What is UserGate. Review of the UserGate proxy server, a comprehensive solution for providing shared Internet access. Control of network applications


Today, the management of practically every company has already appreciated the opportunities that the Internet provides for doing business. This is, of course, not about online stores and e-commerce, which, whatever one may say, are today more marketing tools than a real way of increasing the turnover of goods or services. The global network is an excellent information environment, an almost inexhaustible source of a wide variety of data. In addition, it provides fast and cheap communication with both clients and partners of the firm. One cannot discount the marketing opportunities of the Internet either. Thus, it turns out that the global network, in general, can be considered a multifunctional business tool that can make the company's employees more efficient at performing their duties.

However, first you need to provide these employees with Internet access. Just connecting one computer to the global network is not a problem today. There are many ways to do this, and there are also many companies offering a practical solution to this problem. But the Internet on one computer is unlikely to bring a noticeable benefit to the company. Every employee should have access to the Web from his workplace. And here we cannot do without special software, the so-called proxy server. In principle, the capabilities of operating systems of the Windows family allow you to make any connection to the Internet shared. In this case, other computers on the local network... However, this option should hardly be taken seriously. The fact is that when choosing it, you will have to forget about control over the use of the global network by the company's employees. That is, any person from any corporate computer can access the Internet and do whatever they want there. The dangers of this hardly need to be explained to anyone.

Thus, the only acceptable way for the company to organize the connection of all computers included in the corporate LAN is a proxy server. There are many programs of this class on the market today. But we will only talk about one development. It is called UserGate and was created by eSafeLine specialists. The main features of this program are wide functionality and a very convenient Russian-language interface. In addition, it is worth noting that it is constantly evolving. Recently a new, fourth version of this product was presented to the public.

So, UserGate. This software product consists of several separate modules. The first one is the server itself. It must be installed on a computer directly connected to the Internet (the Internet gateway). It is the server that implements user access to the global network, counts the traffic used, keeps statistics of work, etc. The second module is intended for system administration. With its help, the responsible employee carries out all the proxy server settings. The main feature of UserGate in this regard is that the administration module does not have to be placed on the Internet gateway. Thus, we are talking about remote control of the proxy server. This is very good, because the system administrator gets the ability to control Internet access directly from his workplace.

In addition, UserGate includes two more separate software modules. The first one is needed for convenient viewing of Internet usage statistics and building reports on its basis, and the second one - for user authorization in some cases. This approach is perfectly combined with the Russian-language and intuitive interface of all modules. Together, this allows you to quickly and without any problems set up a shared access to the global network in any office.

But let's move on to analyzing the functionality of the UserGate proxy server. It should be said first that this program implements two different methods of setting up DNS (perhaps the most important task when implementing shared access). The first one is NAT (Network Address Translation). It provides very accurate accounting of the traffic consumed and allows users to use any protocol allowed by the administrator. However, it should be noted that some network applications will not work correctly in this case. The second option is DNS forwarding. It has more limitations than NAT, but it can be used on computers with legacy operating systems (Windows 95, 98 and NT).

Internet permissions are configured using the terms "user" and "user group". Interestingly, in the UserGate proxy server a user is not necessarily a person. A computer can also play this role. That is, in the first case, access to the Internet is allowed for certain employees, and in the second, for all people who sit down at a particular PC. Naturally, different methods of user authorization are used. When it comes to computers, they can be identified by their IP address, by an IP/MAC address pair, or by a range of IP addresses. Employees are authorized with dedicated username/password pairs, data from Active Directory, a name and password matching their Windows logon credentials, etc. For convenience, users can be combined into groups. This approach allows you to manage access at once for all employees with the same rights (those in the same positions), rather than configuring each account separately.

The UserGate proxy server also has its own billing system. The administrator can set any number of tariffs describing how much one unit of incoming or outgoing traffic or connection time costs. This allows you to keep accurate records of all Internet expenses with reference to users. That is, the company's management will always know who spent how much. By the way, tariffs can be made dependent on the current time, which allows you to exactly reproduce the provider's pricing policy.

UserGate proxy server allows you to implement any, no matter how complex, corporate Internet access policy. For this, so-called rules are used. With their help, the administrator can set limits for users by working time, by the amount of traffic sent or received per day or month, by the amount of time used per day or month, etc. If these limits are exceeded, access to the WAN will be automatically blocked. In addition, using rules, you can impose restrictions on the access speed of individual users or their entire groups.

Another example of the use of rules is restricting access to certain IP addresses or their ranges, to entire domain names or to addresses containing certain strings, etc. That is, in fact, we are talking about site filtering, which lets you prevent employees from visiting unwanted web projects. But, naturally, these are not all the examples of how rules can be applied. With their help you can, for example, switch tariffs depending on the site being visited at the moment (this is necessary to take into account the preferential traffic that some providers offer), configure the cutting of advertising banners, etc.

By the way, we have already said that the UserGate proxy server has a separate module for working with statistics. With its help, the administrator can view the consumed traffic at any time (total, for each user, for user groups, for sites, for server IP addresses, etc.). And all this is done very quickly using a convenient filter system. In addition, this module implements a report generator, with the help of which the administrator can draw up any report and export it to MS Excel format.

A very interesting decision of the developers is the integration of an anti-virus module into the firewall, which checks all incoming and outgoing traffic. And they did not reinvent the wheel, but integrated the development of Kaspersky Lab. Such a solution guarantees, firstly, truly reliable protection against all malicious programs and, secondly, regular updates of the signature databases. Another feature that matters for information security is the built-in firewall. This one was created by the UserGate developers themselves. Unfortunately, it should be noted that the firewall integrated into the proxy server is quite different in its capabilities from the leading products in this area. Strictly speaking, we are talking about a module that simply blocks traffic going through the ports and protocols specified by the administrator to and from computers with specified IP addresses. It has no stealth mode and lacks some other functions that are, in general, expected of firewalls.

Unfortunately, one article cannot include a detailed analysis of all the functions of the UserGate proxy server. Therefore, let's at least simply list the most interesting ones that were not included in our review. Firstly, it caches files downloaded from the Internet, which allows you to really save money on the provider's services. Secondly, it is worth noting the port mapping function, which allows you to bind any selected port of one of the local Ethernet interfaces to the desired port of a remote host (this function is necessary for the operation of network applications such as bank-client systems, various games, etc.). In addition, the UserGate proxy server implements such features as access to internal corporate resources, a task scheduler, connection to a proxy cascade, real-time monitoring of traffic and of the IP addresses, logins and visited URLs of active users, and much more.

Well, now it's time to take stock. Dear readers, we have analyzed in some detail the UserGate proxy server, which can be used to organize shared Internet access in any office. And we were convinced that this development combines simplicity and ease of setup and use with a very extensive set of functionality. All this makes the latest version of UserGate a very attractive product.

Currently, no company can do without the Internet in its work. The global network is actively used in business processes to solve a wide range of information, communication and marketing tasks. But, at the same time, it is also a potential threat to information security. Mail and web traffic are often used by cybercriminals to spread malware, phishing messages, and so on.

Another potential danger of the Internet is its misuse by employees during working hours. Company employees, instead of performing their official duties, can spend time communicating on social networks, browsing all kinds of entertainment sites, downloading films, music, unlicensed software, etc. This increases the direct and indirect costs of the company, reduces the productivity of office workers, and is a direct threat to information security (when visiting some categories of unwanted sites, the risk of computer infection increases noticeably).

Therefore, in modern conditions, the task of connecting a corporate network to the Internet must be solved taking into account all the requirements for security and control of employee actions. UserGate Proxy & Firewall provides solutions to the listed tasks. It first appeared on the market about 10 years ago and was a fairly simple, but reliable and easy-to-use proxy server. This is how it earned its popularity in Russia and neighboring countries.

Currently, the developers continue to improve their brainchild and have significantly expanded the product's functionality, taking into account the realities in the field of information security. Not only major (approximately once every 2-3 years), but also minor (2-4 between majors) versions of UserGate Proxy & Firewall are released quite regularly, each of which expands the proxy server's capabilities. Today it is a complex product that can be used to solve the whole range of problems associated with sharing the Internet.

UserGate Proxy & Firewall composition

The UserGate Proxy & Firewall solution is based on the UserGate server. It installs directly on a corporate Internet gateway and implements global network sharing, statistics, traffic counting, etc.

The access system is administered using the control console. This is a separate application that connects to the server using a special protocol over TCP/IP (a proprietary protocol is used; the transmission is protected using OpenSSL with a key length of 1024 bits), which allows it to be used not only locally, but also remotely. Thus, the system administrator can manage UserGate Proxy & Firewall directly from his workplace, without the need for physical access to the Internet gateway.

In addition, UserGate Proxy & Firewall implements a number of additional modules for solving various specific tasks.

  • UserGate Statistics. A separate application that is installed on the computers of responsible employees and allows them to view statistics on Internet use.
  • Web statistics. A module for viewing statistics through a web browser. If necessary, it can be accessed not only from the local network, but also from the Internet.
  • Cache Browser. A separate application for viewing the contents of the cache saved by UserGate Proxy & Firewall.
  • UserGate authorization client. A separate application that is installed on end-user computers and provides the ability to use "advanced" authorization methods: Active Directory, Windows login, etc.
  • Application control. A separate application installed on workstations. It allows you to restrict the list of programs that are allowed to access the Internet.

System requirements

The system requirements of the proxy server for the computer it runs on are described in the table.

|                     | Minimum requirements | Recommended configuration |
|---------------------|----------------------|---------------------------|
| CPU                 | 1 GHz                | 1-2 GHz depending on the number of users |
| RAM                 | 512 MB               | 512 MB - 1 GB depending on the number of users |
| Operating system    | Windows 2000 / XP / 2003 / 2008 / 7 / 2008 R2 (32- and 64-bit OS supported) | (same) |
| Internet connection | The type and capacity are determined on a case-by-case basis, based on the needs | (same) |

UserGate Proxy & Firewall features

UserGate Proxy & Firewall has a wide range of capabilities for providing shared Internet access, protecting the corporate information system from external threats, and controlling the use of the global network by users.

Collaborating on the Internet

UserGate Proxy & Firewall allows a large number of users to collaborate on the Internet. To do this, it implements a number of proxy servers (for HTTP, FTP, POP3, SMTP, SOCKS4, SOCKS5, SIP and H323 protocols), its own NAT driver, and a DNS forwarding system.

Transparent proxy mode

Proxy servers in UserGate Proxy & Firewall can operate in transparent mode. In this case, no additional configuration of client-side software is required. NAT technology is used to implement it.

Multi-provider support

The program in question can work with several network interfaces connected to different providers. This makes it possible to implement such features as traffic redirection from different user groups to different Internet channels, as well as redundant Internet access.

Traffic Manager

UserGate Proxy & Firewall has a Traffic Manager module designed for flexible control of Internet bandwidth. You can use it to set the priority of different types of traffic, limit the data transfer rate for certain protocols, etc.

Caching

The program under consideration implements a caching system. It saves the files downloaded by users on the hard disk of the Internet gateway and, on subsequent requests for them, does not download them again from the remote server. This reduces the load on the Internet channel and the consumption of traffic in general.

IP telephony support

An interesting feature of UserGate Proxy & Firewall is support for IP telephony. In addition to SIP and H323 proxy servers, it implements such functions as SIP Registrar (in fact, IP telephony servers) and H323 GateKeeper.

Authorization methods

UserGate Proxy & Firewall implements eight user authorization methods: for example, by IP address, by the MAC address of the network card, as well as by means of Active Directory, usernames and passwords set by the administrator, and Windows accounts.

Limiting traffic and access speed

The considered proxy server allows you to set rules that restrict the use of the Internet. In particular, you can define the daily, weekly or monthly limit of consumed traffic, the maximum data transfer rate, the protocols allowed for use, etc. Rules can be tied both to individual users and to their entire groups.

Billing system

UserGate Proxy & Firewall has its own billing system, which can be used to calculate the costs of using the Internet. Tariffs can be set both for connection time and for consumed traffic. At the same time, flexible customization is available, including automatic switching from one tariff to another depending on the time of day or the category of the site being viewed.
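The two billing passages (the tariff description in the first review and the "Billing system" section here) both describe tariffs that charge per unit of incoming and outgoing traffic and per unit of connection time, and that switch with the time of day. The following added example is not UserGate's own billing code; it models that accounting in Python so the mechanics are visible: a session that straddles a tariff boundary is split at the hour, each piece of connection time is charged at the tariff in force, and each traffic record is charged at the tariff active when it was counted. The tariff names, prices, users and traffic records are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MB = 1024 * 1024


@dataclass(frozen=True)
class Tariff:
    name: str
    start_hour: int      # inclusive, 0..23
    end_hour: int        # exclusive, 1..24
    per_mb_in: float     # cost of one MB of incoming traffic
    per_mb_out: float    # cost of one MB of outgoing traffic
    per_minute: float    # cost of one minute of connection time


# Constructed schedule with hypothetical prices: a day rate and a cheaper night rate.
TARIFFS = [
    Tariff("day",   8, 20, 0.10, 0.05, 0.02),
    Tariff("night", 20, 24, 0.02, 0.01, 0.00),
    Tariff("night", 0,  8, 0.02, 0.01, 0.00),
]


def tariff_at(t: datetime, tariffs: List[Tariff] = TARIFFS) -> Tariff:
    """Return the tariff in force at time t (the schedule must cover all 24 hours)."""
    for tr in tariffs:
        if tr.start_hour <= t.hour < tr.end_hour:
            return tr
    raise ValueError(f"no tariff covers {t}")


def split_by_hour(start: datetime, end: datetime):
    """Yield pieces of [start, end) that never cross an hour boundary,
    so every piece falls under exactly one tariff."""
    cur = start
    while cur < end:
        next_hour = cur.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
        seg_end = min(next_hour, end)
        yield cur, seg_end
        cur = seg_end


def time_cost(start: datetime, end: datetime, tariffs: List[Tariff] = TARIFFS) -> float:
    """Connection-time charge: each segment is priced by the tariff active when it began."""
    total = 0.0
    for s, e in split_by_hour(start, end):
        minutes = (e - s).total_seconds() / 60
        total += minutes * tariff_at(s, tariffs).per_minute
    return total


def traffic_cost(records: List[Tuple[datetime, int, int]], tariffs: List[Tariff] = TARIFFS) -> float:
    """records: (timestamp, bytes_in, bytes_out) as a traffic counter would log them;
    each record is charged at the tariff in force when it was counted."""
    total = 0.0
    for ts, b_in, b_out in records:
        tr = tariff_at(ts, tariffs)
        total += (b_in / MB) * tr.per_mb_in + (b_out / MB) * tr.per_mb_out
    return total


def session_cost(start: datetime, end: datetime,
                 records: List[Tuple[datetime, int, int]],
                 tariffs: List[Tariff] = TARIFFS) -> float:
    return round(time_cost(start, end, tariffs) + traffic_cost(records, tariffs), 4)


def bill_users(sessions, tariffs: List[Tariff] = TARIFFS) -> Dict[str, float]:
    """sessions: (user, start, end, records). Returns the cost per user,
    i.e. the 'who spent how much' view management wants."""
    bill: Dict[str, float] = {}
    for user, start, end, records in sessions:
        bill[user] = round(bill.get(user, 0.0) + session_cost(start, end, records, tariffs), 4)
    return bill


# Constructed sample: one session crossing the 20:00 day/night boundary, one inside the day rate.
SAMPLE_SESSIONS = [
    ("petrov", datetime(2024, 1, 15, 19, 30), datetime(2024, 1, 15, 20, 30),
     [(datetime(2024, 1, 15, 19, 45), 10 * MB, 2 * MB),     # charged at the day rate
      (datetime(2024, 1, 15, 20, 15), 100 * MB, 0)]),        # charged at the night rate
    ("ivanov", datetime(2024, 1, 15, 9, 0), datetime(2024, 1, 15, 9, 10),
     [(datetime(2024, 1, 15, 9, 5), 5 * MB, 1 * MB)]),
]

if __name__ == "__main__":
    print(bill_users(SAMPLE_SESSIONS))
```

For petrov the 30 minutes before 20:00 cost 0.60, the 30 minutes after cost nothing, the first record costs 1.10 and the 100 MB downloaded at night cost 2.00, so the session totals 3.70; ivanov's short session totals 0.75.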

Application control

UserGate Proxy & Firewall allows you to restrict the list of applications that are allowed to access the Internet. This allows you to solve the problem of uniformity of software use in the local network. Moreover, this module can provide additional protection against malware. Even if they are active on the computer, the Internet channel will not be available to them.

Site filtering by category

The considered proxy server allows you to restrict access to unwanted sites by category. For this, the "cloud" technology Entensys URL Filtering is used. It is based on a special database of sites divided into 82 categories, and it is by these categories that access can be restricted. The database contains over 500 million web projects and is constantly updated and edited by the developers. It should be noted that category filtering requires the purchase of an additional license.

Application control

UserGate Proxy & Firewall implements a traffic filtering system based on the applications that generate it. This allows one program to access the Internet while the network activity of another is blocked. It should be noted that the filtering rules are highly flexible. With their help, you can allow applications to work only over a certain protocol, to send network packets only to a specified IP address or range of IP addresses, etc. To implement this type of filtering, you need to install on the workstations a special Application Control program that is included in the product package.

Statistics and reports

The proxy server in question keeps detailed statistics on the use of the Internet by all users. They are worked with either in a special application or through the web interface. At the same time, a separation of access rights is implemented, which allows responsible employees to view the complete information and other users only their own statistics. In the process, you can use tools such as filtering by various conditions, generating tabular and graphical reports, and exporting data to HTML and to Microsoft Excel and OpenOffice.org Calc.

Built-in DHCP server

UserGate Proxy & Firewall has its own DHCP server, which can distribute IP addresses to clients from the pool specified by the administrator. This tool is not needed if the enterprise's information system has a domain deployed. However, it can simplify the administration of computers in small peer-to-peer networks.

Built-in router

Another tool for the administrator is the built-in router. It allows you to connect two or more local area networks, providing transparent two-way communication between them. In this case, you can specify the protocols and services that will be allowed to use network connections.

Antivirus protection

UserGate Proxy & Firewall can be used to check all traffic passing through the proxy server for malware. For this, integrated modules developed by Kaspersky Lab and Panda Security are used. Moreover, traffic scanning can be performed either by one of the specified anti-virus modules, or sequentially. It should be noted that the use of anti-virus software requires the purchase of additional licenses from the respective manufacturers.

Firewall

In the considered proxy server, a full-fledged firewall is implemented, which allows you to block unwanted network traffic and helps protect against external intrusions. At the same time, it is very easy to configure. When you enable or disable services and port assignment rules, the corresponding ports will automatically open or close.

VPN support

UserGate Proxy & Firewall supports PPTP and L2TP protocols, which are used to communicate with VPN servers. This makes it easy to provide secure remote connections to information resources of the enterprise or its branches.

Deploying and working with UserGate Proxy & Firewall

The UserGate Proxy & Firewall proxy server deployment procedure can be divided into several stages.

  1. Program installation.
  2. Basic proxy server setup.
  3. Creation of rules that enforce corporate Internet policy.
  4. User entry.

Stage 1. Installing the program

The UserGate Proxy & Firewall installation procedure is very simple and does not require any special knowledge or skills from the person performing it. First of all, download the distribution kit from the developer's official website, launch it and select the language for the installer. In the welcome window that opens, click the "Next" button.

Figure 1. Welcome window of the UserGate Proxy & Firewall installer

At the next step, we read the license agreement, accept it and click on "Next" again.

Figure 2. UserGate Proxy & Firewall license agreement

The third step is to select the components to install. If the application is being installed on an Internet gateway, you must enable the "UserGate Proxy & Firewall 5 base files" item and select the necessary sub-items in it. So, for example, if you do not have a license for the anti-virus scanning modules or you are not going to use web statistics, there is no need to install the corresponding modules. Separately, you can select the management console and the "UserGate Statistics" component. This may be required when installing the product on the computer of an administrator or responsible employee for remote management of the proxy and for viewing reports.

Here, if necessary, you can change the folder where the product will be installed (by default, the folder C:\Program Files\Entensys\UserGate 5\ is used).

Figure 3. Selecting UserGate Proxy & Firewall installation components

After that, the final window of the installer is displayed, in which to start the process, you must click on the "Install" button.

Figure 4. The final window of the UserGate Proxy & Firewall installer

The installation time depends on the available system resources.

Figure 5. Installing UserGate Proxy & Firewall

A computer restart is required to complete the installation.

Stage 2. Basic proxy server configuration

All proxy server administration work is done using the management console. It can be carried out both directly from the Internet gateway and remotely from the administrator's workplace. If the console is installed together with the server on the same computer, then the connection is created automatically. Otherwise, you need to configure the connection manually - specify the domain name or IP-address of the server, port (2345 by default), login and password.

Figure 6. Configuring the connection to the UserGate Proxy & Firewall server

After the first connection to the server, you need to configure the interfaces. This can be done on the tab of the same name in the management console. UserGate Proxy & Firewall automatically detects all available network interfaces and displays them in the list. Select among them those that "look" into the local network and change their type to LAN. All external interfaces must be of the WAN type. In addition to network interfaces, the list contains connections such as PPPoE, VPN, etc. They are given the PPP type right away, and it cannot be changed.

Figure 7. Configuring network interfaces in UserGate Proxy & Firewall

If necessary, you can organize a reservation system for the Internet channel. It allows you to automatically switch to another interface when the main one is unavailable. To use it, you need two or more Internet connections. The most convenient way to set up a reservation is to use a special wizard. At the first stage, specify the main and backup connections.

Figure 8. Specifying the primary and backup connections in UserGate Proxy & Firewall

At the second stage, enter the addresses of the servers, the unavailability of which will mean the "drop" of the channel. Please note that it is best to use popular services, and not one, but several. This avoids switching to a backup link due to internal server problems, trunk failure, and other similar reasons. Optionally, you can enter a check interval and a Ping command timeout.

Figure 9. List of servers for checking connection health in UserGate Proxy & Firewall

All Internet channel reservation settings are displayed on the "Interfaces" page of the management console. Here you can also change them manually without going to the setup wizard.
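The reservation wizard above asks for several check servers rather than one, so that a single server's own outage does not trigger a switch to the backup channel. The following added example is not UserGate's code; it models that decision logic in Python with an injected probe function (a real monitor would ping the hosts), so the behaviour can be replayed offline against a constructed timeline. The interface names, host names and the "three failed rounds before switching" threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class FailoverConfig:
    primary: str                       # interface name of the main Internet channel (assumed)
    backup: str                        # interface name of the backup channel (assumed)
    check_hosts: List[str]             # several independent, well-known hosts
    failed_rounds_to_switch: int = 3   # consecutive failed rounds before switching (assumed policy)


class ChannelMonitor:
    """Decides which channel is active from the results of periodic reachability checks."""

    def __init__(self, cfg: FailoverConfig, probe: Callable[[str, str], bool]):
        # probe(interface, host) -> True if the host answered through that interface.
        # Injected so the logic can be exercised offline; a real monitor would ping.
        self.cfg = cfg
        self.probe = probe
        self.active = cfg.primary
        self.failed_rounds = 0

    def primary_up(self) -> bool:
        # The channel counts as up if ANY check host answers: one host's own outage
        # must not look like a channel failure, which is why several hosts are listed.
        return any(self.probe(self.cfg.primary, h) for h in self.cfg.check_hosts)

    def tick(self) -> str:
        """One check round; returns the interface that should carry traffic afterwards."""
        if self.primary_up():
            self.failed_rounds = 0
            self.active = self.cfg.primary      # fail back as soon as the main channel recovers
        else:
            self.failed_rounds += 1
            if self.failed_rounds >= self.cfg.failed_rounds_to_switch:
                self.active = self.cfg.backup
        return self.active


def simulate(cfg: FailoverConfig, rounds: List[Dict[str, bool]]) -> List[str]:
    """Replay a scripted timeline (one {host: answered} dict per round)
    and return the active interface after each round."""
    state = {"round": 0}

    def scripted_probe(interface: str, host: str) -> bool:
        return rounds[state["round"]].get(host, False)

    mon = ChannelMonitor(cfg, scripted_probe)
    history = []
    for i in range(len(rounds)):
        state["round"] = i
        history.append(mon.tick())
    return history


# Constructed sample: three check hosts, one dict per check round.
SAMPLE_CFG = FailoverConfig("wan1", "wan2", ["dns-a.example", "dns-b.example", "www.example"])
SAMPLE_ROUNDS = [
    {"dns-a.example": True,  "dns-b.example": True,  "www.example": True},   # all fine
    {"dns-a.example": False, "dns-b.example": True,  "www.example": True},   # one host down: stay
    {"dns-a.example": False, "dns-b.example": False, "www.example": False},  # outage, round 1
    {"dns-a.example": False, "dns-b.example": False, "www.example": False},  # outage, round 2
    {"dns-a.example": False, "dns-b.example": False, "www.example": False},  # outage, round 3: switch
    {"dns-a.example": True,  "dns-b.example": True,  "www.example": True},   # recovered: fail back
]

if __name__ == "__main__":
    print(simulate(SAMPLE_CFG, SAMPLE_ROUNDS))
```

The second round shows the point of listing several servers: one unreachable host leaves the channel on wan1, and only when every host fails for three rounds in a row does traffic move to wan2.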

Figure 10. Internet channel reservation properties in UserGate Proxy & Firewall

Next, you need to configure the proxy server. To do this, open the "Services" section in the management console and select the "Proxy settings" tab in it. In this case, a list of all available proxy servers will be displayed in the right part of the window. Turn on necessary services and turn off all others.

Figure 11. List of proxy servers in UserGate Proxy & Firewall

If necessary, you can change the parameters of any proxy server. This is done in a special window opened by double-clicking the desired item. In it, you need to specify the network interfaces that the proxy server will listen on. In most cases, you will need to select all LAN connections. The interfaces can be left unspecified in the properties, but in this case UserGate Proxy & Firewall will listen on all of them, including external ones, which exposes the proxy to the Internet; selecting the LAN interfaces explicitly avoids that. Here you can also change the port on which the proxy server runs.

Additionally, in this window, you can switch the proxy server to the so-called transparent mode of operation. Its essence is as follows. When transparency is enabled, the NAT driver listens on the appropriate ports (TCP 80 for HTTP, TCP 110 for POP3, etc.) of the Internet gateway, detects incoming requests through them, and forwards them to the proxy server. As a result, work is essentially done through a "proxy", but administrators no longer need to configure applications on workstations. They will all work as if they were directly connected to the Internet. However, when using the transparent mode of operation, it is necessary to reconfigure the properties of the network connection of workstations (specify the IP address of the Internet gateway as a gateway and enter the DNS server).

Figure 12. Proxy server properties in UserGate Proxy & Firewall

Next, you need to ensure that DNS requests pass through the proxy server. The easiest way to do this is DNS forwarding. When this technology is used, requests arriving at port 53 of the Internet gateway (only LAN interfaces are listened on) are redirected to the provider's DNS server. To enable it, go to the "DNS Settings" tab in the "Services" section. In the window that opens, enable DNS forwarding and specify the address of the DNS server. By default, it is taken automatically from the configuration of the WAN interface's network card. However, if necessary, you can set your own list of DNS servers.

Figure 13. Setting DNS in UserGate Proxy & Firewall

Additionally, you can configure such product features as general bandwidth management, port forwarding, application control, etc. However, we will not go into details about them: UserGate Proxy & Firewall is too functional to describe its full configuration in one overview. In addition, this product is accompanied by a fairly detailed help system.

Stage 3. Create rules that enforce corporate Internet policy

An important feature of UserGate Proxy & Firewall is its traffic control system, which allows you to prevent inappropriate use of corporate Internet resources by the organization's employees, to strengthen the security of the information system and to solve a number of other similar problems. It is based on rules that describe the behavior of the system in certain cases. The main work with them is carried out on the tab of the same name in the "Traffic Management" section. Here you can create, delete and edit them. There can be any number of rules; however, not all of them have to be in use. Rules are assigned to groups or users and work only for them.

Figure 14. List of traffic control rules in UserGate Proxy & Firewall

Each rule represents one or more conditions combined with the logical operations AND or OR. When they are satisfied, the specified action is triggered. The rule properties window consists of five tabs. The first one sets the basic parameters: name, type of logic, as well as the object and the action performed on it. Options available here include closing the connection, disabling traffic counting, enabling speed limiting, etc.

Figure 15. Basic parameters of a traffic control rule in UserGate Proxy & Firewall

The second tab specifies the protocols for which the rule will work. By default they are all activated. However, the administrator can disable some of them.

Figure 16. Configuring protocols in a traffic control rule in UserGate Proxy & Firewall

The next tab allows you to set the schedule, i.e. specify the duration of the rule.

Figure 17. Configuring the schedule of a traffic control rule in UserGate Proxy & Firewall

The fourth tab is designed to enter restrictions on daily, weekly or monthly traffic consumption. The rule will be triggered when the user reaches a certain limit. In addition, on this tab you can set limits on the size of uploaded files.

Figure 18. Configuring consumption limits in a traffic control rule in UserGate Proxy & Firewall

The last, fifth tab allows you to configure the filtering of web content. On it, you can set conditions of four different types: by IP address (or a range of IP addresses), by site address (including a fragment of the address), by content type (either whole categories such as audio, video, pictures, text documents, etc., or individual extensions such as *.avi, *.mp3, *.flv, etc.), as well as by site category. It should be noted that the type of content to be filtered can be set.

Figure 19. Configuring web content filtering conditions in a traffic control rule in UserGate Proxy & Firewall

The conditions described above can be combined in any combination, which allows you to create very flexible rules describing almost any corporate policy for using the Internet.
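The rule model described in this stage (and in the "rules" paragraphs of the first review) is a condition list joined by AND or OR, restricted to certain protocols, a schedule and an assignment to users or groups, with an action such as closing the connection or limiting speed. The added example below is not UserGate's rule engine or its configuration format; it is a small Python model of that structure so the evaluation order can be checked against sample requests. The group name, policy rules, URLs, site categories and byte counts are constructed, and the "close_connection beats speed_limit" precedence in `decide` is an assumption of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from posixpath import splitext
from typing import Callable, List, Optional, Set, Tuple
from urllib.parse import urlparse


@dataclass
class Request:
    user: str
    groups: Set[str]
    protocol: str          # "HTTP", "FTP", "POP3", ...
    when: datetime
    dest_ip: str
    url: str
    category: str          # category assigned by the URL filtering database (constructed here)
    bytes_today: int       # traffic this user has already consumed today
    bytes_month: int       # ... and this month


Condition = Callable[[Request], bool]


# Condition builders for the four web-content condition types plus consumption limits.
def dest_in(network: str) -> Condition:
    net = ip_network(network)
    return lambda r: ip_address(r.dest_ip) in net

def host_contains(fragment: str) -> Condition:
    return lambda r: fragment in (urlparse(r.url).hostname or "")

def extension_in(exts: Set[str]) -> Condition:
    return lambda r: splitext(urlparse(r.url).path)[1].lower() in exts

def category_in(cats: Set[str]) -> Condition:
    return lambda r: r.category in cats

def daily_limit(limit_bytes: int) -> Condition:
    return lambda r: r.bytes_today >= limit_bytes

def monthly_limit(limit_bytes: int) -> Condition:
    return lambda r: r.bytes_month >= limit_bytes


@dataclass
class Rule:
    name: str
    action: str                                  # "close_connection", "speed_limit", "no_traffic_count"
    applies_to: Set[str]                         # user names and/or group names
    conditions: List[Condition] = field(default_factory=list)
    logic: str = "AND"                           # how the conditions are combined
    protocols: Optional[Set[str]] = None         # None = all protocols
    schedule: Optional[Tuple[time, time, Set[int]]] = None  # (from, to, weekdays 0=Mon); None = always

    def matches(self, r: Request) -> bool:
        # Assignment, protocol tab and schedule tab are checked first; only then the conditions.
        if r.user not in self.applies_to and not (r.groups & self.applies_to):
            return False
        if self.protocols is not None and r.protocol not in self.protocols:
            return False
        if self.schedule is not None:
            start, end, days = self.schedule
            if r.when.weekday() not in days or not (start <= r.when.time() < end):
                return False
        results = [c(r) for c in self.conditions]
        if not results:
            return True
        return all(results) if self.logic == "AND" else any(results)


def decide(rules: List[Rule], r: Request) -> Tuple[str, List[str]]:
    """Return (verdict, names of matched rules); a close_connection rule wins over a speed limit."""
    hits = [rule for rule in rules if rule.matches(r)]
    actions = {rule.action for rule in hits}
    if "close_connection" in actions:
        verdict = "close_connection"
    elif "speed_limit" in actions:
        verdict = "speed_limit"
    else:
        verdict = "allow"
    return verdict, [rule.name for rule in hits]


WORK_HOURS = (time(9, 0), time(18, 0), {0, 1, 2, 3, 4})

# Constructed policy for a group "staff".
POLICY = [
    Rule("no media at work", "close_connection", {"staff"},
         [extension_in({".avi", ".mp3", ".flv"}), category_in({"video", "audio"})],
         logic="OR", protocols={"HTTP"}, schedule=WORK_HOURS),
    Rule("daily 500 MB cap", "close_connection", {"staff"},
         [daily_limit(500 * 1024 * 1024)]),
    Rule("throttle test lab", "speed_limit", {"staff"},
         [dest_in("10.10.0.0/16")]),
]


def sample(url: str, when: datetime, proto: str = "HTTP", ip: str = "93.184.216.34",
           cat: str = "news", today: int = 0) -> Request:
    """Constructed request from user 'petrov' in group 'staff'."""
    return Request("petrov", {"staff"}, proto, when, ip, url, cat, today, 0)


if __name__ == "__main__":
    print(decide(POLICY, sample("http://video.example/clip.avi", datetime(2024, 1, 15, 11, 0))))
```

The same .avi request is closed at 11:00 on a Monday and allowed at 21:00, because the schedule tab is checked before the content conditions; an FTP download of an .mp3 is not touched by the first rule at all, since that rule is limited to HTTP.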

Stage 4. Entering users

UserGate Proxy & Firewall offers two ways to add users: manually and by integrating with Active Directory. It is clear that the first one is only for small businesses that use a simple peer-to-peer network. If the organization has a domain deployed, it is much easier and more efficient to use the integration with Active Directory.

If you choose the second option for adding users, then you must first configure the synchronization settings. You can do this on the "Groups" tab of the "Users and Groups" section. To enter the parameters, click on the "Configure synchronization with AD" button and enter the domain name, controller address, administrator login and password, and data refresh rate in the window that opens.

Figure 20. UserGate Proxy & Firewall synchronization settings with Active Directory

Working with accounts begins with entering user groups, for each of which you can specify previously entered rules. At the same time, they will be distributed immediately to all accounts, which simplifies management.

Figure 21. List of groups in UserGate Proxy & Firewall

After you finish working with groups, you can start configuring the list of users. With the manual method, each account will have to be entered independently, setting all its properties, including the authorization method. During synchronization, the list of accounts is filled in and kept up to date automatically. If necessary, you can make changes to user accounts, for example, set a different authorization method (NTLM authorization is used by default).

Figure 22. List of accounts in UserGate Proxy & Firewall

A small digression is needed here. To use some authorization methods (login and password entered in UserGate Proxy & Firewall, Windows login, authorization via Active Directory), a special program must be installed on workstations: the UserGate authorization client. Its installation package (AuthClientInstall.msi) is located in the Tools subfolder of the product installation directory. It can be installed either manually or using Active Directory group policies.

This completes the initial configuration of UserGate Proxy & Firewall. Our proxy server is completely ready to work. In the future, the administrator can connect to it remotely at any time and change the previously set parameters.

UserGate Proxy & Firewall belongs to applications that do not need constant attention from the administrator. Connecting to the Internet, switching to a backup channel and vice versa, monitoring the use of the global network by company employees and other actions are performed automatically. So, in fact, all further work is reduced to studying statistics and, sometimes, changing some parameters of work.

To work with the information collected by the system, a special application, "UserGate Statistics", is provided. With its help, the administrator or responsible employee can view the complete data, filtering it by date, destination, user, protocol, website category and other parameters, as well as export it in different formats.

Figure 24. Viewing statistics using a special application

There is another option for viewing the collected information - web statistics. With its help, you can explore the data using a browser. It is interesting that not only administrators, but also ordinary users can do this. At the same time, only their personal statistics will be available to them.

Figure 25. Viewing statistics using a browser

Findings

In conclusion, let's summarize. A detailed review of UserGate Proxy & Firewall capabilities has shown that today this product is one of the most functional proxy servers on the Russian market. With its help, you can solve almost any problem related to the organization of sharing access to the Internet.

An important feature of the considered product is the ability to implement a corporate policy for using the global network. Denying access to potentially dangerous sites, blocking the download of certain types of content and some other features increase the degree of security of the information system.

An important factor is the availability of security tools in UserGate Proxy & Firewall, which allow you to quickly and easily organize protection of the local network perimeter from external threats: antivirus and firewall. Of course, their use does not obviate the need to protect workstations. Nevertheless, a two-stage "defense", during which network traffic is checked sequentially (first at the Internet gateway level, and then at the level of users' computers) is usually much more effective.

The main disadvantages of UserGate Proxy & Firewall are not technical, but rather "economic". We are talking about the need for an annual renewal of licenses for the use of antivirus modules, as well as a site filtering system based on categories. In principle, a proxy server can work without them, moreover, the license for UserGate Proxy & Firewall itself is unlimited. However, these functions can significantly increase the security of the information system, and, therefore, their use is still desirable.

Sharing access to the Internet for local network users is one of the most common tasks faced by system administrators. Nevertheless, it still raises many difficulties and questions. For example, how to ensure maximum safety and complete controllability?

Introduction

Today we will take a closer look at how to organize shared access to the Internet for employees of a certain hypothetical company. Suppose that their number will be in the range of 50-100 people, and all the services usual for such information systems are deployed in the local network: a Windows domain, its own mail server, an FTP server.

For sharing, we will use a solution called UserGate Proxy & Firewall. It has several distinctive features. First, it is a purely Russian development, unlike many localized products. Secondly, it has more than ten years of history. But the most important thing is the constant development of the product.

The first versions of this solution were relatively simple proxy servers that could only provide sharing of one Internet connection and keep statistics on its use. The most widespread among them was build 2.8, which can still be found in small offices. The last, sixth version, the developers themselves no longer call a proxy server. According to them, this is a complete UTM solution that covers a whole range of tasks related to security and user control. Let's see if this is so.

Deploying UserGate Proxy & Firewall

During the installation, two stages are of interest (the rest of the steps are standard for installing any software). The first is component selection. In addition to the basic files, we are offered to install four more server components - a VPN, two antiviruses (Panda and Kaspersky Anti-Virus) and a cache browser.

The VPN server module is installed on demand, that is, when the company plans to use remote access for employees or to combine several remote networks. It makes sense to install antiviruses only if the company has purchased the appropriate licenses. Their presence will allow you to scan Internet traffic, localize and block malware directly at the gateway. The Cache Browser will provide a view of the web pages cached by the proxy server.

Additional functions

Banning unwanted sites

The solution supports Entensys URL Filtering technology. Basically, it is a cloud-based database containing over 500 million sites in different languages, broken down into over 70 categories. Its main difference is constant monitoring: web projects are continuously monitored and, when their content changes, moved to another category. This allows you to ban all unwanted sites with a high degree of accuracy by simply selecting certain categories.

The use of Entensys URL Filtering increases the safety of working on the Internet and also contributes to the efficiency of employees (by prohibiting social networks, entertainment sites, etc.). However, its use requires a paid subscription, which must be renewed every year.

In addition, the distribution includes two more components. The first is the Administrator Console. This is a separate application designed, as the name implies, to manage the UserGate Proxy & Firewall server. Its main feature is the ability to connect remotely. Thus, administrators or those responsible for Internet use do not need direct access to the Internet gateway.

The second additional component is web statistics. In fact, it is a web server that displays detailed statistics on the use of the global network by company employees. On the one hand, it is undoubtedly a useful and convenient component. After all, it allows you to receive data without installing additional software, including via the Internet. But on the other hand, it consumes additional system resources of the Internet gateway. Therefore, it is better to install it only when you really need it.

The second step that you should pay attention to during the installation of UserGate Proxy & Firewall is choosing a database. In previous versions, UGPF could only work with MDB files, which affected overall system performance. Now there is a choice between two DBMSs: Firebird and MySQL. The first is included in the distribution kit, so choosing it requires no additional steps. If you want to use MySQL, you must first install and configure it. After the installation of the server components is complete, it is necessary to prepare the workstations of administrators and other responsible employees who will control user access. This is very easy to do: it is enough to install the administration console from the same distribution kit on their work computers.

Additional functions

Built-in VPN Server

Version 6.0 introduces the VPN server component. It can be used to organize secure remote access of company employees to the local network or to combine remote networks of individual branches of the organization into a single information space. This VPN server has all the necessary functionality for creating server-to-server and client-to-server tunnels and routing between subnets.


Basic setup

All UserGate Proxy & Firewall configuration is done using the management console. By default, after installation, a connection to the local server is already created in it. However, if you use it remotely, then the connection will have to be created manually by specifying the IP address or hostname of the Internet gateway, network port (2345 by default) and authorization parameters.

After connecting to the server, you first need to configure the network interfaces. This can be done on the "Interfaces" tab of the "UserGate Server" section. We set the LAN type to the network card that "looks" into the local network, and WAN for all other connections. "Temporary" connections, such as PPPoE, VPN, are automatically assigned the PPP type.

If your company has two or more WAN connections, one of which is primary and the others are backup, then you can set up automatic backup. This is quite easy to do. It is enough to add required interfaces in the reserve list, indicate one or more control resources and the time of their check. The principle of operation of this system is as follows. UserGate automatically checks the availability of control sites at a specified interval. As soon as they stop responding, the product automatically switches to the backup channel without administrator intervention. At the same time, checking the availability of control resources on the main interface continues. And as soon as it is successful, the switch back is automatically performed. The only thing to look out for when setting up is the selection of control resources. It is better to take several large sites, the stable operation of which is almost guaranteed.

Additional functions

Control of network applications

UserGate Proxy & Firewall implements an interesting capability: control of network applications. Its purpose is to deny Internet access to any unauthorized software. In the control settings, rules are created that allow or block the network activity of various programs (with or without a specific version). They can specify particular IP addresses and destination ports, which allows you to configure software access flexibly, permitting a program to perform only certain actions on the Internet.

Application control allows you to implement a clear corporate policy on the use of programs and partially prevent the spread of malware.

After that, you can go directly to setting up the proxy servers. In total, seven of them are implemented in the solution under consideration: for the HTTP (including HTTPS), FTP, SOCKS, POP3, SMTP, SIP and H.323 protocols. This is practically all that company employees may need for work on the Internet. By default, only the HTTP proxy is enabled; all others can be activated if necessary.


Proxy servers in UserGate Proxy & Firewall can operate in two modes: normal and transparent. In the first case, we are talking about a traditional proxy. The server receives requests from users and forwards them to external servers, and sends the received responses back to the clients. This is a traditional solution, but it has its disadvantages. In particular, each program used for Internet work (browser, mail client, ICQ, etc.) must be configured on every computer in the local network. This is, of course, a lot of work, and it has to be repeated from time to time as new software is installed.

When choosing transparent mode, a special NAT driver is used, which is included in the package of the considered solution. It listens on the appropriate ports (80 for HTTP, 21 for FTP, and so on), detects incoming requests and forwards them to the proxy server, from where they are sent further. This solution is more successful in the sense that software configuration on client machines is no longer needed. The only thing required is to specify the IP address of the Internet gateway as the default gateway in the network connection settings of all workstations.

The next step is to configure DNS. This can be done in two ways. The simplest is to enable so-called DNS forwarding. When it is used, DNS requests coming to the Internet gateway from clients are redirected to the specified servers (either the DNS server from the network connection parameters or any arbitrary DNS servers).


The second option is to create a NAT rule that accepts requests on port 53 (the standard DNS port) and forwards them to the external network. However, in this case you will either have to register DNS servers manually in the network connection settings on all computers, or configure the domain controller's DNS server to send DNS queries through the Internet gateway.

User management

After finishing the basic setup, you can proceed to work with users. You need to start by creating groups, into which accounts will subsequently be combined. What is this for? First, for subsequent integration with Active Directory. Secondly, groups can be assigned rules (we will talk about them later), thus controlling access for a large number of users at once.

The next step is to add users to the system. This can be done in three different ways. The first, manual creation of each account, we do not even consider, for obvious reasons: this option is only suitable for small networks with few users. The second method is scanning the corporate network with ARP requests, during which the system itself determines the list of possible accounts. We, however, choose the third option, the most convenient from the point of view of simplicity and ease of administration: integration with Active Directory. It is performed on the basis of the previously created groups. First, fill in the general integration parameters: the domain, the address of its controller, the username and password of a user with the necessary access rights, and the synchronization interval. After that, each group created in UserGate should be assigned one or several groups from Active Directory. Strictly speaking, the setup ends there. After all parameters are saved, synchronization is performed automatically.

By default, users created during synchronization use NTLM authorization, that is, authorization by domain login. This is a very convenient option, since the rules and the traffic accounting system will work regardless of which computer the user is currently sitting at.

However, to use this authorization method, additional software is required - a special client. This program works at the Winsock level and sends user authorization parameters to the Internet gateway. Its distribution kit is included in the UserGate Proxy & Firewall package. You can quickly install the client on all workstations using Windows Group Policies.

By the way, NTLM authorization is far from the only method of authorizing company employees for work on the Internet. For example, if the organization practices strict binding of employees to workstations, then you can use an IP address, a MAC address, or a combination of both to identify users. Using the same methods, you can also grant Internet access to various servers.

User control

One of the significant advantages of UGPF is its extensive user control capabilities. They are implemented using a system of traffic control rules. The principle of its operation is very simple. The administrator (or other responsible person) creates a set of rules, each of which consists of one or more trigger conditions and an action to be performed. These rules are assigned to individual users or to entire groups and control their work on the Internet automatically. Four actions are implemented. The first is to close the connection. It allows, for example, blocking the download of certain files, preventing visits to unwanted sites, and more. The second is to change the tariff. It is used in the billing system integrated into the product (we do not consider it, since it is not particularly relevant for corporate networks). The next action disables counting of the traffic received within the connection: the transmitted data is then not included in the daily, weekly and monthly consumption totals. And finally, the last action limits the speed to a specified value. It is very convenient for preventing the channel from being "clogged" when downloading large files and for similar tasks.

There are many more conditions in traffic control rules, about ten. Some of them are relatively simple, such as the maximum file size. This condition is triggered when users try to transfer a file larger than the specified size. Other conditions are time-bound. In particular, among them are the schedule (triggered by time and days of the week) and holidays (triggered on specified days).

However, the most interesting are the conditions related to sites and content. In particular, they can be used to block, or apply other actions to, certain types of content (for example, video, audio, executable files, text, images, etc.), specific web projects or entire categories of them (for this, the Entensys URL Filtering technology is used, see the sidebar).

It is noteworthy that one rule can contain several conditions at once. In this case, the administrator can indicate in which case it will be performed - if all conditions are met or any one of them. This allows you to create a very flexible policy for using the Internet by company employees, taking into account a large number of all kinds of nuances.

Firewall configuration

An integral part of the UserGate NAT driver is a firewall; with its help, various tasks related to processing network traffic are solved. For configuration, special rules are used, which can be of one of three types: network address translation, routing and firewall. There can be any number of rules in the system. They are applied in the order in which they are listed in the general list. Therefore, if incoming traffic matches several rules, it will be processed by the one that is located above the others.

Each rule is characterized by three main parameters. The first is the traffic source. It can be one or more specific hosts, or the WAN or LAN interface of the Internet gateway. The second parameter is the destination of the traffic. Here you can specify a LAN or WAN interface or a dial-up connection. The last main characteristic of a rule is one or more services to which it applies. A service in UserGate Proxy & Firewall means a pair of a protocol family (TCP, UDP, ICMP, arbitrary protocol) and a network port (or range of network ports). By default, the system already has an impressive set of pre-installed services, ranging from common ones (HTTP, HTTPS, DNS, ICQ) to specific ones (WebMoney, RAdmin, various online games, and so on). However, if necessary, the administrator can create his own services, for example, describing work with an online bank.

Also, each rule has an action that it performs with traffic that matches the conditions. There are only two of them: allow or deny. In the first case, traffic flows freely along the specified route, and in the second, it is blocked.

The network address translation rules use NAT technology. With their help, you can configure Internet access for workstations with local addresses. To do this, you need to create a rule specifying the LAN interface as the source and the WAN interface as the destination. Routing rules are applied if the solution in question is used as a router between two local networks (it implements this feature). In this case, routing can be configured for bidirectional transparent traffic.

Firewall rules are used to process traffic that does not go to the proxy server, but directly to the Internet gateway. Immediately after installation, the system has one such rule that allows all network packets. In principle, if the created Internet gateway will not be used as a workstation, then the rule action can be changed from “Allow” to “Deny”. In this case, any network activity will be blocked on the computer, except for transit NAT packets transmitted from the local network to the Internet and vice versa.

Firewall rules also allow any local services to be published on the global network: web servers, FTP servers, mail servers and so on. This allows remote users to connect to them via the Internet. Consider publishing a corporate FTP server as an example. To do this, the administrator must create a rule in which "Any" is selected as the source, the desired WAN interface as the destination, and FTP as the service. After that, select the "Allow" action, enable traffic broadcasting and specify the IP address of the local FTP server and its network port in the "Destination address" field.

After this configuration, all connections arriving at the network cards of the Internet gateway on port 21 are automatically redirected to the FTP server. By the way, during setup you can select not only the "native" service but any other (or create your own). In this case, external users will have to connect not to port 21 but to a different port. This approach is very convenient when the information system has two or more services of the same type. For example, you can organize external access to the corporate portal via the standard HTTP port 80, and access to UserGate web statistics via port 81.

External access to the internal mail server is configured in the same way.
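The rule semantics described above (top-down evaluation with first match winning, services as protocol plus port range, and publishing that rewrites the destination to an internal host), together with the "deny everything, then add allowing rules" layout recommended later in the firewall setup section, as an added Python model; this is not the product's code, and the LAN subnet, gateway address, rule names and the interpretation of "LAN", "WAN" and "Any" are this example's own assumptions.

```python
"""Model of how an ordered NAT/firewall rule list is evaluated.

Added example, not the product's code. It follows the review's description:
rules are tried top-down and the first match wins; a service is a protocol
plus a port or port range; a publishing rule rewrites the destination to an
internal host. How "LAN", "WAN" and "Any" are mapped onto packets is this
model's own interpretation, and all addresses and rule names are constructed.
"""
from dataclasses import dataclass
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # constructed LAN subnet
GATEWAY_WAN_IP = "203.0.113.5"                      # constructed gateway WAN address


@dataclass(frozen=True)
class Service:
    proto: str                  # "tcp", "udp", "icmp" or "any"
    ports: tuple = (0, 65535)   # inclusive port range; ignored for icmp/any

    def matches(self, proto, port):
        if self.proto not in ("any", proto):
            return False
        if self.proto in ("any", "icmp"):
            return True
        return self.ports[0] <= port <= self.ports[1]


ANY_FULL = Service("any")
FTP = Service("tcp", (21, 21))


@dataclass
class Rule:
    name: str
    source: str                 # "LAN", "WAN", "Any" or a host address
    dest: str                   # "LAN", "WAN", "Any" or a host address
    service: Service
    action: str                 # "Allow" or "Deny"
    publish_to: tuple = None    # (ip, port) when traffic broadcasting is enabled


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    port: int


def zone(ip):
    """LAN: host behind the gateway; WAN: the gateway's own Internet address; EXT: any other host."""
    if ipaddress.ip_address(ip) in LAN_NET:
        return "LAN"
    return "WAN" if ip == GATEWAY_WAN_IP else "EXT"


def endpoint_matches(spec, ip):
    if spec == "Any":
        return True
    if spec in ("LAN", "WAN"):
        return zone(ip) == spec
    return spec == ip


def evaluate(rules, pkt):
    """Return (rule name, action, effective destination) from the first matching rule."""
    for r in rules:
        if (endpoint_matches(r.source, pkt.src) and endpoint_matches(r.dest, pkt.dst)
                and r.service.matches(pkt.proto, pkt.port)):
            target = r.publish_to if (r.publish_to and r.action == "Allow") else (pkt.dst, pkt.port)
            return r.name, r.action, target
    return None, "Deny", (pkt.dst, pkt.port)   # nothing matched: treated as dropped


# Constructed rule set in the "deny everything, then allow what is needed" layout.
# The catch-all sits last because evaluation is top-down; placing it there is an
# assumption of this model, not a statement about where the product lists it.
RULES = [
    Rule("lan-out",     "LAN", "Any", ANY_FULL, "Allow"),
    Rule("to-lan",      "Any", "LAN", ANY_FULL, "Allow"),
    Rule("gateway-out", "WAN", "Any", ANY_FULL, "Allow"),
    Rule("publish-ftp", "Any", "WAN", FTP,      "Allow", publish_to=("192.168.10.21", 21)),
    Rule("#NONUSER#",   "Any", "Any", ANY_FULL, "Deny"),
]

if __name__ == "__main__":
    outside = "198.51.100.7"
    print(evaluate(RULES, Packet(outside, GATEWAY_WAN_IP, "tcp", 21)))    # published FTP
    print(evaluate(RULES, Packet(outside, GATEWAY_WAN_IP, "tcp", 3389)))  # hits the catch-all
    # The same rules with the catch-all first: the publishing rule is never reached.
    print(evaluate(RULES[-1:] + RULES[:-1], Packet(outside, GATEWAY_WAN_IP, "tcp", 21)))
```

The last call shows why the order of the list matters: a deny-all placed above the publishing rule silently breaks the published service.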

An important distinctive feature of the implemented firewall is the intrusion prevention system. It works fully automatically, detecting attempts at unauthorized access using signatures and heuristic methods, and neutralizing them by blocking unwanted traffic flows or dropping dangerous connections.

Summing up

In this review, we examined in some detail the organization of joint access of company employees to the Internet. In modern conditions, this is not the easiest process, since a large number of different nuances must be taken into account. Moreover, both technical and organizational aspects are important, especially the control of user actions.

Note: This article has been edited, updated with relevant data and additional links.

UserGate Proxy & Firewall is an Internet gateway of the UTM (Unified Threat Management) class that allows you to provide and control the general access of employees to Internet resources, filter malicious, dangerous and unwanted sites, protect the company's network from external intrusions and attacks, create virtual networks and organize secure VPN access to network resources from the outside, as well as manage bandwidth and Internet applications.

The product is an effective alternative to expensive software and hardware and is intended for use in small and medium-sized businesses, government agencies, and large organizations with a branch structure.

You can find all additional information about the product.

The program has additional paid modules:

  • Kaspersky Antivirus
  • Panda Antivirus
  • Avira Antivirus
  • Entensys URL Filtering

Each module is licensed for one calendar year. You can test the work of all modules in a trial key, which can be provided for a period of 1 to 3 months for an unlimited number of users.

You can read more about the licensing rules.

For all questions related to purchasing Entensys solutions, please contact: [email protected] or by calling the toll free line: 8-800-500-4032.

System requirements

To organize a gateway, you need a computer or server that must meet the following system requirements:

  • CPU frequency: from 1.2 GHz
  • RAM volume: from 1024 Gb
  • HDD capacity: from 80 GB
  • Number of network adapters: 2 or more

These figures assume about 75 users; the larger the number of users, the higher the server specification should be.

We recommend installing our product on a computer with a "clean" server operating system; the recommended operating system is Windows 2008/2012.
We do not guarantee correct operation of UserGate Proxy & Firewall alongside third-party services, and we do not recommend installing it together with such services on a gateway that performs any of the following roles:

  • Domain controller
  • Virtual machine hypervisor
  • Terminal server
  • High-load DBMS / DNS / HTTP server, etc.
  • SIP server
  • Host of services critical to business processes
  • Any combination of the above

UserGate Proxy & Firewall currently may conflict with the following types of software:

  • All third-party firewall solutions, without exception
  • BitDefender antivirus products
  • The firewall or "anti-hacker" modules of most antivirus products; it is recommended to disable these modules
  • Antivirus modules that scan data transmitted via the HTTP / SMTP / POP3 protocols; this may cause delays during active work through the proxy
  • Third-party software capable of intercepting data from network adapters: "speed meters", "shapers", etc.
  • The Windows Server "Routing and Remote Access" role active in NAT / Internet Connection Sharing (ICS) mode

Attention! During installation, it is recommended to disable IPv6 support on the gateway, provided that no applications that use IPv6 are in use. The current implementation of UserGate Proxy & Firewall does not support IPv6, and therefore no filtering of this protocol is performed. Thus, the host can be reached from the outside via IPv6 even if firewall deny rules are active.

If configured correctly, UserGate Proxy & Firewall is compatible with the following roles and services:

Microsoft Windows Server roles:

  • DNS server
  • DHCP server
  • Print server
  • File (SMB) server
  • Application server
  • WSUS server
  • WEB server
  • WINS server
  • VPN server

And with third-party products:

  • FTP / SFTP servers
  • Messaging servers - IRC / XMPP

When installing UserGate Proxy & Firewall, make sure that third-party software does not use the port or ports that UserGate Proxy & Firewall uses. By default, UserGate uses the following ports:

  • 25 - SMTP proxy
  • 80 - transparent HTTP proxy
  • 110 - POP3 proxy
  • 2345 - UserGate administrator console
  • 5455 - UserGate VPN Server
  • 5456 - UserGate authorization client
  • 5458 - DNS Forwarding
  • 8080 - HTTP proxy
  • 8081 - UserGate web statistics

All ports can be changed using the UserGate Administrator Console.
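A pre-install check for the port conflicts mentioned above, as an added Python example that is not part of the product: it takes the default port table from this page and probes each port with a bind attempt; the probe covers TCP only, and the exclusive-bind option is set on Windows so that a service bound to a single address is not missed.

```python
"""Pre-install check that nothing on the future gateway already listens on the
ports UserGate Proxy & Firewall uses by default.

Added example, not part of the product: the port table is the one on the page,
the probe is a plain bind attempt that works on Windows and Linux, and the
defaults can be changed later in the Administrator Console anyway.
"""
import errno
import socket

DEFAULT_PORTS = {            # port -> component, from the page's table (TCP probed)
    25: "SMTP proxy",
    80: "transparent HTTP proxy",
    110: "POP3 proxy",
    2345: "UserGate administrator console",
    5455: "UserGate VPN server",
    5456: "UserGate authorization client",
    5458: "DNS forwarding",
    8080: "HTTP proxy",
    8081: "UserGate web statistics",
}

IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}
NO_PERMISSION = {errno.EACCES, getattr(errno, "WSAEACCES", errno.EACCES)}


def port_status(port, host="0.0.0.0"):
    """Return "free", "in use" or "no permission" for a TCP port.

    A bind attempt is used instead of connecting to localhost: a third-party
    service bound to one specific interface still collides with the gateway's
    own bind, but a connect to 127.0.0.1 would not notice it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # On Windows a wildcard bind would otherwise succeed next to a socket
        # bound to a specific address; exclusive mode makes the collision visible.
        if hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
            s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
        s.bind((host, port))
        return "free"
    except OSError as e:
        if e.errno in IN_USE:
            return "in use"
        if e.errno in NO_PERMISSION:
            return "no permission"   # e.g. unprivileged user on a low port (Linux)
        raise
    finally:
        s.close()


def check_default_ports(ports=DEFAULT_PORTS, host="0.0.0.0"):
    """Map each port to (component, status); anything not "free" needs attention before install."""
    return {port: (name, port_status(port, host)) for port, name in ports.items()}


def demo_collision():
    """Open a throwaway listener (standing in for a conflicting service) and probe its port."""
    hog = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    hog.bind(("127.0.0.1", 0))        # ephemeral port, so the demo never touches real services
    hog.listen(1)
    port = hog.getsockname()[1]
    try:
        return port, port_status(port, "127.0.0.1")
    finally:
        hog.close()


if __name__ == "__main__":
    print("collision demo:", demo_collision())
    for port, (name, status) in sorted(check_default_ports().items()):
        print("%5d  %-36s %s" % (port, name, status))
```

Run it as the account that will install the product; "no permission" on a low port means the probe could not tell and the port should be checked with netstat instead.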

Installing the program and choosing a database for work

UserGate Proxy & Firewall Configuration Wizard

A more detailed description of configuring NAT rules is described in this article:

UserGate agent

After installing UserGate Proxy & Firewall, be sure to reboot the gateway. After logging in, the UserGate agent icon in the Windows taskbar notification area next to the clock should turn green. If the icon is gray, an error occurred during installation and the UserGate Proxy & Firewall server service has not been started; in this case, refer to the corresponding section of the Entensys knowledge base or to Entensys technical support.

The product is configured via the UserGate Proxy & Firewall administration console, which can be invoked either by double-clicking on the UserGate agent icon or by clicking the shortcut from the "Start" menu.
When starting the Administration Console, the first step is to register the product.

General settings

In the General Settings section of the Administrator Console, set the password for the Administrator user. Important! Do not use special Unicode characters or the product PIN as the password for accessing the administration console.

UserGate Proxy & Firewall has an attack defense mechanism, which can also be activated in the "General settings" menu. The attack defense mechanism is an active mechanism, a kind of "red button" that works on all interfaces. It is recommended to use this function in case of DDoS attacks or mass malware infection (viruses / worms / botnet applications) of computers within the local network. The attack protection mechanism can block users running file-sharing clients (torrents, Direct Connect) and some types of VoIP clients / servers that actively exchange traffic. To get the IP addresses of blocked computers, open the file ProgramData\Entensys\Usergate6\logging\fw.log or Documents and Settings\All users\Application data\Entensys\Usergate6\logging\fw.log.

Attention! The parameters described below should be changed only when there are a large number of clients or high bandwidth requirements on the gateway.

This section also contains the following settings: "Maximum number of connections" - the maximum number of all connections through NAT and UserGate Proxy & Firewall.

"Maximum number of NAT connections" - the maximum number of connections that UserGate Proxy & Firewall can pass through the NAT driver.

If the number of clients is not more than 200-300, then it is not recommended to change the settings "Maximum number of connections" and "Maximum number of NAT connections". Increasing these parameters can lead to a significant load on the gateway equipment and is recommended only if the settings are optimized for a large number of clients.

Interfaces

Attention! Before doing this, be sure to check the network adapter settings in Windows! The interface connected to the local area network (LAN) must not have a gateway address. It is not necessary to specify DNS servers in the LAN adapter settings; the IP address must be assigned manually, and we do not recommend obtaining it via DHCP.

The LAN adapter must have a private IP address. It is allowed to use an IP address from the following ranges:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

The allocation of private network addresses is described in RFC 1918.

Using other ranges as addresses for the local network will lead to errors in UserGate Proxy & Firewall operation.

An interface connected to the Internet (WAN) must have an IP address, netmask, gateway address, and DNS server addresses.
It is not recommended to use more than three DNS servers in the WAN adapter settings; this may lead to network errors. Check each DNS server in advance using the nslookup command in the cmd.exe console, for example:

nslookup usergate.ru 8.8.8.8

where 8.8.8.8 is the DNS server address. The response must contain the IP address of the requested host. If there is no answer, the DNS server is not working or DNS traffic is blocked.

It is necessary to define the type of the interfaces. The interface whose IP address is connected to the internal network must be of the LAN type; the interface connected to the Internet must be of the WAN type.
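The adapter rules from this section (no gateway on the LAN adapter, a manually assigned LAN address inside one of the three RFC 1918 ranges, and a WAN adapter with an address, mask, gateway and at most three DNS servers), as an added Python pre-flight check that is not part of the product; the adapter settings are constructed and would normally be copied from "ipconfig /all".

```python
"""Pre-flight check of the gateway's adapter settings against the rules above.

Added example, not part of UserGate Proxy & Firewall: the adapter settings are
constructed for illustration. Only the three RFC 1918 ranges are accepted on the
LAN side; Python's ip.is_private would also accept link-local (169.254/16) and
other ranges that the page says will cause errors.
"""
import ipaddress

# The only LAN ranges the page allows (RFC 1918).
ALLOWED_LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MAX_WAN_DNS = 3


def is_rfc1918(ip):
    """True only for the three private ranges listed on the page."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_LAN_RANGES)


def check_adapters(lan, wan):
    """Return a list of findings; an empty list means the settings follow the rules.

    lan: dict with ip, gateway (str or None), dhcp (bool).
    wan: dict with ip, mask, gateway and dns (list of addresses)."""
    findings = []
    # LAN side: private address, assigned manually, no gateway (DNS optional).
    if not is_rfc1918(lan["ip"]):
        findings.append("LAN address %s is outside 10/8, 172.16/12 and 192.168/16" % lan["ip"])
    if lan.get("gateway"):
        findings.append("LAN adapter must not have a gateway address (found %s)" % lan["gateway"])
    if lan.get("dhcp"):
        findings.append("LAN address should be assigned manually, not obtained via DHCP")
    # WAN side: address, mask, gateway and one to three DNS servers.
    for key in ("ip", "mask", "gateway"):
        if not wan.get(key):
            findings.append("WAN adapter is missing its %s" % key)
    if not wan.get("dns"):
        findings.append("WAN adapter has no DNS servers")
    elif len(wan["dns"]) > MAX_WAN_DNS:
        findings.append("WAN adapter lists %d DNS servers, at most %d recommended"
                        % (len(wan["dns"]), MAX_WAN_DNS))
    return findings


# Constructed settings: a correct pair, and a LAN adapter with three mistakes
# (link-local address obtained via DHCP, with a gateway set).
GOOD_LAN = {"ip": "192.168.10.1", "gateway": None, "dhcp": False}
BAD_LAN = {"ip": "169.254.20.5", "gateway": "169.254.20.254", "dhcp": True}
WAN = {"ip": "203.0.113.5", "mask": "255.255.255.0", "gateway": "203.0.113.1",
       "dns": ["8.8.8.8", "8.8.4.4"]}

if __name__ == "__main__":
    print("good:", check_adapters(GOOD_LAN, WAN))
    for finding in check_adapters(BAD_LAN, WAN):
        print("bad: -", finding)
```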

If there are several WAN interfaces, select the main WAN interface, through which all traffic will go, by right-clicking on it and selecting "Set as main connection". If you plan to use another WAN interface as a backup channel, we recommend using the "Configuration Wizard".

Attention! When configuring a backup connection, it is recommended to specify an IP address rather than a DNS host name, so that UserGate Proxy & Firewall can poll it periodically with ICMP (ping) requests and enable the backup connection if there is no response. Make sure the DNS servers in the NIC settings in Windows are operational.
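The backup-channel logic described here and in the basic setup section (poll the control resources at an interval, switch to the backup channel when they stop answering, keep polling the main link and switch back on the first success), as an added Python model that is not the product's code; the poll results are constructed booleans standing in for ICMP replies, and the policy that all control hosts must be silent before failing over is this model's assumption.

```python
"""Model of the backup-channel switch-over, driven by constructed poll results.

Added example, not UserGate code. Each poll round is a dict of control host ->
bool (True = ICMP reply received over the main link), so the logic runs offline.
Treating the main link as down only when *all* control hosts are silent is an
assumption of this model."""


class ChannelSelector:
    def __init__(self, control_hosts):
        self.control_hosts = list(control_hosts)
        self.active = "main"
        self.switches = 0          # number of flips; a high count means flapping

    def poll(self, replies):
        """Process one poll round of the main link and return the channel now in use.

        replies maps each control host to whether it answered; missing hosts count
        as no reply."""
        main_alive = any(replies.get(h, False) for h in self.control_hosts)
        if self.active == "main" and not main_alive:
            self.active, self.switches = "backup", self.switches + 1
        elif self.active == "backup" and main_alive:
            # The main link keeps being probed while on backup; first success switches back.
            self.active, self.switches = "main", self.switches + 1
        return self.active


def simulate(control_hosts, rounds):
    """Run a sequence of poll rounds; return (channel used in each round, switch count)."""
    sel = ChannelSelector(control_hosts)
    history = [sel.poll(r) for r in rounds]
    return history, sel.switches


# Constructed scenario: host "a" is an unreliable control resource, "b" and "c"
# are stable; round 4 is a real outage of the main link (nobody answers).
ROUNDS = [
    {"a": True,  "b": True,  "c": True},
    {"a": False, "b": True,  "c": True},   # only the flaky host is silent
    {"a": True,  "b": True,  "c": True},
    {"a": False, "b": False, "c": False},  # main link really down
    {"a": False, "b": True,  "c": True},   # main link back, flaky host still silent
    {"a": True,  "b": True,  "c": True},
]

if __name__ == "__main__":
    # A single flaky control host causes needless flapping; several stable ones do not.
    print("one control host:   ", simulate(["a"], ROUNDS))
    print("three control hosts:", simulate(["a", "b", "c"], ROUNDS))
```

With only the flaky host configured, the gateway flips four times across the six rounds; with three hosts it switches exactly twice, once out and once back, which is the reason the text advises choosing several reliably available resources.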

Users and groups

For a client computer to authorize on the gateway and use the UserGate Proxy & Firewall and NAT services, you need to add users. To simplify this, use the "Scan LAN" function: UserGate Proxy & Firewall scans the local network automatically and presents a list of hosts that can be added as users. You can then create groups and include users in them.

If you have a domain controller deployed, you can either configure synchronization of groups with Active Directory groups, or import users from Active Directory once, without ongoing synchronization.

Create a group that will be synchronized with one or more AD groups, enter the required data in the "Synchronize with AD" menu, and restart the UserGate service using the UserGate agent. After 300 seconds the users are imported into the group automatically. The authorization method for these users will be AD.

Firewall

For the gateway to operate correctly and safely, you must configure the firewall.

The recommended approach is: deny all traffic, then add allowing rules only in the directions that are needed. To do this, switch the # NONUSER # rule to "Deny" mode (this denies all local traffic on the gateway). Caution! If you are configuring UserGate Proxy & Firewall remotely, you will be disconnected from the server at this point. Then create the allowing rules.

Allow all local traffic on all ports, from the gateway to the local network and from the local network to the gateway, by creating rules with the following parameters:

Source - "LAN", destination - "Any", services - ANY: FULL, action - "Allow"
Source - "Any", destination - "LAN", services - ANY: FULL, action - "Allow"

Then we create a rule that will open Internet access for the gateway:

Source - "WAN"; destination - "Any"; services - ANY: FULL; action - "Allow"

If you need to allow incoming connections to the gateway on all ports, the rule looks like this (note that it exposes every service running on the gateway, including its proxies and management interface, to the Internet, so use it only if you really need it):

Source - "Any"; destination - "WAN"; services - ANY: FULL; action - "Allow"

If instead the gateway should accept incoming connections only via RDP (TCP 3389), for example, and should be pingable from outside, create the following rule:

Source - "Any"; destination - "WAN"; services - Any ICMP, RDP; action - "Allow"

In all other cases, for security reasons, do not create a rule for incoming connections.

To give client computers access to the Internet, create a network address translation (NAT) rule:

Source - "LAN"; destination - "WAN"; services - ANY: FULL; action - "Allow"; select the users or groups to whom you want to grant access.

Firewall rules can also be built the other way around: allow everything and explicitly prohibit what is not wanted, depending on how the # NON_USER # rule is configured and on your company policy. Rules are ordered by priority and are evaluated from top to bottom.

Options for various settings and examples of firewall rules can be viewed.
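Once the rules are in place, the only reliable way to confirm that the gateway exposes nothing beyond what the "Any -> WAN" rule allows is to probe its WAN address from a host outside the network. The following PowerShell script is an added example, not UserGate tooling; it uses Test-NetConnection to send an ICMP echo and a TCP connect to a list of common service and proxy ports, and reports any port that answers but is not in the expected list (TCP 3389, matching the RDP-only rule in the text). The WAN address 203.0.113.10 is a documentation placeholder and the port list is an assumption, not a statement of UserGate's default ports.

```powershell
# Added example, not UserGate code: run from a host OUTSIDE the gateway to check
# that only the intended services (ICMP echo + RDP/3389 in the page's example)
# answer on the WAN address. $WanAddress and the port list are placeholders.

function Test-WanExposure {
    param(
        [Parameter(Mandatory)][string]$WanAddress,
        [int[]]$ExpectedOpen = @(3389),
        # Common service and proxy ports; extend as needed
        [int[]]$ProbePorts = @(21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1080, 3128, 3389, 8080)
    )
    $unexpected = @()

    # ICMP echo: the rule in the text allows "Any ICMP", so a reply is expected here
    $pingOk = Test-NetConnection -ComputerName $WanAddress -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Host ("ICMP echo : {0}" -f $(if ($pingOk) { 'answered' } else { 'no reply' }))

    foreach ($p in $ProbePorts) {
        # TCP connect; a completed handshake means the firewall let the packet through
        $open  = Test-NetConnection -ComputerName $WanAddress -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        $state = if ($open) { 'OPEN  ' } else { 'closed' }
        $flag  = if ($open -and ($p -notin $ExpectedOpen)) { '  <-- no allowing rule covers this port' } else { '' }
        Write-Host ("TCP {0,5} : {1}{2}" -f $p, $state, $flag)
        if ($open -and ($p -notin $ExpectedOpen)) { $unexpected += $p }
    }
    return $unexpected   # empty means only the expected ports answered
}

# Placeholder WAN address (TEST-NET-3); replace with the gateway's real external IP
Test-WanExposure -WanAddress '203.0.113.10' -ExpectedOpen 3389
```

A closed result for every probed port except 3389 is what the "Source - Any; destination - WAN; services - Any ICMP, RDP" rule should produce; any other open port means a rule above it in the list is broader than intended, or # NONUSER # was not switched to "Deny".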

Other settings

Next, in the Services - Proxy section, enable the proxy servers you need: HTTP, FTP, SMTP, POP3, SOCKS. Select the interfaces each proxy listens on. Enabling the "listen on all interfaces" option is insecure: the proxy then becomes available on the external interfaces as well as on the LAN, so anyone on the Internet can use it as an open proxy. The "transparent" proxy mode redirects all traffic on the selected port to the proxy port, so in this case client computers do not need a proxy setting. The proxy also remains available on the port specified in the proxy server's own settings.
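To check on the gateway itself that no proxy has ended up listening on all interfaces, list the TCP listeners bound to the wildcard address or to the WAN address. The following PowerShell function is an added example, not part of UserGate; it uses Get-NetTCPConnection and Get-Process to show which process owns each such listener. The WAN address 203.0.113.10 is a placeholder.

```powershell
# Added example, not UserGate code: run ON the gateway to find TCP listeners that
# are reachable from the WAN side, i.e. bound to 0.0.0.0 / :: (all interfaces)
# or directly to the WAN address. $WanAddress is a placeholder.

function Get-ExposedListeners {
    param([Parameter(Mandatory)][string]$WanAddress)
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::', $WanAddress) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Process      = $proc.ProcessName
                Verdict      = if ($_.LocalAddress -eq $WanAddress) { 'bound to WAN' } else { 'listens on ALL interfaces' }
            }
        } | Sort-Object Port
}

Get-ExposedListeners -WanAddress '203.0.113.10' | Format-Table -AutoSize
```

A proxy port that appears in this list with the verdict "listens on ALL interfaces" was enabled with "listen on all interfaces" and should be re-bound to the LAN interface; only services deliberately published to the Internet (RDP in the example above) belong here.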

If transparent proxy mode is enabled on the server (Services - Proxy settings), it is enough to specify the UserGate server as the default gateway in the client machine's network settings. The UserGate server can also be specified as the DNS server; in that case its DNS forwarding must be enabled.

If transparent mode is disabled on the server, enter the UserGate server address and the corresponding proxy port from Services - Proxy settings in the browser's connection settings. An example of configuring the UserGate server for this case can be viewed.

If your network already has a DNS server, you can specify it both in the UserGate DNS forwarding settings and in the UserGate WAN adapter settings. In that case all DNS requests, in both NAT mode and proxy mode, are directed to this server.

