1. Introduction¶
UserGate is a Unified Threat Management (UTM) network gateway that combines a firewall, routing, a gateway anti-virus engine, an intrusion detection and prevention system (IPS), a VPN server, content filtering, monitoring and statistics, and more in a single product. It covers network management, traffic optimization and protection against cyber-attacks.
1.1. Network security and protection from network threats¶
1.1.1. Next Generation Firewall¶
The Next Generation Firewall built into UserGate filters traffic at the network and transport layers (IP, TCP, UDP), protecting your network from attacks and intrusions.
1.1.2. Intrusion detection and prevention¶
The intrusion detection and prevention system (IPS) detects malicious network activity, identifies, records and blocks threats, and produces a detailed report on each suspicious event.
Attacks are detected by heuristic analysis and by matching traffic against signatures of known attacks. UserGate maintains and regularly updates its own databases of heuristic rules and signatures. The IPS can block detected attacks in real time: terminate malicious connections, notify administrators, log the activity, and so on.
Administrators create IPS profiles (sets of signatures that protect particular services) and IPS rules that define, per traffic type, which profiles are applied and which action is taken.
1.1.3. Protection from DOS attacks and network flooding¶
UserGate lets you configure flood protection per network zone for TCP (SYN flood), UDP and ICMP. Each protection has two thresholds per source IP address: the notification threshold (the number of requests at which the source is logged) and the packet drop threshold (the number of requests at which further packets from the source are dropped and logged). Set the drop threshold above the peak rate of legitimate traffic, otherwise ordinary clients will be cut off.
Exclusions can be defined, for example for zones carrying VoIP traffic, which legitimately sends large numbers of UDP packets.
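As an added illustration (not part of the UserGate documentation or product code), the following Python model shows how the two per-source thresholds and a zone exclusion interact over a constructed packet trace. The class and function names, the one-second window and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample trace (not captured data): "timestamp zone packet_type source_ip"
SAMPLE_PACKETS = """\
0.00 Untrusted SYN 203.0.113.5
0.10 Untrusted SYN 203.0.113.5
0.20 Untrusted SYN 203.0.113.5
0.30 Untrusted SYN 203.0.113.5
0.40 Untrusted SYN 203.0.113.5
0.50 Untrusted SYN 203.0.113.5
0.55 Untrusted SYN 198.51.100.9
0.60 VoIP UDP 192.0.2.20
0.61 VoIP UDP 192.0.2.20
0.62 VoIP UDP 192.0.2.20
0.63 VoIP UDP 192.0.2.20
0.64 VoIP UDP 192.0.2.20
1.70 Untrusted SYN 203.0.113.5
"""


class FloodGuard:
    """Sliding-window flood detector for one packet type in one zone (assumed model).

    notify_threshold: packets per window from one source at which the source is logged.
    drop_threshold:   packets per window from one source at which packets are dropped
                      (dropped packets are logged as well).
    """

    def __init__(self, notify_threshold, drop_threshold, window_s=1.0):
        if notify_threshold > drop_threshold:
            raise ValueError("notification threshold must not exceed the drop threshold")
        self.notify = notify_threshold
        self.drop = drop_threshold
        self.window = window_s
        self._seen = defaultdict(deque)  # source ip -> timestamps still inside the window

    def packet(self, src, ts):
        """Record one packet from src at time ts; return 'allow', 'log' or 'drop'."""
        q = self._seen[src]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # age out packets older than the window
            q.popleft()
        n = len(q)
        if n >= self.drop:
            return "drop"   # drop and log
        if n >= self.notify:
            return "log"    # pass, but log the source
        return "allow"


class ZoneProtection:
    """Per-zone flood settings plus the zone exclusion list."""

    def __init__(self, excluded_zones=()):
        self.guards = {}
        self.excluded = set(excluded_zones)

    def configure(self, zone, packet_type, notify_threshold, drop_threshold, window_s=1.0):
        self.guards[(zone, packet_type)] = FloodGuard(notify_threshold, drop_threshold, window_s)

    def handle(self, zone, packet_type, src, ts):
        if zone in self.excluded:          # excluded zones are never rate-limited
            return "allow"
        guard = self.guards.get((zone, packet_type))
        if guard is None:                  # no protection configured for this zone/type
            return "allow"
        return guard.packet(src, ts)


def process_log(text, protection):
    """Run every packet line through the zone settings; return {(src, action): count}."""
    counts = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, zone, packet_type, src = line.split()
        counts[(src, protection.handle(zone, packet_type, src, float(ts)))] += 1
    return dict(counts)


if __name__ == "__main__":
    zp = ZoneProtection(excluded_zones=["VoIP"])
    zp.configure("Untrusted", "SYN", notify_threshold=3, drop_threshold=5)
    zp.configure("VoIP", "UDP", notify_threshold=3, drop_threshold=5)
    for key, n in sorted(process_log(SAMPLE_PACKETS, zp).items()):
        print(key, n)
```

Running it, the source 203.0.113.5 progresses from allow to log to drop within one second and is allowed again once its earlier packets age out of the window, while the excluded VoIP zone is never limited; without the exclusion the same VoIP source would hit the drop threshold on its fifth packet.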
1.1.4. Anti-virus traffic check¶
UserGate's built-in anti-virus scans traffic for viruses against an extensive signature database without compromising network performance and throughput.
A separately licensed heuristic anti-virus module can be added as well (see UserGate licensing).
1.1.5. Anti-spam and anti-virus protection of email traffic¶
UserGate inspects transit email traffic (SMTP(S) and POP3(S)) for spam and viruses, analyzing the message source as well as message bodies and attachments, which protects against spam, viruses, pharming and phishing. Email filters can be configured per user group.
1.1.6. Interaction with 3rd party security systems¶
HTTP/HTTPS and email traffic (SMTP, POP3) can be handed to external ICAP servers, for example for anti-virus scanning or for inspecting outgoing user data with a DLP system. Administrators choose which traffic is sent to ICAP and can configure ICAP server farms.
1.1.7. SCADA management¶
The platform includes management options for SCADA (Supervisory Control And Data Acquisition) systems: administrators control SCADA traffic with rules that detect, block and log events, automating routine workflows while keeping manual control where it is needed.
1.1.8. Security Orchestration, Automation, and Response¶
UserGate speeds up the response to detected attacks by automating security actions with SOAR (Security Orchestration, Automation, and Response) scenarios.
A scenario is triggered on a schedule or by a detected threat and runs a defined automatic response. This gives flexible security policies, automates routine tasks that would otherwise be done by hand, and supports priority-based scenarios so that critical threats are handled first.
1.2. Improvements in network performance and reliability¶
1.2.1. High Availability and Clustering¶
UserGate supports two cluster types: a configuration cluster, which applies the same settings to all of its nodes, and a failover cluster, which keeps the network running when a node fails. A failover cluster operates in Active-Active or Active-Passive mode; in Active-Passive mode user sessions can additionally be synchronized between nodes so that traffic switches over transparently (see Clustering and high availability).
1.2.2. FTP over HTTP¶
The FTP over HTTP module is used for accessing the contents of an FTP server directly from a browser on the client side.
1.2.3. Support of redundant channels¶
UserGate allows you to switch between available network channels from various ISPs, thereby making the Internet access much more reliable and resilient.
1.2.4. Traffic shaper¶
You can assign priorities to users and applications with the traffic management functionality so that the most resource-intensive endpoints cannot degrade overall network performance, ensuring the agreed service level for your mission-critical software.
1.2.5. WCCP¶
Support for the WCCP protocol makes it possible to use UserGate in an infrastructure with WCCP servers such as Cisco routers.
1.3. Traffic management and Internet access control¶
1.3.1. Traffic routing and publication of resources¶
UserGate supports both static and dynamic routing. Since dynamic routing is performed using the OSPF and BGP protocols, UserGate can be smoothly integrated in large corporate networks with sophisticated routing.
Administrators can create NAT rules (for the provision of the Internet access to users), and also various rules for secure publication of internal resources on the Internet using Reverse Proxy for HTTP/HTTPS and DNAT for other protocols.
1.3.2. User authentication¶
The platform supports several user authentication mechanisms, such as Captive portal, Kerberos and NTLM, and user accounts can be taken from various sources: LDAP, Active Directory, FreeIPA, TACACS+, RADIUS or a SAML IdP. Kerberos, NTLM and SAML IdP authentication are transparent (no credentials are asked for) for users of your Active Directory domain.
Network administrators can apply individual security settings to a specific user, to a group of users, or to all known or unknown users. The system also supports authentication via Terminal Services agents and via authentication agents for Windows platforms.
To protect accounts better, it is recommended to use multi-factor authentication based on TOTP tokens (Time-based One-Time Password, RFC 6238), SMS or email.
1.3.3. Support of the guest portal¶
UserGate can provide users with temporary access to networks, such as public Wi-Fi hotspots. Profiles can be created either by administrators or registered by users with email-based or SMS-based confirmation. The platform also allows you to specify individual security settings for temporary users.
1.3.4. Proxy agent for Windows¶
For Windows users, you can set up a proxy agent in order to provide proxy services to applications that cannot directly work with proxy servers. The proxy agent can also be used for provision of Internet access to such applications, when UserGate is not set up as the default gateway.
1.3.5. Support of the BYOD ("Bring Your Own Device") concept¶
You can set up special access policies for any user devices including laptops, tablets and smartphones. In UserGate, you can limit the maximum number of devices per user (both total and currently used devices) as well as define a list of devices from which a particular user is allowed to access the corporate network.
1.4. Content filtering and application control¶
1.4.1. Internet filtering¶
The Internet filtering module can significantly strengthen the security of your local network through full control over Internet connections and downloads as well as through blocking access to potentially malicious or unwanted web resources.
To assess the sites users request, the system uses reputation services, MIME content types (images, video, text and so on), specialized morphological dictionaries supplied by UserGate, black and white lists of URLs, and User-Agent lists, which let administrators allow or deny particular browser types. Administrators can create their own black and white lists, MIME type lists, morphological dictionaries and User-Agent lists and apply them in rules at the user and user group level.
1.4.2. Selective ad blocking¶
Even secure websites sometimes display unwanted graphical banners, and website owners do not have a full control over the content of such banners. UserGate can resolve this issue by blocking banners and protecting users from unwanted content.
1.4.3. Safe search¶
UserGate can force safe search on for Google, Yandex, Yahoo, Bing, Rambler, Ask and YouTube, which filters the results returned for image and video queries. Search engines that do not provide safe search can be blocked altogether.
1.4.4. Access control for social media¶
UserGate allows you to block online games and various apps from Facebook, VKontakte, Odnoklassniki and other social media. Network administrators can provide access to social media in general, but prohibit or restrain certain unwanted actions in them. The system also supports filtering of individual pages and groups in social media by various criteria, such as extremist content, profanity, and more.
1.4.5. Code injection for web pages¶
The script injection feature inserts program code of your choice into every web page delivered to users. It can be used to collect metrics, hide page elements, or show ads or other information. Because the injected code runs in the user's browser within every visited site, keep it minimal and treat the injection settings as sensitive configuration; injecting into HTTPS pages requires SSL inspection (see Inspection of the SSL traffic).
1.4.6. Inspection of the SSL traffic¶
The UserGate platform filters both unencrypted and encrypted traffic (HTTPS, SMTPS, POP3S). Encrypted traffic is decrypted in a man-in-the-middle (MITM) fashion: the connection is terminated on UserGate, inspected, and re-encrypted towards the client with a certificate issued by the corporate root CA, which must be installed as trusted on every client. Checks are selective, e.g. resources in the Finance category can be left undecrypted.
1.4.7. VPN and WEB PORTAL¶
The VPN technology (Virtual Private Network) allows you to set up virtual logical networks on top of the Internet and other networks. UserGate supports two types of VPNs: Remote Access VPN (client-server model) and Site-to-Site VPN (server-server model).
Tunnels are established with the Layer 2 Tunneling Protocol (L2TP) and the transmitted data is protected with IPsec. UserGate works with the built-in VPN clients of the most popular operating systems: Windows, Linux, Mac OS X, iOS, Android, and more.
Web portal (SSL VPN) allows you to grant access for your employees to internal web resources, SSH servers, and terminal servers by HTTPS without installing any VPN clients.
1.5. Logs and Reports¶
The platform provides real-time monitoring with event, web access, IPS and traffic logs. For off-box analysis, administrators can set up automatic export of logs to SSH, FTP and Syslog servers. Reports extract and display datasets on security events, configuration changes or user actions; they can be generated automatically from previously created rules and templates and emailed to stakeholders.
1.6. Other functions¶
1.6.1. Role-based management¶
By default, the system provides a single superadministrator who can create accounts for other administrators and grant them permissions to view and change certain sections.
In addition, you can also strengthen the security level of the console by enabling certificate-based authentication for administrators.
1.6.2. Monitoring and notifications¶
UserGate supports monitoring over SNMP v2c and SNMP v3, including SNMP queries and SNMP traps. Prefer SNMP v3 with authentication and encryption where your monitoring system supports it: SNMP v2c sends its community string in clear text.
The system also lets you create notification profiles that inform users about important events via SMTP (email) and SMPP (SMS).
1.6.3. Network interfaces¶
UserGate allows you to add and set up tagged VLAN interfaces, and also group multiple physical interfaces into a single logical aggregated interface (a bond) based on LACP (Link Aggregation Control Protocol) for higher throughput or availability. In addition, it is also possible to join interfaces in a bridge for L2 traffic filtering without any changes to the existing corporate infrastructure.
1.6.4. DNS filtering¶
UserGate can be configured to work with DNS servers and as a DNS proxy that intercepts users' DNS requests and rewrites or blocks them according to the administrator's rules. Filters on users' DNS requests can also be added.
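To make the DNS proxy behaviour concrete, here is an added Python example (written for this page, not UserGate code) that parses a DNS query from the wire, matches the queried name against a blocklist by suffix, and synthesizes the response a filtering proxy would hand back: an A record for a sinkhole address (assumed to host a block page) for A queries, NXDOMAIN for other types. Unmatched queries come back as None, meaning forward upstream. The function names, the blocklist and the 10.0.0.1 sinkhole address are assumptions made for the example.

```python
import ipaddress
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted host name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode labels at offset; return (name, offset just past the terminating zero)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, qname, qtype=QTYPE_A):
    """A client query as it arrives at the proxy (RD=1, one question) - constructed input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(data):
    """Return (txid, qname, qtype, raw question section); raise ValueError on bad input."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000:
        raise ValueError("message is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(data, 12)
    if len(data) < off + 4:
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, qname.lower(), qtype, data[12:off + 4]


def is_blocked(qname, blocklist):
    """Suffix match: blocking example.test also blocks ads.example.test."""
    qname = qname.lower()
    return any(qname == d or qname.endswith("." + d) for d in (b.lower() for b in blocklist))


def filter_query(data, blocklist, sinkhole_ip, ttl=60):
    """None = forward upstream; otherwise a synthesized response for a blocked name."""
    txid, qname, qtype, question = parse_query(data)
    if not is_blocked(qname, blocklist):
        return None
    if qtype == QTYPE_A:
        # flags 0x8580: QR=1, AA=1, RD=1, RA=1, RCODE=0; owner name = pointer to offset 12
        rr = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(sinkhole_ip).packed)
        return struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0) + question + rr
    return struct.pack("!HHHHHH", txid, 0x8580 | RCODE_NXDOMAIN, 1, 0, 0, 0) + question


def parse_response(data):
    """Return (txid, rcode, [A record addresses]) for responses built by filter_query."""
    txid, flags, _qd, ancount = struct.unpack("!HHHH", data[:8])
    _name, off = decode_name(data, 12)
    off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off += 2  # owner name is a 2-byte compression pointer in our responses
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(data[off:off + 4])))
        off += rdlen
    return txid, flags & 0x0F, addrs


if __name__ == "__main__":
    blocklist = ["example.test"]
    for name in ("ads.example.test", "www.usergate.com"):
        resp = filter_query(build_query(0x1234, name), blocklist, "10.0.0.1")
        print(name, "->", "forward upstream" if resp is None else parse_response(resp))
```

A real proxy would send unmatched queries to the configured upstream DNS servers and relay the upstream answer. The parser deliberately rejects malformed headers and compression pointers inside the question name: a filtering proxy sits in front of untrusted clients and must not be driven into out-of-range reads by a crafted packet.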
1.6.5. Load balancer¶
UserGate can balance load across services in your local network: across internal servers, whether published on the Internet (via DNAT or reverse proxy) or not, and across external servers or ICAP server farms.
2. Initial configuration¶
UserGate is delivered either as a hardware appliance or as a virtual machine image (virtual appliance) ready for deployment in a virtual environment. The virtual appliance has four Ethernet interfaces; hardware appliances have from 2 to 64, depending on the model.
2.1. Deploying the virtual appliance¶
UserGate UTM Virtual Appliance lets you quickly set up a virtual machine with pre-installed components. The image is provided in OVF (Open Virtualization Format), which is supported by hypervisors such as VMware and Oracle VirtualBox; a disk image is provided for Microsoft Hyper-V.
Important! For the virtual machine to run correctly, we recommend at least 8 GB of RAM and a dual-core virtual CPU. Your hypervisor must support 64-bit guest operating systems.
To launch the virtual machine:
Name | Description |
---|---|
Step 1. Download the image and extract it | Download latest image from the official site https://www.usergate.com. |
Step 2. Import the image | Instructions for importing the virtual image can be found on the VirtualBox and VMware websites. For Microsoft Hyper-V, create a new virtual machine, attach the downloaded disk image as its hard drive, then disable integration services for this virtual machine. |
Step 3. Configure virtual server memory | Increase the virtual machine's RAM. Set at least 8 GB and add 1 GB for every 100 users. |
Step 4. Important! Increase the virtual machine's hard drive size | The default size is 100 GB, which is usually not enough to keep all logs and settings. In the virtual machine settings, increase the disk to 200 GB or more; the recommended size is 300 GB. |
Step 5. Set up virtual server networks | UserGate UTM comes with four interfaces assigned to the following zones: |
Step 6. Factory reset | Start the UserGate virtual machine. In the boot menu, select Support Menu and then Factory reset. This step is mandatory: during it UTM configures the network adapters and resizes its partition to the full size of the disk enlarged in step 4. |
2.2. Connecting to UserGate¶
The eth0 interface is automatically allocated an IP address (via DHCP) and then added to the Management zone. To perform initial configuration, network administrator should connect to the web console via eth0.
If the system fails to allocate an IP address to the Management interface automatically via DHCP, network administrator can assign it manually using CLI (Command-Line Interface). For more details on CLI, please refer to Command-Line Interface (CLI).
All other interfaces are disabled by default and should be configured individually.
Perform the following steps for initial configuration:
Name | Description |
---|---|
Step 1. Connect to the management interface | With a DHCP server available: connect the eth0 interface to a corporate network segment with an active DHCP server and start UserGate. After booting, UserGate displays the IP address you need to connect to for product activation. With a static IP address: start UserGate and assign an unused IP address to eth0 via the CLI (Command-Line Interface); for details, see the Command-line interface (CLI) section. Then connect to the UserGate web console at https://<UserGate_IP_address>:8001. |
Step 2. Select a language | Select a language which you want to use during the initial configuration process. |
Step 3. Enter a password | Specify the username and password for the web administration interface. Choose a strong, unique password: this account has full administrative control of the gateway. |
Step 4. Register the system | Enter PIN to activate the product and fill in the registration form. UserGate will require the Internet access for proper activation. If you cannot activate the system on this step, you can perform it later on step 10 after setting up the network interfaces. |
Step 5. Set up the zones and IP addresses of interfaces and then connect UserGate to your corporate network | In the Interfaces section, enable the interfaces you need, assign them valid IP addresses from your local networks and group them by zone. For details on how to manage interfaces, see Configuring interfaces. By default, the system provides several predefined zones: |
Step 6. Set up the Internet gateway | In the Gateways section, specify the IP address of your Internet gateway (for the Internet access interface) in the Untrusted zone. For details on how to manage gateways, please refer to Configuring gateways. |
Step 7. Specify DNS servers of the system | In the DNS section, specify the IP addresses of DNS used in your corporate network. For details on how to manage DNS, please refer to Configuring DNS. |
Step 8. Create the NAT rules | In the NAT & routing section, create the necessary NAT rules. The system is predefined with the NAT rule required for Internet access from the Trusted network ("Trusted-->Untrusted"). For details on how to create NAT rules, please refer to NAT rules. |
Step 9. Create the firewall rules | In the Firewall section, create the necessary firewall rules. The system is predefined with the firewall rule required for unlimited Internet access from the Trusted network ("Internet for Trusted"), so you can simply enable it. For details on how to create firewall rules, please refer to Firewall. |
Step 10. Register the product (if haven't registered it on step 4) | In the General settings section, enter your PIN to register the product. For successful registration, make sure that the Internet connection is active and all the above steps are completed. For more details on product licensing, please refer to UserGate licensing. |
Step 11. Create additional administrators (optional) | In the Device management section, create additional system administrators and grant them necessary rights (via roles). |
Step 12. Set up user authentication (optional) | In the Users and devices section, define the necessary methods of user authentication. The simplest way to do this is to create local UserGate users with fixed IP addresses or disable user identification completely (i.e. apply the "Any" user to all rules). For details on other authentication options, please refer to Users and devices. |
Step 13. Create the content filtering rules (optional) | In the Content filtering section, create the HTTP(S) filtering rules. For more details on content filtering, please refer to the Content filtering section. |
Step 14. Create the safe browsing rules (optional) | In the Safe browsing section, create the additional safe browsing rules. For more details on safe browsing, please refer to the Safe browsing section of this Guide. |
Step 15. Create the HTTPS inspection rules (optional) | In the SSL inspection section, create the capturing and decryption rules for HTTPS traffic. For more details on HTTPS decryption, please refer to SSL inspection. |
Once all the above steps are complete, UserGate will be ready for work. For more details on the configuration process, please refer to the corresponding sections of this Guide.
3. UserGate licensing¶
UserGate is licensed by the number of simultaneously connected devices, including terminal services users. For example, if you have an end user license for 100 devices, then you are eligible to connect 100 devices with unique IP addresses at once, but the 101st device and the next ones will not gain access to your network. Note that the number of accounts in the system is not limited. After installing the license, you will be able to use UserGate for an unlimited period of time.
The following modules are licensed separately:
Name | Description |
---|---|
Security Updates (SU) | The SU module provides the following benefits:
The module is provided for a 1-year period after which you will need to purchase a license in order to continue obtaining software updates and technical support. |
Advanced Threat Protection (ATP) | The ATP module includes the following:
The module is licensed for a 1-year period, and upon its expiration:
|
Heuristic Anti-Virus (HAV) | The Heuristic Anti-Virus module includes a 1-year subscription for Heuristic Anti-Virus. |
Mail security | Mail security includes a 1-year subscription for email traffic control based on the anti-spam and anti-virus module from UserGate. |
To register the product, perform the following steps:
Name | Description |
---|---|
Step 1. Go to the Dashboard panel | Click the Dashboard icon in the top right corner. |
Step 2. Register the product in the License information section | In the License information section, click Registered, enter your PIN and fill in the registration form. |
4. Managing the device¶
4.1. General settings¶
The General settings section contains basic parameters of UserGate, such as:
Name | Description |
---|---|
Timezone | Specify the timezone according to your actual location. The timezone is used for scheduling in rules as well as for displaying correct date and time in statistical reports, logs and other elements. |
Default interface language | Default language that will be used in the console |
Web console authentication mode | The authentication method for administrators who need access to the management web console. The following options are supported: |
Modules | Configures the following UserGate modules: |
Cache settings | Parameters of the proxy server's cache: |
Log Analyzer | Settings of the Log Analyzer module: |
WCCP support | Setup for receiving traffic via WCCP. You can find a detailed description of these settings in chapter WCCP support. |
4.2. Device management¶
The Device management section contains device-level settings and operations, such as:
- Clustering
- Diagnostics options
- Server operations
- Settings export
4.2.1. Clustering and high availability¶
UserGate supports 2 cluster types:
- Configuration cluster. Nodes grouped into a configuration cluster use the same settings applicable within the cluster.
- Failover cluster. You can merge up to 4 configuration clusters into a single failover cluster that supports the Active-Active and Active-Passive modes. The system can handle multiple failover clusters.
Certain settings are unique to each cluster node, e.g. network interfaces and IP routing. The following settings are individual for each node in a cluster:
- Log Analyzer
- Diagnostics
- Interfaces
- Gateways
- DHCP
- Routes
- OSPF
- BGP
- VPN
To create a new configuration cluster, perform the following steps:
Name | Description |
---|---|
Step 1. Perform initial configuration on the first node of your cluster | For details, please refer to Initial configuration. |
Step 2. On the first node of your cluster, configure a zone with interfaces that will be used for replication of the cluster | In the Zones section, create a new dedicated zone for replication of cluster settings or use an existing one. The following services must be allowed in the zone settings:
Do not use zones in which interfaces are connected to untrusted networks or the Internet. |
Step 3. Specify the IP address for communication with other nodes of your cluster | In the Device management section, select the current node of your cluster and click Edit. Specify the IP address of the interface from the zone configured on step 2. |
Step 4. Generate the Secret code on the first node of your cluster | In the Device management section, click Generate secret code and copy the generated code to the clipboard. This secret code is used for one-time authentication of the second node when it is added to the cluster. |
Step 5. Connect the second node to your cluster | Open the web console of the second node and select the language to use during installation. Specify the interface for communication with the first node and assign it an IP address. Either both cluster nodes are on the same subnet (e.g. eth2 on the two nodes has 192.168.100.5/24 and 192.168.100.6/24), or you specify a gateway IP address through which the first node can be reached. Enter the IP address of the first node configured in step 3, paste the secret code and click Connect. If the addresses are valid, the second node joins the cluster and all settings of the first node are replicated to it. |
Step 6. Assign zones to interfaces of the second node | In the web console of the second node in your cluster, go to Network - Interfaces and assign a valid zone to each interface. Zones and their settings have been already replicated from the first node of your cluster. |
Step 7. Set up the individual parameters for each cluster node (optional). | Set up gateways, routes, OSPF and BGP parameters individually for each node. |
Up to four configuration clusters can be grouped into a single failover cluster, and the system can run several failover clusters. Two modes are supported: Active-Active and Active-Passive. Active-Passive mode additionally supports synchronization of user sessions, so traffic switches between nodes transparently for users.
In the Active-Passive mode, one server works as the Master node and processes the traffic while all other servers are for backup purposes only. You can provide one or more virtual IP addresses for a cluster. Virtual addresses are switched from the Master node to a backup node in the following situations:
- A backup server cannot get a response from the Master node, e.g. when the Master node is disabled or when the connection is lost.
- The node is configured to monitor Internet access (see Configuring gateways), but none of the configured gateways can reach the Internet.
- A failure in the UserGate software.
A sample network diagram of a failover cluster in the Active-Passive mode is shown below. The interfaces are set up as follows:
- Trusted Zone: IP1, IP2, IP3, IP4, and IP cluster (Trusted)
- Untrusted Zone: IP5, IP6, IP7, IP8, and IP cluster (Untrusted)
- Cluster Zone: IP9, IP10, IP11, IP12, IP13, IP14. Interfaces in the Cluster zone are used for replication of the settings.
Both cluster IP addresses are assigned to node UTM1. If UTM1 is not available, both cluster IP addresses are moved to the next server, e.g. UTM2, that becomes a new Master node.
In Active-Active mode, one server acts as the Master node and distributes traffic across the other cluster nodes. The cluster IP address is assigned to the Master node, so it is the Master that answers ARP requests for that address from clients. By replying with the MAC addresses of the failover cluster nodes in turn, the Master spreads traffic over all nodes, while each client keeps sending to the MAC it received and its sessions therefore stay on one node. One or more virtual IP addresses can be assigned to the cluster. The Master role passes to a backup node in the following situations:
- A backup server cannot get a response from the Master node, e.g. when the Master node is disabled or when the connection is lost.
- The node is configured to monitor Internet access (see Configuring gateways), but none of the configured gateways can reach the Internet.
- A failure in the UserGate software.
A sample network diagram of a failover cluster in the Active-Active mode is shown below. The interfaces are set up as follows:
- Trusted Zone: IP1, IP2, IP3, IP4, and IP cluster (Trusted)
- Untrusted Zone: IP5, IP6, IP7, IP8, and IP cluster (Untrusted)
- Cluster Zone: IP9, IP10, IP11, IP12,IP13, IP14. Interfaces in the Cluster zone are used for replication of the settings (support of the configuration cluster).
Both cluster IP addresses are assigned to node UTM1. If UTM1 is not available, both cluster IP addresses are moved to the next server, e.g. UTM2, that becomes a new Master node.
Important! For correct traffic processing, a user's session must always stay on the same cluster node, i.e. traffic from client to server and the reply from server to client must pass through the same node. The simplest way to guarantee this is to NAT traffic from the client network to the server network (NAT from the Trusted zone to the Untrusted zone), so that replies are addressed to the node that forwarded the request rather than to the cluster IP address.
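The ARP-based distribution and the session-symmetry requirement above are easier to see in a small simulation. The following Python model is an added example, not UserGate code; the node names, client addresses and the round-robin order are assumptions. It hands out nodes the way the text describes the Master's ARP replies, moves the Master role when a node fails, and counts how many sessions would return through a different node with and without NAT.

```python
class FailoverCluster:
    """Toy model of an Active-Active failover cluster (assumed behaviour, not UserGate code).

    The Master node owns the cluster IP on each side and answers ARP for it. A new
    requester is handed the next live node in turn; a requester that already holds a
    node keeps it while that node is alive (its ARP cache entry does not change).
    When the Master fails, the next live node takes the Master role and the cluster IPs.
    """

    def __init__(self, node_names):
        self.nodes = list(node_names)
        self.alive = {n: True for n in self.nodes}
        self.master = self.nodes[0]
        self._next = {"trusted": 0, "untrusted": 0}   # round-robin position per side
        self._arp = {"trusted": {}, "untrusted": {}}  # requester ip -> node name

    def live_nodes(self):
        return [n for n in self.nodes if self.alive[n]]

    def arp_reply(self, side, requester_ip):
        """Which node's MAC the Master hands to requester_ip for the cluster IP on `side`."""
        cache = self._arp[side]
        node = cache.get(requester_ip)
        if node is not None and self.alive[node]:
            return node
        live = self.live_nodes()
        if not live:
            raise RuntimeError("no live node left to answer ARP")
        node = live[self._next[side] % len(live)]
        self._next[side] += 1
        cache[requester_ip] = node
        return node

    def fail(self, node):
        """Node lost: missed heartbeats, all gateways down, or a software failure."""
        self.alive[node] = False
        live = self.live_nodes()
        if self.master == node and live:
            self.master = live[0]  # a backup node becomes the new Master


def asymmetric_sessions(cluster, client_ips, server_ip, nat):
    """Count client->server sessions whose reply would land on a different node.

    Forward path: the client ARPs the Trusted cluster IP and is served by the node
    whose MAC it receives. Reply path with NAT: the server answers to that node's own
    Untrusted address, so the reply reaches the same node. Without NAT the server
    answers to the client's address through the Untrusted cluster IP, i.e. to whichever
    node the Master hands the server when it ARPs.
    """
    count = 0
    for client in client_ips:
        forward_node = cluster.arp_reply("trusted", client)
        reply_node = forward_node if nat else cluster.arp_reply("untrusted", server_ip)
        if reply_node != forward_node:
            count += 1
    return count


if __name__ == "__main__":
    clients = ["10.0.0.%d" % i for i in range(1, 5)]  # constructed client addresses
    for nat in (True, False):
        c = FailoverCluster(["UTM1", "UTM2"])
        print("NAT", nat, "-> asymmetric sessions:",
              asymmetric_sessions(c, clients, "198.51.100.10", nat))
    c = FailoverCluster(["UTM1", "UTM2"])
    print("10.0.0.1 served by", c.arp_reply("trusted", "10.0.0.1"), "; master", c.master)
    c.fail("UTM1")
    print("after UTM1 fails: 10.0.0.1 served by", c.arp_reply("trusted", "10.0.0.1"),
          "; master", c.master)
```

With NAT every reply returns to the node that forwarded the request. Without it, the server ARPs the Untrusted cluster IP once, is handed a single node, and every session served by another node becomes asymmetric. Failing the Master moves the role and the cluster addresses to the next live node, and clients previously served by the failed node are reassigned on their next ARP.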
To create a new high-availability cluster, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new configuration cluster | Create a new cluster as described above. |
Step 2. On both nodes of your clusters, set up the zones with interfaces that you want to use in the high-availability cluster. | In the Zones section, enable the VRRP service in the zone settings for all zones where you are going to add a virtual IP address for a cluster (Trusted and Untrusted zones on the above diagrams). |
Step 3. Add nodes of your cluster to the high-availability VRRP cluster | In the Device management - High availability cluster section, click Add and specify the High-availability cluster parameters. |
Step 4. Specify the virtual IP address for auth.captive, logout.captive, block.captive, ftpclient.captive | If you are going to use captive portal authentication, make sure the host names auth.captive, logout.captive, block.captive and ftpclient.captive resolve to the IP address you configured as the virtual address of the cluster. For details, see the General settings section of this Guide. |
Failover cluster parameters:
Name | Description |
---|---|
On | Enables or disables the failover cluster |
Name | Name of the failover cluster |
Description | Description of the failover cluster |
Cluster mode | Failover cluster mode: |
Sessions sync | Enables the synchronization mode for user sessions across all nodes in the failover cluster. Enabling this option will make transition of users among devices more transparent for users, but will significantly increase the workload for UserGate platform. This applies only to the Active-Passive mode of a cluster. |
Multicast identifier of the cluster | You can create multiple failover clusters within a single configuration cluster. This parameter defines a multicast address that will be used for synchronization of sessions. Make sure to set a unique identifier for each group of failover clusters that requires synchronization of sessions. |
Virtual router identifier (VRID) | A virtual router identifier must be unique for each VRRP cluster in a local area network. If you don't have any 3rd party VRRP clusters in your network, leave the default value. |
Nodes | Here you can select which configuration cluster nodes you want to merge into a failover cluster. In addition, you can also assign the Master server role to a node of your choice. |
Virtual IP addresses | Here you can assign virtual IP addresses and match them with the cluster node interfaces. |
4.2.2. Diagnostics¶
In this section, you can set up server diagnostic parameters that may be requested by the UserGate support team for troubleshooting.
Name | Description |
---|---|
Diagnostics details | It is recommended that you set Diagnostics details to Error (only errors) or Off (disabled) until the UserGate support team asks you to set another value. Any value other than Error (only errors) and Off (disabled) may significantly reduce the performance of UserGate. |
Diagnostics logs | |
Remote assistance | |
4.2.3. Server operations¶
This section allows you to perform the following server operations:
Name | Description |
---|---|
Maintenance actions | |
Update channel | Sources of UserGate updates |
UserGate always does its best to deliver top-quality software and regularly issues UserGate updates for all subscribers of the Security Update licensing module (for details on licensing, please refer to UserGate licensing). Once a new update is available, the system displays the corresponding notification in the Device management section. Since installing UserGate updates may take some time, it is recommended that you schedule it beforehand to avoid unplanned downtime.
To install updates, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new backup file | Make a backup of UserGate's current state as described in Backing up and restoring initial settings. It is recommended that you perform this step before each update, so that you can recover the system in case of any faults during installation of the updates. |
Step 2. Install updates | In the Device management section, find the Updates are available notification and click Install now. Once all the downloaded updates are installed, UserGate will reboot. |
Important! In order to update the configuration cluster nodes, make sure that all nodes are enabled and available when the first node is being updated. Nodes that are not available when the first node is being updated must be added to the cluster again after updates.
4.3. Exporting and importing settings¶
Network administrators can save UserGate's current settings and then restore them on the same or another UserGate server. Unlike the backup procedure, exporting/importing settings saves only the current parameters rather than the current state of all system components.
Important! Exporting/importing settings will not restore the cluster's state, network interfaces settings and licensing information. Once the import procedure is finished, register UserGate with your PIN again, configure network and re-create the cluster if necessary.
To export settings, perform the following steps:
Name | Description |
---|---|
Step 1. Export the settings | In the Device management section, click Settings export --> Export. The system will save the current settings of your server to the file called "database.bin". |
To apply the previously created settings, perform the following steps:
Name | Description |
---|---|
Step 1. Import the settings | In the Device management section, click Settings export --> Import and then browse to the previously created configuration file. Once the specified settings are applied to the server, the server will reboot. |
In addition, administrators can set up a schedule to export the settings to external servers (FTP, SSH). To create a schedule for exporting the settings, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new export rule. | In the Device management section, click Settings export --> Add and then provide the name and description of a new rule. |
Step 2. Provide the remote server parameters. | Select the Remote server tab and specify the following parameters of the remote server: |
Step 3. Select an export schedule. | On the Schedule tab, specify when you want the settings to be sent. If you want to set the time in the CRONTAB format, use the following rules: (minutes:0-59) (hours:0-23) (days of month:0-31) (month:0-12) (days of week:0-6, 0-Sunday). Each of the five fields can be specified in the following way: |
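To make the five-field format above concrete, here is an added example (not UserGate's code) of a small schedule matcher in Python. It uses the field order and bounds exactly as the step lists them; the per-field syntax it accepts (`*`, a single value, an `a-b` range, a `*/n` or `a-b/n` step, and comma-separated lists) is standard crontab syntax and is an assumption, since the Guide's own list of field forms is not reproduced on this page. The function names (`parse_cron`, `cron_matches`, `next_run`, `is_valid_cron`) are mine.

```python
"""Five-field CRONTAB schedule matcher (added example, not UserGate's code)."""
from __future__ import annotations

from datetime import datetime, timedelta

# Field order and inclusive bounds exactly as the Guide lists them:
# (minutes:0-59) (hours:0-23) (days of month:0-31) (month:0-12) (days of week:0-6, 0-Sunday)
FIELD_BOUNDS = [(0, 59), (0, 23), (0, 31), (0, 12), (0, 6)]


def _expand_field(spec: str, low: int, high: int) -> set[int]:
    """Expand one field into the set of integer values it covers.

    Assumed syntax (standard crontab; the Guide's own list of field forms is
    not on this page): '*', a single value 'n', a range 'a-b', a step '*/n'
    or 'a-b/n', and comma-separated lists of any of these.
    """
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"step must be positive in {spec!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (low <= start <= end <= high):
            raise ValueError(f"{spec!r} is outside the allowed range {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr: str) -> list[set[int]]:
    """Parse a five-field schedule; raises ValueError on malformed input."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("a CRONTAB schedule needs exactly five fields")
    return [_expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_BOUNDS)]


def is_valid_cron(expr: str) -> bool:
    """Validation helper: True if the schedule parses under the bounds above."""
    try:
        parse_cron(expr)
        return True
    except ValueError:
        return False


def _as_dt(when) -> datetime:
    """Accept a datetime or an ISO-8601 string such as '2024-01-05T12:00'."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def _matches(parsed: list[set[int]], when: datetime) -> bool:
    minute, hour, dom, month, dow = parsed
    cron_dow = (when.weekday() + 1) % 7   # Python: Monday=0 ... Sunday=6; cron: Sunday=0
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and cron_dow in dow)


def cron_matches(expr: str, when) -> bool:
    """True if the schedule fires at the given minute."""
    return _matches(parse_cron(expr), _as_dt(when))


def next_run(expr: str, start, horizon_days: int = 366) -> datetime | None:
    """First minute at or after `start` that matches, or None within the horizon.

    A minute-by-minute walk is deliberately simple; it is plenty for an
    export schedule that fires a handful of times per day.
    """
    parsed = parse_cron(expr)
    t = _as_dt(start).replace(second=0, microsecond=0)
    for _ in range(horizon_days * 24 * 60):
        if _matches(parsed, t):
            return t
        t += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    # Example: export the settings at 02:30 on weekdays (Monday-Friday).
    schedule = "30 2 * * 1-5"
    print(schedule, "->", next_run(schedule, "2024-01-05T12:00"))
```

Running the block prints the first weekday 02:30 after Friday 2024-01-05 12:00, which is Monday 2024-01-08. A schedule such as `60 * * * *` is rejected up front, which is the check worth running before saving an export rule rather than discovering at 03:00 that nothing was sent.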
4.4. Managing access to the UserGate console¶
You can manage access to the UserGate web console using additional network administrator accounts, roles, password management policies and zone-based access permissions. As an additional security measure, authentication to the web console can be based on administrators' certificates.
Important! During the initial configuration, UserGate creates the superuser called Admin.
To create additional accounts of network administrators for the device, perform the following:
Name | Description |
---|---|
Step 1. Create a new administrator profile | In the Device management section, go to Administrator profiles, click Add, and set the required permissions. |
Step 2. Create a new administrator account and assign it to one of the profiles created earlier | Go to Administrators, click Add and select one of the following options: |
Provide the following parameters when creating a new access profile for administrators:
Name | Description |
---|---|
Name | Name of the profile |
Description | Description of the profile |
API permissions | The list of objects that are available for access delegation through an application programming interface (API). These objects are described in the API documentation. The following access options are available: |
Web console permissions | The list of web console tree objects that are available for delegation. The following access options are available: |
CLI permissions | Grants access to the CLI. The following access options are available: |
An administrator can set up additional security parameters for the accounts of other network administrators, such as password complexity and blocking of accounts after multiple failed attempts to log in to the system.
To set up these parameters, perform the following:
Name | Description |
---|---|
Step 1. Configure the password policy | In the Device management section, go to Administrators and click Configure. |
Step 2. Fill in the necessary fields | Fill in the following mandatory fields: |
The administrator can also specify the zones from which the web console is accessible (via TCP port 8001).
Important! It is not recommended that you permit access to the web console from zones connected to untrusted networks or to the Internet.
To enable access to the web console for a certain zone, go to the zone properties and enable the Administration console in the access control section. For more details on how to set up the access control for zones, please refer to the Configuring zones section.
An additional security measure is to enable authentication to the web console using administrator certificates. To enable this mode, perform the following steps (openssl commands are shown as an example):
Name | Description |
---|---|
Step 1. Create a new administrator account | Create an account as described above in this chapter, e.g. an account for Administrator54. |
Step 2. Create or import an existing certificate of the type “Web console auth CA” | Create or import an existing certificate (only the public key is required) of the type “Web console auth CA” according to the instructions in the Managing certificates section. To create a certificate with openssl, use the following commands: openssl req -x509 -subj '/C=UK/ST=London/O=MyCompany/CN=ca.mycompany.com' -newkey rsa:2048 -keyout ca-key.pem -out ca.pem -nodes, followed by openssl rsa -in ca-key.pem -out ca-key.pem. The file ca-key.pem contains the private key and ca.pem the public key (the CA certificate). Import the public key into UserGate. |
Step 3. Create certificates for administrators | Create certificates for administrators using third-party utilities. The Common Name (CN) field must exactly match the name of the administrator account as created in UserGate in step 1. Example for openssl and the user Administrator54: openssl req -subj '/C=UK/ST=London/O=MyCompany/CN=Administrator54' -out admin.csr -newkey rsa:2048 -keyout admin-key.pem -nodes |
Step 4. Sign the administrators' certificates with the Web console auth CA certificate created in step 2 | Using third-party utilities, sign the administrators' certificates with the Web console auth CA certificate created in step 2. Example for openssl and the user Administrator54: openssl x509 -req -days 9999 -CA ca.pem -CAkey ca-key.pem -set_serial 1 -in admin.csr -out admin.pem, followed by openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out admin.p12 -name 'Administrator54 client certificate'. The file admin.p12 contains the signed certificate of Administrator54 (together with its private key, so protect it accordingly). Use a distinct -set_serial value for each certificate you issue from this CA. |
Step 5. Add the signed certificates to the OS that administrators will use to log in to the web console | Add the signed certificates to the operating system (or to the Firefox browser, if it will be used to manage UserGate) that administrators will use to log in to the web console. For details, please refer to the manual for your OS. |
Step 6. Switch the web console authentication mode to X.509 Certificate | In General settings, change Web console authentication mode to X.509 Certificate. |
Important! You can also switch the web console authentication mode using CLI commands (see the webaccess command in the Command-line interface section).
In Administrators --> Administrator sessions, you can view all administrators who are currently logged in to the administration web console of UserGate. You can terminate (close) any session when necessary.
4.5. Managing certificates¶
UserGate uses the secure HTTPS protocol for managing devices. It is able to intercept/decrypt transit SSL traffic (HTTPS, SMTPS, POP3S) and to authenticate administrators based on their certificates.
This UserGate functionality is based on SSL certificates:
Name | Description |
---|---|
Web console SSL certificate | This certificate is used by network administrators for establishing secure HTTPS connections with the UserGate web console. |
Captive portal SSL certificate | This certificate ensures secure HTTPS connections to the login page of the Captive portal for users, display of the block page and logout page on the Captive portal, and the proper operation of FTP Proxy. This certificate must be issued with the parameters listed below. By default, the system uses a certificate signed with the SSL inspection certificate and issued for the domain "auth.captive" with these parameters: Subject name = auth.captive; Alternative names = auth.captive, logout.captive, block.captive, ftpclient.captive, sslvpn.captive. If the administrator has not supplied their own certificate for this role, UserGate automatically re-issues this certificate whenever the system administrator changes any of the domains listed in General settings (i.e. the domains for auth.captive, logout.captive, block.captive, ftpclient.captive, sslvpn.captive). |
SSL decrypt certificate | This is a CA-class certificate. It is used to create SSL certificates for the Internet hosts whose HTTPS, SMTPS and POP3S traffic is to be decrypted. For example, when decrypting HTTPS traffic from yahoo.com, the original certificate (Subject name = yahoo.com, Issuer name = VeriSign Class 3 Secure Server CA - G3) is replaced with a certificate where Subject name = yahoo.com and Issuer name = the company name specified in the CA certificate used by UserGate. This certificate is also used to generate the default certificates for the SSL Captive portal role. |
SSL inspection intermediate CA | This certificate can be used in organizations where SSL inspection certificates are issued by a chain of certification authorities. Note that only public keys are required. |
SSL inspection (root) | The root certificate in the certification authority chain that was used for issuing the SSL inspection certificate. Only the public key of the certificate is required for proper operation. |
User certificate | The certificate assigned to a user by UserGate. A user can be either created locally or obtained from LDAP. The certificate can be utilized for user authentication when accessing published resources according to the Reverse proxy rules. |
Web console auth CA | Certification authority certificate used to authenticate administrators to the web console in X.509 certificate authentication mode. Administrators' certificates must be signed with this certificate. |
SAML server | The certificate is necessary for interaction between UserGate and the SSO SAML IDP server. For details on how to set up interaction between UserGate and the SAML IDP authentication server, please refer to the corresponding section of the Guide. |
Web portal | The certificate used for the web portal. When this certificate is not specified explicitly, UserGate applies the certificate of the SSL Captive portal issued on the basis of the SSL inspection certificate. For more details on how to set up web portal, please refer to the corresponding section of the Guide. |
Though you can create multiple certificates of the type “web console SSL”, “Captive portal SSL certificate” and “SSL decrypt certificate”, only one certificate of each type can be used at a time. The system can store multiple certification authority certificates for web console authentication and use any of them when checking authenticity of administrator certificates.
To create a new certificate, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new certificate | Click Generate --> New certificate in the Certificates section. |
Step 2. Fill in the necessary fields | Fill in the following mandatory fields: |
Step 3. Set the type of created certificate | Once the certificate is created, you need to set its type or decide what the certificate’s roles should be. Select the created certificate in the list and press the Edit button. Set the certificate’s type (“web console SSL”, “SSL inspection” or “web console auth CA”). If you selected “web console SSL”, UserGate will restart the web console to apply the changes. The SSL inspection certificate will begin to work immediately. For more details about SSL decryption, please refer to SSL inspection. |
In UserGate, you can export the internally created certificates or import certificates from other systems, e.g. from the trusted certification authority of your company.
To export a certificate, perform the following steps:
Name | Description |
---|---|
Step 1. Select a certificate for exporting | Select the desired certificate in the list of certificates. |
Step 2. Export the selected certificate | Select the type of export: |
Important! It is recommended that you save the certificate and its private key for backup purposes.
Important! For security reasons, UserGate does not allow exporting the private keys of certificates.
To import an existing certificate, you should have the certificate's public and optionally private key and then perform the following:
Name | Description |
---|---|
Step 1. Start the import | Click the Import button. |
Step 2. Fill in the necessary fields | Fill in the following fields: |
4.5.1. Creating SSL inspection certificates based on company’s CA¶
If one or more certification authorities are already set up in your organization, you can use a certificate issued by your internal CA as the SSL inspection certificate. If your internal CA is trusted by all business users, SSL inspection will happen seamlessly and users will not receive warnings about the substituted SSL certificates.
Let’s consider an example. Suppose that your organization has an internal CA which is based on Microsoft Enterprise CA and integrated with Active Directory, as shown in the picture below.
You need to have Sub CA2 issue a new CA-type certificate for UserGate and then set this certificate up as your SSL inspection certificate.
Important! UserGate does not support the RSASSA-PSS signature algorithm (rsassaPss). Make sure this algorithm is not used anywhere in the certificate chain used to create the SSL decrypt certificate.
To do this perform the following steps:
Step | Description |
---|---|
Step 1. Generate a CSR request for creation of a new certificate in UserGate | Select Generate-->New CSR, fill in the necessary fields and then generate a new CSR. The system will create a private key and a request file. Click Export to download this file. |
Step 2. Create a new certificate based on this CSR | Using Microsoft CA, create a new certificate based on the downloaded CSR file by running the “certreq” utility: certreq.exe -submit -attrib "CertificateTemplate:SubCA" HTTPS_csr.pem, or by using the web console of Microsoft CA. For more details, please refer to Microsoft’s documentation. As a result, you will obtain a new certificate (public key) signed by Sub CA2. |
Step 3. Download the resulting certificate | Download the certificate (public key) from the web console of Microsoft CA. |
Step 4. Upload the certificate to the previously created CSR | In UserGate, select the CSR you’ve previously created and then click Edit. Upload the certificate file and click Save. |
Step 5. Specify the certificate as your SSL inspection certificate | In UserGate, select the CSR you’ve previously created and then click Edit. In the Use as field, choose SSL decrypt certificate. |
Step 6. Download certificates for the intermediary CAs (Sub CA1 and Sub CA2) | In the web console of Microsoft CA, select and download certificates (public keys) for Sub CA1 and Sub CA2. |
Step 7. Upload the certificates for Sub CA1 and Sub CA2 to UserGate | Click Import to add the downloaded certificates for Sub CA1 and Sub CA2 into UserGate. |
Step 8. Specify the certificates for Sub CA1 and Sub CA2 as your intermediary SSL inspection certificates | In UserGate, select the uploaded certificates and click Edit. In the Use as field, choose SSL intermediate decrypt certificate for both these certificates. |
Step 9. Upload a Root CA certificate to UserGate (optional) | Click Import to upload a root certificate of your organization to UserGate. Click Edit and select Currently used - SSL inspection (root). |
4.6. Command-line interface (CLI)¶
In UserGate, you can define basic settings of the device using the command-line interface, or CLI. Using CLI, network administrators can run various diagnostic commands, such as ping, nslookup and traceroute, configure network interfaces and zones as well as reboot/shut down the device.
The CLI is especially useful for network diagnostics or when the web console is temporarily unavailable, e.g. because of an invalid IP address or a zone access control setting that blocks the console.
You can connect to CLI physically through standard VGA/keyboard ports (if they are available on UserGate) or a serial port or remotely via SSH.
To connect to CLI using a monitor and a keyboard, perform the following steps:
Name | Description |
---|---|
Step 1. Connect a monitor and a keyboard to UserGate | Connect a monitor to VGA (HDMI) and a keyboard to USB. |
Step 2. Log in to CLI | Log in to CLI using the username and password of the Full Administrator (Admin by default). If UserGate has not been initialized yet, then use the following credentials to access CLI: Admin/utm |
To connect to CLI using a serial port, perform the following steps:
Name | Description |
---|---|
Step 1. Connect to UserGate | Connect your PC to UserGate by means of a special cable for serial ports or a USB-Serial adapter. |
Step 2. Run the terminal | Run any software terminal that supports serial port connections, e.g. PuTTY for Windows or minicom for Linux. Establish a new serial port connection using the following connection parameters: 115200 8n1 |
Step 3. Log in to CLI | Log in to CLI using the username and password of the Full Administrator (Admin by default). If UserGate has not been initialized yet, then use the following credentials to access CLI: Admin/utm |
To connect to CLI remotely via SSH, perform the following steps:
Name | Description |
---|---|
Step 1. Enable access to CLI (by SSH) for the selected zone | Enable access to CLI via the SSH protocol for the zone through which you are going to access CLI. The TCP 2200 port will be opened. |
Step 2. Run an SSH terminal | Run an SSH terminal on your PC, e.g. ssh for Linux or PuTTY for Windows. Specify the UserGate address as the address, 2200 as the connection port, and the Full Administrator credentials as the username and password (Admin by default). In Linux, the connection command should look like this: ssh Admin@IP-UserGate -p 2200 |
Step 3. Log in to CLI | Log in to CLI using the password of the user you have specified on the previous step. If UserGate has not been initialized yet, then use the following credentials to access CLI: Admin/utm |
The following commands are supported:
Name | Description |
---|---|
help | Displays the full list of available commands |
exit, quit, Ctrl+D | Log out of the CLI |
backup | A set of commands for viewing, deleting and restoring automatically created configuration backups: backup list shows the list of existing backups; backup restore -name NAME restores the backup named NAME; backup delete -name NAME deletes the selected backup. |
cache ldap-clear | Clears the LDAP cache. |
code-change-control | A set of commands for viewing and configuring the action taken on an unauthorized change to the executable code. The code integrity check runs every time UserGate boots. code-change-control show displays the current mode; by default, tracking of unauthorized changes to the executable code is disabled. code-change-control set log activates tracking: when a change is detected, UserGate records the change details in the event log. This option requires setting a password that will be used to switch to another tracking mode. code-change-control set block activates tracking and likewise requires setting a password; when a change is detected, UserGate records the details in the event log and also creates a firewall block rule that prohibits all transit traffic through UserGate. This firewall rule can be disabled only after tracking of unauthorized changes has been deactivated. code-change-control set off deactivates tracking; it requires the password that was set when tracking was activated. |
config-change-control | A set of commands for viewing and configuring the action taken on an unauthorized configuration change. Before activating this control, the administrator should complete the configuration of UserGate according to company requirements and then freeze the configuration (set the mode to log or block). Any subsequent change to the configuration is either logged to the event log, or logged and transit traffic blocked. The configuration integrity check runs every few minutes. config-change-control show shows the current mode; the default is off. config-change-control set log logs unauthorized configuration changes to the event log; it requires setting a password, which is needed to change this setting later. config-change-control set block blocks traffic: if UserGate finds any configuration change, it creates a firewall rule that blocks all transit traffic. To disable or remove this firewall rule, the administrator has to disable config-change-control (set it to off). config-change-control set off turns the control off; it requires the password that was set earlier. |
date | Returns the server’s local time |
gateway | A set of commands for viewing and configuring gateway parameters. Type gateway help for more details. |
iface | A set of commands for viewing and configuring network interface parameters. Type iface help for more details. |
license | Show current license information |
netcheck | Command to check connectivity to a specific web site. Usage: netcheck [-t TIMEOUT] [-d] URL Available options: -t - maximum request timeout in seconds -d - request payload data, if not set only headers are fetched. |
node | A set of commands for viewing and configuring cluster’s nodes. Type “node help” for more details. |
nslookup | Returns an IP address of the specified host |
ping | Pings the specified host |
proxy | A set of commands for viewing and configuring the HTTP/S proxy server. The administrator can set the following settings: Check proxy help for more information. |
proxy | A set of commands for viewing and configuring proxy server parameters. Allows you to set parameters such as adding the HTTP headers "via" and "forward", as well as the timeouts for connecting to websites and loading content: Changing the default values is not recommended. See proxy help for more detailed information. |
radmin | A set of commands for viewing and configuring remote access for the UserGate technical support team to the UserGate nodes. Type “radmin help” for more details. |
radmin_e | A set of commands for viewing and configuring remote access for the UserGate technical support team to UserGate in case the appliance is in a hung state. Type “radmin help” for more details. |
reboot | Reboot the UserGate server |
route | Create, edit, delete routes |
shutdown | Shuts down the UserGate server |
telemetry | A set of commands for viewing and configuring the telemetry mode. Telemetry makes it possible to send anonymous statistical data to the UserGate team for analysis and product improvement. This data includes information such as the popularity of web resources, uncategorized websites, virus attacks, IDPS events, and malware activity. Telemetry is enabled by default. telemetry show shows the current status; telemetry set -enabled true enables telemetry; telemetry set -enabled false disables telemetry. |
traceroute | Trace a connection up to the specified host |
usersession | Command to drop specific user’s session (force logout user). usersession terminate -ipv4 IP_ADDRESS - terminate session using IP address of client |
webaccess | A set of commands for viewing and configuring the web console’s authentication mode. You can use this command to revert back from the X.509 certificate mode to the Login and password mode. |
zone | A set of commands for viewing and configuring zone parameters. Type zone help for more details. |
4.7. Backing up and restoring initial settings¶
In UserGate, you can easily back up the current system state and then restore it when necessary. The backup contains a snapshot of the UserGate file system as of the time the backup was created. When recovering from such a backup, UserGate is rolled back to the state at the time the backup was created. This feature is especially useful when critical changes are applied to the system, such as installing UserGate updates. It is recommended that you back up your data regularly.
To create a new backup, perform the following steps:
Name | Description |
---|---|
Step 1. Connect to the server console | Connect a monitor to VGA (HDMI) and a keyboard to USB (if these ports are available on the device), or connect your PC to the serial port of UserGate through a special cable or USB-Serial adapter. Run any software terminal that supports serial port connections, e.g. PuTTY for Windows. Establish a new serial port connection using the following connection parameters: 115200 8n1 |
Step 2. Reboot the device | In the Device management - Server operations section of the web console, click Reboot. |
Step 3. Select the backup management menu while the system is rebooting | While the device is booting, select Support menu and then Create backup. The boot menu is not shown if you are connected via the serial port: to get to the Support menu, press the “4” key while the device is booting; to select Create backup, press the “C” key, then Enter. |
Step 4. Make a backup | Insert a flash drive into the USB port of UserGate. The server will format the flash drive and then save the current system state to it. Once the procedure is finished, the server will reboot. |
To restore the previous system state from a backup, perform the following:
Name | Description |
---|---|
Step 1. Connect to the server console | Connect a monitor to VGA (HDMI) and a keyboard to USB (if these ports are available on the device), or connect your PC to the serial port of UserGate through a special cable or USB-Serial adapter. Run any software terminal that supports serial port connections, e.g. PuTTY for Windows. Establish a new serial port connection using the following connection parameters: 115200 8n1 |
Step 2. Reboot the device | In the Device management - Server operations section of the web console, click Reboot. |
Step 3. Select the backup management menu while the system is rebooting | While the device is booting, select Support menu and then Restore backup. The boot menu is not shown if you are connected via the serial port: to get to the Support menu, press the “4” key while the device is booting; to select Restore backup, press the “R” key, then Enter. |
Step 4. Restore the system from a backup | Insert a flash drive with the latest backup into the USB port of UserGate. Once the procedure is finished, the server will reboot. |
To reset UserGate to default settings, perform the following:
Name | Description |
---|---|
Step 1. Connect to the server console | Connect a monitor to VGA (HDMI) and a keyboard to USB (if these ports are available on the device), or connect your PC to the serial port of UserGate through a special cable or USB-Serial adapter. Run any software terminal that supports serial port connections, e.g. PuTTY for Windows. Establish a new serial port connection using the following connection parameters: 115200 8n1 |
Step 2. Reboot the device | In the Device management - Server operations section of the web console, click Reboot. |
Step 3. Select the backup management menu while the system is rebooting | While the device is booting, select Support menu and then Factory reset. Once the procedure is finished, the server will reboot. The boot menu is not shown if you are connected via the serial port: to get to the Support menu, press the “4” key while the device is booting; to select Factory reset, press the “F” key, then Enter. |
5. Configuring a network¶
This section describes the basic network settings of UserGate.
5.1. Configuring zones¶
In UserGate, a zone is a logical grouping of network interfaces. UserGate security policies are based on zones of interfaces rather than on individual interfaces. This makes security policies more flexible and dramatically simplifies the overall management of high-availability clusters. Note that zones are the same across all cluster nodes, i.e. this is a global setting for the entire cluster.
It is recommended that you group interfaces into zones based on their functionality, e.g. a zone of LAN interfaces, a zone of Internet interfaces, a zone of interfaces with partner networks, etc.
By default, UserGate provides the following zones:
Name | Description |
---|---|
Management | Zone for interfaces connected to trusted networks, allowed for administering UserGate |
Trusted | Zone for interfaces connected to trusted networks, e.g. LANs |
Untrusted | Zone for interfaces connected to untrusted networks, e.g. the Internet |
DMZ | Zone for interfaces connected to the DMZ network |
Cluster | Zone for interfaces designated for cluster operations |
VPN for Site-to-Site | A zone to which all clients connected to UserGate through Site-to-Site VPN are added. |
VPN for remote access | A zone to which all clients connected to UserGate through remote access VPN are added. |
UserGate administrators can change the default zone settings and can also create additional zones.
Important! Up to 16 zones can be created.
To create a new zone, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new zone | Click Add and specify a name for your zone. |
Step 2. Set up the DoS protection parameters (optional) | Specify the following DoS protection parameters in the zone for the TCP (SYN-flood), UDP and ICMP protocols:
Recommended values for TCP and UDP for the notification threshold and package discard threshold are 300 queries per second and 600 queries per second respectively. It is also recommended that you enable flood protection on all interfaces except Cluster zone. When interfaces in the zone handle VoIP or L2TP VPN traffic, make sure to increase the packet drop threshold for UDP. DoS protection exclusion allows you to set up a range of IP addresses excluded from flood protection. This can be useful, for example, on IP telephony servers that usually send lots of small UDP packets. I:orangebold:` mportant!` UserGate can provide even more granular protection from DoS attacks. For details, please refer to section DoS protection. |
Step 3. Set up the access control parameters for the zone (optional) | Specify the UserGate services that you want to make available to all clients connected to the zone. It is recommended that you disable all services in zones connected to untrusted networks and the Internet. The following services are supported: |
Step 4. Set up the IP-spoofing protection (optional) | In an IP spoofing attack, an attacker sends a packet from an external network, e.g. from the Untrusted zone, to an internal network, e.g. the Trusted zone, with the source IP address "spoofed" to one of the addresses of the internal network, so that all responses to this packet go to an internal IP address. To protect against such attacks, the administrator can specify the network ranges of allowed source IP addresses for a specific zone; packets with other source IP addresses are dropped. With the Negate option, the administrator can instead specify the network ranges of source IP addresses that are not expected on the zone's network interfaces; packets with these sources are dropped. |
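The two per-zone checks from Steps 2 and 4 (flood thresholds with a DoS protection exclusion list, and IP-spoofing protection with the Negate option) are modelled below as an added example. This is not UserGate code: the zone names, address ranges, the excluded telephony server and the packet counts are constructed, and the recommended 300/600 queries-per-second thresholds are used as the defaults.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Added example, not UserGate code. Zone names, ranges and traffic are constructed.

@dataclass
class AntiSpoofRule:
    ranges: list           # networks expected (or, with negate, NOT expected) as sources
    negate: bool = False   # False: only the listed ranges may appear as source
                           # True: the listed ranges must never appear as source

def anti_spoof_verdict(rule, src_ip):
    """Return 'accept' or 'drop' for a packet with this source seen on the zone."""
    ip = ipaddress.ip_address(src_ip)
    matched = any(ip in net for net in rule.ranges)
    if rule.negate:
        return "drop" if matched else "accept"
    return "accept" if matched else "drop"

@dataclass
class FloodThresholds:
    notify_pps: int = 300   # notification threshold: log once a source reaches this rate
    drop_pps: int = 600     # packet drop threshold: drop (and log) above this rate

class FloodGuard:
    """Per-protocol, per-source request counter over one-second buckets."""
    def __init__(self, thresholds, exclusions=()):
        self.thresholds = thresholds                        # {"tcp": ..., "udp": ..., "icmp": ...}
        self.exclusions = [ipaddress.ip_network(n) for n in exclusions]
        self.counts = defaultdict(int)                      # (proto, src, second) -> count
        self.events = []                                    # log lines emitted by the guard

    def observe(self, proto, src_ip, ts):
        """Return 'accept', 'log' (accepted but logged) or 'drop'."""
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in self.exclusions):
            return "accept"                                 # DoS protection exclusion: never throttled
        key = (proto, src_ip, int(ts))
        self.counts[key] += 1
        n = self.counts[key]
        t = self.thresholds[proto]
        if n >= t.drop_pps:
            if n == t.drop_pps:
                self.events.append(f"{proto} flood from {src_ip}: dropping above {t.drop_pps} pps")
            return "drop"
        if n >= t.notify_pps:
            if n == t.notify_pps:
                self.events.append(f"{proto} rate from {src_ip} reached {t.notify_pps} pps")
            return "log"
        return "accept"

def simulate_flood(guard, proto, src_ip, packets, ts=100.0):
    """Feed `packets` requests from one source within a single second; return verdict counts."""
    result = defaultdict(int)
    for _ in range(packets):
        result[guard.observe(proto, src_ip, ts)] += 1
    return dict(result)

# Constructed zone policies: Trusted only ever sees 10.0.0.0/8 sources;
# Untrusted must never see private sources (expressed with Negate).
TRUSTED = AntiSpoofRule([ipaddress.ip_network("10.0.0.0/8")])
UNTRUSTED = AntiSpoofRule([ipaddress.ip_network("10.0.0.0/8"),
                           ipaddress.ip_network("172.16.0.0/12"),
                           ipaddress.ip_network("192.168.0.0/16")], negate=True)

def build_guard():
    thresholds = {p: FloodThresholds(300, 600) for p in ("tcp", "udp", "icmp")}
    # Constructed exclusion: the IP telephony server that legitimately sends many small UDP packets.
    return FloodGuard(thresholds, exclusions=["10.10.10.5/32"])

if __name__ == "__main__":
    print(anti_spoof_verdict(TRUSTED, "203.0.113.9"))        # drop
    print(anti_spoof_verdict(UNTRUSTED, "10.1.2.3"))         # drop
    guard = build_guard()
    print(simulate_flood(guard, "udp", "10.1.1.50", 700))    # {'accept': 299, 'log': 300, 'drop': 101}
    print(simulate_flood(guard, "udp", "10.10.10.5", 700))   # {'accept': 700}
    print(guard.events)
```

The verdict counts show why the two thresholds are separate: a source is logged as soon as it reaches the notification threshold, but its packets are still forwarded until the drop threshold is reached, so a busy but legitimate host produces a log entry rather than an outage.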
5.2. Configuring interfaces¶
The interfaces section displays all physical and virtual interfaces available in the system and allows you to change their settings or add new VLAN interfaces. This section contains all interfaces of each node in the cluster. Note that settings of interfaces are node-specific, i.e. they are not global.
Click Edit to change the network interface parameters:
- Enable or disable the interface
- Select the interface type: Layer 3 or Mirror. An interface working in Layer 3 mode can be assigned an IP address and used in various rules, such as firewall rules or content filtering rules. An interface working in Mirror mode can receive and analyze traffic from SPAN ports of network devices.
- Assign the interface to a zone
- Assign a Netflow profile to send statistics to a Netflow collector
- Change the physical parameters of the interface - MAC address and MTU size
- Select the allocation method for IP addresses - static IP address or dynamic IP address obtained by DHCP
- Configure a DHCP relay on the selected interface. To do this, enable the DHCP relay, specify the IP address of the interface for which you want to add a relay in the UserGate address field and then specify one or more DHCP servers to which you want to forward DHCP queries from clients
Click Add VLAN to add a new virtual adapter and then configure it.
5.2.1. Setting up Netflow¶
Netflow is a network protocol introduced by Cisco Systems that provides the ability to collect network traffic statistics. A typical Netflow monitoring setup consists of three main components:
- Sensor - aggregates packets into flows and exports flow records towards one or more flow collectors.
- Flow collector - responsible for reception, storage and pre-processing of flow data received from a sensor.
- Analysis application - analyzes received flow data and prepares reports.
UserGate can act as Netflow sensor. To configure UserGate as a sensor perform the following steps:
Name | Description |
---|---|
Step 1. Create a new Netflow profile | In Libraries --> Netflow profiles click Add and create new profile. |
Step 2. Assign Netflow profile to the network interface which should collect traffic statistics | In Network --> Interfaces select required interface, click Edit and assign Netflow profile created on the previous step. |
Netflow profile has the following configuration settings:
Name | Description |
---|---|
Name | Name of Netflow profile. |
Description | Description of Netflow profile. |
Netflow collector IP | IP address of Netflow collector. |
Netflow collector port | UDP port of Netflow collector. Default is 2055. |
Netflow protocol version | Version of Netflow protocol to use |
Active flow timeout, (sec.) | Export flow after it has been active for this timeout in seconds. Default value is 1800. |
Inactive flow timeout, (sec.) | Export flow after it has been inactive for this timeout in seconds. Default value is 15. |
Maximum flows | Maximum number of flows to account. It's here to prevent DoS attacks. After this limit is reached new flows will not be accounted. Default is 2000000, set zero to unlimited. |
Send NAT information | Collect and send NAT translation events to the Netflow collector. |
Template refresh rate (packets) | The number of packets after which sensor re-sends templates to Netflow collector. Only for Netflow 9/10. Default value is 20. |
Timeout to re-send old template (sec.) | Time in seconds after which sensor re-sends old template to Netflow collector. Only for Netflow 9/10. Default value is 1800 seconds. |
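To make the profile parameters concrete, the following added example (not UserGate code) is a minimal Netflow sensor: it aggregates packets into flows keyed by the 5-tuple, applies the Active flow timeout, Inactive flow timeout and Maximum flows settings from the table above, and packs the expired flows into a NetFlow v5 datagram of the kind a collector listening on UDP port 2055 would receive. The packet records are constructed; how UserGate keys its flows internally is not documented here, so the 5-tuple key is an assumption.

```python
import socket
import struct
from dataclasses import dataclass

# Added example, not UserGate code. Packet records are constructed; the 5-tuple flow key is an assumption.

@dataclass
class Flow:
    key: tuple          # (protocol number, src IP, src port, dst IP, dst port)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

class FlowCache:
    def __init__(self, active_timeout=1800, inactive_timeout=15, max_flows=2000000):
        self.active_timeout = active_timeout      # export long-lived flows periodically
        self.inactive_timeout = inactive_timeout  # export once a flow has gone quiet
        self.max_flows = max_flows                # 0 means unlimited
        self.flows = {}
        self.not_accounted = 0                    # new flows refused after the limit is reached

    def observe(self, pkt, now):
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flow = self.flows.get(key)
        if flow is None:
            if self.max_flows and len(self.flows) >= self.max_flows:
                self.not_accounted += 1           # bounds memory when the sensor is flooded with new flows
                return None
            flow = self.flows[key] = Flow(key, now, now)
        flow.packets += 1
        flow.octets += pkt["len"]
        flow.last_seen = now
        return flow

    def expire(self, now):
        """Remove and return the flows whose active or inactive timeout has elapsed."""
        done = [f for f in self.flows.values()
                if now - f.first_seen >= self.active_timeout
                or now - f.last_seen >= self.inactive_timeout]
        for f in done:
            del self.flows[f.key]
        return done

V5_HEADER = "!HHIIIIBBH"                 # version, count, sysuptime, unix_secs, unix_nsecs, seq, engine type/id, sampling
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"   # the 48-byte NetFlow v5 flow record

def export_v5(flows, sequence, boot_time):
    """Pack up to 30 expired flows into one NetFlow v5 datagram (bytes)."""
    assert 0 < len(flows) <= 30
    now = max(f.last_seen for f in flows)
    header = struct.pack(V5_HEADER, 5, len(flows), int((now - boot_time) * 1000),
                         int(now), 0, sequence, 0, 0, 0)
    body = b""
    for f in flows:
        proto, src, sport, dst, dport = f.key
        body += struct.pack(V5_RECORD,
                            socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,  # src, dst, next hop
                            0, 0,                                                      # input/output ifindex
                            f.packets, f.octets,
                            int((f.first_seen - boot_time) * 1000), int((f.last_seen - boot_time) * 1000),
                            sport, dport, 0, 0, proto, 0,                              # ports, pad, tcp flags, proto, tos
                            0, 0, 0, 0, 0)                                             # src/dst AS, masks, pad
    return header + body

def demo():
    """Constructed traffic: two packets of one TCP flow, a SIP flow, then a third flow hitting the limit."""
    cache = FlowCache(active_timeout=1800, inactive_timeout=15, max_flows=2)
    packets = [
        (0.0, {"proto": 6, "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443, "len": 120}),
        (5.0, {"proto": 6, "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443, "len": 1400}),
        (20.0, {"proto": 17, "src": "10.0.0.7", "sport": 5060, "dst": "203.0.113.20", "dport": 5060, "len": 300}),
        (21.0, {"proto": 17, "src": "10.0.0.8", "sport": 40000, "dst": "203.0.113.30", "dport": 53, "len": 60}),
    ]
    for ts, pkt in packets:
        cache.observe(pkt, ts)
    expired = cache.expire(30.0)          # only the TCP flow has been idle for at least 15 s
    datagram = export_v5(expired, sequence=0, boot_time=0.0)
    return cache, expired, datagram

if __name__ == "__main__":
    cache, expired, datagram = demo()
    print(len(expired), cache.not_accounted, len(datagram))   # 1 1 72
```

The Maximum flows setting matters for the same reason as the DoS thresholds on zones: a flood of connections with ever-changing ports would otherwise grow the flow table without bound. The third constructed flow is refused because the cache is already at its (deliberately tiny) limit, which is exactly the "new flows will not be accounted" behaviour the table describes.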
5.2.2. Interface bonding¶
Click Add a new bond interface to merge multiple physical interfaces into an aggregated logical interface for higher channel throughput or availability. Provide the following parameters when creating a new bond:
Name | Description |
---|---|
Enabled | Enables a bond |
Name | Bond name |
Node name | A node in the UserGate cluster where a new bond will be created |
Zone | A zone to which the bond will belong |
Interfaces | One or more interfaces that will be used for creating the bond |
Mode | The working mode of the bond must be the same as that of the device to which the bond will be connected. Possible options: |
MII monitoring period (ms) | Sets the MII monitoring interval (in milliseconds), i.e. how often the link is checked for failure. The default value is 0 - MII monitoring disabled. |
Down delay (ms) | Sets a delay (in milliseconds) before the interface goes down after a link failure is detected. This option is valid only when MII monitoring (miimon) is enabled. The value must be a multiple of the miimon value; if it is not, it is rounded to the nearest multiple. The default value is 0. |
Up delay (ms) | Sets a delay (in milliseconds) before the interface goes up after the link is restored. This option is valid only when MII monitoring (miimon) is enabled. The value must be a multiple of the miimon value; if it is not, it is rounded to the nearest multiple. The default value is 0. |
LACP rate | Sets the interval at which the partner sends LACPDU packets in 802.3ad mode. Possible values: |
Failover MAC | Sets how MAC addresses are assigned to the merged interfaces in active-backup mode when switching between the interfaces. The standard behavior is to assign the same MAC address to all interfaces. Possible values: |
Xmit hash policy | Sets the hash policy for transmitting packets through the merged interfaces in the XOR or IEEE 802.3ad modes. Possible values: |
Network | Assignment of IP addresses: no address, static IP address or dynamic IP address obtained through DHCP. |
DHCP relay | Configuring a DHCP relay for a bond interface. Enable a DHCP relay, then in the UserGate address field, enter the IP address of the interface to which you want to add a relay, and specify one or more DHCP servers to which DHCP queries from clients should be routed. |
5.2.3. Creating a bridge¶
A network bridge operates at the data link layer (L2) of the OSI model. On receiving a frame, it checks whether the destination MAC address belongs to the segment the frame came from. If it does not, the bridge forwards the frame to the target segment; otherwise, the bridge does nothing.
An interface bridge can be used in UserGate similarly to a standard interface. In addition, a bridge can be configured for content filtering at L2 without any changes to the existing corporate network infrastructure. The easiest way to use UserGate for content filtering at L2 is as follows:
When creating a bridge, you can specify its working mode type: Layer 2 or Layer 3.
In the Layer 2 mode, the newly created bridge does not need any IP addresses, routes or gateways for proper operation. A bridge in this mode works at the MAC address level and broadcasts packets among segments. In Layer 2 mode you cannot use Content filtering and Mail security, while all other filtering mechanisms are supported.
When the Layer 3 mode is selected, make sure to assign an IP address to the bridge being created and provide the routes to networks connected to the bridge interfaces. In this mode, you can use all filtering mechanisms available in UserGate.
When creating a bridge on a UserGate appliance that features a network adapter with bypass mode, you can merge two interfaces into a single bypass bridge. A bypass bridge automatically switches the two selected interfaces to bypass mode (i.e. connects them directly to each other so that traffic no longer passes through UserGate) in the following cases:
- The UserGate appliance is powered off
- The internal diagnostic system detected an issue in the UserGate software.
For more details on network interfaces that support the bypass mode, please refer to the specifications for UserGate appliances.
Click Add a new bridge to merge multiple physical interfaces into a new interface bridge. Make sure to specify the following parameters:
Name | Description |
---|---|
Enabled | Enables an interface bridge |
Name | Interface name |
Type | Specify bridge network type - Layer 3 or Layer 2. |
Node name | A node in the UserGate cluster where a new interface bridge will be created |
Zone | A zone to which the interface bridge will belong |
Bridge interfaces | Two interfaces that will be used for creating the interface bridge |
Bypass bridge interfaces | Pair of interfaces which are eligible to create bypass bridge. UserGate appliance with specific network card is required. |
STP (Spanning Tree Protocol) | Enables STP to protect a network from loops |
Forward delay | A delay before switching a bridge into an active mode (Forwarding) when STP is enabled |
Maximum age | A timeout after which an STP connection is considered lost |
Network | Assignment of IP addresses: no address, static IP address or dynamic IP address obtained through DHCP. |
DHCP relay | Configuring a DHCP relay for a bridge interface. Enable a DHCP relay, then in the UserGate address field, enter the IP address of the interface to which you want to add a relay, and specify one or more DHCP servers to which DHCP queries from clients should be routed. |
5.2.4. PPPoE interface¶
The Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating PPP frames inside Ethernet frames. Click Add a PPPoE to create PPPoE interface. Make sure to specify the following parameters:
Name | Description |
---|---|
Enabled | Enables a PPPoE interface. |
Node name | A node in the UserGate cluster where a new PPPoE interface will be created. |
Interface | An interface which will be used to create PPPoE. |
Zone | A zone to which the interface PPPoE will belong |
MTU | MTU size. The default value is 1492 bytes, which is the standard for PPPoE over Ethernet. |
Login | Account name for PPPoE connection. |
Password | Password for PPPoE connection. |
Persist connection | Reopen the connection if it is terminated. |
Holdoff interval (sec.) | Specifies how many seconds to wait before re-initiating the link after it terminates. This option only has effect if Persist connection is enabled. |
Default route | Add a default route to the system routing table, using the peer as the gateway. This entry is removed when the PPPoE connection is broken. |
LCP echo interval (sec.) | If this option is set, UserGate sends an LCP echo-request frame to the peer every n seconds. Normally the peer should respond to the echo-request with an echo-reply. |
Number of LCP echo failures | If this option is set, UserGate presumes the peer to be dead when the number of LCP echo-requests specified here have been sent without receiving a valid LCP echo-reply. If this happens, UserGate terminates the PPPoE connection. |
Use provider's DNS | If enabled, UserGate uses the DNS servers provided by the PPPoE connection. |
Number of connection attempts | Stop connecting after the number of consecutive failed connection attempts specified here. A value of 0 means no limit. |
5.2.5. VPN interface¶
A VPN device is a virtual network interface for connecting VPN clients. This type of interface is a clustered interface, which means it exists virtually on all nodes of the cluster; if a high availability cluster is configured, VPN clients are automatically switched to a backup node without interrupting the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields:
Name | Description |
---|---|
Name | Name of the interface as tunnelN, where N is the number of virtual device. |
Description | The description of the interface. |
Zone | The zone of the interface. VPN clients will be assigned to this zone when connected. |
Netflow profile | An optional netflow profile that will be used for this interface. |
Mode | IP address assignment mode – Dynamic (via DHCP), Static, No address. Static mode should be used for serving VPN clients (remote access VPN and the server side of site-to-site VPN). |
MTU | The MTU for the interface. |
UTM is preconfigured with 3 VPN interfaces:
- tunnel1 is preconfigured for remote access VPN.
- tunnel2 is preconfigured for the server side of Site-to-Site VPN.
- tunnel3 is preconfigured for the client side of Site-to-Site VPN.
5.3. Configuring gateways¶
To connect UserGate to the Internet, specify the IP address of one or more gateways. If you use multiple ISPs for Internet access, specify a gateway for each of them. Gateway settings are unique to each node in the cluster.
Example of a configuration with two ISPs:
- The eth1 interface with IP address 192.168.11.2 is connected to ISP 1. To access the Internet using this ISP, add a new gateway with IP address 192.168.11.1
- The eth2 interface with IP address 192.168.12.2 is connected to ISP 2. To access the Internet using this ISP, add a new gateway with IP address 192.168.12.1
If you have two or more gateways, the system will be able to operate in two modes:
Name | Description |
---|---|
Traffic balancing between gateways | Enable the Balancing checkbox and specify the Weight of each gateway. In this mode, all Internet traffic is distributed between the gateways according to the weights you specified (gateways with larger weights handle more traffic). Traffic balancing between gateways works as follows: 1. A hash is calculated from the source and destination IP addresses. 2. A gateway is chosen; traffic is distributed based on the weights. For example, with two gateways, sessions are distributed between them in accordance with n1/w1 = n2/w2, where n1, n2 are the session counts and w1, w2 the weights of the two gateways. |
Primary gateway with failover to redundant gateway | Make one of the gateways a primary one and then configure the Connectivity checker by clicking the corresponding button in the interface. Connectivity checker will identify whether the host can access the Internet in the specified periods and will redirect all traffic to redundant gateways as they are listed in the console in case of the primary host failure. |
By default, the Connectivity checker uses the public DNS server from Google (8.8.8.8), but network administrators can easily switch to another host.
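The balancing mode above (hash of source and destination addresses, then a weighted gateway choice so that n1/w1 = n2/w2) is shown below as an added example, not UserGate code. The two gateway addresses, their 3:1 weights and the client/destination addresses are constructed, and the use of SHA-256 as the hash function is an assumption; the page does not say which hash UserGate uses, only that it is computed over the two IP addresses.

```python
import hashlib
import ipaddress

# Added example, not UserGate code. Gateways, weights and addresses are constructed;
# the choice of SHA-256 as the pair hash is an assumption.

GATEWAYS = [("203.0.113.1", 3), ("198.51.100.1", 1)]   # (gateway IP, weight): w1 = 3, w2 = 1

def pair_hash(src, dst):
    """Stable hash of the (source, destination) pair: the same pair always maps to the same gateway."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def choose_gateway(src, dst, gateways=GATEWAYS):
    """Map the pair hash onto a slot in [0, w1 + w2 + ...) and walk the cumulative weights."""
    total = sum(w for _, w in gateways)
    slot = pair_hash(src, dst) % total
    for gw, weight in gateways:
        if slot < weight:
            return gw
        slot -= weight
    raise AssertionError("slot is always below the total weight")

def session_counts(n_sessions, gateways=GATEWAYS):
    """Distribute constructed sessions (clients in 10.0.0.0/16, four Internet hosts) and count per gateway."""
    counts = {gw: 0 for gw, _ in gateways}
    dsts = ["93.184.216.34", "198.51.100.77", "203.0.113.200", "192.0.2.10"]
    for i in range(n_sessions):
        src = str(ipaddress.ip_address("10.0.0.0") + i)
        counts[choose_gateway(src, dsts[i % len(dsts)], gateways)] += 1
    return counts

if __name__ == "__main__":
    counts = session_counts(4000)
    n1, n2 = counts["203.0.113.1"], counts["198.51.100.1"]
    print(counts, round(n1 / 3), round(n2 / 1))   # n1/w1 and n2/w2 come out close to each other
```

Because the choice depends only on the address pair, every packet of a session follows the same gateway, which is what keeps stateful sessions (and any NAT state behind each ISP) from breaking when traffic is split.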
5.4. Configuring DHCP¶
The DHCP service (Dynamic Host Configuration Protocol) allows you to automate provisioning of network settings to clients in a local network. In a network with the DHCP server, each network device can be dynamically assigned an IP address, gateway address, and DNS.
UserGate is also able to work as a DHCP relay by forwarding DHCP requests from clients in different networks to the central DHCP server. For more details on how to configure a DHCP relay, please refer to Configuring DHCP.
In UserGate, you can create multiple ranges of IP addresses that will be allocated via DHCP. A DHCP server works independently on each node of the high-availability cluster. To ensure high availability of the DHCP server, make sure to configure DHCP on both nodes and allocate them non-overlapping IP ranges.
To create a new DHCP range, click Add subnet and specify the following parameters:
Name | Description |
---|---|
Enabled | Enable or disable this DHCP range |
Node name | Node of the cluster where this range will be created |
Interface | Interface of the server on which the IP addresses from the new range will be allocated |
IP range | Range of IP addresses allocated to clients by DHCP |
Mask | Subnet mask allocated to clients by DHCP |
Lease time | Period for which the IP addresses are allocated, in seconds |
Domain | Domain name allocated to clients by DHCP |
Gateway | IP address of the gateway allocated to clients by DHCP |
Name servers | IP addresses of the DNS servers allocated to clients by DHCP |
Reserved hosts | MAC addresses and their mapped IP addresses |
Ignored MAC | List of MAC addresses that should be ignored by the DHCP server |
DHCP PXE boot | Server address and boot file name provided to PXE boot |
All assigned IP addresses are shown in the Leased addresses panel. Network administrators can release any assigned address by selecting it in the list and clicking Release.
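An added example (not UserGate code) that checks a set of DHCP ranges against the constraints this section states before they are created: each range must fit in its subnet, the gateway and reserved hosts must belong to that subnet, the lease time must be positive, and ranges served by the two nodes of a high-availability cluster must not overlap. The node names and addresses are constructed.

```python
import ipaddress

# Added example, not UserGate code. Node names and addresses are constructed.

def _subnet_of(r):
    # ipaddress accepts a dotted mask ("10.1.0.100/255.255.255.0"); strict=False
    # tolerates host bits, so any address inside the range identifies its subnet.
    return ipaddress.ip_network(f"{r['first']}/{r['mask']}", strict=False)

def validate_dhcp_ranges(ranges):
    """Return a list of problem strings; an empty list means the ranges are consistent."""
    problems = []
    checked = []                                   # (label, first, last) of ranges seen so far
    for r in ranges:
        label = f"{r['node']} {r['first']}-{r['last']}"
        net = _subnet_of(r)
        first = ipaddress.ip_address(r["first"])
        last = ipaddress.ip_address(r["last"])
        if first > last:
            problems.append(f"{label}: range start is after its end")
        if last not in net:
            problems.append(f"{label}: range does not fit in subnet {net}")
        if ipaddress.ip_address(r["gateway"]) not in net:
            problems.append(f"{label}: gateway {r['gateway']} is outside {net}")
        if r.get("lease_time", 0) <= 0:
            problems.append(f"{label}: lease time must be positive")
        for mac, ip in r.get("reserved", {}).items():
            if ipaddress.ip_address(ip) not in net:
                problems.append(f"{label}: reserved host {mac} -> {ip} is outside {net}")
        for other, o_first, o_last in checked:
            if first <= o_last and o_first <= last:     # closed intervals intersect
                problems.append(f"{label} overlaps {other}; HA nodes need disjoint ranges")
        checked.append((label, first, last))
    return problems

# Constructed HA configuration: the same /24 served by both nodes with disjoint pools.
GOOD = [
    {"node": "node-1", "first": "10.1.0.100", "last": "10.1.0.149", "mask": "255.255.255.0",
     "gateway": "10.1.0.1", "lease_time": 86400, "reserved": {"00:11:22:33:44:55": "10.1.0.120"}},
    {"node": "node-2", "first": "10.1.0.150", "last": "10.1.0.199", "mask": "255.255.255.0",
     "gateway": "10.1.0.1", "lease_time": 86400},
]

if __name__ == "__main__":
    print(validate_dhcp_ranges(GOOD))   # []
```

Running the check over both nodes' ranges together is the point: each DHCP server works independently, so nothing on either node would notice that the two pools hand out the same addresses.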
5.5. Configuring DNS¶
This section provides settings for the DNS and DNS proxy services.
For proper operation of the product, UserGate must be able to resolve domain names into IP addresses. Specify valid IP addresses of DNS servers in the System DNS servers parameter.
The DNS proxy service allows network administrators to capture DNS queries from users and then modify them as required.
DNS proxy settings are as follows:
Name | Description |
---|---|
DNS caching | Enables or disables caching of DNS responses. It is recommended that you leave this option enabled for better performance. |
DNS filtering | Enables or disables filtering of DNS queries. This option requires an additional license for the ATP module. |
Recursive DNS queries | Allows or prohibits the server to perform recursive DNS queries. It is recommended that you leave this option enabled. |
Max TTL for DNS records (sec) | Sets the maximum allowed lifetime of DNS records. |
Limit DNS requests per second for user | Sets the limit on the number of DNS queries per second for each user. All queries exceeding the specified limit are discarded. The default value is 100 queries per second. It is not recommended to set large values for this parameter, since DNS flood (DNS DoS attacks) is among the most frequent causes of improper operation of DNS servers. |
Only A and AAAA DNS records for unknown users (prohibit VPN over DNS) | If enabled, the DNS server responds to queries from unknown users only for A and AAAA records and blocks all other record types. This effectively blocks any kind of VPN over DNS. |
Using the DNS proxy rules, you can specify DNS servers to which the queries for certain domains will be forwarded. This option can be useful if your company uses an internal local domain, e.g. Active Directory, which is not connected to the Internet.
To create a new DNS proxy rule, perform the following:
Name | Description |
---|---|
Step 1. Add a new rule | Click Add and specify Name and Description (optional). |
Step 2. Specify a list of domains | Provide a list of domains which you want to forward, e.g. localdomain.local. You can also use the "*" character to specify domain templates. |
Step 3. Specify DNS servers | Provide a list of IP addresses of DNS servers to which you want to forward queries for the specified domains. |
In addition, you can specify static records of the "host" type (A-records) using the DNS proxy. To create a new static record, perform the following:
Name | Description |
---|---|
Step 1. Add a new record | Click Add and specify Name and Description (optional). |
Step 2. Provide the FQDN | Specify the Fully Qualified Domain Name (FQDN) of the static record, e.g., www.example.com. |
Step 3. Specify IP addresses | Provide a list of IP addresses which will be returned by the UserGate server when this FQDN is requested. |
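The DNS proxy behaviour described in this section (static A records answered locally, DNS proxy rules with "*" domain templates forwarding to specific servers, the per-user rate limit of 100 queries per second, and the A/AAAA-only restriction for unknown users) is modelled below as an added example. This is not UserGate code: the internal domain, the server addresses, the user names and the order in which the checks are applied are constructed assumptions.

```python
import fnmatch
from collections import defaultdict

# Added example, not UserGate code. Domains, servers, users and check order are constructed.

class DnsProxy:
    def __init__(self, system_dns, rate_limit=100, restrict_unknown=True):
        self.system_dns = list(system_dns)        # System DNS servers
        self.rate_limit = rate_limit              # Limit DNS requests per second for user
        self.restrict_unknown = restrict_unknown  # Only A and AAAA DNS records for unknown users
        self.static = {}                          # fqdn -> list of IPs (static A records)
        self.rules = []                           # (rule name, [domain templates], [servers])
        self.counts = defaultdict(int)            # (identity, second) -> queries in that second

    def add_static_record(self, fqdn, ips):
        self.static[fqdn.lower().rstrip(".")] = list(ips)

    def add_rule(self, name, domains, servers):
        self.rules.append((name, [d.lower() for d in domains], list(servers)))

    def _forwarders(self, qname):
        """First matching DNS proxy rule wins; otherwise fall back to the system DNS servers."""
        for name, domains, servers in self.rules:
            if any(qname == d or fnmatch.fnmatchcase(qname, d) for d in domains):
                return name, servers
        return None, self.system_dns

    def resolve(self, user, src_ip, qname, qtype, ts):
        """Decide what to do with one query; returns a dict describing the action."""
        qname = qname.lower().rstrip(".")
        # Unknown users are counted by source address, identified users by identity.
        key = (user or src_ip, int(ts))
        self.counts[key] += 1
        if self.counts[key] > self.rate_limit:
            return {"action": "discard", "reason": "per-user rate limit exceeded"}
        if self.restrict_unknown and user is None and qtype not in ("A", "AAAA"):
            # DNS tunnels need record types other than A/AAAA; refuse those until the user is identified.
            return {"action": "refuse", "reason": f"{qtype} query from unknown user"}
        if qtype == "A" and qname in self.static:
            return {"action": "answer", "answer": self.static[qname]}
        rule, servers = self._forwarders(qname)
        return {"action": "forward", "rule": rule, "servers": servers}

def build_proxy():
    """Constructed configuration: an internal AD domain forwarded to its DCs, plus one static host."""
    proxy = DnsProxy(system_dns=["8.8.8.8", "1.1.1.1"])
    proxy.add_rule("corp-ad", ["corp.local", "*.corp.local"], ["10.0.0.10", "10.0.0.11"])
    proxy.add_static_record("intranet.example.com", ["10.0.5.20"])
    return proxy

if __name__ == "__main__":
    p = build_proxy()
    print(p.resolve("alice", "10.1.1.5", "dc1.corp.local", "A", 50.0))     # forward to the DCs
    print(p.resolve(None, "10.1.1.9", "host.example.org", "TXT", 50.0))     # refused: unknown user
```

Note the template semantics: "corp.local" and "*.corp.local" are listed separately because a "*" template only matches names that have something in front of the dot, so the bare domain needs its own entry.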
5.6. Routes¶
In this section, you can specify a route to the network available through a certain router. This can be useful when several IP subnets in your local network are integrated via a local router. A route is applied only to the cluster's node where it has been created.
To add a new route, perform the following steps:
Name | Description |
---|---|
Step 1. Select a node in your cluster | If using a cluster, select the node on which you want to create the new route from the drop-down menu. |
Step 2. Specify a name and description for the route | Provide a name for the route and, optionally, a description. |
Step 3. Specify the Destination | Specify the destination subnet for the new route, e.g. 172.16.20.0/24 or 172.16.20.5/32 |
Step 4. Specify the Gateway | Provide the IP address of the gateway through which the specified subnet should be reachable. This IP address must be reachable from the UserGate server. |
Step 5. Specify an Interface | Select the interface to which you want to add the new route. |
Step 6. Specify Metric | Specify a metric for the new route. If you have multiple routes, routes with lower metrics have higher priority. |
5.7. WCCP support¶
The Web Cache Communication Protocol (WCCP) is a content-redirection protocol developed by Cisco. It provides a mechanism for redirecting traffic streams in real time and has built-in scaling, load balancing, and failsafes. When using WCCP, the WCCP server accepts an HTTP request from the client browser and redirects it to one or more WCCP clients. The WCCP client receives the data from the Internet and returns it to the client's browser. Data can be delivered to the client via the WCCP server, or it can bypass the server depending on the routing rules.
UserGate can act as a WCCP client. A router usually acts as the WCCP server. All filtering mechanisms can be applied to traffic received via WCCP.
Important! For traffic received via a WCCP tunnel, UserGate uses the IP address of the client's computer as the source IP, and the source zone is not defined, so do not specify the zone in filtering rules (leave it as "any").
To configure a WCCP client in UserGate, perform the following steps:
Name | Description |
---|---|
Step 1. Configure the WCCP server | Configure the WCCP server in accordance with the instructions to the WCCP server |
Step 2. Enable the WCCP client service in UserGate | Enable WCCP in the Settings --> Configure WCCP section of the UserGate console. |
Step 3. Indicate the address of the WCCP server and the password for connecting to this server | Set the IP address of the server and the password for connecting to the WCCP server. The password must match the value of the password set when configuring the WCCP server in Step 1. |
Step 4. Enable HTTPS support | By default, the WCCP client will inform the server that it is ready to accept the HTTP protocol. To receive and process HTTPS traffic, check the box labeled HTTPS support. |
5.8. Dynamic routing protocols¶
The dynamic routing protocols are used for distributing information about the networks currently connected to each router. Routers communicate with one another through routing protocols. UserGate updates the routing table in its core according to the information obtained from the adjacent routers.
Dynamic routing does not affect the methods used by the core for IP routing. The core will be checking its own routing table in the same way to search for routes to hosts, routes to networks, and default routes. The only change is how the information will be added to the routing table: routes will be recorded automatically, without any manual operations.
UserGate supports two dynamic routing protocols: OSPF and BGP.
5.8.1. OSPF¶
OSPF (Open Shortest Path First) is a dynamic routing protocol that is based on the link state tracking technology and Dijkstra's algorithm for finding the shortest paths between nodes. The OSPF protocol redistributes information about the available routes among routers within the same autonomous system (AS). For more details on OSPF, please refer to the corresponding technical documentation.
To set up OSPF in UserGate, perform the following steps:
Name | Description |
---|---|
Step 1. Enable an OSPF router. | In the UserGate console, go to Network-->OSPF-->OSPF router, click Configure and configure parameters of the OSPF router. |
Step 2. Select the interfaces through which the OSPF router will be receiving/redistributing information from other routers. | In the UserGate console, go to Network-->OSPF-->Interfaces, click Add and configure parameters of the interface. Add as many interfaces as necessary for proper operation of OSPF in your organization. |
Step 3. Define an OSPF area. | In the UserGate console, go to Network-->OSPF-->Areas, click Add and configure parameters of the OSPF area. Make sure to provide the interfaces (created in the previous step) through which the area will be available to other routers. Add as many areas as necessary for proper operation of OSPF in your organization. |
When setting up an OSPF router, make sure to provide the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables a given OSPF router. |
Router ID | IP address of the router. Must be the same as one of IP addresses assigned to network interfaces of UserGate. |
Redistribute | Redistributes routes directly connected to the UserGate network or kernel routes added by administrators in the Routes section among other OSPF routers. |
Metric | Set the metric for the redistributed routes. |
Default originate | Notify other routers that a given router has a default route. |
When setting up OSPF interfaces, make sure to provide the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables a given interface. |
Interface | Select an existing interface that will be used for OSPF. |
Cost | Cost of the channel in a given interface. This value is sent by LSA (link state advertisement) for the adjacent routers and then is used by these routers when they calculate the shortest route. The default value is 1. |
Priority | An integer from 0 to 255. A larger value means higher chances for a router to become the designated router in the network for sending LSAs. Set this value to 0 if you do not want to make this router the designated router. The default value is 1. |
Hello interval | Time period in seconds after which a router sends 'hello' packets. This value must be the same across all routers within the autonomous system. The default value is 10 seconds. |
Dead interval | Time period in seconds after which the adjacent router will be considered unavailable. This time period is counted since the moment when the last 'hello' packet is received from the adjacent router. The default value is 40 seconds. |
Retransmit interval | Sets the time interval before repeated sending of an LSA packet. The default value is 5 seconds. |
Transmit delay | Sets an approximate time period required for delivering the updated link state to the adjacent routers. The default value is 1 second. |
Authentication Enabled | Enables mandatory authentication of each incoming OSPF message on the router. Authentication is mostly used to prevent injection of false routes by unauthorized routers. |
Auth type | Possible values: |
When setting up an OSPF area, make sure to provide the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables a given area. |
Name | Name of a given area. |
Cost | Cost of the LSA announced in the stub area |
Area ID | Area identifier. An identifier can be specified in decimal format or as an IP address. However, area identifiers are not IP addresses and thus may coincide with any assigned IP address. |
Auth type | Possible values: Authentication at the interface level takes precedence over authentication at the area level. |
Area type | Sets the area type. The following area types are supported: |
Do not sum up | Prohibits injection of summary routes to stub areas. |
Interfaces | Selection of OSPF interfaces in which this area will be accessible. |
Virtual links | A special connection for merging a partitioned area or joining an area to the backbone through another area. It can be configured between two ABRs. This option allows a router to send OSPF packets over virtual links by encapsulating them in IP packets. This mechanism can be used as a temporary solution or as a backup when the backbone connections go down. You can specify the IDs of routers that should be reachable through a given area. |
5.8.2. BGP¶
BGP (Border Gateway Protocol) is a dynamic routing protocol that belongs to the class of exterior gateway protocols (EGP). At present, it is the key dynamic routing protocol on the Internet. BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS), i.e. groups of routers under unified technical and administrative control. BGP uses intra-domain routing protocols to identify internal routes and inter-domain routing protocols to identify routes for delivering packets to other ASes. The delivered information may include a list of ASes that are reachable through a given system. The best routes are selected according to network-specific rules. For more details on BGP, please refer to the corresponding technical documentation.
To set up BGP in UserGate, perform the following steps:
Name | Description |
---|---|
Step 1. Enable a BGP router. | In the UserGate console, go to Network-->BGP--> BGP router, click Settings and configure parameters of the BGP router. |
Step 2. Add at least one BGP peer. | In the UserGate console, go to Network-->BGP-->BGP peers, click Add and configure parameters of the router included in the peer AS. Add as many peers as necessary. |
Step 3. Optional. Set up the filters and Routemap in order to limit the number of incoming routes. | In the UserGate console, go to Network-->BGP-->Routemaps or Network-->BGP--> Filters, click Add and configure parameters of the Routemap/filters. Add as many Routemap/filters as necessary for proper operation of BGP in your organization. |
When setting up a BGP router, make sure to provide the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables a given BGP router. |
Router ID | IP address of the router. Must be the same as one of IP addresses assigned to network interfaces of UserGate. |
ID of the autonomous system (AS) | An autonomous system is a set of IP networks and routers managed by one or more operators under a unified routing policy. The AS ID identifies the routers that belong to a given system. |
Redistribute | Notifies other BGP routers about routes directly connected to a UserGate-network (connected), routes added by the administrator in the Routes section (kernel), or routes obtained through BGP. |
Multiple path | Enables traffic balancing to routes with the same cost. |
Networks | A list of networks in a given AS. |
To add BGP peers, click Add and provide the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables a given peer |
Interface | One of the existing system interfaces through which a given peer should be accessible |
Host | IP address of a peer |
Description | An arbitrary description of a peer |
Remote ASN | ID of an autonomous system which a peer relates to |
Weight | The weight of given routes obtained from a given peer |
TTL | The maximum number of hops allowed in the route to a given peer |
Announce next-hop-self for BGP | Replace the next-hop value with the router's own IP address in routes announced to a given BGP peer |
Multihop for eBGP | Indicates that the connection to a given peer is indirect (several hops away) |
Route reflector client | Indicates whether a given peer is a Route reflector client |
Soft reconfiguration | Use soft reconfiguration (without disconnections) for configuration updates |
Default originate | Announce the default route to a given peer |
Authentication | Enables authentication for a given peer and sets a password for authentication |
Filters for BGP peers | Restricts access to information about routes obtained from peers or announced routes to them |
Routemaps | Routemaps are used for managing route tables and defining conditions upon which routes must be redistributed among domains |
Routemaps help filtering routes during redistribution and changing various route attributes. Provide the following parameters when creating a new routemap:
Name | Description |
---|---|
Name | Name of a given routemap |
Operation | Sets an action for a given routemap. Possible values: |
Compare by | Conditions for applying a routemap. Possible values: |
Set next hop | Sets the next hop value to the indicated IP address for the filtered routes |
Set weight | Sets a preference to the indicated value for the filtered routes |
Set metric | Sets a metric to the indicated value for the filtered routes |
Set preference | Sets a preference to the indicated value for the filtered routes |
Set AS-prepend | Sets AS-prepend, i.e. a list of autonomous systems to be added for a given route |
Community | Sets a BGP community for the filtered routes |
The filter allows sorting out various routes during redistribution. Provide the following parameters when creating a new filter:
Name | Description |
---|---|
Name | Name of a given filter |
Action | Sets an action for a given filter. Possible values: |
Filter by | Conditions for applying a filter. Possible values: |
6. Users and devices¶
Security policies, firewall rules, safe browsing rules and many other features of UserGate can be applied to users or groups of users. Since policies can be applied only to the selected users, network administrators can flexibly adapt the entire network to the company's needs.
Identification of users is a core feature of UserGate. A user is identified when the system is able to exactly match their identity with the IP address of the device from which they are currently logged in. UserGate offers multiple mechanisms of user identification:
- Identification by explicitly provided IP address
- Identification by username and password
- Identification of users on Microsoft terminal servers using a special terminal service agent
- Identification of users via an authentication agent (for Windows-based systems)
- Identification based on NTLM and Kerberos
Identification of users by username and password is performed via the Captive portal which, in turn, can be configured to identify users via Active Directory, Radius, Kerberos or a local user database.
UserGate supports the following types of users:
Name | Description |
---|---|
Unknown user | Represents a set of users not identified by the system |
Known user | Represents a set of users identified by the system. Various user identification methods are described below in more detail. |
Any user | The Any user is the set of Known users plus the set of Unknown users |
Certain user | The Certain user represents users fully identified and authorized by the system, e.g. DOMAIN\User authorized through an Active Directory domain. |
Users and groups of users can either be registered directly on the UserGate device (the so-called local users and groups) or obtained from external directories, such as Microsoft Active Directory.
6.1. Users¶
In this section, you can add local users. In addition, you can also temporarily disable users or enable them again.
To create a new local user, you need to specify only one mandatory parameter (username). Though all other parameters are optional, it is recommended that you specify them for proper user identification:
- Username and password for identification by username and password. In this case, you will need to set up the Captive portal where users can enter their username and password for authentication.
- One IP address or a range of IP addresses, and a MAC address, for identification based on MAC and IP. In this case, it is necessary to ensure network access from the specified MAC and/or IP addresses for a given user.
- The VLAN ID for identifying the user via VLAN tag. In this case, you need to make sure the user always accesses the network from the indicated VLAN.
If both the credentials and IP/MAC/VLAN addresses are provided for a user, the system will utilize identification by address, i.e. identification by address has a higher priority.
Though user accounts obtained from LDAP synchronization are not shown here, these users can also be added to security policies.
6.2. Groups¶
Groups of users will allow you to join users together and efficiently manage their security policies.
6.3. Authentication servers¶
Authentication servers are the external sources of user accounts for UserGate, e.g. LDAP servers, Radius, TACACS+, Kerberos or SAML. UserGate supports:
- LDAP-connector
- Radius authentication server
- TACACS+ authentication server
- Kerberos authentication server
- NTLM authentication server
- SAML (SSO) authentication server
The Radius, TACACS+, NTLM, SAML and Kerberos authentication servers can only authorize users, while the LDAP-connector can provide information about users and their properties.
6.3.1. LDAP connector¶
LDAP connector allows you:
- Get information about users and groups from Active Directory or other LDAP servers, including FreeIPA LDAP servers. LDAP users and groups can be used in different security rules.
- Authorize users via the Active Directory domain/FreeIPA using Captive portal, Kerberos or NTLM.
To create a new authentication server based on Active Directory, click Add, select Add LDAP connector and then specify the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables usage of the specified authentication server |
Name | Name of the authentication server |
SSL | Specifies whether an SSL connection is needed for communication with the LDAP server. |
LDAP domain name or IP address | IP address of the domain controller or domain name (FQDN). When a domain name is used, UserGate will be retrieving IP addresses of domain controllers via DNS queries. |
Bind DN ("login") | Username for connecting to the LDAP server. The username must be in the DOMAIN\username or username@domain format. This user must be already created in the domain. |
Password | User password for connecting to the domain. |
LDAP domains | List of the domains which are handled by the domain controller, e.g. domains of Active Directory tree or forest. You may also add a NetBIOS domain name here. This list may be displayed on the authorization page of the Captive portal. For details on the Captive portal, please refer to Configuring a Captive portal. |
Kerberos keytab | You can upload a Kerberos keytab file here to set up Kerberos-based authentication. For more details on Kerberos, please refer to Kerberos authentication. Important! It is highly recommended that you upload a keytab file even when you do not need Kerberos-based authentication. In this case, the uploaded keytab file will help retrieve users and groups from LDAP servers via Kerberos and thus dramatically reduce workload for AD servers. When there are 1,000+ elements in AD, uploading a keytab file for Kerberos is mandatory. |
Once the server is created, check whether all parameters are correct by clicking Check connection. If all parameters are correct, the system will notify you about it, otherwise the system will display an error message.
The connection to LDAP is completed. To authorize LDAP users, you need to set up identification by username/password (create rules for the Captive portal). For more details on the Captive portal, please refer to the next chapters of this Guide.
6.3.2. Radius authentication server¶
The Radius authentication server allows you to authorize users on Radius servers, i.e. UserGate will be serving as a Radius client. When authorizing via Radius, the UserGate server sends the username and password to a Radius server which, in turn, notifies whether the authentication has been successful or not.
Radius servers cannot provide properties of users to UserGate, so if you have not registered them in UserGate beforehand (e.g. as local users or via the LDAP connector), you will be able to use only Known (i.e. authorized on a Radius server) or Unknown (failed to authorize on a Radius server) users in your security policies.
To create a new authentication server based on Radius, click Add, select Add RADIUS server and then specify the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables usage of the specified authentication server |
Server name | Name of the authentication server |
Shared secret | Shared key used by the Radius protocol for authentication |
Host | IP address of the Radius server |
Port | UDP port on which the Radius server is listening for authentication requests (UDP 1812 by default). |
Once the authentication server is created, you should set up the Captive portal for Radius-based authentication. For more details on the Captive portal, please refer to the next chapters of this Guide.
6.3.3. TACACS+ authentication server¶
A TACACS+ user authentication server allows authorizing users on TACACS+ servers. When authorizing a user via a TACACS+ server, UserGate sends the user credentials to the TACACS+ server, which, in turn, notifies UserGate whether the authentication was successful or not.
TACACS+ servers cannot provide properties of users to UserGate, so if you have not registered them in UserGate beforehand (e.g. as local users or via the LDAP connector), you will be able to use only Known (i.e. authorized on a TACACS+ server) or Unknown (failed to authorize on a TACACS+ server) users in your security policies.
To create a TACACS+ authentication server, click Add, select Add a TACACS+ server and provide the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables a given authentication server |
Server name | Name of the authentication server. |
Secret key | A shared secret key used by TACACS+ for authentication. |
Address | IP address of the TACACS+ server. |
Port | A UDP port on which a TACACS+ server will be listening for authentication requests. By default, UDP 1812 is used. |
Use a single connection | Use a single TCP connection for communications with a TACACS+ server. |
Timeout (sec) | Period during which authentication from a TACACS+ server will be awaited. By default, the timeout is 4 seconds. |
6.3.4. SAML IDP authentication server¶
A SAML IDP server (Security Assertion Markup Language Identity Provider) allows authorizing users based on locally deployed Single Sign-On (SSO) systems, such as Microsoft Active Directory Federation Service. As a result, each user will be able to authorize in SSO once, and then transparently authorize on all resources that support SAML. UserGate can be configured as a SAML service provider and use SAML IDP servers for client authentication.
SAML IDP servers cannot provide UserGate with properties of users, and thus if no connection with AD domains is set up, then only users with Known (successfully authorized on a SAML server) or Unknown (failed to authorize) statuses will be eligible in filtering policies.
To set up authentication using SAML IDP servers, perform the following steps:
Name | Description |
---|---|
Step 1. Create a DNS record for the UserGate server. | On a domain controller, create DNS records corresponding to your UserGate server for use as auth.captive domain, e.g. utm.domain.loc. As an IP address, provide the address of your UserGate interface connected to the Trusted network. |
Step 2. Set up DNS servers in UserGate. | In the UserGate settings, provide the IP addresses of the domain controllers as the system DNS servers. |
Step 3. Change the address for Captive portal auth domain. | Replace the address of the Captive portal auth domain in the General settings section with the DNS record created in the previous step. For more details on how to change the domain address of the Captive portal auth domain, please refer to General settings section. |
Step 4. Set up the SAML IDP server. | Add a record about the UTM service provider on the SAML IDP server using the FQDN that you created in Step 1. |
Step 5. Create a SAML IDP authentication server for users. | Create a SAML IDP authentication server in UserGate. |
To create a SAML IDP authentication server, go to Users and devices-->Authentication servers, click Add, select Add a SAML IDP server and provide the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables a given authentication server. |
Server name | Name of the authentication server. |
Description | Description of the authentication server. |
SAML metadata URL | URL on the SAML IDP server for downloading an XML file with the valid configuration for a SAML service provider (client). Clicking Download will fill in the mandatory server configuration fields with the data from this XML file. This a preferred configuration method for a SAML IDP authentication server. For more details on SAML servers, please refer to the corresponding documentation. |
SAML IDP certificate | A certificate that will be used in a SAML client. Possible options:
|
Single sign-on URL | URL used in the SAML IDP server as a single login point. For more details, please refer to the documentation of the SAML IDP server that you use. |
Single sign-on binding | A method for handling SSO-based logins. Possible options: POST or Redirect. For more details, please refer to the documentation of the SAML IDP server that you use. |
Single logout URL | URL used in the SAML IDP server as a single logout point. For more details, please refer to the documentation of the SAML IDP server that you use. |
Single logout binding | A method for handling SSO-based logouts. Possible options: POST or Redirect. For more details, please refer to the documentation of the SAML IDP server that you use. |
6.3.5. Kerberos authentication¶
Authentication via Kerberos enables transparent (without entering usernames and passwords) authentication of Active Directory domain users. During Kerberos-based authentication, the UserGate server communicates with domain controllers to authorize the user who wants to gain access to the Internet.
Kerberos authentication can work both when a proxy server is explicitly provided in a user browser (standard mode) or when no proxy server is provided (transparent mode).
To set up authentication through Kerberos, perform the following steps:
Name | Description |
---|---|
Step 1. Create a DNS record for the UserGate server. | On a domain controller, create DNS records corresponding to your UserGate server for the auth.captive and logout.captive domains, e.g. auth.domain.loc and logout.domain.loc. As an IP address, provide the address of your UserGate interface connected to the Trusted network. Important! Create A-type DNS records, do not use CNAME records. |
Step 2. Create a new user for your UserGate server. | Create a new user in the AD domain, e.g. kerb@domain.loc, and enable the password never expires option. Set up a password for user 'kerb'. Important! Do not use characters from national alphabets, such as Cyrillic letters, in user names and in the Active Directory organizational units where you are going to create the account for user 'kerb'. Important! Do not reuse for Kerberos the user that was previously created for the LDAP connector. Make sure to create a new account. |
Step 3. Create a keytab file. | On the domain controller, create a keytab file using the following command running as the administrator (it is a one-line command!): ktpass.exe /princ HTTP/auth.domain.loc@DOMAIN.LOC /mapuser kerb@DOMAIN.LOC /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass * /out C:\utm.keytab Enter the password previously set for user 'kerb'. Important! This command is case-sensitive. In this example: auth.domain.loc is the DNS record created for your UserGate server in Step 1; DOMAIN.LOC is the Kerberos realm domain, in capital letters only; kerb@DOMAIN.LOC is the domain user name created in Step 2, with the name of the realm domain in capital letters only. |
Step 4. Set up DNS servers in UserGate. | In the UserGate settings, provide the IP addresses of the domain controllers as the system DNS servers. |
Step 5. Set up synchronization of time with the domain controller. | In the General settings, enable synchronization of time with NTP servers and provide IP addresses of the domain controllers as the primary and secondary NTP servers. |
Step 6. Change the address for Captive portal auth domains. | Replace the address in Captive portal auth domain and optionally the address in Captive portal logout domain in the General settings section with the DNS records created in the previous step. For more details on how to change domain addresses for the Captive portal auth and logout domains, please refer to General settings. |
Step 7. Create an LDAP connector and upload a keytab file to it. | Create a new LDAP connector and upload the keytab file created in the previous step. For more details on LDAP connectors, please refer to LDAP connector. |
Step 8. Create a Captive portal rule with Kerberos authentication. | Set up the Captive portal for authentication through Kerberos. For more details on the Captive portal, please refer to the next chapters of the Guide. |
Step 9. Allow access to HTTP(S) for the zone. | In the Zones section, allow access to HTTP(S) proxy for the zone to which the users who authorize through Kerberos are connected. |
Step 10. Set up the proxy server on user workstations to enable standard authentication. | On the user workstations, enable mandatory use of the proxy server as the UTM's FQDN name created in Step 3. |
Step 11. For authentication in the transparent mode, set up automatic user authentication by the browser across all of the browser's security zones. | On the user workstations, go to Control panel-->Internet options-->Security, select Internet-->Security-->Custom level-->User Authentication and enable Automatic logon with current name and password. Repeat this configuration for all other zones available on a given workstation (Local intranet, Trusted sites). |
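The domain-controller side of Steps 1 to 3 as one PowerShell script. This is an added example, not UserGate's own code; it assumes the guide's example names (domain.loc, DOMAIN.LOC, kerb, auth/logout, C:\utm.keytab), a placeholder UserGate IP address, and an elevated session on a domain controller with the ActiveDirectory and DnsServer modules installed.

```powershell
# Added example (not part of the UserGate guide). Run elevated on a domain
# controller. All hostnames, the realm, the IP and the path are placeholders
# taken from the guide's example values; replace them for your domain.
$Realm      = 'DOMAIN.LOC'     # Kerberos realm, upper case only (ktpass is case-sensitive)
$DnsZone    = 'domain.loc'
$AuthHost   = 'auth'           # becomes auth.domain.loc   (Step 1)
$LogoutHost = 'logout'         # becomes logout.domain.loc (Step 1)
$UtmIp      = '192.0.2.10'     # ASSUMED: Trusted interface of UserGate
$SvcUser    = 'kerb'           # Step 2 account; ASCII name, dedicated to Kerberos
$KeytabPath = 'C:\utm.keytab'

Import-Module ActiveDirectory
Import-Module DnsServer

# Step 1: A records (never CNAME) for the auth and logout domains, created
# only when they do not exist yet so the script can be re-run safely.
foreach ($h in $AuthHost, $LogoutHost) {
    $existing = Get-DnsServerResourceRecord -ZoneName $DnsZone -Name $h -RRType A `
                    -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $DnsZone -Name $h -IPv4Address $UtmIp
    }
}

# Step 2: a new, dedicated service account whose password never expires.
$Password = Read-Host -AsSecureString "Password for $SvcUser"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcUser'")) {
    New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
        -UserPrincipalName "$SvcUser@$DnsZone" `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
}

# Step 3: the guide's ktpass command, built from the variables above.
# /pass * makes ktpass prompt for the same password set in Step 2.
& ktpass.exe /princ "HTTP/$AuthHost.$DnsZone@$Realm" /mapuser "$SvcUser@$Realm" `
    /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass * /out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Checks a practitioner wants before uploading the keytab to the LDAP connector:
# the SPN is registered on the account, the keytab exists, the name resolves to UserGate.
setspn.exe -L $SvcUser
Get-Item $KeytabPath | Select-Object FullName, Length
Resolve-DnsName "$AuthHost.$DnsZone" -Type A | Select-Object Name, IPAddress
```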
6.3.6. NTLM authentication server¶
NTLM authentication allows you to transparently (without requesting credentials) authorize users of Active Directory domains. To perform NTLM authentication, your UserGate server will communicate with the domain controllers and request them to verify a user, and then allow or prohibit Internet access.
NTLM servers cannot provide a list of users, and thus if user accounts were not added to UserGate beforehand (e.g. as local users or via LDAP connector), then only users with Known (successfully authorized on a NTLM server) or Unknown (failed to authorize) statuses will be eligible in filtering policies.
NTLM authentication can work both when a proxy server is explicitly provided in a user browser (standard mode) or when no proxy server is provided (transparent mode). In this case, setting up UserGate is similar to the standard authentication.
To set up NTLM authentication, perform the following steps:
Name | Description |
---|---|
Step 1. Set up synchronization of time with the domain controller. | In the UserGate settings, enable synchronization of time with NTP servers and provide IP addresses of the domain controllers as the primary and secondary NTP servers. |
Step 2. Create a DNS record for the UserGate server. | On a domain controller, create DNS records corresponding to your UserGate serve domains for auth.captive and logout.captive, e.g. auth.domain.loc and logout.domain.loc. As an IP address, provide the address of your UserGate interface connected to the Trusted network. |
Step 3. Change the address for Captive portal auth domains. | Replace the address in Captive portal auth domain and optionally the address in Captive portal logout domain in the General settings section with the DNS records created in the previous step. For more details on how to change domain addresses for the Captive portal auth and logout domains, please refer to General settings. |
Step 4. Add a NTLM authentication server. | Go to Authentication servers, click Add, select Add a NTLM server and then specify the name, IP address of the domain controller, and the domain name. |
Step 5. Create a Captive portal rule with NTLM authentication. | Set up the Captive portal for authentication through NTLM. For more details on the Captive portal, please refer to the next chapters of the Guide. |
Step 6. Allow access to HTTP(S) for the zone. | In the Zones section, allow access to HTTP(S) proxy for the zone to which the users who authorize through NTLM are connected. |
Step 7. Set up the proxy server on user workstations to enable standard authentication. | On the user workstations, enable the mandatory use of a proxy server and specify the IP address of your Trusted UserGate interface as the proxy server address. Important! You can use domain names instead of IP addresses, but do not specify domain names from Active Directory — otherwise, Windows-based workstations will be trying to authorize through Kerberos. |
Step 8. For authentication in the transparent mode, set up automatic user authentication by the browser across all of the browser's security zones. | On the user workstations, go to Control panel-->Internet options-->Security, select Internet-->Security-->Custom level-->User Authentication and enable Automatic logon with current name and password. Repeat this configuration for all other zones available on a given workstation (Local intranet, Trusted sites). |
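The workstation side of the NTLM procedure (Steps 7 and 8) and of the Kerberos procedure (Steps 10 and 11) as one PowerShell script driving the registry values behind Control panel-->Internet options. This is an added example, not UserGate's own code; the proxy host, the proxy port and the AD DNS suffix are placeholders, and the script also enforces the guide's warning not to use an Active Directory name as the NTLM proxy address.

```powershell
# Added example (not part of the UserGate guide). Run as the user whose
# browser settings should change; in production these values are normally
# delivered by Group Policy. Host, port and suffix are placeholders.
param(
    [ValidateSet('Kerberos', 'NTLM')] [string] $Mode = 'NTLM',
    [string] $ProxyHost   = '192.0.2.10',  # NTLM: Trusted IP of UserGate; Kerberos: its FQDN
    [int]    $ProxyPort   = 8090,          # ASSUMED proxy port; take it from your UserGate setup
    [string] $AdDnsSuffix = 'domain.loc'   # the AD domain, used only for the NTLM sanity check
)

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Step 7 warns that an AD domain name as the NTLM proxy address makes Windows
# attempt Kerberos instead; refuse that combination rather than misconfigure.
if ($Mode -eq 'NTLM' -and $ProxyHost -like "*.$AdDnsSuffix") {
    throw "NTLM mode: use the UserGate IP address, not a name under $AdDnsSuffix"
}

# Standard mode (Step 7 / Step 10): mandatory proxy for the browser.
Set-ItemProperty -Path $InetSettings -Name ProxyEnable -Type DWord  -Value 1
Set-ItemProperty -Path $InetSettings -Name ProxyServer -Type String -Value "${ProxyHost}:${ProxyPort}"

# Transparent mode (Step 8 / Step 11): "Automatic logon with current user name
# and password" is value 0 of setting 1A00 in each zone the guide lists:
# 1 = Local intranet, 2 = Trusted sites, 3 = Internet.
$AutoLogonCurrentUser = 0
foreach ($zone in 1, 2, 3) {
    $zonePath = Join-Path $InetSettings "Zones\$zone"
    Set-ItemProperty -Path $zonePath -Name '1A00' -Type DWord -Value $AutoLogonCurrentUser
}

# Read back what was written so the result can be verified on the workstation.
Get-ItemProperty -Path $InetSettings -Name ProxyEnable, ProxyServer
foreach ($zone in 1, 2, 3) {
    $v = (Get-ItemProperty -Path (Join-Path $InetSettings "Zones\$zone") -Name '1A00').'1A00'
    'Zone {0}: 1A00 = 0x{1:X8}' -f $zone, $v
}
```

With the Internet zone set to automatic logon, the browser answers NTLM challenges reached through the proxy without prompting, so keep the setting limited to the zones the guide names and deploy it centrally rather than by hand.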
6.4. Auth profiles¶
Auth profiles allow you to specify a set of authentication methods and parameters for users and then apply this set to various subsystems of UserGate, such as Captive portal, VPN, WEB PORTAL, and more. To create an authentication profile, go to Users and devices - Auth profiles, click Add and provide the following parameters:
Name | Description |
---|---|
Name | Name of the authentication profile. |
Description | Description of the authentication profile. |
MFA profile | A multi-factor authentication profile. This profile must be created beforehand in the MFA profiles section, if you are going to use multi-factor authentication together with a given authentication profile. MFA profiles define a delivery method for one-time passwords used in the second authentication method. For more details on how to set up MFA, please refer to the corresponding chapter below. Important! Multi-factor authentication is compatible only with authentication methods that allow users entering one-time passwords, i.e. when users explicitly enter their credentials in a web form on the login page. Therefore, multi-factor authentication is not possible for Kerberos and NTLM. |
Idle time | This parameter sets a timeout in seconds after which UserGate will move a user from Known users to Unknown users if the user is inactive (i.e. no network packets are sent from their IP address). |
Expiration time | This parameter sets a general timeout in seconds after which UserGate will move a user from Known users to Unknown users. After this timeout, a user will have to authorize again on the Captive portal. |
Maximum auth attempts | Allowed number of failed attempts to authorize through the Captive portal before temporarily blocking a user account. |
Authentication lockout time | A period of time for which a user account will be locked after exceeding the allowed number of failed attempts to authorize. |
Authentication methods | Previously created authentication methods for users, e.g. through Active Directory authentication servers. If multiple authentication methods are provided, they will be used in the same order as listed in the console. When using the NTLM authentication method, it is not possible to add other authentication methods. |
6.5. Configuring a Captive portal¶
A Captive portal allows you to authorize Unknown users by means of Active Directory, Radius, TACACS+, SAML IDP, Kerberos or a local user database. In addition, you can allow users to register on their own in your Captive portal and confirm their registrations via SMS or by email.
Please keep in mind the following:
- Identified users, e.g. those with assigned IP addresses in the properties as well as those identified via authentication agents of the Windows terminal servers, do not need to authorize on the Captive portal. Such users are treated as Known users and therefore do not need any additional identification.
- Authentication via the Captive portal is possible only via HTTP and HTTPS. For example, if you have created a firewall rule to allow the Internet access via FTP only to the Known users, then users will gain the Internet access only after identification, i.e. after they launch their web browser and authorize on the Captive portal.
- If the Captive portal uses authentication via Active Directory, then a user must enter their domain name in the DOMAIN\username or username@domain format as their username.
To configure the Captive portal, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new authentication method, e.g. authentication via the Active Directory domain | In the UserGate console, go to the Users and devices-->Authentication servers section, click Add and then create a new authentication server. |
Step 2. Create an authentication profile and add all authentication methods that you need. | In the UserGate console, go to Users and devices-->Auth profiles, click Add and create an authentication profile using the previously created authentication method. |
Step 3. Create a new Captive profile and specify the auth profiles you want to use | In the UserGate console, go to the Users and devices-->Captive profiles section, click Add and then create a new captive profile based on the previously created authentication profile. |
Step 4. Create a new rule for the Captive portal | A Captive portal rule defines a traffic to which the user identification methods specified in the Captive profile should be applied. In the UserGate console, go to the Users and devices-->Captive portal section, click Add and then create a new rule for the Captive portal. |
Step 5. Configure DNS records for domains auth.captive and logout.captive | Special domain names auth.captive and logout.captive are used internally by UserGate for users’ authentication. Nothing should be done if users use UserGate as DNS server. If another server is used, then these two domains should be resolved to the IP address of UserGate which is connected to users’ network. Alternatively, it is possible to configure Captive portal auth domain and Captive portal logout domain. For more details refer to General settings section of this manual. |
For more information on how to create authentication methods, please refer to the previous chapters. Let's consider creation of a new Captive profile and rules for the Captive portal in more detail.
To create a new Captive profile, click Add in the Captive profiles section and specify the following parameters:
Name | Description |
---|---|
Name | Name of the Captive profile |
Description | Description of the Captive profile |
Auth page template | Select an authentication page template. You can create authentication pages in the Libraries/Response pages section. If you want to allow users to register on their own with subsequent SMS/email confirmation, then choose a template of the corresponding type (Captive portal: SMS auth / Captive portal: Email auth). |
Authentication mode | Defines how UserGate should remember a user. Two options are possible: |
Authentication profile | The previously created authentication profile that defines authentication methods |
Redirect URL | URL to which a user will be redirected after successful authentication on the Captive portal. When not set, the user will be redirected to the URL they initially requested. |
Allow browsers to keep auth | Enables saving of authentication sessions in browsers for the specified period in hours. The authentication data is stored in cookie files. |
Show AD/LDAP domain selector on Captive portal page | If you use Active Directory as the authentication method, then a user will be able to select a domain name from the list on the authentication page when this parameter is enabled. When this parameter is disabled, a user must specify the target domain in the DOMAIN\username or username@domain format. |
Show CAPTCHA | When this option is enabled, users will be asked to enter a code displayed on the login page of the Captive portal. This option is recommended for protection against bots trying to brute-force user passwords. |
HTTPS for auth page | Use HTTPS encryption for Captive portal authentication pages. A Captive portal SSL certificate must be configured beforehand. For more information about certificates, please refer to the Managing certificates chapter. |
To allow users to register on their own with subsequent confirmation via SMS or email, configure the parameters on the Guest users registration tab. Please keep in mind that you should use a template of the corresponding type (Captive portal: SMS auth / Captive portal: Email auth).
Name | Description |
---|---|
Notification profile | Notification profile that will be used for sending information about the created user and password. You can choose between two notification types - SMS and email. For more details on how to create a notification profile, please refer to Notifications. |
Notification from | Specify on whose behalf the message will be sent |
Notification subject | Subject of the notification (for email notifications only) |
Notification body | Body of the message. You can use special variables {login} and {password} in the text which will be automatically replaced with the actual username and password. |
Guest users expiration date | Date and time when the guest user's account will be disabled |
Guest user TTL | Time period since the first authentication of the guest user after which the corresponding account will be disabled |
Password length | Password length for created users |
Password complexity | Password complexity for created users. Can be: |
Groups | Group for guest users in which they are stored. For more details on groups for guest users, please refer to Groups. |
To create a new rule for the captive portal, click Add in the rules section of the Captive portal and then specify the following parameters:
Name | Description |
---|---|
Name | Name of the rule for the Captive portal |
Description | Description of the rule for the Captive portal |
Captive profile | Select the Captive profile you have previously created. You can also enable the Skip captive portal page option if you don't want to use any authentication method. |
Enable logging | Logs information when the rule is triggered. |
Source | Addresses of the source. You can specify a certain zone, such as Trusted, or an IP range as the source. You can also use IP addresses of countries (Geo-IP). |
Destination | You can specify a certain zone, such as Trusted, or an IP range as the destination. You can also use IP addresses of countries (Geo-IP). |
Categories | Categories of URL filtering for which the rule will be applied. Note that URL filtering requires the corresponding license. |
URLs | Lists of URLs for which the rule will be applied. |
Time | Time period when the rule will be active |
Thus, by creating several rules for the Captive portal, you can set up multiple user identification policies for various zones, addresses and time periods.
Important! Conditions specified on the rule's tab are applied according to the AND logic, i.e. the rule will be triggered only when all these conditions are met. If you want to use the OR logic, then you should create multiple rules.
Important! Rules are applied in the same order as they are displayed in the console. You can change the order using the corresponding buttons.
Important! When processing rules, the system applies only the first triggered rule.
To log in with another account or to log out, open http://logout.captive or http://UserGate_IP_address:8002/cps in your web browser and click Log out.
6.6. MFA profiles (multi-factor authentication)¶
Multi-factor authentication is a user identification method that combines two or more different types of authentication data. The additional factor gives accounts better protection against unauthorized access, since a stolen password alone is no longer enough to log in.
UserGate supports multi-factor authentication with user credentials as the first factor and any of the following as the second factor:
- TOTP (Time-based One-Time Password) token. A TOTP token generates a time-based one-time password; for details on TOTP, see https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm. The token can be a hardware device or a software authenticator installed on the user's smartphone, such as Google Authenticator.
- SMS. One-time passwords are delivered by SMS. Each user must have a phone number specified in their local UTM account or in their Active Directory domain account.
- Email. One-time passwords are delivered by email. Each user must have an email address specified in their local UTM account or in their Active Directory domain account.
To set up multi-factor authentication, perform the following steps:
Name | Description |
---|---|
Step 1. Set up authentication using the Captive portal. | Multi-factor authentication is supported only when users authorize through the Captive portal. Please refer to Section Configuring a Captive portal. |
Step 2. Create a multi-factor authentication profile. | In the console, go to Users and devices-->MFA profiles and create a multi-factor authentication profile, specifying how the second factor is delivered. Three delivery types are available (TOTP, SMS and email); their parameters are described below. |
For MFA by TOTP, make sure to provide the following parameters:
Name | Description |
---|---|
Name | Name of the MFA profile. |
Description | Description of the MFA profile. |
TOTP initialization | To obtain TOTP tokens, make sure to initialize the hardware or software on the client side. To do this, enter a unique key in the hardware or software on the client side. You can send the initial code for TOTP initialization in any of the following ways:
|
Display a QR code | Displays a QR code on the Captive portal page or in the email message to simplify setting up the TOTP token or authenticator application on the client side. |
If a user has lost their token, the administrator can require them to initialize a new TOTP key: select the user in Users and devices-->Users and choose Reset the TOTP key. At the next authentication the user is asked to initialize their token again. Because whoever completes that next authentication with the user's credentials enrolls the new token, verify the user's identity out of band before resetting the key.
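The code below is an added example, not UserGate's implementation, of the TOTP mechanism the profile relies on: key generation of the kind a Reset the TOTP key action produces, the otpauth URI that authenticator applications read from a QR code, RFC 4226/6238 code generation, and verification with a clock-drift window that still refuses a time step that has already been accepted. The issuer label "UserGate" and the six-digit, 30-second parameters are assumptions; the test secret is the RFC 6238 reference key, used as constructed input.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

# RFC 6238 reference secret (ASCII "12345678901234567890"), constructed test input
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def new_totp_secret(nbytes=20):
    """Generate a fresh shared key (base32), e.g. after a 'Reset the TOTP key'."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def otpauth_uri(secret_b32, account, issuer="UserGate"):
    """otpauth:// URI that authenticator apps read from a QR code.
    The issuer label is an assumption, not a UserGate setting."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits)


def verify_totp(secret_b32, code, at=None, period=30, digits=6, window=1, last_counter=-1):
    """Verify a submitted code.

    Accepts codes from `window` steps on either side of the current step to
    tolerate clock drift, but never a counter at or below `last_counter`, so a
    code that was already accepted cannot be replayed inside the window.
    Returns the matched counter (store it as the new last_counter), or None.
    """
    at = time.time() if at is None else at
    current = int(at // period)
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return counter
    return None
```

A server that stores the counter returned by `verify_totp` per user and passes it back as `last_counter` gets replay protection that a bare "code matches within the window" check lacks.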
For MFA by SMS, make sure to provide the following parameters:
Name | Description |
---|---|
Name | Name of the MFA profile |
Description | Description of the MFA profile |
Auth delivery profile | SMPP profile used to send passcodes by SMS. For details on setting up SMS delivery, see Notifications |
From | Sender on whose behalf the message is sent |
Body | Body of the message. Use the variable {2fa_auth_code} in the text; it is automatically replaced with the actual passcode. |
Auth code lifetime | Lifetime of the passcode |
For MFA over email, make sure to provide the following parameters:
Name | Description |
---|---|
Name | Name of the MFA profile |
Description | Description of the MFA profile |
Auth delivery profile | SMTP profile used to send passcodes by email. For details on setting up email delivery, see Notifications |
From | Sender on whose behalf the message is sent |
Subject | Subject of the notification |
Body | Body of the message. Use the variable {2fa_auth_code} in the text; it is automatically replaced with the actual passcode. |
Auth code lifetime | Lifetime of the passcode |
6.7. Users of terminal servers¶
A terminal server provides services to remote users via remote desktop or console sessions; a single server often serves tens or even hundreds of users. Such users are hard to identify, since they all share the server's IP address and UserGate cannot attribute their network connections to individual users. To address this, use the terminal server agent.
The terminal server agent must be installed on every terminal server whose users you want to identify. The agent is a service that sends information about users and their network connections from the terminal server to the UserGate server. Because all users share one IP address, a connection can be attributed to a user only by its TCP or UDP port, so the agent identifies user traffic only at the level of the TCP and UDP protocols. Traffic in other protocols, such as ICMP, cannot be attributed to a user.
An Active Directory connector is required for correct identification of terminal server users.
To set up the user identification on terminal servers, perform the following steps:
Name | Description |
---|---|
Step 1. Allow the Authorization agent service in the required zone. | Go to Network-->Zones, edit the access control parameters for the zone where terminal servers reside and allow the Authorization agent service in this zone. |
Step 2. Set a password for terminal server agents | In the UserGate console, go to Users and devices-->Terminal servers, click Configure and set the password that the agents will use to authenticate to UserGate. |
Step 3. Install the terminal server agent | Install the terminal server agent on all servers whose users you want to identify. During installation, specify the IP address of the UserGate server and the password set in the previous step. |
Step 4. Enable the required servers in the UserGate console | Once the agents are installed, the UserGate console displays the list of terminal servers. Click Enable or Disable to turn identification of users from the selected server on or off. |
UserGate now receives information about terminal server users.
All IP addresses assigned to the terminal server are used for user authentication. To exclude some addresses, edit the configuration file C:\ProgramData\Entensys\Terminal Server Agent\tsagent.cfg and list them as follows:
ExcludeIP=IP1;IP2
6.8. Authentication agent for Windows¶
The authentication agent is another identification method, for users working on Windows in an Active Directory environment. The agent is a service that sends user information, such as the username and IP address, to the UserGate server, so that all of the user's network connections can be identified without any additional identification method. To set up user identification with the authentication agent, perform the following steps:
Name | Description |
---|---|
Step 1. Allow the Authorization agent service in the required zone. | Go to Network-->Zones, edit the access control parameters for the zone where users reside and allow the Authorization agent service in this zone. |
Step 2. Set a password for the agents | In the UserGate console, go to Users and devices-->Terminal servers, click Configure and set the password. The authentication agent uses the same password as the terminal server agent. |
Step 3. Install the authentication agent | Install the authentication agent through Active Directory group policy on all PCs whose users you want to identify. The agent is supplied with an administrative template for deployment through Active Directory policies; with it, administrators can roll out a pre-configured agent to a large number of workstations at once. The template lets you set the IP address and port of the UserGate server and the password set in the previous step. For details on deploying software through Active Directory policies, refer to Microsoft documentation. Alternatively, install the authentication agent manually and provide the required settings in the following registry keys: [HKEY_CURRENT_USER\Software\Policies\Entensys\Auth Client] "ServerIP"="" "ServerPort"="1813" "SharedKey"="" |
UserGate now receives information about users. If an Active Directory connector is configured, all user names from Active Directory are available in the system. If the list of users is not available in UserGate, you can still use Known users and Unknown users in UserGate rules.
6.9. Proxy agent for Windows¶
For Windows users, Internet access can be provided through an explicitly specified proxy server even for applications that cannot work with a proxy directly. You may also need to give such applications Internet access when UserGate is not the default gateway of the user workstations. In both cases, use the proxy agent: it forwards all TCP connections not destined for local addresses to UserGate, which acts as the proxy server for them.
Important! The proxy agent does not authenticate users on UserGate. If authentication is required, set up a user identification method, e.g. install the authentication agent for Windows.
The proxy agent can be installed either manually or through Active Directory policies.
For manual installation, create a text file named utmagent.cfg in C:\Documents and Settings\All Users\Application Data\Entensys\UTMAgent\ with the following contents, replacing the UserGate address and local networks with your own:
ServerName=10.255.1.1
ServerHttpPort=8090
LocalNetwork=192.168.1.0/24; 192.168.0.0/24; 192.168.30.0/24;
After creating or modifying the configuration file, restart the proxy agent service.
The proxy agent is supplied with an administrative template for deployment through Active Directory group policies (GPO). With it, administrators can roll out a pre-configured agent to a large number of workstations at once. For details on deploying software through Active Directory policies, refer to Microsoft documentation.
All parameters required for the proxy agent to operate are set in the group policy. They are written to the Registry on the workstation and take priority over the CFG file. Removing the agent through a policy does not remove these values from the Registry; they remain in the following key, so delete them manually if the workstation is later to be configured from the CFG file:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Entensys\UTMAgent
6.10. Guest portal¶
In UserGate, you can create lists of guest users. This is especially useful for hotels and public Wi-Fi networks with Internet access, when it is necessary to identify users and provide them access for a limited period of time.
Guest users can be created by network administrators in advance, or they can register on their own with subsequent confirmation by SMS or email.
To create a new list of guest users, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new administrator of guest users (optional) | For more details on how to create UserGate administrators, please refer to the corresponding section. |
Step 2. Create a new group for guest users. This group will allow you to manage access policies for transient users | In the UserGate console, go to the Groups section, click Add and then create a new group with the Group for guest users option enabled. For more details on how to create user groups, please refer to the corresponding section of the Guide. |
Step 3. Connect to the guest portal console | Open https://IP_UserGate:8001/ta in your web browser and log in with the username and password of a device administrator or of the guest user administrator created in Step 1. |
Step 4. Create a new list of users | Click Create in the console and fill in the following fields:
|
You can view the created users in the Users list section of the guest user management console.
To allow users to register in the system on their own, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new SMPP notification profile (for SMS confirmations) or SMTP notification profile (for email confirmations) | In the Notifications section, go to the Notification profiles, click Add and then create a new SMPP or SMTP notification profile. For more details on how to create a notification profile, please refer to Notification profiles |
Step 2. Create a new group for guest users. This group will allow you to manage access policies for transient users | In the UserGate console, go to the Groups section, click Add and then create a new group with the Group for guest users option enabled. For more details on how to create user groups, please refer to the corresponding section of the Guide. |
Step 3. Create a new Captive profile that uses the notification profile you created for guest users | In Users and devices, go to Captive profiles, create a new profile and select the previously created notification profile. In the authentication page field, specify Captive portal: email auth or Captive portal: SMS auth depending on the confirmation method. Set the notification text, the group for guest users and the period for which the new account is valid. For more details on Captive profiles, please refer to Configuring a Captive portal. |
Step 4. Create a new Captive portal rule with the Captive profile that you have created on the previous step | In the Users and devices section, go to the Captive portal and create a new rule. Use previously created Captive profile. For more details on how to create Captive portal rules, please refer to Configuring a Captive portal. |
6.11. RADIUS accounting¶
UserGate can update users' IP addresses from the RADIUS accounting information sent by RADIUS servers. This is convenient when integrating UserGate into ISP networks that assign dynamic IP addresses to users. To update user IP addresses, perform the following steps:
Name | Description |
---|---|
Step 1. Add a user to UserGate | Add the necessary local users to UserGate. Refer to the Users section. |
Step 2. Allow the Authorization agent service in the required zone | Go to Network-->Zones and select the zone whose interface will receive the RADIUS accounting packets. Allow the Authorization agent service in that zone. For details on zones, see Configuring zones. |
Step 3. Set a password for the terminal server agent | Go to Terminal servers, click Settings and set the terminal server agent password. This password is used as the RADIUS shared secret when configuring the RADIUS server. |
Step 4. Set up the RADIUS server | On the RADIUS server, configure sending of accounting information to UserGate: specify the UserGate IP address as the server address and UDP port 1813, and use the password from the previous step as the RADIUS secret. Configure the server to send the user name in the User-Name attribute (type=1) and the IP address in the Framed-IP-Address attribute (type=8). For details, refer to the documentation for your RADIUS server. Accounting requests are protected only by an MD5 hash computed over the shared secret, so use a long random secret and allow the Authorization agent service only in the zone where the RADIUS server resides. |
UserGate will then update user IP addresses from the accounting data received from the server, as follows:
Received data | UserGate action |
---|---|
The RADIUS server sent a user name that does not exist in UserGate | UserGate responds 'Accounting reject' to the accounting request. |
The RADIUS server sent a user name that exists in UserGate with 'Acct-Status-Type' = 'Start' or 'Interim-Update' | The received IP address is assigned to that user. If the user already has another IP address, the user now has two or more addresses. If the user already has this address, nothing changes. If the address is currently assigned to another user, it is removed from that user and assigned to the user named in the request. |
The RADIUS server sent a user name that exists in UserGate with 'Acct-Status-Type' = 'Stop' | The received IP address is removed from that user. |
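As an added example (not UserGate code), the following Python builds an Accounting-Request the way a RADIUS server would send it to UserGate, validates the Request Authenticator against the shared secret as the receiver must, and applies the Start/Interim-Update/Stop behaviour from the table above to a user-to-IP map. The user names, addresses and secret are constructed; the attribute types and authenticator computation follow RFC 2865/2866.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2865/2866 constants
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1             # User-Name (type=1)
ATTR_FRAMED_IP_ADDRESS = 8     # Framed-IP-Address (type=8)
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


def _attribute(attr_type, value):
    """Type-Length-Value encoding; length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, secret, user_name, framed_ip, status_type):
    """Build an Accounting-Request as the RADIUS server would send it to UserGate."""
    attrs = (
        _attribute(ATTR_USER_NAME, user_name.encode())
        + _attribute(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
        + _attribute(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status_type))
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length + 16 zero bytes + Attributes + Secret):
    # the only integrity protection an accounting packet has.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_request(packet, secret):
    """Validate the authenticator and decode attributes into {type: raw bytes}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs_raw = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs_raw + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    attrs, pos = {}, 0
    while pos < len(attrs_raw):
        if pos + 2 > len(attrs_raw):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs_raw[pos], attrs_raw[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs_raw):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = attrs_raw[pos + 2:pos + attr_len]
        pos += attr_len
    return identifier, attrs


def apply_accounting(mapping, known_users, attrs):
    """Update user -> set of IPs following the behaviour in the table above."""
    user = attrs[ATTR_USER_NAME].decode()
    if user not in known_users:
        return "rejected"                        # unknown user name: request rejected
    ip = socket.inet_ntoa(attrs[ATTR_FRAMED_IP_ADDRESS])
    status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
    if status in (ACCT_START, ACCT_INTERIM_UPDATE):
        for other, ips in mapping.items():       # an IP belongs to one user at a time
            if other != user:
                ips.discard(ip)
        mapping.setdefault(user, set()).add(ip)  # a user may hold several IPs
    elif status == ACCT_STOP:
        mapping.get(user, set()).discard(ip)
    return "accepted"


def authenticator_valid(packet, secret):
    try:
        parse_accounting_request(packet, secret)
        return True
    except ValueError:
        return False


def demo_sequence(secret=b"constructed-shared-secret"):
    """Constructed sequence of accounting events; returns (final mapping, per-request results)."""
    mapping, known = {}, {"alice", "bob"}
    events = [
        ("alice", "10.20.30.40", ACCT_START),
        ("bob", "10.20.30.40", ACCT_START),           # IP moves from alice to bob
        ("alice", "10.20.30.41", ACCT_INTERIM_UPDATE),
        ("alice", "10.20.30.41", ACCT_STOP),
        ("carol", "10.20.30.42", ACCT_START),         # unknown user
    ]
    results = []
    for ident, (user, ip, status) in enumerate(events):
        packet = build_accounting_request(ident, secret, user, ip, status)
        _, attrs = parse_accounting_request(packet, secret)
        results.append(apply_accounting(mapping, known, attrs))
    return mapping, results
```

A packet with a wrong secret or a single flipped attribute byte fails the authenticator check before any mapping is touched, which is why the shared secret and the zone restriction in Step 2 are what keep a host on the network from reassigning IP addresses to arbitrary users.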
6.12. BYOD policies¶
Many companies allow employees to work from their own devices and PCs ("Bring Your Own Device", BYOD). UserGate lets network administrators manage BYOD devices, e.g. by limiting Internet access by device type, by the number of simultaneous devices per user, or by a specific device model.
Important! BYOD management requires properly configured authentication of users via the Captive portal. Note that BYOD policies cannot be applied to user devices that are not authorized via the Captive portal. For more details on the Captive portal, please refer to Configuring a Captive portal.
To set up BYOD management, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new rule for the Captive portal | For more details on how to create rules of the Captive portal, please refer to Configuring a Captive portal . |
Step 2. Create a new BYOD policy | Create one or more BYOD policy rules |
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! If no rules have been created, then all device types will be allowed.
To create a new rule for the BYOD policy, click Add in the BYOD policies section and then specify the following parameters:
Name | Description |
---|---|
Name | Name of the BYOD policy rule |
Comment | Description of the BYOD policy rule |
Action | Allow: permit connections from devices that meet the rule's criteria. Deny: block connections from devices that meet the rule's criteria. |
Administrator’s approval required | Applicable to "allow" rules only. When this option is enabled, each user device successfully authorized for the first time via the Captive portal will be added to the list of BYOD devices, but the Internet access will not be available until your network administrator confirms the device. |
Maximum total devices | Applicable to "allow" rules only. Maximum number of devices per user for Internet access. This parameter is not applicable to rules containing Known, Unknown or Any users. |
Maximum active devices | Applicable to "allow" rules only. Maximum number of simultaneous devices per user for Internet access. This parameter is not applicable to rules containing Known, Unknown or Any users. |
Users/Groups | List of users and groups of users to which this BYOD policy rule is applied. |
Device type | Device type to which this BYOD policy rule is applied. |
Devices from which users connect to your network are listed in Users and devices-->BYOD devices. Administrators can block or allow access from a particular device by selecting it in the list and clicking Disable or Enable. From here you can also approve a device when the BYOD policy requires administrator approval.
7. Network policies¶
The Network policies section contains four subsections:
- Firewall
- NAT & routing
- Load balancing
- Traffic shaping
Using network policies, your network administrators will be able to organize Internet access for users, publish internal resources on the Internet, and efficiently balance network bandwidth between services and applications.
Important! Rules created in these sections are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom.
To grant Internet access to users, perform the following:
Name | Description |
---|---|
Step 1. Create a NAT rule | Please refer to NAT rules. |
Step 2. Create an "allow" firewall rule | Please refer to the Firewall section. |
To publish an internal resource on the Internet, perform the following:
Name | Description |
---|---|
Step 1. Create a DNAT rule or reverse-proxy rule | Please refer to DNAT rules and Publication of HTTP/HTTPS resources using the reverse proxy. |
To set up the Internet access via alternative ISP for certain service or address, perform the following:
Name | Description |
---|---|
Step 1. Create a Route rule | Please refer to Policy-based routing. |
To prohibit or allow certain type of traffic passing through UserGate, perform the following:
Name | Description |
---|---|
Step 1. Create a firewall rule | Please refer to the Firewall section. |
To distribute traffic to several internal servers, perform the following:
Name | Description |
---|---|
Step 1. Create a load balancing rule | For more details, please refer to Load balancing. |
To limit the bandwidth allocated to certain service or application, perform the following:
Name | Description |
---|---|
Step 1. Create a shaping rule | For more details, please refer to Traffic shaping. |
7.1. Firewall¶
Based on various firewall rules, network administrators can allow or prohibit any type of transit network traffic passing through UserGate. You can use zones, source/destination IP addresses, users, groups, services and applications as the matching criteria.
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
Important! When no rules are defined, the transit traffic cannot pass through UserGate.
To create a new firewall rule, click Add in the Network policies--> Firewall section and specify the following parameters.
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Description | Description of a rule |
Action | Deny: blocks the traffic. Allow: allows the traffic. |
Scenarios | A scenario that must be active for the rule to apply. For more details on scenarios, please refer to Scenarios. Important! A scenario is an additional condition: if it is not active (i.e. one or more of its triggers have not fired), the rule is not applied. |
Enable logging | Logs information about traffic when a rule is triggered. The following modes can be used:
|
Apply rule to |
|
Source | Zone(s) and IP addresses of the traffic source |
Users | Users and user groups to which this rule applies. The special Any, Unknown and Known user types can also be used. To apply rules to individual users or to Known users, authentication must be set up. For details on user identification, please refer to Users and devices. |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Service | Service type, e.g. HTTP or HTTPS |
Application | List of applications to which this rule will be applied. |
Time | Time ranges when rule is active. |
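The following Python is an added example, not UserGate code, of the evaluation semantics shared by the Captive portal rules described earlier and by firewall rules: the conditions of one rule are ANDed, an unset condition matches anything, Negate inverts a single condition, rules are tried top to bottom and only the first match applies, and with no matching rule transit traffic is denied. The zones, networks, services, packets and rule names are constructed; `shadowed_order` shows how moving a broad allow above a specific Negate deny silently changes the verdict for the same packet.

```python
import ipaddress
from dataclasses import dataclass


def _value_matches(field_name, rule_value, packet_value):
    """Match one rule value against one packet field; IP fields use network containment."""
    if field_name in ("src_ip", "dst_ip"):
        return ipaddress.ip_address(packet_value) in ipaddress.ip_network(rule_value)
    return rule_value == packet_value


@dataclass
class Condition:
    values: tuple = ()      # empty = "any", like a tab left unset in the console
    negate: bool = False    # the Negate checkbox: logical NOT of this tab's match

    def matches(self, field_name, packet_value):
        if not self.values:
            return True
        hit = any(_value_matches(field_name, v, packet_value) for v in self.values)
        return (not hit) if self.negate else hit


@dataclass
class Rule:
    name: str
    action: str             # "Allow" or "Deny"
    conditions: dict        # field -> Condition; all tabs are ANDed
    enabled: bool = True

    def matches(self, packet):
        return self.enabled and all(c.matches(f, packet[f]) for f, c in self.conditions.items())


def evaluate(rules, packet):
    """First-match evaluation, top to bottom. With no matching rule, transit traffic is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "Deny", None


def example_rules():
    """Constructed rule set: specific rules first, broad ones last."""
    return [
        Rule("Block guest Wi-Fi to servers", "Deny", {
            "src_ip": Condition(("192.168.50.0/24",)),
            "dst_ip": Condition(("10.0.0.0/8",)),
        }),
        Rule("LAN to Internet", "Allow", {
            "src_zone": Condition(("Trusted",)),
            "dst_zone": Condition(("Untrusted",)),
        }),
        # Negate turns "service is HTTPS" into "service is NOT HTTPS"
        Rule("Only HTTPS to DMZ", "Deny", {
            "dst_zone": Condition(("DMZ",)),
            "service": Condition(("HTTPS",), negate=True),
        }),
        Rule("Trusted to DMZ", "Allow", {
            "src_zone": Condition(("Trusted",)),
            "dst_zone": Condition(("DMZ",)),
        }),
    ]


def shadowed_order(rules):
    """The same rules with the broad allow moved above the specific Negate deny."""
    return [rules[0], rules[1], rules[3], rules[2]]


def example_packets():
    """Constructed traffic samples keyed by a short description."""
    return {
        "guest_web": dict(src_zone="Trusted", src_ip="192.168.50.10",
                          dst_zone="Untrusted", dst_ip="8.8.8.8", service="HTTPS"),
        "guest_ssh_dmz": dict(src_zone="Trusted", src_ip="192.168.50.10",
                              dst_zone="DMZ", dst_ip="10.1.1.5", service="SSH"),
        "lan_ssh_dmz": dict(src_zone="Trusted", src_ip="192.168.1.20",
                            dst_zone="DMZ", dst_ip="10.1.1.5", service="SSH"),
        "lan_https_dmz": dict(src_zone="Trusted", src_ip="192.168.1.20",
                              dst_zone="DMZ", dst_ip="10.1.1.5", service="HTTPS"),
        "inbound": dict(src_zone="Untrusted", src_ip="203.0.113.9",
                        dst_zone="Trusted", dst_ip="192.168.1.20", service="HTTPS"),
    }
```

Running `evaluate(shadowed_order(example_rules()), example_packets()["lan_ssh_dmz"])` returns an Allow from the broad rule, whereas the intended order returns the Negate deny: the rule list did not change, only its order, which is the practical meaning of the ordering notes in this section.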
7.2. NAT and routing¶
Using NAT and routing rules, network administrators create rules for NAT, DNAT and routing. UserGate supports NAT/DNAT for complex protocols that use dynamic ports: FTP, PPTP, SIP and H.323.
7.2.1. NAT rules¶
In most cases, providing Internet access to users requires at least one NAT rule from the Trusted zone to the Untrusted zone.
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
To create a new NAT rule, click Add in the Network policies--> NAT and routing section and specify the following parameters. A rule is triggered only when all its criteria are met.
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Comment | Description of a rule |
Type | Select NAT |
Enable logging | Logs information about traffic when the rule is triggered. It is recommended to enable the logging limit to avoid high system utilization. The following modes can be used:
|
SNAT IP address (external IP) | The IP address used as the source address of translated packets. Relevant when several IP addresses are assigned to the interfaces of the destination zone. If the field is empty, an arbitrary address of the destination zone is used. For better firewall performance, specify the SNAT IP address explicitly. |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Services | Service type, e.g. HTTP, HTTPS, etc. |
Important! It is recommended that you create global NAT rules, e.g. a single NAT rule from your local network (i.e. Trusted zone) to the Internet (i.e. Untrusted zone), and then define access policies for users, services and applications through firewall rules.
7.2.2. DNAT rules¶
The DNAT rules are designed for publishing internal network resources on the Internet. For publication of HTTP/HTTPS servers, it is recommended that you use publication based on the reverse proxy rules. For more details on publication of resources using reverse proxy rules, please refer to the Publication of HTTP/HTTPS resources using the reverse proxy section. For publication of non-HTTP/HTTPS servers, consider using DNAT.
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
To create a new DNAT rule, click Add in the Network policies--> NAT and routing section and specify the following parameters.
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Comment | Description of a rule |
Type | Select DNAT |
Enable logging | Logs information about traffic when a rule is triggered. The following modes can be used:
|
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination | One of UserGate's public IP addresses to which external clients send their traffic. |
Services | Type of service to publish, e.g. HTTP. If no services are specified, all services are published; specify them explicitly so that only the intended ports are exposed. Important! The following ports are reserved for UserGate internal use and cannot be used in services: 2200, 8001, 4369, 9000-9100. |
DNAT target IP | IP address of the internal host to publish on the Internet. |
Enable SNAT | When enabled, UserGate replaces the source address of packets coming from the external network to the published server with its own IP address. The published server then sees UserGate's address rather than the real client address in its logs. |
7.2.3. Port forwarding rules¶
Port forwarding rules are similar to DNAT rules, except that these rules allow you to modify the port number for publication of an internal service. To create a port forwarding rule, click Add in Network policies-->NAT and routing and then provide the necessary parameters.
Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its specific conditions are met will be applied. Therefore, make sure to place more specific rules above the more common ones in the list. Use the Up/Down buttons to change the order of rules in the list.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
Name | Description |
---|---|
On/Off | Enable or disable the rule |
Name | Name of the rule |
Comment | Description of the rule |
Type | Select Port forwarding |
Enable logging | Logs information about traffic when a rule is triggered. The following modes can be used:
|
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Port forwarding | Modify the ports of the published services:
|
DNAT destination address | IP address of the internal host (in the local area network) that is published on the Internet. |
Enable SNAT | When enabled, UserGate replaces the source address of packets from external networks with its own IP address. |
7.2.4. Policy-based routing¶
Policy-based routing rules let you specify a dedicated Internet route for certain hosts and/or services. Suppose your company uses two ISPs and you want all HTTP/HTTPS traffic sent via ISP1 and all other traffic via ISP2. Set the ISP2 gateway as the default gateway and create a rule that forwards all HTTP/HTTPS traffic to the ISP1 gateway.
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
To create a new routing rule, click Add in the Network policies--> NAT and routing section and specify the following parameters.
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Comment | Description of a rule |
Type | Select Policy-based routing |
Enable logging | Logs information about traffic when a rule is triggered. The following modes can be used:
|
Gateway | Select an existing gateway. You can add more gateways in Network-->Gateways. |
Source | A source zone and/or a list of source IP or MAC addresses for the traffic. |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Services | Service type, e.g. HTTP, HTTPS, etc. |
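The two ordering notes above (first matching rule wins, every condition must hold, Negate inverts a condition) are easy to get wrong when a broad rule sits above a specific one. The following Python model is an added example, not UserGate code: it evaluates a constructed two-ISP rule list the way the manual describes, shows how a broad rule placed first shadows the HTTP/HTTPS rule, and includes a small check that reports rules which never fire for a set of sample flows. Zone names, service labels and gateway names are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Condition:
    """One rule criterion: the set of values it accepts, optionally negated (the Negate checkbox)."""
    values: set
    negate: bool = False

    def matches(self, value) -> bool:
        hit = value in self.values
        return (not hit) if self.negate else hit

@dataclass
class Rule:
    """A policy-based routing rule: every non-None condition must hold (logical AND)."""
    name: str
    gateway: str
    source_zone: Optional[Condition] = None
    destination_zone: Optional[Condition] = None
    service: Optional[Condition] = None
    enabled: bool = True

    def matches(self, packet: dict) -> bool:
        if not self.enabled:
            return False
        for attr in ("source_zone", "destination_zone", "service"):
            cond = getattr(self, attr)
            if cond is not None and not cond.matches(packet[attr]):
                return False
        return True

def select_gateway(rules, packet, default_gateway="ISP2"):
    """First-match evaluation, top to bottom; returns (gateway, rule name or None for the default)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.gateway, rule.name
    return default_gateway, None

def never_matching(rules, sample_packets):
    """Names of rules that fire for none of the sample packets: a quick shadowing check."""
    fired = {select_gateway(rules, p)[1] for p in sample_packets}
    return [r.name for r in rules if r.name not in fired]

# Constructed rules for the two-ISP example; ISP2 is the default gateway.
WEB_VIA_ISP1 = Rule("web-via-isp1", "ISP1",
                    source_zone=Condition({"Trusted"}), service=Condition({"HTTP", "HTTPS"}))
NON_WEB_VIA_ISP2 = Rule("non-web-via-isp2", "ISP2",
                        source_zone=Condition({"Trusted"}),
                        service=Condition({"HTTP", "HTTPS"}, negate=True))  # Negate: NOT web
ALL_VIA_ISP2 = Rule("all-via-isp2", "ISP2", source_zone=Condition({"Trusted"}))

RULES_CORRECT = [WEB_VIA_ISP1, ALL_VIA_ISP2]    # specific rule first
RULES_SHADOWED = [ALL_VIA_ISP2, WEB_VIA_ISP1]   # broad rule first: the web rule never fires

# Constructed sample flows.
HTTPS_PACKET = {"source_zone": "Trusted", "destination_zone": "Untrusted", "service": "HTTPS"}
DNS_PACKET = {"source_zone": "Trusted", "destination_zone": "Untrusted", "service": "DNS"}

if __name__ == "__main__":
    for label, rules in (("correct", RULES_CORRECT), ("shadowed", RULES_SHADOWED)):
        print(label, select_gateway(rules, HTTPS_PACKET),
              never_matching(rules, [HTTPS_PACKET, DNS_PACKET]))
```

Running `never_matching` over a representative set of flows before saving a rule list is a cheap way to catch the "broad rule on top" mistake the manual warns about.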
7.2.5. Network mapping¶
The network mapping rules allow you to replace the address of the source or destination network. This may be useful when you have multiple networks with the same addressing, e.g. 192.168.1.0/24, and you want to merge them into a single network with common routes. Such merging can be implemented only with replacement of addresses.
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
To create a new Network mapping rule, click Add in the Network policies--> NAT and routing section and specify the following parameters.
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Comment | Description of a rule |
Type | Select Network mapping |
Enable logging | Logs information about traffic when a rule is triggered. The following modes can be used:
|
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Services | Service type, e.g. HTTP, HTTPS, etc. |
Network mapping | Set the network replacement parameters. Direction:
New network/mask is the network address that will be used for replacement. |
7.3. Load balancing¶
UserGate supports load balancing for various services within a local network. Balancing can be provided for:
- Internal servers published on the Internet (DNAT)
- Internal servers that are not published
- Traffic sent to external ICAP servers or an ICAP farm
- Traffic sent to servers published through the reverse proxy
The balancer uses various techniques to dynamically allocate queries received on the IP address of a virtual server to IP addresses of physical servers. To set up balancing, create new balancing rules in the Network policies-->Load balancing section.
To create a balancing rule for TCP/IP servers, select Add a TCP/IP load balancer and provide the following parameters:
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Name of the balancing rule |
Description | Description of the balancing rule |
Virtual server IP | Select an IP address from the list of addresses assigned to UserGate network interfaces. If necessary, administrators can also add more IP addresses to any interface. |
Protocol | TCP or UDP for which you are going to perform load balancing |
Port | Port for which you are going to perform load balancing |
Scheduler | You can choose between 4 load balancing methods:
|
Real servers | Add a new pool of physical servers to which you are going to forward traffic. Specify the following parameters for each server:
|
Fallback | Failover mode is used when all physical servers are unavailable. To activate the fallback mode, enable it and then specify the following parameters:
|
Monitoring | Based on monitoring functionality, you can set up automatic health checking for physical servers. All servers that fail to pass the health check will be excluded from balancing. |
Mode | Monitoring method for physical servers. Possible values:
|
Check interval | Minimum time period between subsequent checks |
Check timeout | Maximum time period of waiting for a response |
Max failures | Number of failed attempts of physical server checking after which the server will be considered unavailable and therefore will be excluded from balancing. |
Important! Balancing rules have a higher priority and therefore are applied before NAT/DNAT/routing rules.
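The Real servers, Fallback and Monitoring parameters above describe a small state machine: a real server is dropped from the pool after Max failures consecutive failed checks, and the fallback pool is used only when every real server is down. The Python below is an added illustration of that bookkeeping, not UserGate's implementation; it uses plain round-robin as the scheduler (the manual lists four methods, whose names are not on this page), assumes that a later successful check re-admits an excluded server, and uses constructed server addresses.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class RealServer:
    address: str
    port: int
    consecutive_failures: int = 0
    available: bool = True

@dataclass
class Balancer:
    """Virtual-server front end for a pool of real servers with health-check bookkeeping."""
    servers: List[RealServer]
    max_failures: int = 3                                      # "Max failures" from the rule
    fallback: List[RealServer] = field(default_factory=list)   # used only when every real server is down
    rr_index: int = 0

    def server(self, address: str) -> RealServer:
        return next(s for s in self.servers if s.address == address)

    def record_check(self, address: str, ok: bool) -> None:
        """Feed one health-check result. max_failures consecutive failures exclude the server;
        a later successful check re-admits it (an assumption of this example)."""
        s = self.server(address)
        if ok:
            s.consecutive_failures = 0
            s.available = True
        else:
            s.consecutive_failures += 1
            if s.consecutive_failures >= self.max_failures:
                s.available = False

    def active_pool(self) -> List[RealServer]:
        healthy = [s for s in self.servers if s.available]
        return healthy if healthy else list(self.fallback)

    def next_server(self) -> Optional[str]:
        """Round-robin pick over the currently usable pool (one of several possible schedulers)."""
        pool = self.active_pool()
        if not pool:
            return None
        chosen = pool[self.rr_index % len(pool)]
        self.rr_index += 1
        return chosen.address

def make_demo_balancer() -> Balancer:
    # Constructed pool: three web back-ends and one fallback host.
    return Balancer(
        servers=[RealServer("10.0.0.11", 8080), RealServer("10.0.0.12", 8080),
                 RealServer("10.0.0.13", 8080)],
        max_failures=3,
        fallback=[RealServer("10.0.0.99", 8080)],
    )

def simulate(balancer: Balancer, check_results, requests: int) -> List[str]:
    """Apply a sequence of (address, ok) check results, then dispatch `requests` connections."""
    for address, ok in check_results:
        balancer.record_check(address, ok)
    return [balancer.next_server() for _ in range(requests)]

if __name__ == "__main__":
    lb = make_demo_balancer()
    print(simulate(lb, [("10.0.0.12", False)] * 3, 4))   # 10.0.0.12 excluded after 3 failures
```

When tuning Check interval, Check timeout and Max failures, note that the time to exclusion is roughly Max failures multiplied by the interval plus timeout; too small a Max failures value makes a single slow response take a healthy server out of rotation.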
The ICAP service balancer distributes the workload on external ICAP server farms, e.g. to an external server farm with the anti-virus software. Then this balancer can be used in ICAP rules. To create an ICAP server balancer, select Add an ICAP load balancer and provide the following parameters:
Name | Description |
---|---|
Enabled | Enable or disable the rule |
Name | Name of the balancing rule |
Description | Description of the balancing rule |
ICAP profiles | Select ICAP profiles of the servers to which the workload should be distributed. For more details on ICAP servers, please refer to section Integration with external ICAP servers. |
The reverse proxy server balancer distributes the workload on internal servers or server farms published using the reverse proxy rules. Then this balancer can be used in reverse proxy rules. To create a reverse proxy server balancer, select Add a reverse proxy load balancer and provide the following parameters:
Name | Description |
---|---|
Enabled | Enable or disable the rule |
Name | Name of the balancing rule |
Description | Description of the balancing rule |
Reverse proxy profiles | Select reverse proxy profiles of the servers to which the workload should be redistributed. For more details on publication using reverse proxy rules, please refer to the Publication of HTTP/HTTPS resources using the reverse proxy section. |
7.4. Traffic shaping¶
The traffic shaping control rules allow you to limit bandwidth of network channels for certain users, hosts, services or applications.
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
To create a new traffic shaping rule, click Add in the Network policies--> Traffic shaping section and specify the following parameters.
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Description | Description of a rule |
Bandwidth pools | Select a bandwidth. You can add more bandwidths in Libraries-->Bandwidths. |
Scenarios | A scenario that must be active for the rule to apply. For more details on scenarios, please refer to Security policies-->Scenarios. Important! A scenario represents an additional condition. If the scenario is not activated (i.e. one or more of its triggers have not fired), the rule will not be applied. |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Users | Users or groups |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Service | Service type, e.g. HTTP, HTTPS, etc. |
Application | List of applications for which you are going to limit bandwidth. Important! To use applications, make sure you enable the Application Control module in General settings. |
Time | Time ranges when rule is active. |
8. Security policies¶
The Security policies section contains the following subsections:
- Content filtering
- Safe browsing
- SSL inspection
- Intrusion prevention and detection system
- SCADA rules
- Scenarios
- Mail security
- Integration with external ICAP servers
- Publication of HTTP/HTTPS resources using the reverse proxy
Based on security policies, network administrators can perform the following:
- Set up the HTTP/S content filtering, e.g. prohibit access to certain categories of websites in the specified periods for individual users or configure the virus scanning of web content
- Set up safe browsing options, e.g. forced safe search, blocking of social network applications, logging of users' search phrases and ad blocking
- Set up the HTTPS inspection rules, e.g. to decrypt HTTPS in the "Forums" category for all users and decrypt HTTPS in the "Social media" category only for the selected users. Once the HTTPS traffic is decrypted, the system is able to apply the content filtering and safe browsing policies to it.
- Enable and set up the IPS settings
- Set up spam filtering and virus scanning of the SMTP and POP3 traffic
- Set up logging or blocking of certain SCADA commands
- Set up selective sampling of the traffic for analysis on external ICAP servers, e.g. on DLP systems
- Set up publication of HTTP/HTTPS servers
8.1. Content filtering¶
Based on content filtering rules, network administrators can allow or prohibit certain content passed through HTTP and HTTPS (if HTTPS inspection is configured). In addition, UserGate can block HTTPS traffic without decrypting its content, but only when the rule blocks by UserGate URL filtering categories or by lists of URLs that contain host names only. In such cases, UserGate identifies the domain from the SNI (Server Name Indication) field of the client request or, when SNI is not available, from the host name in the server's SSL certificate.
Criteria of a rule can be as follows:
- Users and groups
- Certain words or phrases (morphology) on web pages
- Category of a website
- URL
- Zone and IP address of the source
- Zone and IP addresses of the destination
- MIME type of content
- Time
- User agent of the user's browser
- HTTP method
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! If no rules have been created, then all content will be allowed.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
To create a new content filtering rule, click Add in the Security policies-->Content filtering section and specify the following parameters.
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Description | Description of a rule |
Action | Deny: blocks the web page. Warning: notifies the user that the web page they are trying to access is unwanted; the user decides whether to open it, and each page view is logged. Allow: allows the traffic. |
Enable logging | Logs information about rule triggered. |
Check by UserGate antivirus | Applicable to the Deny rules only, i.e. if a web page is infected, the entire web resource will be blocked. If a rule contains additional conditions (categories, time, etc.), then the virus scan will be performed only when all criteria in the rule are met. |
Check by Heuristic antivirus | Applicable to the Deny rules only, i.e. if a web page is infected, the entire web resource will be blocked. If a rule contains additional conditions (categories, time, etc.), then the anti-virus scan will be performed only when all criteria in the rule are met. The heuristic virus check may require a higher-performance system. |
Scenarios | A scenario that must be active for the rule to apply. For more details on scenarios, please refer to Scenarios. Important! A scenario represents an additional condition. If the scenario is not activated (i.e. one or more of its triggers have not fired), the rule will not be applied. |
Blocking page | Specifies the blocking page that will be shown to users when a web resource they are trying to access is prohibited. You can either use an external page by selecting Use external URL or specify the UserGate's blocking page. In this case, you can select an existing template of the blocking page or create a new one in Libraries-->Response pages. |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Users | List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown, Known type. To apply rules to individual users or user of the Known type, make sure to set up authentication properly. For more details on user identification, please refer to the Users and devices chapter. |
Categories | List of categories from UserGate URL filtering 3.0. Note that you will need the corresponding license in order to use categories. UserGate URL filtering 3.0 is the largest database of web resources, split into 73 categories for your convenience. Network administrators can efficiently manage access to unwanted web resources, such as pornography, malicious websites, online casinos, gambling websites, social media, and more. Important! Beginning from UserGate version 5.0.7, an administrator can override the category of any website if it is not categorized or is categorized incorrectly. For more details, please refer to Requests to a white list. Important! Blocking by URL categories can be applied to HTTPS traffic without decrypting it. |
URLs | Lists of URLs. If you have the corresponding license, UserGate will provide you with the regularly updated lists of URLs, such as "UserGate black list", "UserGate white list", "List of prohibited websites according to some national laws", "Black list of phishing websites", and "Search engines without safe search". Network administrators can also create their own lists of URLs. For more details on how to work with lists of URLs, please refer to Libraries-->URL lists. Important! Blocking by URL lists can be applied to the HTTPS traffic without decrypting it, provided that the lists contain only host (domain) names. |
MIME-types | Lists of MIME types. Network administrators can manage video content, audio content, images, executables, and more. Network administrators can also create their own groups of MIME types. For more details on how to work with MIME types, please refer to Content types. |
Morphology | List of morphology dictionaries for web page checks. If you have the corresponding license, UserGate will provide you with the list of various dictionaries, such as "Suicide", "Terrorism", "Pornography", "Profanity", "Gambling", "Drugs", and other. The dictionaries are available in English, German, Russian, Japanese and Arabic. Network administrators can also create their own dictionaries. For more details on how to work with morphological dictionaries, please refer to Morphology. |
Time | Time period when the rule will be active. Network administrators can add necessary time intervals in Libraries-->Time sets. |
Useragent | Useragent of user browsers for which a given rule will be applied. Administrators can add all necessary Useragents as described in the Useragents section. |
HTTP method | The HTTP method of the request to which the rule applies; in practice, requests usually use GET or POST. |
Referrers | A list of URLs with the referrers for the current page. The corresponding rule will be triggered when the referrer of a given page is found on this list. This functionality is useful for allowing access to certain websites in CDNs (Content Delivery Networks) while prohibiting direct access to CDN content. |
8.2. Safe browsing¶
In the Safe browsing section, network administrators can enable additional filtering parameters for HTTP and HTTPS (if HTTPS inspection has been configured), including the following:
- Ad blocking. Even reputable websites may display annoying ads or unwanted content in sidebars. UserGate can prevent ad banners from being displayed on web pages
- Script injection, which inserts the required program code into all web pages accessible to users. The code is injected before the HTML tag </head>.
- Forced safe search for search engines (Google, Yahoo, Bing, Ask, Yandex) and on YouTube. This lets the search portals themselves filter unwanted content, which is particularly effective for image and video search results
- Logging of users' search queries
- Blocking of social network applications. Many companies do not allow their employees to play online games provided by social networks at work. UserGate can block such applications without affecting the other functions of the social networks
Criteria of a rule can be as follows:
- Traffic source
- Users and groups
- Time
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
Important! If no rules have been created, then no additional safe browsing functions will be applied.
To create a new safe browsing rule, click Add in the Security policies-->Safe browsing section and specify the following parameters.
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Description | Description of a rule |
Enable logging | Logs information about rule triggered. |
AdBlock | Enable ad blocking. By clicking Exceptions, administrators can select a list of URLs for which no ad blocking is required. |
Injector | Injects an arbitrary program code in all web pages. To edit this program code, click Injector code. |
Safe search | Forcibly enables the safe search functionality |
Search history | Enables logging of user search queries |
Block social media apps | Blocks apps in popular social media |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Users | List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown, Known type. To apply rules to individual users or user of the Known type, make sure to set up authentication properly. For more details on user identification, please refer to the Users and devices section. |
Time | Time period when the rule will be active. Network administrators can add necessary time intervals in Libraries-->Time sets. |
8.3. SSL inspection¶
In this section, network administrators can set up inspection of data passed over TLS/SSL, such as HTTPS or SMTPS/POP3S. UserGate uses the well-known Man-In-The-Middle (MITM) technique: the gateway terminates the TLS session, decrypts and analyzes the content on the UserGate side, and re-encrypts it toward the client. HTTPS inspection is required for the content filtering and safe browsing rules to work; SMTPS and POP3S inspection is required for spam and virus checks of email traffic.
Based on these rules, you can set up HTTPS inspection for various categories of content, e.g. "Malware", "Anonymizers" or "Botnets", without decryption of safe categories, such as "Finance", "Government", etc. The system identifies category of a website according to the information passed in HTTPS requests, such as SNI (Server Name Indication) or Subject Name in the server certificate (when SNI is missing). The values of the Subject Alternative Name are ignored.
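Both the content filtering section (blocking HTTPS by category or host-name list without decryption) and the paragraph above rely on the same mechanism: the domain is read from the SNI extension of the ClientHello, which travels in clear text, and only when SNI is absent does the Subject name of the server certificate serve as a fallback, with Subject Alternative Names ignored. The following Python is an added example, not UserGate code: it builds a minimal constructed ClientHello, extracts the SNI host name from it, and applies a constructed category table to decide whether a rule that decrypts only certain categories would decrypt the connection. The category names and domain names are assumptions.

```python
from typing import Optional, Set, Tuple

def build_client_hello(server_name: Optional[str] = None) -> bytes:
    """Constructed minimal TLS ClientHello record (one cipher suite, optional SNI extension)."""
    body = b"\x03\x03" + bytes(32)            # client_version TLS 1.2, 32-byte random (zeros here)
    body += b"\x00"                           # session_id length 0
    body += b"\x00\x02\x13\x01"               # cipher_suites: one entry, TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                       # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name        # name_type 0 = host_name
        sni = len(entry).to_bytes(2, "big") + entry                  # ServerNameList
        exts += b"\x00\x00" + len(sni).to_bytes(2, "big") + sni      # extension type 0 = server_name
    body += len(exts).to_bytes(2, "big") + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # TLS record header

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent or malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        i = 2 + 32                                   # skip client_version and random
        i += 1 + p[i]                                # session_id
        i += 2 + int.from_bytes(p[i:i + 2], "big")   # cipher_suites
        i += 1 + p[i]                                # compression_methods
        if i + 2 > len(p):
            return None                              # no extensions block at all
        end = i + 2 + int.from_bytes(p[i:i + 2], "big")
        i += 2
        while i + 4 <= end:
            etype = int.from_bytes(p[i:i + 2], "big")
            elen = int.from_bytes(p[i + 2:i + 4], "big")
            data = p[i + 4:i + 4 + elen]
            i += 4 + elen
            if etype != 0:
                continue
            j = 2                                    # skip ServerNameList length
            while j + 3 <= len(data):
                ntype, nlen = data[j], int.from_bytes(data[j + 1:j + 3], "big")
                if ntype == 0:
                    return data[j + 3:j + 3 + nlen].decode("ascii", "replace")
                j += 3 + nlen
    except IndexError:
        pass                                         # truncated record: treat as no SNI
    return None

# Constructed category table standing in for the UserGate URL filtering database.
CATEGORIES = {"example-bank.test": "Finance", "malware-host.test": "Malware"}

def identify_domain(client_hello: bytes, cert_subject_cn: Optional[str] = None) -> Optional[str]:
    """SNI when present; otherwise the certificate Subject name. SANs are deliberately ignored."""
    return extract_sni(client_hello) or cert_subject_cn

def inspection_decision(client_hello: bytes, cert_subject_cn: Optional[str],
                        decrypt_categories: Set[str]) -> Tuple[Optional[str], str, bool]:
    """(domain, category, decrypt?) for a rule that decrypts only the listed categories."""
    domain = identify_domain(client_hello, cert_subject_cn)
    category = CATEGORIES.get(domain, "Uncategorized") if domain else "Uncategorized"
    return domain, category, category in decrypt_categories
```

The fallback path matters operationally: a client that sends no SNI (older software, or a connection to a raw IP address) is categorized by the certificate's Subject only, so a certificate whose Subject is generic and whose real names are only in SANs will land in an uncategorized bucket.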
After decryption and analysis, the data is encrypted again with a certificate issued by the certification authority that you have previously specified in the Certificates section. Make sure to add this certificate to the trusted root certificates on users' computers; otherwise, web browsers on the user side will display a warning that the certificate is not trusted. For more details, please refer to Appendix 1: Installing a certificate issued by the local certification authority.
Similar to user browsers, some email servers and clients reject email messages when they detect a replaced certificate. In this case, make sure to disable certification checks in your email software or add exclusions for the given certificates to UserGate. For more details, please refer to your email software documentation.
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
Important! When no rules are defined, the system will not be decrypting SSL and therefore the content passed through SSL will not be filtered.
Important! UserGate supports the inspection of a wide range of TLS/SSL protocol versions, including legacy versions such as TLSv1.0 and TLSv1.1 and newer versions such as TLSv1.2 and TLSv1.3. By default, compatibility with legacy protocols is enabled, which provides support for TLSv1.0-TLSv1.2. If compatibility with legacy protocols is disabled, only TLSv1.0 and TLSv1.2-TLSv1.3 are supported. This is configured via the CLI command legacy_ssl_enabled. You can read more about CLI commands in the section Command-line interface (CLI).
To create a new SSL inspection rule, click Add in the Security policies--> SSL inspection section and specify the following parameters.
Name | Description |
---|---|
Enabled | Enables or disables a rule. |
Name | Rule name. |
Description | Description of a rule. |
Action |
|
Enable logging | Logs information about rule triggered. |
Block sites with invalid certificates | Blocks access to servers with invalid HTTPS certificates, e.g. expired or revoked certificates, certificates issued for another domain name, or certificates issued by an untrusted certification authority. |
Check the certificates revocation list | Check a site certificate against the list of revoked certificates (CRL) and block the site if any matches are found |
Block expired certificates | Block certificates that are not valid anymore |
Block self-signed certificates | Block self-signed certificates |
Users | List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown, Known type. To apply rules to individual users or user of the Known type, make sure to set up authentication properly. For more details on user identification, please refer to the Users and devices section. |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination address | Lists of IP addresses of the traffic destination. |
Services | Service for which rule will decrypt traffic. Can be HTTPS, SMTPS, POP3S. |
Categories | List of categories from UserGate URL filtering 3.0. |
Domains | Lists of domains. Domain names to which this rule is applied. Domain names are created similar to lists of URLs except that only domain names can be used for HTTPS inspection (such as www.example.com, but not http://www.example.com/home/). For more details on how to work with lists of URLs, please refer to Libraries-->URL lists. |
Time | Time period when the rule is active. Network administrators can add necessary time intervals in Libraries-->Time sets. |
By default, UserGate has an SSL inspection rule, Decrypt all for unknown users, which is required for authentication of unknown users on the Captive portal.
8.4. Intrusion prevention system¶
The intrusion detection and prevention system (IPS) can quickly detect malicious activity in your local network or from the Internet, identify, record and prevent various threats, and generate detailed reports on each suspicious event. Security breaches are usually detected by means of heuristic techniques and matching with signatures of already known attacks. If you have the corresponding license, UserGate will regularly provide you with up-to-date databases of heuristic rules and attack signatures. IPS can track and proactively block all the detected attacks in real time, e.g. terminate malicious network connections, send notifications to network administrators, log the suspicious activity, and so on.
To get started with IPS, perform the following:
Name | Description |
---|---|
Step 1. Create required IPS profiles | An IPS profile is a set of signatures relevant for the protection of certain services. Administrators can create any number of IPS profiles to protect various services. It is recommended that you avoid adding excessive signatures to profiles and use only signatures that are really important for security. For example, do not add UDP-specific signatures to a profile that protects a TCP-based service. When there are too many signatures, the system will be processing the traffic longer due to additional workload on the CPU. |
Step 2. Create the IPS rules | The IPS rules define IPS actions depending on the traffic type checked by the IPS module according to the assigned IPS profiles. |
To set up the IPS profile, click IPS profiles in the Security policies-->Library and then add all necessary signatures to the policy. The IPS signatures are regularly updated and delivered by UserGate to the corresponding subscribers. Each signature contains the following fields:
Name | Description |
---|---|
Signature | Name of the signature |
Risk | Signature's risk from 1 (low risk) to 5 (high risk) |
Protocol | Protocol of the signature:
|
Category | A category is a group of signatures with some common properties. The list of categories can be extended in the future:
|
Classtype | A classtype is a group of signatures based on the type of attack class. The following classtypes are supported:
|
When adding signatures to an IPS profile, administrators can use flexible filters, e.g. select only signatures with a very high risk that use the TCP protocol in the 'botcc' category across all classtypes.
IPS rules define the traffic to which an IPS profile will be applied and the action that the IPS module must perform when a signature from that profile matches.
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
Important! If no rules have been created, then IPS will not work.
To set up the IPS rules, click Add in the Security policies--> Intrusion prevention section and specify the following fields:
Name | Description |
---|---|
Enabled | Enables or disables a rule. |
Name | Rule name. |
Description | Description of a rule. |
Action | The following options are supported:
|
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Service | Service type, e.g. HTTP, DNS, etc. |
Application | List of applications to which this rule will be applied. |
Profiles | The list of IPS profiles that have been created in the previous step. |
8.5. SCADA rules¶
Using SCADA rules, administrators can control the traffic flow of the supervisory control and data acquisition systems (SCADA) through UserGate. UserGate supports the inspection of the following SCADA protocols:
- GOST R IEC 60870-5-104
- Modbus
- DNP3
- MMS
The administrator is able to specify SCADA profiles of their own choosing, in which they can indicate the required set of protocols and commands and use them in rules.
To get started with SCADA, perform the following:
Name | Description |
---|---|
Step 1. Allow the SCADA service in the required zones. | Go to Network-->Zones, edit the access control parameters for the zone to which SCADA clients will be connecting and allow the SCADA service in this zone. |
Step 2. Create the necessary SCADA profiles. | A SCADA profile is a set of elements each containing a SCADA command and an address. |
Step 3. Create the required SCADA rules. | The SCADA rules define SCADA actions depending on the traffic type checked by the SCADA module according to the assigned profiles. |
To set up SCADA profiles, create a new profile in Libraries-->SCADA profiles and then add the necessary commands to it. Each record contains the following fields:
Name | Description |
---|---|
Name | Name of the profile |
Description | Description of the profile |
Protocol | Select the required SCADA protocol |
SCADA command | Select the necessary SCADA command |
SCADA address | Provide the SCADA address as a 4-byte integer. |
SCADA rules define the traffic to which a SCADA profile will be applied and the action that UserGate must perform when the rule matches.
Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its specific conditions are met will be applied. Therefore, make sure to place more specific rules above the more common ones in the list. Use the Up/Down buttons to change the order of rules in the list.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
To create a new SCADA rule, click Add in Security policies-->SCADA rules and fill out the fields in the rule.
Name | Description |
---|---|
Enabled | Enable or disable the rule. |
Name | Name of the rule. |
Description | Description of the rule. |
Action | The following options are supported:
It is also possible to select the option Log. If this option is enabled, the fact that a rule has been applied to traffic will be recorded in the corresponding log. |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination | A list of destination IP addresses for the traffic. |
Service | L4 service which will be used in the rule. |
SCADA profiles | The list of SCADA profiles that have been created in the previous step |
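A SCADA profile element pairs a protocol command with an address, and a SCADA rule matches traffic against a list of such elements, top to bottom, with an optional Log flag. To make that concrete for one of the supported protocols, the Python below is an added example, not UserGate code: it parses the MBAP header and the leading PDU fields of a Modbus/TCP request (function code and starting address, as defined in the public Modbus/TCP specification), builds a constructed request for the demonstration, and evaluates it against two constructed rules. The rule names, the "allow"/"deny" labels and register 16 are assumptions; the manual does not state what happens when no SCADA rule matches, so the evaluator simply reports "no-match".

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class ScadaElement:
    protocol: str      # "modbus" in this example
    command: int       # Modbus function code
    address: int       # profile address (the Modbus starting address is 16-bit)

@dataclass
class ScadaRule:
    name: str
    action: str                    # constructed labels "allow" / "deny"
    log: bool                      # the Log option from the rule
    profile: FrozenSet[ScadaElement]

def parse_modbus_tcp(frame: bytes) -> Optional[dict]:
    """Parse the MBAP header and the leading PDU fields of a Modbus/TCP request; None if malformed."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:       # protocol id must be 0; length covers unit id + PDU
        return None
    function = frame[7]
    address = None
    # Read/write coil and register functions carry a 16-bit starting address right after the code.
    if function in (1, 2, 3, 4, 5, 6, 15, 16) and len(frame) >= 10:
        address = struct.unpack("!H", frame[8:10])[0]
    return {"transaction_id": tid, "unit_id": unit, "function": function, "address": address}

def build_modbus_request(function: int, address: int, value_or_count: int,
                         unit: int = 1, tid: int = 1) -> bytes:
    """Constructed request for function codes whose PDU starts with address + 16-bit value/count."""
    pdu = struct.pack("!BHH", function, address, value_or_count)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def evaluate(rules: List[ScadaRule], frame: bytes) -> Tuple[str, Optional[str], bool]:
    """First matching rule, top to bottom -> (action, rule name, logged)."""
    req = parse_modbus_tcp(frame)
    if req is None:
        return "malformed", None, False
    for rule in rules:
        for el in rule.profile:
            if el.protocol == "modbus" and el.command == req["function"] and el.address == req["address"]:
                return rule.action, rule.name, rule.log
    return "no-match", None, False

# Constructed profiles: log and block writes to holding register 16, allow reads of it.
WRITE_REG16 = frozenset({ScadaElement("modbus", 6, 16)})    # function 6 = Write Single Register
READ_REG16 = frozenset({ScadaElement("modbus", 3, 16)})     # function 3 = Read Holding Registers
RULES = [
    ScadaRule("block-write-reg16", "deny", True, WRITE_REG16),
    ScadaRule("allow-read-reg16", "allow", False, READ_REG16),
]

if __name__ == "__main__":
    print(evaluate(RULES, build_modbus_request(6, 16, 1)))   # ('deny', 'block-write-reg16', True)
    print(evaluate(RULES, build_modbus_request(3, 16, 2)))   # ('allow', 'allow-read-reg16', False)
```

The length check in `parse_modbus_tcp` is the part worth keeping when adapting this: a frame whose MBAP length disagrees with the bytes actually received should be treated as malformed rather than matched against a permissive profile.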
8.6. Scenarios¶
UserGate allows for much faster responses to detected attacks thanks to the SOAR concept (Security Orchestration, Automation, and Response). UserGate implements this concept through scenarios. A scenario is an additional condition in firewall and bandwidth rules that lets administrators define the UTM's behavior in response to certain events over an extended period of time. For example, scenarios can be used for the following tasks:
- Block or limit the bandwidth for 30 minutes when a user tried to use a torrent application 5 times within the last 10 minutes.
- Block or limit the bandwidth for a user or user group specified in a rule when any of the following triggers has been activated: a user is viewing sites from the Threats category, high-risk IPS signatures are triggered for the traffic utilized by a user, or a virus is blocked in the traffic utilized by a user.
- Block or limit the bandwidth for a user who has already consumed their traffic limit of 10 GB/month.
Important! A scenario represents an additional condition in the firewall rules and bandwidth rules. If the scenario is not active (i.e. one or more of its triggers have not fired), the rule will not be applied.
To get started with the scenarios, perform the following steps:
Name | Description |
---|---|
Step 1. Create the necessary scenarios. | Create the necessary scenarios in Security policies-->Scenarios. |
Step 2. Specify the created scenarios in the firewall rules or bandwidth rules. | Add the scenarios that you have created to the firewall rules or bandwidth rules. For more details on firewall rules or bandwidth rules, please refer to Network policies. |
Provide the following parameters when creating a new scenario:
Name | Description |
---|---|
Enabled | Enable or disable the scenario |
Name | Name of the scenario |
Description | Description of the scenario |
Trigger for | Possible options: |
Duration | A time period in minutes during which the triggered scenario will remain active. The same time period will be applied for the firewall rule or bandwidth rule in which this scenario is used. |
Conditions | Define the triggering conditions for a scenario. You can specify the minimum number of triggering events within a time period that are required for triggering a scenario. When multiple conditions are selected, make sure to specify whether the scenario must be triggered when any or all of these conditions are met. |
Triggering conditions | The following conditions can be used in scenarios: |
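The trigger logic described in this section, as an added simulation that is not UserGate's own code: a scenario fires when its conditions (N events within M minutes, combined with any/all) are met, stays active for its Duration, and a rule that references it applies only while it is active. The class and event names and the minute-based clock are assumptions of this example.

```python
"""Simulation of UserGate-style scenarios (SOAR). Added example, not UserGate's code."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Condition:
    trigger: str       # constructed event type, e.g. "torrent_app"
    min_events: int    # minimum number of triggering events ...
    window_min: int    # ... within this many minutes


@dataclass
class Scenario:
    name: str
    conditions: List[Condition]
    match: str = "any"        # "any" or "all" of the conditions must be met
    duration_min: int = 30    # how long the scenario stays active once triggered
    # internal per-user state: event timestamps per trigger, and the activation deadline
    _events: Dict = field(init=False, repr=False,
                          default_factory=lambda: defaultdict(lambda: defaultdict(deque)))
    _active_until: Dict[str, float] = field(init=False, repr=False, default_factory=dict)

    def record(self, user: str, trigger: str, now: float) -> None:
        """Register one triggering event for `user` at time `now` (minutes) and re-evaluate."""
        self._events[user][trigger].append(now)
        self._evaluate(user, now)

    def _count(self, user: str, cond: Condition, now: float) -> int:
        """Number of `cond.trigger` events for `user` inside the sliding window ending at `now`."""
        queue = self._events[user][cond.trigger]
        while queue and queue[0] < now - cond.window_min:
            queue.popleft()           # drop events that fell out of the window
        return len(queue)

    def _evaluate(self, user: str, now: float) -> None:
        hits = [self._count(user, c, now) >= c.min_events for c in self.conditions]
        fired = all(hits) if self.match == "all" else any(hits)
        if fired and not self.is_active(user, now):
            self._active_until[user] = now + self.duration_min

    def is_active(self, user: str, now: float) -> bool:
        return now < self._active_until.get(user, float("-inf"))


@dataclass
class FirewallRule:
    name: str
    action: str                           # e.g. "deny"; irrelevant to the simulation
    scenario: Optional[Scenario] = None   # the optional scenario condition

    def applies(self, user: str, now: float) -> bool:
        """A scenario is an additional condition: while it is inactive the rule never matches."""
        if self.scenario is None:
            return True
        return self.scenario.is_active(user, now)


def torrent_demo() -> Dict[float, bool]:
    """First use case from the text: 5 torrent events within 10 minutes block for 30 minutes."""
    scn = Scenario("torrent-abuse", [Condition("torrent_app", 5, 10)], duration_min=30)
    rule = FirewallRule("block torrent abusers", "deny", scenario=scn)
    verdicts = {}
    for t in (0, 2, 4, 6, 8):            # five events, all within the last 10 minutes at t=8
        scn.record("alice", "torrent_app", t)
        verdicts[t] = rule.applies("alice", t)
    verdicts[37] = rule.applies("alice", 37)   # still inside the 30-minute block (8 + 30 = 38)
    verdicts[38] = rule.applies("alice", 38)   # block expired
    return verdicts


def multi_trigger_demo():
    """Second use case: any one of three triggers activates the scenario immediately."""
    scn = Scenario("risky-user",
                   [Condition("threats_category", 1, 1),
                    Condition("ips_high_risk", 1, 1),
                    Condition("virus_blocked", 1, 1)],
                   match="any", duration_min=30)
    before = scn.is_active("bob", 5)
    scn.record("bob", "ips_high_risk", 5)
    return before, scn.is_active("bob", 5), scn.is_active("bob", 34), scn.is_active("bob", 35)


if __name__ == "__main__":
    print(torrent_demo())         # {0: False, 2: False, 4: False, 6: False, 8: True, 37: True, 38: False}
    print(multi_trigger_demo())   # (False, True, True, False)
```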
8.7. Integration with external ICAP servers
UserGate can transfer the HTTP/HTTPS and email traffic (SMTP, POP3) to external ICAP servers, e.g. in order to check the traffic for viruses or to check the outgoing data from users by means of DLP systems. In this case, UserGate will serve as an ICAP client.
UserGate offers flexible settings for ICAP servers, e.g. administrators can set up rules for sending only part of the traffic to ICAP servers or for integration with ICAP server farms.
To set up UserGate for integration with external ICAP servers, perform the following steps:
Name | Description |
---|---|
Step 1. Create an ICAP server. | Go to Security policies-->ICAP servers, click Add and create one or more ICAP servers. |
Step 2. Create a balancing rule for ICAP servers (optional). | When a balancing for ICAP server farms is required, go to Network policies-->Load balancing and create a new ICAP server balancer. Use the ICAP servers that you have created in the previous step. |
Step 3. Create a new ICAP rule. | Go to Security policies-->ICAP rules and create a rule that defines the conditions for forwarding the traffic to ICAP servers or ICAP server farms. Important! ICAP rules are applied from top to bottom in the list of rules. Only the first rule for which all its specific conditions are met will be applied. |
To create an ICAP server, go to Security policies-->ICAP servers, click Add and fill out the following fields:
Name | Description |
---|---|
Name | Name of the ICAP server |
Description | Description of the ICAP server |
Address | IP address of the ICAP server |
Port | TCP port of the ICAP server (1344 by default) |
Max message size | The maximum size of a message sent to the ICAP server (in megabytes). The default value is 0 (disabled). |
Check ICAP server every | A time period in seconds after which UserGate will send an OPTIONS request to the ICAP server to check its availability. |
Bypass if errors | When this option is enabled, UserGate will not send any data to the ICAP server if the ICAP server is not available (does not respond to OPTIONS request). |
Reqmod path | |
Respmod path | |
Send username | |
Send IP | |
Send MAC | |
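The availability probe behind the Check ICAP server every and Bypass if errors options, as an added example that is not UserGate's own code: it builds an RFC 3507 OPTIONS request, parses the reply, treats the server as available only when it answers 200 and advertises the method the rule needs, and shows the resulting traffic decision. Function names, the health criteria, the fail-closed behaviour when the bypass option is off, and the sample responses are assumptions of this example.

```python
"""ICAP OPTIONS health check and bypass decision. Added example, not UserGate's code."""
import socket
from typing import Dict, Optional, Tuple

ICAP_DEFAULT_PORT = 1344   # default port from the ICAP server settings above


def build_options_request(host: str, path: str = "/", port: int = ICAP_DEFAULT_PORT) -> bytes:
    """OPTIONS request for the service at icap://host:port/path (RFC 3507, section 4.10)."""
    return (f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "User-Agent: icap-health-check-example/1.0\r\n"
            "Encapsulated: null-body=0\r\n"
            "\r\n").encode("ascii")


def parse_options_response(raw: bytes) -> Optional[Tuple[int, Dict[str, str]]]:
    """Return (status code, lower-cased header dict) or None if the response is malformed."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/1.") or not parts[1].isdigit():
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def server_is_available(raw: bytes, required_method: str) -> bool:
    """Available = 200 OK and the service advertises the method the rule needs (REQMOD/RESPMOD)."""
    parsed = parse_options_response(raw)
    if parsed is None:
        return False
    status, headers = parsed
    if status != 200:
        return False
    methods = {m.strip().upper() for m in headers.get("methods", "").split(",")}
    return required_method.upper() in methods


def check_server(host: str, port: int = ICAP_DEFAULT_PORT, path: str = "/",
                 required_method: str = "RESPMOD", timeout: float = 3.0) -> bool:
    """Live probe: a socket error or timeout counts as 'does not respond to OPTIONS'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_options_request(host, path, port))
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return server_is_available(buf, required_method)
    except OSError:
        return False


def traffic_decision(server_available: bool, bypass_if_errors: bool) -> str:
    """'scan' while the server answers; on failure 'bypass' (pass unscanned) when the
    option is on. The page does not describe the behaviour with the option off;
    'fail-closed' here is an assumption of this example."""
    if server_available:
        return "scan"
    return "bypass" if bypass_if_errors else "fail-closed"


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = (b"ICAP/1.0 200 OK\r\n"
             b"Methods: RESPMOD, REQMOD\r\n"
             b"Service: example-av/1.0 (constructed)\r\n"
             b"ISTag: \"example-tag-1\"\r\n"
             b"Allow: 204\r\n"
             b"Preview: 1024\r\n"
             b"Encapsulated: null-body=0\r\n\r\n")
SAMPLE_OVERLOADED = b"ICAP/1.0 503 Service overloaded\r\nEncapsulated: null-body=0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("overloaded", SAMPLE_OVERLOADED)):
        up = server_is_available(raw, "RESPMOD")
        print(name, up, traffic_decision(up, bypass_if_errors=True))
```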
To create a balancing rule for the ICAP servers, go to Network policies-->Load balancing, select Add-->ICAP balancer and fill out the following fields:
Name | Description |
---|---|
Enabled | Enable or disable the rule |
Name | Name of the rule |
Description | Description of the rule |
ICAP servers | The list of ICAP servers among which the workload will be distributed, created in the previous step. |
To create an ICAP rule, click Add in Security policies-->ICAP rules and fill out the following fields.
Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its specific conditions are met will be applied. Therefore, make sure to place more specific rules above the more common ones in the list. Use the Up/Down buttons to change the order of rules in the list.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
Name | Description |
---|---|
Enabled | Enable or disable the rule |
Name | Name of the rule |
Description | Description of the rule |
Action | The following options are supported: |
ICAP servers | An ICAP server or an ICAP server balancer to which UserGate will forward user requests. |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Users | The list of users and/or groups to which a given rule is applied. Users of the Any, Unknown or Known types can be added. To apply the rules to given users or users of the Known type, you need to set up user identification. |
Destination address | A list of destination IP addresses for the traffic. |
MIME types | Lists of MIME types. The system provides management functionality for video, audio, images, executable files, and other content types. Administrators can also create custom groups of MIME types. For more details on MIME types, please refer to Content types. |
Categories | Lists of UserGate URL filtering categories |
URLs | Lists of URLs |
HTTP method | The HTTP method of the request; for HTTP requests this is usually GET or POST. |
Service | Possible options: |
8.8. Mail security
In the Mail security section, you can set up virus and spam scanning of the transit email traffic. The system supports the POP3(S) and SMTP(S) protocols. For proper operation of the email traffic protection, make sure you have the license for the corresponding module.
In most cases, you will need to protect the email traffic coming from the Internet to your internal mail servers as well as the mail traffic coming from your servers or user PCs.
To set up protection of the email traffic coming from the Internet to your internal mail servers, perform the following:
Name | Description |
---|---|
Step 1. Publish your mail server on the Internet | Please refer to DNAT rules. It is recommended to create separate DNAT rules for SMTP and POP3, rather than combine them into one rule. |
Step 2. Enable support of the SMTP(S) and POP3(S) services in the zone connected to the Internet | Please refer to Configuring zones. |
Step 3. Create the email protection rules | Create the necessary email protection rules. For more details, please see below in this chapter. |
If you need to protect the mail traffic without publishing your mail server on the Internet, perform the following steps:
Name | Description |
---|---|
Step 1. Create the traffic protection rules | Create the necessary email protection rules. For more details, please see below in this chapter. |
To set up the mail traffic filtering rules, click Add in the Security policies--> Mail security section and specify the following fields:
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! If no rules have been created, then mail traffic will not be protected.
Important! A rule is triggered only when all its criteria are met.
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Description | Description of a rule |
Action | Select an action that will be applied to the mail traffic when all corresponding criteria are met: |
Scanning | Select an email traffic scanning method: |
Header | Field for placing the message tag |
Mark | Text of the message tag |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Users | Users or groups of users to which the rule will be applied. |
Service | Select an email protocol (POP3 or SMTP) to which the rule will be applied. |
Envelope from | Email address of the sender as specified in the "Envelope from" field. Applicable to SMTP only. |
Envelope to | Email address of the recipient as specified in the "Envelope to" field. Applicable to SMTP only. |
It is recommended that you use the following spam protection settings.
For SMTP(S):
- The first rule in the list should be blocking by DNSBL. It is recommended that you leave the Envelope from/Envelope to fields blank. In this case, DNSBL will proactively discard connections from SMTP servers that are known spam sources. When recipient email addresses are added as exclusions, the system is forced to receive each message in full before it can be analyzed, and therefore the overall server workload increases.
- The second rule is marking messages using UserGate spam check. Here you can use any exclusions you want, including Envelope from/Envelope to.
For POP3(S):
- Action - Mark
- Scanning - UserGate spam check
8.9. Publication of HTTP/HTTPS resources using the reverse proxy
For publication of HTTP/HTTPS servers, it is recommended that you use publication based on the reverse proxy rules.
Unlike the DNAT-based publication, the reverse proxy publication offers the following advantages:
- Publication of HTTP servers using HTTPS, and vice versa
- Balancing of requests to web server farms
- Ability to limit access to the published servers to certain user agents (Useragent)
- Ability to replace domains and paths of the published servers.
To publish a server using the reverse proxy, perform the following steps:
Name | Description |
---|---|
Step 1. Create a reverse proxy server. | Go to Security policies-->Reverse proxy servers, click Add and create one or more web servers for publishing. |
Step 2. Create a balancing rule for the reverse proxy servers (optional). | When a balancing for published server farms is required, go to Network policies-->Load balancing and create a new reverse proxy balancer. Use the reverse proxy servers that you have created in the previous step. |
Step 3. Create a reverse proxy rule. | Go to Security policies-->Reverse proxy rules and create a new rule that defines the publication conditions for servers or server farms. Important! Publication rules are applied from top to bottom in the list of rules. Only the first publication rule for which all its specific conditions are met will be applied. |
Step 4. Allow the Reverse proxy server in the zone where you want to grant access to the internal resources. | Go to Network-->Zones and allow the Reverse proxy service in the zone where you want to grant access to the internal resources (in most cases, it is the Untrusted zone). |
To create a reverse proxy server, go to Security policies-->Reverse proxy servers, click Add and fill out the following fields:
Name | Description |
---|---|
Name | Name of the published server. |
Description | Description of the published server. |
Address | IP address of the published server. |
Port | TCP port of the published server. |
HTTPS to server | Defines whether it is necessary to use the HTTPS protocol to access the published server. |
Check SSL certificate | Enables or disables validation of the SSL certificates installed on the published server. |
Keep original source IP address | Leaves the original IP address of the source in packets sent to the published server. When this option is disabled, the source IP address is replaced with UserGate's IP address. |
To create a balancing rule for the reverse proxy servers, go to Network policies-->Load balancing, select Add-->Reverse proxy balancer and fill out the following fields:
Name | Description |
---|---|
Enabled | Enable or disable the rule |
Name | Name of the rule |
Description | Description of the rule |
Reverse proxy servers | The list of the reverse proxy servers among which the workload will be distributed (created in the previous step). |
To create a new reverse proxy rule, click Add in Security policies-->Reverse proxy rules and fill out the mandatory fields.
Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its specific conditions are met will be applied. Therefore, make sure to place more specific rules above the more common ones in the list. Use the Up/Down buttons to change the order of rules in the list.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
Name | Description |
---|---|
Enabled | Enable or disable the rule |
Name | Name of the rule |
Description | Description of the rule |
Reverse proxy server | A reverse proxy server or reverse proxy balancer to which UserGate will forward user requests |
Port | A port on which UserGate will be listening for incoming requests. |
Use HTTPS | Enable the HTTPS support |
Certificate | A certificate used for establishing HTTPS connections |
Authenticate by certificate | When this option is enabled, browsers will be required to provide user certificates. To do this, make sure to add the user certificate to the list of UserGate certificates, and also assign it the User certificate role and the corresponding UserGate user account. For more details on user certificates, please refer to the Managing certificates section. |
Source | A source zone and/or a list of source IP addresses for the traffic. |
Users | The list of users and groups to which a given rule is applied. Users of the Any, Unknown or Known types can be added. To apply the rules to given users or users of the Known type, you need to set up user identification. |
Useragent | Useragent of user browsers for which a given rule will be applied |
Path rewrite | Replace a domain and/or path in the user request URL. For example, incoming requests to http://www.example.com/path1 can be changed to http://www.example.loc/path2. Change from - a domain and/or path that you want to replace in the URL. Change to - a domain and/or path that you want to use as a replacement in the URL. If a domain is specified in the Change from field, then the publication rule will be applied for the requests sent to this domain only. In other words, this will be a condition for rule triggering. |
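The Path rewrite matching described in the row above, as an added example that is not UserGate's own code: Change from names a domain and/or path, a domain in it acts as a rule condition, and the first matching rule in the list is applied. Prefix matching on the path, not carrying a port over to a replaced domain, and the rule names and URLs are assumptions of this example.

```python
"""Reverse proxy path rewrite with first-match rule ordering. Added example, not UserGate's code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def split_change(value: str) -> Tuple[str, str]:
    """'www.example.com/path1' -> ('www.example.com', '/path1');
    '/path1' -> ('', '/path1'); 'www.example.com' -> ('www.example.com', '')."""
    if value.startswith("/"):
        return "", value
    host, sep, path = value.partition("/")
    return host.lower(), ("/" + path) if sep else ""


@dataclass
class RewriteRule:
    name: str
    change_from: str   # domain and/or path to replace; a domain here is also a condition
    change_to: str     # domain and/or path used as the replacement

    def apply(self, url: str) -> Optional[str]:
        """Rewritten URL, or None when the rule's conditions do not match the request."""
        parts = urlsplit(url)
        from_host, from_path = split_change(self.change_from)
        to_host, to_path = split_change(self.change_to)
        # A domain in Change from is a condition: only requests to that domain match.
        if from_host and (parts.hostname or "").lower() != from_host:
            return None
        # Path condition (assumed prefix semantics): exact match or a sub-path of it.
        if from_path and not (parts.path == from_path
                              or parts.path.startswith(from_path.rstrip("/") + "/")):
            return None
        remainder = parts.path[len(from_path):] if from_path else parts.path
        new_path = (to_path + remainder) or "/"
        new_netloc = to_host or parts.netloc     # assumption: a replaced domain carries no port
        return urlunsplit((parts.scheme, new_netloc, new_path, parts.query, parts.fragment))


def first_match(rules: List[RewriteRule], url: str) -> Optional[Tuple[str, str]]:
    """Rules are evaluated top to bottom; the first one whose conditions match is applied."""
    for rule in rules:
        rewritten = rule.apply(url)
        if rewritten is not None:
            return rule.name, rewritten
    return None


# Constructed rule set: the specific (domain-bound) rule sits above the general one.
RULES = [
    RewriteRule("example-site", "www.example.com/path1", "www.example.loc/path2"),
    RewriteRule("legacy-path", "/legacy", "/app"),
]

if __name__ == "__main__":
    for url in ("http://www.example.com/path1/index.html",
                "http://intranet.example.com/legacy/login",
                "http://www.example.com/other"):
        print(url, "->", first_match(RULES, url))
```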
8.10. DoS protection
UserGate supports granular settings to protect networks from network flooding (for TCP (SYN-flood), UDP, ICMP). Basic settings are configured in the zone properties (see section Configuring zones), while more precise settings are available in this section. Using the DoS protection rules, administrators can provide specific settings to protect a given service, protocol or application from DoS attacks. To create DoS protection rules, the administrator must perform the following steps:
Name | Description |
---|---|
Step 1. Create DoS profile | Go to Security policies-->DoS profiles, click Add and create one or more DoS profiles. |
Step 2. Create DoS rule | Go to Security policies-->DoS rules, click Add and create one or more DoS rules. Use the DoS profiles created in the previous step. |
To create a DoS profile, go to Security policies-->DoS profiles, click Add and fill out the following fields:
Name | Description |
---|---|
Name | Name of the profile. |
Description | Description of the profile. |
Aggregate | This option sets whether UserGate sums up packets per second for all IP addresses of the traffic source or counts them individually for each IP address. When this option is active, make sure to specify large values for packets per second on the DoS protection and Resource protection tabs, since the counters then cover all sources together. |
DoS protection | Specify the following DoS protection parameters in the zone for the TCP (SYN-flood), UDP and ICMP protocols: |
Resource protection | This option allows you to limit the maximum number of sessions per protected resource, e.g. a published server: |
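The per-second thresholds of a DoS profile, with and without Aggregate, as an added simulation that is not UserGate's own code: each source (or, in Aggregate mode, all sources together) is counted per second; reaching the notification threshold writes a log entry, and reaching the drop threshold drops the remaining packets of that second and logs that too. The threshold numbers, the packet stream and the names are constructed for this example.

```python
"""DoS profile threshold simulation (per-IP vs Aggregate). Added example, not UserGate's code."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class DosProfile:
    name: str
    aggregate: bool     # True: sum packets/s over all source IPs; False: count per source IP
    notify_pps: int     # notification threshold: log when a counter reaches this rate
    drop_pps: int       # drop threshold: drop (and log) once a counter reaches this rate


def apply_profile(profile: DosProfile, packets: Iterable[Tuple[int, str]]) -> Dict[str, object]:
    """packets: (second, source_ip) pairs in arrival order. Returns allowed/dropped counts
    per source plus the log entries the profile would produce."""
    counters: Counter = Counter()    # (second, counter key) -> packets seen so far
    allowed: Counter = Counter()
    dropped: Counter = Counter()
    log: List[str] = []
    for second, src in packets:
        key = "all-sources" if profile.aggregate else src
        counters[(second, key)] += 1
        n = counters[(second, key)]
        if n == profile.notify_pps:
            log.append(f"t={second}s {key}: {n} pkt/s reached notification threshold")
        if n >= profile.drop_pps:
            if n == profile.drop_pps:
                log.append(f"t={second}s {key}: {n} pkt/s reached drop threshold, dropping")
            dropped[src] += 1
        else:
            allowed[src] += 1
    return {"allowed": dict(allowed), "dropped": dict(dropped), "log": log}


def sample_stream() -> List[Tuple[int, str]]:
    """Constructed second of traffic: a noisy source (50 pkt/s) and a quiet one (5 pkt/s)."""
    return [(0, "10.0.0.5")] * 50 + [(0, "10.0.0.9")] * 5


def per_source_demo() -> Dict[str, object]:
    """Aggregate off: only the noisy source crosses the thresholds."""
    return apply_profile(DosProfile("per-ip", aggregate=False, notify_pps=20, drop_pps=40),
                         sample_stream())


def aggregate_demo() -> Dict[str, object]:
    """Same thresholds with Aggregate on: the quiet source is dropped as collateral once the
    shared counter is over the limit, which is why the text says to use larger values here."""
    return apply_profile(DosProfile("aggregate", aggregate=True, notify_pps=20, drop_pps=40),
                         sample_stream())


if __name__ == "__main__":
    for result in (per_source_demo(), aggregate_demo()):
        print(result["allowed"], result["dropped"])
        for entry in result["log"]:
            print("  ", entry)
```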
To create a new DoS protection rule, go to Security policies-->DoS rules, click Add and specify the following parameters.
Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be in the bottom. If you want to change the order of rules, use the Up/Down buttons.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Description | Description of a rule |
Action | Block – blocks the traffic without any conditions (similar to firewall rules). Allow – allows the traffic flows, but without any DoS protection. This option can be used for creating exclusions. Protect – enables protection with the selected DoS profile. |
DoS profile | If the action is Protect, choose one of the created DoS profiles. |
Scenarios | Indicates a scenario that must be active for the rule to apply. For more details on scenarios, please refer to Scenarios. Important! A scenario represents an additional condition. If the scenario is not active (i.e. one or more of its triggers have not fired), the rule will not be applied. |
Enable logging | Logs information about the traffic when a rule is triggered. The following modes can be used: |
Source | Zone(s) and IP addresses of the traffic source |
Users | List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown or Known type. To apply rules to individual users or users of the Known type, make sure to set up authentication properly. For more details on user identification, please refer to Users and devices. |
Destination | A destination zone and/or a list of destination IP addresses for the traffic. |
Service | Service type, e.g. HTTP or HTTPS |
Time | Time ranges when the rule is active. |
9. Setting up a VPN
VPN (Virtual Private Network) is a set of technologies for establishing one or more network connections (i.e. a logical network) on top of another network (e.g. Internet). UserGate allows you to establish the following types of VPN connections:
- Remote access VPN. In this case, UserGate operates as the server while users of other devices become VPN clients. UserGate supports the standard clients of most popular operating systems, including Windows, Linux, Mac OS X, iOS, Android, and more.
- Site-to-Site VPN. In this case, one of your UserGate servers operates as the server while another UserGate server becomes a client. A client initiates a connection with the server. A server-to-server connection allows you to add all your remote offices to a single logical network.
Tunnels are established using Layer 2 Tunneling Protocol (L2TP), and the data being transmitted are protected with IPSec.
9.1. Remote access VPN
To connect VPN clients to your corporate network, set up UserGate to operate as the VPN server. To do this, perform the following steps:
Name | Description |
---|---|
Step 1. Allow the VPN service in the zone to which VPN clients will be connecting. | Go to Network-->Zones, edit the access control parameters for the zone to which VPN clients will be connecting and allow the VPN service in this zone. In most cases, it is the Untrusted zone. |
Step 2. Create a zone where your VPN clients will be placed. | Go to Network-->Zones and create a zone where you are going to place VPN clients. You will be able to use this zone in the security policies. It is recommended that you use the existing default zone VPN for remote access. |
Step 3. Create a new NAT rule for the zone. | Clients connect to a VPN using the Point-to-Point protocol. To allow the traffic flow from the zone that you have created in the previous step, create a NAT rule from this zone to all other zones that you need. Create the corresponding rule in Network policies-->NAT and routing. By default, UserGate provides a rule called NAT from VPN for remote access to Trusted and Untrusted that allows NAT from the VPN for remote access zone to the Trusted and Untrusted zones. |
Step 4. Create a firewall rule to allow the traffic flow from the created zone. | Go to Network policies-->Firewall and create a firewall rule to allow the traffic flow from the created zone to other zones. By default, UserGate provides a firewall rule called VPN for remote access to Trusted and Untrusted that allows all the traffic from the VPN for remote access zone to the Trusted and Untrusted zones. |
Step 5. Create an authentication profile. | Go to Users and devices-->Auth profiles and create an authentication profile for VPN users. You can use the same authentication profile that is set up for user authentication for Internet access. For more details on authentication profile, please refer to section Auth profiles. |
Step 6. Create a VPN security profile. | A server profile defines the preshared key, encryption and authentication algorithms, and other settings. You can create multiple server profiles and use them for establishing connections with various client types. To create a server profile, go to VPN-->Security profiles, click Add and fill out the following fields: By default, UserGate provides a server profile called Remote access VPN profile that defines all the necessary settings. If you are going to use this profile, make sure to change the preshared key. |
Step 7. Create a VPN device | A VPN device is a virtual network interface for connecting VPN clients. It is a cluster interface, which means it exists on all cluster nodes; if a high availability cluster is configured, VPN clients are switched automatically to a backup node without interrupting the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields: The VPN interface tunnel1 is preconfigured for use with the Remote access VPN. |
Step 8. Create a VPN network. | A VPN network defines the network settings that will be applied when a client connects to the server. These settings include assignment of IP addresses to a client within a tunnel, DNS settings, and optional routes that will be submitted to the client (provided that the client supports such routes). You can create multiple tunnels with different settings for different clients. To create a VPN network, go to VPN-->VPN networks, click Add and fill out the following fields: UserGate already provides a network called Remote access VPN network with the recommended settings. |
Step 9. Create a VPN server rule. | Create a VPN server rule based on the previously created VPN tunnel and VPN security profile. To create a rule, go to VPN-->Server rules, click Add and fill out the following fields: By default, UserGate provides a server rule called Remote access VPN rule that uses all the necessary settings for the Remote Access VPN and allows VPN access for all members of the local group called VPN users. |
Step 10. Set up the VPN on a client workstation. | To set up a client connection to the VPN, the following parameters must be specified on the user workstation: Important! For correct operation with L2TP/IPSec VPN servers, operating systems of the Microsoft Windows family require changing Registry parameters. Please refer to Microsoft's article https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows for detailed instructions. |
9.2. Site-to-Site VPN
To establish a Site-to-Site VPN, set up one UserGate as a VPN client and another UserGate as the VPN server. Though setting up UserGate as a VPN server is similar to that for a remote access server, we recommend that you set up all parameters individually since some of them may be different.
To set up your server as a shared VPN server for multiple offices, perform the following steps:
Name | Description |
---|---|
Step 1. Create a local user to authorize the server that will be operating as a VPN client. | Go to Users and devices --> Users and create new users for each of the remote UserGate servers that will be operating as VPN clients and then set up the user passwords. It is recommended that you add all the created users to a group with the access allowed to VPN connections. By default, UserGate provides a group called VPN servers for this purpose. |
Step 2. Allow the VPN service in the zone to which VPN clients will be connecting. | Go to Network-->Zones, edit the access control parameters for the zone to which VPN clients will be connecting and allow the VPN service in this zone. In most cases, it is the Untrusted zone. |
Step 3. Create a zone where your VPN servers will be placed. | Go to Network-->Zones and create a zone where you are going to place VPN servers. You will be able to use this zone in the security policies. It is recommended that you use the existing default zone VPN for Site-to-Site. |
Step 4. Create a firewall rule to allow the traffic flow from the created zone. | Go to Network policies-->Firewall and create a firewall rule to allow the traffic flow from the created zone to other zones. By default, UserGate provides a firewall rule called VPN for Site-to-Site to Trusted and Untrusted that allows all the traffic from the VPN for Site-to-Site to Trusted and Untrusted zones. Rule is disabled by default. |
Step 5. Create an authentication profile. | Go to Users and devices-->Auth profiles and create an authentication profile for VPN users. You can use the same authentication profile that is set up for user authentication and Internet access. For more details on authentication profile, please refer to section Auth profiles. |
Step 6. Create a VPN security profile. | A security profile defines the preshared key, encryption and authentication algorithms, and other settings. You can create multiple security profiles and use them for establishing connections with various client types. To create a security profile, go to VPN-->Security profiles, click Add and fill out the following fields: By default, UserGate provides a security profile called Site-to-Site VPN profile that defines all the necessary settings. If you are going to use this profile, make sure to change the preshared key. |
Step 7. Create a VPN device | A VPN device is a virtual network interface for connecting VPN clients. It is a cluster interface, which means it exists on all cluster nodes; if a high availability cluster is configured, VPN clients are switched automatically to a backup node without interrupting the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields: The VPN interface tunnel2 is preconfigured for use on the server side of a Site-to-Site VPN. |
Step 8. Create a VPN network. | A VPN network defines the network settings that will be applied when a client connects to the server. These settings include assignment of IP addresses to a client within a tunnel, DNS settings, and optional routes that will be submitted to the client (provided that the client supports such routes). You can create multiple tunnels with different settings for different clients. To create a VPN network, go to VPN-->VPN networks, click Add and fill out the following fields: UserGate already provides a VPN network called Site-to-Site VPN network with the recommended settings. To use this network, make sure to provide it with the routes that are sent to the client server. |
Step 9. Create a VPN server rule. | Create a VPN server rule based on the previously created VPN tunnel and VPN profile. To create a rule, go to VPN-->Server rules, click Add and fill out the following fields: By default, UserGate provides a server rule called Site-to-Site VPN rule that uses all the necessary settings for the Site-to-Site VPN and allows VPN access for all members of the local group called VPN servers. |
To set up your server as a VPN client, perform the following steps:
Name | Description |
---|---|
Step 1. Create a zone where you are going to place the interfaces for VPN connections. | Go to Network-->Zones and create a zone where you are going to place the interfaces for VPN connections. You will be able to use this zone in the security policies. It is recommended that you use the existing default zone VPN for Site-to-Site. |
Step 2. Create a firewall rule to allow the traffic flow to the created zone. | Create an Allow firewall rule in Network policies-->Firewall. By default, UserGate provides a firewall rule called VPN for Site-to-Site to Trusted and Untrusted that allows all the traffic among the VPN for Site-to-Site, Trusted and Untrusted zones. |
Step 3. Create a VPN device | A VPN device is a virtual network interface for connecting VPN clients. It is a cluster interface, which means it exists on all cluster nodes; if a high availability cluster is configured, VPN clients are switched automatically to a backup node without interrupting the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields: The VPN interface tunnel3 is preconfigured for use on the client side of a Site-to-Site VPN. |
Step 4. Create a VPN client rule. | Create a VPN client rule that will initiate connections to your VPN server. To create a rule, go to VPN-->Client rules, click Add and fill out the following fields: |
Once the VPN server and VPN client are up and running, the VPN client will initiate a connection to the server and establish a VPN tunnel upon success. To disable a tunnel, disable the VPN client rule (on the client side) or the VPN server rule (on the server side).
9.3. Setting up a web portal
The web portal allows you to provide access to internal web resources, terminal servers, and SSH servers for remote or mobile employees using only the HTTPS protocol. This technology does not require installing any additional VPN software and works directly in most popular browsers.
To set up web portal, perform the following steps:
Name | Description |
---|---|
Step 1. Enable and set up the web portal. | Go to General settings-->web portal, enable web portal and set up its parameters. These settings are described in more detail below in this section. |
Step 2. Allow access to the web portal service for the required zones. | Go to Network-->Zones and allow the web portal service for the selected zones (in most cases, it is the Untrusted zone). This grants access to the port of the service specified in the web portal settings in the previous step. |
Step 3. Add the internal resources to the web portal. | Go to VPN-->web portal and add the URLs of internal resources to which you are going to provide access for users. These settings are described in more detail below in this section. |
When setting up the web portal (in General settings-->web portal-->Configure), fill out the following fields:
Name | Description |
---|---|
Enabled | Enable or disable the web portal. |
Hostname | The host name that clients must use for connecting to the web portal service. This name must be resolvable via DNS to the IP address of the UserGate interface placed in the zone where the web portal is allowed. |
Port | The TCP port that will be used by the web portal service. The host name and port together form the URL that users will use for establishing connections: https://hostname:port |
Auth profile | The user authentication profile that will be utilized for authentication of users who connect to the web portal. The authentication profile defines an authentication method, e.g. the AD connector or a local user. In addition, you can also set up mandatory multi-factor authentication for accessing the web portal. For more details on authentication profiles, please refer to Auth profiles. |
Auth template | Select an authentication page template that displays the form where users enter their credentials. You can create a custom authentication page in Response pages. |
Portal template | Select a web portal template that displays the resources available via the web portal. You can create a custom web portal page in Response pages. |
Show AD/LDAP domain selector on auth page | Display the domain selector on the web portal authentication page. |
Protect with CAPTCHA | When this option is enabled, users will be asked to enter a code displayed on the login page of the web portal. This option is recommended for protection against bots trying to brute-force user passwords. |
Certificate | The certificate that will be used for establishing HTTPS connections. When the Automatic mode is selected, the system will use a certificate issued by the SSL inspection certificate for the Captive portal SSL certificate role. For more details on certificate roles, please refer to Managing certificates. |
Certificate-based user authentication | When this option is enabled, browsers will be required to provide user certificates. To do this, make sure to add the user certificate to the list of UserGate certificates, and also assign it the User certificate role and the corresponding user account. For more details on user certificates, please refer to section Managing certificates. |
To set up the web portal (in VPN-->web portal), create a URL publication bookmark for each internal web resource. Create a bookmark and fill out the following fields for each URL:
Name | Description |
---|---|
Enabled | Enable or disable the tab. |
Name | Name of the tab. |
Description | Description of the tab. |
URL | URL of the resource that will be published via the web portal. Make sure to provide a complete URL starting with http://, https://, ftp://, ssh:// or rdp://. Important! To publish terminal servers, make sure to disable the Network Level Authentication option in the RDP properties of the terminal servers. In this case, users will be authenticated and granted access to the servers through the web portal depending on its settings. |
Icon | An icon that will be displayed on the web portal for this tab. You can choose any ready-to-use icon, provide a URL of an external icon or upload a custom icon. |
Supporting URLs | Additional URLs that are required for the primary URL, but are not supposed to be published for users. For instance, the primary URL http://www.example.com may obtain some of the content from the supporting URL http://cdn.example.com. |
Users | A list of users and/or user groups that are allowed to view the bookmark on the web portal and also access the primary and supporting URLs. |
Bookmarks are shown to users in the same order as they are listed here. Administrators can reorder the bookmarks either using the Up, Above, Below, Down buttons or by dragging the tabs with a mouse.
10. Libraries¶
This large section provides all records, domain names, IP addresses, templates and other items that can be used in the UserGate rules.
By default, the libraries are already populated with data, but network administrators can add custom items as required. Note that certain items in libraries are read-only, since they are provided and supported by UserGate. Libraries provided by UserGate are updated automatically if you have the corresponding license. For more details on product licensing, please refer to UserGate licensing.
10.1. Morphology¶
Morphological analysis is a mechanism designed to recognize certain words and phrases on websites. If a text contains too many unwanted words or phrases, the system will block access to the website.
Morphological analysis is performed both when a user sends a new search query and when the requested web server responds to it. Once the web server responds, UserGate scans the text on the web page and calculates its total "weight" by matching words and phrases from the various morphological categories. If the total "weight" of the web page is higher than the weight configured for a morphological category, the rule will be triggered. The system also takes all word forms of prohibited words into account when calculating the "weight". UserGate looks up word forms in its built-in dictionaries, available in English, German, Russian, Japanese and Arabic.
You can also subscribe for additional dictionaries offered by UserGate. These dictionaries are read-only. You will also need the corresponding license to use them. For more details on product licensing, please refer to UserGate licensing.
Name | Description |
---|---|
Suicide | Morphological dictionary containing words and phrases related to suicide |
Terrorism | Morphological dictionary containing words and phrases related to terrorism |
Profanity | Morphological dictionary containing profane words and phrases |
Gambling | Morphological dictionary containing words and phrases related to gambling |
Drugs | Morphological dictionary containing words and phrases related to drugs |
Pornography | Morphological dictionary containing words and phrases related to pornography |
Restricted materials (Custom country code) | Morphological dictionary containing words and phrases not recommended for children according to some national laws. The GS1 suffix code for UserGate dictionaries complies with the national laws of the country. See http://www.gs1.org/company-prefix for details |
To set up morphology-based filtering, perform the following:
Name | Description |
---|---|
Step 1. Create one or more morphological categories and specify their weights | Click Add and specify the name and weight of the new category |
Step 2. Specify the list of prohibited phrases with their weights | Click Add and specify the necessary words and phrases. When adding a new word to any morphological dictionary, you can put the "!" modifier before the word, e.g. "!bassterd". In this case, the jargon word will not be expanded into word forms during analysis, which significantly reduces the risk of false positives |
Step 3. Create a new content filtering rule containing one or more morphological categories | Please refer to Content filtering. |
Network administrators can create custom dictionaries and distribute them from a single center to all UserGate servers. To create a custom morphological database, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new file with necessary phrases | Create a new file called list.txt with one word or phrase per line, optionally followed by its weight, e.g.: "!word1", "!word2", "!word3", "word4 50", …, "Lastword". In this case, the total weight of the dictionary will be 100. You can also specify a weight for each word (the default value is 100) |
Step 2. Put this file into a new archive | Zip the file into a new archive called list.zip |
Step 3. Create a new file with the necessary version of your dictionary | Create a new file version.txt and specify the database version (e.g. "3") in it. Make sure to increment this value each time you update the morphological dictionary |
Step 4. Publish files on your web server | Publish list.zip and version.txt on your website and make them available for download via http |
Step 5. Create a new morphological category and provide the URL for updating your dictionary | Create a new morphological database on every UserGate server. When creating a new database, make sure to provide a URL for installing updates. UserGate will check for a new version on your website every 4 hours and automatically update your dictionary once a newer version is released |
Important! When creating a new morphological dictionary, it is highly recommended that you put the "!" modifier before each word in phrases containing more than three words. Note that the system converts each word into all possible word forms (including cases, plural forms, grammatical tenses, etc.) when building a new morphological database, and the resulting number of words will be large. When you add long phrases, make sure to put the "!" modifier before each word that does not have word forms, e.g. before articles, prepositions and conjunctions. For example, the phrase "how to commit a painless suicide" should be added as "!how !to commit !a suicide !painlessly". This reduces the number of possible phrase variants while preserving the main idea of the initial phrase.
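An added example, not UserGate's own code, that models the weighting described in this section: each dictionary line is a word or phrase with an optional trailing weight (default 100), the page weight is the sum of the weights of every match found, and a category whose configured weight is exceeded triggers the rule. The product's real word-form dictionaries are not available here, so a crude English suffix stripper (an assumption of this example) stands in for them; tokens prefixed with "!" are compared literally, as the modifier is described above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

DEFAULT_WEIGHT = 100
# Stand-in for the product's word-form dictionaries (assumption of this example):
# strip one common English suffix so that "bets", "betting" and "bet" compare equal.
SUFFIXES = ("ing", "ed", "es", "s", "ly")


@dataclass(frozen=True)
class DictEntry:
    tokens: Tuple[Tuple[str, bool], ...]  # (word, literal) pairs; literal == "!" modifier
    weight: int


def stem(word: str) -> str:
    """Crude word-form normaliser: drop one known suffix if a usable stem remains."""
    for suffix in SUFFIXES:
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def parse_dictionary_line(line: str, default_weight: int = DEFAULT_WEIGHT) -> DictEntry:
    """'!free bets 30' -> tokens (('free', True), ('bets', False)), weight 30."""
    parts = line.split()
    weight = default_weight
    if len(parts) > 1 and parts[-1].isdigit():  # a trailing number is the weight
        weight = int(parts.pop())
    if not parts:
        raise ValueError(f"no words in dictionary line: {line!r}")
    tokens = tuple(
        (p[1:].lower(), True) if p.startswith("!") else (p.lower(), False)
        for p in parts
    )
    return DictEntry(tokens, weight)


def load_dictionary(lines: Iterable[str]) -> List[DictEntry]:
    return [parse_dictionary_line(line) for line in lines if line.strip()]


def token_matches(token: Tuple[str, bool], word: str) -> bool:
    text, literal = token
    if literal:  # "!" modifier: the word is matched exactly, no word-form expansion
        return text == word
    return stem(text) == stem(word)


def page_weight(text: str, entries: List[DictEntry]) -> int:
    """Sum the weight of every dictionary word/phrase occurrence in the text."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    total = 0
    for entry in entries:
        n = len(entry.tokens)
        for i in range(len(words) - n + 1):
            if all(token_matches(t, words[i + j]) for j, t in enumerate(entry.tokens)):
                total += entry.weight
    return total


def category_triggers(text: str, entries: List[DictEntry], category_weight: int) -> bool:
    """The rule fires when the page weight exceeds the category's configured weight."""
    return page_weight(text, entries) > category_weight
```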
10.2. Services¶
The Services section contains a list of public TCP/IP-based services, such as HTTP, HTTPS, FTP, etc., that you can use when composing UserGate rules. By default, the initial list of services is already predefined, but network administrators can add custom items as required. To add a new service, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new service | Click Add and then specify the name and comment for the new service |
Step 2. Specify the protocol and port | Click Add, select the necessary protocol from the list and specify the source and/or destination ports. To add a port range, use a dash (-), e.g. 33333-33344 |
10.3. IP addresses¶
The IP addresses section contains a list of IP ranges that you can use for composing UserGate rules. By default, the initial list of addresses is already predefined, but network administrators can add custom items as required. To add a new list of addresses, perform the following steps:
Name | Description |
---|---|
Step 1. Create list | Click Add and then specify the name for the list of IP addresses |
Step 2. Specify the URL for updating your list (optional) | Provide the server's address where your updatable list is hosted. Additional details about updatable lists are provided below in this chapter |
Step 3. Add IP addresses | Click Add and enter the addresses. Each address must be specified either as an IP address or as IP address/subnet mask, e.g. 192.168.1.5 or 192.168.1.0/24 |
Network administrators can create custom lists of IP addresses and distribute them from a single center to all UserGate servers. To create a new list of IP addresses, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new file with necessary IP addresses | Create a new file called list.txt containing a list of addresses |
Step 2. Put this file into a new archive | Zip the file into a new archive called list.zip |
Step 3. Create a new file with the necessary version of your list | Create a new file called version.txt and specify the list version (e.g. "3") in it. Make sure to increment this value each time you update the list |
Step 4. Publish files on your web server | Publish list.zip and version.txt on your website and make them available for download |
Step 5. Create a new list of IP addresses and provide a URL for installing updates | Create a new list of IP addresses on every UserGate server. When creating the list, make sure to provide a URL for installing updates. UserGate will check for a new version on your website every 4 hours and automatically update your list once a newer version is released |
10.4. Useragents¶
Useragent filters allow administrators to permit or block specific browsers for users, based on the browser's User-Agent string.
The initial default Useragent list is already included in the product. To apply the Useragent-specific filters, perform the following steps:
Name | Description |
---|---|
Step 1. Create a Useragent list. | Click Add and specify a name for the new UserAgent list. |
Step 2. Add the necessary browser Useragents to the new list. | Add the Useragent that you need. The full list of Useragent strings can be found here: http://www.useragentstring.com/pages/useragentstring.php |
Step 3. Create a content filtering rule with one or more lists. | Please refer to section Content filtering |
Administrators can create custom Useragent lists and distribute them centrally across all workstations on which UserGate is installed. To create a custom list, perform the following steps:
Name | Description |
---|---|
Step 1. Create a file with the necessary Useragent. | Create a file called list.txt with the Useragent list. |
Step 2. Create an archive containing this file. | Pack the file into the archive called list.zip. |
Step 3. Create a file containing the version of the list. | Create a file named version.txt and specify the list version number in it, e.g. 3. Make sure to increment this value each time the list is updated. |
Step 4. Publish the files on your web server. | Publish list.zip and version.txt on your site so that they can be downloaded. |
Step 5. Create a Useragent list and provide the URL for updates. | Create a Useragent list on each UserGate instance. Make sure to provide the address from which to download the updates. UserGate will check for a new version on your site every 4 hours and will update the list once a new version is available. |
10.5. Content types¶
Based on filtering by content type, you can block downloads of certain files, e.g. prohibit all *.doc files.
You can also subscribe for additional content types offered by UserGate. Note that these lists of content types are read-only. You will also need the corresponding license to use them. For more details on product licensing, please refer to UserGate licensing.
To set up filtering by content type, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new list of content types or select a predefined list from UserGate | Click Add and specify the name for the new list of content types. |
Step 2. Add the necessary MIME types to your list | Add the content types you want to prohibit in the MIME format. You can find description of various MIME types on the Internet, e.g.: https://www.iana.org/assignments/media-types/media-types.xhtml. For example, to block all *.doc files, add the following MIME type: application/msword. |
Step 3. Create a new content filtering rule containing one or more lists | Please refer to Content filtering. |
Network administrators can create custom lists of content types and distribute them from a single center to all UserGate servers. To create a new list of content types, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new file with necessary content types | Create a new file called list.txt containing a list of content types. |
Step 2. Put this file into a new archive | Zip the file into a new archive called list.zip. |
Step 3. Create a new file with the necessary version of your list | Create a new file called version.txt and specify the list version (e.g. "3") in it. Make sure to increment this value each time you update the list. |
Step 4. Publish files on your web server | Publish list.zip and version.txt on your website and make them available for download. |
Step 5. Create a new list of content types and provide a URL for installing updates | Create a new list of content types on every UserGate server. When creating the list, make sure to provide a URL for installing updates. UserGate will check for a new version on your website every 4 hours and automatically update your list once a newer version is released. |
10.6. URL lists¶
On this page, you can create various lists of URLs and then use them as black and white lists for the content filtering rules.
Note that UserGate offers its own updatable lists. You will also need the corresponding license to use them. For more details on product licensing, please refer to UserGate licensing.
Name | Description |
---|---|
UserGate black list | This list contains URLs prohibited by some national laws. |
Phishing black list | This list contains URLs of known phishing websites. |
UserGate white list | This list contains URLs of known trusted websites and portals. |
Search engines without safesearch capability | This list contains known search engines which do not provide safe search (family filter). We recommend blocking such search engines for parental control, as they provide a way to reach adult content. |
UserGate black list (Custom code) | This list contains URLs prohibited by some national laws. The GS1 suffix code for UserGate custom black/white lists complies with the national laws of the country. See http://www.gs1.org/company-prefix for details |
To set up filtering based on lists of URLs, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new list of URLs | Click Add and specify the name for the new list |
Step 2. Add the necessary records to your list | Add the necessary URLs to your list. You can use the special characters ^, $ and * in the lists: * stands for an arbitrary number of characters; ^ denotes the start of the line; $ denotes the end of the line. Note that the characters ? and # are not allowed here |
Step 3. Create a new content filtering rule containing one or more lists | Please refer to Content filtering. |
All records that start with http://, https:// or ftp://, or that contain one or more "/" characters, are handled as URLs: they apply to HTTP(S) filtering but not to DNS filtering. Any other string is treated as a domain name and therefore applies to both DNS and HTTP(S) filtering.
Example of URL record interpretation:
Sample record | Handling of DNS requests | Handling of HTTP requests |
---|---|---|
yahoo.com or *yahoo.com* | Blocks the entire domain with its third-level domains, e.g. sport.yahoo.com, mail.yahoo.com, and also qweryahoo.com | Blocks the entire domain with all its URLs and third-level domains, e.g.: |
^mail.yahoo.com$ | Blocks only mail.yahoo.com | Blocks only http://mail.yahoo.com |
^mail.yahoo.com/$ | Nothing is blocked | Nothing is blocked, since the trailing "/" makes this a URL record, but neither "https" nor "http" is specified |
^http://finance.yahoo.com/personal-finance/$ | Nothing is blocked | Blocks only |
^yahoo.com/12345/ | Nothing is blocked | Blocks |
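As an added example (not UserGate's own code), the record handling rules above expressed in Python: a record with a scheme prefix or any "/" is a URL record, compared against the full request URL and applied to HTTP(S) filtering only; every other record is a domain record, compared against the host name for both DNS and HTTP(S) filtering; * matches any run of characters, ^ and $ anchor the match, and ? or # are rejected. This matching model is inferred from the rows of the table above (the last row's result is not shown on the page and is not reproduced here).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

URL_SCHEMES = ("http://", "https://", "ftp://")


@dataclass(frozen=True)
class UrlListEntry:
    record: str         # the record exactly as written in the list
    is_url: bool        # True: HTTP(S) only; False: domain record, DNS and HTTP(S)
    regex: re.Pattern   # matcher built from the record


def compile_record(record: str) -> UrlListEntry:
    """Translate one list record into a regex honouring ^, $ and *."""
    record = record.strip()
    if not record:
        raise ValueError("empty record")
    if "?" in record or "#" in record:
        raise ValueError(f"characters ? and # are not allowed: {record!r}")
    core = record
    anchored_start = core.startswith("^")
    if anchored_start:
        core = core[1:]
    anchored_end = core.endswith("$")
    if anchored_end:
        core = core[:-1]
    # A scheme prefix or any "/" makes this a URL record rather than a domain.
    is_url = core.startswith(URL_SCHEMES) or "/" in core
    # "*" is any run of characters; everything else is matched literally.
    body = ".*".join(re.escape(part) for part in core.split("*"))
    pattern = ("^" if anchored_start else "") + body + ("$" if anchored_end else "")
    return UrlListEntry(record, is_url, re.compile(pattern, re.IGNORECASE))


def parse_list(lines: Iterable[str]) -> List[UrlListEntry]:
    return [compile_record(line) for line in lines if line.strip()]


def dns_blocked(entries: List[UrlListEntry], hostname: str) -> Optional[str]:
    """DNS filtering only sees a host name, so URL records never apply here."""
    for entry in entries:
        if not entry.is_url and entry.regex.search(hostname):
            return entry.record
    return None


def http_blocked(entries: List[UrlListEntry], url: str) -> Optional[str]:
    """HTTP(S) filtering: domain records match the host, URL records the full URL."""
    host = urlsplit(url).hostname or ""
    for entry in entries:
        subject = url if entry.is_url else host
        if entry.regex.search(subject):
            return entry.record
    return None
```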
Network administrators can create custom lists and distribute them from a single center to all UserGate servers. To create a new list, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new file with the necessary list of URLs | Create a new text file called list.txt with one URL per line, e.g.: www.site1.com/url1, www.site2.com/url2, …, www.siteend.com/urlN |
Step 2. Put this file into a new archive | Zip the file into a new archive called list.zip |
Step 3. Create a new file with the necessary version of your list | Create a new file called version.txt and specify the list version (e.g. "3") in it. Make sure to increment this value each time you update the list |
Step 4. Publish files on your web server | Publish list.zip and version.txt on your website and make them available for download |
Step 5. Create a new list of URLs and provide a URL for installing updates | Create a new list of URLs on every UserGate server. When creating the list, make sure to provide a URL for installing updates. UserGate will check for a new version on your website every 4 hours and automatically update your list once a newer version is released |
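An added example (not UserGate's code) of producing the updatable-list artefacts described in the five steps above, which are the same for the IP address lists earlier in this chapter: list.txt is validated, zipped as list.zip, and version.txt carries an integer version that must grow on every publish so the 4-hourly check picks the change up. The two validators encode the page's rules (no ? or # in URL records; IP entries as address or address/mask); the refusal to republish a stale version and the helper names are this example's own choices.

```python
import ipaddress
import tempfile
import zipfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List


def validate_url_record(record: str) -> str:
    """URL list rule from the page: the characters ? and # are not allowed."""
    record = record.strip()
    if not record or any(ch.isspace() for ch in record):
        raise ValueError(f"malformed URL record: {record!r}")
    if "?" in record or "#" in record:
        raise ValueError(f"characters ? and # are not allowed: {record!r}")
    return record


def validate_ip_record(record: str) -> str:
    """IP list rule from the page: an address or address/mask, e.g. 192.168.1.0/24."""
    record = record.strip()
    try:
        ipaddress.ip_network(record, strict=False)
    except ValueError as exc:
        raise ValueError(f"not an IP address or network: {record!r}") from exc
    return record


def read_published_version(out_dir: Path) -> int:
    """Version currently advertised in version.txt, or 0 if nothing was published yet."""
    version_file = out_dir / "version.txt"
    if not version_file.exists():
        return 0
    return int(version_file.read_text().strip())


def build_release(records: Iterable[str], version: int,
                  out_dir: Path, validate: Callable[[str], str]) -> Dict[str, object]:
    """Write list.zip (containing list.txt) and version.txt into out_dir."""
    if version <= read_published_version(out_dir):
        raise ValueError("version must be greater than the published one")
    clean: List[str] = [validate(r) for r in records if r.strip()]
    if not clean:
        raise ValueError("refusing to publish an empty list")
    out_dir.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(out_dir / "list.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("list.txt", "\n".join(clean) + "\n")
    (out_dir / "version.txt").write_text(f"{version}\n")
    return {"version": version, "records": len(clean)}


def needs_update(installed_version: int, out_dir: Path) -> bool:
    """The decision the periodic check makes: download only if a newer version exists."""
    return read_published_version(out_dir) > installed_version


def publish_demo() -> Dict[str, object]:
    """Run a full publish cycle on constructed sample URLs in a temporary directory."""
    urls = ["www.site1.com/url1", "www.site2.com/url2"]  # constructed sample data
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        first = build_release(urls, 1, out, validate_url_record)
        stale_rejected = False
        try:
            build_release(urls, 1, out, validate_url_record)  # same version again
        except ValueError:
            stale_rejected = True
        second = build_release(urls + ["www.site3.com/url3"], 2, out, validate_url_record)
        with zipfile.ZipFile(out / "list.zip") as zf:
            members = zf.namelist()
            lines = zf.read("list.txt").decode().split()
        return {
            "first": first, "second": second,
            "stale_rejected": stale_rejected,
            "members": members, "lines": lines,
            "update_for_v1": needs_update(1, out),
            "update_for_v2": needs_update(2, out),
        }
```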
10.7. Time sets¶
Based on time sets, you can add time periods and then use them for composing various UserGate rules. By default, the initial list is already predefined, but network administrators can add custom items as required. To add a new time set, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new time set | Click Add and then specify the name for the time set |
Step 2. Add the necessary time periods to your time set | Click Add and specify a new period. Make sure to provide a name and time range for the period |
10.8. Bandwidth pools¶
The Bandwidth pools library item defines the data transfer speed that you can use for composing various rules and managing the network bandwidth. For more details on how to manage the network bandwidth, please refer to Traffic shaping.
By default, the initial list is already predefined, but network administrators can add custom items as required. To add a new bandwidth item, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new bandwidth item | Click Add and then specify the name and description of the new bandwidth. |
Step 2. Specify the speed | Specify the data transfer speed in Kbytes/s. |
Step 3. Provide the DSCP value for QoS. | Optional parameter. When this option is enabled, the value will be set in the DSCP field of each IP packet. Ranges from 0 to 63. |
10.9. SCADA profiles¶
A SCADA profile is a set of elements each containing a SCADA command and an address. SCADA profiles are used in SCADA rules. For more details on SCADA traffic filtering, please refer to section SCADA rules.
10.10. Response pages¶
Based on response page templates, network administrators can manage the appearance of the blocking and authentication pages of the Captive portal. Network administrators can apply various templates depending on the content filtering rules and rules of the Captive portal.
UserGate is pre-packed with three default types of templates, which are templates for the Captive portal, templates for user session control, and templates of the blocking page. Based on these built-in templates, you can create custom templates using your corporate style, logos, and language.
Name | Description |
---|---|
Templates Blockpage | Default blocking template. |
Templates Captive portal user auth | User authentication template for the Captive portal. The template displays a form for user authentication (by username and password). After a successful authentication, a user is granted the Internet access. |
Templates Captive portal user auth + policy | User authentication template for the Captive portal. The template displays a form for user authentication (by username and password) and network usage rules (Terms and Conditions) and then asks a user to accept the network access policy. After a successful authentication and policy acceptance, a user is granted the Internet access. |
Templates Captive portal: email auth | Template for user authentication via the Captive portal; this template allows users to register in the system on their own and then confirm their registration by email. |
Templates Captive portal: SMS auth | Template for user authentication via the Captive portal; these templates allow users to register in the system on their own and then confirm their registration via SMS. |
Templates Captive portal policy | User authentication template for the Captive portal. The template does not require user authentication (by username and password), but displays the network usage rules (Terms and Conditions) and asks a user to accept the network access policy. After accepting the network access policy, a user is granted the Internet access. Make sure to set up the Accept policy method as the default authentication method of the Captive profile for proper operation of this template. |
Templates Captive portal user session | Template for logging out of the current user session via http://logout.captive or http://UserGate_IP/cps |
Templates Content warning page block | This template contains a warning page that will be displayed when a content filtering rule is triggered with the Warn operation. |
Templates FTP over HTTP view | These templates are used for displaying the content of FTP over HTTP servers. |
Web portal portal page | These templates are used for displaying the content of web portal page. |
Web portal login page for RDP | These templates are used for displaying the login page for RDP resources when connecting over web portal. |
Web portal login page for SSH | These templates are used for displaying the login page for SSH resources when connecting over web portal. |
To create a new custom template, perform the following steps:
Name | Description |
---|---|
Step 1. Export one of the default templates | Select an existing template, click Export and then save it to a file. |
Step 2. Modify the exported template | Modify the template contents using an editor. It is not recommended that you use HTML editors, since they can corrupt the internal structure of your template. Instead, try to use simple text editors. |
Step 3. Create a new template | Click Add, select the corresponding template type, specify the name of the template and then save changes. |
Step 4. Import the template modified on step 2 | Select the newly created template, click Import and then choose a file containing the modified template. |
10.11. URL categories¶
Based on the URL Category library items, you can create groups of UserGate URL filtering categories for convenient usage of content filtering rules. For example, network administrators can create a group called "Business Categories" and then add the corresponding categories into it.
Note that you will have to install the corresponding license in order to use UserGate URL filtering categories.
By default, the initial list is already predefined, but network administrators can add custom items as required.
Name | Description |
---|---|
Threats | Categories recommended for blocking for security reasons. |
Parental Control | Categories recommended for blocking in order to protect children from unwanted content. |
Productivity | Categories recommended for blocking in order to improve the labor discipline. |
Safe categories | Categories considered as secure ones. It is recommended that you disable morphological checks and capturing of HTTPS traffic for this group of categories in order to reduce false triggering. |
Recommended for morphology checking | Categories recommended for morphological checks. These categories do not include News, Finance, Government, Information Security, Kids websites and other categories in order to reduce false triggering. The same categories are recommended for HTTPS traffic capturing. |
Recommended for virus check | Categories recommended for virus checks. |
To add a new group of categories, perform the following steps:
Name | Description |
---|---|
Step 1. Create a group of categories | Click Add and then specify the name for the group |
Step 2. Add the categories | Click Add and then select the necessary categories from the list |
10.12. Overridden URL categories¶
On this page, you can override the URL category assigned to a particular website (domain). This is useful if a site has no category assigned or its assigned URL category is incorrect. To assign a new category to a website, perform the following steps:
Name | Description |
---|---|
Step 1. Check the site's original category | In Libraries --> Overridden URL categories, type the site's address and click Check categories. |
Step 2. Assign a new category | If the reported category is not correct, click Add, select up to 2 new URL categories and click Save. |
When finished, the website will be shown in the list of overridden sites along with the date, the name of the administrator who made the change, and the original and new categories.
The next time you check this site's categories, only the new categories will be reported, plus one special category: User overridden domains.
Administrators can export the list of sites with changed categories and import any text file of websites to assign them the required categories.
10.13. Applications¶
Based on Application library items, you can create groups of applications and then conveniently use them in firewall rules and bandwidth rules. For example, network administrators can create a group of applications called "Business Applications" and then add the corresponding applications into it.
To add a new group of applications, perform the following steps:
Name | Description |
---|---|
Step 1. Create a group of applications | Click Add and then specify the name for the group |
Step 2. Add the applications | Click Add and then select the necessary applications from the list |
10.14. Emails¶
Based on the Email library items, you can create groups of email addresses and then use them in email traffic filtering rules and notifications.
To add a new group of emails, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new group of emails | Click Add and then specify the name for the group |
Step 2. Add new emails to the group | Click Add and then add the necessary emails |
10.15. Phones¶
Based on the Phone library items, you can create groups of phone numbers and then use them in various SMPP notification rules.
To add a new group of phone numbers, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new group of phone numbers | Click Add and then specify the name for the group |
Step 2. Add new phone numbers to the group | Click Add and then add the necessary phone numbers |
10.16. IPS profiles¶
An IPS profile is a set of signatures relevant for the protection of certain services. Administrators can create any number of IPS profiles to protect various services. It is recommended that you avoid adding excessive signatures to profiles and use only the signatures that really matter for security. For example, do not add UDP-specific signatures to a profile that protects a TCP-based service. When there are too many signatures, the system will process traffic more slowly due to the additional CPU workload. For more details on how to create and use IPS profiles, please refer to section Intrusion prevention system.
10.17. Notification profiles¶
Notification profiles specify the transport used for delivering notifications to recipients. The system supports 2 types of transport:
- SMTP, message delivery by Email
- SMPP, message delivery by SMS
To create a new SMTP message profile, click Add in the Notifications--> Notification profiles section, select Add SMTP notification profile and then specify the following fields:
Name | Description |
---|---|
Name | Name of the profile |
Description | Description of the profile |
Host | IP address of the SMTP server that you are going to use for sending messages |
Port | TCP port used by the SMTP server (usually port 25 for SMTP and port 465 for SMTP with SSL). Ask your email server administrator to provide this value |
Connection security | The following email security options are supported: None, STARTTLS, SSL |
Authentication | Enables authentication for SMTP server |
Login | Username of the account used for connecting to the SMTP server |
Password | Password of the account used for connecting to the SMTP server |
To create a new SMPP message profile, click Add in the Notifications--> Notification profiles section, select Add SMPP notification profile and then specify the following fields:
Name | Description |
---|---|
Name | Name of the profile |
Description | Description of the profile |
Host | IP address of the SMPP server that you are going to use for sending SMS messages |
Port | TCP port used by the SMPP server (usually port 2775 for SMPP and port 3550 for SMPP with SSL). |
SSL | Whether to use the SSL encryption |
Login | Username of the account used for connecting to the SMPP server |
Password | Password of the account used for connecting to the SMPP server |
Phone translation rules | Allows changing the prefix of phone numbers, e.g. 11234567890 to +111234567890. This can be required by some SMPP providers |
11. Dashboard¶
This section allows you to view the current status of the server along with its workload, number of users, traffic volumes going through the server, applied filters, license status, and more. Reports are provided as widgets that can be configured by system administrators depending on the current needs. You can add, remove, resize or move the widgets on the Dashboard page.
12. Diagnostics and monitoring¶
12.1. Routes¶
In the Routes section, you can obtain a list of all routes specified in a given UserGate node. To view the routes, click Filter and provide the types of routes to be displayed. You can specify the following route types:
- Connected - the routes to networks that are directly connected to the UserGate interfaces. Such routes will be marked with the C character in the list of routes.
- Kernel - the routes defined statically in Network-->Routes. Such routes will be marked with the S character in the list of routes.
- OSPF - the routes obtained using the OSPF protocol. Such routes will be marked with the O character in the list of routes.
- BGP - the routes obtained using the BGP protocol. Such routes will be marked with the B character in the list of routes.
You can download the displayed list of routes as a text file by clicking Download all routes.
12.2. VPN¶
In the VPN section, you can view all users and all servers connected to a given server by VPN. The following information is displayed for each connection:
- User - the user name for which the connection has been authorized
- Type - a client or a server
- Duration - duration of the established connection
- Source Geo IP - the country from which the connection has been established (detected by Geo IP)
- Encryption - encryption type
- Transmission speed - the data transmission speed at the moment when the page is being displayed
- Reception speed - the data reception speed at the moment when the page is being displayed
- Bytes sent - the volume of the outgoing data
- Bytes received - the volume of the incoming data
- Packets sent - the number of packets sent since the VPN session has started
- Packets received - the number of packets received since the VPN session has started
12.3. Web portal¶
In the Web portal section, you can view all users and all servers connected to a given server via the web portal. The following information is displayed for each connection:
- User - the user name for which the connection has been authorized
- Started - the time when the connection was established
- Source IP - the source IP address of the connected user
- Useragent - the User-Agent string of the connected user's browser
12.4. Packet capture¶
In the Packet capture section, you can record the traffic that meets the specified conditions to a PCAP file for later analysis in third-party applications, such as Wireshark. This may be useful for network diagnostics and troubleshooting.
The section consists of three parts:
- Filters - this subsection defines the conditions for traffic recording. You can use the source address, source port, destination address, Ethernet protocol, or IPv4 protocol as the conditions to start recording. The list of IPv4 protocols can be found at http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
- Rules - the rules contain the UserGate interfaces in which the traffic must be recorded, custom filters, and also the name and size of the file in which the captured traffic is recorded.
- Files - this subsection contains files with recorded traffic. You can download them for analysis or remove them.
To record the traffic, perform the following steps:
Name | Description |
---|---|
Step 1. Create the filter that you need. | Optional. You can use the predefined filters or record all the traffic without any filters. |
Step 2. Create a new rule. | Create a rule and provide the rule name, file name, maximum size of the file, and the necessary filters. |
Step 3. Select the rule you need and start recording. | Select the necessary rule and click Start capture. When all the data is recorded, click Stop capture. |
Step 4. Download the output file in the Files section. | Download the PCAP file for analysis. |
12.5. Requests to a white list¶
When a website is blocked according to content filtering rules, the user sees a blocking page that describes the reason for blocking along with the name of the filtering rule, website category, morphological database or black list used for blocking. In addition, the blocking page allows the user to request adding this website to the white list if it has been blocked by mistake. When a user clicks Add to white list, the corresponding request appears in Requests for white list. Network administrators can perform the following actions with user requests:
Name | Description |
---|---|
Add to white list | Adds the provided URL to the white list. The system will prompt network administrators to modify URL and select a white list which this web resource will be added to. |
Delete | Removes the request from the list of requests. |
Reject URL | Adds the requested URL to the list of discarded requests. Once the request is discarded, the Add to white list option will not be shown on the blocking page for this URL anymore. The list of discarded domains and URLs is displayed in the rejected requests window. |
Reject domain | Adds the domain of the requested URL to the list of discarded requests. Once the request is discarded, the Add to white list option will not be available on the blocking page for this domain anymore. The list of discarded domains and URLs is displayed in the rejected requests window. |
Network administrators can check the category of a web resource using the Check URL form. If the web resource appears to be in a wrong category, network administrators can request a category change by suggesting another category, or override the site's category locally for their UserGate.
To request a category change, the administrator should click the Suggest URL category button. The system sends this request to UserGate so that our support team can check it and make the necessary updates to the UserGate URL filtering database.
To change the category locally, the administrator should click Override category, select up to 2 new URL categories and click Save. All sites with changed categories are listed in Libraries --> Overridden URL categories.
The next time you check this site's categories, only the new categories will be reported, plus one special category - User overridden domains.
12.6. Tracing of rules¶
Using the rule tracing feature, administrators can check which rules are triggered in response to user HTTP(S) requests. This can be very useful for diagnostics of various access issues for certain sites. To trace the rules, perform the following steps:
Name | Description |
---|---|
Step 1. Create the filter that you need. | Click Configure in Diagnostics and monitoring-->Tracing rules and provide the filter parameters:
The filter limits the volume of the output diagnostic information. When no filter is set up, you will also see the results for other user requests. |
Step 2. Run the tracing. | Click Start tracing. |
Step 3. Open the site with access issues. | Ask a user to open the site with access issues and check which rules are triggered at the moment. You will see all the rules that are triggered when a user request is being processed. |
12.7. Ping¶
Using the 'ping' routine, you can check availability of various network resources. Parameters of the 'ping' command:
Name | Description |
---|---|
Ping host | A host to be checked. |
TTL | The maximum number of intermediate hops allowed on the route to the host being checked. |
Interface | A network interface from which to run ping. |
Count | Number of ping requests to send. |
Show timestamp | Add a timestamp to the command output. |
Don't resolve names | Operate with IP addresses without replacing them with domain names |
12.8. Traceroute¶
Using the 'traceroute' routine, you can trace the route of the network packets sent to a given host. Parameters of the 'traceroute' command:
Name | Description |
---|---|
Traceroute host | A host to be checked. |
Interface | A network interface from which to run the command. |
Do not resolve names | Operate with IP addresses without replacing them with domain names |
12.9. DNS query¶
Using the DNS query tool, you can check how DNS names are resolved. Parameters of the DNS query:
Name | Description |
---|---|
DNS query (host) | A hostname to be checked. |
Query source IP | One of the IP addresses assigned to UserGate |
DNS server | DNS server to send requests to |
Port | UDP port to use for DNS requests |
Query type | Type of DNS request to send |
12.10. Notifications¶
In this section, you can set up notification profiles and then use them for sending notifications about various events, e.g. high CPU workload or sending a password to a user via SMS.
12.10.1. Alert rules¶
Based on alert rules, network administrators can send information about certain events of the UserGate server to the specified recipients. To create a new notification rule, perform the following steps:
Name | Description |
---|---|
Step 1. Create one or more notification profiles | Please refer to Notifications-->Notification profiles |
Step 2. Create one or more groups of message recipients | Please refer to Libraries-->Emails and Libraries-->Phones |
Step 3. Create a new alert rule | Add a new rule in the Notifications-->Alert rules section |
Specify the following parameters when adding a new rule:
Name | Description |
---|---|
Enabled | Enables or disables a rule |
Name | Rule name |
Description | Description of a rule |
Notification profile | Select a notification profile that you have previously created. The system will display a separate tab for adding phone numbers (for SMPP profiles) or for adding email addresses (for SMTP profiles) |
Sender | Specify the notification sender |
Subject | Specify the notification subject |
Wait for next alert, seconds | Specify the server's timeout before sending the next message if the rule is triggered again |
Events | Specify the events for which you want to receive notifications |
Phones | Applicable for SMPP profiles only. Specify the groups of phone numbers to which SMS notifications will be sent |
Emails | Applicable for SMTP profiles only. Specify the groups of emails to which email notifications will be sent |
12.10.2. SNMP monitoring¶
UserGate supports the SNMP v2c and SNMP v3 protocols for monitoring purposes. The system can use both SNMP queries and SNMP traps, thereby allowing you to track critical parameters of UserGate directly from the SNMP management software deployed in your company.
To set up the SNMP-based monitoring, you should first define the SNMP rules. To create a new SNMP rule, click Add in the SNMP section and specify the following parameters:
Name | Description |
---|---|
Name | Rule name |
Trap host IP, port | IP address of the trap server and the port on which the server will be listening for events (usually UDP 162). This option is necessary only if you want to send traps to the notification center. |
Community | SNMP community - a string for identification of the UserGate server and the SNMP management server for SNMP v2c. Make sure to use only digits and Latin letters. |
Context | Optional parameter which defines the SNMP context. Make sure to use only digits and Latin letters. |
Version | Specify the version of the SNMP protocol that you want to use in this rule. Possible values are SNMP v2 and SNMP v3. |
Operation: SNMP queries | When enabled, the system will be retrieving and handling SNMP queries from the SNMP manager. |
Operation: SNMP traps | When enabled, the system will be sending SNMP traps to the management server. |
Username | Applicable for SNMP v3 only. Username for authentication of the SNMP manager. |
Authentication type | Select an authentication mode for the SNMP manager. Possible values:
The most secure mode is authPriv. |
Authentication algorithm | Algorithm used for authentication |
Authentication password | Password used for authentication |
Encryption algorithm | Algorithm used for encryption. Possible values are DES and AES. |
Encryption password | Password used for encryption |
Events | Specify the parameters that will be available to the SNMP manager. If you enabled sending traps, the system will send a trap each time a critical value is reached. |
Important! Make sure that all authentication settings for SNMP v2c (community) and SNMP v3 (user, authentication type, authentication algorithm, authentication password, encryption algorithm, encryption password) in the SNMP manager are exactly the same as in UserGate.
For more details on how to configure authentication parameters for your SNMP manager, please refer to the manuals of the SNMP management software you are using.
By clicking Download MIBs, you can download MIB files with UserGate monitoring parameters and then use them in your SNMP manager. UserGate has its own unique ID 45741 for SNMP (Private Enterprise Number).
13. Logs and reports¶
13.1. Logs¶
13.1.1. Event log¶
The event log displays events in which any settings of the UserGate server have been changed, e.g. adding/removing/modifying data of a user account, rule or any other item. Here you can also view all login events for the web console, user authentication via the Captive portal, and so on.
For convenience, you can filter certain events by various criteria, such as date range, component, severity, or event type.
Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.
By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.
13.1.2. Web access log¶
The web access log displays all user requests sent to the Internet via HTTP and HTTPS. The following information is displayed:
- The UserGate node where the event has taken place
- Time of the event
- User
- Actions
- Rule
- Reason (if the site has been blocked)
- URL
- Source zone
- Source IP address
- Source port
- Destination IP
- Destination port
- Categories
- Protocol (HTTP)
- Method (HTTP)
- Response code (HTTP)
- MIME (if any)
- Bytes sent/received
- Packets sent
- Referrer (if any)
- Operating system
- Browser
Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.
For convenience, you can filter and search certain events and records by various criteria, such as user account, rule, action, and more.
By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.
13.1.3. Traffic log¶
The traffic log displays all events in which firewall rules or NAT rules have been triggered (providing that packet logging has been enabled). The following information is displayed:
- The UserGate node where the event has taken place
- Time of the event
- User
- Operation
- Rule
- Application
- Protocol
- Source zone
- Source address
- Source port
- Destination IP
- Destination port
- NAT source IP (if this is a NAT rule)
- NAT source port (if this is a NAT rule)
- NAT destination IP (if this is a NAT rule)
- NAT destination port (if this is a NAT rule)
- Bytes sent/received
- Packets
Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.
For convenience, you can filter and search certain events and records by various criteria, such as user account, rule, action, and more.
By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.
13.1.4. IPS log¶
The IPS log displays the triggered IPS signatures for which a logging or blocking action has been set up. The following information is displayed:
- The UserGate node where the event has taken place
- Time
- Operation
- Signature
- Class — the signature class
- CVE — vulnerability ID according to the CVE database
- Bugtrack — vulnerability ID according to the Bugtrack database
- Nessus — vulnerability ID according to the Nessus database
- Protocol
- Source IP
- Source port
- Destination IP
- Destination port
- Signature triggering details
Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.
For convenience, you can filter and search certain events and records by various criteria, such as protocol, date range, action, and more.
By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.
13.1.5. Search history¶
In the Search history section, you can view all search queries from users for which logging is enabled in the safe browsing policies. Administrators can filter and display columns as required. To do this, click any column and in the shortcut menu that appears enable the checkboxes that correspond to the necessary columns.
For convenience, you can filter and search certain events and records by various criteria, such as user, date range, search engines, and more.
By clicking Export to CSV administrators can download the filtered data from a log as a CSV file for additional analysis.
13.1.6. Searching and filtering¶
Since logs usually contain lots of entries, UserGate offers convenient ways to search for and filter the necessary information. Administrators may choose between the basic and advanced search modes in logs.
In the basic search mode, administrators can use a GUI to set up filtering by one or more fields in logs and thus exclude excessive data. For example, it is possible to set up filters by time period, list of users, category, etc. Setting up various search criteria is intuitive and does not require any special knowledge.
More sophisticated filters can be configured by means of the advanced search mode with a special query language. In the advanced search mode, you are free to compose queries using log fields that are not available in the basic mode. Such queries may also include field names, field values, keywords, and operators. Field values that contain spaces must be enclosed in single or double quotes. Parentheses can be used for grouping multiple conditions.
Keywords must be separated by spaces and may be as follows:
Name | Description |
---|---|
AND/and | Logical AND: all conditions in the query must be met. |
OR/or | Logical OR: at least one condition in the query must be met. |
You can use the following operators to define filter conditions:
Name | Description |
---|---|
= | Equal to. Searches for the specified value only, e.g. the query ip=172.16.31.1 will display all log entries in which the "IP" field exactly equals to "172.16.31.1". |
!= | Not equal to. Searches for any values except the specified one, e.g. the query ip!=172.16.31.1 will display all log entries in which the "IP" field is not equal to "172.16.31.1". |
<= | Less or equal. The field value must be less or equal to that in the query. Can be applied only to the fields that support comparison, such as date fields, portSource, portDest, statusCode, etc., e.g. date <= '2019-03-28T20:59:59' AND statusCode=303 |
>= | Greater or equal. The field value must be greater or equal to that in the query. Can be applied only to the fields that support comparison, such as date fields, portSource, portDest, statusCode, etc., e.g. date >= "2019-03-13T21:00:00" AND statusCode=200 |
< | Less. The field value must be less than that in the query. Can be applied only to the fields that support comparison, such as date fields, portSource, portDest, statusCode, etc., e.g. date < '2019-03-28T20:59:59' AND statusCode=404 |
> | Greater. The field value must be greater than that in the query. Can be applied only to the fields that support comparison, such as date fields, portSource, portDest, statusCode, etc., e.g. (statusCode>200 AND statusCode <300) OR (statusCode=404) |
IN | Allows you to specify multiple field values in a query. Use parentheses to denote a list of values, e.g. category IN (botnets, compromised, 'illegal software', 'phishing and fraud','reputation high risk','unknown category') |
~ | Contains. Allows you to specify a substring that must be found in a given field, e.g. browser ~ "Mozilla/5.0". This operator is applicable only to string fields. |
!~ | Does not contain. Allows you to specify a substring that must not be found in a given field, e.g. browser !~ "Mozilla/5.0". This operator is applicable only to string fields. |
For your convenience, UserGate suggests the possible field names, applicable operators and allowed values as you compose an advanced query. When you switch from the basic search mode to the advanced one, UserGate automatically generates a search string according to the filter conditions that you have specified in the basic search mode.
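As an added example (not UserGate's own code), here is a small Python evaluator for the advanced-search query language described above: it tokenizes and parses the keywords, operators, parentheses and quoted values from the tables, then runs the page's sample queries against a constructed set of web access log entries. The field names in the sample records (ip, date, statusCode, category, browser) come from the examples in the tables; the records themselves are made up.

```python
import re

# Tokens: quoted values, parentheses/commas, operators (longest first), bare words.
_TOKEN_RE = re.compile(
    r"""\s*(?:(?P<q>'[^']*'|"[^"]*")|(?P<p>[(),])|(?P<op>!=|<=|>=|!~|[=<>~])|(?P<w>[^\s()=!<>~,]+))""")

def tokenize(query):                                # -> list of (kind, text); AND/OR/IN are keywords
    toks, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}: {query[pos:]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "q":
            toks.append(("value", text[1:-1]))           # quotes stripped
        elif kind == "w":
            toks.append((text.upper() if text.upper() in ("AND", "OR", "IN") else "word", text))
        else:
            toks.append((text if kind == "p" else "op", text))
    return toks

def _peek(toks):
    return toks[0][0] if toks else None

def _take(toks, *kinds):                            # consume a token, optionally checking its kind
    if kinds and _peek(toks) not in kinds:
        raise ValueError(f"expected {'/'.join(kinds)}, got {toks[:1]}")
    return toks.pop(0)[1] if toks else None

def parse(query):                                   # expression tree: OR binds loosest, then AND
    toks = tokenize(query)
    node = _expr(toks)
    if toks:
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return node

def _expr(toks):                                    # expr := term (OR term)*
    node = _term(toks)
    while _peek(toks) == "OR":
        _take(toks)
        node = ("or", node, _term(toks))
    return node

def _term(toks):                                    # term := factor (AND factor)*
    node = _factor(toks)
    while _peek(toks) == "AND":
        _take(toks)
        node = ("and", node, _factor(toks))
    return node

def _factor(toks):                                  # '(' expr ')' | field op value | field IN (...)
    if _peek(toks) == "(":
        _take(toks)
        node = _expr(toks)
        _take(toks, ")")
        return node
    field = _take(toks, "word")
    if _peek(toks) != "IN":
        return (_take(toks, "op"), field, _take(toks, "word", "value"))
    _take(toks)
    _take(toks, "(")
    values = [_take(toks, "word", "value")]
    while _peek(toks) == ",":
        _take(toks)
        values.append(_take(toks, "word", "value"))
    _take(toks, ")")
    return ("in", field, values)

def _key(v):                                        # integers compare numerically, dates as text
    return (0, int(v)) if v.lstrip("-").isdigit() else (1, v)

_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "in": lambda a, b: a in b,
        "~": lambda a, b: b in a, "!~": lambda a, b: b not in a,
        "<": lambda a, b: _key(a) < _key(b), "<=": lambda a, b: _key(a) <= _key(b),
        ">": lambda a, b: _key(a) > _key(b), ">=": lambda a, b: _key(a) >= _key(b)}

def evaluate(node, record):
    kind, left, right = node
    if kind == "and":
        return evaluate(left, record) and evaluate(right, record)
    if kind == "or":
        return evaluate(left, record) or evaluate(right, record)
    # A missing field never matches; field values are compared as text.
    return left in record and _OPS[kind](str(record[left]), right)

def search(query, records):
    tree = parse(query)
    return [r for r in records if evaluate(tree, r)]

# Constructed sample web access log entries (not real UserGate output).
SAMPLE_LOG = [
    {"ip": "172.16.31.1", "date": "2019-03-28T20:15:00", "statusCode": 303, "category": "phishing and fraud", "browser": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ip": "172.16.31.2", "date": "2019-03-28T21:10:00", "statusCode": 200, "category": "news", "browser": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"ip": "172.16.31.3", "date": "2019-03-29T08:00:00", "statusCode": 404, "category": "unknown category", "browser": "curl/7.64.0"},
    {"ip": "172.16.31.1", "date": "2019-03-29T09:30:00", "statusCode": 204, "category": "botnets", "browser": "python-requests/2.21.0"},
]
```

A query such as `search("category IN (botnets, 'phishing and fraud')", SAMPLE_LOG)` returns the matching dictionaries; a malformed query (an unbalanced parenthesis or a missing value) raises ValueError instead of silently matching nothing.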
13.1.7. Logs export¶
The log export feature in UserGate allows you to upload the information to external servers for later analysis or for processing in SIEM (Security Information and Event Management) systems.
UserGate supports the following logs:
- Events
- Web access
- IPS
- Traffic
The system supports sending logs to SSH (SFTP), FTP and Syslog servers. You can set up a schedule according to which the logs will be sent to SSH and FTP servers. Sending to Syslog servers is performed each time a new record is added into a log.
To start sending logs, you should create a logs export configuration in the Logs export section.
Specify the following parameters when creating a new configuration:
Name | Description |
---|---|
Name | Name of the log export rule |
Description | Optional field for rule description |
Logs for export | Select logs for export
Set log format for every type of logs:
Consult with SIEM documentation to select correct format type. |
Server type | SSH (SFTP), FTP, Syslog |
Server address | IP address or domain name of the server |
Transport | Only for Syslog servers (TCP or UDP) |
Port | Server ports to which the data should be sent |
Protocol | Only for Syslog servers. Choose the protocol compatible with your SIEM: RFC 5424 or BSD syslog (RFC 3164). |
Severity | Only for Syslog servers. Optional field. Consult the SIEM documentation to select the correct value. Possible values: 0 - Emergency (system is unusable); 1 - Alert (action must be taken immediately); 2 - Critical (critical conditions); 3 - Error (error conditions); 4 - Warning (warning conditions); 5 - Notice (normal but significant condition); 6 - Informational (informational messages); 7 - Debug (debug-level messages) |
Facility | Only for Syslog servers. Optional field. Consult the SIEM documentation to select the correct value. Possible values: 0 - kernel messages; 1 - user-level messages; 2 - mail system; 3 - system daemons; 4 - security/authorization messages; 5 - messages generated internally by syslogd; 6 - line printer subsystem; 7 - network news subsystem; 8 - UUCP subsystem; 9 - clock daemon; 10 - security/authorization messages; 11 - FTP daemon; 12 - NTP subsystem; 13 - log audit; 14 - log alert; 15 - clock daemon (note 2) |
Hostname | Only for Syslog servers. The hostname field identifies the machine that originally sent the syslog message. It should be a fully qualified domain name (FQDN). |
App-Name | Only for Syslog servers. The App-Name field should identify the device or application that originated the message. It is a string without further semantics. It is intended for filtering messages on a relay or collector. |
Login | Username of the account used for connecting to a remote server. Not applicable for Syslog servers |
Password | Password of the account used for connecting to a remote server. Not applicable for Syslog servers |
Repeat password | Confirmation of the password of the account used for connecting to a remote server. Not applicable for Syslog servers |
Directory path | Server folder into which the log files will be copied. Not applicable for Syslog servers |
Schedule | Select a schedule of sending logs. Not applicable for Syslog servers. Possible values:
If you set the value manually, use the crontab-like format in which a string consists of six fields separated with spaces. Time in fields is specified in the following format: (minutes: 0-59) (hours: 0-23) (days of month: 0-31) (month: 0-12) (days of week: 0-6, 0 - Sunday). You can also use the following symbols in the first five fields:
|
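As an added example (not part of UserGate or this document), the Python snippet below shows how the Facility, Severity, Hostname, App-Name and Protocol settings of a Syslog export configuration end up in the line a SIEM receives: the two numbers are combined into the PRI field, and the header differs between RFC 5424 and BSD syslog (RFC 3164). The hostname, app name and event text are constructed; the actual UserGate record body depends on the log format selected for each log.

```python
import re
from datetime import datetime, timezone


def pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1); both ranges are checked."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError(f"facility {facility} or severity {severity} out of range")
    return facility * 8 + severity


def format_rfc5424(facility, severity, hostname, app_name, msg, ts):
    """<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG ('-' = nil)."""
    return f"<{pri(facility, severity)}>1 {ts.isoformat()} {hostname} {app_name} - - - {msg}"


def format_rfc3164(facility, severity, hostname, app_name, msg, ts):
    """BSD syslog: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG; the day of month is space-padded."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {app_name}: {msg}"


def parse_pri(line):
    """Recover (facility, severity) from a received line, as a collector filter would."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:           # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or invalid PRI")
    return divmod(int(m.group(1)), 8)


# Constructed event text and timestamp; not the real UserGate record layout.
SAMPLE_EVENT = "event=login_failed user=alice source=172.16.31.1 component=webconsole"
SAMPLE_TS = datetime(2019, 3, 28, 20, 59, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Facility 4 (security/authorization) with severity 6 (Informational) gives PRI 38.
    print(format_rfc5424(4, 6, "ug.example.com", "usergate", SAMPLE_EVENT, SAMPLE_TS))
    print(format_rfc3164(4, 6, "ug.example.com", "usergate", SAMPLE_EVENT, SAMPLE_TS))
```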
13.2. Reports¶
Reports help administrators extract and display various datasets regarding security events, configuration changes or user actions. Reports can be generated automatically by the previously created rules and templates, and then emailed to all stakeholders.
The Reports section consists of three subsections, which are Templates, Rules, and Generated Reports. To create a new report, perform the following:
Name | Description |
---|---|
Step 1. Define a report creation rule. | Create a report generation rule and provide the required report generation parameters. |
Step 2. Run the report. | You can run the report manually or wait until the report is launched automatically according to the schedule. |
Step 3. Obtain the report. | You can get the report by email (when emailing of reports is enabled) or download it manually in the Generated reports section. |
Important! The report creation process may take a long time to complete and may consume a lot of computing resources.
13.2.1. Report templates¶
A template defines the appearance and fields to be used in the report. The default report templates are provided by the UserGate team.
The report templates by category include:
- Events — a group of templates for the events recorded in the event log
- IPS — a group of templates for the events recorded in the IPS log
- Network activity — a group of templates for the events recorded in the traffic log
- Traffic — a group of templates for the events recorded in the traffic log and related to the traffic volume consumed by users, applications, and more.
- Web activity — a group of templates for the events recorded in the web access log
Each template contains a name, report description, and report display type (table, histogram, or pie chart).
13.2.2. Report rules¶
A report rule defines the parameters of generated reports and also the schedule of the report launches and report delivery types for users. Provide the following parameters when creating a new report rule:
Name | Description |
---|---|
On | Enable or disable a report. |
Name | Name of the rule. |
Description | Optional field for the rule description. |
Report language | Select a language that will be used in the report. |
Time range | A time range for which the report will be generated. |
Limit records | Limits the number of records to be displayed in reports for which the number of top records is limited, e.g. only the top 20 users who failed authentication in the console. |
Group by limit (when applicable) | Limits the number of records to be displayed in reports for which the number of grouped records is limited, e.g. only the top 10 users in each category, i.e. not more than 10 users per category. This restriction is applicable only to report templates with grouping. |
Users | Select the users or user groups for which the report will be generated. When this field is empty, the report will be generated for all users. |
Templates | The list of templates to be used for report building. Make sure to add at least one template. |
Schedule | Select a report generation schedule. Possible options:
If Advanced is selected, use the crontab-like format in which a string consists of six fields separated with spaces. Make sure to specify the fields as follows: (minutes: 0-59) (hours: 0-23) (days of month: 0-31) (month: 0-12) (day of week: 0-6, 0-Sunday). Each of the five fields can be specified in the following way:
An asterisk, or a range with an increment. The increment is used to skip elements in a range; the step is specified after a slash. For example, "2-10/2" stands for "2,4,6,8,10", and "*/2" in the "hours" field means "every two hours" |
Delivery | You can set up optional sending of generated reports to recipients by SMTP. Make sure to set up the following:
|
Important! The report creation process may take a long time to complete and may consume a lot of computing resources. It is especially important to pay attention to the workload when generating reports for a large time period.
Important! Note that you can run a report rule even without enabling it or configuring its schedule. In the manual mode, you can run any report (even a disabled one) by adding the necessary rule to the list of rules and clicking Run now. The output reports will be available in the Generated reports section.
13.2.3. Generated reports¶
In the Generated reports section, you can view all the obtained reports. The reports are generated in PDF or CSV. For each report, you can view its name (which is the same as that of the corresponding report rule), creation time, and size.
Click Download to obtain the report or Remove to delete it.
Click Configure to set up how long generated reports are stored (i.e. report rotation). The default value is 60 days.
14. Technical support¶
The technical support section of our website https://www.usergate.com/support provides additional information on how to set up UserGate. You can also submit your ticket here, and we will help to resolve your technical issue.
15. Appendix 1: Installing a certificate issued by the local certification authority¶
Download the certificate of the certification authority that you use for capturing the HTTPS traffic, as described in Managing certificates, and then follow the steps below.
15.1. Installing a certificate for Internet Explorer and Chrome in Windows¶
Open the folder with the DER certificate you have just downloaded and then double-click it:
The certificate details will appear. Click "Install certificate":
The certificate import wizard will be launched. Follow the wizard's on-screen instructions to import the certificate:
Select a storage for the certificate and click "Browse":
Select "Trusted Root Certification Authorities" and click OK:
Click "Finish":
When the security warning appears, click "Yes":
The installation is complete.
15.2. Installing a certificate for Safari and Chrome in MacOS X¶
Open the folder with the DER certificate you have just downloaded and double-click the file:
The Keychain Access application will be launched. Select "Always trust this certificate":
Enter the password to confirm the operation:
The certificate is now installed.
15.3. Installing a certificate for Firefox¶
Installation of a certificate for Firefox is similar on all operating systems. The installation process on Windows is described here.
Go to Firefox settings (Tools-->Options):
Select Advanced and then open the Certificates tab. Click View certificates:
Then click Import and browse to the DER certificate that you have downloaded:
Enable the Trust this CA to identify web sites checkbox and click OK:
The installation is complete.