UserGate V5 English Manual

UserGate Proxy & Firewall Administrator Manual


Contents

INTRODUCTION
USERGATE PROXY & FIREWALL
  SYSTEM REQUIREMENTS
  USERGATE SERVER INSTALLATION
  USERGATE REGISTRATION
  USERGATE UPDATE AND REMOVAL
  USERGATE LICENSING POLICY
USERGATE ADMINISTRATION MODULE
  CONNECTION SETTINGS
  SETTING PASSWORD FOR CONNECTION
  SETTING PASSWORD FOR STATISTICS DATABASE
  NAT (NETWORK ADDRESS TRANSLATION) COMMON SETTINGS
INTERFACE SETTINGS
  NETWORK TRAFFIC CALCULATION IN USERGATE
  CONNECTION FAILOVER
USERS AND GROUPS
  USER PERSONAL STATISTICS PAGE
USERS AUTHORIZATION METHODS
  TERMINAL USERS SUPPORT
  USING HTTP AUTHORIZATION WITH TRANSPARENT PROXY
  USING AUTHORIZATION CLIENT
USERGATE SERVICES SETTINGS
  DHCP SETTINGS
  PROXY SERVICE SETTINGS
  SIP PROTOCOL SUPPORT
  USERGATE SIP REGISTRAR
  H323 PROTOCOL SUPPORT
  USERGATE MAIL PROXIES
  PROXIES IN TRANSPARENT MODE
  PARENT PROXIES
  PORT MAPPING
  CACHE SETTINGS
  ANTIVIRUS SCANNING
  USERGATE SCHEDULER
  DNS SETTINGS
ALERT MANAGER
USERGATE FIREWALL
  PRINCIPLE OF OPERATION
  NETWORK ADDRESS TRANSLATION RULES (NAT)
  WORKING WITH MULTIPLE INTERNET SERVICE PROVIDERS
  MASQUERADE FOR NAT RULES
  NETWORK RESOURCES PUBLISHING
  FIREWALL FILTERING RULES
  ROUTING SUPPORT
USERGATE SPEED LIMITATIONS
TRAFFIC MANAGER
APPLICATION FIREWALL
USERGATE CACHE EXPLORER
USERGATE TRAFFIC MANAGEMENT
  TRAFFIC MANAGEMENT RULES
  INTERNET ACCESS RESTRICTION
  BRIGHTCLOUD URL FILTERING
  SETTING A TRAFFIC CONSUMPTION LIMIT
  FILE SIZE RESTRICTION
  CONTENT-TYPE FILTERING
BILLING SYSTEM
  INTERNET ACCESS TARIFFING
  USER ACCOUNT STATUS CONTROL
  DYNAMIC BILLING PLANS SWITCHING
USERGATE REMOTE ADMINISTRATION
  REMOTE CONNECTION SETTINGS
  RESTARTING USERGATE SERVER
  CHECKING FOR THE NEW VERSION
USERGATE STATISTICS UTILITY
USERGATE WEB STATISTICS
  WEB STATISTICS SETTINGS
  TRAFFIC MANAGEMENT RULES EFFICIENCY RATING
  ANTIVIRUS EFFICIENCY RATING
  SIP USAGE STATISTICS

Introduction

UserGate works as a proxy server, i.e. as an intermediate computer between your PC and the Internet. All interactions with the Internet pass through UserGate. When you surf the Internet, your computer automatically connects to the proxy server (UserGate) and requests the web page or file you want that is located on an Internet server. The proxy server then either connects to the specified server and receives the web page or finds it in the proxy’s cache (a temporary storage area for previously viewed web pages and files). In some situations the proxy server can modify the request or a server’s response for specific purposes, for example to block access to inappropriate pages or images, or when a virus is detected.

UserGate Proxy & Firewall

UserGate is a comprehensive solution designed to connect users to the Internet, provide traffic control, limit access and supply built-in network security tools.

UserGate enables the tariffing (pricing and limiting) of user Internet access based on traffic amounts and time online. An administrator can add various billing plans, switch between them dynamically and control access to Internet resources. The built-in Firewall and Antivirus modules protect the UserGate server and identify malicious software coming from the Internet.

UserGate consists of several modules: the Server, the Administration Console (UserGate Administrator) and several others. UserGate Server (usergate.exe) is the central part, the core of the proxy server, where its functional capabilities are implemented. The Server provides Internet access, performs exact traffic calculations, tracks users’ online statistics, etc. The UserGate Administration Console is the program used to control the Server. The Administration Console communicates with the server module by means of a special protocol on top of TCP/IP, which enables remote administration of the server.

There are also four additional modules included in UserGate: UserGate Statistics, Web Statistics, UserGate Authorization Client and Application Control.


System requirements

It is recommended to install UserGate Server on Windows 2000/XP/2003 computers connected to the Internet via a modem or any other type of connection. Server hardware requirements are as follows:

Network configuration | Minimum requirements | Recommended requirements
Small LAN: 2 to 5 users | Pentium 1 GHz, 512 MB RAM, Windows 2000, 56k modem | Pentium 1 GHz, 512 MB RAM, Windows 2000, DSL
Medium LAN: 5 to 20 users | Pentium 1 GHz, 512 MB RAM, Windows 2000, 56k modem | Pentium 1 GHz, 1 GB RAM, Windows XP, broadband Internet connection
Large LAN: more than 20 users | Pentium 1 GHz, 512 MB RAM, Windows XP, ISDN connection | Pentium 2 GHz, 1 GB RAM, Windows 2003, broadband Internet connection

UserGate Server installation

To install UserGate Proxy & Firewall, simply run the installation file and specify the installation options. When installing UserGate for the first time you can leave all of its installation options at their default settings. During the installation process the installation Wizard will offer to install UserGate as a system service (UserGate Service) and will automatically disable the Internet Connection Service, if it is enabled.


Figure 1. UserGate NAT driver installation

Since the UserGate NAT driver is not WHQL signed, a “Hardware installation” dialog will appear during the installation process (Fig. 1). In order to install the UserGate NAT driver properly you should press “Continue Anyway” several times. After installation, restart your computer.

UserGate registration

An unregistered version of UserGate Server runs for 30 days in evaluation mode and restricts the number of simultaneous users to 5. To register, start the UserGate Server, connect the Administration Console to the Server, and open “Help”, then the “Register Product” item, in the UserGate Administration Console menu. Alternatively, you can choose the same option on the “About” page in the Administration Console. In the dialog that appears, enter your registration name and registration code into the corresponding fields. Then click OK and restart UserGate Server. During the registration process UserGate Server should be connected to the Internet.

UserGate update and removal

Before you install a new UserGate version it is recommended to remove the previous one and save the server settings file (config.cfg file, located in the UserGate directory; hereinafter %UserGate%) and the statistics database (log.mdb file, also located in %UserGate% folder).


UserGate Server v.5 supports the UserGate v.4 settings format. All settings in UserGate v.4 format will be converted into the new format when UserGate server is first started. Settings from versions earlier than UserGate v.4 are not supported.

Removal of UserGate Server is accomplished by clicking on the removal item in the “Start – Programs” menu or by using “Add or Remove Programs” in Control Panel. After removal, some files remain in the UserGate directory, such as config.cfg (UserGate Server settings), log.mdb (UserGate statistics database) and some others. When you install a newer version, all your settings are still there.

UserGate licensing policy

UserGate Server is designed to connect Local Area Network users to the Internet. The maximum number of users simultaneously connected to the Internet via UserGate is called the “number of sessions” and is defined by a registration key. UserGate v.5 uses a unique registration key which does not support previous versions of the UserGate software. An unregistered UserGate Server will run for 30 days in evaluation mode and is restricted to 5 sessions. Please do not confuse the “session” concept with the number of user-launched Internet applications or connections. In general, the number of user-launched connections is arbitrary (unless otherwise limited).

UserGate’s integrated antivirus software (Kaspersky and/or Panda) requires independent licensing, e.g. Kaspersky antivirus requires a special key file (*.key) located in the “%UserGate%\kav” directory. The UserGate distribution kit includes the 30-day trial key for Kaspersky antivirus; however, this key is not compatible with other keys of Kaspersky Lab products. The Panda antivirus license is built into the UserGate Server registration key according to agreements with Panda Security.

The license for the BrightCloud module, designed for site categorizing, is also included in the UserGate license. The BrightCloud license period is restricted to one year. After the license period expires, the BrightCloud online service becomes unavailable.

UserGate Administration module

The UserGate Administration module is an application designed to control a local or remote UserGate Server. To start UserGate Administrator, first start UserGate Server by selecting “Start UserGate Server” in the UserGate Agent context menu (the icon in the System Tray). You can also run UserGate Administrator by means of “Start – Programs” if the module is installed on another computer.

In order to work with settings you should connect the Administration module to the Server.

Connection settings

When first started, the UserGate Administration Console opens on the “Connections” page, where only one connection is specified. In this connection’s settings, localhost is specified as the server address, the login name is Administrator and there is no connection password. To connect the Administration Console to the UserGate server, double-click on the “localhost – Administrator” line or press the “Connect” button on the Control Panel. You can create several connections using the Administration Console. The following parameters must be specified in the connection settings:

• Server name – connection name.
• User name – login to connect to server.
• Server address – domain name or UserGate Server IP address.
• Port – TCP port used to connect to Server (port 2345 is the default).
• Password – the connection password.
• Always ask for password – this option asks for your login and password whenever you connect to UserGate Server.
• Automatically connect to this server – Administration module’s automatic connection to Server when it starts.

Administration Console settings are stored in the file console.xml, located in the “%UserGate%\Administrator\” folder. At the UserGate Server side, user names and connection passwords are stored in the %UserGate%\config.cfg file.


Setting password for connection

You can set the login name and password for the connection in the “Administrator Settings” section on the “General Settings” page. In this section you can also specify the TCP port on which UserGate server will listen for connections from the Administration Console. For the new settings to take effect it is necessary to restart the UserGate Server (“Restart UserGate Server” item in the Agent menu). After restarting you should change the Administration Console connection settings as well, otherwise the Administrator will fail to connect to the Server.

Setting password for statistics database

All user statistics, i.e. traffic, time online and resources visited, are recorded by the UserGate Server into a special database. UserGate works with its database via an ODBC driver, which allows the use of different database formats (MS Access, MS SQL and MySQL). For UserGate to work with a MySQL database, please use MySQL Connector v.3.51.

By default UserGate server uses a database in MS Access format (log.mdb file) with no password specified. You can set a password on the “General Settings – Database Settings” page in the Administration console. For the standard statistics database (log.mdb), you should stop UserGate Server after setting the password, then open the database in MS Access in exclusive mode and set a password through “Tools – Security – Set database password”.

NAT (Network Address Translation) Common Settings

The NAT Common Settings option allows you to specify the time-out value for NAT connections over the TCP, UDP or ICMP protocols. The time-out defines how long a user connection through NAT is kept after the data transfer is finished. The Print Debug Log option is intended for debugging and turns on the extended logging mode of the UserGate NAT driver, if needed.


Interface settings

The “Interface” page (Fig. 2) is the most important part of UserGate Server settings. It defines such important features as traffic count accuracy, the ability to create Firewall rules, Internet channel bandwidth restrictions, the relationship between networks and the order of request processing by the UserGate NAT (Network Address Translation) driver.

Figure 2. UserGate Server interface settings

All available network interfaces are listed on the “Interface” page, including Dial-Up (VPN, PPPoE) connections. The UserGate administrator defines the connection type for each network adapter: for a network adapter connected to the Internet you should select the WAN type, and for a network adapter connected to the local area network the LAN type should be selected. As for Dial-Up (VPN, PPPoE) connections, UserGate Server defines their type automatically as a PPP interface (this type cannot be changed manually). For a Dial-Up (VPN) connection you can enter the user name and password by double-clicking on the corresponding interface. The network interface at the top of the interfaces list automatically becomes the primary Internet connection.


Network traffic calculation in UserGate

Traffic passing through UserGate is assigned either to the local area network user who initiates the connection, or to the UserGate server itself if it initiates the connection. For UserGate server traffic there is a special predefined user, UserGate Server, in the statistics database. UserGate Server traffic includes Kaspersky and Panda antivirus updates, DNS name resolution through the DNS-forwarding module, and BrightCloud requests and responses.

When the types (LAN or WAN) of all UserGate server network adapters are specified correctly, traffic in the direction “local network – UserGate Server” (for example, accessing a shared folder on the UserGate server) is not taken into account during traffic calculation.

Important note! Using third party antivirus or firewall products (with the function of checking the traffic) may seriously affect the correctness of UserGate traffic calculation. It’s not recommended to set up and use any third party network product on the computer where UserGate Server is installed.

Connection failover

If there are several Internet connections, the “Connection Failover” option becomes available on the “Interfaces” page. This option allows automatic switching of the UserGate Server to an alternative Internet connection if there is no connection through the primary channel.

To use the “Connection Failover” option you should specify the following: the primary Internet connection, one or several reserve channels and a list of “control hosts” (Fig. 3). UserGate will check the availability of the Internet connection by sending ICMP echo-requests (the ping command) to the specified hosts. The request period is 30 seconds by default and can be changed manually. The Timeout parameter defines how long UserGate server will wait for ICMP echo reply packets. If several “control hosts” are specified in “Connection Failover”, the UserGate Server will check them consecutively. A lack of response from all specified “control hosts” at the same time will be interpreted as a failure of the primary Internet connection. Therefore, it is recommended to specify the most stable Internet hosts as “control hosts”.


Figure 3. Connection Failover settings.

As a reserve connection UserGate Server can use either an Ethernet connection (dedicated channel, WAN interface) or a Dial-Up (VPN, PPPoE) connection (PPP interface). For Network Address Translation (NAT) rules to work with both the primary and the reserve Internet channel you should specify Masquerade as the destination in NAT rules. After switching to the reserve Internet connection, UserGate Server regularly checks the primary channel availability and, if possible, switches users back to the primary Internet connection.
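
The failover decision described above can be modelled in a few lines. This is an added example, not UserGate code: the interface names, control-host addresses, timeout value and the rule that a reserve channel is used only if it can reach a control host are assumptions made for illustration, and the probe function stands in for the ICMP echo request.

```python
"""Model of the Connection Failover decision logic (added example, not UserGate code)."""

# Constructed names: WAN1/PPP1 are hypothetical interfaces; the control hosts
# use addresses from the documentation ranges (RFC 5737).
PRIMARY = "WAN1"
RESERVES = ["PPP1"]
CONTROL_HOSTS = ["198.51.100.1", "203.0.113.1"]


class FailoverMonitor:
    def __init__(self, primary, reserves, control_hosts, probe,
                 period=30.0, timeout=2.0):
        if not control_hosts:
            raise ValueError("at least one control host is required")
        self.primary = primary
        self.reserves = list(reserves)
        self.control_hosts = list(control_hosts)
        self.probe = probe        # probe(channel, host, timeout) -> bool
        self.period = period      # request period: 30 s by default per the manual
        self.timeout = timeout    # assumed value; the manual states no default
        self.active = primary
        self.events = []          # (old channel, new channel, reason)

    def channel_up(self, channel):
        """Check the control hosts one after another; one echo reply is enough."""
        for host in self.control_hosts:
            if self.probe(channel, host, self.timeout):
                return True
        return False              # every control host stayed silent

    def _switch(self, channel, reason):
        if channel != self.active:
            self.events.append((self.active, channel, reason))
            self.active = channel

    def tick(self):
        """Run one check cycle; return the channel that is active afterwards."""
        if self.channel_up(self.primary):
            # Also covers the switch back once the primary channel recovers.
            self._switch(self.primary, "control host reachable via primary")
            return self.active
        for reserve in self.reserves:
            # Assumption: a reserve is used only if it reaches a control host.
            if self.channel_up(reserve):
                self._switch(reserve, "no control host answered via primary")
                return self.active
        return self.active        # nothing reachable: keep the current channel


def simulate(timeline):
    """Replay constructed reachability data, one set of (channel, host) per cycle."""
    up = set()
    monitor = FailoverMonitor(PRIMARY, RESERVES, CONTROL_HOSTS,
                              probe=lambda ch, host, timeout: (ch, host) in up)
    active = []
    for step in timeline:
        up.clear()
        up.update(step)
        active.append(monitor.tick())
    return active, monitor.events


A, B = CONTROL_HOSTS
# Constructed sample: which (channel, control host) pairs answer in each cycle.
SAMPLE_TIMELINE = [
    {("WAN1", A), ("WAN1", B), ("PPP1", A), ("PPP1", B)},  # everything answers
    {("WAN1", B), ("PPP1", A), ("PPP1", B)},               # one control host silent
    {("PPP1", A), ("PPP1", B)},                            # primary channel down
    {("PPP1", A), ("PPP1", B)},                            # still down
    {("WAN1", A), ("PPP1", A)},                            # primary restored
]

if __name__ == "__main__":
    channels, events = simulate(SAMPLE_TIMELINE)
    for cycle, channel in enumerate(channels, 1):
        print(f"cycle {cycle}: active channel {channel}")
    for old, new, reason in events:
        print(f"switched {old} -> {new}: {reason}")
```

In the second cycle a single silent control host does not trigger a switch, which is why the choice of stable control hosts matters: failover happens only when all of them fail to answer.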

Users and groups

To provide secure Internet access through UserGate, it is necessary to create user accounts. To simplify common administration tasks the UserGate administrator can create user groups according to their access levels. The most common way is to combine users into groups by access level, because it makes traffic management, for example setting a traffic consumption limit, much easier. By default there is only one group available in UserGate: the default group.

To create a new user, use the “Add new user” item or press the “Add” button on the Control Panel’s “Users and Groups” page. Then enter the settings as shown in Fig. 4: Name, Authorization type, Authorization parameter (IP address, login etc.), Group and Billing plan. By default all users belong to the default group. Each user must have a unique name. You can also specify the access level to UserGate Web-statistics, define an internal H323 phone number, and enable NAT rules, traffic-managing rules and/or “Application Firewall” module rules.

Figure 4. UserGate user profile

Each newly defined user inherits all settings of the group it belongs to, including the billing plan. The latter can be easily redefined in the user’s profile. The billing plan specified in each user’s profile is used for tariffing all connections (setting and monitoring the price of Internet traffic). You may use a blank tariff if the Internet connection is not rated.


User personal statistics page

Every UserGate user can view his statistics page (Fig. 5). The user can access it at http://usergate, if his browser is set to work through proxy, or at http://192.168.0.1:8080, where, for example, 192.168.0.1 is the local address of UserGate server, and 8080 is the port on which UserGate HTTP proxy works.

Figure 5. User personal page in UserGate

On this page the user can look through their statistics summary, open the UserGate Web-Statistics page or download the UserGate authorization client if needed.

Users authorization methods

Internet access through UserGate is provided only for authorized users. UserGate supports the following authorization methods:

• authorization by IP address (or IP address range)
• authorization by MAC address
• authorization by a combination of IP and MAC addresses
• HTTP authorization (Basic)
• authorization through name and password
• Windows Login authorization
• Active Directory authorization
• simplified version of Active Directory authorization

For the last four methods you should install UserGate Authorization Client on the user’s workstation. The corresponding MSI package (AuthClientInstall.msi) can be found in the “%UserGate%\tools” folder and can be installed automatically through Active Directory group policy tools. The “%UserGate%\tools” folder also contains the corresponding administrative template (*.adm file).

When Active Directory authorization is used, UserGate Server obtains the authorization parameters (login and password) from the Authorization Client, which is launched at the user workstation, and checks them through the domain controller.

If UserGate Server is installed on a computer that is not a member of an Active Directory domain, it is recommended to use the simplified version of Active Directory authorization. In this case UserGate Server will compare the login and domain name received from the Authorization Client with the corresponding fields specified in the user profile, without querying the domain controller.

Terminal users support

Along with the basic HTTP authorization support, UserGate Server also supports terminal user HTTP authorization. You can enable this option on the “General Settings” page in the Administration Console (Fig. 6). This method of authorization allows terminal users to connect to the Internet using their individual UserGate accounts by means of a username and password for each connection.


Figure 6. Terminal users support

The “HTTP authorization for terminal users” mode is useful if you need to run several network applications on a single computer under different UserGate accounts. To do so, enter the appropriate proxy server (HTTP, Socks 5) address, port and authorization parameters (username/password) for each network application.

Using HTTP authorization with transparent proxy

UserGate v.5 also adds an HTTP authorization method for the transparent proxy. If the user’s browser is not set to use a proxy server and the UserGate HTTP proxy transparent mode is enabled, all requests from unauthorized users will be forwarded to an authorization page where you have to specify your username and password.

After authorization, please do not close the page. The authorization page is refreshed regularly by a special script to keep the user session active, which makes all UserGate services, including NAT, available to the authorized user. To end the session, press the Logout button on the Authorization page.

Important note! Terminal users are not supported by this authorization method.

Using Authorization Client

UserGate Authorization Client is a network application that works at the Winsock level. It

connects to UserGate Server using a predefined UDP port (5456 by default) and sends user authorization

parameters: the authorization type, username and password.

In the Authorization Client settings you should specify (Fig. 7) UserGate server IP address and

port, authorization type and the corresponding parameters (username/password) as it is specified in the

user profile.

During the first start, UserGate Authorization Client checks the Registry key “HKCU\Software\Policies\Entensys\Auth client” for settings obtained through Active Directory group policy. If these settings are not found in the Registry, you should specify the UserGate Server address manually on the third tab of the Authorization Client. After defining the server address, press the “Apply” button to check the server availability. The specified Authorization Client settings are stored in the Registry key “HKCU\Software\Entensys\Auth client”. The Authorization Client log is saved in the “Documents and Settings\%USER%\Application data\UserGate Client” folder.

Figure 7. Authorization Client settings

UserGate Authorization Client shows received/sent bytes statistics, time spent online and the cost.

In addition to the Authorization Client there is a link on the user’s personal page. You can also change the

Authorization Client’s skin by editing the *.xml template located in the client’s parent folder.

Important note! Authorization Client is not supported for Terminal users.

UserGate services settings

DHCP settings

DHCP service (Dynamic Host Configuration Protocol) automates the task of network settings

configuration for LAN clients. With DHCP server you can dynamically assign such parameters as IP

address, network mask, default gateway, DNS etc. for all network devices.

To enable the UserGate DHCP server, select the “Services – DHCP Server – Add interface” item in the UserGate Administration Console or press the “Add” button in the Control Panel. In the dialog that appears, select the network interface on which the DHCP server will work. For a minimal DHCP server configuration it is enough to set the following parameters: the IP address range (address pool) from which the server hands out addresses to LAN clients, the network mask and the lease time. The maximum pool size in UserGate is 4000 addresses. You can exclude some IP addresses from the address pool by using the “Exclusion” list. You can also attach a permanent IP address to a particular network device by creating a corresponding reservation. To create a new reservation, enter the IP address only; the MAC address will be determined automatically when you press the corresponding button.

Figure 8. DHCP server settings

UserGate DHCP server supports import of MS Windows DHCP server settings. To use this feature, dump the Windows DHCP settings to a file: launch the command prompt (Start – Run – “cmd”) and type: netsh dhcp server IP dump > file_name, where IP is your DHCP server’s IP address. Import from the file can be performed through the corresponding button on the first page of the DHCP server wizard.

Already delivered IP addresses are shown in the lower part of “DHCP” page of the

Administration Console (Fig. 7) along with the client information (workstation name, MAC address) and

lease time values. By selecting a delivered IP address you can create a user profile, create IP-MAC

reservation or remove the given IP address.

Figure 9. Remove the issued IP address

The removed IP address will be returned to the DHCP server’s pool of free addresses after a certain period of time. The “Remove client” option is useful when a workstation has received an IP address and is later taken offline.

Proxy service settings

There are several proxy servers included in UserGate Server: HTTP proxy (supports FTP over

HTTP and HTTPS) and FTP proxy, SOCKS4, SOCKS5, POP3 and SMTP, SIP and H323. Proxy server

settings are located in “Services – Proxy Settings” of the Administration Console. The most important

settings are: interface (Fig. 10) and the number of the port where UserGate server is running.

Figure 10. Proxy server primary settings

If an interface is not specified in the proxy settings, the server will listen on all available network interfaces. By default, only the HTTP proxy is enabled, and it listens on TCP port 8080 on all available network interfaces.

To set the client browser to work through the proxy, specify the proxy address and port in the corresponding browser settings. For example, in Internet Explorer you can do this through “Tools – Internet Options – Connection – LAN Settings”. When working through an HTTP proxy specified in the browser settings, you do not need to specify the gateway and DNS in the TCP/IP settings of the local area network connection on a user workstation. For each proxy server you can specify an upstream proxy server.

Important note! Port, specified in the proxy server settings, is opened automatically in the UserGate

firewall. In order to ensure the higher security it’s recommended to specify only local network interfaces

in the proxy settings.

SIP protocol support

UserGate v.5 can operate as a stateful SIP proxy and as a SIP Registrar. Both functions can be

enabled in “Services – Proxy Settings” page. UserGate SIP proxy always works in transparent mode

listening to ports 5060 TCP and 5060 UDP. When working through UserGate SIP-proxy the information

about the current connection state (registration, call, waiting, etc) is shown on “Sessions” page in the

Administration Console. This information is also saved in the UserGate statistics database.

In order to work through the UserGate SIP proxy you should specify the UserGate Server IP as the default gateway in the TCP/IP settings on the user’s workstation. In addition, a DNS server address must be specified.

Let us illustrate client side settings for SJPhone software phone and Sipnet.ru SIP provider as an

example. Start SJPhone, right-click on its icon in the system tray, choose “Options” item and “New” on

profiles page. Enter profile name (Fig. 11), for example “sipnet.ru”, specify “Calls through SIP Proxy”

as a profile type.

Figure 11. SJPhone profile creation

On the “SIP Proxy” page specify your SIP provider address. In this example it is “sipnet.ru”. When closing the “Profiles option” dialog, enter your username and password for the SIP provider in the dialog that appears.

Figure 12. SJPhone profile settings

UserGate SIP Registrar

UserGate server can operate in SIP Registrar mode. In this mode UserGate works as a PBX (Private Branch Exchange) for the local area network. The SIP Registrar function works simultaneously with the SIP proxy function. To authorize on the UserGate SIP Registrar, specify the following:

• UserGate address as SIP server address

• UserGate user name (without spaces)

• Any password

H323 protocol support

Built-in H323 protocol support enables you to use UserGate Server as an H323 Gatekeeper. In the H323 proxy settings you need to specify the interface on which UserGate will listen for client queries, the port number, and the H323 gateway address and port. For authorization on the UserGate H323 Gatekeeper, the user should specify his user name (user name in UserGate), password (you can specify any password) and phone number (defined in the user’s profile).

UserGate mail proxies

UserGate mail proxies are designed to support both the POP3 and SMTP protocols, as well as to scan mail traffic for viruses. When the UserGate POP3 and SMTP proxies work in transparent mode, the mail client settings on a user’s workstation are the same as if it were connected directly to the Internet (without proxies).

If the UserGate POP3 proxy is used in non-transparent mode, you should specify, in the user’s mail client, the UserGate server IP address and port that correspond to the POP3 proxy as the POP3 server address. In addition, you need to specify the login for the remote POP3 server authorization in the following format: e-mail_address@POP3_server_address. For example, if the user e-mail is [email protected], you should enter [email protected]@pop.mail.ru as the login for the UserGate POP3 proxy. This format is necessary for UserGate to detect the remote POP server address.

If UserGate SMTP proxy is used in a non-transparent mode, you need to specify the SMTP server

IP address and port in the proxy settings section. In this case you enter the UserGate Server IP address

and port that correspond to the SMTP proxy as the SMTP server address in the mail client settings of the

user workstation.

If authorization is needed for sending mail, please enter the username and password that

correspond to the SMTP server shown in the UserGate SMTP proxy settings.

Proxies in transparent mode

The “Transparent Mode” option in the proxy server settings becomes enabled if UserGate Server is installed along with a NAT driver. In transparent mode the UserGate NAT driver listens on the standard ports, such as 80 TCP for HTTP, 21 TCP for FTP, 110 and 25 TCP for POP3 and SMTP, on the LAN network interfaces and sends users’ requests to the corresponding proxy in UserGate. When transparent mode is enabled, it is not necessary to specify the proxy server address and port in each network application, which considerably decreases the administrator’s effort in providing LAN-to-Internet access. However, you need to specify UserGate Server as the gateway and specify a DNS server in the settings of each LAN workstation.

Parent proxies

UserGate Server can work either with a direct Internet connection or through upstream or parent

proxies. UserGate supports the following parent proxy types: HTTP, HTTPS, Socks4 and Socks5. You

can create parent proxies on “Service – Parent Proxy” page. For each parent proxy you should specify:

its type, IP address and port. If the parent proxy supports authorization, you can specify the corresponding

login and password. All created parent proxies become available in the UserGate proxy server settings.

Figure 13. Parent proxy in UserGate

Port mapping

Port mapping support is available in UserGate. Port mapping rules instruct UserGate Server to redirect user requests from specific ports of a UserGate workstation network interface to the addresses and ports specified by the rules. Port mapping is already enabled for the TCP and UDP protocols and does not require a UserGate NAT driver to be installed.

Figure 14. UserGate ports definition

Important note! If port mapping is used to provide access to a company’s internal resource from the Internet, you should use “Specified User” as the “Authorization setup” parameter.

Cache settings

An important purpose of a proxy server is resource caching, which reduces the Internet connection

load and greatly increases the speed of access to commonly visited resources. UserGate proxy implements

both HTTP and FTP traffic caching. Cached documents are saved in the “%UserGate%\Cache” folder.

On the “Cache” page in Administration Console you may specify the Cache size limit and the document

storage lifetime. You can also enable option “Calculate traffic from cache”. With this option enabled

UserGate server will calculate traffic from cache and assign it to LAN user as if a web-page was taken

from the Internet.

Antivirus scanning

There are two antivirus modules integrated in UserGate Server: Kaspersky Lab and Panda

Security. Both modules are assigned to scan incoming traffic through UserGate HTTP, FTP and mail

proxies, as well as outgoing traffic through SMTP proxy.

Antivirus settings are available on the “Services – Antivirus” page in the Administrator console (Fig. 15). You can specify the protocols for each antivirus to scan, set the antivirus database update frequency and enter URLs that do not need to be checked (URL Filter). You can also specify a group of users whose traffic does not need to be scanned for viruses.

Figure 15. UserGate antivirus modules

Before running the antivirus, you need to start the antivirus database update and wait for the update to complete. By default, the Kaspersky antivirus updates are downloaded from the Kaspersky Lab FTP site, whereas Panda antivirus updates are downloaded from http://www.entensys.com.

UserGate Server supports both antivirus engines working simultaneously and allows you to

choose the protocols to be scanned by each antivirus, as well as traffic scan directions for each protocol if

it’s checked by both antiviruses.

Important note! When traffic scanning for viruses is enabled, UserGate Server blocks HTTP and FTP multithreaded downloads. Blocking the transfer of a part of a file through HTTP may cause problems with the Windows Update service.

UserGate Scheduler

There is a task scheduler built into UserGate, which enables Dial-Up connection initialization and

release, statistics reports delivery to users, arbitrary task executions, antivirus updates and statistics base

cleaning.

Even nonstandard tasks can be performed on schedule such as launching special kinds of *.bat or

*.cmd files using “Execute Program” in UserGate Scheduler.

Figure 16 Setting UserGate scheduler

DNS settings

UserGate supports two methods of name resolution: the DNS module and a NAT rule. The DNS module is used with all UserGate services: proxy servers, BrightCloud URL-filtering, antivirus, etc. This module is designed to handle DNS queries of different types, such as A, MX, PTR, and it also supports recursive queries. Communication with UserGate services is performed on the Winsock level. By default, the DNS module listens on UDP port 5458. Moreover, the DNS module can use the DNS servers specified in the server network settings or use the given DNS servers from a list. If there are several DNS servers specified, UserGate chooses among them based on response time, so if a certain DNS server doesn’t provide a timely response, UserGate automatically calls other servers.

For resolving user DNS queries there is DNS forwarding mode. DNS forwarding settings are

available in “Services - DNS forwarding” section of the Administrator console. In the forwarding mode

DNS listens to 53 UDP port on UserGate server LAN adapters. DNS queries coming from the WAN

adapters are ignored.

Responses to DNS queries are cached in the server memory, so name resolution is greatly sped up. In addition, the DNS module watches for changes in the “%WINDIR%\system32\drivers\etc\hosts” file and puts its records into its own cache. All records from the hosts file are kept in the DNS module’s cache memory for as long as the server is running.

Figure 17. DNS settings

A NAT setup creates a NAT rule for port 53 UDP, which can be applied to all or some users. In

this case you should specify the “Internet provider’s DNS IP” as the DNS server on client workstation.

Alert Manager

The purpose of the “Alert manager” module is to inform a UserGate administrator about certain events that have happened on UserGate Server. For example, you can create a virus detection alert, an antivirus module error alert or a “license expired” alert. The alert is delivered by e-mail through the SMTP server specified in “Delivery Settings”.

Figure 18 Setting Alert manager

UserGate Firewall

Principle of operation

UserGate’s built-in Firewall, being a part of UserGate’s NAT driver, is designed to handle

network traffic according to predefined rules sets. In Firewall rule you need to specify source and

destination addresses, service (protocol-port pair) and action: “Send” or “Drop”. Firewall rule type is

defined automatically according to specified parameters. UserGate supports the following rule types:

network translation rule (NAT), Routing, and Firewall itself (FW).

In the default settings only one firewall rule is available (the #NONUSER# rule), which permits or silently drops all outgoing network traffic that does not come from the UserGate server process and all unexpected incoming traffic. If you enable “Drop” mode for the #NONUSER# rule, UserGate Firewall will block all incoming and outgoing packets except transit packets. This is the most secure setting for UserGate if it is installed on a separate PC working as a gateway only.

However, sometimes UserGate is installed on a workstation that works as an Internet gateway at the same time. In this case you should create permissive Firewall rules. These rules will be placed above the #NONUSER# rule. When UserGate server accepts a network packet, it looks through the firewall rules in order to decide whether it should send or drop this packet. All firewall rules are scanned in sequence from top to bottom of the firewall rules list. When UserGate finds the first applicable firewall rule for the given network packet, it skips the rest of the rules. By changing a firewall rule’s position in the rules list, the UserGate Administrator may change its priority during scanning.

UserGate services, such as proxy servers and port mapping rules, generate so-called automatic permissive Firewall rules. For example, when you turn on the HTTP proxy, the built-in Firewall will automatically create a corresponding permissive rule to maintain the proxy operation. Automatic firewall rules are not shown in the rules list; you can remove them only by disabling the corresponding proxy or port mapping rule. Nevertheless, the UserGate administrator can block a permissive automatic rule by creating an appropriate prohibitive rule and placing it at the top of the rules list.
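The first-match scan and the hidden automatic rules described above can be modelled to check what a proxy left on all interfaces exposes on the WAN side. This is an added example, not UserGate code; the interface names, rule names and the assumption that listed rules are checked before the hidden automatic ones are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"  # wildcard used by this model for "any interface" / "any protocol"


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on ("LAN"/"WAN" are constructed names)
    proto: str      # "TCP" or "UDP"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "Send" or "Drop", the two actions the manual names
    iface: str = ANY
    proto: str = ANY
    dst_port: Optional[int] = None   # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (self.iface in (ANY, pkt.in_iface)
                and self.proto in (ANY, pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


def automatic_rules(proxies: List[dict]) -> List[Rule]:
    """One hidden permissive rule per enabled proxy; no 'iface' key means all interfaces."""
    return [Rule("auto:" + p["name"], "Send", p.get("iface", ANY), "TCP", p["port"])
            for p in proxies]


def evaluate(pkt: Packet, listed: List[Rule], auto: List[Rule],
             nonuser_action: str = "Drop") -> Tuple[str, str]:
    """Return (action, rule name) of the first applicable rule, scanning top to bottom.

    Modelling assumption: listed rules are checked before the hidden automatic
    ones, and #NONUSER# is the final catch-all.
    """
    for rule in list(listed) + list(auto):
        if rule.matches(pkt):
            return rule.action, rule.name
    return nonuser_action, "#NONUSER#"


def wan_exposed_ports(listed: List[Rule], auto: List[Rule], ports: List[int],
                      wan_iface: str = "WAN") -> List[int]:
    """Ports from `ports` that a TCP packet arriving on the WAN side can reach."""
    return [p for p in ports
            if evaluate(Packet(wan_iface, "TCP", p), listed, auto)[0] == "Send"]


# Constructed scenario: HTTP proxy with default settings (port 8080, no interface set).
DEFAULT_PROXY = [{"name": "HTTP", "port": 8080}]
LAN_ONLY_PROXY = [{"name": "HTTP", "port": 8080, "iface": "LAN"}]
BLOCK_WAN = Rule("drop-proxy-from-WAN", "Drop", "WAN", "TCP", 8080)
ALLOW_ANY = Rule("allow-8080-anywhere", "Send", ANY, "TCP", 8080)

if __name__ == "__main__":
    auto = automatic_rules(DEFAULT_PROXY)
    print("default proxy, no listed rules:", wan_exposed_ports([], auto, [8080, 3128]))
    print("prohibitive rule on top:       ", wan_exposed_ports([BLOCK_WAN], auto, [8080]))
    print("prohibitive rule placed second:", wan_exposed_ports([ALLOW_ANY, BLOCK_WAN], auto, [8080]))
    print("proxy bound to LAN only:       ",
          wan_exposed_ports([], automatic_rules(LAN_ONLY_PROXY), [8080]))
```

The third case shows why the prohibitive rule has to sit at the top of the list: a broader permissive rule above it wins the first-match scan.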

Network Address Translation rules (NAT)

To create a new network address translation rule (Fig. 19) right-click on “Firewall Rules” page in

Administrator console and select “Add rule” item. Select UserGate LAN adapter as a source and one of

WAN or PPP interfaces as a destination, specify one or several services. On the last page you should

specify which users or groups are allowed to work through this NAT rule.

Figure 19. UserGate NAT rule creation

If a required service (protocol/port pair) is absent in the predefined services list, you can add it through

“New service” button or through “Services” page in Administration Console.

Important note! Before working through UserGate NAT, make sure that the UserGate LAN IP address is specified as the default gateway on the user’s workstation. In addition, when a user works through NAT, the workstation must resolve domain names itself, so a DNS server must be specified on the user’s workstation.

Working with multiple Internet service providers

UserGate NAT driver supports simultaneous work with several external (Internet) connections.

For this purpose UserGate administrator can create several NAT rules sets with different destination

interfaces (WAN or PPP) (Fig. 20). Using this approach UserGate administrator can provide different

Internet providers for different groups of users in local area network. Applying two translation rule sets

for the same user or group is not recommended.

Figure 20. Working with multiple providers

Masquerade for NAT rules

In the presence of several external interfaces (WAN or PPP), the UserGate administrator may choose “Masquerade” as a destination address in a NAT rule. The Masquerade function is used when the outgoing network interface used for packet transfer is not known beforehand. This choice means that the outgoing network interface will be determined dynamically by comparing the destination host network address with the network address of all UserGate WAN or PPP interfaces. If the network address of a destination host does not match any WAN or PPP interface, the packet will be sent through the Primary Internet channel. In addition, the Masquerade function may be used for translation of network packets within several external networks.

Figure 21 Automatic choice of the outgoing adapter in the NAT rules

Important note! While using the Connection Failover, the automatic outgoing interface selection option

in NAT rules is disabled. All NAT rules traffic with the Masquerade, specified as a destination, will go

through reserve Internet connection.
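The Masquerade selection and the failover override described above, written out as an added example (not UserGate code) so an administrator can predict which provider a given destination will leave through. The interface names, addresses and the function name are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def pick_outgoing(dst: str, ext_ifaces: Dict[str, str], primary: str,
                  failover_active: bool = False,
                  reserve: Optional[str] = None) -> Tuple[str, str]:
    """Return (interface name, reason) for a packet matched by a Masquerade NAT rule.

    ext_ifaces maps each WAN/PPP interface name to its address in CIDR form.
    """
    if failover_active:
        # With Connection Failover in use, automatic selection is disabled.
        if reserve is None:
            raise ValueError("failover is active but no reserve connection is defined")
        return reserve, "failover: automatic selection disabled"
    addr = ipaddress.ip_address(dst)
    for name, cidr in ext_ifaces.items():
        # ip_interface accepts a host address with a prefix and yields its network.
        net = ipaddress.ip_interface(cidr).network
        if addr.version == net.version and addr in net:
            return name, "destination is inside " + str(net)
    return primary, "no interface network matched: primary channel"


def egress_plan(destinations: List[str], ext_ifaces: Dict[str, str], primary: str,
                **kwargs) -> Dict[str, str]:
    """Map each destination to the interface its Masquerade traffic would use."""
    return {d: pick_outgoing(d, ext_ifaces, primary, **kwargs)[0] for d in destinations}


# Constructed sample: two external interfaces using documentation address ranges.
EXT_IFACES = {"WAN1": "203.0.113.10/24", "PPP1": "198.51.100.5/30"}
SAMPLE_DESTINATIONS = ["203.0.113.200", "198.51.100.6", "192.0.2.44"]

if __name__ == "__main__":
    for dst in SAMPLE_DESTINATIONS:
        print(dst, "->", pick_outgoing(dst, EXT_IFACES, primary="WAN1"))
    print(egress_plan(SAMPLE_DESTINATIONS, EXT_IFACES, "WAN1",
                      failover_active=True, reserve="WAN2"))
```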

Network resources publishing

With UserGate Firewall you can open access to your company internal network resources from the

Internet; for example to Web-, FTP- and VPN-server or to a mail server. If resource publishing rule is

created all requests to a certain port of UserGate server external IP will be redirected to the internal server

according to the rule. The access to internal resource can be provided for all (source - Any) or for

specified Internet users (source – Host or Host range). In order to create a resource publishing rule you

need to specify only one service on “Services” page (Fig. 22) in “Add Network Rule” dialog.

Figure 22. FTP server publishing

Firewall filtering rules

It is a common practice when UserGate is installed on a PC which is used both as an Internet

gateway and as a workstation at the same time. If the #NONUSER# firewall rule is working in “Drop”

mode, it is necessary to create several special permissive firewall rules. For example, these rules can

permit outgoing requests and incoming responses for such basic protocols like HTTP, HTTPS, FTP,

POP3 and SMTP. An example of such rules is shown in Figure 23.

Figure 23. UserGate Server firewall rule

Routing support

If UserGate server is installed on a PC connected to several local area networks, UserGate can be

set up to act as a router providing transparent bidirectional connections between local networks. Firewall

routing rule can be set up between any pair of LAN interfaces (Fig. 24).

Figure 24. UserGate routing

Important note! UserGate authorization is not required for routing, and traffic count is not monitored.

UserGate speed limitations

UserGate supports two methods to limit network traffic speed. The simplest method is to set a traffic speed limit through a user profile or through a traffic rule (“Speed – Set up Speed”). This method is not universal because it restricts only incoming traffic speed for all connections, with no way to distinguish between protocols or destination addresses and ports. This limitation mechanism works for proxy services and for NAT traffic. With this method you cannot restrict traffic speed for a group of users.

The second method to limit network traffic speed in UserGate is to use “Traffic Manager”(TM)

module. This method is more sophisticated and provides more possibilities for speed limitation. For

example you can make different restriction for incoming and outgoing traffic for different protocols.

Important note! When “Traffic Manager” is enabled all traffic speed limitations specified either in

user’s profile or in traffic rules are ignored.

Traffic Manager

UserGate “Traffic Manager”(TM) module is based on a well-known CBWFQ (Class-Based

Weighted Fair Queuing) algorithm. This algorithm provides network packets processing using FIFO

(First In First Out) queues based upon queue priority and packet classification. A part of the algorithm is

WFQ (Weighted Fair Queuing), when FIFO packet queues are processed by priorities and weight (size)

of packets. Also the algorithm of TM includes the “Shaper” functionality (restriction of a bandwidth for a

rule). Shaper also is processing queues by the priority. The other options are: Speed limit and Time delay.

Figure 25 Traffic Manager rules for setting speed limits

There are two types of rules in the TM module: adapter rules, or default rules, and user rules. Default rules are designed for processing network packets that do not match any user TM rule, or for processing all network packets when there are no user TM rules defined. Default rules are created automatically for each WAN adapter of UserGate server. Default rules should be turned on to provide TM operation. User rules are designed to handle a specific traffic type. The following parameters are accessible for a TM user rule:

• Rule priority

• Traffic direction (incoming/outgoing),

• Maximum bandwidth value allowed (Kbps or Mbps),

• Packet delay (ms),

• Protocol (TCP/UDP/ICMP),

• Source IP and port,

• Destination IP (as an IP/mask) and destination port,

• Adapter to process the traffic by Bandwidth Manager.

Important note! The “Time Delay” parameter is designed for delaying network packets if their traffic

doesn’t fit into the specified bandwidth.

The priority of a TM rule defines which FIFO queue will be used for packet processing. There are 8 priority queues defined: 4 absolute priority queues (HIGH, MEDIUM, NORMAL and LOW) and 4 queues with relative priority. Manageable traffic speed limiting is provided only for rules with relative priorities. According to the speed limit specified, a packet can be sent to the outgoing buffer, moved to the beginning of the queue (if the “Time Delay” parameter is specified) or rejected. Queues with an absolute priority are intended for privileged traffic processing. If needed, this traffic can fill all the bandwidth of the dedicated Internet channel. There is only one parameter that the administrator can use to affect privileged traffic processing: the absolute rule priority.

When creating the user TM rule the machine address in the local network can be specified as a

source. As a destination address you should always specify an external host or external network address.

To restrict NAT traffic speed it’s recommended to bind a user TM rule to the UserGate server LAN adapter, because in this case the source address does not need to be specified (the traffic speed limitation will be applied to all users). The traffic speed limit can be made individual by specifying the source IP address or IP address range.

To restrict traffic speed through proxies it’s recommended to bind the user TM rule to UserGate

WAN adapter without specifying the source address. Traffic speed limit through proxy can be set only for

all local network users. When creating TM user rule, please take into account the following:

• Traffic Manager is intended for traffic speed limiting for directions “Server ↔ Internet” and

“Local Network ↔ Internet”.

• If a network packet matches more than one limiting rule, Traffic Manager chooses only the first suitable rule.

• Traffic Manager does not support Dial-Up connections.

A network packet which does not match any user TM rule will be handled by the default rule.

There are two parameters specified in the default TM rule: speed limit (Kbps or Mbps) and priority. The

speed limit specified in the default TM rule is assumed to be the same for both incoming and outgoing

network traffic.

Application Firewall

Internet access management policy is a logical continuation of the Application Firewall. With UserGate Server a system administrator can manage Internet access for both users and network applications on a client workstation. To control client workstation applications in a local network, it is necessary to install the App. Firewall Service application. It can be installed either by using the executable file or by launching the MSI package (AuthFwInstall.msi) located in the “%UserGate%\tools” directory.

Network application management is performed on the basis of administrator-defined rules applied to a user or to a group of users. There are two types of rules in Application Firewall: default rules

and users’ rules. Any workstation with Application Firewall Service installed can get default rules under

the following conditions:

• Application Firewall service detects UserGate Server,

• A set of default rules was created.

Since all Application Firewall rules should belong to a certain rules group, a special Default rules folder

is assigned to store the default rules. A UserGate administrator can also create groups for User rules.

Initially, UserGate has only one default rule, which allows any user network application to access any IP address using any protocol. It is recommended to use this rule at the beginning of Application Firewall setup to gather application usage statistics.

Application Firewall service obtains the User rules set only after the user authorization on

UserGate Server. A user can be authorized using Authorization Client or without it by using the address

of its workstation (IP address, MAC address or both). User rules can supplement or forbid the default

rules. When Authorization Client is used, Application Firewall creates a logical link between a Windows

and UserGate profile for the authorized user. Changing the Windows account when Authorization Client

is running will cancel all user’s rules operation. Application Firewall does not support HTTP

authorization. Application Firewall policy with default settings is defined as the following:

a) If UserGate Server is unavailable, all the network applications are allowed.

b) If UserGate Server is available, only local access of network applications and services is allowed.

The network application statistics of Application Firewall are stored in the user workstation’s local folder %Program Files%\Entensys\Application Firewall\Cache and are sent periodically (approximately every 10 minutes) to UserGate Server. The sending interval is defined by the Registry parameter SendStatistics (HKLM\Software\Policies\Entensys\Application Firewall). Caching of rules is also built into the Application Firewall. If UserGate Server is temporarily unavailable, the Application Firewall service works according to the rules written in the local cache during the updating time (UpdateRules Registry parameter). By default the rules are updated every 5 minutes.

User application statistics are available in “Application Firewall – Statistics”. User and

workstation information, and network application information is shown on Figure 26.

Figure 26. Network application statistics

UserGate administrators can create an application rule by double-clicking on the corresponding line on

the Application history page.

UserGate cache explorer

Cache Explorer (Fig. 27) allows viewing the cached content stored by UserGate. To start Cache

Explorer, right-click the UserGate Agent icon in the system tray and then click the Run Cache Explorer

menu item. Alternatively, click the corresponding item in the Windows Start menu. When starting

Cache Explorer you need to specify the location of the file cache.dat (UserGate cache file). Using the Cache

Explorer interface you can search, sort and filter the cached content. Finally, you can select any files in the

list and then save them to a folder of your choice.

Figure 27. Cache explorer

UserGate traffic management

Traffic management rules

UserGate Server enables you to manage Internet access by using the traffic management rules.

These rules can forbid user access to certain network resources, set up traffic consumption limits, create

Internet scheduling and track user accounts. Traffic management rules are arranged in the form of an

action to be performed on a certain object. There are 4 object-action pairs defined in UserGate:

“Connection – Close”, “Traffic – Don’t count”, “Tariff – Change” and “Speed – Set up”. For a traffic

management rule to execute, you need to define the rule’s condition: time of day, day of week, URLs

(IP), traffic limit (per day, week or month), etc. Defined conditions may be combined using logical

“AND/OR” operators, which gives flexibility when creating rules. Rules can also be

applied either to all protocols or to particular ones only. Rules that you create must be

applied to users or user groups in UserGate.

Internet access restriction

Internet access restriction is a typical task of a proxy server. For this purpose there are

“Connection – Close” rules in UserGate. Working with the proxy server (HTTP, FTP), you may specify

the resource domain name (URL) as well as its IP address. UserGate Server can implement filtering by a

URL fragment (“Whole URL” item), by address part (“Server address” item) or by document address

(“Document URL” item).

Figure 28. URL filtering settings

When specifying an IP address you may specify it as a “Source” or as a “Destination” address.

The “Inverse” option means all IP addresses except those specified. Please note that if you need to forbid

access to some external hosts for NAT traffic you should specify their IP addresses rather than domain

names, because UserGate NAT does not work with domain names.

Important note! For a created rule to take effect, it must be applied to UserGate users or groups.
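The three URL scopes and the IP options described above can be modelled as follows. This is an added example, not UserGate's own code: the scope names come from the dialog items in the manual, while the substring matching, the function names and the sample requests (documentation address ranges) are assumptions. It shows why a host blocked by name through the proxy still needs an IP rule for NAT traffic.

```python
import ipaddress
from urllib.parse import urlsplit

# Scope names follow the manual's dialog items; substring matching is an
# assumption made for this illustration.
def url_part(url, scope):
    """Return the part of the URL that the given filter scope inspects."""
    parts = urlsplit(url)
    if scope == "Whole URL":
        return url.lower()
    if scope == "Server address":
        return (parts.hostname or "").lower()
    if scope == "Document URL":
        return (parts.path + ("?" + parts.query if parts.query else "")).lower()
    raise ValueError("unknown scope: " + scope)

def url_rule_matches(url, fragment, scope):
    return fragment.lower() in url_part(url, scope)

def ip_rule_matches(request, network, field, inverse=False):
    """field is 'Source' or 'Destination'; inverse means 'all except'."""
    addr = ipaddress.ip_address(request[field])
    return (addr in ipaddress.ip_network(network)) != inverse

def close_connection(request, url_rules, ip_rules):
    """True if any rule matches. NAT traffic has no URL, so only IP rules apply."""
    url = request.get("url")
    if url and any(url_rule_matches(url, f, s) for f, s in url_rules):
        return True
    return any(ip_rule_matches(request, n, fld, inv) for n, fld, inv in ip_rules)

# Constructed sample rules and requests.
URL_RULES = [("ads.", "Server address"), (".exe", "Document URL")]
IP_RULES = [("203.0.113.0/24", "Destination", False)]
PROXY_REQ = {"url": "http://ads.example.com/banner.gif",
             "Source": "192.168.0.10", "Destination": "198.51.100.7"}
NAT_BY_NAME = {"url": None, "Source": "192.168.0.10", "Destination": "198.51.100.7"}
NAT_BY_IP = {"url": None, "Source": "192.168.0.10", "Destination": "203.0.113.9"}
```

In this model the proxy request to ads.example.com is closed by the name rule, the NAT connection to the same server address (198.51.100.7) is not, and only the NAT connection to an address covered by the IP rule is closed.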

BrightCloud URL filtering

In the context of our technological partnership with BrightCloud Inc, we integrated the hosted

BrightCloud service and the BrightCloud Master Database into UserGate. A UserGate administrator can

forbid access to sites having certain content without even knowing those sites’ names. Additionally, it is

possible to get a report from UserGate Statistics about the site categories visited, e.g. Ads, Education,

News, etc. Using site categories allows a more flexible Internet access management policy.

Categorized filtering is available for UserGate proxy services working in both transparent and

non-transparent modes and for NAT traffic. For NAT traffic, categorized filtering is available only if

the user’s DNS requests go through the “DNS forwarding” module in UserGate.

To deny access to particular categories (Fig. 29), open “Traffic policy – Traffic rules” page,

create a “Connection – Close” rule and specify the unwanted category on the fifth page of the rule

creation dialog.

Figure 29. Categorized filtering rules

Setting a traffic consumption limit

You may apply the “Connection – Close” traffic management rules not only to prohibit certain Internet

resources but also to limit traffic consumption. In this case you may specify a

maximum value of incoming/outgoing (or total) traffic per day, week or month as the condition (Fig. 30).

Figure 30. Traffic limit

If a traffic consumption limit is applied to a user, Internet access will be blocked completely or

partially (depending on additional parameters, e.g. protocols to which the rule is applied) as soon as the

limit is exceeded.

File size restriction

UserGate traffic management rules also enable an administrator to restrict the downloading of

files larger than the maximum size specified. This option is available in rules with the “OR” logical type

and can be applied to HTTP proxy traffic only.

Content-type filtering

The HTTP proxy in UserGate can filter traffic by the Content-type field, which is included in the

header of a response to a user from a web server. The Content-Type header field is used to specify the

nature of the data (and its format) in a web-server response: whether it is audio or video content, an image

(e.g. jpg, png etc.), or a document (MS Word, MS Excel). The Content-type header field is analyzed by

UserGate and the corresponding content can be either blocked or allowed depending on the traffic rules

set by an administrator. Filtering by Content-type field can be used to block access to certain data types

and formats like video or audio files, disable JavaScript or prevent documents of a specific extension

from being transferred over the network.

Figure 31. HTTP filtering by Content-type

The content-types list is stored in a special *.xml file located in the

“%UserGate5%\Administrator” folder. The UserGate administrator can add new content-types either in this

*.xml file or through the Administration Console. A link to iana.org is provided for this purpose.
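The Content-type matching described in this section, sketched as an added example (not UserGate's implementation): the `type/*` wildcard form, the `block_unknown` switch and the sample responses are assumptions constructed for illustration. It shows that the decision rests entirely on the type the web server declares, so header case and parameters must be normalised and a generic or missing type is not caught by the list.

```python
def parse_content_type(header_value):
    """Return the lower-cased 'type/subtype' without parameters, or None."""
    if not header_value:
        return None
    media = header_value.split(";", 1)[0].strip().lower()
    if media.count("/") != 1 or media.startswith("/") or media.endswith("/"):
        return None
    return media

def type_matches(media, pattern):
    """pattern is 'type/subtype' or 'type/*' (the wildcard form is an assumption)."""
    p_type, p_sub = pattern.lower().split("/", 1)
    m_type, m_sub = media.split("/", 1)
    return p_type == m_type and p_sub in ("*", m_sub)

def decide(response_headers, blocked_patterns, block_unknown=False):
    """Return 'block' or 'allow' for one HTTP response."""
    # HTTP header names are case-insensitive.
    value = next((v for k, v in response_headers.items()
                  if k.lower() == "content-type"), None)
    media = parse_content_type(value)
    if media is None:
        # Missing or malformed header: the type list cannot classify it.
        return "block" if block_unknown else "allow"
    if any(type_matches(media, p) for p in blocked_patterns):
        return "block"
    return "allow"

# Constructed block list and sample responses.
BLOCKED = ["video/*", "audio/*", "application/javascript",
           "text/javascript", "application/msword"]
VIDEO = {"Content-Type": "video/mp4"}
SCRIPT = {"content-type": "Application/JavaScript; charset=UTF-8"}
GENERIC = {"Content-Type": "application/octet-stream"}  # any file sent with a generic type
NO_HEADER = {"Server": "example"}
```

A response declared as application/octet-stream passes this list whatever it actually contains, which is the reason to pair Content-type rules with the file size and URL rules described earlier.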

Billing system

Internet access tariffing

Besides registering traffic directly, UserGate Server can also be used to calculate Internet connection

costs. This capability is provided by its integrated billing system. The billing system is built around

the concept of a “billing plan”. By default there is only one billing plan in UserGate with zero

values for incoming, outgoing and temporal traffic costs. If UserGate is used to provide paid Internet

access, the UserGate administrator can create any number of billing plans according to the Internet provider’s cost

policies or according to the administrator’s own preferences.

UserGate access billing plans can be applied both to users and/or user groups. By default Internet

connections of all users belonging to the same group are rated according to the group’s specified billing

plan. An administrator can redefine user billing plan at any time.

User account status control

The UserGate billing system perfectly supplements the integrated Traffic Management system. If

UserGate Server is used to provide the paid Internet access, you can use the Traffic Management system

to control user account status. Thus, in the “Connection – Close” rule you can enable the “Activate

tracking” option as a condition and specify the threshold value of a user account. The rule will become

active if a user’s account balance falls below a threshold value.

Dynamic billing plans switching

UserGate traffic management rules can be used for dynamic billing plans switching. The most

common task, related to a Dial-Up connection, is switching between day and night billing plans. Another

task is using the different billing plans for an Internet Service Provider’s internal network and for the

Internet. Both tasks are accomplished via the “Tariff – Change” rule.

UserGate remote administration

Remote connection settings

You can use the UserGate Administration module to control a remote server. In “Server address”

in connection settings, please specify the domain name or IP address of the remote machine with

UserGate running. To use the Administration module from a remote machine, run the UserGate

installation wizard on that machine and select only UserGate Administration Console.

Restarting UserGate server

A remote restart function for UserGate server is included in Administration Console. To use it,

connect to the remote UserGate server and choose “File – Restart server” in the Administration

Console.

Checking for the new version

In “General Settings” of UserGate Administrator there is an option “Check for updates”. If this

option is enabled, UserGate Server checks UserGate’s site for the latest available version. If the

version installed is earlier than the version available on the site, Administration Console displays a

corresponding message. In this case the administrator can download the new version from the site and install it.

Automatic UserGate upgrade is not supported yet.

UserGate statistics utility

Traffic statistics information is stored in UserGate Server’s own database. By default MS Access

is used as the database and it is located in the UserGate parent directory as log.mdb. Brief information

about the total traffic of users and groups is available in the “Monitoring” section of UserGate

Administrator. Detailed statistics are presented in the UserGate Statistics module, an application designed

to work with the UserGate statistics database (Fig. 32).

Figure 32. UserGate statistics

You can obtain detailed statistics for each user or group by using filters. Filtering allows the

creation of reports by time of access, by protocols, by resources requested etc. The resulting report is

presented in a table which can be exported to MS Excel, HTML or OpenOffice Calc format.

UserGate Web statistics

A new statistics module has been added in UserGate v.5. The Web statistics module provides

detailed statistics of Internet connection usage from anywhere in the world using an ordinary web

browser. Several access levels for web-statistics can be specified in a UserGate user’s profile. Thus an

ordinary user may check his own statistics, a “Director” could see the statistics of any user, and an

“Administrator” is authorized to see all user statistics and to create Statistic report templates.

Figure 33. UserGate Web-statistics URLs page

Important note! UserGate web-statistics is turned on simultaneously with HTTP-proxy. Web statistics is

unavailable when HTTP-proxy is turned off.

Statistical information is now presented not only in table form but also in graphic diagrams, to

make the reports easier to understand.

You can access the statistics by visiting the link https://192.168.0.1 (where 192.168.0.1 is the

UserGate Server address, for example) or via the corresponding link on the user personal statistics page

http://192.168.0.1:8080 (where 8080 is the UserGate HTTP proxy port). The certificate located in the

%UserGate%\ssl folder is used for access to web-statistics over the HTTPS protocol. Another

way to reach the web-statistics page is to use the link on the last tab of the UserGate authorization client.

Web statistics settings

In web-statistics settings you can select regional settings, enable a cache, specify its storage time,

and enable the recording of housekeeping information. View Settings allow the specification of the

number of bytes per kilobyte (according to the way your provider defines “kilobyte”), indicate the

information specification details and enable URL addresses representation. To avoid

overloading the Statistics screen, it is possible to turn off the user’s balance display.

Traffic management rules efficiency rating

To manage Internet access the UserGate administrator can create traffic management rules and apply

them to a user or to a group of users. However, the created rules may turn out to work inefficiently.

For example, if a created rule is applied to all users, but actually acts only on “the most active” users, it

would be expedient to disable the rule for users who do not need this rule's effect. Those users’ traffic

will then not be subjected to needless checking, which may improve the server’s performance.

Figure 34. Rules statistics for traffic management

To estimate a rule’s efficiency, use the “Rules events” link on the Web-statistics page. Only information

about “Connection – Close” rules is shown here. With “Director” or “Administrator” privileges you can

obtain the “weight” of each URL in the total number of rule activations.

Antivirus efficiency rating

Antivirus facilities allow the exclusion of some UserGate groups from being scanned for viruses.

Using Web statistics you can obtain a report about antivirus events per user. The statistic is available in

the “Antivirus events” section. For Chiefs and Administrators there is an additional statistic available,

showing each user’s “weight” in the number of total antivirus events (“Antivirus event statistics”).

Figure 35. Antivirus statistics

SIP usage statistics

The UserGate web-statistics module allows monitoring how SIP is used. Select “Director charts - SIP

Statistic” in the Diagrams section to list UserGate users who use SIP. The list contains the name of the caller,

the destination address (number) and the call duration.

Figure 36. SIP statistics
