Review of the UserGate proxy server - a comprehensive solution for providing shared access to the Internet

Having connected the office to the Internet, every boss wants to know what he is paying for, especially if the tariff is not unlimited but metered by traffic. There are several ways to solve the problems of traffic accounting and organizing Internet access on an enterprise scale. I will describe implementing the UserGate proxy server to obtain statistics and control channel bandwidth, using my own experience as an example.

I’ll say right away that I used UserGate (version 4.2.0.3459), but the methods of organizing access and the technologies used are found in other proxy servers as well, so the steps described here are generally suitable for other software solutions (for example, Kerio Winroute Firewall or other proxies), with minor differences in the details of the configuration interface.

The task assigned to me: a network of 20 machines, with an ADSL modem (512/512 kbit/s) in the same subnet. It is required to limit the maximum speed for users and keep track of traffic. The task is complicated slightly by the fact that access to the modem settings is closed by the provider (access is only possible through the terminal, and the password is held by the provider). The statistics page on the provider’s website is unavailable (don’t ask why; the only answer is that the company has such a relationship with the provider).

We install UserGate and activate it. To organize network access we will use NAT (Network Address Translation). For this to work, the machine where we install the UserGate server (service) needs two network cards (it may be possible to make NAT work on one network card by assigning it two IP addresses in different subnets).

So, the initial setup stage is configuring the NAT driver (a driver from UserGate, installed during the main installation of the service). We need two network interfaces (network cards) on the server hardware (for me this was not a problem, because I deployed UserGate on a virtual machine, where you can create “many” network cards).

Ideally, the modem itself is connected to one network card and the entire network that will access the Internet to the second. In my case the modem is in a different room from the server (a physical machine), and I was too lazy and had no time to move the equipment (and organizing a server room looms in the near future). I connected both network adapters to the same physical network, but configured them for different subnets. Since I could not change the modem settings (access was blocked by the provider), I had to move all computers to another subnet (fortunately, this is easily done with DHCP).

The network card connected to the modem (Internet) is set up as before (according to the data from the provider):

  • We assign a static IP address (in my case 192.168.0.5);
  • I did not change the subnet mask 255.255.255.0, but it can be set so that the subnet contains only two devices, the proxy server and the modem;
  • Gateway - the modem address 192.168.0.1;
  • Addresses of the provider's DNS servers (primary and secondary required).

The second network card, connected to the internal network (intranet), is set up as follows:

  • Static IP address, but in a different subnet (I have 192.168.1.5);
  • Mask according to your network settings (I have 255.255.255.0);
  • No gateway is specified.
  • In the DNS server address field, enter the address of the enterprise DNS server (if there is one; otherwise leave it blank).

Note: make sure that use of the NAT component from UserGate is selected in the network interface settings.

After setting up the network interfaces, launch the UserGate service itself (don’t forget to configure it to run as a service that starts automatically with system rights) and open the management console (locally or remotely). Go to “Network Rules” and select “NAT Setup Wizard”; you will need to indicate your intranet and Internet adapters. Intranet is the adapter connected to the internal network. The wizard will configure the NAT driver.

After that we need to understand NAT rules, for which we go to “Network settings” - “NAT”. Each rule has several fields and a status (active or inactive). The meaning of the fields is simple:

  • Title - the name of the rule; I recommend giving something meaningful (there is no need to write addresses and ports in this field, since this information is already visible in the list of rules);
  • Receiver interface - your intranet interface (in my case 192.168.1.5);
  • Sender interface - your Internet interface (on the same subnet as the modem, in my case 192.168.0.5);
  • Port - indicates which category this rule applies to (for example, port 80 for the browser (HTTP), port 110 for receiving mail). You can specify a range of ports if you don't want to fuss, but doing this for the entire port range is not recommended.
  • Protocol - select one of the options from the drop-down menu: TCP (usually), UDP or ICMP (for example, to make the ping or tracert commands work).

Initially the list already contains the most commonly used rules, needed for mail and various kinds of programs. But I supplemented the standard list with my own rules: for DNS queries (without using the forwarding option in UserGate), for SSL secure connections, for a torrent client, for the Radmin program, and so on. Here are screenshots of my list of rules. The list is still small, but it expands over time (as the need to work on a new port arises).

The next stage is setting up users. In my case I chose authorization by IP address and MAC address. There are also authorization options by IP address only and by Active Directory credentials. You can also use HTTP authorization (each time, users first enter a password through the browser). We create users and user groups and assign them the NAT rules they use (to give a user Internet in the browser, we enable the HTTP rule with port 80 for him; to give him ICQ, the ICQ rule with port 5190).

Lastly, at the implementation stage I configured users to work through the proxy. For this I used the DHCP service. The following settings are handed to client machines:

  • IP address - dynamic from DHCP in the range of the intranet subnet (in my case the range is 192.168.1.30 - 192.168.1.200; I configured IP address reservations for the required machines).
  • Subnet mask (255.255.255.0)
  • Gateway - the address of the machine with UserGate on the local network (intranet address 192.168.1.5)
  • DNS servers - I provide 3 addresses. The first is the address of the enterprise DNS server, the second and third are the provider’s DNS addresses. (The enterprise DNS is configured to forward to the provider’s DNS, so if the local DNS goes down, Internet names will still be resolved by the provider’s DNS.)

With this, the basic setup is completed. It remains to check that it works: on a client machine (having received the settings from DHCP or added them manually, in accordance with the recommendations above), launch the browser and open any page on the Internet. If something doesn't work, check the following:

  • Are the client network adapter settings correct? (Does the machine with the proxy server respond to ping?)
  • Is the user/computer authorized on the proxy server? (See the UserGate authorization methods.)
  • Does the user/group have the NAT rules necessary for operation enabled? (For the browser to work, you need at least an HTTP rule for the TCP protocol on port 80.)
  • Are the traffic limits for the user or group exceeded? (I didn’t introduce these myself.)
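To make the rule fields and the checklist above concrete, here is a small model of the NAT rules and their per-user assignment with the checks applied before testing on a client. This is an added example, not UserGate's own code; the rule fields follow the article, while the users and rule sets are constructed sample data.

```python
"""Model of the NAT rules and per-user assignment described above, with the
troubleshooting checklist applied to it before testing on a client.

Added example, not UserGate's own code. Rule fields (title, receiver and
sender interface, port or port range, protocol, active flag) follow the
article; the users and rule sets below are constructed sample data.
"""
from dataclasses import dataclass, field

INTRANET_IF = "192.168.1.5"   # receiver interface, LAN side (from the article)
INTERNET_IF = "192.168.0.5"   # sender interface, modem side (from the article)
INTRANET_PREFIX = "192.168.1."


@dataclass(frozen=True)
class NatRule:
    title: str
    receiver_if: str
    sender_if: str
    ports: range          # range(80, 81) for a single port
    protocol: str         # "TCP", "UDP" or "ICMP"
    active: bool = True

    def matches(self, protocol: str, port: int) -> bool:
        return self.active and self.protocol == protocol and port in self.ports


@dataclass
class User:
    name: str
    ip: str
    rules: list = field(default_factory=list)


def make_rule(title, first_port, last_port=None, protocol="TCP", active=True):
    """Build a rule on the intranet -> Internet pair of interfaces."""
    last_port = first_port if last_port is None else last_port
    return NatRule(title, INTRANET_IF, INTERNET_IF,
                   range(first_port, last_port + 1), protocol, active)


def can_reach(user: User, protocol: str, port: int) -> bool:
    """Would UserGate forward this user's connection? (checklist item 3)"""
    return any(r.matches(protocol, port) for r in user.rules)


def too_broad(rule: NatRule, limit: int = 1024) -> bool:
    """Flag what the article advises against: one rule over a huge port range."""
    return len(rule.ports) > limit


def precheck(user: User) -> list:
    """Findings a client-side test would otherwise reveal the hard way."""
    findings = []
    if not user.ip.startswith(INTRANET_PREFIX):
        findings.append(f"{user.name}: {user.ip} is not in the intranet subnet")
    if not can_reach(user, "TCP", 80):
        findings.append(f"{user.name}: no active HTTP rule (TCP/80), browser will fail")
    for r in user.rules:
        if too_broad(r):
            findings.append(f"{user.name}: rule '{r.title}' spans {len(r.ports)} ports")
    return findings


# Constructed sample rule list and users.
HTTP = make_rule("HTTP", 80)
POP3 = make_rule("POP3", 110)
ICQ = make_rule("ICQ", 5190)
DNS = make_rule("DNS", 53, protocol="UDP")
EVERYTHING = make_rule("Everything", 1, 65535)

ALICE = User("alice", "192.168.1.31", [HTTP, ICQ, DNS])
BOB = User("bob", "192.168.1.32", [POP3])
CAROL = User("carol", "192.168.0.77", [EVERYTHING])

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        status = "HTTP ok" if can_reach(u, "TCP", 80) else "HTTP blocked"
        print(u.name, status, precheck(u))
```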

Now you can monitor connected users and the NAT rules they use in the “Monitoring” item of the proxy server management console.

Further proxy settings are already tuning to specific requirements. The first thing I did was enable bandwidth limiting in user properties (later you can implement a system of rules to limit speed) and enable the additional UserGate services - a proxy server (HTTP on port 8080, SOCKS5 on port 1080). Enabling the proxy services allows you to use request caching, but it requires additional configuration of the clients to work with the proxy server.

Any questions? I suggest asking them right here.

________________________________________

Good day, dear visitor. The year 2013 is behind us; for some it was difficult, for others easy, but time flies, and if you consider that one nanosecond is 10^-9 s, then it simply flies. In this article I will tell you about a new product from Entensys, whose partner we are in three areas: UserGate Proxy & Firewall 6.2.1.

From an administration point of view, the difference between version 6.2 and UserGate Proxy & Firewall 5.2F, which we successfully deploy in our IT outsourcing practice, is practically non-existent. We will use Hyper-V as the lab environment, namely two first-generation virtual machines: the server part on Windows Server 2008 R2 SP1 and the client part on Windows 7 SP1. For some reason unknown to me, UserGate version 6 does not install on Windows Server 2012 and Windows Server 2012 R2.

So, what is a proxy server?

A proxy server (from the English proxy, “representative, authorized”) is a service (set of programs) in computer networks that allows clients to make indirect requests to other network services. First, the client connects to the proxy server and requests a resource (for example, e-mail) located on another server. Then the proxy server either connects to the specified server and obtains the resource from it, or returns the resource from its own cache (when the proxy has one). In some cases the client request or server response may be modified by the proxy server for certain purposes. A proxy server also allows you to protect the client’s computer from some network attacks and helps maintain the client’s anonymity.

What is UserGate Proxy & Firewall?

UserGate Proxy & Firewall is a comprehensive solution for connecting users to the Internet, providing full traffic accounting, access control and built-in network protection.

From the definition, let's look at what solutions Entensys provides in its product, how traffic is calculated, how access is limited, and what protection tools UserGate Proxy & Firewall provides.

What does UserGate consist of?

UserGate consists of several parts: a server, an administration console and several additional modules. The server is the main part of the proxy server, in which all its functionality is implemented. The UserGate server provides access to the Internet, counts traffic, keeps statistics of user activity on the network, and performs many other tasks.

UserGate Administration Console is a program designed to manage the UserGate server. The UserGate administration console communicates with the server part via a special secure protocol over TCP/IP, which allows you to perform remote server administration.

UserGate includes three additional modules: “Web Statistics”, “UserGate Authorization Client” and the “Application Control” module.

Server

Installing the UserGate server side is very simple; the only choice is the database during the installation process. Access to the database is either direct (for the built-in Firebird database) or through an ODBC driver, which allows the UserGate server to work with databases of almost any format (MS Access, MS SQL, MySQL). By default the Firebird database is used. If you decide to upgrade UserGate from a previous version, you will have to say goodbye to the statistics database: for the statistics file only the transfer of current user balances is supported; the traffic statistics themselves will not be transferred. The change of database was caused by performance problems with the old one and limits on its size. The new Firebird database does not have these shortcomings.

Launching the administration console.

The console is installed on the server VM. When first launched, the administration console opens to the Connections page, which contains a single connection to the localhost server for the Administrator user. The connection password has not been set. You can connect the administration console to the server by double-clicking on the localhost-administrator line or by clicking the connect button on the control panel. You can create multiple connections in the UserGate administration console.

The connection settings specify the following parameters:

  • The server name is the name of the connection;
  • Username – login to connect to the server;
  • Server address – domain name or IP address of the UserGate server;
  • Port – TCP port used to connect to the server (by default, port 2345 is used);
  • Password – password for connection;
  • Ask for password when connecting – this option allows you to display a dialog for entering your username and password when connecting to the server;
  • Automatically connect to this server – the administration console will connect to this server automatically when launched.

When you first start the server, the system offers an installation wizard, which we refuse. Administration console settings are stored in the console.xml file located in the %UserGate%\Administrator directory.

Setting up connections behind NAT. The “General NAT Settings” item allows you to set the timeout for NAT connections over TCP, UDP or ICMP. The timeout determines how long a user's connection through NAT lives after data transmission over it has finished. We leave this setting at its default.

Attack detector is a special option that enables the internal mechanism for monitoring and blocking port scanners or attempts to occupy all server ports.

Block by browser line - a list of browser User-Agent strings that the proxy server can block. That is, you can, for example, prevent older browsers such as IE 6.0 or Firefox 3.x from accessing the Internet.

Interfaces

The Interfaces section is the main one in the UserGate server settings, since it determines such things as the correctness of traffic counting, the ability to create firewall rules, limits on Internet channel bandwidth for traffic of a certain type, the relationships between networks, and the order in which packets are processed by the NAT driver. On the “Interfaces” tab, select the desired type for each interface: for an adapter connected to the Internet select the WAN type, for an adapter connected to the local network the LAN type. Internet access for the VM is shared, so the interface with address 192.168.137.118 will be the WAN adapter; select the desired type and click “Apply”. Then reboot the server.

Users and groups

Access to the Internet is provided only to users who have successfully completed authorization on the UserGate server. The program supports the following user authorization methods:

  • By IP address
  • By IP address range
  • By IP+MAC address
  • By MAC address
  • Authorization using HTTP (HTTP-basic, NTLM)
  • Authorization via login and password (Authorization Client)
  • Simplified authorization option via Active Directory

To use the last three authorization methods, you must install a special application on the user's workstation - the UserGate authorization client. The corresponding MSI package (AuthClientInstall.msi) is located in the %UserGate%\tools directory and can be used for automatic installation using Group Policy in Active Directory.

For terminal users, only the “Authorization via HTTP” option is provided. The corresponding option is enabled in the General settings item in the administration console.

You can create a new user through the item Add a new user or by clicking the button Add in the control panel on the page Users and groups.

There is another way to add users - scanning the network with ARP requests. Click on an empty space on the Users page in the admin console and select Scan local network. Then set the local network parameters and wait for the scan results. You will get a list of users who can be added to UserGate. Let’s check: click “Scan local network”.

Set the parameters:

Works!

Adding a user

It is worth recalling that UserGate has an authentication priority: first physical, then logical. This method is not reliable, since the user can change the IP address. What suits us is importing Active Directory accounts, which is done easily by clicking the “Import” button, then “Select”, entering the name of our account, “Ok”, “Ok”.

Select “Group”, leave the default “default”

Click “Ok” and save the changes.

Our user was added without any problems. It is also possible to synchronize AD groups on the “Groups” tab.

Setting up proxy services in UserGate

The following proxy servers are integrated into the UserGate server: HTTP (with support for “FTP over HTTP” and the HTTPS Connect method), FTP, SOCKS4, SOCKS5, POP3 and SMTP, SIP and H323. Proxy server settings are available in the Services → Proxy settings section of the administration console. The main settings of a proxy server are the interface and the port number on which the proxy operates. So, for example, let's enable a transparent HTTP proxy on our LAN interface. Go to “Proxy Settings” and select HTTP.

Let's select our interface, leave everything as default and click "OK"

Using transparent mode

The “Transparent Mode” function in the proxy server settings is available if the UserGate server is installed along with the NAT driver. In transparent mode, the NAT UserGate driver listens to standard ports for services: 80 TCP for HTTP, 21 TCP for FTP, 110 and 25 TCP for POP3 and SMTP on the network interfaces of the computer with UserGate. If there are requests, it transfers them to the appropriate UserGate proxy server. When using transparent mode in network applications, users do not need to specify the address and port of the proxy server, which significantly reduces the administrator's work in terms of providing local network access to the Internet. However, in the network settings of workstations, the UserGate server must be specified as a gateway, and the DNS server address must be specified.

Mail proxies in UserGate

Mail proxy servers in UserGate are designed to work with the POP3 and SMTP protocols and for anti-virus scanning of mail traffic. When using the transparent operating mode of POP3 and SMTP proxy, the settings of the mail client on the user's workstation do not differ from the settings corresponding to the option with direct access to the Internet.

If the UserGate POP3 proxy is used in non-transparent mode, then in the settings of the mail client on the user's workstation, the IP address of the computer with UserGate and the port corresponding to the UserGate POP3 proxy must be specified as the POP3 server address. In addition, the login for authorization on the remote POP3 server is specified in the following format: email_address@POP3_server_address. For example, if the user has a mailbox [email protected], then as the login for the UserGate POP3 proxy in the mail client you will need to specify: [email protected]@pop.mail123.com. This format is necessary so that the UserGate server can determine the address of the remote POP3 server.

If the UserGate SMTP proxy is used in non-transparent mode, then in the proxy settings you need to specify the IP address and port of the SMTP server that UserGate will use to send letters. In this case, in the settings of the mail client on the user's workstation, the IP address of the UserGate server and the port corresponding to the UserGate SMTP proxy must be specified as the SMTP server address. If authorization is required for sending, then in the mail client settings you need to specify the login and password corresponding to the SMTP server, which is specified in the SMTP proxy settings in UserGate.
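The two POP3 proxy modes above differ only in what the mail client is told; the following added example (not UserGate's own code) derives the client settings for each mode and shows how a proxy can recover the remote server from the email_address@POP3_server_address login. Splitting on the last '@' is an assumption made here, since the text does not say how UserGate parses it; user@mail123.com is a constructed mailbox and pop.mail123.com is the server named in the text.

```python
"""Mail-client settings for the two POP3 proxy modes described above, and the
proxy-side parsing of the email_address@POP3_server_address login format.

Added example, not UserGate's own code. The login format is from the text
above; how UserGate itself splits it is not documented here, so splitting on
the last '@' is an assumption made in this example. user@mail123.com is a
constructed mailbox; pop.mail123.com is the server named in the text.
"""
import re

# Syntactic check for the server part, so a malformed login is refused
# instead of being handed to the connection code.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def client_pop3_settings(mode, mailbox, pop_server, usergate_ip, proxy_port=110):
    """What the workstation's mail client must be given for each proxy mode."""
    if mode == "transparent":
        # Identical to direct Internet access: real server, real login.
        return {"server": pop_server, "port": 110, "login": mailbox}
    if mode == "non-transparent":
        # The client talks to the UserGate host; the real server is encoded
        # in the login so the proxy can learn where to connect.
        return {"server": usergate_ip, "port": proxy_port,
                "login": f"{mailbox}@{pop_server}"}
    raise ValueError(f"unknown mode: {mode}")


def split_proxy_login(login):
    """Proxy side: recover (mailbox, remote POP3 server) from the login.

    Returns None when no remote server part is present or it is not a valid
    host name; the proxy then has no server to connect to and should reject
    the session rather than guess.
    """
    mailbox, sep, server = login.rpartition("@")
    if not sep or "@" not in mailbox or not HOSTNAME_RE.match(server):
        return None
    return mailbox, server


if __name__ == "__main__":
    for mode in ("transparent", "non-transparent"):
        cfg = client_pop3_settings(mode, "user@mail123.com", "pop.mail123.com",
                                   "192.168.137.118")
        print(mode, cfg, "->", split_proxy_login(cfg["login"]))
```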

Well, that sounds cool, let's check it out using mail.ru.

First of all, let's enable the POP3 and SMTP proxies on our server. When enabling POP3, we specify the LAN interface and the standard port 110.

Also make sure that the “Transparent proxy” box is not checked, then click “Ok” and “Apply”.

Uncheck “Transparent mode” and fill in “Remote server settings”, in our case smtp.mail.ru. Why is only one server indicated? The answer: it is assumed that the organization uses a single SMTP server, and it is this server that is specified in the SMTP proxy settings.

The first rule for POP3 should look like this.

Second, as Alexander Nevsky would say “Like this”

Don’t forget about the “Apply” button, and move on to setting up the client. As we remember, “If the UserGate POP3 proxy is used in non-transparent mode, then in the settings of the mail client on the user’s workstation, the IP address of the computer with UserGate and the port corresponding to the UserGate POP3 proxy must be specified as the POP3 server address. In addition, the login for authorization on the remote POP3 server is specified in the following format: email_address@POP3_server_address.” Let's act.

First, log in to the authorization client, then open regular Outlook; in our example I created a test mailbox [email protected], and configure it by specifying our mailbox in the format UserGate understands, [email protected]@pop.mail.ru, and our proxy address as the POP and SMTP servers.

Click “Account Verification...”

Port assignment

UserGate supports the Port Forwarding function. If there are port assignment rules, the UserGate server redirects user requests arriving on a specific port of a given network interface of a computer with UserGate to another specified address and port, for example, to another computer on the local network. The Port Forwarding function is available for TCP and UDP protocols.

If port assignment is used to provide access from the Internet to an internal company resource, you must select Specified user as the Authorization parameter, otherwise port forwarding will not work. Don't forget to enable Remote Desktop.

Cache setup

One of the purposes of a proxy server is to cache network resources. Caching reduces the load on your Internet connection and speeds up access to frequently visited resources. The UserGate proxy server caches HTTP and FTP traffic. Cached documents are placed in the local %UserGate_data%\Cache folder. The cache settings indicate the maximum cache size and the storage time for cached documents.

Anti-virus scan

Three antivirus modules are integrated into the UserGate server: Kaspersky Lab antivirus, Panda Security and Avira. All anti-virus modules are designed to scan incoming traffic through HTTP, FTP and UserGate mail proxy servers, as well as outgoing traffic through SMTP proxies.

Anti-virus module settings are available in the Services → Anti-virus section of the administration console. For each antivirus, you can specify which protocols it should scan, set the frequency of updating anti-virus databases, and also specify URLs that do not need to be scanned (URL filter option). Additionally, in the settings you can specify a group of users whose traffic does not need to be subjected to anti-virus scanning.

Before turning on the antivirus, you must first update its database.

After the functions above, let’s move on to the frequently used ones: “Traffic Management” and “Application Control”.

Traffic control rules system

The UserGate server provides the ability to control user access to the Internet using traffic management rules. Traffic control rules are designed to prohibit access to certain network resources, to set restrictions on traffic consumption, to create a schedule for users on the Internet, and also to monitor the status of user accounts.

In our example, we will restrict access for a user whose request contains references to vk.com. To do this, go to “Traffic Management - Rules”.

Give the rule a name and set the action to “Close connection”.

After adding the site, move on to the next parameter, selecting a group or user; the rule can be set for either a user or a group, in our case the user “User”.

Application Control

The Internet access control policy received a logical continuation in the form of the Application Firewall module. The UserGate administrator can allow or deny access to the Internet not only for users, but also for network applications on the user's workstation. To do this, you need to install a special application App.FirewallService on user workstations. Installation of the package is possible both through the executable file and through the corresponding MSI package (AuthFwInstall.msi), located in the %Usergate%\tools directory.

Let's go to the “Application Control - Rules” module and create a prohibiting rule, for example to prohibit launching IE. Click add a group, give it a name and set a rule for the group.

We select the rule group we created; we can check the “Default Rule” checkbox, in which case the rules will be added to the “Default_Rules” group.

Applying a rule to a user in user properties

Now we install Auth.Client and App.Firewall on the client station; after installation, IE should be blocked by the rules created earlier.

As we can see, the rule worked. Now let’s disable the rules for the user to see how the rule for the site vk.com works. After disabling the rule on the UserGate server, you need to wait 10 minutes (the synchronization time with the server). Let's try to access the direct link.

We try through the search engine google.com

As you can see, the rules work without any problems.
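The walkthrough above shows the vk.com rule firing both on a direct link and on a search-engine query that mentions the site. The following added example (not UserGate's own code) models that rule as a decision function so the two observed cases, plus a near-miss host name and a user outside the rule's scope, can be checked offline; the rule semantics, users, groups and URLs are constructed here.

```python
"""A UserGate-style traffic rule as in the example above: block a user whose
request references vk.com, action "Close connection", scoped to a user or group.

Added example, not UserGate's own code; the rule semantics are modelled on the
text (a reference anywhere in the request, which is why the search-engine
query was blocked too) and the users, groups and URLs are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class TrafficRule:
    name: str
    site: str                       # e.g. "vk.com"
    action: str = "Close connection"
    users: frozenset = frozenset()  # rule scope: named users ...
    groups: frozenset = frozenset() # ... and/or groups
    enabled: bool = True

    def applies_to(self, user, user_groups):
        return user in self.users or bool(self.groups & user_groups)


def references_site(url: str, site: str) -> bool:
    """True if the percent-decoded request mentions the site as a whole
    domain token: matches vk.com and m.vk.com, not novk.com or vk.community."""
    pattern = r"(?<![a-z0-9-])" + re.escape(site) + r"(?![a-z0-9-])"
    return re.search(pattern, unquote(url), re.I) is not None


def decide(rule: TrafficRule, user: str, user_groups: frozenset, url: str) -> str:
    """Return the rule's action for this request, or "Allow" if it does not apply.

    A disabled rule never fires; the article notes that after disabling a rule
    on the server the client may keep enforcing it for up to 10 minutes.
    """
    if (rule.enabled and rule.applies_to(user, user_groups)
            and references_site(url, rule.site)):
        return rule.action
    return "Allow"


# Constructed sample: the rule from the walkthrough, applied to user "User".
VK_RULE = TrafficRule("Block vk.com", "vk.com", users=frozenset({"User"}))
GROUPS = {"User": frozenset({"default"}), "Admin": frozenset({"admins"})}

if __name__ == "__main__":
    for url in ("http://vk.com/feed", "https://www.google.com/search?q=vk.com",
                "http://novk.com/", "https://example.org/"):
        print(url, "->", decide(VK_RULE, "User", GROUPS["User"], url))
```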

So, this article covers only a small part of the functions. The possible settings for the firewall, routing rules and NAT rules are omitted. UserGate Proxy & Firewall provides a wide range of solutions, and then some. The product performed very well, and most importantly, it was easy to set up. We will continue to use it in servicing clients’ IT infrastructures to solve typical problems!

Currently, no company can do its work without the Internet. The global network is actively used in business processes to solve a wide range of information, communication and marketing tasks. But at the same time, it is also a potential threat to information security. Email and web traffic is often used by attackers to distribute malware, phishing messages, etc.

Another potential danger of the Internet is its misuse by employees during working hours. Company employees, instead of performing their official duties, can spend time communicating on social networks, browsing various entertainment sites, downloading movies, music, unlicensed software, etc. This increases the direct and indirect costs of the company, reduces the productivity of office employees, and is a direct threat to information security (when visiting certain categories of unwanted sites, the risk of infecting your computer increases noticeably).

Therefore, in modern conditions, the problem of connecting a corporate network to the Internet must be solved taking into account all security requirements and monitoring the actions of employees. The UserGate Proxy & Firewall product provides a solution to the listed problems. It first appeared on the market about 10 years ago and was a fairly simple, but reliable and easy-to-use proxy server. This is what earned it its popularity in Russia and neighboring countries.

Currently, the developers continue to improve their brainchild, and have significantly expanded the functional content of the product, taking into account the realities in the field of information security. Not only major (about once every 2-3 years), but also minor (2-4 between major) versions of UserGate Proxy & Firewall are released quite regularly, in each of which the capabilities of the proxy server are expanded. Today it is a comprehensive product that can be used to solve the entire range of problems associated with sharing the Internet.

Composition of UserGate Proxy & Firewall

The basis of the UserGate Proxy & Firewall solution is the UserGate server. It is installed directly on a corporate Internet gateway and implements global network sharing, statistics maintenance, traffic counting, etc.

The access system is administered using the management console. This is a separate application that connects to the server via a special protocol over TCP/IP (a proprietary protocol is used, with transmission protected using OpenSSL and a key length of 1024 bits), which allows you to use it not only locally, but also remotely. Thus, the system administrator can manage UserGate Proxy & Firewall directly from his workplace, without needing physical access to the Internet gateway.

In addition, UserGate Proxy & Firewall implements a number of additional modules to solve various specific problems.

  • UserGate Statistics. A separate application that is installed on the computer of responsible employees and allows them to view Internet usage statistics.
  • Web statistics. A module for viewing statistics through a web browser. If necessary, it can be accessed not only from the local network, but also from the Internet.
  • Cache Explorer. A separate application for viewing cache contents saved by UserGate Proxy & Firewall.
  • UserGate authorization client. A separate application that is installed on end-user computers and provides the ability to use “advanced” authorization methods - using Active Directory, Windows login, etc.
  • Application Control. A separate application installed on workstations. It allows you to limit the list of programs that are allowed to access the Internet.

System requirements

The system requirements imposed by the proxy server on the computer are described in the table.

Requirement          | Minimum requirements | Recommended configuration
CPU                  | 1 GHz                | 1-2 GHz depending on the number of users
RAM                  | 512 MB               | 512 MB – 1 GB depending on the number of users
Operating system     | Windows 2000/XP/2003/2008/7/2008 R2 (32- and 64-bit OS supported)
Internet connection  | The type and capacity are determined in each specific case, based on the needs

Features of UserGate Proxy & Firewall

The UserGate Proxy & Firewall product has a wide range of capabilities to ensure collaboration on the Internet, protect the corporate information system from external threats, and control the use of the global network by users.

Organizing online collaboration

UserGate Proxy & Firewall allows you to organize collaboration on the Internet for a large number of users. To do this, it implements a number of proxy servers (for HTTP, FTP, POP3, SMTP, SOCKS4, SOCKS5, SIP and H323 protocols), its own NAT driver, and a DNS forwarding system.

Transparent proxy mode

Proxy servers in UserGate Proxy & Firewall can operate in transparent mode. In this case, no additional software configuration is required on the client side. To implement it, NAT technology is used.

Multi-provider support

The program in question can work with several network interfaces connected to different providers. This allows you to implement such features as redirecting traffic from different user groups to different Internet channels, as well as reserving Internet access.

Traffic Manager

UserGate Proxy & Firewall implements the Traffic Manager module, designed for flexible control of the Internet channel width. With its help, you can specify the priority of various types of traffic, limit the data transfer rate for certain protocols, etc.

Caching

The program in question implements a caching system. It stores files downloaded by users on the hard drive of the Internet gateway and, upon subsequent access to them, does not download them again from the remote server. This allows you to reduce the load on the Internet channel and traffic consumption in general.

IP telephony support

An interesting feature of UserGate Proxy & Firewall is its support for IP telephony. In addition to SIP and H323 proxy servers, it implements such functions as a SIP Registrar (in effect, an IP telephony server) and an H323 GateKeeper.

User authorization

UserGate Proxy & Firewall implements eight methods of user authorization: for example, by IP address, by the network card's MAC address, through Active Directory, by logins and passwords specified by the administrator, and by Windows accounts.

Limiting traffic and access speed

The proxy server in question allows you to set rules that limit the use of the Internet. In particular, you can determine the daily, weekly or monthly limit of consumed traffic, the maximum data transfer speed, protocols allowed for use, etc. Rules can be tied to both individual users and entire groups of them.

Billing system

UserGate Proxy & Firewall implements its own billing system, which can be used to calculate the costs of using the Internet. Tariffs can be set either temporary or based on consumed traffic. At the same time, it is possible to flexibly configure them and automatically switch from one to another depending on the time of day or category of the site being viewed.

Application Control

UserGate Proxy & Firewall allows you to limit the list of applications that are allowed to access the Internet. This allows us to solve the problem of uniformity in the use of software on a local network. In addition, this module can serve as a means of additional protection against malware. Even if they are active on the computer, the Internet channel will not be available to them.

Site category filtering

The proxy server in question allows you to restrict access to unwanted sites by category. For this purpose, the Entensys URL Filtering cloud technology is used. It is based on a special database of sites divided into 82 categories, and it is by these categories that access can be limited. The database contains more than 500 million web projects and is constantly updated and edited by the developers. It is worth noting that category filtering requires the purchase of an additional license.

Application Control

UserGate Proxy & Firewall implements a traffic filtering system based on the applications that generate it. This allows you to let one program access the Internet while blocking the network activity of another. It is worth noting the high flexibility of the filtering rules: with their help, you can allow an application to work only over a specific protocol, or to send network packets only to a specified IP address or range of IP addresses, etc. To implement this type of filtering, you need to install a special “Application Control” program on the workstations; it is included in the product's delivery package.

Statistics and reports

The proxy server in question keeps detailed statistics on Internet usage by all users. You can work with them using a special application or through a web interface. A system of access rights is implemented, which allows responsible employees to view complete information, while other users see only their own statistics. While working, you can use tools such as filtering by various conditions, generating tabular and graphical reports, and exporting data to HTML format and to Microsoft Excel and OpenOffice.org Calc.

Built-in DHCP server

UserGate Proxy & Firewall implements its own DHCP server, which can distribute IP addresses to clients from a pool specified by the administrator. This tool is not needed if a domain has been deployed in the enterprise information system. However, it can simplify the administration of computers in small peer-to-peer networks.

Built-in router

Another tool for the administrator is the built-in router. It allows you to combine two or more local networks, providing transparent two-way communication between them. At the same time, you can specify the protocols and services that will be allowed to use network connections.

Antivirus protection

Using UserGate Proxy & Firewall, all traffic passing through a proxy server can be scanned for the presence of malware. For this purpose, integrated modules developed by Kaspersky Lab and Panda Security are used. Moreover, traffic scanning can be carried out either by one of the specified anti-virus modules, or sequentially. It is worth noting that the use of antivirus software requires the purchase of additional licenses from the relevant manufacturers.

Firewall

The proxy server in question implements a full-fledged firewall that allows you to block unwanted network traffic and helps protect against external intrusions. At the same time, it is very easy to set up: when you enable or disable services and port forwarding rules, the corresponding ports are automatically opened or closed.

VPN support

UserGate Proxy & Firewall supports PPTP and L2TP protocols, which are used to communicate with VPN servers. This makes it easy to provide secure remote connections to the information resources of an enterprise or its branches.

Deploying UserGate Proxy & Firewall and working with it

The procedure for deploying the UserGate Proxy & Firewall proxy server can be divided into several stages.

  1. Program installation.
  2. Basic proxy server setup.
  3. Creation of rules implementing corporate Internet use policy.
  4. Adding users.

Stage 1. Installing the program

The installation procedure for UserGate Proxy & Firewall is very simple and does not require any special knowledge or skills from the performer. First of all, download the distribution from the developer’s official website, launch it and select the installer’s operating language. In the welcome window that opens, click on the “Next” button.

Figure 1. Installer welcome window, UserGate Proxy & Firewall

In the next step, read the license agreement, accept it and click on “Next” again.

Figure 2. License agreement, UserGate Proxy & Firewall

The third stage is to select the components to install. If you are installing the program on an Internet gateway, you must enable the “UserGate Proxy & Firewall 5 Basic Files” item and select the necessary sub-items there. So, for example, if you do not have a license for anti-virus scanning modules or you are not going to use web statistics, then there is no need to install the corresponding modules. You can separately select the management console and the UserGate Statistics component. This may be required when installing the product on the computer of an administrator or responsible employee to remotely manage the proxy server and view reporting.

Here, if necessary, you can change the folder in which the product will be installed (the default folder is C:\Program Files\Entensys\UserGate 5\).

Figure 3. Selecting installation components, UserGate Proxy & Firewall

After this, the final installer window is displayed, in which you need to click on the “Install” button to start the process.

Figure 4. Final installer window, UserGate Proxy & Firewall

The time it takes to complete the installation procedure depends on available system resources.

Figure 5. Installation of UserGate Proxy & Firewall

A computer restart is required to complete the installation.

Stage 2. Basic proxy server setup

All proxy server administration work is carried out using the management console. It can be carried out either directly from the Internet gateway or remotely from the administrator’s workstation. If the console is installed together with the server on the same computer, the connection is created automatically. Otherwise, you need to configure the connection manually - specify the domain name or server IP address, port (2345 by default), login and password.

Figure 6. Setting up a connection to the server, UserGate Proxy & Firewall

After connecting to the server for the first time, you need to configure the interfaces. This is done on the management console tab of the same name. UserGate Proxy & Firewall automatically detects all available network interfaces and displays them in the list. Select those that “look” at the local network and change their type to LAN. All external interfaces must be of type WAN. In addition to network interfaces, the list includes connections such as PPPoE, VPN, etc. These are automatically assigned the PPP type, which cannot be changed.

Figure 7. Configuring network interfaces, UserGate Proxy & Firewall

If necessary, you can set up an Internet channel reservation (failover) system. It automatically switches to another interface if the main one is unavailable. To use it, you must have two or more Internet connections. The most convenient way to set up reservation is the special wizard. At the first stage, specify the main and backup connections.

Figure 8. Specifying the primary and backup connections in UserGate Proxy & Firewall

At the second stage, enter the addresses of servers whose unavailability will mean that the channel is “down”. Please note that it is best to use popular services, and not just one but several. This avoids switching to the backup channel because of an internal problem at a single server, a backbone failure or other similar reasons. Additionally, you can enter the check interval and timeout for the Ping command.

Figure 9. List of servers used to check that the connection is working in UserGate Proxy & Firewall

All Internet channel reservation settings are displayed on the "Interfaces" page of the management console. Here you can change them manually without going through the setup wizard.

Figure 10. Internet channel reservation properties in UserGate Proxy & Firewall
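The channel check described above can be modelled in a few dozen lines. The following is an added example, not UserGate code: it probes several targets and treats the channel as down only when all of them fail, which is exactly why the text recommends listing several popular services rather than one. The probe targets are constructed placeholders from the TEST-NET documentation ranges, and the "three consecutive failed polls before switching" threshold is this example's own assumption (the wizard exposes only an interval and a timeout).

```python
"""Added example (not UserGate code): channel health check in the spirit of the
Internet channel reservation wizard. The channel is declared down only when ALL
probe targets fail, so a single unavailable service does not trigger a failover."""
import platform
import subprocess
from typing import Callable, Iterable, List

# Constructed placeholder targets (TEST-NET addresses). In practice use several
# well-known, independently operated services, as the text recommends.
PROBE_TARGETS: List[str] = ["198.51.100.10", "203.0.113.10", "192.0.2.10"]


def ping_once(host: str, timeout_s: float) -> bool:
    """One ICMP echo request via the OS ping tool; True if a reply arrived."""
    if platform.system().lower() == "windows":
        cmd = ["ping", "-n", "1", "-w", str(int(timeout_s * 1000)), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, int(timeout_s))), host]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return result.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False


def channel_is_up(targets: Iterable[str],
                  probe: Callable[[str, float], bool] = ping_once,
                  timeout_s: float = 2.0) -> bool:
    """The channel counts as up if at least one target answers."""
    return any(probe(t, timeout_s) for t in targets)


class FailoverMonitor:
    """Decides which interface should be active. Switches to the backup only after
    `failures_to_switch` consecutive failed polls (hysteresis; our assumption) and
    returns to the primary as soon as it answers again."""

    def __init__(self, targets, probe=ping_once, failures_to_switch=3, timeout_s=2.0):
        self.targets = list(targets)
        self.probe = probe
        self.failures_to_switch = failures_to_switch
        self.timeout_s = timeout_s
        self.consecutive_failures = 0
        self.active = "primary"

    def poll(self) -> str:
        """Run one check cycle and return the interface that should be active."""
        if channel_is_up(self.targets, self.probe, self.timeout_s):
            self.consecutive_failures = 0
            self.active = "primary"
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failures_to_switch:
                self.active = "backup"
        return self.active


if __name__ == "__main__":
    monitor = FailoverMonitor(PROBE_TARGETS)
    print("active interface:", monitor.poll())
```

The `probe` parameter exists so the decision logic can be exercised without network access; in production `ping_once` shells out to the system ping tool, whose flags differ between Windows and POSIX.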

Next you need to configure the proxy server. To do this, open the “Services” section in the management console and select the “Proxy Settings” tab in it. In this case, a list of all available proxy servers will be displayed on the right side of the window. Turn on the necessary services and turn off all others.

Figure 11. List of proxy servers in UserGate Proxy & Firewall

If necessary, you can change the operating parameters of any proxy server. This is done in a special window, opened by double-clicking the desired item. In it you need to specify the network interfaces on which the proxy server will listen. In most cases, you will need to select all LAN connections. You do not have to specify interfaces in the properties, but then UserGate Proxy & Firewall will listen on all of them, including the external ones, which exposes the proxy on the WAN side. Here you can also change the port on which the proxy server runs.

Additionally, in this window you can switch the proxy server to the so-called transparent operating mode. Its essence is as follows. When transparency is enabled, the NAT driver listens on the corresponding ports of the Internet gateway (80/TCP for HTTP, 110/TCP for POP3, etc.), detects requests arriving on them and forwards them to the proxy server. As a result, the traffic is in fact handled by the proxy, but administrators no longer need to configure applications on the workstations: all of them work as if connected directly to the Internet. However, when using transparent mode, the network connection properties of the workstations must be reconfigured (specify the IP address of the Internet gateway as the default gateway and enter the DNS server).

Figure 12. Proxy server properties in UserGate Proxy & Firewall

Next, you need to ensure that DNS requests pass through the proxy server. The easiest way to do this is using DNS forwarding. When using this technology, requests arriving at port 53 of the Internet gateway (only LAN interfaces are listened to) are redirected to the provider's DNS server. To enable it, go to the "DNS Settings" tab in the "Services" section. In the window that opens, enable DNS forwarding and specify the DNS server address. By default, it will be taken automatically from the settings of the WAN interface network card. However, if necessary, you can set your own list of DNS servers.

Figure 13. DNS setup in UserGate Proxy & Firewall
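To make the DNS forwarding step and the earlier point about listening interfaces concrete, here is an added example (not UserGate's own code) of a minimal UDP DNS forwarder. It binds only to the gateway's LAN address, logs the queried name, relays the query to the provider's resolver and returns the reply. The LAN address and the upstream resolver address are constructed TEST-NET placeholders; the packet builder and parser follow the standard DNS wire format.

```python
"""Added example (not UserGate code): a minimal UDP DNS forwarder that listens only
on a LAN address and relays queries to the provider's resolver. Binding to the LAN
interface rather than 0.0.0.0 keeps the gateway from becoming an open resolver
reachable from the WAN side."""
import socket
import struct

LAN_LISTEN_ADDR = "192.168.0.1"        # constructed: the gateway's LAN address
UPSTREAM_DNS = ("203.0.113.53", 53)    # constructed: the provider's resolver


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (qtype 1 = A record) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query_name(packet: bytes) -> str:
    """Extract the first question's QNAME; raises ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            raise ValueError("unexpected compression pointer")
        pos += 1
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels)


def txid_of(packet: bytes) -> int:
    """Transaction ID from the first two header bytes."""
    return struct.unpack("!H", packet[:2])[0]


def serve(listen_addr: str = LAN_LISTEN_ADDR, upstream=UPSTREAM_DNS, port: int = 53):
    """Relay loop: one socket bound to the LAN side, one used towards the provider.
    A reply is passed back only if its transaction ID matches the query."""
    lan = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    lan.bind((listen_addr, port))          # LAN only, never 0.0.0.0
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.settimeout(3.0)
    while True:
        query, client = lan.recvfrom(512)
        try:
            name = parse_query_name(query)
        except ValueError as exc:
            print(f"dropping malformed query from {client[0]}: {exc}")
            continue
        print(f"{client[0]} -> {name}")
        up.sendto(query, upstream)
        try:
            reply, _ = up.recvfrom(4096)
        except socket.timeout:
            continue
        if txid_of(reply) == txid_of(query):
            lan.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Running `serve()` requires binding port 53 on the gateway, which needs administrative rights; the builder and parser can be exercised on their own to check how a query is formed and what the forwarder logs.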

Additionally, you can configure such product features as general bandwidth management, port forwarding, application control, etc. However, we will not discuss them in detail: UserGate Proxy & Firewall is too functional to describe its full configuration in one review. In addition, this product is accompanied by a fairly detailed help system.

Stage 3. Creating rules that implement corporate Internet use policy

An important feature of UserGate Proxy & Firewall is the traffic management system, which allows you to prevent misuse of corporate Internet resources by employees, enhance the security of the information system and solve a number of other similar problems. It is based on rules that describe the behavior of the system in certain cases. The main work with them is carried out on the tab of the same name in the “Traffic Management” section, where rules can be created, deleted and edited. There can be any number of rules, but not all of them need to be in use: rules are assigned to groups or users and work only for them.

Figure 14. List of traffic control rules in UserGate Proxy & Firewall

Each rule represents one or more conditions combined with the logical operators AND or OR. When they are executed, the specified action is triggered. The rule properties window consists of five tabs. The first one sets the basic parameters: name, type of logic, as well as the object and the action to be performed with it. Here you have options such as closing the connection, disabling traffic counting, enabling speed limits, etc.

Figure 15. Basic parameters of a traffic control rule in UserGate Proxy & Firewall

The second tab specifies the protocols for which the rule will work. By default they are all activated. However, the administrator can disable some of them.

Figure 16. Configuring protocols in a traffic control rule in UserGate Proxy & Firewall

The next tab allows you to set a schedule, i.e. the time periods during which the rule is in effect.

Figure 17. Configuring the schedule of a traffic control rule in UserGate Proxy & Firewall

The fourth tab is intended for entering restrictions on daily, weekly or monthly traffic consumption. The rule will be triggered when the user reaches a certain limit. In addition, on this tab you can set restrictions on the size of uploaded files.

Figure 18. Configuring consumption restrictions in a traffic control rule in UserGate Proxy & Firewall

The last, fifth tab allows you to configure web content filtering. On it you can set conditions of four different types: by IP address (or range of IP addresses), by site address (including by a fragment of the address), by content type (by entire categories - audio, video, pictures, text documents, etc. - or by individual extensions - *.avi, *.mp3, *.flv, etc.), and by site category. It is worth noting that the content type to be filtered can be specified explicitly.

Figure 19. Configuring web content filtering conditions in a traffic control rule in UserGate Proxy & Firewall

The conditions described above can be combined in any combination, which allows you to create very flexible rules that describe almost any corporate policy for using the Internet.
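The rule model described over the last few paragraphs (conditions joined with AND or OR, protocol, schedule, consumption limits, content filtering, rules bound to users or groups) is easy to misjudge without seeing it evaluated against concrete requests. The following is an added example, not UserGate code: a small rule engine of the same shape. The condition types, field names, the sample policy and the sample requests are this example's own assumptions, and it goes slightly beyond the text by combining all five kinds of condition in one evaluator.

```python
"""Added example (not UserGate code): a model of traffic-control rules. A rule is one
or more conditions joined with AND or OR; when the combination holds, the rule's
action applies. Rules bound to a user or group are skipped for everyone else."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, List


@dataclass
class Request:
    user: str
    group: str
    protocol: str          # e.g. "HTTP", "FTP", "POP3"
    url: str               # requested address; may be empty for non-web protocols
    dest_ip: str
    when: datetime
    bytes_today: int       # traffic the user has already consumed today
    category: str = ""     # site category from URL filtering, if known


Condition = Callable[[Request], bool]


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper so sample requests can be built without importing datetime."""
    return datetime(year, month, day, hour)


def protocol_in(*protocols: str) -> Condition:
    allowed = {p.upper() for p in protocols}
    return lambda r: r.protocol.upper() in allowed


def within_schedule(weekdays: set, start_hour: int, end_hour: int) -> Condition:
    """True inside [start_hour, end_hour) on the given weekdays (0 = Monday)."""
    return lambda r: r.when.weekday() in weekdays and start_hour <= r.when.hour < end_hour


def daily_quota_exceeded(limit_bytes: int) -> Condition:
    return lambda r: r.bytes_today >= limit_bytes


def url_contains(fragment: str) -> Condition:
    return lambda r: fragment.lower() in r.url.lower()


def extension_is(*exts: str) -> Condition:
    wanted = {e.lower().lstrip("*") for e in exts}   # accepts "*.avi" or ".avi"

    def check(r: Request) -> bool:
        path = r.url.split("?", 1)[0].split("#", 1)[0]  # ignore query/fragment
        dot = path.rfind(".")
        return dot != -1 and path[dot:].lower() in wanted
    return check


def dest_in(cidr: str) -> Condition:
    net = ip_network(cidr, strict=False)
    return lambda r: ip_address(r.dest_ip) in net


def category_is(*cats: str) -> Condition:
    wanted = {c.lower() for c in cats}
    return lambda r: r.category.lower() in wanted


@dataclass
class Rule:
    name: str
    action: str                       # e.g. "close connection", "limit speed 128 kbit/s"
    conditions: List[Condition]
    logic: str = "AND"                # "AND" or "OR"
    applies_to: set = field(default_factory=set)   # users/groups; empty = everyone

    def matches(self, r: Request) -> bool:
        if self.applies_to and not ({r.user, r.group} & self.applies_to):
            return False
        results = (c(r) for c in self.conditions)
        return all(results) if self.logic == "AND" else any(results)


def evaluate(rules: List[Rule], r: Request) -> List[str]:
    """Return the actions of every matching rule, in rule order."""
    return [rule.action for rule in rules if rule.matches(r)]


# Constructed policy (assumption): block video downloads for the "staff" group during
# working hours, cut off a user past 100 MB per day, throttle FTP, and block known-bad
# categories or a blocked address range.
POLICY = [
    Rule("no video at work", "close connection",
         [extension_is("*.avi", "*.mp4", "*.flv"), within_schedule({0, 1, 2, 3, 4}, 9, 18)],
         logic="AND", applies_to={"staff"}),
    Rule("daily quota", "close connection", [daily_quota_exceeded(100 * 1024 * 1024)]),
    Rule("slow ftp", "limit speed 128 kbit/s", [protocol_in("FTP")]),
    Rule("blocked sites", "close connection",
         [category_is("malware", "phishing"), dest_in("203.0.113.0/24")], logic="OR"),
]

if __name__ == "__main__":
    req = Request("alice", "staff", "HTTP", "http://example.net/clip.avi?x=1",
                  "198.51.100.5", at(2024, 3, 5, 11), 10_000_000)
    print(evaluate(POLICY, req))  # ['close connection']
```

Note that the engine returns every matching action rather than stopping at the first; whether a product applies the first match or all matches is a design decision worth checking in its documentation before relying on rule order.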

Stage 4. Adding users

UserGate Proxy & Firewall provides two ways to add users: manually and by integrating with Active Directory. It is clear that the first of these is only intended for small companies that use a simple peer-to-peer network. If the organization has deployed a domain, then it is much easier and more efficient to use integration with Active Directory.

If you select the second option for adding users, you must first configure the synchronization settings. This can be done on the "Groups" tab of the "Users and Groups" section. To enter parameters, click on the “Setting up synchronization with AD” button and enter the domain name, controller address, administrator login and password, and data update frequency in the window that opens.

Figure 20. Settings for synchronizing UserGate Proxy & Firewall with Active Directory

Working with accounts begins with entering user groups, to each of which you can assign previously created rules. Rules assigned to a group apply immediately to all of its accounts, which simplifies management.

Figure 21. List of groups in UserGate Proxy & Firewall

After you finish working with groups, you can begin setting up the list of users. With the manual method, each account has to be entered individually, setting all of its properties, including the authorization method. With synchronization, the list of accounts is filled in and kept up to date automatically. If necessary, you can make changes to user accounts, for example set a different authorization method (NTLM authorization is used by default).

Figure 22. List of accounts in UserGate Proxy & Firewall

Here it is necessary to make a small digression. To use some authorization methods (login and password entered in UserGate Proxy & Firewall, Windows login, authorization through Active Directory) you must install a special program on workstations - the UserGate authorization client. Its installation package (AuthClientInstall.msi) is located in the Tools subfolder of the product installation directory. It can be installed either manually or using Active Directory group policies.

At this point, the initial setup procedure for UserGate Proxy & Firewall can be considered complete. Our proxy server is completely ready to work. In the future, the administrator can connect to it remotely at any time and change the previously specified parameters.

UserGate Proxy & Firewall belongs to the class of applications that do not require constant attention from the administrator. Connecting to the Internet, switching to the backup channel and back, monitoring the use of the global network by company employees and other actions are performed automatically. So, in fact, all further work comes down to studying statistics and, occasionally, changing some operating parameters.

To work with the information collected by the system, a special application can be used – “UserGate Statistics”. With its help, the administrator or responsible employee can view complete data, filtering it by date, destination, user, protocol, website category and other parameters, as well as export it in different formats.

Figure 24. Viewing statistics using a special application

There is another option for viewing the collected information - web statistics. With its help, you can study data using a browser. Interestingly, not only administrators, but also ordinary users can do this. At the same time, only their personal statistics will be available to them.

Figure 25. Viewing statistics using a browser

Conclusions

In conclusion, let's summarize. A detailed examination of the capabilities of UserGate Proxy & Firewall showed that today this product is one of the most functional proxy servers present on the Russian market. With its help, you can solve almost any problem related to organizing shared access to the Internet.

An important feature of the product considered is the ability to implement corporate policies for using the global network. Denying access to potentially dangerous sites, blocking the loading of certain types of content, and some other features increase the level of security of the information system.

An important factor is the presence of security tools in UserGate Proxy & Firewall, which allow you to quickly and easily organize protection of the local network perimeter from external threats: antivirus and firewall. Of course, their use does not replace the need to protect workstations. However, a two-stage “defense”, during which network traffic is checked sequentially (first at the Internet gateway level, and then at the user computer level) usually turns out to be much more effective.

The main disadvantages of UserGate Proxy & Firewall are not technical, but rather “economic” in nature. We are talking about the need to annually renew licenses for the use of anti-virus modules, as well as a system for filtering sites based on categories. In principle, the proxy server can work without them, especially since the license for UserGate Proxy & Firewall itself is unlimited. However, these functions can significantly increase the security of the information system, and, therefore, their use is still desirable.

Today, the management of all companies has probably already appreciated the opportunities that the Internet provides for doing business. We are, of course, not talking about online stores and e-commerce, which, whatever one may say, today are more marketing tools than a real way to increase the turnover of goods or services. The global network is an excellent information environment, an almost inexhaustible source of a wide variety of data. In addition, it provides fast and cheap communication with both clients and partners of the company. The potential of the Internet for marketing cannot be discounted. Thus, it turns out that the Global Network, in general, can be considered a multifunctional business tool that can increase the efficiency of company employees in performing their duties.

However, first you need to provide these employees with access to the Internet. Simply connecting one computer to the Global Network is not a problem today. There are many ways this can be done. There are also many companies offering a practical solution to this problem. But it is unlikely that the Internet on one computer will be able to bring noticeable benefits to the company. Every employee should have access to the Internet from their workplace. And here we cannot do without special software, the so-called proxy server. In principle, the capabilities of operating systems of the Windows family make it possible to make any connection to the Internet common. In this case, other computers on the local network will have access to it. However, this decision is hardly worth considering at least seriously. The fact is that when choosing it, you will have to forget about control over the use of the Global Network by company employees. That is, anyone from any corporate computer can access the Internet and do whatever they want there. And what this threatens probably doesn’t need to be explained to anyone.

Thus, the only acceptable way for a company to organize the connection of all computers included in the corporate local network is a proxy server. Today there are many programs of this class on the market. But we will only talk about one development. It's called UserGate, and it was created by eSafeLine specialists. The main features of this program are its wide functionality and a very convenient Russian-language interface. In addition, it is worth noting that it is constantly evolving. Recently, a new, fourth version of this product was presented to the public.

So, UserGate. This software product consists of several separate modules. The first of them is the server itself. It must be installed on a computer directly connected to the Internet (Internet Gateway). It is the server that provides user access to the Global Network, counts the traffic used, maintains operation statistics, etc. The second module is intended for system administration. With its help, the responsible employee carries out all the configuration of the proxy server. The main feature of UserGate in this regard is that the administration module does not have to be located on the Internet gateway. Thus, we are talking about remote control of the proxy server. This is very good, since the system administrator gets the opportunity to manage Internet access directly from his workplace.

In addition, UserGate includes two more separate software modules. The first of them is needed for convenient viewing of Internet usage statistics and building reports based on it, and the second is for authorizing users in some cases. This approach goes well with the Russian-language and intuitive interface of all modules. All together, this allows you to quickly and without any problems set up shared access to the Global Network in any office.

But let's move on to analyzing the functionality of the UserGate proxy server. We need to start with the fact that this program implements two different ways of configuring DNS (perhaps the most important task when implementing shared access). The first of them is NAT (Network Address Translation). It provides very accurate accounting of consumed traffic and allows users to use any protocols allowed by the administrator. However, it is worth noting that some network applications will not work correctly in this case. The second option is DNS forwarding. It has greater limitations compared to NAT, but can be used on computers with older operating system families (Windows 95, 98 and NT).

Internet permissions are configured using the terms "user" and "user group". Moreover, interestingly, in the UserGate proxy server, the user is not necessarily a person. A computer can also play its role. That is, in the first case, access to the Internet is allowed to certain employees, and in the second - to all people sitting at a PC. Naturally, different methods of user authorization are used. If we are talking about computers, then they can be identified by their IP address, a combination of IP and MAC addresses, or a range of IP addresses. To authorize employees, special login/password pairs, data from Active Directory, name and password that match the Windows authorization information, etc. can be used. For ease of setup, users can be combined into groups. This approach allows you to manage access for all employees with the same rights (in the same positions) at once, rather than setting up each account separately.

The UserGate proxy server also has its own billing system. The administrator can set any number of tariffs that describe how much one unit of incoming or outgoing traffic or connection time costs. This allows you to keep accurate records of all Internet expenses linked to users. That is, the company management will always know who spent how much. By the way, tariffs can be made dependent on the current time, which allows you to accurately reproduce the pricing policy of the provider.

The UserGate proxy server allows you to implement any, no matter how complex, corporate Internet access policy. For this purpose, so-called rules are used. With their help, the administrator can set restrictions for users on operating time, on the amount of sent or received traffic per day or month, on the amount of time used per day or month, etc. If these limits are exceeded, access to the Global Network will be automatically blocked. In addition, using rules, you can impose restrictions on the access speed of individual users or entire groups of them.

Another example of the use of rules is restricting access to certain IP addresses or their ranges, to entire domain names or to addresses containing certain strings, etc. That is, in fact, we are talking about site filtering, with the help of which you can prevent employees from visiting unwanted web projects. But, of course, these are not all the applications of the rules. With their help, you can, for example, switch tariffs depending on the site currently being loaded (necessary to account for the preferential traffic that some providers offer), configure the cutting out of advertising banners, etc.

By the way, we have already said that the UserGate proxy server has a separate module for working with statistics. With its help, the administrator can view the consumed traffic at any time (total, for each user, for user groups, for sites, for server IP addresses, etc.). Moreover, all this is done very quickly using a convenient filter system. In addition, this module implements a report generator, with which the administrator can prepare any reports and export them to MS Excel format.

A very interesting solution from the developers is the integration of an anti-virus module into the firewall, which checks all incoming and outgoing traffic. Moreover, they did not reinvent the wheel, but integrated the engine developed by Kaspersky Lab. This solution guarantees, firstly, truly reliable protection against all malicious programs, and secondly, regular updating of the signature databases. Another important feature in terms of information security is the built-in firewall. This one was created by the UserGate developers themselves. Unfortunately, it is worth noting that the firewall integrated into the proxy server is quite different in its capabilities from the leading products in this area. Strictly speaking, it is a module that simply blocks traffic on the ports and protocols specified by the administrator, to and from computers with specified IP addresses. It does not have a stealth mode or some of the other functions generally expected of firewalls.

Unfortunately, one article cannot include a detailed analysis of all the functions of the UserGate proxy server. Therefore, let's at least list the most interesting of them not covered in our review. Firstly, there is caching of files downloaded from the Internet, which allows you to really save money on the provider's services. Secondly, it is worth noting the port mapping function, which allows you to bind any selected port of one of the local Ethernet interfaces to the desired port of a remote host (this function is necessary for the operation of network applications such as bank-client systems, various games, etc.). In addition, the UserGate proxy server implements such features as access to internal corporate resources, a task scheduler, connection to a proxy cascade, real-time monitoring of the traffic and IP addresses of active users, their logins and visited URLs, and much more.

Well, now it’s time to take stock. We, dear readers, have examined in some detail the UserGate proxy server, with the help of which you can organize general access to the Internet in any office. And we were convinced that this development combines simplicity and ease of setup and use with a very extensive set of functionality. All this makes the latest version of UserGate a very attractive product.

Note: This article has been edited and updated with current data and additional links.

UserGate Proxy & Firewall is a UTM (Unified Threat Management) class Internet gateway that allows you to provide and control shared employee access to Internet resources, filter malicious, dangerous and unwanted sites, protect the company's network from external intrusions and attacks, create virtual networks and organize secure VPN access to network resources from outside, as well as manage channel width and Internet applications.

The product is an effective alternative to expensive software and hardware and is intended for use in small and medium-sized businesses, government agencies, and large organizations with a branch structure.

You can find all additional information about the product.

The program has additional paid modules:

  • Kaspersky Antivirus
  • Panda Antivirus
  • Avira Antivirus
  • Entensys URL Filtering

The license for each module is provided for one calendar year. You can test the operation of all modules in a trial key, which can be provided for a period of 1 to 3 months for an unlimited number of users.

You can read in detail about the licensing rules.

For all questions related to the purchase of Entensys solutions, please contact: [email protected] or by calling the toll-free line: 8-800-500-4032.

System requirements

To organize a gateway, you need a computer or server that must meet the following system requirements:

  • CPU frequency: from 1.2 GHz
  • RAM capacity: from 1024 Gb
  • HDD capacity: from 80 GB
  • Number of network adapters: 2 or more

The more users there are (beyond roughly 75), the more powerful the server hardware should be.

We recommend installing our product on a computer with a "clean" server operating system; the recommended operating systems are Windows 2008/2012.
We do not guarantee correct operation of UserGate Proxy&Firewall alongside third-party services, and we do not recommend running it on a gateway that also performs any of the following roles:

  • Is domain controller
  • Is a virtual machine hypervisor
  • Is terminal server
  • Acts as a high-load DBMS/DNS/HTTP server, etc.
  • Acts as a SIP server
  • Runs business-critical services
  • All of the above

UserGate Proxy&Firewall may currently conflict with the following types of software:

  • All third-party firewall solutions, without exception
  • BitDefender antivirus products
  • Anti-virus modules that perform the Firewall or Anti-Hacker function in most anti-virus products; it is recommended to disable these modules
  • Anti-virus modules that scan data transmitted via HTTP/SMTP/POP3 protocols; this may cause a delay when actively working through a proxy
  • Third-party software products that are capable of intercepting data from network adapters - “speed meters”, “shapers”, etc.
  • Active Windows Server role "Routing and Remote Access" in NAT/Internet Connection Sharing (ICS) mode

Attention! During installation, it is recommended to disable IPv6 protocol support on the gateway, provided that applications that use IPv6 are not used. The current implementation of UserGate Proxy&Firewall does not support the IPv6 protocol, and accordingly, filtering of this protocol is not carried out. Thus, the host can be accessible from the outside via the IPv6 protocol even with prohibitive firewall rules activated.

When configured correctly, UserGate Proxy&Firewall is compatible with the following services:

Microsoft Windows Server roles:

  • DNS server
  • DHCP server
  • Print server
  • File (SMB) server
  • Application server
  • WSUS server
  • WEB server
  • WINS server
  • VPN server

And with third party products:

  • FTP/SFTP servers
  • Messaging servers - IRC/XMPP

When installing UserGate Proxy&Firewall, make sure that third-party software does not use the port or ports that UserGate Proxy&Firewall can use. By default, UserGate uses the following ports:

  • 25 - SMTP proxy
  • 80 - transparent HTTP proxy
  • 110 - POP3 proxy
  • 2345 - UserGate administrator console
  • 5455 - UserGate VPN server
  • 5456 - UserGate authorization client
  • 5458 - DNS forwarding
  • 8080 - HTTP proxy
  • 8081 - UserGate web statistics

All ports can be changed using the UserGate administrator console.
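To check for port conflicts before installation, the following script is an added example (not part of the article and not UserGate's own tooling). It tries to bind a listening socket to each default UserGate port over both TCP and UDP; a bind failure means another program already owns that port on this host (or, for ports below 1024, that the script lacks the required privileges). The port list is taken from the article; the host address and the conservative "check both protocols" choice are assumptions.

```python
import socket

# Default UserGate Proxy&Firewall ports, as listed in the article.
DEFAULT_PORTS = {
    25: "SMTP proxy",
    80: "transparent HTTP proxy",
    110: "POP3 proxy",
    2345: "UserGate administrator console",
    5455: "UserGate VPN server",
    5456: "UserGate authorization client",
    5458: "DNS forwarding",
    8080: "HTTP proxy",
    8081: "UserGate web statistics",
}


def port_is_free(port, host="0.0.0.0"):
    """Return True only if host:port can be bound over both TCP and UDP.

    Checking both protocols is an assumption made here for safety: a port
    taken by either kind of socket is reported as busy.
    """
    for kind in (socket.SOCK_STREAM, socket.SOCK_DGRAM):
        with socket.socket(socket.AF_INET, kind) as s:
            try:
                s.bind((host, port))
            except OSError:
                # EADDRINUSE, or EACCES for privileged ports without rights
                return False
    return True


def find_conflicts(ports=DEFAULT_PORTS, host="0.0.0.0"):
    """Map each port that cannot be bound to the UserGate service that needs it."""
    return {port: service for port, service in ports.items()
            if not port_is_free(port, host)}


if __name__ == "__main__":
    busy = find_conflicts()
    if not busy:
        print("All default UserGate ports are free on this host.")
    for port, service in sorted(busy.items()):
        print(f"port {port} is already in use; UserGate needs it for: {service}")
```

Run it on the future gateway before installing; every reported port must either be freed or remapped later in the UserGate administrator console.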

Installing the program and selecting a database to work with

UserGate Proxy & Firewall Setup Wizard

A more detailed description of setting up NAT rules is described in this article:

UserGate Agent

After installing UserGate Proxy&Firewall, you must reboot the gateway. After logging in to the system, the UserGate agent icon in the Windows taskbar next to the clock should turn green. If the icon is gray, an error occurred during installation and the UserGate Proxy&Firewall server service is not running; in this case, consult the appropriate section of the Entensys knowledge base or contact Entensys technical support.

The product is configured through the UserGate Proxy&Firewall administration console, which can be called either by double-clicking on the UserGate agent icon or on the shortcut from the Start menu.
When you launch the administration console, the first step is to register your product.

General settings

In the General Settings section of the Administrator console, set the password for the Administrator user. Important! Do not use Unicode special characters or the product PIN as a password to access the administration console.

The UserGate Proxy&Firewall product has an attack protection mechanism, which you can also activate in the "General Settings" menu. The attack protection mechanism is an active mechanism, a kind of "red button" that works on all interfaces. It is recommended to use this function in case of DDoS attacks or mass infection of computers within the local network with malware (viruses/worms/botnet applications). The attack protection mechanism can block users of file-sharing clients (torrents, Direct Connect) and some types of VoIP clients/servers that actively exchange traffic. To get the IP addresses of blocked computers, open the file ProgramData\Entensys\Usergate6\logging\fw.log or Documents and Settings\All users\Application data\Entensys\Usergate6\logging\fw.log.

Attention! It is recommended to change the parameters described below only if there are a large number of clients/high gateway throughput requirements.

This section also contains the following settings: "Maximum number of connections" - the maximum number of all connections through NAT and through the UserGate Proxy&Firewall proxy.

"Maximum number of NAT connections" - the maximum number of connections that UserGate Proxy&Firewall can pass through the NAT driver.

If the number of clients is no more than 200-300, then it is not recommended to change the “Maximum number of connections” and “Maximum number of NAT connections” settings. Increasing these parameters can lead to a significant load on the gateway hardware and is recommended only when optimizing settings for a large number of clients.

Interfaces

Attention! Before doing this, be sure to check your network adapter settings in Windows! The interface connected to the local network (LAN) must not contain a gateway address! It is not necessary to specify DNS servers in the LAN adapter settings; the IP address must be assigned manually; we do not recommend obtaining it using DHCP.

The IP address of the LAN adapter must have a private IP address. It is acceptable to use an IP address from the following ranges:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

The allocation of private network addresses is described in RFC 1918.

Using other ranges as addresses for the local network will lead to errors in the operation of UserGate Proxy&Firewall.

The interface connected to the Internet (WAN) must contain an IP address, network mask, gateway address, and DNS server addresses.
It is not recommended to use more than three DNS servers in the WAN adapter settings; this can lead to errors in network operation. First check the functionality of each DNS server using the nslookup command in the cmd.exe console, example:

nslookup usergate.ru 8.8.8.8

where 8.8.8.8 is the DNS server address. The response must contain the IP address of the requested server. If there is no response, then the DNS server is not valid, or DNS traffic is blocked.

You must set the type of each interface. The interface whose IP address is connected to the internal network must be of type LAN; the interface connected to the Internet must be of type WAN.

If there are several WAN interfaces, then you need to select the main WAN interface through which all traffic will flow by right-clicking on it and selecting “Set as primary connection.” If you plan to use another WAN interface as a backup channel, we recommend using the "Setup Wizard".

Attention! When setting up a backup connection, specify an IP address rather than a DNS host name, so that UserGate Proxy&Firewall can periodically poll it with ICMP (ping) requests and, if there is no response, switch to the backup connection. Make sure that the DNS servers in the backup network adapter settings in Windows are working.
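The checks in this section (a private LAN address from one of the three RFC 1918 ranges, no gateway on the LAN adapter, a complete WAN configuration with at most three DNS servers, and a working DNS server) can be scripted. The block below is an added example, not code from the article or from UserGate; it implements the DNS probe itself with a minimal RFC 1035 A-record query over UDP instead of calling nslookup, and its dict layout for adapter settings is an assumption made for illustration. The usergate.ru name and 8.8.8.8 address come from the article.

```python
import ipaddress
import random
import socket
import struct

# Exactly the three RFC 1918 ranges the article permits for the LAN adapter.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_interfaces(lan, wan):
    """Return a list of problems in the adapter settings (empty list = OK).

    lan and wan are assumed to be dicts with keys ip, mask, gateway, dns.
    """
    problems = []
    if not is_rfc1918(lan["ip"]):
        problems.append(f"LAN address {lan['ip']} is not in an RFC 1918 range")
    if lan.get("gateway"):
        problems.append("LAN adapter must not have a gateway address")
    for key in ("ip", "mask", "gateway"):
        if not wan.get(key):
            problems.append(f"WAN adapter is missing its {key}")
    dns = wan.get("dns") or []
    if not dns:
        problems.append("WAN adapter has no DNS servers")
    if len(dns) > 3:
        problems.append("WAN adapter has more than three DNS servers")
    return problems


def build_query(name, txid):
    """Minimal DNS query for an A record: header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, pos):
    """Advance past a (possibly compressed) domain name in the wire format."""
    while True:
        n = data[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return pos + 2
        pos += n + 1


def parse_a_records(data, txid):
    """Return IPv4 addresses from the answer section, or [] if not a valid reply."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # wrong transaction id or not a response
        return []
    pos = 12
    for _ in range(qd):                      # skip the echoed question(s)
        pos = _skip_name(data, pos) + 4      # + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs


def dns_server_works(server, name="usergate.ru", timeout=3.0):
    """Equivalent of 'nslookup usergate.ru <server>': True if an A record comes back."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return False           # no answer: server down or DNS traffic blocked
    return bool(parse_a_records(data, txid))


if __name__ == "__main__":
    # Constructed sample settings, not real adapter data.
    lan = {"ip": "192.168.1.1", "mask": "255.255.255.0", "gateway": "", "dns": []}
    wan = {"ip": "203.0.113.5", "mask": "255.255.255.0",
           "gateway": "203.0.113.1", "dns": ["8.8.8.8"]}
    print(check_interfaces(lan, wan) or "adapter settings look correct")
    for server in wan["dns"]:
        print(server, "works" if dns_server_works(server) else "does NOT answer")
```

A server that answers but returns no A record is reported as not working, matching the article's rule that the response must contain the IP address of the requested host.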

Users and groups

In order for the client computer to log in to the gateway and gain access to the UserGate Proxy&Firewall and NAT services, it is necessary to add users. To simplify this procedure, use the scanning function - "Scan local network". UserGate Proxy&Firewall will independently scan the local network and provide a list of hosts that can be added to the list of users. Next, you can create groups and include users in them.

If you have deployed a domain controller, then you can configure synchronization of groups with groups in Active Directory, or import users from Active Directory, without constant synchronization with Active Directory.

Create a group that will be synchronized with the group or groups from AD, enter the necessary data in the "Synchronization with AD" menu, and restart the UserGate service using the UserGate agent. After 300 seconds the users are automatically imported into the group, with their authentication method set to AD.

Firewall

For correct and safe operation of the gateway, the firewall must be configured.

The following firewall operation algorithm is recommended: block all traffic, then add allowing rules in the necessary directions. To do this, set the #NONUSER# rule to "Deny" mode (this prohibits all local traffic on the gateway). Caution! If you are configuring UserGate Proxy&Firewall remotely, you will be disconnected from the server. Then create the allowing rules.

We allow all local traffic, on all ports from the gateway to the local network and from the local network to the gateway, by creating rules with the following parameters:

Source - "LAN", destination - "Any", services - ANY:FULL, action - "Allow"
Source - "Any", destination - "LAN", services - ANY:FULL, action - "Allow"

Then we create a rule that will open Internet access for the gateway:

Source - "WAN"; destination - "Any"; services - ANY:FULL; action - "Allow"

If you need to allow access for incoming connections on all ports to the gateway, then the rule will look like this:

Source - "Any"; destination - "WAN"; services - ANY:FULL; action - "Allow"

And if you need the gateway to accept incoming connections, for example, only via RDP (TCP:3389), and it can be pinged from the outside, then you need to create the following rule:

Source - "Any"; destination - "WAN"; services - Any ICMP, RDP; action - "Allow"

In all other cases, for security reasons, creating a rule for incoming connections is not necessary.

In order to give client computers access to the Internet, you need to create a network address translation (NAT) rule.

Source - "LAN"; destination - "WAN"; services - ANY:FULL; action - "Allow"; select users or groups to whom you want to grant access.

Firewall rules can be configured either way: explicitly allow what is denied by default, or explicitly deny what is allowed by default, depending on how you configure the #NON_USER# rule and what your company policy is. All rules have priority: they are evaluated in order from top to bottom.
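The rule set built above and the top-to-bottom ordering can be modelled in a few lines. The block below is an added example written for this article, not UserGate's own rule engine: it assumes first-match semantics, treats "LAN" and "WAN" as the gateway's own interface on the sending or receiving side (as the article's rules do) and uses the constructed label "Host" for any other machine, and models the #NONUSER# rule as the default action. It reproduces the article's rules and shows why a Deny placed below a broad Allow never fires.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    source: str         # "LAN", "WAN" or "Any"
    destination: str    # "LAN", "WAN" or "Any"
    services: tuple     # service names; ("ANY:FULL",) matches every service
    action: str         # "Allow" or "Deny"

    def matches(self, src, dst, service):
        zone_ok = self.source in ("Any", src) and self.destination in ("Any", dst)
        svc_ok = "ANY:FULL" in self.services or service in self.services
        return zone_ok and svc_ok


def evaluate(rules, src, dst, service, default="Deny"):
    """Walk the rules top to bottom; the first match decides (assumed semantics).

    `default` stands in for the #NONUSER# rule, which the article sets to Deny.
    Returns (action, name_of_deciding_rule).
    """
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule.action, rule.name
    return default, "#NONUSER#"


# The article's recommended set: local traffic both ways, gateway outbound,
# and only RDP and ICMP accepted on the WAN interface from outside.
RECOMMENDED = [
    Rule("lan-out", "LAN", "Any", ("ANY:FULL",), "Allow"),
    Rule("lan-in",  "Any", "LAN", ("ANY:FULL",), "Allow"),
    Rule("gw-out",  "WAN", "Any", ("ANY:FULL",), "Allow"),
    Rule("wan-in",  "Any", "WAN", ("Any ICMP", "RDP"), "Allow"),
]

# Ordering pitfall: the Deny never fires because the broad Allow sits above it.
BAD_ORDER = [
    Rule("open-wan", "Any", "WAN", ("ANY:FULL",), "Allow"),
    Rule("no-rdp",   "Any", "WAN", ("RDP",), "Deny"),
]

if __name__ == "__main__":
    # Constructed traffic samples: (source, destination, service).
    samples = [("Host", "LAN", "ANY:FULL"),   # LAN client to gateway
               ("WAN", "Host", "HTTP"),       # gateway to the Internet
               ("Host", "WAN", "RDP"),        # admin RDP from outside
               ("Host", "WAN", "HTTP")]       # anything else from outside
    for src, dst, svc in samples:
        print(f"{src:>4} -> {dst:<4} {svc:<9}", evaluate(RECOMMENDED, src, dst, svc))
    print("misordered:", evaluate(BAD_ORDER, "Host", "WAN", "RDP"))
    print("reordered: ", evaluate(BAD_ORDER[::-1], "Host", "WAN", "RDP"))
```

When adding a narrower rule to an existing set, place it above any broader rule that would also match, otherwise it is never reached.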

Options for various settings and examples of firewall rules can be viewed.

Other settings

Next, in the Services - Proxy section, you can enable the necessary proxy servers - HTTP, FTP, SMTP, POP3, SOCKS. Select the required interfaces; enabling the “listen on all interfaces” option may not be safe, because the proxy in this case will be available both on LAN interfaces and on external interfaces. The "transparent" proxy mode routes all traffic on the selected port to the proxy port; in this case, there is no need to specify a proxy on client computers. The proxy also remains available on the port specified in the settings of the proxy server itself.

If transparent proxy mode is enabled on the server (Services - Proxy Settings), it is enough to specify the UserGate server as the default gateway in the network settings of the client machine. You can also specify the UserGate server as the DNS server; in this case, DNS forwarding must be enabled.

If transparent mode is disabled on the server, then you need to enter the UserGate server address and the corresponding proxy port specified in Services - Proxy settings in the browser connection settings. You can see an example of setting up a UserGate server for such a case.

If your network has a configured DNS server, you can specify it in the UserGate DNS forwarding settings and the UserGate WAN adapter settings. In this case, both in NAT mode and in proxy mode, all DNS requests will be directed to this server.
