and enhancements that a particular new version provides, you
might prefer not to wait until an update of this version is provided as a main release.
In that case, you will prefer to upgrade to a new version immediately or to one of its first updates. You can also
upgrade to any new version or update without following a pattern.
Create a configuration backup before you upgrade and be sure to save it in an external location, so it is still
available in case you cannot access Web Gateway after a failed upgrade.
• 7.3.x or later — Upgrade to the new version from the Web Gateway interface or from a system console.
• 7.2.x or earlier 7.x, 6.9.x, or 6.8.x — Reimage the appliance using an image of the new version.
Download an image of the new version from the download page of the McAfee Content & Cloud Security
Portal at https://contentsecurity.mcafee.com/software_mwg7_download.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance where you want to perform the upgrade.
When the upgrade is complete, a message informs you about the completion.
If you are running Web Gateway as an appliance on a virtual machine, a warning also appears on the host
system where you created the virtual machine. You are warned that an operating system is being used that
is not recommended.
To optimize the operation of the virtual machine, adapt its settings by configuring the recommended
operating system, which is CentOS, 64 bit, version 7.
When the restart is complete, you can again log on to the interface and start working with the new version.
You can use the tmux multiplexer that Web Gateway has installed.
Task
1 Log on to the appliance where you want to perform the upgrade.
yum upgrade
When the upgrade is complete, a message informs you about the completion.
If you are running Web Gateway as an appliance on a virtual machine, a warning also appears on the host
system where you created the virtual machine. You are warned that an operating system is being used that
is not recommended.
To optimize the operation of the virtual machine, adapt its settings by configuring the recommended
operating system, which is CentOS, 64 bit, version 7.
3 To perform the restart of the appliance that is required, run this command:
reboot
When the restart is complete, a logon prompt appears. You can now log on to the Web Gateway interface and
start working with the new version.
Create a configuration backup before you upgrade and be sure to save it in an external location, so it is still
available in case you cannot access Web Gateway after a failed upgrade.
• 7.8.2 or later — Activate the repository for the new version and upgrade to it from the Web Gateway
interface or from a system console.
• 7.3.x to 7.8.1.x — Upgrade to version 7.8.2 first, then upgrade to the new version, proceeding as follows:
• Activate the repository for version 7.8.2 and upgrade to this version from the Web Gateway interface or
from a system console.
• Activate the repository for the new version and upgrade to it in one of the ways described.
• 7.2.x or earlier 7.x, 6.9.x, or 6.8.x — Re-image the appliance using an image of the new version.
Download an image of the new version from the download page of the McAfee Content & Cloud Security
Portal at https://contentsecurity.mcafee.com/software_mwg7_download.
You can use the tmux multiplexer that Web Gateway has installed.
Task
1 Log on to the appliance where you want to perform the upgrade.
When upgrading to version 7.8.2, which can be required as an intermediate step for upgrading to the new
version, type 7.8.2.
You can now upgrade to the new version from the Web Gateway interface or from a system console.
Task
1 Select Configuration | Appliances.
2 On the appliances tree, select the appliance where you want to perform the upgrade.
When the upgrade is complete, a message informs you about the completion.
If you are running Web Gateway as an appliance on a virtual machine, a warning also appears on the host
system where you created the virtual machine. You are warned that an operating system is being used that
is not recommended.
To optimize the operation of the virtual machine, adapt its settings by configuring the recommended
operating system, which is CentOS, 64 bit, version 7.
When the restart is complete, you can again log on to the interface and start working with the new version.
You can use the tmux multiplexer that Web Gateway has installed.
Task
1 Log on to the appliance where you want to perform the upgrade.
yum upgrade
When the upgrade is complete, a message informs you about the completion.
If you are running Web Gateway as an appliance on a virtual machine, a warning also appears on the host
system where you created the virtual machine. You are warned that an operating system is being used that
is not recommended.
To optimize the operation of the virtual machine, adapt its settings by configuring the recommended
operating system, which is CentOS, 64 bit, version 7.
3 To perform the restart of the appliance that is required, run this command:
reboot
When the restart is complete, a logon prompt appears. You can now log on to the Web Gateway interface and
start working with the new version.
Task
1 Download the Web Gateway .iso image file to the system you are using to connect to the RMM virtual media.
a On this system, open a browser and go to the McAfee Content & Cloud Security Portal at
https://contentsecurity.mcafee.com.
d Click the icon for the .iso file version you want to download.
3 On the system for connecting to the RMM virtual media, open a browser and go to:
https://<RMM IP address>
When prompted for credentials, submit the credentials you logged on with to the appliance.
4 Select the .iso file and complete these substeps to use the RMM virtual media for the reimaging process.
a On the Remote Control tab, click Launch Console.
b On the Device tab, select Redirect ISO. Then browse to the .iso file and select it.
c On the Remote Control tab, select Server Power Control | Power Cycle Server.
If you do not deselect Redirect ISO, the reimaging that is performed after the next restart will
remove your current configuration and reset the appliance to the default values.
5 Restart the appliance, choose an installation mode, and follow the wizard's instructions to complete the
installation.
The installation uses the .iso file that has been made available by the RMM virtual media to reimage the
appliance.
Contents
Create a key pair for SSH authentication
Import a key pair for SSH authentication
Install a Web Gateway instance within AWS
Connect to a Web Gateway instance within AWS
Task
1 On the AWS Web Console, select the region where you want to set up Web Gateway from the drop-down
menu in the upper right corner.
2 Navigate to the Services menu in the upper left corner and select EC2.
A key pair file is generated and downloaded to the system that the AWS Web Console is connected to.
To connect to a Web Gateway instance within AWS using PuTTY, convert the .pem file into the .ppk format, which
is supported by PuTTY.
Task
1 On the AWS Web Console, navigate to the Services menu in the upper left corner and select EC2.
3 Click Import Key Pair, then browse to a key pair and select it.
A file with the selected key pair is downloaded to the system that the AWS Web Console is connected to.
Task
1 On the AWS Web Console, navigate to the Services menu in the upper left corner, then select EC2.
b Click Next: Configure Instance Details and in the Network list that appears make sure that the default VPC
(Virtual Private Cloud) is selected.
The instance is set up in a Virtual Private Cloud. Every AWS account created after December 4, 2013, has
a default VPC ready to use within each AWS region.
c Click Next: Add Storage and increase the size of the hard disk drive to at least 80 GB.
d (Optional) Click Next: Add Tags and add a key-value pair to tag the instance.
This step is not required, but enables you to categorize instances, for example, by owner or purpose.
b Change the default name of the security group, for example, to MWG-security-group.
c Configure rules for the security group, such as these sample rules.
Table 5-1 Rules for a security group
Type                 Protocol  Port  Source  Use
SSH rule             TCP       22    my IP   SSH access
Customized TCP rule  TCP       9090  my IP   Proxy port
Customized TCP rule  TCP       4712  my IP   Admin user interface HTTPS
These rules ensure that the configured ports on Web Gateway cannot be accessed by anyone other than
yourself.
For testing and production, change access to the ports according to your considerations. For a complete
list of ports used by Web Gateway, see KB86010.
b Review what you have configured and make changes if necessary, then click Launch.
When reviewing the configuration, make sure that the AMI ID of your instance and the AWS account
number are also correct.
c Select the SSH key pair that you created, then click Launch Instances.
When the status in the Status Checks column changes to 2/2 checks passed, the instance is ready to use.
You can now connect to the instance and log on to its interface.
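The following added example (not part of the McAfee guide) checks that a security group still matches the intent of Table 5-1, that is, that ports 22, 9090, and 4712 are reachable only from your own address. It assumes you have saved the JSON output of aws ec2 describe-security-groups; the sample data, the admin address 203.0.113.10/32, and the function names are constructed for illustration.

```python
import ipaddress
import json

# Ports from Table 5-1 and what they are used for.
MWG_PORTS = {22: "SSH access", 9090: "Proxy port", 4712: "Admin user interface HTTPS"}

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# It is not real account data.
SAMPLE = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupName": "MWG-security-group",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 9090, "ToPort": 9090,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 4712, "ToPort": 4712,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 4000, "ToPort": 5000,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}
      ]
    }
  ]
}
""")


def covers(perm, port):
    """Return True if an IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: every protocol and port
        return True
    if proto not in ("tcp", "6"):
        return False
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None:
        return True
    return low <= port <= high


def sources(perm):
    """Yield the IPv4 and IPv6 CIDR sources of a rule.

    Rules that reference another security group are not CIDR based and are
    left out of this check.
    """
    for entry in perm.get("IpRanges", []):
        yield entry["CidrIp"]
    for entry in perm.get("Ipv6Ranges", []):
        yield entry["CidrIpv6"]


def audit(groups, admin_cidrs, ports=MWG_PORTS):
    """Return (group, port, cidr) for every source outside admin_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for group in groups["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            for port in ports:
                if not covers(perm, port):
                    continue
                for cidr in sources(perm):
                    net = ipaddress.ip_network(cidr, strict=False)
                    inside = any(
                        net.version == a.version and net.subnet_of(a)
                        for a in allowed
                    )
                    if not inside:
                        findings.append((group["GroupName"], port, cidr))
    return sorted(findings)


if __name__ == "__main__":
    for name, port, cidr in audit(SAMPLE, ["203.0.113.10/32"]):
        print(f"{name}: port {port} ({MWG_PORTS[port]}) is open to {cidr}")
```

The port-range rule and the IPv6 rule in the sample are the two cases that are easy to miss when you review the rules by eye in the console.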
Task
1 On the AWS Web Console, navigate to the Services menu in the upper right corner, then select EC2.
2 Select Instances and right-click the name of the Web Gateway instance.
3 Select Connect and execute the commands for connecting to the instance described in the window that
opens.
When performing the SSH authentication command, be sure not to use root, as it reads in the description,
but the ec2 user name, which also includes the domain, for example:
4 Next to the command line prompt that appears after you have successfully authenticated, type ec2-user
and submit.
A password is shown, which is the one that is required for logging on to the user interface of Web Gateway.
https://foo.eu-west-2.compute.amazonaws.com:4712
b When prompted for your credentials, submit admin as the user name and the password that was shown
before.
After logging on to the user interface successfully, you can work with the web security features that are
provided by Web Gateway.
Contents
Set up Web Gateway on Azure with a script
Set up Web Gateway on Azure with the Azure command line interface
Look up and configure access parameters for Web Gateway on Azure
Task
1 Download the Web Gateway software and the script.
a Open a browser and go to the McAfee Content & Cloud Security Portal at
https://contentsecurity.mcafee.com/.
b Download the VHD file with the Web Gateway software to a directory on your system.
While the script is executed, several options are presented. Follow the instructions and select suitable
options until the script finishes.
Web Gateway is now installed as a virtual machine on an Azure platform. Continue with looking up and
configuring access parameters for Web Gateway.
For more information, see the community pages that are provided for Web Gateway on Azure beta.
See also
Set up Web Gateway on Azure with the Azure command line interface
Look up and configure access parameters for Web Gateway on Azure
Azure platform requirements
Set up Web Gateway on Azure with the Azure command line interface
You can install Web Gateway as a virtual machine on an Azure platform using the Azure command line interface
(Azure CLI).
Alternatively, you can set up Web Gateway using a script provided by McAfee.
The command parameters are either fixed, so you can type them as shown here, for example,
mwgnativegroup, or have variable values, enclosed in angle brackets here, for example, <name of a location>.
When entering longer commands in more than one line, be sure to use a \ (backslash) at the end of each line that
is followed by another line, as shown below. Also, enter each command parameter completely in one line.
Task
1 Download the Web Gateway software.
a Open a browser and go to the McAfee Content & Cloud Security Portal at
https://contentsecurity.mcafee.com/.
b Download the VHD file with the Web Gateway software to a directory on your system. Note down the link
name for later use.
2 On the Azure CLI, navigate to the directory with the VHD file, then run this command to log on to the Azure
portal:
az login
5 Upload the VHD file with the Web Gateway software to Azure using an az command and a SAS token.
Alternatively, you can upload this file using a storage account key. If you prefer this method, continue with
step 6.
a Create an SAS token.
• At the Azure portal, click All resources, then select the storage account that you created in step 4a.
• Click Shared access signature, then click Generate SAS and connection string.
The SAS token is generated. Note down its name, for use in the next substep.
The link to the VHD file is the one that you noted down after going to the Content & Cloud Security
Portal. When specifying the name of the VHD file, you can type it with or without the .vhd extension.
6 Upload the VHD file with the Web Gateway software using a storage account key.
a Create a list of the storage account keys:
az storage account keys list --resource-group mwgnativegroup \
--account-name mwgimgstorage
Note down the name of the first key on the list that you have created, for use in the next substep.
--file <name of the VHD file> --name <name of the VHD file>
The account key must be the first on the storage account keys list that you created in substep a.
As size, specify the GB that you planned for the virtual machine when considering the system requirements,
for example, 500, omitting the letters GB.
--attach-os-disk mwgmanagedimg
Specify the same location as in step 3. As size type, specify the Azure size type that you chose for the virtual
machine when considering the system requirements, for example, Standard_D8s_v3.
Web Gateway is now installed as a virtual machine on an Azure platform. Continue with looking up and
configuring access parameters for Web Gateway.
See also
Set up Web Gateway on Azure with a script
Look up and configure access parameters for Web Gateway on Azure
Azure platform requirements
Task
1 Go to the Azure portal.
2 On the Azure resource list, identify the virtual machine that you set up for Web Gateway and note down its
public IP address.
3 Under Settings | Networking, create inbound port rules for these ports on Web Gateway:
The rules ensure that these ports cannot be accessed by anyone other than yourself. For testing and
production, change access to these ports as needed.
For a list of ports used on Web Gateway, see this Knowledge Center article: KB86010.
4 Generate credentials with a password or an SSH public key for the virtual machine, depending on how you
want to access it.
a Under Support + Troubleshooting, select Reset password, then select Reset password or Reset SSH public key.
5 Click Update.
6 When the update is complete, open an SSH terminal, using the public IP address of the virtual machine.
Then submit the configured user name and password or SSH public key.
The terminal returns logon information for Web Gateway, for example:
You can now log on to the Web Gateway interface using this link:
When prompted, submit the logon name and password that the SSH terminal returned.
Contents
Set up a Windows 2016 Server on Azure
Configure the Hyper-V server role for the Windows 2016 Server
Configure Network Address Translation for Web Gateway
Install Web Gateway on a hosted virtual machine
Configure port forwarding for Web Gateway on a hosted virtual machine
Restore a server connection
Task
1 Log on to the Azure Portal.
2 In the marketplace on this portal, set up a Windows 2016 Server as a virtual machine.
Use these options to set up the server:
• Password
b Select a configuration model that supports nested virtualization for a virtual machine. This can be Dv3,
Ev3, or a later model.
5 After setting it up, identify the virtual machine on the list of resources within the portal and note down its
public IP address.
You have now set up a Windows 2016 Server as a virtual machine on Azure. Continue with configuring a
Hyper-V role for this server.
Configure the Hyper-V server role for the Windows 2016 Server
Configure the Hyper-V role for the Windows 2016 Server that you have set up. This server role is well suited for
hosting another virtual machine that Web Gateway uses as its platform.
Task
1 Log on to the Windows 2016 Server using RDP.
2 On the server interface, use the Server Manager to configure the Hyper-V server role.
a Select the installation type for role-based and feature-based installations.
b From the server pool, select the server where you are logged on.
When the server role is created, the server restarts and you lose connection to the RDP public port.
4 When the restart is complete, log on to the server again using RDP with the credentials that you configured.
5 Wait until a message informs you that the configuration process has finished successfully.
You have now configured the Hyper-V server role for the Windows 2016 Server. Continue with configuring
Network Address Translation for Web Gateway, which allows it to connect to the Internet.
Task
1 On the Windows 2016 Server interface, open a PowerShell window in administrator mode.
b Run this command to find the interface index (ifIndex) of the switch and note it down.
Get-NetAdapter
As a result, the command displays a list of entries for the different interfaces that are currently in use,
among them the internal virtual switch that you created. Its name is: vEthernet (NAT-Switch).
The network where the NAT gateway runs must not be the same as that of the Windows 2016 Server.
The IP address configured for the NAT gateway shows it runs in the 192.168.200.0/24 network, which has
been chosen as an example in this procedure.
If the index of an external interface is erroneously specified in this command, you will lose connection to
the Windows 2016 Server. So, be careful when providing this value.
If you have lost connection to the server, you can restore it by attaching a new interface and restarting
the server.
The NAT gateway and network provide Internet connectivity for Web Gateway, which will run with an IP address
of the NAT network.
Continue with installing Web Gateway on a virtual machine that is hosted by the Windows 2016 server.
See also
Restore a server connection
Task
1 Download an ISO image of the Web Gateway appliance software from the Content & Cloud Security Portal
and store it in a location of your choice.
b Select the entry for the server that is displayed, then click New and Virtual Machine.
• Generation: Generation 1
Use of dynamic memory for a virtual machine is not supported by Web Gateway.
d Select this installation method: Install an operating system from a bootable CD/DVD-ROM , and under this method,
select Image file (.iso).
e Browse to the location where you stored the ISO image of the Web Gateway appliance software, select it,
and click Next.
The appliance software is now available for installation on the virtual machine.
• IP address for eth0: An IP address of the NAT network that you created, for example, 192.168.200.220
• Primary DNS: IP address of the Azure domain name server, for example, 168.63.129.16
4 Set a root password, then select Default scheme with full Web Cache as the volume scheme.
You have now installed a virtual machine with Web Gateway on it, which is hosted by a Windows 2016 Server.
Continue with enabling access to Web Gateway on the hosted virtual machine.
• Requests for accessing the Web Gateway interface under HTTP and HTTPS to ports 4711 and 4712
• Web traffic that is to be filtered on Web Gateway to the 9060 proxy port
Ports with these numbers are by default not allowed for inbound traffic on Azure. So, the rules must be added
to the settings on this portal.
Task
1 On the Azure portal, access the virtual machine that Web Gateway uses as its platform.
2 Configure port forwarding rules for inbound traffic, using these values for the rule parameters:
• Source: Any
• Destination: Any
• Protocol: Any
• Action: Allow
• Priority: 330
• Name: MWG_Ports
4 Run the following commands to add the port forwarding rules to the portal settings.
The rules include the IP address of the virtual machine for Web Gateway.
a For port 4711:
netsh int portproxy add v4tov4 listenport=4711 connectport=4711 connectaddress=192.168.200.220
Web Gateway can now be accessed from outside Azure. The IP address of the Windows 2016 Server and one of
the interface ports or the proxy port must be submitted for this access:
<server IP address>:4711|4712|9060
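The following added example (not part of the McAfee guide) verifies the result of the port forwarding step on the Windows 2016 Server: it parses the table printed by netsh interface portproxy show v4tov4 and reports forwards that are missing, point somewhere other than the Web Gateway virtual machine, or were never part of this procedure. The sample output is constructed, its column layout is an assumption about how netsh prints the table, and the function names are hypothetical.

```python
# Forwards this procedure sets up: interface ports 4711 and 4712 and the
# 9060 proxy port, all pointing at the Web Gateway virtual machine on the
# NAT network (example address used in this guide).
EXPECTED_PORTS = (4711, 4712, 9060)
MWG_ADDRESS = "192.168.200.220"

# Constructed sample, laid out like the table that
# `netsh interface portproxy show v4tov4` prints (assumed layout).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               4711        192.168.200.220 4711
*               9060        192.168.200.10  9060
*               3389        192.168.200.220 22
"""


def parse_portproxy(text):
    """Return one dict per forwarding row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # A data row has four fields and numeric ports in fields 2 and 4.
        if len(parts) == 4 and parts[1].isdigit() and parts[3].isdigit():
            rows.append({
                "listen_addr": parts[0],
                "listen_port": int(parts[1]),
                "connect_addr": parts[2],
                "connect_port": int(parts[3]),
            })
    return rows


def check_forwards(text, target=MWG_ADDRESS, ports=EXPECTED_PORTS):
    """Compare the portproxy table with the forwards the procedure expects.

    missing     - expected listen ports with no forwarding row at all
    misdirected - expected listen ports that do not lead to target:port
    unexpected  - forwards on ports that this procedure never configures
    """
    rows = parse_portproxy(text)
    listening = {row["listen_port"] for row in rows}
    report = {
        "missing": [p for p in ports if p not in listening],
        "misdirected": [],
        "unexpected": [],
    }
    for row in rows:
        entry = (row["listen_port"], row["connect_addr"], row["connect_port"])
        if row["listen_port"] not in ports:
            report["unexpected"].append(entry)
        elif (row["connect_addr"], row["connect_port"]) != (target, row["listen_port"]):
            report["misdirected"].append(entry)
    return report


if __name__ == "__main__":
    for kind, items in check_forwards(SAMPLE_OUTPUT).items():
        print(kind, items)
```

Because the inbound rule on the Azure portal uses Any as source, every row in this table is reachable from outside Azure, so an unexpected row deserves the same attention as a missing one.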
To restore the connection, you must attach a new interface to the virtual machine and associate it with a public
IP address.
Task
1 Log on to the Azure Portal.
2 Under All resources, open the properties window for your virtual machine and click Stop to shut it down.
b Click Attach network interface and Create network interface, then enter a name for the new interface and click
Create.
A new network interface is created and you are redirected to Attach network interface.
b In the window that opens, click Dissociate to disconnect the public IP address from its current resource.
Click Yes to confirm.
d Select the network interface that you attached to the virtual machine and click OK.
5 Under All resources, open the properties window for your virtual machine and click Start to restart it.
When the restart is complete, the public IP address is associated to the virtual machine. You can look up this
address in the properties window of the virtual machine.
The connection between the network interface and the Windows 2016 Server that runs as a virtual machine to
host Web Gateway is now restored. You can log on to the virtual machine using RDP.
See also
Configure Network Address Translation for Web Gateway
Contents
Install Web Gateway in L2 Transparent mode as a virtual cloud resource on AWS
Install Web Gateway in L2 Transparent mode as a virtual cloud resource on Azure
Complete the first steps of this task for either of the two configuration types. Then follow the instructions
provided for the type you want to set up.
Task
1 On an AWS web console, create a virtual private cloud (VPC) for Web Gateway.
a Create a VPC with IP address 192.168.0.0/16 (CIDR notation).
b Set up an Internet gateway and associate it with the VPC if none is associated yet.
• ClientNetwork — 192.168.5.0/24
d Allow all protocols and ports inbound for source 192.168.0.0/16 in the network security group that
includes these subnets.
2 Create a virtual machine as a platform for running the Web Gateway appliance software.
a Create a virtual machine.
b Use the AMI search field to locate the appliance software on the McAfee Content & Cloud Security Portal,
also known as the Web Gateway extranet, then use the link to it to launch it on the virtual machine.
3 Disable source and destination checking for the network interface on Web Gateway that you associated with
the MWGNetwork subnet.
a In the navigation pane, select Instance.
b Select the Web Gateway instance, then navigate to Actions | Networking | Change source/destination check.
d Click Save.
b Associate a network interface on this virtual machine with the ClientNetwork subnet.
d Select Add tags, and under Key and Value, type key names and values for every table tag you want to add.
e Select Create.
f Navigate to Subnet Associations and associate this routing table with the ClientNetwork subnet.
If you want to set up a single-arm configuration, continue with step 7. Otherwise, continue with the next
step to add another network interface for a dual-arm configuration.
b Associate this network interface with the virtual machine for Web Gateway.
• For a single-arm configuration: The network interface on Web Gateway that you associated with the
MWGNetwork subnet in step 2.
• For a dual-arm configuration: The network interface that you added in step 6.
8 On Web Gateway, configure the appliance to run as a proxy in L2 Transparent network mode.
a On the user interface, select Configuration | Appliances.
d In the Port Redirects table, enter port redirects for the web traffic coming in under different network
protocols, for example, HTTP or FTP, to be filtered on Web Gateway.
e Select File Editor, and on the appliances tree, select this appliance. Open the mwg system file for editing
and append the following lines:
These lines must also be appended for any additional inbound or outbound network interface,
for example, if there is also an outbound eth2 interface on Web Gateway.
• Select Network Interfaces and under Enable these network interfaces, select eth1.
You have now set up a virtual Web Gateway appliance in L2 Transparent mode on AWS.
After associating the routing table with the ClientNetwork subnet, Internet connectivity to other systems in this
subnet is lost. To restore it, you can add another entry to this table with the SSH or RDP public IP address of the
subnet and an Internet gateway as target.
Depending on how Web Gateway is configured, more steps can be required to set up a virtual Web Gateway
appliance in this mode. For example, if ports for network protection are assigned, they must be accounted for
in a network security group.
Complete the first steps of this task for either of the two configuration types. Then follow the instructions
provided for the type you want to set up.
Task
1 On the Azure portal, create a virtual private cloud (VPC) for Web Gateway.
a Create a VPC with IP address 192.168.0.0/16 (CIDR notation).
• ClientNetwork — 192.168.5.0/24
c Allow all protocols and ports inbound for source 192.168.0.0/16 in the network security group that
includes these subnets.
2 Create a virtual machine as a platform for running the Web Gateway appliance software.
a Create a virtual machine.
b Locate the appliance software in .vhd file format on the McAfee Content & Cloud Security Portal, also
known as the Web Gateway extranet, then use this file to launch the appliance software on the virtual
machine.
3 Disable IP forwarding for the network interface on Web Gateway that you associated with the MWGNetwork
subnet.
a In the search field for resources, search for network interfaces and select the one for Web Gateway when
it appears among the results.
c Click Save.
b Associate a network interface on this virtual machine with the ClientNetwork subnet.
b Under Subnets, select the ClientNetwork subnet you created in the VPC.
c Under Route Table, select the one you want to associate with this subnet.
d Select Create.
If you want to set up a single-arm configuration, continue with step 6. Otherwise, continue with the next
step to add another network interface for a dual-arm configuration.
b Enable IP forwarding for this network interface, see step 3 where you disabled it for a network interface.
c Associate this network interface with the virtual machine for Web Gateway.
• For a single-arm configuration: The IP address of the network interface on Web Gateway that you
associated with the MWGNetwork subnet in step 2.
• For a dual-arm configuration: The IP address of the network interface that you added in step 6.
8 On Web Gateway, configure the appliance to run as a proxy in L2 Transparent network mode.
a On the user interface, select Configuration | Appliances.
d In the Port Redirects table, enter port redirects for the web traffic coming in under different network
protocols, for example, HTTP or FTP, to be filtered on Web Gateway.
e Select File Editor, and on the appliances tree, select this appliance. Open the mwg system file for editing
and append the following lines:
These lines must also be appended for any additional inbound or outbound network interface, for
example, if there is also an outbound eth2 interface on Web Gateway.
• Select Network Interfaces and under Enable these network interfaces, select eth1.
You have now set up a virtual Web Gateway appliance in L2 Transparent mode on Azure.
After associating the routing table with the ClientNetwork subnet, Internet connectivity to other systems in this
subnet is lost. To restore it, you can add another entry to this table with the SSH or RDP public IP address of the
subnet and an Internet gateway as next-hop proxy type.
Depending on how Web Gateway is configured, more steps can be required to set up a virtual Web Gateway
appliance in this mode. For example, if ports for network protection are assigned, they must be accounted for
in a network security group.
Contents
Install the blade system enclosure
Install the interconnect modules
Turn on the blade system enclosure
Use the internal CD/DVD drive to install Web Gateway on a blade server
Use an external CD/DVD drive to install Web Gateway on a blade server
Use a USB drive to install Web Gateway on a blade server
Use virtual media to install Web Gateway on a blade server
Proxy HA on a blade server
Proxy with external load balancing on a blade server
Transparent mode on a blade server
Task
1 Review and observe the safety information that is provided.
2 Remove the protective packaging and place the blade system enclosure on a flat surface.
Considering its weight, unpack the enclosure as close as possible to the intended location.
3 Remove the front and rear components, as well as the rear cage from the enclosure.
Install all power supplies and fans that were shipped with the enclosure to ensure redundancy in case one of
these components fails.
5 Install the Onboard Administrator and the Integrated Lights Out System.
7 Attach power cords to the monitor and the enclosure, but do not yet connect the power supplies.
For more information, refer to the Setup and Installation Guide, the Onboard Administrator User Guide, and the
Integrated Lights-Out User Guide that are provided for each enclosure model on the website of the McAfee
partner.
The M3 enclosure model has 4 interconnect bays, the M7 model has 8. These modules are either pass-through
modules or switches.
Task
1 Locate the positions of the interconnect bays.
• M7 — insert four switches in interconnect bays 1 to 4 and two pass-through modules in interconnect
bays 5 and 6.
Task
1 Connect the power cords of the enclosure to the power supplies and the power outlets.
Use two power circuits to ensure all blade servers in the enclosure turn on. If you use only one
circuit and the power management settings are configured for AC redundant (which is also
recommended), some blade servers will fail to turn on.
You can now install the Web Gateway appliance software on a blade server in the enclosure.
Use the internal CD/DVD drive to install Web Gateway on a blade server
If your enclosure model is M3, you can use the internal CD/DVD drive to install the Web Gateway appliance
software on a blade server in the enclosure.
Task
1 Insert a CD or DVD with the Web Gateway appliance software on it in the internal CD/DVD drive of the
enclosure.
2 Open the Onboard Administrator of the enclosure and select a blade server to install Web Gateway on.
4 Use this tab to connect the internal CD/DVD drive to the blade server.
5 Click the Boot Options tab and set One Time Boot from to CD-ROM.
7 Follow the instructions for installing Web Gateway that appear on the monitor you connected to the
enclosure.
When the installation is completed, you can log on to the user interface of Web Gateway.
Task
1 Insert a CD or DVD with the Web Gateway appliance software on it in the external CD/DVD drive.
2 Use the USB SUV cable that is shipped with the enclosure to connect the drive to the blade server you want
to install Web Gateway on.
3 Open the Onboard Administrator of the enclosure and select the blade server.
4 Click the Boot Options tab and set One Time Boot from to CD-ROM.
6 Follow the instructions for installing Web Gateway that appear on the monitor you connected to the
enclosure.
When the installation is completed, you can log on to the user interface of Web Gateway.
Task
1 Use the USB SUV cable that is shipped with the enclosure to connect the USB drive to the blade server you
want to install Web Gateway on.
2 Open the Onboard Administrator of the enclosure and select the blade server.
4 Click the Boot Options tab and set One Time Boot from to USB.
6 Follow the instructions for installing Web Gateway that appear on the monitor you connected to the
enclosure.
When the installation is completed, you can log on to the user interface of Web Gateway.
Task
1 Open the Onboard Administrator of the enclosure and select a blade server to install Web Gateway on.
A new browser window opens providing access to the iLO (integrated Lights-Out) web user interface.
4 Choose the Virtual Floppy/USB Key or Virtual CD/DVD-ROM section of the window for installing Web Gateway and
click Browse in the section.
5 Browse to the location where you stored the ISO image of the Web Gateway appliance software and click
Connect.
6 Follow the instructions for installing Web Gateway that appear on the monitor you connected to the
enclosure.
When the installation is completed, you can log on to the user interface of Web Gateway.
Network configuration
This High Availability configuration is also known as High Availability cluster. In this cluster, multiple instances of
Web Gateway on blade servers run as nodes. There must be at least two director nodes, so a failover can be
performed in case one of them is down. A director node directs data packets to the nodes that scan the data in
a suitable manner to enable load balancing.
The director node that acts in this role at a given point in time is known as the active director. The second director
node, which takes over when the first is down, is also known as the backup node. If you want, you can configure
more than one backup node.
We recommend that you configure the proxy HA mode as a two-legged proxy solution. This means the following
is configured on a director node:
The network interface that handles inbound traffic must have a virtual IP address of its own. The network
interface for outbound web traffic should also be used to do the load balancing.
This is achieved by filling in a table with the IP addresses of the scanning nodes in the cluster when configuring
the director node. The following must be entered in this table for any particular node:
• For a node that runs as a scanning node only — IP address and Scanner as type
If the node that is first to run as an active director also runs as scanning node, its IP address must also be
entered in the scanner table with Scanner as type.
We also recommend that you configure the following on each director node:
Configuring this network interface allows you to perform management communication separately.
• Network interface for internal communication within the blade system enclosure
This network interface has its IP address configured under VRRP (Virtual Router Redundancy Protocol).
The virtual IP address that the active director node uses on its interface for communication with the Web
Gateway clients must be added to the settings of the HTTP and FTP proxies with ports that listen to requests
coming in from the clients.
Link resilience
If switches are installed as interconnect modules on an enclosure, link resilience can be achieved in the
following way:
• Two of the ports used as uplink ports on a switch are bundled in a trunk group.
This means that if one of the two links fails, the trunk group still remains active.
The interconnect modules and the trunk groups are mapped to the ports on the network interfaces, for
example, as shown in the following table. For the network interface that handles internal communication, no
port mapping to a trunk group is required.
For more information on how to configure the interconnect modules, refer to the GbE2c Ethernet Blade Switch for
c-Class BladeSystem Application Guide that is available on the website of the McAfee partner.
Network configuration
We recommend that you configure a two-legged proxy solution for this mode, with two separate network
interfaces on each blade server for inbound and outbound web traffic. Each of these interfaces is configured
with an IP address of its own.
Additionally, a network interface for out-of-band management should be configured, which allows you to
also perform management communication separately.
Load balancing
Load balancing is performed in this configuration not by one of the blade servers, but by an external load
balancer, which directs load to the blade servers. For this purpose, the blade servers are included in a load
balancing pool.
When configuring the load balancer, an algorithm can be configured that supports IP client stickiness. This
ensures that functions requiring IP client stickiness are available, for example, a progress page.
Link resilience
If switches are installed as interconnect modules on an enclosure, link resilience can be achieved in the
following way:
• Two of the ports used as uplink ports on a switch are bundled in a trunk group.
This means that if one of the two links fails, the trunk group still remains active.
The interconnect modules and the trunk groups are mapped to the ports on the network interfaces, for
example, as shown in the following table.
Table 9-2 Mapping of network components in an explicit proxy configuration with external load balancing

Port on network interface          Interconnect module            Trunk group
Inbound web traffic interface      Switch in interconnect bay 1   Group 1: port 21, port 22
Outbound web traffic interface     Switch in interconnect bay 2   Group 2: port 21, port 22
Out-of-band management interface   Switch in interconnect bay 3   Group 3: port 21, port 22

For more information on how to configure the interconnect modules, refer to the GbE2c Ethernet Blade Switch for
c-Class BladeSystem Application Guide that is available on the website of the McAfee partner.
Transparent router
We recommend that you configure the transparent router mode as a two-legged proxy solution, with two
separate network interfaces for inbound and outbound web traffic.
Each of the network interfaces is configured with its own IP address under VRRP (Virtual Router Redundancy
Protocol). The outbound network interface should be used for load-balancing the traffic.
This is achieved by specifying its IP address as the physical component that is configured together with the
management IP address.
This is achieved by filling in a table with the IP addresses of the scanning nodes in the cluster when configuring
the director node. The following must be entered in this table for any particular node:
• For a node that runs as a scanning node only — IP address and Scanner as type
If the node that is first to run as an active director also runs as a scanning node, its IP address must also be
entered in the scanner table with Scanner as type.
If IP spoofing is configured, the blade servers on which Web Gateway only scans web traffic, without also
directing it, do not need a connection for inbound web traffic. Inbound and outbound traffic is handled by an
instance of Web Gateway that runs as a director node on a blade server.
Contents
Solve problems with connecting to download servers
Activate Web Gateway with a temporary license key
Reimage a Web Gateway appliance
Upgrading Web Gateway with the mwg-update tool
Working with Web Gateway using a browser without Java support
Task
1 In the Network solutions section of the installation wizard, do one of the following:
• If the download servers cannot be used for updating filtering information because you are running the
appliance in an environment without internet connection, click Perform offline update and follow the wizard
instructions.
• If you want to use a next-hop proxy to connect to the download servers, click Specify next-hop proxy for
download and continue with step 2.
• If you want to modify the domain name service configuration before connecting to the download
servers, click Specify DNS servers for download and continue with step 3.
b In the Port field, type a port number for the port on the next-hop proxy that listens to requests from Web
Gateway.
c In the User field, type the user name Web Gateway submits when authenticating to the next-hop proxy.
d In the Password field, type the password Web Gateway submits when authenticating to the next-hop
proxy.
e Click Continue.
The wizard closes the Network solutions section and returns to its main page. If you also want to modify the
domain name service configuration, continue with step 3, otherwise continue with step 4.
b Click Continue.
The wizard closes the Network solutions section and returns to its main page.
The download completes. If, however, the download still does not complete successfully, close the wizard and
try other measures for solving the problem.
Task
1 Use a browser to go to the McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/.
3 On the home page of the portal, type activate after the URL mentioned in step 1 and press Enter.
4 In the Activation ID field, type the activation ID from the label on your appliance box, then click Activate.
The USB drive must be bootable if it is to be used for re-imaging. You can create a bootable USB drive with a
suitable program, for example, Microsoft Win32diskimager.
Re-imaging an appliance overwrites all data that has previously been stored on it.
Task
1 Back up your appliance configuration on the user interface of Web Gateway, using the functions provided
under Troubleshooting | Backup/Restore.
6 Select Boot manager and then the option for CD/DVD or the USB drive. Then press Enter.
On some appliance models, you can press F6 to enter the boot manager menu directly.
The downloaded software is installed on the appliance. When this installation is completed, the
configuration wizard appears.
You can now work with the configuration wizard to implement the initial configuration settings.
For an offline update, the mwg-update tool creates a temporary repository on the local disk. The tool then uses
the packages that are provided in the ISO file and performs the upgrade based on the local repository. After the
upgrade, the tool removes the repository from the local disk.
Version restrictions
A new version of the MLOS operating system was introduced with version 7.8.2. Versions earlier than 7.8.2 use
MLOS 2, while later versions use MLOS 3. For this reason, there are the following restrictions when using the
tool:
• You cannot upgrade offline from a version earlier than 7.8.2 to a version later than this.
• When upgrading online, you can upgrade from a version earlier than 7.8.2 to a version later than this.
But you cannot upgrade directly. You must first upgrade to 7.8.2 and from there, in a second step, to the
later version.
Examples:
But, for example, from 7.8.1 to 8.2, you cannot upgrade offline. To upgrade online, you must:
See also
Upgrade Web Gateway offline with the mwg-update tool on page 76
mwg-update command line tool on page 76
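The version restrictions above can be checked before an upgrade is started. The following is an added example, not part of the guide or of the mwg-update tool: the names plan_upgrade, parse_version, release and UpgradeRestricted are hypothetical, and it assumes that build numbers after the third component (as in 7.8.2.12.0) belong to the same release.

```python
# Added example: pre-flight check for the mwg-update version restrictions.
# All names here are hypothetical; only the rules come from the guide.

MLOS3_BOUNDARY = (7, 8, 2)  # version that introduced MLOS 3, per the guide


class UpgradeRestricted(Exception):
    """The requested upgrade is ruled out by the MLOS 2 / MLOS 3 boundary."""


def parse_version(text):
    """Parse '7.8.2.12.0' or '8.2' into a tuple of ints without trailing zeros."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()  # so that 8.2 and 8.2.0 compare as equal
    return tuple(nums)


def release(version):
    """First three components, zero-padded: (8, 2) -> (8, 2, 0)."""
    return (version + (0, 0, 0))[:3]


def plan_upgrade(current, target, offline):
    """Return the ordered list of versions to install, or raise."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        raise ValueError(f"{target} is not later than {current}")
    # Restricted case: starting below 7.8.2 (MLOS 2) and ending above it.
    crosses = release(cur) < MLOS3_BOUNDARY < release(tgt)
    if not crosses:
        return [target]
    if offline:
        raise UpgradeRestricted(
            f"offline upgrade from {current} to {target} crosses 7.8.2; "
            "upgrade online instead")
    # Online: first to 7.8.2, then in a second step to the later version.
    return ["7.8.2", target]


if __name__ == "__main__":
    for cur, tgt, off in [("7.8.1", "8.2", False), ("7.8.2.12.0", "8.2", True)]:
        mode = "offline" if off else "online"
        print(cur, "->", tgt, mode, plan_upgrade(cur, tgt, off))
```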
Task
1 Log on to the appliance where you want to perform the upgrade from a local system console or remotely
using SSH.
When upgrading with SSH, consider using a terminal multiplexer to ensure that the update does not fail due
to an unstable or broken SSH connection.
You can use the tmux multiplexer that Web Gateway has installed.
As the file name, type the name of the ISO file with the appliance software, for example,
mwgappl-7.8.2.12.0-29703.x86_64.iso.
With these parameters, the command allows you to cancel the upgrade before it is performed.
3 After the upgrade has been successfully completed, restart the appliance manually.
mwg-update
-o <file name> The upgrade is performed offline using the specified ISO file.
See also
Upgrade Web Gateway offline with the mwg-update tool on page 76
mwg-update command line tool on page 76
These differences are mostly related to file handling performed to move files between Web Gateway and your
local file system.
Uploading and downloading files to and from Web Gateway, exporting and importing lists or rule sets from and
to files, and some other activities require that you work with another dialog window to complete them.
You browse for and select a file in the first window and execute the download by clicking the appropriate button
in the second.
A third window is involved when you upload a file from your local system to Web Gateway.
Upload files Uploads a file from your local system to Web Gateway.
You select the file and perform the upload in a third window, which opens after selecting this
option.
They are grouped according to the tabs and pages of the Web Gateway interface that you begin with to perform
an activity.
If you are running multiple appliances as nodes in a Central Management cluster, you can distribute users among
the appliances without exceeding the limit for each appliance.