TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Preface
About this guide
Audience
Conventions
Find product documentation
1 Product overview
What is the Web Protection hybrid solution?
How Client Proxy works
Client Proxy metadata
Deployment options
Integration with Endpoint Security
Index
This guide provides the information you need to work with your McAfee product.
Contents
About this guide
Find product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
McAfee® Client Proxy is endpoint client software for Microsoft Windows and Mac OS X that is an
essential component of the McAfee® Web Protection hybrid deployment solution. The Client Proxy
technology allows you to apply your organization's web security policy to an endpoint computer,
whether it is located inside or outside your network.
Contents
What is the Web Protection hybrid solution?
How Client Proxy works
Deployment options
Integration with Endpoint Security
Client Proxy is installed on the computers of end users in your organization. Using the
location-awareness settings that you configure, Client Proxy determines whether the computers are
located inside or outside your network or are connected to your network by VPN.
In a hybrid deployment, Client Proxy lets web requests sent by users working inside the network or
connected to the network by VPN pass. These requests are automatically redirected for filtering to a
Web Gateway appliance installed on the network. Web requests sent by users working outside the
network, on the other hand, are redirected to McAfee WGCS for filtering.
For more information about the hybrid solution, see the McAfee Web Protection Hybrid Deployment
Guide.
When an end user is working inside your organization's network, Client Proxy software:
1 Recognizes that the end user is working inside your organization's network
2 Remains passive, allowing web traffic and network communications to pass to Web Gateway for
filtering
When an end user is working outside your organization's network, Client Proxy software:
1 Recognizes that the end user is working outside your organization's network
2 Redirects all web traffic and network communications to the McAfee WGCS service
• User ID
The authentication version is the version of the metadata that Client Proxy shares with the proxy server.
Deployment options
Client Proxy consists of server and client software that is deployed using the McAfee ePO or McAfee
ePO Cloud management platform. Deployment details depend on which management platform is used.
Server software
The server software is installed on the McAfee ePO server and adds the Client Proxy server
functionality to the McAfee ePO platform. Because the server software extends the McAfee ePO
functionality, it is called the extension software or extension.
When Client Proxy is deployed using McAfee ePO Cloud, the server software comes installed on the
platform and does not need to be installed by an administrator.
Client software
The client software is checked in to the McAfee ePO Master Repository as a package and then deployed
to the client computers in your organization. Client software and computers are also called endpoint
software and computers, respectively. Endpoint computers are sometimes called the endpoint.
When Client Proxy is deployed using McAfee ePO Cloud, the client package is already checked in to the
Master Repository and only needs to be deployed to the endpoint.
For more information about deploying Client Proxy using McAfee ePO Cloud, see the McAfee Client Proxy
Product Guide for McAfee ePolicy Orchestrator Cloud.
When integrated, Client Proxy joins the Endpoint Security family, including:
• McAfee Endpoint Security Threat Prevention
Whether standalone or integrated, Client Proxy is managed using McAfee ePO and the management
tasks are the same. When Client Proxy is integrated with Endpoint Security:
1 The client software package is deployed to the endpoint and installed as a module on the Endpoint
Solution Platform.
2 The administrator can configure Web Control so that it is disabled while Client Proxy is installed and
running.
On a Windows-based computer, you can view the integration status of Client Proxy by opening the
About McAfee Client Proxy window. If EspMode is set to ON, Client Proxy is installed and running on the
Endpoint Security Platform.
Using McAfee® ePolicy Orchestrator® (McAfee® ePO™), deploy the Client Proxy server and client
software. The server software is installed on the McAfee ePO server and the client software package is
deployed to the computers of end users in your organization.
Contents
Client computer requirements
Deploying Client Proxy software
View end-user installation data
Hardware requirements
Verify that the client computers meet these hardware requirements:
• RAM — 1 GB minimum (2 GB recommended)
Operating systems
Verify that the client computers are running a supported operating system:
• Windows Server 2008 R2
• Windows 7
• Windows 10
• Windows 10 RS2
• OS X 10.10 (Yosemite)
• OS X 10.12 (Sierra)
Contents
Download and install the product files
Install the extension software
Check in the client software package
Deploy Client Proxy software to clients running Windows
Deploying Client Proxy software to clients running Mac OS X
Task
1 Download the product files.
a Log on to the operating system as an administrator.
e Select and save the .zip files for your operating system.
• Client Proxy server software for McAfee ePO: MCPSRVER1000_2.3.1.x_package.zip
• Client Proxy client software for Windows: mcp-win 2.3.1 Build x Package #y.zip
x specifies the number of the build and y specifies the number of the package.
2 Install the server software, and check the client package into McAfee ePO.
Task
1 From the management console menu, select Software | Extensions.
3 Click Browse to locate the Client Proxy extension file: MCPSRVER1000_2.3.1.x_package.zip, where x
specifies the number of the build.
5 Click OK.
The package installs the Client Proxy manager, McAfee® Common Catalog, McAfee® Help Desk
software, and the related Help files.
Task
1 From the management console menu, select Software | Master Repository.
3 For the Package type, select Product or Update (.ZIP), then click Browse.
4 Select the Client Proxy Mac OS X or Windows client file that you downloaded earlier:
• Mac OS X — McpDistribution.zip
Task
1 From the management console menu, select Systems | System Tree.
2 Select the organizational level to which you want the install action applied.
4 From the Actions drop-down list, select New Client Task Assignment.
5 In the Client Task Assignment Builder, configure the following options in the order shown, then click Create
New Task:
• Product — Select McAfee Agent.
6 In the New Task window, configure the following options, then click Save:
• Task Name — Specify a name for the task.
• Products and components — From the drop-down list, select the version of McAfee Client Proxy that
you want to install on the endpoint computers, then from the Action drop-down list, select Install.
7 Click Next.
8 From the Schedule type drop-down list, select Run immediately, then click Next.
The task is scheduled for the next time that the McAfee Agent checks for updates. To force the
installation to run immediately, issue an agent wake-up call.
After installation, Client Proxy runs immediately without restarting the endpoint computer.
• The latest Mac OS X build of the Client Proxy package must be checked in to the McAfee ePO
Master Repository.
• A compatible version of McAfee Agent must be checked in to the Master Repository and installed on
the endpoint computers running Mac OS X.
Task
1 From the management console menu, select Reporting | Queries & Reports.
2 From the Groups list, expand Shared Groups, then select McAfee Client Proxy.
3 Create a query.
Option: Select a query type.
  1 Click the Query tab, then select Actions | New.
    The Query Builder opens with the Result Types view active.
  2 From the Feature Group list, select Policy Management.
Option: Select a query layout.
  1 From the Display Results As list, select a graph or table for the query layout.
    Select a layout for your query that best displays your data.
  2 Select the display options you want from the available lists.
Option: Select query columns.
  1 From the Available Columns list, select which columns to apply to your query.
  2 In Selected Columns, select, drag, and position each column.
Option: Configure properties.
  From the Available Properties list, select which properties to use for filtering your
  query, and the appropriate values for each.
Option: Run the query.
  Click Run.
Option: Save the query.
  1 To view the Save Query page, click Save.
  2 Type a name for the query, add any notes, and select a group.
  3 Click Save.
4 Create a report.
Option: Select a query.
  1 Click the Report tab, then select Actions | New.
    The Report Builder opens with the Report Layout view active.
  2 From the Toolbox menu, select Query Chart, and drag it to the Report Layout area.
    The Configure Query Chart dialog box appears.
  3 From the Query drop-down list, select MCP: Endpoint Install Success/Failed events in last
    month.
  4 Configure the remaining query options, then click OK.
Option: Customize the report.
  1 In the Name, Description and Group tab, type a name, description, and which group
    to use.
  2 Use the Header and Footer and Page Setup tabs to specify how you want the query to
    appear in the report.
  3 Use the Runtime Parameters tab to select report-level filters.
In the McAfee ePO management console, you configure and manage Client Proxy policies.
Contents
Users and permission sets
Configuring the policy areas
Assign the policy to the endpoint computers
Export the policy to an .xml or .opg file
Policy Catalog
Tasks
• How Client Proxy manages the proxy server list
When configuring proxy servers for a Client Proxy policy, consider how Client Proxy
manages the proxy server list.
• Configure the proxy server list
To redirect network traffic to a proxy server, configure the proxy server list.
• Client configuration
Client Proxy uses the Client Configuration settings to identify the customer and determine
whether endpoint computers are located inside or outside the network.
• Configure the client settings
Configure the settings that Client Proxy uses to identify the customer and determine
whether end-user computers are located inside or outside the network.
• Configure the bypass list
Configure the McAfee Common Catalog instance that Client Proxy uses to determine which
For example, the list is updated when the end user starts the computer, the VPN connection breaks, a
proxy server fails to respond, or the Client Proxy policy changes. At these times, the software tests the
connections to all proxy servers and reorders the list based on response times.
If redirection to the proxy server at the top of the list fails, the software tries redirecting to the second
proxy server in the list. At the same time, the software tests the proxy server connections again and
updates the proxy server list.
When configuring how the Client Proxy software selects the next proxy server from the list, you have
these options:
• connect to the first accessible Proxy Server based on their order in the list below — The software selects the next
proxy server from the list that you configure.
• connect to the Proxy Server that has the fastest response time — The software selects the next proxy server from
the list that it maintains, which is based on response time.
To save the policy, you must configure at least one proxy server, and the configuration must include an
IP address or host name and a port number.
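The two selection modes and the save rule described above, as an added sketch that is not McAfee code and not part of the guide; run from an endpoint with the default probe, it also works as a reachability check for a configured list. Using TCP connect time as the "response time", the mode constants, and every function name, host name and port are assumptions.

```python
import socket
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

FIRST_ACCESSIBLE = "first_accessible"  # follow the configured order
FASTEST_RESPONSE = "fastest_response"  # follow measured response time


@dataclass(frozen=True)
class ProxyServer:
    host: str  # IP address or host name
    port: int


def validate_proxy_list(servers: List[ProxyServer]) -> None:
    """Apply the save rule from the guide: one or more servers, each with host and port."""
    if not servers:
        raise ValueError("configure at least one proxy server")
    for s in servers:
        if not s.host.strip():
            raise ValueError("proxy entry is missing an IP address or host name")
        if not 1 <= s.port <= 65535:
            raise ValueError(f"{s.host}: {s.port} is not a valid port number")


def tcp_probe(server: ProxyServer, timeout: float = 2.0) -> Optional[float]:
    """Return the TCP connect time in seconds, or None if the server is unreachable.

    Assumption: connect time stands in for "response time"; the guide does not
    say how the product measures it.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((server.host, server.port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def order_candidates(servers: List[ProxyServer], mode: str,
                     probe: Callable[[ProxyServer], Optional[float]] = tcp_probe
                     ) -> List[ProxyServer]:
    """Test every server, drop unreachable ones, and return the order to try them in."""
    validate_proxy_list(servers)
    if mode not in (FIRST_ACCESSIBLE, FASTEST_RESPONSE):
        raise ValueError(f"unknown selection mode: {mode}")
    timed = [(s, probe(s)) for s in servers]
    reachable = [(s, t) for s, t in timed if t is not None]
    if mode == FASTEST_RESPONSE:
        reachable.sort(key=lambda pair: pair[1])  # stable: ties keep configured order
    return [s for s, _ in reachable]


def redirect(servers, mode, connect, probe=tcp_probe) -> Optional[ProxyServer]:
    """Try the top entry; if redirection fails, fall through to the next one."""
    for candidate in order_candidates(servers, mode, probe):
        if connect(candidate):
            return candidate
    return None  # nothing reachable; what the product does then is not covered here


# Constructed sample data: host names, ports and timings are made up.
SAMPLE_SERVERS = [
    ProxyServer("gw1.example.internal", 9090),
    ProxyServer("gw2.example.internal", 9090),
    ProxyServer("cloud-proxy.example.net", 8080),
]
SAMPLE_TIMINGS = {"gw1.example.internal": 0.120,
                  "gw2.example.internal": None,  # does not answer
                  "cloud-proxy.example.net": 0.035}


def sample_probe(server: ProxyServer) -> Optional[float]:
    return SAMPLE_TIMINGS[server.host]


if __name__ == "__main__":
    for mode in (FIRST_ACCESSIBLE, FASTEST_RESPONSE):
        order = order_candidates(SAMPLE_SERVERS, mode, sample_probe)
        print(mode, [f"{s.host}:{s.port}" for s in order])
```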
Task
1 From the management console menu, select Policy | Policy Catalog.
2 From the Product drop-down list, select the current version of McAfee Client Proxy.
5 In the Proxy Server List, select how Client Proxy connects to the proxy servers from these options:
• connect to the first accessible Proxy Server based on their order in the list below
• connect to the Proxy Server which has the fastest response time
b In the Proxy Port field, enter the port number of the proxy server.
c To redirect HTTP/HTTPS requests to the proxy server, select the HTTP/HTTPS checkbox.
Client Proxy redirects all requests going to ports 80 and 443.
d To redirect requests going to ports using protocols other than HTTP/HTTPS, specify the port
numbers in this field: Non-HTTP/HTTPS Redirected Ports.
Use this setting to redirect traffic that uses a transfer protocol other than HTTP/HTTPS. Verify
that the proxy server supports the protocol.
e Click Add.
Using the icons in the Actions column, you can edit, delete, or change the order of the proxy servers
in the list.
7 To redirect requests going to ports other than 80 or 443 using the HTTP/HTTPS protocol, specify
the port numbers in this field: Specify additional ports that you would like to redirect as HTTP/HTTPS traffic.
Use this setting to redirect traffic that is going to an application, for example, instead of a web
browser.
8 To redirect all requests, including requests going to local addresses inside your organization's
network, deselect the Bypass proxy server for local addresses checkbox.
By default, Client Proxy does not redirect requests going to local addresses. To redirect all requests
to the proxy server, you can override the default setting.
Client configuration
Client Proxy uses the Client Configuration settings to identify the customer and determine whether
endpoint computers are located inside or outside the network.
• Customer Identifier — Client Proxy uses the customer ID and shared password to identify the customer
and apply the customer's policy.
• Traffic Redirection Settings — Client Proxy uses this setting to determine when to redirect network traffic
to the configured proxy servers.
• Corporate Network Detection — Client Proxy uses this setting to determine whether the endpoint
computer is located inside or outside the network.
• Corporate VPN Detection — Client Proxy uses this setting to determine whether the endpoint computer is
connected to the network through the VPN.
• Active Directory Groups Filter — Client Proxy uses the regular expressions that you configure to filter the
list of Active Directory groups sent to the proxy server.
• Log File Settings (OS X Only) — Depending on this setting, Client Proxy logs error messages to a log file
on each endpoint computer.
• Access Protection (Windows Only) — Depending on this setting, Client Proxy is protected from
unauthorized removal or tampering by end users.
Task
1 From the management console menu, select Policy | Policy Catalog.
2 From the Product drop-down list, select the current version of McAfee Client Proxy.
5 In the Customer Identifier section, click Browse, select the ID file, then click Open.
This file is provided by the Web Gateway or McAfee WGCS administrator.
The Unique Customer ID and Shared Password fields are automatically populated.
The bypass list can include domain names, network addresses, network ports, and the names of
processes that endpoint computers are allowed to access directly. Updating the bypass list in McAfee
ePO also updates the Common Catalog instance associated with the policy.
Process names can be in Microsoft Windows format (test.exe) or Mac OS X format (test).
Task
1 From the management console menu, select Policy | Policy Catalog.
2 From the Product drop-down list, select the current version of McAfee Client Proxy.
5 In the Bypass List window: From the Actions menu, select Add bypass list item, then select an item type.
• Click New Item, enter the new information, then click Save.
7 Click OK.
Task
1 From the management console menu, select Policy | Policy Catalog.
2 From the Product drop-down list, select the current version of McAfee Client Proxy.
5 Select an option:
• Allow traffic to go directly to destination — No processes are blocked.
• Block traffic for all processes (except bypass listed processes) — All processes are blocked except for
processes whose names are on the bypass list. These processes are allowed to access the
network directly.
• Block traffic only for the following processes — To configure the list of processes that you want blocked,
enter the process names, clicking Add after each entry.
Windows process names must end with the .exe extension. Mac process names can be specified
without the extension.
6 Click Save.
Task
1 From the management console menu, select Systems | System Tree.
4 From the Product drop-down list, select the current version of McAfee Client Proxy.
6 Next to Inherit from, select Break inheritance and assign the policy and settings below.
9 Click Save.
Task
1 From the management console menu, select Policy | Policy Catalog.
2 From the Product drop-down list, select the current version of McAfee Client Proxy.
5 Click a link:
• McAfee Client Proxy Policy Server File — Exports the policy to a .xml file that you can use for
troubleshooting.
• McAfee Client Proxy Policy Client File — Exports the policy to a .opg file that can be imported by client
computers in your organization.
7 Click OK.
Policy Catalog
On the McAfee Client Proxy page of the Policy Catalog, you can create, import, export, rename, duplicate,
delete, view, and edit policies.
The Client Proxy policy named McAfee Default is read only. It can be duplicated and saved with a new
name, but it cannot be renamed, deleted, exported, or edited.
Name: Clicking this link opens the policy settings, which you can edit and save.
Owner: Clicking this link opens a list of users and groups, where you can select the policy owners
and save any changes.
Assignments: Clicking this link opens the list of nodes to which the policy is assigned.
Actions:
• Rename — When clicked, opens the Rename Policy dialog box, where you specify a new
name for the policy.
• Duplicate — When clicked, opens the Duplicate Existing Policy dialog box, where you specify a
name for the new policy that is based on an existing policy.
• Delete — When clicked, opens the Delete Policy dialog box, where you confirm that you
want to delete the policy.
• Export — When clicked, opens the same page as the Export button.
You can upgrade or remove the Client Proxy software, install a hotfix release, and support end users.
Contents
Upgrade the Client Proxy software
Install a hotfix release
Uninstall the Client Proxy software
Working with end users
Task
1 Download the latest versions of the Client Proxy software.
a Go to the McAfee Content & Cloud Security Portal.
c Click Browse to locate the Client Proxy .zip file, click Open, then click OK.
d Click OK.
e Verify that the extension is installed, and select Menu | Software | Extensions.
c Choose the Client Proxy .zip file you downloaded earlier, then click Open.
b From the System Tree list, select the subgroup level to deploy Client Proxy endpoint software.
h Click Save.
i Click Next.
j From the Schedule type drop-down list, select Run immediately, then click Next.
The Client Proxy software runs immediately on the endpoint computers without restarting.
Task
1 Go to the McAfee Content & Cloud Security Portal.
4 Select and save the hotfix installation file for your operating system.
Task
1 From the management console menu, select Software | Extensions.
3 Click Remove.
Task
1 From the management console menu, select Systems | System Tree.
2 Select the organizational level to which you want the remove action applied.
4 From the Actions drop-down list, select New Client Task Assignment.
5 In the Client Task Assignment Builder, configure the following options in the order shown, then click Create
New Task:
• Product — Select McAfee Agent.
6 In the New Task window, configure the following options, then click Save:
• Task Name — Specify a name for the task.
• Products and components — From the drop-down list, select the version of McAfee Client Proxy that
you want to remove from the endpoint computers, then from the Action drop-down list, select
Remove.
Task
1 On a Windows-based computer, click Start | All Programs | McAfee, then click About McAfee Client Proxy.
2 In the McAfee Client Proxy window, you can view the following information:
• Version Number — Specifies the version and build number of the Client Proxy software installed on
the endpoint computer.
• Active Proxy — Specifies the address of the proxy server to which Client Proxy is redirecting traffic.
• Connection Status — Specifies whether the endpoint computer is connected to the network.
• EspMode — Specifies whether Client Proxy is installed and running on the Endpoint Solution
Platform.
• Policy Name — Specifies the name of the policy that Client Proxy is applying.
• Policy Revision — Specifies the revision number of the policy that Client Proxy is applying.
• Policy Timestamp — Specifies the time when the Client Proxy policy was deployed to the endpoint
computer.
Task
1 On an OS X computer, click the McAfee menulet and select About McAfee Endpoint Protection for Mac.
• Policy revision
2 Verify that you are connected to the proxy server: From the menulet, select the dashboard.
The end user sends a request to an administrator, including the policy revision number and
identification code displayed in the Enter Release Code dialog box. Using this information and the McAfee®
Help Desk software, the administrator creates a release code and then sends it to the end user.
The release code is valid for a limited time, and the time allowed for policy suspension is limited as
well. Thus, the end user must enter the release code in the dialog box and complete the task that
requires policy suspension before the allowed time period expires.
If McAfee ePO is not available and the endpoint computer is running Windows, the administrator can
uninstall the software using the Windows Add or Remove Programs tool. In this case, the
administrator uses the challenge-response mechanism to generate the release key.
Task
1 To request a bypass release code on an endpoint computer, do one of the following:
• On Mac OS X computers: From the McAfee menulet on the status bar, select McAfee Endpoint
Protection for Mac Preferences, then select Client Proxy.
• On computers running Windows: Click Start | All Programs | McAfee, then click Bypass McAfee Client
Proxy.
The McAfee Client Proxy Enter Release Code dialog box opens.
While you are waiting for the administrator to send the release code, leave this dialog box open. If
you close it, you must start the procedure over.
2 Copy the number in the Policy Revision field and the code in the Identification field, send these values to
your administrator, and include your user name and email address.
3 When your administrator sends the release code, enter the code in the Release field, then do one of
the following:
• On Mac OS X computers: Click Release.
Policy enforcement is suspended for the time period specified by the administrator when creating the
code.