UserGate Proxy & Firewall USERGATE Administrator Manual

Transcription

1 UserGate Proxy & Firewall Administrator Manual 1

2 Content Introduction 4 UserGate Proxy & Firewall 4 System requirements 4 UserGate Server installation 5 UserGate registration 5 UserGate update and removal 5 UserGate licensing policy 6 UserGate Administration module 6 Connection settings 6 Setting a connection password 7 Setting a statistics database password 7 NAT (Network Address Translation) Common Settings 7 Interface settings 7 Network traffic calculation in UserGate 8 Connection failover 9 Users and groups 9 User personal statistics page 11 User authorization methods 11 Terminal user support 12 Using HTTP authorization with transparent proxy 13 Using Authorization Client 13 UserGate services settings 14 DHCP settings 14 Proxy service settings 15 SIP protocol support 16 UserGate SIP Registrar 17 H323 protocol support 18 UserGate mail proxies 18 Proxies in transparent mode 18 Parent proxies 18 Port mapping 19 Cache settings 20 Antivirus scanning 20 UserGate Scheduler 21 DNS settings 22 2

3 Alert Manager 22 UserGate Firewall 23 Principle of operation 23 Network Address Translation rules (NAt) 24 Working with multiple Internet service providers 25 Masquerade for NAT rules 25 Network resources publishing 26 Firewall filtering rules 27 Routing support 28 UserGate speed limitations 29 Traffic Manager 30 Application Firewall 32 UserGate cache explorer 33 UserGate traffic management 34 Traffic management rules 34 Internet access restriction 34 BrightCloud URL filtering 35 Setting a traffic consumption limit 37 File size restriction 37 Content-type filtering 37 Billing system 39 Internet access tariffing 39 User account status control 39 Dynamic billing plans switching 39 UserGate remote administration 39 Remote connection settings 39 Restarting UserGate server 40 Checking for the new version 40 UserGate statistics utility 40 UserGate Web statistics 41 Web statistics settings 42 Traffic management rules efficiency rating 42 Antivirus efficiency rating 43 SIP usage statistics 43 3

4 Introduction UserGate works as a proxy server, i.e. as an intermediate computer between your PC and the Internet. All interactions with the Internet pass through UserGate. When you surf the Internet, your computer automatically connects to the proxy server (UserGate) and requests the desired web page or file from an Internet server. The proxy server then either connects to the specified server and receives the web page, or finds it in the proxy s cache (a temporary storage area for previously viewed web pages and files). In some situations, the proxy server can modify the request or a server s response for specific purposes, for example, blocking access to inappropriate pages or images, or if a virus is detected. UserGate Proxy & Firewall UserGate is a comprehensive solution designed to connect users to the Internet, provide traffic control, limit access, and supply built-in network security tools. UserGate enables the tariffing (pricing and limiting) of user Internet access based on traffic amounts and time spent online. An administrator can add various billing plans, dynamically switch them, and control access to Internet resources. The built-in Firewall and Antivirus module protects the UserGate server and identifies malicious software coming from the Internet. UserGate consists of various modules: the Server, the Administration Console (UserGate Administrator), and several others. UserGate Server (usergate.exe) is the central part, the core of the proxy server, where its functional capabilities are embodied. The Server provides Internet access, implements exact traffic calculations, tracks users online statistics, etc. UserGate Administration Console is a program used to control the Server. The Administration Console communicates with the server module by means of a special protocol using TCP/IP that enables server remote administration. There are four additional modules included in UserGate: UserGate Statistics, Web Statistics, UserGate Authorization Client, and Application Control. System requirements It is recommended to install UserGate Server on Windows 2000/XP/2003 computers connected to the Internet via a modem or any other type of connection. Server hardware requirements are as follows: Network configuration Minimum requirements Recommended requirements Small LAN: 2 to 5 users Medium LAN: 5 to 20 users Large LAN: more than 20 users Pentium 1 GHz, 512 MB RAM, Windows 2000, 56k modem Pentium 1 GHz, 512 MB RAM, Windows 2000, 56k modem Pentium 1 GHz, 512 MB RAM, Windows XP, ISDN connection Pentium 1 GHz, 512 MB RAM, Windows 2000, DSL Pentium 1 GHz, 1 GB RAM, Windows XP, broadband Internet connection Pentium 2 GHz, 1 GB RAM, Windows 2003, broadband Internet connection 4

5 UserGate Server installation To install UserGate Proxy & Firewall, simply run the installation file and specify the Installation options. When installing UserGate for the first time, you can leave all of its installation options with their default settings. During the installation process, the installation Wizard will give you the option of installing UserGate as a system service (UserGate Service) and will automatically disable the Internet Connection Service, if it is enabled. Figure 1. UserGate NAT driver installation Since UserGate NAT diver is not WHQL signed, during the installation process a Hardware installation dialog will appear (Fig. 1). In order to install the UserGate NAT driver properly, click Continue Anyway repeatedly in order to move through the Hardware Installation warnings. After installation, you must restart your computer. UserGate registration The unregistered version of UserGate Server runs for 30 days in evaluation mode and restricts the number of simultaneous users to 5. To register, please start the UserGate Server, connect the Administration Console to the Server, open Help, and choose Register Product in the UserGate Administration Console menu. You can choose the same option from the About page in the Administration Console. In the dialog box that appears, enter your registration name and registration code in the corresponding fields. Then click the OK button and restart the UserGate Server. During the registration process, the UserGate Server should be connected to the Internet. UserGate update and removal Before you install a new UserGate version, it is recommended that you remove the previous one and save the server settings file (config.cfg file, located in the UserGate directory; hereafter %UserGate%) and the statistics database (log.mdb file, also located in the %UserGate% folder). UserGate Server v.5 supports the UserGate v.4 settings format. All settings from the UserGate v.4 format will be converted into the new format after the initial run of the UserGate server. Versions earlier than UserGate v.4 are not compatible with v.5. Removal of UserGate Server is accomplished by clicking on the removal oprtion in the Start Programs menu or by using Add or Remove Programs in the Control Panel. After removal, some files remain in the UserGate directory, such as config.cfg (UserGate Server settings), log.mdb (UserGate statistics database) and some others. Therefore, when a newer version is installed, your settings are maintained. 5

6 UserGate licensing policy UserGate Server is designed to connect Local Area Network users to the Internet. The maximum number of users simultaneously connected to the Internet via UserGate is called number of sessions and is defined by a registration key. UserGate v.5 uses a unique registration key that does not support previous versions of UserGate software. Unregistered UserGate Server will run for 30 days in evaluation mode and is restricted to 5 sessions. Please do not confuse the session concept with the number of user-launched Internet applications or connections; in general, the number of user-launched connections varies (unless otherwise limited). UserGate s integrated antivirus software (Kaspersky and/or Panda) requires independent licensing, e.g. Kaspersky antivirus requires a special key file (*.key) located in the %UserGate%\kav directory. The UserGate distribution kit includes the 30-day trial key for Kaspersky antivirus; however, this key is not compatible with other Kaspersky Lab product keys The Panda antivirus license is built into the UserGate Server registration key according to agreements with Panda Security. A license for the BrightCloud module, designed for site categorizing, is also included in the UserGate license. The BrightCloud license period is restricted to one year. After the license period expires, the BrightCloud online service becomes unavailable. UserGate Administration module The UserGate Administration module is an application designed to control a local or remote UserGate Server. To start UserGate Administrator, please first start UserGate Server by selecting Start UserGate Server in the UserGate Agent context menu ( icon in the System Tray). You can also run UserGate Administrator by means of Start Programs if the module is installed on another computer. In order to modify your settings, you should connect the Administration module to the Server. Connection settings When the UserGate Administration Console initially launches, it displays the Connections page, where only one connection is specified. In the connection settings, localhost is specified as a server address, the login name specified is Administrator, and there is no connection password. To connect the Administration Console to the UserGate server, double-click on the localhost Administrator line or press the Connect button on the Control Panel. You can create several connections using the Administration Console. It is necessary to specify the following parameters in the connection settings: Server name connection name. User name login to connect to server. Server address domain name or UserGate Server IP address. Port TCP port used to connect to the Server (port 2345 is the default). Password the connection password. Always ask for password this option asks for your login and password whenever you connect to UserGate Server. Automatically connect to this server the Administration module automatically connects to the Server when it starts. 6

7 The Administration Console settings are stored in the file console.xml, located in the %UserGate%\Administrator\ folder. On the UserGate Server side, user names and connection passwords are stored in the %UserGate%\config. cfg file. Setting a connection password You can set up a login name and password for connection settings through the Administrator Settings section on the General Settings page. In this section, you can also specify a TCP port on which UserGate server will be listening for a connection with the Administration Console. In order for the new settings to take effect, it is necessary to restart the UserGate Server (using the Restart UserGate Server option in the Agent menu). After restarting, you should change the Administration Console connection settings as well. Otherwise, the Administrator will fail to connect to the Server. Setting a statistics database password All of a user s statistics, i.e. traffic, time online, and/or resources visited are logged by the UserGate Server in a special database. UserGate works with this database via the ODBC driver, which allows for the use of different database formats (MS Access, MS SQL and MySQL). In order for UserGate to work with a MySQL database, please use MySQL Connector v By default, UserGate server uses a database in MS Access format (log.mdb file) with no password specified. You can set a password on the General Settings Database Settings page in the Administration console. For the standard statistics database (log.mdb), you should stop the UserGate Server after setting the password, then open the database in MS Access using the Open exclusive option and set a password through Tools Security Set database password. NAT (Network Address Translation) Common Settings The NAT Common Settings option allows you to specify the timeout value for NAT connections through TCP, UDP, or ICMP protocols. The timeout defines a user s connection time through NAT after the data transfer is finished. The Print Debug Log option is used for debugging and allows you to turn on the extended logging mode of the UserGate NAT driver if needed. Interface settings The Interface page (Fig. 2) is the most important of the UserGate Server settings. It defines such important features as traffic count accuracy, Firewall rules creation, Internet channel bandwidth restrictions, relationships among networks, and the order of request processing by the UserGate NAT (Network Address Translation) drive. 7

8 Figure 2. UserGate Server interface settings All available network interfaces are listed on the Interface page, including Dial-up, VPN, and PPPoE connections. The UserGate administrator defines the connection type for each network adapter, i.e. for a network adapter connected to the Internet, you should select the WAN type; for a network adapter connected to a local area network, the LAN type should be selected. UserGate Server automatically defines PPPoE connections as a PPP interface (this type cannot be changed manually). For Dial-Up and VPN connections you can enter a user name and password by double-clicking on the corresponding interface. The network interface located at the top of the interfaces list is used as the default Internet connection. Network traffic calculation in UserGate Traffic passing through UserGate is assigned either to the user from the local area network that initiates the connection, or to the UserGate server itself if it initiates the connection. For the UserGate server traffic there is a special predefined user, UserGate Server, specified in the statistics database. UserGate Server traffic includes Kaspersky and Panda antivirus updates, DNS name resolution through the DNS-forwarding module, and BrightCloud requests and responses. When all UserGate server network adapters types (LAN or WAN) are specified correctly, traffic in the direction of local network UserGate Server (for example, accessing a shared folder on the UserGate server) is not taken into account during traffic calculation. Important note! Using third party antivirus or firewall products (for the purpose of traffic checking) may seriously affect the accuracy of UserGate traffic calculation. It is not recommended to set up and use any third party network software on the computer where UserGate Server is installed. 8

9 Connection failover If there are several Internet connections, the Connection Failover option becomes available on the Interfaces page. This option allows for the automatic switching of the UserGate Server to an alternative Internet connection if there is no connection through the primary channel. To use the Connection Failover option, you should specify the following: the primary Internet connection, one or several reserve channels, and a list of control hosts (Fig. 3). UserGate will check the availability of Internet connection by sending by sending ICMP echo-requests (the ping command) to the specified channels. The request period is 30 seconds by default, which can be changed manually. The Timeout parameter defines how long the UserGate server will be waiting for ICMP echo reply packets. If several control hosts are specified in Connection Failover, the UserGate Server will check them consecutively. A lack of response from all specified control hosts at the same time will be interpreted as primary Internet connection failure. Therefore, it is recommended to specify the most stable Internet hosts as control hosts. Figure 3. Connection Failover settings. As a reserve connection, UserGate Server can use either an Ethernet connection (dedicated channel, WAN interface) or a Dial-up, VPN, or PPPoE connection (PPP interface). In order for Network Address Translation (NAT) rules to work with both the primary and the reserve Internet channels, you should specify Masquerade as a destination in the NAT rules. After switching to the reserve Internet connection, UserGate Server regularly checks primary channel availability and, if possible, switches users back to the primary Internet connection. Users and groups To provide secure Internet access through UserGate, it is necessary to create the users accounts. To simplify common administration tasks, the UserGate administrator can create user groups according to access levels. The most common way is to combine users into groups by access level, as it makes traffic management, such as setting traffic consumption limit, much easier. Initially, there is only one group available in UserGate: the default group. 9

10 To create a new user, choose the Add new user option or press the Add button on the Control Panel s Users and Groups page. Then, enter the settings as shown in Fig. 4: Name, Authorization type, Authorization parameter (IP address, login, etc), Group and Billing plan. By default, all users belong to the default group. Each user must have a unique name. You can also specify the access level to UserGate Web statistics, define an internal H323 phone number, and enable NAT rules, traffic-management rules, and/or Application Firewall module rules. Figure 4. UserGate user profile Each newly defined user inherits all settings of the group to which it belongs, including the billing plan. The latter can be easily redefined in the user s profile. The billing plan specified in each user s profile is used for the connection tariffing (setting and monitoring the price of Internet traffic). You may use a blank tariff if the Internet connection is not rated. 10

11 User personal statistics page Every UserGate user can view his statistics page (Fig. 5). The user can access the page at if his browser is set to work through a proxy, or at where, for example, is the local address of UserGate server, and 8080 is the port on which the UserGate HTTP proxy is running. Figure 5. User personal page in UserGate On this page, the user can review his statistics summary, open the UserGate Web-Statistics page, or download the UserGate authorization client if needed. User authorization methods Internet access though UserGate is provided only for authorized users. UserGate supports the following authorization methods: authorization by IP address (or IP address range) authorization by MAC address authorization through a combination of IP and MAC addresses HTTP authorization (Basic) authorization through name and password Windows Login authorization 11

12 Active Directory authorization simplified version of Active Directory authorization For the last four methods, you should install the UserGate Authorization Client on the user s workstation. The corresponding MSI package (AuthClientInstall. msi) can be found in the %UserGate%\tools folder and can be installed automatically through Active Directory group policy tools. The %UserGate%\tools folder also contains the corresponding administrative template (*.adm file). When Active Directory authorization is used, UserGate Server obtains the authorization parameters (login and password) from the Authorization Client, which is launched at the user workstation, and checks them through the domain controller. If UserGate Server is installed on a computer not included in an Active Directory domain, it is recommended to use the simplified version of Active Directory authorization. In this case, UserGate Server will compare the login and domain name received from the Authorization Client with the corresponding fields specified in the user profile without requesting the domain controller. Terminal user support Along with basic HTTP authorization support, UserGate Server also supports terminal user HTTP authorization. You can enable this option on the General Settings page in the Administration Console (Fig. 6). This method of authorization allows terminal users to connect to the Internet using their individual UserGate accounts by means of a username and password for each connection. Figure 6. Terminal users support The HTTP authorization for terminal users mode is useful if you need to provide several network applications running from a single computer under the different UserGate accounts. Thereto please enter the appropriate proxy server (HTTP, SOCKS5) address, port and authorization parameters (username/password) for each network application. 12

13 Using HTTP authorization with transparent proxy The transparent proxy HTTP authorization method has also been added to UserGate v.5. If the user s browser is not set to use a proxy server and the UserGate HTTP proxy transparent mode is enabled, all requests from unauthorized users will be forwarded to an authorization page where you have to specify your username and password. After authorization, please do not close the page. The authorization page refreshes regularly by means of a special script to keep the user s session in active mode, which makes all UserGate services, including NAT, available for an authorized user. To end the session, press the Logout button on the Authorization page. Important note! Terminal users are not supported by this authorization method. Using Authorization Client The UserGate Authorization Client is a network application that works at the Winsock level. It connects to UserGate Server using a predefined UDP port (5456 by default) and sends user authorization parameters: the authorization type, username, and password. In the Authorization Client settings (Fig. 7), you should specify the UserGate server IP address and port, authorization type, and the corresponding parameters (username/password) as specified in the user profile. During its first run, the UserGate Authorization Client monitors the Registry key HKCU\Software\Policies\Entensys\ Auth client to find settings obtained through the Active Directory group policy. If these settings are not found in the Registry, you should specify the UserGate Server address manually in the third tab in the Authorization Client. After the server address is defined, press the Apply button to check the availability of the server. The specified authorization client settings are stored in the Registry key HKCU\Software\Entensys\Auth client. The authorization client log is saved in the Documents and Settings\%USER%\Application data\usergate Client folder. Figure 7. Authorization Client settings The UserGate Authorization Client shows statistics on bytes sent/received, time spent online, and cost. You can also change the Authorization Client s skin by editing the *.xml template located in the client s parent folder. There is also a link on the user s personal page that allows the data accessible through the UserGate Authorization Client to be viewed via a web browser. Important note! The Authorization Client is not supported for Terminal users. 13

14 UserGate services settings DHCP settings DHCP service (Dynamic Host Configuration Protocol) automates the task of configuring network settings for LAN clients. With DHCP server, you can dynamically assign parameters such as IP address, network mask, default gateway, DNS, etc. for all network devices. To enable the UserGate DHCP server, select the Services DHCP Server Add interface option in the UserGate Administration Console or press the Add button in the Control Panel. In the displayed dialog, select the network interface on which DHCP server will be running. For the minimum DHCP server configuration, it is sufficient to set the following parameters: IP address range (address pool) the range of addresses available to LAN clients from the server, the network mask, and the lease time. The maximum pool size in UserGate is 4000 addresses. You can exclude some IP addresses from the address pool by using the Exclusion list. You can also attach a permanent IP address to a particular network device by creating a corresponding reservation. To create a new reservation, please enter the IP address only; the MAC address will be defined automatically when you press the corresponding button. Figure 8. DHCP server settings UserGate DHCP server supports the import of MS Windows DHCP server settings. In order to use this feature, you should dump the Windows DHCP settings to a file. To do this, launch the command prompt (Start Run cmd ) and type: netsh dhcp server IP dump > file_name, where IP is your DHCP server s IP address. The import from file can be performed through the corresponding button on the first page of the DHCP server wizard. Previously delivered IP addresses are shown in the lower part of the DHCP page of the Administration Console (Fig. 7) along with the client information (workstation name, MAC address) and lease time values. By selecting a previously delivered IP address, you can create a user profile, create IP-MAC reservations, or remove the given IP address. 14

15 Figure 9. Remove the issued IP address The removed IP address will be released into the pool of free DHCP server addresses after a certain period of time. The Remove client option becomes useful if there is a workstation which has received an IP address and is later taken offline. Proxy service settings There are several proxy servers included in UserGate Server: HTTP (supports FTP over HTTP and HTTPS) and FTP proxy, SOCKS4, SOCKS5, POP3 and SMTP, SIP, and H323. Proxy server settings are located in Services Proxy Settings in the Administration Console. The most important settings are the interface (Fig. 10) and the port number where the UserGate server is running. 15

16 Figure 10. Proxy server primary settings If an interface is not specified in the proxy settings, the server will listen to all available network interfaces. By default, only HTTP proxy is enabled and it listens to the 8080 TCP port on all available network interfaces. To set the client browser to work through the proxy, you can specify the proxy address and port in the corresponding browser settings. For example, in Internet Explorer, you can set it through Tools Internet Options Connection LAN Settings. When working though HTTP proxy, specified in the browser settings, you do not need to specify the gateway and DNS in the TCP/IP settings of the local area network connection on a user workstation. For each proxy server, you can specify an upstream proxy-server. Important note! The port, specified in the proxy server settings, is opened automatically in the UserGate firewall. In order to ensure higher security, it is recommended to specify only local network interfaces in the proxy settings. SIP protocol support UserGate v.5 can operate as a stateful SIP proxy and as a SIP Registrar. Both functions can be enabled in the Services Proxy Settings page. UserGate SIP proxy always works in transparent mode, listening to ports 5060 TCP and 5060 UDP. When working through UserGate SIP-proxy, the information about the current connection state (registration, calling, waiting, etc) is shown on the Sessions page in the Administration Console. This information is also saved in the UserGate statistics database. In order to work through the UserGate SIP proxy, you should specify the UserGate Server IP as the default gateway in the TCP/IP settings on the user s workstation. A DNS server address must also be specified. Let us illustrate example client side settings for the SJPhone software phone and Sipnet.ru SIP provider. Start SJPhone, right-click on its icon in the system tray, choose Options, and then click New on the profiles page. Enter the profile name (Fig. 11), for example sipnet.ru, and specify Calls through SIP Proxy as the profile type. 16

17 Figure 11. SJPhone profile creation On the SIP Proxy page, specify your SIP provider address. In this example it is sipnet.ru. When closing the Profile options dialog box, enter the username and password for the SIP provider in the dialog box that is displayed. UserGate SIP Registrar Figure 12. SJPhone profile settings UserGate server can operate in SIP Registrar mode. In this mode, UserGate works as a PBX (Private Branch Exchange) for a local area network. The SIP Registrar function works simultaneously with the SIP-proxy function. In order to authenticate with the UserGate SIP Registrar you should specify the following: UserGate address as SIP server address UserGate user name (without spaces) Any password 17

18 H323 protocol support Built-in H323 protocol support enables you to use UserGate Server as a H323 Gatekeeper. In the H323 proxy settings, you need to specify the interface where on which UserGate will be listening for client queries, port number, and an H323 gateway address and port. For authorization on UserGate H323 Gatekeeper, the user should specify his user name (user name in UserGate), password (any password), and phone number (defined in the user s profile). UserGate mail proxies UserGate mail proxies are designed to support both POP3 and SMTP protocols, as well as to scan mail traffic for viruses. When UserGate POP3 and SMTP proxies work in transparent mode, the mail client settings on a user s workstation are the same as if it were connected directly to the Internet (without the use of proxies). If UserGate POP3 proxy is used in non-transparent mode, in the user s mail client you should specify the UserGate server IP address and port that correspond to the POP3 proxy as a POP3 server address. In addition, you need to specify a login for the remote POP3 server authorization in the following format: _address@pop3_server_ address. For example, if the user is user@mail.ru, you should enter user@mail.ru@pop.mail.ru as the login for the UserGate POP3 proxy. This format is necessary in order for UserGate to detect the remote POP server address. If UserGate SMTP proxy is used in non-transparent mode, you need to specify the SMTP server IP address and port in the proxy settings section. In this case, you enter the UserGate Server IP address and port that correspond to the SMTP proxy as the SMTP server address in the mail client settings of the user s workstation. If authorization is needed for sending mail, please enter the username and password that correspond to the SMTP server shown in the UserGate SMTP proxy settings. Proxies in transparent mode The Transparent Mode option in the proxy server settings is enabled if UserGate Server is installed along with a NAT driver. In transparent mode, the UserGate NAT driver is listening to the standard ports (such as 80 TCP for HTTP, 21 TCP for FTP, 110 and 25 TCP for POP3 and SMTP) on LAN network interfaces and sends users requests to the corresponding proxy in UserGate. When transparent mode is enabled, it is not necessary to specify the proxy server address and port in each network application, considerably reducing administrative efforts to provide LAN-to- Internet access. However, you need to specify UserGate Server as the gateway and specify a DNS server on each LAN workstation s settings. Parent proxies UserGate Server can work either with a direct Internet connection or through upstream or parent proxies. UserGate supports the following parent proxy types: HTTP, HTTPS, SOCKS4 and SOCKS5. You can create parent proxies on the Service Parent Proxy page. For each parent proxy, you should specify its type, IP address, and port. If the parent proxy supports authorization, you can specify the corresponding login and password. All created parent proxies become available in the UserGate proxy server settings. 18

19 Figure 13. Parent proxy in UserGate Port mapping Port mapping support is available in UserGate. Port mapping rules allow the UserGate Server to redirect user requests from specific ports of a UserGate workstation network interface to addresses and ports specified by the rules. Port mapping is already enabled for TCP and UDP protocols and does not require a UserGate NAT driver to be installed. Figure 14. UserGate ports definition Important note! If port mapping is used to provide access to company internal resources from the Internet, you should use Specified User as the Authorization setup parameter. 19

20 Cache settings An important purpose of a proxy server is resource caching, which reduces the Internet connection load and greatly increase the speed of access to commonly visited resources. UserGate proxy implements both HTTP and FTP traffic caching. Cached documents are saved in the %UserGate%\Cache folder. On the Cache page in the Administration Console you may specify the Cache size limit and the document storage lifetime. You can also enable the option Calculate traffic from cache. With this option enabled, UserGate server will calculate traffic downloaded from the cache and assign it to a LAN user as if the web page were taken from the Internet. Antivirus scanning There are two antivirus modules integrated in UserGate Server: Kaspersky Lab and Panda Security. Both modules are assigned to scan incoming traffic through UserGate HTTP, FTP, and mail proxies, as well as outgoing traffic through SMTP proxy. Antivirus settings are available on the Services Antivirus page in the Administrator console (Fig. 15). You can specify the protocols for each antivirus tool to scan, setup the antivirus automated update frequency, and enter URLs that it is not necessary to check (URL Filter). You can also specify a group of users whose traffic is not required to be scanned for viruses. Figure 15. UserGate antivirus modules 20

21 Before running the antivirus software, you need to start the antivirus update and wait for the update to complete. By default, the Kaspersky antivirus updates are downloaded from the Kaspersky Lab FTP site, whereas Panda antivirus updates are taken from UserGate Server supports both antivirus engines working simultaneously and allows you to choose the protocols to be scanned by each engine, as well as traffic scan directions for each protocol if it is checked by both. Important note! When traffic scanning for viruses is enabled, UserGate Server blocks HTTP and FTP multithreaded downloads. Blocking partial file transfer through HTTP may cause problems with the Windows Update service. UserGate Scheduler There is a task scheduler built into UserGate that enables Dial-up connection initialization and release, the delivery of statistics reports to users, arbitrary task execution, antivirus updates, and statistics base purging. Even nonstandard tasks can be performed on schedule, such as launching special kinds of *.bat or *.cmd files using Execute Program in the UserGate Scheduler. Figure 16 Setting UserGate scheduler 21

22 DNS settings UserGate supports two methods for name resolution: DNS module and NAT rules. The DNS module is used with all UserGate services: proxy servers, BrightCloud URL-filtering, antivirus, etc. This module is designed to handle DNS queries of different types, such as A, MX, and PTR, and it also supports recursive queries. Communication with UserGate services is performed on the Winsock level. By default, the DNS module listens to the 5458 UDP port. Moreover, the DNS module can use DNS servers specified in the server network settings or use a given list of DNS servers. If there are several DNS servers specified, UserGate calls are based on the response time. So, if a particular DNS server doesn t provide a timely response, UserGate automatically calls other servers. For resolving user DNS queries, DNS forwarding mode is used. DNS forwarding settings are available in the Services - DNS forwarding section of the Administrator console. In forwarding mode, the DNS listens to the 53 UDP port on the UserGate server s LAN adapters. DNS queries coming from the WAN adapters are ignored. Responses to DNS queries are cached in the server memory, so the speed of name resolution is greatly improved. The DNS module also looks for changes in the %WINDIR%\system32\drivers\etc\hosts file, updating the in-memory cache as needed. All records from the hosts file are stored in the DNS s own cache memory while the DNS is active. Figure 17. DNS settings A NAT setup creates a NAT rule for port 53 UDP, which can be applied to all or some users. In this case, you should specify the Internet provider s DNS IP as the DNS server on the client workstation. Alert Manager The purpose of the Alert manager module is to inform a UserGate administrator about certain types of events that occur with UserGate Server. For example, you can create a virus detection alert, antivirus module error alert or a license expired alert. The alert will be delivered by sending through the SMTP server specified in the Delivery Settings. 22

23 Figure 18 Setting the Alert manager UserGate Firewall Principle of operation UserGate s built-in Firewall, being a part of UserGate s NAT driver, is designed to handle network traffic according to predefined rule sets. In the Firewall rule, you must specify source and destination addresses, service (protocol-port pair) and action: Send or Drop. The firewall rule type is defined automatically according to specified parameters. UserGate supports network translation (NAT), routing, and firewall (FW) rule types. In the default settings, only one firewall rule is available (the #NONUSER# rule) which permits or silently drops all outgoing network traffic if it does not originate from a UserGate server process, and all unexpected incoming traffic. If you enable Drop mode for the #NONUSER# rule, UserGate Firewall will block all incoming and outgoing packets except transit packets. This is the most secure setting for UserGate if it is installed on a standalone PC serving only as a gateway. If UserGate is installed on a workstation that works as an internet gateway at the same time, you should create permissive firewall rules. These rules will be placed above the #NONUSER# rule in the rules list. When the UserGate server accepts a network packet, it looks through firewall rules in order to decide whether it should send or drop the packet. All firewall rules are scanned in sequence from top to bottom in firewall rules list. When UserGate finds the first applicable firewall rule for the given network packet, it ignores the remaining rules. By changing the firewall rule position in the rules list, the UserGate Administrator may change the rule s priority of use. 23

24 UserGate services, such as proxy server port mapping rules, generate, so called, automatic firewall rules. For example, when you turn on the HTTP proxy, the built-in firewall will automatically create a corresponding permissive rule to maintain the proxy operation. Automatic firewall rules are not represented in the rules list; you can remove them only by disabling the corresponding proxy or port mapping rule. Nevertheless, the UserGate administrator can block a permissive automatic rule by creating an appropriate prohibitive rule and placing it at the top of the rules list. Network Address Translation rules (NAT) To create a new network address translation rule (Fig. 19) right-click on the Firewall Rules page in the Administrator console and select the Add rule option. Select the UserGate LAN adapter as a source and either a WAN or a PPP interface as a destination, and specify one or several services. On the last page, specify which users or groups are allowed access through this NAT rule. Figure 19. UserGate NAT rule creation 24

25 If a required service (protocol/port pair) is absent in the predefined services list, you can add it through the New service button or through the Services page in the Administration Console. Important note! Prior to any access attempt through the UserGate NAT, make sure that the UserGate LAN IP address is specified as a default gateway on the user s workstation. When the user requests access through the NAT, domain names should be resolved automatically, so the DNS server must be specified on the user s workstation. Working with multiple Internet service providers The UserGate NAT driver supports several simultaneous external (Internet) connections. For this purpose, the UserGate administrator can create several NAT rule sets with different destination interfaces (WAN or PPP) (Fig. 20). Using this approach, the UserGate administrator can provide different Internet providers for different groups of users in a local area network. Applying two translation rule sets for the same user or group is not recommended. Masquerade for NAT rules Figure 20. Working with multiple providers In the presence of several external interfaces (WAN or PPP), the UserGate administrator may choose Masquerade as a destination address in a NAT rule. The Masquerade function is used when the outgoing network interface used for package transfer is not known beforehand. This choice means that an outgoing network interface will be defined dynamically by comparing the destination host network address with the network address of all UserGate WAN or PPP interfaces. If the network address of a destination host does not match any WAN or PPP interface, the packet will be sent through the Primary Internet channel. Additionally, the Masquerade function may be used for translation of network packets within several external networks 25

26 Figure 21 Automatic choice of the outgoing adapter in the NAT rules Important note! While using Connection Failover, the automatic outgoing interface selection option in the NAT rules is disabled. All NAT rules traffic with Masquerade, specified as a destination will go through the reserved Internet connection. Network resources publishing With UserGate Firewall, you can open access to your company s internal network resources from the Internet; for example, to a Web, FTP, VPN or mail server. If a resource publishing rule is created, all requests to a certain port of the UserGate server s external IP will be redirected to the internal server according to the rule. Access to internal resources can be provided for all (source - Any) or for specified Internet users (source Host or Host range). In order to create a resource publishing rule, you need to specify only one service on the Services page (Fig. 22) in the Add Network Rule dialog. 26

27 Firewall filtering rules Figure 22. FTP server publishing It is common for UserGate to be installed on a PC used both as an Internet gateway and as a workstation at the same time. If the #NONUSER# firewall rule is working in Drop mode, it is necessary to create several special permissive firewall rules. For example, these rules can permit outgoing requests and incoming responses for such basic protocols as HTTP, HTTPS, FTP, POP3 and SMTP. An example of such rules is shown in Figure

28 Routing support Figure 23. UserGate Server firewall rule If UserGate server is installed on a PC connected to several local area networks, UserGate can be set up to act as a router providing transparent bidirectional connections among local networks. A firewall routing rule can be set up between any pair of LAN interfaces (Fig. 24). 28

29 Figure 24. UserGate routing Important note! UserGate authorization is not required for routing, and traffic count is not monitored. UserGate speed limitations UserGate supports two methods of limiting network traffic speed. The simplest method is to set the traffic speed limit through a user profile or though a traffic rule ( Speed Set up Speed ). This method is somewhat limiting because it allows you to restrict only incoming traffic speed for all connections without an opportunity to distinguish among protocols or destination addresses and ports. This limitation mechanism works for proxy services and for NAT traffic. With this method you cannot restrict traffic speed for a group of users. The second method to limit network traffic speed in UserGate is to use the Traffic Manager (TM) module. This 29

30 method is more sophisticated and provides more possibilities for speed limitation. For example, you can create different restrictions for incoming and outgoing traffic for different protocols. Important note! When Traffic Manager is enabled, all traffic speed limitations specified either in the user s profile or in traffic rules are ignored. Traffic Manager The UserGate Traffic Manager (TM) module is based on a well-known CBWFQ (Class-Based Weighted Fair Queuing) algorithm. This algorithm allows the processing of network packets using FIFO (First In First Out) queues based on queue priority and packet classification. A part of the algorithm is WFQ (Weighted Fair Queuing), when FIFO packet queues are processed by priorities and weight (size) of packets. Also, the algorithm of TM includes the Shaper functionality (restriction of a bandwidth for a rule). Shaper also processes queues by priority. The other options are Speed limit and Time delay. Figure 25 Traffic Manager rules for setting speed limits There are two types of rules in the TM module: adapter rules, or default rules, and user rules. Default rules are designed for processing network packets that do not fit under user TM rules or for processing all network packets when there are no user TM rules defined. Default rules are created automatically for each WAN adapter of the 30

31 UserGate server. Default rules should be enabled to provide TM operation. User rules are designed to handle specific traffic types. The following parameters are accessible for the TM user rule: Rule priority Traffic direction (incoming/outgoing), Maximum bandwidth value allowed (Kbps or Mbps), Packet delay (ms), Protocol (TCP/UDP/ICMP), Source IP and port, Destination IP (as an IP/mask) and destination port, Adapter to process the traffic by Bandwidth Manager. Important note! The Time Delay parameter is designed for delaying network packets if their traffic does not fit into the specified bandwidth. The priority of the TM rule defines which FIFO queue will be used for packet processing. There are 8 priority queues defined: 4 absolute priority queues (HIGH, MEDIUM, NORMAL, and LOW) and 4 queues with relative priority. Manageable traffic speed limiting is provided only for rules with relative priorities. According to the speed limit specified, a package can be sent to the outgoing buffer, moved to the beginning of the queue (if the parameter Time Delay is specified), or rejected. Queues with an absolute priority are intended for priority traffic processing. If needed, this traffic can fill all the bandwidth of the dedicated Internet channel. There is only one parameter that the administrator can use to affect privileged traffic processing the absolute rule priority. When creating the user s TM rule, the machine address in the local network can be specified as a source. As a destination address, you should always specify an external host or external network address. To restrict NAT traffic speed, it is recommended to bind a user s TM rule to the UserGate server LAN adapter because, in this case, it is not necessary to specify the source address (this traffic speed limitation will be applied to all users). The traffic speed limit can be applied more narrowly by specifying the source IP address or IP addresses range. To restrict traffic speed through proxies, it is recommended to bind the user s TM rule to the UserGate WAN adapter without specifying the source address. The traffic speed limit through the proxy can be set only for all local network users. When creating a TM user rule, please take into account the following: The Traffic Manager is intended for traffic speed limiting for directions Server Internet and Local Network Internet. If a network packet matches more than one limiting rule, the Traffic Manager chooses only the first suitable rule. The Traffic Manager does not support Dial-up connections. A network packet, which does not match any user TM rules, will be handled by the default rule. There are two parameters specified in the default TM rule: speed limit (Kbps or Mbps) and priority. The speed limit specified in the default TM rule is assumed to be the same for both incoming and outgoing network traffic. 31

32 Application Firewall Internet access management policy is a logical continuation of the Application Firewall. With UserGate Server, a system administrator can manage Internet access for both users and network applications on a client workstation. To control client workstation applications in a local network, it is necessary to install the App. Firewall Service application. Installation can be performed by launching the MSI package (AuthFwInstall.msi) located in the %UserGate %\tools directory, which functions as an executable file. Network application management is performed on the basis of the administrator-defined rules, applied to a user or to a group of users. There are two types of rules in the Application Firewall: default rules and users rules. Any workstation with the Application Firewall Service installed can get default rules under the following conditions: The Application Firewall service detects the UserGate Server, A set of default rules was created. Since all Application Firewall rules should belong to a certain rules group, a special Default rules folder is assigned to store the default rules. A UserGate administrator can also create groups for User rules. Initially, UserGate has only one default rule which allows any user network application to access any IP address using any protocols. This rule is recommended to use at the beginning of Application Firewall setup for gathering application usage statistics. Application Firewall service obtains the User rules set only after user authorization on the UserGate Server. A user can be authorized with or without the Authorization Client by using the address of the workstation (IP address, MAC address, or both). User rules can supplement or override the default rules. When the Authorization Client is used, the Application Firewall creates a logical link between a Windows and UserGate profile for the authorized user. Changing the Windows account when the Authorization Client is running will disable all user rules. The Application Firewall does not support HTTP authorization. The Application Firewall policy with default settings is defined as the following: a) If the UserGate Server is unavailable, all network applications are allowed. b) If the UserGate Server is available, only local access of network applications and services is allowed. The network application statistics of the Application Firewall are stored in the workstation s local folder %Program Files%\Entensys\Application Firewall\Cache and are sent periodically (approximately every 10 minutes) to the UserGate Server. The sending frequency is defined by the Registry parameter SendStatistics (HKLM\Software\ Policies\Entensys\Application Firewall). Also, the proper Caching rules are embedded in the Application Firewall. If the UserGate Server is temporarily unavailable, the Application Firewall service continues to work according to rules in the local Cache while waiting for the next update time (UpdateRules Registry parameter). By default, the rules are updated every 5 minutes. User application statistics are available in Application Firewall Statistics. User and workstation information, as well as network application information, are shown in Figure

33 Figure 26. Network application statistics UserGate administrators can create an application rule by double-clicking on the corresponding line on the Application history page. UserGate cache explorer The Cache Explorer (Fig. 27) allows you to view the cached content stored by UserGate. To start the Cache Explorer, right-click the UserGate Agent icon in the system tray and then click the Run Cache Explorer option. Alternatively, you may click the corresponding item in the Windows Start menu. When starting the Cache Explorer, you need to specify the location of the file cache.dat (the UserGate cache file). Using the Cache Explorer interface, you can search, sort, and filter the cached content. Finally, you can select any files in a list and then save them to a folder of your choice. 33

34 Figure 27 Cache explorer UserGate traffic management Traffic management rules UserGate Server enables you to manage Internet access by using traffic management rules. These rules can deny user access to certain network resources, set up traffic consumption limits, create Internet scheduling, and track user accounts. Traffic management rules are arranged in the form of an action to be performed on a certain object. There are 4 object-action pairs defined in UserGate: Connection Close, Traffic Don t count, Tariff Change, and Speed Set up. For a traffic management rule to execute, you need to define the rule s condition: time of day, day of week, URLs (IP), traffic limit (per day, week or month), etc. Defined conditions may be combined using logical AND/OR operators, allowing greater flexibility when creating rules. Even more flexibility is possible due to the possibility of applying rules both for all protocols and/or for particular ones. You may apply created rules to users or user groups in UserGate. Internet access restriction Internet access restriction is a typical task of a proxy server. For this purpose, there are Connection Close rules in UserGate. Working with the proxy server (HTTP, FTP), you may specify the resource domain name (URL) as well as its IP address. The UserGate Server can implement filtering by a URL fragment ( Whole URL item), by address part ( Server address item), or by document address ( Document URL item). 34

35 Figure 28. URL filtering settings When providing an IP address, you may specify it as a Source or Destination address. The Inverse option means all IP addresses except the specified. Please note that if you need to deny access to some external hosts for NAT traffic, you should specify their IP addresses (but not domain names, as the UserGate NAT does not work with domain names). Important note! In order to work, the created rule must be applied to UserGate users or groups. BrightCloud URL filtering In the context of our technological partnership with BrightCloud Inc, we integrated the hosted BrightCloud service and the BrightCloud Master Database into UserGate. A UserGate administrator can deny access to sites having certain content without even knowing those sites names. Additionally, it is possible to get a report from UserGate Statistics about the site categories visited, e.g. Ads, Education, News, etc. Using site categories allows a more flexible policy of Internet access management. Categorized filtering is available for UserGate proxy services working in both transparent and non-transparent modes and for NAT traffic. For NAT traffic, categorized filtering will be available only if a user s DNS requests go through the DNS forwarding module in UserGate. To deny access to particular categories (Fig. 29), open the Traffic policy Traffic rules page, create a Connection Close rule, and specify the unwanted category on the fifth page of the rule creation dialog. 35

36 Figure 29. Categorized filtering rules 36

37 Setting a traffic consumption limit You may apply the 'Connection Close traffic management rules to prohibit certain Internet resources, but also you can use them to limit traffic consumption. In this case, you may specify a maximum value of incoming/outgoing (or total) traffic per day, week, or month as the condition (Fig. 30). Figure 30. Traffic limit If a traffic consumption limit is applied to a user, Internet access will be blocked completely or partially (depending on additional parameters, e.g. protocols to which the rule is applied) as soon as the limit is exceeded. File size restriction UserGate traffic management rules also enable an administrator to restrict the download of files larger than the maximum size specified. This option is enabled through the rule with the OR logical type and can be applied to HTTP proxy traffic only. Content-type filtering The HTTP proxy in UserGate can filter traffic by the Content-type field, which is included in the header of a response to a user from a web server.the Content-Type header field is used to specify the nature of the data (and its format) in a web-server response: whether it is audio or video content, image (e.g. jpg, png, etc.), or a document (MS Word, MS Excel). The Content-type header field is analyzed by UserGate and the corresponding content can be either blocked or allowed depending on the traffic rules set by an administrator. Filtering by the Content-type field can be used to block access to certain data types and formats like video or audio files, disable JavaScript, or prevent documents of a specific extension from being transferred over the network. 37

38 Fig 31 HTTP filtering by Content-type 38

39 The content-types list is stored in a special *.xml file located in the %UserGate5%\Administrator folder. A UserGate administrator can add new content-types in this *.xml file or through the Administration Console. The link to ianna. org is included for this purpose. Billing system Internet access tariffing In addition to direct traffic registration, UserGate Server can also be used for Internet connection expenditure calculations. This opportunity is provided by its integrated billing system. Underlying the billing system is a billing plan term. By default, there is only one billing plan in UserGate with zero values for incoming, outgoing, and temporal traffic costs. If UserGate is used to provide paid Internet access, the UserGate administrator can create any number of billing plans according to Internet provider cost policies, or varied according to administrator preferences. UserGate access billing plans can be applied both to users and/or user groups. By default, the Internet connections of all users belonging to the same group are rated according to the group s specified billing plan. An administrator can redefine user billing plans at any time. User account status control The UserGate billing system perfectly supplements the integrated Traffic Management system. If UserGate Server is used to provide paid Internet access, you can use the Traffic Management system to control user account status. Thus, in the Connection Close rule, you can enable the Activate tracking option as a condition and specify the threshold value of a user account. The rule will become active if a user s account balance falls below the threshold value. Dynamic billing plans switching UserGate traffic management rules can be used to switch among dynamic billing plans. The most common task, related to a Dial-up connection, is switching between day and night billing plans. Another task is using the different billing plans for an Internet Service Provider s internal network and for the Internet. Both tasks are accomplished via the Tariff Change rule. UserGate remote administration Remote connection settings You can use the UserGate Administration module to control a remote server. In the Server address in the connection settings, please specify the domain name or IP address of the remote machine where UserGate is running. To use the Administration module from a remote machine, you should run the UserGate installation wizard and select only the UserGate Administration Console. 39

40 Restarting UserGate server The UserGate server remote restart function has been added into the Administration Console. It is possible to connect to the remote UserGate server and choose File Restart server from the Administration Console. Checking for the new version In General Settings under UserGate Administrator there is a Check for updates option. If this option is enabled, the UserGate Server requests the latest version availability from UserGate s site. If the version installed is older than the version available on the site, the Administration Console displays the proper message. In this case, the administrator can download the new version from the site and install it. Automatic UserGate upgrades are not yet supported. UserGate statistics utility Traffic statistics information is stored in the UserGate Server s own database. By default, MS Access is used as the database and is located in the UserGate parent directory as log.mdb. Brief information about the total traffic of users and groups is available in the Monitoring section of UserGate Administrator. Detailed statistics are presented in the UserGate Statistics module an application assigned to work with the UserGate statistics database (Fig. 32). Figure 32. UserGate statistics 40

41 You can obtain detailed statistics for each user or group by using filters. Filtering allows the creation of reports by time of access, by protocols, by resources requested, etc. The resulting report is presented in a table that can be exported to MS Excel, HTML, or OpenOffice calc formats. UserGate Web statistics A new statistics module has been added to UserGate v.5. The Web statistics module provides detailed statistics on Internet connection usage from anywhere in the world using an ordinary web browser. For web statistics, several access levels can be specified in the UserGate user s profile. Thus, an ordinary user may check his own statistics, a Director could see the statistics of any user, and an Administrator is authorized to see all user statistics and to create statistic report templates. Figure 33. UserGate Web statistics URLs page Important note! UserGate web statistics are enabled simultaneously with the HTTP proxy. Web statistics are unavailable when the HTTP proxy is turned off. Statistical information is represented now not only in table form, but in graphic diagrams as well to make the reports easier to understand. You can access statistics by visiting the link (where is the UserGate Server address, 41

42 for example) or via the corresponding link on the user s personal statistics page (where 8080 is the UserGate HTTP proxy port). The certificate located in the %UserGate%\ssl folder is used for access to web statistics through an HTTPS protocol. Another method of accessing the web statistics page is to use the link from the last tab in the UserGate Authorization Client. Web statistics settings In the web statistics settings, you can select regional settings, enable a cache, specify its storage time, and enable the logging of program events. View Settings allows you to specify the number of bytes per kilobyte (according to way your provider defines kilobyte ), indicate the information specification details, and enable URL address representation. In order to avoid excess load time on the Statistics screen, it is possible to turn off the user s balance display. Traffic management rules efficiency rating To manage Internet access, the UserGate administrator can create traffic management rules and apply them to a user or group of users. However, a situation may arise in which created rules are inefficient. For example, if the rule is applied to all users, but actually acts only on the most active users, it would be expedient to disable the rule for users who do not need this rule's effect. Those users traffic will be not exposed to needless checking, which may improve the server s productivity. Figure 34 Rules statistics for traffic management 42