UserGate V5 English Manual
UserGate Proxy & Firewall
Administrator Manual
Content

INTRODUCTION
USERGATE PROXY & FIREWALL
    SYSTEM REQUIREMENTS
    USERGATE SERVER INSTALLATION
    USERGATE REGISTRATION
    USERGATE UPDATE AND REMOVAL
    USERGATE LICENSING POLICY
USERGATE ADMINISTRATION MODULE
    CONNECTION SETTINGS
    SETTING PASSWORD FOR CONNECTION
    SETTING PASSWORD FOR STATISTICS DATABASE
    NAT (NETWORK ADDRESS TRANSLATION) COMMON SETTINGS
INTERFACE SETTINGS
    NETWORK TRAFFIC CALCULATION IN USERGATE
    CONNECTION FAILOVER
USERS AND GROUPS
    USER PERSONAL STATISTICS PAGE
USERS AUTHORIZATION METHODS
    TERMINAL USERS SUPPORT
    USING HTTP AUTHORIZATION WITH TRANSPARENT PROXY
    USING AUTHORIZATION CLIENT
USERGATE SERVICES SETTINGS
    DHCP SETTINGS
    PROXY SERVICE SETTINGS
    SIP PROTOCOL SUPPORT
    USERGATE SIP REGISTRAR
    H323 PROTOCOL SUPPORT
    USERGATE MAIL PROXIES
    PROXIES IN TRANSPARENT MODE
    PARENT PROXIES
    PORT MAPPING
    CACHE SETTINGS
    ANTIVIRUS SCANNING
    USERGATE SCHEDULER
    DNS SETTINGS
ALERT MANAGER
USERGATE FIREWALL
    PRINCIPLE OF OPERATION
    NETWORK ADDRESS TRANSLATION RULES (NAT)
    WORKING WITH MULTIPLE INTERNET SERVICE PROVIDERS
    MASQUERADE FOR NAT RULES
    NETWORK RESOURCES PUBLISHING
    FIREWALL FILTERING RULES
    ROUTING SUPPORT
USERGATE SPEED LIMITATIONS
TRAFFIC MANAGER
APPLICATION FIREWALL
USERGATE CACHE EXPLORER
USERGATE TRAFFIC MANAGEMENT
    TRAFFIC MANAGEMENT RULES
    INTERNET ACCESS RESTRICTION
    BRIGHTCLOUD URL FILTERING
    SETTING A TRAFFIC CONSUMPTION LIMIT
    FILE SIZE RESTRICTION
    CONTENT-TYPE FILTERING
BILLING SYSTEM
    INTERNET ACCESS TARIFFING
    USER ACCOUNT STATUS CONTROL
    DYNAMIC BILLING PLANS SWITCHING
USERGATE REMOTE ADMINISTRATION
    REMOTE CONNECTION SETTINGS
    RESTARTING USERGATE SERVER
    CHECKING FOR THE NEW VERSION
USERGATE STATISTICS UTILITY
USERGATE WEB STATISTICS
    WEB STATISTICS SETTINGS
    TRAFFIC MANAGEMENT RULES EFFICIENCY RATING
    ANTIVIRUS EFFICIENCY RATING
    SIP USAGE STATISTICS
Introduction
UserGate works as a proxy server, i.e. as an intermediate computer between your PC and the
Internet. All interactions with the Internet pass through UserGate. When you surf the Internet, your
computer automatically connects to the proxy server (UserGate) and requests the web page or file you
want that is located on an Internet server. Then the proxy server either connects to the specified server and
receives the web page or finds it in the proxy’s cache (a temporary storage area for previously viewed
web pages and files). In some situations the proxy server can modify the request or a server’s response for
specific purposes, for example blocking access to inappropriate pages or images, or if a virus is detected.
UserGate Proxy & Firewall
UserGate is a comprehensive solution designed to connect users to the Internet, provide traffic
control, limit access and supply built-in network security tools.
UserGate enables the tariffing (pricing and limiting) of user Internet access based on traffic
amounts and time online. An administrator can add various billing plans, dynamically switch them and
control the access of Internet resources. The built-in Firewall and Antivirus module protects UserGate
server and identifies malicious software coming from the Internet.
UserGate consists of several modules: the Server, the Administration Console (UserGate
Administrator) and several others. UserGate Server (usergate.exe) is the central part, the core of the proxy
server, where its functional capabilities are embodied. The Server provides Internet access, implements
exact traffic calculations, tracks users’ online statistics, etc. UserGate Administration Console is a
program designed to control the Server. The Administration Console communicates with the server
module by means of a special protocol over TCP/IP that enables remote administration of the server.
There are also four additional modules included in UserGate: UserGate Statistics, Web Statistics,
UserGate Authorization Client and Application Control.
System requirements
UserGate Server is recommended to be installed on Windows 2000/XP/2003 computers connected
to the Internet via a modem or any other type of connection. Server hardware requirements are as follows:
Network configuration | Minimum requirements | Recommended requirements
Small LAN: 2 to 5 users | Pentium 1 GHz, 512 MB RAM, Windows 2000, 56k modem | Pentium 1 GHz, 512 MB RAM, Windows 2000, DSL
Medium LAN: 5 to 20 users | Pentium 1 GHz, 512 MB RAM, Windows 2000, 56k modem | Pentium 1 GHz, 1 GB RAM, Windows XP, broadband Internet connection
Large LAN: more than 20 users | Pentium 1 GHz, 512 MB RAM, Windows XP, ISDN connection | Pentium 2 GHz, 1 GB RAM, Windows 2003, broadband Internet connection
UserGate Server installation
To install UserGate Proxy & Firewall simply run the installation file and specify the Installation
options. When installing UserGate for the first time you can leave all of its installation options with their
default settings. During the installation process the installation Wizard will offer to install UserGate
as a system service (UserGate Service) and will automatically disable the Internet Connection Service, if
it is enabled.
Figure 1. UserGate NAT driver installation
Since the UserGate NAT driver is not WHQL signed, during the installation process a “Hardware installation”
dialog will appear (Fig. 1). In order to install UserGate NAT driver properly you should press “Continue
Anyway” several times. After installation restart your computer.
UserGate registration
An unregistered version of UserGate Server runs for 30 days in evaluation mode and restricts the
number of simultaneous users to 5. To register, start the UserGate Server, connect the
Administration Console to the Server, and select “Help”, then the “Register Product” item in the UserGate
Administration Console menu. Additionally, you can choose the same option on the “About” page in the
Administration Console. In the dialog that appears, enter your registration name and registration code into
the corresponding fields. Then click the OK button and restart UserGate Server. During the registration
process UserGate Server should be connected to the Internet.
UserGate update and removal
Before you install a new UserGate version it is recommended to remove the previous one and save
the server settings file (config.cfg file, located in the UserGate directory; hereinafter %UserGate%) and
the statistics database (log.mdb file, also located in %UserGate% folder).
UserGate Server v.5 supports the UserGate v.4 settings format. All settings in the UserGate v.4
format will be converted into the new format when UserGate Server is first started. Compatibility with
versions earlier than UserGate v.4 is not supported.
Removal of UserGate Server is accomplished by clicking on the removal item in the “Start –
Programs” menu or by using “Add or Remove Programs” in Control Panel. After removal, some files
remain in the UserGate directory, such as config.cfg (UserGate Server settings), log.mdb (UserGate
statistics database) and some others. When you install a newer version, all your settings are still there.
UserGate licensing policy
UserGate Server is designed to connect Local Area Network users to the Internet. The maximum
number of users simultaneously connected to the Internet via UserGate is called “number of sessions” and
is defined by a registration key. UserGate v.5 uses a unique registration key which does not support
previous versions of the UserGate software. Unregistered UserGate Server will run for 30 days in
evaluation mode and is restricted to 5 sessions. Please do not confuse the “session” concept with the
number of user-launched Internet applications or connections. In general, the number of user-launched
connections is arbitrary (unless otherwise limited).
UserGate’s integrated antivirus software (Kaspersky and/or Panda) requires independent licensing,
e.g. Kaspersky antivirus requires a special key file (*.key) located in the “%UserGate%\kav” directory.
The UserGate distribution kit includes the 30-day trial key for Kaspersky antivirus; however, this key is
not compatible with other keys of Kaspersky Lab products. The Panda antivirus license is built into the
UserGate Server registration key according to agreements with Panda Security.
License for the BrightCloud module, designed for site categorizing, is also included in the
UserGate license. The BrightCloud license period is restricted to one year. After the license period
expires, the BrightCloud online service becomes unavailable.
UserGate Administration module
UserGate Administration module is an application designed to control a local or remote UserGate
Server. To start UserGate Administrator, please first start UserGate Server by selecting “Start UserGate
Server” in the UserGate Agent context menu (icon in the System Tray). You can also run UserGate
Administrator by means of “Start – Programs” if the module is installed on another computer.
In order to work with settings you should connect the Administration module to the Server.
Connection settings
When UserGate Administration Console starts for the first time, it opens on the “Connections” page, where
only one connection is specified. In the connection settings, localhost is specified as the server address, the login
name is Administrator and there is no connection password. To connect the Administration
Console to the UserGate server, double-click on the “localhost – Administrator” line or press the
“Connect” button on Control Panel. You can create several connections using Administration Console. It
is necessary to specify the following parameters in connection settings:
• Server name – connection name.
• User name – login to connect to server.
• Server address – domain name or UserGate Server IP address.
• Port – TCP port used to connect to Server (port 2345 is the default).
• Password – the connection password.
• Always ask for password – this option asks for your login and password whenever you connect to
UserGate Server.
• Automatically connect to this server – Administration module’s automatic connection to Server
when it starts.
Administration Console settings are stored in the file console.xml, located in the
“%UserGate%\Administrator\” folder. On the UserGate Server side, user names and connection passwords are stored
in the %UserGate%\config.cfg file.
Setting password for connection
You can set the login name and password for connection settings in the “Administrator
Settings” section on the “General Settings” page. In this section you can also specify the TCP port on which
UserGate server listens for connections from the Administration Console. For the new settings to
take effect it is necessary to restart the UserGate Server (“Restart UserGate Server” item in the Agent
menu). After restarting you should change the Administration Console connection settings as well,
otherwise the Administrator will fail to connect to the Server.
Setting password for statistics database
All user statistics, i.e. traffic, time online and resources visited, are recorded by the UserGate Server
in a special database. UserGate works with its database via an ODBC driver, which allows the use of different
database formats (MS Access, MS SQL and MySQL). For UserGate to work with a MySQL database,
please use MySQL Connector v.3.51.
By default UserGate server uses a database in MS Access format (log.mdb file) with no password
specified. You can set a password on the “General Settings – Database Settings” page in the
Administration console. For the standard statistics database (log.mdb), you should stop UserGate Server
after setting the password, then open the database in MS Access in exclusive mode and set a
password through “Tools – Security – Set database password”.
NAT (Network Address Translation) Common Settings
The NAT Common Settings option allows you to specify the time-out value for NAT connections over the
TCP, UDP or ICMP protocols. The time-out defines how long a user connection through NAT is kept after the
data transfer is finished. The Print Debug Log option is intended for debugging and turns on the
extended logging mode of the UserGate NAT driver, if needed.
Interface settings
The “Interface” page (Fig. 2) is the most important part of UserGate Server settings. It defines
such important features as traffic count accuracy, the ability to create Firewall rules, Internet
channel bandwidth restrictions, the relationship between networks and the order of request processing by the
UserGate NAT (Network Address Translation) driver.
Figure 2. UserGate Server interface settings
All available network interfaces are listed on the “Interface” page, including Dial-Up (VPN, PPPoE)
connections. The UserGate administrator defines the connection type for each network adapter: for a network
adapter connected to the Internet you should select the WAN type, and for a network adapter connected to the
local area network the LAN type should be selected. As for Dial-Up (VPN, PPPoE) connections (this type
cannot be changed manually), UserGate Server defines this type automatically as a PPP interface. For
a Dial-Up (VPN) connection you can enter the user name and password by double-clicking on the corresponding
interface. The network interface located at the top of the interfaces list automatically becomes the primary
Internet connection.
Network traffic calculation in UserGate
Traffic passing through UserGate is assigned either to the local area network user who
initiates the connection, or to the UserGate server itself if it initiates the connection. For UserGate
server traffic there is a special predefined user, UserGate Server, specified in the statistics database.
UserGate Server traffic includes Kaspersky and Panda antivirus updates, DNS name resolution
through the DNS-forwarding module, and BrightCloud requests and responses.
When all UserGate server network adapters types (LAN or WAN) are specified correctly, traffic
in the direction of “local network – UserGate Server” (for example, accessing shared folder on the
UserGate server) is not taken into account during traffic calculation.
Important note! Using third party antivirus or firewall products (with the function of checking the
traffic) may seriously affect the correctness of UserGate traffic calculation. It’s not recommended to set
up and use any third party network product on the computer where UserGate Server is installed.
Connection failover
If there are several Internet connections, the “Connection Failover” option becomes available on
the “Interfaces” page. This option allows automatic switching of the UserGate Server to an alternative
Internet connection if there is no connection through the primary channel.
To use the “Connection Failover” option you should specify the following: the primary Internet
connection, one or several reserve channels and a list of “control hosts” (Fig. 3). UserGate will check the
availability of the Internet connection by sending ICMP echo requests (the ping command) to the
specified control hosts. The request period is 30 seconds by default and can be changed manually. The Timeout
parameter defines how long UserGate server waits for ICMP echo reply packets. If several
“control hosts” are specified in “Connection Failover”, the UserGate Server will check them
in sequence. A lack of response from all specified “control hosts” at the same time will be interpreted as
a failure of the primary Internet connection. Therefore, it is recommended to specify the most stable Internet
hosts as “control hosts”.
Figure 3. Connection Failover settings.
As a reserve connection UserGate Server can use either an Ethernet connection (dedicated
channel, WAN interface) or a Dial-Up (VPN, PPPoE) connection (PPP interface). For Network
Address Translation (NAT) rules to work with both the primary and the reserve Internet channel you
should specify Masquerade as the destination in NAT rules. After switching to the reserve Internet
connection, UserGate Server regularly checks the primary channel availability and, if possible, switches
users back to the primary Internet connection.
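The failover decision described above, as a small simulation that shows why the choice of control hosts matters. This is an added example, not UserGate code: the channel labels, control-host addresses, the 2-second timeout and stopping at the first host that replies are assumptions; only the 30-second period, the "all control hosts silent" rule and the switch back to the primary channel come from the manual.

```python
"""Simulation of the Connection Failover rule (added example, not UserGate code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

# probe(host, timeout) -> True if an ICMP echo reply arrived over the primary link.
Probe = Callable[[str, float], bool]


@dataclass
class FailoverMonitor:
    primary: str                 # hypothetical channel label
    reserve: str                 # hypothetical channel label
    control_hosts: List[str]
    probe: Probe
    period: float = 30.0         # default request period stated in the manual
    timeout: float = 2.0         # assumed; the manual gives no default value
    active: str = field(init=False)
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not self.control_hosts:
            raise ValueError("at least one control host is required")
        self.active = self.primary

    def primary_up(self) -> bool:
        # Hosts are checked one after another. Stopping at the first reply is
        # an assumption; the rule itself only needs "did any host answer?".
        return any(self.probe(h, self.timeout) for h in self.control_hosts)

    def tick(self, cycle: int) -> str:
        """Run one check cycle and return the channel in use afterwards."""
        up = self.primary_up()
        stamp = f"t={cycle * self.period:.0f}s"
        if not up and self.active == self.primary:
            # All control hosts silent at once: treated as primary link failure.
            self.active = self.reserve
            self.events.append(f"{stamp} failover to {self.reserve}")
        elif up and self.active != self.primary:
            # The primary is still probed while on reserve; switch back on a reply.
            self.active = self.primary
            self.events.append(f"{stamp} restored {self.primary}")
        return self.active


def simulate(control_hosts: List[str],
             timeline: List[Set[str]]) -> Tuple[List[str], List[str]]:
    """Replay a timeline; each entry is the set of hosts answering that cycle."""
    answering: Set[str] = set()

    def probe(host: str, timeout: float) -> bool:
        return host in answering

    mon = FailoverMonitor("WAN", "PPP", list(control_hosts), probe)
    history = []
    for cycle, up in enumerate(timeline):
        answering.clear()
        answering.update(up)
        history.append(mon.tick(cycle))
    return history, mon.events


# Constructed sample data (documentation address ranges, not real hosts).
HOST_A, HOST_B, HOST_C = "192.0.2.10", "198.51.100.10", "203.0.113.10"
TIMELINE = [
    {HOST_A, HOST_B, HOST_C},   # cycle 0: everything answers
    {HOST_B, HOST_C},           # cycle 1: HOST_A itself is down, link is fine
    {HOST_B, HOST_C},           # cycle 2
    set(),                      # cycle 3: primary link really lost
    set(),                      # cycle 4
    {HOST_A, HOST_B, HOST_C},   # cycle 5: primary link back
]

if __name__ == "__main__":
    for hosts in ([HOST_A], [HOST_A, HOST_B, HOST_C]):
        history, events = simulate(hosts, TIMELINE)
        print(len(hosts), "control host(s):", history)
        for line in events:
            print("   ", line)
```

With a single control host, an outage of that host alone is indistinguishable from a link failure and moves all users to the reserve channel two cycles before the real outage.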
Users and groups
To provide secure Internet access through UserGate, it is necessary to create user accounts.
To simplify common administration tasks, the UserGate administrator can create user groups according to
their access levels. The most common way is to combine users into groups by access level, because it
makes traffic management, for example setting a traffic consumption limit, much easier. By default there is
only one group available in UserGate: the default group.
To create a new user, use the “Add new user” item or press the “Add” button on Control Panel’s
“Users and Groups” page. Then enter the settings as shown in Fig. 4: Name, Authorization type,
Authorization parameter (IP address, login etc), Group and Billing plan. By default all users belong to
the default group. Each user must have a unique name. You can also specify the access level to UserGate
Web-statistics, define an internal H323 phone number, and enable NAT rules, traffic-managing rules and/
or “Application Firewall” module rules.
Figure 4. UserGate user profile
Each newly defined user inherits all settings of the group to which it belongs, including the billing
plan. The latter can be easily redefined in the user’s profile. The billing plan specified in each user’s
profile is used for tariffing all connections (setting and monitoring the price of Internet traffic). You
may use a blank tariff if the Internet connection is not rated.
User personal statistics page
Every UserGate user can view his statistics page (Fig. 5). The user can access it at http://usergate,
if his browser is set to work through proxy, or at http://192.168.0.1:8080, where, for example,
192.168.0.1 is the local address of UserGate server, and 8080 is the port on which UserGate HTTP proxy
works.
Figure 5. User personal page in UserGate
On this page the user can look through their statistics summary, open the UserGate Web-Statistics page or
download the UserGate authorization client if needed.
Users authorization methods
Internet access through UserGate is provided only for authorized users. UserGate supports the
following authorization methods:
• authorization by IP address (or IP address range)
• authorization by MAC address
• authorization by a combination of IP and MAC addresses
• HTTP authorization (Basic)
• authorization through name and password
• Windows Login authorization
• Active Directory authorization
• simplified version of Active Directory authorization
For the last four methods you should install UserGate Authorization Client on the user’s workstation.
The corresponding MSI package (AuthClientInstall.msi) can be found in the “%UserGate%\tools” folder
and can be installed automatically through Active Directory group policy tools. The “%UserGate%\tools”
folder also contains the corresponding administrative template (*.adm file).
When Active Directory authorization is used, UserGate Server obtains the authorization
parameters (login and password) from the Authorization Client, which is launched at the user
workstation, and checks them through the domain controller.
If UserGate Server is installed on a computer that is not a member of an Active Directory domain, it is
recommended to use the simplified version of Active Directory authorization. In this case UserGate
Server will compare the login and domain name received from the Authorization Client with the
corresponding fields specified in the user profile, without querying the domain controller.
Terminal users support
Along with the basic HTTP authorization support, UserGate Server also supports terminal user
HTTP authorization. You can enable this option on the “General Settings” page in the Administration
Console (Fig. 6). This method of authorization allows terminal users to connect to the Internet using their
individual UserGate accounts by means of a username and password for each connection.
Figure 6. Terminal users support
The “HTTP authorization for terminal users” mode is useful if you need to run several
network applications on a single computer under different UserGate accounts. To do so,
enter the appropriate proxy server (HTTP, Socks 5) address, port and authorization parameters
(username/password) for each network application.
Using HTTP authorization with transparent proxy
The transparent proxy HTTP authorization method is also added to UserGate v.5. If the user
browser is not set to use a proxy server and the UserGate HTTP proxy transparent mode is enabled, all
requests from unauthorized users will be forwarded to an authorization page where you have to specify
your username and password.
After authorization please do not close the page. The authorization page refreshes regularly by
means of a special script to keep the user session active, which makes all UserGate services,
including NAT, available to the authorized user. To end the session, press the Logout button on the
Authorization page.
Important note! Terminal users are not supported by this authorization method.
Using Authorization Client
UserGate Authorization Client is a network application that works at the Winsock level. It
connects to UserGate Server using a predefined UDP port (5456 by default) and sends user authorization
parameters: the authorization type, username and password.
In the Authorization Client settings you should specify (Fig. 7) the UserGate server IP address and
port, the authorization type and the corresponding parameters (username/password) as specified in the
user profile.
On first start, UserGate Authorization Client looks in the Registry key
“HKCU\Software\Policies\Entensys\Auth client” for settings obtained through Active Directory group
policy. If these settings are not found in the Registry, you should specify the UserGate Server address
manually in the third tab in Authorization Client. After defining the server address, press the “Apply”
button to check the server availability. The specified authorization client settings are stored in the
Registry key “HKCU\Software\Entensys\Auth client”. The Authorization Client log is saved in the
“Documents and Settings\%USER%\Application data\UserGate Client” folder.
Figure 7. Authorization Client settings
UserGate Authorization Client shows received/sent bytes statistics, time spent online and the cost.
In addition to the Authorization Client there is a link on the user’s personal page. You can also change the
Authorization Client’s skin by editing the *.xml template located in the client’s parent folder.
Important note! Authorization Client is not supported for Terminal users.
UserGate services settings
DHCP settings
DHCP service (Dynamic Host Configuration Protocol) automates the task of network settings
configuration for LAN clients. With DHCP server you can dynamically assign such parameters as IP
address, network mask, default gateway, DNS etc. for all network devices.
To enable UserGate DHCP server select the “Services – DHCP Server – Add interface” item in
UserGate Administration Console or press the “Add” button in Control Panel. In the dialog that appears,
select the network interface on which the DHCP server will work. For a minimal DHCP server
configuration it is enough to set the following parameters: the IP address range (address pool) from
which the server hands out addresses to LAN clients, the network mask and the lease
time. The maximum pool size in UserGate is 4000 addresses. You can exclude some IP addresses from
the address pool by using the “Exclusion” list. You can also attach a permanent IP address to a particular
network device by creating a corresponding reservation. To create a new reservation, please enter the IP
address only; the MAC address will be defined automatically when you press the corresponding button.
Figure 8. DHCP server settings
UserGate DHCP server supports import of MS Windows DHCP server settings. To use
this feature, dump the Windows DHCP settings to a file: launch the command prompt
(Start – Run – “cmd”) and type: netsh dhcp server IP dump > file_name, where IP is your DHCP server’s
IP address. The import from file is performed with the corresponding button on the first page of the
DHCP server wizard.
IP addresses that have already been issued are shown in the lower part of the “DHCP” page of the
Administration Console (Fig. 7) along with the client information (workstation name, MAC address) and
lease time values. By selecting an issued IP address you can create a user profile, create an IP-MAC
reservation or remove the given IP address.
Figure 9. Remove the issued IP address
The removed IP address will be returned to the pool of free DHCP server addresses after a certain
period of time. The “Remove client” option is useful when a workstation has
received an IP address and is later taken offline.
Proxy service settings
There are several proxy servers included in UserGate Server: HTTP proxy (supports FTP over
HTTP and HTTPS) and FTP proxy, SOCKS4, SOCKS5, POP3 and SMTP, SIP and H323. Proxy server
settings are located in “Services – Proxy Settings” of the Administration Console. The most important
settings are: interface (Fig. 10) and the number of the port where UserGate server is running.
Figure 10. Proxy server primary settings
If an interface is not specified in the proxy settings, the server will listen on all available network
interfaces. By default, only the HTTP proxy is enabled and it listens on TCP port 8080 on all available
network interfaces.
To set the client browser to work through the proxy, you can specify the proxy address and port in the
corresponding browser settings. For example, in Internet Explorer you can do this through “Tools –
Internet Options – Connection – LAN Settings”. When working through an HTTP proxy specified in the
browser settings, you do not need to specify the gateway and DNS in the TCP/IP settings of the local area
network connection on a user workstation. For each proxy server you can specify an upstream
proxy server.
Important note! The port specified in the proxy server settings is opened automatically in the UserGate
firewall. For better security, it is recommended to specify only local network interfaces
in the proxy settings.
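One way to check the recommendation above on a running gateway is to audit which addresses the proxy ports are bound to. The following is an added example, not part of the UserGate manual or product; the `netstat -an` sample, the LAN subnet and the port set are constructed assumptions, and only TCP listeners are checked.

```python
import ipaddress

# Constructed sample of `netstat -an` output from a gateway host (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1080       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:110       0.0.0.0:0              LISTENING
  TCP    [::]:8080              [::]:0                 LISTENING
  TCP    192.168.0.1:49752      198.51.100.7:443       ESTABLISHED
  UDP    0.0.0.0:5456           *:*
"""

# Assumed for the example: the LAN subnet and the ports configured for the proxies.
LAN_NETWORKS = ["192.168.0.0/24"]
PROXY_PORTS = {8080, 1080, 110}


def parse_tcp_listeners(netstat_text):
    """Return [(ip_address, port)] for every TCP socket in the LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly four columns; the header and UDP rows do not.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        # IPv6 local addresses are printed in brackets, e.g. [::]:8080.
        listeners.append((ipaddress.ip_address(host.strip("[]")), int(port)))
    return listeners


def audit_proxy_listeners(netstat_text, proxy_ports, lan_networks):
    """Flag proxy ports that listen on all interfaces or on a non-LAN address."""
    lans = [ipaddress.ip_network(n) for n in lan_networks]
    findings = []
    for addr, port in parse_tcp_listeners(netstat_text):
        if port not in proxy_ports or addr.is_loopback:
            continue
        if addr.is_unspecified:
            findings.append((str(addr), port, "listening on all interfaces"))
        elif not any(addr in lan for lan in lans):
            findings.append((str(addr), port, "bound to a non-LAN interface"))
    return findings


if __name__ == "__main__":
    for ip, port, reason in audit_proxy_listeners(SAMPLE_NETSTAT, PROXY_PORTS, LAN_NETWORKS):
        print(f"{ip}:{port} {reason}")
```

Any finding means the corresponding proxy should be rebound to a LAN interface in “Services – Proxy Settings”.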
SIP protocol support
UserGate v.5 can operate as a stateful SIP proxy and as a SIP Registrar. Both functions can be
enabled in “Services – Proxy Settings” page. UserGate SIP proxy always works in transparent mode
listening to ports 5060 TCP and 5060 UDP. When working through UserGate SIP-proxy the information
about the current connection state (registration, call, waiting, etc) is shown on “Sessions” page in the
Administration Console. This information is also saved in the UserGate statistics database.
In order to work through UserGate SIP proxy you should specify the UserGate Server IP as the
default gateway in the TCP/IP settings on the user’s workstation. A DNS server address must also be
specified.
Let us illustrate client side settings for SJPhone software phone and Sipnet.ru SIP provider as an
example. Start SJPhone, right-click on its icon in the system tray, choose “Options” item and “New” on
profiles page. Enter profile name (Fig. 11), for example “sipnet.ru”, specify “Calls through SIP Proxy”
as a profile type.
Figure 11. SJPhone profile creation
On the “SIP Proxy” page specify your SIP provider address. In this example it is “sipnet.ru”. When
closing the “Profiles option” dialog, enter your username and password for the SIP provider in the dialog
that appears.
Figure 12. SJPhone profile settings
UserGate SIP Registrar
UserGate server can operate in SIP Registrar mode. In this mode UserGate works as a PBX (Private
Branch Exchange) for the local area network. The SIP Registrar function works simultaneously with the
SIP proxy function. In order to authorize on UserGate SIP Registrar you should specify the following:
• UserGate address as SIP server address
• UserGate user name (without spaces)
• Any password
H323 protocol support
Built-in H323 protocol support enables you to use UserGate Server as an H323 Gatekeeper. In the H323
proxy settings you need to specify the interface on which UserGate will listen for client
queries, the port number, and the H323 gateway address and port. For authorization on UserGate H323
Gatekeeper, the user should specify his user name (user name in UserGate), password (you can specify
any password) and phone number (defined in the user’s profile).
UserGate mail proxies
UserGate mail proxies are designed to support both the POP3 and SMTP protocols, as well as to
scan mail traffic for viruses. When UserGate POP3 and SMTP proxies work in transparent mode, the
settings of the mail client on a user’s workstation are the same as if it were connected directly to the
Internet (without proxies).
If UserGate POP3 proxy is used in non-transparent mode, in the user’s mail client you should
specify the UserGate server IP address and port that correspond to the POP3 proxy as the POP3 server
address. In addition, you need to specify the login for the remote POP3 server authorization in the
following format:
e-mail_address@POP3_server_address. For example, if the user e-mail is [email protected], you should enter
[email protected]@pop.mail.ru as the login for the UserGate POP3 proxy. This format is necessary for
UserGate to detect the remote POP server address.
If UserGate SMTP proxy is used in a non-transparent mode, you need to specify the SMTP server
IP address and port in the proxy settings section. In this case you enter the UserGate Server IP address
and port that correspond to the SMTP proxy as the SMTP server address in the mail client settings of the
user workstation.
If authorization is needed for sending mail, please enter the username and password that
correspond to the SMTP server shown in the UserGate SMTP proxy settings.
Proxies in transparent mode
The “Transparent Mode” option in the proxy server settings becomes enabled if UserGate Server
is installed along with a NAT driver. In transparent mode the UserGate NAT driver listens on the
standard ports, such as 80 TCP for HTTP, 21 TCP for FTP, 110 and 25 TCP for POP3 and SMTP, on
LAN network interfaces and sends users’ requests to the corresponding proxy in UserGate. When
transparent mode is enabled, it is not required to specify the proxy server address and port in each
network application, which considerably decreases the administrator’s effort in providing LAN-to-Internet
access. However, you need to specify UserGate Server as the gateway and specify a DNS server in each
LAN workstation’s settings.
Parent proxies
UserGate Server can work either with a direct Internet connection or through upstream or parent
proxies. UserGate supports the following parent proxy types: HTTP, HTTPS, Socks4 and Socks5. You
can create parent proxies on “Service – Parent Proxy” page. For each parent proxy you should specify:
its type, IP address and port. If the parent proxy supports authorization, you can specify the corresponding
login and password. All created parent proxies become available in UserGate proxy server settings.
Figure 13. Parent proxy in UserGate
Port mapping
Port mapping support is available in UserGate. Port mapping rules cause UserGate Server to
redirect user requests from specific ports of a UserGate workstation network interface to addresses and
ports specified by the rules. Port mapping is already enabled for TCP and UDP protocols and does not
require a UserGate NAT driver to be installed.
Figure 14. UserGate ports definition
Important note! If a port mapping is used to provide access to a company internal resource from
the Internet, you should use “Specified User” as the “Authorization setup” parameter.
Cache settings
An important purpose of a proxy server is resource caching, which reduces the Internet connection
load and greatly increases the speed of access to commonly visited resources. UserGate proxy implements
both HTTP and FTP traffic caching. Cached documents are saved in the “%UserGate%\Cache” folder.
On the “Cache” page in Administration Console you may specify the Cache size limit and the document
storage lifetime. You can also enable option “Calculate traffic from cache”. With this option enabled
UserGate server will calculate traffic from cache and assign it to LAN user as if a web-page was taken
from the Internet.
Antivirus scanning
There are two antivirus modules integrated in UserGate Server: Kaspersky Lab and Panda
Security. Both modules are assigned to scan incoming traffic through UserGate HTTP, FTP and mail
proxies, as well as outgoing traffic through SMTP proxy.
Antivirus settings are available on the “Services – Antivirus” page in the Administrator console (Fig.
15). You can specify the protocols for each antivirus to scan, set up the antivirus base update frequency
and enter URLs that do not need to be checked (URL Filter). You can also specify a group of users
whose traffic does not need to be scanned for viruses.
Figure 15. UserGate antivirus modules
Before running the antivirus, you need to start the antivirus bases update and wait for the update to
complete. By default, the Kaspersky antivirus updates are downloaded from the Kaspersky Lab FTP site,
whereas Panda antivirus updates are downloaded from http://www.entensys.com.
UserGate Server supports both antivirus engines working simultaneously and allows you to
choose the protocols to be scanned by each antivirus, as well as traffic scan directions for each protocol if
it’s checked by both antiviruses.
Important note! When traffic scanning for viruses is enabled, UserGate Server blocks HTTP and FTP
multithreaded downloads. Blocking the transfer of a part of a file through HTTP may cause
problems with the Windows Update service.
UserGate Scheduler
There is a task scheduler built into UserGate, which enables Dial-Up connection initialization and
release, statistics reports delivery to users, arbitrary task executions, antivirus updates and statistics base
cleaning.
Even nonstandard tasks can be performed on schedule such as launching special kinds of *.bat or
*.cmd files using “Execute Program” in UserGate Scheduler.
Figure 16 Setting UserGate scheduler
DNS settings
UserGate supports two methods of name resolution: the DNS module and a NAT rule. The DNS
module is used with all UserGate services: proxy servers, BrightCloud URL-filtering, antivirus, etc. This
module is designed to handle DNS queries of different types, such as A, MX, PTR, and it also supports
recursive queries. Communication with UserGate services is performed on the Winsock level. By default,
the DNS module listens on UDP port 5458. Moreover, the DNS module can use the DNS servers specified
in the server network settings or use DNS servers from a given list. If there are several DNS servers
specified, UserGate chooses between them based on the response time. So if a certain DNS server doesn’t
provide a timely response, UserGate automatically calls other servers.
For resolving user DNS queries there is DNS forwarding mode. DNS forwarding settings are
available in “Services - DNS forwarding” section of the Administrator console. In the forwarding mode
DNS listens to 53 UDP port on UserGate server LAN adapters. DNS queries coming from the WAN
adapters are ignored.
Responses to DNS queries are cached in the server memory, so name resolution
is greatly accelerated. Besides, the DNS module watches for changes in the
“%WINDIR%\system32\drivers\etc\hosts” file and puts its records into its own cache. All records from the
hosts file are stored in the DNS module’s own cache memory for as long as the server is running.
Figure 17. DNS settings
A NAT setup creates a NAT rule for port 53 UDP, which can be applied to all or some users. In
this case you should specify the “Internet provider’s DNS IP” as the DNS server on client workstation.
Alert Manager
The purpose of the “Alert manager” module is to inform a UserGate administrator about certain
kinds of events that have occurred on UserGate Server. For example, you can create a virus detection
alert, an antivirus module error alert or a “license expired” alert. The alert is delivered by e-mail
through the SMTP server specified in “Delivery Settings”.
Figure 18 Setting Alert manager
UserGate Firewall
Principle of operation
UserGate’s built-in Firewall, being a part of UserGate’s NAT driver, is designed to handle
network traffic according to predefined rule sets. In a Firewall rule you need to specify source and
destination addresses, service (protocol-port pair) and action: “Send” or “Drop”. The Firewall rule type
is defined automatically according to the specified parameters. UserGate supports the following rule types:
network translation rule (NAT), Routing, and Firewall itself (FW).
With default settings only one firewall rule is available, the #NONUSER# rule, which either permits or
silently drops all outgoing network traffic that does not come from the UserGate server process, as well
as all unexpected incoming traffic. If you enable “Drop” mode for the #NONUSER# rule, UserGate Firewall
will block all incoming and outgoing packets except transit packets. This is the most secure setting for
UserGate if it is installed on a separate PC, working as a gateway only.
However, sometimes UserGate is installed on a PC that is used as a workstation and as an Internet
gateway at the same time. In this case you should create permissive Firewall rules. These rules will be
placed above the #NONUSER# rule. When UserGate server accepts a network packet it looks through
the firewall rules in order to decide whether it should send or drop this packet. All firewall rules are
scanned in sequence from top to bottom in the firewall rules list. When UserGate finds the first applicable
firewall rule for the given network packet it skips the rest of the rules. By changing a firewall rule’s
position in the rules list, the UserGate Administrator may change its priority during scanning.
UserGate services, such as proxy servers and port mapping rules, generate so-called automatic
permissive Firewall rules. For example, when you turn on the HTTP proxy, the built-in Firewall will
automatically create a corresponding permissive rule to maintain the proxy operation. Automatic firewall
rules are not represented in the rules list; you can remove them only by disabling the corresponding proxy
or port mapping rule. Nevertheless, a UserGate administrator can block a permissive automatic rule by
creating an appropriate prohibitive rule and placing it at the top of the rules list.
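The top-to-bottom, first-match evaluation described above can be modelled in a few lines. This is an added example, not UserGate code: the `Rule` class, the addresses and the assumption that automatic rules are evaluated after the listed rules and before #NONUSER# are illustrative, and the model covers only packets addressed to the gateway itself. It also reports listed rules that can never fire because a broader rule sits above them.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "Send" or "Drop", as in the manual
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: str = "any"                # "tcp", "udp" or "any"
    port: int = 0                     # destination port; 0 means any

    def matches(self, src, dst, proto, port):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.port in (0, port))

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and self.port in (0, other.port))


def decide(listed, automatic, nonuser_action, packet):
    """Return (action, rule name) of the first applicable rule, top to bottom."""
    # Assumed order: listed rules, then hidden automatic rules, then #NONUSER#.
    chain = list(listed) + list(automatic) + [Rule("#NONUSER#", nonuser_action)]
    for rule in chain:
        if rule.matches(*packet):
            return rule.action, rule.name


def shadowed(listed):
    """Names of listed rules that never fire because an earlier rule covers them."""
    return [rule.name for i, rule in enumerate(listed)
            if any(earlier.covers(rule) for earlier in listed[:i])]


# Constructed sample: gateway with LAN address 192.168.0.1 and WAN address 203.0.113.10.
WAN_IP = ipaddress.ip_network("203.0.113.10/32")
AUTO_RULES = [Rule("auto: HTTP proxy", "Send", proto="tcp", port=8080)]
BLOCK_WAN_PROXY = Rule("drop proxy port on WAN", "Drop", dst=WAN_IP, proto="tcp", port=8080)
FROM_INTERNET = ("198.51.100.7", "203.0.113.10", "tcp", 8080)
FROM_LAN = ("192.168.0.20", "192.168.0.1", "tcp", 8080)

if __name__ == "__main__":
    print(decide([], AUTO_RULES, "Drop", FROM_INTERNET))                 # automatic rule admits it
    print(decide([BLOCK_WAN_PROXY], AUTO_RULES, "Drop", FROM_INTERNET))  # prohibitive rule wins
    print(decide([BLOCK_WAN_PROXY], AUTO_RULES, "Drop", FROM_LAN))       # LAN clients unaffected
```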
Network Address Translation rules (NAT)
To create a new network address translation rule (Fig. 19) right-click on “Firewall Rules” page in
Administrator console and select “Add rule” item. Select UserGate LAN adapter as a source and one of
WAN or PPP interfaces as a destination, specify one or several services. On the last page you should
specify which users or groups are allowed to work through this NAT rule.
Figure 19. UserGate NAT rule creation
If a required service (protocol/port pair) is absent in the predefined services list, you can add it through
“New service” button or through “Services” page in Administration Console.
Important note! Before working through UserGate NAT, make sure that the UserGate LAN IP address is
specified as the default gateway on the user’s workstation. Besides, a workstation that works through NAT
has to resolve domain names itself, so a DNS server must be specified on the user’s workstation.
Working with multiple Internet service providers
UserGate NAT driver supports simultaneous work with several external (Internet) connections.
For this purpose UserGate administrator can create several NAT rules sets with different destination
interfaces (WAN or PPP) (Fig. 20). Using this approach UserGate administrator can provide different
Internet providers for different groups of users in local area network. Applying two translation rule sets
for the same user or group is not recommended.
Figure 20. Working with multiple providers
Masquerade for NAT rules
If there are several external interfaces (WAN or PPP), the UserGate administrator may choose
“Masquerade” as the destination address in a NAT rule. The Masquerade function is used when the
outgoing network interface used for packet transfer is not known beforehand. This choice means that the
outgoing network interface will be defined dynamically by comparing the destination host network
address with the network addresses of all UserGate WAN or PPP interfaces. If the network address of a
destination host does not match any WAN or PPP interface, the packet will be sent through the
Primary Internet channel. Besides, the Masquerade function may be used for translation of network packets
within several external networks.
Figure 21 Automatic choice of the outgoing adapter in the NAT rules
Important note! While using the Connection Failover, the automatic outgoing interface selection option
in NAT rules is disabled. All NAT rules traffic with the Masquerade, specified as a destination, will go
through reserve Internet connection.
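The Masquerade selection and its Connection Failover exception can be written out as follows. This is an added example, not UserGate code: the interface names and addresses are constructed, and preferring the most specific network when several interfaces match is an assumption the manual does not state.

```python
import ipaddress


def pick_outgoing_interface(dest_ip, external_ifaces, primary, failover_reserve=None):
    """Return the name of the interface a Masquerade NAT rule would use.

    external_ifaces maps interface name -> "address/prefix" of each WAN or PPP
    interface. failover_reserve is the reserve connection name when Connection
    Failover is in use, otherwise None.
    """
    # With Connection Failover, automatic selection is disabled (see the note above).
    if failover_reserve is not None:
        return failover_reserve
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for name, cidr in external_ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        # Assumption: if several interface networks contain the host, use the longest prefix.
        if dest in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    # No interface network contains the destination: use the Primary Internet channel.
    return best[0] if best else primary


def egress_plan(destinations, external_ifaces, primary, failover_reserve=None):
    """Map each destination to its outgoing interface, e.g. to decide where to monitor."""
    return {d: pick_outgoing_interface(d, external_ifaces, primary, failover_reserve)
            for d in destinations}


# Constructed sample configuration (documentation address ranges).
IFACES = {"WAN1": "203.0.113.10/24", "PPP1": "198.51.100.5/25"}
DESTS = ["198.51.100.77", "198.51.100.200", "192.0.2.50"]

if __name__ == "__main__":
    print(egress_plan(DESTS, IFACES, primary="WAN1"))
    print(egress_plan(DESTS, IFACES, primary="WAN1", failover_reserve="PPP2"))
```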
Network resources publishing
With UserGate Firewall you can open access to your company internal network resources from the
Internet; for example to Web-, FTP- and VPN-server or to a mail server. If resource publishing rule is
created all requests to a certain port of UserGate server external IP will be redirected to the internal server
according to the rule. The access to internal resource can be provided for all (source - Any) or for
specified Internet users (source – Host or Host range). In order to create a resource publishing rule you
need to specify only one service on “Services” page (Fig. 22) in “Add Network Rule” dialog.
Figure 22. FTP server publishing
Firewall filtering rules
It is a common practice when UserGate is installed on a PC which is used both as an Internet
gateway and as a workstation at the same time. If the #NONUSER# firewall rule is working in “Drop”
mode, it is necessary to create several special permissive firewall rules. For example, these rules can
permit outgoing requests and incoming responses for such basic protocols like HTTP, HTTPS, FTP,
POP3 and SMTP. An example of such rules is shown in Figure 23.
Figure 23. UserGate Server firewall rule
Routing support
If UserGate server is installed on a PC connected to several local area networks, UserGate can be
set up to act as a router providing transparent bidirectional connections between local networks. Firewall
routing rule can be set up between any pair of LAN interfaces (Fig. 24).
Figure 24. UserGate routing
Important note! UserGate authorization is not required for routing, and traffic count is not monitored.
UserGate speed limitations
UserGate supports two methods to limit network traffic speed. The simplest method is to set a
traffic speed limit through a user profile or through a traffic rule (“Speed – Set up Speed”). This method
is not universal because it can restrict only incoming traffic speed for all connections, without the
ability to distinguish between protocols or destination addresses and ports. This limitation
mechanism works for proxy services and for NAT traffic. With this method you cannot restrict traffic
speed for a group of users.
The second method to limit network traffic speed in UserGate is to use the “Traffic Manager” (TM)
module. This method is more sophisticated and provides more possibilities for speed limitation. For
example, you can set different restrictions for incoming and outgoing traffic for different protocols.
Important note! When “Traffic Manager” is enabled all traffic speed limitations specified either in
user’s profile or in traffic rules are ignored.
Traffic Manager
The UserGate “Traffic Manager” (TM) module is based on the well-known CBWFQ (Class-Based
Weighted Fair Queuing) algorithm. This algorithm processes network packets using FIFO
(First In First Out) queues, based on queue priority and packet classification. Part of the algorithm is
WFQ (Weighted Fair Queuing), in which FIFO packet queues are processed according to priority and
packet weight (size). The TM algorithm also includes the “Shaper” functionality (restriction of the
bandwidth for a rule). The Shaper also processes queues by priority. The other options are: Speed limit
and Time delay.
Figure 25 Traffic Manager rules for setting speed limits
There are two types of rules in the TM module: adapter rules, or default rules, and user rules.
Default rules are designed for processing network packets that do not match any user TM rule, or for
processing all network packets when there are no user TM rules defined. Default rules are created
automatically for each WAN adapter of UserGate server. Default rules should be turned on for
TM to operate. User rules are designed to handle a specific traffic type. The following parameters are
available for a TM user rule:
• Rule priority
• Traffic direction (incoming/outgoing),
• Maximum bandwidth value allowed (Kbps or Mbps),
• Packet delay (ms),
• Protocol (TCP/UDP/ICMP),
• Source IP and port,
• Destination IP (as an IP/mask) and destination port,
• Adapter to process the traffic by Bandwidth Manager.
Important note! The “Time Delay” parameter is designed for delaying network packets if their traffic
doesn’t fit into the specified bandwidth.
The priority of a TM rule defines which FIFO queue will be used for packet processing. There are 8
priority queues defined: 4 absolute priority queues (HIGH, MEDIUM, NORMAL and LOW) and 4
queues with relative priority. Manageable traffic speed limiting is provided only for rules with relative
priorities. According to the speed limit specified, a packet can be sent to the outgoing buffer, moved to
the beginning of the queue (if the “Time Delay” parameter is specified) or rejected. Queues with an
absolute priority are intended for privileged traffic processing. If needed, this traffic can fill all the
bandwidth of the dedicated Internet channel. There is only one parameter that the administrator can use
to affect privileged traffic processing: the absolute rule priority.
When creating a user TM rule, the address of a machine in the local network can be specified as the
source. As the destination address you should always specify an external host or external network address.
To restrict NAT traffic speed it’s recommended to bind a user TM rule to the UserGate server LAN
adapter, because in this case the source address does not need to be specified (this traffic speed
limitation will be applied to all users). The traffic speed limit can be applied to individual users by
specifying the source IP address or IP address range.
To restrict traffic speed through proxies it’s recommended to bind the user TM rule to the UserGate
WAN adapter without specifying the source address. A traffic speed limit through a proxy can be set only
for all local network users. When creating a TM user rule, please take into account the following:
• Traffic Manager is intended for traffic speed limiting for directions “Server ↔ Internet” and
“Local Network ↔ Internet”.
• If a network packet matches more than one limiting rule, Traffic Manager chooses only the first
suitable rule.
• Traffic Manager does not support Dial-Up connections.
A network packet, which does not suit any user TM rules, will be handled by the default rule.
There are two parameters specified in the default TM rule: speed limit (Kbps or Mbps) and priority. The
speed limit specified in the default TM rule is assumed to be the same for both incoming and outgoing
network traffic.
Application Firewall
Internet access management policy is a logical continuation of the Application Firewall. With
UserGate Server a system administrator can manage Internet access for both users and network
applications on a client workstation. To control client workstation applications in a local network, it is
necessary to install the App. Firewall Service application. It can be installed either with the executable
file or by launching the MSI package (AuthFwInstall.msi) located in the “%UserGate%\tools” directory.
Network applications management is performed on basis of the administrator defined rules,
applied to a user or to a group of users. There are two types of rules in Application Firewall: default rules
and users’ rules. Any workstation with Application Firewall Service installed can get default rules under
the following conditions:
• Application Firewall service detects UserGate Server,
• A set of default rules was created.
Since all Application Firewall rules should belong to a certain rules group, a special Default rules folder
is assigned to store the default rules. A UserGate administrator can also create groups for User rules.
Initially, UserGate has only one default rule, which allows any user network application to access any IP
address using any protocol. It is recommended to use this rule at the beginning of Application Firewall
setup for gathering application usage statistics.
Application Firewall service obtains the User rules set only after the user authorization on
UserGate Server. A user can be authorized using Authorization Client or without it by using the address
of its workstation (IP address, MAC address or both). User rules can supplement or forbid the default
rules. When Authorization Client is used, Application Firewall creates a logical link between a Windows
and UserGate profile for the authorized user. Changing the Windows account when Authorization Client
is running will cancel all user’s rules operation. Application Firewall does not support HTTP
authorization. Application Firewall policy with default settings is defined as the following:
a) If UserGate Server is unavailable, all the network applications are allowed.
b) If UserGate Server is available, only local access of network applications and services is allowed.
The network application statistics of Application Firewall are stored in the user workstation’s local
folder %Program Files%\Entensys\Application Firewall\Cache and are sent periodically (approximately
every 10 minutes) to UserGate Server. The sending interval is defined by the Registry parameter
SendStatistics (HKLM\Software\Policies\Entensys\Application Firewall). Caching of rules is also
built into the Application Firewall. If UserGate Server is temporarily unavailable, Application
Firewall service works according to rules written in the local Cache during the updating time
(UpdateRules Registry parameter). By default the rules are updated every 5 minutes.
User application statistics are available in “Application Firewall – Statistics”. User and
workstation information, and network application information, are shown in Figure 26.
Figure 26. Network application statistics
UserGate administrators can create an application rule by double-clicking on the corresponding line on
the Application history page.
UserGate cache explorer
Cache Explorer (Fig. 27) allows viewing the cached content stored by UserGate. To start Cache
Explorer right-click UserGate Agent icon in the system tray and then click the Run Cache Explorer
menu item. Or, alternatively, click the corresponding item in the Windows Start menu. When starting
Cache Explorer you need to specify the location of the file cache.dat (UserGate cache file). Using Cache
Explorer interface you can search, sort and filter the cached content. Finally, you can select any files in a
list and then save them to a folder of your choice.
Figure 27 Cache explorer
UserGate traffic management
Traffic management rules
UserGate Server enables you to manage Internet access by using the traffic management rules.
These rules can forbid user access to certain network resources, set up traffic consumption limits, create
Internet scheduling and track user accounts. Traffic management rules are arranged in the form of an
action to be performed on a certain object. There are 4 object-action pairs defined in UserGate:
“Connection – Close”, “Traffic – Don’t count”, “Tariff – Change” and “Speed – Set up”. For a traffic
management rule to execute, you need to define the rule’s condition: time of day, day of week, URLs
(IP), traffic limit (per day, week or month), etc. Defined conditions may be combined using logical
“AND/OR” operators, which gives flexibility when creating rules. Rules can also be applied
either to all protocols or to particular ones. You should
apply the created rules to users or user groups in UserGate.
Internet access restriction
Internet access restriction is a typical task of a proxy server. For this purpose there are
“Connection – Close” rules in UserGate. Working with the proxy server (HTTP, FTP), you may specify
the resource domain name (URL) as well as its IP address. UserGate Server can implement filtering by a
URL fragment (“Whole URL” item), by address part (“Server address” item) or by document address
(“Document URL” item).
Figure 28. URL filtering settings
When specifying an IP address you may specify it as a “Source” or as a “Destination” address.
The “Inverse” option means all IP addresses except the specified. Please note that if you need to forbid
access to some external hosts for NAT traffic you should specify their IP addresses but not domain
names, because UserGate NAT does not work with domain names.
Important note! In order to work, the created rule must be applied to UserGate users or groups.
BrightCloud URL filtering
In the context of our technological partnership with BrightCloud Inc, we integrated the hosted
BrightCloud service and the BrightCloud Master Database into UserGate. A UserGate administrator can
forbid access to sites having certain content without even knowing those sites’ names. Additionally, it is
possible to get a report from UserGate Statistics about the site categories visited, e.g. Ads, Education,
News, etc. Using site categories allows a more flexible Internet access management policy.
Categorized filtering is available for UserGate proxy services working in both transparent and
non-transparent modes and for NAT traffic. For NAT traffic, categorized filtering is available only if
the user’s DNS requests go through the “DNS forwarding” module in UserGate.
To deny access to particular categories (Fig. 29), open the “Traffic policy – Traffic rules” page,
create a “Connection – Close” rule and specify the unwanted category on the fifth page of the rule
creation dialog.
Figure 29. Categorized filtering rules
Setting a traffic consumption limit
You may apply the “Connection – Close” traffic management rules not only to prohibit certain Internet
resources, but also to limit traffic consumption. In this case you may specify a
maximum value of incoming/outgoing (or total) traffic per day, week or month as the condition (Fig. 30).
Figure 30. Traffic limit
If a traffic consumption limit is applied to a user, Internet access will be blocked completely or
partially (depending on additional parameters, e.g. protocols to which the rule is applied) as soon as the
limit is exceeded.
File size restriction
UserGate traffic management rules also enable an administrator to restrict the downloading of
files larger than a specified maximum size. This option is available for rules with the “OR” logical type
and can be applied to HTTP proxy traffic only.
Content-type filtering
The HTTP proxy in UserGate can filter traffic by the Content-type field, which is included in the
header of a response to a user from a web server. The Content-Type header field is used to specify the
nature of the data (and its format) in a web-server response: whether it is audio or video content, an image
(e.g. jpg, png etc.), or a document (MS Word, MS Excel). The Content-type header field is analyzed by
UserGate and the corresponding content can be either blocked or allowed depending on the traffic rules
set by an administrator. Filtering by the Content-type field can be used to block access to certain data types
and formats like video or audio files, disable JavaScript or prevent documents of a specific extension
from being transferred over the network.
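The decision described above depends on how the header is read: the field name and value are case-insensitive, the value may carry parameters, JavaScript is served under several media-type names, and some responses carry no Content-Type at all. The following Python sketch is an added example, not UserGate code; the rule list, the `type/*` wildcard form and the `block_untyped` switch are assumptions made for illustration.

```python
# Added illustration, not UserGate code. BLOCKED is a hypothetical rule list;
# the "type/*" wildcard form is an assumption of this sketch.
BLOCKED = {"video/*", "audio/*", "text/javascript",
           "application/javascript", "application/x-javascript"}

def content_type_of(raw_headers):
    """Return the Content-Type value from a raw response header block, or None."""
    for line in raw_headers.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return None

def media_type(value):
    """'Video/MP4; codecs=avc1' -> 'video/mp4'; None when absent or malformed."""
    if not value:
        return None
    essence = value.split(";", 1)[0].strip().lower()
    main, sep, sub = essence.partition("/")
    return essence if sep and main and sub else None

def verdict(raw_headers, blocked=BLOCKED, block_untyped=False):
    """Return 'block' or 'allow' for one response, based only on its declared type."""
    mtype = media_type(content_type_of(raw_headers))
    if mtype is None:
        # No usable declaration: the policy has to choose explicitly.
        return "block" if block_untyped else "allow"
    wildcard = mtype.split("/", 1)[0] + "/*"
    return "block" if mtype in blocked or wildcard in blocked else "allow"

# Constructed sample responses (header block only).
SAMPLES = {
    "clip":   "HTTP/1.1 200 OK\r\nContent-Type: Video/MP4; codecs=avc1\r\n\r\n",
    "script": "HTTP/1.1 200 OK\r\ncontent-type: application/x-javascript\r\n\r\n",
    "page":   "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n",
    "bare":   "HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, verdict(raw))
```

Because the verdict rests on what the server declares, a rule meant to stop one format should list every media-type name that format is served under, and the handling of responses without a Content-Type should be a deliberate choice.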
Figure 31. HTTP filtering by Content-type
The content-types list is stored in a special *.xml file located in the
“%UserGate5%\Administrator” folder. A UserGate administrator can add new content-types either in this
*.xml file or through the Administration Console. The link to iana.org is added for this purpose.
Billing system
Internet access tariffing
Besides direct traffic registration, UserGate Server can also be used to calculate Internet connection
costs. This is provided by its integrated billing system, which is built around the concept of a
“billing plan”. By default there is only one billing plan in UserGate with zero
values for incoming, outgoing and temporal traffic costs. If UserGate is used to provide paid Internet
access, the UserGate administrator can create any number of billing plans according to the Internet
provider’s cost policies or arbitrarily by their own preferences.
UserGate access billing plans can be applied to users and/or user groups. By default the Internet
connections of all users belonging to the same group are rated according to the group’s specified billing
plan. An administrator can redefine a user’s billing plan at any time.
User account status control
The UserGate billing system supplements the integrated Traffic Management system. If
UserGate Server is used to provide paid Internet access, you can use the Traffic Management system
to control user account status. Thus, in the “Connection – Close” rule you can enable the “Activate
tracking” option as a condition and specify the threshold value of a user account. The rule will become
active if a user’s account balance falls below the threshold value.
Dynamic billing plans switching
UserGate traffic management rules can be used for dynamic switching of billing plans. The most
common task, related to a Dial-Up connection, is switching between day and night billing plans. Another
task is using different billing plans for an Internet Service Provider’s internal network and for the
Internet. Both tasks are accomplished via the “Tariff – Change” rule.
UserGate remote administration
Remote connection settings
You can use the UserGate Administration module to control a remote server. In the “Server address”
field of the connection settings, specify the domain name or IP address of the remote machine on which
UserGate is running. To use the Administration module from a remote machine, run the UserGate
installation wizard and select only UserGate Administration Console.
Restarting UserGate server
A remote restart function for the UserGate server is available in the Administration Console.
Connect to the remote UserGate server and choose “File – Restart server” from the Administration
Console.
Checking for the new version
In “General Settings” of UserGate Administrator there is an option “Check for updates”. If this
option is enabled, UserGate Server checks UserGate’s site for the latest available version. If the
version installed is earlier than the version available on the site, the Administration Console displays a
corresponding message. In this case the administrator can download the new version from the site and install it.
Automatic UserGate upgrade is not supported yet.
UserGate statistics utility
Traffic statistics information is stored in UserGate Server’s own database. By default MS Access
is used as the database and it is located in the UserGate parent directory as log.mdb. Brief information
about the total traffic of users and groups is available in the “Monitoring” section of UserGate
Administrator. Detailed statistics are presented in the UserGate Statistics module, an application designed
to work with the UserGate statistics database (Fig. 32).
Figure 32. UserGate statistics
You can obtain detailed statistics for each user or group by using filters. Filtering allows the
creation of reports by time of access, by protocols, by resources requested etc. The resulting report is
presented in a table which can be exported to MS Excel, HTML or OpenOffice Calc format.
UserGate Web statistics
There is a new statistics module added to UserGate v.5. The Web statistics module provides
detailed statistics of Internet connection usage from any point of the world using an ordinary web-browser.
For web-statistics several access levels can be specified in the UserGate user’s profile. Thus an
ordinary user may check his own statistics, a “Director” can see the statistics of any user, and an
“Administrator” is authorized to see all user statistics and to create Statistic report templates.
Figure 33. UserGate Web-statistics URLs page
Important note! UserGate web-statistics is turned on simultaneously with HTTP-proxy. Web statistics is
unavailable when HTTP-proxy is turned off.
Statistics are now presented not only in table form, but also as graphic diagrams to
make the reports easier to understand.
You can access the statistics by visiting the link https://192.168.0.1 (where 192.168.0.1 is the
UserGate Server address, for example) or via the corresponding link on the user personal statistics page
http://192.168.0.1:8080 (where 8080 is the UserGate HTTP proxy port). The certificate located in the
%UserGate%\ssl folder is used for access to web-statistics over the HTTPS protocol. Another
way to reach the web-statistics page is to use the link on the last tab of the UserGate authorization client.
Web statistics settings
In web-statistics settings you can select regional settings, enable a cache, specify its storage time,
and enable the recording of housekeeping information. View Settings allow the specification of the
number of bytes per kilobyte (according to the way your provider defines “kilobyte”), indicate the
information specification details and enable URL addresses representation. To avoid excess
loading of the Statistics screen, it is possible to turn off the user’s balance display.
Traffic management rules efficiency rating
To manage Internet access, a UserGate administrator can create traffic management rules and apply
them to a user or to a group of users. However, a situation may occur when created rules work inefficiently.
For example, if a created rule is applied to all users, but actually acts only on “the most active” users, it
would be expedient to disable the rule for users who do not need this rule's effect. Those users’ traffic
will then not be subjected to needless checking, which may improve the server’s productivity.
Figure 34. Rules statistics for traffic management
To estimate a rule’s efficiency, use the “Rules events” link on the Web-statistics page. Only information
about “Connection – Close” rules is located here. With “Director” or “Administrator” privileges you can
obtain the “weight” of each URL in total rule actuation numbers.
Antivirus efficiency rating
Antivirus facilities allow the exclusion of some UserGate groups from being scanned for viruses.
Using Web statistics you can obtain a report about antivirus events per user. The statistic is available in
the “Antivirus events” section. For Chiefs and Administrators there is an additional statistic available,
showing each user’s “weight” in the number of total antivirus events (“Antivirus event statistics”).
Figure 35. Antivirus statistics
SIP usage statistics
The UserGate web-statistics module lets you monitor how SIP is used. Select “Director charts - SIP
Statistic” in the Diagrams section to list UserGate users who use SIP. The list contains the name of the caller,
the destination address (number) and the call duration.
Figure 36. SIP statistics