Timezone
|
The timezone for your location. Used in rule schedules and for the correct display of time and date in reports, logs, etc.
|
Default interface language
|
The language to use by default in the console.
|
Web console authentication mode
|
The method of authenticating the user (administrator) when logging in to the web management console. The options are as follows:
- Login and password. The administrator must provide their login name and password to get access to the web console.
- X.509 certificate. For certificate-based authentication, you need a user certificate signed with the certificate of the web console Certification Authority and installed in the browser. When this authentication mode is turned on, the login name and password mode is disabled. You can restore the login name and password authentication mode afterwards using CLI commands.
|
SSL profile for web console
|
Select an SSL profile to build a secure web console access link. For more details on SSL profiles, see the chapter SSL Profiles.
|
SSL Profile for response pages
|
Select an SSL profile to build a secure link for displaying web resource block pages and the captive portal's auth page. For more details on SSL profiles, see the chapter SSL Profiles.
|
Server time settings
|
Configure the time synchronization settings.
Use NTP servers: use the NTP servers from the provided list for time synchronization.
Primary NTP server: the primary time server address. Default value: pool.ntp.org.
Secondary NTP server: the secondary time server address.
Server time: allows time setting on the server. The UTC timezone should be used.
|
Modules
|
Here you can configure UserGate modules:
- HTTP(S) proxy port: allows you to specify a non-standard (alternative) port number that will be used to connect to the built-in proxy. By default, TCP port 8090 is used. If changed, the port continues working.
- Important! The following ports cannot be used because they are reserved for UserGate's internal services: 2200, 8001, 4369, 9000-9100.
- Captive portal auth domain: an internal domain used by UserGate for user authorization via the captive portal. The users need to be able to resolve the domain provided here into the IP address of the UserGate network interface to which they are connected. If the users have the UserGate server's IP address specified as the DNS server, address resolving is configured automatically. The default name is auth.captive. It can be changed to another domain name used in the organization.
- Captive portal logout domain: an internal domain used by UserGate users to terminate their sessions (log out). The users need to be able to resolve the domain provided here into the IP address of the UserGate network interface to which they are connected. If the users have the UserGate server's IP address specified as the DNS server, address resolving is configured automatically. The default name is logout.captive. It can be changed to another domain name used in the organization.
- Block page domain: an internal domain used to display a block page to users. The users need to be able to resolve the domain provided here into the IP address of the UserGate network interface to which they are connected. If the users have the UserGate server's IP address specified as the DNS server, address resolving is configured automatically. The default name is block.captive. It can be changed to another domain name used in the organization.
- FTP over HTTP: enable or disable the module that provides access to content on FTP servers from a user browser.
  The FTP proxy must be specified explicitly in the user browser.
  The administrator can restrict access to FTP resources using content filtering rules (only the Users and URL criteria are supported).
- FTP over HTTP domain: an internal domain used to provide the FTP over HTTP service to users. The users need to be able to resolve the domain provided here into the IP address of the UserGate network interface to which they are connected. If the users have the UserGate server's IP address specified as the DNS server, address resolving is configured automatically. The default name is ftpclient.captive. It can be changed to another domain name used in the organization.
- Tunnel inspection zone: enable or disable the tunnel inspection module and specify a zone where tunnels are to be inspected.
- SNMP Engine ID: each UserGate device has a unique SNMPv3 Engine ID. By default, the Engine ID is generated from the UserGate node name. When editing the Engine ID, you are required to specify its length, type, and value. The length can be defined as fixed (max. 8 bytes) or dynamic (max. 27 bytes). A fixed ID length is only applicable to the text type.
  The Engine ID can be generated in these formats:
  - IPv4 (ip4).
  - IPv6 (ip6).
  - MAC address (mac).
  - Text (text).
  - Octets (octets).
- Password for terminal server agent: set the password to be used by terminal server authorization agents for connection.
- LLDP settings: configure the use of the Link Layer Discovery Protocol (LLDP) that enables the network equipment in the local area network to notify devices about its existence, report its characteristics, and receive similar information from the devices. These settings are required:
  - Transmit delay: how long the device will wait before sending advertisements to the neighbors after a change in the LLDP protocol's TLV parameter or the local system state (e.g., a changed hostname or management address). Specified in seconds and can take values from 1 to 3600.
  - Transmit hold: the hold multiplier. The transmit delay multiplied by the transmit hold determines the time to live (TTL) for LLDP packets. Can take values from 1 to 100.
|
Cache settings
|
These are the settings for the proxy cache:
- Caching mode on/off: enable or disable caching.
- Cache exclusions: the list of URLs that will not be cached.
- Max cacheable object size (MB): objects larger than this will not be cached. It is recommended to leave the default value of 1 MB.
- RAM size (MB): the amount of RAM reserved for the cache. This should not be set to more than 20% of the system RAM.
|
Log Analyzer
|
Configure the Log Analyzer module here:
- Local/Remote server: if you have a remote Log Analyzer server, select it here, otherwise select the local server.
- State: shows the current state of the statistics service.
Important! If an external UserGate Log Analyzer is specified, log processing and export, report creation, and other statistical data processing are performed by LogAn.
|
Web portal
|
These are the settings used to provide access to the internal corporate resources using a web portal (SSL VPN). For a detailed description of these settings, see the chapter Web Portal.
|
PCAP settings
|
Configure the traffic logging triggered when IPS signatures are encountered. These are the options for packet capture:
Important! A large PCAP value can slow down data processing significantly.
|
Change tracker settings
|
If this option is enabled and Change types have been defined, any change to the configuration introduced by the administrator using the web console will require that the administrator specify the change type and a description for the change. Here are some possible examples of change types:
The number of change types is not limited.
|
UserGate Management Center agent
|
Here you can configure device connection to the central management console that can be used to manage a UserGate device fleet from a single point. TCP ports 2022 and 9712 are used for connection to the UserGate Management Center server.
- Caching mode on/off: enable or disable management via UserGate Management Center.
- UserGate Management Center address: the server address.
- Device code: a token required to connect to UserGate Management Center.
UserGate Management Center can be used as a source of software and signature updates.
|
Updates download schedule
|
This is where you configure update downloads for UserGate software (UGOS) and updatable libraries provided on subscription (URL filtering category database, IDPS, IP/URL/content type lists, etc.).
- Software updates: configure the schedule for checking and downloading new UGOS updates.
- Library updates: configure the schedule for checking and downloading new library updates. If the Apply for all updates checkbox is set, the schedule is applied to all libraries, otherwise a separate schedule must be configured for each type of library.
You can select from the following schedule options:
With the Advanced option, a crontab-like format is used where the date/time string consists of six space-separated fields. The fields specify the time as follows: (minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using:
- An asterisk (*): denotes the entire range (from the first number to the last).
- A dash (-): denotes a number range. For example, "5-7" means 5, 6, and 7.
- Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".
- An asterisk or range spacing: used for spacing out values in ranges. The increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours".
|
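The field syntax of the Advanced schedule option, worked through as an added example (not UserGate code): the sketch below expands each of the five documented fields into the concrete values it matches, so a schedule string can be checked before it is entered. The function names are hypothetical, and a sixth field, which the text above does not describe, is accepted but not interpreted.

```python
# Added example: expands the five documented fields of the Advanced schedule.
FIELDS = [  # (name, low, high), ranges as given in the text above
    ("minutes", 0, 59),
    ("hours", 0, 23),
    ("days_of_month", 1, 31),
    ("months", 1, 12),
    ("days_of_week", 0, 6),  # 0 is Sunday
]


def expand_field(spec, low, high):
    """Expand '*', 'a-b', comma lists and '/step' spacing into sorted values."""
    values = set()
    for part in spec.split(","):
        rng, slash, step_text = part.partition("/")
        step = int(step_text) if slash else 1  # ValueError on an empty or bad step
        if step < 1:
            raise ValueError(f"step must be at least 1: {part!r}")
        if rng == "*":
            start, end = low, high
        elif "-" in rng:
            first, _, last = rng.partition("-")
            start, end = int(first), int(last)
        else:
            start = end = int(rng)
        if not low <= start <= end <= high:
            raise ValueError(f"{part!r} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def expand_schedule(expr):
    """Return {field name: list of matching values} for a schedule string."""
    parts = expr.split()
    # Assumption: a sixth field, which the text does not describe, is accepted
    # but left uninterpreted.
    if len(parts) not in (5, 6):
        raise ValueError("expected five or six space-separated fields")
    return {name: expand_field(spec, low, high)
            for (name, low, high), spec in zip(FIELDS, parts)}


if __name__ == "__main__":
    # Constructed sample: minute 30 of every second hour, Monday to Friday.
    for name, values in expand_schedule("30 */2 * * 1-5").items():
        print(f"{name:14} {values}")
```

Out-of-range values, reversed ranges and zero or malformed steps raise ValueError instead of silently producing an empty schedule.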