UserGate UTM 4. Administrator's Guide. Entensys Administrator's Guide


UserGate UTM 4 Administrator's Guide

Content

Introduction
Network security and protection from network threats
Firewall
Detection and prevention of intrusions
Cloud-based anti-virus tool
Gateway anti-virus tool for filtering files and attachments
Anti-spam and anti-virus protection of traffic
Robust protection from latest threats
Improvements in network performance and reliability
Support of redundant channels
Traffic management and channel balancing
Caching
High availability
Traffic management and Internet access control
Internet access control
User identification
Support of the BYOD ("Bring Your Own Device") concept
Content filtering and application control
Internet filtering
In-depth content analysis
Access control for social media
Support of HTTPS filtering
Blocking of banners, pop-ups and tracking scripts
Application control
Other functions
Real-time monitoring and statistics
Resource publishing
Load balancing
DHCP server and DHCP relay
Remote administration
Initial configuration
Managing the device
General settings
The Monitoring panel
Installing license
Clustering and high availability
Backing up and restoring initial settings
Exporting and importing settings
Updating software
Command-line interface (CLI)
Managing certificates
Creating SSL decryption certificates based on company's CA
Logs export
SNMP-based monitoring
Managing access to the UserGate UTM console
Configuring a network
Configuring zones
Configuring interfaces
Configuring gateways
Configuring DHCP
Configuring DNS
Routes
Users and devices
Users
Groups
Authorization servers
Active Directory connector
Radius authorization server
Kerberos authorization server
Configuring a Captive portal
Users of terminal servers
Authorization agent for Windows
Transient users
BYOD policies
Network policies
Firewall
NAT and routing
NAT rules
DNAT rules
Routing rules
Load balancing
Traffic shaping
Managing security policies
Content filtering
Requests to a white list
Safe browsing
Configuring HTTPS decryption
Intrusion detection and prevention system
Mail security
Notifications
Notification profiles
Alert rules
Libraries
Morphology
Services
IP addresses
Content types
URL lists
Time sets
Bandwidth pools
Response pages
URL categories
Applications
s
Phones
Statistics
Monitoring
Network monitoring
Traffic
Statistics
Content filtering
Rule log
Search history
Logs
Event log
Traffic log
IDPS log
Web access log
Setting up a standalone statistics server
Technical support
Appendix 1: Installing a certificate issued by the local certification center
Installing a certificate for Internet Explorer and Chrome in Windows
Installing a certificate for Safari and Chrome in MacOSX
Installing a certificate for Firefox

Introduction

UserGate UTM is a comprehensive network gateway that implements Unified Threat Management and features a built-in firewall, routing, gateway anti-virus tool, intrusion detection and prevention system (IDPS), VPN server, content filtering system, monitoring and statistics, and more. This product provides everything you may need for efficient network management, traffic optimization and prevention of cyber-attacks.

Network security and protection from network threats

Firewall

The firewall built into UserGate UTM filters the traffic at various levels (e.g. TCP, UDP, IP), thereby protecting your network from hacker attacks and various types of intrusions.

Detection and prevention of intrusions

Our intrusion detection and prevention system (IDPS) can quickly detect malicious network activity, identify, record and prevent various threats, and generate detailed reports on each suspicious event. Security breaches are usually detected by means of heuristic techniques and matching against signatures of already known attacks. Entensys regularly provides and updates its own databases of heuristic rules and virus signatures. IDPS can track and proactively block all the detected attacks in real time, e.g. terminate malicious network connections, send notifications to network administrators, log the suspicious activity, and so on.

Cloud-based anti-virus tool

The cloud-based anti-virus tool developed and regularly updated by Entensys efficiently protects users without sacrificing the overall network performance, since the signatures of all downloaded files and scripts are analyzed in the cloud rather than on local machines. Entensys uses a database containing hundreds of thousands of malicious signatures, which is updated on an hourly basis via non-proprietary systems and special "sandboxes". This approach ideally fits high-load environments and can block malicious files using the so-called "zero day" techniques without impacting the overall network performance.

Gateway anti-virus tool for filtering files and attachments

All organizations want to keep their local networks and incoming traffic safe from viruses and spyware. UserGate UTM uses the anti-virus engine from Kaspersky Lab for checking incoming and outgoing traffic.

Anti-spam and anti-virus protection of traffic

UserGate UTM can efficiently handle traffic of protocols (SMTP(S) and POP3(S)) and check it for spam messages and viruses.

Robust protection from latest threats

Various modules of UserGate UTM check downloaded content, scripts and files for both known and unknown malicious objects, analyze possible threats and proactively prevent them. These include the firewall, intrusion detection and prevention system, application control (at the L7 level), cloud-based anti-virus tool, network traffic filtering, web reputation services, and special black lists from third parties. Thanks to the combination of these tools for code analysis and web reputation checking, IT administrators can easily and efficiently avoid network threats and proactively protect end devices from infections.

Improvements in network performance and reliability

Support of redundant channels

UserGate UTM allows you to switch between available network channels from various ISPs, thereby making the Internet access much more reliable and resilient.

Traffic management and channel balancing

You can assign priorities to users and applications by means of the traffic management functionality, so that the most resource-intensive endpoints cannot severely impact the overall network performance. This will ensure the agreed service level for all your mission-critical software.

Caching

Caching helps to boost the Internet access speed by showing previously saved content from a local storage. The cached content is persistently kept in the server's RAM (RAM-Cache) for higher Internet speed.

High availability

The High Availability feature dramatically reduces the risks of hardware faults that can potentially impact UserGate UTM. Using this function, you can deploy the system on peer nodes and then set up automatic failover between them. The solution implements clustering and the high-availability VRRP cluster (active-passive).

Traffic management and Internet access control

Internet access control

UserGate UTM controls web applications and Internet access based on custom rules which you can easily adapt to your corporate policies. This will ensure multi-tier access to network resources and efficient sharing of bandwidth among various applications and services. In addition, the Internet access control functionality can automatically apply individual security settings to each user and resource in the network infrastructure.

User identification

UserGate UTM supports user authentication as well as individual firewall settings, content filtering and application control for each user by means of Active Directory, Kerberos, RADIUS, LDAP and other authentication tools. Network administrators are free to apply individual security settings for each user, group of users or, for example, all guest users at once. In addition, the system supports authentication via web interfaces, such as Captive portals, special Terminal Services Agents with configured rules, or via authorization agents for Windows-based platforms. UserGate UTM can also manage temporary users created by system administrators or registered on their own through SMS/ confirmations.

Support of the BYOD ("Bring Your Own Device") concept

You can set up special access policies for any user devices including laptops, tablets and smartphones. In UserGate UTM, you can limit the maximum number of devices per user (both total and currently used devices) as well as define a list of devices from which a particular user is allowed to access the corporate network.

Content filtering and application control

Internet filtering

The Internet filtering module can significantly strengthen the security of your local network through full control over Internet connections and downloads as well as through blocking access to potentially malicious or unwanted web resources.

In-depth content analysis

UserGate UTM performs morphological analysis of web pages to check them for certain words or phrases, thereby restricting access to certain sections of a website without blocking the entire website or domain. This approach is efficient for various social media, forums and other Web 2.0 portals where most of the content is directly published by users. The system uses special morphological dictionaries of prohibited topics according to the national laws and regulations, such as "Profanity", "Pornography", "Suicide", "Drugs", "Terrorism", etc.

Access control for social media

UserGate UTM allows you to block online games and various apps from Facebook, VKontakte, Odnoklassniki and other social media. Network administrators can provide access to social media in general, but prohibit or restrain certain unwanted actions in them. The system also supports filtering of individual pages and groups in social media by various criteria, such as extremist content, profanity, and more.

Support of HTTPS filtering

In addition to the standard web traffic, UserGate UTM can also filter encrypted HTTPS traffic. The server dynamically replaces certificates and provides the fully-featured traffic filtering tools including morphological content filtering.

Blocking of banners, pop-ups and tracking scripts

UserGate UTM can efficiently block banners and pop-ups. Websites often display third party content from banner networks which they cannot filter or control on their own. Since such banners may show unwanted content or even provide links to malicious web resources, it is reasonable to block them for higher safety and secure web surfing. Large IT corporations, such as Google and Facebook, track the online behavior of many Internet users via their own social media, web portals and search engines. UserGate UTM can efficiently block various scripts used for tracking user behavior on the Internet.

Application control

The application control functionality is based on regularly updated databases of signatures and can be used in firewall settings and bandwidth rules. This will help to avoid typical threats coming from network applications. Network administrators will be able to restrict usage of messengers, torrent clients and similar software for personal purposes while keeping the local network safe from Internet threats.

Other functions

Real-time monitoring and statistics

UserGate UTM provides detailed web history which shows not only addresses of blocked websites, but also their category, the morphological dictionary used for their blocking, and lots of other parameters. The system also provides the detailed history of search queries. Thanks to the built-in logging and prevention functionality, you can efficiently control the Internet access even without direct blocking and explicit restrictions.

Resource publishing

Network administrators are often asked to provide temporary access for third parties to internal corporate resources including web/ servers, FTPs or VPNs. In this case, it is necessary to create a rule that forwards queries from UserGate UTM to a machine in your local network where the corresponding service is running.

Load balancing

UserGate UTM supports load balancing for various services within a local network including internal servers published on the Internet (DNAT) and internal servers without publication. The balancer uses various techniques to dynamically allocate queries received on the IP address of a virtual server to IP addresses of physical servers.

DHCP server and DHCP relay

Support of the Dynamic Host Configuration Protocol (DHCP) which allows network administrators to automate and manage allocation of IP addresses to various devices in local networks. Using the DHCP service, network administrators can manage and allocate IP addresses and automatically assign IP addresses to all newly connected devices in their local network. UserGate UTM is also able to work as a DHCP relay by forwarding DHCP requests from clients in different networks to the central DHCP server.

Remote administration

UserGate UTM provides a dedicated web interface for management and administration which helps network administrators to efficiently control all local networks in branches and remote offices of the organization. UserGate UTM also supports the SNMP v2 and SNMP v3 protocols for monitoring purposes.

Initial configuration

UserGate UTM is usually implemented as a set of hardware and software (appliance) or as a virtual machine (virtual appliance) ready for deployment in a virtual environment. In both cases, UTM is equipped with four or more Ethernet interfaces. The eth0 interface is automatically allocated an IP address (via DHCP) and then added to the Management zone. To perform initial configuration, the network administrator should connect to the web console via eth0. If the system fails to allocate an IP address to the Management interface automatically via DHCP, the network administrator can assign it manually using CLI (Command-Line Interface). For more details on CLI, please refer to Command-Line Interface (CLI). All other interfaces are disabled by default and should be configured individually.

Perform the following steps for initial configuration:

Step 1. Connect to the management interface
If DHCP server is available: Connect the eth0 interface to your corporate network with active DHCP server. Launch UTM. After rebooting, UTM will display the IP address to which you need to connect for product activation.
Static IP address: Launch UTM. Assign an unallocated IP address to the eth0 using CLI (Command-Line Interface). For more details on CLI, please refer to Command-Line Interface (CLI).
Connect to the web console of UserGate UTM using the specified address which should look like this:

Step 2. Select a language
Select a language which you want to use during the initial configuration process.

Step 3. Enter a password
Specify the username and password for the web administration interface.

Step 4. Register the system
Enter PIN to activate the product and fill in the registration form. UserGate UTM will require Internet access for proper activation. If you cannot activate the system on this step, you can perform it later on step 10 after setting up the network interfaces.

Step 5. Set up the zones and IP addresses of interfaces and then connect UTM to your corporate network
In the Interfaces section, enable the interfaces you need, allocate valid IP addresses from your local networks and then group these interfaces by zone. For details on how to manage interfaces, please refer to Configuring interfaces. By default, the system provides 4 predefined zones:
- Trusted (LAN)
- Untrusted (Internet)
- DMZ (DMZ)
- Management (administration network), eth0 interface

Step 6. Set up the Internet gateway
In the Gateways section, specify the IP address of your Internet gateway (for the Internet access interface) in the Untrusted zone. For details on how to manage interfaces, please refer to Configuring gateways.

Step 7. Specify DNS servers of the system
In the DNS section, specify the IP addresses of DNS servers and the ISP/servers used in your corporate network. For details on how to manage interfaces, please refer to Configuring DNS.

Step 8. Create the NAT rules
In the NAT and Routing section, create the necessary NAT rules. The system is predefined with the NAT rule required for Internet access from the Trusted network ("Trusted→Untrusted"). For details on how to create NAT rules, please refer to NAT and Routing.

Step 9. Create the firewall rules
In the Firewall section, create the necessary firewall rules. The system is predefined with the firewall rule required for unlimited Internet access from the Trusted network ("Internet for Trusted"), so you can simply enable it. For details on how to create firewall rules, please refer to Firewall.

Step 10. Register the product (if you haven't registered it on step 4)
In the Settings section, enter your PIN to register the product. For successful registration, make sure that the Internet connection is active and all the above steps are completed. For more details on product licensing, please refer to Installing license.

Step 11. Create additional administrators (optional)
In the Device management section, create additional system administrators and grant them necessary rights (via roles).

Step 12. Set up user authorization (optional)
In the Users and devices section, define the necessary methods of user authorization. The simplest way to do this is to create local UTM users with fixed IP addresses or disable user identification completely (i.e. apply the "Any" user to all rules). For details on other authorization options, please refer to User identification.

Step 13. Create the content filtering rules (optional)
In the Content filtering section, create the HTTP(S) filtering rules. For more details on content filtering, please refer to the corresponding section.

Step 14. Create the safe browsing rules (optional)
In the Safe browsing section, create the additional safe browsing rules. For more details on safe browsing, please refer to Safe browsing.

Step 15. Create the HTTPS decrypting rules (optional)
In the HTTPS decryption section, create the capturing and decryption rules for HTTPS traffic. For more details on HTTPS decryption, please refer to Configuring HTTPS decryption.

Step 16. Create the rules of the intrusion detection and prevention system (IDPS) (optional)
Enable the IDPS module in the Settings section. In the IDPS section, create the threat prevention rules for your network. For more details on IDPS rules, please refer to Intrusion detection and prevention system.

Once all the above steps are complete, UserGate UTM will be ready for work. For more details on the configuration process, please refer to the corresponding sections of this Guide.

Managing the device

General settings

The Settings section contains basic parameters of UserGate UTM, such as:

- Timezone: Specify the timezone according to your actual location. The timezone is used for scheduling in rules as well as for displaying correct date and time in statistical reports, logs and other elements.
- Default language of the interface: Default language that will be used in the console.
- Modules: Enables or disables the following UTM modules:
  - Statistics
  - IDPS: module of the intrusion detection and prevention system
  - Application control: module for the signature-based detection of application traffic
  - External ICAP server: module for setting up communication between the system's server and an external ICAP server, e.g. a DLP system. Additional details are provided below in this chapter
- HTTP(S) proxy port: allows you to set a custom HTTP(S) proxy port number. Default is TCP 8090.
- Captive portal Auth domain: special domain name which is used by UTM to authorize users by Captive portal. This domain name should be resolved to the IP address of the UTM interface connected to users. If users use UTM as their DNS server, then everything should work right away. Default is auth.captive.
- Captive portal Logout domain: special domain name which is used by UTM users to log out. This domain name should be resolved to the IP address of the UTM interface connected to users. If users use UTM as their DNS server, then everything should work right away. Default is logout.captive.

Parameters of the statistics module:

- Collect statistics: enables or disables collection of statistics

- Status: displays the current status of the statistics server
- Server address: IP address of the statistics server. In most cases, is used (i.e. localhost)
- Port: a TCP port on which the statistics server is listening for events
- Password: authorization string for connecting to the statistics server

- If no license: Defines the behavior of the filtering module when the license for Entensys URL filtering is missing or has expired. Possible options: Block (block the Internet access) and Pass without filtering.

Parameters of the proxy server's cache:

Configuring HTTP caching
- Enabled/Disabled: enables or disables caching
- Cache exclusions: list of URLs which should not be cached
- Max cacheable object size (MB): objects of a larger size will not be cached. The recommended value is 1 MB (set by default)
- RAM size (MB): amount of RAM available for caching. It is not recommended that you allocate more than 20% of RAM for caching

In order to pass the traffic to external ICAP servers, usually your DLP system, you should first set up parameters of the ICAP client of the UserGate UTM's server. To do this, click Settings and specify the necessary parameters:

- On/Off: Enables or disables sending data to the ICAP server
- Server address: IP address of the ICAP server
- Port: Port of the ICAP server (usually 1344)
- Reqmod path: Path used in the Reqmod mode on the ICAP server. The URL for the Reqmod mode consists of this path and the server's IP address and port. Set / as path if your ICAP server does not require a Reqmod path

- Respmod path: Path used in the Respmod mode on the ICAP server. The URL for the Respmod mode consists of this path and the server's IP address and port. Set / as path if your ICAP server does not require a Respmod path
- Maximum request size: The maximum allowed size of a request sent to the ICAP server for analysis, in Mbytes
- Skip on errors: When this option is enabled, UserGate UTM does not send data to the ICAP server if the ICAP server is not available or works improperly

Important! Note that traffic is passed to ICAP servers before the content filtering rules are applied.

Important! UserGate UTM uses the X-Authenticated-User field to pass the username to an ICAP server, the X-Client-Ip field to pass the user's IP address and the X-Client-MAC field to pass the user's MAC address.

This page also provides various logging parameters. From here, network administrators can specify the modules for which they want to log events. Note also that excessively detailed logging may impact the overall server performance.

Logging parameters:

Event severity: Specify the severity of messages to be logged:
- Errors
- Warnings
- Critical
- Info

Components: Specify the components for which you want to log events:
- Accounts and groups
- Bandwidth
- HTTPS decryption
- Device
- Firewall
- Console authorization
- Captive portal
- High availability
- Logs export

- Content filtering
- IDPS
- Libraries
- NAT and routing
- Networking
- Safe browsing
- Settings
- Updates
- Mail security

This page also provides parameters of log files for traffic, IDPS and web access. Events coming from corresponding services of UserGate UTM are recorded into these logs as text. Using this option, network administrators can set up the rotation period for log files.

Parameters of log files:

- Rotation period for logs, in days: Period in days after which a new events log will be created and the old events log will be deleted. You can also set up a logging schedule or archive logs for future use (see Exporting logs)
- Current size: Displays the current size of the log
- Empty log: Removes all data in the log. This functionality is useful when log files exceed their disk space quotas due to high activity of users. In such a case, it is recommended that you adjust the rotation period to avoid exceeding quotas in future

The Monitoring panel

The Monitoring panel displays real-time information about operation of the system, such as active Ethernet ports, license, traffic charts, charts of DNS and HTTPS requests per unit of time, CPU load, memory usage, and more. All information on the Monitoring panel is grouped into easily customizable widgets. You can swap, remove, collapse or resize widgets as required.
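Returning to the ICAP client settings under General settings: the guide states that the username, IP address and MAC address reach the ICAP server in the X-Authenticated-User, X-Client-Ip and X-Client-MAC fields. The following added example (not code from Entensys or from the original guide) shows how a receiving ICAP service could parse a REQMOD message and validate those fields before writing them to DLP logs. The message layout follows the ICAP standard (RFC 3507); the sample addresses, the /reqmod path, the plain-text username and the colon- or hyphen-separated MAC notation are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Field names as listed in the guide; the MAC notation is an assumption.
IDENTITY_HEADERS = ("x-authenticated-user", "x-client-ip", "x-client-mac")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


class IcapParseError(ValueError):
    """The message is not an acceptable REQMOD request."""


def parse_reqmod(raw: bytes, reqmod_path: str = "/") -> dict:
    """Return the client identity and HTTP request line from one REQMOD message."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise IcapParseError("ICAP header block is not terminated")
    lines = head.decode("latin-1").split("\r\n")

    # Request line: REQMOD icap://server:port/path ICAP/1.0
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "REQMOD" or parts[2] != "ICAP/1.0":
        raise IcapParseError("not an ICAP/1.0 REQMOD request line")
    uri = urlsplit(parts[1])
    if uri.scheme != "icap" or (uri.path or "/") != reqmod_path:
        raise IcapParseError("URI does not match the configured Reqmod path")

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise IcapParseError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        # Two copies of an identity field are ambiguous: refuse, do not pick one.
        if key in IDENTITY_HEADERS and key in headers:
            raise IcapParseError(f"duplicate {key} header")
        headers[key] = value.strip()

    # Encapsulated lists byte offsets into the body, e.g. "req-hdr=0, null-body=52".
    offsets = []
    for item in headers.get("encapsulated", "").split(","):
        name, eq, off = item.strip().partition("=")
        if not eq or not off.isdigit():
            raise IcapParseError("missing or malformed Encapsulated header")
        offsets.append((name, int(off)))
    names = [n for n, _ in offsets]
    if "req-hdr" not in names:
        raise IcapParseError("REQMOD without an encapsulated request header")
    i = names.index("req-hdr")
    start = offsets[i][1]
    end = offsets[i + 1][1] if i + 1 < len(offsets) else len(body)
    if not 0 <= start < end <= len(body):
        raise IcapParseError("Encapsulated offsets fall outside the body")
    request_line = body[start:end].decode("latin-1").split("\r\n", 1)[0]

    ip = headers.get("x-client-ip")
    if ip is not None:
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            raise IcapParseError("X-Client-Ip is not an IP address") from None
    mac = headers.get("x-client-mac")
    if mac is not None and not MAC_RE.match(mac):
        raise IcapParseError("X-Client-MAC is not a MAC address")

    return {
        "user": headers.get("x-authenticated-user"),  # None: user not identified
        "client_ip": ip,
        "client_mac": mac.lower() if mac else None,
        "http_request_line": request_line,
    }


def build_sample(user="jsmith", ip="192.0.2.15", mac="00:11:22:33:44:55") -> bytes:
    """Constructed REQMOD message (not captured from a real device)."""
    http = b"GET /report.pdf HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    fields = ["REQMOD icap://198.51.100.10:1344/reqmod ICAP/1.0",
              "Host: 198.51.100.10:1344"]
    if user is not None:
        fields.append(f"X-Authenticated-User: {user}")
    fields += [f"X-Client-Ip: {ip}", f"X-Client-MAC: {mac}",
               f"Encapsulated: req-hdr=0, null-body={len(http)}"]
    return ("\r\n".join(fields) + "\r\n\r\n").encode("latin-1") + http


if __name__ == "__main__":
    print(parse_reqmod(build_sample(), reqmod_path="/reqmod"))
    print(parse_reqmod(build_sample(user=None), reqmod_path="/reqmod"))
```

These fields are ordinary ICAP headers, so they are only as trustworthy as the connection they arrive on: the ICAP port (usually 1344) should accept connections from the UTM address only.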

Installing license

UserGate UTM is licensed by the number of simultaneously connected devices. For example, if you have an end user license for 100 devices, then you are eligible to connect 100 devices with unique IP addresses at once, but the 101st device and the next ones will not gain access to your network. Note that the number of accounts in the system is not limited. After installing the license, you will be able to use UserGate UTM for an unlimited period of time.

The following modules are licensed separately:

Security Update (SU)
The SU module provides the following benefits:
- updates for UTM software
- updates for signatures of the intrusion detection and prevention system
- updates for signatures of L7 applications
- technical support
The module is provided for a 1-year period after which you will need to purchase a license in order to continue obtaining software updates and technical support.

Advanced Threat Protection (ATP)
The ATP module includes the following:
- 1-year subscription for Entensys URL filtering database
- 1-year subscription for up-to-date lists of prohibited websites according to some national laws, lists of phishing websites as well as black and white lists from Entensys
- 1-year subscription for morphological databases from Entensys
- 1-year subscription for the cloud-based anti-virus from Entensys
- 1-year subscription for the ad blocking module
The module is licensed for a 1-year period, and upon its expiration:
- Entensys URL filtering will stop working
- Morphological filtering will stop working
- Lists of prohibited websites according to some national laws, lists of phishing websites as well as black and white lists from Entensys will continue working, but no updates will be available

- The cloud-based anti-virus from Entensys will stop working
- The ad blocking module will stop working

Kaspersky Anti-Virus (KAV)
The Kaspersky Anti-Virus module includes a 1-year subscription for Kaspersky Anti-Virus.

Mailsecurity
Mailsecurity includes a 1-year subscription for traffic control based on the anti-spam and anti-virus module from Entensys.

To register the product, perform the following steps:

Step 1. Go to the monitoring panel
Click the Monitoring icon in the top right corner.

Step 2. Register the product in the License info section
In the License info section, click Register the product, enter your PIN and fill in the registration form.

Clustering and high availability

UserGate UTM supports clustering which allows you to merge multiple UserGate UTM devices into a single cluster with shared settings. The following settings are shared across all nodes in a cluster:

- Zones
- Certificates
- DNS
- Authorization servers
- Terminal servers
- Groups
- Users
- Captive portal
- Captive profiles
- Firewall policies
- NAT and routing policies
- Bandwidth policies
- Content filtering policies
- Safe browsing
- HTTPS decryption

- IDPS
- Libraries
- Notification profiles
- Notifications
- SNMP

The following settings are individual for each node in a cluster:

- Interfaces
- Gateways
- DHCP
- Routes
- Logs export

To create a new cluster, perform the following steps:

Step 1. Perform initial configuration on the first node of your cluster
For details, please refer to Initial configuration.

Step 2. On the first node of your cluster, configure a zone with interfaces that will be used for replication of the cluster
In the Zones section, create a new dedicated zone for replication of cluster settings or use an existing one. The following services must be allowed in the zone settings:
- Administration console
- Cluster
Do not use zones in which interfaces are connected to untrusted networks or the Internet.

Step 3. Specify the IP address for communication with other nodes of your cluster
In the Device management section, select the current node of your cluster and click Edit. Specify the IP address of the interface from the zone configured on step 2.

Step 4. Generate the Secret code on the first node of your cluster
In the Device management section, click Generate secret code. Then copy the generated code to the Clipboard. This secret code is used for one-time authorization of the second node being added to your cluster.

Step 5. Connect the second node to your cluster
Connect to the web console of the second node in your cluster and select the language that you want to use during installation. Specify the interface for communication with the first node and allocate an IP address. Both cluster nodes must belong to the same subnetwork, e.g. IP addresses of the eth2 interfaces on both nodes are /24 and /24. Specify the IP address of the first node configured on step 3, paste the secret code and then click Connect. If IP addresses configured on step 2 in your cluster are valid, then the second node will be added to the cluster and all settings of the first node will be replicated to the second node.

Step 6. Assign zones to interfaces of the second node
In the web console of the second node in your cluster, go to Network → Interfaces and assign a valid zone to each interface. Zones and their settings have already been replicated from the first node of your cluster.

You can also merge two servers of your cluster into a single high-availability VRRP cluster, where one server will be the master node for traffic handling and the other one will be the slave node. Note that the high-availability cluster requires a shared virtual IP address. The virtual IP address will be switched from the master to the slave node in the following situations:

- The slave does not receive confirmations that the master node is available, for example, the master node is switched off or is not reachable via the network
- The connectivity checker is configured (see Gateways chapter) and there is no Internet access via any of the gateways configured

To create a new high-availability cluster, perform the following steps:

Step 1. Create a new cluster
Create a new cluster as described above.

Step 2. On both nodes of your cluster, set up the zone with interfaces that you want to use in the high-availability cluster
In the Zones section, create a new dedicated zone or use an existing one. Enable the VRRP service in the zone settings.

Step 3. Add nodes of your cluster to the high-availability VRRP cluster
In the Device management → High-availability cluster section, click Add and specify the virtual IP address of the cluster. Specify the nodes of your cluster (Primary node and Redundant node) and interfaces for communication with the virtual IP address.

Step 4. Specify the virtual IP address for auth.captive and logout.captive
If you are going to set up authorization via the Captive portal, then make sure that the system names of auth.captive and logout.captive are resolved into the IP address that you have previously configured as the virtual address of your cluster. To do this, create the following static records in the DNS section:
auth.captive virtual_ip_address
logout.captive virtual_ip_address
Alternatively, it is possible to configure Captive portal Auth domain and Captive portal Logout domain. For more details refer to the General Settings section of this manual.

UserGate UTM allows you to keep the working state of every node on the high-availability cluster. If one of the nodes is down, all users will be switched to the backup node along with all their sessions. To enable synchronization of sessions, perform the following steps:

Step 1. Create a new high-availability cluster for interfaces connected to users
Create a new high-availability cluster as described above.

Step 2. Create a new high-availability cluster for interfaces connected to the Internet
Create a new high-availability cluster as described above.

Step 3. Enable synchronization of sessions
Complete the following actions on each node of your high-availability cluster. In the Device management → High-availability cluster section, click Sessions sync, specify the interface which will be used for synchronizing and then enable synchronization. In most cases, the same interfaces are used both for cluster and session synchronization.

Backing up and restoring initial settings

In UserGate UTM, you can easily back up the current system state and then restore it when necessary. This feature is especially useful when critical changes are applied to the system, such as installing UserGate UTM updates. It is recommended that you regularly make backups of your data.

To create a new backup, perform the following steps:

Step 1. Connect to the server console
Connect a monitor to VGA (HDMI) and a keyboard to USB (if these ports are available on the device), or connect your PC to the serial port of UserGate UTM through a special cable/usb-serial adapter. Run any software terminal supporting serial port connections, e.g. Putty for Windows. Establish a new serial port connection using the following connection parameters: n1

Step 2. Reboot the device
In the Device management → Server operations section of the web console, click Reboot.

Step 3. Select the backup management menu while the system is rebooting
While the device is booting, select Support menu and then Create backup. The boot menu is not shown if you connected via serial port. To get to the Support menu, press key 4 while the device is booting. To select Create backup, press key C, then Enter.

Step 4. Make a backup
Insert a flash drive into the USB port of UserGate UTM. The server will format the flash drive and then save the current system state to it. Once the procedure is finished, the server will reboot.

To restore the previous system state from a backup, perform the following:

Step 1. Connect to the server console
Connect a monitor to VGA (HDMI) and a keyboard to USB (if these ports are available on the device)
or
Connect your PC to the serial port of UserGate UTM through a special cable/USB-serial adapter. Run any software terminal supporting serial port connections, e.g. Putty for Windows. Establish a new serial port connection using the following connection parameters: n1

Step 2. Reboot the device
In the Device management → Server operations section of the web console, click Reboot.

Step 3. Select the backup management menu while the system is rebooting
While the device is booting, select Support menu and then Restore backup. Boot menu is not shown if you connected via serial port. To get to Support menu, press key 4 while the device is booting. To select Restore backup, press key R, then Enter.

Step 4. Restore the system from a backup
Insert a flash drive with the latest backup into the USB port of UserGate UTM. Once the procedure is finished, the server will reboot.

To reset UserGate UTM to default settings, perform the following:

Step 1. Connect to the server console
Connect a monitor to VGA (HDMI) and a keyboard to USB (if these ports are available on the device)
or
Connect your PC to the serial port of UserGate UTM through a special cable/USB-serial adapter. Run any software terminal supporting serial port connections, e.g. Putty for Windows. Establish a new serial port connection using the following connection parameters: n1

Step 2. Reboot the device
In the Device management → Server operations section of the web console, click Reboot.

Step 3. Select the backup management menu while the system is rebooting
While the device is booting, select Support menu and then Factory reset. Once the procedure is finished, the server will reboot. Boot menu is not shown if you connected via serial port. To get to Support menu, press key 4 while the device is booting. To select Factory reset, press key F, then Enter.

Exporting and importing settings

Network administrators can save the current settings of UserGate UTM and then restore them on the same or another UserGate UTM server. Unlike the backup procedure, exporting/importing of settings saves only the current parameters rather than the current state of all system components.

Important! Exporting/importing settings will not restore the cluster's state and licensing information. Once the import procedure is finished, register UserGate UTM with your PIN again and re-create the cluster if necessary.

To export settings, perform the following steps:

Step 1. Export the settings
In the Device management section, click Server settings → Export. The system will save the current settings of your server to the file called "database.bin".

To apply the previously created settings, perform the following steps:

Step 1. Import the settings
In the Device management section, click Server settings → Import and then browse to the previously created configuration file. Once the specified settings are applied to the server, the server will reboot.

Important! Note that you can import settings only into the same version of UserGate UTM in which they have been created. Don't try to restore settings on a newer or older version, since this may cause critical failures in UserGate UTM.

Updating software

Entensys always does its best to deliver top-quality software and regularly issues UserGate UTM updates for all subscribers of the Security Update licensing module (for details on licensing, please refer to Managing the device → Installing license). Once a new update is available, the system will display the corresponding notification in the Device management section. Since installing UserGate UTM updates may take some time, it is recommended that you schedule it beforehand to avoid unplanned downtime.

To install updates, perform the following steps:

Step 1. Create a new backup file
Make a backup of UserGate UTM's current state as described in Device management → Backing up and restoring initial settings. It is recommended that you perform this step before each update, so that you can recover the system in case of any faults during installation of updates.

Step 2. Install updates
In the Device management section, find the New updates available notification and click Install now. Once all the downloaded updates are installed, UserGate UTM will reboot.

Command-line interface (CLI)

In UserGate UTM, you can define basic settings of the device using the command-line interface, or CLI. Using CLI, network administrators can run various diagnostic commands, such as ping, nslookup and traceroute, configure network interfaces and zones, and reboot or shut down the device. CLI is especially useful for network diagnostics or when the web console is temporarily unavailable, e.g. due to an invalid IP address or access control zone.

You can connect to CLI physically through standard VGA/keyboard ports (if they are available on UserGate UTM) or a serial port, or remotely via SSH.

To connect to CLI using a monitor and a keyboard, perform the following steps:

Step 1. Connect a monitor and a keyboard to UserGate UTM
Connect a monitor to VGA (HDMI) and a keyboard to USB.

Step 2. Log in to CLI
Log in to CLI using the username and password of the Full Administrator (Admin by default). If UserGate UTM has not been initialized yet, then use the following credentials to access CLI: Admin/utm

To connect to CLI using a serial port, perform the following steps:

Step 1. Connect to UserGate UTM
Connect your PC to UserGate UTM by means of a special cable for serial ports or a USB-Serial adapter.

Step 2. Run the terminal
Run any software terminal supporting serial port connections, e.g. Putty for Windows. Establish a new serial port connection using the following connection parameters: n1

Step 3. Log in to CLI
Log in to CLI using the username and password of the Full Administrator (Admin by default). If UserGate UTM has not been initialized yet, then use the following credentials to access CLI: Admin/utm

To connect to CLI remotely via SSH, perform the following steps:

Step 1. Enable access to CLI (by SSH) for the selected zone
Enable access to CLI via the SSH protocol for the zone through which you are going to access CLI. The TCP 2200 port will be opened.

Step 2. Run an SSH terminal
Run an SSH terminal on your PC, e.g. SSH for Linux or Putty for Windows. Specify the UserGate UTM address for address, 2200 for connection port, and the Full Administrator credentials for username and password (Admin by default). In Linux, the connection command should look like this:
    ssh Admin@IP-UTM -p 2200

Step 3. Log in to CLI
Log in to CLI using the password of the user you have specified in the previous step. If UserGate UTM has not been initialized yet, then use the following credentials to access CLI: Admin/utm

Once you have successfully logged in to CLI, you can view the full list of supported commands by entering help. To view a detailed description of a command, use the following syntax:
    help command
For example, if you want to view a detailed description of the iface command for configuring network interfaces, type the following:
    help iface

The following commands are supported:

help - Displays the full list of available commands

exit, quit, Ctrl+D - Log out of CLI

code-change-control - A set of commands for viewing and configuring the action taken on an unauthorized code change. The code integrity check runs every time UTM is booted.
    code-change-control show - shows the current code-change-control configuration
    code-change-control set log - sets the action to logging the unauthorized code change to the event log. Requires setting a password for changing this setting
    code-change-control set block - sets the action to blocking traffic. If UTM finds any code change, it creates a firewall rule which blocks all transit traffic. To disable or remove this firewall rule, the administrator has to disable code-change-control (set it to off). Requires setting a password for changing this setting to another value
    code-change-control set off - sets code-change-control to off. Requires entering the password which was set before

config-change-control - A set of commands for viewing and configuring the action taken on an unauthorized configuration change. Before activating this control, the administrator should complete the configuration of the UTM in accordance with company requirements and then freeze the configuration (set the mode to log or block). Any subsequent change to the configuration will either be logged to the Event log, or be logged and cause transit traffic to be blocked. The configuration integrity check runs every few minutes.
    config-change-control show - shows the current configuration. Default value is off
    config-change-control set log - sets the action to logging the unauthorized configuration change to the event log. Requires setting a password for changing this setting
    config-change-control set block - sets the action to blocking traffic. If UTM finds any configuration change, it creates a firewall rule which blocks all transit traffic. To disable or remove this firewall rule, the administrator has to disable config-change-control (set it to off). Requires setting a password for changing this setting to another value
    config-change-control set off - sets config-change-control to off. Requires entering the password which was set before

date - Returns the server's local time

gateway - A set of commands for viewing and configuring gateway parameters. Type gateway help for more details

iface - A set of commands for viewing and configuring network interface parameters. Type iface help for more details

license - Shows current license information

node - A set of commands for viewing and configuring the cluster's nodes. Type node help for more details

nslookup - Returns an IP address of the specified host

ping - Pings the specified host

proxy - A set of commands for viewing and configuring the HTTP/S proxy server. The administrator can configure the following settings:
    add VIA to the HTTP headers. Default is set to false, which is the recommended value
    add X-Forwarded-For to the HTTP headers. Default is set to false, which is the recommended value
    HTTP connection timeout - sets the maximum waiting time for establishing a connection to a web server. Default value is 20 seconds
    HTTP loading timeout - sets the maximum waiting time for data from a web server. Default is 60 seconds
    Check proxy help for more information

radmin - A set of commands for viewing and configuring remote access to the UTM for the Entensys technical support team. Type radmin help for more details

reboot - Reboots the UserGate UTM server

route - Create, edit, delete routes

shutdown - Shuts down the UserGate UTM server

traceroute - Traces a connection up to the specified host

webaccess - A set of commands for viewing and configuring the web console's authentication mode. You can use this command to revert from the X.509 Certificate mode to the Login and password mode

zone - A set of commands for viewing and configuring zone parameters. Type zone help for more details

Managing certificates

UserGate UTM uses the secure HTTPS protocol for managing devices. It is able to intercept/decrypt transit SSL traffic (HTTPS, SMTPS, POP3S) and to authenticate administrators based on their certificates. This UserGate UTM functionality is based on SSL certificates:

Web console SSL certificate - This certificate is used by network administrators for establishing secure HTTPS connections with the UserGate UTM web console

Captive portal SSL certificate - This certificate is used by users for establishing secure HTTPS connections with the UserGate UTM Captive portal page. This certificate should be issued to the Captive portal auth domain as it is defined in General settings. By default, a self-signed certificate for auth.captive (the default value for Captive portal auth domain) is used

SSL decrypt certificate - This certificate is used for creating SSL certificates of Internet hosts for which the HTTPS, SMTPS, POP3S traffic should be decrypted. For example, when decrypting the HTTPS traffic from yahoo.com, the original certificate, issued with
    Subject name = yahoo.com
    Issuer name = VeriSign Class 3 Secure Server CA - G3
is replaced with
    Subject name = yahoo.com
    Issuer name = company name as specified on the certificate issued by the CA used in UserGate UTM

SSL decrypt intermediate CA - This certificate can be used in organizations where SSL decryption certificates are issued by a chain of certification authorities. Note that only public keys are required

Web console auth CA - Certification authority certificate which is used to authorize administrators to log in to the web console. An administrator's certificate should be signed with this certificate for successful authorization

Though you can create multiple certificates of the types web console SSL, Captive portal SSL certificate and SSL decrypt certificate, only one certificate of each type can be used at a time. It is possible to have and use more than one web console auth CA certificate at the same time.

To create a new certificate, perform the following steps:

Step 1. Create a new certificate
Click Create in the Certificates section.

Step 2. Fill in the necessary fields
Fill in the following mandatory fields:
    name of the certificate that will be shown in the list of certificates
    certificate's description
    Country - specify the country in which you want to issue the certificate
    Region or state - specify the region or state in which you want to issue the certificate
    City - specify the city in which you want to issue the certificate
    Company name - specify the name of the company for which you want to issue the certificate
    Common name - specify the name of the certificate. For compatibility with most web browsers, it is recommended that you use only Latin letters
    specify the address of your company

Step 3. Set the type of created certificate
Once the certificate is created, you need to set its type, i.e. decide what the certificate's role should be. Select the created certificate in the list and press the Edit button. Set the certificate's type (web console SSL, SSL decrypt or web console auth CA). If you selected web console SSL, UserGate UTM will restart the web console to apply the changes. The SSL decrypt certificate will begin to work immediately. For more details about SSL decryption, please refer to Configuring HTTPS decryption.

In UserGate UTM, you can export the internally created certificates or import certificates from other systems, e.g. from the trusted certification authority of your company.

To export a certificate, perform the following steps:

Step 1. Select a certificate for exporting
Select the desired certificate in the list of certificates.

Step 2. Export the selected certificate
Select the type of export:
    Export certificate - exports the certificate's public key in the PEM format without exporting the certificate's private key. Use this file to set a trusted root certificate on every workstation. For more details, please refer to Appendix #1
    Export private key - exports the certificate's private key

Important! It is recommended that you save the certificate and its private key for backup purposes.

Important! Users can download SSL decrypt certificate directly from UserGate UTM from the link: Network zone should have Administrative console access enabled.

To import an existing certificate, you should have the certificate's public and optionally private key and then perform the following:

Step 1. Start the import
Click the Import button.

Step 2. Fill in the necessary fields
Fill in the following fields:
    name of the certificate as it will be shown in the list of certificates
    certificate's description
    Upload a file containing the certificate's data
    Upload a file containing the certificate's private key

Creating SSL decryption certificates based on company's CA

If one or more certification authorities are already set up in your organization, you can use a certificate issued by your internal CA as the SSL decryption certificate. If your internal CA is trusted by all business users, SSL traffic will be intercepted seamlessly and users will not be notified about substituted SSL certificates.

Let's consider an example. Suppose that your organization has an internal CA which is based on Microsoft Enterprise CA and integrated with Active Directory, as shown in the picture below.

[Figure: CA hierarchy - Root CA, Intermediate Sub CA1, Intermediate Sub CA2]

In order to issue a new certificate for UserGate UTM using Sub CA2 and then set up this certificate as your SSL decryption certificate, perform the following steps:

Step 1. Generate a CSR request for creation of a new certificate in UTM
Select Generate → New CSR, fill in the necessary fields and then generate a new CSR. The system will create a private key and a request file. Click Export to download this file.

Step 2. Create a new certificate based on this CSR
Using Microsoft CA, create a new certificate based on the downloaded CSR file by running the certreq utility:
    certreq.exe -submit -attrib "CertificateTemplate:SubCA" HTTPS_csr.pem
or the web console. For more details, please refer to Microsoft's documentation. As a result, you will obtain a new certificate (public key) signed by Sub CA2.

Step 3. Download the resulting certificate
Download the certificate (public key) from the web console of Microsoft CA.

Step 4. Upload the certificate to the previously created CSR
In UserGate UTM, select the CSR you've previously created and then click Edit. Upload the certificate file and click Save.

Step 5. Specify the certificate as your SSL decryption certificate
In UserGate UTM, select the CSR you've previously created and then click Edit. In the Use as field, choose SSL decrypt certificate.

Step 6. Download certificates for the intermediary CAs (Sub CA1 and Sub CA2)
In the web console of Microsoft CA, select and download certificates (public keys) for Sub CA1 and Sub CA2.

Step 7. Upload the certificates for Sub CA1 and Sub CA2 to UTM
Click Import to add the downloaded certificates for Sub CA1 and Sub CA2 into UTM.

Step 8. Specify the certificates for Sub CA1 and Sub CA2 as your intermediary SSL decryption certificates
In UserGate UTM, select the uploaded certificates and click Edit. In the Use as field, choose SSL intermediate decrypt certificate for both these certificates.

Logs export

UserGate UTM supports the following logs:
    Web access
    IDPS
    Traffic

Logs are text files containing detailed descriptions of system events. Log files are rotated according to the rotation policy (for more details, please refer to General settings). Each log can be sent to an external server for storing and future use. The system supports sending logs to SSH (SFTP), FTP and Syslog servers. You can set up a schedule according to which the logs will be sent to SSH and FTP servers. Sending to Syslog servers is performed each time a new record is added into a log.

To start sending logs, you should create a logs export configuration in the Logs export section. Specify the following parameters when creating a new configuration:

of the log export rule

Optional field for rule description

Logs for export - Select logs for export:
    Web access log
    IDPS log
    Traffic log

Server type - SSH (SFTP), FTP, Syslog

Server address - IP address or domain name of the server

Protocol - Only for Syslog servers (TCP or UDP)

Port - Server port to which the data should be sent

Login - Username of the account used for connecting to a remote server. Not applicable for Syslog servers

Password - Password of the account used for connecting to a remote server. Not applicable for Syslog servers

Repeat password - Confirmation of the password of the account used for connecting to a remote server. Not applicable for Syslog servers

Directory path - Server folder into which the log files will be copied. Not applicable for Syslog servers

Schedule - Select a schedule for sending logs. Not applicable for Syslog servers. Possible values:
    Daily
    Weekly
    Monthly
    Every hours
    Every minutes
    Advanced
If you set the value manually, use the crontab-like format in which a string consists of six fields separated with spaces. Time in fields is specified in the following format: (minutes: 0-59) (hours: 0-23) (days of month: 0-31) (month: 0-12) (days of week: 0-6, 0 is Sunday). You can also use the following symbols in the first five fields:
    Asterisk (*) denotes the entire range (from the first element up to the last one)
    Hyphen (-) denotes a numeric range. For example, "5-7" stands for 5, 6 and 7
    Lists. These are numbers (or ranges) separated with commas. Example: "1,5,10,11" or "1-11,19-23"
    Asterisk, or a range with increment. Denotes a gap in a range. Increment is specified after the slash. For example, "2-10/2" stands for "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours"

SNMP-based monitoring

UserGate UTM supports the SNMP v2c and SNMP v3 protocols for monitoring purposes. The system can use both SNMP queries and SNMP traps, thereby allowing you to track critical parameters of UserGate UTM directly from the SNMP management software deployed in your company.

To set up the SNMP-based monitoring, you should first define the SNMP rules. To create a new SNMP rule, click Add in the SNMP section and specify the following parameters:

Rule name

Trap host IP, port - IP address of the trap server and the port on which the server will be listening for events (usually UDP 162). This option is necessary only if you want to send traps to the notification center

Community - SNMP community, a string for identification of the UTM server and the SNMP management server for SNMP v2c. Make sure to use only digits and Latin letters

Context - Optional parameter which defines the SNMP context. Make sure to use only digits and Latin letters

Version - Specify the version of the SNMP protocol that you want to use in this rule. Possible values are SNMP v2 and SNMP v3

Operation: SNMP queries - When enabled, the system will be retrieving and handling SNMP queries from the SNMP manager

Operation: SNMP traps - When enabled, the system will be sending SNMP traps to the management server

Username - Applicable for SNMP v3 only. Username for authorization of the SNMP manager

Authentication type - Select an authentication mode for the SNMP manager. Possible values:
    Without authentication, without encryption (noauthnopriv)
    With authentication, without encryption (authnopriv)
    With authentication, with encryption (authpriv)
The most secure mode is authpriv

Authentication algorithm - Algorithm used for authentication

Authentication password - Password used for authentication

Encryption algorithm - Algorithm used for encryption. Possible values are DES and AES

Encryption password - Password used for encryption

Events - Specify parameters which will be available for the SNMP manager. If you enabled sending traps, the system will send a trap each time the critical value is reached

Important! Make sure that all authentication settings for SNMP v2c (community) and SNMP v3 (user, authentication type, authentication algorithm, authentication password, encryption algorithm, encryption password) in the SNMP manager are exactly the same as in UserGate UTM. For more details on how to configure authentication parameters for your SNMP manager, please refer to the manuals of the SNMP management software you are using.

By clicking Download MIBs, you can download MIB files with UTM monitoring parameters and then use them in your SNMP manager. Entensys has its own unique ID for SNMP (Private Enterprise Number).

Managing access to the UserGate UTM console

You can manage access to the UserGate UTM web console using additional accounts of network administrators, roles, password management policies and zone-based access permissions. As an additional security measure, it is possible to use authentication to the web console based on administrators' certificates.

To create additional accounts of network administrators for the device, perform the following:

Step 1. Create a new administrator's account
In the Device management section, go to Administrators and click Add.

Step 2. Fill in the necessary fields
Fill in the following mandatory fields:
    Enabled - enables the selected user
    Login name - username of the selected account
    Password and Password confirmation - password of the selected account
    address of the network administrator
    Role - access level for the network administrator. The following roles are supported:
        Full Admin - provides full permissions on managing the device
        Read-only - provides permissions on viewing (but not changing) device settings
        Transient users admin - provides permissions on managing temporary users. For more details on temporary users, please refer to Transient users

Important! During the initial configuration, UserGate UTM creates the superuser called Admin, which is the only user eligible to create accounts of other administrators.

The administrator can set up additional security parameters for accounts of other network administrators, such as password complexity and blocking of accounts in case of multiple failed attempts to log in to the system. To set up these parameters, perform the following:

Step 1. Configure the password policy
In the Device management section, go to Administrators and click Configure.

Step 2. Fill in the necessary fields
Fill in the following mandatory fields:
    Strong password - the password must contain at least one uppercase character, at least one lowercase character, at least one digit and at least one special character, and its total length must be eight characters or more
    Number of invalid auth attempts - total number of unsuccessful attempts to log in to the administrator's account after which this account will be blocked for Block time
    Block time - period for which the account will be blocked

Admin can also specify zones from which the web console will be accessible (via the TCP 8001 port).

Important! It is not recommended that you permit access to the web console from zones connected to untrusted networks or to the Internet.

To enable access to the web console for a certain zone, go to the zone properties and enable the Administration console in the access control section. For more details on how to set up the access control for zones, please refer to the Configuring zones section.

You can enable authorization for users to access the web console using an administrator's certificate. To enable this mode, you need to perform the following (openssl utility commands are shown as an example):

Step 1. Create a new administrator's account
Create an account as described above in this chapter, e.g. create an account for Administrator54.

Step 2. Create or import an existing certificate of the type of Web console auth CA
Create or import an existing certificate (only public key is required) of the type of Web console auth CA in accordance with the instructions in the Managing certificates chapter. To create a certificate with openssl, use the following commands:
    openssl req -x509 -subj '/C=UK/ST=London/O=MyCompany/CN=ca.mycompany.com' -newkey rsa:2048 -keyout ca-key.pem -out ca.pem -nodes
    openssl rsa -in ca-key.pem -out ca-key.pem
The file named ca-key.pem will contain the private key, while ca.pem is the public key. Import the public key into the UTM.

Step 3. Create certificates for administrators
Create certificates for administrators using third-party utilities. It is required that the Common name field exactly matches the name of the administrator's account as it was created in UTM in step 1. Example for openssl and user Administrator54:
    openssl req -subj '/C=UK/ST=London/O=MyCompany/CN=Administrator54' -out admin.csr -newkey rsa:2048 -keyout admin-key.pem -nodes

Step 4. Sign administrators' certificates using the web console auth CA certificate created in step 2
Using third-party utilities, sign certificates for administrators using the web console auth CA certificate created in step 2. Example for openssl and user Administrator54 (<number_of_days> is a placeholder for the validity period):
    openssl x509 -req -days <number_of_days> -CA ca.pem -CAkey ca-key.pem -set_serial 1 -in admin.csr -out admin.pem
    openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out admin.p12 -name 'Administrator54 client certificate'
The file admin.p12 contains the signed certificate of Administrator54.

Step 5. Add signed certificates to the OS which will be used by administrators to log in to the web console
Add the signed certificates to the operating system (or to the Firefox browser if it will be used to manage UTM) which will be used by administrators to log in to the web console. For details, please refer to the manual for your OS.

Step 6. Switch web console authentication mode to X.509 Certificate
In General Settings, change Web console authentication mode to X.509 Certificate.
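A pre-flight check for steps 2-6 above, as an added example that is not part of the original guide or of UserGate tooling: before the console is switched to X.509 Certificate mode, it confirms that the administrator certificate verifies against the Web console auth CA, that its Common Name exactly matches the account name, and that the private key belongs to the certificate. The function names, the --demo switch, the 30-day validity and the throwaway key material are assumptions made for illustration; the file names and the Administrator54 account follow the steps above.

```shell
#!/bin/sh
# Added example (not UserGate tooling): pre-flight check of an administrator
# certificate before the web console is switched to X.509 Certificate mode.
# Function names and the demo key material are constructed for illustration.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_admin_cert CA_PEM CERT_PEM KEY_PEM ACCOUNT
# Returns 0 if the certificate is usable for ACCOUNT, otherwise:
#   1 = does not verify against the Web console auth CA (bad issuer, expired)
#   2 = Common Name differs from the account name
#   3 = private key does not belong to the certificate
check_admin_cert() {
    auth_ca=$1; adm_cert=$2; adm_key=$3; account=$4

    openssl verify -CAfile "$auth_ca" "$adm_cert" >/dev/null 2>&1 || {
        echo "FAIL: $adm_cert does not verify against $auth_ca" >&2
        return 1
    }
    cn=$(cert_cn "$adm_cert")
    [ "$cn" = "$account" ] || {
        echo "FAIL: CN '$cn' is not the account name '$account'" >&2
        return 2
    }
    cert_pub=$(openssl x509 -in "$adm_cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$adm_key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $adm_key is not the key for $adm_cert" >&2
        return 3
    }
    echo "OK: $adm_cert is valid for account '$account'"
}

# Build constructed demo material with the commands from steps 2-4:
# an auth CA, an Administrator54 certificate signed by it, and an unrelated
# CA for the negative case. Prints the directory that holds the files.
make_demo_pki() {
    demo_dir=$(mktemp -d) || return 1
    (
        cd "$demo_dir" || exit 1
        subj='/C=UK/ST=London/O=MyCompany'
        openssl req -x509 -subj "$subj/CN=ca.mycompany.com" -days 30 \
            -newkey rsa:2048 -keyout ca-key.pem -out ca.pem -nodes &&
        openssl req -x509 -subj "$subj/CN=other-ca.example" -days 30 \
            -newkey rsa:2048 -keyout other-key.pem -out other-ca.pem -nodes &&
        openssl req -subj "$subj/CN=Administrator54" \
            -newkey rsa:2048 -keyout admin-key.pem -out admin.csr -nodes &&
        openssl x509 -req -days 30 -CA ca.pem -CAkey ca-key.pem \
            -set_serial 1 -in admin.csr -out admin.pem
    ) >/dev/null 2>&1 || return 1
    echo "$demo_dir"
}

# Stand-alone use: pass four arguments to check real files,
# or --demo to run the check on freshly generated demo material.
if [ "$#" -eq 4 ]; then
    check_admin_cert "$@"
elif [ "${1:-}" = "--demo" ]; then
    dir=$(make_demo_pki) && check_admin_cert "$dir/ca.pem" "$dir/admin.pem" \
        "$dir/admin-key.pem" Administrator54
    rm -rf "$dir"
fi
```

If the mode has already been switched and login fails, the webaccess CLI command described in the Command-line interface (CLI) section reverts the console to the Login and password mode.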

Configuring a network

This section describes the basic network settings of UserGate UTM.

Configuring zones

In UserGate UTM, a zone is a logical grouping of network interfaces. Security policies of UserGate UTM are based on zones of interfaces rather than individual interfaces. This makes security policies more flexible and dramatically simplifies the overall management of high-availability clusters. Note that zones are the same across all cluster nodes, i.e. this is a global setting for the entire cluster.

It is recommended that you group interfaces into zones based on their functionality, e.g. a zone of LAN interfaces, a zone of Internet interfaces, a zone of interfaces with partner networks, etc.

By default, UserGate UTM provides the following zones:
    Management - Zone for interfaces connected to trusted networks, allowed for administering UTM
    Trusted - Zone for interfaces connected to trusted networks, e.g. LANs
    Untrusted - Zone for interfaces connected to untrusted networks, e.g. the Internet
    DMZ - Zone for interfaces connected to the DMZ network
    Cluster - Zone for interfaces designated for cluster operations

UserGate UTM administrators can also create additional zones. To create a new zone, perform the following steps:

Step 1. Create a new zone
Click Add and specify a name for your zone.

43 Specify the following flood protection parameters in the zone for the TCP (SYN-flood), UDP and ICMP protocols: Step 2. Set up the flood protection parameters (optional) Alert threshold once the number of packets from a single IP address exceeds the specified limit, this event will be recorded in the system log Drop threshold once the number of packets from a single IP address exceeds the specified limit, UserGate UTM will start discarding packages from this IP address and will record this event in the system log Recommended values for TCP and UDP for the notification threshold and package discard threshold are 300 queries per second and 600 queries per second respectively. It is also recommended that you enable flood protection on all interfaces except Cluster zone. Flood protection exclusion allows you to set up a range of IP addresses excluded from flood protection. This can be useful, for example, on IP telephony servers that usually send lots of small UDP packets Specify UserGate UTM services that you want to make available for all clients connected to the zone. It is recommended that you disable all services in zones connected to untrusted networks and the Internet. The following services are supported: Step 3. Set up the access control parameters for the zone (optional) Ping allows you to ping UTM SNMP provides access to UTM via SNMP (UDP 161) Captive portal and block page displays the login page of the Captive portal and the blocking page (TCP 80, 443, 8002) Control XML-RPC allows you to manage the product via API (TCP 4040) Cluster allows you to merge multiple UserGate UTM nodes into a cluster (TCP 4369, TCP ) VRRP allows you to merge multiple UserGate UTM nodes into a high-availability cluster (IP protocol 112) Administrative console provides access to the web console (TCP 8001) DNS provides access to the DNS proxy service (TCP 53, UDP 53) HTTP(S) Proxy provides access to the HTTP(S) proxy service (TCP 8090) 43

- Authorization agent: provides access to the server for Windows authorization agents and terminal servers (UDP 1813)
- SMTP(S) Proxy: anti-spam and anti-virus filtering service for the SMTP traffic. Required only for publishing a server on the Internet. For more details, please refer to Protecting traffic
- POP3(S) Proxy: anti-spam and anti-virus filtering service for the POP3(S) traffic. Required only for publishing a server on the Internet. For more details, please refer to Protecting traffic
- CLI over SSH: provides access for management using CLI (Command-line interface) via TCP 2200

Step 4. Set up the IP spoofing protection (optional)
Using IP spoofing attacks, attackers can send a packet from an external network, e.g. from the Untrusted zone, to an internal network, e.g. to the Trusted zone. To do so, they spoof the source IP address with one of the possible IP addresses in the internal network, thereby making all responses to this packet go to an internal IP address. To avoid this, specify the IP ranges which are eligible to connect to interfaces in your internal zone, e.g. if your internal local network uses the range /8, then set up this range for IP spoofing protection in the Trusted zone.

Configuring interfaces

The Interfaces section displays all physical and virtual interfaces available in the system and allows you to change their settings or add new VLAN interfaces. This section contains all interfaces of each node in the cluster. Note that settings of interfaces are node-specific, i.e. they are not global.

Click Edit to change the network interface parameters:

- Enable or disable the interface
- Assign the interface to another zone
- Change the physical parameters of the interface: MAC address and MTU size
- Select the allocation method for IP addresses: static IP address or dynamic IP address obtained by DHCP
- Configure a DHCP relay on the selected interface. To do this, enable the DHCP relay, specify the IP address of the interface for which you want to add a relay in the UTM address field and then specify one or more DHCP servers to which you want to forward DHCP queries from clients

Click Add VLAN to add a new virtual adapter and then configure it.

Configuring gateways

To connect UserGate UTM to the Internet, specify the IP address of one or more gateways. If you use multiple ISPs for accessing the Internet, then specify gateways for each of them. Gateway settings are unique for each node in the cluster.

Example of a configuration with two ISPs:

- The eth1 interface with IP address is connected to ISP 1. To access the Internet using this ISP, add a new gateway with IP address
- The eth2 interface with IP address is connected to ISP 2. To access the Internet using this ISP, add a new gateway with IP address

If you have two or more gateways, the system will be able to operate in two modes:

- Traffic balancing between gateways. Enable the Balancing checkbox and specify the Weight of each gateway. In this mode, all the Internet traffic will be distributed between gateways according to the weights that you have specified (gateways with bigger weights will handle more traffic)
- Primary gateway with failover to redundant gateway. Make one of the gateways the primary one and then configure the Connectivity checker by clicking the corresponding button in the interface. The Connectivity checker will test at the specified intervals whether the host can access the Internet and, if the primary gateway fails, will redirect all traffic to the redundant gateways in the order in which they are listed in the console

By default, the Connectivity checker uses the public DNS server from Google ( ), but network administrators can easily switch to another host.

Configuring DHCP

The DHCP service (Dynamic Host Configuration Protocol) allows you to automate provisioning of network settings to clients in a local network. In a network with a DHCP server, each network device can be dynamically assigned an IP address, gateway address, and DNS. UserGate UTM is also able to work as a DHCP relay by forwarding DHCP requests from clients in different networks to the central DHCP server. For more details on how to configure a DHCP relay, please refer to Configuring interfaces.

In UserGate UTM, you can create multiple ranges of IP addresses that will be allocated via DHCP. A DHCP server works independently on each node of the high-availability cluster. To ensure high availability of the DHCP server, make sure to configure DHCP on both nodes and allocate them non-overlapping IP ranges.

To create a new DHCP range, click Add subnet and specify the following parameters:

- Enabled: Enable or disable this DHCP range
- Node name: Node of the cluster where this range will be created
- Interface: Interface of the server from which the IP addresses from the new range will be allocated
- IP range: Range of IP addresses allocated to clients by DHCP
- Mask: Subnet mask allocated to clients by DHCP
- Lease time: Period for which the IP addresses are allocated, in seconds
- Domain: Domain name allocated to clients by DHCP
- Gateway: IP address of the gateway allocated to clients by DHCP
- servers: IP addresses of the DNS servers allocated to clients by DHCP
- Reserved hosts: MAC addresses and their mapped IP addresses
- Ignored MAC: List of MAC addresses that should be ignored by the DHCP server

All assigned IP addresses are shown in the Leased addresses panel. Network administrators can release any assigned address by selecting it in the list and clicking Release.

Configuring DNS

This section provides settings for the DNS and DNS proxy services.

For proper operation of the product, UserGate UTM should be configured to resolve domain names into IP addresses. Specify valid IP addresses of the DNS servers in the System DNS servers parameter.

The DNS proxy service allows network administrators to capture DNS queries from users and then modify them as required. Settings of the DNS proxy are as follows:

- DNS caching: Enables or disables caching of DNS responses. It is recommended that you leave this option enabled for better performance
- DNS filtering: Enables or disables filtering of DNS queries. This option requires an additional license for the corresponding module
- Recursive DNS queries: Allows or prohibits the server to perform recursive DNS queries. It is recommended that you leave this option enabled
- Max TTL for DNS records (sec): Sets the maximum allowed lifetime of DNS records
- Limit of DNS requests per second for user: Sets the limit on the number of DNS queries per second for each user. All queries exceeding the specified limit will be discarded. The default value is 100 queries per second. It is not recommended that you set large values for this parameter, since DNS flood (DNS DoS attacks) is among the most frequent reasons for improper operation of DNS servers
- Only A and AAAA DNS records for unknown users (prohibit VPN over DNS): If enabled, the DNS server will answer only requests for A and AAAA records from unknown users, blocking all other record types. This can efficiently block any kind of VPN over DNS

Using the DNS proxy rules, you can specify DNS servers to which the queries for certain domains will be forwarded. This option can be useful if your company uses an internal local domain, e.g. Active Directory, which is not connected to the Internet.
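The interaction of the per-user query limit and the A/AAAA-only option can be seen in a small model. This is an added example, not UserGate code: the class, the sliding one-second window, the order of the two checks and the sample queries (documentation addresses and example.* names) are all assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque

# Record types still answered for Unknown users when the option is enabled.
ALLOWED_FOR_UNKNOWN = {"A", "AAAA"}


class DnsProxyPolicy:
    """Model of two DNS proxy settings: per-user rate limit and A/AAAA-only mode."""

    def __init__(self, limit_per_second=100, only_a_aaaa_for_unknown=True):
        self.limit = limit_per_second            # 100 is the default stated in the guide
        self.only_a_aaaa_for_unknown = only_a_aaaa_for_unknown
        self._window = defaultdict(deque)        # client IP -> timestamps of accepted queries

    def decide(self, client, user, qtype, now):
        """Return 'allow', 'drop:rate-limit' or 'refuse:record-type'.

        user is None for an Unknown user. Assumption: the rate limit is
        checked first and only accepted queries count towards it.
        """
        recent = self._window[client]
        while recent and now - recent[0] >= 1.0:
            recent.popleft()                     # forget queries older than one second
        if len(recent) >= self.limit:
            return "drop:rate-limit"
        recent.append(now)
        if (self.only_a_aaaa_for_unknown and user is None
                and qtype.upper() not in ALLOWED_FOR_UNKNOWN):
            return "refuse:record-type"
        return "allow"


def replay(policy, queries):
    """Run (timestamp, client, user, qtype, name) tuples through the policy."""
    tally = defaultdict(Counter)
    for ts, client, user, qtype, _name in queries:
        tally[client][policy.decide(client, user, qtype, ts)] += 1
    return {client: dict(counts) for client, counts in tally.items()}


# Constructed sample traffic (not captured from a real network).
SAMPLE_QUERIES = (
    [
        # Known user: any record type is answered.
        (0.00, "192.0.2.10", "DOMAIN\\alice", "A", "intranet.example.com"),
        (0.10, "192.0.2.10", "DOMAIN\\alice", "TXT", "example.com"),
        # Unknown user: AAAA passes, TXT and NULL (typical tunnel carriers) do not.
        (0.20, "192.0.2.20", None, "AAAA", "www.example.com"),
        (0.30, "192.0.2.20", None, "TXT", "k3f9a.t.example.net"),
        (0.40, "192.0.2.20", None, "NULL", "q81zz.t.example.net"),
    ]
    # Unknown user sending 150 A queries inside 150 ms: 50 exceed the limit.
    + [(1.0 + i / 1000.0, "192.0.2.30", None, "A", "host%d.example.org" % i)
       for i in range(150)]
)

if __name__ == "__main__":
    for client, result in replay(DnsProxyPolicy(), SAMPLE_QUERIES).items():
        print(client, result)
```

The third client shows why the record-type option alone is not enough: its A queries are all permitted by type, and only the per-user limit stops the burst.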

To create a new DNS proxy rule, perform the following:

Step 1. Add a new rule
Click Add and specify and (optional)

Step 2. Specify a list of domains
Provide a list of domains which you want to forward, e.g. localdomain.local. You can also use the "*" character to specify domain templates

Step 3. Specify DNS servers
Provide a list of IP addresses of DNS servers to which you want to forward queries for the specified domains

In addition, you can specify static records of the "host" type (A-records) using the DNS proxy. To create a new static record, perform the following:

Step 1. Add a new record
Click Add and specify and (optional)

Step 2. Provide the FQDN
Specify the Fully Qualified Domain (FQDN) of the static record, e.g.

Step 3. Specify IP addresses
Provide a list of IP addresses which will be returned by the UserGate UTM server when this FQDN is requested

Routes

In this section, you can specify a route to the network available through a certain router. This can be useful when several IP subnets in your local network are integrated via a local router. A route is applied only to the cluster's node where it has been created.

To add a new route, perform the following steps:

Step 1. Select a node in your cluster
From the drop-down menu, select a node in which you want to create a new route

Step 2. Specify the Destination
Specify a destination subnet for the new route, e.g /24 or /32

Step 3. Specify the Gateway
Provide the IP address of the gateway through which the specified subnet should be accessible. This IP address must be accessible from the UTM server

Step 4. Specify an Interface
Select an interface to which you want to add a new route

Step 5. Specify Metric
Specify metrics for the new route. If you have multiple routes, then the routes with lower metrics will have higher priorities
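The per-zone flood protection thresholds and IP spoofing ranges from Configuring zones, earlier in this chapter, can be modelled as two ingress checks. This is an added example, not UserGate code: the class, the fixed one-second counting buckets, the 10.0.0.0/8 internal range and the sample traffic are assumptions; only the 300/600 thresholds and the exclusion idea come from the guide.

```python
import ipaddress
from collections import Counter


class ZoneGuard:
    """Per-zone ingress checks: source allow-list (anti-spoofing) and flood thresholds."""

    def __init__(self, name, allowed_sources=None, alert_pps=300, drop_pps=600,
                 flood_exclusions=()):
        self.name = name
        # None means IP spoofing protection is not configured for the zone.
        self.allowed = (None if allowed_sources is None
                        else [ipaddress.ip_network(n) for n in allowed_sources])
        self.exclusions = [ipaddress.ip_network(n) for n in flood_exclusions]
        self.alert_pps = alert_pps               # recommended alert threshold
        self.drop_pps = drop_pps                 # recommended drop threshold
        self._bucket = {}                        # source IP -> (second, packets in that second)
        self.log = []                            # (second, source, event): stands in for the system log

    def check(self, src, ts):
        """Return the verdict for one packet from src arriving at time ts (seconds)."""
        ip = ipaddress.ip_address(src)
        second = int(ts)
        # 1. Anti-spoofing: the source must belong to a range eligible for this zone.
        if self.allowed is not None and not any(ip in net for net in self.allowed):
            self.log.append((second, src, "spoofed-source"))
            return "drop:spoofed-source"
        # 2. Hosts in the flood protection exclusion are never counted.
        if any(ip in net for net in self.exclusions):
            return "pass"
        # 3. Count packets per source in the current one-second bucket (assumption).
        bucket_second, count = self._bucket.get(src, (second, 0))
        if bucket_second != second:
            count = 0
        count += 1
        self._bucket[src] = (second, count)
        if count == self.alert_pps + 1:          # limit exceeded: log once per second
            self.log.append((second, src, "alert-threshold"))
        if count > self.drop_pps:
            if count == self.drop_pps + 1:
                self.log.append((second, src, "drop-threshold"))
            return "drop:flood"
        return "pass"


def simulate():
    """Replay constructed traffic against a Trusted zone and summarise verdicts."""
    trusted = ZoneGuard("Trusted",
                        allowed_sources=["10.0.0.0/8"],        # constructed internal range
                        flood_exclusions=["10.1.1.20/32"])     # constructed IP telephony server
    traffic = (
        [("10.1.1.5", i / 1000.0) for i in range(700)]         # 700 packets in one second
        + [("10.1.1.20", i / 2000.0) for i in range(1000)]     # excluded host, 1000 packets
        + [("203.0.113.9", 0.5)]                               # external source on an internal zone
        + [("10.1.1.5", 1.2)]                                  # next second: counter starts over
    )
    verdicts = Counter()
    for src, ts in traffic:
        verdicts[(src, trusted.check(src, ts))] += 1
    return dict(verdicts), trusted.log


if __name__ == "__main__":
    summary, log = simulate()
    for key, count in sorted(summary.items()):
        print(key, count)
    print(log)
```

The gap between the two thresholds is what gives an administrator a log entry before any traffic is discarded; setting them equal removes that warning.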

Users and devices

Security policies, firewall rules, safe browsing rules and many other features of UserGate UTM can be applied to users or groups of users. Since policies can be applied only to the selected users, network administrators can flexibly adapt the entire network to the company's needs.

Identification of users is a core feature of any UTM-based device. A user is identified when the system is able to exactly match their identity with the IP address of the device from which they are currently logged in. UserGate UTM offers multiple mechanisms of user identification:

- Identification by explicitly provided IP address
- Identification by username and password
- Identification of users of terminal servers from Microsoft using a special terminal service agent
- Identification of users via an authorization agent (for Windows-based systems)

Identification of users by username and password is performed via the Captive portal which, in turn, can be configured to identify users via Active Directory, Radius, Kerberos or a local user database.

UserGate UTM supports the following types of users:

- Unknown user: Represents a set of users not identified by the system
- Known user: Represents a set of users identified by the system. Various user identification methods are described below in more detail
- Any user: The Any user is the set of Known users plus the set of Unknown users
- Certain user: The Certain user represents users fully identified and authorized by the system, e.g. DOMAIN\User authorized through an Active Directory domain

Users and groups of users can be registered directly on the UserGate UTM device (these are the so-called local users and groups) or synchronized with external directories, such as Microsoft Active Directory.

Users

In this section, you can add local users or edit properties of the already existing users imported from Microsoft Active Directory. In addition, you can also temporarily disable users or enable them again.

To create a new local user, you need to specify only one mandatory parameter (username). Though all other parameters are optional, it is recommended that you specify them for proper user identification:

- Username and password: for identification by username and password. In this case, you will need to set up the Captive portal where users can enter their username and password for authorization
- IP address or an IP range: for identification by IP address. In this case, make sure that all users are able to access the network from the specified IP address

If a user is assigned both username/password and IP address, then the system will be using identification by IP address, i.e. IP-based identification has a higher priority.

Users imported from Active Directory can also be identified via their username/password (a dedicated authorization server based on Active Directory is required) or IP address. They are assigned IP addresses similarly to local users.

Note that each username must be unique among all UserGate UTM users including local users and those imported from Active Directory.

Groups

Groups of users allow you to join users together and efficiently manage their security policies.

Authorization servers

Authorization servers are the external sources of user accounts for UserGate UTM. The system supports the following types of authorization servers:

- Active Directory authorization server
- Radius authorization server
- Kerberos authorization server

The Radius and Kerberos authorization servers can only authorize users, while the authorization server based on Active Directory allows you to import and synchronize users and groups of users.

Active Directory connector

The Active Directory connector allows you to:

- Synchronize the Active Directory users with the local user database. Synchronized users and groups can be used for setting up filtering rules
- Authorize synchronized users via the Active Directory domain

To create a new authorization server based on Active Directory, click Add, select Add Active Directory connector and then specify the following parameters:

- Enabled: Enables or disables usage of the specified authorization server
- of the authorization server
- SSL: Specifies whether an SSL connection is needed for communication with the Active Directory domain controller
- Sync interval: UserGate UTM will initiate synchronization at the specified intervals. During synchronization, the system updates only accounts that have changed in Active Directory. The recommended interval for most cases is 3,600 seconds
- Retry interval: Time period after which UserGate UTM will initiate a new attempt to connect to the Active Directory server if the previous attempt has failed. The recommended value is 300 seconds
- Bind DN ("login"): Username for connecting to the Active Directory server. The username must be in the DOMAIN\username or username@domain format. This user must already exist in the domain
- Password: User password for connecting to the domain
- Servers: List of IP addresses of Active Directory domain controllers. If you have a domain forest or domain tree, specify the IP addresses of the domain controllers that act as the Global Catalog
- Roots: List of starting paths in Active Directory from which the system will be synchronizing users and groups. Make sure to specify the full name, e.g. ou=office,dc=example,dc=com

Once the server is created, check whether all parameters are correct by clicking Check connection. If all parameters are correct, the system will notify you about it, otherwise the system will display an error message.

If your server has been configured successfully, you will see the domain records in the Users and Groups sections. The synchronization of users is completed. To authorize synchronized users, you can use either the IP-based identification (make sure to assign an IP address to each synchronized user) or identification by username/password (in this case, you will need to create rules for the Captive portal). For more details on the Captive portal, please refer to the next chapters of this Guide.

Radius authorization server

The Radius authorization server allows you to authorize users on Radius servers, i.e. UserGate UTM will be serving as a Radius client. When authorizing via Radius, the UserGate UTM server sends the username and password to a Radius server which, in turn, notifies whether the authorization has been successful or not.

Unlike authorization servers of Active Directory, Radius servers cannot provide a list of users to UserGate UTM, so that if you have not registered them in UTM beforehand (e.g. as local users or via synchronization with AD domain), then you will be able to use only Known (i.e. authorized on a Radius server) and Unknown (failed to authorize on a Radius server) users in your filtering policies.

To create a new authorization server based on Radius, click Add, select Add RADIUS server and then specify the following parameters:

- Enabled: Enables or disables usage of the specified authorization server
- Server name of the authorization server
- Shared secret: Public key used by the Radius protocol for authorization
- Host: IP address of the Radius server
- Port: UDP port on which the Radius server is listening for authorization requests (UDP 1812 by default).

Once the authorization server is created, you should set up the Captive portal for Radius-based authorization. For more details on the Captive portal, please refer to the next chapters of this Guide.
Kerberos authorization server

Authorization via Kerberos provides transparent authorization (without entering usernames and passwords) of the Active Directory domain users, i.e. Single Sign On (SSO). During Kerberos-based authorization, the UserGate UTM server communicates with domain controllers to obtain the username of the corresponding user who wants to gain access to the Internet.

Similar to Radius servers, Kerberos servers cannot provide a list of users to UserGate UTM, so that if you have not registered them in UTM beforehand (e.g. as local users or via synchronization with AD domain), then you will be able to use only Known (i.e. successfully authorized) and Unknown (failed to authorize) users in your filtering policies.

To set up authorization via Kerberos, perform the following steps:

Step 1. Configure DNS servers on UTM
In the UTM settings, specify the IP address of the domain controller as a DNS server

Step 2. Sync time with Active Directory
In General settings, enable time synchronization and set the IP address of the domain controller as the primary NTP server

Step 3. Create a new DNS record for the UTM server
On the domain controller, create a new DNS record corresponding to the UserGate UTM workstation, e.g. utm.domain.loc

Step 4. Create a new user for the UTM server
Create a new user in the AD domain, e.g. utm@domain.loc with the enabled "password never expires" option.
Important! Do not use symbols of national alphabets, such as Cyrillic, in the name of the UTM user or in the names of the OUs where this user resides

Step 5. Create a new keytab file
On the domain controller, create a new keytab file by running the following command as administrator (make sure to type this in one line!):

    ktpass.exe /princ HTTP/utm.domain.loc@DOMAIN.LOC /mapuser utm@domain.loc /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass * /out C:\utm.keytab

Step 6. Create a new authorization server of the Kerberos type
Create a new authorization server of the Kerberos type, assign it a name and upload the keytab file generated on the previous step

Step 7. Create a new rule for the Captive portal with the Kerberos-based authentication
Configure the Captive portal to use the Kerberos-based authentication. For more details on the Captive portal, please refer to the next chapters of this Guide

Step 8. Enable access to the HTTP(S) service for the zone
In the Zones section, enable access to the HTTP(S) proxy service for the zone to which the users with Kerberos-based authentication are connected

Step 9. Set up the proxy server on user workstations
On user workstations, configure mandatory use of the proxy server, specified by the FQDN of UTM, e.g. utm.domain.loc, port 8090

Configuring a Captive portal

A Captive portal allows you to authorize Unknown users by means of Active Directory, Radius, Kerberos or a local user database. In addition, you can allow users to register on their own in your Captive portal and confirm their registrations via SMS or by .

Please keep in mind the following:

- Identified users, e.g. those with assigned IP addresses in the properties as well as those identified via authorization agents of the Windows terminal servers, do not need to authorize on the Captive portal. Such users are treated as Known users and therefore do not need any additional identification
- Authorization via the Captive portal is possible only via HTTP and HTTPS. For example, if you have created a firewall rule to allow the Internet access via FTP only to the Known users, then users will gain the Internet access only after identification, i.e. after they launch their web browser and authorize on the Captive portal
- If the Captive portal uses authorization via Active Directory, then a user must enter their domain name in the DOMAIN\username or username@domain format as their username

To configure the Captive portal, perform the following steps:

Step 1. Create a new authorization method, e.g. authorization via the Active Directory domain
In the UserGate UTM console, go to the Users and devices → Authorization servers section, click Add and then create a new authorization server

Step 2. Create a new Captive profile and specify the authentication methods you want to use
In the UserGate UTM console, go to the Users and devices → Captive profiles section, click Add and then create a new captive profile based on the previously created authorization method

Step 3. Create a new rule for the Captive portal
In the UserGate UTM console, go to the Users and devices → Captive portal section, click Add and then create a new rule for the Captive portal

Step 4. Configure DNS records for domains auth.captive and logout.captive
Special domain names auth.captive and logout.captive are used internally by UserGate UTM for users authorization. Nothing should be done if users use UserGate UTM as their DNS server. If another server is used, then these two domains should be resolved to the IP address of the UserGate UTM interface which is connected to the users' network. Alternatively, it is possible to configure Captive portal Auth domain and Captive portal Logout domain. For more details refer to the General Settings section of this manual

For more information on how to create authorization methods, please refer to the previous chapters. Let's consider creation of a new Captive profile and rules for the Captive portal in more detail.

To create a new Captive profile, click Add in the Captive profiles section and specify the following parameters:

- of the Captive profile
- of the Captive profile
- Auth page template: Select an authorization page template. You can create authorization pages in the Libraries/Response pages section. If you want to allow users to register on their own with subsequent SMS/ confirmation, then choose a template of the corresponding type (Captive portal: SMS auth/ Captive portal: auth)
- Authentication mode: Defines how UserGate UTM should remember a user. Two options are possible:
  - Use IP address. Once a user has successfully authorized via the Captive portal, UserGate UTM will remember their IP address and match all future connections from this IP address with this user. This method allows you to identify data passed via any protocol of the TCP/IP family, but will not be able to identify users behind NAT. This is the recommended value used by default.
  - Use COOKIES. Once the user is successfully authorized via the Captive portal for the first time, UserGate UTM will add a special cookie to the user's web browser in order to identify them in future. This method allows you to identify users behind a NAT device, but only via the HTTP/S protocol and the same web browser in which the user has authorized in the Captive portal. In addition, UserGate UTM will be forcibly decrypting all HTTPS connections in order to authorize HTTPS sessions of a user. Such a user will always be identified as Unknown by firewall rules as there is no IP address associated with a user authenticated by cookie
- Redirect URL: URL to which a user will be redirected after successful authorization on the Captive portal. When not set, the user will be redirected to the URL they have initially requested
- Idle time: This parameter specifies the period in seconds after which UserGate UTM will move a user from Known users to Unknown users in case of inactivity (no network packets received from the user's IP address)
- Expiration time: This parameter specifies the period in seconds after which UserGate UTM will move a user from Known users to Unknown users. Once the specified period is over, the user will have to authorize on the Captive portal again
- Maximum authentication attempts: Allowed number of failed authorization attempts for the Captive portal before the user account is locked
- Authentication lockout time: Time period for which the user's account is blocked once the allowed number of failed authorization attempts is exceeded
- Show AD/LDAP domain selector on Captive Portal page: If you use Active Directory as the authentication method, then a user will be able to select a domain name from the list on the authorization page when this parameter is enabled. When this parameter is disabled, a user must specify the target domain in the DOMAIN\username or username@domain format
- HTTPS for auth page: Use HTTPS encryption for Captive portal authentication pages. This requires a configured Captive portal SSL certificate. For more information about certificates please refer to the Managing certificates chapter
- Authentication methods: Authentication methods created before, e.g. Active Directory authorization server. If you have created several authorization methods, then they will be used in the same order as they are listed in the console. The Accept policy authorization method allows you to use the authorization template without entering username and password, i.e. users must only accept the network access policy

To allow users to register on their own with subsequent confirmation via SMS or , configure the parameters on the Transient users registration tab. Please keep in mind that you should use a template of the corresponding type (Captive portal: SMS auth/ Captive portal: auth).

- Notification profile: Notification profile that will be used for sending information about the created user and password. You can choose between two notification types SMS and . For more details on how to create a notification profile, please refer to Notifications
- Notification from: Specify on whose behalf the message will be sent
- Notification subject: Subject of the notification (for notifications only)
- Notification body: Body of the message. You can use special variables {login} and {password} in the text which will be automatically replaced with the actual username and password.
- Transient users expiration date: Date and time when the transient user's account will be disabled
- Transient user TTL: Time period since the first authorization of the transient user after which the corresponding account will be disabled
- Password length: Password length for created users
- Password complexity: Password complexity for created users. Can be:
  - Numeric: only digits
  - Alphanumeric: digits and letters
  - Alphanumeric+special: digits, letters and special symbols, like

- Groups: Group for transient users in which they are stored. For more details on groups for transient users, please refer to Transient users

To create a new rule for the Captive portal, click Add in the rules section of the Captive portal and then specify the following parameters:

- of the rule for the Captive portal
- of the rule for the Captive portal
- Captive profile: Select the Captive profile you have previously created. You can also enable the Do not use authorization option if you don't want to use any authorization method.
- Source: Addresses of the source. You can specify a certain zone, such as Trusted, or an IP range as the source
- Destination: IP addresses of the destination. You can also use IP addresses of countries (Geo-IP)
- Categories: Categories of URL filtering for which the rule will be applied. Note that URL filtering requires the corresponding license.
- URLs: Lists of URLs for which the rule will be applied.
- Time: Time period when the rule will be active

Thus, by creating several rules for the Captive portal, you can set up multiple user identification policies for various zones, addresses and time periods.

Important! Conditions specified on the rule's tab are applied according to the AND logic, i.e. the rule will be triggered only when all these conditions are met. If you want to use the OR logic, then you should create multiple rules.

Important! Rules are applied in the same order as they are displayed in the console. You can change the order using the corresponding buttons.

Important! When handling rules, the system applies only the first triggered rule.

60 If you want to log in to the system with another account or log out of the system, type or in your web browser and then click Log out. Users of terminal servers The terminal server is designed for remote provision of various services to users via the remote desktop or console. In most cases, one terminal server provides services to several or even hundreds of users. However, users of a terminal server can be difficult to identify, since they share the same IP address and UTM cannot track their network connections properly. To address this issue, consider using a special agent of the terminal service. The terminal service agent should be installed on all terminal servers where you are going to identify users. Basically, this agent is a service that transfers information about users and their network connections from the terminal server to the UserGate UTM server. Due to nature of TCP/IP protocol, the terminal service agent is able to identify user traffic only at the level of the TCP and UDP protocols. Traffic sent through all other protocols, such as ICMP, cannot be identified. Active directory connector is required for correct identification of terminal server users. To set up the user identification on terminal servers, perform the following steps: Step 1. Set up a password for terminal server agents In the UserGate UTM console, go to the Users and devicesàterminal servers section, click Configure and then specify the password for terminal server agents Step 2. Install the terminal server agent Install the terminal server agent on all servers where you want to identify users During installation, make sure to specify the IP address of the UserGate UTM server and the password that you have set on the previous step Step 3. Enable the necessary servers in the UTM console Once the agents are installed, the UTM console will display a list of terminal servers. 
By clicking Enable or Disable, you can enable or disable identification of users from the selected servers Now UTM is able to receive information of terminal users. Authorization agent for Windows The system also offers a special authorization agent yet another identification method for users who are working in the Windows operating system. The agent provides a convenient service which transfers information about users, such as their usernames and IP addresses, to the UserGate UTM server for proper 60

61 identification of all network connections, thereby eliminating the need for additional identification methods. To set up the user identification in the authorization agent, perform the following steps: Step 1. Set up a password for terminal server agents In the UserGate UTM console, go to the Users and devicesàterminal servers section, click Configure and then specify the password for terminal server agents Step 2. Install the authorization agent Using Active Directory Group policy install the authorization agent on all PCs where you are going to identify users During installation, make sure to specify the IP address of the UserGate UTM server and the password that you have set on the previous step Now UTM is able to receive information of users. If you have set up synchronization of user accounts with Active Directory, then all user names from Active Directory will be available in the system. Alternatively, if the list of users is missing in UTM, you can use Known users and Unknown users in UTM rules. Transient users In UTM, you can create lists of transient users. This is especially useful for hotels and public Wi-Fi networks with Internet access, when it is necessary to identify users and provide them access for a limited period of time. Transient users can be either created by network administrators beforehand, or they can register on their own with subsequent confirmation via SMS or by . To create a new list of transient users, perform the following steps: Step 1. Create a new administrator of transient users (optional) In the Device management section, go to Administrators and click Add. Select Transient users admin role. This role provides access to the console for managing transient users Step 2. Create a new group for transient users. This group will allow you to manage access policies for transient users In the UserGate UTM console, go to the Groups section, click Add and then create a new group with the Group for transient users option enabled. 
For more details on how to create user groups, please refer to the corresponding section of the Guide.

Step 3. Connect to the console for managing transient users
Type in your web browser and then specify the username and password of the device administrator or of the administrator of transient users created in Step 1.

Step 4. Create a new list of users
Click Create in the console and fill in the following fields:
Number of users to create
Comment
Expiration date and time: date and time when the transient user's account will be disabled
TTL: time period since the first authorization of the transient user after which the corresponding account will be disabled
Password length: password length for created users
Password complexity: password complexity for created users. Can be:
- Numeric: only digits
- Alphanumeric: digits and letters
- Alphanumeric+special: digits, letters and special symbols, like
Groups: the group for transient users which has been created on Step 2

You can view the list of created users in the Users list section of the console for managing transient users.

To allow users to register in the system on their own, perform the following steps:

Step 1. Create a new SMPP notification profile (for SMS confirmations) or SMTP notification profile (for email confirmations)
In the Notifications section, go to Notification profiles, click Add and then create a new SMPP or SMTP notification profile. For more details on how to create a notification profile, please refer to Notifications.

Step 2. Create a new group for transient users. This group will allow you to manage access policies for transient users
In the UserGate UTM console, go to the Groups section, click Add and then create a new group with the Group for transient users option enabled. For more details on how to create user groups, please refer to the corresponding section of the Guide.

Step 3. Create a new Captive profile which uses the notification profile that you have created for transient users
In Users and devices, go to Captive profiles, create a new profile and use the previously created notification profile. In the authorization page field, specify Captive portal: auth or Captive portal: SMS auth depending on the notification method that you are going to use. Set up the notification's text, the group for transient users and the time period when the new account will be valid. For more details on how to create notification profiles, please refer to Users and devices → Configuring a Captive portal.

Step 4. Create a new Captive portal rule with the Captive profile that you have created in the previous step
In the Users and devices section, go to Captive portal and create a new rule. Use the previously created Captive profile. For more details on how to create Captive portal rules, please refer to Users and devices → Configuring a Captive portal.

BYOD policies

Many companies allow their employees to work from their own devices and PCs, or BYOD devices ("Bring Your Own Device"). In UserGate UTM, network administrators can manage BYOD devices, e.g. by limiting Internet access from devices by device type, by number of simultaneous devices per user or by specific model.

Important! BYOD management requires properly configured authorization of users via the Captive portal. Note that BYOD policies cannot be applied to user devices that are not authorized via the Captive portal. For more details on the Captive portal, please refer to Configuring a Captive portal.

To set up BYOD management, perform the following steps:

Step 1. Create a new rule for the Captive portal
For more details on how to create rules of the Captive portal, please refer to Configuring a Captive portal.

Step 2. Create a new BYOD policy
Create one or more BYOD policy rules.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console.
The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! If no rules have been created, then all device types will be allowed.

To create a new rule for the BYOD policy, click Add in the BYOD policies section and then specify the following parameters:

of the BYOD policy rule Comment of the BYOD policy rule
Action:
- Allow: use this option to allow connections from devices that meet the rule's criteria
- Deny: use this option to prohibit connections from devices that meet the rule's criteria
Administrator's approval required: Applicable to "allow" rules only. When this option is enabled, each user device successfully authorized for the first time via the Captive portal will be added to the list of BYOD devices, but Internet access will not be available until your network administrator confirms the device
Maximum total devices: Applicable to "allow" rules only. Maximum number of devices per user for Internet access. This parameter is not applicable to rules containing Known, Unknown or Any users
Maximum active devices: Applicable to "allow" rules only. Maximum number of simultaneous devices per user for Internet access. This parameter is not applicable to rules containing Known, Unknown or Any users
Users/Groups: List of users and groups of users to which this BYOD policy rule is applied
Device type: Device type to which this BYOD policy rule is applied

Devices from which users connect to your network are listed in Users and devices → BYOD devices. Network administrators can prohibit or allow access from a certain user device by selecting this device in the list and clicking Disable or Enable respectively. From here, you can also confirm access from a certain user device if the BYOD policy requires approval of your network administrator.

Network policies

The Network policies section contains four subsections:
- Firewall
- NAT & routing
- Load balancing
- Traffic shaping

Using network policies, your network administrators will be able to organize Internet access for users, publish internal resources on the Internet, and efficiently balance network bandwidth between services and applications.

Important! Rules created in these sections are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom.

To grant Internet access to users, perform the following:
Step 1. Create a NAT rule. Please refer to NAT and routing.
Step 2. Create an "allow" firewall rule. Please refer to Firewall.
Step 3. Set up the content filtering rules (optional). Please refer to Content filtering.

To publish an internal resource on the Internet, perform the following:
Step 1. Create a DNAT rule. Please refer to NAT and routing.

To set up Internet access via an alternative ISP for a certain service or address, perform the following:

Step 1. Create a Route rule. Please refer to NAT and routing.

To prohibit or allow a certain type of traffic passing through UTM, perform the following:
Step 1. Create a firewall rule. Please refer to Firewall.

To distribute traffic to several internal servers, perform the following:
Step 1. Create a load balancing rule. For more details, please refer to Load balancing.

To limit the bandwidth allocated to a certain service or application, perform the following:
Step 1. Create a bandwidth rule. For more details, please refer to Traffic shaping.

Firewall

Based on various firewall rules, network administrators can allow or prohibit any type of transit network traffic passing through UTM. You can use zones, source/destination IP addresses, users, groups, services and applications as the matching criteria.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! When no rules are defined, the transit traffic cannot pass through UTM.

To create a new firewall rule, click Add in the Network policies → Firewall section and specify the following parameters.

A rule is triggered only when all its criteria are met.

Enabled: Enables or disables a rule
Policy name of a rule
Action:
- Deny: blocks the traffic
- Allow: allows the traffic
Enable logging: Logs information about traffic when a rule is triggered. It is recommended to enable logging limit to avoid high system utilization
Apply rule to:
- Any packets
- Only fragmented packets: only packets with the fragmentation bit set
- Not fragmented packets: only packets with the fragmentation bit not set
Source: Zone(s) and IP addresses of the traffic source
Users: List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown, Known type. To apply rules to individual users or users of the Known type, make sure to set up authentication properly. For more details on user identification, please refer to User identification
Destination: Zone(s) and IP addresses of the traffic destination
Service: Service type, e.g. HTTP or HTTPS
Application: List of applications to which this rule will be applied

NAT and routing

Based on NAT and routing rules, network administrators can create additional rules for NAT, DNAT and routing. UserGate UTM supports NAT/DNAT for complex protocols which can use dynamic ports. The system is compatible with FTP, PPTP, SIP and H323.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! To grant Internet access to users, you should create at least one NAT rule.

NAT rules

To create a new NAT rule, click Add in the Network policies → NAT and routing section and specify the following parameters. A rule is triggered only when all its criteria are met.

Enabled: Enables or disables a rule
Policy name Comment of a rule
Type: Select NAT
SNAT IP address (external IP): Sets the IP address which will be used as the source address for NATed network packets. This makes sense if several IP addresses are assigned to the interfaces of the destination zone. If the field is empty, an arbitrary address of the destination zone will be used
Enable logging: Logs information about traffic when a rule is triggered. It is recommended to enable logging limit to avoid high system utilization
Destination: Zone(s) and IP addresses of the traffic destination (usually Untrusted)
Services: Service type, e.g. HTTP, HTTPS, etc.

Important! It is recommended that you create global NAT rules, e.g. a single NAT rule from your local network (i.e. Trusted zone) to the Internet (i.e. Untrusted zone), and then define access policies for users, services and applications through firewall rules.

DNAT rules

The DNAT rules are designed for publishing internal network resources on the Internet. To create a new DNAT rule, click Add in the Network policies → NAT and routing section and specify the following parameters. A rule is triggered only when all its criteria are met.

Enabled: Enables or disables a rule
Policy name Comment of a rule
Type: Select DNAT
Enable logging: Logs information about traffic when a rule is triggered. It is recommended to enable logging limit to avoid high system utilization
Source: Zone(s) and IP addresses of the traffic source (usually Untrusted zone, IP addresses of Internet users)
Destination: IP addresses of the traffic destination. Usually IP addresses of interfaces connected to the Untrusted zone
Services: Type of the service that you are going to publish, e.g. HTTP. If no services are specified, the system will publish all services
DNAT target IP: IP address of the local PC that you are going to publish on the Internet
DNAT target port: Port on the published PC to which you are going to forward traffic. For example, if you specify HTTP (TCP 80), then UTM will be listening for requests on port 80 of the

external interface and then forward them to the published server to the port specified in this field
Enable SNAT: When this option is enabled, UserGate UTM will replace the source address with its own IP address in the network packets coming from an external network to the published server

Routing rules

Based on the routing rules, you can specify a dedicated route to the Internet for certain hosts and/or services. Suppose that your company uses 2 ISPs, so that all HTTP/HTTPS traffic is forwarded via ISP1 while ISP2 handles the remaining traffic. To do this, specify the Internet gateway of ISP2 as the default gateway and then create a new rule for forwarding all HTTP/HTTPS traffic to a gateway of ISP1.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

To create a new routing rule, click Add in the Network policies → NAT and routing section and specify the following parameters. A rule is triggered only when all its criteria are met.

Enabled: Enables or disables a rule
Policy name Comment of a rule
Type: Select Route
Gateway: Select an existing gateway. You can add more gateways in Network → Gateways
Source: Zone(s) and IP addresses of the traffic source
Services: Service type, e.g. HTTP, HTTPS, etc.

Load balancing

UserGate UTM supports load balancing for various services within a local network including internal servers published on the Internet (DNAT) and internal servers without publication. The balancer uses various techniques to dynamically allocate queries received on the IP address of a virtual server to IP addresses of physical servers. To set up balancing, create new balancing rules in the Network Load balancing section. Specify the following parameters when creating a balancing rule:

Enabled: Enables or disables a rule
of the balancing rule of the balancing rule
Virtual server IP: Select an IP address from the list of addresses assigned to UTM network interfaces. If necessary, administrators can also add more IP addresses to any interface
Protocol: TCP or UDP for which you are going to perform load balancing
Port: Port for which you are going to perform load balancing
Scheduler: You can choose between 4 load balancing methods:
- Round robin: each new connection is forwarded to the next server in the list to distribute load across all servers
- Weighted round robin: this method is similar to Round robin except that each server is assigned a weight to distribute traffic according to the servers' performance
- Least connections: each new connection is forwarded to the server which is serving the least number of connections at the moment
- Weighted least connections: this method is similar to Least connections except that each server is assigned a weight to distribute traffic according to the servers' performance

Real servers: Add a new pool of physical servers to which you are going to forward traffic. Specify the following parameters for each server:
- IP address of server
- Port to which you are going to forward user requests
- Weight. This factor allows for more efficient load distribution among physical servers when using Weighted round robin or Weighted least connections. Larger weights correspond to higher server loads
- Mode. Two options are possible: Gate forwards traffic to a virtual server by means of routing. Masq forwards traffic to a virtual server by means of NAT
Fallback: Failover mode is used when all physical servers are unavailable. To activate the fallback mode, enable it and then specify the following parameters:
- IP address of the server to which requests will be forwarded in case of fallback
- Port to which you are going to forward user requests
- Mode. Two options are possible: Gate forwards traffic to a virtual server by means of routing. Masq forwards traffic to a virtual server by means of NAT
Monitoring: Based on monitoring functionality, you can set up automatic health checking for physical servers. All servers that fail to pass the health check will be excluded from balancing
Mode: Monitoring method for physical servers. Possible values:
- ping: checks availability of a node using the ping command
- connect: checks availability of a node by establishing a TCP connection with a certain port
- negotiate: checks availability of a node by sending the predefined HTTP or DNS query and matching the actual response with the expected one

Check interval: Minimum time period between subsequent checks
Check timeout: Maximum time period of waiting for a response
Max failures: Number of failed attempts of physical server checking after which the server will be considered unavailable and therefore will be excluded from balancing

Important! Balancing rules have a higher priority and therefore are applied before NAT/DNAT/routing rules.

Traffic shaping

The traffic shaping control rules allow you to limit access to network channels for certain users, hosts, services or applications.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

To create a new traffic shaping rule, click Add in the Network policies → Traffic shaping section and specify the following parameters. A rule is triggered only when all its criteria are met.

Enabled: Enables or disables a rule
Policy name of a rule
Bandwidth pools: Select a bandwidth. You can add more bandwidths in Libraries → Bandwidths
Source: Zone(s) and IP addresses of the traffic source
Users: Users or groups
Destination: Zone(s) and IP addresses of the traffic destination

Service: Service type, e.g. HTTP, HTTPS, etc.
Application: List of applications for which you are going to limit bandwidth. Important! To use applications, make sure you enable the Application Control module in General settings
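The first-match ordering described above for firewall and other network policy rules, as an added example that is not part of the guide and is not UserGate code. It models a rule list in Python, evaluates a connection top to bottom, and reports rules that can never fire because a broader rule sits above them. The rule fields, the zone, service and group names, and the deny result for traffic that matches no rule are assumptions of this example.

```python
from dataclasses import dataclass

ANY = frozenset()  # assumption of this model: an empty criterion matches everything
CRITERIA = ("src_zones", "dst_zones", "services", "users")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src_zones: frozenset = ANY
    dst_zones: frozenset = ANY
    services: frozenset = ANY
    users: frozenset = ANY
    enabled: bool = True


def matches(rule, conn):
    """A rule is triggered only when all its criteria are met."""
    for crit in CRITERIA:
        allowed = getattr(rule, crit)
        if allowed and conn[crit] not in allowed:
            return False
    return True


def evaluate(rules, conn, default="deny"):
    """Walk the list top to bottom and apply only the first matching rule.

    default="deny" mirrors the guide's statement that transit traffic cannot
    pass when no firewall rules are defined; applying it to unmatched traffic
    in a non-empty list is an assumption of this example.
    """
    for rule in rules:
        if rule.enabled and matches(rule, conn):
            return rule.action, rule.name
    return default, None


def covers(earlier, later):
    """True if every connection that matches `later` also matches `earlier`."""
    for crit in CRITERIA:
        e, l = getattr(earlier, crit), getattr(later, crit)
        if e and (not l or not l <= e):
            return False
    return True


def find_shadowed(rules):
    """Return (shadowed rule, shadowing rule, actions_conflict) tuples.

    A shadowed rule sits below a rule that covers it, so it can never be the
    first match. A conflict means the two rules have different actions.
    """
    findings = []
    active = [r for r in rules if r.enabled]
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if covers(earlier, later):
                findings.append(
                    (later.name, earlier.name, earlier.action != later.action))
                break
    return findings


def fs(*items):
    return frozenset(items)


# Constructed rule lists: the same two rules in both orders.
ALLOW_OUT = Rule("allow-trusted-out", "allow",
                 src_zones=fs("Trusted"), dst_zones=fs("Untrusted"))
DENY_GUEST_SMTP = Rule("deny-guest-smtp", "deny",
                       src_zones=fs("Trusted"), dst_zones=fs("Untrusted"),
                       services=fs("SMTP"), users=fs("guests"))

BROAD_FIRST = [ALLOW_OUT, DENY_GUEST_SMTP]      # broad rule on top: deny never fires
SPECIFIC_FIRST = [DENY_GUEST_SMTP, ALLOW_OUT]   # order the guide recommends

# Constructed connection: a member of "guests" sending SMTP to the Internet.
GUEST_SMTP = {"src_zones": "Trusted", "dst_zones": "Untrusted",
              "services": "SMTP", "users": "guests"}

if __name__ == "__main__":
    for label, rules in (("broad first", BROAD_FIRST),
                         ("specific first", SPECIFIC_FIRST)):
        print(label, evaluate(rules, GUEST_SMTP), find_shadowed(rules))
```

Running find_shadowed over an exported rule list before and after a reorder is a quick way to catch a deny rule that a broader allow rule has silently disabled.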

Managing security policies

The Security policies section contains three subsections:
- Content filtering
- Safe browsing
- Decryption
- Intrusion prevention
- Mail security

Based on security policies, network administrators can perform the following:
- Set up the HTTP/S content filtering, e.g. prohibit access to certain categories of websites in the specified periods for individual users or configure the virus scanning of web content
- Set up safe browsing options, e.g. forced safe search, blocking of social network applications, logging of users' search phrases and blocking of ads
- Set up the HTTPS decryption rules, e.g. to decrypt HTTPS in the "Forums" category for all users and decrypt HTTPS in the "Social media" category only for the selected users. Once the HTTP traffic is decrypted, the system will be able to apply various content filtering and safe browsing policies
- Enable and set up the IDPS settings
- Set up spam filtering and virus scanning of the SMTP and POP3 traffic

Important! Rules created in these sections are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom.

To set up HTTP content filtering, perform the following:
Step 1. Create the content filtering rules. Please refer to Content filtering.

To apply safe browsing options, perform the following:
Step 1. Create the safe browsing rules. Please refer to Safe browsing.

To set up decryption of HTTPS traffic, perform the following:

Step 1. Create the HTTPS decryption rules. Please refer to Configuring HTTPS decryption.

To set up IDPS, perform the following:
Step 1. Create the IDPS rules. Please refer to Intrusion detection and prevention system.

To set up protection of the protocols, perform the following:
Step 1. Create the traffic protection rules. Please refer to traffic protection.

Content filtering

Based on content filtering rules, network administrators can allow or prohibit certain content passed through HTTP and HTTPS (if the HTTPS decryption is configured). You can also forward content for further analysis to external servers via ICAP, e.g. to check the traffic in a 3rd party DLP system.

Criteria of a rule can be as follows:
- Users and groups
- Certain words or phrases (morphology) on web pages
- Category of a website
- URL
- Zone and IP address of the source
- IP addresses of the destination
- MIME type of content
- Time

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! If no rules have been created, then all content types will be allowed.

Important! A rule is triggered only when all its criteria are met.

To create a new content filtering rule, click Add in the Network policies → Content filtering section and specify the following parameters.

Enabled: Enables or disables a rule
Policy name of a rule
Action:
- Deny: blocks the web page
- Warning: notifies a user that a web page they are trying to access is unwanted. The user will decide on their own whether to access the page or not. Each web page view is logged
- Allow: allows the traffic
Check by Entensys cloud antivirus: Applicable to the Deny rules only, i.e. if a web page is infected, the entire web resource will be blocked. If a rule contains additional conditions (categories, time, etc.), then the virus scan will be performed only when all criteria in the rule are met
Check by Kaspersky antivirus: Applicable to the Deny rules only, i.e. if a web page is infected, the entire web resource will be blocked. If a rule contains additional conditions (categories, time, etc.), then the anti-virus scan will be performed only when all criteria in the rule are met. Important! Enable the Kaspersky Antivirus module in the General settings section
Enable logging: Logs information when a rule is triggered
Blocking page: Specifies the blocking page that will be shown to users when a web resource they are trying to access is prohibited. You can either use an external page by selecting Use external URL or specify the UTM's blocking page. In this case, you can select an existing template of

the blocking page or create a new one in Libraries → Response pages
Users: List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown, Known type. To apply rules to individual users or users of the Known type, make sure to set up authentication properly. For more details on user identification, please refer to User identification
Morphology: List of morphology dictionaries for web page checks. If you have the corresponding license, Entensys will provide you with the list of various dictionaries, such as "Suicide", "Terrorism", "Pornography", "Profanity", "Gambling", "Drugs", and others. The dictionaries are available in English, German, Russian, Japanese and Arabic. Network administrators can also create their own dictionaries. For more details on how to work with morphological dictionaries, please refer to Libraries → Morphology
Categories: List of categories from Entensys URL Filtering 3.0. Note that you will need the corresponding license in order to use categories. Entensys URL Filtering 3.0 is the largest database of web resources split into 73 categories for your convenience. Network administrators can efficiently manage access to unwanted web resources, such as pornography, malicious websites, online casinos, gambling websites, social media, and more
URLs: Lists of URLs. If you have the corresponding license, Entensys will provide you with the regularly updated lists of URLs, such as "Entensys black list", "Entensys white list", "List of prohibited websites according to some national laws", "Black list of phishing websites", and "Search engines without safe search". Network administrators can also create their own lists of URLs. For more details on how to work with lists of URLs, please refer to Libraries → URL lists
Content type: Lists of MIME types. Network administrators can manage video content, audio content, images, executables, and more. Network administrators can also create their own groups of MIME types.
For more details on how to work with MIME types, please refer to Libraries → Content types

Source zone: Zone of traffic source
Source address: Lists of IP addresses of the traffic source. For more details on how to work with lists of IP addresses, please refer to Libraries → IP addresses
Destination address: Lists of IP addresses of the traffic destination. For more details on how to work with lists of IP addresses, please refer to Libraries → IP addresses
Time: Time period when the rule will be active. Network administrators can add necessary time intervals in Libraries → Time sets

For more details on how to set up traffic forwarding to external ICAP servers, please refer to Settings.

Important! Note that traffic is passed to ICAP servers before the content filtering rules are applied.

Requests to a white list

When a website is blocked according to content filtering rules, a user will see the blocking page which describes the reason for blocking along with the name of the filtering rule, website category, morphological database or the black list used for blocking. In addition, the blocking page allows a user to request adding this website to the white list if it has been blocked by mistake. When a user clicks Add to white list, the corresponding request will appear in Security policies → Requests for white list. Network administrators can perform the following actions with user requests:

Add to white list: Adds the provided URL to the white list. The system will prompt network administrators to modify the URL and select a white list to which this web resource will be added
Delete: Removes the request from the list of requests
Reject URL: Adds the requested URL to the list of discarded requests. Once the request is discarded, the Add to white list option will not be shown on the blocking page for this URL anymore. The list of discarded domains and URLs is displayed in the rejected requests window
Reject domain: Adds the domain of the requested URL to the list of discarded requests. Once the request is discarded, the

Add to white list option will not be available on the blocking page for this domain anymore. The list of discarded domains and URLs is displayed in the rejected requests window

Network administrators can check the category of a web resource using the Check URL form. If the web resource appears to be in a wrong category, network administrators can request changing the category by suggesting another category and clicking Suggest URL category. The system will send this request to Entensys, so that our support team could check it and make necessary updates to the Entensys URL Filtering database.

Safe browsing

In the Safe browsing section, network administrators can enable additional filtering parameters for HTTP and HTTPS (if the HTTPS encryption has been configured) including the following ones:
- Forced safe search for search engines (Google, Yandex, Yahoo, Bing, Rambler, Ask) and on YouTube. You can use this tool to block unwanted content by means of search portals, thereby ensuring high efficiency, e.g. when filtering responses to requests of graphical or video content
- Logging of users' search queries
- Ad blocking. Even secure websites may sometimes display annoying ads or unwanted content on sidebars. UserGate UTM can address this issue and prevent ad banners from displaying on webpages
- Blocking of social network applications. Social networks have become an important part of our life. However, many companies don't allow their employees to play online games provided by social networks at work. UTM can block such applications without any impact on all other functions of social networks

Criteria of a rule can be as follows:
- Users and groups
- Time

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom.
If you want to change the order of rules, use the Up/Down buttons.

Important! If no rules have been created, then no additional safe browsing functions will be applied.

Important! A rule is triggered only when all its criteria are met.

To create a new content filtering rule, click Add in the Network policies → Safe browsing section and specify the following parameters.

Enabled: Enables or disables a rule

Policy name of a rule
Users: List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown, Known type. To apply rules to individual users or users of the Known type, make sure to set up authentication properly. For more details on user identification, please refer to User identification
Time: Time period when the rule will be active. Network administrators can add necessary time intervals in Libraries → Time sets
Filtering options: Safe search, Search history, AdBlock, Block social network apps

Configuring HTTPS decryption

In this section, network administrators can set up inspection of the data passed by the HTTPS protocol. UTM uses the well-known technology called Man-In-The-Middle (MITM) which decrypts and analyzes content on the server side. HTTPS decryption is required for proper operation of content filtering rules and safe browsing.

Based on these rules, you can set up HTTPS decryption for various categories of content, e.g. "Malware", "Anonymizers" or "Botnets", without decryption of safe categories, such as "Finance", "Government", etc. The system identifies the category of a website according to the information passed in HTTPS requests, such as SNI (Server Name Indication) or Subject in the server certificate (when SNI is missing). The value of the Subject Alternative Name is ignored.

After decryption and analysis, the data will be encrypted again with a certificate issued by the certification authority that you have previously specified in the Certificates section. Make sure to add this certificate to the trusted root certificates on users' computers; otherwise, web browsers on the user side will display a notification that the certificate has been compromised. For more details, please refer to Appendix 1.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met.
This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! When no rules are defined, the system will not capture and decrypt HTTPS and therefore the content passed through HTTPS will not be filtered.

Important! A rule is triggered only when all its criteria are met.

To create a new HTTPS decryption rule, click Add in the Network policies → HTTPS decryption section and specify the following parameters.

Enabled: Enables or disables a rule
Rule name of a rule
Action:
- Decrypt
- Do not decrypt
Block sites with invalid certificates: Blocks access to servers with invalid HTTPS certificates, e.g. servers with expired/recalled certificates or certificates issued for another domain name and/or by an untrusted certification authority
Users: List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown, Known type. To apply rules to individual users or users of the Known type, make sure to set up authentication properly. For more details on user identification, please refer to User identification
Destination address: Lists of IP addresses of the traffic destination. For more details on how to work with lists of IP addresses, please refer to Libraries → IP addresses
Services: Service for which the rule will decrypt traffic. Can be HTTPS, SMTPS, POP3S
Categories: List of categories from Entensys URL Filtering 3.0. Note that you will need the corresponding license in order to use categories. Entensys URL Filtering 3.0 is the largest database of web resources split into 73 categories for your convenience. Network administrators can efficiently manage access to unwanted web resources, such as

83 pornography, malicious websites, online casinos, gambling websites, social media, and more Domains Lists of domains. Domain names to which this rule is applied. Domain names are created similar to lists of URLs except that only domain names can be used for HTTPS decryption (such as but not For more details on how to work with lists of URLs, please refer to LibrariesàURL lists Time Time period when the rule is active. Network administrators can add necessary time intervals in LibrariesàTime sets By default, UTM has decryption rule Decrypt all for unknown users which is required for authorization of unknown users on the Captive portal. Intrusion detection and prevention system The intrusion detection and prevention system (IDPS) can quickly detect malicious activity in your local network or from the Internet, identify, record and prevent various threats, and generate detailed reports on each suspicious event. Security breaches are usually detected by means of heuristic techniques and matching with signatures of already known attacks. If you have the corresponding license, Entensys will be regularly providing you with its up-to-date databases of heuristic rules and attacks signatures. IDPS can track and proactively block all the detected attacks in real time, e.g. terminate malicious network connections, send notifications to network administrators, log the suspicious activity, and so on. To get started with IDPS, perform the following: Step 1. Enable the IDPS module Enable the Intrusion Prevention module in the General settings section Step 2. Configure the IDPS policy Please refer to Configuring IDPS policy Step 3. Create the IDPS rules Please refer to Configuring IDPS rules To set up the IDPS policy, click IDPS policy in the Security policiesà Intrusion prevention section and specify the following fields: 83

Low risk: Threats considered by Entensys as low risk threats. These are potential threats that do not directly impact the system, e.g. port scanning, etc.

Medium risk: Threats considered by Entensys as medium risk threats. These are well-known threats, e.g. exploits against which all vendors have already issued bugfixes

High risk: Threats considered by Entensys as high risk threats. These are dangerous threats, e.g. new exploits against which vendors have not issued bugfixes yet

Pass: Skips the specified IDPS threats

Alert: Records threat details into the system log

Drop: Records threat details into the system log and blocks the corresponding traffic

Network administrators can set up various actions depending on threat severity. The recommended IDPS policy is as follows:

Low risk: Pass
Medium risk: Alert
High risk: Drop

IDPS policies will be applied to the traffic according to the IDPS rules.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! If no rules have been created, then IDPS will not work.

Important! A rule is triggered only when all its criteria are met.

To set up the IDPS rules, click Add in the Security policies → IDPS section and specify the following fields:

Enabled: Enables or disables a rule

Policy name of a rule

Source: Zone(s) and IP addresses of the traffic source

Destination: Zone(s) and IP addresses of the traffic destination

Service: Service type, e.g. HTTP, DNS, etc.

Application: List of applications to which this rule will be applied.

Mail security

In the Mail security section, you can set up virus and spam scanning of the transit traffic. The system supports the POP3(S) and SMTP(S) protocols. For proper operation of the traffic protection, make sure you have the license for the corresponding module.

In most cases, you will need to protect the traffic coming from the Internet to your internal mail servers as well as the mail traffic coming from your servers or user PCs.

To set up protection of the traffic coming from the Internet to your internal mail servers, perform the following:

Step 1. Publish your mail server on the Internet
Please refer to DNAT rules. It is recommended to create separate DNAT rules for SMTP and POP3, rather than combine them into one rule

Step 2. Create a firewall rule to allow mail traffic
Create a firewall rule which allows SMTP/POP3 traffic from the Untrusted zone to the zone with mail servers (usually the Trusted zone). For details please refer to Firewall

Step 3. Enable support of the SMTP(S) and POP3(S) services in the zone connected to the Internet
Please refer to Configuring zones

Step 4. Create the traffic protection rules
Create the necessary traffic protection rules. For more details, please see below in this chapter

If you need to protect the mail traffic without publishing your mail server on the Internet, perform the following steps:

Step 1. Create the traffic protection rules
Create the necessary traffic protection rules. For more details, please see below in this chapter

To set up the mail traffic filtering rules, click Add in the Security policies → Mail security section and specify the following fields:

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! If no rules have been created, then mail traffic will not be protected.

Important! A rule is triggered only when all its criteria are met.

Enabled: Enables or disables a rule

Rule name Comment of a rule

Action: Select an action that will be applied to the mail traffic when all corresponding criteria are met:
Pass: passes the traffic without changing it
Mark: puts a special tag in the "subject" or an additional field of messages
Drop with error: blocks a message and sends a notification about the failed delivery attempt to the SMTP server (for the SMTP(S) traffic) or to the POP3 client (for the POP3(S) traffic)
Drop without error: drops a message without sending a notification

Scanning: Select a traffic scanning method:
Entensys virus and spam check: checks the traffic for spam and viruses
Kaspersky virus check: checks the traffic using the Kaspersky engine
DNSBL check (SMTP only): performs spam protection based on the DNSBL technology. Applicable to the SMTP traffic only. When the traffic is scanned by DNSBL, the spammer's SMTP server is blocked by IP address even before an SMTP connection is established, thereby significantly reducing the overall spam and virus scanning workload

Header: Field for placing the message tag

Mark: Text of the message tag

Source: Zone and IP address of the traffic source

Users: Users or groups of users to which the rule will be applied

Destination: Zone and IP address of the traffic destination

Service: Select a protocol (POP3 or SMTP) to which the rule will be applied

Envelope from: Address of the sender as specified in the "Envelope from" field. Applicable to SMTP only

Envelope to: Address of the recipient as specified in the "Envelope to" field. Applicable to SMTP only

It is recommended that you use the following spam protection settings.

For SMTP(S):

The first rule in the list should be blocking via DNSBL. It is recommended that you leave the Envelope from/Envelope to fields blank. In this case, DNSBL will proactively discard connections with SMTP servers that are known as spam sources. When recipient addresses are added to exclusions, the system will be forced to receive each message entirely for analysis, and therefore the overall server workload will increase

The second rule is marking messages using Entensys virus and spam check. Here you can use any exclusions you want, including Envelope from/Envelope to.

For POP3(S):

Action: Mark
Scanning: Entensys virus and spam check

Notifications

In this section, you can set up notification profiles and then use them for sending notifications about various events, e.g. high CPU workload or sending a password to a user via SMS.

Notification profiles

Notification profiles specify the transport used for delivering notifications to recipients. The system supports 2 types of transport: SMTP (message delivery by email) and SMPP (message delivery by SMS).

To create a new SMTP message profile, click Add in the Notifications → Notification profiles section, select Add SMTP notification profile and then specify the following fields:

of the profile
of the profile

Host: IP address of the SMTP server that you are going to use for sending messages

Port: TCP port used by the SMTP server (usually port 25 for SMTP and port 465 for SMTP with SSL). Ask your server administrator to provide this value

SSL: Whether to use the SSL encryption

Authorization: Enables authorization for SMTP server connections

Login: Username of the account used for connecting to the SMTP server

Password: Password of the account used for connecting to the SMTP server

To create a new SMPP message profile, click Add in the Notifications → Notification profiles section, select Add SMPP notification profile and then specify the following fields:

of the profile
of the profile

Host: IP address of the SMPP server that you are going to use for sending SMS messages

Port: TCP port used by the SMPP server (usually port 2775 for SMPP and port 3550 for SMPP with SSL).

SSL: Whether to use the SSL encryption

Login: Username of the account used for connecting to the SMPP server

Password: Password of the account used for connecting to the SMPP server

Phone translation rules: Allows changing the prefix of phone numbers, i.e. change to This can be required by some SMPP providers

Alert rules

Based on alert rules, network administrators can send information about certain events of the UserGate UTM server to the specified recipients.

To create a new notification rule, perform the following steps:

Step 1. Create one or more notification profiles
Please refer to Notifications → Notification profiles

Step 2. Create one or more groups of message recipients
Please refer to Libraries → Emails and Libraries → Phones

Step 3. Create a new alert rule
Add a new rule in the Notifications → Alert rules section

Specify the following parameters when adding a new rule:

Enabled: Enables or disables a rule

Rule name of a rule

Notification profile: Select a notification profile that you have previously created. The system will display a separate tab for adding phone numbers (for SMPP profiles) or for adding email addresses (for SMTP profiles)

Sender: Specify the notification sender

Subject: Specify the notification subject

Wait for next alert, seconds: Specify the server's timeout before the next triggering of the rule

Events: Specify the events for which you want to receive notifications

Phones: Applicable for SMPP profiles only. Specify the groups of phone numbers to which SMS notifications will be sent

Emails: Applicable for SMTP profiles only. Specify the groups of emails to which notifications will be sent

Libraries

This large section provides all records, domain names, IP addresses, templates and other items that can be used in the UTM rules.

By default, libraries are already predefined with data, but network administrators can add custom items as required. Note that certain items in libraries are read-only, since they are provided and supported by Entensys. Libraries provided by Entensys are updated automatically, if you have the corresponding license. For more details on product licensing, please refer to Installing license.

Morphology

Morphological analysis is a mechanism designed to recognize certain words and phrases on websites. If a text contains too many unwanted words or phrases, the system will block access to the website.

Morphological analysis is performed both when a user sends a new search query and when the requested web server responds to this query. Once the web server responds to the query, UserGate UTM scans the text on the web page and then calculates its total "weight" by matching words and phrases from various morphological categories. If the total "weight" of the web page is higher than that of a morphological category, the rule will be triggered. The system also takes into account all word forms of prohibited words when calculating the "weight". UserGate UTM searches for word forms in its built-in dictionaries available in English, German, Russian, Japanese and Arabic.

You can also subscribe to additional dictionaries offered by Entensys. These dictionaries are read-only. You will also need the corresponding license to use them. For more details on product licensing, please refer to Installing license.

Suicide: Morphological dictionary containing words and phrases related to suicide

Terrorism: Morphological dictionary containing words and phrases related to terrorism

Profanity: Morphological dictionary containing profane words and phrases

Gambling: Morphological dictionary containing words and phrases related to gambling

Drugs: Morphological dictionary containing words and phrases related to drugs

Pornography: Morphological dictionary containing words and phrases related to pornography

Restricted materials (Custom code): Morphological dictionary containing words and phrases not recommended for children according to some national laws. The GS1 suffix code for Entensys dictionaries complies with the national laws of the country. See for details

To set up morphology-based filtering, perform the following:

Step 1. Create one or more morphological categories and specify their weights
Click Add and specify the name and weight of the new category

Step 2. Specify the list of prohibited phrases with their weights
Click Add and specify the necessary words and phrases. When adding a new word to any morphological dictionary, you can put the "!" modifier before the word, e.g. "!bassterd". In this case, the jargon word will not be converted into word forms during analysis, which significantly reduces the risk of false positives

Step 3. Create a new content filtering rule containing one or more morphological categories
Please refer to Content filtering

Network administrators can create custom dictionaries and distribute them from a single center to all UserGate UTM servers. To create a custom morphological database, perform the following steps:

Step 1. Create a new file with necessary phrases
Create a new file called list.txt with words presented in the following format:
!word1!word2!word3 word Lastword
In this case, the total weight of the dictionary will be 100. You can also specify a weight for each word (the default value is 100)

Step 2. Put this file into a new archive
Zip the file into a new archive called list.zip

Step 3. Create a new file with the necessary version of your dictionary
Create a new file version.txt and specify the database version (e.g. "3") in it. Make sure to increment this value each time you update the morphological dictionary

Step 4. Publish files on your web server
Publish list.zip and version.txt on your website and make them available for download via http

Step 5. Create a new morphological category and provide the URL for updating your dictionary
Create a new morphological database on every UserGate UTM server. When creating a new database, make sure to provide a URL for installing updates. UserGate UTM will check for a new version on your website every 4 hours and automatically update your dictionary once a newer version is released

Important! When creating a new morphological dictionary, it is highly recommended that you put the "!" modifier before each word in phrases containing more than three words. Note that the system will convert each word into all possible word forms (including cases, plural forms, grammatical tenses, etc.) when building a new morphological database, and the resulting number of words will be large. When you add long phrases, make sure to put the "!" modifier before each word that does not have word forms, e.g. before articles, prepositions and conjunctions. For example, the phrase "how to commit a painless suicide" should be added as "!how!to commit!a suicide!painlessly". This will reduce the number of possible phrase variants while preserving the main idea of the initial phrase.

Services

The Services section contains a list of public TCP/IP-based services, such as HTTP, HTTPS, FTP, etc., that you can use when composing UTM rules.

By default, the initial list of services is already predefined, but network administrators can add custom items as required. To add a new service, perform the following steps:

Step 1. Create a new service
Click Add and then specify the name and comment for the new service

Step 2. Specify the protocol and port
Click Add and then select the necessary protocol from the list and specify the source and/or destination ports. To add a port range use : (colon), e.g. :33344

IP addresses

The IP addresses section contains a list of IP ranges that you can use for composing UTM rules.

By default, the initial list of addresses is already predefined, but network administrators can add custom items as required. To add a new list of addresses, perform the following steps:

Step 1. Create list
Click Add and then specify the name for the list of IP addresses

Step 2. Specify the URL for updating your list (optional)
Provide the server's address where your updatable list is hosted. Additional details about updatable lists are provided below in this chapter

Step 3. Add IP addresses
Click Add and enter the addresses. An address must be specified either as an IP address or as an IP address/subnet mask, e.g. /24

Network administrators can create custom lists of IP addresses and distribute them from a single center to all UserGate UTM servers. To create a new list of IP addresses, perform the following steps:

Step 1. Create a new file with necessary IP addresses
Create a new file called list.txt containing a list of addresses

Step 2. Put this file into a new archive
Zip the file into a new archive called list.zip

Step 3. Create a new file with the necessary version of your list
Create a new file called version.txt and specify the list version (e.g. "3") in it. Make sure to increment this value each time you update the list

Step 4. Publish files on your web server
Publish list.zip and version.txt on your website and make them available for download

Step 5. Create a new list of IP addresses and provide a URL for installing updates
Create a new list of IP addresses on every UserGate UTM server. When creating a new database, make sure to provide a URL for installing updates. UserGate UTM will check for a new version on your website every 4 hours and automatically update your list once a newer version is released

Content types

Based on filtering by content type, you can block downloads of certain files, e.g. prohibit all *.doc files.

You can also subscribe to additional content types offered by Entensys. Note that these lists of content types are read-only. You will also need the corresponding license to use them. For more details on product licensing, please refer to Installing license.

To set up filtering by content type, perform the following steps:

Step 1. Create a new list of content types or select a predefined list from Entensys
Click Add and specify the name for the new list of content types

Step 2. Add the necessary MIME types to your list
Add the content types you want to prohibit in the MIME format. You can find descriptions of various MIME types on the Internet, e.g.: For example, to block all *.doc files, add the following MIME type: application/msword

Step 3. Create a new content filtering rule containing one or more lists
Please refer to Content filtering

Network administrators can create custom lists of content types and distribute them from a single center to all UserGate UTM servers. To create a new list of content types, perform the following steps:

Step 1. Create a new file with necessary content types
Create a new file called list.txt containing a list of content types

Step 2. Put this file into a new archive
Zip the file into a new archive called list.zip

Step 3. Create a new file with the necessary version of your list
Create a new file called version.txt and specify the list version (e.g. "3") in it. Make sure to increment this value each time you update the list

Step 4. Publish files on your web server
Publish list.zip and version.txt on your website and make them available for download

Step 5. Create a new list of content types and provide a URL for installing updates
Create a new list of content types on every UserGate UTM server. When creating a new database, make sure to provide a URL for installing updates. UserGate UTM will check for a new version on your website every 4 hours and automatically update your list once a newer version is released

URL lists

On this page, you can create various lists of URLs and then use them as black and white lists for the content filtering rules.

Note that Entensys offers its own updatable lists. You will also need the corresponding license to use them. For more details on product licensing, please refer to Installing license.

Entensys black list: This list contains URLs prohibited by some national laws

Phishing black list: This list contains URLs of known phishing websites

Entensys white list: This list contains URLs of known trusted websites and portals

Search engines without safesearch capability: This list contains known search engines which do not provide safe search (family filter). We recommend blocking such search engines for parental control, as they make it possible to reach adult content

Entensys black list (Custom code): This list contains URLs prohibited by some national laws. The GS1 suffix code for Entensys custom black/white lists complies with the national laws of the country. See for details

To set up filtering based on lists of URLs, perform the following steps:

Step 1. Create a new list of URLs
Click Add and specify the name for the new list

Step 2. Add the necessary records to your list
Add the necessary URLs to your list. You can use the special characters ^, $ and * in the lists:
* stands for an arbitrary number of characters
^ denotes the start of the current line
$ denotes the end of the current line
Note that the characters ? and # are not allowed here

Step 3. Create a new content filtering rule containing one or more lists
Please refer to Content filtering

All records that start with http:// or https:// or contain one or more "/" characters are handled as URLs by the HTTP(S) filtering, but are not applied to the DNS filtering. Otherwise, the string will be treated as a domain name and therefore will be applied to both DNS and HTTP(S) filtering.

To block a website by exact address, use the "^" and "$" characters: ^

To block an exact URL with all its subfolders, use the "^" character: ^

To block a domain with all its URLs, use the following record: domain.com
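The record rules described above (a record with a scheme or a "/" is a URL record used for HTTP only, anything else is a domain record used for DNS and HTTP, and an unanchored record matches anywhere in the string) can be checked before a list is deployed. This is an added example in Python, not UserGate's matching engine: the function names are hypothetical, the matching model is an assumption derived from this guide's description and its yahoo.com sample records, and the record containing http:// is constructed.

```python
import re
from urllib.parse import urlsplit


def parse_record(record: str):
    """Classify a list record and compile it. Returns (kind, regex).

    kind is "url" (HTTP(S) filtering only) or "domain" (DNS and HTTP(S)).
    """
    if "?" in record or "#" in record:
        raise ValueError("'?' and '#' are not allowed in list records")
    anchored_start = record.startswith("^")
    anchored_end = record.endswith("$")
    body = record[1:] if anchored_start else record
    body = body[:-1] if anchored_end else body
    if not body:
        raise ValueError("empty record would match everything")
    has_scheme = body.startswith(("http://", "https://"))
    kind = "url" if has_scheme or "/" in body else "domain"
    # '*' is an arbitrary run of characters; every other character is literal.
    pattern = ".*".join(re.escape(part) for part in body.split("*"))
    pattern = ("^" if anchored_start else "") + pattern + ("$" if anchored_end else "")
    return kind, re.compile(pattern)


def blocks_dns(record: str, hostname: str) -> bool:
    """Domain records are matched against the queried name; URL records never apply."""
    kind, rx = parse_record(record)
    return kind == "domain" and rx.search(hostname) is not None


def blocks_http(record: str, url: str) -> bool:
    """URL records are matched against the full URL, domain records against its host."""
    kind, rx = parse_record(record)
    target = url if kind == "url" else (urlsplit(url).hostname or "")
    return rx.search(target) is not None


def audit(records, hostnames, urls):
    """For each record, list which sample names and URLs it would block."""
    return {
        rec: {
            "dns": [h for h in hostnames if blocks_dns(rec, h)],
            "http": [u for u in urls if blocks_http(rec, u)],
        }
        for rec in records
    }


if __name__ == "__main__":
    # Sample records from this guide, plus one constructed URL record.
    records = ["yahoo.com", "^*.yahoo.com$", "^mail.yahoo.com$",
               "^mail.yahoo.com/$", "^http://mail.yahoo.com/$"]
    hostnames = ["yahoo.com", "sport.yahoo.com", "mail.yahoo.com", "qweryahoo.com"]
    urls = ["http://mail.yahoo.com/", "http://mail.yahoo.com/inbox",
            "https://sport.yahoo.com/news"]
    for rec, hit in audit(records, hostnames, urls).items():
        print(f"{rec:28} DNS={hit['dns']} HTTP={hit['http']}")
```

Running the audit against a few names that should stay reachable shows over-broad records early: the unanchored `yahoo.com` record also catches `qweryahoo.com`, and `^mail.yahoo.com/$` blocks nothing because it is a URL record without a scheme.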

Example of URL record interpretation:

Sample record: yahoo.com or *yahoo.com*
Handling of DNS requests: Blocks the entire domain with its third-level domains, e.g.: sport.yahoo.com, mail.yahoo.com and qweryahoo.com
Handling of HTTP requests: Blocks the entire domain with all its URLs and third-level domains, e.g.:

Sample record: ^*.yahoo.com$
Handling of DNS requests: Blocks only third-level domains, e.g.: sport.yahoo.com, mail.yahoo.com
Handling of HTTP requests: whatever.yahoo.com is blocked, e.g.: is blocked is blocked is blocked is not blocked is not blocked

Sample record: ^mail.yahoo.com$
Handling of DNS requests: Blocks only mail.yahoo.com
Handling of HTTP requests: Blocks only

Sample record: ^mail.yahoo.com/$
Handling of DNS requests: Nothing is blocked
Handling of HTTP requests: Nothing is blocked, since the last "/" defines a URL, but neither "https" nor "http" is specified

Sample record: ^ com/personalfinance/$
Handling of DNS requests: Nothing is blocked
Handling of HTTP requests: Blocks only

Sample record: ^yahoo.com/12345/
Handling of DNS requests: Nothing is blocked
Handling of HTTP requests: Blocks

Network administrators can create custom lists and distribute them from a single center to all UserGate UTM servers. To create a new list, perform the following steps:

Step 1. Create a new file with the necessary list of URLs
Create a new text file called list.txt with URLs presented in the following format:

Step 2. Put this file into a new archive
Zip the file into a new archive called list.zip

Step 3. Create a new file with the necessary version of your list
Create a new file called version.txt and specify the list version (e.g. "3") in it. Make sure to increment this value each time you update the list

Step 4. Publish files on your web server
Publish list.zip and version.txt on your website and make them available for download

Step 5. Create a new list of URLs and provide a URL for installing updates
Create a new list of URLs on every UserGate UTM server. When creating a new database, make sure to provide a URL for installing updates. UserGate UTM will check for a new version on your website every 4 hours and automatically update your list once a newer version is released

Time sets

Based on time sets, you can add time periods and then use them for composing various UTM rules.

By default, the initial list is already predefined, but network administrators can add custom items as required. To add a new time set, perform the following steps:

Step 1. Create a new time set
Click Add and then specify the name for the time set

Step 2. Add the necessary time periods to your time set
Click Add and specify a new period. Make sure to provide a name and time range for the period

Bandwidth pools

The Bandwidth pools library item defines the data transfer speed that you can use for composing various rules and managing the network bandwidth. For more details on how to manage the network bandwidth, please refer to Traffic shaping.

By default, the initial list is already predefined, but network administrators can add custom items as required. To add a new bandwidth item, perform the following steps:

Step 1. Create a new bandwidth item
Click Add and then specify the name and description of the new bandwidth item

Step 2. Specify the speed
Specify the data transfer speed in Kbytes/s

Response pages

Based on response page templates, network administrators can manage the appearance of the blocking and authorization pages of the Captive portal. Network administrators can apply various templates depending on the content filtering rules and rules of the Captive portal.

UserGate UTM is pre-packed with three default types of templates, which are templates for the Captive portal, templates for user session control, and templates of the blocking page. Based on these built-in templates, you can create custom templates using your corporate style, logos, and language.

Templates Blockpage: Default blocking template

Templates Captive portal user auth: User authorization template for the Captive portal. The template displays a form for user authorization (by username and password). After a successful authorization, a user is granted Internet access

Templates Captive portal user auth + policy: User authorization template for the Captive portal. The template displays a form for user authorization (by username and password) and network usage rules (Terms and Conditions) and then asks a user to accept the network access policy. After a successful authorization and policy acceptance, a user is granted Internet access.

Templates Captive portal: email auth: Template for user authorization via the Captive portal; this template allows users to register in the system on their own and then confirm their registration by email

Templates Captive portal: SMS auth: Template for user authorization via the Captive portal; this template allows users to register in the system on their own and then confirm their registration via SMS

Templates Captive portal policy: User authorization template for the Captive portal. The template does not require user authorization (by username and password), but displays the network usage rules (Terms and Conditions) and asks a user to accept the network access policy. After accepting the network access policy, a user is granted Internet access. Make sure to set up the Accept policy method as the default authentication method of the Captive profile for proper operation of this template

Templates Captive portal user session: Template for logging out of the current user session via or

To create a new custom template, perform the following steps:

Step 1. Export one of the default templates
Select an existing template, click Export and then save it to a file

Step 2. Modify the exported template
Modify the template contents using an editor. It is not recommended that you use HTML editors, since they can corrupt the internal structure of your template. Instead, use a simple text editor

Step 3. Create a new template
Click Add, select the corresponding template type, specify the name of the template and then save changes

Step 4. Import the template modified in step 2
Select the newly created template, click Import and then choose the file containing the modified template

URL categories

Based on the URL Category library items, you can create groups of Entensys URL Filtering categories for convenient usage in content filtering rules. For example, network administrators can create a group called "Business Categories" and then add the corresponding categories into it. Note that you will have to install the corresponding license in order to use Entensys URL Filtering categories.

By default, the initial list is already predefined, but network administrators can add custom items as required.

Threats: Categories recommended for blocking for security reasons

Parental Control: Categories recommended for blocking in order to protect children from unwanted content

Productivity: Categories recommended for blocking in order to improve labor discipline

All categories: Group containing all categories

Safe categories: Categories considered secure. It is recommended that you disable morphological checks and capturing of HTTPS traffic for this group of categories in order to reduce false triggering

Recommended for morphology checking: Categories recommended for morphological checks. These categories do not include News, Finance, Government, Information Security, Kids websites and other categories in order to reduce false triggering. The same categories are recommended for HTTPS traffic capturing

To add a new group of categories, perform the following steps:

Step 1. Create a group of categories
Click Add and then specify the name for the group

Step 2. Add the categories
Click Add and then select the necessary categories from the list

Applications

Based on Application library items, you can create groups of applications and then conveniently use them in firewall rules and bandwidth rules. For example, network administrators can create a group of applications called "Business Applications" and then add the corresponding applications into it.

To add a new group of applications, perform the following steps:

Step 1. Create a group of applications
Click Add and then specify the name for the group

Step 2. Add the applications
Click Add and then select the necessary applications from the list

Emails

Based on the Email library items, you can create groups of email addresses and then use them in traffic filtering rules and notifications.

To add a new group of emails, perform the following steps:

Step 1. Create a new group of emails
Click Add and then specify the name for the group

Step 2. Add new emails to the group
Click Add and then add the necessary emails

Phones

Based on the Phone library items, you can create groups of phone numbers and then use them in various SMPP notification rules.

To add a new group of phone numbers, perform the following steps:

Step 1. Create a new group of phone numbers
Click Add and then specify the name for the group

Step 2. Add new phone numbers to the group
Click Add and then add the necessary phone numbers

Statistics

In the Statistics section of the web console, you can view information about the current device status in near real-time. All information is split into three subsections: Monitoring, Statistics and Logs.

By default, the statistics server is hosted directly on the UserGate UTM server, but you can also make it standalone in order to gain the following benefits:
- Higher performance of the UserGate UTM server
- Consolidated statistics from all nodes in your cluster

For details on how to set up a standalone statistics server, please refer to the sections below.

Monitoring

Network monitoring

In this subsection, you can view all network connections established through UserGate UTM. Network administrators can filter events by various criteria, e.g. by protocol (TCP/UDP/ICMP), TCP status (ESTABLISHED, SYN_SENT, etc.), and so on. Network administrators can also enable automatic updates of the displayed data or update this data manually by clicking Update.

From here, it is also possible to block certain IP addresses across all protocols by selecting the necessary record and clicking Block source IP address. In this case, the system will create a new firewall rule that blocks all types of traffic from the specified IP address and will add this rule to the very top of the list. To allow traffic coming from a blocked IP address, remove or disable the corresponding rule in the Firewall section.

Traffic

In this section, you can view the accumulated statistics of traffic usage across all users of UserGate UTM. The data can be filtered by time period. Network administrators can select a network interface and/or user account and view the detailed information about traffic usage.

Statistics

Content filtering

In this section, you can view statistics of Internet access usage by group, user, domain, website category, morphological database, triggered rule and reason for blocking.

Network administrators can select a range of dates and a user and then generate a detailed report. Reports can also be printed and downloaded in a table view.

Rule log

In the Rule log section, you can view all triggered content filtering rules. To display rules in the statistics, make sure to enable the logging options in each rule. The following information is displayed:

Direction: Arrows display whether the triggered rule was a user request or a server response
Action: Blocking, warning or logging. For more details, please refer to Content filtering
User and IP address of a user
Rule of the triggered rule
Morphology: Morphological category for which the rule has been triggered
Category: Entensys URL filtering category for which the rule has been triggered
URL: URL of the resource
User operating system: Windows, MacOSX, Linux, Android, Windows mobile, iOS
Browser: Web browser of the user

Network administrators can apply various filters for convenient display of the triggered rules, e.g. view all triggered rules for a certain user account, domain, rule, request direction, or action. Network administrators can also view the log by website, i.e. display only requests and responses from user web browsers, or by domain, i.e. display only requests and responses from all devices and applications.

Search history

In the Search History section, you can view all search queries from users for which logging is enabled in the safe browsing policies.

Logs

In this section, you can view various logs maintained by UserGate UTM.

Event log

The event log displays events in which any settings of the UserGate UTM server have been changed, e.g. adding/removing/modifying data of a user account, rule or any other item. Here you can also view all login events for the web console, user authorization via the Captive portal, and so on. For convenience, you can filter events by component, e.g. by account and group, firewall, Captive portal, or by severity, such as critical, errors, warnings, info.

Traffic log

The traffic log displays all events in which firewall rules or NAT rules have been triggered (provided that packet logging has been enabled). The log displays time of the event, action, e.g. NAT, ACCEPT, DROP, network interfaces, MAC and IP addresses of the source, IP address of the destination, protocol details, and more. You can also download the log for future analysis or use. For details on log rotation, please refer to General settings. For additional information on how to upload logs to external servers automatically, please refer to Exporting logs.

IDPS log

The log of the Intrusion detection and prevention system displays the triggered IDPS signatures for which logging or blocking has been enabled. You can view event time, signature name, IP addresses of the source and destination, protocol details, and more. You can also download the log for future analysis or use. For details on log rotation, please refer to General settings. For additional information on how to upload logs to external servers automatically, please refer to Exporting logs.

Web access log

The web access log displays all user requests sent to the Internet via HTTP and HTTPS. You can view event time, result of the operation, destination URL, HTTP method, and more. You can also download the log for future analysis or use. For details on log rotation, please refer to General settings. For additional information on how to upload logs to external servers automatically, please refer to Exporting logs.

Setting up a standalone statistics server

A standalone statistics server will help you achieve higher performance of the UserGate UTM server and consolidate reports obtained from each node of the cluster. It is recommended that you always install a standalone statistics server when UserGate UTM operates in the cluster mode or handles very high workloads.

To set up a standalone statistics server, perform the following steps:

Step 1. Select the relevant server
Minimum requirements for the statistics server are as follows:
- 4-core CPU
- 8 GB of RAM
- 1 TB of free disk space

Step 2. Install Ubuntu server x64 on this server
Please refer to the official documentation of Ubuntu OS.

Step 3. Install the software of the statistics server
Run the following commands in the Linux console:

    echo 'deb <REPOSITORY_URL> trusty extra' | sudo tee -a /etc/apt/sources.list
    wget -O - <KEY_URL> | sudo apt-key add -
    sudo apt-get update
    sudo apt-get install utm-statistics

Step 4. Obtain the token required for connection to this statistics server
Run the following command in the Linux console:

    cat /opt/entensys/etc/utmstat_auth.cfg

The output of this command should look like the following:

    {token, "dl6dd6v0xzozbyetlil20s8d2texno5k"}.
    {port, 22699}.

The long string in quotes is the connection token you need.

Step 5. Set up UserGate UTM to use the standalone statistics server
In the UserGate UTM web console, go to Settings → Statistics and then specify the IP address of your new server in the Statistics server field and the connection token in the Password field.
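The token file from Step 4 holds the credential that Step 5 enters as the Password, so it is worth checking before use. The script below is an added example, not part of the UserGate guide: it extracts the token and port from the Erlang-style terms shown above and flags a file that is readable by group or others. The function names and the permission check are assumptions of this example; the guide does not state the file's default mode.

```shell
#!/bin/sh
# Added example (not from the UserGate guide): read and sanity-check the
# statistics-server credential file printed in Step 4.
# The file holds Erlang-style terms such as:
#   {token, "<connection token>"}. {port, 22699}.

# utmstat_field FILE KEY: print the value stored under KEY, without quotes.
utmstat_field() {
    awk -v key="$2" '
        { buf = buf $0 " " }                      # terms may share a line
        END {
            n = split(buf, terms, /[}][ \t]*[.]/) # each term ends with "}."
            for (i = 1; i <= n; i++) {
                t = terms[i]
                sub(/^[ \t\r]*[{][ \t]*/, "", t)  # drop the opening brace
                c = index(t, ",")                 # key and value split here
                if (c == 0) continue
                k = substr(t, 1, c - 1)
                v = substr(t, c + 1)
                gsub(/^[ \t]+|[ \t\r]+$/, "", k)
                gsub(/^[ \t]*"?|"?[ \t\r]*$/, "", v)
                if (k == key) { print v; exit }
            }
        }' "$1"
}

# utmstat_check FILE: return 0 only if the file parses and is not exposed.
utmstat_check() {
    file=$1
    rc=0
    token=$(utmstat_field "$file" token)
    port=$(utmstat_field "$file" port)

    if [ -z "$token" ]; then
        echo "FAIL: no token term found in $file"; rc=1
    fi
    case $port in
        ''|*[!0-9]*|??????*)
            echo "FAIL: port is missing, not numeric or too long"; rc=1 ;;
        *)
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "FAIL: port $port is out of range"; rc=1
            fi ;;
    esac
    # The token is entered as the Password in the UTM console, so the file
    # should not be readable by group or others (added hardening check).
    if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL: $file is readable by group or others"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: token present, port $port, file mode restricted"
    return "$rc"
}

# Demo on a constructed sample in the format the guide shows (made-up token).
sample=$(mktemp)
printf '{token, "%s"}. {port, 22699}.\n' "constructedtoken0123456789abcdef" > "$sample"
chmod 600 "$sample"
utmstat_check "$sample"
rm -f "$sample"
```

On the statistics server, call utmstat_check /opt/entensys/etc/utmstat_auth.cfg (with sudo if the file is readable by root only); utmstat_check never prints the token itself.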

Technical support

The technical support section of our website provides additional information on how to set up UserGate UTM. You can also submit your ticket here, and we will help to resolve your technical issue.

Appendix 1: Installing a certificate issued by the local certification center

Download a certificate from the authorization center that you use for capturing the HTTPS traffic, as described in Managing certificates, and then follow the steps below.

Installing a certificate for Internet Explorer and Chrome in Windows

Open the folder with the DER certificate you have just downloaded and then double-click it.
The certificate details will appear. Click "Install certificate".
The certificate import wizard will be launched. Follow the wizard's on-screen instructions to import the certificate.
Select a storage for the certificate and click "Browse".
Select "Trusted root certification centers" and click OK.
Click "Finish".
When the security warning appears, click "Yes".
The installation is complete.

Installing a certificate for Safari and Chrome in MacOSX

Open the folder with the DER certificate you have just downloaded and double-click the file.
The Keychain program will be launched. Select "Always trust this certificate".
Enter the password to confirm the operation.
The certificate is now installed.

Installing a certificate for Firefox

Installation of a certificate for Firefox is similar on all operating systems. The steps below describe the installation process on Windows.

Go to Firefox settings (Tools → Options).
Select Advanced and then open the Certificates tab. Click View certificates.
Then click Import and browse to the DER certificate that you have downloaded.
Enable the Trust this CA to identify web sites checkbox and click OK.
The installation is complete.
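A certificate installed through any of the procedures above becomes a trusted root, so the downloaded file should be confirmed as the intended CA certificate first. The script below is an added example, not part of the UserGate guide: it computes the SHA-256 fingerprint of a DER or PEM certificate file and compares it with a value obtained over a separate channel. The function names and the out-of-band fingerprint are assumptions of this example, and it expects the sha256sum and base64 utilities of a Linux system.

```shell
#!/bin/sh
# Added example (not from the UserGate guide): compare a downloaded CA
# certificate with a SHA-256 fingerprint obtained over a separate channel
# before it is imported as a trusted root.

# cert_sha256 FILE: print the SHA-256 fingerprint of the certificate's DER
# encoding as lowercase hex. PEM input is decoded first, because hashing the
# PEM text gives a different value from the fingerprint that certificate
# viewers display. A PEM file is assumed to hold a single certificate.
cert_sha256() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        sed -e '/^-----/d' "$1" | tr -d '\r' | base64 -d | sha256sum | cut -d' ' -f1
    else
        # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
        [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ] || return 2
        sha256sum < "$1" | cut -d' ' -f1
    fi
}

# fingerprint_matches FILE EXPECTED: EXPECTED may be written with colons or
# spaces and in either case, since certificate viewers differ.
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ': \n' | tr 'A-F' 'a-f')
    if [ "${#want}" -ne 64 ]; then
        echo "expected value is not a SHA-256 fingerprint"; return 2
    fi
    got=$(cert_sha256 "$1") || { echo "$1 is not a DER or PEM certificate"; return 2; }
    if [ "$got" = "$want" ]; then
        echo "MATCH $got"
    else
        echo "MISMATCH: file has $got"; return 1
    fi
}

# Usage: sh this_script.sh downloaded_ca.der 'AB:CD:...'
if [ $# -eq 2 ]; then
    fingerprint_matches "$1" "$2"
fi
```

Import the certificate only when the script reports MATCH.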


More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

Sophos Virtual Appliance. setup guide

Sophos Virtual  Appliance. setup guide Sophos Virtual Email Appliance setup guide Contents Installing a virtual appliance...1 Prerequisites...3 Enabling Port Access...4 Downloading Virtual Appliance Files... 7 Determining Disk Space and Memory

More information

Proofpoint Threat Response

Proofpoint Threat Response Proofpoint Threat Response Threat Response Auto Pull (TRAP) - Installation Guide Proofpoint, Inc. 892 Ross Drive Sunnyvale, CA 94089 United States Tel +1 408 517 4710 www.proofpoint.com Copyright Notice

More information

DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0

DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0 DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help, please contact Hangzhou

More information

Exam : Implementing Microsoft Azure Infrastructure Solutions

Exam : Implementing Microsoft Azure Infrastructure Solutions Exam 70-533: Implementing Microsoft Azure Infrastructure Solutions Objective Domain Note: This document shows tracked changes that are effective as of January 18, 2018. Design and Implement Azure App Service

More information

Unified Threat Management

Unified Threat Management Unified Threat Management QUICK START GUIDE CR15iNG Appliance Document Version: PL QSG 15iNG/96000-10.04.5.0.007/250121014 USB DEFAULTS Default IP addresses Ethernet Port IP Address Zone A 172.16.16.16/255.255.255.0

More information

STRM Log Manager Administration Guide

STRM Log Manager Administration Guide Security Threat Response Manager STRM Log Manager Administration Guide Release 2010.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2011-10-10

More information

Workspace ONE UEM Notification Service 2. VMware Workspace ONE UEM 1811

Workspace ONE UEM  Notification Service 2. VMware Workspace ONE UEM 1811 Workspace ONE UEM Email Notification Service 2 VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices:

System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices: The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices: Introduction to, page 2 Appliance Information, page 5 Custom HTTPS Certificates,

More information

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1. Horizon Cloud with On-Premises Infrastructure Administration Guide VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.3 Horizon Cloud with On-Premises Infrastructure Administration

More information

Table of Contents 1 V3 & V4 Appliance Quick Start V4 Appliance Reference...3

Table of Contents 1 V3 & V4 Appliance Quick Start V4 Appliance Reference...3 Table of Contents 1 V & V4 Appliance Quick Start...1 1.1 Quick Start...1 1.2 Accessing Appliance Menus...1 1. Updating Appliance...1 1.4 Webmin...1 1.5 Setting Hostname IP Address...2 1.6 Starting and

More information

Privileged Remote Access Failover Configuration

Privileged Remote Access Failover Configuration Privileged Remote Access Failover Configuration 2003-2018 BeyondTrust, Inc. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust, Inc. Other trademarks are the property of

More information

CounterACT 7.0. Quick Installation Guide for a Single Virtual CounterACT Appliance

CounterACT 7.0. Quick Installation Guide for a Single Virtual CounterACT Appliance CounterACT 7.0 Quick Installation Guide for a Single Virtual CounterACT Appliance Table of Contents Welcome to CounterACT Version 7.0... 3 Overview... 4 1. Create a Deployment Plan... 5 Decide Where to

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Cisco TelePresence VCS Cluster Creation and Maintenance

Cisco TelePresence VCS Cluster Creation and Maintenance Cisco TelePresence VCS Cluster Creation and Maintenance Deployment Guide Cisco VCS X8.5 Cisco TMS 13.2 or later December 2014 Contents Introduction 4 Prerequisites 5 Upgrading an X7.1 or later cluster

More information

SRX als NGFW. Michel Tepper Consultant

SRX als NGFW. Michel Tepper Consultant SRX als NGFW Michel Tepper Consultant Firewall Security Challenges Organizations are looking for ways to protect their assets amidst today s ever-increasing threat landscape. The latest generation of web-based

More information

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies C 2001-2004 Kerio Technologies. All Rights Reserved. Printing Date: April 25, 2004 This guide provides detailed description on configuration of the local network

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.4 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 5 New features on page 5

More information

Guest Access User Interface Reference

Guest Access User Interface Reference Guest Portal Settings, page 1 Sponsor Portal Application Settings, page 17 Global Settings, page 24 Guest Portal Settings Portal Identification Settings The navigation path for these settings is Work Centers

More information

IBM Single Sign On for Bluemix Version December Identity Bridge Configuration topics

IBM Single Sign On for Bluemix Version December Identity Bridge Configuration topics IBM Single Sign On for Bluemix Version 2.0 28 December 2014 Identity Bridge Configuration topics IBM Single Sign On for Bluemix Version 2.0 28 December 2014 Identity Bridge Configuration topics ii IBM

More information

SOLUTION MANAGEMENT GROUP

SOLUTION MANAGEMENT GROUP InterScan Messaging Security Virtual Appliance 8.0 Reviewer s Guide February 2011 Trend Micro, Inc. 10101 N. De Anza Blvd. Cupertino, CA 95014 T 800.228.5651 / 408.257.1500 F 408.257.2003 www.trendmicro.com

More information

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Linux VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide SonicWALL Security Appliances SonicWALL SSL-VPN 200 Getting Started Guide SonicWALL SSL-VPN 200 Appliance Getting Started Guide This Getting Started Guide contains installation procedures and configuration

More information

Remote Support Appliance Interface (/appliance)

Remote Support Appliance Interface (/appliance) Remote Support Appliance Interface (/appliance) 2003-2018 BeyondTrust, Inc. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust, Inc. Other trademarks are the property of

More information

Release Notes. Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 1 Known Issues... 2 Resolved Issues...

Release Notes. Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 1 Known Issues... 2 Resolved Issues... SonicOS SonicOS Contents Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 1 Known Issues... 2 Resolved Issues... 6 Release Purpose SonicOS 6.1.1.4 is a maintenance

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860/1660/2560/2560G) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content

More information