McAfee Enterprise MVISION Cloud

Set up a secure next-hop proxy to secure traffic on a Hybrid connection

You can set up a secure next-hop proxy on Secure Web Gateway to protect the traffic it forwards to Skyhigh Security Service Edge over a Hybrid connection.

When a secure next-hop proxy is in place, the connection from Secure Web Gateway to Skyhigh Security Service Edge runs over TLS. During the initial handshake, the server side presents a certificate to Secure Web Gateway, which verifies it before any traffic is forwarded.

Secure Web Gateway then authenticates as a client to Skyhigh Security Service Edge, using the authentication method that Client Proxy enables. Any authentication information that has already been collected on Secure Web Gateway, for example, LDAP or NTLM user and user group information, is converted into Client Proxy information and submitted.

  1. On the Secure Web Gateway user interface, select Policy | Rule Sets.
  2. Import a rule set that contains a rule into which an event for enabling a next-hop proxy can be inserted.
    1. Under Rule Sets, click Add, then select Top-Level Rule Set.
    2. In the window that opens, click Import Rule Set from Rule Set Library.
    3. In the library window, expand Next-Hop Proxy on the library rule set tree and select the Next-Hop Proxy rule set.
    4. Click OK.
      The imported rule set is added at the bottom of the rule set tree in the navigation pane.
  3. Create an event that enables a next-hop proxy.
    1. Select the imported Next-Hop Proxy rule set and click Unlock View on the right. When prompted, confirm with Yes.
      The rule set contains a single rule, which now appears.
    2. Select the rule and click Show Details.
      The rule elements, including an event, show up.
    3. Click Edit immediately above the rule, then select Events in the window that opens.
    4. Click Add and select Event from the drop-down list.
    5. In the Event field of the window that opens, scroll down the list to Enable Next-Hop Proxy and select this event.
  4. Configure settings for the event so that the next-hop proxy it enables is a secure next-hop proxy.
    1. With the event selected, click Add under Settings.
    2. In the window that opens, make sure you are on the Add Settings tab and type a name for the settings in the Name field, for example, Hybrid.
    3. Under Next-Hop Proxy Server, select a list of next-hop proxies from the lists provided here, for example, the Internal proxies list.
    4. Click Edit, and in the window that opens, click the Add icon.
      A window for creating a next-hop proxy opens.
    5. Create a next-hop proxy with the following settings:
      • Host — Host name of the device that presents the server-side certificate under the TLS protocol
        This is the host name of Skyhigh Security Service Edge, for example, c1234.wgcs.mcafee-cloud.com. Be sure to type this host name here, not an IP address. During verification, the configured name is compared with the names in the server certificate; an IP address does not match them, so verification fails and the secure connection is not established.
      • Port — 8081
        This port is where the TLS connection terminates under this Hybrid solution.
        The next relevant option is further down the page, under UCE Specific Parameters.
      • Use secure connection to next-hop proxy — Select this option
    6. Click OK in this window and in each of the other open windows except the last one, where you click Finish.
      You have now created a secure next-hop proxy for a Hybrid solution and an event that enables it in a rule.
  5. Modify the Certificate Verification rule set so that its rules are also evaluated for the server-side certificate presented on the secure next-hop proxy connection. By default the rule set applies only when Command.Name equals CERTVERIFY, which covers HTTPS scanning but not the secure channel to the next-hop proxy.
    1. On the rule set tree, select HTTPS Scanning, then select Enable on the right and click Unlock View. When prompted, confirm with Yes.
    2. Select the nested Certificate Verification rule set and click Edit on the right.
    3. In the window that opens, add a second criterion as follows:
      • Scroll down the list of properties on the left and select Command.Name.
      • Select equals from the list in the middle.
      • Type this in the field on the right: CERTVERIFY_SECURECHANNEL
      • Click OK here and in the other window that is open.
        The nested Certificate Verification rule set is still displayed. The rule set criteria in the top right corner reads like this now:
        Command.Name equals "CERTVERIFY" OR
        Command.Name equals "CERTVERIFY_SECURECHANNEL"
  6. Click Save Changes.

You have now set up a secure next-hop proxy for the traffic that goes from Secure Web Gateway to Skyhigh Security Service Edge.
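The Host caveat in step 4 is easy to check before the rule set goes live. The following added example, which is not code from the Secure Web Gateway documentation or product, shows why the Host field must carry the name on the certificate: it stands up a local TLS server with a constructed self-signed certificate for the made-up name nexthop.example.internal (assumed in place of the real c1234.wgcs.mcafee-cloud.com host) and performs the verifying handshake twice, once with that name and once with 127.0.0.1. The name verifies; the IP address fails because the certificate carries no IP entry. It assumes the openssl command line tool is installed.

```python
"""Verify a TLS next-hop proxy's certificate against the configured host
name, the check Secure Web Gateway performs on the Hybrid connection.

Added example; not part of the Secure Web Gateway documentation or the
product. The proxy name nexthop.example.internal stands in for the real
Skyhigh Security Service Edge host name, and the listening port and the
self-signed certificate are constructed locally (openssl CLI assumed to
be installed) so the check runs offline.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed stand-in for a name such as c1234.wgcs.mcafee-cloud.com.
PROXY_NAME = "nexthop.example.internal"


def make_cert(directory):
    """Create a self-signed certificate whose only SAN is PROXY_NAME.

    Stands in for the server certificate the next-hop proxy presents.
    Returns (key_path, cert_path).
    """
    key = os.path.join(directory, "key.pem")
    crt = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", "/CN=" + PROXY_NAME,
         "-addext", "subjectAltName=DNS:" + PROXY_NAME],
        check=True, capture_output=True,
    )
    return key, crt


def start_tls_server(key, crt, handshakes=2):
    """Serve `handshakes` TLS connections on 127.0.0.1; return the port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(handshakes)

    def serve():
        for _ in range(handshakes):
            conn, _ = listener.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # wait for the client to close
            except (ssl.SSLError, OSError):
                pass  # client rejected our certificate and aborted
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def verify_next_hop(configured_host, port, ca_file):
    """Handshake the way a verifying client does: check the chain against
    ca_file and require the certificate to match configured_host.

    configured_host is the value typed into the Host field.
    Returns (ok, reason).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    # check_hostname is on by default: the name must match a SAN entry,
    # and an IP address only matches an IP SAN, which this cert lacks.
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=configured_host):
                return True, "certificate is valid for " + configured_host
    except ssl.SSLCertVerificationError as exc:
        return False, "verification failed: " + str(exc)
    except OSError as exc:
        return False, "connection failed: " + str(exc)


def run_check():
    """Connect once with the host name and once with the IP address."""
    with tempfile.TemporaryDirectory() as workdir:
        key, crt = make_cert(workdir)
        port = start_tls_server(key, crt)
        by_name = verify_next_hop(PROXY_NAME, port, crt)
        by_ip = verify_next_hop("127.0.0.1", port, crt)
    return by_name, by_ip


if __name__ == "__main__":
    for label, (ok, reason) in zip(("host name", "IP address"), run_check()):
        print(f"{label:10} -> {'OK' if ok else 'FAIL'}: {reason}")
```

Against the real next-hop proxy, the same check is verify_next_hop pointed at the Service Edge host name on port 8081, with ca_file set to the CA that issued its certificate rather than the constructed self-signed one; if the name variant fails there, the certificate will also fail verification on Secure Web Gateway once the Certificate Verification rule set covers the secure channel.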