Access to the Internet using UserGate. Overview of the UserGate proxy server - a comprehensive solution for sharing Internet access. Configuring UserGate to work with the browser

Organizing shared Internet access for local network users is one of the most common tasks that system administrators have to face. Nevertheless, it still raises many difficulties and questions. For example: how do you ensure maximum security and full manageability?

Introduction

Today we will take a closer look at how to organize Internet sharing for employees of a hypothetical company. Let's assume that their number will be in the range of 50-100 people, and all the usual services for such information systems are deployed in the local network: Windows domain, own mail server, FTP server.

To provide sharing, we will use a solution called UserGate Proxy & Firewall. It has several features. Firstly, this is a purely Russian development, unlike many localized products. Secondly, it has more than ten years of history. But the most important thing is the constant development of the product.

The first versions of this solution were relatively simple proxy servers that could only share a single Internet connection and keep statistics on its use. The most widespread among them was build 2.8, which can still be found in small offices. The developers themselves no longer call the latest, sixth version, a proxy server. According to them, this is a full-fledged UTM solution that covers a whole range of tasks related to security and control of user actions. Let's see if that's the case.

Deploying UserGate Proxy & Firewall

During the installation, two stages are of interest (the remaining steps are standard for installing any software). The first one is the choice of components. In addition to the basic files, we are invited to install four more server components - a VPN, two antiviruses (Panda and Kaspersky Anti-Virus), and a cache browser.

The VPN server module is installed as needed, that is, when the company plans to use remote access for employees or to combine several remote networks. It makes sense to install the antiviruses only if the corresponding licenses have been purchased. Their presence allows Internet traffic to be scanned and malware to be localized and blocked directly on the gateway. Cache Browser allows you to view web pages cached by the proxy server.

Additional functions

Ban on unwanted sites

The solution supports Entensys URL Filtering technology. In fact, it is a cloud-based database containing more than 500 million sites in different languages, divided into more than 70 categories. Its distinguishing feature is continuous monitoring: web projects are re-checked constantly and, when their content changes, they are moved to another category. This allows you to ban all unwanted sites with a high degree of accuracy, simply by selecting certain categories.

The use of Entensys URL Filtering increases the security of working on the Internet, and also improves the efficiency of employees (by prohibiting social networks, entertainment sites, etc.). However, its use requires a paid subscription, which must be renewed every year.

In addition, the distribution includes two more components. The first one is "Admin Console". This is a separate application designed, as the name implies, to manage the UserGate Proxy & Firewall server. Its main feature is the ability to connect remotely. Thus, administrators or persons responsible for using the Internet do not need direct access to the Internet gateway.

The second additional component is web statistics. In fact, it is a web server that allows you to display detailed statistics on the use of the global network by company employees. On the one hand, it is, without a doubt, a useful and convenient component. After all, it allows you to receive data without installing additional software, including via the Internet. But on the other hand, it takes up extra system resources of the Internet gateway. Therefore, it is better to install it only when it is really needed.

The second step that you should pay attention to during the installation of UserGate Proxy & Firewall is the selection of a database. In previous versions, UGPF could only function with MDB files, which affected the performance of the system as a whole. Now there is a choice between two DBMS - Firebird and MySQL. Moreover, the first one is included in the distribution kit, so when choosing it, no additional manipulations are necessary. If you wish to use MySQL, then you must first install and configure it. After the installation of the server components is completed, it is necessary to prepare the workplaces of administrators and other responsible employees who can manage user access. It is very easy to do this. It is enough to install the administration console on their working computers from the same distribution kit.

Additional functions

Built-in VPN server

Version 6.0 introduced the VPN server component. It can be used to organize secure remote access for company employees to the local network, or to combine the remote networks of individual branches of the organization into a single information space. This VPN server has all the necessary functionality to create server-server and client-server tunnels and routing between subnets.


Basic setup

All configuration of UserGate Proxy & Firewall is carried out using the management console. By default, after installation, it already has a connection to the local server. However, if you are using it remotely, you will have to create the connection manually by specifying the Internet gateway IP address or hostname, network port (2345 by default) and authorization parameters.

After connecting to the server, the first thing to do is configure the network interfaces. You can do this on the "Interfaces" tab of the "UserGate Server" section. For the network card that "looks" into the local network, we set the type to LAN, and for all other connections, WAN. "Temporary" connections, such as PPPoE and VPN, are automatically assigned the PPP type.

If a company has two or more WAN connections, one of which is primary and the others are redundant, you can set up automatic failover. This is quite simple: add the necessary interfaces to the list of reserve ones, and specify one or more control resources and the interval at which they are checked. The system works as follows. UserGate automatically checks the availability of the control sites at the specified interval. As soon as they stop responding, the product switches to the backup channel automatically, without administrator intervention. Meanwhile, it keeps checking the availability of the control resources on the main interface, and as soon as a check succeeds, it switches back automatically. The only thing you need to pay attention to when setting up is the choice of control resources. It is better to take several large sites whose stable operation is almost guaranteed.
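The switching logic described above can be modelled in a few lines to see why several control resources are recommended. This is an added example, not UserGate code; the interface names, control sites, timeline and the "all checks failed" criterion are assumptions.

```python
# Added example: a model of the backup-channel switching described above.
# Interface names, control sites and the timeline are constructed.

ALL_SITES = ("site-a.example", "site-b.example", "site-c.example")

# (seconds, control sites that answer through the main interface)
TIMELINE = [
    (0,   set(ALL_SITES)),
    (30,  {"site-b.example", "site-c.example"}),  # site-a itself is down
    (60,  set(ALL_SITES)),
    (90,  set()),                                  # main channel is down
    (120, set()),
    (150, set(ALL_SITES)),                         # main channel is back
]


def main_channel_up(results):
    """Assumption: the main channel counts as failed only when every
    control resource fails during the same check."""
    return any(results)


class ChannelMonitor:
    def __init__(self, main, reserve):
        self.main = main
        self.reserve = reserve
        self.active = main
        self.events = []  # (time, old interface, new interface)

    def check(self, t, results):
        """Handle one periodic check made through the main interface."""
        up = main_channel_up(results)
        if self.active == self.main and not up:
            self._switch(t, self.reserve)
        elif self.active == self.reserve and up:
            # Checks on the main interface continue while on reserve,
            # so the switch back needs no administrator.
            self._switch(t, self.main)
        return self.active

    def _switch(self, t, new):
        self.events.append((t, self.active, new))
        self.active = new


def simulate(control_sites, timeline=TIMELINE):
    """Replay the timeline and return the list of channel switches."""
    if not control_sites:
        raise ValueError("at least one control resource is required")
    monitor = ChannelMonitor("WAN-main", "WAN-reserve")
    for t, reachable in timeline:
        monitor.check(t, [site in reachable for site in control_sites])
    return monitor.events


if __name__ == "__main__":
    print("one control site   :", simulate(["site-a.example"]))
    print("three control sites:", simulate(ALL_SITES))
```

With a single control site, that site's own outage at second 30 causes a switch although the main channel is healthy; with three sites only the real outage at second 90 does.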

Additional functions

Network application control

UserGate Proxy & Firewall implements an interesting feature: control of network applications. Its purpose is to prevent any unauthorized software from accessing the Internet. As part of the control setup, rules are created that allow or block the network activity of various programs (with or without regard to version). They can specify particular destination IP addresses and ports, which lets you configure software access flexibly, allowing a program to perform only certain actions on the Internet.

Application control allows you to develop a clear corporate policy on the use of programs, and partially prevent the spread of malware.

After that, you can proceed directly to setting up proxy servers. In total, seven of them are implemented in the solution under consideration: for HTTP (including HTTPS), FTP, SOCKS, POP3, SMTP, SIP and H323. This is almost everything that may be needed for the work of company employees on the Internet. By default, only the HTTP proxy is enabled; all the others can be activated if necessary.


Proxy servers in UserGate Proxy & Firewall can operate in two modes - normal and transparent. In the first case, we are talking about a traditional proxy. The server receives requests from users and forwards them to external servers, and passes the received responses to clients. This is a traditional solution, but it has its drawbacks. In particular, it is necessary to configure each program that is used to work on the Internet (Internet browser, mail client, ICQ, etc.) on each computer in the local network. This, of course, is a big job. Moreover, periodically, as new software is installed, it will be repeated.

When transparent mode is chosen, a special NAT driver is used, which is included in the delivery package of the solution in question. It listens on the appropriate ports (80 for HTTP, 21 for FTP, and so on), detects incoming requests on them and passes them to the proxy server, from where they are sent further. This solution is more successful in the sense that software configuration on client machines is no longer needed. The only thing that is required is to specify the IP address of the Internet gateway as the default gateway in the network connection of all workstations.

The next step is to set up DNS query forwarding. This can be done in two ways. The simplest of them is to enable the so-called DNS forwarding. When it is used, DNS requests coming to the Internet gateway from clients are redirected to the specified servers (either the DNS servers from the network connection settings or any arbitrary DNS servers).


The second option is to create a NAT rule that will receive requests on port 53 (the standard DNS port) and forward them to the external network. However, in this case, you will either have to manually register DNS servers on all computers in the network connection settings, or configure sending DNS queries through the Internet gateway from the domain controller server.

User management

After completing the basic setup, you can proceed to work with users. You need to start by creating groups into which accounts will subsequently be combined. What is it for? First, for subsequent integration with Active Directory. And secondly, you can assign rules to groups (we'll talk about them later), thus controlling access for a large number of users at once.

The next step is to add users to the system. This can be done in three different ways. The first of them, the manual creation of each account, we do not even consider for obvious reasons. This option is only suitable for small networks with a small number of users. The second way is to scan the corporate network with ARP requests, during which the system itself determines the list of possible accounts. However, we choose the third option, which is the most optimal in terms of simplicity and ease of administration - integration with Active Directory. It is performed on the basis of previously created groups. First you need to fill in the general integration settings: specify the domain, the address of its controller, the username and password of the user with the necessary access rights to it, as well as the synchronization interval. After that, each group created in UserGate must be assigned one or more groups from Active Directory. In fact, the setup ends here. After saving all the parameters, synchronization will be performed automatically.

Users created during authorization will by default use NTLM authorization, that is, authorization by domain login. This is a very convenient option, since the rules and the traffic accounting system will work regardless of which computer the user is currently sitting on.

True, to use this authorization method, additional software is required - a special client. This program works at the Winsock level and passes user authorization parameters to the Internet gateway. Its distribution kit is included in the UserGate Proxy & Firewall distribution package. You can quickly install the client on all workstations using Windows group policies.

By the way, NTLM authorization is far from the only method of authorizing company employees to work on the Internet. For example, if an organization practices a hard binding of workers to workstations, then you can use an IP address, a MAC address, or a combination of both to identify users. Using the same methods, you can organize access to the global network of various servers.

User control

One of the significant advantages of UGPF is the wide scope for user control. It is implemented using a system of traffic control rules. The principle of its work is very simple. The administrator (or other responsible person) creates a set of rules, each of which consists of one or more trigger conditions and the action to be taken. These rules are assigned to individual users or to entire groups and allow you to automatically control their work on the Internet. There are four possible actions in total. The first one is to close the connection. It allows you, for example, to prohibit the download of certain files, prevent visits to unwanted sites, and so on. The second action is to change the tariff. It is used in the billing system, which is integrated into the product under consideration (we do not consider it, since it is not particularly relevant for corporate networks). The next action allows you to disable the counting of traffic received within this connection. In this case, the transmitted information is not taken into account when summing up the daily, weekly and monthly consumption. And finally, the last action is to limit the speed to the specified value. It is very convenient to use it to prevent the "clogging" of the channel when downloading large files and to solve other similar problems.

There are many more conditions in traffic control rules: about ten. Some of these are relatively simple, such as the maximum file size. This rule will be triggered when users try to upload a file larger than the specified size. Other conditions are tied to time. In particular, among them one can note the schedule (triggered by time and days of the week) and holidays (triggered on specified days).

However, the most interesting are the conditions associated with sites and content. In particular, they can be used to block or set other actions on certain types of content (for example, video, audio, executable files, text, pictures, etc.), specific web projects or their entire categories (for this, Entensys URL Filtering technology is used, see sidebar).

It is noteworthy that one rule can contain several conditions at once. At the same time, the administrator can specify in which case it will be executed - if all conditions or any one of them are met. This allows you to create a very flexible policy for the use of the Internet by employees of the company, taking into account a large number of all sorts of nuances.

Firewall setup

An integral part of the UserGate NAT driver is a firewall, which handles various tasks related to processing network traffic. For configuration, special rules are used, which can be one of three types: network address translation, routing, and firewall. There can be any number of rules in the system. They are applied in the order in which they are listed in the general list. Therefore, if incoming traffic matches several rules, it will be processed by the one that is located above the others.

Each rule is characterized by three main parameters. The first is the traffic source. This can be one or more specific hosts, or the WAN or LAN interface of the Internet gateway. The second parameter is the traffic destination. The LAN or WAN interface or a dial-up connection can be specified here. The last main characteristic of a rule is one or more services to which it applies. A service in UserGate Proxy & Firewall is a pair consisting of a protocol family (TCP, UDP, ICMP, arbitrary protocol) and a network port (or a range of network ports). By default, the system already has an impressive set of pre-installed services, ranging from common ones (HTTP, HTTPS, DNS, ICQ) to specific ones (WebMoney, RAdmin, various online games, and so on). However, if necessary, the administrator can also create their own services, for example, one describing work with an online bank.


Also, each rule has an action that it performs with the traffic that matches the conditions. There are only two of them: allow or prohibit. In the first case, traffic passes freely along the specified route, and in the second case, it is blocked.

Network address translation rules use NAT technology. With their help, you can configure Internet access for workstations with local addresses. To do this, you need to create a rule specifying the LAN interface as the source and the WAN interface as the destination. Routing rules are applied if the solution in question will be used as a router between two local networks (it implements such a possibility). In this case, routing can be configured for bidirectional transparent traffic.

Firewall rules are used to process traffic that does not go to the proxy server, but directly to the Internet gateway. Immediately after installation, the system has one such rule that allows all network packets. In principle, if the created Internet gateway will not be used as a workstation, then the action of the rule can be changed from "Allow" to "Deny". In this case, any network activity will be blocked on the computer, except for transit NAT packets transmitted from the local network to the Internet and vice versa.
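Because the first matching rule wins, a rule added below the allow-all rule that exists after installation never takes effect. The following added example (not UserGate code) models the source / destination / service / action fields described above and reports such shadowed rules; the rule names, the outside address and the rules themselves are constructed, and port 2345 is the console port mentioned earlier.

```python
# Added example: first-match evaluation of an ordered rule list and a
# check for rules that can never fire. Rule names and the outside
# address are constructed; the field model follows the text above.
from dataclasses import dataclass

ANY = "Any"
ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # a host, "LAN", "WAN" or ANY
    destination: str   # "LAN", "WAN" or ANY
    protocol: str      # "TCP", "UDP", "ICMP" or ANY
    ports: range       # range(21, 22) is port 21 only
    action: str        # "Allow" or "Deny"


def _covers(broad, narrow):
    return broad == ANY or broad == narrow


def matches(rule, source, destination, protocol, port):
    return (_covers(rule.source, source)
            and _covers(rule.destination, destination)
            and _covers(rule.protocol, protocol)
            and port in rule.ports)


def decide(rules, source, destination, protocol, port):
    """Return (action, rule name) of the first matching rule, top down."""
    for rule in rules:
        if matches(rule, source, destination, protocol, port):
            return rule.action, rule.name
    return None, None  # no rule matched; what happens then is not modelled


def find_shadowed(rules):
    """List rules fully covered by a single rule placed above them.

    Returns (shadowed rule, covering rule, actions differ). Rules hidden
    only by a combination of several earlier rules are not detected.
    """
    found = []
    for i, low in enumerate(rules):
        for high in rules[:i]:
            if (_covers(high.source, low.source)
                    and _covers(high.destination, low.destination)
                    and _covers(high.protocol, low.protocol)
                    and high.ports.start <= low.ports.start
                    and low.ports.stop <= high.ports.stop):
                found.append((low.name, high.name, high.action != low.action))
                break
    return found


ALLOW_ALL = Rule("Allow all (present after installation)",
                 ANY, ANY, ANY, ALL_PORTS, "Allow")
DENY_CONSOLE = Rule("Deny admin console from outside",
                    ANY, "WAN", "TCP", range(2345, 2346), "Deny")
PUBLISH_FTP = Rule("Publish FTP server",
                   ANY, "WAN", "TCP", range(21, 22), "Allow")
DENY_ALL = Rule("Deny all", ANY, ANY, ANY, ALL_PORTS, "Deny")

APPENDED = [ALLOW_ALL, DENY_CONSOLE, PUBLISH_FTP]    # new rules added at the bottom
REORDERED = [DENY_CONSOLE, PUBLISH_FTP, ALLOW_ALL]   # specific rules first
DENY_ON_TOP = [DENY_ALL, PUBLISH_FTP]                # publication never works

if __name__ == "__main__":
    for label, rules in (("appended", APPENDED), ("reordered", REORDERED)):
        print(label, decide(rules, "203.0.113.7", "WAN", "TCP", 2345))
        for item in find_shadowed(rules):
            print("  shadowed:", item)
```

A shadowed rule whose action differs from the covering rule is the case to fix first, since the list then does the opposite of what the lower rule says.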

Firewall rules allow you to publish any local services on the global network: web servers, FTP servers, mail servers, and so on. Remote users can then connect to them via the Internet. As an example, consider publishing a corporate FTP server. To do this, the administrator must create a rule in which "Any" is selected as the source, the desired WAN interface is specified as the destination, and FTP is the service. After that, select the "Allow" action, enable traffic translation, and in the "Destination Address" field, specify the IP address of the local FTP server and its network port.

After this configuration, all incoming connections to the network cards of the Internet gateway on port 21 will be automatically redirected to the FTP server. By the way, during the setup process, you can choose not only the "native" service, but also any other one (or create your own). In this case, external users will have to connect not on port 21, but on a different port. This approach is very useful when the information system contains two or more services of the same type. For example, you can organize outside access to the corporate portal on the standard HTTP port 80, and access to UserGate web statistics on port 81.

External access to the internal mail server is configured in the same way.

An important distinguishing feature of the implemented firewall is its intrusion prevention system. It works fully automatically, detecting unauthorized attempts based on signatures and heuristic methods and neutralizing them by blocking unwanted traffic flows or dropping dangerous connections.

Summing up

In this review, we examined in sufficient detail the organization of joint access of company employees to the Internet. In modern conditions, this is not the easiest process, since you need to take into account a large number of different nuances. Moreover, both technical and organizational aspects are important, especially the control of user actions.

Having connected the Internet in the office, every boss wants to know what he pays for. Especially if the tariff is not unlimited, but according to traffic. There are several ways to solve the problems of traffic control and organization of access to the Internet on an enterprise scale. I will talk about the implementation of the UserGate proxy server to get statistics and control the bandwidth of the channel using my experience as an example.

I must say right away that I used the UserGate service (version 4.2.0.3459), but the access organization methods and technologies used are also used in other proxy servers. So the steps described here are generally suitable for other software solutions (for example, Kerio Winroute Firewall, or other proxies), with slight differences in the implementation details of the configuration interface.

I will describe the task set for me: there is a network of 20 machines, and there is an ADSL modem in the same subnet (alnim 512/512 kbps). It is required to limit the maximum speed for users and keep a record of traffic. The task is slightly complicated by the fact that access to the modem settings is closed by the provider (access is possible only through the terminal, but the provider has the password). The statistics page on the provider's website is not available (don't ask why, there is only one answer: the company has such a relationship with the provider).

We install UserGate and activate it. To organize access to the network, we will use NAT (Network Address Translation). For the technology to work, the machine where we install the UserGate server (service) must have two network cards (it may be possible to make NAT work on one network card by assigning it two IP addresses in different subnets).

So, the first stage of the setup is configuring the NAT driver (the driver from UserGate, installed during the main installation of the service). We need two network interfaces (read: network cards) on the server hardware (for me this was not a problem, because I deployed UserGate on a virtual machine, and there you can make "many" network cards).

Ideally, the modem itself is connected to one network card, and the entire network from which users will access the Internet to the second. In my case, the modem is installed in a different room from the server (physical machine), and I am too lazy and have no time to move equipment (and the organization of a server room looms in the near future). I connected both network adapters to the same network (physically), but configured them on different subnets. Since I can't change the modem settings (access is closed by the provider), I had to transfer all computers to a different subnet (fortunately, using DHCP, this is easily done).

The network card connected to the modem (the Internet) is set up as before (according to the data from the provider).

  • Assign a static IP address (in my case it is 192.168.0.5);
  • Subnet mask 255.255.255.0 - I did not change it, but it can be configured in such a way that there will be only two devices in the subnet: the proxy server and the modem;
  • Gateway - the modem address, 192.168.0.1;
  • The ISP's DNS server addresses (primary and secondary are required).

The second network card, connected to the internal network (intranet), is set up as follows:

  • A static IP address, but on a different subnet (I have 192.168.1.5);
  • Mask according to your network settings (I have 255.255.255.0);
  • Do not specify a gateway;
  • In the DNS server address field, enter the address of the company's DNS server (if there is one; if not, leave it blank).

Note: you need to make sure that the use of the NAT component from UserGate is checked in the network interface settings.

After configuring the network interfaces, start the UserGate service itself (don't forget to configure it to run as a service so that it starts automatically with system rights) and go to the management console (you can do it locally or remotely). Go to "Network Rules" and choose "NAT Setup Wizard"; you will need to specify your intranet and internet adapters. The intranet adapter is the one connected to the internal network. The wizard will configure the NAT driver.

After that, you need to understand the NAT rules, for which we go to "Network settings" - "NAT". Each rule has several fields and a status (active or inactive). The essence of the fields is simple:

  • Name - the name of the rule; I recommend giving it something meaningful (you do not need to write addresses and ports in this field, this information will be available in the list of rules anyway);
  • The receiver interface is your intranet interface (in my case 192.168.1.5);
  • The sender interface is your internet interface (on the same subnet as the modem, in my case 192.168.0.5);
  • Port - specify which port this rule applies to (for example, port 80 for a browser (HTTP), and port 110 for receiving mail). You can specify a range of ports if you don't want to mess around, but it's not recommended to do it on the whole range of ports;
  • Protocol - select one of the options from the drop-down menu: TCP (usually), UDP or ICMP (for example, for the operation of the ping or tracert commands).

Initially, the list of rules already contains the most used rules necessary for the operation of mail and various kinds of programs. But I added my own rules to the standard list: for DNS queries (without using the forwarding option in UserGate), for secure SSL connections, for the torrent client, for the Radmin program, and so on. Here are screenshots of my list of rules. The list is still small - but it expands over time (with the need to work on a new port).

The next step is to set up users. In my case, I chose authorization by IP address and MAC address. There are options for authorization only by IP address and by Active Directory credentials. You can also use HTTP authorization (users first enter the password through the browser each time). Create users and user groups and assign them the NAT rules to use (to give a user Internet access in the browser, we enable the HTTP rule with port 80 for them; to give them ICQ, the ICQ rule with port 5190).

Lastly, at the implementation stage, I configured the users to work through a proxy. For this I used the DHCP service. The following settings are sent to client machines:

  • IP address - dynamic from DHCP in the range of the intranet subnet (in my case, the range is 192.168.1.30 - 192.168.1.200. I set up an IP address reservation for the necessary machines).
  • Subnet mask (255.255.255.0)
  • Gateway - the address of the machine with UserGate in the local network (intranet address - 192.168.1.5)
  • DNS servers - I hand out 3 addresses. The first is the address of the enterprise's DNS server, the second and third are the provider's DNS addresses. (On the DNS of the enterprise, forwarding to the provider's DNS is configured, so in the event of a "fall" of the local DNS, Internet names will be resolved on the provider's DNS).

This completes the basic setup. What remains is to check that it works: on the client machine (after it has received the settings from DHCP or you have added them manually, in accordance with the recommendations above), launch a browser and open any page on the web. If something does not work, check the situation again:

  • Are the client's network adapter settings correct? (does the machine with the proxy server ping?)
  • Is the user/computer authorized on the proxy server? (see UserGate authorization methods)
  • Does the user/group have NAT rules enabled for it to work? (for the browser to work, you need at least HTTP rules for the TCP protocol on port 80).
  • Have the traffic limits for the user or group expired? (I did not enter this).
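The addressing described above (two adapters on different subnets, no gateway on the intranet adapter, DHCP handing out the UserGate intranet address as gateway) can be verified before touching any client. This is an added example using the addresses from the text; the dictionary layout and the function names are assumptions, not part of UserGate.

```python
# Added example: consistency check of the two-adapter addressing plan.
# The addresses are the ones given in the text; the structure is constructed.
import copy
import ipaddress

PLAN = {
    "internet_nic": {"ip": "192.168.0.5", "mask": "255.255.255.0",
                     "gateway": "192.168.0.1"},      # gateway = modem
    "intranet_nic": {"ip": "192.168.1.5", "mask": "255.255.255.0",
                     "gateway": None},               # no gateway here
    "dhcp": {"first": "192.168.1.30", "last": "192.168.1.200",
             "mask": "255.255.255.0", "gateway": "192.168.1.5"},
}


def _iface(ip, mask):
    return ipaddress.ip_interface(f"{ip}/{mask}")


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    wan = _iface(plan["internet_nic"]["ip"], plan["internet_nic"]["mask"])
    lan = _iface(plan["intranet_nic"]["ip"], plan["intranet_nic"]["mask"])

    # Both adapters may share one physical network, so the subnets
    # are the only thing separating clients from the modem.
    if wan.network.overlaps(lan.network):
        problems.append("adapter subnets overlap")

    modem = plan["internet_nic"]["gateway"]
    if (modem is None
            or ipaddress.ip_address(modem) not in wan.network
            or ipaddress.ip_address(modem) == wan.ip):
        problems.append("internet adapter gateway is not a modem address in its subnet")

    if plan["intranet_nic"]["gateway"] is not None:
        problems.append("intranet adapter must not have a gateway")

    dhcp = plan["dhcp"]
    first = ipaddress.ip_address(dhcp["first"])
    last = ipaddress.ip_address(dhcp["last"])
    if first > last or first not in lan.network or last not in lan.network:
        problems.append("DHCP range is not inside the intranet subnet")
    elif first <= lan.ip <= last:
        problems.append("DHCP range contains the UserGate intranet address")

    if _iface(dhcp["first"], dhcp["mask"]).netmask != lan.netmask:
        problems.append("DHCP subnet mask differs from the intranet adapter")

    if ipaddress.ip_address(dhcp["gateway"]) != lan.ip:
        problems.append("DHCP gateway is not the UserGate intranet address")
    return problems


def with_change(plan, section, key, value):
    """Return a copy of the plan with one setting changed."""
    changed = copy.deepcopy(plan)
    changed[section][key] = value
    return changed


if __name__ == "__main__":
    print(check_plan(PLAN))
    print(check_plan(with_change(PLAN, "dhcp", "gateway", "192.168.0.1")))
```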

Now you can observe the connected users and the NAT rules they use in the "Monitoring" item of the proxy server management console.

Further proxy settings are fine-tuning for specific requirements. The first thing I did was enable the bandwidth limit in the user properties (later you can implement a system of rules to limit the speed) and enable additional UserGate services - a proxy server (HTTP on port 8080, SOCKS5 on port 1080). Enabling proxy services allows you to use query caching. But it is necessary to carry out additional configuration of clients to work with a proxy server.

Still have questions? I suggest asking them right here.

________________________________________

After connecting the local network to the Internet, it makes sense to set up a traffic accounting system, and the UserGate program will help us with this. UserGate is a proxy server and allows you to control the access of computers from the local network to the Internet.

But first, let's remember how we previously set up the network in the video course "Creating and configuring a local network between Windows 7 and WindowsXP", and how we gave all computers access to the Internet through one communication channel. Schematically, it can be represented as follows: there are four computers that we have combined into a peer-to-peer network. We chose the workstation work-station-4-7, running Windows 7, as the gateway, i.e. we connected an additional network card with Internet access and allowed other computers on the network to access the Internet through this network connection. The remaining three machines are Internet clients, and they use the IP address of the computer distributing the Internet as their gateway and DNS. Well, now let's deal with the issue of controlling access to the Internet.

Installing UserGate does not differ from installing a regular program. After installation the system asks to reboot, so we reboot. After the reboot, first of all, let's try to access the Internet from the computer on which UserGate is installed: it works, but not from the other computers. So the proxy server has started working and by default prohibits everyone from accessing the Internet, and you need to configure it.

Launch the admin console (Start \ Programs \ UserGate \ Admin console). The console opens on the Connections tab. If we try to open any of the tabs on the left, a message is displayed (UserGate Admin Console is not connected to the UserGate Server), which is why the Connections tab opens at startup: we first have to connect to the UserGate server.

So, the default Server Name is local; User is Administrator; Server is localhost, i.e. the server part is located on this computer; Port is 2345.

Double-click this entry to connect to the UserGate service. If the connection fails, check whether the service is running (Ctrl+Alt+Esc \ Services \ UserGate).

On the first connection, the UserGate Setup Wizard launches. Press No, as we will configure everything manually so that it is clearer what to look for and where. First of all, go to the UserGate Server \ Interfaces tab; here we indicate which network card looks at the Internet (192.168.137.2 - WAN) and which one at the local network (192.168.0.4 - LAN).

Next, go to Users and Groups \ Users. There is only one user here: the machine on which the UserGate server is running, called Default. Let's add all the users who will access the Internet; I have three of them:

Workstation-1-xp - 192.168.0.1

Workstation-2-xp - 192.168.0.2

Work-station-3-7 - 192.168.0.3

We leave the group and the tariff plan at their defaults. For the authorization type I will use the IP address, since my addresses are assigned manually and do not change.

Now let's configure the proxy itself. Go to Services \ Proxy settings \ HTTP; here we select the IP address that we specified as the gateway on the client machines (192.168.0.4 in my case) and also check the transparent mode box, so as not to enter the proxy server address in browsers manually. In this case the browser will look at which gateway is specified in the network connection settings and will send requests to it.

"UserGate Proxy & Firewall v.6 Administrator's Guide Contents Introduction About the program System requirements Installing UserGate Proxy & Firewall Registration Updating..."


UserGate Proxy & Firewall v.6

Admin Guide

Introduction

About the program

System requirements

Installing UserGate Proxy & Firewall

Registration

Update and removal

UserGate Proxy & Firewall Licensing Policy

Administration Console

Connection setup

Setting a connection password

UserGate Administrator Authentication

Setting a password for access to the UserGate statistics database



General NAT (Network Address Translation) settings

General settings

Interface setup

Traffic counting in UserGate

Backup channel support

Users and groups

Synchronization with Active Directory

Personal user statistics page

Terminal user support

Setting up services in UserGate

Configuring DHCP

Setting up proxy services in UserGate

Support for IP telephony protocols (SIP, H323)

SIP Registrar mode support

H323 protocol support

Mail proxies in UserGate

Using transparent mode

Cascading proxies

Port Assignment

Cache settings

Antivirus check

Scheduler in UserGate

DNS setting

Setting up a VPN server

Setting up an intrusion detection system (IDS)

Setting alerts

Firewall in UserGate

How a firewall works

Firewall event logging

Network Address Translation (NAT) Rules

Working with multiple providers

Automatic outgoing interface selection

www.usergate.ru

Publishing network resources

Setting up filtering rules

Routing Support

Speed limit in UserGate

Application control

Cache Explorer in UserGate

Traffic management in UserGate

Traffic rules system

Restricting access to Internet resources

Entensys URL Filtering

Setting a traffic consumption limit

File size limit

Filtering by Content-type

Billing system

Internet access billing

Periodic events

Dynamic tariff switching

Remote administration UserGate

Setting up a remote connection

Remote restart of the UserGate server

Checking the availability of a new version

UserGate web statistics

Evaluating the effectiveness of traffic control rules

Evaluation of the effectiveness of the antivirus

SIP usage statistics

Appendix

UserGate Integrity Control

Startup check

Debug information output

Getting technical support


Introduction

A proxy server is a set of programs that acts as an intermediary (from the English "proxy" - "intermediary") between user workstations and other network services.

The solution passes all user requests to the Internet and, having received a response, sends it back. If the caching function is available, the proxy server remembers the external resources that workstations request, and if a request is repeated, it returns the resource from its own memory, which significantly reduces the request time.

In some cases, a client request or server response may be modified or blocked by a proxy server to perform certain tasks, such as preventing viruses from infecting workstations.

About the program

UserGate Proxy & Firewall is a comprehensive solution for connecting users to the Internet, providing full traffic accounting, access control and built-in network protection.

UserGate lets you bill users for Internet access, both by traffic and by time spent online. The administrator can add various tariff plans, dynamically switch tariffs, automate the withdrawal / accrual of funds and regulate access to Internet resources. The built-in firewall and anti-virus module protect the UserGate server and check the traffic passing through it for malicious code. You can use the built-in VPN server and client to securely connect to your organization's network.



UserGate consists of several parts: server, administration console (UserGateAdministrator) and several additional modules. The UserGate server (usergate.exe process) is the main part of the proxy server, which implements all of its functionality.

The UserGate server provides access to the Internet, performs traffic counting, maintains statistics on user activity on the network, and performs many other tasks.

The UserGate Administration Console is a program designed to manage the UserGate server. The UserGate administration console communicates with the server part via a special secure protocol over TCP/IP, which allows remote server administration.

UserGate includes three additional modules: "Web Statistics", "Authorization Client" and "Application Control" module.

www.entensys.ru

System Requirements

It is recommended to install the UserGate server on a computer running Windows XP/2003/7/8/2008/2008R2/2012 and connected to the Internet via a modem or any other connection. Server hardware requirements:


Installing UserGate Proxy & Firewall

The UserGate installation procedure comes down to launching the installation file and selecting the options of the installation wizard. When installing the solution for the first time, it is enough to leave the default options. After installation is complete, you will need to restart your computer.

Registration

To register the program, start the UserGate server, connect the administration console to the server, and select the menu item "Help" - "Register product". When you connect the administration console for the first time, a registration dialog appears with two available options: a request for a demo key and a request for a full-featured key. The key request is performed online (HTTPS protocol), by accessing the usergate.ru website.

When requesting a full-featured key, you need to enter a special PIN code, which is issued upon purchase of UserGate Proxy & Firewall or by the support service for testing. In addition, when registering, you will need to enter additional personal information (username, email address, country, region). Personal data is used solely to bind the license to the user and is not distributed in any way. After receiving the full or demo key, the UserGate server will be automatically restarted.


Important! In demo mode, the UserGate Proxy & Firewall server will work for 30 days. When contacting Entensys, you can request a special PIN code for advanced testing. For example, you can request a demo key for three months. It is not possible to re-obtain a trial license without entering a special extended PIN code.

Important! When UserGate Proxy & Firewall is running, the status of the registration key is periodically checked. For correct operation of UserGate, it is necessary to allow access to the Internet via the HTTPS protocol. This is required to check the status of the key online. If the key verification fails three times, the license for the proxy server will be reset and the program registration dialog will appear. The program implements a counter for the maximum number of activations, which is 10 times. After exceeding this limit, you will be able to activate the product with your key only after contacting the support service at: http://entensys.ru/support.

Update and removal

The new version, UserGate Proxy & Firewall v.6, can be installed over previous versions of the fifth family. In this case, the installation wizard will offer to save or overwrite the config.cfg server settings file and the log.mdb statistics file. Both files are located in the directory where UserGate is installed (hereinafter referred to as “%UserGate%”). The UserGate v.6 server supports the UserGate v.4,5 settings format, so when the server is first started, the settings will be converted to the new format automatically.

Backwards compatibility of settings is not supported.

Attention! For the statistics file, only the transfer of current user balances is supported, traffic statistics itself will not be transferred.

The database changes were caused by performance issues with the old one and limits on its size. The new Firebird database does not have these drawbacks.

Uninstalling the UserGate server is done through the corresponding Start menu item Programs or through the Add/Remove Programs (Programs and Features in Windows 7/2008/2012) item in the Windows Control Panel. After uninstalling UserGate, some files will remain in the installation directory of the program, unless the delete all option has been set.

UserGate Proxy & Firewall Licensing Policy

The UserGate server is designed to provide Internet access to LAN users. The maximum number of users who can simultaneously work on the Internet through UserGate is indicated by the number of "sessions" and is determined by the registration key.

The UserGate v.6 registration key is unique and does not match previous versions of UserGate. In the demo period, the solution works for 30 days with a limit of five sessions. The concept of "session" should not be confused with the number of Internet applications or connections that a user launches. The number of connections from one user can be anything, unless it is specifically limited.


The anti-virus modules built into UserGate (from Kaspersky Lab, Panda Security and Avira), as well as the Entensys URL Filtering module, are licensed separately. In the demo version of UserGate, built-in modules can work for 30 days.

The Entensys URL Filtering module, designed to work with categories of sites, provides the ability to work in demo mode for a period of 30 days. When purchasing UserGate Proxy & Firewall with a filtering module, the Entensys URL Filtering license is valid for one year. When the subscription expires, resource filtering through the module will stop.


Administration Console

The Administration Console is an application designed to manage a local or remote UserGate server. To use the administration console, you must start the UserGate server by selecting the Start UserGate server item in the context menu of the UserGate agent (the icon in the system tray, hereinafter the "agent"). You can start the administration console through the context menu of the agent or through the Start - Programs menu item if the administration console is installed on another computer. To work with settings, you need to connect the administration console to the server.

Data exchange between the administration console and the UserGate server is performed using the SSL protocol. When the connection is initialized (SSL handshake), one-way authentication is performed: the UserGate server sends the administration console its certificate, which is located in the %UserGate%\ssl directory. No certificate or password is required from the administration console to establish the connection.

Configuring Connections

On first launch, the administration console opens to the Connections page, which has a single connection to the localhost server for the Administrator user. The connection password has not been set. You can connect the administration console to the server by double-clicking on the localhost-administrator line or by clicking the Connect button on the control panel. You can create multiple connections in the UserGate administration console. Connection settings include the following options:

Server name – the name of the connection;

Username – login to connect to the server;

Server address – domain name or IP address of the UserGate server;

Port – TCP port used to connect to the server (port 2345 is used by default);

Password – password for connection;

Ask for password when connecting – this option allows you to display a dialog for entering a username and password when connecting to the server;

Automatically connect to this server – the administration console will automatically connect to this server at startup.

Administration console settings are stored in the console.xml file located in the %UserGate%\Administrator\ directory. On the UserGate server side, the username and the md5 hash of the connection password are stored in the config.cfg file located in the %UserGate_data% directory, where %UserGate_data% is C:\Documents and Settings\All Users\Application Data\Entensys\UserGate6 on Windows XP and C:\Documents and Settings\All Users\Entensys\UserGate6 on Windows 7/2008.

Setting a connection password

You can create a login and password to connect to the UserGate server on the General settings page in the Admin Settings section. In the same section, you can specify the TCP port for connecting to the server. For the new settings to take effect, you must restart the UserGate server (the Restart UserGate server item in the agent menu). After restarting the server, the new settings must also be specified in the connection settings in the administration console. Otherwise, the administrator will not be able to connect to the server.

Attention! In order to avoid problems with the functionality of the UserGate administration console, it is not recommended to change these settings!

Authentication of the UserGate administrator

To successfully connect the administration console to the UserGate server, the administrator must pass the authentication procedure on the server side.

Administrator authentication is performed after an SSL connection of the administration console to the UserGate server is established. The console sends the login and md5 hash of the administrator password to the server. The UserGate server compares the received data with what is specified in the config.cfg settings file.

Authentication is considered successful if the data received from the administration console matches what is specified in the server settings. If authentication fails, the UserGate server terminates the SSL connection with the administration console. The result of the authentication procedure is logged in the usergate.log file located in the %UserGate_data%\logging\ directory.

Setting a password for access to the UserGate statistics database

User statistics (traffic, visited resources, etc.) are recorded by the UserGate server in a special database. The database is accessed directly (for the built-in Firebird database) or through the ODBC driver, which allows the UserGate server to work with databases of almost any format (MSAccess, MSSQL, MySQL). By default, the Firebird database is used - %UserGate_data%\usergate.fdb. Login and password to access the database - SYSDBA\masterkey. You can set a different password through the "General settings" - "Database settings" item of the administration console.

NAT (Network Address Translation) General Settings

The NAT General Settings item allows you to set the timeout value for NAT connections via the TCP, UDP or ICMP protocols. The timeout value determines the lifetime of a user connection through NAT once data transfer over the connection is completed. The Output debug logs option is intended for debugging and allows you, if necessary, to enable advanced message logging in the UserGate NAT driver.

The attack detector is a special option that enables the internal mechanism for detecting and blocking port scanning or attempts to occupy all of the server's ports. This module works in automatic mode; events are written to the %UserGate_data%\logging\fw.log file.

Attention! The settings of this module can be changed through the configuration file config.cfg, section options.

General settings

Block by browser string - a list of browser User-Agent strings that can be blocked by the proxy server. That is, you can, for example, prevent old browsers such as IE 6.0 or Firefox 3.x from accessing the Internet.

Configuring interfaces

The Interfaces section (Fig. 1) is the main one in the UserGate server settings, since it determines the correctness of traffic counting, the ability to create firewall rules, the limiting of Internet channel bandwidth for a certain type of traffic, the relationships between networks and the order in which packets are processed by the NAT (Network Address Translation) driver.

Figure 1. Configuring server interfaces

The Interfaces section lists all available network interfaces of the server on which UserGate is installed, including Dial-Up (VPN, PPPoE) connections.

For each network adapter, the UserGate administrator must specify its type. So, for an adapter connected to the Internet, you should select the WAN type, for an adapter connected to a local network, select the LAN type.

You cannot change the type of Dial-Up (VPN, PPPoE) connection. For such connections, the UserGate server will automatically set the PPP interface type.

You can specify the username and password for the Dial-Up (VPN) connection by double-clicking on the corresponding interface. The interface at the top of the list is the main Internet connection.

Traffic counting in UserGate

Traffic passing through the UserGate server is recorded against the local network user who initiated the connection, or against the UserGate server if the server initiated the connection. A special user is provided for server traffic in UserGate statistics - UserGate Server. The UserGate Server user's account is charged with the traffic for updating anti-virus databases for the built-in modules of Kaspersky Lab, Panda Security and Avira, as well as name resolution traffic via DNS forwarding.

Traffic is taken into account in full, together with service headers.

Additionally, the ability to take into account Ethernet headers has been added.

If the types of server network adapters (LAN or WAN) are correctly specified, traffic in the direction "local network - UserGate server" (for example, access to shared network resources on the server) is not taken into account.

Important! The presence of third-party programs - firewalls or antiviruses (with the function of checking traffic) - can significantly affect the correct calculation of traffic in UserGate. It is not recommended to install third-party network programs on a computer with UserGate!

Backup channel support

The interfaces page contains the backup channel setting. By clicking on the Setup Wizard button, you can select the interface that will be used as a backup channel. On the second page you select the hosts that the proxy server will check for Internet connectivity. At the specified interval, the solution checks the availability of these hosts with an ICMP Echo-request. If a response returns from at least one of the given hosts, the connection is considered active. If no response is received from any host, the connection is considered inactive, and the main gateway in the system is changed to the gateway of the backup channel. If NAT rules were created with the special Masquerade interface specified as the external interface, such rules will be recreated in accordance with the current routing table. The created NAT rules will start working through the backup channel.

Figure 2. Backup channel configuration wizard

As a backup connection, the UserGate server can use both an Ethernet connection (dedicated channel, WAN interface) and a Dial-Up (VPN, PPPoE) connection (PPP interface). After switching to the backup Internet connection, the UserGate server will periodically check the availability of the main channel. If the main channel is restored, the program will switch users back to the main Internet connection.




Users and groups

To provide access to the Internet, you need to create users in UserGate. For convenience of administration, users can be combined into groups by territory or by access level. Logically, it is most correct to combine users into groups according to access levels, since in this case it is much easier to work with traffic control rules. By default, UserGate has only one group - default.

You can create a new user through the Add new user item or by clicking the Add button in the control panel on the Users and groups page. There is another way to add users - scanning the network with ARP requests. You need to click on an empty space in the admin console on the users page and select Scan the local network. Next, set the parameters of the local network and wait for the scan results. As a result, you will see a list of users that can be added to UserGate. Mandatory user parameters (Fig. 3) are the name, authorization type, authorization parameter (IP address, login and password, etc.), group and tariff. By default, all users belong to the default group. The username in UserGate must be unique. Additionally, in the user properties, you can define the level of user access to web statistics, set the internal phone number for H323, limit the number of connections for the user, enable NAT rules, traffic control rules, or rules for the Application Control module.

Figure 3. User profile in UserGate

A user in UserGate inherits all the properties of the group to which he belongs, except for the tariff, which can be overridden.

The tariff specified in the user's properties will apply to the tariffication of all user connections. If Internet access is not charged, you can use an empty tariff called “default”.


Synchronization with Active Directory

User groups in UserGate can be synchronized with Active Directory groups. To use synchronization with Active Directory, a machine with UserGate Proxy & Firewall does not have to be a member of a domain.

Synchronization is set up in two steps. At the first stage, on the "Groups" page of the UserGate administrator console (Fig. 4), enable the Synchronization with AD option and specify the following parameters:

domain name;

IP address of the domain controller;

login and password for accessing Active Directory (a username in the UPN – User Principal Name format is allowed);

synchronization period (in seconds);

option "sync groups with AD" and select one or more groups from Active Directory.

During synchronization, users from Active Directory belonging to the selected Active Directory groups will be placed into UserGate groups. The type of authorization for imported users will be “HTTP (NTLM)”. The state of an imported user (enabled/disabled) is controlled by the state of the corresponding account in the Active Directory domain.

Figure 4. Setting up synchronization with Active Directory

Important! For synchronization, you need to ensure that the LDAP protocol can pass between the UserGate server and the domain controller.

User's personal statistics page

Each user in UserGate has the opportunity to view the statistics page. The personal statistics page can be accessed at http://192.168.0.1:8080/statistics.html, where, for example, 192.168.0.1 is the local address of the UserGate machine, and 8080 is the port on which the UserGate HTTP proxy server is running. The user can view his personal extended statistics by logging in at http://192.168.0.1:8081.

Attention! In version 6.x, the listening interface 127.0.0.1:8080 was added, which is needed for web statistics to work when the UserGate HTTP proxy server is disabled. In this regard, port 8080 on interface 127.0.0.1 will always be occupied by UserGate Proxy & Firewall while the usergate.exe process is running.

By IP address;

By IP range;

By IP+MAC address;

By MAC address;

Authorization via HTTP (HTTP-basic, NTLM);

Authorization via login and password (Authorization Client);

Simplified version of authorization via Active Directory.

To use the last three authorization methods, a special application, the UserGate authorization client, must be installed on the user's workstation. The corresponding MSI package (AuthClientInstall.msi) is located in the %UserGate%\tools directory and can be used for automatic installation through group policy in Active Directory.

The administrative template for installing the authorization client using Active Directory Group Policy is also located in the %UserGate%\tools directory. On the site http://usergate.ru/support there is a video instruction for deploying the authorization client through group policy.

If the UserGate server is installed on a computer that is not included in the Active Directory domain, it is recommended to use a simplified authorization option through Active Directory. In this case, the UserGate server will compare the login and domain name received from the authorization client with the corresponding fields specified in the user profile without contacting the domain controller.

Support for terminal users

To authorize terminal users on the UserGate proxy server, starting from version 6.5 a special software module called the "Terminal Authorization Agent" is provided. The distribution kit of the Terminal Agent program is located in the %UserGate%\tools folder and is called TerminalServerAgent*.msi. For 32-bit systems, take the version “TerminalServerAgent32.msi”, and for 64-bit systems, “TerminalServerAgent64.msi”. The program consists of an agent that periodically, once every 90 seconds, sends authorization information about all clients of the terminal server to the proxy server, and a driver that provides port substitution for each terminal client. The combination of the user information and the ports associated with the user allows the proxy server to accurately identify terminal server users and apply various traffic control policies to them.

When installing a terminal agent, you will be asked to specify the IP address of the proxy server and the number of users. This is necessary for optimal use of free TCP\UDP ports of the terminal server.

After the terminal server agent is installed, it makes a request to the proxy server, and if everything goes well, three users are created on the server with the "AD login-password" authorization and the "NT AUTHORITY\*" login.

If you have such users in the console, then your terminal agent is ready to work.

The first way (synchronization with the Active Directory domain):

In the administrator console, on the page of user groups in the properties of the "synchronization with AD" option, you must specify the correct parameters for authorization with AD.

Then you need to create a new user group and specify in it which user group in AD should be synchronized with the current group on the proxy server. Your users will then be added to this local UserGate Proxy user group. This completes the proxy server setup. After that, log in to the terminal server as an AD user, and the user will automatically be authorized on the proxy server without having to enter a login and password. Terminal server users can be managed as normal proxy server users with authorization by IP address. That is, different NAT rules and/or traffic control rules can be applied to them.

The second way (importing users from an Active Directory domain):

Use the import of users from AD. It is started with the "Import" button on the users page of the UserGate administrator console.

You need to import users from AD into a specific local group on the proxy server. After that, all imported users who will request access to the Internet from the terminal server will have access to the Internet with the rights defined on the UserGate proxy server.

The third way (using local terminal server accounts):

This method is convenient for testing the operation of a terminal agent or for cases where the terminal server is not located in an Active Directory domain. In this case, you need to create a new user with the authorization type "Login domain-AD", and specify the name of the terminal server computer as the "domain address" and the name of the user who will log in to the terminal server as the login. All users created on the proxy server in this way will access the Internet from the terminal server with the rights defined on the UserGate proxy server.

It should be understood that there are some limitations of the terminal agent:

Protocols other than TCP\UDP cannot be passed from the terminal server to the Internet. For example, it will not be possible to launch PING from this server anywhere on the Internet through NAT.

The maximum number of users on a terminal server cannot exceed 220, while each user will be allocated no more than 200 ports for TCP\UDP protocols.

When restarting the UserGate proxy server, the terminal agent will not release anyone to the Internet until the first synchronization with the UserGate proxy server (up to 90 seconds).
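How port-based attribution of terminal users behaves under the limitations listed above, as an added illustration that is not UserGate code. The limits of 220 users and 200 ports per user come from the text; `BASE_PORT`, the contiguous block layout and the class names are assumptions.

```javascript
// Added illustration, not UserGate code. The limits (220 users, 200 ports per
// user) and the TCP/UDP-only rule come from the text above; BASE_PORT and the
// contiguous block layout are assumptions.
const MAX_USERS = 220;
const PORTS_PER_USER = 200;
const BASE_PORT = 10000; // assumption: first port handed out by the agent

// Terminal server side: the agent gives every logged-in user one port block,
// and the driver rewrites that user's source ports into the block.
class TerminalAgent {
  constructor() {
    this.slots = new Array(MAX_USERS).fill(null); // slot index -> login
  }
  assign(login) {
    let slot = this.slots.indexOf(login); // a returning user keeps the block
    if (slot === -1) slot = this.slots.indexOf(null);
    if (slot === -1) throw new RangeError("terminal user limit reached");
    this.slots[slot] = login;
    const first = BASE_PORT + slot * PORTS_PER_USER;
    return { login, first, last: first + PORTS_PER_USER - 1 };
  }
  release(login) {
    const slot = this.slots.indexOf(login);
    if (slot !== -1) this.slots[slot] = null;
  }
  // What the agent reports to the proxy on each periodic synchronization.
  snapshot() {
    return this.slots.slice();
  }
}

// Proxy side: attribute a connection arriving from the terminal server's
// single IP address to a user by its source port.
class ProxyView {
  constructor() {
    this.slots = null; // null until the first synchronization arrives
  }
  sync(snapshot) {
    this.slots = snapshot.slice();
  }
  identify(protocol, sourcePort) {
    if (protocol !== "tcp" && protocol !== "udp") return null; // e.g. ICMP
    if (this.slots === null) return null; // restarted, not yet synchronized
    const offset = sourcePort - BASE_PORT;
    if (!Number.isInteger(offset) || offset < 0) return null;
    const slot = Math.floor(offset / PORTS_PER_USER);
    return slot < MAX_USERS ? this.slots[slot] : null;
  }
}
```

A `null` result means the connection cannot be attributed to anyone and no user policy applies to it. The proxy also keeps attributing a released block to its former user until the next synchronization, so per-user rules and statistics lag session changes by up to one sync interval.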

HTTP authorization when working through a transparent proxy

UserGate v.6 adds the possibility of HTTP authorization for a proxy server operating in transparent mode. If the browser on the user's workstation is not configured to use a proxy server, and the HTTP proxy in UserGate is enabled in transparent mode, then a request from an unauthorized user will be redirected to the authorization page, which requires a login and password.

After authorization, this page does not need to be closed. The authorization page is periodically refreshed by a special script, keeping the user session active. In this mode, the user will have access to all UserGate services, including the ability to work through NAT. To end the user session, click Logout on the authorization page or simply close the authorization tab; after 30-60 seconds the authorization on the proxy server will disappear.

allow NetBIOSNameRequest (UDP:137) packets to pass between the UserGate server and the domain controller;

ensure NetBIOSSessionRequest (TCP:139) packets pass between the UserGate server and the domain controller;

set the address and port of the UserGate HTTP proxy in the browser on the user's machine.

Important! To use NTLM authorization, the machine with UserGate installed does not have to be a member of an Active Directory domain.

Using the Authorization Client

The UserGate authorization client is a network application operating at the Winsock level that connects to the UserGate server on a specific UDP port (port 5456 is used by default) and passes user authorization parameters: authorization type, login, password, etc.

When first launched, the UserGate authorization client looks in the HKCU\Software\Policies\Entensys\Authclient branch of the system registry. The settings obtained through the group policy of the Active Directory domain can be located here. If the settings in the system registry are not found, the address of the UserGate server will have to be specified manually on the third tab from the top in the authorization client. After specifying the server address, click the Apply button and go to the second tab. This page specifies the user authorization parameters. Authorization client settings are stored in the HKCU\Software\Entensys\Authclient key in the system registry. The authorization client service log is stored in the Documents and Settings\%USER%\Application data\UserGate Client folder.

Additionally, a link to the user's personal statistics page has been added in the authorization client. You can change the appearance of the authorization client by editing the corresponding template in the form of *.xml file located in the directory where the client is installed.


Configuring services in UserGate

Configuring DHCP

The DHCP (Dynamic Host Configuration Protocol) service automates the process of issuing network settings to clients on the local network. In a network with a DHCP server, each network device can be dynamically assigned an IP address, gateway address, DNS, WINS server, and so on.

You can enable the DHCP server through "Services" - "DHCP server" - "Add interface" in the UserGate administration console or by clicking the Add button in the control panel. In the dialog that appears, select the network interface on which the DHCP server will run. In the minimum configuration for the DHCP server, it is enough to set the following parameters: the IP address range (address pool) from which the server will issue addresses to clients on the local network, the netmask and the lease time.

The maximum pool size in UserGate cannot exceed 4000 addresses. If necessary, one or more IP addresses can be excluded from the selected address pool (Exclusions button). You can assign a permanent IP address to a specific device on the network by creating an appropriate binding in the Reservations section. The constancy of the IP address when renewing or obtaining a lease is ensured by binding (Reservation) to the MAC address of the network device. To create a binding, you just need to specify the IP address of the device. The MAC address will be determined automatically by clicking on the appropriate button.

Figure 6. Configuring the UserGate DHCP server

The DHCP server in UserGate supports importing Windows DHCP server settings. The Windows DHCP settings must first be saved to a file. To do this, on the server where Windows DHCP is installed, open a command prompt (Start → Run, type cmd and press Enter) and in the window that appears, run the command: netsh dhcp server IP dump > filename, where IP is the IP address of your DHCP server. The settings are imported from the file through the corresponding button on the first page of the DHCP server configuration wizard.

The issued IP addresses are displayed in the lower half of the administration console window (Figure 8) along with information about the client (computer name, MAC address), start and end times of the lease. By selecting the issued IP address, you can add a user to UserGate, create a binding by MAC address, or release an IP address.

Figure 7. Deleting issued addresses

The released IP address will be placed in the pool of free addresses of the DHCP server after some time. An IP address release operation may be required if the computer that previously requested an address from the UserGate DHCP server is no longer present on the network or has changed its MAC address.

The DHCP server can also answer client requests for the "wpad.dat" file. To use this method of delivering proxy server settings, edit the template file located at "C:\program files\entensys\usergate6\wwwroot\wpad.dat".

This method of obtaining proxy server settings is described in more detail on Wikipedia.
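A wpad.dat file is a JavaScript proxy auto-config script whose FindProxyForURL function the browser calls for every request. The script below is an added illustration, not the template shipped with UserGate: the proxy address 192.168.0.1, the internal suffix corp.example and the 192.168.0.x LAN range are assumptions, while 8080 is UserGate's default HTTP proxy port.

```javascript
// Added example: a wpad.dat (proxy auto-config) script for clients behind
// a UserGate HTTP proxy. Not the template shipped with UserGate.
// ASSUMPTIONS: proxy LAN address 192.168.0.1, internal DNS suffix
// ".corp.example", LAN range 192.168.0.x. Port 8080 is the default
// HTTP proxy port named in the text.
var PROXY = "PROXY 192.168.0.1:8080";
var INTERNAL_SUFFIX = ".corp.example";
var LAN_PREFIX = "192.168.0.";

// True only for a dotted-quad IPv4 literal with every octet in 0..255.
function isIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (parseInt(m[i], 10) > 255) return false;
  }
  return true;
}

// Normalise case and a trailing root dot so "Intranet." and "intranet"
// are treated the same way.
function normaliseHost(host) {
  host = String(host).toLowerCase();
  if (host.charAt(host.length - 1) === ".") host = host.slice(0, -1);
  return host;
}

// Hosts that must never be sent to the proxy.
function isLocalDestination(host) {
  if (host === "localhost" || host === "127.0.0.1") return true;
  if (host.indexOf(".") === -1) return true;           // single-label name
  if (host === INTERNAL_SUFFIX.slice(1)) return true;  // the domain itself
  // The leading dot in the suffix forces a label boundary, so
  // "notcorp.example" is not mistaken for an internal host.
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  // Prefix test only on real IP literals: "192.168.0.1.example.org"
  // is a public name and must still go through the proxy.
  if (isIPv4Literal(host) && host.indexOf(LAN_PREFIX) === 0) return true;
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isLocalDestination(normaliseHost(host))) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of bypassing the gateway's filtering and accounting.
  return PROXY;
}
```

The script uses only string tests, so evaluating it triggers no DNS lookups on the client.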

Configuring proxy services in UserGate

The following proxy servers are integrated into the UserGate server: HTTP (with support for "FTP over HTTP" and for HTTPS via the CONNECT method), FTP, SOCKS4, SOCKS5, POP3 and SMTP, SIP and H323. The proxy server settings are available under Services → Proxy settings in the administration console. The main proxy server settings include the interface (Fig. 9) and the port number on which the proxy is running.

Figure 8. Basic proxy server settings

By default, only the HTTP proxy is enabled in UserGate; it listens on TCP port 8080 on all available network interfaces of the server.

To configure the client's browser to work through a proxy server, it is enough to specify the address and port of the proxy in the corresponding settings item. In Internet Explorer, proxy settings are specified under Tools → Internet Options → Connection → LAN Settings. When working through an HTTP proxy, you do not need to specify the gateway and DNS in the TCP/IP network connection properties on the user's workstation, since the HTTP proxy itself will resolve the names.

For each proxy server, a cascading mode to an upstream proxy server is available.

Important! The port specified in the proxy server settings is automatically opened in the UserGate firewall. Therefore, from a security point of view, it is recommended to specify only the server's local network interfaces in the proxy settings.

Important! For more information about the settings of various browsers for a proxy server, see a special article in the Entensys knowledge base.

Support for IP telephony protocols (SIP, H323)

UserGate implements the SIP Registrar stateful proxy function. The SIP proxy is enabled under Services → Proxy settings and always works in transparent mode, listening on ports 5060 TCP and 5060 UDP. When a SIP proxy is used, the Sessions page of the administration console displays information about the state of the active connection (registration, ringing, waiting, etc.), as well as information about the user name (or number), call duration, and the number of transmitted/received bytes. This information will also be recorded in the UserGate statistics database.

To use the UserGate SIP proxy, specify the IP address of the UserGate server as the default gateway in the TCP/IP properties on the user's workstation, and be sure to specify the address of the DNS server.

Let's illustrate the configuration of the client part using the SJPhone softphone and the Sipnet provider as an example. Launch SJPhone, select Options from the context menu and create a new profile. Enter the name of the profile (Fig. 10), for example, sipnet.ru. Set the profile type to Call through SIP-Proxy.

Figure 9. Creating a new profile in SJPhone

In the Profile Options dialog box, you need to specify the proxy server address of your VoIP provider.

When you close the dialog, you will need to enter data for authorization on the server of your VoIP provider (username and password).

Figure 10. SJPhone profile settings

Attention! If, when you enable the SIP proxy, your voice traffic does not pass in one direction or the other, then you need to either use a STUN proxy server or let traffic through NAT on all ports (ANY:FULL) for the necessary users. If you enable the NAT rule on all ports, the SIP proxy server will need to be disabled!

Support for SIP Registrar mode

The SIP Registrar function allows using UserGate as a software PBX (Automatic Telephone Exchange) for a local network.

The SIP Registrar function works simultaneously with the SIP Proxy function. To authorize on the UserGate SIP Registrar, specify the following in the SIP UAC (User Agent Client) settings:

- the UserGate address as the SIP server address;
- the UserGate username (without spaces);
- any password.

H323 protocol support

H323 protocol support allows using the UserGate server as an H323 Gatekeeper. The H323 proxy settings specify the interface on which the server will listen for client requests, the port number, and the address and port of the H323 gateway. To authorize on UserGate Gatekeeper, the user needs to specify the login (username in UserGate), password (any) and phone number specified in the user profile in UserGate.

Important! If UserGate GateKeeper receives a call to an H323 number that does not belong to any of the authorized UserGate users, the call will be redirected to the H323 gateway. Calls to the H323 gateway are made in CallModel: Direct mode.

Mail proxies in UserGate

Mail proxies in UserGate are designed to work with the POP3 and SMTP protocols and to perform anti-virus scanning of mail traffic.

When the POP3 and SMTP proxies are used in transparent mode, the mail client on the user's workstation is configured exactly as it would be with direct access to the Internet.

If the UserGate POP3 proxy is used in non-transparent mode, then in the settings of the mail client on the user's workstation, the IP address of the UserGate computer and the port corresponding to the UserGate POP3 proxy must be specified as the POP3 server address. In addition, the login for authorization on the remote POP3 server is specified in the following format: email_address@POP3_server_address. For example, if the user has a mailbox [email protected], then the login for the UserGate POP3 proxy in the mail client must be specified as [email protected]@pop.mail123.com. This format is required so that the UserGate server can determine the address of the remote POP3 server.

If the UserGate SMTP proxy is used in non-transparent mode, then in the proxy settings you need to specify the IP address and port of the SMTP server that UserGate will use to send emails. In this case, in the settings of the mail client on the user's workstation, the IP address of the UserGate server and the port corresponding to the UserGate SMTP proxy must be specified as the SMTP server address. If authorization is required for sending, then in the mail client settings you need to specify the login and password corresponding to the SMTP server specified in the SMTP proxy settings in UserGate.

Using transparent mode

The Transparent mode function in the proxy server settings is available if the UserGate server is installed along with the NAT driver. In transparent mode, the UserGate NAT driver listens on the standard service ports on the network interfaces of the UserGate computer: 80 TCP for HTTP, 21 TCP for FTP, 110 and 25 TCP for POP3 and SMTP. If there are requests, it passes them to the corresponding UserGate proxy server. When using transparent mode in network applications, users do not need to specify the address and port of the proxy server, which significantly reduces the work of the administrator in terms of providing local network access to the Internet. However, in the network settings of the workstations, the UserGate server must be specified as a gateway, and the address of the DNS server must be specified.

Cascading proxies

The UserGate server can work with the Internet connection both directly and through upstream proxy servers. Such proxies are grouped in UserGate under Services → Cascading proxies. UserGate supports the following types of cascading proxies: HTTP, HTTPS, Socks4, Socks5. In the settings of the cascading proxy, the standard parameters are specified: address and port. If the upstream proxy supports authorization, you can specify the appropriate login and password in the settings. The created cascading proxies become available in the proxy server settings in UserGate.

Figure 11. Parent proxies in UserGate

Port assignment

UserGate supports the Port mapping function. If there are rules for assigning ports, the UserGate server redirects user requests arriving at a specific port of a specified network interface of the computer with UserGate to another specified address and port, for example, to another computer on the local network.

The Port Forwarding feature is available for TCP and UDP protocols.

Figure 12. Port assignment in UserGate

Important! If port assignment is used to provide access from the Internet to an internal company resource, you must select Specified user as the Authorization parameter, otherwise port forwarding will not work.

Configuring the cache

One of the purposes of a proxy server is to cache network resources. Caching reduces the load on your Internet connection and speeds up access to frequently visited resources. The UserGate proxy server performs HTTP and FTP traffic caching. Cached documents are placed in the local folder %UserGate_data%\Cache. The cache settings are the cache size limit and the cached document retention time.

Additionally, you can enable caching of dynamic pages and counting traffic from the cache. If the Read traffic from cache option is enabled, not only external (Internet) traffic will be recorded per user in UserGate, but also traffic received from the UserGate cache.

Attention! To see the current entries in the cache, you need to run a special utility to view the cache database. It is launched by right-clicking on the "UserGate Agent" icon in the system tray and selecting "Open Browser Cache".

Attention! If you have enabled the cache and still do not see any resources in the "cache browser", then you most likely need to enable a transparent proxy server for the HTTP protocol on the "Services - Proxy Settings" page.

Anti-virus scanning

Three anti-virus modules are integrated into the UserGate server: Kaspersky Lab Anti-Virus, Panda Security and Avira. All anti-virus modules are designed to scan incoming traffic through HTTP, FTP and UserGate mail proxies, as well as outgoing traffic through SMTP proxies.

The anti-virus module settings are available under Services → Anti-virus in the administration console (Fig. 14). For each anti-virus, you can specify which protocols it should check, set the frequency of updating anti-virus databases, and also specify URLs that do not need to be checked (URL filter option). Additionally, in the settings, you can specify a group of users whose traffic does not need to be subjected to anti-virus scanning.

Figure 13. Anti-virus modules in UserGate

Before launching the anti-virus modules, start updating the anti-virus databases and wait for it to complete. In the default settings, Kaspersky anti-virus databases are updated from the Kaspersky Lab website, and for Panda anti-virus, they are downloaded from Entensys servers.

The UserGate server supports simultaneous operation of three anti-virus modules. In this case, Kaspersky Anti-Virus will be the first to scan the traffic.

Important! When anti-virus traffic scanning is enabled, the UserGate server blocks multithreaded file downloads via HTTP and FTP. Blocking the ability to download part of a file over HTTP can lead to problems with the Windows Update service.

Scheduler in UserGate

The UserGate server has a built-in task scheduler that can be used to perform the following tasks: initializing and disconnecting a DialUp connection, sending statistics to UserGate users, executing an arbitrary program, updating anti-virus databases, clearing the statistics database, checking the database size.

Figure 14. Setting up the task scheduler

The Run program item in the UserGate scheduler can also be used to execute a sequence of commands (scripts) from *.bat or *.cmd files.

