Review of the UserGate proxy server - a comprehensive solution for providing shared Internet access


UserGate Proxy & Firewall is a comprehensive solution for organizing shared Internet access from a local network, accounting for traffic and protecting the corporate network from external threats. UserGate is a cost-effective alternative to expensive hardware and software appliances and is intended for small and medium-sized businesses.


Information Security

UserGate uses a comprehensive approach to local network security and modern methods of combating Internet threats, such as viruses, malware and hacker attacks.

Information security functions include:

  • Virus protection
  • Firewall
  • Advanced NAT Driver
  • Support for VPN connections

Virus protection

To check traffic for malware thoroughly, UserGate includes two anti-virus modules, Kaspersky Anti-Virus and Panda Antivirus, so traffic over HTTP, FTP, SMTP and POP3 can be scanned by two engines at once.

It is worth noting that the second largest source of virus infections, after online threats, is removable storage media. With its built-in anti-virus modules in use, UserGate eliminates threats coming from the main source, network traffic, so there is no need to buy a separate, expensive server-side antivirus for the gateway. For maximum protection of the local network, however, a third-party antivirus should still scan the file system on workstations, since gateway scanning never sees files that arrive on removable media.

Two "antivirus" partners of Entensys


Network administration

Using UserGate, you can perform some routine operations, which makes network administration easier. For example, the built-in DHCP server automates the process of issuing IP addresses to computers and other devices on the local network. If a computer with UserGate is connected to several local networks, the UserGate server can be configured as a router, providing transparent, bidirectional communication between local networks. Publishing resources allows you to provide access to internal company resources, such as the Web, FTP, VPN, or mail server. And finally, remote administration makes it possible to connect remotely via a local network or the Internet from any computer on which the UserGate Administration Console is installed.

  • DHCP server
  • Routing
  • Publishing resources
  • Remote administration

DHCP server

The DHCP service allows you to automate the process of issuing network settings to clients on the local network. The DHCP server can be started in the settings of the UserGate Administration Console, specifying which of the current network interfaces it will work on. Whenever a device joins or leaves the network, the DHCP server assigns a new or releases a previously assigned IP address accordingly.

When configuring DHCP, you must, at a minimum, specify a range (pool) of IP addresses, a network mask, and a lease time. The DHCP server will issue new addresses from a pool of IP addresses, but the administrator has the ability to create exceptions or reserve specific IP addresses. In addition, in the settings you can specify the default gateway, DNS and WINS server and domain, and also enable automatic proxy configuration.

If the DHCP server is active and issuing IP addresses, then the corresponding MAC addresses and lease time are displayed in the list at the bottom of the UserGate Administration Console. At the same time, the administrator has the ability to manually release any of the IP addresses issued by the DHCP server.
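The lease handling described above (a pool with excluded and reserved addresses, a lease time after which an address is freed, and manual release from the console) is easy to get wrong, so here is an added example that models it. This is not UserGate code; the address range, MAC addresses and lease time are made up for the illustration.

```python
"""Toy model of DHCP lease handling: pool, exclusions, MAC reservations,
lease expiry and manual release. Added example, not UserGate code."""
from ipaddress import IPv4Address


class DhcpPool:
    def __init__(self, first, last, lease_seconds, reservations=None, exclusions=()):
        self.first, self.last = IPv4Address(first), IPv4Address(last)
        self.lease_seconds = lease_seconds
        # MAC -> fixed address; reserved addresses are never handed out dynamically
        self.reservations = {m.lower(): IPv4Address(ip)
                             for m, ip in (reservations or {}).items()}
        self.excluded = {IPv4Address(ip) for ip in exclusions} | set(self.reservations.values())
        self.leases = {}  # IPv4Address -> (mac, expiry timestamp)

    def _expire(self, now):
        """Drop leases whose lease time has run out (the server 'releases' them)."""
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]

    def lease(self, mac, now):
        """Hand out or renew an address for mac; None when the pool is exhausted."""
        mac = mac.lower()
        self._expire(now)
        expiry = now + self.lease_seconds
        if mac in self.reservations:                 # reserved address always wins
            ip = self.reservations[mac]
            self.leases[ip] = (mac, expiry)
            return str(ip)
        for ip, (m, _) in self.leases.items():       # renewal keeps the same address
            if m == mac:
                self.leases[ip] = (mac, expiry)
                return str(ip)
        ip = self.first                              # otherwise first free pool address
        while ip <= self.last:
            if ip not in self.leases and ip not in self.excluded:
                self.leases[ip] = (mac, expiry)
                return str(ip)
            ip += 1
        return None

    def release(self, ip):
        """Manual release, as from the console; True if a lease was dropped."""
        return self.leases.pop(IPv4Address(ip), None) is not None

    def active(self):
        """Current leases, the list the console shows at the bottom."""
        return {str(ip): mac for ip, (mac, _) in self.leases.items()}


if __name__ == "__main__":
    # Constructed sample: three-address pool, one excluded, one reserved
    pool = DhcpPool("192.168.10.100", "192.168.10.102", 600,
                    reservations={"AA:BB:CC:00:00:01": "192.168.10.102"},
                    exclusions=["192.168.10.101"])
    print(pool.lease("aa:bb:cc:00:00:01", 0), pool.lease("aa:bb:cc:00:00:02", 0))
    print(pool.lease("aa:bb:cc:00:00:03", 0))   # pool exhausted
    print(pool.active())
```

The point the model makes visible is that a reservation removes an address from the dynamic pool for everyone else, and that an exhausted pool is silent failure for the next client until a lease expires or is released by hand.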

Routing

If a computer with UserGate is connected to several local networks, the UserGate server can be configured as a router, providing transparent, bidirectional communication between local networks. Any pair of local network interfaces can be combined by a routing rule, which can be created in the Firewall module. The rule type is determined automatically when you select the source and destination interfaces.

In addition, you can select the protocols and services allowed by this rule (such as HTTP, FTP). When the rule is active, user authorization for routing is not required, and incoming and outgoing packets will not be included in the overall statistics.

Publishing resources

Using the firewall in UserGate, you can provide access to internal company resources, for example a web, FTP, VPN or mail server. This is done by creating a rule in the Firewall module. When you create a rule and specify a WAN adapter as its destination, UserGate automatically assigns the publishing rule type to it. In the rule settings you specify the protocol or service (HTTP, FTP, POP3, etc.), the source IP address or range, and finally the IP address and port of the computer on the local network to which requests meeting those conditions are redirected. Keep the source range as narrow as the service allows: a publishing rule is a hole opened from the Internet into the local network.

Resource publishing is used not only to access the Web, FTP, VPN or mail server, but also to operate some Internet applications, such as bank-client, peer-to-peer networks, IP telephony, etc. Using UserGate, you can configure external access to any application on the local network.

Remote administration

You can connect to the UserGate server via a local network or remotely via the Internet from anywhere in the world. To do this, just install the UserGate Administration Console on your computer and specify the IP address and port of the UserGate server in the connection settings.

The ability to remotely administer a UserGate server is especially useful when it is necessary to administer several UserGate servers in different locations (for example, several Internet cafes). At the same time, administration is carried out from the same console - all available servers are displayed in the “Connections” list, and you can remotely connect to any of them.


Good day, dear visitor. The year 2013 is behind us; for some it was difficult, for others easy, but time flies, and if you consider that one nanosecond is 10^-9 s, then it simply races by. In this article I will tell you about a new product from Entensys, whose partner we are in three areas: UserGate Proxy & Firewall 6.2.1.

From an administration standpoint, version 6.2 hardly differs from UserGate Proxy & Firewall 5.2F, which we routinely deploy in our IT outsourcing practice. For the lab we use Hyper-V, namely two Generation 1 virtual machines: the server side on Windows Server 2008 R2 SP1 and the client side on Windows 7 SP1. For a reason unknown to me, UserGate version 6 does not install on Windows Server 2012 or Windows Server 2012 R2.

So, what is a proxy server?

A proxy server (from the English “proxy”, meaning representative or authorized agent) is a service (set of programs) in computer networks that allows clients to make indirect requests to other network services. First, the client connects to the proxy server and requests a resource (for example, e-mail) located on another server. The proxy server then either connects to the specified server and obtains the resource from it, or returns the resource from its own cache (when the proxy has one). In some cases the client request or the server response may be modified by the proxy server for certain purposes. A proxy server can also protect the client’s computer from some network attacks and help keep the client anonymous.

What is UserGate Proxy & Firewall?

UserGate Proxy & Firewall is a comprehensive solution for connecting users to the Internet, providing full traffic accounting, access control and built-in network protection.

From the definition, let's look at what solutions Entensys provides in its product, how traffic is calculated, how access is limited, and what protection tools UserGate Proxy & Firewall provides.

What does UserGate consist of?

UserGate consists of several parts: a server, an administration console and several additional modules. The server is the main part of the proxy server, in which all its functionality is implemented. The UserGate server provides access to the Internet, counts traffic, keeps statistics of user activity on the network, and performs many other tasks.

UserGate Administration Console is a program designed to manage the UserGate server. The UserGate administration console communicates with the server part via a special secure protocol over TCP/IP, which allows you to perform remote server administration.

UserGate includes three additional modules: “Web Statistics”, “UserGate Authorization Client” and the “Application Control” module.

Server

Installing the UserGate server side is very simple; the only decision to make during installation is the choice of database. The database is accessed either directly (the built-in Firebird database) or through an ODBC driver, which lets the UserGate server work with databases of almost any format (MS Access, MS SQL, MySQL). Firebird is used by default. If you are upgrading UserGate from a previous version, be prepared to lose the statistics database: only the current user balances are carried over from the statistics file, the traffic statistics themselves are not. The database change was driven by the performance problems and size limits of the old format; the new Firebird database has neither shortcoming.

Launching the administration console.

The console is installed on the server VM. When first launched, the administration console opens on the Connections page, which contains a single connection to the localhost server for the Administrator user. No connection password is set. You can connect the administration console to the server by double-clicking the localhost-administrator line or by clicking the connect button on the toolbar. Multiple connections can be created in the UserGate administration console. Since this default connection has no password, and the console can later be pointed at the server over the network (port 2345 by default), set a password for the Administrator connection before the server is reachable from anything other than the local host.

The connection settings specify the following parameters:

  • The server name is the name of the connection;
  • Username – login to connect to the server;
  • Server address – domain name or IP address of the UserGate server;
  • Port – TCP port used to connect to the server (by default, port 2345 is used);
  • Password – password for connection;
  • Ask for password when connecting – this option allows you to display a dialog for entering your username and password when connecting to the server;
  • Automatically connect to this server – the administration console will connect to this server automatically when launched.

When the server is started for the first time, the system offers a setup wizard, which we decline. Administration console settings are stored in the console.xml file in the %UserGate%\Administrator directory.

Setting up connections behind NAT. The “General NAT settings” item sets the timeout for NAT connections over TCP, UDP and ICMP. The timeout determines how long a user's NAT connection is kept after data transfer over it has finished. We leave this setting at its default.

Attack detector is a special option that allows you to enable the internal mechanism to monitor and block the port scanner or attempts to occupy all server ports.

Block by browser line – a list of browser User-Agent strings that the proxy server will block. That is, you can, for example, prevent outdated browsers such as IE 6.0 or Firefox 3.x from accessing the Internet. Because the User-Agent string is supplied by the client, this is a hygiene measure rather than a security control: any user can change it.

Interfaces

The Interfaces section is the main one in the UserGate server settings, since it determines such things as correct traffic accounting, the ability to create firewall rules, bandwidth limits for particular kinds of traffic, the relationships between networks and the order in which packets are processed by the NAT driver. On the “Interfaces” tab, select the appropriate type for each interface: WAN for the adapter connected to the Internet, LAN for the adapter connected to the local network. Internet access for the VM is shared, so the interface with the address 192.168.137.118 will be the WAN adapter; select that type and click “Apply”. Then we reboot the server.

Users and groups

Access to the Internet is provided only to users who have successfully completed authorization on the UserGate server. The program supports the following user authorization methods:

  • By IP address
  • By IP address range
  • By IP+MAC address
  • By MAC address
  • Authorization using HTTP (HTTP-basic, NTLM)
  • Authorization via login and password (Authorization Client)
  • Simplified authorization option via Active Directory

To use the last three authorization methods, you must install a special application on the user's workstation - the UserGate authorization client. The corresponding MSI package (AuthClientInstall.msi) is located in the %UserGate%\tools directory and can be used for automatic installation using Group Policy in Active Directory.

For terminal users, only the “Authorization via HTTP” option is provided. The corresponding option is enabled in the General settings item in the administration console.

You can create a new user through the item Add a new user or by clicking the button Add in the control panel on the page Users and groups.

There is another way to add users: scanning the network with ARP requests. Click an empty area on the Users page of the admin console and select “Scan local network”. Then set the local network parameters and wait for the scan to finish. The result is a list of hosts that can be added to UserGate as users. Let's check: click “Scan local network”

Set the parameters:

Works!

Adding a user

It is worth recalling that UserGate applies authorization methods in a fixed priority: physical (IP/MAC) first, then logical (login-based). Binding a user to an IP address alone is not reliable, because the user can change the address. What suits us is importing Active Directory accounts, which is done by clicking “Import”, then “Select”, choosing the account name, then “OK”, “OK”.

Select “Group”, leave the default “default”

Click “Ok” and save the changes.

Our user was added without any problems. It is also possible to synchronize AD groups on the “Groups” tab.

Setting up proxy services in UserGate

The following proxy servers are integrated into the UserGate server: HTTP (with support for the “FTP over HTTP” and HTTPS mode - Connect method), FTP, SOCKS4, SOCKS5, POP3 and SMTP, SIP and H323. Proxy server settings are available in the Services → Proxy settings section in the administration console. The main settings of the proxy server include: the interface and the port number on which the proxy operates. So, for example, let's enable a transparent HTTP proxy on our LAN interface. Let’s go to “Proxy Settings” and select HTTP.

Let's select our interface, leave everything as default and click "OK"

Using transparent mode

The “Transparent Mode” function in the proxy server settings is available if the UserGate server is installed along with the NAT driver. In transparent mode, the NAT UserGate driver listens to standard ports for services: 80 TCP for HTTP, 21 TCP for FTP, 110 and 25 TCP for POP3 and SMTP on the network interfaces of the computer with UserGate. If there are requests, it transfers them to the appropriate UserGate proxy server. When using transparent mode in network applications, users do not need to specify the address and port of the proxy server, which significantly reduces the administrator's work in terms of providing local network access to the Internet. However, in the network settings of workstations, the UserGate server must be specified as a gateway, and the DNS server address must be specified.

Mail proxies in UserGate

Mail proxy servers in UserGate are designed to work with the POP3 and SMTP protocols and for anti-virus scanning of mail traffic. When using the transparent operating mode of POP3 and SMTP proxy, the settings of the mail client on the user's workstation do not differ from the settings corresponding to the option with direct access to the Internet.

If the UserGate POP3 proxy is used in opaque mode, then in the settings of the mail client on the user's workstation, the IP address of the computer with UserGate and the port corresponding to the UserGate POP3 proxy must be specified as the POP3 server address. In addition, the login for authorization on the remote POP3 server is specified in the following format: email_address@POP3_server_address. For example, if the user has a mailbox [email protected], then as the Login for the UserGate POP3 proxy in the mail client you will need to specify: [email protected]@pop.mail123.com. This format is necessary so that the UserGate server can determine the address of the remote POP3 server.

If the UserGate SMTP proxy is used in non-transparent mode, then in the proxy settings you need to specify the IP address and port of the SMTP server that UserGate will use to send letters. In this case, in the settings of the mail client on the user's workstation, the IP address of the UserGate server and the port corresponding to the UserGate SMTP proxy must be specified as the SMTP server address. If authorization is required for sending, then in the mail client settings you need to specify the login and password corresponding to the SMTP server, which is specified in the SMTP proxy settings in UserGate.
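Both the transparent HTTP mode described above and the non-transparent POP3 login format come down to the same question: how does the proxy learn where the client actually wants to go? The added example below (not UserGate code; the requests and logins are constructed) shows the two answers. An explicit HTTP proxy is given an absolute URI in the request line; a transparent proxy only sees an origin-form request and must fall back on the Host header, which is why a client that does not send Host cannot be served transparently. The POP3 proxy gets the destination from the login suffix, and because the mailbox itself contains an “@”, the split has to happen at the last one.

```python
"""How a proxy determines the upstream target in explicit vs transparent HTTP
mode and from the POP3 login suffix. Added example, not UserGate code."""
from urllib.parse import urlsplit


def http_target(request_bytes: bytes, transparent: bool):
    """Return (host, port, path) for the request; path is None for CONNECT."""
    head, _, _ = request_bytes.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method.upper() == "CONNECT":        # HTTPS tunnel: target is host:port
        host, _, port = target.rpartition(":")
        return host, int(port), None

    if target.startswith("/"):             # origin-form: client thinks it talks to the server
        if not transparent or "host" not in headers:
            raise ValueError("origin-form request needs transparent mode and a Host header")
        host, _, port = headers["host"].partition(":")
        return host, int(port or 80), target

    parts = urlsplit(target)               # absolute-form, as sent to an explicit proxy
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("unsupported request target: " + target)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return parts.hostname, parts.port or 80, path


def pop3_target(login: str):
    """Split the mailbox@POP3_server login of the non-transparent POP3 proxy.
    The mailbox contains '@' itself, so the server is everything after the LAST '@'."""
    mailbox, sep, server = login.rpartition("@")
    if not sep or "@" not in mailbox or not server:
        raise ValueError("login must be mailbox@pop3-server")
    return mailbox, server


if __name__ == "__main__":
    # Constructed sample requests
    print(http_target(b"GET http://example.com/a?b=1 HTTP/1.1\r\nHost: example.com\r\n\r\n", False))
    print(http_target(b"GET /index.html HTTP/1.1\r\nHost: intranet.example:8080\r\n\r\n", True))
    print(http_target(b"CONNECT mail.example.com:443 HTTP/1.1\r\n\r\n", False))
    print(pop3_target("user@example.com@pop.mail.ru"))
```

Note that in the CONNECT case the proxy only learns a host and port and then relays opaque bytes, so nothing inside the TLS session is available for the anti-virus modules to scan.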

Well, that sounds cool, let's check it out using mail.ru.

First, let's enable the POP3 and SMTP proxies on our server. When enabling POP3, we specify the LAN interface and the standard port 110.

And also make sure that there is no checkmark for “Transparent proxy” and click “Ok” and “Apply”

Uncheck “Transparent mode” and write “Remote server settings”, in our case smtp.mail.ru. Why is only one server indicated? And here is the answer: it is assumed that the organization uses a single smtp server, and it is this server that is indicated in the SMTP proxy settings.

The first rule for POP3 should look like this.

Second, as Alexander Nevsky would say “Like this”

Don’t forget about the “Apply” button and move on to setting up the client. As we remember, “If the UserGate POP3 proxy is used in opaque mode, then in the settings of the mail client on the user’s workstation, the IP address of the computer with UserGate and the port corresponding to the UserGate POP3 proxy must be specified as the POP3 server address. In addition, the login for authorization on the remote POP3 server is specified in the following format: email_address@POP3_server_address." Let's act.

First, log in to the authorization client, then open regular Outlook; in our example, I created a test mailbox [email protected], and configure it by specifying our mailbox in a format understandable for UserGate [email protected]@pop.mail.ru, as well as POP and SMTP servers, our proxy address.

Click “Account Verification...”

Port assignment

UserGate supports the Port Forwarding function. If there are port assignment rules, the UserGate server redirects user requests arriving on a specific port of a given network interface of a computer with UserGate to another specified address and port, for example, to another computer on the local network. The Port Forwarding function is available for TCP and UDP protocols.

If port assignment is used to provide access from the Internet to an internal company resource, you must select Specified user as the Authorization parameter, otherwise port forwarding will not work. Don't forget to enable Remote Desktop.
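The publishing rules described earlier and the port assignment rules described here are the same mechanism: a request arriving on a given interface, protocol and port is redirected to an internal address and port, optionally only from permitted sources. The added example below (not UserGate code; rule names, addresses and ports are constructed) models a first-match rule table and adds the check a practitioner wants before exposing anything: which rules publish a sensitive port to the whole Internet. Port 2345 is the administration console port named in this article; treating 3389 (Remote Desktop) as sensitive is an assumption for the illustration.

```python
"""First-match publishing / port-forwarding rule table with an exposure check.
Added example, not UserGate code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports that should not be published to every source address.
# 2345: UserGate administration console (from the text); 3389: RDP (assumption).
SENSITIVE_PORTS = {2345, 3389}


@dataclass(frozen=True)
class PublishRule:
    name: str
    interface: str      # interface the request arrives on, e.g. "WAN"
    proto: str          # "tcp" or "udp"
    port: int           # externally exposed port
    allowed_from: str   # source network permitted to use the rule (CIDR)
    target: str         # internal host the request is redirected to
    target_port: int


@dataclass(frozen=True)
class Packet:
    interface: str
    proto: str
    src: str
    dst_port: int


def forward_decision(rules, pkt):
    """(target, target_port) of the first rule matching pkt, or None (not forwarded)."""
    src = ip_address(pkt.src)
    for r in rules:
        if (r.interface == pkt.interface
                and r.proto == pkt.proto.lower()
                and r.port == pkt.dst_port
                and src in ip_network(r.allowed_from)):
            return (r.target, r.target_port)
    return None


def overexposed(rules):
    """Names of rules that publish a sensitive port to any source (prefix length 0)."""
    return [r.name for r in rules
            if r.port in SENSITIVE_PORTS and ip_network(r.allowed_from).prefixlen == 0]


# Constructed rule set: a public web server and RDP limited to one office range
RULES = [
    PublishRule("web", "WAN", "tcp", 80, "0.0.0.0/0", "192.168.1.10", 80),
    PublishRule("rdp-office", "WAN", "tcp", 3389, "203.0.113.0/24", "192.168.1.20", 3389),
]

if __name__ == "__main__":
    for pkt in (Packet("WAN", "tcp", "198.51.100.7", 80),
                Packet("WAN", "tcp", "198.51.100.7", 3389),
                Packet("WAN", "tcp", "203.0.113.5", 3389)):
        print(pkt.src, pkt.dst_port, "->", forward_decision(RULES, pkt))
    print("overexposed:", overexposed(RULES))
```

Run `overexposed()` over the real rule list whenever a rule is added; a Remote Desktop or console port published from 0.0.0.0/0 is exactly the kind of rule that gets created "temporarily" and forgotten.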

Cache setup

One of the purposes of a proxy server is to cache network resources. Caching reduces the load on your Internet connection and speeds up access to frequently visited resources. The UserGate proxy server caches HTTP and FTP traffic. Cached documents are placed in the local %UserGate_data%\Cache folder. The cache settings indicate the maximum cache size and the storage time for cached documents.

Anti-virus scan

Three antivirus modules are integrated into the UserGate server: Kaspersky Lab antivirus, Panda Security and Avira. All anti-virus modules are designed to scan incoming traffic through HTTP, FTP and UserGate mail proxy servers, as well as outgoing traffic through SMTP proxies.

Anti-virus module settings are available in the Services → Anti-virus section of the administration console. For each antivirus, you can specify which protocols it should scan, set the frequency of updating anti-virus databases, and also specify URLs that do not need to be scanned (URL Filter option). Additionally, in the settings you can specify a group of users whose traffic does not need to be subjected to anti-virus scanning.

Before turning on the antivirus, you must first update its database.

After the above functions, let’s move on to the frequently used ones, these are “Traffic Management” and “Application Control”.

Traffic control rules system

The UserGate server provides the ability to control user access to the Internet using traffic management rules. Traffic control rules are designed to prohibit access to certain network resources, to set restrictions on traffic consumption, to create a schedule for users on the Internet, and also to monitor the status of user accounts.

In our example, we will block requests from a user that contain a reference to vk.com. To do this, go to “Traffic Management – Rules”

Give the rule a name and the action “Close connection”

After adding the site, move on to the next parameter: selecting a group or user. The rule can be assigned either to a user or to a group; in our case, to the user “User”.
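The rule just created matches on the text of the request, not only on the host name, which is why (as the test later in this article shows) a Google search for vk.com is stopped as well as a direct visit. The added example below (not UserGate code; user, group and URLs are constructed) evaluates both variants of such a rule so the difference is visible before it surprises anyone.

```python
"""Traffic rule evaluation: 'close connection' when a pattern appears in the
request, assigned to a user or a group. Added example, not UserGate code."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class TrafficRule:
    name: str
    patterns: list                   # strings to look for, e.g. ["vk.com"]
    action: str                      # "close" (close connection) or "allow"
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    host_only: bool = False          # True: match the host name only; False: whole URL

    def applies_to(self, user, group):
        return user in self.users or group in self.groups

    def matches(self, url):
        if self.host_only:
            haystack = (urlsplit(url).hostname or "").lower()
        else:
            haystack = url.lower()   # request line as a whole, query string included
        return any(p.lower() in haystack for p in self.patterns)


def decide(rules, user, group, url):
    """First rule that applies to the user/group and matches the URL wins;
    with no match the request is allowed."""
    for r in rules:
        if r.applies_to(user, group) and r.matches(url):
            return r.action
    return "allow"


# The rule from the article: user "User", pattern vk.com, action close connection
VK_RULE = TrafficRule("block vk", ["vk.com"], "close", users={"User"})

if __name__ == "__main__":
    for url in ("http://vk.com/feed", "https://www.google.com/search?q=vk.com"):
        print(url, "->", decide([VK_RULE], "User", "default", url))
```

Whole-URL matching is the stricter policy (it also catches redirect parameters and search queries), host-only matching is the one with fewer complaints; choose deliberately, and remember that for HTTPS the proxy only sees the host name from the CONNECT request, so a whole-URL pattern degrades to host matching there anyway.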

Application Control

The Internet access control policy received a logical continuation in the form of the Application Firewall module. The UserGate administrator can allow or deny access to the Internet not only for users, but also for network applications on the user's workstation. To do this, you need to install a special application App.FirewallService on user workstations. Installation of the package is possible both through the executable file and through the corresponding MSI package (AuthFwInstall.msi), located in the %Usergate%\tools directory.

Let's go to the “Application Control – Rules” module and create a denying rule, for example to block Internet Explorer from accessing the Internet. Click “Add group”, give it a name and create a rule in the group.

We select our created rule group, we can check the “Default Rule” checkbox, in this case the rules will be added to the “Default_Rules” group

Applying a rule to a user in user properties

Now we install Auth.Client and App.Firewall on the client station; after installation, IE should be blocked by the rules created earlier.

As we can see, the rule worked, now let’s disable the rules for the user to see how the rule works for the site vk.com. After disabling the rule on the usergate server, you need to wait 10 minutes (synchronization time with the server). Let's try to access the direct link

We try through the search engine google.com

As you can see, the rules work without any problems.

So, this article covers only a small part of the functions: the possible firewall settings, routing rules and NAT rules were left out. UserGate Proxy & Firewall offers a wide range of capabilities, and then some. The product performed very well and, most importantly, was easy to set up. We will continue to use it when servicing clients’ IT infrastructures to solve typical problems!

Organizing shared Internet access for local network users is one of the most common tasks that system administrators have to face. Nevertheless, it still raises many difficulties and questions. For example, how to ensure maximum security and complete controllability?

Introduction

Today we will look in detail at how to organize shared access to the Internet among employees of a certain hypothetical company. Let’s assume that their number will be in the range of 50–100 people, and all the usual services for such information systems are deployed on the local network: Windows domain, own mail server, FTP server.

To provide shared access, we will use a solution called UserGate Proxy & Firewall. It has several features. Firstly, this is a purely Russian development, unlike many localized products. Secondly, it has more than ten years of history. But the most important thing is the constant development of the product.

The first versions of this solution were relatively simple proxy servers that could only share a single Internet connection and keep statistics on its usage. The most widespread among them is build 2.8, which can still be found in small offices. The latest, sixth version is no longer called a proxy server by the developers themselves. According to them, this is a full-fledged UTM solution that covers a whole range of tasks related to security and control of user actions. Let's see if this is true.

Deploying UserGate Proxy & Firewall

During the installation, two steps are of interest (the remaining steps are standard for installing any software). The first of these is the selection of components. In addition to the basic files, we are asked to install four more server components - a VPN, two antiviruses (Panda and Kaspersky Anti-Virus) and a cache browser.

The VPN server module is installed as needed, that is, when the company plans to use remote access for employees or to combine several remote networks. It makes sense to install antiviruses only if the appropriate licenses have been purchased from the company. Their presence will allow you to scan Internet traffic, localize and block malware directly at the gateway. The cache browser will allow you to view web pages cached by the proxy server.

Additional functions

Banning unwanted sites

The solution supports Entensys URL Filtering technology. Essentially, it is a cloud-based database containing more than 500 million websites in different languages, divided into more than 70 categories. Its main difference is constant monitoring, during which web projects are constantly monitored and when the content changes, they are transferred to another category. This allows you to block all unwanted sites with a high degree of accuracy, simply by selecting certain categories.

The use of Entensys URL Filtering increases the safety of working on the Internet, and also helps to increase the efficiency of employees (by prohibiting social networks, entertainment sites, etc.). However, its use requires a paid subscription, which must be renewed every year.

In addition, the distribution includes two more components. The first one is the “Administrator Console”. This is a separate application designed, as the name suggests, to manage the UserGate Proxy & Firewall server. Its main feature is the ability to connect remotely. Thus, administrators or those responsible for Internet use do not need direct access to the Internet gateway.

The second additional component is web statistics. In essence, it is a web server that allows you to display detailed statistics on the use of the global network by company employees. On the one hand, this is, without a doubt, a useful and convenient component. After all, it allows you to receive data without installing additional software, including via the Internet. But on the other hand, it takes up unnecessary system resources of the Internet gateway. Therefore, it is better to install it only when it is really needed.

The second stage that you should pay attention to during the installation of UserGate Proxy & Firewall is choosing a database. In previous versions, UGPF could only function with MDB files, which affected overall system performance. Now there is a choice between two DBMSs - Firebird and MySQL. Moreover, the first one is included in the distribution kit, so when selecting it, no additional manipulations are required. If you want to use MySQL, you must first install and configure it. After the installation of server components is completed, it is necessary to prepare workstations for administrators and other responsible employees who can manage user access. It's very easy to do. It is enough to install the administration console from the same distribution on their work computers.

Additional functions

Built-in VPN server

Version 6.0 introduced the VPN server component. With its help, you can organize secure remote access for company employees to the local network or combine remote networks of individual branches of the organization into a single information space. This VPN server has all the necessary functionality to create server-to-server and client-to-server tunnels and routing between subnets.


Basic setup

All configuration of UserGate Proxy & Firewall is carried out using the management console. By default, after installation, a connection to the local server is already created. However, if you use it remotely, you will have to create the connection manually by specifying the IP address or host name of the Internet gateway, network port (default 2345) and authorization parameters.

After connecting to the server, you first need to configure the network interfaces. This can be done on the “Interfaces” tab of the “UserGate Server” section. The network card that “looks” into the local network is set to LAN type, and all other connections are set to WAN. “Temporary” connections, such as PPPoE, VPN, are automatically assigned the PPP type.

If a company has two or more connections to the global network, with one of them being the main one and the rest being backup ones, then automatic backup can be configured. This is quite easy to do. It is enough to add the necessary interfaces to the list of reserve ones, specify one or more control resources and the time for checking them. The operating principle of this system is as follows. UserGate automatically checks the availability of control sites at a specified interval. As soon as they stop responding, the product independently, without administrator intervention, switches to the backup channel. At the same time, checking the availability of control resources via the main interface continues. And as soon as it is successful, the switchback is automatically performed. The only thing you need to pay attention to when setting up is the choice of control resources. It is better to take several large sites, the stable operation of which is practically guaranteed.
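The switching logic described above is small but has a subtle property: switchback happens as soon as the control resources answer through the main interface again. The added example below (not UserGate code; interface names and check results are constructed) drives that logic with a sequence of check rounds so the behaviour can be inspected offline.

```python
"""Main/backup Internet channel switching driven by rounds of availability
checks against control resources. Added example, not UserGate code."""


class ChannelFailover:
    def __init__(self, main, backups):
        self.main = main
        self.backups = list(backups)   # tried in list order
        self.active = main

    def on_check(self, results):
        """results maps interface -> True if at least one control resource
        answered through it in this round. Returns the interface now in use."""
        if results.get(self.main, False):
            self.active = self.main                    # main works again: switch back
        elif not results.get(self.active, False):      # current interface is down
            for backup in self.backups:
                if results.get(backup, False):
                    self.active = backup               # first working backup
                    break
        return self.active                             # nothing answers: keep current


def probe_round(interfaces, resources, fetch):
    """One check round. An interface counts as up if any control resource answers.
    fetch(interface, resource) -> bool is injected so the example runs offline;
    a real probe would issue the request bound to that interface."""
    return {i: any(fetch(i, r) for r in resources) for i in interfaces}


if __name__ == "__main__":
    fo = ChannelFailover("WAN1", ["WAN2", "WAN3"])
    # Constructed rounds: main up, main down, main still down, main back
    for round_results in ({"WAN1": True, "WAN2": True},
                          {"WAN1": False, "WAN2": True},
                          {"WAN1": False, "WAN2": False, "WAN3": True},
                          {"WAN1": True, "WAN2": False}):
        print(round_results, "->", fo.on_check(round_results))
```

Two practical notes. First, pick several control resources: with a single one, an outage at that site reads as a channel failure. Second, immediate switchback means an intermittently failing main link will flap between channels every check interval; if that bites, require a few consecutive successful rounds before returning to the main interface.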

Additional functions

Network Application Control

UserGate Proxy & Firewall implements such an interesting feature as control of network applications. Its goal is to prevent any unauthorized software from accessing the Internet. As part of the control settings, rules are created that allow or block the network operation of various programs (with or without version considerations). They can specify specific IP addresses and destination ports, which allows you to flexibly configure software access, allowing it to perform only certain actions on the Internet.

Application control allows you to develop a clear corporate policy on the use of programs and partially prevent the spread of malware.

After this, you can proceed directly to setting up the proxy servers. In total, the solution implements seven of them: for the HTTP (including HTTPS), FTP, SOCKS, POP3, SMTP, SIP and H.323 protocols. That is practically everything a company's employees may need to work on the Internet. By default, only the HTTP proxy is enabled; the others can be activated as needed.


Proxy servers in UserGate Proxy & Firewall can operate in two modes - normal and transparent. In the first case we are talking about a traditional proxy. The server receives requests from users and forwards them to external servers, and transmits the received responses to clients. This is a traditional solution, but it has its own inconveniences. In particular, it is necessary to configure each program that is used to work on the Internet (Internet browser, email client, ICQ, etc.) on each computer on the local network. This is, of course, a lot of work. Moreover, periodically, as new software is installed, it will repeat.

When transparent mode is chosen, a special NAT driver is used, which is included in the delivery package of the solution in question. It listens on the appropriate ports (80 for HTTP, 21 for FTP, and so on), detects requests arriving on them and passes them to the proxy server, from where they are sent onward. This solution is more convenient in the sense that software configuration on client machines is no longer necessary. The only thing required is to specify the IP address of the Internet gateway as the default gateway in the network connection settings of all workstations.

The next step is to configure DNS query forwarding. There are two ways to do this. The simplest of them is to enable so-called DNS forwarding. When using it, DNS requests arriving at the Internet gateway from clients are redirected to the specified servers (you can use either a DNS server from the network connection settings or any arbitrary DNS servers).


The second option is to create a NAT rule that will receive requests on port 53 (standard for DNS) and forward them to the external network. However, in this case, you will either have to manually register DNS servers in the network connection settings on all computers, or configure sending DNS requests through the Internet gateway from the domain controller server.

User management

After completing the basic setup, you can move on to working with users. You need to start by creating groups into which accounts will subsequently be combined. What is it for? Firstly, for subsequent integration with Active Directory. And secondly, you can assign rules to groups (we'll talk about them later), thus controlling access for a large number of users at once.

The next step is to add users to the system. You can do this in three different ways. For obvious reasons, we do not even consider the first of them, manual creation of each account: this option is only suitable for small networks with few users. The second method is scanning the corporate network with ARP requests, during which the system itself determines the list of possible accounts. We choose the third option, which is the best in terms of simplicity and ease of administration: integration with Active Directory. It is performed on the basis of the previously created groups. First you need to fill in the general integration parameters: specify the domain, the address of its controller, the login and password of a user with the necessary access rights, and the synchronization interval. After this, each group created in UserGate must be assigned one or more groups from Active Directory. That is where the setup ends: after saving all parameters, synchronization is performed automatically.

Users created during synchronization will by default use NTLM authorization, that is, authorization by domain login. This is a very convenient option, since the rules and the traffic accounting system will work regardless of which computer the user is currently sitting at.

However, to use this authorization method you need additional software - a special client. This program works at the Winsock level and transmits user authorization parameters to the Internet gateway. Its distribution is included in the UserGate Proxy & Firewall package. You can quickly install the client on all workstations using Windows group policies.

By the way, NTLM authorization is far from the only method of authorizing company employees for work on the Internet. For example, if an organization practices strict binding of workers to workstations, then an IP address, a MAC address, or a combination of both can be used to identify users. The same methods can be used to give various servers access to the global network.

User control

One of the significant advantages of UGPF is its extensive user control capabilities. They are implemented using a system of traffic control rules. The principle of its operation is very simple. The administrator (or other responsible person) creates a set of rules, each of which consists of one or more trigger conditions and the action performed when they occur. These rules are assigned to individual users or entire groups and allow you to control their work on the Internet automatically. There are four possible actions in total. The first is to close the connection. It allows you, for example, to block the downloading of certain files, prevent visits to unwanted sites, etc. The second action is to change the tariff. It is used in the tariff system integrated into the product under review (we are not considering it, since it is not particularly relevant for corporate networks). The third action disables counting of the traffic received within the connection: the transmitted information is then not taken into account when calculating daily, weekly and monthly consumption. And finally, the last action limits the speed to a specified value. It is very convenient for preventing the channel from being clogged by downloads of large files and for solving other similar problems.

There are many more conditions in the traffic control rules - about ten. Some of them are relatively simple, such as maximum file size. This rule will be triggered when users try to download a file larger than the specified size. Other conditions are time-based. In particular, among them we can note the schedule (triggered by time and days of the week) and holidays (triggered on specified days).

Of greatest interest, however, are the conditions associated with sites and content. In particular, they can be used to block, or apply other actions to, certain types of content (for example, video, audio, executable files, text, pictures, etc.), specific web projects or entire categories of them (Entensys URL Filtering technology is used for this; see box).

It is noteworthy that one rule can contain several conditions at once. In this case, the administrator can specify in which case it will be executed - if all conditions or any one of them are met. This allows you to create a very flexible policy for the use of the Internet by company employees, taking into account a large number of various nuances.

Setting up a firewall

An integral part of the UserGate NAT driver is a firewall; it helps solve various problems related to processing network traffic. For configuration, special rules are used, which can be one of three types: network address translation, routing and firewall. There can be an arbitrary number of rules in the system. In this case, they are applied in the order in which they are listed in the general list. Therefore, if incoming traffic matches several rules, it will be processed by the one that is located above the others.

Each rule is characterized by three main parameters. The first is the traffic source. This can be one or more specific hosts, or the WAN or LAN interface of the Internet gateway. The second parameter is the traffic destination. The LAN or WAN interface or a dial-up connection can be specified here. The last main characteristic of a rule is the service or services it applies to. In UserGate Proxy & Firewall, a service is understood as a pair of a protocol family (TCP, UDP, ICMP, arbitrary protocol) and a network port (or range of network ports). By default, the system already has an impressive set of pre-installed services, ranging from common ones (HTTP, HTTPS, DNS, ICQ) to specific ones (WebMoney, RAdmin, various online games, and so on). However, if necessary, the administrator can create their own services, for example, ones describing how to work with online banking.

Each rule also has an action that it performs with traffic that matches the conditions. There are only two of them: allow or prohibit. In the first case, traffic flows unhindered along the specified route, while in the second it is blocked.

Network address translation rules use NAT technology. With their help, you can configure Internet access for workstations with local addresses. To do this, you need to create a rule, specifying the LAN interface as the source, and the WAN interface as the destination. Routing rules are applied if the solution in question will be used as a router between two local networks (it implements this feature). In this case, routing can be configured to carry traffic bidirectionally and transparently.

Firewall rules are used to process traffic that does not go to the proxy server, but directly to the Internet gateway. Immediately after installation, the system has one such rule that allows all network packets. In principle, if the Internet gateway being created will not be used as a workstation, then the action of the rule can be changed from “Allow” to “Deny”. In this case, any network activity on the computer will be blocked, except for transit NAT packets transmitted from the local network to the Internet and back.

Firewall rules allow you to publish any local services on the global network: web servers, FTP servers, mail servers, etc. Remote users then have the opportunity to connect to them via the Internet. As an example, consider publishing a corporate FTP server. To do this, the administrator must create a rule in which “Any” is selected as the source, the desired WAN interface is specified as the destination, and FTP as the service. After this, select the “Allow” action, enable address translation and in the “Destination Address” field specify the IP address of the local FTP server and its network port.

After this configuration, all connections to the Internet gateway's network cards on port 21 will be automatically redirected to the FTP server. By the way, during the setup process you can select not only the “native” service, but also any other (or create your own). In this case, external users will have to connect to a port other than 21. This approach is very convenient in cases where the information system has two or more services of the same type. For example, you can organize external access to the corporate portal via the standard HTTP port 80, and access to UserGate web statistics via port 81.

External access to the internal mail server is configured in a similar way.
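To make the rule ordering and publishing behaviour described above concrete, here is an added example written for this review (not UserGate's own code) that models the firewall rule list in Python: rules are checked in list order and the first match wins, each rule has a source, a destination interface and a service (protocol plus port range), and a publishing rule carries the internal address to translate to. The rule names, the constructed IP addresses and the decision to end the list with a deny-all rule (the initial allow-all rule with its action changed to “Deny”) are assumptions for the example; the `find_shadowed` check is added to show the classic mistake of placing the catch-all rule above the publishing rules.

```python
"""Ordered firewall/NAT rules as the review describes them (added example,
not UserGate code): first match in list order wins, each rule has a source,
a destination interface and a service (protocol + port range), and a
publishing rule can translate the destination to an internal host."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    proto: str                 # "TCP", "UDP", "ICMP" or "ANY"
    ports: Tuple[int, int]     # inclusive port range; (0, 0) when ports do not apply


ANY_SERVICE = Service("ANY", (0, 65535))
FTP = Service("TCP", (21, 21))
HTTP = Service("TCP", (80, 80))


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                # "ANY", "LAN", "WAN" or a host/network in CIDR form
    destination: str           # "LAN", "WAN", "PPP" or "ANY"
    service: Service
    action: str                # "ALLOW" or "DENY"
    translate_to: Optional[Tuple[str, int]] = None   # (internal IP, port) for publishing


@dataclass(frozen=True)
class Packet:
    src_ip: str
    in_iface: str              # interface the packet arrived on: "LAN" or "WAN"
    dst_iface: str             # interface it is addressed to
    proto: str
    dport: int


def _source_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.source == "ANY":
        return True
    if rule.source in ("LAN", "WAN"):
        return pkt.in_iface == rule.source
    # anything else is a host or network, e.g. "192.168.1.0/24"
    return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source, strict=False)


def _service_matches(svc: Service, pkt: Packet) -> bool:
    if svc.proto != "ANY" and svc.proto != pkt.proto:
        return False
    lo, hi = svc.ports
    return lo <= pkt.dport <= hi


def evaluate(rules: List[Rule], pkt: Packet):
    """Return (action, translate_to, rule name) of the first matching rule.
    A packet matching no rule at all is denied (an assumption of this
    example; in the product the rule list decides)."""
    for r in rules:
        if (_source_matches(r, pkt)
                and r.destination in ("ANY", pkt.dst_iface)
                and _service_matches(r.service, pkt)):
            return r.action, r.translate_to, r.name
    return "DENY", None, None


def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet matching b also matches a."""
    return (a.source in ("ANY", b.source)
            and a.destination in ("ANY", b.destination)
            and a.service.proto in ("ANY", b.service.proto)
            and a.service.ports[0] <= b.service.ports[0]
            and b.service.ports[1] <= a.service.ports[1])


def find_shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:i])]


# Constructed rule set following the review's FTP publishing walkthrough:
# "Any" source, WAN destination, FTP service, Allow, translate to the local server.
RULES = [
    Rule("nat-lan-to-wan", "LAN", "WAN", ANY_SERVICE, "ALLOW"),
    Rule("publish-ftp", "ANY", "WAN", FTP, "ALLOW", ("192.168.1.10", 21)),     # constructed address
    Rule("publish-portal", "ANY", "WAN", HTTP, "ALLOW", ("192.168.1.20", 80)), # constructed address
    Rule("default-deny", "ANY", "ANY", ANY_SERVICE, "DENY"),  # initial allow-all, changed to Deny
]
```

Moving `default-deny` to the top of the list silently disables all three rules below it, which is exactly what `find_shadowed` reports; running the check after every change to the list is a cheap way to catch the ordering mistake.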

An important distinguishing feature of the implemented firewall is the intrusion prevention system. It works in a fully automatic mode, identifying unauthorized attempts based on signatures and heuristic methods and neutralizing them by blocking unwanted traffic flows or resetting dangerous connections.

Let's sum it up

In this review, we examined in some detail the organization of shared access of company employees to the Internet. In modern conditions, this is not the easiest process, since a large number of different nuances need to be taken into account. Moreover, both technical and organizational aspects are important, especially control of user actions.

Currently, no company can do its work without the Internet. The global network is actively used in business processes to solve a wide range of information, communication and marketing tasks. But at the same time, it is also a potential threat to information security. Email and web traffic is often used by attackers to distribute malware, phishing messages, etc.

Another potential danger of the Internet is its misuse by employees during working hours. Company employees, instead of performing their official duties, can spend time communicating on social networks, browsing various entertainment sites, downloading movies, music, unlicensed software, etc. This increases the direct and indirect costs of the company, reduces the productivity of office employees, and is a direct threat to information security (when visiting certain categories of unwanted sites, the risk of infecting your computer increases noticeably).

Therefore, in modern conditions, the problem of connecting a corporate network to the Internet must be solved taking into account all security requirements and monitoring the actions of employees. The UserGate Proxy & Firewall product provides a solution to the listed problems. It first appeared on the market about 10 years ago as a fairly simple, but reliable and easy-to-use proxy server. This is what earned it its popularity in Russia and neighboring countries.

Currently, the developers continue to improve their brainchild and have significantly expanded the functionality of the product, taking into account the realities of the information security field. Major versions (about once every 2-3 years) and minor versions (2-4 between major releases) of UserGate Proxy & Firewall are released quite regularly, and each expands the capabilities of the proxy server. Today it is a comprehensive product that can be used to solve the entire range of problems associated with sharing Internet access.

Composition of UserGate Proxy & Firewall

The basis of the UserGate Proxy & Firewall solution is the UserGate server. It is installed directly on a corporate Internet gateway and implements global network sharing, statistics maintenance, traffic counting, etc.

The access system is administered using the management console. This is a separate application that connects to the server via a special protocol over TCP/IP (a proprietary protocol is used, and the transmission is protected using OpenSSL with a key length of 1024 bits), which allows you to use it not only locally, but also remotely. Thus, the system administrator has the opportunity to manage UserGate Proxy & Firewall directly from his workplace, without needing physical access to the Internet gateway.

In addition, UserGate Proxy & Firewall implements a number of additional modules to solve various specific problems.

  • UserGate Statistics. A separate application that is installed on the computer of responsible employees and allows them to view Internet usage statistics.
  • Web statistics. A module for viewing statistics via a web browser. If necessary, it can be accessed not only from the local network, but also from the Internet.
  • Cache Explorer. A separate application for viewing cache contents saved by UserGate Proxy & Firewall.
  • UserGate authorization client. A separate application that is installed on end-user computers and provides the ability to use “advanced” authorization methods - using Active Directory, Windows login, etc.
  • Application Control. A separate application installed on workstations. It allows you to limit the list of programs that are allowed to access the Internet.

System requirements

The system requirements imposed by the proxy server on the computer are described in the table.

Parameter            Minimum requirements                              Recommended configuration
CPU                  1 GHz                                             1-2 GHz depending on the number of users
RAM                  512 MB                                            512 MB – 1 GB depending on the number of users
Operating system     Windows 2000/XP/2003/2008/7/2008 R2 (32- and 64-bit OS supported)
Internet connection  The type and capacity are determined in each specific case, based on the needs

Features of UserGate Proxy & Firewall

The UserGate Proxy & Firewall product has a wide range of capabilities to ensure collaboration on the Internet, protect the corporate information system from external threats, and control the use of the global network by users.

Organizing online collaboration

UserGate Proxy & Firewall allows you to organize collaboration on the Internet for a large number of users. To do this, it implements a number of proxy servers (for HTTP, FTP, POP3, SMTP, SOCKS4, SOCKS5, SIP and H323 protocols), its own NAT driver, and a DNS forwarding system.

Transparent proxy mode

Proxy servers in UserGate Proxy & Firewall can operate in transparent mode. In this case, no additional software configuration is required on the client side. To implement it, NAT technology is used.

Multi-provider support

The program in question can work with several network interfaces connected to different providers. This allows you to implement such features as redirecting traffic from different user groups to different Internet channels, as well as reserving Internet access.

TrafficManager

UserGate Proxy & Firewall implements the Traffic Manager module, designed for flexible control of the Internet channel width. With its help, you can specify the priority of various types of traffic, limit the data transfer rate for certain protocols, etc.

Caching

The program in question implements a caching system. It stores files downloaded by users on the hard drive of the Internet gateway and, upon subsequent access to them, does not download them again from the remote server. This allows you to reduce the load on the Internet channel and traffic consumption in general.

IP telephony support

An interesting feature of UserGate Proxy & Firewall is its support for IP telephony. In addition to SIP and H323 proxy servers, it implements functions such as a SIP Registrar (in fact, an IP telephony server) and an H323 GateKeeper.

User authorization

UserGate Proxy & Firewall implements eight methods of user authorization, for example by IP address, by the network card's MAC address, through Active Directory, by logins and passwords specified by the administrator, and by Windows accounts.

Limiting traffic and access speed

The proxy server in question allows you to set rules that limit the use of the Internet. In particular, you can determine the daily, weekly or monthly limit of consumed traffic, the maximum data transfer speed, protocols allowed for use, etc. Rules can be tied to both individual users and entire groups of them.

Billing system

UserGate Proxy & Firewall implements its own billing system, which can be used to calculate the costs of using the Internet. Tariffs can be set either temporary or based on consumed traffic. At the same time, it is possible to flexibly configure them and automatically switch from one to another depending on the time of day or category of the site being viewed.

Application Control

UserGate Proxy & Firewall allows you to limit the list of applications that are allowed to access the Internet. This helps enforce uniform use of software on the local network. In addition, this module can serve as additional protection against malware: even if malware is active on a computer, the Internet channel will not be available to it.

Filtering sites by category

The proxy server in question allows you to restrict access to unwanted sites by category. For this purpose, the Entensys URL Filtering cloud technology is used. It is based on a special database of sites divided into 82 categories, and it is by these categories that access can be limited. The database contains more than 500 million web projects and is constantly updated and edited by the developers. It is worth noting that using category filtering requires purchasing an additional license.

Application Control

UserGate Proxy & Firewall implements a traffic filtering system based on the applications that generate the traffic. This allows you to let one program access the Internet and block the network activity of another. The filtering rules are highly flexible: with their help, you can allow applications to work only over a specific protocol, or to send network packets only to a specified IP address or range of IP addresses, etc. To implement this type of filtering, you need to install a special “Application Control” program on the workstations; it is included in the product's delivery package.

Statistics and reports

The proxy server in question keeps detailed statistics on Internet usage by all users. You can work with them using a special application or through a web interface. A system of access rights is implemented, which allows responsible employees to view complete information, and other users only their own statistics. You can use tools such as filtering by various conditions, generating tabular and graphical reports, and exporting data to HTML and to the Microsoft Excel and OpenOffice.org Calc programs.

Built-in DHCP server

UserGate Proxy & Firewall implements its own DHCP server, which can distribute IP addresses to clients from a pool specified by the administrator. This tool is not needed if a domain has been deployed in the enterprise information system. However, it can simplify the administration of computers in small peer-to-peer networks.

Built-in router

Another tool for the administrator is the built-in router. It allows you to combine two or more local networks, providing transparent two-way communication between them. At the same time, you can specify the protocols and services that will be allowed to use network connections.

Antivirus protection

Using UserGate Proxy & Firewall, all traffic passing through a proxy server can be scanned for the presence of malware. For this purpose, integrated modules developed by Kaspersky Lab and Panda Security are used. Moreover, traffic scanning can be carried out either by one of the specified anti-virus modules, or sequentially. It is worth noting that the use of antivirus software requires the purchase of additional licenses from the relevant manufacturers.

Firewall

The proxy server in question implements a full-fledged firewall that allows you to block unwanted network traffic and helps protect against external intrusions. At the same time, it is very easy to set up: when you enable or disable services and port forwarding rules, the corresponding ports are automatically opened or closed.

VPN support

UserGate Proxy & Firewall supports PPTP and L2TP protocols, which are used to communicate with VPN servers. This makes it easy to provide secure remote connections to the information resources of an enterprise or its branches.

Deploying UserGate Proxy & Firewall and working with it

The procedure for deploying the UserGate Proxy & Firewall proxy server can be divided into several stages.

  1. Program installation.
  2. Basic proxy server setup.
  3. Creation of rules implementing corporate Internet use policy.
  4. Adding users.

Stage 1. Installing the program

The installation procedure for UserGate Proxy & Firewall is very simple and does not require any special knowledge or skills from the performer. First of all, download the distribution from the developer’s official website, launch it and select the installer’s operating language. In the welcome window that opens, click on the “Next” button.

Figure 1. Installer welcome window, UserGate Proxy & Firewall

In the next step, read the license agreement, accept it and click on “Next” again.

Figure 2. License agreement, UserGate Proxy & Firewall

The third stage is to select the components to install. If you are installing the program on an Internet gateway, you must enable the “UserGate Proxy & Firewall 5 Basic Files” item and select the necessary sub-items there. So, for example, if you do not have a license for anti-virus scanning modules or you are not going to use web statistics, then there is no need to install the corresponding modules. You can separately select the management console and the UserGate Statistics component. This may be required when installing the product on the computer of an administrator or responsible employee to remotely manage the proxy server and view reporting.

Here, if necessary, you can change the folder in which the product will be installed (the default folder is C:\Program Files\Entensys\UserGate 5\).

Figure 3. Selecting installation components, UserGate Proxy & Firewall

After this, the final installer window is displayed, in which you need to click on the “Install” button to start the process.

Figure 4. Final installer window, UserGate Proxy & Firewall

The time it takes to complete the installation procedure depends on available system resources.

Figure 5. Installation of UserGate Proxy & Firewall

A computer restart is required to complete the installation.

Stage 2. Basic proxy server setup

All proxy server administration work is carried out using the management console. It can be carried out either directly from the Internet gateway or remotely from the administrator’s workstation. If the console is installed together with the server on the same computer, the connection is created automatically. Otherwise, you need to configure the connection manually - specify the domain name or server IP address, port (2345 by default), login and password.

Figure 6. Setting up a connection to the server, UserGate Proxy & Firewall

After connecting to the server for the first time, you need to configure the interfaces. This is done on the management console tab of the same name. UserGate Proxy & Firewall automatically detects all available network interfaces and displays them in the list. Select among them those that “look” at the local network and change their type to LAN. All external interfaces must be of type WAN. In addition to network interfaces, the list includes connections such as PPPoE, VPN, etc. These are automatically assigned the PPP type, which cannot be changed.

Figure 7. Configuring network interfaces, UserGate Proxy & Firewall

If necessary, you can organize an Internet channel reservation system. It allows you to automatically switch to another interface if the main one is unavailable. To use it, you must have two or more Internet connections. To set up a reservation, it is most convenient to use a special wizard. At the first stage, specify the main and backup connections.

Figure 8. Specifying the primary and backup connections in UserGate Proxy & Firewall

At the second stage, enter the addresses of the servers whose unavailability will be taken to mean that the channel is down. Please note that it is best to use popular services, and not just one, but several. This avoids switching to the backup channel because of problems on a single server, a failure along one backbone route and other similar reasons. Additionally, you can enter the check interval and the timeout for the Ping command.

Figure 9. List of servers used to check that the connection is working, UserGate Proxy & Firewall

All Internet channel reservation settings are displayed on the "Interfaces" page of the management console. Here you can change them manually without going through the setup wizard.

Figure 10. Internet channel reservation properties in UserGate Proxy & Firewall
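The failover logic set up by this wizard (and described earlier in the section on backup Internet channels) can be written down as a small monitor, shown here as an added example written for this review and not taken from UserGate. It assumes a primary interface, an ordered list of backups and several control hosts; the probe is injected as a function so the monitor can be driven by constructed results offline. A channel counts as up when any control host answers through it, which is why several control sites are recommended: one site's outage does not cause a switch.

```python
"""Internet channel failover as the review describes it (added example, not
UserGate code): probe control hosts via the main interface at every check,
switch to the first working backup when all of them fail, keep probing the
main interface and switch back as soon as it answers again."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# probe(interface, control_host) -> True if the host answered via that interface
Prober = Callable[[str, str], bool]


@dataclass
class ChannelMonitor:
    main: str                      # primary WAN interface
    backups: List[str]             # backup interfaces, tried in order
    control_hosts: List[str]       # several large, reliably available sites
    active: str = field(init=False)
    log: List[str] = field(default_factory=list)

    def __post_init__(self):
        self.active = self.main

    def _up(self, iface: str, probe: Prober) -> bool:
        # the channel is up if any control host answers; requiring all of them
        # to fail avoids switching because one site has its own problems
        return any(probe(iface, h) for h in self.control_hosts)

    def check(self, probe: Prober) -> str:
        """One scheduled check; returns the interface that is active afterwards."""
        if self._up(self.main, probe):          # main is re-probed on every check
            if self.active != self.main:
                self.log.append(f"{self.main} reachable again: switching back")
            self.active = self.main
            return self.active
        if self.active == self.main:
            self.log.append(f"{self.main} down: looking for a backup channel")
        for b in self.backups:
            if self._up(b, probe):
                if self.active != b:
                    self.log.append(f"switched to backup {b}")
                self.active = b
                return self.active
        self.log.append(f"no channel reachable, staying on {self.active}")
        return self.active


def simulate(monitor: ChannelMonitor, rounds: List[Dict[str, set]]) -> List[str]:
    """Drive the monitor with constructed probe results, one dict per check:
    interface name -> set of control hosts reachable through it. Returns the
    active interface after each check."""
    history = []
    for reachable in rounds:
        probe = lambda iface, host, r=reachable: host in r.get(iface, set())
        history.append(monitor.check(probe))
    return history


# Constructed scenario: interface and host names are placeholders.
SCENARIO = [
    {"wan0": {"a", "b", "c"}, "wan1": {"a", "b", "c"}},   # everything fine
    {"wan0": {"a"}, "wan1": {"a", "b", "c"}},             # two sites down: no switch
    {"wan0": set(), "wan1": {"a", "b"}},                  # main down: switch to wan1
    {"wan0": set(), "wan1": {"a"}},                       # still down: stay on wan1
    {"wan0": {"b"}, "wan1": {"a"}},                       # main back: switch back
]
```

The `log` list records every transition, which is what you would want to surface in monitoring: frequent flapping between channels usually means the control hosts or the check interval are poorly chosen rather than that the line is actually failing.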

Next you need to configure the proxy server. To do this, open the “Services” section in the management console and select the “Proxy Settings” tab in it. In this case, a list of all available proxy servers will be displayed on the right side of the window. Turn on the necessary services and turn off all others.

Figure 11. List of proxy servers in UserGate Proxy & Firewall

If necessary, you can change the operating parameters of any proxy server. This is done in a special window, called up by double-clicking on the desired item. In it you need to specify the network interfaces that the proxy server will listen to. In most cases, you will need to select all LAN connections. You don’t have to specify interfaces in the properties, but in this case UserGate Proxy & Firewall will listen to all of them, including external ones. Here you can also change the port on which the proxy server runs.

Additionally, in this window you can switch the proxy server to the so-called transparent operating mode. Its essence is as follows. When transparency is enabled, the NAT driver listens on the appropriate ports (80 TCP for HTTP, 110 TCP for POP3, etc.) of the Internet gateway, detects requests coming through them and forwards them to the proxy server. As a result, work is essentially carried out through a "proxy", but administrators no longer need to configure applications on workstations. All of them will work as if connected directly to the Internet. However, when using the transparent operating mode, it is necessary to reconfigure the network connection properties of the workstations (specify the IP address of the Internet gateway as the gateway and enter the DNS server).

Figure 12. Proxy server properties in UserGate Proxy & Firewall

Next, you need to ensure that DNS requests pass through the proxy server. The easiest way to do this is using DNS forwarding. When using this technology, requests arriving at port 53 of the Internet gateway (only LAN interfaces are listened to) are redirected to the provider's DNS server. To enable it, go to the "DNS Settings" tab in the "Services" section. In the window that opens, enable DNS forwarding and specify the DNS server address. By default, it will be taken automatically from the settings of the WAN interface network card. However, if necessary, you can set your own list of DNS servers.

Figure 13. DNS setup in UserGate Proxy & Firewall
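The DNS forwarding behaviour just described (and the earlier section on DNS query forwarding) comes down to two decisions: which interface a query arrived on, and which upstream server it goes to. The following added example, written for this review rather than taken from UserGate, models that in Python. It parses a DNS query by hand so that it runs offline on a constructed packet, accepts queries only from LAN interfaces (so the gateway does not become an open resolver on its WAN side), and falls back to the WAN interface's DNS server when no explicit list is configured. The addresses used are constructed placeholders.

```python
"""DNS forwarding policy as the review describes it (added example, not
UserGate code): queries on port 53 are served only on LAN interfaces and
handed to the configured upstream servers, defaulting to the WAN DNS."""
import struct
from typing import List, Optional, Tuple


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal standard DNS query (constructed test input, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes) -> Tuple[int, str, int]:
    """Return (transaction id, question name, qtype). Anything that is not a
    well-formed single-question query raises ValueError and is dropped."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in question")
        if n > 63 or pos + 1 + n > len(pkt):
            raise ValueError("bad label")
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ".".join(labels), qtype


class DnsForwarder:
    def __init__(self, upstreams: List[str], wan_dns: Optional[str] = None):
        # an explicit list wins; otherwise use the DNS server of the WAN interface
        self.upstreams = list(upstreams) if upstreams else ([wan_dns] if wan_dns else [])
        self._next = 0

    def handle(self, iface_type: str, pkt: bytes) -> Optional[str]:
        """Return the upstream server the query is forwarded to, or None if it
        is dropped: only LAN-side, well-formed queries are forwarded."""
        if iface_type != "LAN":
            return None
        try:
            parse_query(pkt)
        except ValueError:
            return None
        if not self.upstreams:
            return None
        upstream = self.upstreams[self._next % len(self.upstreams)]
        self._next += 1              # simple round robin over the configured list
        return upstream
```

The interface check is the security-relevant line: a forwarder reachable from the WAN side answers for anyone and can be abused for reflection, which is why the product listens on LAN interfaces only.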

Additionally, you can configure such product features as general bandwidth management, port forwarding, application control, etc. However, we will not discuss them in detail: UserGate Proxy & Firewall is too functional to describe its full configuration in one review. In addition, this product is accompanied by a fairly detailed help system.

Stage 3. Creating rules that implement corporate Internet use policy

An important feature of UserGate Proxy & Firewall is a traffic management system that allows you to prevent misuse of corporate Internet resources by organization employees, enhance the security of the information system and solve a number of other similar problems. It is based on rules that describe the behavior of the system in certain cases. The main work with them is carried out on the tab of the same name in the “Traffic Management” section. Here they can be created, deleted and edited. There can be any number of rules. However, it is not necessary that all of them should be involved. Rules are assigned to groups or users and work only for them.

Figure 14. List of traffic control rules in UserGate Proxy & Firewall

Each rule represents one or more conditions combined with the logical operators AND or OR. When they are executed, the specified action is triggered. The rule properties window consists of five tabs. The first one sets the basic parameters: name, type of logic, as well as the object and the action to be performed with it. Here you have options such as closing the connection, disabling traffic counting, enabling speed limits, etc.

Figure 15. Basic parameters of a traffic control rule in UserGate Proxy & Firewall

The second tab specifies the protocols for which the rule will work. By default they are all activated. However, the administrator can disable some of them.

Figure 16. Configuring protocols in a traffic control rule in UserGate Proxy & Firewall

The next tab allows you to set a schedule, i.e. indicate the duration of the rule.

Figure 17. Configuring the schedule of a traffic control rule in UserGate Proxy & Firewall

The fourth tab is intended for entering restrictions on daily, weekly or monthly traffic consumption. The rule will be triggered when the user reaches a certain limit. In addition, on this tab you can set restrictions on the size of uploaded files.

Figure 18. Configuring consumption restrictions in a traffic control rule in UserGate Proxy & Firewall

The last, fifth tab allows you to configure web content filtering. On it you can set conditions of four different types: by IP address (or range of IP addresses), by site address (including by a fragment of the address), by content type (by entire categories such as audio, video, pictures, text documents, etc., or by individual extensions such as *.avi, *.mp3, *.flv, etc.), and by site category. It is worth noting that the type of filtered content can be specified.

Figure 19. Configuring web content filtering conditions in a traffic control rule in UserGate Proxy & Firewall

The conditions described above can be combined in any combination, which allows you to create very flexible rules that describe almost any corporate policy for using the Internet.
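The rule structure laid out across these tabs (and in the earlier “User control” section) is easy to model: a rule is a list of conditions joined by AND or OR, an action, and an assignment to users or groups. The following is an added example written for this review, not UserGate's own code, that implements that evaluation in Python with a few of the condition types named above (file size, schedule, content type, site address fragment and a daily consumption limit) and three of the four actions. The rule names, group membership, limits and the sample timestamps are constructed for the example.

```python
"""Traffic control rules with AND/OR condition logic as the review describes
(added example, not UserGate code). Each request is checked against the
rules assigned to the user and to the user's group; the first rule whose
logic is satisfied decides the action."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional

MB = 1024 * 1024


@dataclass(frozen=True)
class Request:
    user: str
    url: str
    content_type: str      # e.g. "video/mp4", "application/octet-stream"
    size: int              # bytes, as announced by the server
    when: datetime
    used_today: int        # bytes the user has already consumed today


Condition = Callable[[Request], bool]


# Condition builders mirroring the tabs in the rule properties window.
def max_file_size(limit: int) -> Condition:
    return lambda r: r.size > limit


def schedule(days: set, start_hour: int, end_hour: int) -> Condition:
    # days use datetime.weekday(): 0 = Monday ... 6 = Sunday
    return lambda r: r.when.weekday() in days and start_hour <= r.when.hour < end_hour


def content_category(prefix: str) -> Condition:
    return lambda r: r.content_type.startswith(prefix)


def site_fragment(fragment: str) -> Condition:
    return lambda r: fragment.lower() in r.url.lower()


def daily_limit(limit: int) -> Condition:
    return lambda r: r.used_today + r.size > limit


@dataclass
class Rule:
    name: str
    logic: str                    # "ALL" (AND) or "ANY" (OR)
    conditions: List[Condition]
    action: str                   # "CLOSE", "CHANGE_TARIFF", "NO_COUNT" or "LIMIT_SPEED"
    speed_kbps: Optional[int] = None

    def matches(self, r: Request) -> bool:
        results = [c(r) for c in self.conditions]
        return all(results) if self.logic == "ALL" else any(results)


@dataclass
class Policy:
    assignments: Dict[str, List[Rule]]                    # user or group -> rules
    groups: Dict[str, str] = field(default_factory=dict)  # user -> group

    def rules_for(self, user: str) -> List[Rule]:
        # rules assigned directly to the user first, then those of the group
        return self.assignments.get(user, []) + self.assignments.get(self.groups.get(user, ""), [])

    def decide(self, r: Request):
        """Return (action, speed limit, rule name); with no matching rule the
        request passes, counted and unrestricted."""
        for rule in self.rules_for(r.user):
            if rule.matches(r):
                return rule.action, rule.speed_kbps, rule.name
        return "PASS", None, None


def build_policy() -> Policy:
    """Constructed sample policy for a 'staff' group (names and limits assumed)."""
    workdays = {0, 1, 2, 3, 4}
    rules = [
        # AND: video content during working hours on a workday
        Rule("no-video-in-work-hours", "ALL",
             [content_category("video/"), schedule(workdays, 9, 18)], "CLOSE"),
        # OR: either a very large file or a known bulk-download site
        Rule("throttle-big-downloads", "ANY",
             [max_file_size(100 * MB), site_fragment("mirror.example.net")],
             "LIMIT_SPEED", speed_kbps=512),
        Rule("daily-limit", "ALL", [daily_limit(500 * MB)], "CLOSE"),
    ]
    return Policy(assignments={"staff": rules}, groups={"alice": "staff"})


# Constructed timestamps: Tuesday 2024-03-12 during and after working hours.
WORKDAY_MORNING = datetime(2024, 3, 12, 11, 0)
WORKDAY_EVENING = datetime(2024, 3, 12, 20, 0)
```

Because the rules are evaluated in order, the same ordering discipline applies as with firewall rules: a broad AND rule placed first can pre-empt a more specific one lower down, so keep the list short and review it whenever a rule is added.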

Stage 4. Adding users

UserGate Proxy & Firewall provides two ways to add users: manually and by integrating with Active Directory. It is clear that the first of these is only intended for small companies that use a simple peer-to-peer network. If the organization has deployed a domain, then it is much easier and more efficient to use integration with Active Directory.

If you select the second option for adding users, you must first configure the synchronization settings. This can be done on the "Groups" tab of the "Users and Groups" section. To enter parameters, click on the “Setting up synchronization with AD” button and enter the domain name, controller address, administrator login and password, and data update frequency in the window that opens.

Figure 20. Synchronization settings of UserGate Proxy & Firewall with Active Directory

Working with accounts begins with entering user groups, for each of which you can specify previously entered rules. Rules assigned to a group apply immediately to all accounts in it, which simplifies management.

Figure 21. List of groups in UserGate Proxy & Firewall

After you finish working with groups, you can begin setting up the list of users. With the manual method, each account has to be entered separately, setting all its properties, including the authorization method. With synchronization, the list of accounts is filled in and kept up to date automatically. If necessary, you can make changes to user accounts, for example, set a different authorization method (NTLM authorization is used by default).

Figure 22. List of accounts in UserGate Proxy & Firewall

Here it is necessary to make a small digression. To use some authorization methods (login and password entered in UserGate Proxy & Firewall, Windows login, authorization through Active Directory) you must install a special program on workstations - the UserGate authorization client. Its installation package (AuthClientInstall.msi) is located in the Tools subfolder of the product installation directory. It can be installed either manually or using Active Directory group policies.

At this point, the initial setup procedure for UserGate Proxy & Firewall can be considered complete. Our proxy server is completely ready to work. In the future, the administrator can connect to it remotely at any time and change the previously specified parameters.

UserGate Proxy & Firewall refers to applications that do not require constant attention from the administrator. Connecting to the Internet, switching to a backup channel and back, monitoring the use of the global network by company employees and other actions are performed automatically. So, in fact, all further work comes down to studying statistics and, sometimes, changing some operating parameters.

To work with the information collected by the system, a special application can be used – “UserGate Statistics”. With its help, the administrator or responsible employee can view complete data, filtering it by date, destination, user, protocol, website category and other parameters, as well as export it in different formats.

Figure 24. Viewing statistics using a special application

There is another option for viewing the collected information - web statistics. With its help, you can study data using a browser. Interestingly, not only administrators, but also ordinary users can do this. At the same time, only their personal statistics will be available to them.

Figure 25. Viewing statistics using a browser

Conclusions

In conclusion, let's summarize. A detailed examination of the capabilities of UserGate Proxy & Firewall showed that today this product is one of the most functional proxy servers present on the Russian market. With its help, you can solve almost any problem related to organizing shared access to the Internet.

An important feature of the product considered is the ability to implement corporate policies for using the global network. Denying access to potentially dangerous sites, blocking the loading of certain types of content, and some other features increase the level of security of the information system.

An important factor is the presence of security tools in UserGate Proxy & Firewall, which allow you to quickly and easily organize protection of the local network perimeter from external threats: antivirus and firewall. Of course, their use does not replace the need to protect workstations. However, a two-stage “defense”, during which network traffic is checked sequentially (first at the Internet gateway level, and then at the user computer level) usually turns out to be much more effective.

The main disadvantages of UserGate Proxy & Firewall are not technical, but rather “economic” in nature. We are talking about the need to annually renew licenses for the use of anti-virus modules, as well as a system for filtering sites based on categories. In principle, the proxy server can work without them, especially since the license for UserGate Proxy & Firewall itself is unlimited. However, these functions can significantly increase the security of the information system, and, therefore, their use is still desirable.

Having connected the Internet in the office, every boss wants to know what he is paying for. Especially if the tariff is not unlimited, but based on traffic. There are several ways to solve the problems of traffic control and organizing access to the Internet on an enterprise scale. I will talk about implementing the UserGate proxy server to obtain statistics and control channel bandwidth using my experience as an example.

I’ll say right away that I used the UserGate service (version 4.2.0.3459), but the methods of organizing access and the technologies used are also used in other proxy servers. So the steps described here are generally suitable for other software solutions (for example, Kerio Winroute Firewall, or other proxies), with minor differences in the implementation details of the configuration interface.

I will describe the task assigned to me: There is a network of 20 machines, there is an ADSL modem in the same subnet (alternately 512/512 kbit/s). It is required to limit the maximum speed for users and keep track of traffic. The task is a little complicated by the fact that access to the modem settings is closed by the provider (access is only possible through the terminal, but the password is with the provider). The statistics page on the provider’s website is unavailable (Don’t ask why, there is only one answer - the company has such a relationship with the provider).

We install UserGate and activate it. To organize access to the network we will use NAT (Network Address Translation). For this technology to work, the machine where we will install the UserGate server (service) must have two network cards (it may be possible to make NAT work on one network card by assigning it two IP addresses in different subnets).

So, the initial setup stage is NAT driver configuration (the driver comes from UserGate and is installed during the main installation of the service). We need two network interfaces (network cards) on the server hardware (for me this was not a problem, because I deployed UserGate on a virtual machine, where you can create as many network cards as you like).

Ideally, the modem itself is connected to one network card, and the entire network that will access the Internet to the second. In my case, the modem is installed in a different room from the server (physical machine), and I’m too lazy and don’t have time to move the equipment (and organizing a server room is looming in the near future). I connected both network adapters to the same network (physically), but configured them for different subnets. Since I was unable to change the modem settings (access was blocked by the provider), I had to move all computers to another subnet (fortunately, this is done easily using DHCP).

The network card connected to the modem (Internet) is set up as before (using the data from the provider):

  • Assign a static IP address (in my case it is 192.168.0.5);
  • I did not change the subnet mask 255.255.255.0, but it can be configured in such a way that there are only two devices in the subnet: the proxy server and the modem;
  • Gateway - the modem address 192.168.0.1;
  • Addresses of the provider's DNS servers (primary and secondary are required).

The second network card, connected to the internal network (intranet), is set up as follows:

  • Static IP address, but in a different subnet (I have 192.168.1.5);
  • Mask according to your network settings (I have 255.255.255.0);
  • No gateway is specified;
  • In the DNS server address field, enter the address of the enterprise DNS server (if there is one; if not, leave it blank).

Note: you must make sure that the use of the NAT component from UserGate is selected in the network interface settings.

After setting up the network interfaces, launch the UserGate service itself (don’t forget to configure it to run as a service so that it starts automatically with system rights) and go to the management console (locally or remotely). Go to “Network Rules” and select “NAT Setup Wizard”; you will need to indicate your intranet and Internet adapters. The intranet adapter is the one connected to the internal network. The wizard will configure the NAT driver.

After that you need to understand the NAT rules; for this, go to “Network settings” - “NAT”. Each rule has several fields and a status (active or inactive). The meaning of the fields is simple:

  • Title - the name of the rule; I recommend giving it something meaningful (there is no need to write addresses and ports in this field, this information will already be visible in the list of rules);
  • The receiver interface is your intranet interface (in my case 192.168.1.5);
  • The sender interface is your Internet interface (on the same subnet as the modem, in my case 192.168.0.5);
  • Port - indicate which port this rule applies to (for example, port 80 for the browser (HTTP), and port 110 for receiving mail). You can specify a range of ports if you don't want to mess around, but it's not recommended to do this for the entire range of ports;
  • Protocol - select one of the options from the drop-down menu: TCP (usually), UDP or ICMP (for example, to allow the ping or tracert commands).

Initially, the list of rules already contains the most used rules necessary for the operation of mail and various types of programs. But I supplemented the standard list with my own rules: for running DNS queries (without using the forwarding option in UserGate), for running SSL secure connections, for running a torrent client, for running the Radmin program, and so on. Here are screenshots of my list of rules. The list is still small, but it is expanding over time (with the emergence of the need to work on a new port).

The next stage is setting up users. In my case I chose authorization by IP address and MAC address. There are also authorization options by IP address only and by Active Directory credentials. You can also use HTTP authorization (each time, users first enter a password through the browser). We create users and user groups and assign them the NAT rules they use (if we need to give a user Internet in the browser, we enable the HTTP rule with port 80 for him; if we need to give him ICQ, the ICQ rule with port 5190).

Lastly, at the implementation stage, I configured users to work through a proxy. For this I used the DHCP service. The following settings are transferred to client machines:

  • The IP address is dynamic from DHCP in the range of the intranet subnet (in my case the range is 192.168.1.30 - 192.168.1.200; I configured IP address reservation for the required machines).
  • Subnet mask (255.255.255.0)
  • Gateway - address of the machine with UserGate on the local network (Intranet address - 192.168.1.5)
  • DNS servers - I provide 3 addresses. The first is the address of the enterprise DNS server, the second and third are the provider’s DNS addresses. (The enterprise DNS is configured to forward to the provider’s DNS, so in the event of a “fall” of the local DNS, Internet names will be resolved on the provider’s DNS).

This completes the basic setup. What remains is to check that it works: on the client machine (with settings received from DHCP or entered manually according to the recommendations above), launch the browser and open any page on the Internet. If something doesn't work, check the following:

  • Are the client network adapter settings correct? (does the machine with the proxy server ping?)
  • Is the user/computer authorized on the proxy server? (see UserGate authorization methods)
  • Does the user/group have the NAT rules enabled that are necessary for operation? (for the browser to work, you need at least an HTTP rule for the TCP protocol on port 80).
  • Are the traffic limits for the user or group exceeded? (I didn’t introduce this myself).
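The whole procedure above (two NICs on separate subnets, per-port NAT rules assigned to IP+MAC authorized users, DHCP clients pointed at the intranet NIC) can be checked mechanically. The following added example, not UserGate's own code, models that layout with the addresses from this write-up and walks the troubleshooting list for one client request; the account name, MAC address and rule table are constructed sample values.

```python
from ipaddress import ip_address, ip_interface

# Constructed model of the layout above (example code, not UserGate's own):
# two NICs on the proxy, per-port NAT rules, IP+MAC authorized users.
PROXY = {
    "internet": ip_interface("192.168.0.5/24"),   # NIC on the modem's subnet
    "internet_gw": ip_address("192.168.0.1"),     # the modem
    "intranet": ip_interface("192.168.1.5/24"),   # NIC on the office subnet
}
NAT_RULES = [  # name, protocol, port range, enabled flag (sample values)
    {"name": "HTTP", "proto": "TCP", "ports": range(80, 81), "enabled": True},
    {"name": "POP3", "proto": "TCP", "ports": range(110, 111), "enabled": True},
    {"name": "ICQ", "proto": "TCP", "ports": range(5190, 5191), "enabled": False},
]
USERS = {  # sample account authorized by IP and MAC, with its assigned rules
    "ivanov": {"ip": "192.168.1.31", "mac": "00:11:22:33:44:55",
               "rules": {"HTTP", "POP3"}, "limit_mb": 0, "used_mb": 0},
}

def check_server():
    """Sanity checks on the proxy's own addressing."""
    problems = []
    inet, lan = PROXY["internet"].network, PROXY["intranet"].network
    if inet.overlaps(lan):
        problems.append("internet and intranet NICs must be on different subnets")
    if PROXY["internet_gw"] not in inet:
        problems.append("modem gateway is outside the internet NIC's subnet")
    return problems

def check_client(client, user, proto, port):
    """Walk the troubleshooting list; an empty result means the request should pass."""
    problems = []
    lan = PROXY["intranet"].network
    acct = USERS[user]
    # 1. Adapter settings: client in the intranet subnet, gateway = UserGate intranet NIC.
    if ip_address(client["ip"]) not in lan or client["mask"] != str(lan.netmask):
        problems.append("client address is not in the intranet subnet %s" % lan)
    if ip_address(client["gateway"]) != PROXY["intranet"].ip:
        problems.append("client gateway is not the UserGate intranet address")
    # 2. Authorization by IP address and MAC address.
    if (acct["ip"], acct["mac"].lower()) != (client["ip"], client["mac"].lower()):
        problems.append("IP/MAC pair does not match the account %s" % user)
    # 3. An enabled NAT rule for this protocol and port, assigned to the user.
    if not any(r["enabled"] and r["proto"] == proto and port in r["ports"]
               and r["name"] in acct["rules"] for r in NAT_RULES):
        problems.append("no enabled NAT rule for %s/%d assigned to %s" % (proto, port, user))
    # 4. Traffic limit (0 = unlimited).
    if acct["limit_mb"] and acct["used_mb"] >= acct["limit_mb"]:
        problems.append("traffic limit for %s exceeded" % user)
    return problems
```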

Now you can monitor connected users and the NAT rules they use in the “Monitoring” item of the proxy server management console.

Further proxy settings are fine-tuning for specific requirements. The first thing I did was enable bandwidth limiting in user properties (later you can implement a system of rules to limit speed) and enable additional UserGate services - a proxy server (HTTP on port 8080, SOCKS5 on port 1080). Enabling proxy services allows you to use request caching, but clients need additional configuration to work with the proxy server.

Any questions? I suggest asking them right here.
