We want to inform you that the Windows Update issues with KB3147071 and KB3126593 are confirmed as a bug in Windows Server 2012 R2.
More Information: https://support.microsoft.com/en-us/kb/3155768
If you are facing this issue please install the following Update Rollup from May 17th, 2016:
ATTENTION: Windows Update KB3147071 causes problems with the local Windows Firewall of Windows Server 2012 R2.
As Communication Gateway (CG) makes use of the local Windows Firewall, this also prevents CG from working correctly.
Please do not install KB3147071 on operating system instances that Communication Gateway is installed on.
In case the update is already installed: uninstalling KB3147071 restores the local Windows Firewall functionality and with it the full Communication Gateway experience.
Please be sure to disable automatic installation of KB3147071 so that it is not installed again.
As the known issue with KB3126593 is still under investigation by Microsoft, please also disable automatic installation of update KB3126593.
As soon as we have further information from Microsoft, we will post an update.
We want to inform you that an issue with the Windows Updates released in April 2016 is currently under investigation.
We will update this post as soon as more information is available.
In the meantime we do not recommend installing the Windows Updates released on April 12th, 2016 on EPS installations.
More information about Windows Update: https://technet.microsoft.com/en-us/library/security/ms16-apr.aspx
In the last part of the "Web Access Rules" blog post series I want to cover "URL Permission Set".
You can select one permission set per Web Access Rule.
There are two default preconfigured permission sets available: "Allow All" and "Block All".
You can also define custom URL Permission Sets:
There are two settings available for a URL Permission Set regarding Antivirus capabilities:
- Treat executable file as virus
- Treat encrypted file as virus
These settings are only active if both of the following apply:
- Antivirus is activated within the Web Access Rules General Settings
- You have a valid subscription for the Web Security Add On
A Permission Set consists of one or more Permission entries. For each entry you can define if you want to Block or Allow the appropriate traffic.
You can mix Block and Allow entries as you like, but be aware that the Permission Entries of a set are also processed on a first-match basis!
You can pick three different filter types:
All traffic will be blocked or allowed when using this type.
You can specify the URLs you want to block or allow with a permission entry. You can also use regular expressions within the URL entries (e.g. *.secureguard.at).
If you have an active subscription for the Web Security Add On you can select from a URL filtering database consisting of more than 100 different categories.
In this blog post I want to cover the different available authentication methods for Web Access Rules.
A Web Access Rule allows HTTP/HTTPS traffic from a specific source to a specific destination.
There are three different possibilities for "Authentication Methods":
- No Authentication
- LDAP Authentication
- NTLM/Kerberos Authentication
If you select "No Authentication" the Web Access Rule applies to all HTTP/HTTPS traffic from the specified source to the specified destination (depending, of course, on your "Rule Mode" settings ;-) ).
If you want to make use of LDAP Authentication please make sure that the LDAP Authentication Settings are configured properly.
As soon as you select "LDAP Authentication" you will get a new "USERS/GROUPS" tab:
Within this tab you can choose between Users or Groups and have to enter the appropriate user or group name as registered in LDAP:
You can make use of this authentication method if the OS/appliance is part of an Active Directory Domain (or if you want to use local users and groups).
As soon as you select "NTLM/Kerberos Authentication" you will also get a new "USERS/GROUPS" tab:
As soon as you click the plus button, you get a selection wizard for Users or Groups:
Within this dialog you can browse different locations (local machine or your entire Active Directory Forest) and search for Users and Groups to select them.
With authentication, you can restrict the validity of a Web Access Rule to a specific set of users or groups. Please be aware that the "Web Access Rules" ruleset is processed on a first-match basis. This is especially important if users are members of several groups.
Also be aware that rules where LDAP or NTLM/Kerberos authentication is configured will not match transparent HTTP traffic. You have to define a separate ruleset (without authentication) for the transparent mode.
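To make the two first-match points from this post and the URL Permission Set post concrete, here is a small Python model, added here as an illustration (it is not EPS code; rule names, groups and hosts are made up). It walks the Web Access Rules in order, skips authenticated rules for transparent traffic, and then walks the matching rule's Permission Entries in order; URL entries are treated as shell-style wildcards such as *.secureguard.at, an explicit-proxy request is assumed not to hit a Transparent-only rule, and a rule whose permission set matches no entry returns None, all assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    action: str   # "Allow" or "Block"
    pattern: str  # "*" for the all-traffic type, else a wildcard URL such as "*.secureguard.at"


@dataclass(frozen=True)
class Rule:
    name: str
    mode: str                             # "Proxy", "Transparent" or "Proxy and Transparent"
    entries: Tuple[Entry, ...]            # the rule's URL Permission Set
    groups: FrozenSet[str] = frozenset()  # empty = "No Authentication"


def permission(entries: Tuple[Entry, ...], host: str) -> Optional[str]:
    """First match over the Permission Entries decides; None if nothing matches (assumed)."""
    for e in entries:
        if fnmatch(host, e.pattern):
            return e.action
    return None


def rule_applies(rule: Rule, user_groups: FrozenSet[str], via_proxy: bool) -> bool:
    if rule.mode == "Proxy" and not via_proxy:    # transparent traffic never hits a Proxy-only rule
        return False
    if rule.mode == "Transparent" and via_proxy:  # assumed: explicit-proxy traffic skips Transparent-only rules
        return False
    if rule.groups:  # authenticated rule: needs the explicit proxy path and a group match
        return via_proxy and bool(rule.groups & user_groups)
    return True


def decide(rules: List[Rule], host: str, user_groups: FrozenSet[str] = frozenset(),
           via_proxy: bool = True) -> Tuple[Optional[str], Optional[str]]:
    """The first matching Web Access Rule decides: returns (rule name, Allow/Block)."""
    for r in rules:
        if rule_applies(r, user_groups, via_proxy):
            return r.name, permission(r.entries, host)
    return None, None


# Constructed rule set: "Marketing" is listed before "Staff", so a user in both groups gets Marketing's verdict.
RULES = [
    Rule("Marketing", "Proxy", (Entry("Allow", "*"),), frozenset({"Marketing"})),
    Rule("Staff", "Proxy", (Entry("Block", "*.example.com"), Entry("Allow", "*")), frozenset({"Staff"})),
    Rule("Transparent default", "Transparent", (Entry("Allow", "*.secureguard.at"), Entry("Block", "*"))),
]
```

Note that an "Allow *" entry placed before a "Block *.example.com" entry in the same permission set makes the block entry unreachable, which is exactly the ordering pitfall the post warns about.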
In today's blog post I want to cover the different Rule Modes available when creating a Web Access Rule.
You can define the behavior of every single Web Access Rule with one of the following Rule Modes:
Proxy
Allows or blocks web access using an explicit proxy IP address and port (configured within the HTTP Proxy setting of the Web Access Rules module). Every single client has to be configured with the appropriate settings. You can also use Kerberos authentication (if the server is domain joined) or LDAP authentication (the LDAP Authentication settings have to be configured) with Proxy Mode.
The required Firewall Rules and NAT rules will be generated automatically.
Transparent
Allows or blocks web access as a transparent proxy. On the clients the IP address of the server has to be configured as the default gateway or as the gateway of a dedicated route.
Please be aware that the transparent rule mode doesn't support authentication.
The required Firewall Rules and NAT Rules will be generated automatically.
Proxy and Transparent
Combines the proxy and transparent modes. All required Firewall Rules will be generated automatically.
Please be aware that authentication is only used when a client accesses the proxy via the dedicated IP address/port combination.
Manually create FW and NAT rules
By selecting this mode, firewall rules and NAT rules have to be created manually. Select this option if you want to use a dedicated external IP address for hide NAT. The other three modes use the primary IP address configured on the external interface.
I'm proud to announce the availability of version 1.2 of EPS15.
The new version extends EPS15 with a sophisticated Intrusion Prevention System and SQL Server Logging with enhanced filtering capabilities. In addition, under-the-hood performance and usability improvements are included.
More Information: SecureGUARD News
To upgrade from an earlier version (EPS15 R1.0 and EPS15 R1.0 with installed Hotfix Package) just download the latest sources and perform an installation.
All configuration will be migrated automatically, except IDS settings.
How to get it
If you are an existing customer or registered for the EPS Newsletter you will receive the appropriate download link by mail.
If you're not already registered, just sign up here to get the download link immediately: EPS Registration
The sources automatically include a 30-day full-featured trial license.
ATTENTION: Windows Update KB3126593 causes problems with the local Windows Firewall of Windows Server 2012 R2.
We already opened a support ticket at Microsoft:
This is a known issue at Microsoft. They will provide an updated KB as soon as possible.
As CG makes use of the local Windows Firewall, this also prevents CG from working correctly.
Please do not install KB3126593 on operating system instances CG is installed on.
If you already installed KB3126593 you can uninstall it via "Control Panel - Programs and Features - View installed updates".
As soon as we have further information from Microsoft we will post an update.
In today's blog post I want to cover the general settings for Web Access Rules.
Within the Web Access Rules module you can set several general settings regarding the web proxy.
With this switch you can globally enable/disable Antivirus scanning for all Web Access Rules.
LDAP Authentication is needed if you want your users to authenticate against an LDAP directory.
To ensure the best performance and authentication behavior we recommend joining the server to the local domain. You will not need to configure LDAP authentication if you do so, as Kerberos will be used for accessing the directory.
Within the HTTP Proxy settings you can define which local IP addresses and ports are used to receive requests. By default, all locally configured IP addresses (specified by 0.0.0.0) and port 8080 are used.
You can change these settings to suit your needs. We recommend using only your internal networks' IP addresses as listening addresses.
The Next Proxy settings are used to connect to an upstream proxy server and send all allowed web traffic to it. You can define ports for all supported protocols and also use authentication.
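As an added example (not part of the product), the following Python check rates a list of HTTP Proxy listeners against the recommendation above: the 0.0.0.0 default and any address outside the RFC 1918 ranges are flagged, and the recommended listener list is derived from a constructed set of local interface addresses. The listener lists and addresses are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Internal networks as assumed here: the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed listener configurations: the product default (0.0.0.0:8080) and a narrowed one.
DEFAULT_LISTENERS = [("0.0.0.0", 8080)]
HARDENED_LISTENERS = [("10.0.0.1", 8080), ("192.168.10.1", 8080)]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_listeners(listeners: List[Tuple[str, int]]) -> Dict[str, str]:
    """Rate each listener: 'ok' for an internal address, otherwise the reason to narrow it."""
    findings = {}
    for ip, port in listeners:
        key = f"{ip}:{port}"
        if ipaddress.ip_address(ip).is_unspecified:  # 0.0.0.0 binds every local address, external included
            findings[key] = "listens on all addresses, including the external interface"
        elif not is_internal(ip):                    # a non-internal address exposes the proxy outside
            findings[key] = "listens on a non-internal address"
        else:
            findings[key] = "ok"
    return findings


def recommended_listeners(local_ips: List[str], port: int) -> List[Tuple[str, int]]:
    """Build the listener list the post recommends: only the internal network addresses."""
    return [(ip, port) for ip in local_ips if is_internal(ip)]
```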
In this post I want to give a deep dive into the NAT capabilities of EPS.
Within the NAT Rules Module of the SecureGUARD Management interface you are able to create NAT rules to mask:
- Source IP
- Destination IP
- Source Port
- Destination Port
- and combinations of the previous
Overview of the "Add NAT Configuration"
There are four different NAT modes:
NAT Mode: NAT
The NAT mode NAT is used to statically translate a specific IP-address/port combination to another combination.
Make an internal terminal server (accessible via port 3389) available from an external network to allow access to this service.
- Network Conditions
  - FROM: External
  - TO: Localhost
- Protocol Conditions: RDP
- Network Translation
  - Translation Destination: target terminal server
NAT Mode: Hide NAT
The NAT mode Hide NAT is used to mask source IP addresses. The source port is replaced with a dynamically assigned port number.
Mask the IP addresses of internal clients when accessing external resources.
- Network Conditions
  - FROM: internal network or IP address range
  - TO: External Network
- Protocol Conditions: All Traffic
- Network Translation
  - Translation Source: external IP address of the operating system environment EPS is installed on
NAT Mode: RouteBasedHideNAT
The NAT mode RouteBasedHideNAT is an extended version of Hide NAT which determines the adapter's IP address automatically.
RouteBasedHideNAT also supports DHCP-enabled adapters.
Mask the IP address of internal clients when using a DHCP-assigned IP address from your ISP.
- Network Condition
  - FROM: Internal network or IP address range
  - TO: External network
- Protocol Condition: Any Protocol
NAT Mode: Proxy NAT
The NAT mode Proxy NAT is used to enable transparent web proxy capabilities. It redirects incoming HTTP traffic to the web proxy. This type of NAT rule is created automatically if you configure a Web Access Rule with either the "Proxy and Transparent" or the "Transparent" rule mode.
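As an added illustration (not EPS code), the following Python model applies the four NAT modes to a packet in the order the rules are listed, following the three configuration examples in this post plus a Proxy NAT rule. The topology addresses, the zone classification, the dynamic port range and the proxy listener address are all assumptions made for the example.

```python
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Callable, List, NamedTuple, Optional

# Constructed topology (assumptions): internal network, EPS external address, proxy listener.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EPS_EXTERNAL_IP = "203.0.113.10"
PROXY_LISTENER = ("10.0.0.1", 8080)
_dyn_ports = itertools.count(49152)  # Hide NAT swaps the source port for a dynamic one
Packet = NamedTuple("Packet", [("src_ip", str), ("src_port", int),
                               ("dst_ip", str), ("dst_port", int), ("proto", str)])


def zone(ip: str) -> str:  # classify an address the way the FROM/TO network conditions do
    if ip == EPS_EXTERNAL_IP:
        return "Localhost"
    return "Internal" if ipaddress.ip_address(ip) in INTERNAL else "External"


@dataclass(frozen=True)
class NatRule:
    mode: str      # "NAT", "HideNAT", "RouteBasedHideNAT" or "ProxyNAT"
    frm: str       # network condition FROM: "Internal", "External" or "Localhost"
    to: str        # network condition TO
    proto: str     # protocol condition; "Any" matches every protocol
    translate: Optional[str] = None  # destination (NAT) or source (Hide NAT) address


def apply_nat(rules: List[NatRule], pkt: Packet,
              egress_ip: Callable[[str], str] = lambda dst: EPS_EXTERNAL_IP) -> Packet:
    """Return the packet as rewritten by the first matching rule (unchanged if none matches)."""
    for r in rules:
        if (zone(pkt.src_ip), zone(pkt.dst_ip)) != (r.frm, r.to):
            continue
        if r.proto not in ("Any", pkt.proto):
            continue
        if r.mode == "NAT":                # static: only the destination address changes
            return pkt._replace(dst_ip=r.translate)
        if r.mode == "HideNAT":            # mask the source with the configured address
            return pkt._replace(src_ip=r.translate, src_port=next(_dyn_ports))
        if r.mode == "RouteBasedHideNAT":  # mask with the address of the egress adapter
            return pkt._replace(src_ip=egress_ip(pkt.dst_ip), src_port=next(_dyn_ports))
        if r.mode == "ProxyNAT":           # redirect HTTP to the local web proxy
            return pkt._replace(dst_ip=PROXY_LISTENER[0], dst_port=PROXY_LISTENER[1])
    return pkt


# Constructed rule set: the post's NAT and Hide NAT examples plus a Proxy NAT rule, ordered so it wins for HTTP.
RULES = [
    NatRule("NAT", "External", "Localhost", "RDP", translate="10.0.0.20"),
    NatRule("ProxyNAT", "Internal", "External", "HTTP"),
    NatRule("HideNAT", "Internal", "External", "Any", translate=EPS_EXTERNAL_IP),
]
```

Because the rules are evaluated first-match, the Proxy NAT rule has to sit before the catch-all Hide NAT rule, otherwise internal HTTP traffic would be hidden behind the external address instead of being redirected to the proxy.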