SecureGUARD GmbH

Technical Blog for SecureGUARD Products and Solutions

Windows Update Issue: Local Windows Firewall stops logging and responding after installing Microsoft April 2016 updates

ATTENTION: Windows Update KB3147071 causes problems with the local Windows Firewall of Windows Server 2012 R2.

As Communication Gateway makes use of the local Windows Firewall, this also prevents CG from working correctly.

Please do not install KB3147071 on operating system instances on which Communication Gateway is installed.

In case the update is already installed: uninstalling KB3147071 restores the local Windows Firewall functionality and brings back the full Communication Gateway experience.

Please be sure to disable the automatic update functionality for KB3147071 to prevent future installation.

As the known issue with KB3126593 is still under investigation by Microsoft, please also disable the automatic update functionality for update KB3126593.

As soon as we have further information from Microsoft, we will post an update.

UNDER INVESTIGATION: Windows Update Issue Patch Tuesday April 2016

We want to inform you that an issue with the Windows Updates released in April 2016 is currently under investigation.

We will update this post as soon as more information is available.

In the meantime, we do not recommend installing the Windows Updates released on April 12th, 2016 on EPS installations.

More information about Windows Update: https://technet.microsoft.com/en-us/library/security/ms16-apr.aspx

 

Web Access Rules - URL Permission Set

In the last part of the "Web Access Rules" blog post series I want to cover "URL Permission Set".

You can select one permission set per Web Access Rule.

There are two default preconfigured permission sets available: "Allow All" and "Block All"

You can also define custom URL Permission Sets:

There are two settings available for a URL Permission Set regarding Antivirus capabilities:

  1. Treat executable file as virus
  2. Treat encrypted file as virus

These settings are only active if both of the following apply:

  1. Antivirus is activated within the Web Access Rules General Settings
  2. You have a valid subscription for the Web Security Add On

 

A Permission Set consists of one or more Permission entries. For each entry you can define if you want to Block or Allow the appropriate traffic.

You can mix Block and Allow entries as you want, but be aware that the set of Permission Entries is also processed on a first-match basis!

You can pick three different filter types:

All

All traffic will be blocked or allowed when using this type.

URL

You can specify the URLs that you want to block or allow with a permission entry. You can also use regular expressions within the URL entries (e.g. *.secureguard.at).

URL-Category

If you have an active subscription to the Web Security Add On, you can select from a URL filtering database consisting of more than 100 different categories.
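The first-match processing of Permission entries described above can be modelled in a few lines. This is an added example, not SecureGUARD code: the entry layout, the category name, the host names and the use of shell-style wildcard matching for URL entries are assumptions, and the behaviour when no entry matches is left open because the post does not state it.

```python
from fnmatch import fnmatch

# Constructed permission set: (action, filter_type, value). Order matters.
PERMISSION_SET = [
    ("Allow", "URL", "*.secureguard.at"),
    ("Block", "URL-Category", "Social Networking"),
    ("Allow", "All", None),
    ("Block", "URL", "files.example.test"),  # never reached: "All" precedes it
]

def entry_matches(entry, host, categories):
    """True if one permission entry applies to the requested host."""
    _, ftype, value = entry
    if ftype == "All":
        return True
    if ftype == "URL":
        # Assumption: wildcard match on the host name, case-insensitive.
        return fnmatch(host.lower(), value.lower())
    if ftype == "URL-Category":
        return value in categories
    raise ValueError(f"unknown filter type: {ftype}")

def decide(entries, host, categories=()):
    """Return (action, index) of the first matching entry, else (None, None)."""
    for i, entry in enumerate(entries):
        if entry_matches(entry, host, categories):
            return entry[0], i
    return None, None

def unreachable_entries(entries):
    """Indexes of entries that can never match because an earlier entry is
    an "All" filter or has the same filter type and value."""
    seen, dead, all_seen = set(), [], False
    for i, (_, ftype, value) in enumerate(entries):
        if all_seen or (ftype, value) in seen:
            dead.append(i)
        seen.add((ftype, value))
        all_seen = all_seen or ftype == "All"
    return dead
```

Running unreachable_entries over a permission set before deploying it shows Block entries that an earlier, broader Allow entry has silently disabled.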

 

 

Web Access Rules - Authentication Methods

In this blog post I want to cover the different available authentication methods for Web Access Rules.

A Web Access Rule allows HTTP/HTTPS traffic from a specific source to a specific destination.

There are three different possibilities for "Authentication Methods":

  1. No Authentication
  2. LDAP Authentication
  3. NTLM/Kerberos

No Authentication

If you select "No Authentication", the Web Access Rule will apply to all HTTP/HTTPS traffic from the specified source to the specified destination (depending, of course, on your "Rule Mode" settings ;-) ).

 

LDAP Authentication

If you want to make use of LDAP Authentication please make sure that the LDAP Authentication Settings are configured properly.

As soon as you select "LDAP Authentication" you will get a new "USERS/GROUPS" tab:

Within this Tab you can choose between Users or Groups and have to enter the appropriate User or Group Name as registered in LDAP:

 

NTLM/Kerberos Authentication

You can make use of this authentication method if the OS/appliance is part of an Active Directory Domain (or if you want to use local users and groups).

As soon as you select "NTLM/Kerberos Authentication" you will also get a new "USERS/GROUPS" tab:

As soon as you click plus, you get a selection wizard for selecting Users or Groups:

Within this dialog you can browse different locations (local machine or your entire Active Directory Forest) and search for Users and Groups to select them.

 

Synopsis

With Authentication, you can restrict the validity of a Web Access Rule to a specific set of Users or Groups. Please be aware that the "Web Access Rules" ruleset is processed by first-match. This is especially important if users are members of different groups.

Also be aware that rules where LDAP or NTLM/Kerberos is configured will not match for transparent HTTP traffic. You have to define a specific ruleset for the transparent mode (without authentication).
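The two caveats in this synopsis, modelled as an added example (not SecureGUARD code). The rule fields, rule names, groups and directory are constructed assumptions, and source, destination and Rule Mode matching are left out to keep the focus on authentication.

```python
# Constructed ruleset in evaluation order; field names are assumptions.
RULES = [
    {"name": "staff-web", "auth": "ntlm_kerberos",
     "groups": {"Staff"}, "action": "Allow"},
    {"name": "interns-web", "auth": "ntlm_kerberos",
     "groups": {"Interns"}, "action": "Block"},
    {"name": "transparent-default", "auth": "none",
     "groups": set(), "action": "Block"},
]

# Constructed directory: user -> group memberships.
DIRECTORY = {
    "alice": {"Staff"},
    "bob": {"Interns"},
    "carol": {"Staff", "Interns"},
}

def applies(rule, groups, transparent):
    """True if the rule can match a request from a user in these groups."""
    if rule["auth"] == "none":
        return True
    # Rules with LDAP or NTLM/Kerberos do not match transparent HTTP traffic.
    return not transparent and bool(rule["groups"] & set(groups))

def select_rule(rules, groups, transparent=False):
    """First-match selection: the first applicable rule, or None."""
    return next((r for r in rules if applies(r, groups, transparent)), None)

def ordering_conflicts(rules, directory):
    """Users matched by several authenticated rules with different actions,
    so that rule order alone decides the outcome for them."""
    found = []
    for user, groups in sorted(directory.items()):
        hits = [r for r in rules
                if r["auth"] != "none" and applies(r, groups, False)]
        if len({r["action"] for r in hits}) > 1:
            found.append((user, hits[0]["name"], [r["name"] for r in hits[1:]]))
    return found
```

In this ruleset carol is a member of both groups and is allowed by "staff-web" because it comes first; without the unauthenticated "transparent-default" rule, transparent traffic would match no rule at all.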

Web Access Rules - Rule Modes

In today's blog post I want to cover the different Rule Modes when creating a Web Access Rule.

For every single Web Access Rule you can define the behavior by selecting one of the following Rule Modes:

Proxy

Allows or blocks web access using an explicit proxy IP address and port (which is configured within the HTTP Proxy setting within the Web Access Rules module). Every single client has to be configured with the appropriate settings. You can also use Kerberos authentication (if the server is domain joined) or LDAP authentication (LDAP Authentication settings have to be configured) with Proxy Mode.

The required Firewall Rules and NAT rules will be generated automatically.

Transparent

Allows or blocks web access as a transparent proxy. On the clients, the IP address of the server has to be configured as default gateway or as gateway on a dedicated route.

Please be aware that the transparent rule mode doesn't support authentication.

The required Firewall Rules and NAT Rules will be generated automatically.

 

Proxy and Transparent

Combines the Proxy and Transparent modes. All required Firewall Rules will be generated automatically.

Please be aware that authentication is only used when a client accesses the proxy via the dedicated IP address - port combination.

 

Manually create FW and NAT rules

By selecting this mode, firewall rules and NAT rules have to be created manually. Select this option if you want to use a dedicated external IP address used for hide-NAT. The other three modes use the primary IP-address configured on the external interface.

 

EPS15 Release 1.2 is available!

I'm proud to announce the availability of the 1.2 Version of EPS15.

Feature Highlights

The new version extends EPS15 with a sophisticated Intrusion Prevention System and SQL Server Logging with enhanced filtering capabilities. In addition, under-the-hood performance and usability improvements are included as well.

More Information: SecureGUARD News

 

Upgrade

To upgrade from an earlier version (EPS15 R1.0 and EPS15 R1.0 with installed Hotfix Package), just download the latest sources and perform an installation.

All configuration will be migrated automatically, except IDS settings.

 

How to get it

If you are an existing customer or registered for the EPS Newsletter you will get the appropriate download link per mail.

If you're not already registered, just sign up here to get the download link immediately: EPS Registration

The sources automatically include a 30-day full-featured trial license.

 

Windows Update Issue: Local Windows Firewall stops logging and responding after installing KB3126593

ATTENTION: Windows Update KB3126593 causes problems with the local Windows Firewall of Windows Server 2012 R2.

We already opened a support ticket at Microsoft:

This is a known issue at Microsoft. They will provide an updated KB as soon as possible.

As CG makes use of the local Windows Firewall, this also prevents CG from working correctly.

Please do not install KB3126593 on operating system instances on which CG is installed.

If you already installed KB3126593 you can uninstall it via "Control Panel - Programs and Features - View installed updates".

As soon as we have further information from Microsoft we will post an update.

 

Web Access Rules - General Settings

In today's blog post I want to cover the general settings for Web Access Rules.

Within the Web Access Rules Module you can set several general settings for the web proxy.

Enable Antivirus

With this switch you can globally enable/disable Antivirus scanning for all Web Access Rules.

 

LDAP Authentication

LDAP Authentication is needed if you want your users to authenticate against an LDAP directory.

To ensure best performance and authentication behavior we recommend joining the server to the local domain. You will not need to configure LDAP authentication if you do so, as KERBEROS will be used for accessing the directory.

 

HTTP Proxy

Within the HTTP Proxy settings you can define which local IP addresses and ports are used to receive requests. By default, all locally configured IP addresses (specified by 0.0.0.0) and port 8080 are used.

You can change these settings to suit your needs. We recommend using only your internal networks' IP addresses as listening IP addresses.

Next Proxy

Next Proxy settings are used to connect and send all allowed web traffic to an upstream proxy server. You can define ports for all supported protocols and also use authentication.