
Revision B

McAfee Web Gateway 10.1.x Installation Guide


COPYRIGHT
Copyright © 2021 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes,
McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee,
LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.



Contents

1 Installation overview
    Which type of installation do you need?
    First-time installation workflow
    Upgrade installation workflow
    AWS environment installation workflow
    Azure platform installation workflow
    Blade server installation workflow

2 System requirements
    Physical and virtual appliances
    System requirements for a physical appliance
    System requirements for a virtual appliance
    AWS environment requirements
    Azure platform requirements
    Blade servers as hardware platforms

3 Install Web Gateway for the first time
    Set up a physical appliance with preinstalled software
    Set up a physical appliance with downloaded software
        Download the software for a physical appliance
        Install the downloaded software on a physical appliance
    Set up a virtual appliance
        Download the software for a virtual appliance
        Install the downloaded software on a virtual appliance
    Set up a virtual appliance with Hyper-V
    Implement the initial configuration settings
        Default initial configuration settings
        Accept the default initial configuration settings
        Implement your own initial configuration settings
    Log on to the Web Gateway interface
    Activate Web Gateway
    License replacement
    Configure more initial settings
    Default serial system console settings
    Enable additional mitigation for CPU vulnerabilities
    Restrictions when running Web Gateway in FIPS-compliant mode

4 Upgrade to a new Web Gateway version
    Version numbering
    Main and controlled releases
    Upgrading to a new version provided as a main release
        Upgrade from the interface
        Upgrade from a system console
    Upgrading to a new version provided as a controlled release
        Activate the repository
        Upgrade from the interface
        Upgrade from a system console
    Reimage an appliance using virtual RMM media

5 Install Web Gateway in an AWS environment
    Create a key pair for SSH authentication
    Import a key pair for SSH authentication
    Install a Web Gateway instance within AWS
    Connect to a Web Gateway instance within AWS

6 Install Web Gateway on an Azure platform
    Set up Web Gateway on Azure with a script
    Set up Web Gateway on Azure with the Azure command line interface
    Look up and configure access parameters for Web Gateway on Azure

7 Install Web Gateway on an Azure platform with Hyper-V
    Set up a Windows 2016 Server on Azure
    Configure the Hyper-V server role for the Windows 2016 Server
    Configure Network Address Translation for Web Gateway
    Install Web Gateway on a hosted virtual machine
    Configure port forwarding for Web Gateway on a hosted virtual machine
    Restore a server connection

8 Install Web Gateway in L2 Transparent mode as a virtual cloud resource on AWS or Azure
    Install Web Gateway in L2 Transparent mode as a virtual cloud resource on AWS
    Install Web Gateway in L2 Transparent mode as a virtual cloud resource on Azure

9 Install Web Gateway on a blade server
    Install the blade system enclosure
    Install the interconnect modules
    Turn on the blade system enclosure
    Use the internal CD/DVD drive to install Web Gateway on a blade server
    Use an external CD/DVD drive to install Web Gateway on a blade server
    Use a USB drive to install Web Gateway on a blade server
    Use virtual media to install Web Gateway on a blade server
    Proxy HA on a blade server
    Proxy with external load balancing on a blade server
    Transparent mode on a blade server

10 Troubleshooting installation
    Solve problems with connecting to download servers
    Activate Web Gateway with a temporary license key
    Reimage a Web Gateway appliance
    Upgrading Web Gateway with the mwg-update tool
        Upgrade Web Gateway offline with the mwg-update tool
        mwg-update command line tool
    Working with Web Gateway using a browser without Java support


1 Installation overview

Contents
Which type of installation do you need?
First-time installation workflow
Upgrade installation workflow
AWS environment installation workflow
Azure platform installation workflow
Blade server installation workflow

Which type of installation do you need?


Web Gateway is installed as an appliance in your local network to protect it against threats arising from web
usage. Which type of installation you need depends on your circumstances and environment.

First-time installation
When you install Web Gateway for the first time in your local network, you can install it as a physical or virtual
appliance.

• Physical appliance

If you install Web Gateway as a physical appliance, you set it up on a hardware platform. The appliance
software is preinstalled or can be downloaded.

• Preinstalled software — When you purchase a new hardware platform for Web Gateway, the appliance
software is preinstalled on this platform.

• Downloaded software — You download the software in ISO or USB format from the Content & Cloud
Security Portal, then install it.

• Virtual appliance

If you install Web Gateway as a virtual appliance, you set it up on a virtual machine that you create on a
suitable host system.

You download the appliance software in ISO format from the Content & Cloud Security Portal, then install it.

Upgrade installation
When you have already installed Web Gateway in your local network, you can upgrade the appliance software
after a new version or an update is released.

You can install an upgrade on the Web Gateway interface or from a system console that is connected to the
appliance system.

A release can be a main or controlled release. Upgrade procedures differ accordingly.

• Main release

After three new versions of Web Gateway have been released, an update of the third version, usually the
second or third update, is provided as a main release.

For example, after versions 8.0, 8.1, and 8.2 are released, the 8.2.2 update might be released as a main
release.

• Controlled release

All new versions and updates that are not released as main releases are controlled releases.

You can upgrade to every controlled release or upgrade only when a main release happens.

A new version is usually released every four months, so it takes a year until three of them have been released.
This means that if you only upgrade to main releases, you upgrade once a year.

It also means, however, that you'll have to wait longer for the new features and enhancements that are
included in every new product version.

Installation in an AWS environment


You can install Web Gateway in an Amazon Web Services (AWS) environment. Within this environment, an
instance of Web Gateway runs as one among various other AWS instances.

Installation on an Azure platform


You can set up a Windows 2016 Server on Microsoft Azure and use Hyper-V to create a virtual machine on this
server that hosts another virtual machine, which Web Gateway uses as a platform to run on.

Installation on a blade server


You can install Web Gateway on a blade server, which Web Gateway uses as a hardware platform to run on as a
physical appliance. A blade server is usually part of a server farm that resides in a blade system enclosure.

First-time installation workflow


This overview shows the workflow that you go through when installing a Web Gateway appliance for the first
time.

1 Make sure the system requirements are met for the type of installation that you want to complete.

2 Review the default initial configuration settings.

3 Install the appliance.

• When installing Web Gateway as a physical appliance that runs on a hardware platform with preinstalled
software, connect and turn on the hardware platform.

• When setting up Web Gateway as a physical appliance running on a hardware platform with downloaded
software:

    • Download the software and copy it to some installation media.

    • Connect the hardware platform and insert the installation media, then turn it on.

    • Use the Boot Manager to install the software.

• When setting up Web Gateway as a virtual appliance:

    • Download the software and copy it to some installation media.

    • Insert the installation media in a suitable host system.

    • Create a virtual machine on the host system.

    • Start the new virtual machine with the software.

4 Accept the default initial configuration settings or implement your own settings.

5 Log on to the interface.

6 Review online documents and license the software.

7 Activate the appliance.

After completing the installation, you can work with Web Gateway and use its features to protect your network
against threats arising from the web.

Upgrade installation workflow


The basic workflow for upgrading Web Gateway includes different steps for main and controlled releases. It also
varies according to the version you upgrade from and can be completed using the Web Gateway interface or a
system console.

Upgrade installation workflow for main releases


A particular workflow is used for upgrading to a version of the Web Gateway appliance software that is provided
as a main release. It also varies according to the version you upgrade from.

• Version 7.3 or later

    You can upgrade from the Web Gateway interface or a system console.

    • Upgrade from the Web Gateway interface:

        1 Select the appliance where you want to upgrade.

        2 Perform the upgrade.

        3 Restart the appliance.

    • Upgrade from a system console:

        1 Connect to the appliance where you want to upgrade.

        2 Perform the upgrade.

        3 Restart the appliance.

• Version 7.2.x or earlier 7.x, 6.9.x, or 6.8.x

    1 Download a software image of the new version from the Content & Cloud Security Portal.

    2 Re-image the appliance using this image.

Upgrade installation workflow for controlled releases


A particular workflow is used for upgrading to a version of the Web Gateway appliance software that is provided
as a controlled release. It also varies according to the version you upgrade from.

• Version 7.8.2 or later

    1 From a system console, connect to the appliance where you want to upgrade.

    2 Activate the repository for the new version.

    3 Continue with the upgrade from the Web Gateway interface or the system console.

        • Upgrade from the Web Gateway interface:

            • Select the appliance where you want to upgrade.

            • Perform the upgrade.

            • Restart the appliance.

        • Upgrade from the system console:

            • Connect to the appliance where you want to upgrade.

            • Perform the upgrade.

            • Restart the appliance.

• Version 7.3.x to 7.8.1.x

    You must first upgrade to version 7.8.2.

    1 From a system console, connect to the appliance where you want to upgrade.

    2 Activate the repository for version 7.8.2.

    3 Upgrade to version 7.8.2 from the Web Gateway interface or the system console. Complete the same
    steps as for upgrading from version 7.8.2 or later.

    4 After completing the upgrade to version 7.8.2, upgrade to the new version:

        a From a system console, connect to the appliance where you want to upgrade.

        b Activate the repository for the new version.

        c Upgrade from the Web Gateway interface or the system console. Complete the same steps as for
        upgrading from version 7.8.2 or later.

• Version 7.2.x or earlier 7.x, 6.9.x, or 6.8.x

    1 Download a software image of the new version from the Content & Cloud Security Portal.

    2 Re-image the appliance using this image.

AWS environment installation workflow


You can install Web Gateway as an instance in an Amazon Web Services (AWS) environment.

1 Choose an Amazon instance type based on the amount of web traffic that will pass through Web Gateway
according to your planning.

2 Create or import a pair of SSH keys, which are required for authentication when you access an instance of
Web Gateway within AWS.

3 Install an instance of Web Gateway within AWS.

4 Connect to the Web Gateway instance using an AWS web console.

After connecting to Web Gateway, you can log on to its interface and work with its features within the AWS
environment.

Azure platform installation workflow


You can install Web Gateway on an Azure platform using Hyper-V. Web Gateway then runs on a virtual machine
that is hosted by a Windows 2016 Server, which also runs on Azure as a virtual machine.

1 Set up a Windows 2016 Server as a virtual machine on Azure.

2 Configure the Hyper-V server role for this server.

3 Configure Network Address Translation to enable Internet access for Web Gateway.

4 Use Hyper-V to install the downloaded Web Gateway appliance software on another virtual machine that is
hosted by the server.

5 Configure port forwarding rules for Web Gateway.

After completing the installation, you can log on to the Web Gateway interface and work with its features.

Blade server installation workflow


To install Web Gateway on a blade server, you set up a blade system enclosure where blade servers can run to
provide a hardware platform for the Web Gateway appliance software.

1 Get the blade system enclosure ready for installing Web Gateway.

• Install the blade system enclosure with the blade servers.

• Insert interconnect modules in the enclosure.

• Turn on the enclosure.

2 Download the Web Gateway appliance software from the Content & Cloud Security Portal and use one of
the following devices to install the software on a blade server.

Each of the devices can be used with one or two types of enclosure.

• Internal CD/DVD drive of the enclosure — M3

• External CD/DVD drive — M7

• USB drive — M3 and M7

• Virtual media — M3 and M7

3 On the Web Gateway interface, configure one of these network setups:

• Proxy HA (High Availability)

• Proxy with external load balancing

• Transparent router

When you have completed the installation, you can log on to the Web Gateway interface and work with its
features to protect your network.

2 System requirements

Contents
Physical and virtual appliances
System requirements for a physical appliance
System requirements for a virtual appliance
AWS environment requirements
Azure platform requirements
Blade servers as hardware platforms

Physical and virtual appliances


You can use different types of platforms to serve as the appliance systems that the Web Gateway appliance
software runs on.
Depending on these platforms, the appliance system is physical or virtual. Accordingly, a Web Gateway
appliance runs as one of the following:

• Physical appliance — On a physical hardware platform

• Virtual appliance — On a virtual machine

System requirements are different for each of these two options.

System requirements for a physical appliance


Before installing Web Gateway as a physical appliance, you must make sure that the system requirements for
this type of an appliance are met.

Shipped items
• Hardware platform (models vary) with appliance software

The recommended minimum memory size on a hardware platform is 8 GB. If you are using an older model
with less than this memory, you can upgrade.

• Power cord

• Network cables

• USB-PS/2 adapter cable (if you use a PS/2 keyboard for the initial configuration)

Installation media (CD/DVD and USB drive) with the appliance software were also shipped to you. They are not
required for the installation, but you can use them for re-imaging the appliance.

Items you must provide


• Standard VGA monitor and PS/2 keyboard
or: Serial system console

• Administration system with:


• Microsoft Windows or Linux operating system

• Oracle Java Runtime Environment (JRE), version 1.8, also referred to as Java 8, or later

JRE is required if you require Java support for working with the Web Gateway interface. You can, however,
work with this interface and not require Java support.

• Microsoft Internet Explorer, version 9.0 or later

This browser allows you to work with the Web Gateway interface. You can, however, work with this
interface and not use a browser.

• Network cables for the administration system

System requirements for a virtual appliance


Before installing Web Gateway as a virtual appliance, you must make sure that the system requirements for this
appliance type are met. These requirements must also be met when installing a virtual appliance on an Azure
platform with Hyper-V.

Virtual machine software


This VMware type is required:

• VMware ESXi

The following table shows the versions of this VMware that we recommend for use with particular versions of
Web Gateway. VMware versions that are not recommended can still be run here.

We further recommend using the latest update of the recommended VMware version, ESXi 6.0, ESXi 6.5, and so
on, that you are actually working with.

We also recommend this for Web Gateway (MWG). Use the latest update of the particular version, MWG 7.8.x.x,
8.x.x, and so on, that you are working with.

Table 2-1 Recommended VMware versions

              ESXi 6.0   ESXi 6.5   ESXi 6.7   ESXi 7.0
MWG 7.8.x.x   Yes        Yes        Yes        No
MWG 8.x.x     Yes        Yes        Yes        No
MWG 9.x.x     Yes        Yes        Yes        Yes
MWG 10.x.x    Yes        Yes        Yes        Yes

Yes = Recommended

No = Not recommended

Virtual machine host system


• CPU — 64-bit capable

• Virtualization extension — VT-x/AMD-V

Virtual machine
Specifications depend on how you are using a virtual appliance.

Table 2-2 Specifications for a virtual machine

Use                                                                          RAM (in GB)   Hard-disk space (in GB)   CPU cores
Functional testing (user interface based on Java applet or desktop client)   4             80                        4
Functional testing (HTML-based user interface)                               8             80                        4
Production (minimum)                                                         16            200                       4
Production (recommended)                                                     32            500                       4 or more

Setup procedures differ for each VMware type. The following table provides some more common setup
parameters and values. Parameter names can also differ.

For parameters that are not listed, use the default values in the procedures.

Table 2-3 Virtual machine settings

Option                                    Definition
Configuration type                        Typical | Advanced (recommended)
Installation mode                         ISO image
Operating system                          CentOS 64-bit, version 7
Memory                                    32 GB (recommended)
                                          Starting with version 4.1, VMware ESXi, which is one of the supported
                                          VMware types for a virtual Web Gateway appliance, includes some
                                          optimizations known as NUMA optimizations.
                                          A host system for virtual machines that runs this VMware is also
                                          referred to as a NUMA node. Memory must then be allotted to a virtual
                                          machine in relation to the memory that is available on a NUMA node,
                                          otherwise you might experience a severe impact on performance.
                                          For example, if you set up three virtual machines on one NUMA node
                                          and configure the same number of processors (CPU cores) for each
                                          virtual machine, do not allot more than one third of the memory that
                                          is available on the NUMA node to each virtual machine.
                                          Best results are achieved if you run one virtual machine on one NUMA
                                          node.
                                          Make sure that you also reserve a certain amount of memory for the
                                          NUMA node (the host system).
Hard-disk space                           500 GB (recommended)
Number of processors                      1 | 2 | 4 (recommended) | <other values>
                                          The number of processors (CPU cores) that are provided for selection
                                          depends on the equipment of the host system that is used for setting
                                          up the virtual appliance.
                                          When virtual machines are set up on a host system that runs ESXi
                                          VMware, version 4.1 or later, with NUMA optimizations, CPU cores must
                                          be configured in relation to what is allowed on a NUMA node (a host
                                          system).
                                          The number of CPU cores that you configure for a virtual machine must
                                          be multiples or divisors of the number of CPU cores that fit in with
                                          the size of a NUMA node.
                                          For example, if the size of a NUMA node is sufficient for running six
                                          CPU cores, configure virtual machines with two, three, or six cores
                                          (if you are only using one node), or with 12, 18, 24, and so on (if
                                          you are using multiple nodes).
                                          Best results are achieved if you run one virtual machine on one NUMA
                                          node.
Network connection mode                   Bridged (recommended) | NAT | <other values>
CD/DVD drive with assigned ISO image      <drive name>/<name of the ISO image>
Network interface card type               VMXNET 3
SCSI controller (for some ESX versions)   BusLogic SCSI (not supported in a 64-bit environment) |
                                          LSI Logic Parallel (default) | LSI Logic SAS |
                                          VMware PV SCSI (recommended)
vSwitch — Allow promiscuous mode          Yes
vSwitch — Allow forged transmits          Yes

Supported Hyper-V servers


The following Windows Servers are currently supported as Hyper-V servers. Hyper-V is a role that a Windows
Server can take when a virtual appliance is installed.

• Windows Server 2019 (64-bit)

• Windows Server 2016 (64-bit)

• Windows Server 2012 R2 (64-bit)

Supported Hyper-V servers for earlier appliance versions


The following Windows Servers are supported as Hyper-V servers when earlier appliance versions are installed.

• For MWG 7.8.2, 8.0, 8.1, 8.2, and 9.0:

• Windows Server 2019 (64-bit)

• Windows Server 2016 (64-bit)

• Windows Server 2012 R2 (64-bit)

• Windows Server 2008 R2 (64-bit)

• For MWG 7.6.1, 7.6.2, 7.7.0, 7.7.1, 7.7.2, 7.8.0, and 7.8.1:

• Windows Server 2012 R2 (64-bit)

• Windows Server 2008 R2 (64-bit)

Static MAC address for a virtual appliance on Hyper-V


A virtual machine on a Hyper-V server platform is by default configured to use dynamic MAC addresses. When
Web Gateway runs as a virtual appliance on this platform, using dynamic MAC addresses will result in losing IP
address information after a restart.

For this reason, the default settings must be changed to let the virtual appliance use a static MAC address.

AWS environment requirements


When installing Web Gateway as an instance in an AWS environment, you must have information about
several environment parameters available. You must also choose an AWS instance type, considering what you
want to use Web Gateway for.

AWS environment parameters


An AWS environment can be described using several parameters, such as region or account numbers. Be sure
to have the following information available before the installation:

• AMI ID — ID for an instance of Web Gateway that you want to set up in an AWS environment

This ID is displayed on the AWS console that is used for the setup when the instance is ready for launching.
By comparing the displayed number with the number in a list, you can verify that this is indeed the instance
that you want to launch.

• Region — Region where you want to run an instance

The instance ID changes for an instance when it is run in different regions. The mapping of IDs to regions
can also be looked up in a list.

• AWS account number — Number of the Amazon Web Services account that is owned by McAfee

The account number is also displayed on the AWS console when an instance is ready for launching.

For the list of valid AMI IDs and regions, as well as for the account number, see the download section of the
McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/software_mwg7_download.
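
The comparison described above can be scripted before launch. The following is an added example, not part of the McAfee guide or McAfee code: it checks the AMI ID, region and owner account in the JSON that `aws ec2 describe-images` returns against a published list. The AMI IDs, regions, account numbers and responses are constructed placeholders, and `verify_ami` and `sample_response` are hypothetical names.

```python
import json
import re

# Constructed placeholders. Take the real values from the vendor's published
# list of AMI IDs, regions and account number.
PUBLISHED_OWNER = "000000000000"
PUBLISHED_AMIS = {
    "us-east-1": {"ami-11111111"},
    "eu-west-1": {"ami-22222222"},
}

# AMI IDs are "ami-" followed by 8 or 17 lowercase hex digits.
AMI_ID_RE = re.compile(r"^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def sample_response(image_id, owner_id):
    """Constructed stand-in for the JSON printed by
    `aws ec2 describe-images --region <region> --image-ids <ami-id>`."""
    return json.dumps({
        "Images": [{
            "ImageId": image_id,
            "OwnerId": owner_id,
            "Name": "constructed-sample",
        }]
    })


def verify_ami(response_json, region,
               published=PUBLISHED_AMIS, owner=PUBLISHED_OWNER):
    """Return a list of findings; an empty list means the image matches
    the published AMI ID for the region and the published owner account."""
    images = json.loads(response_json).get("Images", [])
    if len(images) != 1:
        return [f"expected exactly one image in the response, got {len(images)}"]

    image = images[0]
    ami_id = image.get("ImageId", "")
    findings = []

    if not AMI_ID_RE.match(ami_id):
        findings.append(f"malformed AMI ID: {ami_id!r}")

    if region not in published:
        findings.append(f"region {region} has no published AMI ID")
    elif ami_id not in published[region]:
        # IDs differ per region, so report where this one is published, if anywhere.
        elsewhere = sorted(r for r, ids in published.items() if ami_id in ids)
        hint = f" (published for {', '.join(elsewhere)})" if elsewhere else ""
        findings.append(f"{ami_id} is not published for {region}{hint}")

    # The owner account is the check that catches a look-alike image
    # shared from an account other than the vendor's.
    if image.get("OwnerId") != owner:
        findings.append(
            f"owner account {image.get('OwnerId')} does not match "
            f"published account {owner}"
        )
    return findings


if __name__ == "__main__":
    cases = {
        "matching image": (sample_response("ami-11111111", "000000000000"), "us-east-1"),
        "wrong owner": (sample_response("ami-11111111", "111122223333"), "us-east-1"),
        "wrong region": (sample_response("ami-22222222", "000000000000"), "us-east-1"),
    }
    for label, (response, region) in cases.items():
        result = verify_ami(response, region)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```
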

Choosing an Amazon instance type


Before installing Web Gateway within an AWS environment, you must choose an Amazon instance type.

For Web Gateway, only Amazon instance types belonging to the HVM type group are supported.

Which instance type you choose depends on what you plan to use the Web Gateway instance for, for example,
testing or production.

You should also take into account network performance and the number of NICs that you plan to run with the
instance.

The following table shows some common use cases and Amazon instance types that you can choose.

Web caching is not included among the features of Web Gateway when run in an AWS environment, which
reduces the requirements for available hard-disk space.

Table 2-4 Specifications for an Amazon instance type

Use                                                                          RAM (in GB)   Hard-disk space (in GB)   CPU cores   Amazon instance type
Functional testing (user interface based on Java applet or desktop client)   4             80                        4           m4.large
Functional testing (HTML-based user interface)                               8             80                        4           m4.large
Production (minimum)                                                         16            80                        4           m4.xlarge
Production (recommended)                                                     32 or more    80 or more                4 or more   m4.2xlarge

Azure platform requirements


When installing Web Gateway on an Azure platform, make sure that your environment meets the system
requirements. You must also choose a size type for the virtual machine that Web Gateway is to run on and
consider the restrictions for running on this platform.

System requirements
This is required to complete the installation:

• Azure account

• Windows, Linux, or Mac system with:

• 2 GB of free disk space (minimum)

• Most recent version of the Azure command line interface

• AzCopy

You can download the Azure commands from https://docs.microsoft.com.

Choosing an Azure virtual machine size type


You must choose a size type for the virtual machine that Web Gateway is to run on, according to what you want
to use Web Gateway for, for example, testing or production.

You should also consider network performance and the number of NICs that you plan to run with Web
Gateway.

This table shows some common use cases and Azure size types from which you can choose.

Web caching is not included among the features of Web Gateway when run on Azure, which reduces the
requirements for available hard-disk space.

Table 2-5 Specifications for the size type of an Azure virtual machine

| Use | RAM (in GB) | Hard-disk space (in GB) | CPU cores | Azure size types |
|---|---|---|---|---|
| Functional testing (user interface based on Java applet or desktop client) | 4 | 80 | 4 | Standard_B2s |
| Functional testing (HTML-based user interface) | 8 | 80 | 4 | Standard_B2ms, Standard_D2s_v3 |
| Production (minimum) | 16 | 80 | 4 | Standard_B4ms, Standard_D4s_v3 |
| Production (recommended) | 32 or more | 80 or more | 4 or more | Standard_E4s_v3, Standard_B8ms, Standard_D8s_v3 |

Restrictions
These network modes, which can be configured for Web Gateway in other environments, are not supported on
Azure:

• Proxy HA

• Transparent Router

Blade servers as hardware platforms


You can install Web Gateway on a blade server, which serves as the hardware platform for the appliance
software.
A blade server is a modular server that is itself installed in a blade system enclosure. A blade system enclosure
that has blade servers installed is referred to as a blade server system.

Web Gateway runs on this blade server model:

• ProLiant BL460c G8

The blade servers can be installed in these enclosure models:

• M3 (c3000)

• M7 (c7000)


3 Install Web Gateway for the first time

Contents
Set up a physical appliance with preinstalled software
Set up a physical appliance with downloaded software
Set up a virtual appliance
Set up a virtual appliance with Hyper-V
Implement the initial configuration settings
Log on to the Web Gateway interface
Activate Web Gateway
License replacement
Configure more initial settings
Default serial system console settings
Enable additional mitigation for CPU vulnerabilities
Restrictions when running Web Gateway in FIPS-compliant mode

Set up a physical appliance with preinstalled software


On a newly purchased hardware platform, the appliance software is preinstalled. Connect the appliance and
turn it on.

Task
1 Connect the appliance to power and the network.

2 Connect a monitor and keyboard or a serial system console to the appliance.

3 Turn on the appliance.

The configuration wizard appears.

4 Work with the configuration wizard to implement the initial configuration settings.

After implementing the initial configuration settings, you can log on to the interface and activate the Web
Gateway appliance.

When the appliance is activated, you can perform other administration activities on the user interface. As one of
these activities, we strongly recommend updating the appliance software.

When this update is performed, the appliance software is upgraded to the latest update of the version that is
preinstalled.

For example, if version 7.8.1.2 is preinstalled, which belongs to version 7.8.1, and the latest update within this
range is 7.8.1.3, the software on your Web Gateway appliance is upgraded to this version.

An update, such as 7.8.1.3, resolves issues that occurred in earlier versions.


Set up a physical appliance with downloaded software


Contents
Download the software for a physical appliance
Install the downloaded software on a physical appliance

Download the software for a physical appliance


You can download different versions of the appliance software in ISO or USB format.

Task
1 Use a browser to go to the McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/.

2 Submit your user name and password.

3 Beginning on the home page of the portal, select Software | McAfee Web Gateway 7 | Download.

A page with software versions in ISO and USB format appears.

4 Click the icon for the exact software version you want to download.

A download window opens.

5 Select the option for storing a file and click OK.

The software is downloaded and stored within your file system.

6 Copy the downloaded software to a CD/DVD or a USB drive to have it available for the installation.

Install the downloaded software on a physical appliance


To install the downloaded software on a physical appliance, connect the appliance, turn it on, and work with the
Boot Manager.

Task
1 Connect the appliance to power and the network.

2 Connect a monitor and keyboard or a serial system console to the appliance.

3 Insert the CD/DVD or the USB drive with the downloaded software.

4 Turn on the appliance.

The installation begins.

5 During the initial phase, select the installation device:


• If your appliance hardware model is Web Gateway (WBG) 4500B, 5000B, or 5500B:

• Press F6 to enter the Boot Manager.

• Select the drive for the CD/DVD or USB format, then press Enter.

• If your model is Web Gateway (WBG) 4000B:


• Press F2 to enter the BIOS setup menu.

• Select Boot Options and click Hard Disk Order.


• Select the option that assigns the CD/DVD or USB drive the highest priority.

• Click the Exit tab.

• Select Discard Changes.

Do not use the Discard Changes and Exit option here.

• Select Boot Manager and select the drive for the CD/DVD or USB format. Then press Enter.

• If your model is not specified:


• Press F11 to enter the Boot Manager.

• Select the drive for the CD/DVD or USB format, then press Enter.

The installation menu appears on the monitor.

6 Select an installation mode, then press Enter.


Help text is displayed for a selected mode below the menu.

If you select the FIPS mode, several restrictions are imposed on running Web Gateway to meet the
requirements of this United States federal security standard.

The downloaded software is installed on the appliance. When this installation is completed, the
configuration wizard appears.

You can now work with the configuration wizard to implement the initial configuration settings.

See also
Restrictions when running Web Gateway in FIPS-compliant mode on page 35

Set up a virtual appliance


Contents
Download the software for a virtual appliance
Install the downloaded software on a virtual appliance

Download the software for a virtual appliance


You can download different versions of the appliance software in ISO format.

Task
1 Use a browser to go to the McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/.

2 Submit your user name and password.

3 Beginning on the home page of the portal, select Software | McAfee Web Gateway 7 | Download.

A page with software versions in ISO and USB format appears.

4 Click the ISO icon for the exact software version you want to download.

A download window opens.


5 Select the option for storing a file and click OK.

The software is downloaded and stored within your file system.

6 Copy the downloaded software to a CD/DVD to have it available for installation.

Install the downloaded software on a virtual appliance


To install the downloaded software on a virtual appliance, insert the CD/DVD with the software in a suitable
host system, create a virtual machine on this system, and start the virtual machine.

Task
1 Connect a keyboard and monitor to a suitable host system.

2 Insert the CD/DVD with the appliance software.

3 Using your VMware product, create a virtual machine on the host system.

4 Start the new virtual machine.

The appliance software is installed on the virtual machine. When this installation is completed, the
configuration wizard appears on the monitor of the host system.

You can now work with the configuration wizard to implement the initial configuration settings.

If your VMware type is ESXi and you are running a vSphere client, you can use one of the following methods to
make the appliance software available on the host system:

• Insert a CD/DVD with the appliance software into the host system (as was already described)

• Store the appliance software on a local disk or the data store of the host system

• Store the appliance software on a USB drive and insert it into the host system

Set up a virtual appliance with Hyper-V


You can set up a virtual machine with Hyper-V and use it as a platform for running the Web Gateway appliance
software.
Hyper-V is a role in several Microsoft Windows Server products that provides the tools and services to create
virtualized servers. You can use these servers as the virtual machines that are required for running Web
Gateway as a virtual appliance.

Multiple virtual appliances can be set up this way on one hardware system, allowing you to work with multiple
separate operating systems.

Task
1 Install a suitable Microsoft Windows server product on the system where you want to run Web Gateway.

2 Set up Hyper-V as the server role.

3 Complete the following using the Hyper-V manager.


a Set up Web Gateway as a virtual appliance.

When configuring the virtual appliance settings, make sure that dynamic memory is disabled, as this
feature is not supported on Web Gateway.


b Create a virtual network for the appliance.

4 Configure a static MAC address for the virtual appliance.

For more detailed information about how to perform this setup, see the Microsoft Windows documentation on
Hyper-V and KB85837.

Implement the initial configuration settings


Contents
Default initial configuration settings
Accept the default initial configuration settings
Implement your own initial configuration settings

Default initial configuration settings


You can set up an appliance with default initial configuration settings or implement your own settings, using the
configuration wizard that appears during the process.

The following table shows the default settings.

Table 3-1 Default initial configuration settings

| Parameter | Value |
|---|---|
| Primary network interface | eth0 |
| Autoconfiguration with DHCP | yes |
| Host name | mwgappl |
| Root password | webgateway |
| Remote root logon with SSH | on |
| Default gateway | <configured by DHCP> |
| DNS server | <configured by DHCP> |

Accept the default initial configuration settings


To accept the default initial configuration settings, work with the wizard to configure a root password and
remote root logon, but leave the remaining settings unchanged.

Task
1 Press Esc in response to all prompts of the configuration wizard until the root password is configured.

2 When asked for the root password, enter and repeat it, then confirm it with OK.

3 When asked to allow remote root logon with SSH, click Yes or No.

When the initial configuration settings are implemented, the appliance restarts and the appliance volume
wizard appears to let you resize the volume of the web cache.

For more information, refer to the System configuration chapter of the McAfee Web Gateway Product Guide.

After completing the initial configuration, with or without resizing the web cache, you can log on to the user
interface.


Implement your own initial configuration settings


To implement your own initial configuration settings, follow the instructions of the wizard.

Task
1 In the wizard windows, configure the following:
• Primary network interface

• IP address, entered manually or configured dynamically by DHCP

If you plan to configure the explicit proxy mode with High Availability functions (Proxy HA) later on,
we strongly recommend that you do not enter a virtual IP address here.

• Network mask (only after entering the IP address manually)

• Default gateway (only after entering the IP address manually)

• Host name

• DNS server (only after entering the IP address manually)

2 Review the summary that is displayed after configuring the first settings.
• If you approve of the summary, confirm and configure the remaining settings:

• Root password

• Remote root logon with SSH

The installation is completed with your initial configuration settings and the IP address is displayed.

You can now log on to the user interface.

• If you need to make changes, click Cancel and return to step 1.

When the initial configuration settings are implemented, the appliance restarts and the appliance volume
wizard appears to let you resize the volume of the web cache.

For more information, refer to the System configuration chapter of the McAfee Web Gateway Product Guide.

After completing the initial configuration, with or without resizing the web cache, you can log on to the user
interface.

Log on to the Web Gateway interface


Log on to the interface that is provided for Web Gateway to use the product for configuring and maintaining a
web security policy.
You can run this interface in several ways:

• As a Java applet in your browser

• As a Java Web Start application

• As an HTML application in your browser

The logon procedure differs depending on the method you choose.

In each case, the procedure begins with accessing the logon options window for Web Gateway through a
browser.


Task
1 Open a browser on your administration system for Web Gateway and go to one of the following:
• http://<IP address>:4711

• https://<IP address>:4712

<IP address> is the IP address that was specified during the initial configuration.

The logon options window opens.

2 Under HTTPS, accept the self-signed certificate that appears.

3 Continue in one of the following ways to log on:

If the credentials that you submit are invalid, a message informs you about it. You must wait about five
seconds until you can repeat your logon attempt. The short-term blocking does not apply to another
administrator trying to log on during this time.

• To run the interface as a Java applet in your browser: Enter admin as the user name and webgateway as
the password, then click Login.

After you have logged on successfully, the setup wizard appears.

When you have completed the wizard activities, the interface appears and you can start working with
Web Gateway.

• To run the interface as a Web Start application:

1 Click Web Gateway UI as Java Web Start download.

2 Click Open, Continue, and similar buttons in the windows that open during the logon process.

3 When the logon window has opened, enter admin as the user name and webgateway as the
password, then click Login.

After you have logged on successfully, the setup wizard appears.

When you have completed the wizard activities, the interface appears and you can start working with
Web Gateway.

• To run the interface as an HTML application in your browser:

1 Click Web Gateway UI as in-browser HTML.

2 In the logon window that opens, enter admin as the user name and webgateway as the password,
then click Login.

After you have logged on successfully, the setup wizard appears.

When you have completed the wizard activities, the interface appears and you can start working with
Web Gateway.

Activate Web Gateway


To activate the product, review two online documents on licensing and data usage, then import a license and
click the activation button.

You must agree to the content of the online documents if you want to activate the product.


For the licensing procedure, a file with a license key was sent to you. If you have not received it, contact McAfee
support. In the meantime, you can use a temporary key.

Task
1 In the License section of the setup wizard, click End User License Agreement and review the agreement. If you
agree to it, select the corresponding checkbox.

2 Click Data Usage Statement and review the statement. If you agree to it, select the corresponding checkbox.

3 Click Browse and use the file manager that opens to select the file with the license key, then click OK.

If you are using a browser without Java support for working with Web Gateway, complete the import of the
license key file in the additional window that is provided.

The Activate product button becomes accessible.

4 Click Activate product.

Web Gateway is activated and an initial download of files begins to update the information used by the
anti-malware and URL filtering modules (engines).

Download progress is indicated by a progress bar at the bottom and explained by a status label.

5 Do one of the following:


• Wait until the download finishes successfully, then click Close wizard.

This completes the setup procedure. You can now work with the user interface to perform more
administration activities.

If you want to configure settings for data collection, configure them and click Save Changes when you are
done. For more information, refer to the Data Usage Statement.

Be sure not to click Save Changes to save any other settings before configuring data collection (if you want
to do it at all), as data collection starts when this button is clicked for the first time.

For more information on how to work with the user interface, refer to the McAfee Web Gateway Product
Guide.

• Configure more initial settings.

The download progress remains visible while you continue with the wizard.

If the download fails, an error message appears and the Network solutions section becomes accessible in the
navigation area. This section allows you to solve problems with connecting to the download servers.

License replacement
When something changes about the order that you issued to purchase one or more Web Gateway appliances
from McAfee, your old license is replaced with a new one.
Your order will, for example, change when you purchase more appliances for your Web Gateway appliance
cluster. Your old license is then disabled and a new license created. To implement it, you must log on to the user
interface, activate Web Gateway, and import the new license.

McAfee sends the new license with the license key to the contact that is associated with your customer account.
This means that some delay can occur before a new license is actually available for implementing it on an
appliance.


While the old license is disabled and no new license has been implemented yet, you can continue operating
Web Gateway. However, the information that the web filters on an appliance retrieve from the update
servers cannot be updated during this time.

Monitoring a disabled license


When your current license is disabled, the monitoring functions on Web Gateway record it as follows.

• Log entry — An entry is written into the update log stating that your license is disabled.

• Incidents — An incident is created to record that your license is enabled. Another incident records that no
updates can currently be retrieved for the web filters.

• Alert — A red alert appears on the dashboard of the user interface.

The alert message includes the ID of the appliance that the disabled license was issued for. When an
appliance is running as a node in a cluster of Web Gateway appliances, the node number is also provided.

Configure more initial settings


Configure initial settings for the time zone, network interfaces, and DNS servers.

Task
1 In the Time zone section of the wizard, select a time zone for the Web Gateway appliance or leave the default
zone (UTC).

2 On the Network interfaces tab of the Network settings section, configure the following:
• In the Host name / Fully qualified domain name field, type a host name for the appliance.

• In the Default gateway (IPv4) or Default gateway (IPv6) fields, type an IP address in IPv4 or IPv6 format.

To configure the default gateway address dynamically, select Obtain automatically (DHCP) under IP settings.

Do not configure more than one DHCP interface because proper operation is not ensured. If
you set up Web Gateway in an AWS environment, we recommend configuring the first
(default) network interface using DHCP. This reduces the risk of losing access to the respective
AWS instance.

3 On the Domain name servers tab of the Network settings section, type IP addresses for up to three DNS servers.

4 [Optional] In the Password section, change the preconfigured administrator password.

5 Click Close wizard.

The wizard closes and the user interface becomes accessible. A message asks if you want to save the
configuration.

6 Do one of the following:


• If you also want to configure settings for data collection, configure them and click Save Changes when you
are done. For more information, refer to the Data Usage Statement.

• Click Save Changes now.


Default serial system console settings


When using a serial system console to connect to a Web Gateway appliance for administrative purposes,
particular settings are configured by default on the console.
The following table shows these default settings.

Table 3-2 Default serial system console settings

| Parameter | Value |
|---|---|
| Baud rate | 19200 |
| Data bits | 8 |
| Parity bit | N (no) |
| Stop bits | 1 |
| Short | 19200/8-N-1 |
| Flow control | no |

Enable additional mitigation for CPU vulnerabilities


You can mitigate vulnerabilities that affect CPUs on Web Gateway by disabling hyper-threading, the feature
that exposes the CPUs to these vulnerabilities. The mitigation is implemented in addition to other measures
executed by microcode that is loaded when an appliance starts.
Hyper-threading improves CPU performance, but also exposes CPUs to several MDS hyper-thread sibling
vulnerabilities. Disabling hyper-threading mitigates these vulnerabilities, but slows down performance. The
mitigation is, therefore, not enabled by default when an appliance starts, initially or as a restart.

You can enable this mitigation by selecting a suitable option from a menu that is shown on your administration
system when an appliance starts. You can also have an option permanently selected by editing a system file.

The mitigation can be enabled on the Web Gateway appliance models where hyper-threading is used:

• WBG-4500-C, WBG-5500-C, WBG-5500-D

It cannot be enabled on the WBG-5000-C models where the relevant microcode is not available yet.

Task
1 When an appliance starts, wait until these menus are shown on your administration system.

McAfee Web Gateway


Advanced options for McAfee Web Gateway
Advanced options for McAfee Web Gateway (no SMT)
Advanced options for McAfee Web Gateway (no microcode)

Use the ^ and v keys to change the selection.


Press 'e' to edit the selected item, or 'c' for a command prompt.


2 Select an option from the second (no SMT) or third (no microcode) menu, depending on whether you want to
enable additional mitigation or load no microcode at all.
• Advanced options for McAfee Web Gateway (no SMT) — Provides options for proceeding with
additional mitigation.

These options are for disabling hyper-threading on CPUs, which mitigates their risk of being affected by
several vulnerabilities.

• Advanced options for McAfee Web Gateway (no microcode) — Provides options for proceeding
without loading microcode.

Not loading the microcode exposes CPUs to vulnerabilities caused by hyper-threading, as well as to
various other vulnerabilities. We recommend not selecting an option from this menu unless it is required
to solve issues with stability or with starting an appliance.

3 To enable any of these options permanently, edit the /etc/default/grub system file.
a Append a line for the GRUB_DEFAULT parameter as follows:

GRUB_DEFAULT='2>0'

The parameter values select a menu and an option, with option numbering beginning at 0. For
example, '2>0' selects the first option of the second menu.

b After editing the system file, run this command:


update-grub
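
The permanent selection from step 3, together with a check to run after the restart, as an added shell example that is not part of the McAfee guide. The function names are hypothetical, and the check assumes that the appliance kernel exposes the standard Linux sysfs file /sys/devices/system/cpu/vulnerabilities/mds.

```shell
#!/bin/sh
# Added example, not part of the McAfee guide. Function names are hypothetical.

# set_grub_default FILE VALUE
# Make GRUB_DEFAULT='<menu>><option>' the only active GRUB_DEFAULT line in FILE.
set_grub_default() {
    sgd_file=$1
    sgd_value=$2

    # Accept only "<menu index>><option index>", for example 2>0. The file is
    # read as shell syntax, so nothing else may be written into it.
    sgd_ok=no
    case $sgd_value in
        *[!0-9\>]* | \>* | *\> | *\>*\>*) ;;  # stray character, empty index, extra level
        *\>*) sgd_ok=yes ;;
    esac
    if [ "$sgd_ok" != yes ]; then
        echo "set_grub_default: invalid value: $sgd_value" >&2
        return 2
    fi
    if [ ! -f "$sgd_file" ]; then
        echo "set_grub_default: no such file: $sgd_file" >&2
        return 1
    fi

    # Keep the first pristine copy so the change can be rolled back from a console.
    if [ ! -e "$sgd_file.bak" ]; then
        cp -p "$sgd_file" "$sgd_file.bak" || return 1
    fi

    sgd_tmp=$(mktemp) || return 1
    # Drop active GRUB_DEFAULT lines (commented ones stay), then append the new one.
    sed '/^[[:space:]]*GRUB_DEFAULT=/d' "$sgd_file" > "$sgd_tmp" || return 1
    printf "GRUB_DEFAULT='%s'\n" "$sgd_value" >> "$sgd_tmp"
    # Write through the existing file so its owner and mode stay unchanged.
    cat "$sgd_tmp" > "$sgd_file"
    sgd_rc=$?
    rm -f "$sgd_tmp"
    return "$sgd_rc"
}

# get_grub_default FILE
# Print the value that takes effect: the last active assignment, quotes removed.
get_grub_default() {
    sed -n 's/^[[:space:]]*GRUB_DEFAULT=//p' "$1" | tail -n 1 | tr -d "'\""
}

# mds_smt_state [FILE]
# Summarize the kernel's MDS report. FILE defaults to the sysfs entry (assumed
# to be present on the appliance kernel); pass a path to check a saved copy.
mds_smt_state() {
    mss_file=${1:-/sys/devices/system/cpu/vulnerabilities/mds}
    if [ ! -r "$mss_file" ]; then
        echo unknown
        return 0
    fi
    mss_line=$(cat "$mss_file")
    case $mss_line in
        "Not affected"*)     echo not-affected ;;
        *"SMT disabled"*)    echo smt-off ;;   # hyper-threading is off
        *"SMT vulnerable"*)  echo exposed ;;   # hyper-threading is still on
        *)                   echo unknown ;;
    esac
}

# On the appliance, as root, following step 3 of the task:
#   set_grub_default /etc/default/grub '2>0' && update-grub
# After the restart, expect "smt-off":
#   mds_smt_state
```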

Restrictions when running Web Gateway in FIPS-compliant mode


You can run Web Gateway in a mode that complies with the Federal Information Processing Standard (FIPS).
Under this standard, which has been introduced by United States federal authorities to enhance information
processing security, several restrictions are imposed on running the product.
The FIPS-compliant mode is enabled by selecting it during the installation procedure for Web Gateway.

The following restrictions are imposed in this mode:

• System files integrity — System files, which are files containing settings for functions of the Web Gateway
appliance system, cannot be modified.

An example of a system file is the /etc/hosts file, which contains entries for IP addresses and host names,
including the local IP address and host name of the appliance itself.

In other modes, system files can be edited using the File Editor on Web Gateway. This editor is removed
from the user interface in FIPS-compliant mode.

• Root password not resettable — The root password, which is required for working with the command line
interface on a system console that is connected to Web Gateway, cannot be reset.

Accessing Web Gateway as root administrator on the operating system level is then no longer possible.

In other modes, this password can be reset using an option on the troubleshooting menu of Web Gateway.


• No scheduled jobs for yum commands — Commands of the yum type, which are usually run manually on
a system console that is connected to Web Gateway in order to perform product upgrades, cannot be run as
scheduled jobs.

Examples of yum commands are yum upgrade or mwg-switch-repo, which is used to switch to a suitable
software repository.

In other modes, these commands can be run as scheduled jobs, which run unattended at a given time and
are configured using the Central Management functions of Web Gateway.

• No HSM support for SSL scanning — When the SSL scanner is used on Web Gateway to inspect and filter
HTTPS traffic, private certificate keys cannot be stored on a Hardware Security Module (HSM), which is a
separate physical device that is connected to Web Gateway.

In other modes, HSM devices for storing private certificate keys can be installed and configured to run with
Web Gateway.

See also
Install the downloaded software on a physical appliance on page 26



4 Upgrade to a new Web Gateway version

Contents
Version numbering
Main and controlled releases
Upgrading to a new version provided as a main release
Upgrading to a new version provided as a controlled release
Reimage an appliance using virtual RMM media

Version numbering
Web Gateway uses a particular numbering scheme for different types of product
versions.
Beginning with MWG 8.0, versions are numbered like this:

• MWG 8.1 — Version with new features

• MWG 8.1.3 — Update

An update resolves issues that were present in previous versions.

• MWG 8.1.3.1 — Hotfix

A hotfix usually resolves an issue that occurred at a particular customer's site and is provided only to this
customer.

Version groups and iterations


Three consecutive versions with new features are combined in a version group, which is given a code name.
With regard to its group, a version is also known as an iteration.

For example, MWG 8.0, MWG 8.1, and MWG 8.2 are iterations of the Copper version group.

When a new version group begins, the first digit of the version number changes. For example, the Copper
version group will be followed by the Zinc version group, which will include MWG 9.0, MWG 9.1, and MWG 9.2.

The distinction between major and minor product versions is irrelevant for Web Gateway.

Version numbers for repositories


When a repository must be activated to upgrade to a particular product version, the version number is specified
as a parameter of the mwg-switch-repo command.

A version number with two digits can also be specified with three digits, for example, as 8.1 or 8.1.0.


Main and controlled releases


New versions and updates of the Web Gateway appliance software are provided as main or controlled releases.
The upgrade procedure differs between the two types of releases.
When a new version has been developed for Web Gateway, it is provided as a controlled release. This means
that this version is not yet considered stable.

With every update that follows a new version, Web Gateway development resolves issues that still occurred.
After a few updates are released with issues resolved, an update follows that is first provided as a controlled
and then as a main release, which means the updated version is now considered stable.

All following updates are also provided as main releases.

Sample version with main and controlled releases


• 7.7.2 new version — controlled release

• 7.7.2.1 update — controlled release

• 7.7.2.2 update — controlled release

• 7.7.2.3 update — controlled release

• 7.7.2.3 update — main release

• 7.7.2.4 update — main release

• all further updates — main releases

Choosing an upgrade pattern


When new versions and updates are released, you can:

• Upgrade to all new versions and updates, including main and controlled releases

• Upgrade only to updates that are released as main releases

If you want to benefit from the new features and enhancements that a particular new version provides, you
might prefer not to wait until an update of this version is provided as a main release.

In that case, you would upgrade to a new version immediately or to one of its first updates. You can also
upgrade to any new version or update without following a pattern.

Upgrading to a new version provided as a main release


The procedure for upgrading to a new version of the Web Gateway appliance software that is provided as a
main release differs depending on the version that you are currently running.

Create a configuration backup before you upgrade and be sure to save it in an external location, so it is still
available in case you cannot access Web Gateway after a failed upgrade.

• 7.3.x or later — Upgrade to the new version from the Web Gateway interface or from a system console.

• 7.2.x or earlier 7.x, 6.9.x, or 6.8.x — Reimage the appliance using an image of the new version.

Download an image of the new version from the download page of the McAfee Content & Cloud Security
Portal at https://contentsecurity.mcafee.com/software_mwg7_download.


Upgrade from the interface


To upgrade to a new version from the Web Gateway interface, select an appliance and perform the upgrade,
then restart the appliance.

Task
1 Select Configuration | Appliances.

2 On the appliances tree, select the appliance where you want to perform the upgrade.

The appliance toolbar appears on the upper right of the tab.

3 Click Update Appliance Software.


The upgrade starts, and you are logged off from the interface.

When the upgrade is complete, a message informs you about the completion.

If you are running Web Gateway as an appliance on a virtual machine, a warning also appears on the host
system where you created the virtual machine. You are warned that an operating system is being used that
is not recommended.

To optimize the operation of the virtual machine, adapt its settings by configuring the recommended
operating system, which is CentOS, 64 bit, version 7.

4 To perform the restart of the appliance that is required:


a Log on to the interface again.

b Select Configuration | Appliances, then select your appliance.

c On the appliance toolbar, click Reboot.

When the restart is complete, you can again log on to the interface and start working with the new version.

Upgrade from a system console


When upgrading to a new version from a system console, you can work with a local system console or remotely
using SSH.
When working with SSH, consider using a terminal multiplexer to ensure that the upgrade will not fail due to an
unstable or broken SSH connection.

You can use the tmux multiplexer that Web Gateway has installed.


Task
1 Log on to the appliance where you want to perform the upgrade.

2 Run the following commands:


yum upgrade yum

yum upgrade

When the upgrade is complete, a message informs you about the completion.

If you are running Web Gateway as an appliance on a virtual machine, a warning also appears on the host
system where you created the virtual machine. You are warned that an operating system is being used that
is not recommended.

To optimize the operation of the virtual machine, adapt its settings by configuring the recommended
operating system, which is CentOS, 64 bit, version 7.

3 To perform the restart of the appliance that is required, run this command:
reboot

When the restart is complete, a logon prompt appears. You can now log on to the Web Gateway interface and
start working with the new version.

Upgrading to a new version provided as a controlled release


The procedure for upgrading to a new version of the Web Gateway appliance software that is provided as a
controlled release differs depending on the version that you are currently running.

Create a configuration backup before you upgrade and be sure to save it in an external location, so that it is still
available if the upgrade fails and you cannot access Web Gateway afterwards.

• 7.8.2 or later — Activate the repository for the new version and upgrade to it from the Web Gateway
interface or from a system console.

• 7.3.x to 7.8.1.x — Upgrade to version 7.8.2 first, then upgrade to the new version, proceeding as follows:
• Activate the repository for version 7.8.2 and upgrade to this version from the Web Gateway interface or
from a system console.

• Activate the repository for the new version and upgrade to it in one of the ways described.

• 7.2.x or earlier 7.x, 6.9.x, or 6.8.x — Re-image the appliance using an image of the new version.

Download an image of the new version from the download page of the McAfee Content & Cloud Security
Portal at https://contentsecurity.mcafee.com/software_mwg7_download.

Activate the repository


Activate the repository for the new version from a system console. You can use a local system console or work
remotely with SSH.
When working with SSH, consider using a terminal multiplexer to ensure that the upgrade will not fail due to an
unstable or broken SSH connection.

You can use the tmux multiplexer that Web Gateway has installed.


Task
1 Log on to the appliance where you want to perform the upgrade.

2 Run this command:


mwg-switch-repo <version number>

As <version number> type the version number of the new version.

When upgrading to version 7.8.2, which can be required as an intermediate step for upgrading to the new
version, type 7.8.2.

You can now upgrade to the new version from the Web Gateway interface or from a system console.

Upgrade from the interface


To upgrade to a new version from the Web Gateway interface, select an appliance and perform the upgrade,
then restart the appliance.

Task
1 Select Configuration | Appliances.

2 On the appliances tree, select the appliance where you want to perform the upgrade.

The appliance toolbar appears on the upper right of the tab.

3 Click Update Appliance Software.


The upgrade starts, and you are logged off from the interface.

When the upgrade is complete, a message informs you about the completion.

If you are running Web Gateway as an appliance on a virtual machine, a warning also appears on the host
system where you created the virtual machine. You are warned that an operating system is being used that
is not recommended.

To optimize the operation of the virtual machine, adapt its settings by configuring the recommended
operating system, which is CentOS, 64 bit, version 7.

4 To perform the restart of the appliance that is required:


a Log on to the interface again.

b Select Configuration | Appliances, then select your appliance.

c On the appliance toolbar, click Reboot.

When the restart is complete, you can again log on to the interface and start working with the new version.

Upgrade from a system console


When upgrading to a new version from a system console, you can work with a local system console or remotely
using SSH.
When working with SSH, consider using a terminal multiplexer to ensure that the upgrade will not fail due to an
unstable or broken SSH connection.

You can use the tmux multiplexer that Web Gateway has installed.


Task
1 Log on to the appliance where you want to perform the upgrade.

2 Run the following commands:


yum upgrade yum

yum upgrade

When the upgrade is complete, a message informs you about the completion.

If you are running Web Gateway as an appliance on a virtual machine, a warning also appears on the host
system where you created the virtual machine. You are warned that an operating system is being used that
is not recommended.

To optimize the operation of the virtual machine, adapt its settings by configuring the recommended
operating system, which is CentOS, 64 bit, version 7.

3 To perform the restart of the appliance that is required, run this command:
reboot

When the restart is complete, a logon prompt appears. You can now log on to the Web Gateway interface and
start working with the new version.
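
The controlled-release paths and console steps in this section can be planned for each appliance before anything is run. The following shell script is an added example, not McAfee's code: it sorts a running version into the three paths listed above and prints the matching commands without executing them. The function names and the target version 10.1.0 are assumptions of this example.

```shell
#!/bin/sh
# Added example: print (never execute) the console steps this guide prescribes for
# upgrading to a controlled release, based on the version an appliance is running.

# upgrade_path <running version>
# Echoes one of: direct | via-7.8.2 | reimage | unknown
upgrade_path() {
    _old_ifs=$IFS
    IFS=.
    set -f                       # no file name expansion while the version is split
    set -- $1
    set +f
    IFS=$_old_ifs
    _maj=${1:-0} _min=${2:-0} _pat=${3:-0}
    for _part in "$_maj" "$_min" "$_pat"; do
        case $_part in
            ''|*[!0-9]*) echo unknown; return 0 ;;   # not a numeric version
        esac
    done
    if [ "$_maj" -gt 7 ]; then
        echo direct
    elif [ "$_maj" -eq 7 ]; then
        if [ "$_min" -gt 8 ] || { [ "$_min" -eq 8 ] && [ "$_pat" -ge 2 ]; }; then
            echo direct          # 7.8.2 or later
        elif [ "$_min" -ge 3 ]; then
            echo via-7.8.2       # 7.3.x to 7.8.1.x
        else
            echo reimage         # 7.2.x or earlier 7.x
        fi
    elif [ "$_maj" -eq 6 ] && { [ "$_min" -eq 8 ] || [ "$_min" -eq 9 ]; }; then
        echo reimage             # 6.9.x or 6.8.x
    else
        echo unknown             # no path given in this guide
    fi
}

# stage_commands <version number>: the commands for one upgrade stage, as given above.
stage_commands() {
    printf '%s\n' "mwg-switch-repo $1" "yum upgrade yum" "yum upgrade" "reboot"
}

# upgrade_plan <running version> <new version>
upgrade_plan() {
    case $(upgrade_path "$1") in
        direct)
            echo "# create a configuration backup and store it externally first"
            echo "# over SSH, work inside tmux: tmux new-session -s mwg-upgrade"
            stage_commands "$2" ;;
        via-7.8.2)
            echo "# create a configuration backup and store it externally first"
            echo "# over SSH, work inside tmux: tmux new-session -s mwg-upgrade"
            stage_commands 7.8.2
            echo "# log on again after the restart, then continue"
            stage_commands "$2" ;;
        reimage)
            echo "# $1: no in-place upgrade; reimage the appliance with an image of $2" ;;
        *)
            echo "# $1: version not covered by this guide"
            return 2 ;;
    esac
}

# Constructed demonstration: an appliance on 7.5.1 moving to a hypothetical target 10.1.0.
upgrade_plan 7.5.1 10.1.0
```
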

Reimage an appliance using virtual RMM media


You can use Remote Management Module (RMM) virtual media to reimage the Web Gateway appliance
software on a physical appliance and upgrade it to a new version.
You can connect to the RMM virtual media from a system within your network where Java is installed.

Task
1 Download the Web Gateway .iso image file to the system you are using to connect to the RMM virtual media.
a On this system, open a browser and go to the McAfee Content & Cloud Security Portal at
https://contentsecurity.mcafee.com.

b Submit your user name and password.

c On the home page, select Software | McAfee Web Gateway 7 | Download.

d Click the icon for the .iso file version you want to download.

A download window opens.

e Select the option for storing a file and click OK.

The .iso file is downloaded to this system.

2 Log on to the Web Gateway appliance.

3 On the system for connecting to the RMM virtual media, open a browser and go to:
https://<RMM IP address>
When prompted for credentials, submit the credentials you logged on with to the appliance.


4 Select the .iso file and complete these substeps to use the RMM virtual media for the reimaging process.
a On the Remote Control tab, click Launch Console.

b On the Device tab, select Redirect ISO. Then browse to the .iso file and select it.

c On the Remote Control tab, select Server Power Control | Power Cycle Server.

The .iso file is made available for reimaging the appliance.

d On the Device tab, deselect Redirect ISO.

If you do not deselect Redirect ISO, the reimaging that is performed after the next restart will
remove your current configuration and reset the appliance to the default values.

5 Restart the appliance, choose an installation mode, and follow the wizard's instructions to complete the
installation.
The installation uses the .iso file that has been made available by the RMM virtual media to reimage the
appliance.



5 Install Web Gateway in an AWS environment

Contents
Create a key pair for SSH authentication
Import a key pair for SSH authentication
Install a Web Gateway instance within AWS
Connect to a Web Gateway instance within AWS

Create a key pair for SSH authentication


To access Web Gateway within AWS, you must provide an SSH key pair for authentication. You can create this
key pair on an AWS Web Console.

Task
1 On the AWS Web Console, select the region where you want to set up Web Gateway from the drop-down
menu in the upper right corner.

2 Navigate to the Services menu in the upper left corner and select EC2.

3 Select Network and Security, then Key Pairs.

4 Click Create Key Pair.

5 Type a key pair name and enter it.

A key pair file is generated and downloaded to the system that the AWS Web Console is connected to.

The key pair file is generated with a .pem ending.

To connect to a Web Gateway instance within AWS using PuTTY, convert the .pem file into the .ppk format, which
is supported by PuTTY.

Import a key pair for SSH authentication


When connecting to Web Gateway within AWS, you must provide an SSH key pair for authentication. You can
import this key pair using an AWS Web Console.

Task
1 On the AWS Web Console, navigate to the Services menu in the upper left corner and select EC2.

2 Select Network and Security, then Key Pairs.

3 Click Import Key Pair, then browse to a key pair and select it.


A file with the selected key pair is downloaded to the system that the AWS Web Console is connected to.

Install a Web Gateway instance within AWS


To install an instance of Web Gateway within AWS, launch an image for this instance, then configure a type and
security group for it.

Task
1 On the AWS Web Console, navigate to the Services menu in the upper left corner, then select EC2.

2 Launch a Web Gateway image.


a Select Images, then click AMIs.

b In the search field that appears, type and submit mwg.

c Select a Web Gateway image file and click Launch.

3 Select and configure an instance type for Web Gateway.


a Select an instance type based on your considerations regarding the use of the instance.

b Click Next: Configure Instance Details and in the Network list that appears make sure that the default VPC
(Virtual Private Cloud) is selected.
The instance is set up in a Virtual Private Cloud. Every AWS account created after December 4, 2013, has
a default VPC ready to use within each AWS region.

c Click Next: Add Storage and increase the size of the hard disk drive to at least 80 GB.

d (Optional) Click Next: Add Tags and add a key-value pair to tag the instance.
This step is not required, but enables you to categorize instances, for example, by owner or purpose.

4 Configure a security group for Web Gateway.


a Click Next: Configure Security Group.

b Change the default name of the security group, for example, to MWG-security-group.

c Configure rules for the security group, such as these sample rules.
Table 5-1 Rules for a security group

Type                  Protocol  Port  Source  Use
SSH rule              TCP       22    my IP   SSH access
Customized TCP rule   TCP       9090  my IP   Proxy port
Customized TCP rule   TCP       4712  my IP   Admin user interface HTTPS

These rules ensure that the configured ports on Web Gateway cannot be accessed by anyone other than
yourself.

For testing and production, change access to the ports according to your considerations. For a complete
list of ports used by Web Gateway, see KB86010.


5 Launch the Web Gateway instance.


a Click Review and Launch.

b Review what you have configured and make changes if necessary, then click Launch.

When reviewing the configuration, make sure that the AMI ID of your instance and the AWS account
number are also correct.

c Select the SSH key pair that you created, then click Launch Instances.

The instance begins to launch.

d Click View Instances to monitor the launch status.

When the status in the Status Checks column changes to 2/2 checks passed, the instance is ready to use.

You can now connect to the instance and log on to its interface.

Connect to a Web Gateway instance within AWS


Connect to an instance of Web Gateway within AWS using an AWS web console.

Task
1 On the AWS Web Console, navigate to the Services menu in the upper right corner, then select EC2.

2 Select Instances and right-click the name of the Web Gateway instance.

3 Select Connect and execute the commands for connecting to the instance described in the window that
opens.
When performing the SSH authentication command, be sure not to use root, as it reads in the description,
but the ec2 user name, which also includes the domain, for example:

ssh -i <key pair file name> [email protected]

4 Next to the command line prompt that appears after you have successfully authenticated, type ec2-user
and submit.

A password is shown, which is the one that is required for logging on to the user interface of Web Gateway.

5 Log on to the user interface of Web Gateway.


a In a web browser, enter the appropriate URL.
This URL must include the Amazon public DNS name of the Web Gateway instance, for example:

https://foo.eu-west-2.compute.amazonaws.com:4712

b When prompted for your credentials, submit admin as the user name and the password that was shown
before.

After logging on to the user interface successfully, you can work with the web security features that are
provided by Web Gateway.



6 Install Web Gateway on an Azure platform

Contents
Set up Web Gateway on Azure with a script
Set up Web Gateway on Azure with the Azure command line interface
Look up and configure access parameters for Web Gateway on Azure

Set up Web Gateway on Azure with a script


McAfee provides a script, which you can use to install Web Gateway as a virtual machine on an Azure platform.
Alternatively, you can set up Web Gateway using the Azure command line interface (CLI).

To set up Web Gateway using the script, complete this task.

Task
1 Download the Web Gateway software and the script.
a Open a browser and go to the McAfee Content & Cloud Security Portal at
https://contentsecurity.mcafee.com/.

b Download the VHD file with the Web Gateway software to a directory on your system.

c Download the deploy-mwg-on-azure.sh script to the same directory.

2 On your system, run this command to make the script executable:


chmod +x deploy-mwg-on-azure.sh

3 Execute the script:


./deploy-mwg-on-azure.sh

While the script is executed, several options are presented. Follow the instructions and select suitable
options until the script finishes.

Web Gateway is now installed as a virtual machine on an Azure platform. Continue with looking up and
configuring access parameters for Web Gateway.

For more information, see the community pages that are provided for Web Gateway on Azure beta.

See also
Set up Web Gateway on Azure with the Azure command line interface
Look up and configure access parameters for Web Gateway on Azure
Azure platform requirements


Set up Web Gateway on Azure with the Azure command line interface
You can install Web Gateway as a virtual machine on an Azure platform using the Azure command line interface
(Azure CLI).
Alternatively, you can set up Web Gateway using a script provided by McAfee.

To set up Web Gateway using the Azure CLI, complete this task.

The command parameters are either fixed, so you can type them as shown here, for example,
mwgnativegroup, or have variable values, enclosed in angle brackets here, for example, <name of a location>.

When entering longer commands in more than one line, be sure to use a \ (backslash) at the end of each line that
is followed by another line, as shown below. Also, enter each command parameter completely in one line.

Task
1 Download the Web Gateway software.
a Open a browser and go to the McAfee Content & Cloud Security Portal at
https://contentsecurity.mcafee.com/.

b Download the VHD file with the Web Gateway software to a directory on your system. Note down the link
name for later use.

2 On the Azure CLI, navigate to the directory with the VHD file, then run this command to log on to the Azure
portal:
az login

3 Create a resource group:


az group create --name mwgnativegroup --location <name of a location>

As the location, specify, for example, southindia.

4 Create the storage for the resource.


a Create a storage account:

az storage account create --resource-group mwgnativegroup \
    --location <name of a location> --name mwgimgstorage \
    --kind storage --sku standard_lrs

Specify the same location as in step 3.

b Create a storage container:


az storage container create --account-name mwgimgstorage --name mwgimg

5 Upload the VHD file with the Web Gateway software to Azure using an az command and a SAS token.
Alternatively, you can upload this file using a storage account key. If you prefer this method, continue with
step 6.
a Create an SAS token.
• At the Azure portal, click All resources, then select the storage account that you created in step 4a.

• Click Shared access signature, then click Generate SAS and connection string.

The SAS token is generated. Note down its name, for use in the next substep.


b Run an az command to upload the VHD file:


az copy <link to the VHD file on the portal> \
    https://mwgimgstorage.blob.core.windows.net/mwgimg/<name of the VHD file><name of the SAS token>

The link to the VHD file is the one that you noted down after going to the Content & Cloud Security
Portal. When specifying the name of the VHD file, you can type it with or without the .vhd extension.

The SAS token is the one created in substep a.

Continue with step 7.

6 Upload the VHD file with the Web Gateway software using a storage account key.
a Create a list of the storage account keys:
az storage account keys list --resource-group mwgnativegroup \
    --account-name mwgimgstorage

Note down the name of the first key on the list that you have created, for use in the next substep.

b Upload the VHD file.


az storage blob upload --account-name mwgimgstorage \
    --account-key <name of the first key on the list> \
    --container-name mwgimg --type page \
    --file <name of the VHD file> --name <name of the VHD file>

The account key must be the first on the storage account keys list that you created in substep a.

7 Create a managed disk for the virtual machine:


az disk create --resource-group mwgnativegroup \
    --name mwgmanagedimg --size-gb <size in GB> \
    --source https://mwgimgstorage.blob.core.windows.net/mwgimg/<name of the VHD file>

As size, specify the GB that you planned for the virtual machine when considering the system requirements,
for example, 500, omitting the letters GB.

8 Create a virtual machine:


az vm create --resource-group mwgnativegroup --location <name of a location> \
    --name mwgnativevm --os-type linux --size <name of the size type> \
    --attach-os-disk mwgmanagedimg

Specify the same location as in step 3. As size type, specify the Azure size type that you chose for the virtual
machine when considering the system requirements, for example, Standard_D8s_v3.

Web Gateway is now installed as a virtual machine on an Azure platform. Continue with looking up and
configuring access parameters for Web Gateway.

See also
Set up Web Gateway on Azure with a script
Look up and configure access parameters for Web Gateway on Azure
Azure platform requirements


Look up and configure access parameters for Web Gateway on Azure


To enable access to Web Gateway on the virtual machine that you have set up on Azure, look up the public IP
address of the virtual machine and configure ports and credentials.
You can look up and configure these parameters at the Azure portal.

Task
1 Go to the Azure portal.

2 On the Azure resource list, identify the virtual machine that you set up for Web Gateway and note down its
public IP address.

3 Under Settings | Networking, create inbound port rules for these ports on Web Gateway:

Protocol  Port  Use
TCP       4712  Admin user HTTPS interface
TCP       9090  Proxy port
TCP       22    SSH access

The rules ensure that these ports cannot be accessed by anyone other than yourself. For testing and
production, change access to these ports as needed.

For a list of ports used on Web Gateway, see this Knowledge Center article: KB86010.

4 Generate credentials with a password or an SSH public key for the virtual machine, depending on how you
want to access it.
a Under Support + Troubleshooting, select Reset password, then select Reset password or Reset SSH public key.

b In the input fields, type:


• User name: azure-user

• Password: <password> or SSH public key: <key name>

5 Click Update.

6 When the update is complete, open an SSH terminal, using the public IP address of the virtual machine.
Then submit the configured user name and password or SSH public key.

The terminal returns logon information for Web Gateway, for example:

login as: azure-user


azure-user@...'s password:
Last login: Mon Jan 21 15:41:11 2019 from ...
-- Welcome to McAfee Web Gateway --

User interface can be accessed at


public: https:// ...:4712
local : https://10.0.0.:4712

Initial UI login is 'admin' with password: #888ec465-e92b-4ae4-a9a2-65125447403cMcAfee

-- To remove this message run: rm /home/azure-user/.ssh/banner --


[azure-user@mwgappl ~]$

You can now log on to the Web Gateway interface using this link:

https://<public IP address of the virtual machine>:4712

When prompted, submit the logon name and password that the SSH terminal returned.



7 Install Web Gateway on an Azure platform with Hyper-V

Contents
Set up a Windows 2016 Server on Azure
Configure the Hyper-V server role for the Windows 2016 Server
Configure Network Address Translation for Web Gateway
Install Web Gateway on a hosted virtual machine
Configure port forwarding for Web Gateway on a hosted virtual machine
Restore a server connection

Set up a Windows 2016 Server on Azure


To prepare Azure for accommodating Web Gateway, begin with setting up a Windows 2016 Server there. The
server runs as a virtual machine that hosts another virtual machine, which Web Gateway uses as its platform.
When setting up this server, follow the usual procedure and configure suitable settings for running Web
Gateway.

Task
1 Log on to the Azure Portal.

2 In the marketplace on this portal, set up a Windows 2016 Server as a virtual machine.
Use these options to set up the server:

• Virtual machine environment: Windows 2016 Server Datacenter

• Deployment model: Resource Manager

3 Configure settings for a virtual machine:


a Configure basic settings (the values shown here are examples):
• Virtual machine name: Windows2K16forMWG

• User name: mwguser

• Password

• Resource group: Windows2K16forMWG

• Virtual machine location: South India


b Select a configuration model that supports nested virtualization for a virtual machine. This can be Dv3,
Ev3, or a later model.

c Configure optional features as needed.


For example, select public inbound ports, preferably, SSH and RDP.

4 Set up the virtual machine with the configured settings.

5 After setting it up, identify the virtual machine on the list of resources within the portal and note down its
public IP address.

You have now set up a Windows 2016 Server as a virtual machine on Azure. Continue with configuring a
Hyper-V role for this server.

Configure the Hyper-V server role for the Windows 2016 Server
Configure the Hyper-V role for the Windows 2016 Server that you have set up. This server role is well suited for
hosting another virtual machine that Web Gateway uses as its platform.

Task
1 Log on to the Windows 2016 Server using RDP.

2 On the server interface, use the Server Manager to configure the Hyper-V server role.
a Select the installation type for role-based and feature-based installations.

b From the server pool, select the server where you are logged on.

c Select the Hyper-V role for this server.

d Configure settings for this server role:


• Required feature: Include management tools (if applicable)

• Virtual switch: Microsoft Hyper-V Network Adapter

• Confirmation mode: Restart the destination server automatically if required

3 Create the Hyper-V server role with the configured settings.

When the server role is created, the server restarts and you lose connection to the RDP public port.

4 When the restart is complete, log on to the server again using RDP with the credentials that you configured.

5 Wait until a message informs you that the configuration process has finished successfully.

You have now configured the Hyper-V server role for the Windows 2016 Server. Continue with configuring
Network Address Translation for Web Gateway, which allows it to connect to the Internet.

Configure Network Address Translation for Web Gateway


Configure Network Address Translation (NAT) for Web Gateway to enable it to connect to the Internet when
running on Azure.
Configuring Network Address Translation includes setting up a NAT gateway and network for use by Web
Gateway. An internal virtual switch is configured at the beginning to serve as the NAT gateway.


Task
1 On the Windows 2016 Server interface, open a PowerShell window in administrator mode.

2 Create an internal virtual switch.


a Run the following command to create the switch:
New-VMSwitch -SwitchName "NAT-Switch" -SwitchType Internal

b Run this command to find the interface index (ifIndex) of the switch and note it down.
Get-NetAdapter

As a result, the command displays a list of entries for the different interfaces that are currently in use,
among them the internal virtual switch that you created. Its name is: vEthernet (NAT-Switch).

Name InterfaceDescription ifIndex Status ...

vEthernet (NAT-Switch) Hyper-V Virtual Ethernet Adapter #2 17 up ...


...

In this example, the interface index is 17.

3 Create a NAT gateway and network.


When creating the gateway, specify the interface index of the internal virtual switch, so the switch will serve
as that gateway.

The network where the NAT gateway runs must not be the same as that of the Windows 2016 Server.

a Run the following command to create the NAT gateway:


New-NetIPAddress -IPAddress 192.168.200.1 -PrefixLength 24 -InterfaceIndex 17

The IP address configured for the NAT gateway shows it runs in the 192.168.200.0/24 network, which has
been chosen as an example in this procedure.

If the index of an external interface is erroneously specified in this command, you will lose connection to
the Windows 2016 Server. So, be careful when providing this value.

If you have lost connection to the server, you can restore it by attaching a new interface and restarting
the server.

b Run this command to create the NAT network.


New-NetNat -Name NATNetwork -InternalIPInterfaceAddressPrefix 192.168.200.0/24

The NAT gateway and network provide Internet connectivity for Web Gateway, which will run with an IP address
of the NAT network.
Continue with installing Web Gateway on a virtual machine that is hosted by the Windows 2016 server.

See also
Restore a server connection

Install Web Gateway on a hosted virtual machine


Use the Windows 2016 server in its Hyper-V role to set up a virtual machine for installing and running Web
Gateway.
The virtual machine is hosted by the server, which runs itself as a virtual machine on Azure.


Task
1 Download an ISO image of the Web Gateway appliance software from the Content & Cloud Security Portal
and store it in a location of your choice.

2 Set up a virtual machine on the Windows 2016 server using Hyper-V.


a On the Windows 2016 Server interface, open the Hyper-V Manager.

b Select the entry for the server that is displayed, then click New and Virtual Machine.

c Configure settings for the new virtual machine:


• Name and location

• Generation: Generation 1

• Memory: Minimum is 4096 MB. Configure more as needed.

Use of dynamic memory for a virtual machine is not supported by Web Gateway.

• Network: The NAT network that you created

• Virtual hard disk: Minimum is 40 GB.

d Select this installation method: Install an operating system from a bootable CD/DVD-ROM, and under this method,
select Image file (.iso).

e Browse to the location where you stored the ISO image of the Web Gateway appliance software, select it,
and click Next.

The appliance software is now available for installation on the virtual machine.

3 Install the appliance software on the virtual machine.


a Right-click the virtual machine entry and select Connect, then click Start.

When the start phase is over, an installation menu appears.

b Select the video console (with configuration wizard) installation method.

c Use the configuration wizard to configure initial settings:


• Auto-configure with DHCP: No

• IP address for eth0: An IP address of the NAT network that you created, for example, 192.168.200.220

• Netmask: Netmask of the NAT network, for example, 24

• Gateway address: IP address of the NAT gateway

• Primary DNS: IP address of the Azure domain name server, for example, 168.63.129.16

4 Set a root password, then select Default scheme with full Web Cache as the volume scheme.

This completes the installation.

You have now installed a virtual machine with Web Gateway on it, which is hosted by a Windows 2016 Server.
Continue with enabling access to Web Gateway on the hosted virtual machine.


Configure port forwarding for Web Gateway on a hosted virtual machine

Configure port forwarding rules to enable access to Web Gateway when it runs on a virtual machine that is
hosted by a Windows 2016 Server.
These rules redirect:

• Requests for accessing the Web Gateway interface under HTTP and HTTPS to ports 4711 and 4712

• Web traffic that is to be filtered on Web Gateway to the 9060 proxy port

Ports with these numbers are by default not allowed for inbound traffic on Azure. So, the rules must be added
to the settings on this portal.

Task
1 On the Azure portal, access the virtual machine that Web Gateway uses as its platform.

2 Configure port forwarding rules for inbound traffic, using these values for the rule parameters:
• Source: Any

• Source port ranges: *

• Destination: Any

• Destination port ranges: 4711, 4712, 9060

• Protocol: Any

• Action: Allow

• Priority: 330

• Name: MWG_Ports

3 On the Windows 2016 Server interface, open a PowerShell window.

4 Run the following commands to add the port forwarding rules to the portal settings.
The rules include the IP address of the virtual machine for Web Gateway.
a For port 4711:
netsh int portproxy add v4tov4 listenport=4711 connectport=4711 connectaddress=192.168.200.220

b For port 4712:
netsh int portproxy add v4tov4 listenport=4712 connectport=4712 connectaddress=192.168.200.220

c For port 9060:
netsh int portproxy add v4tov4 listenport=9060 connectport=9060 connectaddress=192.168.200.220

Web Gateway can now be accessed from outside Azure. The IP address of the Windows 2016 Server and one of
the interface ports or the proxy port must be submitted for this access:

<server IP address>:4711|4712|9060


Restore a server connection


If you have lost connection to the Windows 2016 Server that is running as a virtual machine for hosting Web
Gateway, you can restore the connection.
The connection is lost when you set up a virtual switch as a NAT gateway for connecting Web Gateway to the
Internet, but erroneously specify the index number of an external interface instead of an internal one.

To restore the connection, you must attach a new interface to the virtual machine and associate it with a public
IP address.

Task
1 Log on to the Azure Portal.

2 Under All resources, open the properties window for your virtual machine and click Stop to shut it down.

3 Attach a new network interface to the virtual machine.


a Under Network, select the network interface that is currently attached to the virtual machine and click
Detach network interface.

b Click Attach network interface and Create network interface, then enter a name for the new interface and click
Create.

A new network interface is created and you are redirected to Attach network interface.

c Select the newly created interface and click OK.

4 Associate a public IP address with the virtual machine.


a From the resources list under All resources, select the entry for the public IP address.
The entry is described as Public IP address in the Type column of this list.

b In the window that opens, click Dissociate to disconnect the public IP address from its current resource.
Click Yes to confirm.

c Click Associate, then click Network interface.

d Select the network interface that you attached to the virtual machine and click OK.

5 Under All resources, open the properties window for your virtual machine and click Start to restart it.

When the restart is complete, the public IP address is associated with the virtual machine. You can look up this
address in the properties window of the virtual machine.

The connection between the network interface and the Windows 2016 Server that runs as a virtual machine to
host Web Gateway is now restored. You can log on to the virtual machine using RDP.

See also
Configure Network Address Translation for Web Gateway on page 54



8 Install Web Gateway in L2 Transparent mode as a virtual cloud resource on AWS or Azure

Contents
Install Web Gateway in L2 Transparent mode as a virtual cloud resource on AWS
Install Web Gateway in L2 Transparent mode as a virtual cloud resource on Azure

Install Web Gateway in L2 Transparent mode as a virtual cloud resource on AWS
You can set up Web Gateway as a virtual cloud resource in an AWS environment and configure it to run in the L2
Transparent network mode.
You can set up the resource with one network interface for Web Gateway in a single-arm configuration or
include an additional network interface in a dual-arm configuration.

Complete the first steps of this task for either of the two configuration types. Then follow the instructions
provided for either type.

Task
1 On an AWS web console, create a virtual private cloud (VPC) for Web Gateway.
a Create a VPC with IP address 192.168.0.0/16 (CIDR notation).

b Set up an Internet gateway and associate it with the VPC if none is associated yet.

c Create these subnets in the VPC:


• MWGNetwork — 192.168.10.0/24

• ClientNetwork — 192.168.5.0/24

d Allow all protocols and ports inbound for source 192.168.0.0/16 in the network security group that
includes these subnets.

2 Create a virtual machine as a platform for running the Web Gateway appliance software.
a Create a virtual machine.

b Use the AMI search field to locate the appliance software on the McAfee Content & Cloud Security Portal,
also known as the Web Gateway extranet, then use the link to it to launch it on the virtual machine.

c Associate a network interface on Web Gateway with the MWGNetwork subnet.


3 Disable source and destination checking for the network interface on Web Gateway that you associated with
the MWGNetwork subnet.
a In the navigation pane, select Instance.

b Select the Web Gateway instance, then navigate to Actions | Networking | Change source/destination check.

c Select Stop if source and destination checking is enabled.

d Click Save.

4 Create another virtual machine for use as a Web Gateway client.


a Create a virtual machine.

b Associate a network interface on this virtual machine with the ClientNetwork subnet.

5 Create a routing table.


a In the navigation pane, select Route Tables.

b Optionally, type a table name under Name Tag.

c Under VPC, select the VPC for Web Gateway.

d Select Add tags, and under Key and Value, type key names and values for every table tag you want to add.

e Select Create.

f Navigate to Subnet Associations and associate this routing table with the ClientNetwork subnet.

If you want to set up a single-arm configuration, continue with step 7. Otherwise, continue with the next
step to add another network interface for a dual-arm configuration.

6 Add a network interface for a dual-arm configuration.


a Set up a network interface under the ClientNetwork subnet.

b Associate this network interface with the virtual machine for Web Gateway.

7 Navigate to Routes and add an entry as follows.


• Destination — 0.0.0.0/0

• Target — One of the following, depending on the configuration type:

• For a single-arm configuration: The network interface on Web Gateway that you associated with the
MWGNetwork subnet in step 2.

• For a dual-arm configuration: The network interface that you added in step 6.

8 On Web Gateway, configure the appliance to run as a proxy in L2 Transparent network mode.
a On the user interface, select Configuration | Appliances.

b On the appliances tree, select this appliance, then select Proxies.

c Under Transparent Setup, select L2 Transparent.

d In the Port Redirects table, enter port redirects for the web traffic coming in under different network
protocols, for example, HTTP or FTP, to be filtered on Web Gateway.


e Select File Editor, and on the appliances tree, select this appliance. Open the mwg system file for editing
and append the following lines:

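#Changes for L2 Transparent
# Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Add the MASQUERADE rule for eth0 only if it is not already present
masq_rule="POSTROUTING -o eth0 -j MASQUERADE"
iptables -t nat -S | grep "$masq_rule"
if [ $? != 0 ]
then
    iptables -t nat -A $masq_rule
fi
# Release and renew the DHCP lease on eth0
dhclient -r eth0
dhclient eth0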

These lines must also be appended for any additional inbound or outbound network interface,
for example, if there is also an outbound eth2 interface on Web Gateway.

f If you are setting up a dual-arm configuration, complete these additional substeps:


• Select Appliances and on the appliances tree, select this appliance.

• Select Network Interfaces and under Enable these network interfaces, select eth1.

g Click Save Changes.

9 Restart the appliance to let the changes take effect.

You have now set up a virtual Web Gateway appliance in L2 Transparent mode on AWS.

After associating the routing table with the ClientNetwork subnet, Internet connectivity to other systems in this
subnet is lost. To restore it, you can add another entry to this table with the SSH or RDP public IP address of the
subnet and an Internet gateway as target.

Depending on how Web Gateway is configured, more steps can be required to set up a virtual Web Gateway
appliance in this mode. For example, if ports for network protection are assigned, they must be accounted for
in a network security group.

Install Web Gateway in L2 Transparent mode as a virtual cloud resource on Azure
You can set up Web Gateway as a virtual cloud resource on an Azure platform and configure it to run in the L2
Transparent network mode.
You can set up the resource with one network interface for Web Gateway in a single-arm configuration or
include an additional network interface in a dual-arm configuration.

Complete the first steps of this task for either of the two configuration types. Then follow the instructions
provided for either type.

Task
1 On the Azure portal, create a virtual private cloud (VPC) for Web Gateway.
a Create a VPC with IP address 192.168.0.0/16 (CIDR notation).

b Create these subnets in the VPC:


• MWGNetwork — 192.168.10.0/24

• ClientNetwork — 192.168.5.0/24

c Allow all protocols and ports inbound for source 192.168.0.0/16 in the network security group that
includes these subnets.


2 Create a virtual machine as a platform for running the Web Gateway appliance software.
a Create a virtual machine.

b Locate the appliance software in .vhd file format on the McAfee Content & Cloud Security Portal, also
known as the Web Gateway extranet, then use this file to launch the appliance software on the virtual
machine.

c Associate a network interface on Web Gateway with the MWGNetwork subnet.

3 Disable IP forwarding for the network interface on Web Gateway that you associated with the MWGNetwork
subnet.
a In the search field for resources, search for network interfaces and select the one for Web Gateway when
it appears among the results.

b Under Settings, select IP Configurations, and make sure Disabled is selected.

c Click Save.

4 Create another virtual machine for use as a Web Gateway client.


a Create a virtual machine.

b Associate a network interface on this virtual machine with the ClientNetwork subnet.

5 Create a routing table for the ClientNetwork subnet.


a Search for virtual networks and select the VPC you created for Web Gateway when it appears among the
results.

b Under Subnets, select the ClientNetwork subnet you created in the VPC.

c Under Route Table, select the one you want to associate with this subnet.

d Select Create.

If you want to set up a single-arm configuration, continue with step 6. Otherwise, continue with the next
step to add another network interface for a dual-arm configuration.

6 Add a network interface for a dual-arm configuration.


a Set up a network interface under the ClientNetwork subnet.

b Enable IP forwarding for this network interface (see step 3, where you disabled it for a network interface).

c Associate this network interface with the virtual machine for Web Gateway.

7 Navigate to Routes and add an entry as follows.


• Address Prefix — 0.0.0.0/0

• Next-Hop Type — Virtual Appliance

• Next-Hop IP Address — One of the following, depending on the configuration type:

• For a single-arm configuration: The IP address of the network interface on Web Gateway that you
associated with the MWGNetwork subnet in step 2.

• For a dual-arm configuration: The IP address of the network interface that you added in step 6.

8 On Web Gateway, configure the appliance to run as a proxy in L2 Transparent network mode.
a On the user interface, select Configuration | Appliances.

b On the appliances tree, select this appliance, then select Proxies.


c Under Transparent Setup, select L2 Transparent.

d In the Port Redirects table, enter port redirects for the web traffic coming in under different network
protocols, for example, HTTP or FTP, to be filtered on Web Gateway.

e Select File Editor, and on the appliances tree, select this appliance. Open the mwg system file for editing
and append the following lines:

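#Changes for L2 Transparent
# Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Add the MASQUERADE rule for eth0 only if it is not already present
masq_rule="POSTROUTING -o eth0 -j MASQUERADE"
iptables -t nat -S | grep "$masq_rule"
if [ $? != 0 ]
then
    iptables -t nat -A $masq_rule
fi
# Release and renew the DHCP lease on eth0
dhclient -r eth0
dhclient eth0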

These lines must also be appended for any additional inbound or outbound network interface, for
example, if there is also an outbound eth2 interface on Web Gateway.

f If you are setting up a dual-arm configuration, complete these additional substeps:


• Select Appliances and on the appliances tree, select this appliance.

• Select Network Interfaces and under Enable these network interfaces, select eth1.

g Click Save Changes.

9 Restart the appliance to let the changes take effect.

You have now set up a virtual Web Gateway appliance in L2 Transparent mode on Azure.

After associating the routing table with the ClientNetwork subnet, Internet connectivity to other systems in this
subnet is lost. To restore it, you can add another entry to this table with the SSH or RDP public IP address of the
subnet and an Internet gateway as next-hop proxy type.

Depending on how Web Gateway is configured, more steps can be required to set up a virtual Web Gateway
appliance in this mode. For example, if ports for network protection are assigned, they must be accounted for
in a network security group.
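
The lines appended to the mwg system file in the AWS and Azure procedures cover eth0 only and have to be repeated for each further interface. The following is an added example, not McAfee's code: one function that performs the same steps for a list of interfaces and adds a MASQUERADE rule only where the nat table does not already list it. The names run, nat_listing, masq_missing, l2t_setup, DRY_RUN and NAT_LISTING are assumptions made for this illustration, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not vendor code): idempotent L2 Transparent NAT setup
# for several interfaces. All function and variable names are hypothetical.

# Commands go through run(); with DRY_RUN=1 they are printed, not executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Forwarding is a host-wide switch, so it is set once, not per interface.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Current nat rules. Setting NAT_LISTING supplies a listing for offline checks.
nat_listing() {
    if [ -n "${NAT_LISTING+set}" ]; then
        printf '%s\n' "$NAT_LISTING"
    else
        iptables -t nat -S
    fi
}

# Rule specification for an interface as `iptables -t nat -S` prints it.
masq_rule_spec() {
    printf '%s\n' "-A POSTROUTING -o $1 -j MASQUERADE"
}

# Reads a nat listing on stdin; exit status 0 means the rule is NOT present.
# Whole-line, fixed-string match: a rule with extra options counts as a
# different rule.
masq_missing() {
    ! grep -qxF -e "$(masq_rule_spec "$1")"
}

# l2t_setup IFACE...  e.g. l2t_setup eth0 eth2
l2t_setup() {
    run enable_forwarding
    for ifc in "$@"; do
        if nat_listing | masq_missing "$ifc"; then
            run iptables -t nat -A POSTROUTING -o "$ifc" -j MASQUERADE
        fi
        # Release and renew the DHCP lease, as in the guide's eth0 lines.
        run dhclient -r "$ifc"
        run dhclient "$ifc"
    done
}

# Constructed sample listing: eth0 already has its rule, eth2 does not.
SAMPLE_LISTING='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Dry run against the sample: prints the commands that would be executed.
( DRY_RUN=1; NAT_LISTING=$SAMPLE_LISTING; l2t_setup eth0 eth2 )
```

On the appliance, calling l2t_setup with the interface names and without DRY_RUN or NAT_LISTING set runs the commands against the live nat table, which requires root.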



9 Install Web Gateway on a blade server

Contents
Install the blade system enclosure
Install the interconnect modules
Turn on the blade system enclosure
Use the internal CD/DVD drive to install Web Gateway on a blade server
Use an external CD/DVD drive to install Web Gateway on a blade server
Use a USB drive to install Web Gateway on a blade server
Use virtual media to install Web Gateway on a blade server
Proxy HA on a blade server
Proxy with external load balancing on a blade server
Transparent mode on a blade server

Install the blade system enclosure


To install the blade system enclosure, unpack it, install components, and connect a monitor and keyboard.

Task
1 Review and observe the safety information that is provided.

2 Remove the protective packaging and place the blade system enclosure on a flat surface.

Considering its weight, unpack the enclosure as close as possible to the intended location.

3 Remove the front and rear components, as well as the rear cage from the enclosure.

4 Install the power supplies and cooling fans.

Install all power supplies and fans that were shipped with the enclosure to ensure redundancy in case one of
these components fails.

5 Install the Onboard Administrator and the Integrated Lights Out System.

6 Connect a monitor and keyboard to the enclosure.

7 Attach power cords to the monitor and the enclosure, but do not yet connect the power supplies.

For more information, refer to the Setup and Installation Guide, the Onboard Administrator User Guide, and the
Integrated Lights-Out User Guide that are provided for each enclosure model on the website of the McAfee
partner.


Install the interconnect modules


To install the interconnect modules, insert them in the interconnect bays on the blade system enclosure.
The Onboard Administrator lets you view diagrams of the enclosure. Using the mouse-over function, you can
locate the position of the interconnect bays on the rear side of the enclosure.

The M3 enclosure model has 4 interconnect bays; the M7 model has 8. The interconnect modules are either pass-through
modules or switches.

Task
1 Locate the positions of the interconnect bays.

2 Install the interconnect modules.


• M3 — insert four switches in interconnect bays 1 to 4.

• M7 — insert four switches in interconnect bays 1 to 4 and two pass-through modules in interconnect
bays 5 and 6.

Turn on the blade system enclosure


Supply power to the blade system enclosure and turn it on.

Task
1 Connect the power cords of the enclosure to the power supplies and the power outlets.

Use two power circuits to ensure all blade servers in the enclosure turn on. If you use only one
circuit and the power management settings are configured for AC redundant (which is also
recommended), some blade servers will fail to turn on.

2 Turn on the blade system enclosure.

You can now install the Web Gateway appliance software on a blade server in the enclosure.

Use the internal CD/DVD drive to install Web Gateway on a blade server
If your enclosure model is M3, you can use the internal CD/DVD drive to install the Web Gateway appliance
software on a blade server in the enclosure.

Task
1 Insert a CD or DVD with the Web Gateway appliance software on it in the internal CD/DVD drive of the
enclosure.

2 Open the Onboard Administrator of the enclosure and select a blade server to install Web Gateway on.

3 Click the Virtual Devices tab.

4 Use this tab to connect the internal CD/DVD drive to the blade server.

5 Click the Boot Options tab and set One Time Boot from to CD-ROM.


6 Turn on the blade server.

7 Follow the instructions for installing Web Gateway that appear on the monitor you connected to the
enclosure.

When the installation is completed, you can log on to the user interface of Web Gateway.

Use an external CD/DVD drive to install Web Gateway on a blade server


If your enclosure model is M7, you can use an external CD/DVD drive to install the Web Gateway appliance
software on a blade server in the enclosure.

Task
1 Insert a CD or DVD with the Web Gateway appliance software on it in the external CD/DVD drive.

2 Use the USB SUV cable that is shipped with the enclosure to connect the drive to the blade server you want
to install Web Gateway on.

3 Open the Onboard Administrator of the enclosure and select the blade server.

4 Click the Boot Options tab and set One Time Boot from to CD-ROM.

5 Turn on the blade server.

6 Follow the instructions for installing Web Gateway that appear on the monitor you connected to the
enclosure.

When the installation is completed, you can log on to the user interface of Web Gateway.

Use a USB drive to install Web Gateway on a blade server


You can use a USB drive to install the Web Gateway appliance software on a blade server in either of the two
enclosure models.

Task
1 Use the USB SUV cable that is shipped with the enclosure to connect the USB drive to the blade server you
want to install Web Gateway on.

2 Open the Onboard Administrator of the enclosure and select the blade server.

3 Click the Virtual Devices tab.

4 Click the Boot Options tab and set One Time Boot from to USB.

5 Turn on the blade server.

6 Follow the instructions for installing Web Gateway that appear on the monitor you connected to the
enclosure.

When the installation is completed, you can log on to the user interface of Web Gateway.


Use virtual media to install Web Gateway on a blade server


You can use virtual media to install the Web Gateway appliance software on a blade server in either of the two
enclosure models. The blade system enclosure provides an option for a virtual installation of McAfee Web
Gateway on a server in the enclosure using an ISO image that is stored on one of your local drives.

Task
1 Open the Onboard Administrator of the enclosure and select a blade server to install Web Gateway on.

2 Click iLO, then click Web Administration.

A new browser window opens providing access to the iLO (Integrated Lights-Out) web user interface.

3 Click the Virtual Media tab, then click Virtual Media.

The Virtual Media window opens.

4 Choose the Virtual Floppy/USB Key or Virtual CD/DVD-ROM section of the window for installing Web Gateway and
click Browse in the section.

5 Browse to the location where you stored the ISO image of the Web Gateway appliance software and click
Connect.

The ISO image becomes available for installation.

6 Follow the instructions for installing Web Gateway that appear on the monitor you connected to the
enclosure.

When the installation is completed, you can log on to the user interface of Web Gateway.

Proxy HA on a blade server


You can configure the proxy HA (High Availability) mode for Web Gateway on a blade server. This mode provides
the functions of a proxy that runs in explicit proxy mode combined with High Availability functions.

Network configuration
This High Availability configuration is also known as a High Availability cluster. In this cluster, multiple instances of
Web Gateway on blade servers run as nodes. There must be at least two director nodes, so a failover can be
performed in case one of them is down. A director node directs data packets to the nodes that scan the data in
a suitable manner to enable load balancing.

The director node that acts in this role at a given point in time is known as the active director. The second director
node, which takes over when the first is down, is also known as the backup node. If you want, you can configure
more than one backup node.

We recommend that you configure the proxy HA mode as a two-legged proxy solution. This means the following
is configured on a director node:

• Network interface for inbound web traffic

• Network interface for outbound web traffic

The network interface that handles inbound traffic must have a virtual IP address of its own. The network
interface for outbound web traffic should also be used to do the load balancing.


This is achieved by filling in a table with the IP addresses of the scanning nodes in the cluster when configuring
the director node. The following must be entered in this table for any particular node:

• For a backup node — IP address and Peer/Director as type

• For a node that runs as a scanning node only — IP address and Scanner as type

If the node that is first to run as an active director also runs as a scanning node, its IP address must also be
entered in the scanner table with Scanner as type.

We also recommend that you configure the following on each director node:

• Network interface for out-of-band management

Configuring this network interface allows you to perform management communication separately.

• Network interface for internal communication within the blade system enclosure

This network interface has its IP address configured under VRRP (Virtual Router Redundancy Protocol).

The virtual IP address that the active director node uses on its interface for communication with the Web
Gateway clients must be added to the settings of the HTTP and FTP proxies with ports that listen to requests
coming in from the clients.

Link resilience
If switches are installed as interconnect modules on an enclosure, link resilience can be achieved in the
following way:

• Two of the ports used as uplink ports on a switch are bundled in a trunk group.

• Each of these ports is connected by a network cable to a physical link.

This means that if one of the two links fails, the trunk group still remains active.

The interconnect modules and the trunk groups are mapped to the ports on the network interfaces, for
example, as shown in the following table. For the network interface that handles internal communication, no
port mapping to a trunk group is required.

Table 9-1 Mapping of network components in a proxy HA configuration

Port on network interface | Interconnect module | Trunk group
Inbound web traffic interface | Switch in interconnect bay 1 | Group 1: port 21, port 22
Outbound web traffic interface | Switch in interconnect bay 2 | Group 2: port 21, port 22
Out-of-band management interface | Switch in interconnect bay 3 | Group 3: port 21, port 22
Internal communication interface | Switch in interconnect bay 4 | no uplink ports required

For more information on how to configure the interconnect modules, refer to the GbE2c Ethernet Blade Switch for
c-Class BladeSystem Application Guide that is available on the website of the McAfee partner.


Proxy with external load balancing on a blade server


You can configure the explicit mode for Web Gateway on a blade server with load balancing performed by an
external device.

Network configuration
We recommend that you configure a two-legged proxy solution for this mode, with two separate network
interfaces on each blade server for inbound and outbound web traffic. Each of these interfaces is configured
with an IP address of its own.

Additionally, a network interface for out-of-band management should be configured, which also allows you to
perform management communication separately.

Load balancing
Load balancing is performed in this configuration not by one of the blade servers, but by an external load
balancer, which directs load to the blade servers. For this purpose, the blade servers are included in a load
balancing pool.

When configuring the load balancer, an algorithm can be configured that supports IP client stickiness. This
ensures that functions requiring IP client stickiness are available, for example, a progress page.

Link resilience
If switches are installed as interconnect modules on an enclosure, link resilience can be achieved in the
following way:

• Two of the ports used as uplink ports on a switch are bundled in a trunk group.

• Each of these ports is connected by a network cable to a physical link.

This means that if one of the two links fails, the trunk group still remains active.

The interconnect modules and the trunk groups are mapped to the ports on the network interfaces, for
example, as shown in the following table.

Table 9-2 Mapping of network components in an explicit proxy configuration with external load balancing

Port on network interface | Interconnect module | Trunk group
Inbound web traffic interface | Switch in interconnect bay 1 | Group 1: port 21, port 22
Outbound web traffic interface | Switch in interconnect bay 2 | Group 2: port 21, port 22
Out-of-band management interface | Switch in interconnect bay 3 | Group 3: port 21, port 22

For more information on how to configure the interconnect modules, refer to the GbE2c Ethernet Blade Switch for
c-Class BladeSystem Application Guide that is available on the website of the McAfee partner.

Transparent mode on a blade server


You can configure a transparent mode for Web Gateway on a blade server.
In this mode, Web Gateway runs as a transparent router that directs data packets between segments of your
network.


Transparent router
We recommend that you configure the transparent router mode as a two-legged proxy solution, with two
separate network interfaces for inbound and outbound web traffic.

Each of the network interfaces is configured with its own IP address under VRRP (Virtual Router Redundancy
Protocol). The outbound network interface should be used for load-balancing the traffic.

This is achieved by specifying its IP address as the physical component that is configured together with the
management IP address.

This is achieved by filling in a table with the IP addresses of the scanning nodes in the cluster when configuring
the director node. The following must be entered in this table for any particular node:

• For a backup node — IP address and Peer/Director as type

• For a node that runs as a scanning node only — IP address and Scanner as type

If the node that is first to run as an active director also runs as a scanning node, its IP address must also be
entered in the scanner table with Scanner as type.

If IP spoofing is configured, the blade servers on which Web Gateway only scans web traffic, without also
directing it, do not need a connection for inbound web traffic. Inbound and outbound traffic is handled by an
instance of Web Gateway that runs as a director node on a blade server.



10 Troubleshooting installation

Contents
Solve problems with connecting to download servers
Activate Web Gateway with a temporary license key
Reimage a Web Gateway appliance
Upgrading Web Gateway with the mwg-update tool
Working with Web Gateway using a browser without Java support

Solve problems with connecting to download servers


Downloading updated anti-malware and URL filtering information from external servers can fail due to
connection problems. There are several ways to solve these problems.
The downloads are started after you have activated a Web Gateway appliance, which is usually the last step of a
first-time installation procedure.

Task
1 In the Network solutions section of the installation wizard, do one of the following:
• If the download servers cannot be used for updating filtering information because you are running the
appliance in an environment without internet connection, click Perform offline update and follow the wizard
instructions.

• If you want to use a next-hop proxy to connect to the download servers, click Specify next-hop proxy for
download and continue with step 2.

• If you want to modify the domain name service configuration before connecting to the download
servers, click Specify DNS servers for download and continue with step 3.

2 Under Next Hop Proxy Definition, configure the following:


a In the Host field, type a host name or an IP address for the next-hop proxy in IPv4 or IPv6 format.

b In the Port field, type a port number for the port on the next-hop proxy that listens to requests from Web
Gateway.

c In the User field, type the user name Web Gateway submits when authenticating to the next-hop proxy.

d In the Password field, type the password Web Gateway submits when authenticating to the next-hop
proxy.

e Click Continue.

The wizard closes the Network solutions section and returns to its main page. If you also want to modify the
domain name service configuration, continue with step 3, otherwise continue with step 4.


3 Under Domain Name Server Configuration, configure the following:


a In the Domain name server fields, type IP addresses for up to three DNS servers.

b Click Continue.

The wizard closes the Network solutions section and returns to its main page.

4 Click Retry download of engines and patterns.

The download completes. If the download still does not complete successfully, close the wizard and
try other measures for solving the problem.

Activate Web Gateway with a temporary license key


If you have not yet received a file with a license key from McAfee, you can use a temporary key to activate a Web
Gateway appliance.
To generate this key, use the activation ID that can be found on a label on your appliance box, for example,
Activation ID: 0923839534

Task
1 Use a browser to go to the McAfee Content & Cloud Security Portal at https://contentsecurity.mcafee.com/.

2 Submit your user name and password.

3 On the home page of the portal, type activate after the URL mentioned in step 1 and press Enter.

The Activation page appears.

4 In the Activation ID field, type the activation ID from the label on your appliance box, then click Activate.

5 Follow the online instructions that are provided.

Reimage a Web Gateway appliance


To reimage a Web Gateway appliance, use the appliance software on the CD/DVD or USB drive that is shipped
with it.
Instead of using the shipped media, you can download the re-imaging software from the McAfee Content &
Cloud Security Portal and copy it to a USB drive.

The USB drive must be bootable to be used for re-imaging. You can create a bootable USB drive with a
suitable program, for example, Microsoft Win32diskimager.

Re-imaging an appliance overwrites all data that has previously been stored on it.

Task
1 Back up your appliance configuration on the user interface of Web Gateway, using the functions provided
under Troubleshooting | Backup/Restore.

2 Connect a monitor and keyboard to the appliance.

3 Insert the CD/DVD or the USB drive in the appliance.

4 Turn on the appliance.


5 When prompted, press F2 to enter the setup menu.

6 Select Boot manager and then the option for CD/DVD or the USB drive. Then press Enter.

On some appliance models, you can press F6 to enter the boot manager menu directly.

The installation menu appears on the monitor.

7 Select an installation mode, then press Enter.

Help text is displayed for a selected mode below the menu.

The downloaded software is installed on the appliance. When this installation is completed, the
configuration wizard appears.

You can now work with the configuration wizard to implement the initial configuration settings.

Upgrading Web Gateway with the mwg-update tool


You can upgrade to a new version of Web Gateway using an upgrade tool.
This tool is called the mwg-update tool. How it can be used depends on the product version and whether you
upgrade online or offline.

Online and offline upgrades


When upgrading online, the appliance software resides in an already existing repository that you enable to
access the software and use it for the upgrade.

For an offline update, the mwg-update tool creates a temporary repository on the local disk. The tool then uses
the packages that are provided in the ISO file and performs the upgrade based on the local repository. After the
upgrade, the tool removes the repository from the local disk.

Version restrictions
A new version of the MLOS operating system was introduced with version 7.8.2. Versions earlier than 7.8.2 use
MLOS 2, while later versions use MLOS 3. For this reason, there are the following restrictions when using the
tool:

• You cannot upgrade offline from a version earlier than 7.8.2 to a version later than this.

• When upgrading online, you can upgrade from a version earlier than 7.8.2 to a version later than this.

But you cannot upgrade directly. You must first upgrade to 7.8.2 and from there, in a second step, to the
later version.

Examples:

You can use the tool to upgrade directly, offline or online:

• From 7.8.0 to 7.8.1 (both versions are earlier than 7.8.2)

• From 8.1 to 8.2 (both versions are later than 7.8.2)

You can also upgrade online directly:

• From 7.8.1 to 7.8.2 (from any earlier version to 7.8.2 itself)


But, for example, from 7.8.1 to 8.2, you cannot upgrade offline. To upgrade online, you must:

• First upgrade from 7.8.1 to 7.8.2, then from 7.8.2 to 8.2
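
The version restrictions above can be checked before an upgrade is started. The following is an added example, not part of the original guide and not McAfee code. The function names are hypothetical, builds such as 7.8.2.11.0 are assumed to belong to the 7.8.2 family, and paths the guide does not state are reported as unspecified.

```shell
#!/bin/sh
# Added example: pre-flight check for mwg-update upgrade paths (not McAfee code).
BOUNDARY="7.8.2"   # release family where MLOS changed, per the guide

# ver_cmp A B [N]: print -1, 0 or 1; compare only the first N components if given.
ver_cmp() {
    awk -v a="$1" -v b="$2" -v n="${3:-0}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        if (n == 0) n = (na > nb ? na : nb)
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) { print -1; exit }
            if (x[i] + 0 > y[i] + 0) { print 1; exit }
        }
        print 0
    }'
}

# side V: where V sits relative to the 7.8.2 family (assumption: judged on
# the first three components, so 7.8.2.11.0 counts as "at").
side() {
    case $(ver_cmp "$1" "$BOUNDARY" 3) in
        -1) echo before ;;
        0)  echo at ;;
        *)  echo after ;;
    esac
}

# plan_upgrade FROM TO online|offline: print the plan; return 0 only if allowed.
plan_upgrade() {
    from=$1; to=$2; mode=$3
    for v in "$from" "$to"; do
        case $v in ''|.*|*.|*..*|*[!0-9.]*)
            echo "refuse: malformed version"; return 1 ;;
        esac
    done
    case $mode in online|offline) ;; *)
        echo "refuse: mode must be online or offline"; return 1 ;;
    esac
    if [ "$(ver_cmp "$from" "$to")" != "-1" ]; then
        echo "refuse: target is not newer than the installed version"; return 1
    fi
    case "$(side "$from")-$(side "$to")-$mode" in
        before-before-*|after-after-*|at-at-*) echo "direct" ;;
        before-at-online|at-after-online)      echo "direct" ;;
        before-after-online)  echo "two steps: first to $BOUNDARY, then to $to" ;;
        before-after-offline) echo "refuse: offline upgrade cannot cross $BOUNDARY"; return 1 ;;
        *) echo "unspecified: the guide does not state this path"; return 1 ;;
    esac
}
```

A check like this is most useful in front of a scripted run with the -y parameter, because -y answers the confirmation prompt with yes and leaves no opportunity to cancel.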

See also
Upgrade Web Gateway offline with the mwg-update tool
mwg-update command line tool

Upgrade Web Gateway offline with the mwg-update tool


Using the mwg-update tool, you can upgrade Web Gateway offline.

Task
1 Log on to the appliance where you want to perform the upgrade from a local system console or remotely
using SSH.
When upgrading with SSH, consider using a terminal multiplexer to ensure that the update does not fail due
to an unstable or broken SSH connection.

You can use the tmux multiplexer that Web Gateway has installed.

2 Run a command according to how you want to perform the upgrade.


• mwg-update -o <file name>

As file name, type the name of the ISO file with the appliance software, for example,
mwgappl-7.8.2.12.0-29703.x86_64.iso.

With these parameters, the command allows you to cancel the upgrade before it is performed.

Preparing files ...
Creating repository
Ready to update the current version
mwg-7.8.2.11.0-2ß361.mlos2.mwg.x86_64 using the file
mwgappl-7.8.2.12.0-29703-22595.x86_64.iso
Do you want to proceed? ([y]es/[n]o)

• mwg-update -y -o <file name>

Runs without user interaction, which is useful for scripting.

• mwg-update -d -y -o <file name>

Runs without user interaction, returning debugging information.

3 After the upgrade has been successfully completed, restart the appliance manually.

mwg-update command line tool


The mwg-update tool is provided for performing an upgrade to a new version of Web Gateway on the command
line of a system console.

The command name is:

mwg-update

The following table lists and explains the command parameters.


Table 10-1 Parameters of the mwg-update tool


Parameter        Definition

No parameter     The upgrade is performed using a repository, which must have been enabled.
                 A repository and path name might be, for example:
                 /etc/yum.repos.d/mwg.local.repo

-h               Displays help information about the command parameters.

-d               Returns debugging information.

-p <proxy>       The upgrade is performed using the specified proxy.

-y               Answers all questions asked during the upgrade process with yes.
                 This parameter is useful when running a script to perform the upgrade.

-o <file name>   The upgrade is performed offline using the specified ISO file.

See also
Upgrade Web Gateway offline with the mwg-update tool
mwg-update command line tool

Working with Web Gateway using a browser without Java support


You can work with the Web Gateway interface using a browser that requires no Java support.
Product behavior is mainly the same as when using other methods for working with Web Gateway, with a few
differences.

These differences are mostly related to file handling performed to move files between Web Gateway and your
local file system.

Uploading and downloading files to and from Web Gateway, exporting and importing lists or rule sets from and
to files, and some other activities require that you work with another dialog window to complete them.

Working with an additional window for file handling


Assume you want to download a file from Web Gateway to your local file system. Two windows are involved in
the process:

• The usual Web Gateway window for file downloads

• A second window for file handling activities

You browse for and select a file in the first window and execute the download by clicking the appropriate button
in the second.

A third window is involved when you upload a file from your local system to Web Gateway.

Options of the additional window


The additional window for file handling provides the following options.


Table 10-2 Additional file handling window


Option              Definition

Download selected   Downloads a file from Web Gateway to your local system.
                    Before performing the download, you select the file in the usual window of the
                    Web Gateway interface.

Upload files        Uploads a file from your local system to Web Gateway.
                    You select the file and perform the upload in a third window, which opens after
                    selecting this option.

Delete selected     Deletes a file within Web Gateway.
                    Before deleting this file, you select it in the usual window of the Web Gateway
                    interface.
                    If the file also exists on your local system, it is not deleted.

Activities to be completed in the additional window


The file handling activities that are completed in the additional window are listed here.

They are grouped according to the tabs and pages of the Web Gateway interface that you begin with to perform
an activity.

Table 10-3 Activities to be completed in the additional window


Top-level menu    Tab or page            File handling activities

Policy            Rule Sets              • Import a rule set from a file
                                         • Export a rule set to a file

Policy            Lists                  • Import a list from a file
                                         • Export a list to a file
                                         • Append list content from a file

Troubleshooting   Rule tracing central   • Import a rule trace from a file
                                         • Export a rule trace to a file

Troubleshooting   Files                  • Upload a file
                                         • Download a file
                                         • Delete a file within Web Gateway

Troubleshooting   Log files              • Download a file
                  Rule tracing files     • Delete a file within Web Gateway
                  Feedback
                  Core files
                  Connection tracing
                  Packet tracing

Troubleshooting   System tools           • Export tool output to a file
                  Network tools

Troubleshooting   Backup/Restore         • Create a configuration backup
                                         • Import and restore a configuration


Number of users working on Web Gateway


When using a browser without Java support, we recommend limiting the number of simultaneous users
(administrators) on a Web Gateway appliance to 6. This is also the default limit.

If you are running multiple appliances as nodes in a Central Management cluster, you can distribute users among
the appliances without exceeding the limit for each appliance.
