Upgrade Guide

McAfee Web Gateway

from version 6.8.x to version 7.0.x

The McAfee Web Gateway Upgrade Guide provides information on upgrading a McAfee Web Gateway (formerly Webwasher ) appliance from version 6.8.x to version 7.0.x.

A complete redesign of system architecture, functions, and user interface has been carried out for version 7.0.x of the McAfee Web Gateway appliance to make it capable of ensuring more web security for your network. See the McAfee Web Gateway Product Guide, version 7.0, for more information. You can also find information at the following locations: Help Help is built into McAfee Web Gateway. Click the Help icon in the upper right corner of the user interface. Support Visit mysupport.mcafee.com to find product documentation, announcements, and support.

In this document ... About the upgrade McAfee Professional Services About the listConverter tool Using the listConverter tool

About the upgrade

There is no standard method of upgrading from version 6.8.x. However, the following needs to be done when you upgrade: Create a backup of your 6.8.x configuration. You can use this backup for reference purposes and also as input for an upgrade tool that is provided. Install the new version on your appliance system. This will overwrite an existing 6.8.x version. Make yourself familiar with new methods for administering the appliance. It is important that you understand how particular web security measures, such as URL filtering, virus and malware filtering, SSL scanning, and others, were implemented through the settings of your 6.8.x version. Then you need to create a configuration under version 7.0.x that performs the same measures, using the functions of the new version. For example, the same URL categories that were blocked or allowed in version 6.8.x by configuring appropriate settings on the Category Actions tab can be blocked or allowed by appropriate rules in a URL filtering rule set under version 7.0.x.

McAfee Web Gateway 6.8.x to 7.0.x Upgrade Guide

McAfee Professional Services

McAfee Professional Services

You can obtain upgrade information and assistance from McAfee Professional Services. McAfee Professional Services can also provide you with the listConverter upgrade tool and guide you in its use.

About the listConverter tool

The listConverter upgrade tool uses a backup file of a McAfee Web Gateway 6.8.x configuration as input and converts data from this file to prepare it for use in a 7.0.x configuration.
Note: The tool is provided on a community tool basis. No support is provided for using the tool or issues arising from this use, nor is any other responsibility accepted with regard to the tool by McAfee Support or Development.

For example, action settings for URL categories in a 6.8.x configuration (specifying whether these categories are blocked, allowed, or handled otherwise) are converted to category lists and implemented in your 7.0.x configuration. You can then use these lists in appropriate 7.0.x rules. The listConverter tool is provided in the Web Gateway section of the McAfee community portal (community.mcafee.com). It is available as a single executable file in a .zip archive (listConverter.063.zip). The version number will change as updates of the tool are provided. No special installation procedure is needed to get the tool running. Just unzip the archive and start the executable file. The listConverter tool runs on the following platforms: Windows system using a Microsoft .NET 2.0 framework Unix system using a Mono framework

General use of the tool

The listConverter tool can be used in different ways, depending on which upgrade jobs you want it to perform. In general, the procedure for using the tool is as follows: Import a 6.8.x backup file A backup file from a 6.8.x version of McAfee Web Gateway is the input for the listConverter tool. The tool converts the data in this file and prepares it for the upgrade to version 7.0.x. From the user interface of the tool, you can open your local file manager, browse to a backup file, and import it into the tool. Extract and convert configuration data From the imported backup file, the tool extracts and converts data according to your selections. For example, you can have the tool extract list data and convert it into lists that you implement later on in your 7.0.x configuration. At the same time, the tool can write these lists into plain-text report files. Or you let the tool extract appliance system settings, web mappings, and other data. You can complete multiple upgrade jobs at once by selecting the appropriate options. You can also run the tool repeatedly on a backup file to create just the output you are interested in each time. Work with the tool output You can use the data that is extracted and converted by the tool for configuring your 7.0.x version. For example, you can implement the lists that the tool creates in a 7.0.x configuration and let them be used by appropriate rules. Or you can use appliance system settings that the tool has written into a report file to configure your appliance system. For example, you can use IP addresses of DNS servers from the report file to configure DNS servers for your 7.0.x appliance.

McAfee Web Gateway 6.8.x to 7.0.x Upgrade Guide

About the listConverter tool

More information on how to work with the tool output is provided in the sections on individual procedures for completing upgrade jobs.

Tool options
When upgrading from McAfee Web Gateway 6.8.x to version 7.0.x, you can use the listConverter tool to complete the following jobs: Upgrade action settings for URL category filtering In a 6.8.x configuration, actions are set for particular URL categories, for example, the Block action for URLs that fall into the Online Shopping category. Extracting data from a 6.8.x backup file, the tool creates lists of categories that are blocked, allowed, or handled otherwise. These lists can be implemented in a 7.0.x configuration and used by appropriate rules. Upgrade settings on an Extended List Actions for URL categories might additionally have been entered into an Extended List. The tool can extract data from this list and implement a list of the Extended List Element type for use by a rule in a 7.0.x configuration. Migrate settings for ICAP bypassing In a 6.8.x configuration, requests to particular URLs and IP addresses can be configured to bypass modification on an ICAP server. The tool extracts relevant data from the global.conf file that is contained in a 6.8.x backup file and creates a list of these URLs and IP addresses, which can be implemented in a 7.0.x configuration. The list is of the Wildcard Expression type and can be used by appropriate rules. Merge actions Actions existing in a 6.8.x configuration, including user-configured actions, can be merged to fewer actions in a 7.0.x configuration and, consequently, to fewer lists of objects that these actions are applied to. Merge whitelist settings Whitelist settings in a 6.8.x configuration can be merged before upgrading them to a 7.0.x configuration, which results in fewer whitelists for that configuration. Extract appliance system and other settings for reference purposes The tool can extract settings from a 6.8.x backup file and write them into separate files, for example, report files, to document them. You can use the information in these files for setting up your 7.0.x configuration. The following settings can be extracted in this way: Appliance system settings System settings of a McAfee Web Gateway 6.8.x appliance, for example, settings for network interfaces, DNS servers, and similar items can be written into report files. List settings List settings can be written into report files. This can be done in addition to creating these lists and making them available for use in a 7.0.x configuration. Policy settings Policy settings contained in .conf files within a backup file can be made available by extracting and storing these files. Web mapping settings Settings for web mapping rules can be written into report files.

McAfee Web Gateway 6.8.x to 7.0.x Upgrade Guide

Using the listConverter tool

Using the listConverter tool

The following sections explain procedures for completing upgrade jobs. For more information on these procedures, contact McAfee Professional Services.

Upgrading action settings for URL category filtering

You can upgrade settings specifying filtering actions for URL categories under particular policies. The listConverter tool extracts these settings from a 6.8.x backup file and creates corresponding lists, which you can implement in your 7.0.x configuration. For example, under the Default policy in a 6.8.x configuration, URLs falling into categories such as Pornography, Violence, or Illegal Software are blocked. After importing a backup file of this configuration, the tool creates a list of all categories that are blocked, a list of those that are allowed, as well as category lists for every other action that has been configured under this policy. In the same way, lists are created for all other policies in the configuration. The lists are written into a common file named *.ImportedLists.xml. You can import this file into a 7.0.x configuration. The tool creates a rule set that serves as a transport stub and implements this set together with the lists in the *.ImportedLists.xml file into the configuration. The rule set contains no rules of its own and can be deleted after the import. The lists are then still available and can be used by appropriate 7.0.x rules. For example, lists containing URL categories that were blocked in a 6.8.x configuration can be used by a rule that blocks URLs if their categories are on those lists. Lists with allowed URLs can be used by rules that stop processing of the current cycle, and so on.

Import a backup file

To create category lists from a 6.8.x configuration, import a backup file of this configuration into the tool.
1 Start the listConverter tool. 2 From the File menu of the user interface, select Open. Your local file manager opens. 3 Browse to the 6.8.x backup file and click Open. The backup file is imported into the tool for further

processing.

Extract and convert category list data

To extract list data from the backup file and convert it into category lists, proceed as follows:
1 Under Items to extract, select Write Lists. The tool creates an *.ImportedLists.xml file, which contains

category lists.
2 From the File menu, select Save. Your local file manager opens. 3 Browse to the location where you want to store the *.ImportedLists.xml and click OK.

Implement category lists

To implement the category lists that the tool created in a 7.0.x configuration:
1 Start McAfee Web Gateway 7.0.x. 2 On the user interface, go to Policy | Rule Sets. 3 Click Add above the Rule Sets tree and select Top-Level Rule Set from the pop-up menu. 4 In the Add New Top-Level Rule Set window, click Import rule set from Rule Set Library. 5 In the Add from Rule Set Library window, click Import from file. Your local file manager opens.

McAfee Web Gateway 6.8.x to 7.0.x Upgrade Guide

Using the listConverter tool

6 Browse to the *.ImportedLists.xml and click Open. The tool creates a rule set and implements it in the

7.0.x configuration, together with the lists of the *.ImportedLists.xml. The name of the rule set is ImportedLists.wwbackup<backup ID>, where <backup ID> is a time stamp indicating when the backup file in question was created.
Note: The rule set is not enabled.

The lists are of the Category type. You can view and access them on the Lists tab under Custom Lists. They have names like Imported.default.Block, Imported.default.Allow, and so on.
7 [Optional] Delete the ImportedLists.wwbackup<backup ID> rule set. 8 Modify existing rules of the 7.0.x configuration or create rules to let them use the newly implemented lists.

Upgrading Extended List settings

You can upgrade settings for handling URL categories that were entered on an Extended List in a 6.8.x configuration. The tool extracts these settings from the wwextendedlist.txt file within the backup file. You can extract the settings in a separate procedure or together with other settings, for example, other category settings, as described under Upgrading action settings for URL category filtering. To upgrade Extended List settings:
1 Start the listConverter tool and import a backup file of a 6.8.x configuration. 2 Under Global Settings, select Extended List. The tool creates an *.ImportedLists.xml file, which

contains the Extended List data.

3 Import the *.ImportedLists.xml file into your 7.0.x configuration. The tool creates and implements a list

of the Extend List Element type. You can view and access it on the Lists tab. Its name is Imported.wwextendedlist.
4 Modify an existing rule of the 7.0.x configuration or create a rule to let it use the newly implemented list.

For more information, see Upgrading action settings for URL category filtering.

Upgrading ICAP bypass settings

You can upgrade settings that allow requests for particular URLs and IP addresses to bypass modification on an ICAP server in a 6.8.x configuration. The tool extracts ICAP bypass data from the global.conf within a 6.8.x backup file. It uses this data to create separate lists for HTTP, HTTP, and FTP objects. The lists are of the Wildcard Expression type. URLs are globalized in these lists, using *, while the original URLs are entered in the Comment field. However, IP addresses are kept as they are. For example, the URL: ftp.mcafee.com is globalized to: *ftp.mcafee.com* while the Comment field contains ftp.mcafee.com. You can upgrade these settings in a separate procedure or together with other settings, for example, category settings, as described under Upgrading action settings for URL category filtering. To upgrade ICAP bypass settings:
1 Start the listConverter tool and import a backup file of a 6.8.x configuration. 2 Under Global Settings, select any combination of the following, HTTProxy.NoICAPFor,

HTTPSProxy.NoICAPFor, or FTProxy.NoICAPFor, according to what you want to upgrade. The tool creates an *.ImportedLists.xml file, which contains the ICAP bypass data.

McAfee Web Gateway 6.8.x to 7.0.x Upgrade Guide

Using the listConverter tool

3 Import the *.ImportedLists.xml file into your 7.0.x configuration. The tool creates and implements lists

with objects for ICAP bypassing. The lists are of the Wildcard Expression type. You can view and access them on the Lists tab. Their names are Imported.global.HTTPProxy.NoICAPFor, Imported.global.HTTPSProxy.NoICAPFor, and Imported.global.FTTProxy.NoICAPFor.
4 Modify existing rules of the 7.0.x configuration or create rules to let them use the newly implemented lists.

For more information, see Upgrading action settings for URL category filtering.

Merging actions
You can merge actions from a 6.8.x configuration, including actions you have configured on your own, to fewer actions in a 7.0.x configuration, thereby reducing the number of lists that are related to each of these actions. If no merging is done, the listConverter tool creates a list for each action, containing the objects that the action can be applied to. If you want to have fewer lists in the 7.0.x configuration, the tool enables you to merge, for example, the Allow and Exempt actions to a common Allow with a single list for all objects in question. You can do the merging in a separate procedure or together with other settings, for example, category settings, as described under Upgrading action settings for URL category filtering. To merge existing actions into fewer:
1 Start the listConverter tool and import a backup file of a 6.8.x configuration. 2 From the Tools menu, select Category Options. The Action Merging window opens. It shows the

existing actions in a column on the left and menus to select merged actions from on the right.
3 For each action on the left, select an action from the menu in the same line. This way you can merge the

existing actions to a smaller number of actions and, consequently, lists. The tool creates an *.ImportedLists.xml file, which contains only the merged actions.
4 Import the *.ImportedLists.xml file into your 7.0.x configuration. The tool creates and implements lists

for each of the merged actions.

5 Modify existing rules of the 7.0.x configuration or create rules to let them use the newly implemented lists.

For more information, see Upgrading action settings for URL category filtering.

Merging whitelist settings

You can merge whitelist settings from a 6.8.x configuration, so as to reduce the number of whitelists you have in a 7.0.x configuration. In a 6.8.x configuration, whitelist settings are related to types of objects and to filters. For example, there might be whitelist settings specifying that any URL containing a particular string is not filtered by the Media Type filter. The tool displays a list of the object types, as well of the filters that exist in a 6.8.x configuration and allows you to merge types on the one hand and filters on the other. According to your merge selections, the tool creates whitelists for the 7.0.x configuration. For example, it creates a whitelist of all strings that are not filtered by the Media Type Filter and the Generic Body filter if contained in a URL or an HTTP request. You can do the merging in a single procedure or in multiple procedures to merge particular object types and filters each time. If you only want to complete one merging procedure, you can do it together with other settings, for example, category settings, as described under Upgrading action settings for URL category filtering.

McAfee Web Gateway 6.8.x to 7.0.x Upgrade Guide

Using the listConverter tool

To merge existing whitelist settings:

1 Start the listConverter tool and import a backup file of a 6.8.x configuration. 2 From the Tools menu, select Whitelist Options. The Select Whitelist Parameters window opens. 3 Make your merge selections: a In the White List Types section, select Merge Selected Web: Types, then select the object types you

want to merge.
b In the White List Filters section, select Merge Selected Filters, then select the filters you want to

merge. The tool creates an *.ImportedLists.xml file with merged object types and filters.
4 Import the *.ImportedLists.xml file into your 7.0.x configuration. The tool creates and implements

whitelists according to your selections.

5 Modify existing rules of the 7.0.x configuration or create rules to let them use the newly implemented

whitelists. For more information, see Upgrading action settings for URL category filtering.

Extracting data for reference purposes

You can extract data from a 6.8.x backup file and have them written into report files. You can use the information in these files when configuring your 7.0.x version. For example, you can let the tool extract appliance system settings or web mapping settings. You can do this in separate procedures or together with other settings, for example, category settings, as described under Upgrading action settings for URL category filtering. To extract different kinds of configuration data:
1 Start the listConverter tool and import a backup file of a 6.8.x configuration. 2 Make your selections under Items to extract: a To create an appliance system settings report file, select Appliance Settings. b To extract .conf files containing policy settings, select Policy Files (*.conf). c

To let the tool write the lists it creates into plain text files, select Write .txt Files.

3 To create a web mapping report file, select the File menu and then Policy Mapping Report. 4 Select Extract all files from backup. Your local file manager opens. 5 Browse to the location where you want to store the files with the extracted data and click OK. 6 Use the data in the files to configure settings for your 7.0.x configuration.

For support information, visit mysupport.mcafee.com. Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. 700-2515A00

McAfee Web Gateway 6.8.x to 7.0.x Upgrade Guide