A template is a basic component that allows you to configure all settings of a device, such as network settings, firewall rules, content filtering rules, etc. To create a template, go to the Endpoints ➜ Templates section, click Add, and provide a name and optional description for the template.
After creating a template, configure its settings: go to the Endpoints ➜ Configuration section and select the required template in the drop-down menu.
Template settings are displayed in a tree view. When configuring templates, follow these rules:
- If a setting is not defined in the template, nothing is sent to the UGC managed device for it and the device's default value is used.
- Libraries (IP addresses, URL lists, MIME content type lists, applications, etc.) have no predefined content in UGMC. Before a library can be used in a filtering policy, items must be added to it.
- Create separate templates for different groups of settings, for example one template for firewall rules, one for content filtering rules, one for libraries, and so on. This avoids conflicts between settings when templates are combined into template groups and makes it easier to understand the final settings that will be applied to a UGC managed device.
When creating a template, the administrator can use sections such as "General Settings", "VPN Settings", "Network Policies", and "Libraries".
General Settings
This section defines the general settings of the UGC managed device:

| Name | Description |
|---|---|
| UserGate client installation settings | Settings that control the installation of the UserGate Client software. Important! These settings are applied only if sync mode is enabled (the Sync flag). If the flag is not set, the default value is used. |
| Notifications | Alert settings. Important! These settings are applied only if sync mode is enabled (the Sync flag). If the flag is not set, the default value is used. |
| LogAn device settings | The LogAn server to which the device sends event information. The LogAn server must already be registered in UGMC. Important! These settings are applied only if sync mode is enabled (the Sync flag). If the flag is not set, the default value is used. |
VPN settings
This section allows you to configure VPN security profiles that define settings such as the pre-shared key and the encryption and authentication algorithms. Multi-factor user authentication is also supported, with a one-time TOTP code as the second factor. The VPN settings are sent to the UserGate Client managed device, and the user selects the VPN server to connect to in the client's initial window.
To configure a VPN connection, provide these settings:

| Name | Description |
|---|---|
| Enabled | Enables or disables the profile. |
| Name | The name of the security profile used to connect to the VPN server. |
| Description | Profile description. |
| VPN address | Host name (FQDN) or IP address of the VPN server. Important! If the address is given as an FQDN, the resolved addresses are not enumerated: if the DNS server returns several addresses, only the first one in the list is tried. |
| Protocol | VPN protocols used to create the tunnel: |
| IKE mode | IKE mode (specify when the IPsec L2TP protocol is selected): Main or Aggressive. Aggressive mode uses fewer packets and so establishes the connection faster, but it does not negotiate some parameters, which must therefore be configured identically on both ends of the connection. Main mode: the peers exchange six messages. The first exchange (messages 1 and 2) negotiates the encryption and authentication algorithms; the second exchange (messages 3 and 4) performs the Diffie-Hellman (DH) key exchange, after which the IKE service on each peer derives a master key used for authentication; the third exchange (messages 5 and 6) authenticates the initiator and the responder (identity checking), protected by the encryption negotiated earlier. Aggressive mode: two exchanges, three messages in total. The first message, from the initiator, carries what messages 1 and 3 of main mode carry, i.e. the proposed encryption and authentication algorithms together with the DH public value; the second message, from the responder, carries what messages 2 and 4 of main mode carry and also authenticates the responder; the third message authenticates the initiator and completes the exchange. Note that in aggressive mode the responder's authentication data is sent before any encryption is in place, so with pre-shared key authentication the peer identities and the PSK-derived hash are visible on the wire and can be attacked offline by dictionary guessing; prefer Main mode with a strong pre-shared key unless Aggressive mode is specifically required. |
| Pre-shared key | A string that must match on the client and the server for the connection to succeed. Used with the IPsec L2TP protocol. |
| Phase 1 | In the first phase, the IKE security association is negotiated. Authentication uses the pre-shared key in the IKE mode selected above. Provide the following settings: |
| Phase 2 | In the second phase, the protection of the IPsec connection is negotiated. Specify the following: |
If multi-factor authentication via one-time TOTP codes is used, the token is entered in a separate window that appears on the endpoint device after a certificate is selected or a login/password is entered.
Network Policies
This section contains settings for filtering policies, such as the firewall and content filtering policy.
Using firewall rules, the administrator can allow or deny any type of network traffic flowing to or from the UGC device. Source/destination IP addresses, users and user groups, services, applications, URL lists and categories, content types, HIP profiles, and rule schedules can all be used as conditions for the rules.
Templates can contain pre-rules and post-rules. Pre-rules always sit above post-rules in the rule list and therefore take priority over them. Being able to create both pre- and post-rules lets the realm administrator define flexible security policy settings.
To create a firewall rule, go to the Network policies ➜ Firewall section, click Add, select the rule's position (pre or post), and provide the desired settings.
| Name | Description |
|---|---|
| Enabled | Enables or disables the rule. |
| Name | The name of the rule. |
| Description | A description of the rule. |
| Apply in | The scope in which this rule is applied on UGC managed devices. The options are as follows: |
| Action | The action the rule takes: |
| Logging | Whether hits on this rule are logged on the LogAn server. |
| Proxy | If Redirect to proxy is selected as the action, choose the proxy profile here. For details on proxy profiles, see the Proxy Profiles chapter. |
| Users | The LDAP users or user groups to which this firewall rule applies. A correctly configured LDAP connector is required to specify users. For details, see the Users Catalogs section. |
| Source | The lists of source IP addresses of the traffic. Important! Rules that combine a source address condition with a URL, URL category or content type condition are not recommended; such rules may not work correctly. The list can be created in advance in the Libraries ➜ IP addresses section or while configuring the rule. For details on IP address lists, see the IP Addresses chapter. |
| Destination | The lists of destination IP addresses of the traffic. The list can be created in advance in the Libraries ➜ IP addresses section or while configuring the rule. For details on IP address lists, see the IP Addresses chapter. |
| Service | The service type, such as HTTP or HTTPS, or a service group. A service or service group can be created in advance in the Libraries ➜ Services or Libraries ➜ Services groups section, respectively, or while configuring the firewall rule. For details on services, see the Services chapter. |
| Applications | The list of applications to which this rule applies. An application can be created in advance in the Libraries ➜ Applications section or while configuring the firewall rule. For details on applications, see the Applications chapter. |
| URL Lists | The URL lists. A URL list can be created in the Libraries ➜ URL lists section or in the properties of the firewall rule. For details on working with URL lists, see the URL Lists chapter. Important! When URL lists are used as a filtering condition, a service must also be specified in the rule. |
| URL categories | UserGate URL Filtering 4.0 category lists. The administrator can control access to categories such as pornography, malicious websites, online casinos, gaming and entertainment websites, social networks, and many others. URL category groups can be created in the Libraries ➜ URL categories section or while configuring the rule. For details on categories, see the URL Categories chapter. Important! When URL categories are used as a firewall rule condition, a service must also be specified in the rule. |
| Content types | The content type lists. Video, audio, images, executables, and other types of content can be controlled, and administrators can create custom content type groups in the Libraries ➜ Content types section or in the properties of the firewall rule. For details on working with MIME types, see the Content Types chapter. Important! When content types are used as a firewall rule condition, a service must also be specified in the rule. |
| Time | The time during which this rule is active. The administrator can add the required time period in the Time Sets section or while configuring the rule. Important! The schedule uses the time zone of the device on which the UserGate Client software is installed. |
| HIP profiles | The list of HIP profiles. The firewall rule is applied only if the device matches the HIP objects specified in the profile. For details on HIP profiles and objects, see the HIP Profiles and HIP Objects sections, respectively. Important! Filtering traffic based on compliance-check results requires a license for the Network access control at the host level module. |
| Endpoint devices | The specific devices to which this rule applies. If none are specified, the rule applies to all devices that receive this template. |
Libraries of items
This section contains website addresses, IP addresses, applications, and other items used in the configuration of UGC managed device rules.
Services
The Services section contains a list of common TCP/IP-based services, such as HTTP, HTTPS, FTP, and others, that can be used in UGC managed device rules. A predefined list of services is supplied with the product, and the administrator can add further items as needed. To add a new service, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create a service. | Click Add, give the service a name, and enter a comment. |
| Step 2. Specify the protocol and port. | Click Add, select the required protocol from the list, and specify the destination ports and, optionally, the source ports. To specify a port range, use a dash (-), e.g., 33333-33355. |
IP Addresses
The IP addresses section contains the lists of IP address ranges that can be used in UGC managed device rules.
The administrator can add the desired items as needed. To add a new address list, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create a list. | In the Groups pane, click Add and give the IP address list a name. |
| Step 2. (Optional) Specify the list update address. | Specify the address of the server where the updatable list is stored. For details on updatable lists, see later in this chapter. |
| Step 3. Add IP addresses. | In the Selected group addresses pane, click Add and enter the addresses. An entry is a single IP address or a network in address/prefix-length notation (e.g., 192.168.1.5 or 192.168.1.0/24). |
The administrator can create custom IP address lists and manage them centrally. To create such a list, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create a file with the required IP addresses. | Create a file named list.txt containing the IP address list. |
| Step 2. Create an archive containing this file. | Put the file into a zip archive named list.zip. |
| Step 3. Create a version file for the list. | Create a file named version.txt containing the list version number, e.g., 3. The version number must be incremented on every update of the list. |
| Step 4. Upload the files to a web server. | Upload list.zip and version.txt to your website so that they can be downloaded. |
| Step 5. Create an IP address list and specify an update URL for it. | On each UserGate server, create an IP address list, select Updatable as the list type, and enter the address from which updates are downloaded. UserGate checks your website for a new version according to the update download schedule, which is configured in the list properties. The available options are: With the Advanced option, a crontab-like format is used: the date/time string consists of six space-separated fields, the first five of which are (minutes: 0-59) (hours: 0-23) (day of month: 1-31) (month: 1-12) (day of week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using: an asterisk or a range with a step, where the increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10", and "*/2" in the hours field means "every two hours". |
Applications
The Applications library item lets you create application groups for more convenient use in network traffic filtering rules. For example, the administrator can create an application group called "Business applications" and place the desired applications there.
The UserGate Client software recognizes an application by its checksum, which lets the administrator control network access for specific applications very precisely and selectively, for example by allowing only one specific version of an application to access the network and blocking all other versions.
To add a new application group, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create an application group. | In the Application groups pane, click Add and give the new group a name. |
| Step 2. Add applications. | Select the group just created, click Add in the Applications pane, and enter the name of the application and its checksum. The checksum of a Windows executable must be computed with the SHA1 algorithm, e.g., using the fciv utility. |

Lists can be exported and imported with the Export and Import buttons. Each entry of an application list, and each line of an application list file, must follow the APPLICATION_NAME HASH format.
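To produce the checksums and the import file described above without typing hashes by hand, the following Python script is added here as an example; it is not UserGate code. It assumes that the application name is a single token (a space separates the two fields of the APPLICATION_NAME HASH format) and that the hash is the hex-encoded SHA1 digest of the executable, which is what the section above requires. The sample "executable" it hashes is a constructed byte string, not a real PE file.

```python
"""Generate and validate an application list in the APPLICATION_NAME HASH import format."""
import hashlib
import re
import tempfile
from pathlib import Path

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)  # SHA1 = 160 bits = 40 hex digits

# Constructed stand-in for an executable; not a real PE file.
SAMPLE_BYTES = b"MZ" + b"\x00" * 14 + b"constructed sample binary"


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20) -> str:
    """Hash in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def import_line(app_name: str, digest: str) -> str:
    """Format one entry; reject names or hashes that would corrupt the file."""
    if not app_name or any(c.isspace() for c in app_name):
        raise ValueError(f"application name must be a single token: {app_name!r}")
    if not SHA1_HEX.match(digest):
        raise ValueError(f"not a SHA1 hex digest: {digest!r}")
    return f"{app_name} {digest.lower()}"


def parse_import_file(text: str):
    """Parse an import file back into ([(name, digest), ...], [errors]).

    Malformed lines are reported instead of silently skipped, because a
    dropped entry means an application silently falls outside the rule."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not SHA1_HEX.match(parts[1]):
            errors.append(f"line {lineno}: expected 'APPLICATION_NAME HASH', got {raw!r}")
            continue
        entries.append((parts[0], parts[1].lower()))
    return entries, errors


def build_import_file(exe_paths) -> str:
    """One line per executable; the file name is used as the application name."""
    return "".join(import_line(Path(p).name, sha1_of_file(p)) + "\n" for p in exe_paths)


def demo():
    """Write the constructed sample to a temp dir, build the import file, parse it back."""
    workdir = Path(tempfile.mkdtemp())
    exe = workdir / "sample_app.exe"
    exe.write_bytes(SAMPLE_BYTES)
    text = build_import_file([exe])
    entries, errors = parse_import_file(text)
    assert not errors, errors
    return entries


if __name__ == "__main__":
    print(demo())
```

Because the rule matches on the exact digest, every patched build of an application gets a new hash; regenerate and re-import the list as part of the software update process, or the updated version silently falls outside the rule.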
Proxy Profiles
This section allows you to configure proxies to which the TCP traffic matching the rules will be redirected with the Redirect to proxy action.
| Name | Description |
|---|---|
| Name | The proxy profile name. |
| Description | Profile description. |
| IP address | The IP address of the proxy server to which the traffic is redirected. |
| Port | The port number of the proxy server to which the traffic is redirected. |
URL Lists
The URL lists page allows you to create URL lists to be used as black and white lists in content filtering rules.
To configure filtering using URL lists, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create a URL list. | In the URL lists pane, click Add and set: |
| Step 2. Add the required entries to the new list. | Add URL entries to the new list. You can use the wildcards "^", "$", and "*": The "?" and "#" characters cannot be used. |
| Step 3. Create an endpoint firewall rule containing one or more lists. | See the Network Policies section. |

To block an exact address, use the "^" and "$" characters:
To block an exact URL together with all its child directories, use the "^" character:
To block a domain with all its URLs, use this notation:
domain.com
Examples of how URL entries are interpreted:

| Example entry | HTTP request processing |
|---|---|
| yahoo.com or *yahoo.com* | The entire domain is blocked, together with all its URLs and third-level domains, e.g.: |
| ^mail.yahoo.com$ | Only this address is blocked: http://mail.yahoo.com |
| ^mail.yahoo.com/$ | Nothing is blocked, since the final forward slash makes this a URL pattern, yet the entry contains no "http" or "https". |
| | Only this address is blocked: |
| ^yahoo.com/12345/ | These are blocked: |
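The table above is reproduced here by a small Python model of the entry syntax, added as an example; it is not UserGate's own matcher. It assumes that an entry is matched against the request's host and path with the scheme removed and a bare root path dropped (so http://mail.yahoo.com and http://mail.yahoo.com/ both become mail.yahoo.com), that "^" and "$" anchor the match, that "*" matches any run of characters, and that an unanchored entry is a substring match, which is what "yahoo.com or *yahoo.com*" in the table implies. The product may differ in details such as how it treats the scheme; the model is useful for seeing why anchors matter.

```python
"""Model of how URL list entries with the '^', '$' and '*' wildcards select requests."""
import re
from urllib.parse import urlsplit


def request_subject(url: str) -> str:
    """Assumption: the scheme is dropped and a bare root path is normalised away,
    so 'http://mail.yahoo.com' and 'http://mail.yahoo.com/' both give 'mail.yahoo.com'."""
    parts = urlsplit(url)
    path = "" if parts.path == "/" else parts.path
    return parts.netloc.lower() + path


def is_valid_entry(entry: str) -> bool:
    """The page states that '?' and '#' cannot be used in an entry."""
    return bool(entry) and "?" not in entry and "#" not in entry


def compile_entry(entry: str) -> re.Pattern:
    """Translate one entry into a regex: '^' and '$' anchor, '*' matches anything,
    everything else is literal. Without anchors the entry is a substring match."""
    if not is_valid_entry(entry):
        raise ValueError(f"'?' and '#' are not allowed in URL list entries: {entry!r}")
    core = entry
    anchor_start = core.startswith("^")
    if anchor_start:
        core = core[1:]
    anchor_end = core.endswith("$")
    if anchor_end:
        core = core[:-1]
    body = ".*".join(re.escape(piece) for piece in core.split("*"))
    return re.compile(("^" if anchor_start else "") + body + ("$" if anchor_end else ""),
                      re.IGNORECASE)


def matching_entries(url: str, entries) -> list:
    """Return every entry in the list that selects this request."""
    subject = request_subject(url)
    return [e for e in entries if compile_entry(e).search(subject)]


def is_blocked(url: str, entries) -> bool:
    return bool(matching_entries(url, entries))


if __name__ == "__main__":
    # Constructed sample list and requests mirroring the table above.
    url_list = ["yahoo.com", "^mail.yahoo.com$", "^mail.yahoo.com/$", "^yahoo.com/12345/"]
    for request in ["http://mail.yahoo.com", "http://mail.yahoo.com/inbox",
                    "https://yahoo.com/12345/page", "http://notyahoo.com/",
                    "http://example.org/go/yahoo.com"]:
        print(f"{request:40} -> {matching_entries(request, url_list)}")
```

Note the results for the unanchored entry: because yahoo.com is a substring match, it also hits notyahoo.com and a path such as example.org/go/yahoo.com. When a list is used as an allow list (white list) that over-match is the dangerous direction, since a host whose name or path merely contains the allowed string would match too; anchor allow-list entries with "^" and "$".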
The administrator can create custom URL lists and distribute them centrally. To create such a list, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create a file with the required URL list. | Create a text file named list.txt containing the URL list in the following format: ... |
| Step 2. Create an archive containing this file. | Put the file into a zip archive named list.zip. |
| Step 3. Create a version file for the list. | Create a file named version.txt containing the list version number, e.g., 3. The version number must be incremented on every update of the list. |
| Step 4. Upload the files to a web server. | Upload list.zip and version.txt to your website so that they can be downloaded. |
| Step 5. Create a URL list and specify an update URL for it. | On each UserGate server, create a URL list, select Updatable as the list type, and enter the address from which updates are downloaded. UserGate checks your website for a new version according to the update download schedule, which is configured in the list properties. The available options are: With the Advanced option, a crontab-like format is used: the date/time string consists of six space-separated fields, the first five of which are (minutes: 0-59) (hours: 0-23) (day of month: 1-31) (month: 1-12) (day of week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using: an asterisk or a range with a step, where the increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10", and "*/2" in the hours field means "every two hours". |
URL Categories
The URL categories library item lets you create groups of UserGate URL filtering categories for more convenient use in content filtering rules. For example, the administrator can create a category group called "Business categories" and place the desired categories there.
To add a new category group, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create a category group. | In the URL category groups pane, click Add and give the new group a name. |
| Step 2. Add categories. | Select the group just created, click Add in the Categories pane, and select the desired categories from the list. |
Content types
Using content type filtering, you can control the video and audio content, images, executables, and other content types.
To configure filtering by content type, follow these steps:
| Name | Description |
|---|---|
| Step 1. Create a content type list. | In the Categories pane, click Add and give the new content type list a name. Optionally, provide a description and an update URL for the list. |
| Step 2. Add the relevant MIME types to the new list. | Add the relevant content types to the list in MIME format. Descriptions of MIME types are available online, for example in the IANA registry at https://www.iana.org/assignments/media-types/media-types.xhtml. For example, to block *.doc documents, add the "application/msword" MIME type. |
| Step 3. Create a content filtering rule containing one or more lists. | See the Network Policies section. |

The administrator can create custom content type lists and distribute them centrally. To create such a list, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create a file with the required content types. | Create a file named list.txt containing the list of content types. |
| Step 2. Create an archive containing this file. | Put the file into a zip archive named list.zip. |
| Step 3. Create a version file for the list. | Create a file named version.txt containing the list version number, e.g., 3. The version number must be incremented on every update of the list. |
| Step 4. Upload the files to a web server. | Upload list.zip and version.txt to your website so that they can be downloaded. |
| Step 5. Create a content type list and specify an update URL for it. | On each UserGate server, create a content type list, select Updatable as the list type, and enter the address from which updates are downloaded. UserGate checks your website for a new version according to the update download schedule, which is configured in the list properties. The available options are: With the Advanced option, a crontab-like format is used: the date/time string consists of six space-separated fields, the first five of which are (minutes: 0-59) (hours: 0-23) (day of month: 1-31) (month: 1-12) (day of week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using: an asterisk or a range with a step, where the increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10", and "*/2" in the hours field means "every two hours". |
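The five-step publishing procedure is the same for IP address lists, URL lists and content type lists (the three updatable-list tables above), so one Python example covers all three. It is added here and is not UserGate code. It assumes that version.txt holds a bare integer, that list.zip contains exactly one member named list.txt with one entry per line, and that the "Advanced" schedule is evaluated on its first five fields; the sixth field described above is not interpreted. The publisher side writes the two files into a directory that stands in for your web server, and the consumer side shows what a poll on the schedule does: it fetches version.txt, and only downloads list.zip when the remote version is higher than the one it already has. The sample entries are constructed.

```python
"""Publish an updatable list (list.zip + version.txt) and poll it on a crontab-like schedule."""
import io
import tempfile
import zipfile
from datetime import datetime
from pathlib import Path


def publish(entries, site_dir):
    """Write entries into list.txt inside list.zip and bump version.txt. Returns the new version."""
    site = Path(site_dir)
    site.mkdir(parents=True, exist_ok=True)
    version_file = site / "version.txt"
    current = int(version_file.read_text().strip()) if version_file.exists() else 0
    with zipfile.ZipFile(site / "list.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("list.txt", "\n".join(entries) + "\n")
    version_file.write_text(f"{current + 1}\n")  # must increase on every update
    return current + 1


def check_for_update(fetch, known_version):
    """Consumer side: download version.txt; only if it is newer, download list.zip.

    fetch(name) returns the bytes of a published file. The demo reads a local
    directory; in production it would be an HTTPS GET against the update URL.
    Returns (version, entries), or None when the known version is current."""
    remote_version = int(fetch("version.txt").decode().strip())
    if remote_version <= known_version:
        return None
    with zipfile.ZipFile(io.BytesIO(fetch("list.zip"))) as zf:
        if zf.namelist() != ["list.txt"]:  # assumption: exactly one member
            raise ValueError(f"unexpected archive contents: {zf.namelist()}")
        lines = zf.read("list.txt").decode().splitlines()
    return remote_version, [ln.strip() for ln in lines if ln.strip()]


def expand_field(spec, lo, hi):
    """Expand one schedule field: '*', 'a', 'a-b', 'a-b/s', '*/s', and comma-separated lists."""
    values = set()
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"invalid field {spec!r} for range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def schedule_matches(schedule, when):
    """True if `when` matches 'minute hour day-of-month month day-of-week' (0 = Sunday)."""
    minute, hour, dom, month, dow = schedule.split()[:5]
    cron_weekday = (when.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
    return (when.minute in expand_field(minute, 0, 59)
            and when.hour in expand_field(hour, 0, 23)
            and when.day in expand_field(dom, 1, 31)
            and when.month in expand_field(month, 1, 12)
            and cron_weekday in expand_field(dow, 0, 6))


def demo():
    """Publish twice into a temporary stand-in for the web server, then poll it."""
    site = Path(tempfile.mkdtemp()) / "site"
    first = publish(["192.168.1.5", "192.168.1.0/24"], site)  # constructed entries
    second = publish(["192.168.1.5", "192.168.1.0/24", "10.0.0.0/8"], site)
    fetch = lambda name: (site / name).read_bytes()  # stand-in for an HTTP GET
    return {
        "versions": (first, second),
        "already_current": check_for_update(fetch, known_version=second),
        "update": check_for_update(fetch, known_version=first),
        "sunday_0400": schedule_matches("0 */2 * * 0", datetime(2024, 1, 7, 4, 0)),
        "sunday_0500": schedule_matches("0 */2 * * 0", datetime(2024, 1, 7, 5, 0)),
    }


if __name__ == "__main__":
    print(demo())
```

Whatever the device downloads from the update URL becomes policy on every endpoint that receives the template, so serve list.zip and version.txt over HTTPS from a host you control and restrict who can write to that directory: anyone who can replace the files can rewrite the firewall lists.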
Time Sets
The Time sets section allows you to define time intervals that can later be used in rules. The administrator can add the desired items as needed. To add a new time set, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create a calendar. | In the Groups pane, click Add and specify the calendar's name and description. |
| Step 2. Add time intervals to the calendar. | In the Items pane, click Add and add an interval. Give the new interval a name and specify the time. |