SecureGUARD GmbH

Technical Blog for SecureGUARD Products and Solutions

Web Access Rules - General Settings

In today's blog post I want to cover the general settings for Web Access Rules.

Within the Web Access Rules module you can set several general settings regarding the web proxy.

Enable Antivirus

With this switch you can globally enable or disable antivirus scanning for all Web Access Rules.


LDAP Authentication

LDAP authentication is needed if you want your users to authenticate against an LDAP directory.

To ensure the best performance and authentication behavior we recommend joining the server to the local domain. If you do so, you will not need to configure LDAP authentication, as Kerberos will be used for accessing the directory.


HTTP Proxy

Within the HTTP Proxy settings you can define which local IP addresses and ports are used to receive requests. By default all locally configured IP addresses (specified by 0.0.0.0) and port 8080 are used.

You can change these settings to suit your needs. We recommend using only your internal networks' IP addresses as listening IP addresses.
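The recommendation above hinges on what 0.0.0.0 actually means: the proxy port is opened on every configured address, including the external one. The following added example (written for this post, not SecureGUARD code) expands a listener setting against a constructed interface table and reports which sockets would be reachable from the external side, so a configuration can be checked before it is applied. The interface names and addresses are sample values.

```python
import ipaddress

# Constructed sample interface table (not from the product): the address
# configured on each local adapter and whether the adapter faces an
# internal network. In practice this would be read from the operating system.
INTERFACES = [
    {"name": "Internal", "address": "10.0.0.1", "internal": True},
    {"name": "DMZ", "address": "172.16.5.1", "internal": True},
    {"name": "External", "address": "203.0.113.5", "internal": False},
]


def expand_listener(listen_ip, port, interfaces):
    """Return the (address, port) sockets a listener setting actually occupies.

    0.0.0.0 is the wildcard address: it binds the port on every configured
    IPv4 address, which is what the default HTTP proxy setting does.
    """
    ip = ipaddress.ip_address(listen_ip)
    if ip.is_unspecified:
        return [(iface["address"], port) for iface in interfaces]
    if not any(iface["address"] == listen_ip for iface in interfaces):
        raise ValueError(f"{listen_ip} is not configured on any local interface")
    return [(listen_ip, port)]


def externally_exposed(listen_ip, port, interfaces):
    """Sockets from expand_listener() that sit on an interface marked external."""
    external = {i["address"] for i in interfaces if not i["internal"]}
    return [s for s in expand_listener(listen_ip, port, interfaces) if s[0] in external]


def check_proxy_listeners(listeners, interfaces):
    """Map each (ip, port) listener setting to the external sockets it would open.

    An empty list means the listener follows the internal-only recommendation.
    """
    return {f"{ip}:{port}": externally_exposed(ip, port, interfaces)
            for ip, port in listeners}


if __name__ == "__main__":
    # Default setting (0.0.0.0:8080) next to the recommended internal-only setting
    report = check_proxy_listeners([("0.0.0.0", 8080), ("10.0.0.1", 8080)], INTERFACES)
    for spec, exposed in report.items():
        if exposed:
            print(f"{spec}: exposed on " + ", ".join(f"{a}:{p}" for a, p in exposed))
        else:
            print(f"{spec}: internal only")
```

Run it as a script to see the default setting flagged while the internal address passes; the same check extends to any further listener ports you configure.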

Next Proxy

Next Proxy settings are used to connect to an upstream proxy server and send all allowed web traffic to it. You can define ports for all supported protocols and also use authentication.

NAT Rules and NAT Modes

In this post I want to give a deep dive into the NAT capabilities of EPS.

Within the NAT Rules module of the SecureGUARD Management interface you are able to create NAT rules to mask:

  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • and combinations of the previous

Overview of the "Add NAT Configuration"

There are four different NAT modes:

  • NAT
  • HideNAT
  • RouteBasedHideNAT
  • ProxyNAT


NAT Mode: NAT

The NAT mode NAT is used to statically translate a specific IP address/port combination to another combination.

Use-case example

Make an internal terminal server (accessible via port 3389) available from an external network.

Configuration example

  • Network Conditions
    • FROM: External
    • TO: Localhost
  • Protocol Conditions: RDP
  • Network Translation
    • Translation Destination: target terminal server

NAT Mode: Hide NAT

The NAT mode Hide NAT is used to mask source IP addresses. The source port is replaced with a dynamically assigned port number.

Use-case example

Mask the IP addresses of internal clients when accessing external resources.

Configuration example

  • Network Conditions
    • FROM: internal Network or IP-address range
    • TO: External Network
  • Protocol Conditions: All Traffic
  • Network Translation
    • Translation Source: the external IP address of the operating system environment EPS is installed on.

NAT Mode: RouteBasedHideNAT

The NAT mode RouteBasedHideNAT is an extended version of Hide NAT which determines the adapter's IP address automatically.

RouteBasedHideNAT also supports adapters with DHCP enabled.

Use-case example

Mask the IP address of internal clients when using a DHCP assigned IP address from your ISP.


Configuration example

  • Network Condition
    • FROM: Internal network or IP-address range
    • TO: External network
  • Protocol Condition: Any Protocol


NAT Mode: Proxy NAT

The NAT mode Proxy NAT is used to enable transparent web proxy capabilities. It redirects incoming HTTP traffic to the web proxy. This type of NAT rule is created automatically if you configure a Web Access Rule with either the "Proxy and Transparent" or the "Transparent" rule mode selected.
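To make the difference between the translating modes concrete, here is an added model of NAT, Hide NAT and Proxy NAT rule evaluation over packet 5-tuples. It is example code written for this post, not the EPS engine: the rule order, the first-match behaviour, the dynamic port range starting at 40000, the address values and the proxy listener 10.0.0.1:8080 are all assumptions chosen for the demo. It does show the one thing the text leaves implicit: Hide NAT must keep a reverse table so that replies to the dynamic port find their way back to the internal client.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Protocol conditions as (transport, destination port); "any" matches everything
RDP = ("tcp", 3389)
HTTP = ("tcp", 80)


class NatEngine:
    """Constructed model of three NAT modes (assumption, not product code).

    NAT      - static destination translation (external IP:port -> server IP:port)
    HideNAT  - source IP replaced by the external address, source port by a
               dynamically assigned port; a reverse table maps replies back
    ProxyNAT - destination of HTTP traffic redirected to the local web proxy
    """

    def __init__(self, external_ip, proxy_ip, proxy_port=8080, first_dyn_port=40000):
        self.external_ip = external_ip
        self.proxy_ip, self.proxy_port = proxy_ip, proxy_port
        self.next_dyn_port = first_dyn_port  # assumed start of the dynamic range
        self.rules = []
        self.hide_table = {}  # (external_ip, dyn_port) -> (orig_src_ip, orig_src_port)

    def add_rule(self, mode, src_net, dst_net, protocol="any", translate_to=None):
        self.rules.append((mode, ipaddress.ip_network(src_net),
                           ipaddress.ip_network(dst_net), protocol, translate_to))

    @staticmethod
    def _matches(rule, pkt):
        _, src_net, dst_net, protocol, _ = rule
        if ipaddress.ip_address(pkt.src_ip) not in src_net:
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in dst_net:
            return False
        return protocol == "any" or protocol == (pkt.proto, pkt.dst_port)

    def translate(self, pkt):
        """Apply the first matching rule; an unmatched packet passes unchanged."""
        for rule in self.rules:
            if not self._matches(rule, pkt):
                continue
            mode, _, _, _, translate_to = rule
            if mode == "NAT":
                ip, port = translate_to
                return replace(pkt, dst_ip=ip, dst_port=port)
            if mode == "HideNAT":
                dyn = self.next_dyn_port
                self.next_dyn_port += 1
                self.hide_table[(self.external_ip, dyn)] = (pkt.src_ip, pkt.src_port)
                return replace(pkt, src_ip=self.external_ip, src_port=dyn)
            if mode == "ProxyNAT":
                return replace(pkt, dst_ip=self.proxy_ip, dst_port=self.proxy_port)
            raise ValueError(f"unknown NAT mode {mode}")
        return pkt

    def untranslate_reply(self, pkt):
        """Map a reply addressed to a Hide NAT dynamic port back to the client."""
        orig = self.hide_table.get((pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return pkt
        return replace(pkt, dst_ip=orig[0], dst_port=orig[1])


def build_example_engine():
    """Rule set mirroring the use cases above, with constructed addresses."""
    eng = NatEngine(external_ip="203.0.113.5", proxy_ip="10.0.0.1")
    # NAT: publish the internal terminal server (RDP) on the external address
    eng.add_rule("NAT", "0.0.0.0/0", "203.0.113.5/32", RDP, translate_to=("10.0.0.20", 3389))
    # Proxy NAT: transparently redirect internal HTTP traffic to the web proxy;
    # it must come before the catch-all Hide NAT rule because first match wins
    eng.add_rule("ProxyNAT", "10.0.0.0/24", "0.0.0.0/0", HTTP)
    # Hide NAT: everything else from the internal network leaves with the external IP
    eng.add_rule("HideNAT", "10.0.0.0/24", "0.0.0.0/0")
    return eng


if __name__ == "__main__":
    eng = build_example_engine()
    print(eng.translate(Packet("198.51.100.7", 51000, "203.0.113.5", 3389)))
    out = eng.translate(Packet("10.0.0.33", 50123, "198.51.100.9", 443))
    print(out)
    print(eng.untranslate_reply(Packet("198.51.100.9", 443, out.src_ip, out.src_port)))
```

The rule order in build_example_engine() is the point to take away: a Hide NAT rule with "Any Protocol" placed above the Proxy NAT rule would swallow the HTTP traffic and the transparent proxy would never see it.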

Network Interfaces

Within the SecureGUARD Management Client you can find a complete network module.

This module consists of three Parts:

Interfaces

In this overview all physical or virtual network adapters connected to the operating system environment are listed; each can be configured by selecting it and clicking "Edit Selected Interface".

Best practices for the appropriate settings include (as in every Windows-based environment):

  • The default gateway is a global entry; define it only on the external interface. Create dedicated routes for all internal networks.
  • Use an internal DNS server whenever possible. Define DNS servers on only one network interface (you can specify more than one DNS server if available or necessary).

Teaming

Within the Teaming module you can also create tagged VLAN interfaces on physical adapters (in Windows Server 2012 R2 a VLAN interface is created via a team of one or more network adapters).

Routing Table

Within the Routing Table module you are able to view the currently active IPv4 or IPv6 routes and create new route entries for dedicated network destinations.

Networks and Computers

In this post I want to give a deep dive into network and computer objects.

Networks

A network consists of one or more IPv4 and/or IPv6 address ranges. A network is not bound to a network adapter. The IP address ranges in a network don't have to be consecutive.

There are two built-in network objects which cannot be edited:

1. All Networks: includes all IPv4 and IPv6 addresses

2. Localhost: includes all IPv4 and IPv6 addresses configured on any network interface of the operating system environment where CG is installed.


Networks for the private address ranges defined in RFC 1918 are created during installation. These networks can be edited or deleted as needed.


Add Network 

To add a new network, click the "Create Network" button at the top of the Network Tasks within the "Commands Pane".

You can also define exclusions from an IP address range.

One important thing to think about is the "Localhost Handling". With this selection you define how the firewall engine treats IP addresses configured on the local system.

1. Exclude Localhost: automatically excludes all IP addresses configured on the local system from the created network in the background.

2. Include Localhost: automatically includes all IP addresses configured on the local system in the created network in the background.

3. None: localhost addresses are not processed separately. If an address of the local system is within the specified range, it stays included; otherwise it stays excluded.
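The three localhost handling modes are easiest to see side by side. The following added example (written for this post, not SecureGUARD code) models a network object with ranges, exclusions and a localhost handling setting, then reports which of a constructed set of local addresses each mode pulls in or leaves out. The local address list is a sample, and treating the localhost setting as taking precedence over an explicit exclusion is an assumption of this model.

```python
import ipaddress

# Constructed sample of the addresses configured on the local system (the
# "Localhost" built-in object); real values would be read from the OS.
LOCALHOST_ADDRESSES = ["10.0.0.1", "172.16.5.1", "203.0.113.5", "fd00::1"]

MODES = ("Exclude", "Include", "None")


def parse_range(spec):
    """Accept 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d-e.f.g.h' (IPv6 likewise).

    Returns a list of ip_network objects covering the specification.
    """
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


class NetworkObject:
    def __init__(self, name, ranges, exclusions=(), localhost_handling="None"):
        if localhost_handling not in MODES:
            raise ValueError(f"localhost handling must be one of {MODES}")
        self.name = name
        self.ranges = [n for r in ranges for n in parse_range(r)]
        self.exclusions = [n for r in exclusions for n in parse_range(r)]
        self.localhost_handling = localhost_handling

    def contains(self, address, localhost_addresses=LOCALHOST_ADDRESSES):
        ip = ipaddress.ip_address(address)
        is_local = any(ip == ipaddress.ip_address(a) for a in localhost_addresses)
        # Assumption of this model: the localhost setting is decided first,
        # so it overrides both the ranges and the explicit exclusions.
        if is_local and self.localhost_handling == "Exclude":
            return False
        if is_local and self.localhost_handling == "Include":
            return True
        # "None" (or a non-local address): plain range check with exclusions.
        # Membership tests across IP versions simply evaluate to False.
        if any(ip in n for n in self.exclusions):
            return False
        return any(ip in n for n in self.ranges)


def compare_localhost_handling(ranges, exclusions=(), localhost_addresses=LOCALHOST_ADDRESSES):
    """For each mode, the set of local addresses the network would contain."""
    result = {}
    for mode in MODES:
        net = NetworkObject("demo", ranges, exclusions, mode)
        result[mode] = {a for a in localhost_addresses if net.contains(a, localhost_addresses)}
    return result


if __name__ == "__main__":
    # Constructed network: two non-consecutive ranges with one excluded sub-range
    demo_ranges = ["10.0.0.0/24", "172.16.0.0-172.16.255.255"]
    demo_exclusions = ["10.0.0.200-10.0.0.255"]
    for mode, members in compare_localhost_handling(demo_ranges, demo_exclusions).items():
        print(f"{mode:8} -> {sorted(members) or 'no local addresses'}")
```

With the constructed data, "None" keeps only the two local addresses that fall inside the ranges, "Exclude" drops all of them (which is what you usually want for a network that feeds a Hide NAT or block rule), and "Include" adds the external and IPv6 addresses even though no range covers them.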


Network Sets

A network set consists of one or more specific networks.


Computers

Computer objects are used to define names for specific IP addresses, for better usability within the different rule sets.

Computer Sets

Computer Sets are collections of computer objects and can be used with different rule sets.

Rules, Rules, Rules

In this blog post I want to give an overview of the different rule sets within SecureGUARD EPS.

Firewall Rules

Firewall Rules allow or block traffic from a specific source to a specific destination on the network layer.

There are four different sorts of Firewall Rules:

1. System Rules

These are used to configure the local Windows Firewall to allow or block traffic from and to "localhost".

2. BuiltIn Rules

There is only one BuiltIn Rule: it blocks all traffic and is applied as the last rule. This rule can't be edited.

3. Custom Rules

This is the right place for your custom rules. Please be aware of the order, as the Custom Rules set is evaluated on a first-match basis: the first rule that matches is applied and the remaining rules are skipped.

4. "Created by" Rules

Some modules create the needed rules automatically so that they work as expected, so no additional custom rule has to be created.

This includes: Publishing Rules, Web Access Rules, Client-VPN, S2S-VPN

"Created by" rules can't be edited.
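Because the Custom Rules set is evaluated first-match and the BuiltIn block-all rule always sits last, the order of custom rules decides the outcome. The following added example (written for this post, not SecureGUARD code) evaluates a constructed rule set the same way and adds the check a firewall administrator wants before saving: a report of rules that can never match because an earlier rule already covers their conditions. Rule names, addresses and ports are sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "block"
    src: str                    # source network in CIDR notation
    dst: str                    # destination network in CIDR notation
    proto: str = "any"          # "any", "tcp" or "udp"
    dst_port: Optional[int] = None   # None matches every port

    def __post_init__(self):
        self.src_net = ipaddress.ip_network(self.src, strict=False)
        self.dst_net = ipaddress.ip_network(self.dst, strict=False)

    def matches(self, src_ip, dst_ip, proto, dst_port):
        return (ipaddress.ip_address(src_ip) in self.src_net
                and ipaddress.ip_address(dst_ip) in self.dst_net
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))

    def covers(self, other):
        """True if every packet matching `other` would already match this rule."""
        if self.src_net.version != other.src_net.version:
            return False
        return (other.src_net.subnet_of(self.src_net)
                and other.dst_net.subnet_of(self.dst_net)
                and self.proto in ("any", other.proto)
                and self.dst_port in (None, other.dst_port))


# The single BuiltIn rule: blocks everything and is always evaluated last
BUILTIN_BLOCK_ALL = Rule("BuiltIn: block all", "block", "0.0.0.0/0", "0.0.0.0/0")


def evaluate(custom_rules, src_ip, dst_ip, proto, dst_port):
    """First match wins; returns (action, name of the deciding rule)."""
    for rule in list(custom_rules) + [BUILTIN_BLOCK_ALL]:
        if rule.matches(src_ip, dst_ip, proto, dst_port):
            return rule.action, rule.name
    raise AssertionError("unreachable: the BuiltIn rule matches every packet")


def shadowed_rules(custom_rules):
    """Names of rules that an earlier rule fully covers, so they never fire."""
    shadowed = []
    for i, later in enumerate(custom_rules):
        if any(earlier.covers(later) for earlier in custom_rules[:i]):
            shadowed.append(later.name)
    return shadowed


# Constructed custom rule set (sample data); the third rule is unreachable
# because the second one blocks the whole LAN-to-DMZ traffic before it
CUSTOM_RULES = [
    Rule("Allow HTTPS from LAN", "allow", "10.0.0.0/24", "0.0.0.0/0", "tcp", 443),
    Rule("Block LAN to DMZ", "block", "10.0.0.0/24", "172.16.5.0/24"),
    Rule("Allow admin SSH to DMZ", "allow", "10.0.0.10/32", "172.16.5.0/24", "tcp", 22),
]


if __name__ == "__main__":
    print(evaluate(CUSTOM_RULES, "10.0.0.10", "172.16.5.4", "tcp", 22))
    print(evaluate(CUSTOM_RULES, "10.0.0.5", "198.51.100.1", "tcp", 443))
    print(evaluate(CUSTOM_RULES, "10.0.0.5", "198.51.100.1", "tcp", 25))
    print("shadowed:", shadowed_rules(CUSTOM_RULES))
    # Moving the specific rule above the broad block rule makes it effective
    reordered = [CUSTOM_RULES[2], CUSTOM_RULES[0], CUSTOM_RULES[1]]
    print(evaluate(reordered, "10.0.0.10", "172.16.5.4", "tcp", 22), shadowed_rules(reordered))
```

The shadowing check is deliberately conservative: it only reports a rule whose source, destination, protocol and port are all contained in one earlier rule, which is exactly the case where the first-match evaluation makes the later rule dead.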


Publishing Rules

Publishing Rules are used to enable access to internal web servers or application servers from external networks.

How to publish different services will be covered in one of the next blog posts.


NAT Rules

NAT Rules are used to mask networks, IP address ranges and also specific servers or services.


Web Access Rules

Web Access Rules grant or block access to web resources, either via a specific proxy port or as a transparent proxy.

In proxy mode, authentication via Microsoft AD and LDAP is also possible.


E-Mail Rules

E-Mail Rules configure routes for incoming or outgoing mail traffic to an internal mail server.


EPS vs. Communication Gateway - What are the differences?

In this blog post I want to explain the difference between the two terms in the title.


SecureGUARD Edge Protection Suite (EPS)

is a bundle consisting of the following three parts:

Communication Gateway

Web Protection Add-on

Mail Protection Add-on


SecureGUARD Communication Gateway (CG15)

is the name of the software solution from SecureGUARD, built on the solid foundation of Microsoft Windows Server 2012 R2.

It contains all software parts from SecureGUARD and also 3rd-party products.

CG15 is licensed per operating system environment (virtual or physical installation).

A Communication Gateway license includes all available functionality except the features of the Web and Mail Protection Add-ons (the authenticating web proxy feature is included in the CG15 license).


Web Protection Add-on

extends SecureGUARD Communication Gateway with URL filtering (115 predefined categories) and antivirus for web protocols. The Web Protection Add-on is licensed on a per-user basis.


Mail Protection Add-on

extends SecureGUARD Communication Gateway with anti-spam, antivirus for mail protocols and greylisting capabilities. The Mail Protection Add-on is also licensed on a per-user basis.

Questions? Please use the contact form; I will try to answer them as soon as possible.

Regards,

Markus

License Module

In today's post I want to cover the functionality of the License Module.

During the installation process the installer automatically connects to https://products.secureguard.at to obtain a 30-day evaluation license.

This evaluation covers all functionality and 100 user evaluation licenses for the Web and Mail Security Add-ons.

After the first start of the SecureGUARD Management Client the License Module should look like this:

After purchasing a license from SecureGUARD you can use the serial number and activation key combination from the delivery note to activate your product:

A serial number can only be active once. So if you want to use your license key on another hardware or virtual installation, you have to choose "Override existing activations".

Best regards,

Markus


Installation Process

In this post I want to cover the installation process of EPS15.

You can download the sources, including a 30-day trial license, after a short registration at: http://www.secureguard.at/Company/EPSregistration

A download link will be sent to you by e-mail immediately after registration.

For the installation you have to use a user who is a member of the local "Administrators" group.

To obtain the 30-day trial license, access to "products.secureguard.at" via HTTPS (port 443) is necessary.

The installer will automatically connect to this site and apply the license.

If no license can be applied, or if the license expires, any further configuration changes to the software will not be applied, except for the local IP address settings and license information.

If no internet connection is available, please contact us at support@secureguard.at and we will generate an offline license package for you.

The installation process itself is pretty straightforward:

Start the installation, carefully read and accept the license agreement, and then wait until the installation is finished.

During the installation process all needed Windows Server 2012 R2 features and roles, SecureGUARD software parts and 3rd-party software like IKARUS gateway.security are installed automatically.

An up-to-date version of the URL filtering and antivirus database is also downloaded during the installation procedure.

After the successful installation you can start with the configuration of the solution.


Regards,

Markus Grudl

Hardware- and Software-Requirements

In this blog post I want to go through the requirements for SecureGUARD Edge Protection Suite 2015.

EPS 2015 is based on Microsoft Windows Server 2012 R2 and can run either on dedicated hardware or in a virtual machine.

In both cases the following system requirements apply:

  • min. 1.4 GHz 64-bit processor
  • min. 4 GB RAM
  • min. 64 GB HDD/SSD
  • min. 1 Gb Ethernet adapter

ATTENTION: if you plan to use EPS 2015 in a single-NIC scenario, only web proxy capabilities are supported!

Let's now have an overview of the software requirements:

  • Windows Server 2012 R2
  • Standard or Datacenter installation
  • only "Installation with GUI" is supported!

We strongly recommend bringing the operating system up to date.

At least these updates are required for the installation:

In the next post I will go through the installation process.

Regards,

Markus

Welcome to the SecureGUARD GmbH Technical Blog!

In this first blog post I want to proudly welcome you on our new technical blog.

Here you will find technical information about SecureGUARD products and solutions, success stories and general announcements.

We'll update the blog on a regular basis with how-tos, step-by-step guides and loads of content.

Stay tuned for an inside view of our solutions.

Regards,

Markus Grudl