Here is how you configure UCE for IP based authentication

Update: IP Authentication Setup is not required if you are running MWG 11.0 or later and you enable use of Secure Connection in your NHP config.

Set up IP based authentication in UCE by going to Configuration (gear in upper right of MVC console) > Infrastructure > Web Gateway Setup > Configure Locations > New Location or same place and edit an existing location. Add the public egress ips to IP Range Mapping for your proxies that will use next hop to UCE. For example public egress 1.2.3.4/32. 

Save and Publish

Here is how you would do the proxy piece on MWG: 

Import the Next Hop Proxy ruleset from the library. Place it after authentication if you want to pass authentication information. 

Unlock the rule view.

Configure your Next hop proxy list to point to c<customerid>.wgcs.mcafee-cloud.com on port 8080 or 80.

Optionally add events to populate headers with Username and optionally user groups.

Add criteria to the ruleset or the rules to specify which traffic you want to direct to the cloud. In the example below I am "next hopping" to UCE all traffic originally directed to MWG on port 9091.

Note that when using the Remote Browser Isolation (RBI) function of UCE via Next Hop Proxy you must implement NHP for not only the isolated sites and categories, but also the domain rbi.mcafee-cloud.com and you must authenticate the requests for that domain and inject the authentication headers. 

Updated 5/26/22: Authentication header insertion is not necessary if running MWG 11.0 or later and you enable use of Secure Channel in your Next Hop Proxy configuration (uses port 8081). If 8081 is not accessible it will default to the configured port 8080 in example below)  If you want to use secure channel you must now configure use of port 8081 instead of port 8080.  Shown below is incorrect. Official Documentation Here  Also note that the official documentation is currently missing a few steps. If next hop proxy is implemented after HTTPS Inspection you must make sure that if Certificate Verification is enabled, add your SSE/UCE CA and the generic cloud service certificates from the bundle to the trusted certificate authorities list on SWG (even if you are using your SWG certificate in the cloud, it will not automatically be accepted by SWG as a valid signing authority). Also missing is that UCE Hybrid configuration must have the customer ID and shared secret configured! If this is not done, there will be no valid authentication headers. 

For example you might want to NHP uncategorized sites so you would have as a criteria for NHP to UCE. List.OfCategories.IsEmpty(URL.Categories) equals true OR URL.Host matches *.rbi.mcafee-cloud.com. 

IMPORTANT NOTE. The domain recently changed for bootstrap.rbi.mcafee-cloud.com. It now is bootstrap.rbi.skyhigh.cloud. Please update any proxy and firewall rules accordingly. You should be able to simply add the new hostname or domain wherever you have the old one.(bootstrap.rbi.mcafee-cloud.com). At a minimum, allow websockets for this domain or host and next hop proxy this domain or host.