@AfroThundr3007730
Last active June 3, 2020 17:06
ePO Apache config to put the web console on 443 (colocated with agent port)

Why do this?

I wanted to redirect the web console to port 443, but the agents use that for communication with ePO. I could change the agent communication port, but I don't want to redeploy all the agents to fix their configurations. Thus, this madness was born.

The configs

You'll need to navigate to the ePO Apache server configuration directory:

X:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf

Edit the httpd.conf to enable the proxy and rewrite modules:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule rewrite_module modules/mod_rewrite.so

Then add some rewrite rules to the bottom of the VirtualHost block in ssl.conf:

RewriteEngine On
ProxyPreserveHost On
SSLProxyEngine On
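# Ignore certificate issues on the proxied connection to the console
# (the backend certificate is not verified at all with these settings)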
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

# Reverse proxy websockets (or attempt to)
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) wss://epo.server.fqdn:8007/$1 [P,L]

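# Reverse proxy any request whose User-Agent looks like a browser
# (Firefox, Chrome, or IE/Trident); everything else is left for the agent handler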
RewriteCond %{HTTP_USER_AGENT} (Firefox|Chrome|Trident)
RewriteRule /?(.*) https://epo.server.fqdn:8007/$1 [P,L]

And that should about do it. Just restart the ePO Server service (mcafeeapachesrv).
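
A variant of the proxy TLS settings above that verifies the console's certificate instead of ignoring it, shown beside the original lines. This is an added example, not part of the original gist; the CA file name `conf/ssl.crt/epo-console-ca.pem` is a hypothetical placeholder for wherever you store the issuing CA certificate.

```apache
# Added example: goes in the same VirtualHost block in ssl.conf,
# replacing the "Ignore certificate issues" lines.
SSLProxyEngine On

# Require the console on port 8007 to present a certificate that
# chains to a CA listed in the file below.
SSLProxyVerify require

# Assumption: hypothetical file name. PEM file containing the CA
# certificate(s) that issued the certificate served on port 8007.
SSLProxyCACertificateFile conf/ssl.crt/epo-console-ca.pem

# Reject a backend certificate whose names do not match the host
# being proxied (epo.server.fqdn) or that has expired.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

# Before (as in the gist): every check on the proxied hop disabled
# SSLProxyVerify none
# SSLProxyCheckPeerCN off
# SSLProxyCheckPeerName off
# SSLProxyCheckPeerExpire off
```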

Custom SSL Certificate

Due to the above shenanigans, I had to edit the ssl.conf in order to add my SSL certificates:

# Path to the x509 certificate in PEM format
SSLCertificateFile conf/ssl.crt/my-new-cert.crt

# Path to the unencrypted RSA key in PEM format
SSLCertificateKeyFile conf/ssl.crt/my-new-cert.key

# Path to the CA certificate chain for this cert
SSLCertificateChainFile conf/ssl.crt/my-new-cert.pem

SSL Session Cache

To fix the warning about the SSL Session Cache, add the following line to httpd.conf:

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

And add (or uncomment) the following line in the ssl.conf:

SSLSessionCache     shmcb:logs/ssl_scache(512000)

Then restart the ePO Server service as per above.