UserGate 5

Administrator's Guide

1. Introduction

UserGate is the comprehensive network gateway which implements the Unified Threat Management and features the built-in firewall, routing, gateway anti-virus tool, intrusion detection and prevention system (IPS), VPN server, content filtering system, monitoring and statistics, and many more. This product provides everything you may need for efficient network management, traffic optimization and prevention of cyber-attacks.

1.1. Network security and protection from network threats

1.1.1. Next Generation Firewall

The Next Generation Firewall built into UserGate filters the traffic at various levels (e.g. TCP, UDP, IP), thereby protecting your network from hacker attacks and various types of intrusions.

1.1.2. Intrusion detection and prevention

Our intrusion detection and prevention system (IPS) can quickly detect malicious network activity, identify, record and prevent various threats, and generate detailed reports on each suspicious event.

Security breaches are usually detected by means of heuristic techniques and matching with signatures of already known attacks. UserGate regularly provides and updates its own databases of heuristic rules and virus signatures. IPS can track and proactively block all the detected attacks in real time, e.g. terminate malicious network connections, send notifications to network administrators, log the suspicious activity, and so on.

Administrators can create various IPS profiles (signature sets for protection of certain services) and also specify IPS rules to define actions per traffic type that will be verified by the IPS module according to the assigned profiles.

1.1.3. Protection from DOS attacks and network flooding

UserGate allows you to set up protection parameters for each network zone against network flooding (for TCP (SYN-flood), UDP, ICMP), including the notification threshold (the minimal number of requests per IP address for logging) and the packet drop threshold (the minimal number of requests for packet dropping and subsequent logging).

It is also possible to set up exclusions, e.g. for network zones that use VoIP and therefore legitimately send many UDP packets.
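As an added illustration (not UserGate's own code or configuration), the following Python model shows how the two per-source thresholds described above interact: a notification threshold that logs a source once it reaches N requests within one second, a drop threshold that starts discarding (and logging) packets at M, and a per-zone protocol exclusion of the kind used for VoIP. The packet trace, IP addresses, protocol labels and threshold values are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample traffic for one zone: (timestamp_ms, source_ip, protocol).
# 120 SYNs in 1.2 s from one host and 60 UDP datagrams in 0.6 s from another;
# made-up values, not captured UserGate data.
SAMPLE_PACKETS = sorted(
    [(i * 10, "10.0.0.5", "tcp_syn") for i in range(120)]
    + [(i * 10, "10.0.0.9", "udp") for i in range(60)]
)


class FloodGuard:
    """Per-zone flood protection modelled on the two thresholds in the text.

    Each (source IP, protocol) pair is counted over a sliding one-second
    window. Reaching notify_threshold logs the source once; reaching
    drop_threshold drops the packet and logs the drop. Protocols listed in
    `excluded` (e.g. UDP in a VoIP zone) bypass the check entirely.
    """

    def __init__(self, notify_threshold=50, drop_threshold=100,
                 window_ms=1000, excluded=()):
        self.notify_threshold = notify_threshold
        self.drop_threshold = drop_threshold
        self.window_ms = window_ms
        self.excluded = set(excluded)
        self._windows = defaultdict(deque)  # (src, proto) -> timestamps in window
        self.events = []                     # (timestamp_ms, kind, src, proto)

    def handle(self, ts, src, proto):
        """Return 'pass' or 'drop' for one packet, recording threshold events."""
        if proto in self.excluded:
            return "pass"
        window = self._windows[(src, proto)]
        window.append(ts)
        # Discard timestamps that have slid out of the one-second window.
        while ts - window[0] >= self.window_ms:
            window.popleft()
        count = len(window)
        if count >= self.drop_threshold:
            self.events.append((ts, "drop", src, proto))
            return "drop"
        if count == self.notify_threshold:
            # Log exactly once, when the notify threshold is first reached.
            self.events.append((ts, "notify", src, proto))
        return "pass"


def run(packets, guard):
    """Feed a time-ordered packet list through the guard and summarise the result."""
    summary = {"passed": 0, "dropped": 0}
    for ts, src, proto in packets:
        verdict = guard.handle(ts, src, proto)
        summary["passed" if verdict == "pass" else "dropped"] += 1
    summary["notified"] = {src for _, kind, src, _ in guard.events if kind == "notify"}
    return summary


if __name__ == "__main__":
    print(run(SAMPLE_PACKETS, FloodGuard()))                  # both hosts notified, SYN burst dropped
    print(run(SAMPLE_PACKETS, FloodGuard(excluded={"udp"})))  # UDP exempt, as in a VoIP zone
```

Dropped packets are still counted in the window, so a source that keeps sending stays above the drop threshold until it actually backs off; the exclusion is deliberately coarse (per protocol for the whole zone), which is why the text recommends applying it only to zones that genuinely need it.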

1.1.4. Anti-virus traffic check

UserGate's built-in anti-virus checks the traffic for viruses without compromising network performance and throughput. This module uses a vast database of signatures.

In addition, you can also integrate the heuristic anti-virus module.

1.1.5. Anti-spam and anti-virus protection of email traffic

UserGate can efficiently handle traffic of email protocols (SMTP(S) and POP3(S)) and check it for spam messages and viruses.

UserGate processes the transit email traffic (SMTP(S), POP3(S)) by analyzing its source along with messages and attachments, thereby ensuring reliable protection against spam, viruses, pharming, and phishing. UserGate also allows you to set up flexible filters for the email traffic by user group.

1.1.6. Interaction with 3rd party security systems

It is possible to transfer the HTTP/HTTPS and email traffic (SMTP, POP3) to external ICAP servers, e.g. in order to check the traffic for viruses or to check the outgoing data from users by means of DLP systems. Administrators can specify which type of traffic should be transmitted to ICAP and also set up interaction with server farms.

1.1.7. SCADA management

The new platform version features various management options for SCADA (Supervisory Control And Data Acquisition) systems. Administrators can control the traffic by setting up rules for detection, blocking, and logging of events. This allows you to automate basic workflows while keeping manual control over them when it's necessary.

1.1.8. Security Orchestration, Automation, and Response

UserGate allows for much faster responses to detected attacks thanks to security features automated using SOAR scenarios (Security Orchestration, Automation, and Response).

This is a popular concept that helps administrators create scenarios (triggered by schedule or upon any threat) with automatic responses to various events. Such an approach ensures flexible security policies and a higher level of automation for routine tasks instead of manual operations, and also supports priority-based scenarios for rapid elimination of critical threats.

1.2. Improvements in network performance and reliability

1.2.1. High Availability and Clustering

UserGate supports 2 cluster types: a configuration cluster for applying the same settings to all nodes within a cluster and a failover cluster for smooth operation of the whole network. A failover cluster can operate in two modes: Active-Active and Active-Passive. Both modes support synchronization of user sessions for transparent switching of the traffic among nodes.

1.2.2. FTP over HTTP

The FTP over HTTP module is used for accessing the contents of an FTP server directly from a browser on the client side.

1.2.3. Support of redundant channels

UserGate allows you to switch between available network channels from various ISPs, thereby making the Internet access much more reliable and resilient.

1.2.4. Traffic shaper

You can assign priorities to users and applications by means of the traffic management functionality, so that the most resource-intensive endpoints cannot severely impact the overall network performance. This ensures the agreed service level for all your mission-critical software.

1.2.5. WCCP

Support for the WCCP protocol makes it possible to use UserGate in an infrastructure with WCCP servers such as Cisco routers.

1.3. Traffic management and Internet access control

1.3.1. Traffic routing and publication of resources

UserGate supports both static and dynamic routing. Since dynamic routing is performed using the OSPF and BGP protocols, UserGate can be smoothly integrated in large corporate networks with sophisticated routing.

Administrators can create NAT rules (for the provision of the Internet access to users), and also various rules for secure publication of internal resources on the Internet using Reverse Proxy for HTTP/HTTPS and DNAT for other protocols.

1.3.2. User authentication

The platform supports various authentication mechanisms for users, such as Captive portal, Kerberos, and NTLM, while user accounts can be obtained from any of these sources: LDAP, Active Directory, FreeIPA, TACACS+, Radius, or SAML IDP. The SAML IDP, Kerberos-based and NTLM-based methods allow for transparent authentication (i.e. without prompting for credentials) of users from your Active Directory domain.

Network administrators are free to apply individual security settings for a specific user, a group of users, or all known or unknown users. In addition, the system supports authentication via special Terminal Services Agents or via authentication agents for Windows-based platforms.

For better protection of accounts, it is also recommended that you use multi-factor authentication based on TOTP tokens (Time-based One Time Password Algorithm), SMS or email.

1.3.3. Support of the guest portal

UserGate can provide users with temporary access to networks, such as public Wi-Fi hotspots. Profiles can be created either by administrators or registered by users with email-based or SMS-based confirmation. The platform also allows you to specify individual security settings for temporary users.

1.3.4. Proxy agent for Windows

For Windows users, you can set up a proxy agent in order to provide proxy services to applications that cannot directly work with proxy servers. The proxy agent can also be used for provision of Internet access to such applications, when UserGate is not set up as the default gateway.

1.3.5. Support of the BYOD ("Bring Your Own Device") concept

You can set up special access policies for any user devices including laptops, tablets and smartphones. In UserGate, you can limit the maximum number of devices per user (both total and currently used devices) as well as define a list of devices from which a particular user is allowed to access the corporate network.

1.4. Content filtering and application control

1.4.1. Internet filtering

The Internet filtering module can significantly strengthen the security of your local network through full control over Internet connections and downloads as well as through blocking access to potentially malicious or unwanted web resources.

To analyze the security level of sites requested by users, the system utilizes reputation services, MIME content types (photos, videos, texts, and more), specialized morphological dictionaries provided by UserGate, black and white lists of URLs, and User-Agent lists, which allow administrators to prohibit or permit the use of certain browser types. UserGate supports the creation of custom black and white lists, dictionaries, MIME types, morphological dictionaries, and User-Agent lists for adding rules at the user and user group level.

1.4.2. Selective ad blocking

Even secure websites sometimes display unwanted graphical banners, and website owners do not have a full control over the content of such banners. UserGate can resolve this issue by blocking banners and protecting users from unwanted content.

1.4.3. Safe search

UserGate supports forced safe search activation for Google, Yandex, Yahoo, Bing, Rambler, Ask, and YouTube. This protection ensures high-quality filtering, e.g. of responses to graphical or video content requests. You can also block search systems that do not provide safe search functionality.

1.4.4. Access control for social media

UserGate allows you to block online games and various apps from Facebook, VKontakte, Odnoklassniki and other social media. Network administrators can provide access to social media in general, but prohibit or restrain certain unwanted actions in them. The system also supports filtering of individual pages and groups in social media by various criteria, such as extremist content, profanity, and more.

1.4.5. Code injection for web pages

The script injection feature allows you to insert the necessary program code in all web pages accessible for users. This feature can be used for obtaining various metrics, for hiding web elements, for showing ads or other information.

1.4.6. Inspection of the SSL traffic

The UserGate platform allows you to filter both unencrypted and encrypted traffic (HTTPS, SMTPS, POP3S) through MITM-based decryption (Man In The Middle) and signing of the traffic with the corporate trusted root certificate after analysis. The system supports selective traffic checks, e.g. not to decrypt resources in the Finance category.
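Selective decryption of the kind described above has to be decided before any decryption takes place, and the only plaintext the gateway has at that point is the TLS ClientHello. The following Python example, added for this guide and not UserGate's implementation, parses the Server Name Indication (SNI) from a ClientHello and applies a category-based bypass list to it; it also builds the sample ClientHello it parses, so it runs offline. The hostnames, the category table and the choice to decrypt when no SNI is present are constructed assumptions for the example.

```python
import struct

# Constructed category lookup standing in for a URL filtering database;
# the hostnames are placeholders, not real sites.
CATEGORIES = {
    "bank.example": "Finance",
    "shop.example": "Shopping",
}
BYPASS_CATEGORIES = {"Finance"}  # categories the administrator chose not to decrypt


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Used only to construct sample input here; real clients send far more."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name      # host_name type 0
    sni_ext_body = struct.pack(">H", len(sni_entry)) + sni_entry
    extensions = struct.pack(">HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + bytes(32)                            # random (zeros; constructed input)
        + b"\x00"                              # session_id length 0
        + struct.pack(">H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                          # compression methods: null only
        + struct.pack(">H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                            # record hdr, hs hdr, version, random
        p += 1 + record[p]                            # session_id
        p += 2 + struct.unpack_from(">H", record, p)[0]   # cipher_suites
        p += 1 + record[p]                            # compression_methods
        if p + 2 > len(record):
            return None                               # no extensions block
        end = p + 2 + struct.unpack_from(">H", record, p)[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from(">HH", record, p)
            p += 4
            if ext_type == 0x0000:
                q = p + 2                             # skip server_name_list length
                while q + 3 <= p + ext_len:
                    name_type = record[q]
                    name_len = struct.unpack_from(">H", record, q + 1)[0]
                    q += 3
                    if name_type == 0:
                        return record[q:q + name_len].decode("ascii", "replace")
                    q += name_len
            p += ext_len
    except (IndexError, struct.error):
        pass                                          # truncated or malformed input
    return None


def inspection_decision(record: bytes) -> str:
    """Decide 'decrypt' or 'bypass' for a connection from its ClientHello.
    Missing or unknown SNI falls back to decryption so nothing bypasses silently."""
    host = extract_sni(record)
    if host is None:
        return "decrypt"
    category = CATEGORIES.get(host, "Uncategorized")
    return "bypass" if category in BYPASS_CATEGORIES else "decrypt"


if __name__ == "__main__":
    for host in ("bank.example", "shop.example", "unknown.example"):
        print(host, inspection_decision(build_client_hello(host)))
```

Two caveats follow from the code: SNI is client-supplied, so a bypass list keyed on it must be treated as a convenience for the categories you are willing to leave uninspected, not as an authorization boundary; and a connection without SNI (or with an unparseable ClientHello) should default to the stricter action, which is why the fallback here is to decrypt.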

1.4.7. VPN and WEB PORTAL

The VPN technology (Virtual Private Network) allows you to set up virtual logical networks on top of the Internet and other networks. UserGate supports two types of VPNs: Remote Access VPN (client-server model) and Site-to-Site VPN (server-server model).

Tunnels can be established using Layer 2 Tunneling Protocol (L2TP), and the data being transmitted can be protected with IPSec. UserGate supports default clients for most popular operating systems: Windows, Linux, Mac OS X, iOS, Android, and more.

Web portal (SSL VPN) allows you to grant access for your employees to internal web resources, SSH servers, and terminal servers by HTTPS without installing any VPN clients.

1.5. Logs and Reports

The platform supports full-scale real-time monitoring with event logs, web access, IPS, and traffic analysis. For convenient analysis, administrators may set up automatic exports of logs to SSH, FTP, and Syslog servers. Reports help administrators extract and display various datasets regarding security events, configuration changes or user actions. Reports can be generated automatically by the previously created rules and templates, and then emailed to all stakeholders.

1.6. Other functions

1.6.1. Role-based management

By default, the system provides a single superadministrator who can create accounts for other administrators and grant them permissions to view and change certain sections.

In addition, you can also strengthen the security level of the console by enabling certificate-based authentication for administrators.

1.6.2. Monitoring and notifications

UserGate supports monitoring based on the SNMP v2c and SNMP v3 protocols. The product is fully compatible with SNMP queries and SNMP traps for comprehensive management.

In addition, the system allows you to create notification profiles in order to inform users about important events via SMTP (e-mail) and SMPP (SMS).

1.6.3. Network interfaces

UserGate allows you to add and set up tagged VLAN interfaces, and also group multiple physical interfaces into a single logical aggregated interface (a bond) based on LACP (Link Aggregation Control Protocol) for higher throughput or availability. In addition, it is also possible to join interfaces in a bridge for L2 traffic filtering without any changes to the existing corporate infrastructure.

1.6.4. DNS filtering

UserGate can be set up to work with DNS servers and DNS Proxy which captures DNS requests from users and modifies these requests depending on the administrator's needs. You can also add filters of DNS requests from users.

1.6.5. Load balancer

UserGate allows you to balance the workload on various services within your local area network. Balancing can be provided for internal servers, whether published on the Internet (via DNAT or reverse proxy) or not, and for traffic being routed to external servers or ICAP server farms.

2. Initial configuration

UserGate is usually supplied as a hardware and software bundle (appliance) or as a virtual machine (virtual appliance) ready for deployment in a virtual environment. In both cases, UserGate is equipped with four or more Ethernet interfaces. The virtual image is equipped with four Ethernet interfaces; an appliance is equipped with from 2 to 64 Ethernet interfaces.

2.1. Deploying the virtual appliance

UserGate UTM Virtual Appliance allows you to quickly set up a virtual machine with pre-set components. The image is supplied in OVF (Open Virtualization Format), which is supported by vendors such as VMWare and Oracle VirtualBox. A disk image is provided for Microsoft Hyper-V.

Important! In order for your virtual machine to run correctly, we recommend using at least 8GB of RAM and a dual-core virtual CPU. Your hypervisor must support 64-bit operating systems.

To launch the virtual machine:

Step 1. Download the image and extract it

Download latest image from the official site https://www.usergate.com.

Step 2. Import the image

Instructions for importing the virtual image can be found on the VirtualBox and VMWare websites. For Microsoft Hyper-V, create a new virtual machine, use the downloaded disk image as its hard drive, and then disable integration services for this virtual machine.

Step 3. Configure virtual server memory

Increase the virtual machine's RAM size. Set it to a minimum of 8 GB and add 1 GB for every 100 users.

Step 4. Important! Increase virtual machine's hard drive size

The default size is 100 GB, which is usually not enough to keep all logs and settings. Use the virtual machine settings to increase the size to 200 GB or more. The recommended size is 300 GB.

Step 5. Set up virtual server networks

UserGate UTM comes with four interfaces assigned to the following zones:

  • Management: the virtual machine’s first interface

  • Trusted: the virtual machine’s second interface

  • Untrusted: the virtual machine’s third interface

  • DMZ: the virtual machine’s fourth interface.

Step 6. Factory reset

Launch the UserGate virtual machine. In the boot menu, select Support tools and then Factory reset UTM. This step is important and must be completed: during it, UTM configures the network adapters and resizes its partition to the full size of the disk increased at step 4.

2.2. Connecting to UserGate

The eth0 interface is automatically allocated an IP address (via DHCP) and then added to the Management zone. To perform the initial configuration, the network administrator should connect to the web console via eth0.

If the system fails to allocate an IP address to the Management interface automatically via DHCP, the network administrator can assign it manually using the CLI (Command-Line Interface). For more details on the CLI, please refer to Command-Line Interface (CLI).

All other interfaces are disabled by default and should be configured individually.

Perform the following steps for initial configuration:

Step 1. Connect to the management interface

  • If a DHCP server is available: connect the eth0 interface to your corporate network with an active DHCP server and launch UserGate. After booting, UserGate will display the IP address to which you need to connect for product activation.

  • Static IP address: launch UserGate and assign an unallocated IP address to eth0 using the CLI (Command-Line Interface). For more details on the CLI, please refer to the Command-line interface (CLI) section.

Connect to the UserGate web console at the specified address, which should look like this: https://UserGate_IP_address:8001

Step 2. Select a language

Select a language which you want to use during the initial configuration process.

Step 3. Enter a password

Specify the username and password for the web administration interface.

Step 4. Register the system

Enter the PIN to activate the product and fill in the registration form. UserGate requires Internet access for activation. If you cannot activate the system at this step, you can do so later at step 10, after setting up the network interfaces.

Step 5. Set up the zones and IP addresses of interfaces and then connect UserGate to your corporate network

In the Interfaces section, enable the interfaces you need, allocate valid IP addresses from your local networks, and then group these interfaces by zone. For details on how to manage interfaces, please refer to Configuring interfaces. By default, the system provides several predefined zones:

  • Management (administration network), eth0 interface

  • Trusted (LAN)

  • Untrusted (Internet)

  • DMZ (DMZ)

  • Cluster

  • VPN for remote access

  • VPN for Site-to-Site

Step 6. Set up the Internet gateway

In the Gateways section, specify the IP address of your Internet gateway (for the Internet access interface) in the Untrusted zone. For details on how to manage gateways, please refer to Configuring gateways.

Step 7. Specify DNS servers of the system

In the DNS section, specify the IP addresses of DNS used in your corporate network. For details on how to manage DNS, please refer to Configuring DNS.

Step 8. Create the NAT rules

In the NAT & routing section, create the necessary NAT rules. The system is predefined with the NAT rule required for Internet access from the Trusted network ("Trusted-->Untrusted"). For details on how to create NAT rules, please refer to NAT rules.

Step 9. Create the firewall rules

In the Firewall section, create the necessary firewall rules. The system is predefined with the firewall rule required for unlimited Internet access from the Trusted network ("Internet for Trusted"), so you can simply enable it. For details on how to create firewall rules, please refer to Firewall.

Step 10. Register the product (if you did not register it at step 4)

In the General settings section, enter your PIN to register the product. For successful registration, make sure that the Internet connection is active and all the above steps are completed. For more details on product licensing, please refer to UserGate licensing.

Step 11. Create additional administrators (optional)

In the Device management section, create additional system administrators and grant them necessary rights (via roles).

Step 12. Set up user authentication (optional)

In the Users and devices section, define the necessary methods of user authentication. The simplest way to do this is to create local UserGate users with fixed IP addresses or disable user identification completely (i.e. apply the "Any" user to all rules). For details on other authentication options, please refer to Users and devices.

Step 13. Create the content filtering rules (optional)

In the Content filtering section, create the HTTP(S) filtering rules. For more details on content filtering, please refer to the Content filtering section.

Step 14. Create the safe browsing rules (optional)

In the Safe browsing section, create the additional safe browsing rules. For more details on safe browsing, please refer to the Safe browsing section of this Guide.

Step 15. Create the HTTPS inspection rules (optional)

In the SSL inspection section, create the capturing and decryption rules for HTTPS traffic. For more details on HTTPS decryption, please refer to SSL inspection.

Once all the above steps are complete, UserGate will be ready for work. For more details on the configuration process, please refer to the corresponding sections of this Guide.

3. UserGate licensing

UserGate is licensed by the number of simultaneously connected devices, including terminal services users. For example, if you have an end user license for 100 devices, then you are eligible to connect 100 devices with unique IP addresses at once, but the 101st device and the next ones will not gain access to your network. Note that the number of accounts in the system is not limited. After installing the license, you will be able to use UserGate for an unlimited period of time.

The following modules are licensed separately:

Security Updates (SU)

The SU module provides the following benefits:

  • updates for UserGate platform

  • updates for signatures of the intrusion detection and prevention system

  • updates for signatures of L7 applications

  • technical support

The module is provided for a 1-year period after which you will need to purchase a license in order to continue obtaining software updates and technical support.

Advanced Threat Protection (ATP)

The ATP module includes the following:

  • 1-year subscription for UserGate URL filtering database

  • 1-year subscription for up-to-date lists of prohibited websites according to some national laws, lists of phishing websites as well as black and white lists from UserGate

  • 1-year subscription for morphological databases from UserGate

  • 1-year subscription for the anti-virus from UserGate

  • 1-year subscription for the ad blocking module

The module is licensed for a 1-year period, and upon its expiration:

  • UserGate URL filtering will stop working

  • Morphological filtering will stop working

  • Lists of prohibited websites according to some national laws, lists of phishing websites as well as black and white lists from UserGate will continue working, but no updates will be provided

  • The anti-virus from UserGate will stop working

  • The ad blocking module will stop working

Heuristic Anti-Virus (HAV)

The Heuristic Anti-Virus module includes a 1-year subscription for Heuristic Anti-Virus.

Mail security

Mail security includes a 1-year subscription for email traffic control based on the anti-spam and anti-virus module from UserGate.

To register the product, perform the following steps:

Step 1. Go to the Dashboard panel

Click the Dashboard icon in the top right corner.

Step 2. Register the product in the License information section

In the License information section, click Registered, enter your PIN and fill in the registration form.

4. Managing the device

4.1. General settings

The General settings section contains basic parameters of UserGate, such as:

Timezone

Specify the timezone according to your actual location. The timezone is used for scheduling in rules as well as for displaying correct date and time in statistical reports, logs and other elements.

Default interface language

Default language that will be used in the console

Web console authentication mode

An authentication method for users (administrators) who need access to the management web console. The following options are supported:

  • By user name and password. To access the web console, enter your user name and password.

  • By X.509 certificate. For a certificate-based authentication, you will need to have a user certificate signed by a certification authority and installed in your browser. Note that enabling this authentication method will disable authentication by user name and password. To enable authentication by user name and password again, use the CLI commands.

Modules

Configures the following UserGate modules:

  • HTTP(S) proxy port - allows you to set a custom HTTP(S) proxy port number. Default is TCP 8090. Important! The following ports are reserved for UserGate internal use and cannot be used here: 2200, 8001, 4369, 9000-9100.

  • Captive portal auth domain - a special domain name used by UserGate to authorize users through the Captive portal. This domain name must resolve to the IP address of the UserGate interface to which the users are connected. If users use UserGate as their DNS server, this works right away. The default is auth.captive, which can be changed to another name used in the corporate network.

  • Captive portal logout domain - a special domain name used by UserGate users to log out. This domain name must resolve to the IP address of the UserGate interface to which the users are connected. If users use UserGate as their DNS server, this works right away. The default is logout.captive, which can be changed to another name used in the corporate network.

  • Block page domain - a service domain that displays the block page to users. Make sure that users can resolve the specified domain into the IP address of the UserGate interface to which they are connected. If the IP address of your UserGate server is specified as the DNS server, then resolving will be performed automatically. By default, 'block.captive' is used as the name, but you can change it to any other domain name according to your corporate policies.

  • FTP over HTTP - enables or disables a module which provides access to the content stored on FTP servers from user browsers. Note that users must explicitly set the proxy server for FTP in their browsers. Administrators may control access to the FTP servers via content filtering rules (only Users and URL conditions).

  • FTP over HTTP domain - a service domain that is used to provide the FTP over HTTP service to users. Make sure that users can resolve the specified domain into the IP address of the UserGate interface to which they are connected. If the IP address of your UserGate server is specified as the DNS server, then resolving will be performed automatically. By default, 'ftpclient.captive' is used as the name, but you can change it to any other domain name according to your corporate policies.

Cache settings

Parameters of the proxy server's cache:

  • Caching mode - enables or disables caching

  • Cache exclusions - list of URLs which should not be cached

  • Max cacheable object size (MB) - objects of a larger size will not be cached. The recommended value is 1 MB (set by default)

  • RAM size (MB) - amount of RAM available for caching. It is not recommended that you allocate more than 20% of RAM for caching.

Log Analyzer

Settings of the Log Analyzer module:

  • Status - displays the current status of the statistics service

  • Log analyzer server. Select External server with Log Analyzer (if you have any); otherwise, select Local server.

  • Port - a TCP port on which Log Analyzer is listening

  • Password - authentication string for connecting to Log Analyzer

  • Logs-->Event logs - send the contents of event logs to the Log Analyzer server

  • Logs-->IPS log - send the contents of the IPS log to the Log Analyzer server

  • Logs-->Traffic logs - send the contents of the traffic log to the Log Analyzer server

  • Logs-->Web access log - send the contents of the web access log to the Log Analyzer server

WCCP support

Setup for receiving traffic via WCCP. You can find a detailed description of these settings in chapter WCCP support.

4.2. Device management

The Device management section contains basic parameters of UserGate, such as:

  • Clustering

  • Diagnostics options

  • Server operations

  • Settings export

4.2.1. Clustering and high availability

UserGate supports 2 cluster types:

  1. Configuration cluster. Nodes grouped into a configuration cluster use the same settings applicable within the cluster.

  2. Failover cluster. You can merge up to 4 configuration clusters into a single failover cluster that supports the Active-Active and Active-Passive modes. The system can handle multiple failover clusters.

Certain settings are unique for each cluster node, e.g. network interfaces and IP routing. The following settings are individual for each node in a cluster:

  • Log Analyzer

  • Diagnostics

  • Interfaces

  • Gateways

  • DHCP

  • Routes

  • OSPF

  • BGP

  • VPN

To create a new configuration cluster, perform the following steps:

Step 1. Perform initial configuration on the first node of your cluster

For details, please refer to Initial configuration.

Step 2. On the first node of your cluster, configure a zone with interfaces that will be used for replication of the cluster

In the Zones section, create a new dedicated zone for replication of cluster settings or use an existing one. The following services must be allowed in the zone settings:

  • Administration console

  • Cluster

Do not use zones in which interfaces are connected to untrusted networks or the Internet.

Step 3. Specify the IP address for communication with other nodes of your cluster

In the Device management section, select the current node of your cluster and click Edit. Specify the IP address of the interface from the zone configured on step 2.

Step 4. Generate the Secret code on the first node of your cluster

In the Device management section, click Generate secret code. Then copy the generated code to the Clipboard. This secret code is used for one-time authentication of the second node being added to your cluster.

Step 5. Connect the second node to your cluster

Connect to the web console of the second node in your cluster and select the language that you want to use during installation.

Specify the interface for communication with the first node and assign it an IP address. Both cluster nodes must belong to the same subnet (e.g. the eth2 interfaces of the two nodes have the addresses 192.168.100.5/24 and 192.168.100.6/24); alternatively, specify the IP address of a gateway through which the first cluster node can be reached.

Specify the IP address of the first node configured on step 3, paste the secret code and then click Connect. If IP addresses configured on step 2 in your cluster are valid, then the second node will be added to the cluster and all settings of the first node will be replicated to the second node.

Step 6. Assign zones to interfaces of the second node

In the web console of the second node in your cluster, go to Network - Interfaces and assign a valid zone to each interface. Zones and their settings have been already replicated from the first node of your cluster.

Step 7. Set up the individual parameters for each cluster node (optional).

Set up gateways, routes, OSPF and BGP parameters individually for each node.

You can group up to four configuration clusters into a single failover cluster; the system can handle multiple failover clusters. Two modes are supported: Active-Active and Active-Passive. Active-Passive mode supports synchronization of user sessions for transparent switching of the traffic among nodes.

In the Active-Passive mode, one server works as the Master node and processes the traffic while all other servers are for backup purposes only. You can provide one or more virtual IP addresses for a cluster. Virtual addresses are switched from the Master node to a backup node in the following situations:

  • A backup server cannot get a response from the Master node, e.g. when the Master node is disabled or when the connection is lost.

  • The node is set up to control the Internet access (see Configuring gateways), but none of the configured gateways can reach the Internet.

  • A failure in the UserGate software.

A sample network diagram of a failover cluster in the Active-Passive mode is shown below. The interfaces are set up as follows:

  • Trusted Zone: IP1, IP2, IP3, IP4, and IP cluster (Trusted)

  • Untrusted Zone: IP5, IP6, IP7, IP8, and IP cluster (Untrusted)

  • Cluster Zone: IP9, IP10, IP11, IP12, IP13, IP14. Interfaces in the Cluster zone are used for replication of the settings.

Both cluster IP addresses are assigned to node UTM1. If UTM1 is not available, both cluster IP addresses are moved to the next server, e.g. UTM2, which becomes the new Master node.

[Image: network diagram of a failover cluster in the Active-Passive mode]

In the Active-Active mode, one server works as the Master node and distributes the traffic among all other cluster nodes. Since the cluster's IP address is assigned to the Master node, the Master node responds to ARP requests from clients. By answering with the MAC addresses of the failover cluster nodes in turn, the Master node spreads the traffic across all cluster nodes while keeping each user session on one node. You can provide one or more virtual IP addresses for a cluster. The Master node role can be reassigned to a backup node in the following situations:

  • A backup server cannot get a response from the Master node, e.g. when the Master node is disabled or when the connection is lost.

  • The node is set up to control the Internet access (see Configuring gateways), but none of the configured gateways can reach the Internet.

  • A failure in the UserGate software.

A sample network diagram of a failover cluster in the Active-Active mode is shown below. The interfaces are set up as follows:

  • Trusted Zone: IP1, IP2, IP3, IP4, and IP cluster (Trusted)

  • Untrusted Zone: IP5, IP6, IP7, IP8, and IP cluster (Untrusted)

  • Cluster Zone: IP9, IP10, IP11, IP12, IP13, IP14. Interfaces in the Cluster zone are used for replication of the settings (support of the configuration cluster).

Both cluster IP addresses are assigned to node UTM1. If UTM1 is not available, both cluster IP addresses are moved to the next server, e.g. UTM2, which becomes the new Master node.

[Image: network diagram of a failover cluster in the Active-Active mode]

Important! For correct traffic processing, a user's session must always stay on the same cluster node, i.e. traffic from the client to the server and from the server back to the client must always pass through the same cluster node. The easiest way to achieve this is to configure NAT from the client network to the server network (NAT from the Trusted zone to the Untrusted zone).

To create a new high-availability cluster, perform the following steps:

Name

Description

Step 1. Create a new configuration cluster

Create a new cluster as described above.

Step 2. On both nodes of your cluster, set up the zones with interfaces that you want to use in the high-availability cluster.

In the Zones section, enable the VRRP service in the zone settings for all zones where you are going to add a virtual IP address for a cluster (Trusted and Untrusted zones on the above diagrams).

Step 3. Add nodes of your cluster to the high-availability VRRP cluster

In the Device management - High availability cluster section, click Add and specify the High-availability cluster parameters.

Step 4. Specify the virtual IP address for auth.captive, logout.captive, block.captive, ftpclient.captive

If you are going to set up authentication via the captive portal, then make sure that the system names of auth.captive, logout.captive, block.captive, ftpclient.captive are resolved into the IP address that you have previously configured as the virtual address of your cluster. For more details refer to General settings section of this Guide.

Failover cluster parameters:

Name

Description

On

Enables or disables the failover cluster

Name

Name of the failover cluster

Description

Description of the failover cluster

Cluster mode

Failover cluster mode:

  • Active-Active - the workload is distributed among all cluster nodes

  • Active-Passive - the workload is processed by the Master node and is moved to a backup node only when the Master node is not available

Sessions sync

Enables the synchronization mode for user sessions across all nodes in the failover cluster. Enabling this option makes the transition of users among devices more transparent for them, but significantly increases the workload on the UserGate platform. This applies only to the Active-Passive mode of a cluster.

Multicast identifier of the cluster

You can create multiple failover clusters within a single configuration cluster. This parameter defines a multicast address that will be used for synchronization of sessions. Make sure to set a unique identifier for each group of failover clusters that requires synchronization of sessions.

Virtual router identifier (VRID)

A virtual router identifier must be unique for each VRRP cluster in a local area network. If you don't have any third-party VRRP clusters in your network, leave the default value.

Nodes

Here you can select which configuration cluster nodes you want to merge into a failover cluster. In addition, you can also assign the Master server role to a node of your choice.

Virtual IP addresses

Here you can assign virtual IP addresses and match them with the cluster node interfaces.

4.2.2. Diagnostics

In this section, you can set up server diagnostic parameters that may be requested by the UserGate support team for troubleshooting.

Name

Description

Diagnostics details

  • Off - disable diagnostic logs

  • Error - log only server errors

  • Warning - log only errors and warnings

  • Info - log only errors, warnings and additional information

  • Debug - very detailed logging

It is recommended that you set the Diagnostics details to Error (only errors) or Off (disabled) until the UserGate support team asks you to set another value. Any values other than Error (only errors) and Off (disabled) may significantly reduce performance of UserGate.

Diagnostics logs

  • Download logs - download diagnostic logs that may be requested by the UserGate support service.

  • Clear logs - delete the content of all logs.

Remote assistance

  • On/Off - enable or disable the remote assistant mode. Using the remote assistant, engineers of the UserGate support service can securely connect to your UserGate server for diagnostics or troubleshooting based on the remote assistant identifier and token. For successful activation of the remote assistant, UserGate will need access to the remote assistant server by SSH.

  • Remote assistant identifier - randomly assigned value. This value is unique for each remote assistant session.

  • Remote assistant token - randomly assigned token value. This value is unique for each remote assistant session.

4.2.3. Server operations

This section allows you to perform the following server operations:

Name

Description

Maintenance actions

  • Reboot - reboot the UserGate server

  • Shut down - shut down the UserGate server

Update channel

Sources of UserGate updates

  • Stable - check for stable versions of the software

  • Beta - check for beta versions of the software.

UserGate always does its best to deliver the top-quality software and regularly issues UserGate updates for all subscribers of the Security Update licensing module (for details on licensing, please refer to UserGate licensing). Once a new update is available, the system will display the corresponding notification in the Device management section. Since installing UserGate updates may take some time, it is recommended that you schedule it beforehand to avoid unplanned downtimes.

To install updates, perform the following steps:

Name

Description

Step 1. Create a new backup file

Make a backup of UserGate's current state as described in Backing up and restoring initial settings. It is recommended that you perform this step before each update, so that you could recover the system in case of any faults during installation of updates.

Step 2. Install updates

In the Device management section, find the Updates are available notification and click Install now. Once all the downloaded updates are installed, UserGate will reboot.

Important! In order to update the configuration cluster nodes, make sure that all nodes are enabled and available when the first node is being updated. Nodes that are not available when the first node is being updated must be added to the cluster again after updates.

4.3. Exporting and importing settings

Network administrators can save the UserGate's current settings and then restore them on the same or another UserGate server. Unlike the backup procedure, exporting/importing of settings will save only the current parameters rather than the current state of all system components.

Important! Exporting/importing settings will not restore the cluster's state, network interfaces settings and licensing information. Once the import procedure is finished, register UserGate with your PIN again, configure network and re-create the cluster if necessary.

To export settings, perform the following steps:

Name

Description

Step 1. Export the settings

In the Device management section, click Settings export --> Export. The system will save the current settings of your server to the file called "database.bin".

To apply the previously created settings, perform the following steps:

Name

Description

Step 1. Import the settings

In the Device management section, click Settings export --> Import and then browse to the previously created configuration file. Once the specified settings are applied to the server, the server will reboot.

In addition, administrators can set up a schedule to export the settings to external servers (FTP, SSH). To create a schedule for exporting the settings, perform the following steps:

Name

Description

Step 1. Create a new export rule.

In the Device management section, click Settings export --> Add and then provide the name and description of a new rule.

Step 2. Provide the remote server parameters.

Select the Remote server tab and specify the following parameters of the remote server:

  • Server type - FTP or SSH

  • Server address - IP address of the server

  • Port - port of the server

  • User name - account on a remote server

  • Password/Password confirmation - password for the account

  • Server path - a path on the server to which the settings will be exported

Step 3. Select an export schedule.

On the Schedule tab, specify when you want the settings to be sent. If you want to set time in the CRONTAB format, use the following rules:

(minutes:0-59) (hours:0-23) (days of month:0-31) (month:0-12) (days of week:0-6, 0-Sunday)

Each of the five fields can be specified in the following way:

  • Asterisk (*) - denotes the whole range (from the first element to the last one);

  • Hyphen (-) - denotes a numeric range. For example, "5-7" stands for 5, 6 and 7;

  • Lists. These are numbers (or ranges) separated with commas. Example: "1,5,10,11" or "1-11,19-23";

  • Step values. An asterisk or a range may be followed by a slash (/) and a step, which selects every n-th element of the range. For example, "2-10/2" stands for "2,4,6,8,10", and "*/2" in the "hours" field means "every two hours".
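As an added example (not from the UserGate guide), the following POSIX shell functions implement the field rules above: cron_expand turns one field into the values it denotes, and cron_matches checks a five-field schedule against a time. It assumes the standard cron bounds for an asterisk (minute 0-59, hour 0-23, day of month 1-31, month 1-12, day of week 0-6) and, as the rules above describe, accepts a step only after an asterisk or a range.

```shell
#!/bin/sh
# Added example, not part of the UserGate guide: expand one CRONTAB field and
# test whether a given time matches a five-field schedule, using the rules
# above (asterisk, "a-b" ranges, comma lists, "/step" after an asterisk or range).
# Assumed bounds for '*': minute 0-59, hour 0-23, day of month 1-31,
# month 1-12, day of week 0-6 (the standard cron bounds).
set -f   # schedule fields contain '*'; never let the shell expand it as a glob

# cron_expand SPEC LOW HIGH -> prints the ascending values SPEC denotes,
# separated by spaces; returns 1 if SPEC is malformed or out of range.
cron_expand() {
    spec=$1 low=$2 high=$3 out=""
    old_ifs=$IFS; IFS=','; set -- $spec; IFS=$old_ifs   # split the comma list
    for item in "$@"; do
        step=1; base=$item
        case $item in */*) step=${item#*/}; base=${item%%/*} ;; esac   # "x/step"
        case $base in
            '*') start=$low; end=$high ;;                 # whole range
            *-*) start=${base%-*}; end=${base#*-} ;;      # numeric range "a-b"
            *)   start=$base; end=$base                   # single value
                 [ "$step" = 1 ] || return 1 ;;           # a step needs '*' or a range
        esac
        [ -n "$start" ] && [ -n "$end" ] && [ -n "$step" ] || return 1
        case "$start$end$step" in *[!0-9]*) return 1 ;; esac   # digits only
        [ "$start" -ge "$low" ] && [ "$end" -le "$high" ] \
            && [ "$start" -le "$end" ] && [ "$step" -ge 1 ] || return 1
        v=$start
        while [ "$v" -le "$end" ]; do
            out="$out $v"; v=$((v + step))
        done
    done
    # list items may overlap or be unordered: emit each value once, ascending
    printf '%s\n' $out | sort -n -u | paste -s -d ' ' -
}

# in_list VALUE "LIST" -> 0 if VALUE is one of the space-separated LIST
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# cron_matches "MIN HOUR DOM MON DOW" "min hour dom mon dow" -> 0 if the time
# (five numbers, no leading zeros) satisfies every field of the schedule
cron_matches() {
    set -- $1 $2                 # $1..$5 schedule fields, $6..$10 time components
    [ $# -eq 10 ] || return 2
    in_list "$6" "$(cron_expand "$1" 0 59)" && in_list "$7" "$(cron_expand "$2" 0 23)" \
        && in_list "$8" "$(cron_expand "$3" 1 31)" && in_list "$9" "$(cron_expand "$4" 1 12)" \
        && in_list "${10}" "$(cron_expand "$5" 0 6)"
}

# Demo: the guide's "*/2" hours example, and an export at 18:00 on the 15th
echo "hours */2 -> $(cron_expand '*/2' 0 23)"
cron_matches '0 */6 1,15 * *' '0 18 15 9 4' && echo "schedule matches"
```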

4.4. Managing access to the UserGate console

You can manage access to the UserGate web console using additional accounts of network administrators, roles, password management policies and zone-based access permissions. As an additional security measure, authentication to the web console can be based on administrators' certificates.

Important! During the initial configuration, UserGate creates the superuser called Admin.

To create additional accounts of network administrators for the device, perform the following:

Name

Description

Step 1. Create a new administrator’s profile

In the Device management section, go to Administrator profiles, click Add and set the required permissions.

Step 2. Create a new administrator account and assign it one of the profiles created earlier

Go to Administrators, click Add and select one of the following options:

  • Add a local administrator - create a local user, set an access password and assign them the previously created access profile

  • Add an LDAP user - add a user from the existing domain. This requires a valid LDAP connector set up in Authentication servers. For access to the administration console, the credentials must be entered in the user@domain format. Assign the administrator profile created earlier.

  • Add an LDAP group - add a user group from the existing domain. This requires a valid LDAP connector set up in Authentication servers. For access to the administration console, the credentials must be entered in the user@domain format. Assign the administrator profile created earlier.

Provide the following parameters when creating a new access profile for administrators:

Name

Description

Name

Name of the profile

Description

Description of the profile

API permissions

The list of objects that are available for access delegation through an application programming interface (API). These objects are described in the API documentation. The following access options are available:

  • No access

  • Read only

  • Read and write

Web console permissions

The list of web console tree objects that are available for delegation. The following access options are available:

  • No access

  • Read only

  • Read and write

CLI permissions

Grants access to the CLI. The following access options are available:

  • No access

  • Read only

  • Read and write

An administrator can set up additional security parameters for the accounts of other network administrators, such as password complexity and blocking of accounts after multiple failed attempts to log in to the system.

To set up these parameters, perform the following:

Name

Description

Step 1. Configure the password policy

In the Device management section, go to Administrators and click Configure.

Step 2. Fill in the necessary fields

Fill in the following mandatory fields:

  • Strong password - enables additional password complexity requirements, such as the number of uppercase and lowercase characters, digits and special characters, the total password length, etc.

  • Number of invalid auth attempts - total number of unsuccessful attempts to log in to the administrator's account after which this account will be blocked for Block time

  • Block time - period for which the account will be blocked

The administrator can also specify the zones from which the web console will be accessible (via TCP port 8001).

Important! It is not recommended that you permit access to the web console from zones connected to untrusted networks or to the Internet.

To enable access to the web console for a certain zone, go to the zone properties and enable the Administration console in the access control section. For more details on how to set up the access control for zones, please refer to the Configuring zones section.

An additional security measure is authentication to the web console using administrator certificates. To enable this mode, perform the following steps (openssl utility commands are shown as an example):

Name

Description

Step 1. Create a new administrator’s account

Create the account as described above in this chapter, e.g. an account for Administrator54.

Step 2. Create or import an existing certificate of the “Web console auth CA” type

Create or import an existing certificate (only the public key is required) of the “Web console auth CA” type in accordance with the instructions in the Managing certificates section.

To create a certificate with openssl, use the following commands:
openssl req -x509 -subj '/C=UK/ST=London/O=MyCompany/CN=ca.mycompany.com' -newkey rsa:2048 -keyout ca-key.pem -out ca.pem -nodes
openssl rsa -in ca-key.pem -out ca-key.pem

The file ca-key.pem contains the private key, and ca.pem the certificate (public key). Import ca.pem into UserGate.

Step 3. Create certificates for administrators

Create certificates for administrators using third-party utilities. The Common Name field must exactly match the name of the administrator account as it was created in UserGate in step 1.

Example for openssl and user Administrator54:
openssl req -subj '/C=UK/ST=London/O=MyCompany/CN=Administrator54' -out admin.csr -newkey rsa:2048 -keyout admin-key.pem -nodes

Step 4. Sign administrators’ certificates using the web console auth CA certificate created in step 2

Using third-party utilities, sign the administrators' certificates with the web console auth CA certificate created in step 2.

Example for openssl and user Administrator54:
openssl x509 -req -days 9999 -CA ca.pem -CAkey ca-key.pem -set_serial 1 -in admin.csr -out admin.pem
openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out admin.p12 -name 'Administrator54 client certificate'

The file admin.p12 contains the signed certificate and private key of Administrator54.

Step 5. Add the signed certificates to the OS that administrators will use to log in to the web console

Add the signed certificates to the operating system (or to the Firefox browser, if it will be used to manage UserGate) that administrators will use to log in to the web console. For details, please refer to the manual for your OS.

Step 6. Switch web console authentication mode to X.509 Certificate

In General settings, change the Web console authentication mode to X.509 Certificate.

Important! You can also switch the web console authentication mode using CLI commands.
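The following script is an added example, not code from the guide: it performs steps 2 to 4 with openssl for a constructed account Administrator54 and then checks, before the certificate is imported and the mode is switched, that the certificate chains to the web console auth CA and that its Common Name equals the account name. It assumes the openssl command-line tool; -CAcreateserial is used instead of -set_serial 1 so that each administrator certificate gets a distinct serial number.

```shell
#!/bin/sh
# Added example (not UserGate's own code): create the web console auth CA and
# an administrator certificate as in steps 2-4, then check what UserGate relies
# on: the certificate chains to the CA and its CN is exactly the account name.
# Assumes the openssl command-line tool; all names and subjects are constructed.
set -e

# make_ca DIR -> DIR/ca.pem (the public part to import as "Web console auth CA")
#                and DIR/ca-key.pem (stays with whoever signs administrator certs)
make_ca() {
    openssl req -x509 -days 3650 -subj '/C=UK/ST=London/O=MyCompany/CN=ca.mycompany.com' \
        -newkey rsa:2048 -keyout "$1/ca-key.pem" -out "$1/ca.pem" -nodes 2>/dev/null
}

# make_admin_cert DIR ACCOUNT -> DIR/ACCOUNT.pem, DIR/ACCOUNT-key.pem, DIR/ACCOUNT.p12
# The CN is set to the account name, which is what UserGate matches against.
make_admin_cert() {
    openssl req -new -subj "/C=UK/ST=London/O=MyCompany/CN=$2" -newkey rsa:2048 \
        -keyout "$1/$2-key.pem" -out "$1/$2.csr" -nodes 2>/dev/null
    # -CAcreateserial keeps a counter in DIR/ca.srl so every administrator
    # certificate gets its own serial number (X.509 requires serials to be
    # unique per issuer; signing every administrator with -set_serial 1 is not).
    openssl x509 -req -days 365 -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
    # PKCS#12 bundle for import into the administrator's OS or browser (step 5);
    # the export password "changeit" is a placeholder
    openssl pkcs12 -export -in "$1/$2.pem" -inkey "$1/$2-key.pem" -out "$1/$2.p12" \
        -name "$2 client certificate" -passout pass:changeit 2>/dev/null
}

# cert_cn CERT -> prints the Common Name of CERT's subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_serial CERT -> prints the serial number (must differ between administrators)
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# check_admin_cert CERT CA ACCOUNT -> 0 only if CERT chains to CA and CN == ACCOUNT
check_admin_cert() {
    if ! openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo "$1: does not chain to $2" >&2; return 1
    fi
    cn=$(cert_cn "$1")
    if [ "$cn" != "$3" ]; then
        echo "$1: CN '$cn' does not match account '$3'" >&2; return 1
    fi
    echo "$1: OK (CN=$cn, serial $(cert_serial "$1"))"
}

# Demo: one CA, two administrators; the check passes only for the matching account
D=$(mktemp -d)
make_ca "$D"
make_admin_cert "$D" Administrator54
make_admin_cert "$D" Administrator55
check_admin_cert "$D/Administrator54.pem" "$D/ca.pem" Administrator54
check_admin_cert "$D/Administrator54.pem" "$D/ca.pem" Administrator55 || echo "rejected as expected"
```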

In Administrators --> Administrator sessions, you can view all administrators who are currently logged in to the administration web console of UserGate. You can terminate (close) any session when necessary.

4.5. Managing certificates

UserGate uses the secure HTTPS protocol for managing devices. It is able to intercept/decrypt transit SSL traffic (HTTPS, SMTPS, POP3S) and to authenticate administrators based on their certificates.

This UserGate functionality is based on SSL certificates:

Name

Description

Web console SSL certificate

This certificate is used by network administrators for establishing secure HTTPS connections with the UserGate web console.

Captive portal SSL certificate

This certificate ensures secure HTTPS connections to the login page of the Captive portal for users, display of the block page and logout page on the Captive portal, and the proper operation of FTP Proxy. This certificate must be issued with the following parameters:

  • Subject name - provide the value configured for the Captive portal auth domain as set in the General settings section

  • Alternative names - provide all domains for which this certificate should be used as shown in General settings:
    - Captive portal auth domain
    - Captive portal logout domain
    - Block page domain
    - FTP over HTTP domain
    - Domain for web portal in web portal properties
By default, the system uses the certificate signed with an SSL inspection certificate that was issued for domain "auth.captive" with the following parameters:
- Subject name = auth.captive
- Alternative names = auth.captive, logout.captive, block.captive, ftpclient.captive, sslvpn.captive

If the administrator has not supplied their own certificate for this role, UserGate automatically re-issues this certificate whenever the system administrator changes any domain listed in General settings (i.e. the domains for auth.captive, logout.captive, block.captive, ftpclient.captive, sslvpn.captive).

SSL decrypt certificate

This is a CA certificate. It is used for creating SSL certificates of Internet hosts for which the HTTPS, SMTPS, POP3S traffic should be decrypted. For example, when decrypting the HTTPS traffic from yahoo.com, the original certificate with
Subject name = yahoo.com
Issuer name = VeriSign Class 3 Secure Server CA - G3
is replaced with one having
Subject name = yahoo.com
Issuer name = the company name specified in the CA certificate used in UserGate.

This certificate is also used for generating default certificates for the SSL Captive portal role.

SSL inspection intermediate CA

This certificate can be used in organizations where SSL inspection certificates are issued by a chain of certification authorities. Note that only public keys are required.

SSL inspection (root)

The root certificate in the certification authority chain that was used for issuing the SSL inspection certificate. Only the public key of the certificate is required for proper operation.

User certificate

The certificate assigned to a user by UserGate. A user can be either created locally or obtained from LDAP. The certificate can be utilized for user authentication when accessing published resources according to the Reverse proxy rules.

Web console auth CA

Certificate authority certificate for authenticating administrators to the web console in the X.509 certificate authentication mode. Administrators' certificates must be signed with this certificate.

SAML server

The certificate is necessary for interaction between UserGate and the SSO SAML IDP server. For details on how to set up interaction between UserGate and the SAML IDP authentication server, please refer to the corresponding section of the Guide.

Web portal

The certificate used for the web portal. When this certificate is not specified explicitly, UserGate applies the certificate of the SSL Captive portal issued on the basis of the SSL inspection certificate. For more details on how to set up web portal, please refer to the corresponding section of the Guide.

Though you can create multiple certificates of the type “web console SSL”, “Captive portal SSL certificate” and “SSL decrypt certificate”, only one certificate of each type can be used at a time. The system can store multiple certification authority certificates for web console authentication and use any of them when checking authenticity of administrator certificates.

To create a new certificate, perform the following steps:

Name

Description

Step 1. Create a new certificate

Click Generate --> New certificate in the Certificates section.

Step 2. Fill in the necessary fields

Fill in the following mandatory fields:

  • Name - name of the certificate that will be shown in the list of certificates

  • Description - certificate’s description

  • Country - specify the country in which you want to issue the certificate

  • Region or state - specify the region or state in which you want to issue the certificate

  • City - specify the city in which you want to issue the certificate

  • Company name - specify the name of the company for which you want to issue the certificate

  • Common name - specify the name of the certificate. For compatibility with most web browsers, it is recommended that you use only Latin letters

  • E-mail - specify the e-mail address of your company

Step 3. Set the type of created certificate

Once the certificate is created, you need to set its type or decide what the certificate’s roles should be. Select the created certificate in the list and press the Edit button. Set the certificate’s type (“web console SSL”, “SSL inspection” or “web console auth CA”). If you selected “web console SSL”, UserGate will restart the web console to apply the changes. The SSL inspection certificate will begin to work immediately. For more details about SSL decryption, please refer to SSL inspection.

In UserGate, you can export the internally created certificates or import certificates from other systems, e.g. from the trusted certification authority of your company.

To export a certificate, perform the following steps:

Name

Description

Step 1. Select a certificate for exporting

Select the desired certificate in the list of certificates.

Step 2. Export the selected certificate

Select the type of export:

  • Export certificate - exports the certificate (public key) in the PEM format without its private key. Use this file to install a trusted root certificate on every workstation. For more details, please refer to Appendix 1: Installing a certificate issued by the local certification authority.

  • Export CSR - exports CSR of a certificate, e.g. in order to sign it in the certification authority.

Important! It is recommended that you save the certificate and its private key for backup purpose.

Important! For security reasons, UserGate does not allow exporting private keys of certificates.

Important! Users can download the SSL decrypt certificate directly from UserGate via the link:
http://UserGate_IP:8002/cps/ca

To import an existing certificate, you should have the certificate's public and optionally private key and then perform the following:

Name

Description

Step 1. Start the import

Click the Import button.

Step 2. Fill in the necessary fields

Fill in the following fields:

  • Name - name of the certificate as will be shown in the list of certificates

  • Description - certificate’s description

  • Upload a file containing the certificate's data

  • Upload a file containing the certificate's private key

4.5.1. Creating SSL inspection certificates based on company’s CA

If one or more certification authorities are already set up in your organization, you can use a certificate issued by your internal CA as the SSL inspection certificate. If your internal CA is trusted by all business users, SSL inspection will happen seamlessly and users will not be warned about substituted SSL certificates.

Let’s consider an example. Suppose that your organization has an internal CA which is based on Microsoft Enterprise CA and integrated with Active Directory, as shown in the picture below.

[Image: internal CA hierarchy based on Microsoft Enterprise CA (Root CA, Sub CA1, Sub CA2) integrated with Active Directory]

A new CA-type certificate must be issued for UserGate by Sub CA2 and then configured as your SSL inspection certificate.

Important! UserGate does not support the rsassaPss signature algorithm. Make sure it is not used anywhere in the certificate chain used to create the SSL decrypt certificate.

To do this perform the following steps:

Step

Description

Step 1. Generate a CSR request for creation of a new certificate in UserGate

Select Generate-->New CSR, fill in the necessary fields and then generate a new CSR. The system will create a private key and a request file. Click Export to download this file.

Step 2. Create a new certificate based on this CSR

Using Microsoft CA, create a new certificate based on the downloaded CSR file, either by running the certreq utility (certreq.exe -submit -attrib "CertificateTemplate:SubCA" HTTPS_csr.pem) or via the web console of Microsoft CA. For more details, please refer to Microsoft’s documentation. As a result, you will obtain a new certificate (public key) signed by Sub CA2.

Step 3. Download the resulting certificate

Download the certificate (public key) from the web console of Microsoft CA.

Step 4. Upload the certificate to the previously created CSR

In UserGate, select the CSR you’ve previously created and then click Edit. Upload the certificate file and click Save.

Step 5. Specify the certificate as your SSL inspection certificate

In UserGate, select the CSR you’ve previously created and then click Edit. In the Use as field, choose SSL decrypt certificate.

Step 6. Download certificates for the intermediary CAs (Sub CA1 and Sub CA2)

In the web console of Microsoft CA, select and download certificates (public keys) for Sub CA1 and Sub CA2.

Step 7. Upload the certificates for Sub CA1 and Sub CA2 to UserGate

Click Import to add the downloaded certificates for Sub CA1 and Sub CA2 into UserGate.

Step 8. Specify the certificates for Sub CA1 and Sub CA2 as your intermediary SSL inspection certificates

In UserGate, select the uploaded certificates and click Edit. In the Use as field, choose SSL intermediate decrypt certificate for both these certificates.

Step 9. Upload a Root CA certificate to UserGate (optional)

Click Import to upload a root certificate of your organization to UserGate. Click Edit and select Currently used - SSL inspection (root).
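As an added example (not the guide's code), the script below reproduces the chain from the picture with openssl instead of Microsoft CA (a constructed Root CA, Sub CA1, Sub CA2 and the UserGate CA certificate) and runs the two checks worth doing before steps 4 to 9: the UserGate certificate verifies against the root through both intermediates, and no certificate in the chain is signed with rsassaPss. It assumes the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not part of the UserGate guide: build Root CA -> Sub CA1 ->
# Sub CA2 -> UserGate SSL decrypt CA with openssl, then verify the chain the
# way UserGate will need it (root + both intermediates) and confirm that no
# certificate uses the rsassaPss signature. All names and subjects are constructed.
set -e

# make_root DIR NAME -> self-signed root CA NAME.pem / NAME-key.pem in DIR
make_root() {
    openssl req -x509 -days 3650 -subj "/O=MyCompany/CN=$2" -newkey rsa:2048 \
        -keyout "$1/$2-key.pem" -out "$1/$2.pem" -nodes 2>/dev/null
}

# issue_ca DIR NAME ISSUER -> CA certificate NAME signed by ISSUER, with the
# extensions a SubCA template gives (basicConstraints CA:TRUE, keyCertSign)
issue_ca() {
    openssl req -new -subj "/O=MyCompany/CN=$2" -newkey rsa:2048 \
        -keyout "$1/$2-key.pem" -out "$1/$2.csr" -nodes 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca-ext.cnf"
    openssl x509 -req -days 1825 -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3-key.pem" \
        -CAcreateserial -extfile "$1/ca-ext.cnf" -out "$1/$2.pem" 2>/dev/null
}

# cert_sig_alg CERT -> the signature algorithm name, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# sig_alg_supported ALG -> 1 for RSASSA-PSS (printed as rsassaPss by openssl), else 0
sig_alg_supported() {
    case $1 in rsassaPss|RSASSA-PSS|RSA-PSS) return 1 ;; esac
    return 0
}

# chain_verify DIR LEAF ROOT [INTERMEDIATE...] -> 0 if LEAF chains to ROOT through
# the intermediates, i.e. the set UserGate holds after steps 5, 8 and 9
chain_verify() {
    dir=$1 leaf=$2 root=$3; shift 3
    : > "$dir/untrusted.pem"
    for i in "$@"; do cat "$dir/$i.pem" >> "$dir/untrusted.pem"; done
    set --
    [ -s "$dir/untrusted.pem" ] && set -- -untrusted "$dir/untrusted.pem"
    openssl verify -CAfile "$dir/$root.pem" "$@" "$dir/$leaf.pem" 2>/dev/null | grep -q ': OK$'
}

# chain_check DIR NAME... -> prints each certificate's signature algorithm;
# returns 1 if any of them is one UserGate cannot use
chain_check() {
    dir=$1; shift; rc=0
    for n in "$@"; do
        alg=$(cert_sig_alg "$dir/$n.pem")
        if sig_alg_supported "$alg"; then
            echo "$n: $alg"
        else
            echo "$n: $alg (not supported by UserGate)"; rc=1
        fi
    done
    return $rc
}

# Demo: the hierarchy from the picture, then both checks
D=$(mktemp -d)
make_root "$D" root
issue_ca "$D" subca1 root
issue_ca "$D" subca2 subca1
issue_ca "$D" usergate subca2        # the certificate obtained in steps 2-3
chain_verify "$D" usergate root subca1 subca2 && echo "usergate chains to root via subca1, subca2"
chain_verify "$D" usergate root subca1 || echo "without subca2 (step 8 skipped) the chain is broken"
chain_check "$D" root subca1 subca2 usergate
```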

4.6. Command-line interface (CLI)

In UserGate, you can define basic settings of the device using the command-line interface, or CLI. Using CLI, network administrators can run various diagnostic commands, such as ping, nslookup and traceroute, configure network interfaces and zones as well as reboot/shut down the device.

CLI is especially useful for network diagnostics or when the web console is temporarily unavailable, e.g. due to an invalid IP address or zone access control settings.

You can connect to CLI physically through the standard VGA/keyboard ports (if they are available on UserGate) or a serial port, or remotely via SSH.

To connect to CLI using a monitor and a keyboard, perform the following steps:

Name

Description

Step 1. Connect a monitor and a keyboard to UserGate

Connect a monitor to VGA (HDMI) and a keyboard to USB.

Step 2. Log in to CLI

Log in to CLI using the username and password of the Full Administrator (Admin by default). If UserGate has not been initialized yet, then use the following credentials to access CLI: Admin/utm

To connect to CLI using a serial port, perform the following steps:

Name

Description

Step 1. Connect to UserGate

Connect your PC to UserGate by means of a special cable for serial ports or a USB-Serial adapter.

Step 2. Run the terminal

Run any terminal software supporting serial port connections, e.g. PuTTY for Windows or minicom for Linux. Establish a new serial port connection using the following connection parameters: 115200 8n1

Step 3. Log in to CLI

Log in to CLI using the username and password of the Full Administrator (Admin by default). If UserGate has not been initialized yet, then use the following credentials to access CLI: Admin/utm

To connect to CLI remotely via SSH, perform the following steps:

Name

Description

Step 1. Enable access to CLI (by SSH) for the selected zone

Enable access to CLI via the SSH protocol for the zone through which you are going to access CLI. The TCP 2200 port will be opened.

Step 2. Run an SSH terminal

Run an SSH terminal on your PC, e.g. ssh on Linux or PuTTY on Windows. Specify the UserGate address as the address, 2200 as the connection port, and the Full Administrator credentials (Admin by default) as the username and password. On Linux, the connection command looks like this:

ssh Admin@IP-UserGate -p 2200

Step 3. Log in to CLI

Log in to CLI using the password of the user you have specified on the previous step. If UserGate has not been initialized yet, then use the following credentials to access CLI: Admin/utm

Once you have successfully logged in to CLI, you can view the full list of supported commands by entering help. To view a detailed description of a command, use the following syntax:
help command
For example, if you want to view a detailed description of the iface command for configuring network interfaces, type the following:
help iface

The following commands are supported:

Name

Description

help

Displays the full list of available commands

exit, quit, Ctrl+D

Log out of CLI

backup

A set of commands for viewing, deleting and restoring automatically created configuration backups.

backup list - shows the list of existing backups.

backup restore -name NAME - restores the backup with name NAME.

backup delete -name NAME - deletes the selected backup.

cache ldap-clear

Clears the LDAP cache.

code-change-control

A set of commands for viewing and configuring the action taken on unauthorized code changes. The code integrity check runs every time UserGate boots.

code-change-control show - displays the current working mode. By default, tracking of unauthorized changes to the executable code is disabled.

code-change-control set log - activates tracking of unauthorized changes to the executable code. When a change is detected, UserGate records the change details in the event log. This option requires setting a password that will be used for switching to another tracking mode.

code-change-control set block - activates tracking of unauthorized changes to the executable code. This option requires setting a password that will be used for switching to another tracking mode. When a change is detected, UserGate records the change details in the event log and also creates a block rule for the firewall in order to prohibit any transit traffic through UserGate. This firewall rule can be disabled only after deactivation of tracking of unauthorized changes.

code-change-control set off - deactivates tracking of unauthorized changes to the executable code. Requires entering a password that was set during activation of tracking of unauthorized changes.

config-change-control

A set of commands for viewing and configuring the action taken on unauthorized configuration changes. Before activating this control, the administrator should complete the UserGate configuration according to company requirements and then freeze it (set the mode to log or block). Any subsequent change to the configuration will be logged to the event log or, in block mode, logged and transit traffic blocked. The configuration integrity check runs every few minutes.

config-change-control show - shows the current mode. The default value is off.

config-change-control set log - logs unauthorized configuration changes to the event log. Requires setting a password that will be needed to change this setting.

config-change-control set block - blocks traffic on unauthorized change. If UserGate finds any configuration change, it creates a firewall rule that blocks all transit traffic. To disable or remove this firewall rule, the administrator has to disable config-change-control (set it to off).

config-change-control set off - turns config-change-control off. Requires entering the password that was set before.
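The following model, added here as an illustration and not UserGate code, shows the mechanism shared by code-change-control and config-change-control above: a frozen baseline (here a SHA-256 digest of a canonical JSON snapshot), a periodic check that logs a detected change, a block rule added only in block mode, and a password, set when the control is armed, required to leave the armed mode. The configuration dict, the rule text and the password are constructed sample values.

```python
"""Model of the change-control modes (off, log, block) described in the guide."""
import hashlib
import hmac
import json

BLOCK_RULE = "deny all transit traffic (change-control)"   # constructed rule label


class ConfigChangeControl:
    def __init__(self, config):
        self.config = config          # live configuration, a plain dict in this model
        self.mode = "off"             # default value per the guide
        self.baseline = None          # digest of the frozen configuration
        self._pw_hash = None
        self.event_log = []
        self.firewall_rules = []

    @staticmethod
    def digest(config):
        """Canonical JSON (sorted keys, no whitespace) so equal configs hash equally."""
        canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    @staticmethod
    def _pw(password):
        # toy password hashing for the model; a real system uses a salted password hash
        return hashlib.sha256(password.encode()).hexdigest()

    def show(self):
        return self.mode

    def set_mode(self, mode, password):
        """`set log` / `set block` freeze the current configuration and store a
        password; any change away from an armed mode (including `set off`)
        must present that password."""
        if mode not in ("off", "log", "block"):
            raise ValueError(mode)
        if self.mode != "off" and not hmac.compare_digest(self._pw_hash, self._pw(password)):
            self.event_log.append("mode change refused: wrong password")
            return False
        if mode == "off":
            self.mode, self.baseline, self._pw_hash = "off", None, None
            # the block rule can only go away once the control is deactivated
            self.firewall_rules = [r for r in self.firewall_rules if r != BLOCK_RULE]
        else:
            self.mode = mode
            self._pw_hash = self._pw(password)
            self.baseline = self.digest(self.config)   # freeze the configuration
        self.event_log.append(f"change-control set to {mode}")
        return True

    def check(self):
        """The periodic integrity check: log the change and, in block mode, add the
        firewall rule that stops transit traffic until the control is turned off."""
        if self.mode == "off":
            return "off"
        if self.digest(self.config) == self.baseline:
            return "unchanged"
        self.event_log.append("unauthorized configuration change detected")
        if self.mode == "block" and BLOCK_RULE not in self.firewall_rules:
            self.firewall_rules.append(BLOCK_RULE)
        return "changed"


def run_sample():
    """Constructed scenario: arm block mode, alter a rule out of band, observe the
    block rule, fail with a wrong password, then disarm with the right one."""
    ccc = ConfigChangeControl({"firewall": [{"id": 1, "action": "allow"}]})
    steps = {}
    steps["armed"] = ccc.set_mode("block", "s3cret")
    steps["clean"] = ccc.check()
    ccc.config["firewall"][0]["action"] = "deny"      # change made behind the control
    steps["detected"] = ccc.check()
    steps["blocked"] = BLOCK_RULE in ccc.firewall_rules
    steps["wrong_pw"] = ccc.set_mode("off", "guess")
    steps["still_blocked"] = BLOCK_RULE in ccc.firewall_rules
    steps["disarmed"] = ccc.set_mode("off", "s3cret")
    steps["unblocked"] = BLOCK_RULE not in ccc.firewall_rules
    return steps


if __name__ == "__main__":
    print(run_sample())
```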

date

Returns the server’s local time

gateway

A set of commands for viewing and configuring gateway parameters. Type gateway help for more details.

iface

A set of commands for viewing and configuring network interface parameters. Type iface help for more details.

license

Show current license information

netcheck

Command to check connectivity to a specific web site. Usage:

netcheck [-t TIMEOUT] [-d] URL

Available options:

-t - maximum request timeout in seconds

-d - also fetch the response body; if not set, only the headers are fetched.

node

A set of commands for viewing and configuring cluster’s nodes. Type “node help” for more details.

nslookup

Returns the IP address of the specified host

ping

Pings the specified host

proxy

A set of commands for viewing and configuring the HTTP(S) proxy server. It allows you to set parameters such as adding the HTTP headers "Via" and "X-Forwarded-For", as well as the timeouts for connecting to websites and loading content:

  • add_via_enabled – add the Via HTTP header. Disabled by default, which is the recommended value.

  • add_forwarded_enabled – add the X-Forwarded-For HTTP header. Disabled by default, which is the recommended value.

  • http_connection_timeout – the maximum wait time for establishing a connection to a web server. By default: 20 seconds.

  • http_loading_timeout – the maximum wait time for data from a web server. By default: 60 seconds.

  • proxy_host_rfc - allow HTTP/1.1 requests through the proxy that do not carry the "Host" header. This mode contradicts the RFC but is required for compatibility with certain programs. By default the value is "strict" (observe the RFC).

  • fmode_enabled (boolean) - activates fast content loading. It may not be compatible with certain websites. Disabled by default.

  • icap_wait_timeout - the time in seconds the UserGate server will wait for a response from an ICAP server. If no response is received within this time, then, if the Resend and Ignore rule is in effect, UserGate sends the data to the user without modification; if the Resend rule is in effect, UserGate does not send the data to the user. The default value is ten seconds.

  • smode_enabled (boolean) – enables SYN Proxy mode. Disabled by default.

  • legacy_ssl_enabled (boolean) – disables decryption support for TLSv1.3. If this mode is enabled, UserGate supports TLSv1.0-TLSv1.2 only; if it is disabled, TLSv1.0-TLSv1.3 are all supported. Disabled by default.

Changing the default values is not recommended. Type proxy help for more details.

radmin

A set of commands for viewing and configuring remote access to the UserGate nodes for the UserGate technical support team. Type “radmin help” for more details

radmin_e

A set of commands for viewing and configuring remote access for the UserGate technical support team when the appliance is in a hung state. Type “radmin help” for more details

reboot

Reboot the UserGate server

route

Create, edit, delete routes

shutdown

Shuts down the UserGate server

telemetry

A set of commands for viewing and configuring telemetry mode. Telemetry makes it possible to send anonymous statistical data to the UserGate team for analysis and product improvement. This data includes information such as the popularity of Web resources, uncategorized websites, virus attacks, IDPS events, and malware activity. Telemetry is enabled by default.

telemetry show – shows current status

telemetry set -enabled true – enables telemetry

telemetry set -enabled false – disables telemetry

traceroute

Trace a connection up to the specified host

usersession

Command to drop a specific user’s session (force the user to log out).

usersession terminate -ipv4 IP_ADDRESS - terminate session using IP address of client

webaccess

A set of commands for viewing and configuring the web console’s authentication mode. You can use this command to revert back from the X.509 certificate mode to the Login and password mode.

zone

A set of commands for viewing and configuring zone parameters. Type zone help for more details.

4.7. Backing up and restoring initial settings

In UserGate, you can easily back up the current system state and restore it when necessary. This backup contains a snapshot of the UserGate file system as of the time the backup was created. When recovering from such a backup, UserGate is rolled back to the state it was in when the backup was created. This feature is especially useful when critical changes are applied to the system, such as installing UserGate updates. It is recommended that you make backups of your data regularly.

To create a new backup, perform the following steps:

Name

Description

Step 1. Connect to the server console

Connect a monitor to the VGA (HDMI) port and a keyboard to a USB port (if these ports are available on the device), or connect your PC to the serial port of UserGate using a suitable cable or USB-to-serial adapter. Run any terminal application that supports serial port connections, e.g. PuTTY on Windows, and open a serial connection with the following parameters: 115200 8n1

Step 2. Reboot the device

In the Device management - Server operations section of the web console, click Reboot.

Step 3. Select the backup management menu while the system is rebooting

While the device is booting, select Support menu and then Create backup.

The boot menu is not shown if you are connected via the serial port. To open the Support menu, press “4” while the device is booting. To select Create backup, press “C”, then Enter.

Step 4. Make a backup

Insert a flash drive into the USB port of UserGate. The server will format the flash drive and then save the current system state to it. Once the procedure is finished, the server will reboot.

To restore the previous system state from a backup, perform the following:

Name

Description

Step 1. Connect to the server console

Connect a monitor to the VGA (HDMI) port and a keyboard to a USB port (if these ports are available on the device), or connect your PC to the serial port of UserGate using a suitable cable or USB-to-serial adapter. Run any terminal application that supports serial port connections, e.g. PuTTY on Windows, and open a serial connection with the following parameters: 115200 8n1

Step 2. Reboot the device

In the Device management - Server operations section of the web console, click Reboot.

Step 3. Select the backup management menu while the system is rebooting

While the device is booting, select Support menu and then Restore backup.

The boot menu is not shown if you are connected via the serial port. To open the Support menu, press “4” while the device is booting. To select Restore backup, press “R”, then Enter.

Step 4. Restore the system from a backup

Insert a flash drive with the latest backup into the USB port of UserGate. Once the procedure is finished, the server will reboot.

To reset UserGate to default settings, perform the following:

Name

Description

Step 1. Connect to the server console

Connect a monitor to the VGA (HDMI) port and a keyboard to a USB port (if these ports are available on the device), or connect your PC to the serial port of UserGate using a suitable cable or USB-to-serial adapter. Run any terminal application that supports serial port connections, e.g. PuTTY on Windows, and open a serial connection with the following parameters: 115200 8n1

Step 2. Reboot the device

In the Device management - Server operations section of the web console, click Reboot.

Step 3. Select the backup management menu while the system is rebooting

While the device is booting, select Support menu and then Factory reset. Once the procedure is finished, the server will reboot.

The boot menu is not shown if you are connected via the serial port. To open the Support menu, press “4” while the device is booting. To select Factory reset, press “F”, then Enter.

5. Configuring a network

This section describes the basic network settings of UserGate.

5.1. Configuring zones

In UserGate, a zone is a logical grouping of network interfaces. UserGate security policies are based on zones rather than on individual interfaces. This makes security policies more flexible and dramatically simplifies the overall management of high-availability clusters. Note that zones are the same across all cluster nodes, i.e. this is a global setting for the entire cluster.

It is recommended that you group interfaces into zones based on their functionality, e.g. a zone of LAN interfaces, a zone of Internet interfaces, a zone of interfaces with partner networks, etc.

By default, UserGate provides the following zones:

Name

Description

Management

Zone for interfaces connected to trusted networks, allowed for administering UserGate

Trusted

Zone for interfaces connected to trusted networks, e.g. LANs

Untrusted

Zone for interfaces connected to untrusted network, e.g. the Internet

DMZ

Zone for interfaces connected to the DMZ network

Cluster

Zone for interfaces designated for cluster operations

VPN for Site-to-Site

A zone to which all clients connected to UserGate through Site-to-Site VPN are added.

VPN for remote access

A zone to which all clients connected to UserGate through remote access VPN are added.

UserGate administrators can change the default settings of these zones and create additional zones.

Important! Up to 16 zones can be created.

To create a new zone, perform the following steps:

Name

Description

Step 1. Create a new zone

Click Add and specify a name for your zone.

Step 2. Set up the DoS protection parameters (optional)

Specify the following DoS protection parameters in the zone for the TCP (SYN-flood), UDP and ICMP protocols:

  • Alert threshold - once the number of packets from a single IP address exceeds the specified limit, this event is recorded in the system log

  • Drop threshold - once the number of packets from a single IP address exceeds the specified limit, UserGate starts dropping packets from this IP address and records this event in the system log

The recommended values for TCP and UDP are 300 queries per second for the alert threshold and 600 queries per second for the drop threshold. It is also recommended that you enable flood protection on all interfaces except those in the Cluster zone.

When interfaces in the zone handle VoIP or L2TP VPN traffic, make sure to increase the packet drop threshold for UDP.

DoS protection exclusion allows you to set up a range of IP addresses excluded from flood protection. This can be useful, for example, on IP telephony servers that usually send lots of small UDP packets.

Important! UserGate can provide even more granular protection from DoS attacks. For details, please refer to section DoS protection.

Step 3. Set up the access control parameters for the zone (optional)

Specify UserGate services that you want to make available for all clients connected to the zone. It is recommended that you disable all services in zones connected to untrusted networks and the Internet.

The following services are supported:

  • Ping - allows you to ping UserGate

  • SNMP - provides access to UserGate via SNMP (UDP 161)

  • Captive portal and block page - displays the login page of the Captive portal and the blocking page (TCP 80, 443, 8002)

  • Control XML-RPC - allows you to manage the product via API (TCP 4040)

  • Cluster - allows you to merge multiple UserGate nodes into a cluster (TCP 4369, TCP 9000-9100)

  • VRRP - allows you to merge multiple UserGate nodes into a high-availability cluster (IP protocol 112)

  • Administrative console - provides access to the web console (TCP 8001)

  • DNS - provides access to the DNS proxy service (TCP 53, UDP 53)

  • HTTP(S) Proxy - provides access to the HTTP(S) proxy service (TCP 8090)

  • Authentication agent - provides access to the server for Windows authentication agents and terminal servers (UDP 1813)

  • SMTP(S) Proxy - anti-spam and anti-virus filtering service for SMTP traffic. Required only for publishing an email server on the Internet. For more details, please refer to Mail security

  • POP3(S) Proxy - anti-spam and anti-virus filtering service for POP3(S) traffic. Required only for publishing an email server on the Internet. For more details, please refer to Mail security

  • CLI over SSH - provides access for management using CLI (Command-line interface) via TCP 2200

  • VPN - access to the server for L2TP VPN clients (UDP 500, 4500)

  • SCADA - SCADA protocol protection. This option is necessary only for SCADA traffic control. For more details, please refer to SCADA rules.

  • Reverse proxy – reverse proxy service. This option is necessary only if you need to publish resources via reverse proxy. For more details, please refer to Publication of HTTP/HTTPS resources using the reverse proxy.

  • Web portal – Web portal service. This option is necessary only if you need to publish resources via SSL VPN. For more details, please refer to Setting up a web portal.

  • Log analyzer – Log analyzer service. This option is necessary only if you need to use this UserGate server to collect and analyze logs from other UserGate servers.

  • OSPF – dynamic routing protocol OSPF. For more details, please refer to OSPF.

  • BGP – dynamic routing protocol BGP. For more details, please refer to BGP.

Step 4. Set up the IP-spoofing protection (optional)

In an IP spoofing attack, an attacker sends a packet from an external network, e.g. from the Untrusted zone, to an internal network, e.g. the Trusted zone, with the source IP address “spoofed” to one of the addresses of the internal network, so that all responses to this packet go to an internal IP address.

To protect against such attacks, the administrator can specify the network ranges of allowed source IP addresses for a specific zone. Network packets with other source IP addresses will be dropped.

With the Negate option, the administrator can instead specify the network ranges of source IP addresses that are not expected on the zone's network interfaces; network packets with these sources will be dropped.
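The zone protections from Steps 2 and 4 above, modelled in one added example that is not UserGate code: per-IP flood thresholds with alert and drop levels, the DoS protection exclusion list, and IP-spoofing protection with and without Negate. Thresholds are counted per source IP within a one-second window (the guide's recommended 300/600 for TCP and UDP); the ICMP thresholds, the zone networks and the sample traffic are constructed values.

```python
"""Model of UserGate zone flood thresholds, DoS exclusions and anti-spoofing."""
import ipaddress
from collections import defaultdict


class ZoneProtection:
    def __init__(self, thresholds, exclusions=(), allowed_sources=(), negate=False):
        self.thresholds = thresholds            # proto -> (alert, drop) packets per second
        self.exclusions = [ipaddress.ip_network(n) for n in exclusions]
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sources]
        self.negate = negate
        self.counts = defaultdict(int)          # (second, proto, src) -> packets seen
        self.log = []                           # what the system log would record

    @staticmethod
    def _in(ip, nets):
        return any(ip in n for n in nets)

    def spoof_check(self, src):
        """Without Negate, sources outside the allowed networks are dropped;
        with Negate, sources inside the listed networks are dropped."""
        if not self.allowed:
            return "accept"
        inside = self._in(ipaddress.ip_address(src), self.allowed)
        dropped = inside if self.negate else not inside
        if dropped:
            self.log.append(("spoof_drop", src))
            return "drop"
        return "accept"

    def flood_check(self, ts, proto, src):
        """Alert once the per-IP count exceeds the alert threshold; drop (and log)
        once it exceeds the drop threshold. Excluded addresses are never counted."""
        if proto not in self.thresholds or self._in(ipaddress.ip_address(src), self.exclusions):
            return "accept"
        alert, drop = self.thresholds[proto]
        key = (int(ts), proto, src)
        self.counts[key] += 1
        n = self.counts[key]
        if n > drop:
            if n == drop + 1:                   # log the first dropped packet only
                self.log.append(("flood_drop", proto, src))
            return "drop"
        if n == alert + 1:
            self.log.append(("flood_alert", proto, src))
        return "accept"

    def inspect(self, ts, proto, src):
        if self.spoof_check(src) == "drop":
            return "drop"
        return self.flood_check(ts, proto, src)


def run_sample():
    """Constructed traffic against a Trusted zone (10.0.0.0/8 allowed, an IP
    telephony server excluded) and an Untrusted zone that uses Negate."""
    thresholds = {"tcp_syn": (300, 600), "udp": (300, 600), "icmp": (100, 200)}
    trusted = ZoneProtection(thresholds, exclusions=["10.0.5.10/32"],
                             allowed_sources=["10.0.0.0/8"])
    untrusted = ZoneProtection(thresholds, allowed_sources=["10.0.0.0/8"], negate=True)
    results = defaultdict(int)
    # 700 SYNs in one second from one host: 600 accepted (alert after 300), 100 dropped
    for _ in range(700):
        results["syn_" + trusted.inspect(1.0, "tcp_syn", "10.0.1.5")] += 1
    # 700 UDP packets from the excluded IP telephony server: never counted
    for _ in range(700):
        results["voip_" + trusted.inspect(1.0, "udp", "10.0.5.10")] += 1
    # a packet on the internal zone claiming an external source: spoofed, dropped
    results["spoof_" + trusted.inspect(1.0, "tcp_syn", "203.0.113.7")] += 1
    # on the Untrusted zone, Negate drops internal-looking sources and accepts others
    results["neg_internal_" + untrusted.inspect(2.0, "udp", "10.0.1.5")] += 1
    results["neg_external_" + untrusted.inspect(2.0, "udp", "203.0.113.7")] += 1
    results["events"] = trusted.log + untrusted.log
    return results


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, v)
```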

5.2. Configuring interfaces

The interfaces section displays all physical and virtual interfaces available in the system and allows you to change their settings or add new VLAN interfaces. This section contains all interfaces of each node in the cluster. Note that settings of interfaces are node-specific, i.e. they are not global.

Click Edit to change the network interface parameters:

  • Enable or disable the interface

  • Provide the interface type: Layer 3 or Mirror. An interface working in the Layer 3 mode can be assigned an IP address and used in various rules, such as firewall rules or content filtering rules. An interface working in the Mirror mode can obtain and analyze the traffic from SPAN ports of network devices.

  • Assign the interface to a zone

  • Assign Netflow profile to send statistics to Netflow collector

  • Change the physical parameters of the interface - MAC address and MTU size

  • Select the allocation method for IP addresses - static IP address or dynamic IP address obtained by DHCP

  • Configure a DHCP relay on the selected interface. To do this, enable the DHCP relay, specify the IP address of the interface for which you want to add a relay in the UserGate address field and then specify one or more DHCP servers to which you want to forward DHCP queries from clients

Click Add VLAN to add a new virtual adapter and then configure it.

5.2.1. Setting up Netflow

Netflow is a network protocol introduced by Cisco Systems for collecting network traffic statistics. A typical Netflow monitoring setup consists of three main components:

  • Sensor - aggregates packets into flows and exports flow records towards one or more flow collectors.

  • Flow collector - responsible for reception, storage and pre-processing of flow data received from a sensor.

  • Analysis application - analyzes received flow data and prepares reports.

UserGate can act as Netflow sensor. To configure UserGate as a sensor perform the following steps:

Name

Description

Step 1. Create a new Netflow profile

In Libraries --> Netflow profiles click Add and create new profile.

Step 2. Assign Netflow profile to the network interface which should collect traffic statistics

In Network --> Interfaces select required interface, click Edit and assign Netflow profile created on the previous step.

Netflow profile has the following configuration settings:

Name

Description

Name

Name of Netflow profile.

Description

Description of Netflow profile.

Netflow collector IP

IP address of Netflow collector.

Netflow collector port

UDP port of Netflow collector. Default is 2055.

Netflow protocol version

Version of the Netflow protocol to use

Active flow timeout, (sec.)

Export a flow after it has been active for this many seconds. Default value is 1800.

Inactive flow timeout, (sec.)

Export a flow after it has been inactive for this many seconds. Default value is 15.

Maximum flows

Maximum number of flows to account for. This limit protects the sensor from DoS attacks: after it is reached, new flows are not accounted. Default is 2000000; set zero for unlimited.

Send NAT information

Collect and send NAT translation events to the Netflow collector.

Template refresh rate (packets)

The number of packets after which sensor re-sends templates to Netflow collector. Only for Netflow 9/10. Default value is 20.

Timeout to re-send old template (sec.)

Time in seconds after which sensor re-sends old template to Netflow collector. Only for Netflow 9/10. Default value is 1800 seconds.
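A small flow-cache model of the sensor behaviour the profile settings above control, added here as an illustration and not UserGate code: packets are aggregated into flows keyed by protocol, addresses and ports; a flow is exported when it has been active for the active timeout or idle for the inactive timeout; and once Maximum flows entries exist, new flows are refused (0 means unlimited). The timeouts, limit and packets in the sample are constructed values chosen so that each rule fires.

```python
"""Flow cache with active/inactive timeouts and a maximum-flows limit."""
from dataclasses import dataclass


@dataclass
class Flow:
    key: tuple            # (proto, src, dst, sport, dport)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class NetflowSensor:
    # defaults follow the guide: 1800 s active, 15 s inactive, 2000000 flows
    def __init__(self, active_timeout=1800, inactive_timeout=15, max_flows=2_000_000):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.max_flows = max_flows
        self.cache = {}       # key -> Flow currently being accounted
        self.exported = []    # flow records handed to the collector, in order
        self.refused = 0      # new flows not accounted because of max_flows

    def expire(self, now):
        """Export every flow whose active or inactive timeout has elapsed."""
        for key, flow in list(self.cache.items()):
            active_too_long = now - flow.first_seen >= self.active_timeout
            idle_too_long = now - flow.last_seen >= self.inactive_timeout
            if active_too_long or idle_too_long:
                self.exported.append(self.cache.pop(key))
        return len(self.exported)

    def observe(self, ts, proto, src, dst, sport, dport, length):
        """Account one packet; returns False when the flow limit refused it."""
        self.expire(ts)
        key = (proto, src, dst, sport, dport)
        flow = self.cache.get(key)
        if flow is None:
            if self.max_flows and len(self.cache) >= self.max_flows:
                self.refused += 1        # DoS protection: stop accounting new flows
                return False
            flow = self.cache[key] = Flow(key, ts, ts)
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += length
        return True


def run_sample():
    """Constructed trace: two flows fill a 2-entry cache, a third is refused,
    the first flow goes idle and is exported, then runs past the active timeout."""
    sensor = NetflowSensor(active_timeout=60, inactive_timeout=15, max_flows=2)
    a = ("tcp", "10.0.0.1", "10.0.0.2", 40000, 443)
    b = ("udp", "10.0.0.3", "10.0.0.4", 5353, 53)
    c = ("tcp", "10.0.0.5", "10.0.0.6", 40001, 80)
    sensor.observe(0, *a, 100)
    sensor.observe(5, *a, 200)
    sensor.observe(7, *b, 60)
    sensor.observe(10, *c, 40)          # third concurrent flow: refused by max_flows
    for t in range(30, 100, 10):        # a resumes after 25 s idle, then runs 60 s
        sensor.observe(t, *a, 50)
    sensor.expire(200)                  # final idle flush
    return sensor


if __name__ == "__main__":
    s = run_sample()
    for f in s.exported:
        print(f.key, f.packets, f.octets)
    print("refused:", s.refused)
```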

5.2.2. Interface bonding

Click Add a new bond interface to merge multiple physical interfaces into an aggregated logical interface for higher channel throughput or availability. Provide the following parameters when creating a new bond:

Name

Description

Enabled

Enables a bond

Name

Bond name

Node name

A node in the UserGate cluster where a new bond will be created

Zone

A zone to which the bond will belong

Interfaces

One or more interfaces that will be used for creating the bond

Mode

The working mode of the bond must be the same as that of the device to which the bond will be connected. Possible options:

  • Round robin. Packets are sent one by one, starting with the first available interface and ending with the last available interface. This policy is used for better load balancing and failover.

  • Active backup. Only one network interface among the merged interfaces will be active. Another interface will be activated only when the currently active interface goes down. With such a policy, MAC address of a bond interface can be obtained from the outside using only one network port in order to avoid switching issues. This policy is used for failover.

  • XOR. The traffic is distributed among network adapters using the following formula: [("MAC address of the origin" XOR "MAC address of the destination") modulo "number of interfaces"]. This means that the same network adapter sends packets to the same destinations. Optionally, the traffic distribution can also be based on the xmit_hash policy. This XOR policy is used for load balancing and failover.

  • Broadcast. Sends all packets to all network interfaces. This policy is used for failover.

  • IEEE 802.3ad - this is a default working mode supported by most network switches. The system creates aggregated groups of network adapters with the same throughput and duplex. In this mode, packets are sent through all channels in the active aggregate according to IEEE 802.3ad. Which interface to use for sending packets depends on the current policy: by default, it is XOR policy, but the xmit_hash policy is also supported.

  • Adaptive transmit load balancing. The outgoing traffic is distributed depending on load on each network adapter (i.e. download speed) and does not require any additional configuration on the switch. The incoming traffic goes to the current network adapter. In case of its failure, another network adapter will be assigned the MAC address of the failed one.

  • Adaptive load balancing. Includes the above-mentioned policy plus load balancing for the incoming traffic. This option does not require any additional configuration on the switch. The incoming traffic is balanced through ARP communications. The driver captures ARP responses sent from local network adapters to the outside, and then replaces the MAC address of the origin with one of the unique MAC addresses of the network adapters to be bound. As a result, different peers use different MAC addresses of the server. Balancing of the incoming traffic is distributed among interfaces one by one (round-robin).

MII monitoring period (ms)

Sets the frequency of MII monitoring (in milliseconds), i.e. how often the communication line is checked for failures. The default value is 0, which disables MII monitoring.

Down delay (ms)

Sets a delay (in milliseconds) before the interface goes down due to a connection failure. This option is valid only when MII monitoring (miimon) is enabled. Values of this parameter must be divisible by "miimon" values. When a value is not divisible, it will be rounded to the nearest divisible value. The default value is 0.

Up delay (ms)

Sets a delay (in milliseconds) before the interface goes up after connection recovery. This parameter is valid only when MII monitoring (miimon) is enabled. Values of this parameter must be divisible by "miimon" values. When a value is not divisible, it will be rounded to the nearest divisible value. The default value is 0.

LACP rate

Sets the interval of sending LACPDU packets by a partner in the 802.3ad mode. Possible values:

  • Slow - query the partner every 30 seconds on whether to send LACPDU packets

  • Fast - query the partner every second on whether to send LACPDU packets

Failover MAC

Sets how to assign MAC addresses to the merged interfaces in the active-backup mode when switching between the interfaces. The standard behavior is to assign the same MAC address to all interfaces. Possible values:

  • Disabled - the same MAC address is assigned to all interfaces when switching between them

  • Active - the MAC address of the bond interface will always be the same as that of the currently active interface. MAC addresses of the backup interfaces are not changed. The MAC address of the bond interface is changed when handling a failure.

  • Follow - the MAC address of the bond interface will be the same as that of the first interface added to the bond. This MAC address will not be assigned to the second interface and so on while they are in the backup mode. The MAC address is assigned when handling a failure: the backup interface becomes active, obtains a new MAC (the same as of the bond interface) while the previously active interface obtains the MAC that was used by the currently active interface.

Xmit hash policy

Sets the hash policy of sending packets through the merged interfaces in the XOR or IEEE 802.3ad modes. Possible values:

  • Layer 2 - only MAC addresses are used for generating a hash. When this option is enabled, traffic for a certain network host will always be sent through the same interface in accordance with IEEE 802.3ad.

  • Layer 2+3 - both MAC addresses and IP addresses are used for generating a hash in accordance with IEEE 802.3ad.

  • Layer 3+4 - IP addresses and transport layer protocols (TCP or UDP) are used for generating a hash. This option is not fully compatible with IEEE 802.3ad, since both fragmented and non-fragmented packets can be sent within the same TCP or UDP communication. Fragmented packets do not contain origin ports and destination ports. As a result, packets within the same session can be obtained at the destination point in a different order, since they are sent through different interfaces.
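An added illustration (not UserGate or Linux kernel code) of how the XOR mode formula above, (source MAC XOR destination MAC) modulo number of interfaces, and the three xmit hash policies choose an interface. The Layer 2+3 and Layer 3+4 variants fold the IP addresses and ports into the same XOR as an assumption for the sake of the example; the exact kernel hash differs, but the behaviour per policy is what the example shows, including the Layer 3+4 caveat that fragments without ports can leave on a different interface than the rest of the session.

```python
"""Interface selection under the layer2, layer2+3 and layer3+4 bond hash policies."""
import ipaddress

POLICIES = ("layer2", "layer2+3", "layer3+4")


def _mac(mac):
    return int(mac.replace(":", ""), 16)


def _ip(ip):
    return int(ipaddress.ip_address(ip))


def hash_value(policy, pkt):
    """XOR of the fields the policy looks at. Fragments other than the first carry
    no transport ports, so layer3+4 falls back to the IP addresses only (assumed)."""
    macs = _mac(pkt["src_mac"]) ^ _mac(pkt["dst_mac"])
    if policy == "layer2":
        return macs
    ips = _ip(pkt["src_ip"]) ^ _ip(pkt["dst_ip"])
    if policy == "layer2+3":
        return macs ^ ips
    if policy == "layer3+4":
        sport, dport = pkt.get("sport"), pkt.get("dport")
        if sport is None or dport is None:
            return ips
        return ips ^ (sport << 16) ^ dport
    raise ValueError(policy)


def select_interface(policy, pkt, n_interfaces):
    """Index of the bonded interface the packet is sent on."""
    return hash_value(policy, pkt) % n_interfaces


def distribute(policy, packets, n_interfaces):
    """How many of the packets land on each interface."""
    counts = [0] * n_interfaces
    for pkt in packets:
        counts[select_interface(policy, pkt, n_interfaces)] += 1
    return counts


def router_example():
    """Eight hosts reached through one next-hop router (constructed addresses):
    under layer2 every packet shares the router's MAC and lands on one interface,
    while layer2+3 spreads them over both."""
    packets = [{"src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02",
                "src_ip": "10.0.0.1", "dst_ip": f"10.1.0.{k}",
                "sport": 40000, "dport": 443} for k in range(1, 9)]
    return distribute("layer2", packets, 2), distribute("layer2+3", packets, 2)


def fragment_example():
    """One TCP session: the first fragment carries ports, a later one does not,
    so only layer3+4 can send the two over different interfaces."""
    first = {"src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02",
             "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "sport": 40000, "dport": 443}
    later = {**first, "sport": None, "dport": None}
    return {p: (select_interface(p, first, 2), select_interface(p, later, 2))
            for p in POLICIES}


if __name__ == "__main__":
    print("router:", router_example())
    print("fragments:", fragment_example())
```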

Network

Assignment of IP addresses: no address, static IP address or dynamic IP address obtained through DHCP.

DHCP relay

Configuring a DHCP relay for a bond interface. Enable a DHCP relay, then in the UserGate address field, enter the IP address of the interface to which you want to add a relay, and specify one or more DHCP servers to which DHCP queries from clients should be routed.

5.2.3. Creating a bridge

A network bridge operates at the data link level (L2) of the OSI model and, upon obtaining a frame, checks whether the MAC address in the frame is part of the subnetwork. If the MAC is not part of the subnetwork, the bridge will send (broadcast) the frame to the target segment; otherwise, the bridge will do nothing.

An interface bridge can be used in UserGate similar to a standard interface. In addition, a bridge can be configured for content filtering at L2 without any changes to the existing corporate network infrastructure. The easiest way to use UserGate for content filtering at L2 is as follows:

[Figure omitted: diagram of UserGate deployed for content filtering at L2]

When creating a bridge, you can specify its working mode type: Layer 2 or Layer 3.

In the Layer 2 mode, the newly created bridge does not need any IP addresses, routes or gateways for proper operation. A bridge in this mode works at the MAC address level and broadcasts packets among segments. In Layer 2 mode you cannot use Content filtering and Mail security, while all other filtering mechanisms are supported.

When the Layer 3 mode is selected, make sure to assign an IP address to the bridge being created and provide the routes to networks connected to the bridge interfaces. In this mode, you can use all filtering mechanisms available in UserGate.

When creating a bridge on a UserGate appliance that features a network adapter with bypass mode, you can merge two interfaces into a single bypass bridge. A bypass bridge automatically switches the two selected interfaces to bypass mode (i.e. connects them directly so that traffic no longer passes through UserGate) in the following cases:

  • The UserGate appliance is powered off

  • The internal diagnostic system detected an issue in the UserGate software.

For more details on network interfaces that support the bypass mode, please refer to the specifications for UserGate appliances.

Click Add a new bridge to merge multiple physical interfaces into a new interface bridge. Make sure to specify the following parameters:

Name

Description

Enabled

Enables an interface bridge

Name

Interface name

Type

Specify bridge network type - Layer 3 or Layer 2.

Node name

A node in the UserGate cluster where a new interface bridge will be created

Zone

A zone to which the interface bridge will belong

Bridge interfaces

Two interfaces that will be used for creating the interface bridge

Bypass bridge interfaces

A pair of interfaces eligible for creating a bypass bridge. A UserGate appliance with a specific network card is required.

STP (Spanning Tree Protocol)

Enables STP to protect a network from loops

Forward delay

A delay before switching a bridge into an active mode (Forwarding) when STP is enabled

Maximum age

A timeout after which an STP connection is considered lost

Network

Assignment of IP addresses: no address, static IP address or dynamic IP address obtained through DHCP.

DHCP relay

Configuring a DHCP relay for the bridge interface. Enable a DHCP relay, then in the UserGate address field, enter the IP address of the interface to which you want to add a relay, and specify one or more DHCP servers to which DHCP queries from clients should be routed.

5.2.4. PPPoE interface

The Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating PPP frames inside Ethernet frames. Click Add a PPPoE to create PPPoE interface. Make sure to specify the following parameters:

Name

Description

Enabled

Enables a PPPoE interface.

Node name

A node in the UserGate cluster where a new PPPoE interface will be created.

Interface

The interface on which the PPPoE connection will be created.

Zone

A zone to which the PPPoE interface will belong

MTU

MTU size. The default value is 1492 bytes, which is the standard value for PPPoE.

Login

Account name for PPPoE connection.

Password

Password for PPPoE connection.

Persist connection

Reopen the connection if it is terminated.

Holdoff interval (sec.)

Specifies how many seconds to wait before re-initiating the link after it terminates. This option only has an effect if Persist connection is activated.

Default route

Add a default route to the system routing tables, using the peer as the gateway. This entry is removed when the PPPoE connection is broken.

LCP echo interval (sec.)

If this option is given, UserGate will send an LCP echo-request frame to the peer every n seconds. Normally the peer should respond to the echo-request by sending an echo-reply.

Number of LCP echo failures

If this option is given, UserGate will presume the peer to be dead once the number of LCP echo-requests specified here has been sent without receiving a valid LCP echo-reply. If this happens, UserGate will terminate the PPPoE connection.

Use provider's DNS

If enabled, UserGate will use the DNS servers provided by the PPPoE connection.

Number of connection attempts

Stop connecting after the number of consecutive failed connection attempts specified here. A value of 0 means no limit.

5.2.5. VPN interface

A VPN device is a virtual network interface for connecting VPN clients. This type of interface is a clustered interface, which means that it exists virtually on all nodes of the cluster; if a high-availability cluster is configured, VPN clients will be switched to a backup node automatically without interruption of the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields:

Name

Description

Name

Name of the interface in the form tunnelN, where N is the number of the virtual device.

Description

The description of the interface.

Zone

The zone of the interface. VPN clients will be assigned to this zone when connected.

Netflow profile

An optional netflow profile that will be used for this interface.

Mode

IP address assignment mode – Dynamic (via DHCP), Static, No address. Static mode should be used for serving VPN clients (remote access VPN and the server side of site-to-site VPN).

MTU

The MTU for the interface.

UTM is preconfigured with 3 VPN interfaces:

  • tunnel1 is preconfigured for use with Remote access VPN.

  • tunnel2 is preconfigured for use with the server side of Site-to-Site VPN.

  • tunnel3 is preconfigured for use with the client side of Site-to-Site VPN.

5.3. Configuring gateways

To connect UserGate to the Internet, specify the IP address of one or more gateways. If you use multiple ISPs for accessing the Internet, specify a gateway for each of them. Gateway settings are unique to each node in the cluster.

Example of a configuration with two ISPs:

  • The eth1 interface with IP address 192.168.11.2 is connected to ISP 1. To access the Internet using this ISP, add a new gateway with IP address 192.168.11.1.

  • The eth2 interface with IP address 192.168.12.2 is connected to ISP 2. To access the Internet using this ISP, add a new gateway with IP address 192.168.12.1.

If you have two or more gateways, the system will be able to operate in two modes:

Name

Description

Traffic balancing between gateways

Enable the Balancing checkbox and specify the Weight of each gateway. In this mode, all Internet traffic will be distributed between the gateways according to the weights that you have specified (gateways with larger weights will handle more traffic).

Primary gateway with failover to redundant gateway

Make one of the gateways the primary one and then configure the Connectivity checker by clicking the corresponding button in the interface. The Connectivity checker verifies at the specified intervals whether the host can access the Internet and, if the primary gateway fails, redirects all traffic to the redundant gateways in the order in which they are listed in the console.

By default, the Connectivity checker uses the public DNS server from Google (8.8.8.8), but network administrators can easily switch to another host.
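The two multi-gateway modes above, modelled as an added example (not UserGate's own code). The gateway entries, the weights and the probe results are constructed; the selection rules follow the text: weighted distribution in balancing mode, primary then redundant gateways in console order in failover mode, with unreachable gateways skipped in both.

```python
"""Gateway selection for the two multi-gateway modes described above.

Added illustration, not UserGate's own code. The gateway entries and the
probe results are constructed; the selection rules follow the manual:
weighted distribution in balancing mode, primary-then-redundant in
failover mode.
"""
import random
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    ip: str
    weight: int = 1          # used only in balancing mode
    primary: bool = False    # used only in failover mode
    reachable: bool = True   # last result of the connectivity checker


def run_connectivity_check(gateways, probe):
    """Update each gateway's 'reachable' flag using probe(gateway) -> bool.

    In UserGate the check targets a host such as 8.8.8.8 via the gateway;
    here 'probe' is injected so the logic runs without network access.
    """
    for gw in gateways:
        gw.reachable = bool(probe(gw))
    return gateways


def pick_balanced(gateways, rnd=random.random):
    """Balancing mode: choose a gateway with probability proportional to its weight.

    Gateways that failed the connectivity check (or have weight 0) are skipped.
    'rnd' must return a float in [0, 1).
    """
    live = [gw for gw in gateways if gw.reachable and gw.weight > 0]
    if not live:
        raise RuntimeError("no usable gateway")
    point = rnd() * sum(gw.weight for gw in live)
    for gw in live:
        point -= gw.weight
        if point < 0:
            return gw
    return live[-1]  # guards against floating-point rounding at the upper edge


def pick_failover(gateways):
    """Failover mode: the primary gateway while it is reachable, otherwise the
    first reachable redundant gateway in list (console) order."""
    for gw in gateways:
        if gw.primary and gw.reachable:
            return gw
    for gw in gateways:
        if gw.reachable and not gw.primary:
            return gw
    raise RuntimeError("no usable gateway")


def traffic_share(gateways, samples=20000, seed=7):
    """Simulate many selections in balancing mode and return the share each
    gateway received, so the effect of the weights can be seen."""
    rng = random.Random(seed)
    counts = {gw.name: 0 for gw in gateways}
    for _ in range(samples):
        counts[pick_balanced(gateways, rng.random).name] += 1
    return {name: n / samples for name, n in counts.items()}


# Constructed example matching the two-ISP layout from the manual.
ISP_GATEWAYS = [
    Gateway("ISP 1", "192.168.11.1", weight=3, primary=True),
    Gateway("ISP 2", "192.168.12.1", weight=1),
]

if __name__ == "__main__":
    print(traffic_share(ISP_GATEWAYS))        # roughly {'ISP 1': 0.75, 'ISP 2': 0.25}
    run_connectivity_check(ISP_GATEWAYS, lambda gw: gw.name != "ISP 1")
    print(pick_failover(ISP_GATEWAYS).name)    # ISP 2
```

With weights 3 and 1, ISP 1 carries about three quarters of new flows; once the probe reports the primary as down, the failover picker moves to ISP 2 and the balancer stops handing out the dead gateway as well.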

5.4. Configuring DHCP

The DHCP service (Dynamic Host Configuration Protocol) allows you to automate provisioning of network settings to clients in a local network. In a network with the DHCP server, each network device can be dynamically assigned an IP address, gateway address, and DNS.

UserGate is also able to work as a DHCP relay by forwarding DHCP requests from clients in different networks to the central DHCP server. For more details on how to configure a DHCP relay, please refer to Configuring DHCP.

In UserGate, you can create multiple ranges of IP addresses that will be allocated via DHCP. A DHCP server works independently on each node of the high-availability cluster. To ensure high availability of the DHCP server, make sure to configure DHCP on both nodes and allocate them non-overlapping IP ranges.
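A configuration check for the requirement above, added here as an example and not UserGate's own code. The subnet entries are constructed; the check flags DHCP ranges on different cluster nodes that overlap, ranges that fall outside their subnet, and ranges that would hand out the gateway address.

```python
"""Check that DHCP ranges configured on cluster nodes do not overlap.

Added illustration, not UserGate's own code. The subnet entries are
constructed; the check enforces the requirement that each node's DHCP
range must not overlap the ranges on other nodes, and also verifies that
every range lies inside its subnet and does not hand out the gateway.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class DhcpRange:
    name: str
    node: str
    interface: str
    ip_range: str     # "first-last", as entered in the IP range field
    mask: str         # subnet mask handed to clients
    gateway: str

    def bounds(self):
        """Return the range as a pair of integers (first, last)."""
        first, last = (ipaddress.IPv4Address(p.strip()) for p in self.ip_range.split("-"))
        if last < first:
            raise ValueError(f"{self.name}: range end precedes range start")
        return int(first), int(last)


def overlaps(a, b):
    """Two ranges overlap when neither ends before the other starts."""
    a_lo, a_hi = a.bounds()
    b_lo, b_hi = b.bounds()
    return a_lo <= b_hi and b_lo <= a_hi


def validate(ranges):
    """Return a list of human-readable problems; an empty list means the set is consistent."""
    problems = []
    for r in ranges:
        lo, hi = r.bounds()
        net = ipaddress.IPv4Network((r.gateway, r.mask), strict=False)
        if ipaddress.IPv4Address(lo) not in net or ipaddress.IPv4Address(hi) not in net:
            problems.append(f"{r.name}: range {r.ip_range} is outside {net}")
        if lo <= int(ipaddress.IPv4Address(r.gateway)) <= hi:
            problems.append(f"{r.name}: gateway {r.gateway} lies inside the range")
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if overlaps(a, b):
                problems.append(f"{a.name} ({a.node}) overlaps {b.name} ({b.node})")
    return problems


# Constructed two-node layout: each node serves half of 192.168.1.0/24.
CLUSTER_RANGES = [
    DhcpRange("lan-node1", "node1", "eth0", "192.168.1.10-192.168.1.127", "255.255.255.0", "192.168.1.1"),
    DhcpRange("lan-node2", "node2", "eth0", "192.168.1.128-192.168.1.250", "255.255.255.0", "192.168.1.1"),
]

if __name__ == "__main__":
    print(validate(CLUSTER_RANGES) or "no problems")
```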

To create a new DHCP range, click Add subnet and specify the following parameters:

Name

Description

Enabled

Enable or disable this DHCP range

Node name

Node of the cluster where this range will be created

Interface

Interface of the server on which the IP addresses from the new range will be allocated

IP range

Range of IP addresses allocated to clients by DHCP

Mask

Subnet mask allocated to clients by DHCP

Lease time

Period for which the IP addresses are allocated, in seconds

Domain

Domain name allocated to clients by DHCP

Gateway

IP address of the gateway allocated to clients by DHCP

Name servers

IP addresses of the DNS servers allocated to clients by DHCP

Reserved hosts

MAC addresses and their mapped IP addresses

Ignored MAC

List of MAC addresses that should be ignored by the DHCP server

DHCP PXE boot

Server address and boot file name provided to PXE boot

All assigned IP addresses are shown in the Leased addresses panel. Network administrators can release any assigned address by selecting it in the list and clicking Release.

5.5. Configuring DNS

This section provides settings for the DNS and DNS proxy services.

For proper operation of the product, UserGate must be able to resolve domain names into IP addresses. Specify valid IP addresses of DNS servers in the System DNS servers parameter.

The DNS proxy service allows network administrators to capture DNS queries from users and then modify them as required.

DNS proxy settings are as follows:

Name

Description

DNS caching

Enables or disables caching of DNS responses. It is recommended that you leave this option enabled for better performance.

DNS filtering

Enables or disables filtering of DNS queries. This option requires an additional license for the ATP module.

Recursive DNS queries

Allows or forbids the server to perform recursive DNS queries. It is recommended that you leave this option enabled.

Max TTL for DNS records (sec)

Sets the maximum allowed lifetime of DNS records.

Limit DNS requests per second for user

Sets the limit on the number of DNS queries per second for each user. All queries exceeding the specified limit will be discarded. The default value is 100 queries per second. It is not recommended that you set large values for this parameter, since DNS flooding (DNS DoS attacks) is among the most frequent causes of improper operation of DNS servers.

Only A and AAAA DNS records for unknown users (prohibit VPN over DNS)

If enabled, the DNS server will answer only queries for A and AAAA records from unknown users and will block all other record types. This effectively blocks any kind of VPN over DNS.

Using the DNS proxy rules, you can specify DNS servers to which the queries for certain domains will be forwarded. This option can be useful if your company uses an internal local domain, e.g. Active Directory, which is not connected to the Internet.

To create a new DNS proxy rule, perform the following:

Name

Description

Step 1. Add a new rule

Click Add and specify Name and Description (optional).

Step 2. Specify a list of domains

Provide a list of domains which you want to forward, e.g. localdomain.local. You can also use the "*" character to specify domain templates.

Step 3. Specify DNS servers

Provide a list of IP addresses of DNS servers to which you want to forward queries for the specified domains.

In addition, you can specify static records of the "host" type (A-records) using the DNS proxy. To create a new static record, perform the following:

Name

Description

Step 1. Add a new record

Click Add and specify Name and Description (optional).

Step 2. Provide the FQDN

Specify the Fully Qualified Domain Name (FQDN) of the static record, e.g. www.example.com.

Step 3. Specify IP addresses

Provide a list of IP addresses which will be returned by the UserGate server when this FQDN is requested.
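The DNS proxy controls described in this section (per-user query limit, A/AAAA-only for unknown users, static host records, and DNS proxy rules forwarding selected domains to specific servers), combined into one decision routine as an added example that is not UserGate's own code. All servers, records and rule values are constructed; the assumption that a rule domain without "*" also covers its subdomains is ours, not the manual's.

```python
"""Decision logic of a DNS proxy with the controls described above.

Added illustration, not UserGate's own code. For a single query it applies
the per-user requests-per-second limit, the A/AAAA-only restriction for
unknown users, static host records, and DNS proxy rules that forward
selected domains to specific servers. Rule and record values are
constructed; treating a rule domain without "*" as also matching its
subdomains is an assumption.
"""
import fnmatch
from collections import defaultdict, deque


class DnsProxyPolicy:
    def __init__(self, system_dns, proxy_rules, static_records,
                 limit_per_user=100, only_a_aaaa_for_unknown=True):
        self.system_dns = list(system_dns)
        self.proxy_rules = proxy_rules            # [(domain template, [servers])]
        self.static_records = {k.lower().rstrip("."): v for k, v in static_records.items()}
        self.limit = limit_per_user
        self.only_a_aaaa_for_unknown = only_a_aaaa_for_unknown
        self._recent = defaultdict(deque)         # user -> query timestamps in the last second

    def _over_limit(self, user, now):
        """Sliding one-second window: True when the user already sent 'limit' queries."""
        window = self._recent[user]
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.limit:
            return True
        window.append(now)
        return False

    def _forward_servers(self, qname):
        """First matching DNS proxy rule wins; otherwise use the system DNS servers."""
        for template, servers in self.proxy_rules:
            t = template.lower()
            if fnmatch.fnmatchcase(qname, t) or ("*" not in t and qname.endswith("." + t)):
                return servers
        return self.system_dns

    def decide(self, user, known, qname, qtype, now):
        """Return the action for one query as a dict (drop / refuse / answer / forward)."""
        qname = qname.lower().rstrip(".")
        if self._over_limit(user, now):
            return {"action": "drop", "reason": "rate limit"}
        if self.only_a_aaaa_for_unknown and not known and qtype not in ("A", "AAAA"):
            return {"action": "refuse", "reason": "non-A/AAAA query from unknown user"}
        if qtype == "A" and qname in self.static_records:
            return {"action": "answer", "rdata": self.static_records[qname]}
        return {"action": "forward", "servers": self._forward_servers(qname)}


# Constructed configuration in the spirit of the examples in the text.
POLICY = DnsProxyPolicy(
    system_dns=["8.8.8.8"],
    proxy_rules=[("localdomain.local", ["10.0.0.10"]),
                 ("*.corp.example", ["10.0.0.11", "10.0.0.12"])],
    static_records={"www.example.com": ["10.0.0.5"]},
    limit_per_user=100,
)

if __name__ == "__main__":
    print(POLICY.decide("alice", True, "dc1.localdomain.local", "A", 0.0))
    print(POLICY.decide("guest", False, "tunnel.example.org", "TXT", 0.0))
```

The order of checks matters: the rate limit is applied before anything else, so a flooding client cannot force expensive forwarding, and the record-type restriction for unknown users is applied before static answers and forwarding, which is what makes it effective against tunnelling over TXT or NULL records.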

5.6. Routes

In this section, you can specify a route to the network available through a certain router. This can be useful when several IP subnets in your local network are integrated via a local router. A route is applied only to the cluster's node where it has been created.

To add a new route, perform the following steps:

Name

Description

Step 1. Select a node in your cluster

If using a cluster, select the node on which you want to create the new route from the drop-down menu.

Step 2. Specify a name and description for a given route

Provide a name for the route and, optionally, a description.

Step 3. Specify the Destination

Specify a destination subnet for the new route, e.g. 172.16.20.0/24 or 172.16.20.5/32.

Step 4. Specify the Gateway

Provide the IP address of the gateway through which the specified subnet should be accessible. This IP address must be accessible from the UserGate server.

Step 5. Specify an Interface

Select an interface to which you want to add a new route.

Step 6. Specify Metric

Specify the metric for the new route. If you have multiple routes, the routes with lower metrics will have higher priority.
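Route selection and the gateway check from the steps above, as an added example that is not UserGate's own code. The routing table and interface subnets are constructed. The metric rule is the one stated in the text; applying longest prefix match before comparing metrics is standard IP forwarding behaviour and is assumed here.

```python
"""Route selection and sanity checks for static routes like those above.

Added illustration, not UserGate's own code. Route entries and interface
subnets are constructed. Lookup applies longest prefix match first and,
among routes with the same prefix length, the lowest metric (the manual
states the metric rule; longest prefix match is standard IP behaviour and
is assumed here).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    destination: str   # e.g. "172.16.20.0/24" or "172.16.20.5/32"
    gateway: str
    interface: str
    metric: int = 0

    @property
    def network(self):
        return ipaddress.ip_network(self.destination, strict=False)


def lookup(routes, dst):
    """Return the route that would forward a packet to dst, or None."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    # most specific prefix first, then lowest metric
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def check_gateway(route, interface_subnets):
    """The gateway must be reachable from UserGate: here, inside the subnet
    configured on the route's interface (interface_subnets maps name -> CIDR).
    Returns a problem string or None."""
    subnet = interface_subnets.get(route.interface)
    if subnet is None:
        return f"{route.name}: unknown interface {route.interface}"
    if ipaddress.ip_address(route.gateway) not in ipaddress.ip_network(subnet, strict=False):
        return f"{route.name}: gateway {route.gateway} is not on {route.interface} ({subnet})"
    return None


# Constructed routing table using the manual's example prefixes.
INTERFACE_SUBNETS = {"eth0": "10.0.0.1/24", "eth1": "192.168.11.2/24"}
ROUTES = [
    Route("default", "0.0.0.0/0", "192.168.11.1", "eth1", metric=10),
    Route("branch-net", "172.16.20.0/24", "10.0.0.254", "eth0", metric=10),
    Route("branch-net-backup", "172.16.20.0/24", "10.0.0.253", "eth0", metric=20),
    Route("branch-host", "172.16.20.5/32", "10.0.0.252", "eth0", metric=50),
]

if __name__ == "__main__":
    for dst in ("172.16.20.5", "172.16.20.7", "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst).name)
    for r in ROUTES:
        print(check_gateway(r, INTERFACE_SUBNETS) or f"{r.name}: gateway ok")
```

Note that the /32 host route wins for 172.16.20.5 even though its metric (50) is the worst of the table: the metric only breaks ties between routes of equal prefix length.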

5.7. WCCP support

Web Cache Communication Protocol (WCCP) is a content-redirection protocol developed by Cisco. It provides a mechanism for redirecting traffic streams in real time and has built-in scaling, load balancing, and fail-safe mechanisms. When using WCCP, the WCCP server accepts an HTTP request from the client browser and redirects it to one or more WCCP clients. The WCCP client receives the data from the Internet and returns it to the client's browser. Data can be delivered to the client via the WCCP server, or it can bypass it according to the routing rules.

UserGate can act as a WCCP client. A router usually acts as the WCCP server. All filtration mechanisms can be applied for traffic received via WCCP.

Important! For traffic received via a WCCP tunnel, UserGate will use the IP address of the client's computer as the source IP, and the source zone will not be defined, so do not specify a zone in the filtering rules (leave it as "any").

To configure a WCCP client in UserGate, perform the following steps:

Name

Description

Step 1. Configure the WCCP server

Configure the WCCP server according to the documentation for that server.

Step 2. Enable the WCCP client service in UserGate

Enable WCCP in the Settings --> Configure WCCP section of the UserGate console.

Step 3. Indicate the address of the WCCP server and the password for connecting to this server

Set the IP address of the server and the password for connecting to the WCCP server. The password must match the value of the password set when configuring the WCCP server in Step 1.

Step 4. Enable HTTPS support

By default, the WCCP client will inform the server that it is ready to accept the HTTP protocol. To receive and process HTTPS traffic, check the box labeled HTTPS support.

5.8. Dynamic routing protocols

The dynamic routing protocols are used for distributing information about the networks currently connected to each router. Routers communicate with one another through routing protocols. UserGate updates the routing table in its core according to the information obtained from the adjacent routers.

Dynamic routing does not affect the methods used by the core for IP routing. The core will be checking its own routing table in the same way to search for routes to hosts, routes to networks, and default routes. The only change is how the information will be added to the routing table: routes will be recorded automatically, without any manual operations.

UserGate supports two routing protocols: OSPF and BGP.

5.8.1. OSPF

OSPF (Open Shortest Path First) is a dynamic routing protocol based on link-state technology and Dijkstra's algorithm for finding the shortest paths between nodes. The OSPF protocol redistributes information about the available routes among routers within the same autonomous system (AS). For more details on OSPF, please refer to the corresponding technical documentation.

To set up OSPF in UserGate, perform the following steps:

Name

Description

Step 1. Enable an OSPF router.

In the UserGate console, go to Network-->OSPF-->OSPF router, click Configure and configure parameters of the OSPF router.

Step 2. Select the interfaces through which the OSPF router will be receiving/redistributing information from other routers.

In the UserGate console, go to Network-->OSPF-->Interfaces, click Add and configure parameters of the interface. Add as many interfaces as necessary for proper operation of OSPF in your organization.

Step 3. Define an OSPF area.

In the UserGate console, go to Network-->OSPF-->Areas, click Add and configure parameters of the OSPF area. Make sure to provide the interfaces (created in the previous step) through which the area will be available to other routers.

Add as many areas as necessary for proper operation of OSPF in your organization.

When setting up an OSPF router, make sure to provide the following parameters:

Name

Description

Enabled

Enables or disables a given OSPF router.

Router ID

IP address of the router. Must be the same as one of IP addresses assigned to network interfaces of UserGate.

Redistribute

Redistributes routes directly connected to the UserGate network or kernel routes added by administrators in the Routes section among other OSPF routers.

Metric

Set the metric for the redistributed routes.

Default originate

Notify other routers that a given router has a default route.

When setting up OSPF interfaces, make sure to provide the following parameters:

Name

Description

Enabled

Enables or disables a given interface.

Interface

Select an existing interface that will be used for OSPF.

Cost

Cost of the link on a given interface. This value is sent in LSAs (link state advertisements) to adjacent routers, which use it when calculating the shortest route. The default value is 1.

Priority

An integer from 0 to 255. A larger value means higher chances for a router to become the designated router in the network for sending LSAs. Set this value to 0 if you do not want to make this router the designated router. The default value is 1.

Hello interval

Time period in seconds between 'hello' packets sent by the router. This value must be the same across all routers within the autonomous system. The default value is 10 seconds.

Dead interval

Time period in seconds after which the adjacent router will be considered unavailable. This time period is counted since the moment when the last 'hello' packet is received from the adjacent router. The default value is 40 seconds.

Retransmit interval

Sets the time interval before repeated sending of an LSA packet. The default value is 5 seconds.

Transmit delay

Sets an approximate time period required for delivering the updated link state to the adjacent routers. The default value is 1 second.

Authentication Enabled

Enables mandatory authentication of each incoming OSPF message on the router. Authentication is mainly used to prevent unauthorized routers from injecting false routes.

Auth type

Possible values:

  • Plain – the key is transmitted in plain text for authentication of routers. Make sure to fill out the Key field.

  • Digest – an MD5 hash is used as a key for authentication of OSPF packets. Make sure to provide the Key and MD5 key ID. For proper operation, these parameters must be the same across all routers.
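How the interface Cost above turns into a routing decision: OSPF routers run Dijkstra's algorithm over the link-state database built from the costs advertised in LSAs. The block below is an added example, not UserGate's own code; the topology and costs are constructed, and costs are kept per outgoing interface, as OSPF does.

```python
"""Shortest-path computation as OSPF performs it from interface costs.

Added illustration, not UserGate's own code. The link-state database is a
constructed map of router -> {neighbour: interface Cost}; each router runs
Dijkstra's algorithm over it to build its routing table, which is why the
Cost value on an interface directly decides which path traffic takes.
"""
import heapq


def dijkstra(lsdb, source):
    """Return {router: (total cost, next hop from source)} for every reachable router."""
    dist = {source: 0}
    next_hop = {source: None}
    heap = [(0, source, None)]
    while heap:
        cost, node, via = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue   # stale heap entry, a cheaper path was found already
        for neigh, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if new_cost < dist.get(neigh, float("inf")):
                dist[neigh] = new_cost
                # first hop on the path: the neighbour itself when we are at the source
                next_hop[neigh] = neigh if node == source else via
                heapq.heappush(heap, (new_cost, neigh, next_hop[neigh]))
    return {r: (dist[r], next_hop[r]) for r in dist}


def routing_table(lsdb, source):
    """Flatten the result into {destination router: next hop}, excluding ourselves."""
    return {r: nh for r, (_, nh) in dijkstra(lsdb, source).items() if r != source}


def lsdb_from_links(links):
    """links: iterable of (a, b, cost_a_to_b, cost_b_to_a). OSPF costs belong to
    the outgoing interface, so a link may carry different costs in each direction."""
    lsdb = {}
    for a, b, ab, ba in links:
        lsdb.setdefault(a, {})[b] = ab
        lsdb.setdefault(b, {})[a] = ba
    return lsdb


# Constructed topology: UserGate (UG) reaches R3 directly or via R1.
LINKS = [
    ("UG", "R1", 1, 1),
    ("R1", "R3", 1, 1),
    ("UG", "R3", 5, 5),   # direct link whose UG-side interface has Cost 5
]

if __name__ == "__main__":
    print(routing_table(lsdb_from_links(LINKS), "UG"))   # {'R1': 'R1', 'R3': 'R1'}
```

With the direct link costed at 5, traffic to R3 goes through R1 (total cost 2); lowering the Cost of the UG interface towards R3 to 1 makes the direct path win. The same computation is what a rogue router influences when it injects LSAs, which is the case the Authentication settings above are meant to prevent.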

When setting up an OSPF area, make sure to provide the following parameters:

Name

Description

Enabled

Enables or disables a given area.

Name

Name of a given area.

Cost

Cost of the LSA announced into the stub area.

Area ID

Area identifier. An identifier can be specified in a decimal format or as an IP address. However, area identifiers are not IP addresses and thus can coincide with any assigned IP address.

Auth type

Possible values:

  • None - no authentication of OSPF packets is required.

  • Plain - the key is transmitted in plain text for authentication of OSPF packets. The key specified in the interface settings is used.

  • Digest - an MD5 hash is used as the key for authentication of OSPF packets. The key specified in the interface settings is used.

Authentication settings at the interface level take precedence over authentication settings at the area level.

Area type

Sets the area type. The following area types are supported:

  • Normal - a standard area, created by default. This area receives link-state updates, summary routes, and external routes.

  • Stub - a stub area does not receive information about routes external to the autonomous system, but does receive routes from other areas. When routers in a stub area need to send traffic outside the autonomous system, they can use the default route. No ASBRs can be located within a stub area.

  • NSSA - Not-so-stubby area. An NSSA defines an additional LSA type (type 7). An NSSA can contain an edge router (ASBR).

Do not sum up

Prohibits injection of summary routes into stub areas.

Interfaces

Selection of OSPF interfaces in which this area will be accessible.

Virtual links

A special connection for merging a disrupted area or joining an area to a backbone through another area. It can be configured between two ABRs.

This option allows a router to send OSPF packets through virtual links by encapsulating them in IP packets. This mechanism can be used as a temporary solution or as a backup when backbone connections go down.

You can specify IDs of routers that should be accessible through a given area.

5.8.2. BGP

BGP (Border Gateway Protocol) is a dynamic routing protocol that belongs to the class of exterior gateway protocols (EGP, Exterior Gateway Protocol). At present it is the key dynamic routing protocol on the Internet. BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS), i.e. groups of routers under unified technical and administrative control. BGP uses intra-domain routing protocols to identify internal routes and inter-domain routing protocols to identify routes for delivering packets to other ASes. The delivered information may include a list of ASes that are reachable through a given system. The best routes are selected according to network-specific rules. For more details on BGP, please refer to the corresponding technical documentation.

To set up BGP in UserGate, perform the following steps:

Name

Description

Step 1. Enable a BGP router.

In the UserGate console, go to Network-->BGP-->BGP router, click Settings and configure the parameters of the BGP router.

Step 2. Add at least one BGP peer.

In the UserGate console, go to Network-->BGP-->BGP peers, click Add and configure parameters of the router included in the peer AS. Add as many peers as necessary.

Step 3. Optional. Set up the filters and Routemap in order to limit the number of incoming routes.

In the UserGate console, go to Network-->BGP-->Routemaps or Network-->BGP--> Filters, click Add and configure parameters of the Routemap/filters. Add as many Routemap/filters as necessary for proper operation of BGP in your organization.

When setting up a BGP router, make sure to provide the following parameters:

Name

Description

Enabled

Enables or disables a given BGP router.

Router ID

IP address of the router. Must be the same as one of IP addresses assigned to network interfaces of UserGate.

ID of the autonomous system (AS).

An autonomous system is a system of IP networks and routers managed by one or more providers with the unified routing policy. ID of an autonomous system indicates routers that belong to a given system.

Redistribute

Notifies other BGP routers about routes directly connected to the UserGate network (connected), routes added by the administrator in the Routes section (kernel), or routes obtained through BGP.

Multiple path

Enables traffic balancing to routes with the same cost.

Networks

A list of networks in a given AS.

To add BGP peers, click Add and provide the following parameters:

Name

Description

Enabled

Enables or disables a given peer

Interface

One of the existing system interfaces through which a given peer should be accessible

Host

IP address of a peer

Description

An arbitrary description of a peer

Remote ASN

ID of an autonomous system which a peer relates to

Weight

The weight of given routes obtained from a given peer

TTL

The maximum number of hops allowed in the route to a given peer

Announce next-hop-self for BGP

Replace the next-hop value with UserGate's own IP address when announcing routes to a given BGP peer

Multihop for eBGP

Indicates that a connection to a given peer is indirect (several hops)

Route reflector client

Indicates whether a given peer is a Route reflector client

Soft reconfiguration

Use soft reconfiguration (without disconnections) for configuration updates

Default originate

Announce the default route to a given peer

Authentication

Enables authentication for a given peer and sets a password for authentication

Filters for BGP peers

Restricts which routes are accepted from peers or announced to them

Routemaps

Routemaps are used for managing route tables and defining conditions upon which routes must be redistributed among domains

Routemaps help filter routes during redistribution and change various route attributes. Provide the following parameters when creating a new routemap:

Name

Description

Name

Name of a given routemap

Operation

Sets an action for a given routemap. Possible values:

  • Allow - allows a flow of traffic matching the routemap's conditions.

  • Block - prohibits a flow of traffic matching the routemap's conditions.

Compare by

Conditions for applying a routemap. Possible values:

  • IP. When this condition is selected, then add all IP addresses required for this condition on the IP address tab.

  • AS path. When this condition is selected, add all IDs of the autonomous systems required for this condition on the AS path tab. POSIX 1003.2 regular expressions are allowed, with an additional underscore (_) character that matches any of the following:
    - space
    - comma
    - string start
    - string end
    - AS set delimiter { and }
    - AS confederation delimiter ( and )
  • Community. When this condition is selected, then add all strings of BGP communities required for this condition on the Community tab.

Set next hop

Sets the next hop value to the indicated IP address for the filtered routes

Set weight

Sets a preference to the indicated value for the filtered routes

Set metric

Sets a metric to the indicated value for the filtered routes

Set preference

Sets a preference to the indicated value for the filtered routes

Set AS-prepend

Sets AS-prepend, i.e. a list of autonomous systems to be added to the AS path of a given route

Community

Sets a BGP community for the filtered routes
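The AS path matching and the Set actions of a routemap, as an added example that is not UserGate's own code. The routes and routemap entries are constructed. bgp_regex() expands the underscore into the delimiter set listed under Compare by (space, comma, string start and end, "{ }" and "( )"); apply_routemap() runs the Allow/Block operation and the Set actions. Evaluating entries in order with first match winning, and dropping routes that match no entry, are assumptions about ordering, not statements from the manual.

```python
"""Evaluating a BGP routemap with the AS path regular expressions described above.

Added illustration, not UserGate's own code. Routes and routemap entries
are constructed. bgp_regex() expands "_" into the delimiter set given in
the manual; apply_routemap() applies Allow/Block and the Set actions.
First-match-wins ordering and implicit deny for unmatched routes are
assumptions.
"""
import re
from dataclasses import dataclass, field

_UNDERSCORE = r"(?:^|$|[ ,{}()])"   # what "_" stands for in a BGP AS-path regex


def bgp_regex(pattern):
    """Translate a BGP AS-path regex into a Python regex (POSIX ERE subset)."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_matches(pattern, as_path):
    """as_path: list of AS numbers; compared as the space-separated string BGP shows."""
    return bgp_regex(pattern).search(" ".join(str(a) for a in as_path)) is not None


@dataclass
class BgpRoute:
    prefix: str
    as_path: list
    next_hop: str
    weight: int = 0
    metric: int = 0
    local_pref: int = 100
    communities: set = field(default_factory=set)


@dataclass
class RoutemapEntry:
    name: str
    operation: str                 # "allow" or "block"
    as_path_regex: str = None      # Compare by: AS path
    ip_prefixes: tuple = ()        # Compare by: IP (exact prefix strings)
    set_next_hop: str = None
    set_weight: int = None
    set_metric: int = None
    set_preference: int = None
    as_prepend: tuple = ()         # Set AS-prepend
    set_community: str = None

    def matches(self, route):
        if self.as_path_regex is not None and not as_path_matches(self.as_path_regex, route.as_path):
            return False
        if self.ip_prefixes and route.prefix not in self.ip_prefixes:
            return False
        return True


def apply_routemap(entries, route):
    """Return the (possibly modified) route if allowed, or None if blocked."""
    for e in entries:
        if not e.matches(route):
            continue
        if e.operation == "block":
            return None
        if e.set_next_hop is not None:
            route.next_hop = e.set_next_hop
        if e.set_weight is not None:
            route.weight = e.set_weight
        if e.set_metric is not None:
            route.metric = e.set_metric
        if e.set_preference is not None:
            route.local_pref = e.set_preference
        if e.as_prepend:
            route.as_path = list(e.as_prepend) + route.as_path
        if e.set_community is not None:
            route.communities.add(e.set_community)
        return route
    return None   # no entry matched: implicit deny (assumption)


# Constructed routemap: drop anything that transits AS 65003, prefer the
# direct 65001 65002 path, and prepend our own AS twice on everything else.
ROUTEMAP = [
    RoutemapEntry("drop-transit-65003", "block", as_path_regex="_65003_"),
    RoutemapEntry("prefer-65002", "allow", as_path_regex="^65001_65002$",
                  set_weight=200, set_preference=150, set_community="64512:100"),
    RoutemapEntry("prepend-rest", "allow", as_path_regex=".*", as_prepend=(64512, 64512)),
]

if __name__ == "__main__":
    for path in ([65001, 65003, 65004], [65001, 65002], [65005]):
        print(path, "->", apply_routemap(ROUTEMAP, BgpRoute("10.0.0.0/8", list(path), "192.0.2.1")))
```

The underscore is what makes "_65003_" safe: without it, a plain "65003" would also match AS 165003 or 650031, which is a common source of accidentally over-broad BGP filters.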

Filters allow you to select or reject routes during redistribution. Provide the following parameters when creating a new filter:

Name

Description

Name

Name of a given filter

Action

Sets an action for a given filter. Possible values:

  • Allow - allows a flow of traffic matching the filter's conditions.

  • Block - prohibits a flow of traffic matching the filter's conditions.

Filter by

Conditions for applying a filter. Possible values:

  • IP. When this condition is selected, then add all IP addresses required for this condition on the IP addresses tab.

  • AS path. When this condition is selected, then add all IDs of the autonomous networks required for this condition on the AS path tab.

6. Users and devices

Security policies, firewall rules, safe browsing rules and many other features of UserGate can be applied to users or groups of users. Since policies can be applied only to the selected users, network administrators can flexibly adapt the entire network to the company's needs.

Identification of users is a core feature of UserGate. A user is identified when the system is able to exactly match their identity with the IP address of the device from which they are currently logged in. UserGate offers multiple mechanisms of user identification:

  • Identification by explicitly provided IP address

  • Identification by username and password

  • Identification of users of Microsoft terminal servers using a special terminal services agent

  • Identification of users via an authentication agent (for Windows-based systems)

  • Identification based on NTLM and Kerberos

Identification of users by username and password is performed via the Captive portal which, in turn, can be configured to identify users via Active Directory, Radius, Kerberos or a local user database.

UserGate supports the following types of users:

Name

Description

Unknown user

Represents a set of users not identified by the system

Known user

Represents a set of users identified by the system. Various user identification methods are described below in more detail.

Any user

The Any user is the set of Known users plus the set of Unknown users

Certain user

The Certain user represents users fully identified and authorized by the system, e.g. DOMAIN\User authorized through an Active Directory domain.

Users and groups can be registered directly on the UserGate device (the so-called local users and groups) or obtained from external directories, such as Microsoft Active Directory.

6.1. Users

In this section, you can add local users. In addition, you can also temporarily disable users or enable them again.

To create a new local user, you need to specify only one mandatory parameter (username). Though all other parameters are optional, it is recommended that you specify them for proper user identification:

  • Username and password - for identification by username and password. In this case, you will need to set up the Captive portal where users can enter their username and password for authentication

  • One IP address or a range of IP addresses, and MAC address for identification based on MAC and IP. In this case, it is necessary to ensure network access from the specified MAC and/or IP addresses for a given user.

  • The VLAN ID for identifying the user via the VLAN tag. In this case you need to make sure that the user always accesses the network from the indicated VLAN.

If both the credentials and IP/MAC/VLAN addresses are provided for a user, the system will utilize identification by address, i.e. identification by address has a higher priority.

Though user accounts obtained from LDAP synchronization are not shown here, these users can also be added to security policies.

6.2. Groups

User groups allow you to combine users and manage their security policies efficiently.

6.3. Authentication servers

Authentication servers are the external sources of user accounts for UserGate, e.g. LDAP servers, Radius, TACACS+, Kerberos or SAML. UserGate supports:

  • LDAP-connector

  • Radius authentication server

  • TACACS+ authentication server

  • Kerberos authentication server

  • NTLM authentication server

  • SAML (SSO) authentication server

The Radius, TACACS+, NTLM, SAML and Kerberos authentication servers can only authorize users, while the LDAP-connector can provide information about users and their properties.

6.3.1. LDAP connector

The LDAP connector allows you to:

  • Get information about users and groups from Active Directory or other LDAP servers, including FreeIPA. LDAP users and groups can be used in various security rules.

  • Authorize users via the Active Directory domain/FreeIPA using Captive portal, Kerberos or NTLM.

To create a new authentication server based on Active Directory, click Add, select Add LDAP connector and then specify the following parameters:

Name

Description

Enabled

Enables or disables usage of the specified authentication server

Name

Name of the authentication server

SSL

Specifies whether an SSL connection is needed for communication with the LDAP server.

LDAP domain name or IP address

IP address of the domain controller or domain name (FQDN). When a domain name is used, UserGate will be retrieving IP addresses of domain controllers via DNS queries.

Bind DN ("login")

Username for connecting to the LDAP server. The username must be in the DOMAIN\username or username@domain format. This user must already exist in the domain.

Password

User password for connecting to the domain.

LDAP domains

List of the domains which are handled by the domain controller, e.g. domains of Active Directory tree or forest. You may also add a NetBIOS domain name here.

This list may be displayed on the authorization page of the Captive portal. For details on the Captive portal, please refer to Configuring a Captive portal.

Kerberos keytab

You can upload a Kerberos keytab file here to set up Kerberos-based authentication. For more details on Kerberos, please refer to Kerberos authentication.

Important! It is highly recommended that you upload a keytab file even when you do not need Kerberos-based authentication. In this case, the uploaded keytab file will help retrieve users and groups from LDAP servers via Kerberos and thus dramatically reduce workload for AD servers. When there are 1,000+ elements in AD, uploading a keytab file for Kerberos is mandatory.

Once the server is created, check whether all parameters are correct by clicking Check connection. If all parameters are correct, the system will notify you about it, otherwise the system will display an error message.

This completes the LDAP connection setup. To authorize LDAP users, you need to set up identification by username/password (create rules for the Captive portal). For more details on the Captive portal, please refer to the next chapters of this Guide.

6.3.2. Radius authentication server

The Radius authentication server allows you to authorize users on Radius servers, i.e. UserGate acts as a Radius client. When authorizing via Radius, the UserGate server sends the username and password to a Radius server which, in turn, reports whether the authentication has been successful or not.

Radius servers cannot provide user properties to UserGate, so if you have not registered the users in UserGate beforehand (e.g. as local users or via the LDAP connector), you will only be able to use Known (i.e. authorized on a Radius server) or Unknown (failed to authorize on a Radius server) users in your security policies.

To create a new authentication server based on Radius, click Add, select Add RADIUS server and then specify the following parameters:

Name

Description

Enabled

Enables or disables usage of the specified authentication server

Server name

Name of the authentication server

Shared secret

Shared key used by the Radius protocol for authentication

Host

IP address of the Radius server

Port

UDP port on which the Radius server is listening for authentication requests (UDP 1812 by default).

Once the authentication server is created, you should set up the Captive portal for Radius-based authentication. For more details on the Captive portal, please refer to the next chapters of this Guide.
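The exchange described above (the client sends username and password, the server answers accept or reject), with both sides' messages, as an added example that is not UserGate's own code. It builds an Access-Request with the User-Password attribute hidden as RFC 2865 specifies (MD5 of the shared secret and the request authenticator, XORed block by block), lets a constructed server check the credentials against a small user table, and verifies the Response Authenticator on the client side, which is what the Shared secret parameter protects. Usernames, passwords and the secret are constructed values.

```python
"""The RADIUS PAP exchange between a client such as UserGate and a Radius server.

Added illustration, not UserGate's own code. Builds an Access-Request with the
User-Password hidden per RFC 2865, lets a constructed server verify it against
a tiny user table, and checks the Response Authenticator on the client side.
Usernames, passwords and the shared secret are constructed values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # code, identifier, length; a 16-byte authenticator follows


def _attr(kind, value):
    return bytes([kind, len(value) + 2]) + value


def _parse_attrs(blob):
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        kind, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[kind] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + previous
    ciphertext block), the first block with MD5(secret + request authenticator)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # fresh random Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def server_handle(packet, secret, users):
    """Constructed server: Access-Accept only when the revealed password matches."""
    code, ident, length = HEADER.unpack(packet[:4])
    authenticator, attrs = packet[4:20], _parse_attrs(packet[20:length])
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, ident, authenticator, secret)
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    ok = user in users and password == users[user]
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, authenticator, secret)


def verify_response(response, request_authenticator, secret):
    """Client side: trust a reply only if its authenticator proves the sender knows
    the shared secret and is answering this particular request."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return resp_auth == expected


def authenticate(username, password, secret, users, ident=1):
    """Full client round trip against the constructed server; True on Access-Accept."""
    request = build_access_request(ident, username, password, secret)
    response = server_handle(request, secret, users)
    if not verify_response(response, request[4:20], secret):
        return False
    return response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    table = {"alice": b"correct horse battery staple"}          # constructed user table
    print(authenticate("alice", "correct horse battery staple", b"s3cret-shared-key", table))   # True
    print(authenticate("alice", "wrong", b"s3cret-shared-key", table))                          # False
```

Two points follow from the code: the password is only as well hidden as the shared secret is unpredictable, since the hiding key is MD5(secret + a value sent in the clear), and a reply whose Response Authenticator does not verify must be discarded rather than treated as a reject, because otherwise anyone on the path could answer on the server's behalf.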

6.3.3. TACACS+ authentication server

A TACACS+ authentication server allows you to authorize users on TACACS+ servers. When authorizing a user via a TACACS+ server, UserGate sends the user's credentials to the TACACS+ server, which, in turn, notifies UserGate whether the authentication was successful or not.

TACACS+ servers cannot provide a property of users to UserGate, so that if you have not registered them in UserGate beforehand (e.g. as local users or via LDAP connector), then you will be able to use only Known (i.e. authorized on a Radius server) or Unknown (failed to authorize on a Radius server) users in your security policies.

To create a TACACS+ authentication server, click Add, select Add a TACACS+ server and provide the following parameters:

Name

Description

Enabled

Enables or disables a given authentication server

Server name

Name of the authentication server.

Secret key

A public key used by TACACS+ for authentication.

Address

IP address of the TACACS+ server.

Port

A UDP port on which a TACACS+ server will be listening for authentication requests. By default, UDP 1812 is used.

Use a single connection

Use a single TCP connection for communications with a TACACS+ server.

Timeout (sec)

How long UserGate waits for an authentication response from the TACACS+ server. The default timeout is 4 seconds.

6.3.4. SAML IDP authentication server

A SAML IDP server (Security Assertion Markup Language Identity Provider) allows authorizing users through locally deployed Single Sign-On (SSO) systems, such as Microsoft Active Directory Federation Services. As a result, each user authorizes in the SSO system once and is then transparently authorized on all resources that support SAML. UserGate can be configured as a SAML service provider and use SAML IDP servers for client authentication.

SAML IDP servers cannot provide UserGate with properties of users, and thus if no connection with AD domains is set up, then only users with Known (successfully authorized on a SAML server) or Unknown (failed to authorize) statuses will be eligible in filtering policies.

To set up authentication using SAML IDP servers, perform the following steps:

Step 1. Create a DNS record for the UserGate server.

On a domain controller, create a DNS record for your UserGate server to be used as the Captive portal auth domain, e.g. utm.domain.loc. As the IP address, provide the address of the UserGate interface connected to the Trusted network.

Step 2. Set up DNS servers in UserGate.

In the UserGate settings, provide the IP addresses of the domain controllers as the system DNS servers.

Step 3. Change the address for Captive portal auth domain.

Replace the address of the Captive portal auth domain in the General settings section with the DNS record created in Step 1. For more details on how to change the address of the Captive portal auth domain, please refer to the General settings section.

Step 4. Set up the SAML IDP server.

Add a record for the UTM service provider on the SAML IDP server, using the FQDN that you created in Step 1.

Step 5. Create a SAML IDP authentication server for users.

Create a SAML IDP authentication server in UserGate.

To create a SAML IDP authentication server, go to Users and devices-->Authentication servers, click Add, select Add a SAML IDP server and provide the following parameters:

Enabled

Enables or disables a given authentication server.

Server name

Name of the authentication server.

Description

Description of the authentication server.

SAML metadata URL

URL on the SAML IDP server for downloading an XML file with the valid configuration for a SAML service provider (client). Clicking Download fills in the mandatory server configuration fields with the data from this XML file. This is the preferred configuration method for a SAML IDP authentication server. For more details on SAML servers, please refer to the corresponding documentation.

SAML IDP certificate

A certificate that will be used in a SAML client. Possible options:

  • Create a new certificate from the downloaded one — if you have performed configuration through downloading the XML file, the certificate will be automatically created and provided with the SAML IDP role (see the Certificates section).

  • Use an existing certificate. The certificate must be created or imported in the Certificates section and must not have any role assigned. Once the authentication server is up and running, this certificate will be assigned the SAML IDP role.

  • Do not use certificates

Single sign-on URL

URL used in the SAML IDP server as a single login point. For more details, please refer to the documentation of the SAML IDP server that you use.

Single sign-on binding

A method for handling SSO-based logins. Possible options: POST or Redirect. For more details, please refer to the documentation of the SAML IDP server that you use.

Single logout URL

URL used in the SAML IDP server as a single logout point. For more details, please refer to the documentation of the SAML IDP server that you use.

Single logout binding

A method for handling SSO-based logouts. Possible options: POST or Redirect. For more details, please refer to the documentation of the SAML IDP server that you use.
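
The SAML metadata URL works because the IDP publishes its endpoints, bindings and signing certificate in a standard EntityDescriptor document, which is what Download reads. As an added example (not UserGate code), the following parses a constructed ADFS-style metadata document with the Python standard library and extracts the fields listed above, selecting the binding to use and refusing endpoints that are not HTTPS. The entity ID, the endpoint URLs and the certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
}

# Constructed sample of what an IDP such as ADFS publishes at its metadata URL.
# The entity ID, endpoint URLs and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVItQ0VSVElGSUNBVEU=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoints(idp, tag):
    """Map of binding name (POST/Redirect) to Location for one endpoint type."""
    found = {}
    for el in idp.findall(f"md:{tag}", NS):
        short = BINDINGS.get(el.get("Binding", ""))
        location = el.get("Location", "")
        if short is None:
            continue  # bindings the client does not support are ignored
        if not location.startswith("https://"):
            raise ValueError(f"{tag} endpoint is not HTTPS: {location}")
        found[short] = location
    return found


def parse_idp_metadata(xml_text: str, preferred_binding: str = "Redirect") -> dict:
    """Extract entity ID, SSO/SLO endpoints for the chosen binding and the signing certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no identity provider")
    sso = _endpoints(idp, "SingleSignOnService")
    slo = _endpoints(idp, "SingleLogoutService")
    if preferred_binding not in sso:
        raise ValueError(f"IDP offers no single sign-on endpoint for {preferred_binding}")
    # KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso[preferred_binding],
        "sso_binding": preferred_binding,
        "slo_url": slo.get(preferred_binding),
        "slo_binding": preferred_binding if preferred_binding in slo else None,
        "signing_certificate": certs[0] if certs else None,
    }
```

When the document is fetched from a real metadata URL, fetch it over TLS with certificate validation and parse it with a hardened parser such as defusedxml. The signing certificate it carries is what a service provider needs to verify assertion signatures, which is why keeping one configured on the authentication server is worth the extra step.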

6.3.5. Kerberos authentication

Authentication via Kerberos enables transparent authentication (without entering usernames and passwords) of Active Directory domain users. During Kerberos-based authentication, the UserGate server communicates with the domain controllers to authorize the user who wants to gain access to the Internet.

Kerberos authentication can work both when a proxy server is explicitly provided in a user browser (standard mode) or when no proxy server is provided (transparent mode).

To set up authentication through Kerberos, perform the following steps:

Step 1. Create a DNS record for the UserGate server.

On a domain controller, create DNS records for your UserGate server to be used as the auth.captive and logout.captive domains, e.g. auth.domain.loc and logout.domain.loc.

As an IP address, provide the address of your UserGate interface connected to the Trusted network.

Important! Create A-type DNS records, do not use CNAME records.

Step 2. Create a new user for your UserGate server.

Create a new user in the AD domain, e.g. kerb@domain.loc, and enable the password never expires option. Set up a password for user 'kerb'.

Important! Do not use characters from national alphabets, such as Cyrillic letters, in the user name or in the name of the Active Directory organizational unit where you are going to create the account for user 'kerb'.

Important! Do not reuse for Kerberos the account that was previously created for the LDAP connector. Make sure to create a new account.

Step 3. Create a keytab file.

On the domain controller, create a keytab file using the following command running as the administrator (it is a one-line command!):

ktpass.exe /princ HTTP/auth.domain.loc@DOMAIN.LOC /mapuser kerb@DOMAIN.LOC /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass * /out C:\utm.keytab

Enter the password previously set for user 'kerb'.

Important! This command is case-sensitive. In this example:
auth.domain.loc is the DNS record created for your UserGate server in Step 1
DOMAIN.LOC is the Kerberos realm, in capital letters only!
kerb@DOMAIN.LOC is the domain user created in Step 2, with the realm name in capital letters only!

Step 4. Set up DNS servers in UserGate.

In the UserGate settings, provide the IP addresses of the domain controllers as the system DNS servers.

Step 5. Set up synchronization of time with the domain controller.

In the General settings, enable synchronization of time with NTP servers and provide IP addresses of the domain controllers as the primary and secondary NTP servers.

Step 6. Change the address for Captive portal auth domains.

Replace the address in Captive portal auth domain and, optionally, the address in Captive portal logout domain in the General settings section with the DNS records created in Step 1. For more details on how to change the domain addresses for the Captive portal auth and logout domains, please refer to General settings.

Step 7. Create an LDAP connector and upload a keytab file to it.

Create a new LDAP connector and upload the keytab file created in Step 3 to it. For more details on LDAP connectors, please refer to LDAP connector.

Step 8. Create a Captive portal rule with Kerberos authentication.

Set up the Captive portal for authentication through Kerberos. For more details on the Captive portal, please refer to the next chapters of the Guide.

Step 9. Allow access to HTTP(S) for the zone.

In the Zones section, allow access to HTTP(S) proxy for the zone to which the users who authorize through Kerberos are connected.

Step 10. Set up the proxy server on user workstations to enable standard authentication.

On the user workstations, enforce the use of a proxy server and specify as its address the UTM's FQDN used in the Kerberos principal in Step 3 (auth.domain.loc in the example).

Step 11. For authentication in the transparent mode, set up automatic user authentication by a browser across all browser's security zones.

On the user workstations, go to Control panel-->Internet options-->Security, select Internet--> Security-->Custom level-->User Authentication and enable Automatic logon with current name and password.

Repeat this configuration for all other zones available on a given workstation (Local intranet, Trusted sites).
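
The case and character rules in Steps 2 and 3 are easy to get wrong, and it is useful to confirm what a keytab contains before uploading it in Step 7. The following is an added example, not UserGate's or Microsoft's code: it checks the names against those rules, assembles the ktpass command from the checked values, and reads a keytab file in the common MIT version-2 layout to list the principals, key version and encryption types it holds without printing key material. The keytab writer is included only to construct a sample file for the demonstration; the sample key bytes are zeros, and the principal and realm are the ones from the example above.

```python
import re
import struct
import time

KRB5_NT_PRINCIPAL = 1        # the /ptype value used in the ktpass command above
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2, big-endian fields
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def kerberos_preflight(auth_fqdn: str, realm: str, account: str) -> list:
    """Problems with the names before ktpass is run; an empty list means none were found."""
    problems = []
    if not HOSTNAME_RE.match(auth_fqdn):
        problems.append("auth FQDN must be a lowercase fully qualified DNS name")
    if realm != realm.upper() or not re.fullmatch(r"[A-Z0-9.-]+", realm):
        problems.append("realm must be written in capital letters only")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", account):
        problems.append("account name must contain ASCII letters and digits only")
    return problems


def ktpass_command(auth_fqdn: str, realm: str, account: str, out_path: str = r"C:\utm.keytab") -> str:
    """The one-line ktpass invocation from Step 3, built from checked values."""
    problems = kerberos_preflight(auth_fqdn, realm, account)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"ktpass.exe /princ HTTP/{auth_fqdn}@{realm} /mapuser {account}@{realm} "
            f"/crypto ALL /ptype KRB5_NT_PRINCIPAL /pass * /out {out_path}")


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def _take(data: bytes, pos: int):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def write_keytab(entries) -> bytes:
    """Constructed writer, used here only to build a sample file.
    Entries are (principal, name_type, kvno, enctype, key) tuples."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, name_type, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", name_type, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # 32-bit kvno trailer written by modern tools
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data: bytes) -> list:
    """List principal, name type, kvno and enctype of every entry; keys are not returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab file")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:            # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _take(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        (enctype,) = struct.unpack(">H", data[pos + 9:pos + 11])
        _key, pos = _take(data, pos + 11)
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "enctype": enctype})
    return entries


def keytab_has_principal(data: bytes, principal: str) -> bool:
    return any(e["principal"] == principal for e in read_keytab(data))
```

Before uploading, check that the keytab lists HTTP/auth.domain.loc@DOMAIN.LOC with the realm exactly as in the command; a lowercase realm or a principal for the wrong host is the usual reason Kerberos logins fall back to a password prompt.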

6.3.6. NTLM authentication server

NTLM authentication allows you to transparently (without requesting credentials) authorize users of Active Directory domains. To perform NTLM authentication, the UserGate server communicates with the domain controllers and requests them to verify a user, then permits or denies the Internet access accordingly.

NTLM servers cannot provide a list of users, and thus if user accounts were not added to UserGate beforehand (e.g. as local users or via LDAP connector), then only users with Known (successfully authorized on a NTLM server) or Unknown (failed to authorize) statuses will be eligible in filtering policies.

NTLM authentication can work both when a proxy server is explicitly provided in a user browser (standard mode) or when no proxy server is provided (transparent mode). In this case, setting up UserGate is similar to the standard authentication.

To set up NTLM authentication, perform the following steps:

Step 1. Set up synchronization of time with the domain controller.

In the UserGate settings, enable synchronization of time with NTP servers and provide IP addresses of the domain controllers as the primary and secondary NTP servers.

Step 2. Create a DNS record for the UserGate server.

On a domain controller, create DNS records for your UserGate server to be used as the auth.captive and logout.captive domains, e.g. auth.domain.loc and logout.domain.loc.

As an IP address, provide the address of your UserGate interface connected to the Trusted network.

Step 3. Change the address for Captive portal auth domains.

Replace the address in Captive portal auth domain and optionally the address in Captive portal logout domain in the General settings section with the DNS records created in the previous step. For more details on how to change domain addresses for the Captive portal auth and logout domains, please refer to General settings.

Step 4. Add an NTLM authentication server.

Go to Authentication servers, click Add, select Add an NTLM server and then specify the name, the IP address of the domain controller and the domain name.

Step 5. Create a Captive portal rule with NTLM authentication.

Set up the Captive portal for authentication through NTLM. For more details on the Captive portal, please refer to the next chapters of the Guide.

Step 6. Allow access to HTTP(S) for the zone.

In the Zones section, allow access to HTTP(S) proxy for the zone to which the users who authorize through NTLM are connected.

Step 7. Set up the proxy server on user workstations to enable standard authentication.

On the user workstations, enable the mandatory use of a proxy server and specify the IP address of your Trusted UserGate interface as the proxy server address.

Important! You can use domain names instead of IP addresses, but do not specify domain names from Active Directory — otherwise, Windows-based workstations will be trying to authorize through Kerberos.

Step 8. For authentication in the transparent mode, set up automatic user authentication by a browser across all browser's security zones.

On the user workstations, go to Control panel-->Internet options-->Security, select Internet--> Security-->Custom level-->User Authentication and enable Automatic logon with current name and password.

Repeat this configuration for all other zones available on a given workstation (Local intranet, Trusted sites).

6.4. Auth profiles

Auth profiles allow you to specify a set of authentication methods and parameters for users and then apply this set to various subsystems of UserGate, such as Captive portal, VPN, WEB PORTAL, and more. To create an authentication profile, go to Users and devices - Auth profiles, click Add and provide the following parameters:

Name

Name of the auth profile.

Description

Description of the auth profile.

MFA profile

A multi-factor authentication profile. This profile must be created beforehand in the MFA profiles section, if you are going to use multi-factor authentication together with a given authentication profile. MFA profiles define a delivery method for one-time passwords used in the second authentication method. For more details on how to set up MFA, please refer to the corresponding chapter below.

Important! Multi-factor authentication is compatible only with authentication methods that allow users to enter one-time passwords, i.e. when users explicitly enter their credentials in a web form on the login page. Therefore, multi-factor authentication is not possible for Kerberos and NTLM.

Idle time

This parameter sets a timeout in seconds after which UserGate will move a user from Known users to Unknown users if the user is inactive (i.e. no network packets are sent from their IP address).

Expiration time

This parameter sets a general timeout in seconds after which UserGate will move a user from Known users to Unknown users. After this timeout, a user will have to authorize again on the Captive portal.

Maximum auth attempts

Allowed number of failed attempts to authorize through the Captive portal before the user account is temporarily blocked.

Authentication lockout time

A period of time for which a user account will be locked after exceeding the allowed number of failed attempts to authorize.

Authentication methods

Previously created authentication methods for users, e.g. through Active Directory authentication servers. If multiple authentication methods are provided, they will be used in the same order as listed in the console. When using the NTLM authentication method, it is not possible to add other authentication methods.
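
The four timing parameters above interact, and the difference between idle time and expiration time is easiest to see in code. The following is an added example, not UserGate code, that models an auth profile as a small session tracker: failed logins count towards the lockout, a successful login makes the source IP address Known, packets reset the idle timer but not the expiration timer, and either timer moves the address back to Unknown. The credential check is supplied as a callback standing in for whatever authentication server the profile lists; the user, password and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class AuthProfile:
    idle_time: int           # seconds without packets before Known -> Unknown
    expiration_time: int     # total seconds a session may live, active or not
    max_auth_attempts: int   # failed Captive portal logins before lockout
    lockout_time: int        # seconds the account stays locked


@dataclass
class Session:
    user: str
    started: float
    last_seen: float


class AuthTracker:
    """Tracks Captive portal sessions per source IP address (the 'Use IP address' mode)."""

    def __init__(self, profile: AuthProfile, check_credentials: Callable[[str, str], bool]):
        self.profile = profile
        self.check_credentials = check_credentials   # e.g. an LDAP or RADIUS check
        self.sessions: Dict[str, Session] = {}
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def login(self, ip: str, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'locked' or 'rejected'."""
        if self.locked_until.get(user, 0) > now:
            return "locked"          # the password is not checked while the account is locked
        if not self.check_credentials(user, password):
            count = self.failures.get(user, 0) + 1
            if count >= self.profile.max_auth_attempts:
                self.locked_until[user] = now + self.profile.lockout_time
                count = 0            # the counter starts over once the lockout ends
            self.failures[user] = count
            return "rejected"
        self.failures.pop(user, None)
        self.sessions[ip] = Session(user, now, now)
        return "ok"

    def packet_seen(self, ip: str, now: float) -> None:
        """Any packet from the address resets the idle timer but not the expiration timer."""
        if self.status(ip, now) != "Unknown":
            self.sessions[ip].last_seen = now

    def status(self, ip: str, now: float) -> str:
        s = self.sessions.get(ip)
        if s is None:
            return "Unknown"
        expired = now - s.started >= self.profile.expiration_time
        idle = now - s.last_seen >= self.profile.idle_time
        if expired or idle:
            del self.sessions[ip]    # the user has to authorize on the Captive portal again
            return "Unknown"
        return f"Known:{s.user}"
```

A short idle time limits how long a Known address stays usable after the person walks away, while the expiration time bounds the session even for an always-busy host; the lockout parameters are what makes the CAPTCHA and password-guessing protections described for the Captive portal below effective in practice.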

6.5. Configuring a Captive portal

A Captive portal allows you to authorize Unknown users by means of Active Directory, Radius, TACACS+, SAML IDP, Kerberos or a local user database. In addition, you can allow users to register on their own in your Captive portal and confirm their registrations via SMS or by email.

Please keep in mind the following:

  • Identified users, e.g. those with an IP address assigned in their user properties as well as those identified via the authentication agents of Windows terminal servers, do not need to authorize on the Captive portal. Such users are treated as Known users and therefore do not need any additional identification.

  • Authentication via the Captive portal is possible only via HTTP and HTTPS. For example, if you have created a firewall rule to allow the Internet access via FTP only to the Known users, then users will gain the Internet access only after identification, i.e. after they launch their web browser and authorize on the Captive portal.

  • If the Captive portal uses authentication via Active Directory, then a user must enter their username together with the domain name, in the DOMAIN\username or username@domain format.

To configure the Captive portal, perform the following steps:

Step 1. Create a new authentication method, e.g. authentication via the Active Directory domain.

In the UserGate console, go to the Users and devices-->Authentication servers section, click Add and then create a new authentication server.

Step 2. Create an authentication profile and add all authentication methods that you need.

In the UserGate console, go to Users and devices-->Auth profiles, click Add and create an authentication profile using the previously created authentication method.

Step 3. Create a new Captive profile and specify the auth profiles you want to use.

In the UserGate console, go to the Users and devices-->Captive profiles section, click Add and then create a new captive profile based on the previously created authentication profile.

Step 4. Create a new rule for the Captive portal.

A Captive portal rule defines a traffic to which the user identification methods specified in the Captive profile should be applied. In the UserGate console, go to the Users and devices-->Captive portal section, click Add and then create a new rule for the Captive portal.

Step 5. Configure DNS records for the domains auth.captive and logout.captive.

The special domain names auth.captive and logout.captive are used internally by UserGate for user authentication. No action is required if users use UserGate as their DNS server. If another DNS server is used, these two domains should resolve to the IP address of the UserGate interface connected to the users' network. Alternatively, you can configure the Captive portal auth domain and Captive portal logout domain. For more details, refer to the General settings section of this manual.

For more information on how to create authentication methods, please refer to the previous chapters. Let's consider creation of a new Captive profile and rules for the Captive portal in more detail.

To create a new Captive profile, click Add in the Captive profiles section and specify the following parameters:

Name

Name of the Captive profile

Description

Description of the Captive profile

Auth page template

Select an authentication page template. You can create authentication pages in the Libraries/Response pages section. If you want to allow users to register on their own with subsequent SMS/email confirmation, choose a template of the corresponding type (Captive portal: SMS auth/Captive portal: Email auth).

Authentication mode

Defines how UserGate should remember a user. Two options are possible:

  • Use IP address. Once a user has successfully authorized via the Captive portal, UserGate remembers their IP address and matches all future connections from this IP address with this user. This method allows you to identify data passed via any protocol of the TCP/IP family, but cannot identify users behind NAT.
    This is the recommended value and the default.
  • Use COOKIES. Once a user has successfully authorized via the Captive portal for the first time, UserGate adds a special cookie to the user's web browser in order to identify them in future. This method allows you to identify users behind a NAT device, but only via HTTP/S and only in the web browser in which the user authorized on the Captive portal. In addition, UserGate will forcibly decrypt all HTTPS connections in order to authorize the user's HTTPS sessions. Such a user will always be identified as Unknown by firewall rules, since no IP address is associated with a user authenticated by cookie.

Authentication profile

The previously created authentication profile that defines authentication methods

Redirect URL

URL to which a user will be redirected after successful authentication on the Captive portal. When not set, the user is redirected to the URL they initially requested.

Allow browsers to keep auth

Enables saving of authentication sessions in browsers for the specified period in hours. The authentication data is stored in cookie files.

Show AD/LDAP domain selector on Captive portal page

If you use Active Directory as the authentication method, then a user will be able to select a domain name from the list on the authentication page when this parameter is enabled. When this parameter is disabled, a user must specify the target domain in the DOMAIN\username or username@domain format.

Show CAPTCHA

When this option is enabled, users will be asked to enter a code displayed on the login page of the Captive portal. This option is recommended for protection against bots trying to brute-force user passwords.

HTTPS for auth page

Use HTTPS encryption for the Captive portal authentication pages. This requires a configured Captive portal SSL certificate. For more information about certificates, please refer to the Managing certificates chapter.

To allow users to register on their own with subsequent confirmation via SMS or email, configure the parameters on the Guest users registration tab. Please keep in mind that you should use a template of the corresponding type (Captive portal: SMS auth/Captive portal: Email auth).

Notification profile

Notification profile that will be used for sending information about the created user and password. You can choose between two notification types - SMS and email. For more details on how to create a notification profile, please refer to Notifications.

Notification from

Specify on whose behalf the message will be sent

Notification subject

Subject of the notification (for email notifications only)

Notification body

Body of the message. You can use special variables {login} and {password} in the text which will be automatically replaced with the actual username and password.

Guest users expiration date

Date and time when the guest user's account will be disabled

Guest user TTL

Time period since the first authentication of the guest user after which the corresponding account will be disabled

Password length

Password length for created users

Password complexity

Password complexity for created users. Can be

  • Numeric - only digits

  • Alphanumeric - digits and letters

  • Alphanumeric+special - digits, letters and special symbols, such as @#%^&*

Groups

Group for guest users in which they are stored. For more details on groups for guest users, please refer to Groups.
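
The guest registration parameters above amount to a small workflow: generate a password of the configured length and complexity, fill in the notification body, and work out when the account is disabled. The following is an added example, not UserGate code, of that workflow. The placeholder names {login} and {password} are the ones from the table and the special symbols are the ones the guide lists; representing the TTL in hours and the dates as ISO timestamps is an assumption of this example.

```python
import secrets
import string
from datetime import datetime, timedelta
from typing import Optional

SPECIAL = "@#%^&*"                 # the special symbols named in the guide
COMPLEXITY = {
    "numeric": string.digits,
    "alphanumeric": string.digits + string.ascii_letters,
    "alphanumeric+special": string.digits + string.ascii_letters + SPECIAL,
}


def generate_guest_password(length: int, complexity: str) -> str:
    """Random password from a CSPRNG that contains every character class of the chosen complexity."""
    alphabet = COMPLEXITY[complexity]            # KeyError for an unknown complexity name
    if length < 4:
        raise ValueError("a guest password shorter than 4 characters is not useful")
    required = [string.digits]
    if complexity != "numeric":
        required.append(string.ascii_letters)
    if complexity == "alphanumeric+special":
        required.append(SPECIAL)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def render_notification(template: str, login: str, password: str) -> str:
    """Fill {login} and {password}; plain replacement so other braces in the text stay untouched."""
    return template.replace("{login}", login).replace("{password}", password)


def guest_account_expiry(first_auth: str, ttl_hours: Optional[float],
                         expiration_date: Optional[str]) -> Optional[str]:
    """The account is disabled at whichever comes first: TTL after the first login,
    or the fixed expiration date. Timestamps are ISO 'YYYY-MM-DD HH:MM' strings."""
    candidates = []
    if ttl_hours is not None:
        candidates.append(datetime.fromisoformat(first_auth) + timedelta(hours=ttl_hours))
    if expiration_date is not None:
        candidates.append(datetime.fromisoformat(expiration_date))
    return min(candidates).isoformat(sep=" ") if candidates else None
```

Numeric-only passwords of short length are the weakest choice; combined with the Show CAPTCHA option and the lockout settings of the auth profile they are acceptable for short-lived guest access, but a longer alphanumeric password costs the guest little when it arrives by SMS or email anyway.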

To create a new rule for the captive portal, click Add in the rules section of the Captive portal and then specify the following parameters:

Name

Name of the rule for the Captive portal

Description

Description of the rule for the Captive portal

Captive profile

Select the Captive profile you have previously created. You can also enable the Skip captive portal page option if you don't want to use any authentication method.

Enable logging

Logs information whenever the rule is triggered.

Source

Addresses of the source. You can specify a certain zone, such as Trusted, or an IP range as the source. You can also use IP addresses of countries (Geo-IP).

Destination

You can specify a certain zone, such as Trusted, or an IP range as the destination. You can also use IP addresses of countries (Geo-IP).

Categories

Categories of URL filtering for which the rule will be applied. Note that URL filtering requires the corresponding license.

URLs

Lists of URLs for which the rule will be applied.

Time

Time period when the rule will be active

Thus, by creating several rules for the Captive portal, you can set up multiple user identification policies for various zones, addresses and time periods.

Important! Conditions specified on the rule's tab are applied according to the AND logic, i.e. the rule will be triggered only when all these conditions are met. If you want to use the OR logic, then you should create multiple rules.

Important! Rules are applied in the same order as they are displayed in the console. You can change the order using the corresponding buttons.

Important! When processing rules, the system applies only the first triggered rule.
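
The three notes above define the matching semantics: AND across a rule's conditions, console order, first match wins. The following added example (not UserGate code) implements exactly that for the rule fields listed above, so the behaviour can be tested against constructed requests. Zone names, networks, URL lists and times are constructed; the model assumes that a zone and an address range set in the same Source or Destination field are two separate AND conditions, and it represents Geo-IP countries and URL categories as plain sets of names.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple


@dataclass
class CaptiveRule:
    name: str
    captive_profile: Optional[str]      # None models "Skip captive portal page"
    src_zones: Set[str] = field(default_factory=set)
    src_nets: List[str] = field(default_factory=list)       # CIDR strings
    dst_zones: Set[str] = field(default_factory=set)
    dst_nets: List[str] = field(default_factory=list)
    categories: Set[str] = field(default_factory=set)       # URL filtering categories
    urls: Set[str] = field(default_factory=set)             # host names from URL lists
    # (weekdays with Monday=0, "HH:MM" start, "HH:MM" end)
    time_windows: List[Tuple[Set[int], str, str]] = field(default_factory=list)
    enabled: bool = True


@dataclass
class Request:
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_zone: str
    host: str
    categories: Set[str]
    when: str           # ISO timestamp, e.g. "2024-03-12 10:30"


def _in_nets(ip: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def _host_in_lists(host: str, urls: Set[str]) -> bool:
    return any(host == u or host.endswith("." + u) for u in urls)


def _in_windows(when: str, windows) -> bool:
    moment = datetime.fromisoformat(when)
    hhmm = moment.strftime("%H:%M")
    return any(moment.weekday() in days and start <= hhmm < end for days, start, end in windows)


def rule_matches(rule: CaptiveRule, req: Request) -> bool:
    """Every condition set on the rule must hold (AND); an empty condition matches anything."""
    checks = [
        (rule.src_zones, lambda: req.src_zone in rule.src_zones),
        (rule.src_nets, lambda: _in_nets(req.src_ip, rule.src_nets)),
        (rule.dst_zones, lambda: req.dst_zone in rule.dst_zones),
        (rule.dst_nets, lambda: _in_nets(req.dst_ip, rule.dst_nets)),
        (rule.categories, lambda: bool(rule.categories & req.categories)),
        (rule.urls, lambda: _host_in_lists(req.host, rule.urls)),
        (rule.time_windows, lambda: _in_windows(req.when, rule.time_windows)),
    ]
    return all(check() for configured, check in checks if configured)


def select_rule(rules: List[CaptiveRule], req: Request) -> Optional[CaptiveRule]:
    """Rules are tried in console order and only the first triggered rule applies."""
    for rule in rules:
        if rule.enabled and rule_matches(rule, req):
            return rule
    return None
```

Because only the first triggered rule applies, a broad rule placed above a narrow one silently shadows it; when a Captive portal rule "does not work", comparing the request against the rules in order with a model like this is quicker than guessing.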

If you want to log in to the system with another account or log out of the system, type http://logout.captive or http://UserGate_IP_address:8002/cps in your web browser and then click Log out.

6.6. MFA profiles (multi-factor authentication)

Multi-factor authentication is a user identification method that combines two or more different authentication data types. An additional security level provides better protection of accounts from unauthorized access.

UserGate supports multi-factor authentication with user credentials as the first authentication type together with any of following types as the second type:

  • TOTP (Time-based One-Time Password) token as the second authentication method. A TOTP token generates a time-based one-time password; for more details on TOTP, please refer to https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm. As a TOTP token, you can use various hardware tokens or software installed on user smartphones, such as Google Authenticator.

  • SMS. Obtain one-time passwords in SMS. For SMS notifications, each user must have a phone number specified in their local UTM account or in their domain account in Active Directory.

  • Email. Obtain one-time passwords by email. For email notifications, each user must have an email address specified in their local UTM account or in their domain account in Active Directory.

To set up multi-factor authentication, perform the following steps:

Step 1. Set up authentication using the Captive portal.

Multi-factor authentication is supported only when users authorize through the Captive portal. Please refer to Section Configuring a Captive portal.

Step 2. Create a multi-factor authentication profile.

In the console, go to Users and devices-->MFA profiles and create a multi-factor authentication profile. Provide the following delivery parameters for the second authentication factor when creating a new profile. You can create 3 delivery types:

  • MFA by TOTP - delivery of the second authentication factor through TOTP

  • MFA by SMS - delivery of the second authentication factor in SMS

  • MFA by email - delivery of the second authentication factor by email

For MFA by TOTP, make sure to provide the following parameters:

Name

Name of the MFA profile.

Description

Description of the MFA profile.

TOTP initialization

To use TOTP tokens, the hardware or software token on the client side must first be initialized by entering a unique key into it. You can deliver the initial key for TOTP initialization in any of the following ways:

  • Display the code on the Captive portal after first successful authentication. To do this, select Display the key on the Captive portal.

  • Send in SMS. For SMS notifications, each user must have a phone number specified in their local UTM account or in their domain account in Active Directory. For this option, make sure to select the corresponding previously created SMS profile (SMPP profile).

  • Send by email. For email notifications, each user must have an email address specified in their local UTM account or in their domain account in Active Directory. For this option, make sure to select the corresponding previously created email profile (SMTP profile).

Display a QR code

Displays a QR code on the Captive portal or in email messages for easier setting up of the TOTP hardware or software on the client side.

If a user loses their token, the administrator can require them to initialize their TOTP token again. To do this, the administrator should select the user from the list (Users and devices-->Users) and choose Reset the TOTP key. During the next authentication, the user will be asked to initialize their token again.

For MFA by SMS, make sure to provide the following parameters:

Name

Name of the MFA profile

Description

Description of the MFA profile

Auth delivery profile

SMPP profile that will be used for sending passwords in SMS. For more details on how to set up sending of passwords in SMS, please refer to Notifications

From

Specify on whose behalf the message will be sent

Body

Body of the message. You can use special variables {2fa_auth_code} in the text which will be automatically replaced with the actual passcode.

Auth code lifetime

Lifetime of passcode

For MFA over email, make sure to provide the following parameters:

Name

Name of the MFA profile

Description

Description of the MFA profile

Auth delivery profile

SMTP profile that will be used for sending passwords by email. For more details on how to set up sending of passwords by email, please refer to Notifications

From

Specify on whose behalf the message will be sent

Subject

Subject of the notification

Body

Body of the message. You can use special variables {2fa_auth_code} in the text which will be automatically replaced with the actual passcode.

Auth code lifetime

Lifetime of passcode

6.7. Users of terminal servers

The terminal server is designed for remote provision of various services to users via the remote desktop or console. In most cases, one terminal server provides services to several or even hundreds of users. However, users of a terminal server can be difficult to identify, since they share the same IP address and UserGate cannot track their network connections properly. To address this issue, consider using a special agent of the terminal service.

The terminal service agent should be installed on every terminal server whose users you want to identify. Basically, this agent is a service that transfers information about users and their network connections from the terminal server to the UserGate server. Due to the nature of the TCP/IP protocol stack, the terminal service agent can identify user traffic only at the level of the TCP and UDP protocols. Traffic sent through any other protocol, such as ICMP, cannot be identified.

An Active Directory connector is required for correct identification of terminal server users.

To set up the user identification on terminal servers, perform the following steps:

Step 1. Allow the Authorization agent service in the required zone.

Go to Network-->Zones, edit the access control parameters for the zone where terminal servers reside and allow the Authorization agent service in this zone.

Step 2. Set up a password for terminal server agents

In the UserGate console, go to the Users and devices-->Terminal servers section, click Configure and then specify the password for terminal server agents.

Step 3. Install the terminal server agent

Install the terminal server agent on all servers where you want to identify users. During installation, make sure to specify the IP address of the UserGate server and the password that you set in the previous step.

Step 4. Enable the necessary servers in the UserGate console

Once the agents are installed, the UserGate console will display a list of terminal servers. By clicking Enable or Disable, you can enable or disable identification of users from the selected servers.

Now UserGate is able to receive information of terminal users.

All IP addresses assigned to the terminal server will be used for user authentication. To exclude some IP addresses from authentication, edit the configuration file C:\ProgramData\Entensys\Terminal Server Agent\tsagent.cfg and list the excluded IP addresses as:

ExcludeIP=IP1;IP2

6.8. Authentication agent for Windows

The system also offers a special authentication agent - yet another identification method for users who are working in the Windows operating system in Active Directory environment. The agent provides a convenient service which transfers information about users, such as their usernames and IP addresses, to the UserGate server for proper identification of all network connections, thereby eliminating the need for additional identification methods. To set up the user identification in the authentication agent, perform the following steps:

Step 1. Allow the Authorization agent service in the required zone.

Go to Network-->Zones, edit the access control parameters for the zone where users reside and allow the Authorization agent service in this zone.

Step 2. Set up a password for terminal server agents

In the UserGate console, go to the Users and devices-->Terminal servers section, click Configure and then specify the password for terminal server agents.

Step 3. Install the authentication agent

Using Active Directory Group Policy, install the authentication agent on all PCs where you are going to identify users. The authentication agent is supplied with an administrative template for convenient deployment through Active Directory policies. Using this template, administrators can deploy a pre-configured agent to a large number of user workstations at once. The template lets you provide the IP address and port of the UserGate server and the password that you set in the previous step. For more details on how to deploy software using Active Directory policies, please refer to the Microsoft documentation.

Alternatively, install the authentication agent manually and provide the required settings in the following registry keys (ServerIP is the UserGate server address and SharedKey is the password set in Step 2):

[HKEY_CURRENT_USER\Software\Policies\Entensys\Auth Client]
"ServerIP"=""
"ServerPort"="1813"
"SharedKey"=""

UserGate can now receive user information from the agent. If an Active Directory connector is configured, all user names from Active Directory are available in the system. If the user list is missing in UserGate, you can still write rules for the Known users and Unknown users objects.

6.9. Proxy agent for Windows

For Windows users, Internet access can be provided through an explicitly specified proxy server even for applications that cannot work with a proxy directly. The same is needed when UserGate is not the default Internet gateway of the user workstations. In both cases you can use the proxy agent. The proxy agent redirects all TCP connections that are not destined for local addresses to UserGate, which acts as a proxy server for them.

Important! The proxy agent does not authenticate users on UserGate. If authentication is required, set up a user authentication method as well, e.g. install the authentication agent for Windows.

You can also install the proxy agent either manually or by using Active Directory policies.

When installing and setting up the agent manually, create a text file called utmagent.cfg in C:\Documents and Settings\All Users\Application Data\Entensys\UTMAgent\ with the following content:

ServerName=10.255.1.1
ServerHttpPort=8090
LocalNetwork=192.168.1.0/24; 192.168.0.0/24; 192.168.30.0/24;

ServerName and ServerHttpPort are the IP address and proxy port of UserGate; port 8090 is the default.
LocalNetwork is a list of networks whose traffic is not redirected to the proxy. The networks of the workstation's own interfaces are never redirected, even if they are not listed.

Once the configuration file is created or modified, make sure to restart the proxy agent service.

The proxy agent also ships with an administrative template for deployment through Active Directory Group Policy. Using this template, administrators can roll out a pre-configured agent to a large number of workstations at once. For details on deploying software through Active Directory policies, refer to the Microsoft documentation.

All parameters required for the proxy agent are specified in the group policy. They are written to the Registry on the workstation and therefore take priority over the CFG file. Removing the agent through the policy does not remove these values from the Registry; they remain in the following branch:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Entensys\UTMAgent

6.10. Guest portal

In UserGate, you can create lists of guest users. This is especially useful for hotels and public Wi-Fi networks, where users must be identified and given Internet access for a limited period of time.

Guest (transient) users can either be created by the network administrator beforehand or register on their own, with subsequent confirmation by SMS or email.

To create a new list of guest users, perform the following steps:

Name

Description

Step 1. Create a new administrator of guest users (optional)

  • In the Administration section, click Add and create an administrator profile with read and write permission for Guest portal in the web console.

  • Create an administrator account and assign the created role to it.

For more details on how to create UserGate administrators, please refer to the corresponding section.

Step 2. Create a new group for guest users. This group will allow you to manage access policies for transient users

In the UserGate console, go to the Groups section, click Add and then create a new group with the Group for guest users option enabled. For more details on how to create user groups, please refer to the corresponding section of the Guide.

Step 3. Connect to the guest portal console

Open https://IP_UserGate:8001/ta in a web browser and log in with the user name and password of a device administrator or of the guest user administrator created in Step 1.

Step 4. Create a new list of users

Click Create in the console and fill in the following fields:

  • Number of users to create

  • Comment

  • Expiration date and time - date and time when the transient user's account will be disabled

  • TTL - time period since the first authentication of the transient user after which the corresponding account will be disabled

  • Password length - password length for created users

  • Password complexity - password complexity for created users. Possible values:
    Numeric - digits only
    Alphanumeric - digits and letters
    Alphanumeric+special - digits, letters and special characters such as @#%^&*
  • Groups - the group(s) for transient users created in Step 2

You can view the list of created users in the Users list section of the console for managing transient users.

To allow users to register in the system on their own, perform the following steps:

Name

Description

Step 1. Create a new SMPP notification profile (for SMS confirmations) or SMTP notification profile (for email confirmations)

In the Notifications section, go to Notification profiles, click Add and create a new SMPP or SMTP notification profile. For more details on how to create a notification profile, please refer to Notification profiles.

Step 2. Create a new group for guest users. This group will allow you to manage access policies for transient users

In the UserGate console, go to the Groups section, click Add and then create a new group with the Group for guest users option enabled. For more details on how to create user groups, please refer to the corresponding section of the Guide.

Step 3. Create a new Captive profile which uses notification profile that you have created for guest users

In the Users and devices section, go to Captive profiles, create a new profile and select the previously created notification profile. In the Authentication page field, select Captive portal: email auth or Captive portal: SMS auth depending on the notification method you are going to use. Set the notification text, the group for guest users and the period for which the new account will be valid. For more details on how to create Captive profiles, please refer to the corresponding section of the Guide.

Step 4. Create a new Captive portal rule with the Captive profile that you have created on the previous step

In the Users and devices section, go to the Captive portal and create a new rule. Use previously created Captive profile. For more details on how to create Captive portal rules, please refer to Configuring a Captive portal.

6.11. Radius accounting

UserGate can update users' IP addresses from the accounting information sent by Radius servers. This is convenient when integrating UserGate into ISP networks that assign dynamic IP addresses to users. To update user IP addresses, perform the following steps:

Name

Description

Step 1. Add a user to UserGate

Add the necessary local users to UserGate. Refer to the Users section.

Step 2. Allow the Authorization agent service in the required zone

Go to Network-->Zones and select the zone of the interface on which Radius accounting packets will be received. Allow the Authorization agent service in this zone. For more details on how to set up zones, please refer to Configuring zones.

Step 3. Set up a password for terminal server agents

Go to Terminal servers, click Settings and provide a password for terminal server agents. This password is used as the Radius shared secret when setting up the Radius server.

Step 4. Set up a Radius server

On the Radius server, configure sending of Radius accounting information to UserGate: specify the IP address of the UserGate server as the accounting server address and UDP 1813 as the port. Use the password set for terminal server agents in the previous step as the Radius shared secret.

Configure the server to send the user name in the 'User-Name (type=1)' attribute and the IP address in the 'Framed-IP-Address (type=8)' attribute.

For more details on setting up Radius, please refer to the documentation for your Radius server.

As a result, UserGate updates user IP addresses from the Radius accounting information received from the server. Depending on the received information, UserGate does the following:

Name

Description

Case 1. The Radius server has sent a user name that does not exist in UserGate

UserGate responds 'Accounting reject' to the accounting request.

Case 2. The Radius server has sent a user name that exists in UserGate with 'Acct-Status-Type' = 'Start' or 'Interim-Update'

The received IP address is assigned to the specified user. If the user already has another IP address, the new address is added, so the user has two or more IP addresses.

If the user already has the same IP address, no changes are made.

If this IP address is already assigned to another user, it is removed from that user and assigned to the user specified in the request.

Case 3. The Radius server has sent a user name that exists in UserGate with 'Acct-Status-Type' = 'Stop'

The received IP address is removed from the specified user.
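The following Python script is an added example, not part of the UserGate product or this Guide. It builds Accounting-Request packets of the kind described above (RFC 2866, code 4, carrying User-Name and Framed-IP-Address attributes, with the terminal server agent password as the shared secret), verifies the Request Authenticator on receipt, and then applies the three cases above to a constructed user table. The user names, addresses and password are constructed sample data, and the "reject" result only models the page's description of the unknown-user case, not the exact reply UserGate sends.

```python
"""Added example (not UserGate code): RFC 2866 Accounting-Request packets and the
user/IP update logic described above, applied to a constructed user table."""
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1          # 'User-Name (type=1)'
ATTR_FRAMED_IP = 8          # 'Framed-IP-Address (type=8)'
ATTR_ACCT_STATUS_TYPE = 40  # Start=1, Stop=2, Interim-Update=3
STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}
STATUS_NAME = {v: k for k, v in STATUS.items()}


def _avp(kind: int, value: bytes) -> bytes:
    # Attribute-Value Pair: Type (1 byte) | Length (1 byte, includes the 2-byte header) | Value
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_accounting_request(secret: bytes, ident: int, user: str, ip: str, status: str) -> bytes:
    attrs = (_avp(ATTR_USER_NAME, user.encode())
             + _avp(ATTR_FRAMED_IP, ipaddress.IPv4Address(ip).packed)
             + _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS[status])))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator =
    # MD5(Code + Identifier + Length + 16 zero octets + request attributes + shared secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Check the authenticator with our copy of the secret, then extract the three attributes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    if hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest() != packet[4:20]:
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    rec, pos = {}, 0
    while pos < len(attrs):
        kind, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        if kind == ATTR_USER_NAME:
            rec["user"] = value.decode()
        elif kind == ATTR_FRAMED_IP:
            rec["ip"] = str(ipaddress.IPv4Address(value))
        elif kind == ATTR_ACCT_STATUS_TYPE:
            rec["status"] = STATUS_NAME[struct.unpack("!I", value)[0]]
        pos += alen
    return rec


def apply_accounting(users: dict, rec: dict) -> str:
    """users maps user name -> set of IP addresses. Implements Cases 1-3 above."""
    user, ip, status = rec["user"], rec["ip"], rec["status"]
    if user not in users:
        return "reject"                       # Case 1: unknown user name
    if status in ("Start", "Interim-Update"):  # Case 2
        for other, ips in users.items():      # the address moves away from any other owner
            if other != user:
                ips.discard(ip)
        users[user].add(ip)                   # no-op if already present; otherwise added alongside
        return "assigned"
    if status == "Stop":                      # Case 3
        users[user].discard(ip)
        return "removed"
    raise ValueError(f"unexpected Acct-Status-Type {status}")


def demo() -> dict:
    secret = b"terminal-agent-password"   # constructed; the value set under Terminal servers
    users = {"alice": set(), "bob": {"10.20.0.5"}}  # constructed user table
    events = [("alice", "10.20.0.5", "Start"),           # taken away from bob
              ("alice", "10.20.0.7", "Interim-Update"),  # alice now has two addresses
              ("alice", "10.20.0.5", "Stop"),
              ("mallory", "10.20.0.9", "Start")]         # not a UserGate user
    results = []
    for ident, (user, ip, status) in enumerate(events):
        packet = build_accounting_request(secret, ident, user, ip, status)
        results.append(apply_accounting(users, parse_accounting_request(packet, secret)))
    return {"results": results, "users": {k: sorted(v) for k, v in users.items()}}
```

Because the authenticator is an MD5 over the packet and the shared secret, a packet built with the wrong password is rejected before any user table is touched; this is the only protection the accounting exchange has, so treat the terminal agent password as a secret and restrict the Authorization agent service to the zone that actually carries the Radius traffic.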

6.12. BYOD policies

Many companies allow their employees to work from their own devices and PCs, or BYOD devices ("Bring Your Own Device"). In UserGate, network administrators can manage BYOD devices, e.g. by limiting Internet access by device type, by the number of simultaneous devices per user or by specific device model.

Important! BYOD management requires properly configured authentication of users via the Captive portal. Note that BYOD policies cannot be applied to user devices that are not authorized via the Captive portal. For more details on the Captive portal, please refer to Configuring a Captive portal.

To set up BYOD management, perform the following steps:

Name

Description

Step 1. Create a new rule for the Captive portal

For more details on how to create rules of the Captive portal, please refer to Configuring a Captive portal.

Step 2. Create a new BYOD policy

Create one or more BYOD policy rules.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! If no rules have been created, then all device types will be allowed.

To create a new rule for the BYOD policy, click Add in the BYOD policies section and then specify the following parameters:

Name

Description

Name

Name of the BYOD policy rule

Comment

Description of the BYOD policy rule

Action

Allow - allows connections from devices that meet the rule's criteria

Deny - prohibits connections from devices that meet the rule's criteria

Administrator’s approval required

Applicable to "allow" rules only. When this option is enabled, each user device successfully authorized for the first time via the Captive portal will be added to the list of BYOD devices, but the Internet access will not be available until your network administrator confirms the device.

Maximum total devices

Applicable to "allow" rules only. Maximum number of devices per user for Internet access. This parameter is not applicable to rules containing Known, Unknown or Any users.

Maximum active devices

Applicable to "allow" rules only. Maximum number of simultaneous devices per user for Internet access. This parameter is not applicable to rules containing Known, Unknown or Any users.

Users/Groups

List of users and groups of users to which this BYOD policy rule is applied.

Device type

Device type to which this BYOD policy rule is applied.

Devices from which users connect to your network are listed in Users and devices-->BYOD devices. Network administrators can prohibit or allow access from a specific user device by selecting it in the list and clicking Disable or Enable respectively. From here, you can also confirm access from a device if the BYOD policy requires administrator approval.

7. Network policies

The Network policies section contains four subsections:

  • Firewall

  • NAT & routing

  • Load balancing

  • Traffic shaping

Using network policies, your network administrators will be able to organize Internet access for users, publish internal resources on the Internet, and efficiently balance network bandwidth between services and applications.

Important! Rules created in these sections are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom.

To grant Internet access to users, perform the following:

Name

Description

Step 1. Create a NAT rule

Please refer to NAT rules.

Step 2. Create an "allow" firewall rule

Please refer to the Firewall section.

To publish an internal resource on the Internet, perform the following:

Name

Description

Step 1. Create a DNAT rule or reverse-proxy rule

Please refer to DNAT rules and Publication of HTTP/HTTPS resources using the reverse proxy.

To route Internet access for a certain service or address via an alternative ISP, perform the following:

Name

Description

Step 1. Create a Route rule

Please refer to Policy-based routing.

To prohibit or allow a certain type of traffic passing through UserGate, perform the following:

Name

Description

Step 1. Create a firewall rule

Please refer to the Firewall section.

To distribute traffic to several internal servers, perform the following:

Name

Description

Step 1. Create a load balancing rule

For more details, please refer to Load balancing.

To limit the bandwidth allocated to a certain service or application, perform the following:

Name

Description

Step 1. Create a shaping rule

For more details, please refer to Traffic shaping.

7.1. Firewall

Based on various firewall rules, network administrators can allow or prohibit any type of transit network traffic passing through UserGate. You can use zones, source/destination IP addresses, users, groups, services and applications as the matching criteria.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

Important! When no rules are defined, the transit traffic cannot pass through UserGate.

To create a new firewall rule, click Add in the Network policies--> Firewall section and specify the following parameters.

Name

Description

Enabled

Enables or disables a rule

Name

Rule name

Description

Description of a rule

Action

Deny - blocks the traffic

Allow - allows the traffic

Scenarios

It indicates a scenario that must be active for applying the rule. For more details on scenarios, please refer to Scenarios.

Important! A scenario represents an additional condition. If the scenario is not activated (i.e. one or more its triggers are not launched), the rule will not be applied.

Enable logging

Logs information about traffic when a rule is triggered. The following modes can be used:

  • Log session start. Only the first packet of every session is logged. This is the recommended logging setting.

  • Log all packets. Every network packet is logged. In this mode, enable a logging limit to avoid high system utilization.

Apply rule to

  • Any packets

  • Only fragmented packets - only packets with the fragmentation bit set

  • Not fragmented packets - only packets with the fragmentation bit not set

Source

Zone(s) and IP addresses of the traffic source

Users

List of users and groups of users to which this rule applies. You can also use the Any, Unknown and Known user types. To apply rules to individual users or to Known users, authentication must be set up properly. For more details on user identification, please refer to Users and devices.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Service

Service type, e.g. HTTP or HTTPS

Application

List of applications to which this rule will be applied.

Time

Time ranges when rule is active.
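As an added illustration (example code, not UserGate's own implementation), the following Python script models the matching behaviour described in this section: rules are evaluated from the top, the first enabled rule whose conditions all match decides, the Negate checkbox inverts a single condition, and traffic that matches no rule is denied. Zone names, networks, user groups and services are constructed sample values; only the zone, address, user and service criteria are modelled, not scenarios, applications or time ranges.

```python
"""Added example (not UserGate code): first-match evaluation of firewall-style rules
with a per-condition Negate, falling back to deny when nothing matches."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Cond:
    """One rule condition. Empty values = Any; negate mirrors the Negate checkbox (logical NOT)."""
    values: tuple = ()
    negate: bool = False

    def matches(self, value) -> bool:
        if not self.values:
            return True
        if isinstance(value, ipaddress.IPv4Address):
            hit = any(value in net for net in self.values)   # values are IPv4Network objects
        else:
            hit = value in self.values                        # zones, services, user groups
        return hit != self.negate


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src_zone: Cond = Cond()
    src_ip: Cond = Cond()
    dst_zone: Cond = Cond()
    dst_ip: Cond = Cond()
    service: Cond = Cond()
    user: Cond = Cond()
    enabled: bool = True


def evaluate(rules, pkt) -> tuple:
    """Return (action, rule name) from the first enabled rule whose conditions all match.
    Transit traffic that matches no rule is denied, as the section states."""
    for r in rules:
        if r.enabled and all((
            r.src_zone.matches(pkt["src_zone"]),
            r.src_ip.matches(pkt["src_ip"]),
            r.dst_zone.matches(pkt["dst_zone"]),
            r.dst_ip.matches(pkt["dst_ip"]),
            r.service.matches(pkt["service"]),
            r.user.matches(pkt["user"]),
        )):
            return r.action, r.name
    return "deny", "(no matching rule)"


def packet(src_zone, src_ip, dst_zone, dst_ip, service, user) -> dict:
    return dict(src_zone=src_zone, src_ip=ipaddress.IPv4Address(src_ip),
                dst_zone=dst_zone, dst_ip=ipaddress.IPv4Address(dst_ip),
                service=service, user=user)


# Constructed sample policy: specific rules first, the broad rule last.
SERVERS = ipaddress.IPv4Network("192.168.10.0/24")
BLOCK_GUESTS = Rule("Block guests", "deny", src_zone=Cond(("Trusted",)), user=Cond(("Guests",)))
ADMINS_NOT_SERVERS = Rule("Admins, except server net", "allow", src_zone=Cond(("Trusted",)),
                          user=Cond(("Admins",)), dst_ip=Cond((SERVERS,), negate=True))
ALLOW_WEB = Rule("Allow web", "allow", src_zone=Cond(("Trusted",)),
                 dst_zone=Cond(("Untrusted",)), service=Cond(("HTTP", "HTTPS")))
POLICY = [BLOCK_GUESTS, ADMINS_NOT_SERVERS, ALLOW_WEB]


def demo() -> dict:
    guest_web = packet("Trusted", "10.0.0.50", "Untrusted", "93.184.216.34", "HTTP", "Guests")
    return {
        # the specific deny sits above the broad allow, so guests are blocked
        "guest_web": evaluate(POLICY, guest_web),
        # same packet with the broad rule moved up: ordering alone changes the verdict
        "guest_web_reordered": evaluate([ALLOW_WEB, BLOCK_GUESTS], guest_web),
        # a Known user browsing the web is allowed by the broad rule
        "staff_web": evaluate(POLICY, packet("Trusted", "10.0.0.51", "Untrusted", "93.184.216.34", "HTTPS", "Known")),
        # Negate: admin to a non-server address matches; admin to the server net does not and falls through
        "admin_other": evaluate(POLICY, packet("Trusted", "10.0.0.9", "DMZ", "10.50.0.5", "SSH", "Admins")),
        "admin_servers": evaluate(POLICY, packet("Trusted", "10.0.0.9", "Trusted", "192.168.10.5", "SSH", "Admins")),
        # nothing matches SMTP from staff: implicit deny
        "staff_smtp": evaluate(POLICY, packet("Trusted", "10.0.0.51", "Untrusted", "93.184.216.34", "SMTP", "Known")),
    }
```

The "guest_web" and "guest_web_reordered" results are the point of the Important note above: the same two rules give opposite verdicts depending only on their order, so the specific deny must stay above the broad allow.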

7.2. NAT and routing

Based on NAT and routing rules, network administrators can create rules for NAT, DNAT and routing. UserGate supports NAT/DNAT for complex protocols that use dynamic ports; FTP, PPTP, SIP and H.323 are supported.

7.2.1. NAT rules

In most cases, providing Internet access to users requires at least one NAT rule from the Trusted zone to the Untrusted zone.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

To create a new NAT rule, click Add in the Network policies--> NAT and routing section and specify the following parameters.

Name

Description

Enabled

Enables or disables a rule

Name

Rule name

Comment

Description of a rule

Type

Select NAT

Enable logging

Logs information about traffic when a rule is triggered. The following modes can be used:

  • Log session start. Only the first packet of every session is logged. This is the recommended logging setting.

  • Log all packets. Every network packet is logged. In this mode, enable a logging limit to avoid high system utilization.

SNAT IP address (external IP)

The IP address used as the source address of translated packets. This makes sense when several IP addresses are assigned to the interfaces of the destination zone. If the field is empty, an arbitrary address of the destination zone is used.

For higher firewall performance, it is recommended that you provide SNAT IP explicitly.

Source

A source zone and/or a list of source IP addresses for the traffic.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Services

Service type, e.g. HTTP, HTTPS, etc.

Important! It is recommended that you create global NAT rules, e.g. a single NAT rule from your local network (i.e. Trusted zone) to the Internet (i.e. Untrusted zone), and then define access policies for users, services and applications through firewall rules.

7.2.2. DNAT rules

The DNAT rules are designed for publishing internal network resources on the Internet. For publication of HTTP/HTTPS servers, it is recommended that you use publication based on the reverse proxy rules. For more details on publication of resources using reverse proxy rules, please refer to the Publication of HTTP/HTTPS resources using the reverse proxy section. For publication of non-HTTP/HTTPS servers, consider using DNAT.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

To create a new DNAT rule, click Add in the Network policies--> NAT and routing section and specify the following parameters.

Name

Description

Enabled

Enables or disables a rule

Name

Rule name

Comment

Description of a rule

Type

Select DNAT

Enable logging

Logs information about traffic when a rule is triggered. The following modes can be used:

  • Log session start. Only the first packet of every session is logged. This is the recommended logging setting.

  • Log all packets. Every network packet is logged. In this mode, enable a logging limit to avoid high system utilization.

Source

A source zone and/or a list of source IP addresses for the traffic.

Destination

One of UserGate's public IP addresses to which external clients will be sending their traffic.

Services

Type of the service you are going to publish, e.g. HTTP. If no services are specified, all services are published, i.e. every port of the internal host becomes reachable from the source; specify the services explicitly to limit the exposure.

Important! The following ports are reserved for UserGate internal use and cannot be used in services: 2200, 8001, 4369, 9000-9100.

DNAT target IP

IP address of the internal host you are going to publish on the Internet.

Enable SNAT

When this option is enabled, UserGate replaces the source address of packets coming from the external network to the published server with its own IP address. The published server then sees all connections as originating from UserGate rather than from the real clients, which matters for its logs and any access control it applies by client address.

7.2.3. Port forwarding rules

Port forwarding rules are similar to DNAT rules, except that these rules allow you to modify the port number for publication of an internal service. To create a port forwarding rule, click Add in Network policies-->NAT and routing and then provide the necessary parameters.

Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its specific conditions are met will be applied. Therefore, make sure to place more specific rules above the more common ones in the list. Use the Up/Down buttons to change the order of rules in the list.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

Name

Description

On/Off

Enable or disable the rule

Name

Name of the rule

Comment

Description of the rule

Type

Select Port forwarding

Enable logging

Logs information about traffic when a rule is triggered. The following modes can be used:

  • Log session start. Only the first packet of every session is logged. This is the recommended logging setting.

  • Log all packets. Every network packet is logged. In this mode, enable a logging limit to avoid high system utilization.

Source

A source zone and/or a list of source IP addresses for the traffic.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Port forwarding

Modify the ports of the published services:

  • Original destination port - the TCP/UDP port to which external clients send requests.
    Important! The following ports are reserved for UserGate internal use and cannot be used here: 2200, 8001, 4369, 9000-9100.
  • New destination port - the TCP/UDP port to which requests are forwarded on the internal published server.

DNAT destination address

IP address which is assigned to a workstation in a local area network and will be published on the Internet.

Enable SNAT

When this option is enabled, UserGate will be replacing source addresses in packets from external networks with its own IP address.

7.2.4. Policy-based routing

Based on the policy-based routing rules, you can specify a dedicated route to the Internet for certain hosts and/or services. Suppose that your company uses 2 ISPs, so that all HTTP/HTTPS traffic is forwarded via ISP1 while ISP2 handles the remaining traffic. To do this, specify the Internet gateway of ISP2 as the default gateway and then create a new rule for forwarding all HTTP/HTTPS traffic to a gateway of ISP1.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

To create a new routing rule, click Add in the Network policies--> NAT and routing section and specify the following parameters.

Name

Description

Enabled

Enables or disables a rule

Name

Rule name

Comment

Description of a rule

Type

Select Policy-based routing

Enable logging

Logs information about traffic when a rule is triggered. The following modes can be used:

  • Log session start. Only the first packet of every session is logged. This is the recommended logging setting.

  • Log all packets. Every network packet is logged. In this mode, enable a logging limit to avoid high system utilization.

Gateway

Select an existing gateway. You can add more gateways in Network-->Gateways.

Source

A source zone and/or a list of source IP or MAC addresses for the traffic.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Services

Service type, e.g. HTTP, HTTPS, etc.

7.2.5. Network mapping

The network mapping rules allow you to replace the address of the source or destination network. This may be useful when you have multiple networks with the same addressing, e.g. 192.168.1.0/24, and you want to merge them into a single network with common routes. Such merging can be implemented only with replacement of addresses.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

To create a new Network mapping rule, click Add in the Network policies--> NAT and routing section and specify the following parameters.

Name

Description

Enabled

Enables or disables a rule

Name

Rule name

Comment

Description of a rule

Type

Select Network mapping

Enable logging

Logs information about traffic when a rule is triggered. The following modes can be used:

  • Log session start. Only the first packet of every session is logged. This is the recommended logging setting.

  • Log all packets. Every network packet is logged. In this mode, enable a logging limit to avoid high system utilization.

Source

A source zone and/or a list of source IP addresses for the traffic.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Services

Service type, e.g. HTTP, HTTPS, etc.

Network mapping

Set the network replacement parameters.

Direction:

  • Input, replace destination network address. The destination IP addresses will be replaced in the traffic that meets the criteria. The network address will be replaced with the value specified in New network/mask.

  • Output, replace source network address. The source IP addresses will be replaced in the traffic that meets the criteria. The network address will be replaced with the value specified in New network/mask.

New network/mask is the network address that will be used for replacement.

7.3. Load balancing

UserGate supports load balancing for various services within a local network. Balancing is available for:

  • Internal servers published on the Internet (DNAT)

  • Internal servers that are not published

  • Traffic sent to external ICAP servers or an ICAP farm

  • Traffic sent to servers published through the reverse proxy

The balancer uses several methods to dynamically distribute requests received on the IP address of a virtual server among the IP addresses of the real (physical) servers. To set up balancing, create balancing rules in the Network policies-->Load balancing section.

To create a balancing rule for TCP/IP servers, select Add a TCP/IP load balancer and provide the following parameters:

Name

Description

Enabled

Enables or disables a rule

Name

Name of the balancing rule

Description

Description of the balancing rule

Virtual server IP

Select an IP address from the list of addresses assigned to UserGate network interfaces. If necessary, administrators can also add more IP addresses to any interface.

Protocol

The protocol, TCP or UDP, for which load balancing is performed

Port

Port for which you are going to perform load balancing

Scheduler

You can choose between 4 load balancing methods:

  • Round robin - each new connection is forwarded to the next server in the list, distributing load evenly across all servers

  • Weighted round robin - like Round robin, except that each server is assigned a weight so that traffic is distributed according to server capacity

  • Least connections - each new connection is forwarded to the server currently serving the fewest connections

  • Weighted least connections - like Least connections, except that each server is assigned a weight so that traffic is distributed according to server capacity

Real servers

Add a new pool of physical servers to which you are going to forward traffic. Specify the following parameters for each server:

  • IP address of server

  • Port to which you are going to forward user requests

  • Weight. This factor allows for more efficient load distribution among physical servers when using Weighted round robin or Weighted least connections. A server with a larger weight receives a larger share of the connections

  • Mode. Two options are possible:
    Gate - forwards traffic to the real server by routing, without address translation
    Masq - forwards traffic to the real server by means of NAT

Fallback

Failover mode is used when all physical servers are unavailable. To activate the fallback mode, enable it and then specify the following parameters:

  • IP address of the server to which requests will be forwarded in case of fallback

  • Port to which you are going to forward user requests

  • Mode. Two options are possible:
    Gate - forwards traffic to the fallback server by routing, without address translation
    Masq - forwards traffic to the fallback server by means of NAT

Monitoring

Monitoring lets you set up automatic health checks for the physical servers. Any server that fails the health check is excluded from balancing.

Mode

Monitoring method for physical servers. Possible values:

  • ping - checks availability of a node using the ping command

  • connect - checks availability of a node by establishing a TCP connection to the specified port

  • negotiate - checks availability of a node by sending a predefined HTTP or DNS query and comparing the actual response with the expected one. To set up this mode, select the service type (HTTP or DNS) and fill in the Request and Expected response fields

Check interval

Minimum time period between subsequent checks

Check timeout

Maximum time period of waiting for a response

Max failures

Number of failed attempts of physical server checking after which the server will be considered unavailable and therefore will be excluded from balancing.

Important! Balancing rules have a higher priority and therefore are applied before NAT/DNAT/routing rules.
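As an added illustration (not UserGate code), the following Python model shows how the four schedulers, the server weights, Max failures and the Fallback server described above interact; the server addresses, the probe function and the weights are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class RealServer:
    """One entry of the Real servers pool (IP, port, weight, mode)."""
    ip: str
    port: int
    weight: int = 1
    mode: str = "masq"      # "gate" (forward by routing) or "masq" (forward by NAT)
    failures: int = 0       # consecutive failed health checks
    active: int = 0         # connections currently assigned to this server
    available: bool = True  # False once Max failures is reached


class Balancer:
    """A virtual server: scheduler, health monitoring and fallback server."""

    def __init__(self, scheduler: str, servers: list[RealServer],
                 max_failures: int = 3, fallback: Optional[RealServer] = None):
        self.scheduler = scheduler
        self.servers = servers
        self.max_failures = max_failures
        self.fallback = fallback
        self._rr = -1  # position of the last server chosen by round robin

    def health_check(self, probe: Callable[[RealServer], bool]) -> None:
        """One monitoring pass. `probe` stands in for the ping/connect/negotiate
        check and returns True when the server answered correctly. A server is
        excluded after `max_failures` consecutive failures and re-admitted as
        soon as a check succeeds again."""
        for s in self.servers:
            if probe(s):
                s.failures, s.available = 0, True
            else:
                s.failures += 1
                if s.failures >= self.max_failures:
                    s.available = False

    def pick(self) -> Optional[RealServer]:
        """Choose the server for a new connection; when every real server is
        unavailable the fallback server (possibly None) is returned instead."""
        pool = [s for s in self.servers if s.available]
        if not pool:
            return self.fallback
        if self.scheduler == "round_robin":
            self._rr = (self._rr + 1) % len(pool)
            chosen = pool[self._rr]
        elif self.scheduler == "weighted_round_robin":
            # each server appears `weight` times in the cycle, so a weight-3
            # server takes three connections for every one of a weight-1 server
            cycle = [s for s in pool for _ in range(s.weight)]
            self._rr = (self._rr + 1) % len(cycle)
            chosen = cycle[self._rr]
        elif self.scheduler == "least_connections":
            chosen = min(pool, key=lambda s: s.active)
        elif self.scheduler == "weighted_least_connections":
            # fewest connections relative to the server's weight (capacity)
            chosen = min(pool, key=lambda s: s.active / s.weight)
        else:
            raise ValueError(f"unknown scheduler: {self.scheduler}")
        chosen.active += 1
        return chosen


def distribute(scheduler: str, weights: list[int], n: int) -> list[int]:
    """Assign n new connections to servers with the given weights (constructed
    pool, no real traffic) and return how many each server received."""
    servers = [RealServer(f"10.0.0.{i + 1}", 80, w) for i, w in enumerate(weights)]
    lb = Balancer(scheduler, servers)
    for _ in range(n):
        lb.pick()
    return [s.active for s in servers]


def exclusion_demo(failed_checks: int, max_failures: int) -> bool:
    """Is a server still in the pool after `failed_checks` consecutive failures?"""
    s = RealServer("10.0.0.1", 80)
    lb = Balancer("round_robin", [s], max_failures=max_failures)
    for _ in range(failed_checks):
        lb.health_check(lambda _s: False)  # constructed: the check always fails
    return s.available


def fallback_demo() -> str:
    """With every real server down, new connections go to the Fallback server."""
    pool = [RealServer("10.0.0.1", 80), RealServer("10.0.0.2", 80)]
    fb = RealServer("10.0.0.9", 8080, mode="gate")
    lb = Balancer("least_connections", pool, max_failures=2, fallback=fb)
    for _ in range(2):
        lb.health_check(lambda _s: False)
    chosen = lb.pick()
    return f"{chosen.ip}:{chosen.port}"
```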

The ICAP service balancer distributes the workload across external ICAP server farms, e.g. an external server farm running anti-virus software. This balancer can then be used in ICAP rules. To create an ICAP server balancer, select Add an ICAP load balancer and provide the following parameters:

Enabled

Enable or disable the rule

Name

Name of the balancing rule

Description

Description of the balancing rule

ICAP profiles

Select ICAP profiles of the servers to which the workload should be distributed. For more details on ICAP servers, please refer to section Integration with external ICAP servers.

The reverse proxy server balancer distributes the workload across internal servers or server farms published using the reverse proxy rules. This balancer can then be used in reverse proxy rules. To create a reverse proxy server balancer, select Add a reverse proxy load balancer and provide the following parameters:

Enabled

Enable or disable the rule

Name

Name of the balancing rule

Description

Description of the balancing rule

Reverse proxy profiles

Select the reverse proxy profiles of the servers to which the workload should be distributed. For more details on publication using reverse proxy rules, please refer to the Publication of HTTP/HTTPS resources using the reverse proxy section.

7.4. Traffic shaping

Traffic shaping rules allow you to limit the bandwidth available to certain users, hosts, services or applications.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be placed at the top of the list and the broader rules at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all of its conditions are met. The Negate checkbox inverts a condition, i.e. it corresponds to logical negation (NOT).

To create a new traffic shaping rule, click Add in the Network policies-->Traffic shaping section and specify the following parameters.

Enabled

Enables or disables a rule

Name

Rule name

Description

Description of a rule

Bandwidth pools

Select a bandwidth pool. You can add more bandwidth pools in Libraries-->Bandwidths.

Scenarios

A scenario that must be active for the rule to apply. For more details on scenarios, please refer to Security policies-->Scenarios.

Important! A scenario is an additional condition. If the scenario is not active (i.e. one or more of its triggers have not fired), the rule will not be applied.

Source

A source zone and/or a list of source IP addresses for the traffic.

Users

Users or groups

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Service

Service type, e.g. HTTP, HTTPS, etc.

Application

List of applications for which you are going to limit bandwidth. Important! To use applications, make sure you enable the Application Control module in General settings.

Time

Time ranges during which the rule is active.

8. Security policies

The Security policies section contains the following subsections:

  • Content filtering

  • Safe browsing

  • SSL inspection

  • Intrusion prevention and detection system

  • SCADA rules

  • Scenarios

  • Mail security

  • Integration with external ICAP servers

  • Publication of HTTP/HTTPS resources using the reverse proxy

Based on security policies, network administrators can perform the following:

  • Set up HTTP/HTTPS content filtering, e.g. prohibit access to certain categories of websites during specified periods for individual users, or configure virus scanning of web content

  • Set up safe browsing options, e.g. forced safe search, blocking of social network applications, logging of users' search phrases and ad blocking

  • Set up HTTPS inspection rules, e.g. decrypt HTTPS in the "Forums" category for all users and decrypt HTTPS in the "Social media" category only for selected users. Once the HTTPS traffic is decrypted, the system can apply the various content filtering and safe browsing policies to it.

  • Enable and set up the IPS settings

  • Set up spam filtering and virus scanning of the SMTP and POP3 traffic

  • Set up logging or blocking of certain SCADA commands

  • Set up selective sampling of the traffic for analysis on external ICAP servers, e.g. on DLP systems

  • Set up publication of HTTP/HTTPS servers

8.1. Content filtering

Based on content filtering rules, network administrators can allow or prohibit certain content passed through HTTP and HTTPS (if HTTPS inspection is configured). In addition, UserGate can block HTTPS traffic without decrypting its content, but only for rules that block by UserGate URL filtering categories or by lists of URLs containing host names only. In such cases, UserGate identifies the domain from the SNI (Server Name Indication) in the user request or, when SNI is not available, from the host name in the SSL certificate.

Criteria of a rule can be as follows:

  • Users and groups

  • Certain words or phrases (morphology) on web pages

  • Category of a website

  • URL

  • Zone and IP address of the source

  • Zone and IP addresses of the destination

  • MIME type of content

  • Time

  • Browser user agent (Useragent)

  • HTTP method

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be placed at the top of the list and the broader rules at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! If no rules have been created, then all content will be allowed.

Important! The rule will be applied only when all of its conditions are met. The Negate checkbox inverts a condition, i.e. it corresponds to logical negation (NOT).

To create a new content filtering rule, click Add in the Security policies-->Content filtering section and specify the following parameters.

Enabled

Enables or disables a rule

Name

Rule name

Description

Description of a rule

Action

Deny - blocks the web page

Warning - notifies a user that a web page they are trying to access is unwanted. The user will decide on their own whether to access the page or not. Each web page view is logged

Allow - allows the traffic

Enable logging

Logs information about the rule being triggered.

Check by UserGate antivirus

Applicable to Deny rules only: if a web page is infected, the entire web resource is blocked. If the rule contains additional conditions (categories, time, etc.), the virus scan is performed only when all criteria in the rule are met.

Check by Heuristic antivirus

Applicable to Deny rules only: if a web page is infected, the entire web resource is blocked. If the rule contains additional conditions (categories, time, etc.), the anti-virus scan is performed only when all criteria in the rule are met. Heuristic virus checking may require a higher-performance system.

Scenarios

A scenario that must be active for the rule to apply. For more details on scenarios, please refer to Scenarios.

Important! A scenario is an additional condition. If the scenario is not active (i.e. one or more of its triggers have not fired), the rule will not be applied.

Blocking page

Specifies the blocking page shown to users when the web resource they are trying to access is prohibited. You can either use an external page by selecting Use external URL or use a UserGate blocking page; in the latter case, select an existing blocking page template or create a new one in Libraries-->Response pages.

Source

A source zone and/or a list of source IP addresses for the traffic.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Users

List of users and user groups to which this rule will be applied. You can add users of the Any, Unknown or Known type. To apply rules to individual users or to users of the Known type, make sure authentication is set up properly. For more details on user identification, please refer to the Users and devices chapter.

Categories

List of categories from UserGate URL filtering 3.0. Note that you will need the corresponding license in order to use categories. UserGate URL filtering 3.0 is the largest database of web resources split into 73 categories for your convenience. Network administrators can efficiently manage access to unwanted web resources, such as pornography, malicious websites, online casinos, gambling websites, social media, and more.

Important! Beginning with UserGate version 5.0.7, the administrator can override the category of any website if the site is not categorized or is categorized incorrectly. For more details, please refer to Requests to a white list.

Important! Blocking by URL categories can be applied to the HTTPS traffic without decrypting it.

URLs

Lists of URLs. If you have the corresponding license, UserGate will provide you with the regularly updated lists of URLs, such as "UserGate black list", "UserGate white list", "List of prohibited websites according to some national laws", "Black list of phishing websites", and "Search engines without safe search". Network administrators can also create their own lists of URLs. For more details on how to work with lists of URLs, please refer to Libraries-->URL lists.

Important! Blocking by URL lists can be applied to the HTTPS traffic without decrypting it, provided that the lists contain only host (domain) names.

MIME-types

Lists of MIME types. Network administrators can manage video content, audio content, images, executables, and more. Network administrators can also create their own groups of MIME types. For more details on how to work with MIME types, please refer to Content types.

Morphology

List of morphology dictionaries for web page checks. If you have the corresponding license, UserGate will provide you with a set of dictionaries, such as "Suicide", "Terrorism", "Pornography", "Profanity", "Gambling", "Drugs", and others. The dictionaries are available in English, German, Russian, Japanese and Arabic.

Network administrators can also create their own dictionaries. For more details on how to work with morphological dictionaries, please refer to Morphology.

Time

Time period when the rule will be active. Network administrators can add necessary time intervals in Libraries-->Time sets.

Useragent

Useragent of user browsers for which a given rule will be applied. Administrators can add all necessary Useragents as described in the Useragents section.

HTTP method

The HTTP request method to which the rule applies; HTTP requests usually use the GET or POST method.

Referrers

A list of URLs with the referrers for the current page. The corresponding rule will be triggered when the referrer of a given page is found on this list. This functionality is useful for allowing access to certain websites in CDNs (Content Delivery Networks) while prohibiting direct access to CDN content.
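The following Python model, added here and not part of UserGate, shows how the rule semantics in this section combine: first match from the top, all criteria ANDed with Negate inverting one of them, a scenario as an extra condition, Allow when nothing matches, and, for HTTPS that is not decrypted, matching only by the host name seen in SNI. The sample rules, user names and URLs are constructed; the same ordering and Negate semantics apply to the other rule types on this page.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    user: str
    url: str                   # full URL (plain HTTP or decrypted HTTPS)
    category: str = ""         # category assigned by URL filtering
    decrypted: bool = True     # False: HTTPS that passes without decryption

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


@dataclass
class Criterion:
    values: set[str]
    negate: bool = False       # the Negate checkbox (logical NOT)

    def holds(self, hit: bool) -> bool:
        return not hit if self.negate else hit


@dataclass
class Rule:
    name: str
    action: str                           # "Deny", "Warning" or "Allow"
    enabled: bool = True
    users: Optional[Criterion] = None
    categories: Optional[Criterion] = None
    urls: Optional[Criterion] = None      # URL list: host names and/or full URLs
    scenario: Optional[str] = None        # must be active for the rule to apply


def host_only(entry: str) -> bool:
    """True when a URL-list entry is a bare host name (no scheme, no path)."""
    return "/" not in entry and ":" not in entry


def url_hit(values: set[str], req: Request) -> bool:
    """Host-only entries match the host name (all that SNI reveals for undecrypted
    HTTPS); entries with a path need the full URL, i.e. decrypted traffic."""
    for entry in values:
        if host_only(entry):
            if entry == req.host:
                return True
        elif req.decrypted and req.url.startswith(entry):
            return True
    return False


def rule_matches(rule: Rule, req: Request, active_scenarios: set[str]) -> bool:
    """Every configured criterion must hold (AND), each possibly negated;
    a criterion that is not set matches anything."""
    if not rule.enabled:
        return False
    if rule.scenario is not None and rule.scenario not in active_scenarios:
        return False
    if rule.users and not rule.users.holds(req.user in rule.users.values):
        return False
    if rule.categories and not rule.categories.holds(req.category in rule.categories.values):
        return False
    if rule.urls and not rule.urls.holds(url_hit(rule.urls.values, req)):
        return False
    return True


def evaluate(rules: list[Rule], req: Request, active_scenarios: Optional[set[str]] = None) -> str:
    """Top to bottom, the first rule whose criteria all match decides; if nothing
    matches (including the case of no rules at all) the content is allowed."""
    for rule in rules:
        if rule_matches(rule, req, active_scenarios or set()):
            return rule.action
    return "Allow"


# Constructed sample policy, most specific rules first.
SAMPLE_RULES = [
    Rule("CDN for alice", "Allow", users=Criterion({"alice"}),
         urls=Criterion({"cdn.example.net"})),
    Rule("Admin path", "Deny", urls=Criterion({"http://intranet.example.com/admin/"})),
    Rule("Gambling", "Deny", categories=Criterion({"Gambling"})),
    Rule("Torrent abusers", "Deny", users=Criterion({"bob"}), scenario="torrent-abuse"),
    Rule("Warn outside Finance", "Warning", categories=Criterion({"Finance"}, negate=True)),
]


def decide(user: str, url: str, category: str, decrypted: bool = True,
           scenarios: Optional[set[str]] = None) -> str:
    return evaluate(SAMPLE_RULES, Request(user, url, category, decrypted), scenarios)
```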

8.2. Safe browsing

In the Safe browsing section, network administrators can enable additional filtering parameters for HTTP and HTTPS (if HTTPS inspection has been configured), including the following:

  • Ad blocking. Even secure websites may display annoying ads or unwanted content in sidebars. UserGate can prevent ad banners from being displayed on web pages

  • Script injection. This feature lets you insert program code into all web pages accessible to users. The code is injected before the closing </head> HTML tag

  • Forced safe search for search engines (Google, Yahoo, Bing, Ask, Yandex) and on YouTube. This blocks unwanted content by means of the search portals themselves, which is highly effective, e.g. when filtering responses to image or video search requests

  • Logging of users' search queries

  • Blocking of social network applications. Social networks have become an important part of our life, but many companies do not allow their employees to play online games provided by social networks at work. UserGate can block such applications without affecting the other functions of the social networks

Criteria of a rule can be as follows:

  • Traffic source

  • Users and groups

  • Time

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be placed at the top of the list and the broader rules at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all of its conditions are met. The Negate checkbox inverts a condition, i.e. it corresponds to logical negation (NOT).

Important! If no rules have been created, then no additional safe browsing functions will be applied.

To create a new safe browsing rule, click Add in the Security policies-->Safe browsing section and specify the following parameters.

Enabled

Enables or disables a rule

Name

Rule name

Description

Description of a rule

Enable logging

Logs information about the rule being triggered.

AdBlock

Enable ad blocking. By clicking Exceptions, administrators can select a list of URLs for which no ad blocking is required.

Injector

Injects arbitrary program code into all web pages. To edit this code, click Injector code.

Safe search

Forcibly enables the safe search functionality

Search history

Enables logging of user search queries

Block social media apps

Blocks apps in popular social media

Source

A source zone and/or a list of source IP addresses for the traffic.

Users

List of users and user groups to which this rule will be applied. You can add users of the Any, Unknown or Known type. To apply rules to individual users or to users of the Known type, make sure authentication is set up properly. For more details on user identification, please refer to the Users and devices section.

Time

Time period when the rule will be active. Network administrators can add necessary time intervals in Libraries-->Time sets.

8.3. SSL inspection

In this section, network administrators can set up inspection of data passed over TLS/SSL, such as HTTPS or SMTP/POP3. UserGate uses the well-known Man-In-The-Middle (MITM) technique, in which content is decrypted and analyzed on the UserGate side.

HTTPS inspection ensures proper operation of the content filtering rules and safe browsing rules. SMTPS and POP3S inspection is required for spam and virus checks of the email traffic.

Based on these rules, you can set up HTTPS inspection for various categories of content, e.g. "Malware", "Anonymizers" or "Botnets", without decryption of safe categories, such as "Finance", "Government", etc. The system identifies category of a website according to the information passed in HTTPS requests, such as SNI (Server Name Indication) or Subject Name in the server certificate (when SNI is missing). The values of the Subject Alternative Name are ignored.

After decryption and analysis, the data is encrypted again with a certificate issued by the certification authority that you have previously specified in the Certificates section. Make sure to add this certificate to the trusted root certificates on users' computers; otherwise, web browsers on the user side will display a warning that the certificate cannot be trusted. For more details, please refer to Appendix 1: Installing a certificate issued by the local certification authority.

Similar to web browsers, some email servers and clients reject email messages when they detect a replaced certificate. In this case, either disable certificate checks in your email software or add exclusions for the given certificates in UserGate. For more details, please refer to your email software documentation.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be placed at the top of the list and the broader rules at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all of its conditions are met. The Negate checkbox inverts a condition, i.e. it corresponds to logical negation (NOT).

Important! When no rules are defined, the system will not be decrypting SSL and therefore the content passed through SSL will not be filtered.

Important! UserGate supports the inspection of a wide range of SSL/TLS protocol versions, including legacy versions such as TLSv1.0 and TLSv1.1 and newer versions such as TLSv1.2 and TLSv1.3. By default, compatibility with legacy protocols is enabled, which provides support for TLSv1.0-TLSv1.2. If compatibility with legacy protocols is disabled, only TLSv1.0, TLSv1.2-TLSv1.3 are supported. This setting is configured with the CLI command legacy_ssl_enabled. You can read more about CLI commands in the section Command-line interface (CLI).

To create a new SSL inspection rule, click Add in the Security policies-->SSL inspection section and specify the following parameters.

Enabled

Enables or disables a rule.

Name

Rule name.

Description

Description of a rule.

Action

  • Decrypt - decrypt traffic

  • Bypass - do not decrypt traffic

Enable logging

Logs information about the rule being triggered.

Block sites with invalid certificates

Blocks access to servers with invalid HTTPS certificates, e.g. certificates that have expired or been revoked, that were issued for another domain name, or that were issued by an untrusted certification authority.

Check the certificates revocation list

Check a site certificate against the list of revoked certificates (CRL) and block the site if any matches are found

Block expired certificates

Blocks sites whose certificates are no longer valid

Block selfsigned certificates

Block self-signed certificates

Users

List of users and user groups to which this rule will be applied. You can add users of the Any, Unknown or Known type. To apply rules to individual users or to users of the Known type, make sure authentication is set up properly. For more details on user identification, please refer to the Users and devices section.

Source

A source zone and/or a list of source IP addresses for the traffic.

Destination address

Lists of IP addresses of the traffic destination.

Services

The service for which the rule decrypts traffic: HTTPS, SMTPS or POP3S.

Categories

List of categories from UserGate URL filtering 3.0.

Domains

Lists of domain names to which this rule applies. Domain lists are created in the same way as lists of URLs, except that only domain names can be used for HTTPS inspection (e.g. www.example.com, but not http://www.example.com/home/). For more details on how to work with lists of URLs, please refer to Libraries-->URL lists.

Time

Time period when the rule is active. Network administrators can add necessary time intervals in Libraries-->Time sets.

By default, UserGate includes the SSL inspection rule Decrypt all for unknown users, which is required for authenticating unknown users on the Captive portal.

8.4. Intrusion prevention system

The intrusion detection and prevention system (IPS) can quickly detect malicious activity in your local network or from the Internet, identify, record and prevent various threats, and generate detailed reports on each suspicious event. Security breaches are usually detected by means of heuristic techniques and by matching against signatures of already known attacks. If you have the corresponding license, UserGate will regularly provide you with up-to-date databases of heuristic rules and attack signatures. IPS can track and proactively block all detected attacks in real time, e.g. terminate malicious network connections, send notifications to network administrators, log the suspicious activity, and so on.

To get started with IPS, perform the following:

Step 1. Create required IPS profiles

An IPS profile is a set of signatures relevant to the protection of certain services. Administrators can create any number of IPS profiles to protect various services. It is recommended that you avoid adding unnecessary signatures to profiles and use only the signatures that really matter for security. For example, do not add UDP-specific signatures to a profile that protects a TCP-based service. The more signatures a profile contains, the longer traffic processing takes because of the additional CPU load.

Step 2. Create the IPS rules

The IPS rules define IPS actions depending on the traffic type checked by the IPS module according to the assigned IPS profiles.

To set up an IPS profile, click IPS profiles in Security policies-->Library and then add all the necessary signatures to the profile. IPS signatures are regularly updated and delivered by UserGate to subscribers. Each signature contains the following fields:

Signature

Name of the signature

Risk

Signature's risk from 1 (low risk) to 5 (high risk)

Protocol

Protocol of the signature:

  • IP

  • ICMP

  • TCP

  • UDP

Category

A category is a group of signatures with common properties. The list of categories may be extended in the future:

  • attack_response - signatures designed to catch the results of a successful attack.

  • botcc (Bot Command and Control) - auto-generated from several sources of known and confirmed active botnet and other Command and Control hosts.

  • botcc.portgrouped - the same as above, but grouped by destination port.

  • ciarmy - collective-intelligence IP rules for blocking, based on www.ciarmy.com.

  • compromised - list of known compromised hosts.

  • current_events - category for active and short-lived campaigns. This category covers exploit kits and malware that will be aged out and removed quickly due to the short-lived nature of the threat.

  • dns - known DNS vulnerabilities.

  • dos - Denial of Service attempt detection.

  • drop - signatures to block networks on the Spamhaus "drop" list. More info at http://www.spamhaus.org.

  • dshield - IP-based signatures for attackers identified by DShield. More information can be found at http://www.dshield.org.

  • exploit - direct exploits.

  • ftp - signatures for attacks, exploits, and vulnerabilities regarding FTP.

  • icmp - signatures for attacks and vulnerabilities regarding ICMP.

  • icmp_info - signatures to log ICMP protocol-specific events, typically normal operation.

  • imap - signatures for the identification of, as well as attacks and vulnerabilities regarding, the IMAP protocol.

  • info - potential data leak.

  • malware - malware and spyware related, no clear criminal intent.

  • misc - signatures not covered in other categories.

  • mobile_malware - signatures specific to mobile platforms.

  • netbios - signatures for the identification of, as well as attacks, exploits and vulnerabilities regarding, NetBIOS.

  • p2p - signatures for the identification of peer-to-peer traffic and attacks against it.

  • policy - signatures for activity often disallowed by company or organizational policy.

  • pop3 - signatures for the identification of, as well as attacks and vulnerabilities regarding, the POP3 protocol.

  • rpc - RPC-related attacks, vulnerabilities, and protocol detection.

  • scada - signatures for SCADA attacks, exploits and vulnerabilities, as well as protocol detection.

  • scan - signatures to detect reconnaissance and probing (Nessus, Nikto, port scanning, etc.).

  • shellcode - signatures for remote shellcode detection.

  • smtp - signatures for attacks, exploits, and vulnerabilities regarding SMTP.

  • snmp - signatures for attacks, exploits, and vulnerabilities regarding SNMP.

  • sql - signatures for attacks, exploits, and vulnerabilities regarding SQL.

  • telnet - signatures for attacks and vulnerabilities regarding the TELNET service.

  • tftp - signatures for attacks and vulnerabilities regarding the TFTP service.

  • tor - IP-based rules for the identification of traffic to and from TOR exit nodes.

  • trojan - malicious software with clear criminal intent. These signatures detect malicious software that is in transit, active, infecting, attacking or updating.

  • user_agents - user agent identification and detection.

  • voip - signatures for attacks and vulnerabilities regarding the VoIP environment (SIP, H.323, RTP, etc.).

  • web_client - signatures for web client-side attacks and vulnerabilities.

  • web_server - signatures for attacks and vulnerabilities against web servers.

  • web_specific_apps - signatures for very specific web applications.

  • worm - traffic indicative of network-based worm activity.

Classtype

A classtype groups signatures by the type of attack class. The following classtypes are supported:

  • attempted-admin - attempted administrator privilege gain.

  • attempted-dos - attempted denial of service.

  • attempted-recon - attempted information leak.

  • attempted-user - attempted user privilege gain.

  • bad-unknown - potentially bad traffic.

  • default-login-attempt - attempt to login by a default username and password.

  • denial-of-service - detection of a denial of service attack.

  • misc-activity - miscellaneous activity

  • misc-attack - miscellaneous attack

  • network-scan - detection of a network scan

  • non-standard-protocol - detection of a non-standard protocol or event

  • not-suspicious - not suspicious traffic

  • policy-violation - potential corporate privacy violation

  • protocol-command-decode - generic protocol command decode

  • rpc-portmap-decode - decode of an rpc query

  • shellcode-detect - executable code was detected

  • string-detect - a suspicious string was detected

  • successful-admin - successful administrator privilege gain

  • successful-recon-largescale - large scale information leak

  • successful-recon-limited - information leak

  • successful-user - successful user privilege gain

  • suspicious-filename-detect - a suspicious filename was detected

  • suspicious-login - an attempted login using a suspicious username was detected

  • system-call-detect - a system call was detected

  • trojan-activity - a network trojan was detected

  • unsuccessful-user - unsuccessful user privilege gain

  • web-application-activity - access to a potentially vulnerable web application

  • web-application-attack - web application attack

When adding signatures to an IPS profile, administrators can use flexible filters, e.g. select only signatures with a very high risk that use the TCP protocol in the 'botcc' category across all classtypes.

IPS rules define the traffic to which an IPS profile will be applied and the action that the IPS module must perform when one of the profile's signatures matches.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be placed at the top of the list and the broader rules at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all of its conditions are met. The Negate checkbox inverts a condition, i.e. it corresponds to logical negation (NOT).

Important! If no rules have been created, then IPS will not work.

To set up the IPS rules, click Add in the Security policies-->Intrusion prevention section and specify the following fields:

Enabled

Enables or disables a rule.

Name

Rule name.

Description

Description of a rule.

Action

The following options are supported:

  • Pass - do not block the traffic

  • Log - do not block the traffic and record it in the log

  • Drop - block the traffic and record it in the log

Source

A source zone and/or a list of source IP addresses for the traffic.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Service

Service type, e.g. HTTP, DNS, etc.

Application

List of applications to which this rule will be applied.

Profiles

The list of IPS profiles that have been created in the previous step.

8.5. SCADA rules

Using SCADA rules, administrators can control the traffic flow of the supervisory control and data acquisition systems (SCADA) through UserGate. UserGate supports the inspection of the following SCADA protocols:

  • GOST R IEC 60870-5-104

  • Modbus

  • DNP3

  • MMS

The administrator is able to specify SCADA profiles of their own choosing, in which they can indicate the required set of protocols and commands and use them in rules.

To get started with SCADA, perform the following:

Step 1. Allow the SCADA service in the required zones.

Go to Network-->Zones, edit the access control parameters of the zone to which SCADA clients will be connecting, and allow the SCADA service in this zone.

Step 2. Create the necessary SCADA profiles.

A SCADA profile is a set of elements each containing a SCADA command and an address.

Step 3. Create the required SCADA rules.

The SCADA rules define SCADA actions depending on the traffic type checked by the SCADA module according to the assigned profiles.

To set up SCADA profiles, create a new profile in Libraries-->SCADA profiles and then add the necessary commands to it. Each record contains the following fields:

Name

Name of the profile

Description

Description of the profile

Protocol

Select the required SCADA protocol

SCADA command

Select the necessary SCADA command

SCADA address

Provide the SCADA address as a 4-byte integer.

SCADA rules define the traffic to which a SCADA profile will be applied and the action that UserGate must perform when the rule is applied.

Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all conditions are met will be applied. Therefore, make sure to place the more specific rules above the more general ones in the list. Use the Up/Down buttons to change the order of rules in the list.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

To create a new SCADA rule, click Add in Security policies-->SCADA rules and fill out the fields in the rule.

Name

Description

Enabled

Enable or disable the rule.

Name

Name of the rule.

Description

Description of the rule.

Action

The following options are supported:

  • Pass - do not block the traffic

  • Drop - block the traffic and record it in the log

It is also possible to select the option Log. If this option is enabled, the fact that a rule has been applied to traffic will be recorded in the corresponding log.

Source

A source zone and/or a list of source IP addresses for the traffic.

Destination

A list of destination IP addresses for the traffic.

Service

L4 service which will be used in the rule.

SCADA profiles

The list of SCADA profiles that have been created in the previous step.
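As an added illustration (not UserGate code), the following script parses a Modbus/TCP request into its command (function code) and address, matches it against SCADA profiles built from (protocol, command, address) elements, and walks an ordered Pass/Drop rule list with first-match and Negate semantics. The frame layout follows the public Modbus/TCP specification; the profile and rule names, and the sample frames, are constructed.

```python
import struct
from dataclasses import dataclass, field

# Modbus function codes from the public Modbus spec, used in the constructed sample
FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
                  6: "Write Single Register", 16: "Write Multiple Registers"}

@dataclass(frozen=True)
class ModbusRequest:
    unit_id: int
    function: int   # the SCADA command
    address: int    # the SCADA address (16-bit in Modbus, fits the 4-byte field)

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the start of the PDU of a Modbus/TCP request.
    MBAP: transaction id (2), protocol id (2, must be 0), length (2), unit id (1)."""
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header, function code and address")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match the frame size")
    function = frame[7]
    address = struct.unpack(">H", frame[8:10])[0]   # starting address of the request
    return ModbusRequest(unit, function, address)

@dataclass
class ScadaProfile:
    """One profile: a set of (protocol, command, address) elements, as in Libraries-->SCADA profiles."""
    name: str
    elements: set = field(default_factory=set)

    def matches(self, req: ModbusRequest) -> bool:
        return ("modbus", req.function, req.address) in self.elements

@dataclass
class ScadaRule:
    name: str
    action: str           # "pass" or "drop"
    profiles: list        # SCADA profiles attached to the rule
    negate: bool = False  # the Negate checkbox inverts the profile condition
    log: bool = False     # the Log option on a Pass rule

def evaluate(rules, req: ModbusRequest):
    """First match wins, top to bottom, as the Important! notes state.
    Returns (action, rule name, logged); traffic no rule matches is passed."""
    for rule in rules:
        hit = any(p.matches(req) for p in rule.profiles)
        if rule.negate:
            hit = not hit
        if hit:
            # Drop always records the traffic; Pass records it only when Log is ticked
            return rule.action, rule.name, rule.log or rule.action == "drop"
    return "pass", None, False

# Constructed profiles and rules (names are assumptions)
READ_ONLY = ScadaProfile("hmi-reads", {("modbus", 1, 0), ("modbus", 3, 0)})
WRITES = ScadaProfile("plc-writes", {("modbus", 6, 0), ("modbus", 16, 0)})
RULES = [
    ScadaRule("allow HMI polling", "pass", [READ_ONLY], log=True),
    ScadaRule("block writes to address 0", "drop", [WRITES]),
]

def build_frame(function: int, address: int, value: int, unit: int = 1) -> bytes:
    """Build a constructed 12-byte Modbus/TCP request for the sample runs."""
    pdu = struct.pack(">BHH", function, address, value)
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu

def check(frame: bytes):
    return evaluate(RULES, parse_modbus_tcp(frame))

if __name__ == "__main__":
    for fn, addr, val in ((3, 0, 10), (6, 0, 1), (5, 7, 0xFF00)):
        action, rule, logged = check(build_frame(fn, addr, val))
        print(f"{FUNCTION_NAMES[fn]} @ {addr}: {action} by {rule}, logged={logged}")
```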

8.6. Scenarios

UserGate allows for much faster responses to detected attacks thanks to the SOAR concept (Security Orchestration, Automation, and Response). UserGate implements this concept based on scenarios. A scenario is an additional condition in the firewall and bandwidth rules that allows administrators to set up UTM's behavior in response to certain events within a long time period. For example, scenarios can be used for the following tasks:

  • Block or limit the bandwidth for 30 minutes when a user tried to use a torrent application 5 times within the last 10 minutes.

  • Block or limit the bandwidth for a user or user group specified in a rule when any of the following triggers has been activated: a user is viewing sites from the Threats category, high-risk IPS signatures are triggered for the traffic utilized by a user, or a virus is blocked in the traffic utilized by a user.

  • Block or limit the bandwidth for a user who has already consumed their traffic limit of 10 GB/month.

Important! A scenario represents an additional condition in the firewall rules and bandwidth rules. If the scenario is not activated (i.e. one or more of its triggers have not fired), the rule will not be applied.

To get started with the scenarios, perform the following steps:

Name

Description

Step 1. Create the necessary scenarios.

Create the necessary scenarios in Security policies-->Scenarios.

Step 2. Specify the created scenarios in the firewall rules or bandwidth rules.

Add the scenarios that you have created to the firewall rules or bandwidth rules. For more details on firewall rules or bandwidth rules, please refer to Network policies.

Provide the following parameters when creating a new scenario:

Name

Description

Enabled

Enable or disable the scenario

Name

Name of the scenario

Description

Description of the scenario

Trigger for

Possible options:

  • Single user — when a scenario is triggered, a rule in which this scenario is used will be applied only to the user for which the scenario has been triggered

  • All users — when a scenario is triggered, a rule in which this scenario is used will be applied to all users specified in the Users/Group field for this rule.

Duration

A time period in minutes during which the triggered scenario will remain active. The same time period will be applied for the firewall rule or bandwidth rule in which this scenario is used.

Conditions

Define the triggering conditions for a scenario. You can specify the minimum number of triggering events within a time period that are required for triggering a scenario. When multiple conditions are selected, make sure to specify whether the scenario must be triggered when any or all of these conditions are met.

Triggering conditions

The following conditions can be used in scenarios:

  • URL category — matches with the UserGate URLF categories in the user traffic

  • A virus has been detected

  • Application — the specified application has been detected in the user traffic

  • IPS — the intrusion prevention system has been triggered

  • MIME types — the specified MIME types have been detected in the user traffic

  • Packet size — the size of a packet in the user traffic has exceeded the allowed value

  • Sessions per IP — the number of sessions per IP address has exceeded the allowed value

  • Traffic volume — the volume of the user traffic has exceeded the allowed value per time period.
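An added model (not UserGate code) of how a scenario behaves: each Condition counts events in a sliding window, any/all combines them, Duration keeps the scenario active, and Trigger for decides whether the match is per user or for everyone. Event names such as "application:torrent" and the sample timings are assumptions; the rule then applies only while the scenario is active, as the Important! note above says.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class Condition:
    event: str    # e.g. "application:torrent", "ips:high-risk", "virus", "url:threats"
    count: int    # minimum number of events ...
    window: int   # ... within this many seconds

@dataclass
class Scenario:
    name: str
    conditions: list
    duration: int                # minutes the triggered scenario stays active
    trigger_for: str = "user"    # "user" (Single user) or "all" (All users)
    match: str = "any"           # trigger on "any" or "all" of the conditions
    events: dict = field(default_factory=lambda: defaultdict(deque))  # (user, event) -> timestamps
    active_until: dict = field(default_factory=dict)                  # user or "*" -> expiry

    def observe(self, user: str, event: str, now: float) -> bool:
        """Record one event for a user; return True if the scenario fires on it."""
        for cond in self.conditions:
            q = self.events[(user, cond.event)]
            if cond.event == event:
                q.append(now)
            while q and now - q[0] > cond.window:   # slide every window to 'now'
                q.popleft()
        if not self._met(user):
            return False
        key = user if self.trigger_for == "user" else "*"
        self.active_until[key] = now + self.duration * 60
        for cond in self.conditions:                 # count afresh after firing
            self.events[(user, cond.event)].clear()
        return True

    def _met(self, user: str) -> bool:
        results = [len(self.events[(user, c.event)]) >= c.count for c in self.conditions]
        return any(results) if self.match == "any" else all(results)

    def is_active(self, user: str, now: float) -> bool:
        """A firewall or bandwidth rule that references this scenario applies only while True."""
        return any(now < self.active_until.get(k, float("-inf")) for k in (user, "*"))

def rule_applies(scenario: Scenario, user: str, now: float) -> bool:
    """Models the Important! note: without an active scenario the rule is not applied."""
    return scenario.is_active(user, now)

def simulate_torrent_user(user: str, start: float = 0.0):
    """Five torrent detections 60 s apart against a fresh 5-in-10-minutes scenario.
    Returns (event number that fired, active 29 min later, active 31 min later)."""
    scenario = Scenario("torrent-5-in-10", [Condition("application:torrent", 5, 600)], duration=30)
    fired_at = None
    for i in range(5):
        if scenario.observe(user, "application:torrent", start + i * 60) and fired_at is None:
            fired_at = i + 1
    last = start + 4 * 60
    return (fired_at,
            rule_applies(scenario, user, last + 29 * 60),
            rule_applies(scenario, user, last + 31 * 60))

if __name__ == "__main__":
    print(simulate_torrent_user("alice"))   # (5, True, False)
```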

8.7. Integration with external ICAP servers

UserGate can transfer the HTTP/HTTPS and email traffic (SMTP, POP3) to external ICAP servers, e.g. in order to check the traffic for viruses or to check the outgoing data from users by means of DLP systems. In this case, UserGate will serve as an ICAP client.

UserGate offers flexible settings for ICAP servers, e.g. administrators can set up rules for sending only part of the traffic to ICAP servers or for integration with ICAP server farms.

To set up UserGate for integration with external ICAP servers, perform the following steps:

Name

Description

Step 1. Create an ICAP server.

Go to Security policies-->ICAP servers, click Add and create one or more ICAP servers.

Step 2. Create a balancing rule for ICAP servers (optional).

When a balancing for ICAP server farms is required, go to Network policies-->Load balancing and create a new ICAP server balancer. Use the ICAP servers that you have created in the previous step.

Step 3. Create a new ICAP rule.

Go to Security policies-->ICAP rules and create a rule that defines conditions for resending the traffic to ICAP servers or ICAP server farms.

Important! ICAP rules are applied from top to bottom in the list of rules. Only the first ICAP rule for which all its specific conditions are met will be applied.

To create an ICAP server, go to Security policies-->ICAP servers, click Add and fill out the following fields:

Name

Description

Name

Name of the ICAP server

Description

Description of the ICAP server

Address

IP address of the ICAP server

Port

TCP port of the ICAP server (1344 by default)

Max message size

The maximum size of a message sent to the ICAP server (in megabytes). The default value is 0 (disabled).

Check ICAP server every

A time period in seconds after which UserGate will send an OPTIONS request to the ICAP server to check its availability.

Bypass if errors

When this option is enabled, UserGate will not send any data to the ICAP server if the ICAP server is not available (does not respond to OPTIONS request).

Reqmod path

  • Enabled - enable the Reqmod mode.

  • Path on the ICAP server for the Reqmod mode. These parameters together with the server address and port form the Reqmod URL. If no path is required according to the ICAP server documentation, then specify "/".

Respmod path

  • Enabled - enable the Respmod mode.

  • Path on the ICAP server for the Respmod mode. These parameters together with the server address and port form the Respmod URL. If no path is required according to the ICAP server documentation, then specify "/".

Send username

  • Enabled - enable sending a user name to the ICAP server.

  • Encode to base64 - encode a user name in base64 when, for example, user names contain non-Latin characters.

  • Header name that will be used for sending a user name to the ICAP server. The default value is X-Authenticated-User.

Send IP

  • Enabled - enable sending an IP address to the ICAP server.

  • Header name that will be used for sending an IP address to the ICAP server. The default value is X-Client-Ip

Send MAC

  • Enabled - enable sending a MAC address to the ICAP server.

  • Header name that will be used for sending a MAC address to the ICAP server. The default value is X-Client-Mac.

To create a balancing rule for the ICAP servers, go to Network policies-->Load balancing, select Add-->ICAP balancer and fill out the following fields:

Name

Description

Enabled

Enable or disable the rule

Name

Name of the rule

Description

Description of the rule

ICAP servers

The list of ICAP servers among which the workload will be distributed, created in the previous step.

To create an ICAP rule, click Add in Security policies-->ICAP rules and fill out the following fields.

Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its specific conditions are met will be applied. Therefore, make sure to place more specific rules above the more common ones in the list. Use the Up/Down buttons to change the order of rules in the list.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

Name

Description

Enabled

Enable or disable the rule

Name

Name of the rule

Description

Description of the rule

Action

The following options are supported:

  • Bypass - do not send any data to the ICAP server. By creating a rule with such behavior, administrators can prevent certain traffic from being sent to ICAP servers.

  • Redirect - resend the data to the ICAP server and wait for its response. This is a standard working mode for most ICAP servers.

  • Redirect and ignore - redirect the data to the ICAP server, but disregard its response. In this case, the data will be sent to users without any modifications, but the ICAP server will receive a full snapshot of the user traffic.

ICAP servers

An ICAP server or an ICAP server balancer to which UserGate will be resending user requests.

Source

A source zone and/or a list of source IP addresses for the traffic.

Users

The list of users and/or groups to which a given rule is applied. Users of the Any, Unknown or Known types can be added. To apply the rules to given users or users of the Known type, you need to set up user identification.

Destination address

A list of destination IP addresses for the traffic.

MIME types

Lists of MIME types. The system provides the management functionality for video, audio, images, executable files, and other content types. Administrators can also create custom groups of MIME types. For more details on MIME types, please refer to the Content types section.

Categories

Lists of UserGate URL filtering categories

URLs

Lists of URLs

HTTP method

HTTP method of the request to which the rule applies (usually POST or GET).

Service

Possible options:

  • HTTP - web traffic

  • SMTP - email traffic. Email messages will be sent to the ICAP server as the corresponding MIME type.

  • POP3 - email traffic. Email messages will be sent to the ICAP server as the corresponding MIME type.
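As an added example (not UserGate code), the following builds the ICAP/1.0 OPTIONS and REQMOD messages an ICAP client sends (RFC 3507 layout), carrying the X-Authenticated-User, X-Client-Ip and X-Client-Mac headers and the base64 option described above, and models the "Bypass if errors" decision from the OPTIONS reply. The server name, the Reqmod path and the sample HTTP request are constructed.

```python
import base64
from dataclasses import dataclass
from typing import Optional

CRLF = "\r\n"

@dataclass
class IcapServer:
    address: str
    port: int = 1344                 # default ICAP TCP port from this section
    reqmod_path: str = "/"           # "/" when the server documentation needs no path
    send_username: bool = True
    encode_base64: bool = False      # for user names with non-Latin characters
    user_header: str = "X-Authenticated-User"
    send_ip: bool = True
    ip_header: str = "X-Client-Ip"
    send_mac: bool = False
    mac_header: str = "X-Client-Mac"
    bypass_if_errors: bool = True

    def url(self, path: str) -> str:
        # address, port and path together form the Reqmod/Respmod URL
        return f"icap://{self.address}:{self.port}{path}"

def options_request(srv: IcapServer) -> bytes:
    """The periodic availability probe behind "Check ICAP server every"."""
    lines = [f"OPTIONS {srv.url(srv.reqmod_path)} ICAP/1.0", f"Host: {srv.address}", "", ""]
    return CRLF.join(lines).encode()

def encode_username(srv: IcapServer, user: str) -> str:
    if srv.encode_base64:
        return base64.b64encode(user.encode("utf-8")).decode("ascii")
    return user

def reqmod_request(srv: IcapServer, http_request: bytes, user: str, ip: str, mac: str) -> bytes:
    """Wrap a client's HTTP request header block (CRLF-terminated, no body) in an
    ICAP REQMOD message. Encapsulated offsets are byte offsets into the encapsulated
    section, so they are computed on the raw bytes of the HTTP headers."""
    if not http_request.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP header block must end with an empty line")
    headers = [f"REQMOD {srv.url(srv.reqmod_path)} ICAP/1.0", f"Host: {srv.address}"]
    if srv.send_username:
        headers.append(f"{srv.user_header}: {encode_username(srv, user)}")
    if srv.send_ip:
        headers.append(f"{srv.ip_header}: {ip}")
    if srv.send_mac:
        headers.append(f"{srv.mac_header}: {mac}")
    # req-hdr starts at offset 0; null-body marks where the (absent) body would begin
    headers.append(f"Encapsulated: req-hdr=0, null-body={len(http_request)}")
    return (CRLF.join(headers) + CRLF + CRLF).encode() + http_request

def parse_status(response: bytes) -> int:
    """Return the status code from an ICAP status line such as 'ICAP/1.0 200 OK'."""
    first = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    proto, code, *_ = first.split(" ")
    if not proto.startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {first!r}")
    return int(code)

def should_send(srv: IcapServer, options_response: Optional[bytes]) -> bool:
    """Model of "Bypass if errors": when the server gave no (or a non-200) OPTIONS
    reply, skip it if the option is on; otherwise the data is still sent to it."""
    healthy = options_response is not None and parse_status(options_response) == 200
    return healthy or not srv.bypass_if_errors

# Constructed sample HTTP request (51 bytes) as a proxy client would send it
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    srv = IcapServer("icap.example.local")
    print(options_request(srv).decode())
    print(reqmod_request(srv, SAMPLE_HTTP, "ivanov", "10.0.0.5", "").decode())
```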

8.8. Mail security

In the Mail security section, you can set up virus and spam scanning of the transit email traffic. The system supports the POP3(S) and SMTP(S) protocols. For proper operation of the email traffic protection, make sure you have the license for the corresponding module.

In most cases, you will need to protect the email traffic coming from the Internet to your internal mail servers as well as the mail traffic coming from your servers or user PCs.

To set up protection of the email traffic coming from the Internet to your internal mail servers, perform the following:

Name

Description

Step 1. Publish your mail server on the Internet

Please refer to DNAT rules. It is recommended to create separate DNAT rules for SMTP and POP3, rather than combine them into one rule.

Step 2. Enable support of the SMTP(S) and POP3(S) services in the zone connected to the Internet

Please refer to Configuring zones.

Step 3. Create the email protection rules

Create the necessary email protection rules. For more details, please see below in this chapter.

If you need to protect the mail traffic without publishing your mail server on the Internet, perform the following steps:

Name

Description

Step 1. Create the traffic protection rules

Create the necessary email protection rules. For more details, please see below in this chapter.

To set up the mail traffic filtering rules, click Add in the Security policies--> Mail security section and specify the following fields:

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! If no rules have been created, then mail traffic will not be protected.

Important! A rule is triggered only when all its criteria are met.

Name

Description

Enabled

Enables or disables a rule

Name

Rule name

Description

Description of a rule

Action

Select an action that will be applied to the mail traffic when all corresponding criteria are met:

  • Pass - skips the traffic without changing it

  • Mark - puts a special tag in the "subject" or an additional field of email messages

  • Drop with error - blocks a message and sends a notification about failed delivery attempt to the SMTP server (for the SMTP(S) traffic) or to the POP3 client (for the POP3(S) traffic)

  • Drop without error - drops a message without sending a notification

Scanning

Select an email traffic scanning method:

  • UserGate spam check - checks the email traffic for spam

  • Heuristic virus check - checks the email traffic using heuristic engine

  • DNSBL check (SMTP only) - performs spam protection based on the DNSBL technology. Applicable to the SMTP traffic only. When the email traffic is being scanned by DNSBL, the spammer's SMTP server is blocked by IP address even before an SMTP connection is established, thereby significantly reducing overall scanning workload.

Header

Field for placing the message tag

Mark

Text of the message tag

Source

A source zone and/or a list of source IP addresses for the traffic.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Users

Users or groups of users to which the rule will be applied.

Service

Select an email protocol (POP3 or SMTP) to which the rule will be applied.

Envelope from

Email address of the sender as specified in the "Envelope from" field. Applicable to SMTP only.

Envelope to

Email address of the recipient as specified in the "Envelope to" field. Applicable to SMTP only.

It is recommended that you use the following spam protection settings.

For SMTP(S):

  • The first rule in the list should be blocking by DNSBL. It is recommended that you leave the Envelope from/Envelope to fields blank. In this case, DNSBL will be proactively discarding connections from SMTP servers that are known as spam sources. When recipient email addresses are added to exclusions, the system will be forced to receive each message entirely for analysis, and therefore the overall server workload will increase.

  • The second rule is marking messages using UserGate spam check. Here you can use any exclusions you want, including Envelope from/Envelope to.

For POP3(S):

  • Action - Mark

  • Scanning - UserGate spam check

8.9. Publication of HTTP/HTTPS resources using the reverse proxy

For publication of HTTP/HTTPS servers, it is recommended that you use publication based on the reverse proxy rules.

Unlike the DNAT-based publication, the reverse proxy publication offers the following advantages:

  • Publication of HTTP servers using HTTPS, and vice versa

  • Balancing of requests to web server farms

  • Ability to limit access to the published servers with certain Useragents

  • Ability to replace domains and paths of the published servers.

To publish a server using the reverse proxy, perform the following steps:

Name

Description

Step 1. Create a reverse proxy server.

Go to Security policies-->Reverse proxy servers, click Add and create one or more web servers for publishing.

Step 2. Create a balancing rule for the reverse proxy servers (optional).

When a balancing for published server farms is required, go to Network policies-->Load balancing and create a new reverse proxy balancer. Use the reverse proxy servers that you have created in the previous step.

Step 3. Create a reverse proxy rule.

Go to Security policies-->Reverse proxy rules and create a new rule that defines the publication conditions for servers or server farms.

Important! Publication rules are applied from top to bottom in the list of rules. Only the first publication rule for which all its specific conditions are met will be applied.

Step 4. Allow the Reverse proxy server in the zone where you want to grant access to the internal resources.

Go to Network-->Zones and allow the Reverse proxy service in the zone where you want to grant access to the internal resources (in most cases, it is the Untrusted zone).

To create a reverse proxy server, go to Security policies-->Reverse proxy servers, click Add and fill out the following fields:

Name

Description

Name

Name of the published server.

Description

Description of the published server.

Address

IP address of the published server.

Port

TCP port of the published server.

HTTPS to server

Defines whether it is necessary to use the HTTPS protocol to access the published server.

Check SSL certificate

Enables or disables validation of the SSL certificates installed on the published server.

Keep original source IP address

Leaves the original source IP address in packets sent to the published server. When this option is disabled, the source IP address is replaced with UserGate's IP address.

To create a balancing rule for the reverse proxy servers, go to Network policies-->Load balancing, select Add-->Reverse proxy balancer and fill out the following fields:

Name

Description

Enabled

Enable or disable the rule

Name

Name of the rule

Description

Description of the rule

Reverse proxy servers

The list of the reverse proxy servers among which the workload will be distributed (created in the previous step).

To create a new reverse proxy rule, click Add in Security policies-->Reverse proxy rules and fill out the mandatory fields.

Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its specific conditions are met will be applied. Therefore, make sure to place more specific rules above the more common ones in the list. Use the Up/Down buttons to change the order of rules in the list.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

Name

Description

Enabled

Enable or disable the rule

Name

Name of the rule

Description

Description of the rule

Reverse proxy server

A reverse proxy server or reverse proxy balancer to which UserGate will be resending user requests

Port

A port on which UserGate will be listening for incoming requests.

Use HTTPS

Enable the HTTPS support

Certificate

A certificate used for establishing HTTPS connections

Authenticate by certificate

When this option is enabled, browsers will be required to provide user certificates. To do this, make sure to add the user certificate to the list of UserGate certificates, and also assign it the User certificate role and the corresponding UserGate user account. For more details on user certificates, please refer to the Managing certificates section.

Source

A source zone and/or a list of source IP addresses for the traffic.

Users

The list of users and groups to which a given rule is applied. Users of the Any, Unknown or Known types can be added. To apply the rules to given users or users of the Known type, you need to set up user identification.

Useragent

Useragent of user browsers for which a given rule will be applied

Path rewrite

Replace a domain and/or path in the user request URL. For example, incoming requests to http://www.example.com/path1 can be changed to http://www.example.loc/path2.

Change from - a domain and/or path that you want to replace in the URL.

Change to - a domain and/or path that you want to use as a replacement in the URL.

If a domain is specified in the Change from field, then the publication rule will be applied for the requests sent to this domain only. In other words, this will be a condition for rule triggering.

8.10. DoS protection

UserGate supports granular settings to protect networks from network flooding (for TCP (SYN-flood), UDP, ICMP). Preliminary settings can be configured in the zone properties (see section Configuring zones) while more precise settings are available in this section. Using the DoS protection rules, administrators can provide specific settings to protect a given service, protocol or application from DoS attacks. To create DoS protection rules, the administrator must perform the following steps:

Name

Description

Step 1. Create DoS profile

Go to Security policies-->DoS profiles, click Add and create one or more DoS profiles.

Step 2. Create DoS rule

Go to Security policies-->DoS rules, click Add and create one or more DoS rules. Use DoS profiles created on the previous step.

To create a DoS profile, go to Security policies-->DoS profiles, click Add and fill out the following fields:

Name

Description

Name

Name of the profile.

Description

Description of the profile.

Aggregate

This option sets whether UserGate will be summing up packets per second for all IP addresses of the traffic source or counting them individually for each IP address. When this option is active, make sure to specify large values for packets per second on the DoS protection and Resource protection tabs.

DoS protection

Specify the following DoS protection parameters in the zone for the TCP (SYN-flood), UDP and ICMP protocols:

  • Alert threshold - once the number of packets exceeds the specified limit, this event will be recorded in the system log

  • Drop threshold - once the number of packets exceeds the specified limit, UserGate will start dropping packets and will record this event in the system log

Resource protection

This option allows you to limit the maximum number of sessions per protected resource, e.g. published server:

  • On – enables the limit on the maximum number of sessions

  • Limit the number of sessions – sets the maximum allowed number of sessions.
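An added model (not UserGate code) of the counters a DoS profile describes: per-second packet counts compared with the Alert and Drop thresholds, either per source IP or summed for all sources when Aggregate is on, plus the Resource protection session limit. The thresholds, addresses and the sample burst are constructed; the replay with Aggregate shows why the guide recommends larger values in that mode.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class DosProfile:
    alert_pps: int            # packets/s above which an alert is logged
    drop_pps: int             # packets/s above which packets are dropped (and logged)
    aggregate: bool = False   # True: one counter for all sources; False: per source IP
    max_sessions: int = 0     # Resource protection limit; 0 = off

@dataclass
class DosState:
    profile: DosProfile
    second: int = -1
    counts: dict = field(default_factory=lambda: defaultdict(int))
    sessions: int = 0
    log: list = field(default_factory=list)   # (second, counter key, event)

    def _key(self, src_ip: str) -> str:
        return "*" if self.profile.aggregate else src_ip

    def packet(self, src_ip: str, ts: float) -> str:
        """Account one packet; returns "pass", "alert" or "drop" for it."""
        sec = int(ts)
        if sec != self.second:            # new second: all pps counters restart
            self.second, self.counts = sec, defaultdict(int)
        key = self._key(src_ip)
        self.counts[key] += 1
        n = self.counts[key]
        if n > self.profile.drop_pps:
            self.log.append((sec, key, "drop"))
            return "drop"
        if n > self.profile.alert_pps:
            self.log.append((sec, key, "alert"))
            return "alert"
        return "pass"

    def new_session(self) -> bool:
        """Resource protection: refuse a new session once the limit is reached."""
        limit = self.profile.max_sessions
        if limit and self.sessions >= limit:
            return False
        self.sessions += 1
        return True

def replay(profile: DosProfile, packets):
    """Run (src_ip, timestamp) pairs through the counter; returns verdict totals."""
    st = DosState(profile)
    out = defaultdict(int)
    for ip, ts in packets:
        out[st.packet(ip, ts)] += 1
    return dict(out)

# Constructed burst: three sources send 40 packets each within one second, a fourth sends 5
BURST = [(f"198.51.100.{i}", 10.0 + k / 100) for i in (1, 2, 3) for k in range(40)]
BURST += [("198.51.100.9", 10.5 + k / 100) for k in range(5)]

if __name__ == "__main__":
    print("per source :", replay(DosProfile(alert_pps=30, drop_pps=35), BURST))
    print("aggregate  :", replay(DosProfile(alert_pps=30, drop_pps=35, aggregate=True), BURST))
```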

To create a new DoS protection rule, go to Security policies-->DoS rules, click Add and specify the following parameters.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

Name

Description

Enabled

Enables or disables a rule

Name

Rule name

Description

Description of a rule

Action

Block – blocks the traffic without any conditions (similar to firewall rules).

Allow – allows the traffic flows, but without any DoS protection. This option can be used for creating exclusions.

Protect – enables protection with the selected DoS profile.

DoS profile

If the action is Protect, choose one of the created DoS profiles.

Scenarios

A scenario that must be active for the rule to be applied. For more details on scenarios, please refer to Scenarios.

Important! A scenario represents an additional condition. If the scenario is not activated (i.e. one or more of its triggers have not fired), the rule will not be applied.

Enable logging

Logs information about traffic when a rule is triggered. The following modes can be used:

  • Log session start. Only the first packet of every session will be logged. This is the recommended logging setting.

  • Log all packets. Every network packet will be logged. In this mode, it is recommended to enable the logging limit to avoid high system utilization.

Source

Zone(s) and IP addresses of the traffic source

Users

List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown or Known type. To apply rules to individual users or users of the Known type, make sure to set up authentication properly. For more details on user identification, please refer to Users and devices.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Service

Service type, e.g. HTTP or HTTPS

Time

Time ranges during which the rule is active.

9. Setting up a VPN

VPN (Virtual Private Network) is a set of technologies for establishing one or more network connections (i.e. a logical network) on top of another network (e.g. Internet). UserGate allows you to establish the following types of VPN connections:

  • Remote access VPN. In this case, UserGate will operate as the server while users of other devices will become VPN clients. UserGate supports the standard clients for most popular operating systems, including Windows, Linux, Mac OS X, iOS, Android, and more.

  • Site-to-Site VPN. In this case, one of your UserGate servers operates as the server while another UserGate server becomes a client. A client initiates a connection with the server. A server-to-server connection allows you to add all your remote offices to a single logical network.

Tunnels are established using the Layer 2 Tunneling Protocol (L2TP), and the transmitted data is protected with IPSec.

9.1. Remote access VPN

To connect VPN clients to your corporate network, set up UserGate to operate as the VPN server. To do this, perform the following steps:

Name

Description

Step 1. Allow the VPN service in the zone to which VPN clients will be connecting.

Go to Network-->Zones, edit the access control parameters for the zone to which VPN clients will be connecting and allow the VPN service in this zone. In most cases, it is the Untrusted zone.

Step 2. Create a zone where your VPN clients will be placed.

Go to Network-->Zones and create a zone where you are going to place VPN clients. You will be able to use this zone in the security policies.

It is recommended that you use the existing default zone VPN for remote access.

Step 3. Create a new NAT rule for the zone.

Clients connect to a VPN using the Point-to-Point protocol. To allow the traffic flow from the zone that you have created in the previous step, create a NAT rule from this zone to all other zones that you need. Create the corresponding rule in Network policies-->NAT and routing.

By default, UserGate provides a rule called NAT from VPN for remote access to Trusted and Untrusted that allows NAT from the VPN for remote access zone to the Trusted and Untrusted zones.

Step 4. Create a firewall rule to allow the traffic flow from the created zone.

Go to Network policies-->Firewall and create a firewall rule to allow the traffic flow from the created zone to other zones.

By default, UserGate provides a firewall rule called VPN for remote access to Trusted and Untrusted that allows all the traffic from the VPN for remote access zone to the Trusted and Untrusted zones.

Step 5. Create an authentication profile.

Go to Users and devices-->Auth profiles and create an authentication profile for VPN users. You can use the same authentication profile that is set up for user authentication for Internet access. For more details on authentication profile, please refer to section Auth profiles.

Step 6. Create a VPN security profile.

A server profile defines the preshared key, encryption and authentication algorithms, and other settings. You can create multiple server profiles and use them for establishing connections with various client types.

To create a server profile, go to VPN-->Security profiles, click Add and fill out the following fields:

  • Name - name of the profile.

  • Description - description of the profile.

  • Preshared key — the string that must be the same on the server and on the client for successful connection.

  • Security-->Encryption methods - pairs of the authentication and encryption methods. These algorithms are applied in the same order as they appear here (from top to bottom). When establishing a new connection, the system will apply the first pair that is supported both by the server and the client. For compatibility with the standard VPN clients, it is recommended that you leave the default values.

By default, UserGate provides a server profile called Remote access VPN profile that defines all the necessary settings. If you are going to use this profile, make sure to change the preshared key.

Step 7. Create a VPN device

A VPN device is a virtual network interface for connecting VPN clients. This type of interface is a clustered interface, which means it virtually exists on all cluster nodes; if a high availability cluster is configured, VPN clients will be automatically switched to a backup node without interruption of the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields:

  • Name – name of the interface as tunnelN, where N is the number of the virtual device.

  • Description – description of the interface.

  • Zone – zone of the interface. VPN clients will belong to this zone when connected. Assign the zone created in step 2.

  • Netflow profile – optional netflow profile which will be used for this interface.

  • Mode – IP address assignment mode – Dynamic (via DHCP), Static, No address. Static mode should be used for serving VPN clients.

  • MTU – MTU for the interface.

The VPN interface tunnel1 is preconfigured for use with the Remote access VPN.

Step 8. Create a VPN network.

A VPN network defines network settings that will be applied when a client connects to the server. These settings include assignment of IP addresses to a client within a tunnel, DNS settings, and optional routes that will be submitted to the client (providing that the client supports such routes). You can create multiple tunnels with different settings for different clients.

To create a VPN network, go to VPN-->VPN networks, click Add and fill out the following fields:

  • Name - name of the network.

  • Description - description of the network.

  • IP range that will be assigned to clients. Do not include the network and broadcast addresses here.

  • Specify the DNS servers that will be provided to clients or enable the Use system DNS checkbox if you want to assign the DNS servers used by UserGate to clients.

  • Specify the routes that will be submitted to a client as classless inter-domain routing (CIDR).

UserGate already provides a network called Remote access VPN network with the recommended settings.

Step 9. Create a VPN server rule.

Create a VPN server rule based on the previously created VPN tunnel and VPN security profile. To create a rule, go to VPN-->Server rules, click Add and fill out the following fields:

  • Enabled - enables or disables the rule

  • Name - name of the rule.

  • Description - description of the rule.

  • Security profile - server profile that you have previously created.

  • VPN network - VPN tunnel that you have previously created.

  • Auth profile - authentication profile that you have previously created.

  • Interface – VPN device that you have previously created.

  • Source - zones and addresses for which incoming VPN connections are accepted. Since most clients come from the Internet, it is recommended that you select the Untrusted zone.

  • Users - a group of users or individual users that are allowed to establish VPN connections.

By default, UserGate provides a server rule called Remote access VPN rule that uses all the necessary settings for the Remote Access VPN and allows the VPN access for all participants of the local group called VPN users.

Step 10. Set up the VPN on a client workstation.

To set up a client connection to the VPN, the following parameters must be specified on the user workstation:

  • VPN connection type - L2TP over IPSec.

  • As the IP address of the VPN server, provide the IP address of the interface in the zone specified in step 1.

  • As the preshared key (shared secret), use the preshared key that you have specified in step 6.

  • Specify the PAP protocol for user authentication.

  • As the user name, provide the user name of the account in the 'username@domain' format, e.g. testuser@testdomain.loc.

Important! For correct operation with L2TP/IPSec VPN servers, operating systems of the Microsoft Windows family require changing the Registry parameters. Please refer to Microsoft's article https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows for detailed instructions.

9.2. Site-to-Site VPN

To establish a Site-to-Site VPN, set up one UserGate as a VPN client and another UserGate as the VPN server. Though setting up UserGate as a VPN server is similar to that for a remote access server, we recommend that you set up all parameters individually since some of them may be different.

To set up your server as a shared VPN server for multiple offices, perform the following steps:

Step 1. Create a local user to authorize the server that will be operating as a VPN client.

Go to Users and devices --> Users and create new users for each of the remote UserGate servers that will be operating as VPN clients and then set up the user passwords. It is recommended that you add all the created users to a group with the access allowed to VPN connections. By default, UserGate provides a group called VPN servers for this purpose.

Step 2. Allow the VPN service in the zone to which VPN clients will be connecting.

Go to Network-->Zones, edit the access control parameters for the zone to which VPN clients will be connecting and allow the VPN service in this zone. In most cases, it is the Untrusted zone.

Step 3. Create a zone where your VPN servers will be placed.

Go to Network-->Zones and create a zone where you are going to place VPN servers. You will be able to use this zone in the security policies.

It is recommended that you use the existing default zone VPN for Site-to-Site.

Step 4. Create a firewall rule to allow the traffic flow from the created zone.

Go to Network policies-->Firewall and create a firewall rule to allow the traffic flow from the created zone to other zones.

By default, UserGate provides a firewall rule called VPN for Site-to-Site to Trusted and Untrusted that allows all the traffic from the VPN for Site-to-Site zone to the Trusted and Untrusted zones. The rule is disabled by default.

Step 5. Create an authentication profile.

Go to Users and devices-->Auth profiles and create an authentication profile for VPN users. You can use the same authentication profile that is set up for user authentication and Internet access. For more details on authentication profiles, please refer to section Auth profiles.

Step 6. Create a VPN security profile.

A security profile defines the preshared key, encryption and authentication algorithms, and other settings. You can create multiple security profiles and use them for establishing connections with various client types.

To create a server profile, go to VPN-->Security profiles, click Add and fill out the following fields:

  • Name - name of the profile.

  • Description - description of the profile.

  • Preshared key - the string that must be the same on the server and on the client for a successful connection.

  • Security-->Encryption methods - pairs of authentication and encryption methods. These algorithms are tried in the order in which they appear here (from top to bottom): when a new connection is established, the system applies the first pair supported by both the server and the client. For compatibility with standard VPN clients, it is recommended that you leave the default values.

By default, UserGate provides a security profile called Site-to-Site VPN profile that defines all the necessary settings. If you are going to use this profile, make sure to change the preshared key.

Step 7. Create a VPN device

A VPN device is a virtual network interface for connecting VPN clients. This type of interface is a clustered interface, which means it exists virtually on all nodes of the cluster; if a high availability cluster is configured, VPN clients are automatically switched to a backup node without interrupting the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields:

  • Name – name of the interface in the form tunnelN, where N is the number of the virtual device.

  • Description – description of the interface.

  • Zone – zone of the interface. Connected VPN clients belong to this zone. Assign the zone created in step 3.

  • Netflow profile – optional Netflow profile to be used for this interface.

  • Mode – IP address assignment mode: Dynamic (via DHCP), Static, or No address. Use Static mode for serving VPN clients.

  • MTU – MTU for the interface.

VPN interface tunnel2 is preconfigured for use on the server side of a Site-to-Site VPN.

Step 8. Create a VPN network.

A VPN network defines network settings that will be applied when a client connects to the server. These settings include assignment of IP addresses to a client within a tunnel, DNS settings, and optional routes that will be submitted to the client (providing that the client supports such routes). You can create multiple tunnels with different settings for different clients.

To create a VPN network, go to VPN-->VPN networks, click Add and fill out the following fields:

  • Name - name of the network.

  • Description - description of the network.

  • IP range that will be used by clients. Do not provide the network and broadcast address here.

  • Specify the DNS servers that will be provided to clients or enable the Use system DNS checkbox if you want to assign the DNS servers used by UserGate to clients.

  • Specify the routes that will be submitted to a client as classless inter-domain routing (CIDR).

UserGate already provides a VPN network called Site-to-Site VPN network with the recommended settings. To use this network, make sure to provide it with the routes that are sent to the client server.

Step 9. Create a VPN server rule.

Create a VPN server rule based on the previously created VPN tunnel and VPN profile. To create a rule, go to VPN-->Server rules, click Add and fill out the following fields:

  • Name - name of the rule.

  • Description - description of the rule.

  • Server profile - server profile that you have previously created.

  • VPN tunnel - VPN tunnel that you have previously created.

  • Authentication profile - authentication profile that you have previously created.

  • Source - zones and addresses for which incoming VPN connections are accepted. Since most clients come from the Internet, it is recommended that you select the Untrusted zone.

  • Interface - the previously created VPN device.

  • Users - a group of server accounts or individual server accounts that are allowed to connect via VPN.

By default, UserGate provides a server rule called Site-to-Site VPN rule that uses all the necessary settings for the Site-to-Site VPN and allows the VPN access for all participants of the local group called VPN servers.

To set up your server as a VPN client, perform the following steps:

Step 1. Create a zone where you are going to place the interfaces for VPN connections.

Go to Network-->Zones and create a zone where you are going to place the interfaces for VPN connections. You will be able to use this zone in the security policies.

It is recommended that you use the existing default zone VPN for Site-to-Site.

Step 2. Create a firewall rule to allow the traffic flow to the created zone.

Create an Allow firewall rule in Network policies-->Firewall.

By default, UserGate provides a firewall rule called VPN for Site-to-Site to Trusted and Untrusted that allows all the traffic among the VPN for Site-to-Site, Trusted and Untrusted zones.

Step 3. Create a VPN device

A VPN device is a virtual network interface for connecting VPN clients. This type of interface is a clustered interface, which means it exists virtually on all nodes of the cluster; if a high availability cluster is configured, VPN clients are automatically switched to a backup node without interrupting the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields:

  • Name – name of the interface in the form tunnelN, where N is the number of the virtual device.

  • Description – description of the interface.

  • Zone – zone of the interface. Connected VPN clients belong to this zone. Assign the zone created in step 3.

  • Netflow profile – optional Netflow profile to be used for this interface.

  • Mode – IP address assignment mode: Dynamic (via DHCP), Static, or No address. Use Dynamic mode for the client side of a Site-to-Site VPN.

  • MTU – MTU for the interface.

VPN interface tunnel3 is preconfigured for use on the client side of a Site-to-Site VPN.

Step 4. Create a VPN client rule.

Create a VPN client rule that will be initiating connections to your VPN server. To create a rule, go to VPN-->Client rules, click Add and fill out the following fields:

  • Name - name of the rule.

  • Description - description of the rule.

  • Preshared key - a string that must be the same as the preshared key string on the server.

  • Security-->Encryption methods - pairs of authentication and encryption methods. These algorithms are tried in the order in which they appear here (from top to bottom): when a new connection is established, the system applies the first pair supported by both the server and the client.

  • Server address - IP address of the VPN server to which this VPN client will connect. In most cases, it is the IP address of the interface in the Untrusted zone on the UserGate server that operates as the VPN server.

  • Interface - the previously created VPN interface.

  • Username and password are the user name and password of the user created in step 1 during the VPN server preparation.

Once the VPN server and VPN client are up and running, the VPN client will initiate a connection to the server and establish a VPN tunnel upon success. To disable a tunnel, disable the VPN client rule (on the client side) or the VPN server rule (on the server side).

9.3. Setting up a web portal

The web portal allows you to provide access to internal web resources, terminal servers, and SSH servers for remote or mobile employees using only the HTTPS protocol. This technology does not require installing any additional VPN software and works directly in most popular browsers.

To set up web portal, perform the following steps:

Step 1. Enable and set up the web portal.

Go to General settings-->web portal, enable web portal and set up its parameters. These settings are described in more detail below in this section.

Step 2. Allow the access to the web portal service for the required zones.

Go to Network-->Zones and allow the web portal service for the selected zones (in most cases, it is the Untrusted zone). This grants access to the port of the service specified in the web portal settings in the previous step.

Step 3. Add the internal resources to the web portal.

Go to VPN-->web portal and add the URLs of internal resources to which you are going to provide access for users. These settings are described in more detail below in this section.

When setting up the web portal (in General settings-->web portal-->Configure), fill out the following fields:

Enabled

Enable or disable the web portal.

Hostname

A host name that must be used on the client side for connecting to the web portal service. This name must be resolved by the DNS service into the IP address of the UserGate interface placed in the zone where the web portal is allowed.

Port

A TCP port that will be used by the web portal service. This port together with the host name make up the URL that users will use for establishing connections: https://hostname:port

Auth profile

The user authentication profile that will be utilized for authentication of users who connect to the web portal. The authentication profile defines an authentication method, e.g. the AD connector or a local user. In addition, you can also set up mandatory multi-factor authentication for accessing the web portal. For more details on authentication profiles, please refer to Auth profiles.

Auth template

Select an authentication page template that will display the form where users enter their credentials. You can create a custom authentication page in Response pages.

Portal template

Select a web portal template that will display the resources available via the web portal. You can create a custom template in Response pages.

Show AD/LDAP domain selector on auth page

Display the domain selector on the web portal authentication page.

Protect with CAPTCHA

When this option is enabled, users will be asked to enter a code displayed on the login page of the web portal. This option is recommended for protection against bots trying to brute-force user passwords.

Certificate

The certificate that will be used for establishing HTTPS connections. When the Automatic mode is selected, the system will use a certificate issued by the SSL inspection certificate for the Captive portal SSL certificate role. For more details on certificate roles, please refer to Managing certificates.

Certificate-based user authentication

When this option is enabled, browsers will be required to provide user certificates. To do this, make sure to add the user certificate to the list of UserGate certificates, and also assign it the User certificate role and the corresponding user account. For more details on user certificates, please refer to section Managing certificates.

To set up the web portal (in VPN-->web portal), create a URL publication bookmark for each internal web resource. Create a bookmark and fill out the following fields for each URL:

Enabled

Enable or disable the tab.

Name

Name of the tab.

Description

Description of the tab.

URL

URL of the resource that will be published via the web portal. Make sure to provide a complete URL starting with http://, https://, ftp://, ssh:// or rdp://

Important! To publish the terminal servers, make sure to disable the Network Level Authentication option in RDP properties of terminal servers. In this case, users will be authenticated and provided with the access to the servers through the web portal depending on its settings.

Icon

An icon that will be displayed on the web portal for this tab. You can choose any ready-to-use icon, provide a URL of an external icon or upload a custom icon.

Supporting URLs

Additional URLs that are required for the primary URL, but are not supposed to be published for users. For instance, the primary URL http://www.example.com may obtain some of the content from the supporting URL http://cdn.example.com.

Users

A list of users and/or user groups that are allowed to view the bookmark on the web portal and also access the primary and supporting URLs.

Bookmarks are shown to users on the web portal in the order in which they are listed here. Administrators can reorder the bookmarks either using the Up, Above, Below, Down buttons or by dragging the tabs with the mouse.

10. Libraries

This large section provides all records, domain names, IP addresses, templates and other items that can be used in the UserGate rules.

By default, the libraries are already populated with data, but network administrators can add custom items as required. Note that certain items in the libraries are read-only, since they are provided and maintained by UserGate. Libraries provided by UserGate are updated automatically if you have the corresponding license. For more details on product licensing, please refer to UserGate licensing.

10.1. Morphology

Morphological analysis is a mechanism designed to recognize certain words and phrases on websites. If a text contains too many unwanted words or phrases, the system will block access to the website.

Morphological analysis is performed both when a user sends a new search query and when the requested web server responds to this query. Once the web server responds to the query, UserGate scans the text on the web page and then calculates its total "weight" by matching words and phrases from various morphological categories. If the total "weight" of the web page is higher than that of a morphological category, the rule will be triggered. The system also takes into account all word forms of prohibited words when calculating the "weight". UserGate searches word forms in its built-in dictionaries available in English, German, Russian, Japanese and Arabic.

You can also subscribe for additional dictionaries offered by UserGate. These dictionaries are read-only. You will also need the corresponding license to use them. For more details on product licensing, please refer to UserGate licensing.

Suicide

Morphological dictionary containing words and phrases related to suicide

Terrorism

Morphological dictionary containing words and phrases related to terrorism

Profanity

Morphological dictionary containing profane words and phrases

Gambling

Morphological dictionary containing words and phrases related to gambling

Drugs

Morphological dictionary containing words and phrases related to drugs

Pornography

Morphological dictionary containing words and phrases related to pornography

Restricted materials (Custom country code)

Morphological dictionary containing words and phrases not recommended for children according to some national laws. The GS1 suffix code for UserGate dictionaries complies with the national laws of the country. See http://www.gs1.org/company-prefix for details

To set up morphology-based filtering, perform the following:

Step 1. Create one or more morphological categories and specify their weights

Click Add and specify the name and weight of the new category

Step 2. Specify the list of prohibited phrases with their weights

Click Add and specify the necessary words and phrases. When adding a new word to any morphological dictionary, you can put the "!" modifier before the word, e.g. "!bassterd". In this case, the word will not be expanded into its word forms during analysis, which significantly reduces the risk of false positives

Step 3. Create a new content filtering rule containing one or more morphological categories

Please refer to Content filtering.

Network administrators can create custom dictionaries and distribute them from a single center to all UserGate servers. To create a custom morphological database, perform the following steps:

Step 1. Create a new file with necessary phrases

Create a new file called list.txt with words presented in the following format:

!word1 !word2

!word3

word4 50

Lastword

In this case, the total weight of the dictionary will be 100. You can also specify a weight for each word (the default value is 100)

Step 2. Put this file into a new archive

Zip the file into a new archive called list.zip

Step 3. Create a new file with the necessary version of your dictionary

Create a new file version.txt and specify the database version (e.g. "3") in it. Make sure to increment this value each time you update the morphological dictionary

Step 4. Publish files on your web server

Publish list.zip and version.txt on your website and make them available for download via http

Step 5. Create a new morphological category and provide the URL for updating your dictionary

Create a new morphological database on every UserGate server. When creating a new database, make sure to provide a URL for installing updates. UserGate checks for a new version on your website every 4 hours and automatically updates your dictionary once a newer version is released

Important! When creating a new morphological dictionary, it is highly recommended that you put the "!" modifier before each word in phrases containing more than three words. Note that the system converts each word into all possible word forms (including cases, plural forms, grammatical tenses, etc.) when building a new morphological database, and the resulting number of words will be large. When you add long phrases, make sure to put the "!" modifier before each word that does not have word forms, e.g. before articles, prepositions and conjunctions. For example, the phrase "how to commit a painless suicide" should be added as "!how !to commit !a suicide !painlessly". This reduces the number of possible phrase variants while preserving the main idea of the initial phrase.
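The following Python example is added here to illustrate the weighting described above; it is not UserGate code. It parses the list.txt dictionary format from the steps above (one word or phrase per line, the "!" modifier for an exact word form, an optional trailing weight with 100 as the default), sums the weights of all matching words and phrases found in a page text, and reports the rule as triggered when the total exceeds the category weight. The suffix-stripping stemmer is a crude stand-in for UserGate's word-form dictionaries, and the sample dictionary and page text are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_WEIGHT = 100   # default per-entry weight, as stated in the guide


@dataclass
class Entry:
    # each token is (word, exact): exact=True means the word carried the "!" modifier
    tokens: List[Tuple[str, bool]]
    weight: int


def parse_dictionary(text: str) -> List[Entry]:
    """Parse the list.txt format: one word or phrase per line, an optional
    trailing integer weight, and "!" before a word to disable word forms."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        weight = DEFAULT_WEIGHT
        if len(parts) > 1 and parts[-1].isdigit():
            weight = int(parts.pop())
        tokens = [(p.lstrip("!").lower(), p.startswith("!")) for p in parts]
        entries.append(Entry(tokens, weight))
    return entries


# Toy stand-in for UserGate's word-form dictionaries (assumption): strip a
# few common English suffixes so that "chips" and "chip" compare equal.
_SUFFIXES = ("ing", "ed", "es", "s")


def stem(word: str) -> str:
    for suffix in _SUFFIXES:
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def token_matches(token: Tuple[str, bool], word: str) -> bool:
    text, exact = token
    return word == text if exact else stem(word) == stem(text)


def count_phrase(entry: Entry, words: List[str]) -> int:
    """Number of times the entry's phrase occurs as consecutive words."""
    n = len(entry.tokens)
    return sum(
        1
        for i in range(len(words) - n + 1)
        if all(token_matches(t, words[i + j]) for j, t in enumerate(entry.tokens))
    )


def page_weight(entries: List[Entry], page_text: str) -> int:
    """Total weight of a page: sum of entry weights times their hit counts."""
    words = re.findall(r"[a-z0-9']+", page_text.lower())
    return sum(e.weight * count_phrase(e, words) for e in entries)


def rule_triggers(entries: List[Entry], category_weight: int, page_text: str) -> bool:
    """The guide: the rule fires when the page weight exceeds the category weight."""
    return page_weight(entries, page_text) > category_weight


# Constructed sample dictionary in list.txt format (not a UserGate dictionary)
SAMPLE_DICTIONARY = """\
!free !casino chips 40
roulette
poker 30
"""
SAMPLE_ENTRIES = parse_dictionary(SAMPLE_DICTIONARY)

# Constructed sample page text
SAMPLE_PAGE = "Play roulette and poker tonight: free casino chip giveaway, poker tables open"

if __name__ == "__main__":
    print(page_weight(SAMPLE_ENTRIES, SAMPLE_PAGE))          # 200
    print(rule_triggers(SAMPLE_ENTRIES, 150, SAMPLE_PAGE))   # True
```

Running the module scores the constructed page at 200 (roulette 100, poker twice at 30, the phrase once at 40): "!free !casino chips" matches "free casino chip" because only the unmarked word is compared by word form, whereas "!free" does not match "freely".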

10.2. Services

The Services section contains a list of public TCP/IP-based services, such as HTTP, HTTPS, FTP, etc., that you can use when composing UserGate rules. By default, the initial list of services is already predefined, but network administrators can add custom items as required. To add a new service, perform the following steps:

Step 1. Create a new service

Click Add and then specify the name and comment for the new service

Step 2. Specify the protocol and port

Click Add and then select the necessary protocol from the list and specify the source and/or destination ports. To add a port range, use a dash (-), e.g. 33333-33344

10.3. IP addresses

The IP addresses section contains a list of IP ranges that you can use for composing UserGate rules. By default, the initial list of addresses is already predefined, but network administrators can add custom items as required. To add a new list of addresses, perform the following steps:

Step 1. Create list

Click Add and then specify the name for the list of IP addresses

Step 2. Specify the URL for updating your list (optional)

Provide the server's address where your updatable list is hosted. Additional details about updatable lists are provided below in this chapter

Step 3. Add IP addresses

Click Add and enter the addresses. An address must be specified either as an IP address or as an IP address/subnet mask, e.g. 192.168.1.5 or 192.168.1.0/24

Network administrators can create custom lists of IP addresses and distribute them from a single center to all UserGate servers. To create a new list of IP addresses, perform the following steps:

Step 1. Create a new file with necessary IP addresses

Create a new file called list.txt containing a list of addresses

Step 2. Put this file into a new archive

Zip the file into a new archive called list.zip

Step 3. Create a new file with the necessary version of your list

Create a new file called version.txt and specify the list version (e.g. "3") in it. Make sure to increment this value each time you update the list

Step 4. Publish files on your web server

Publish list.zip and version.txt on your website and make them available for download

Step 5. Create a new list of IP addresses and provide a URL for installing updates

Create a new list of IP addresses on every UserGate server. When creating a new list, make sure to provide a URL for installing updates. UserGate checks for a new version on your website every 4 hours and automatically updates your list once a newer version is released

10.4. Useragents

Using browser Useragent filters, administrators can allow or prohibit certain browsers for users.

The initial default Useragent list is already included in the product. To apply the Useragent-specific filters, perform the following steps:

Step 1. Create a Useragent list.

Click Add and specify a name for the new UserAgent list.

Step 2. Add the necessary browser Useragents to the new list.

Add the Useragent that you need. The full list of Useragent strings can be found here: http://www.useragentstring.com/pages/useragentstring.php

Step 3. Create a content filtering rule with one or more lists.

Please refer to section Content filtering

Administrators can create custom Useragent lists and distribute them centrally across all workstations on which UserGate is installed. To create a custom list, perform the following steps:

Step 1. Create a file with the necessary Useragent.

Create a file called list.txt with the Useragent list.

Step 2. Create an archive containing this file.

Pack the file into the archive called list.zip.

Step 3. Create a file containing the version of the list.

Create a file named version.txt and specify the list version number in it, e.g. 3. Make sure to increment this value each time the list is updated.

Step 4. Publish the files on your web server.

Publish list.zip and version.txt on your site so that they can be downloaded.

Step 5. Create a Useragent list and provide the URL for updates.

Create a Useragent list on each UserGate instance. Make sure to provide the address from which to download the updates. UserGate checks for a new version on your site every 4 hours and updates the list once a new version is available.

10.5. Content types

Based on filtering by content type, you can block downloads of certain files, e.g. prohibit all *.doc files.

You can also subscribe for additional content types offered by UserGate. Note that these lists of content types are read-only. You will also need the corresponding license to use them. For more details on product licensing, please refer to UserGate licensing.

To set up filtering by content type, perform the following steps:

Step 1. Create a new list of content types or select a predefined list from UserGate

Click Add and specify the name for the new list of content types.

Step 2. Add the necessary MIME types to your list

Add the content types you want to prohibit in the MIME format. You can find description of various MIME types on the Internet, e.g.: http://www.webmaster-toolkit.com/mime-types.shtml.

For example, to block all *.doc files, add the following MIME type: application/msword.

Step 3. Create a new content filtering rule containing one or more lists

Please refer to Content filtering.

Network administrators can create custom lists of content types and distribute them from a single center to all UserGate servers. To create a new list of content types, perform the following steps:

Step 1. Create a new file with necessary content types

Create a new file called list.txt containing a list of content types.

Step 2. Put this file into a new archive

Zip the file into a new archive called list.zip.

Step 3. Create a new file with the necessary version of your list

Create a new file called version.txt and specify the list version (e.g. "3") in it. Make sure to increment this value each time you update the list.

Step 4. Publish files on your web server

Publish list.zip and version.txt on your website and make them available for download.

Step 5. Create a new list of content types and provide a URL for installing updates

Create a new list of content types on every UserGate server. When creating a new list, make sure to provide a URL for installing updates. UserGate checks for a new version on your website every 4 hours and automatically updates your list once a newer version is released.

10.6. URL lists

On this page, you can create various lists of URLs and then use them as black and white lists for the content filtering rules.

Note that UserGate offers its own updatable lists. You will also need the corresponding license to use them. For more details on product licensing, please refer to UserGate licensing.

UserGate black list

This list contains URLs prohibited by some national laws.

Phishing black list

This list contains URLs of known phishing websites.

UserGate white list

This list contains URLs of known trusted websites and portals.

Search engines without safesearch capability

This list contains known search engines that do not provide safe search (family filter). We recommend blocking such search engines for parental control, since they make adult content accessible.

UserGate black list (Custom code)

This list contains URLs prohibited by some national laws. The GS1 suffix code for UserGate custom black/white lists complies with the national laws of the country. See http://www.gs1.org/company-prefix for details

To set up filtering based on lists of URLs, perform the following steps:

Step 1. Create a new list of URLs

Click Add and specify the name for the new list

Step 2. Add the necessary records to your list

Add the necessary URLs to your list. You can use special characters ^, $ and * in the lists:

* stands for an arbitrary number of characters

^ denotes the start of the current line

$ denotes the end of the current line

Note that characters ? and # are not allowed here

Step 3. Create a new content filtering rule containing one or more lists

Please refer to Content filtering.

All records that start with http://, https:// or ftp://, or contain one or more "/" characters, are handled as URLs: they apply to HTTP(S) filtering but not to DNS filtering. Any other string is treated as a domain name and therefore applies to both DNS and HTTP(S) filtering.

To block a website by exact address, use the "^" and "$" characters:
^http://domain.com/exacturl$
To block an exact URL together with all its subfolders, use the "^" character:
^http://domain.com/exacturl/
To block a domain with all its URLs, use the following record:
domain.com

Examples of URL record interpretation:

Sample record: yahoo.com or *yahoo.com*
  Handling of DNS requests: blocks the entire domain with its third-level domains, e.g. sport.yahoo.com and mail.yahoo.com, and also qweryahoo.com.
  Handling of HTTP requests: blocks the entire domain with all its URLs and third-level domains, e.g. http://sport.yahoo.com, http://mail.yahoo.com, https://mail.yahoo.com, http://sport.yahoo.com/123.

Sample record: ^mail.yahoo.com$
  Handling of DNS requests: blocks only mail.yahoo.com.
  Handling of HTTP requests: blocks only http://mail.yahoo.com and https://mail.yahoo.com.

Sample record: ^mail.yahoo.com/$
  Handling of DNS requests: nothing is blocked.
  Handling of HTTP requests: nothing is blocked, since the last "/" defines a URL, but neither "https" nor "http" is specified.

Sample record: ^http://finance.yahoo.com/personal-finance/$
  Handling of DNS requests: nothing is blocked.
  Handling of HTTP requests: blocks only http://finance.yahoo.com/personal-finance/.

Sample record: ^yahoo.com/12345/
  Handling of DNS requests: nothing is blocked.
  Handling of HTTP requests: blocks http://yahoo.com/12345/whatever/ and https://yahoo.com/12345/whatever/.
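The matching rules above can be checked offline before a list is uploaded. The Python example below is added for that purpose and is not UserGate code: it rejects records containing ? or #, classifies each record as a URL record (HTTP(S) filtering only) or a domain record (DNS and HTTP(S) filtering), and translates the ^, $ and * syntax into a regular expression in which every other character is literal. The matching model is an assumption simplified from the examples: a domain record is searched in the queried DNS name or in the URL host, a URL record in the whole URL string. It reproduces the examples for yahoo.com, ^mail.yahoo.com$, ^mail.yahoo.com/$ and ^http://finance.yahoo.com/personal-finance/$; the last example, where ^yahoo.com/12345/ still matches scheme-prefixed URLs, shows that the product is more lenient about a missing scheme than this model, so treat the code as a list validator and first approximation rather than as the filtering engine. The sample list is constructed.

```python
import re
from urllib.parse import urlsplit

URL_SCHEMES = ("http://", "https://", "ftp://")
FORBIDDEN_CHARS = "?#"   # the guide: these characters are not allowed in a record


def is_valid_record(record: str) -> bool:
    """A record may use ^, $ and * but must not contain ? or #."""
    return bool(record) and not any(c in record for c in FORBIDDEN_CHARS)


def is_url_record(record: str) -> bool:
    """URL records (scheme prefix or a "/") apply to HTTP(S) filtering only;
    anything else is a domain record and applies to DNS and HTTP(S)."""
    body = record.strip("^$")
    return body.startswith(URL_SCHEMES) or "/" in body


def record_to_regex(record: str) -> "re.Pattern":
    """Translate the list syntax: * = any characters, ^ = start, $ = end.
    Everything else is literal (so "." does not become a regex wildcard)."""
    if not is_valid_record(record):
        raise ValueError(f"record {record!r} contains a forbidden character")
    body, start, end = record, "", ""
    if body.startswith("^"):
        body, start = body[1:], "^"
    if body.endswith("$"):
        body, end = body[:-1], "$"
    literal = ".*".join(re.escape(part) for part in body.split("*"))
    return re.compile(start + literal + end, re.IGNORECASE)


def dns_blocked(record: str, hostname: str) -> bool:
    """DNS filtering: only domain records are consulted (assumption: the
    record is searched in the queried name, so it matches as a substring
    unless anchored with ^ and $)."""
    if is_url_record(record):
        return False
    return record_to_regex(record).search(hostname) is not None


def http_blocked(record: str, url: str) -> bool:
    """HTTP(S) filtering: domain records are tested against the URL host,
    URL records against the whole URL string (assumption, see lead-in)."""
    pattern = record_to_regex(record)
    if is_url_record(record):
        return pattern.search(url) is not None
    return pattern.search(urlsplit(url).hostname or "") is not None


def lint_list(text: str) -> list:
    """Check a list.txt before upload: returns (record, scope) pairs and
    raises on the first record containing ? or #."""
    result = []
    for line in text.splitlines():
        record = line.strip()
        if not record:
            continue
        if not is_valid_record(record):
            raise ValueError(f"invalid record: {record!r}")
        result.append((record, "http" if is_url_record(record) else "dns+http"))
    return result


# Constructed sample list (not one of UserGate's updatable lists)
SAMPLE_LIST = """\
yahoo.com
^mail.yahoo.com$
^http://finance.yahoo.com/personal-finance/$
"""

if __name__ == "__main__":
    for record, scope in lint_list(SAMPLE_LIST):
        print(f"{record:48} applies to: {scope}")
```

Because every character other than ^, $ and * is escaped, a record such as yahoo.com cannot accidentally match yahooXcom; the unanchored form still matches qweryahoo.com, exactly as the first example above states.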

Network administrators can create custom lists and distribute them from a single center to all UserGate servers. To create a new list, perform the following steps:

Step 1. Create a new file with the necessary list of URLs

Create a new text file called list.txt with URLs presented in the following format:

www.site1.com/url1

www.site2.com/url2

www.siteend.com/urlN

Step 2. Put this file into a new archive

Zip the file into a new archive called list.zip

Step 3. Create a new file with the necessary version of your list

Create a new file called version.txt and specify the list version (e.g. "3") in it. Make sure to increment this value each time you update the list

Step 4. Publish files on your web server

Publish list.zip and version.txt on your website and make them available for download

Step 5. Create a new list of URLs and provide a URL for installing updates

Create a new list of URLs on every UserGate server. When creating a new list, make sure to provide a URL for installing updates. UserGate checks for a new version on your website every 4 hours and automatically updates your list once a newer version is released
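The five-step publishing procedure is the same for IP address lists, Useragent lists, content type lists, URL lists and morphological dictionaries: write list.txt, pack it as list.zip, publish it next to a version.txt that is incremented on each release, and let every UserGate server poll the URL. The Python example below is added to show that procedure end to end and is not UserGate code; it builds two successive releases of a constructed IP list in a temporary directory, validates the entries as IP address or IP address/mask, and implements the consumer-side check (update only when the published version is newer). Comparing versions as integers is an assumption; the guide only says to increment the value.

```python
import ipaddress
import tempfile
import zipfile
from pathlib import Path


def read_version(path: Path) -> int:
    """Version as published in version.txt; 0 if the file does not exist yet.
    The guide only says to increment the value, so an integer is assumed."""
    try:
        return int(path.read_text(encoding="utf-8").strip())
    except FileNotFoundError:
        return 0


def is_valid_ip_entry(entry: str) -> bool:
    """IP address lists accept an address or address/mask,
    e.g. 192.168.1.5 or 192.168.1.0/24 (the guide's own examples)."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def write_bundle(outdir, entries, version=None) -> int:
    """Write list.txt, pack it into list.zip and bump version.txt in outdir.
    Returns the version written. The file names are the ones the guide uses."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    list_txt = outdir / "list.txt"
    list_txt.write_text("\n".join(entries) + "\n", encoding="utf-8")
    with zipfile.ZipFile(outdir / "list.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(list_txt, arcname="list.txt")   # the archive holds only list.txt
    new_version = read_version(outdir / "version.txt") + 1 if version is None else version
    (outdir / "version.txt").write_text(f"{new_version}\n", encoding="utf-8")
    return new_version


def entries_from_bundle(zip_path) -> list:
    """What a consumer sees after downloading list.zip: the non-empty lines of list.txt."""
    with zipfile.ZipFile(zip_path) as zf:
        text = zf.read("list.txt").decode("utf-8")
    return [line.strip() for line in text.splitlines() if line.strip()]


def update_needed(installed_version: int, published_version_text: str) -> bool:
    """The periodic check UserGate performs (every 4 hours per the guide):
    fetch version.txt and update only when the published version is newer."""
    return int(published_version_text.strip()) > installed_version


def demo() -> dict:
    """Build two successive releases of a constructed IP list in a temp dir."""
    release_1 = ["192.168.1.5", "192.168.1.0/24"]          # constructed sample entries
    release_2 = release_1 + ["10.0.0.0/8"]                  # constructed sample entries
    assert all(is_valid_ip_entry(e) for e in release_2)
    with tempfile.TemporaryDirectory() as d:
        v1 = write_bundle(d, release_1)
        v2 = write_bundle(d, release_2)
        published = (Path(d) / "version.txt").read_text(encoding="utf-8")
        return {
            "v1": v1,
            "v2": v2,
            "entries": entries_from_bundle(Path(d) / "list.zip"),
            "update_needed": update_needed(v1, published),
            "up_to_date": not update_needed(v2, published),
        }


if __name__ == "__main__":
    print(demo())
```

For a real deployment, point write_bundle at the web server's document root instead of a temporary directory; the consumer-side check is what makes forgetting to increment version.txt a silent failure, since an unchanged version means no server will download the new list.zip.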

10.7. Time sets

Based on time sets, you can add time periods and then use them for composing various UserGate rules. By default, the initial list is already predefined, but network administrators can add custom items as required. To add a new time set, perform the following steps:

Name

Description

Step 1. Create a new time set

Click Add and then specify the name for the time set

Step 2. Add the necessary time periods to your time set

Click Add and specify a new period. Make sure to provide a name and time range for the period

10.8. Bandwidth pools

The Bandwidth pools library item defines the data transfer speed that you can use for composing various rules and managing the network bandwidth. For more details on how to manage the network bandwidth, please refer to Traffic shaping.

By default, the initial list is already predefined, but network administrators can add custom items as required. To add a new bandwidth item, perform the following steps:

Name

Description

Step 1. Create a new bandwidth item

Click Add and then specify the name and description of the new bandwidth.

Step 2. Specify the speed

Specify the data transfer speed in Kbytes/s.

Step 3. Provide the DSCP value for QoS.

Optional parameter. When this option is enabled, the DSCP value is set in each IP packet. Ranges from 0 to 63.

10.9. SCADA profiles

A SCADA profile is a set of elements, each containing a SCADA command and an address. SCADA profiles are used in SCADA rules. For more details on SCADA traffic filtering, please refer to section SCADA rules.

10.10. Response pages

Based on response page templates, network administrators can manage the appearance of the blocking and authentication pages of the Captive portal. Network administrators can apply various templates depending on the content filtering rules and rules of the Captive portal.

UserGate is pre-packed with three default types of templates, which are templates for the Captive portal, templates for user session control, and templates of the blocking page. Based on these built-in templates, you can create custom templates using your corporate style, logos, and language.

Name

Description

Templates Blockpage

Default blocking template.

Templates Captive portal user auth

User authentication template for the Captive portal. The template displays a form for user authentication (by username and password). After a successful authentication, a user is granted the Internet access.

Templates Captive portal user auth + policy

User authentication template for the Captive portal. The template displays a form for user authentication (by username and password) and network usage rules (Terms and Conditions) and then asks a user to accept the network access policy. After a successful authentication and policy acceptance, a user is granted the Internet access.

Templates Captive portal: email auth

Template for user authentication via the Captive portal; this template allows users to register in the system on their own and then confirm their registration by email.

Templates Captive portal: SMS auth

Template for user authentication via the Captive portal; this template allows users to register in the system on their own and then confirm their registration via SMS.

Templates Captive portal policy

User authentication template for the Captive portal. The template does not require user authentication (by username and password), but displays the network usage rules (Terms and Conditions) and asks a user to accept the network access policy. After accepting the network access policy, a user is granted the Internet access. Make sure to set up the Accept policy method as the default authentication method of the Captive profile for proper operation of this template.

Templates Captive portal user session

Template for logging out of the current user session via http://logout.captive or http://UserGate_IP/cps

Templates Content warning page block

This template contains a warning page that will be displayed when a content filtering rule is triggered with the Warn operation.

Templates FTP over HTTP view

These templates are used for displaying the content of FTP over HTTP servers.

Web portal portal page

These templates are used for displaying the content of the web portal page.

Web portal login page for RDP

These templates are used for displaying the login page for RDP resources when connecting over the web portal.

Web portal login page for SSH

These templates are used for displaying the login page for SSH resources when connecting over the web portal.

To create a new custom template, perform the following steps:

Name

Description

Step 1. Export one of the default templates

Select an existing template, click Export and then save it to a file.

Step 2. Modify the exported template

Modify the template contents using an editor. It is not recommended that you use HTML editors, since they can corrupt the internal structure of your template. Instead, try to use simple text editors.

Step 3. Create a new template

Click Add, select the corresponding template type, specify the name of the template and then save changes.

Step 4. Import the template modified on step 2

Select the newly created template, click Import and then choose a file containing the modified template.

10.11. URL categories

Based on the URL Category library items, you can create groups of UserGate URL filtering categories for convenient usage of content filtering rules. For example, network administrators can create a group called "Business Categories" and then add the corresponding categories into it.

Note that you will have to install the corresponding license in order to use UserGate URL filtering categories.

By default, the initial list is already predefined, but network administrators can add custom items as required.

Name

Description

Threats

Categories recommended for blocking for security reasons.

Parental Control

Categories recommended for blocking in order to protect children from unwanted content.

Productivity

Categories recommended for blocking in order to improve the labor discipline.

Safe categories

Categories considered as secure ones. It is recommended that you disable morphological checks and capturing of HTTPS traffic for this group of categories in order to reduce false triggering.

Recommended for morphology checking

Categories recommended for morphological checks. These categories do not include News, Finance, Government, Information Security, Kids websites and other categories in order to reduce false triggering. The same categories are recommended for HTTPS traffic capturing.

Recommended for virus check

Categories recommended for virus checks.

To add a new group of categories, perform the following steps:

Name

Description

Step 1. Create a group of categories

Click Add and then specify the name for the group

Step 2. Add the categories

Click Add and then select the necessary categories from the list

10.12. Overridden URL categories

On this page, you can override the URL category of a particular website (domain). This can be useful if a site has no category assigned or its assigned URL category is incorrect. To assign a new category to a website, perform the following steps:

Name

Description

Step 1. Check the site's current category

In Libraries --> Overridden URL categories, type the site's address and click Check categories.

Step 2. Assign a new category

If the resulting category is not correct, click Add, select up to 2 new URL categories and click Save.

When finished, the website will be shown in the list of overridden sites along with the date, the name of the administrator who made the change, and the original and new categories.

The next time you check this site's categories, only the new categories will be reported, plus one special category: User overridden domains.

Administrators can export the list of sites with changed categories and import any text file with websites to assign them to the required categories.

10.13. Applications

Based on Application library items, you can create groups of applications and then conveniently use them in firewall rules and bandwidth rules. For example, network administrators can create a group of applications called "Business Applications" and then add the corresponding applications into it.

To add a new group of applications, perform the following steps:

Name

Description

Step 1. Create a group of applications

Click Add and then specify the name for the group

Step 2. Add the applications

Click Add and then select the necessary applications from the list

10.14. Emails

Based on the Email library items, you can create groups of email addresses and then use them in email traffic filtering rules and notifications.

To add a new group of emails, perform the following steps:

Name

Description

Step 1. Create a new group of emails

Click Add and then specify the name for the group

Step 2. Add new emails to the group

Click Add and then add the necessary emails

10.15. Phones

Based on the Phone library items, you can create groups of phone numbers and then use them in various SMPP notification rules.

To add a new group of phone numbers, perform the following steps:

Name

Description

Step 1. Create a new group of phone numbers

Click Add and then specify the name for the group

Step 2. Add new phone numbers to the group

Click Add and then add the necessary phone numbers

10.16. IPS profiles

An IPS profile is a set of signatures relevant for the protection of certain services. Administrators can create any number of IPS profiles to protect various services. It is recommended that you avoid adding excessive signatures to profiles and use only signatures that are really important for security. For example, do not add UDP-specific signatures to a profile that protects a TCP-based service. When there are too many signatures, the system will process the traffic for longer due to the additional CPU workload. For more details on how to create and use IPS profiles, please refer to section Intrusion prevention system.

10.17. Notification profiles

Notification profiles specify the transport used for delivering notifications to recipients. The system supports 2 types of transport:

  • SMTP, message delivery by Email

  • SMPP, message delivery by SMS

To create a new SMTP message profile, click Add in the Notifications-->Notification profiles section, select Add SMTP notification profile and then specify the following fields:

Name

Description

Name

Name of the profile

Description

Description of the profile

Host

IP address of the SMTP server that you are going to use for sending messages

Port

TCP port used by the SMTP server (usually port 25 for SMTP and port 465 for SMTP with SSL). Ask your email server administrator to provide this value

Connection security

The following email security options are supported: None, STARTTLS, SSL

Authentication

Enables authentication for SMTP server

Login

Username of the account used for connecting to the SMTP server

Password

Password of the account used for connecting to the SMTP server

To create a new SMPP message profile, click Add in the Notifications-->Notification profiles section, select Add SMPP notification profile and then specify the following fields:

Name

Description

Name

Name of the profile

Description

Description of the profile

Host

IP address of the SMPP server that you are going to use for sending SMS messages

Port

TCP port used by the SMPP server (usually port 2775 for SMPP and port 3550 for SMPP with SSL).

SSL

Whether to use the SSL encryption

Login

Username of the account used for connecting to the SMPP server

Password

Password of the account used for connecting to the SMPP server

Phone translation rules

Allows you to change the prefix of phone numbers, e.g. change 11234567890 to +111234567890. This can be required by some SMPP providers

11. Dashboard

This section allows you to view the current status of the server along with its workload, number of users, traffic volumes going through the server, applied filters, license status, and more. Reports are provided as widgets that can be configured by system administrators depending on the current needs. You can add, remove, resize or move the widgets on the Dashboard page.

12. Diagnostics and monitoring

12.1. Routes

In the Routes section, you can obtain a list of all routes specified in a given UserGate node. To view the routes, click Filter and provide the types of routes to be displayed. You can specify the following route types:

  • Connected - the routes to networks that are directly connected to the UserGate interfaces. Such routes will be marked with the C character in the list of routes.

  • Kernel - the routes defined statically in Network-->Routes. Such routes will be marked with the S character in the list of routes.

  • OSPF - the routes obtained using the OSPF protocol. Such routes will be marked with the O character in the list of routes.

  • BGP - the routes obtained using the BGP protocol. Such routes will be marked with the B character in the list of routes.

You can download the displayed list of routes as a text file by clicking Download all routes.

12.2. VPN

In the VPN section, you can view all users and all servers connected to a given server by VPN. The following information is displayed for each connection:

  • User - the user name for which the connection has been authorized

  • Type - a client or a server

  • Duration - duration of the established connection

  • Source Geo IP - the country from which the connection has been established (detected by Geo IP)

  • Encryption - encryption type

  • Transmission speed - the data transmission speed at the moment when the page is being displayed

  • Reception speed - the data reception speed at the moment when the page is being displayed

  • Bytes sent - the volume of the outgoing data

  • Bytes received - the volume of the incoming data

  • Packets sent - the number of packets sent since the VPN session has started

  • Packets received - the number of packets received since the VPN session has started

12.3. Web portal

In the web portal section, you can view all users and all servers connected to a given server by web portal. The following information is displayed for each connection:

  • User - the user name for which the connection has been authorized

  • Started - the time when the connection was established

  • Source IP - the source IP address of the connected user

  • Useragent - the browser user agent of the connected user

12.4. Packet capture

In the Packet capture section, you can record the traffic that meets the specified conditions to a PCAP file for later analysis in 3rd party applications, such as Wireshark. This may be useful for network diagnostics and troubleshooting.

The section consists of three parts:

  • Filters - this subsection defines the conditions for traffic recording. You can use the source address, source port, destination address, Ethernet protocol, or IPv4 protocol as the conditions to start recording. The list of IPv4 protocols can be found at http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

  • Rules - the rules contain the UserGate interfaces in which the traffic must be recorded, custom filters, and also the name and size of the file in which the captured traffic is recorded.

  • Files - this subsection contains files with recorded traffic. You can download them for analysis or remove them.

To record the traffic, perform the following steps:

Name

Description

Step 1. Create the filter that you need.

Optional. You can use the predefined filters or record all the traffic without any filters.

Step 2. Create a new rule.

Create a rule and provide the rule name, file name, maximum size of the file, and the necessary filters.

Step 3. Select the rule you need and start recording.

Select the necessary rule and click Start capture. When all the data is recorded, click Stop capture.

Step 4. Download the output file in the Files section.

Download the PCAP file for analysis.

12.5. Requests to a white list

When a website is blocked according to content filtering rules, a user will see the blocking page which describes the reason for blocking along with the name of the filtering rule, website category, morphological database or the black list used for blocking. In addition, the blocking page allows a user to request adding this website to the white list if it has been blocked by mistake. When a user clicks Add to white list, the corresponding request will appear in Requests for white list. Network administrators can perform the following actions with user requests:

Name

Description

Add to white list

Adds the provided URL to the white list. The system will prompt network administrators to modify the URL and select the white list to which this web resource will be added.

Delete

Removes the request from the list of requests.

Reject URL

Adds the requested URL to the list of discarded requests. Once the request is discarded, the Add to white list option will not be shown on the blocking page for this URL anymore. The list of discarded domains and URLs is displayed in the rejected requests window.

Reject domain

Adds the domain of the requested URL to the list of discarded requests. Once the request is discarded, the Add to white list option will not be available on the blocking page for this domain anymore. The list of discarded domains and URLs is displayed in the rejected requests window.

Network administrators can check the category of a web resource using the Check URL form. If the web resource appears to be in a wrong category, network administrators can either request a category change by suggesting another category, or change the site's category locally for their UserGate.

To request a category change, the administrator should click the Suggest URL category button. The system sends this request to UserGate, so that our support team can check it and make the necessary updates to the UserGate URL filtering database.

To change the category locally, the administrator should click Override category, select up to 2 new URL categories and click Save. All sites with changed categories can be seen in Libraries --> Overridden URL categories.

The next time you check this site's categories, only the new categories will be reported, plus one special category: User overridden domains.

12.6. Tracing of rules

Using the rule tracing feature, administrators can check which rules are triggered in response to user HTTP(S) requests. This can be very useful for diagnostics of various access issues for certain sites. To trace the rules, perform the following steps:

Name

Description

Step 1. Create the filter that you need.

Click Configure in Diagnostics and monitoring-->Tracing rules and provide the filter parameters:

  • String - a string in a user request, e.g. a domain name, URL, or content filtering rules.

  • User - a user whose requests need to be diagnosed.

  • Source IP address - IP address from which a user sends a request.

The filter limits the volume of the output diagnostic information. When no filter is set up, you will also see the results for other user requests.

Step 2. Run the tracing.

Click Start tracing.

Step 3. Open the site with access issues.

Ask a user to open the site with access issues and check which rules are triggered at the moment. You will see all the rules that are triggered when a user request is being processed.

12.7. Ping

Using the 'ping' routine, you can check availability of various network resources. Parameters of the 'ping' command:

Name

Description

Ping host

A host to be checked.

TTL

The maximum number of intermediate hops allowed on the route to the host being checked.

Interface

A network interface from which to run ping.

Count

Number of repeats.

Show timestamp

Add a timestamp to the command output.

Don't resolve names

Operate with IP addresses without replacing them with domain names

12.8. Traceroute

Using the 'traceroute' routine, you can trace the route of the network packets sent to a given host. Parameters of the 'traceroute' command:

Name

Description

Traceroute host

A host to be checked.

Interface

A network interface from which to run the command.

Do not resolve names

Operate with IP addresses without replacing them with domain names

12.9. DNS query

Using the DNS query tool, you can diagnose DNS issues. Parameters of the DNS query:

Name

Description

DNS query (host)

A hostname to be checked.

Query source IP

One of the IP addresses assigned to UserGate

DNS server

DNS server to send requests to

Port

UDP port to use for DNS requests

Query type

Type of DNS request to send

12.10. Notifications

In this section, you can set up notification profiles and then use them for sending notifications about various events, e.g. high CPU workload or sending a password to a user via SMS.

12.10.1. Alert rules

Based on alert rules, network administrators can send information about certain events of the UserGate server to the specified recipients. To create a new notification rule, perform the following steps:

Name

Description

Step 1. Create one or more notification profiles

Please refer to Notifications-->Notification profiles

Step 2. Create one or more groups of message recipients

Please refer to Libraries-->Emails and Libraries-->Phones

Step 3. Create a new alert rule

Add a new rule in the Notifications-->Alert rules section

Specify the following parameters when adding a new rule:

Name

Description

Enabled

Enables or disables a rule

Name

Rule name

Description

Description of a rule

Notification profile

Select a notification profile that you have previously created. The system will display a separate tab for adding phone numbers (for SMPP profiles) or for adding email addresses (for SMTP profiles)

Sender

Specify the notification sender

Subject

Specify the notification subject

Wait for next alert, seconds

Specify the server's timeout before sending the next message if the rule is triggered again

Events

Specify the events for which you want to receive notifications

Phones

Applicable for SMPP profiles only. Specify the groups of phone numbers to which SMS notifications will be sent

Emails

Applicable for SMTP profiles only. Specify the groups of emails to which email notifications will be sent

12.10.2. SNMP monitoring

UserGate supports the SNMP v2c and SNMP v3 protocols for monitoring purposes. The system can use both SNMP queries and SNMP traps, thereby allowing you to track critical parameters of UserGate directly from the SNMP management software deployed in your company.

To set up the SNMP-based monitoring, you should first define the SNMP rules. To create a new SNMP rule, click Add in the SNMP section and specify the following parameters:

Name

Description

Name

Rule name

Trap host IP, port

IP address of the trap server and the port on which the server will be listening for events (usually UDP 162). This option is necessary only if you want to send traps to the notification center.

Community

SNMP community - a string for identification of the UserGate server and the SNMP management server for SNMP v2c. Make sure to use only digits and Latin letters.

Context

Optional parameter which defines the SNMP context. Make sure to use only digits and Latin letters.

Version

Specify the version of the SNMP protocol that you want to use in this rule. Possible values are SNMP v2 and SNMP v3.

Operation: SNMP queries

When enabled, the system will be retrieving and handling SNMP queries from the SNMP manager.

Operation: SNMP traps

When enabled, the system will be sending SNMP traps to the management server.

Username

Applicable for SNMP v3 only. Username for authentication of the SNMP manager.

Authentication type

Select an authentication mode for the SNMP manager. Possible values:

  • Without authentication, without encryption (noAuthNoPriv)

  • With authentication, without encryption (authNoPriv)

  • With authentication, with encryption (authPriv)

The most secure mode is authPriv.

Authentication algorithm

Algorithm used for authentication

Authentication password

Password used for authentication

Encryption algorithm

Algorithm used for encryption. Possible values are DES and AES.

Encryption password

Password used for encryption

Events

Specify the parameters that will be available to the SNMP manager. If you enabled sending traps, the system will send a trap each time a critical value is reached.

Important! Make sure that all authentication settings for SNMP v2c (community) and SNMP v3 (user, authentication type, authentication algorithm, authentication password, encryption algorithm, encryption password) in the SNMP manager are exactly the same as in UserGate.

For more details on how to configure authentication parameters for your SNMP manager, please refer to the manuals of the SNMP management software you are using.

By clicking Download MIBs, you can download MIB files with UserGate monitoring parameters and then use them in your SNMP manager. UserGate has its own unique ID 45741 for SNMP (Private Enterprise Number).

13. Logs and reports

13.1. Logs

13.1.1. Event log

The event log displays events in which any settings of the UserGate server have been changed, e.g. adding/removing/modifying data of a user account, rule or any other item. Here you can also view all login events for the web console, user authentication via the Captive portal, and so on.

For convenience, you can filter certain events by various criteria, such as date range, component, severity, or event type.

Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.

By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.

13.1.2. Web access log

The web access log displays all user requests sent to the Internet via HTTP and HTTPS. The following information is displayed:

  • The UserGate node where the event has taken place

  • Time of the event

  • User

  • Actions

  • Rule

  • Reason (if the site has been blocked)

  • URL

  • Source zone

  • Source IP address

  • Source port

  • Destination IP

  • Destination port

  • Categories

  • Protocol (HTTP)

  • Method (HTTP)

  • Response code (HTTP)

  • MIME (if any)

  • Bytes sent/received

  • Packets sent

  • Referrer (if any)

  • Operating system

  • Browser

Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.

For convenience, you can filter and search certain events and records by various criteria, such as user account, rule, action, and more.

By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.

13.1.3. Traffic log

The traffic log displays all events in which firewall rules or NAT rules have been triggered (providing that packet logging has been enabled). The following information is displayed:

  • The UserGate node where the event has taken place

  • Time of the event

  • User

  • Operation

  • Rule

  • Application

  • Protocol

  • Source zone

  • Source address

  • Source port

  • Destination IP

  • Destination port

  • NAT source IP (if this is a NAT rule)

  • NAT source port (if this is a NAT rule)

  • NAT destination IP (if this is a NAT rule)

  • NAT destination port (if this is a NAT rule)

  • Bytes sent/received

  • Packets

Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.

For convenience, you can filter and search certain events and records by various criteria, such as user account, rule, action, and more.

By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.

13.1.4. IPS log

The IPS log displays the triggered IPS signatures for which a logging or blocking action has been set up. The following information is displayed:

  • The UserGate node where the event has taken place

  • Time

  • Operation

  • Signature

  • Class - the signature class

  • CVE - vulnerability ID according to the CVE database

  • Bugtraq - vulnerability ID according to the Bugtraq database

  • Nessus - vulnerability ID according to the Nessus database

  • Protocol

  • Source IP

  • Source port

  • Destination IP

  • Destination port

  • Signature triggering details

Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.

For convenience, you can filter and search certain events and records by various criteria, such as protocol, date range, action, and more.

By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.

13.1.5. Search history

In the Search history section, you can view all search queries from users for which logging is enabled in the safe browsing policies. Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.

For convenience, you can filter and search certain events and records by various criteria, such as user, date range, search engines, and more.

By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.

13.1.6. Searching and filtering

Since logs usually contain lots of entries, UserGate offers convenient ways to search for and filter the necessary information. Administrators may choose between the basic and advanced search modes in logs.

In the basic search mode, administrators can use a GUI to set up filtering by one or more fields in logs and thus exclude excessive data. For example, it is possible to set up filters by time period, list of users, category, etc. Setting up various search criteria is intuitive and does not require any special knowledge.

More sophisticated filters can be configured by means of the advanced search mode with a special query language. In the advanced search mode, you are free to compose queries using log fields that are not available in the basic mode. Such queries may also include field names, field values, keywords, and operators. If you want to enter field values that contain spaces, make sure to put single or double quotes. Parentheses can be used for grouping multiple conditions.

Keywords must be separated by spaces and may be as follows:

Name

Description

AND/and

Logical AND: all conditions in the query must be met.

OR/or

Logical OR: at least one condition in the query must be met.

You can use the following operators to define filter conditions:

Name

Description

=

Equal to. Searches for the specified value only, e.g. the query ip=172.16.31.1 will display all log entries in which the "IP" field exactly equals "172.16.31.1".

!=

Not equal to. Searches for any value except the specified one, e.g. the query ip!=172.16.31.1 will display all log entries in which the "IP" field is not equal to "172.16.31.1".

<=

Less or equal. The field value must be less or equal to that in the query. Can be applied only to the fields that support comparison, such as date fields, portSource, portDest, statusCode, etc., e.g. date <= '2019-03-28T20:59:59' AND statusCode=303

>=

Greater or equal. The field value must be greater or equal to that in the query. Can be applied only to the fields that support comparison, such as date fields, portSource, portDest, statusCode, etc., e.g. date >= "2019-03-13T21:00:00" AND statusCode=200

<

Less. The field value must be less than that in the query. Can be applied only to the fields that support comparison, such as date fields, portSource, portDest, statusCode, etc., e.g. date < '2019-03-28T20:59:59' AND statusCode=404

>

Greater. The field value must be greater than that in the query. Can be applied only to the fields that support comparison, such as date fields, portSource, portDest, statusCode, etc., e.g. (statusCode>200 AND statusCode <300) OR (statusCode=404)

IN

Allows you to specify multiple field values in a query. Use parentheses to denote a list of values, e.g. category IN (botnets, compromised, 'illegal software', 'phishing and fraud','reputation high risk','unknown category')

~

Contains. Allows you to specify a substring that must be found in a given field, e.g. browser ~ "Mozilla/5.0" This operator is applicable only to the string fields.

!~

Does not contain. Allows you to specify a substring that must not be found in a given field, e.g. browser !~ "Mozilla/5.0" This operator is applicable only to the string fields.

For your convenience, UserGate suggests the possible field names, applicable operators and allowed values as you compose an advanced query. When you switch from the basic search mode to the advanced one, UserGate automatically generates a query string from the filter conditions you specified in the basic mode.
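To make the keyword and operator rules above concrete, here is a small evaluator for this query language run over a few constructed log entries. It is an added example, not UserGate code: the sample entries are constructed, the field names are the ones used in the examples above (ip, date, statusCode, portDest, category, browser), and the choice that AND binds tighter than OR is an assumption of the example, since the guide does not state the precedence.

```python
"""Evaluate a UserGate-style advanced log search query over sample entries.

Added example, not UserGate code: field/operator/value conditions with the
operators = != < <= > >= ~ !~ and IN, the AND/OR keywords (AND binds tighter),
parentheses for grouping, and quotes around values that contain spaces.
"""
import re

# Constructed web-access entries, not real UserGate log output.
SAMPLE_LOG = [
    {"date": "2019-03-13T21:05:00", "ip": "172.16.31.1", "statusCode": 200, "portDest": 443,
     "category": "unknown category", "browser": "Mozilla/5.0 (Windows)"},
    {"date": "2019-03-20T09:15:00", "ip": "172.16.31.7", "statusCode": 303, "portDest": 80,
     "category": "phishing and fraud", "browser": "curl/7.64.0"},
    {"date": "2019-03-28T20:30:00", "ip": "10.0.0.5", "statusCode": 404, "portDest": 8080,
     "category": "botnets", "browser": "Mozilla/5.0 (X11)"},
    {"date": "2019-03-29T01:00:00", "ip": "172.16.31.1", "statusCode": 500, "portDest": 443,
     "category": "reputation high risk", "browser": "python-requests/2.21"},
]

TOKEN_RE = re.compile(r"""\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<comma>,)
    |(?P<op>!=|<=|>=|!~|=|<|>|~)|(?P<value>'[^']*'|"[^"]*")|(?P<word>[^\s()=!<>~,]+))""",
    re.VERBOSE)

def tokenize(query):
    """Split a query into (kind, text) tokens; quoted values lose their quotes."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot read query at offset {pos}: {query[pos:]!r}")
        kind, text = m.lastgroup, m.group(m.lastgroup)
        tokens.append((kind, text[1:-1] if kind == "value" else text))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent: expr = term (OR term)*, term = factor (AND factor)*."""
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0
    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)
    def take(self, *kinds):
        kind, text = self.peek()
        if kind is None or (kinds and kind not in kinds):
            raise ValueError(f"unexpected {kind} {text!r}, expected {kinds or 'more input'}")
        self.i += 1
        return text
    def keyword(self, name):
        kind, text = self.peek()
        return kind == "word" and text.upper() == name
    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing input: {self.peek()[1]!r}")
        return node
    def expr(self):
        node = self.term()
        while self.keyword("OR"):
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.keyword("AND"):
            self.take()
            node = ("and", node, self.factor())
        return node
    def factor(self):
        if self.peek()[0] == "lparen":
            self.take()
            node = self.expr()
            self.take("rparen")
            return node
        field = self.take("word")
        if self.keyword("IN"):                      # field IN (v1, v2, ...)
            self.take()
            self.take("lparen")
            values = [self.take("word", "value")]
            while self.peek()[0] == "comma":
                self.take()
                values.append(self.take("word", "value"))
            self.take("rparen")
            return ("in", field, values)
        return (self.take("op"), field, self.take("word", "value"))

def evaluate(node, entry):
    """Apply a parsed query to one log entry (for and/or, field and arg are subtrees)."""
    kind, field, arg = node
    if kind in ("and", "or"):
        left, right = evaluate(field, entry), evaluate(arg, entry)
        return (left and right) if kind == "and" else (left or right)
    actual = entry.get(field)
    if actual is None:                  # a missing field never satisfies a condition
        return False
    if kind == "in":
        return str(actual) in arg
    if kind in ("~", "!~"):             # substring tests apply to string fields only
        if not isinstance(actual, str):
            raise ValueError(f"{kind} applies only to string fields, not {field!r}")
        return (arg in actual) == (kind == "~")
    if kind in ("=", "!="):
        return (str(actual) == arg) == (kind == "=")
    wanted = int(arg) if isinstance(actual, int) else arg   # ISO dates compare as strings
    return {"<": actual < wanted, "<=": actual <= wanted,
            ">": actual > wanted, ">=": actual >= wanted}[kind]

def search(query, entries=SAMPLE_LOG):
    """Return the entries that satisfy an advanced-search query string."""
    ast = Parser(tokenize(query)).parse()
    return [entry for entry in entries if evaluate(ast, entry)]
```

Running the guide's own examples through `search()` shows the two points that matter most when reading someone else's saved filters: quoting only matters for values with spaces, and without parentheses an AND condition is evaluated before the OR next to it.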

13.1.7. Logs export

The log export feature in UserGate allows you to upload the information to external servers for later analysis or for processing in SIEM (Security Information and Event Management) systems.

UserGate supports the following logs:

  • Events

  • Web access

  • IPS

  • Traffic

The system supports sending logs to SSH (SFTP), FTP and Syslog servers. You can set up a schedule according to which the logs will be sent to SSH and FTP servers. Sending to Syslog servers is performed each time a new record is added to a log.

To start sending logs, create a log export configuration in the Logs export section.

Specify the following parameters when creating a new configuration:

Name
    Name of the log export rule.

Description
    Optional field for the rule description.

Logs for export
    Select the logs to export:

      • Web access log

      • IPS log

      • Traffic log

    Set the log format for every type of log:

      • CEF – Common Event Format (ArcSight)

      • JSON – JSON format

      • @CEE: JSON – CEE Log Syntax (CLS) Encoding JSON

    Consult your SIEM documentation to select the correct format.

Server type
    SSH (SFTP), FTP or Syslog.

Server address
    IP address or domain name of the server.

Transport
    Only for Syslog servers: TCP or UDP.

Port
    Server port to which the data should be sent.

Protocol
    Only for Syslog servers. Choose the protocol your SIEM supports: RFC 5424 or BSD syslog (RFC 3164).

Severity
    Only for Syslog servers. Optional field. Consult your SIEM documentation to select the correct value. Possible values are:

    0 - Emergency: system is unusable

    1 - Alert: action must be taken immediately

    2 - Critical: critical conditions

    3 - Error: error conditions

    4 - Warning: warning conditions

    5 - Notice: normal but significant condition

    6 - Informational: informational messages

    7 - Debug: debug-level messages

Facility
    Only for Syslog servers. Optional field. Consult your SIEM documentation to select the correct value. Possible values are:

    0 - kernel messages

    1 - user-level messages

    2 - mail system

    3 - system daemons

    4 - security/authorization messages

    5 - messages generated internally by syslogd

    6 - line printer subsystem

    7 - network news subsystem

    8 - UUCP subsystem

    9 - clock daemon

    10 - security/authorization messages

    11 - FTP daemon

    12 - NTP subsystem

    13 - log audit

    14 - log alert

    15 - clock daemon (note 2)

Hostname
    Only for Syslog servers. The hostname field identifies the machine that originally sent the syslog message. It should be a Fully Qualified Domain Name (FQDN).

App-Name
    Only for Syslog servers. The App-Name field should identify the device or application that originated the message. It is a string without further semantics and is intended for filtering messages on a relay or collector.

Login
    Username of the account used for connecting to the remote server. Not applicable to Syslog servers.

Password
    Password of the account used for connecting to the remote server. Not applicable to Syslog servers.

Repeat password
    Confirmation of the password of the account used for connecting to the remote server. Not applicable to Syslog servers.

Directory path
    Server folder into which the log files will be copied. Not applicable to Syslog servers.

Schedule
    Select a schedule for sending logs. Not applicable to Syslog servers. Possible values:

      • Daily

      • Weekly

      • Monthly

      • Every … hours

      • Every … minutes

      • Advanced

    If you set the value manually (Advanced), use the crontab-like format in which a string consists of six fields separated with spaces. Time in fields is specified in the following format: (minutes: 0-59) (hours: 0-23) (days of month: 0-31) (month: 0-12) (days of week: 0-6, 0 - Sunday). You can also use the following symbols in the first five fields:

      • Asterisk (*) - denotes the entire range (from the first element up to the last one)

      • Hyphen (-) - denotes a numeric range. For example, "5-7" stands for 5, 6 and 7

      • Lists. These are numbers (or ranges) separated with commas. Example: "1,5,10,11" or "1-11,19-23"

      • Asterisk or range with an increment. Denotes a step through a range; the increment is specified after the slash. For example, "2-10/2" stands for "2,4,6,8,10", while "*/2" in the "hours" field means "every two hours"
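As an added example (not UserGate code) of what the Syslog export parameters above produce on the wire, the following script formats one constructed web-access record as CEF, JSON and @cee: JSON and wraps it in an RFC 5424 or BSD (RFC 3164) header built from the Severity, Facility, Hostname and App-Name values. The CEF extension keys used (rt, suser, src, dst, dpt, request, cat, act) are standard CEF dictionary names chosen for illustration; the fields UserGate actually emits are not documented on this page and are an assumption here.

```python
"""Render a log record the way a Syslog export rule would ship it.

Added example, not UserGate code. A constructed web-access record is encoded
in the three formats the guide lists (CEF, JSON, @cee: JSON) and wrapped in an
RFC 5424 or BSD (RFC 3164) header built from the Severity, Facility, Hostname
and App-Name parameters. The CEF keys below are an assumption for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed sample record, not real UserGate output.
RECORD = {
    "time": datetime(2019, 3, 28, 20, 30, 0, tzinfo=timezone.utc),
    "user": "jdoe",
    "src": "172.16.31.1",
    "dst": "93.184.216.34",
    "dpt": 443,
    "url": "https://example.com/login?next=/home",   # '=' must be escaped in CEF
    "category": "phishing and fraud",
    "action": "block",
}

def cef_escape(value, header=False):
    """CEF escaping: '|' in header fields, '=' in extension values, '\\' in both."""
    text = str(value).replace("\\", "\\\\")
    return text.replace("|", "\\|") if header else text.replace("=", "\\=")

def to_cef(rec, vendor="UserGate", product="UTM", version="5"):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = [vendor, product, version, "web-access", "URL blocked", 6]
    ext = {
        "rt": int(rec["time"].timestamp() * 1000),   # CEF receipt time, epoch ms
        "suser": rec["user"], "src": rec["src"], "dst": rec["dst"],
        "dpt": rec["dpt"], "request": rec["url"], "cat": rec["category"],
        "act": rec["action"],
    }
    head = "|".join(cef_escape(h, header=True) for h in header)
    body = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())
    return f"CEF:0|{head}|{body}"

def to_json(rec):
    """Plain JSON; datetime rendered as ISO 8601, keys sorted for stable output."""
    return json.dumps(dict(rec, time=rec["time"].isoformat()),
                      separators=(",", ":"), sort_keys=True)

def to_cee(rec):
    """CEE Log Syntax: the '@cee:' cookie followed by the JSON object."""
    return "@cee: " + to_json(rec)

FORMATS = {"CEF": to_cef, "JSON": to_json, "@CEE: JSON": to_cee}

def priority(facility, severity):
    """Syslog PRI = facility * 8 + severity (RFC 5424, section 6.2.1).

    The guide's Facility table stops at 15; RFC 5424 also defines local-use
    facilities 16-23, so the full range is accepted here.
    """
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def rfc5424(payload, facility, severity, hostname, appname, ts):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG"""
    pri = priority(facility, severity)
    return f"<{pri}>1 {ts.isoformat()} {hostname} {appname} - - - {payload}"

def rfc3164(payload, facility, severity, hostname, appname, ts):
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (BSD syslog; the day is space-padded)."""
    pri = priority(facility, severity)
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {appname}: {payload}"

def export_message(rec, log_format, protocol, facility, severity, hostname, appname):
    """Assemble one message as an export rule with these parameters would."""
    payload = FORMATS[log_format](rec)
    wrap = {"RFC5424": rfc5424, "RFC3164": rfc3164}[protocol]
    return wrap(payload, facility, severity, hostname, appname, rec["time"])

if __name__ == "__main__":
    for fmt in FORMATS:
        print(export_message(RECORD, fmt, "RFC5424", 4, 6, "ug.example.com", "usergate"))
    print(export_message(RECORD, "CEF", "RFC3164", 10, 5, "ug", "usergate"))
```

Facility 4 with Severity 6 (Informational) yields PRI 38, the number the collector reads to route the message, so a mismatch between these two fields and the SIEM's parsing rules shows up as events landing in the wrong queue rather than as a connection error. When the transport is TCP, also confirm with the SIEM whether it expects newline-delimited or octet-counted (RFC 6587) framing, since the TCP/UDP setting alone does not determine this.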

13.2. Reports

Reports help administrators extract and display various datasets regarding security events, configuration changes or user actions. Reports can be generated automatically by the previously created rules and templates, and then emailed to all stakeholders.

The Reports section consists of three subsections, which are Templates, Rules, and Generated Reports. To create a new report, perform the following:

Step 1. Define a report creation rule.
    Create a report generation rule and provide the required report generation parameters.

Step 2. Run the report.
    You can run the report manually or wait until the report is launched automatically according to the schedule.

Step 3. Obtain the report.
    You can get the report by email (when emailing of reports is enabled) or download it manually in the Generated reports section.

Important! The report creation process may take a long time to complete and may consume a lot of computing resources.

13.2.1. Report templates

A template defines the appearance and fields to be used in the report. The default report templates are provided by the UserGate team.

The report templates by category include:

  • Events — a group of templates for the events recorded in the event log

  • IPS — a group of templates for the events recorded in the IPS log

  • Network activity — a group of templates for the events recorded in the traffic log

  • Traffic — a group of templates for the events recorded in the traffic log and related to the traffic volume consumed by users, applications, and more.

  • Web activity — a group of templates for the events recorded in the web access log

Each template contains a name, report description, and report display type (table, histogram, or pie chart).

13.2.2. Report rules

A report rule defines the parameters of the generated reports, the schedule on which they are run, and how they are delivered to users. Provide the following parameters when creating a new report rule:

On
    Enable or disable the report rule.

Name
    Name of the rule.

Description
    Optional field for the rule description.

Report language
    Select the language that will be used in the report.

Time range
    The time range for which the report will be generated.

Limit records
    Limits the number of records to be displayed in reports for which the number of top records is limited, e.g. only the TOP-20 users who failed authentication in the console.

Group by limit (when applicable)
    Limits the number of records to be displayed in reports for which the number of grouped records is limited, e.g. only the TOP-10 users in each category, i.e. not more than 10 users per category. This restriction applies only to report templates with grouping.

Users
    Select the users or user groups for which the report will be generated. When this field is empty, the report is generated for all users.

Templates
    The list of templates to be used for building the report. Add at least one template.

Schedule
    Select a report generation schedule. Possible options:

      • Daily

      • Weekly

      • Monthly

      • Every … hours

      • Every … minutes

      • Advanced

    If Advanced is selected, use the crontab-like format in which a string consists of six fields separated with spaces. Specify the fields as follows: (minutes: 0-59) (hours: 0-23) (days of month: 0-31) (month: 0-12) (day of week: 0-6, 0 - Sunday). Each of the five fields can be specified in the following way:

      • Asterisk (*) - denotes the whole range (from the first element to the last one)

      • Hyphen (-) - denotes a numeric range. For example, "5-7" stands for 5, 6 and 7

      • Lists. These are numbers (or ranges) separated with commas. Example: "1,5,10,11" or "1-11,19-23"

      • Asterisk or range with an increment. Used to skip elements in a range; the step is specified after the slash. For example, "2-10/2" stands for "2,4,6,8,10", and "*/2" in the "hours" field means "every two hours"

Delivery
    You can optionally send generated reports to recipients by SMTP. Set up the following:

      • An SMTP profile to be used for sending reports. For details on setting up SMTP profiles, refer to Notification profiles.

      • Email sender — name of the message sender

      • Email subject — subject string of the message

      • Email body — body of the message

      • Recipients — list of message recipients. Add all recipients to the lists of the Email addresses library.

Important! The report creation process may take a long time to complete and may consume a lot of computing resources. It is especially important to pay attention to the workload when generating reports for a large time period.

Important! Note that you can run a report rule even without enabling it or configuring its schedule. In the manual mode, you can run any report (even a disabled one) by adding the necessary rule to the list of rules and clicking Run now. The output reports will be available in the Generated reports section.
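The crontab-like Advanced schedule format appears twice in this guide, for Logs export and for Report rules. The following parser, an added example and not UserGate code, expands each field ('*', 'a-b', comma lists, '/n' steps) into the set of values it matches and finds the next time a rule fires, which is the quickest way to check a schedule before trusting it to deliver logs or reports. The guide speaks of six fields but specifies five; the example parses the five it specifies, in the order given (minute, hour, day of month, month, day of week with 0 = Sunday). Treating day of month and day of week as two independent conditions is an assumption of the example.

```python
"""Expand a crontab-like Advanced schedule and find when it next fires.

Added example, not UserGate code. Implements the field syntax the guide gives
for Logs export and Report rule schedules: '*' for the whole range, 'a-b'
ranges, comma-separated lists and '/n' steps, in the order minute, hour, day
of month, month, day of week (0 = Sunday). Day of month and day of week are
treated as independent AND conditions (an assumption of this example).
"""
from datetime import datetime, timedelta

# Field order and bounds as written in the guide (0 is accepted for day and
# month because the guide lists it, but no real date ever has day or month 0).
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day_of_month", 0, 31),
          ("month", 0, 12), ("day_of_week", 0, 6)]

def expand_field(spec, low, high):
    """Return the set of integers one field matches, e.g. '2-10/2' -> {2,4,6,8,10}."""
    values = set()
    for item in spec.split(","):
        base, _, step = item.partition("/")
        step = int(step) if step else 1
        if step < 1:
            raise ValueError(f"step must be positive: {item!r}")
        if base == "*":
            start, end = low, high
        elif "-" in base:
            first, last = base.split("-", 1)
            start, end = int(first), int(last)
        elif step == 1:
            start = end = int(base)
        else:                     # the guide allows a step only after '*' or a range
            raise ValueError(f"a step requires '*' or a range: {item!r}")
        if not low <= start <= end <= high:
            raise ValueError(f"{item!r} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values

def parse_schedule(expr):
    """Parse the five space-separated fields into a dict of allowed value sets."""
    parts = expr.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {expr!r}")
    return {name: expand_field(part, low, high)
            for part, (name, low, high) in zip(parts, FIELDS)}

def matches(schedule, when):
    """True when every field accepts the given datetime (seconds are ignored)."""
    day_of_week = (when.weekday() + 1) % 7      # Python: Monday=0; cron: Sunday=0
    return (when.minute in schedule["minute"]
            and when.hour in schedule["hour"]
            and when.day in schedule["day_of_month"]
            and when.month in schedule["month"]
            and day_of_week in schedule["day_of_week"])

def next_run(schedule, after, max_minutes=366 * 24 * 60):
    """Next matching minute strictly after 'after'; None if nothing within a year."""
    when = after.replace(second=0, microsecond=0)
    for _ in range(max_minutes):
        when += timedelta(minutes=1)
        if matches(schedule, when):
            return when
    return None

def next_run_iso(expr, after_iso):
    """Convenience wrapper: expression and ISO 8601 start time in, ISO time out."""
    run = next_run(parse_schedule(expr), datetime.fromisoformat(after_iso))
    return run.isoformat(timespec="minutes") if run else None

if __name__ == "__main__":
    # Every two minutes, between 02:00 and 10:00 at even hours, on weekdays.
    rule = "*/2 2-10/2 * * 1-5"
    print(sorted(parse_schedule(rule)["hour"]))
    print(next_run_iso(rule, "2019-03-23T22:00"))   # a Saturday evening
```

Expanding a field first and only then checking dates keeps the two kinds of mistake separate: a value outside the field's range is rejected at parse time, while a schedule that is syntactically fine but can never fire (such as day of month 31 in a month that has 30 days) shows up as `next_run` skipping to the following month.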

13.2.3. Generated reports

In the Generated reports section, you can view all the obtained reports. The reports are generated in PDF or CSV format. For each report, you can view its name (which is the same as that of the corresponding report rule), creation time, and size.

Click Download to obtain the report or Remove to delete it.

Click Configure to set up how long the annual reports must be stored (i.e. report rotation). The default value is 60 days.

14. Technical support

The technical support section of our website https://www.usergate.com/support provides additional information on how to set up UserGate. You can also submit your ticket here, and we will help to resolve your technical issue.

15. Appendix 1: Installing a certificate issued by the local certification authority

Download the certificate of the certification authority that you use for HTTPS traffic inspection, as described in Managing certificates, and then follow the steps below.

15.1. Installing a certificate for Internet Explorer and Chrome in Windows

Open the folder with the DER certificate you have just downloaded and double-click it.

The certificate details will appear. Click "Install certificate".

The certificate import wizard will be launched. Follow the wizard's on-screen instructions to import the certificate.

Select a store for the certificate and click "Browse".

Select "Trusted Root Certification Authorities" and click OK.

Click "Finish".

When the security warning appears, click "Yes".

The installation is complete.

15.2. Installing a certificate for Safari and Chrome in Mac OS X

Open the folder with the DER certificate you have just downloaded and double-click the file.

Keychain Access will be launched. Select "Always trust this certificate".

Enter your password to confirm the operation.

The certificate is now installed.

15.3. Installing a certificate for Firefox

Installation of a certificate for Firefox is similar on all operating systems; the process below is shown for Windows.

Go to Firefox settings (Tools > Options).

Select Advanced and then open the Certificates tab. Click View certificates.

Click Import and browse to the DER certificate that you have downloaded.

Select the "Trust this CA to identify websites" checkbox and click OK.

The installation is complete.