Ds Web Gateway Reverse Proxy
The web has become an essential, yet dangerous place for businesses to operate. McAfee® Web Gateway security software is designed to protect enterprises against web-borne malware attacks. McAfee Web Gateway can be configured to protect against malware downloads from external sites, or it can be configured to protect an internal website against malicious uploads from an external user. In either mode, it allows customers to ensure secure access to vital web-based systems.

McAfee Web Gateway Reverse Proxy
A secure web gateway configured in reverse proxy mode applies malware detection rules to content being uploaded to, rather than downloaded from, a website. Internet Content Adaptation Protocol (ICAP) enables administrators to off-load malware scanning to a dedicated server to improve security and overall performance.

The Web Security Problem
The web, while essential, is also a dangerous place for businesses to operate. With the surge in web-based attacks, it’s critical for businesses to protect themselves against data breaches caused by external infected websites attempting to download malware onto internal systems. At the same time, organizations need to provide users with the ability to upload content to an internal website. For example, they may want to provide contractors with access to a work order site or customers to a support forum.

A secure web gateway solution can be used to protect an organization in either scenario, using either a forward or reverse proxy configuration, depending on the business problem the company is trying to solve.

McAfee Web Gateway Protective Features
McAfee Web Gateway uses multiple, layered techniques to scan web traffic to identify and block malware-infected payloads or enforce acceptable usage policy. Malware may be hidden in a wide variety of formats, such as Adobe PDF or Flash files, Java/JavaScript code, or media files.

It leverages the McAfee Global Threat Intelligence (McAfee GTI) service to block websites with a high-risk reputation. Antivirus technology from McAfee provides scanning capabilities to block previously identified malware, while the McAfee Gateway Anti-Malware engine scans for previously unknown (zero-day) malware that may be lurking in a web page.
Secure sockets layer (SSL) scanning ensures that encrypted traffic is examined, reducing the threat of hidden malware sneaking in. Administrators can enforce DLP rules to verify that sensitive or regulated content is not being transmitted, and multifactor authentication can verify a user’s identity before allowing them access to a sensitive system.

Reverse Proxy/ICAP Benefits
■■ Enhances network security by isolating internal sites from direct contact by external users
■■ Protects internal websites against malware infection by contaminated content
■■ Other security measures, such as data loss prevention (DLP) scanning or strong authentication, can be applied in reverse proxy mode
■■ Provides administrators with multiple deployment options, giving them the flexibility to choose the most appropriate configuration

Web Gateway Proxy Modes

Forward proxy
In a forward proxy configuration, McAfee Web Gateway intercepts internal user requests to visit a website, which is typically external. The downloaded content from the site is analyzed to verify that it is free of malware before being delivered to the user.

Reverse proxy
Many organizations also have internal websites, which they make available to internal (employees) or external users (contractors, partners, clients, and others) who need to upload content to the site. These sites need to be protected against attempts to upload infected content. For this use case, administrators deploy McAfee Web Gateway in reverse proxy mode to scan and analyze content before allowing it to be uploaded to the target site.

In Figure 1 below, an internet user attempts to upload content to a website. A load balancer sends the content to a McAfee Web Gateway cluster, which examines it.

[Figure 1: McAfee Web Gateway as a reverse proxy. Diagram labels: Internet, user uploads file to website, load balancer, uploaded file, good file, bad file, 403 Denied, web server, continue processing good files.]

[Figure 2: McAfee Web Gateway ICAP server (physical or virtual appliance). Diagram labels: Internet, user uploads file to website, web form on site, web server, ICAP client, business rules, contents sent to MWG via ICAP protocol, good file, HTTPS 200 OK, continue processing good files, bad file, warning page, quarantine (optional).]

If the content fails examination, McAfee Web Gateway returns a 403 “Denied” response to the user. If the content passes inspection, the load balancer forwards it to the web server for further processing.

Internet Content Adaptation Protocol (ICAP)
ICAP provides a standard lightweight mechanism for a web server (the ICAP client) to send content to an ICAP server for some further, specialized action. McAfee Web Gateway, acting as an ICAP server, can perform a full range of malware analysis and scanning. Files infected with malware can be prevented from contaminating the web server, while files free of malware can be processed.

In the example shown in Figure 2, the user attempts to upload the file directly to the web server (ICAP client), which transmits the file to the McAfee Web Gateway cluster (ICAP server). If the file passes inspection, McAfee Web Gateway notifies the web server to continue processing it. If the file fails, then the ICAP client takes the appropriate corrective action, based on the business logic of the ICAP application.

Deployment Considerations
The major differences between a reverse proxy and an ICAP server configuration are as follows:

■■ In reverse proxy mode, McAfee Web Gateway intercepts the content before it reaches the web server, processes it, and then either blocks or forwards it, depending on the results of the analysis. If the content is blocked, it never reaches the web server.
■■ In an ICAP configuration, the web server receives the content and forwards it to McAfee Web Gateway for further analysis before processing it. The web server gains the benefit of having the ICAP server perform more in-depth analysis, freeing up resources on the web server.
■■ Reverse proxy mode doesn’t require any additional software development, but block responses returned to the user must be taken into account, and block pages can be designed to conform to the style of the site.
■■ ICAP mode requires that an ICAP client be written and installed within the data flow of the application.

Learn More
For more information, visit www.McAfee.com/WebProtection.
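
A sketch of the core of the ICAP client that Deployment Considerations says must be written, added here as an example and not McAfee code: it frames an uploaded HTTP request as an ICAP REQMOD message (RFC 3507) and maps the server's reply to allow or block. The service URI, the fail-closed policy and the sample responses are assumptions constructed for the illustration.

```python
# Added example: ICAP (RFC 3507) REQMOD framing for an upload scan.
# The service URI and the sample responses are constructed placeholders.
ICAP_SERVICE = "icap://icap.example.internal/reqmod"  # assumed, not a product path


def build_reqmod(http_headers: bytes, body: bytes) -> bytes:
    """Wrap an HTTP upload (header block + body) in an ICAP REQMOD request."""
    if not http_headers.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with CRLF CRLF")
    body_part = "req-body" if body else "null-body"
    icap_head = (
        f"REQMOD {ICAP_SERVICE} ICAP/1.0\r\n"
        f"Host: {ICAP_SERVICE.split('/')[2]}\r\n"
        "Allow: 204\r\n"  # server may answer 204 when it changes nothing
        # Offsets count from the first byte after the ICAP header block.
        f"Encapsulated: req-hdr=0, {body_part}={len(http_headers)}\r\n\r\n"
    ).encode("ascii")
    # An encapsulated body is always sent with chunked transfer coding.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b""
    return icap_head + http_headers + chunked


def verdict(icap_response: bytes) -> str:
    """Return 'allow' or 'block' for a REQMOD response; fail closed."""
    head = icap_response.partition(b"\r\n\r\n")[0].decode("ascii", "replace")
    status_line, *header_lines = head.split("\r\n")
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or fields[0] != "ICAP/1.0":
        return "block"  # unparseable answer: do not process the upload
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if fields[1] == "204":
        return "allow"  # scanned, nothing to modify
    if fields[1] == "200" and headers.get("encapsulated", "").startswith("req-hdr="):
        return "allow"  # adapted request returned; forward that version
    return "block"  # encapsulated HTTP response (block page) or ICAP error


# Constructed sample responses (not captured from a real appliance).
SAMPLE_CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "constructed-1"\r\n\r\n'
BLOCK_PAGE = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 7\r\n\r\n"
SAMPLE_BLOCKED = (
    b"ICAP/1.0 200 OK\r\n"
    b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_PAGE)
    + BLOCK_PAGE + b"7\r\nblocked\r\n0\r\n\r\n"
)
```

Treating every reply other than 204 or a returned request as a block means an ICAP outage stops uploads rather than letting unscanned files through; whether that trade-off is right belongs to the business logic of the ICAP application.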

2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC. 61202ds_web-gateway-reverse-proxy_0714 JULY 2014