SecureGUARD GmbH

Technical Blog for SecureGUARD Products and Solutions

EPS15 Release 1.2 is available!

I'm proud to announce the availability of the 1.2 Version of EPS15.

Feature Highlights

The new version extends EPS15 with a sophisticated Intrusion Prevention System and SQL Server Logging with enhanced filtering capabilities. In addition under the hood performance and usability improvements are included as well.

More Information: SecureGUARD News



To upgrade from earlier version (EPS15 R1.0 and EPS15 R1.0 with installed Hotfix Package) just download the latest sources and perform an installation.

All configuration will be migrated automatically, except IDS settings.


How to get it

If you are an existing customer or registered for the EPS Newsletter you will get the appropriate download link per mail.

If you're not already registered, just sign up here to get the download link immediately: EPS Registration

The sources automatically include a 30day full featured trial license.


Windows Update Issue: Local Windows Firewall stops logging and responding after installing KB3126593

ATTENTION: Windows Update KB3126593 issues problems with the local Windows Firewall of Windows Server 2012 R2.

We already opened a support ticket at Microsoft:

This is a known issue at Microsoft. They will provide an updated KB as soon as possible.

As CG make use of the local Windows Firewall this also affects CG in working correctly.

Please do not install KB3126593 on operating system instances CG is installed on.

If you already installed KB3126593 you can uninstall it via "Control Panel - Programs and Features - View installed updates".

As soon as we have further information from Microsoft we will post an update.


Web Access Rules - General Settings

In todays blog post I want to cover the general settings for Web Access Rules.

Within the Web Access Rules Module you have the possibility to set several general settings in regarding web Proxy.

Enable Antivirus

With this switch you can globally enable/disable Antivirus scanning for all Web Access Rules.


LDAP Authentication

LDAP Authentication is needed if you want your users to authenticate against a LDAP directory.

To ensure best performance and authentication behavior we recommend to join the server to the local domain. You will not need to configure LDAP authentication if you do so, as KERBEROS will be used for accessing the directory.


HTTP Proxy

Within the HTTP Proxy settings you can define which local IP-addresses and ports are used to receive requests. As default all local configured IP-addresses (specified by and port 8080 is used.

You can change this settings for your needs. We recommend to only use your internal networks IP-addresses as listening IP-addresses.

Next Proxy

Next Proxy settings are used to connect and send all allowed web traffic to an upstream proxy server. You can define ports for all supported protocols and also use authentication.

NAT Rules and NAT Modes

in this post I want to give a deep-dive into the NAT capabilities of EPS.

Within the NAT Rules Module of the SecureGUARD Management interface you are able to create NAT rules to mask:

  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • and combinations of the previous

Overview of the "Add NAT Configuration"

There are four different NAT modes:

  • NAT
  • HideNAT
  • RouteBasedHideNAT
  • ProxyNAT



The NAT mode NAT is used to statically translate a specific IP-address/port combination to another combination.

Use-case example

Make an internal terminal server (accessible via Port 3389) available from an external network to allow access this service.

Configuration example

  • Network Conditions
    • FROM: External
    • TO: Localhost
  • Protocol Conditions: RDP
  • Network Translation
    • Translation Destination: target terminal server

NAT Mode: Hide NAT

The NAT mode Hide NAT is used to mask source IP-Addresses. The source port is replaced with a dynamically assigned port number.

Use-case example

Mask IP-Addresses of internal client when accessing external ressources.

Configuration example

  • Network Conditions
    • FROM: internal Network or IP-address range
    • TO: External Network
  • Protocol Conditions: All Traffic
  • Network Translation
    • Translation Source: external IP address of the operating system environment EPS is installed on.

NAT Mode: RouteBasedHideNAT

The NAT mode RouteBasedHideNAT is an extended version of Hide NAT which can be used to determine the adapters IP-address automatically.

RouteBasedHideNAT supports also DHCP activated adapters.

Use-case example

Mask the IP address of internal clients when using a DHCP assigned IP address from your ISP.


Configuration example

  • Network Condition
    • FROM: Internal network or IP-address range
    • TO: External network
  • Protocol Condition: Any Protocol


NAT Mode: Proxy NAT

The NAT Mode Proxy NAT is used to enable transparent web proxy capabilities. It redirects incoming http traffic to web proxy. This type of NAT rules is automatically created if you configure a Web Access Rule with either "Proxy and Transparent" or "Transparent" rule mode selected.

Network Interfaces

Within the SecureGUARD Management Client you can find a complete network module.

This module consists of three Parts:


In this overview all physical or virtual network adapter connected to the operating system environment are listed and can be configured by selecting a specific interface and click "Edit Selected Interface".

Best practices with the appropriate settings includes (like on every Windows-based environment):

  • Default Gateway is a global entry, only define on the external interface. Create dedicated routes for all internal networks.
  • Make use of an internal DNS server whenever possible. Define DNS Servers only on one network interface (you can specify more than one DNS server if available or necessary).


Within the teaming module you can also create tagged VLAN interfaces on physical adapters. (as in Windows Server 2012 R2 a VLAN interface is created via a team of one or more network adapter).

Routing Table

Within the Routing Table module your are able to view the currently active IPv4 or IPv6 routes and create new routes an create new route entries for dedicated network destinations.

Networks and Computers

In this post I want to give a deep dive in network and computer objects.


A Network consists of one or more IPv4 and/or IPv6 address ranges. A network is not bound to a network adapter. IP-address ranges in a network don't have to be consecutive.

There are two BuiltIn network objects which are not subject to edit:

1. All Networks: includes all IPv4 and IPv6 addresses

2. Localhost: includes all IPv4 and IPv6 addresses configured on any network interface on the operating system environment where CG is installed.


Networks for private address ranges as defined in RFC 1918 are created during installation. This networks can be edited or deleted as needed.


Add Network 

To add a new network just click the "Create Network" button on top of the Network Tasks within the "Commands Pane".

You can define also exclusions from an IP-address range.

One important thing to think about is the "Localhost Handling". With this selection you can define the behavior of the firewall engine with IP addresses configured on the local system.

1. Exclude Localhost: automatically excludes all configured IP addresses from the local system to the created network in the background.

2. Include Localhost: automatically includes all configured IP addresses from the local system to the created network in the background.

3. None: Localhost addresses are not processed separately. If an addresses of the local system is within the specified range, they stay included. Otherwise they stay excluded.


Network Sets

A network set consists of one or more specific networks.



Computer objects are used to define names for specific IP addresses for better usability within the different rule sets.

Computer Sets

Computer Sets are collections of computer objects and can be used with different rule sets.

Rules, Rules, Rules

In this blog post I want to give an overview of the different rules sets within SecureGUARD EPS.

Firewall Rules

Firewall Rules are to allow or block traffic from a specific source to a specific destination on network layer.

There are four different sorts of Firewall Rules:

1. System Rules

Are used to configure the local Windows Firewall to allow or block traffic from and to "localhost".

2. BuiltIn Rules

There is only one BuiltIn Rule which blocks all traffic which is applied as last rule. This rule can't be edited.

3. Custom Rules

This is the right place for your custom rules. Please be aware of the order as the Custom Rules set is evaluated on a first match and skip evaluation base.

4. "Created by" Rules

Some modules create the needed rules automatically to work as expected. So no additional custom rule have to be created.

This includes: Publishing Rules, Web Access Rules, Client-VPN, S2S-VPN

"Created by" rules can't be edited.


Publishing Rules

Publishing Rules are used for enable access to internal webserver or application server from external.

How to publish different services will be covered in one of the next blog posts.


NAT Rules

NAT Rules are used to mask networks, IP-address ranges and also specific server or services.


Web Access Rules

Web Access Rules grant or block access to web resources. Either via a specific proxy port or also as a transparent proxy.

With proxy mode also authentication via Microsoft AD and LDAP is possible.


E-Mail Rules

E-Mail Rules are to configure routes for incoming or outgoing mail traffic to an internal mail server.



EPS vs. Communication Gateway - What are the differences?

In this blog post I want to specify the difference between the two terms from the title.


SecureGUARD Edge Protection Suite (EPS)

is a bundle consisting of the following three parts:

Communication Gateway

Web Protection Add-on

Mail Protection Add-on


SecureGUARD Communication Gateway (CG15)

is the name of the software solution from SecureGUARD based on the solid fundament of Microsoft Windows Server 2012 R2.

It contains all software parts from SecureGUARD and also 3rd-Party products.

CG15 is licensed per operating system environment. (virtual or physical installation)

A Communication Gateway license includes all available functionalities except of the features of the Web and Mail Protection Add-on (authenticating web proxy feature is included within CG15 license).


Web Protection Add-on

extends SecureGUARD Communication Gateway with URL-Filtering (115 predefined categories) and AntiVirus for web protocols. The Web Protection Add-on is licensed on a per user base.


Mail Protection Addon

extends SecureGUARD Communication Gateway with AnitSpam, AntiVirus for mail protocols and Greylisting capabilities. The Mail Protection Add-on is also licensed on a per user base.


 Questions? --> please use the Contact formular I will try to answer them as soon as possible.



License Module

In today's post I want to cover the functionality of the License Module.

During the installation process the installer automatically connects to to obtain a 30-day evaluation license.

This eval covers all functionalities and 100 User eval licenses for the Web and Mail Security Addons.

 After the first start of the SecureGUARD Management client the license module should look like this:

After purchasing a license from SecureGUARD you can use the serial number and activation key combination from the delivery note to activate your product:

A serial number can only be active once. So if you want to use your license key on another hardware or virtual installation you have to choose "Override existing activations".

Best regards,



Installation Process

In this post I want to cover the installation process of EPS15.

You can download the sources including a 30 day trial license with a short registration at:

A download link will be sent to you immediately per mail after the registration.

For the installation you have to use a user which is member of the local "Administrators" group.

To obtain the 30-day trial license access to "" via HTTPS (port 443) is necessary.

The installer will automatically connect to this site and apply the license.

If no license can be applied or also if the license expires, any further configuration changes to the software will not be applied excluding the local IP address settings and license information.

If no internet connection is available please contact us at and we will generate a offline license package for you.

The installation process itself is pretty straight forward:

Start the installation, carefully read and accept the license agreement and then wait till the installation is finished.

During the installation process all needed Windows Server 2012 R2 Features and Roles, SecureGUARD software parts and 3rd Party software like IKARUS are installed automatically.

An up-to-date version of URL-Filtering and AntiVirus Database is also downloaded during the installation procedure.

After the successfull installation you can start with the configuration of the solution.



Markus Grudl