SecureGUARD GmbH

Technical Blog for SecureGUARD Products and Solutions

Important notice for EPS Installations --> IP Address move

Hi @ all,

we changed our ISP and so we also got a new IP address range.

As there are some predefined network objects within the firewall policy, on existing installations and also on upgraded installations you have to change two custom computer objects:

products.secureguard.at

old IP: 91.118.108.18

new IP: 85.31.18.18

www.secureguard.at

old IP: 91.118.108.14

new IP: 85.31.18.14

Stay tuned for a lot of new articles in the next week.

Also a new version with a bunch of new features will be released soon.

Client VPN enable usernames with special characters

In this blog post I want to cover an issue we recently faced in a support case.

Per default, RRAS in Windows Server 2012 R2 doesn't allow special characters within the username.

This includes e.g. ö, ä, ü for the German-speaking area.

You will receive a failed authentication attempt when trying to log in with a username containing such a character.

To work around this issue please perform the following steps:

  1. Click Start and type cmd
  2. Right-click Command Prompt and choose Run as administrator
  3. Type the following command: REG ADD HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Configuration /v IdentityEncodingFormat /t REG_DWORD /d 1
  4. Reboot

With this registry value Windows will allow the use of special characters within usernames.

Due to support issues we can't recommend the use of special characters within usernames, but if you have an existing environment you can get it to work with this registry value.

ATTENTION: Only implement this registry value if you're facing the described issue, as it can lead to unpredictable side effects.

Known Issue:

The above configuration change will however cause EAP-based authentication from a Windows 7 client to fail. To fix this case, the same registry value (shown above) can be set on the Windows 7 client so that the Windows 7 client uses the ANSI format for EAP-based authentication protocols too.
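The following PowerShell script is an added example (it is not part of the original post and not SecureGUARD code). It reads, sets and, if needed, removes the same EapHost IdentityEncodingFormat value that the REG ADD command above writes, so you can check a machine's state before and after the change. It applies equally to the RRAS server and to a Windows 7 client; the function names are my own, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): inspect, set or remove the
# EapHost IdentityEncodingFormat value described above. Run elevated.
# A reboot is still required after changing the value.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EapHost\Configuration'
$ValueName = 'IdentityEncodingFormat'

function Get-EapIdentityEncoding {
    # Returns the current DWORD value, or $null when the value does not exist
    # (an absent value corresponds to the default behaviour the post describes).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Enable-EapIdentityEncoding {
    # Equivalent of the REG ADD command in the post: create the key if it is
    # missing and write IdentityEncodingFormat = 1 (REG_DWORD).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-EapIdentityEncoding {
    # Reverts to the default by deleting the value, for the case where the
    # side effects the post warns about show up.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
}

$before = Get-EapIdentityEncoding
if ($before -eq 1) {
    Write-Host "$ValueName is already 1, nothing to do."
}
else {
    Write-Host "$ValueName is currently '$before' (not set or not 1); enabling it."
    Enable-EapIdentityEncoding
    Write-Host ("Now: {0}. Reboot the machine before testing the VPN login again." -f (Get-EapIdentityEncoding))
}
```

Run the script once on the RRAS server and, if Windows 7 clients then fail EAP authentication, once more on each affected client. Disable-EapIdentityEncoding gives you a clean rollback path.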


Windows Update Issue: Local Windows Firewall stops logging and responding after installing Microsoft April 2016 updates

ATTENTION: Windows Update KB3147071 causes problems with the local Windows Firewall of Windows Server 2012 R2.

As Communication Gateway makes use of the local Windows Firewall, this also prevents CG from working correctly.

Please do not install KB3147071 on operating system instances Communication Gateway is installed on.

In case the update is already installed: uninstalling KB3147071 restores the local Windows Firewall functionality and with it the full Communication Gateway functionality.

Please be sure to disable the automatic update functionality for KB3147071 to prevent future installation.

As the known issue with KB3126593 is still under investigation by Microsoft, please also disable the automatic update functionality for update KB3126593.

As soon as we have further information from Microsoft, we will post an update.
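As an added example (not part of the original post and not SecureGUARD code), the PowerShell script below checks whether KB3147071 and KB3126593 are installed on the host, removes KB3147071 with wusa.exe, and hides both updates in the Windows Update Agent so automatic updates stop offering them. The function names are my own; the script assumes an elevated session on the Communication Gateway host and that the Windows Update Agent COM interface (Microsoft.Update.Session) is available, which it is on Windows Server 2012 R2.

```powershell
# Added example (not from the original post): report, uninstall and hide the
# two updates named in the post. Run in an elevated PowerShell session.
$ProblemUpdates = @('3147071', '3126593')   # KB numbers taken from the post

function Get-ProblemUpdateState {
    # Returns one object per KB number with its installation state.
    foreach ($kb in $ProblemUpdates) {
        $hotfix = Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue
        $installedOn = $null
        if ($hotfix) { $installedOn = $hotfix.InstalledOn }
        [pscustomobject]@{
            KB          = "KB$kb"
            Installed   = ($null -ne $hotfix)
            InstalledOn = $installedOn
        }
    }
}

function Uninstall-ProblemUpdate {
    param([Parameter(Mandatory)][string]$Kb)
    # wusa.exe removes a single package by KB number; /norestart lets you
    # schedule the reboot yourself.
    Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$Kb /quiet /norestart" -Wait
}

function Hide-ProblemUpdate {
    # Marks the updates as hidden in the Windows Update Agent so that automatic
    # updates will not offer them again (the "disable automatic update" step).
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($update in $result.Updates) {
        foreach ($id in $update.KBArticleIDs) {
            if ($ProblemUpdates -contains $id) {
                $update.IsHidden = $true
                Write-Host "Hidden: KB$id ($($update.Title))"
            }
        }
    }
}

$state = Get-ProblemUpdateState
$state | Format-Table -AutoSize

# The post asks to uninstall KB3147071; KB3126593 is only to be kept from
# installing while Microsoft investigates, so it is hidden but not removed.
foreach ($entry in ($state | Where-Object { $_.Installed -and $_.KB -eq 'KB3147071' })) {
    Write-Host "Removing $($entry.KB) ..."
    Uninstall-ProblemUpdate -Kb ($entry.KB -replace '^KB')
}
Hide-ProblemUpdate
```

After the removal a reboot is needed for the firewall service to come back cleanly; run Get-ProblemUpdateState again afterwards to confirm the state.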

UNDER INVESTIGATION: Windows Update Issue Patch Tuesday April 2016

We want to inform you that an issue with Windows Updates released in April 2016 is currently under investigation.

We will update this post as soon as more information is available.

In the meantime we do not recommend installing the Windows Updates released on April 12th, 2016 on EPS installations.

More information about Windows Update: https://technet.microsoft.com/en-us/library/security/ms16-apr.aspx

Web Access Rules - URL Permission Set

In the last part of the "Web Access Rules" blog post series I want to cover "URL Permission Set".

You can select one permission set per Web Access Rule.

There are two default preconfigured permission sets available: "Allow All" and "Block All".

You can also define custom URL Permission Sets:

There are two settings available for a URL Permission Set regarding Antivirus capabilities:

  1. Treat executable file as virus
  2. Treat encrypted file as virus

These settings are only active if both of the following apply:

  1. Antivirus is activated within the Web Access Rules General Settings
  2. You have a valid subscription for the Web Security Add On

A Permission Set consists of one or more Permission Entries. For each entry you can define whether you want to Block or Allow the matching traffic.

You can mix Block and Allow entries as you want, but be aware that the Permission Entries are also processed on a first-match basis!

You can pick from three different filter types:

All

All traffic will be blocked or allowed when using this type.

URL

You can specify the URLs you want to block or allow with a permission entry. You can also use regular expressions within the URL entries (e.g. *.secureguard.at).

URL-Category

If you have an active subscription for the Web Security Add On you can select from a URL filtering database with more than 100 different categories.
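To make the first-match behaviour of a Permission Set concrete, here is an added PowerShell model (not the product's own code or data). It evaluates a list of Block/Allow entries of the three filter types above against a few URLs and shows the same entries in two orders. Assumptions, since the post does not document them: URL entries are matched here as wildcard patterns with PowerShell's -like operator, the category table is a constructed stand-in for the Web Security Add On database, and a set with no matching entry falls back to Block. The function names are my own.

```powershell
# Added example (not from the original post): first-match evaluation of a
# URL Permission Set with the filter types All, URL and URL-Category.
$CategoryOfHost = @{                       # constructed sample category data
    'www.secureguard.at'  = 'Business'
    'updates.example.com' = 'Software Updates'
    'games.example.net'   = 'Games'
}

function New-PermissionEntry {
    param(
        [ValidateSet('Allow','Block')][string]$Action,
        [ValidateSet('All','URL','URL-Category')][string]$Type,
        [string]$Value = ''
    )
    [pscustomobject]@{ Action = $Action; Type = $Type; Value = $Value }
}

function Test-PermissionEntry {
    param($Entry, [string]$Url)
    # Returns $true when the entry applies to this URL.
    $hostName = ([uri]$Url).Host
    switch ($Entry.Type) {
        'All'          { return $true }
        'URL'          { return (($hostName -like $Entry.Value) -or ($Url -like $Entry.Value)) }
        'URL-Category' { return ($CategoryOfHost[$hostName] -eq $Entry.Value) }
    }
    return $false
}

function Resolve-PermissionSet {
    param([object[]]$Entries, [string]$Url, [string]$Default = 'Block')
    # First match wins: the first entry that applies decides, later ones are ignored.
    foreach ($entry in $Entries) {
        if (Test-PermissionEntry -Entry $entry -Url $Url) {
            return [pscustomobject]@{ Url = $Url; Result = $entry.Action; MatchedBy = "$($entry.Type) '$($entry.Value)'" }
        }
    }
    # No entry matched: assumed fallback (the post does not state the product's default).
    [pscustomobject]@{ Url = $Url; Result = $Default; MatchedBy = 'no entry (assumed default)' }
}

# Intended policy: allow the vendor site, block games, block everything else.
$goodOrder = @(
    (New-PermissionEntry -Action Allow -Type URL -Value '*.secureguard.at'),
    (New-PermissionEntry -Action Block -Type 'URL-Category' -Value 'Games'),
    (New-PermissionEntry -Action Block -Type All)
)
# Same entries with "Block All" first: the Allow entry can never fire.
$badOrder = @(
    (New-PermissionEntry -Action Block -Type All),
    (New-PermissionEntry -Action Allow -Type URL -Value '*.secureguard.at')
)

$urls = 'https://www.secureguard.at/', 'http://games.example.net/', 'http://updates.example.com/'
Write-Host 'Allow before Block All:'
$urls | ForEach-Object { Resolve-PermissionSet -Entries $goodOrder -Url $_ } | Format-Table -AutoSize
Write-Host 'Block All first:'
$urls | ForEach-Object { Resolve-PermissionSet -Entries $badOrder -Url $_ } | Format-Table -AutoSize
```

In the first ordering the vendor site is allowed and the other two URLs are blocked by the category and the catch-all entry; in the second ordering every URL is blocked by "All" and the Allow entry is dead configuration. Put specific Allow entries above broad Block entries.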


Web Access Rules - Authentication Methods

In this blog post I want to cover the different available authentication methods for Web Access Rules.

A Web Access Rule allows HTTP/HTTPS traffic from a specific source to a specific destination.

There are three different possibilities for "Authentication Methods":

  1. No Authentication
  2. LDAP Authentication
  3. NTLM/Kerberos

No Authentication

If you select "No Authentication" the Web Access Rule will apply to all HTTP/HTTPS traffic from the specified source to the specified destination (for sure depending on your "Rule Mode" settings ;-) ).

LDAP Authentication

If you want to make use of LDAP Authentication please make sure that the LDAP Authentication Settings are configured properly.

As soon as you select "LDAP Authentication" you will get a new "USERS/GROUPS" tab:

Within this tab you can choose between Users or Groups and have to enter the appropriate user or group name as registered in LDAP:

NTLM/Kerberos Authentication

You can make use of this authentication method if the OS/appliance is part of an Active Directory Domain (or if you want to use local users and groups).

As soon as you select "NTLM/Kerberos Authentication" you will also get a new "USERS/GROUPS" tab:

As soon as you click the plus button, you get a selection wizard for selecting Users or Groups:

Within this dialog you can browse different locations (the local machine or your entire Active Directory forest) and search for users and groups to select them.

Synopsis

With authentication, you can restrict the validity of a Web Access Rule to a specific set of users or groups. Please be aware that the "Web Access Rules" ruleset is processed by first match. This is especially important if users are members of different groups.

Also be aware that rules where LDAP or NTLM/Kerberos authentication is configured will not match transparent HTTP traffic. You have to define a separate ruleset (without authentication) for the transparent mode.

Web Access Rules - Rule Modes

In today's blog post I want to cover the different Rule Modes when creating a Web Access Rule.

You can define the behaviour of every single Web Access Rule with one of the following Rule Modes:

Proxy

Allows or blocks web access using an explicit proxy IP address and port (which is configured in the HTTP Proxy setting within the Web Access Rules module). Every single client has to be configured with the appropriate settings. You can also use Kerberos authentication (if the server is domain joined) or LDAP authentication (the LDAP Authentication settings have to be configured) with Proxy Mode.

The required Firewall Rules and NAT rules will be generated automatically.

Transparent

Allows or blocks web access as a transparent proxy. On the clients the IP address of the server has to be configured as the default gateway or as the gateway on a dedicated route.

Please be aware that the transparent rule mode doesn't support authentication.

The required Firewall Rules and NAT Rules will be generated automatically.

Proxy and Transparent

Combines the proxy and transparent modes. All required Firewall Rules will be generated automatically.

Please be aware that authentication is only used when a client accesses the proxy via the dedicated IP address and port combination.

Manually create FW and NAT rules

By selecting this mode, firewall rules and NAT rules have to be created manually. Select this option if you want to use a dedicated external IP address for hide-NAT. The other three modes use the primary IP address configured on the external interface.
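The two pitfalls from the "Authentication Methods" synopsis (first-match ordering when a user is in several groups, and authenticated rules never matching transparent traffic) and the rule-mode behaviour described above can be seen in one place with the added PowerShell model below. It is not the product's code or data model; the rule and request objects, the function names and the treatment of the "Manually create FW and NAT rules" mode (assumed to accept either traffic path, since the post only says the rules are created by hand) are my own simplifications.

```powershell
# Added example (not from the original post): first-match selection of a
# Web Access Rule by rule mode, authentication method and group membership.
function New-WebAccessRule {
    param(
        [string]$Name,
        [ValidateSet('Proxy','Transparent','ProxyAndTransparent','Manual')][string]$Mode,
        [ValidateSet('None','LDAP','NTLM/Kerberos')][string]$Auth = 'None',
        [string[]]$Groups = @(),
        [string]$PermissionSet
    )
    [pscustomobject]@{ Name = $Name; Mode = $Mode; Auth = $Auth; Groups = $Groups; PermissionSet = $PermissionSet }
}

function Test-WebAccessRule {
    param($Rule, $Request)
    # $Request.Path is 'Proxy' (client configured with the proxy IP and port)
    # or 'Transparent' (client routed through the server as gateway).
    $modeOk = switch ($Rule.Mode) {
        'Proxy'               { $Request.Path -eq 'Proxy' }
        'Transparent'         { $Request.Path -eq 'Transparent' }
        'ProxyAndTransparent' { $true }
        'Manual'              { $true }   # assumption: FW/NAT rules built by hand cover both paths
    }
    if (-not $modeOk) { return $false }
    if ($Rule.Auth -eq 'None') { return $true }
    # Authentication only happens on the explicit proxy path, so an LDAP or
    # NTLM/Kerberos rule can never match transparent traffic.
    if ($Request.Path -ne 'Proxy') { return $false }
    if (-not $Request.User) { return $false }
    if ($Rule.Groups.Count -eq 0) { return $true }
    foreach ($g in $Request.Groups) {
        if ($Rule.Groups -contains $g) { return $true }
    }
    return $false
}

function Select-WebAccessRule {
    param([object[]]$Rules, $Request)
    # First match wins, exactly like the ruleset processing the post describes.
    foreach ($rule in $Rules) {
        if (Test-WebAccessRule -Rule $rule -Request $Request) { return $rule }
    }
    return $null
}

# Constructed ruleset: note that the staff rule sits above the admin rule.
$rules = @(
    (New-WebAccessRule -Name 'Staff filtered'       -Mode Proxy       -Auth 'NTLM/Kerberos' -Groups 'Staff'         -PermissionSet 'Standard'),
    (New-WebAccessRule -Name 'Admins unfiltered'    -Mode Proxy       -Auth 'NTLM/Kerberos' -Groups 'Domain Admins' -PermissionSet 'Allow All'),
    (New-WebAccessRule -Name 'Transparent fallback' -Mode Transparent -PermissionSet 'Standard')
)

# Constructed requests: alice is in both groups; the gateway path carries no identity.
$alice           = [pscustomobject]@{ Path = 'Proxy';       User = 'alice'; Groups = @('Domain Admins', 'Staff') }
$aliceViaGateway = [pscustomobject]@{ Path = 'Transparent'; User = $null;   Groups = @() }
$anonymousProxy  = [pscustomobject]@{ Path = 'Proxy';       User = $null;   Groups = @() }

foreach ($req in @($alice, $aliceViaGateway, $anonymousProxy)) {
    $hit  = Select-WebAccessRule -Rules $rules -Request $req
    $user = if ($req.User) { $req.User } else { '(none)' }
    $text = if ($hit) { "$($hit.Name) -> permission set '$($hit.PermissionSet)'" } else { 'no rule matched' }
    Write-Host ("{0,-11} user={1,-7} groups=[{2}] : {3}" -f $req.Path, $user, ($req.Groups -join ','), $text)
}
```

Alice is a Domain Admin, but because "Staff filtered" comes first she gets the Standard set; swapping the two rules changes the outcome. Her transparent traffic skips both authenticated rules and lands on the fallback, and an unauthenticated request on the proxy path matches nothing, which is why a transparent-mode ruleset without authentication has to be defined separately.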


EPS15 Release 1.2 is available!

I'm proud to announce the availability of the 1.2 Version of EPS15.

Feature Highlights

The new version extends EPS15 with a sophisticated Intrusion Prevention System and SQL Server logging with enhanced filtering capabilities. In addition, under-the-hood performance and usability improvements are included as well.

More Information: SecureGUARD News

Upgrade

To upgrade from an earlier version (EPS15 R1.0 and EPS15 R1.0 with installed Hotfix Package) just download the latest sources and perform an installation.

All configuration will be migrated automatically, except the IDS settings.

How to get it

If you are an existing customer or registered for the EPS Newsletter you will get the appropriate download link per mail.

If you're not already registered, just sign up here to get the download link immediately: EPS Registration

The sources automatically include a 30-day full-featured trial license.