UserGate Proxy & Firewall Administrator Manual

Content
INTRODUCTION..........................................................................................................................................................................4 USERGATE PROXY & FIREWALL.........................................................................................................................................4 SYSTEM REQUIREMENTS....................................................................................................................................................................5 USERGATE SERVER INSTALLATION.....................................................................................................................................................5 USERGATE REGISTRATION.................................................................................................................................................................6 USERGATE UPDATE AND REMOVAL.....................................................................................................................................................6 USERGATE LICENSING POLICY............................................................................................................................................................7 USERGATE ADMINISTRATION MODULE...........................................................................................................................7 CONNECTION SETTINGS.....................................................................................................................................................................8 SETTING PASSWORD FOR CONNECTION.................................................................................................................................................9 SETTING PASSWORD FOR STATISTICS DATABASE.....................................................................................................................................9 NAT (NETWORK ADDRESS TRANSLATION) COMMON SETTINGS............................................................................................................9 INTERFACE SETTINGS...........................................................................................................................................................10 NETWORK TRAFFIC CALCULATION IN USERGATE................................................................................................................................12 CONNECTION FAILOVER...................................................................................................................................................................12 USERS AND GROUPS...............................................................................................................................................................13 USER PERSONAL STATISTICS PAGE.....................................................................................................................................................15 USERS AUTHORIZATION METHODS.................................................................................................................................15 TERMINAL USERS SUPPORT...............................................................................................................................................................16 USING HTTP AUTHORIZATION WITH TRANSPARENT PROXY..................................................................................................................17 USING AUTHORIZATION CLIENT.......................................................................................................................................................18 USERGATE SERVICES SETTINGS........................................................................................................................................19 DHCP SETTINGS...........................................................................................................................................................................19 PROXY SERVICE SETTINGS................................................................................................................................................................21 SIP PROTOCOL SUPPORT.................................................................................................................................................................22 USERGATE SIP REGISTRAR............................................................................................................................................................23 H323 PROTOCOL SUPPORT..............................................................................................................................................................23 USERGATE MAIL PROXIES...............................................................................................................................................................24 PROXIES IN TRANSPARENT MODE.......................................................................................................................................................24 PARENT PROXIES............................................................................................................................................................................25 PORT MAPPING..............................................................................................................................................................................26 CACHE SETTINGS...........................................................................................................................................................................26 ANTIVIRUS SCANNING.....................................................................................................................................................................27 USERGATE SCHEDULER..................................................................................................................................................................29 DNS SETTINGS.............................................................................................................................................................................30 ALERT MANAGER....................................................................................................................................................................32 USERGATE FIREWALL...........................................................................................................................................................33 PRINCIPLE OF OPERATION................................................................................................................................................................33 NETWORK ADDRESS TRANSLATION RULES (NAT).............................................................................................................................34 WORKING WITH MULTIPLE INTERNET SERVICE PROVIDERS.....................................................................................................................35 MASQUERADE FOR NAT RULES.......................................................................................................................................................36 NETWORK RESOURCES PUBLISHING....................................................................................................................................................38 FIREWALL FILTERING RULES.............................................................................................................................................................39 ROUTING SUPPORT.........................................................................................................................................................................40 USERGATE SPEED LIMITATIONS.......................................................................................................................................41 TRAFFIC MANAGER................................................................................................................................................................42 APPLICATION FIREWALL.....................................................................................................................................................45

USERGATE CACHE EXPLORER...........................................................................................................................................47 USERGATE TRAFFIC MANAGEMENT................................................................................................................................48 TRAFFIC MANAGEMENT RULES ..........................................................................................................................................................48 INTERNET ACCESS RESTRICTION........................................................................................................................................................48 BRIGHTCLOUD URL FILTERING......................................................................................................................................................49 SETTING A TRAFFIC CONSUMPTION LIMIT............................................................................................................................................52 FILE SIZE RESTRICTION....................................................................................................................................................................52 CONTENT-TYPE FILTERING...............................................................................................................................................................53 BILLING SYSTEM.....................................................................................................................................................................55 INTERNET ACCESS TARIFFING............................................................................................................................................................55 USER ACCOUNT STATUS CONTROL.....................................................................................................................................................55 DYNAMIC BILLING PLANS SWITCHING................................................................................................................................................55 USERGATE REMOTE ADMINISTRATION.........................................................................................................................56 REMOTE CONNECTION SETTINGS.......................................................................................................................................................56 RESTARTING USERGATE SERVER......................................................................................................................................................56 CHECKING FOR THE NEW VERSION....................................................................................................................................................56 USERGATE STATISTICS UTILITY.......................................................................................................................................57 USERGATE WEB STATISTICS...............................................................................................................................................58 WEB STATISTICS SETTINGS..............................................................................................................................................................59 TRAFFIC MANAGEMENT RULES EFFICIENCY RATING..............................................................................................................................59 ANTIVIRUS EFFICIENCY RATING........................................................................................................................................................60 SIP USAGE STATISTICS....................................................................................................................................................................61

Introduction
UserGate works as a proxy server, i.e. as an intermediate computer between your PC and the Internet. All interactions with the Internet pass through UserGate. When you surf the Internet, your computer automatically connects to the proxy server (UserGate) and requests the web page or file you want that is located on an Internet server. Then proxy server either connects to the specified server and receives the web page or finds it in the proxys cache (a temporary storage area for previously viewed web pages and files). In some situations the proxy server can modify the request or a servers response for specific purposes, for example blocking access to inappropriate pages or images, or if a virus is detected.

UserGate Proxy & Firewall

UserGate is a comprehensive solution designed to connect users to the Internet, provide traffic control, limit access and supply built-in network security tools. UserGate enables the tariffing (pricing and limiting) of user Internet access based on traffic amounts and time online. An administrator can add various billing plans, dynamically switch them and control the access of Internet resources. The built-in Firewall and Antivirus module protects UserGate server and identifies malicious software coming from the Internet. UserGate consists of several modules: the Server, the Administration Console (UserGate Administrator) and several others. UserGate Server (usergate.exe) is the central part, the core of the proxy server, where its functional capabilities are embodied. The Server provides Internet access, implements exact traffic calculations, tracks users online statistics, etc. UserGate Administration Console is a program assigned to control the Server. The Administration Console communicates with the server module by means of a special protocol above TCP/IP that enables server remote administration. There are also four additional modules included in UserGate: UserGate Statistics, Web Statistics, UserGate Authorization Client and Application Control.

System requirements
UserGate Server is recommended to be installed on Windows 2000/XP/2003 computers connected to the Internet via a modem or any other type of connection. Server hardware requirements are as follows: Network configuration Small LAN: 2 to 5 users Minimum requirements Pentium 1 GHz, 512 MB RAM, Windows 2000, 56k Medium LAN: 5 to 20 users modem Pentium 1 GHz, 512 MB RAM, Windows 2000, 56k modem Large LAN: more than 20 users Pentium 1 GHz, 512 MB RAM, Windows XP, ISDN connection Recommended requirements Pentium 1 GHz, 512 MB RAM, Windows 2000, DSL Pentium 1 GHz, 1 GB RAM, Windows XP, broadband Internet connection Pentium 2 GHz, 1 GB RAM, Windows 2003, broadband Internet connection

UserGate Server installation

To install UserGate Proxy & Firewall simply run the installation file and specify the Installation options. When installing UserGate for the first time you can leave all of its installation options with their default settings. During the installation process the installation Wizard will offer you to install UserGate as a system service (UserGate Service) and will automatically disable the Internet Connection Service, if it enabled.

Figure 1. UserGate NAT driver installation

Since UserGate NAT diver is not WHQL signed, during the installation process a Hardware installation dialog will appear (Fig. 1). In order to install UserGate NAT driver properly you should press Continue Anyway several times. After installation restart your computer.

UserGate registration
Unregistered version of UserGate Server runs for 30 days in evaluation mode and restricts the number of simultaneous users to 5. To register, please start the UserGate Server, connect the Administration Console to the Server, open Help and Register Product item in UserGate Administration Console menu. Additionally, you can choose the same option on About page in Administration Console. IN the appeared dialog enter your registration name and registration code into the corresponding fields. Then click the OK buttons and restart UserGate Server. During the registration process UserGate Server should be connected to the Internet.

UserGate update and removal

Before you install a new UserGate version it is recommended to remove the previous one and save the server settings file (config.cfg file, located in the UserGate directory; hereinafter %UserGate%) and the statistics database (log.mdb file, also located in %UserGate% folder).

UserGate Server v.5 supports the UserGate v.4 settings format. All settings from UserGate v.4 format will be converted into the new format after initial start of UserGate server. Compatibility with earlier than UserGate v.4 version is not supported. Removal of UserGate Server is accomplished by clicking on the removal item in the Start Programs menu or by using Add or Remove Programs in Control Panel. After removal, some files remain in the UserGate directory, such as config.cfg (UserGate Server settings), log.mdb (UserGate statistics database) and some others. When you install a newer version, all your settings are still there.

UserGate licensing policy

UserGate Server is designed to connect Local Area Network users to the Internet. The maximum number of users simultaneously connected to the Internet via UserGate is called number of sessions and is defined by a registration key. UserGate v.5 uses a registration unique key which does not support previous versions of the UserGate software. Unregistered UserGate Server will run for 30 days in evaluation mode and is restricted to 5 sessions. Please do not confuse the session concept with the number of user-launched Internet applications or connections. In general, the number of user-launched connections is arbitrary (unless otherwise limited). UserGates integrated antivirus software (Kaspersky and/or Panda) requires independent licensing, e.g. Kaspersky antivirus requires a special key file (*.key) located in the %UserGate%\kav directory. The UserGate distribution kit includes the 30-day trial key for Kaspersky antivirus; however, this key is not compatible with other keys of Kaspersky Lab products. The Panda antivirus license is built into the UserGate Server registration key according to agreements with Panda Security. License for the BrightCloud module, designed for site categorizing, is also included in the UserGate license. The BrightCloud license period is restricted to one year. After the license period expires, the BrightCloud online service becomes unavailable.

UserGate Administration module

UserGate Administration module is an application designed to control a local or remote UserGate Server. To start UserGate Administrator, please first start UserGate Server by selecting Start UserGate 7

Server in the UserGate Agent context menu (

icon in the System Tray). You can also run UserGate

Administrator by means of Start Programs if the module is installed on another computer. In order to work with settings you should connect the Administration module to the Server.

Connection settings
At the initial start of UserGate Administration Console it opens on Connections page, where only one connection is specified. In connection settings localhost is specified as a server address, login name specified is Administrator and there is no connection password. To connect the Administration Console to the UserGate server, double-click on the localhost Administrator line or press the Connect button on Control Panel. You can create several connections using Administration Console. It is necessary to specify the following parameters in connection settings: Server name connection name. User name login to connect to server. Server address domain name or UserGate Server IP address. Port TCP port used to connect to Server (port 2345 is the default). Password the connection password. Always ask for password this option asks for your login and password whenever you connect to UserGate Server. Automatically connect to this server Administration modules automatic connection to Server when it starts. Administration Console settings are stored in the file console.xml, located in the %UserGate %\Administrator\ folder. At the UserGate Server side, user names and connection passwords are stored in the %UserGate%\config.cfg file.

Setting password for connection

You can set up login name and password fro connection settings through the Administrator Settings section on General Settings page. In this section you can also specify a TCP port on which UserGate server will be listening for connection with Administration Console. In order the new settings to take effect it is necessary to restart the UserGate Server (Restart UserGate Server item in the Agent menu). After restarting you should change the Administration Console connection settings as well, otherwise the Administrator will fail to connect to the Server.

Setting password for statistics database

All users statistics, i.e. traffic, time online, resources visited are recorded by the UserGate Server into a special database. UserGate works with its database via ODBC driver, which allows to use different database formats (MS Access, MS SQL and MySQL). In order UserGate to work with MySQL database, please use MySQL Connector v.3.51. By default UserGate server uses a database in MS Access format (log.mdb file) with no password specified. You can set a password on General Settings Database Settings page in the Administration console. For the standard statistics database (log.mdb), you should stop UserGate Server after setting the password, then open the database in MS Access using the monopole mode and set a password through Tools Security Set database password.

NAT (Network Address Translation) Common Settings

NAT Common Settings option allows to specify the time-out value for NAT connections through TCP, UDP or ICMP protocols. Time-out defines the time of the user connection through NAT after the data transfer is finished. Print Debug Log option is needed for debugging and allows to turn on the extended logging mode of UserGate NAT driver, if needed.

Interface settings
The Interface page (Fig. 2) is the most important part of UserGate Server settings. It defines such important features as traffic count accuracy, the possibility for creation Firewall rules, Internet channel bandwidth restrictions, relationship between networks and the order of request processing by the UserGate NAT (Network Address Translation) driver.

Figure 2. UserGate Server interface settings

All available network interfaces are listed on Interface page, including Dial-Up (VPN, PPPoE) connections. UserGate administrator defines connection type for each network adapter, i.e. for a network adapter connected with the Internet you should select WAN type, for a network adapter connected with local area network LAN type should be selected. As for Dial-Up (VPN, PPPoE) connections (this type cannot be changed manually), UserGate Server defines this type automatically as a PPP interface. For 10

Dial-Up (VPN) connection you can enter user name and password by double-click on the corresponding interface. A network interface located at the top in interfaces list, becomes the primary Internet connection automatically.

11

Network traffic calculation in UserGate

Traffic, passing through UserGate is assigned either to the user from local area network which initiates the connection, or to the UserGate server itself if it initiates the connection. For the UserGate server traffic there is a special predefined user - UserGate Server specified in statistics database. UserGate Server traffic includes Kaspersky and Panda antivirus updates and DNS names resolving through DNS-forwarding module and BrightCloud requests and responses. When all UserGate server network adapters types (LAN or WAN) are specified correctly, traffic in the direction of local network UserGate Server (for example, accessing shared folder on the UserGate server) is not taken into account during traffic calculation. Important note! Using third party antivirus or firewall products (with the function of checking the traffic) may seriously affect the correctness of UserGate traffic calculation. Its not recommended to set up and use any third party network product on the computer where UserGate Server is installed.

Connection failover
If there are several Internet connections, the Connection Failover option becomes available on the Interfaces page. This option allows automatic switching of the UserGate Server to an alternative Internet connection if there is no connection through the primary channel. To use the Connection Failover option you should specify the following: the primary Internet connection, one or several reserve channels and a list of control hosts (Fig. 3). UserGate will check the availability of Internet connection by sending by sending ICMP echo-requests (the ping command) to the specified. The request period is 30 seconds by default, which can be changed manually. The Timeout parameter defines how long UserGate server will be waiting for ICMP echo reply packets. If several control hosts are specified in Connection Failover, the UserGate Server will check them consequently. A lack of response from all specified control hosts at the same time will be interpreted as the primary Internet connection failure. Therefore, it is recommended to specify the most stable Internet hosts as control hosts.

12

Figure 3. Connection Failover settings.

As a reserve connection UserGate Server can use either an Ethernet connection (dedicated channel, WAN interface) or a Dial-Up (VPN, PPPoE) connection (PPP interface). In order Network Address Translation (NAT) rules to work both with the primary and the reserve Internet channel you should specify Masquerade as a destination in NAT rules. After switching to the reserve Internet connection, UserGate Server regularly checks the primary channel availability and, if possible, switches users back to the primary Internet connection.

Users and groups

To provide secure Internet access through UserGate, it is necessary to create the users accounts. To simplify the common administration tasks UserGate administrator can create user groups according to their access levels. The most common way is to combine users into groups by access level, because it makes traffic management, for example setting traffic consumption limit, much easier. By default there is only one group available in UserGate: the default group. To create a new user, use the Add new user item or press the Add button on Control Panels Users and Groups page. Then enter the settings as shown in Fig. 4: Name, Authorization type, Authorization parameter (IP address, login etc), Group and Billing plan. By default all users belong to the default group. Each user must have a unique name. You can also specify the access level to UserGate 13

Web-statistics, define an internal H323 phone number, and enable NAT rules, traffic-managing rules and/ or Application Firewall module rules.

Figure 4. UserGate user profile

Each newly defined user inherits all settings of a group which it belongs to including the billing plan. The latter can be easily redefined in users profile. The billing plan specified in the each users profile is used for the all connections tariffing (setting and monitoring the price of Internet traffic). You may use a blank tariff if the Internet connection if it is not rated.

14

User personal statistics page

Every UserGate user can view his statistics page (Fig. 5). The user can access it at http://usergate, if his browser is set to work through proxy, or at http://192.168.0.1:8080, where, for example, 192.168.0.1 is the local address of UserGate server, and 8080 is the port on which UserGate HTTP proxy works.

Figure 5. User personal page in UserGate

On this page user can look through its statistics summary, open UserGate Web-Statistics page or download UserGate authorization client if needed.

Users authorization methods

Internet access though UserGate is provided only for authorized users. UserGate supports the following authorization methods: authorization by IP address (or IP address range) authorization by MAC address 15

authorization by a combination of IP and MAC addresses HTTP authorization (Basic) authorization through name and password Windows Login authorization Active Directory authorization simplified version of Active Directory authorization For the last four methods you should install UserGate Authorization Client on users workstation.

The corresponding MSI package (AuthClientInstall. msi) can be found in the %UserGate%\tools folder and can be installed automatically through Active Directory group policy tools. %UserGate%\tools folder also contains the corresponding administrative template (*.adm file). When Active Directory authorization is used, UserGate Server obtains the authorization parameters (login and password) from the Authorization Client, which is launched at the user workstation, and checks them through the domain controller. If UserGate Server is installed on a computer not included into Active Directory domain, it is recommended to use the simplified version of Active Directory authorization. In this case UserGate Server will compare the login and domain name received from the Authorization Client with the corresponding fields, specified in the user profile, without requesting the domain controller.

Terminal users support

Along with the basic HTTP authorization support, UserGate Server also supports terminal user HTTP authorization. You can enable this option on the General Settings page in the Administration Console (Fig. 6). This method of authorization allows terminal users to connect to the Internet using their individual UserGate accounts by means of a username and password for each connection.

16

Figure 6. Terminal users support

The HTTP authorization for terminal users mode is useful if you need to provide several network applications running from a single computer under the different UserGate accounts. Thereto please enter the appropriate proxy server (HTTP, Socks 5) address, port and authorization parameters (username/password) for each network application.

Using HTTP authorization with transparent proxy

The transparent proxy HTTP authorization method is also added to UserGate v.5. If the user browser is not set to use a proxy server and the UserGate HTTP proxy transparent mode is enabled, all requests from unauthorized users will be forwarded to an authorization page where you have to specify your username and password. After authorization please do not close the page. The authorization page refreshes regularly by means of a special script to keep the user session in active mode, which makes all UserGate services, including NAT available for an authorized user. To end the session, press the Logout button on the Authorization page. Important note! Terminal users are not supported by this authorization method.

17

Using Authorization Client

UserGate Authorization Client is a network application that works at the Winsock level. It connects to UserGate Server using a predefined UDP port (5456 by default) and sends user authorization parameters: the authorization type, username and password. In the Authorization Client settings you should specify (Fig. 7) UserGate server IP address and port, authorization type and the corresponding parameters (username/password) as it is specified in the user profile. During the first start UserGate Authorization Client monitors the Registry key: HKCU\Software\ Policies\Entensys\Auth client to find settings obtained through Active Directory group policy. If these settings are not found in the Registry, you should specify UserGate Server address manually in the third tab in Authorization Client. After the server address definition, press the Apply button to check the server availability. The specified authorization client settings are stored in the Registry key: HKCU\Software\Entensys\Auth client. Authorization client log is saved in Documents and Settings\ %USER%\Application data\UserGate Client folder.

Figure 7. Authorization Client settings

UserGate Authorization Client shows received/sent bytes statistics, time spent online and the cost. In addition to the Authorization Client there is a link on the users personal page. You can also change the Authorization Clients skin by editing the *.xml template located in the clients parent folder. Important note! Authorization Client. is not supported for Terminal users.

18

UserGate services settings

DHCP settings
DHCP service (Dynamic Host Configuration Protocol) automates the task of network settings configuration for LAN clients. With DHCP server you can dynamically assign such parameters as IP address, network mask, default gateway, DNS etc. for all network devices. To enable UserGate DHCP server select Services DHCP Server Add interface item in UserGate Administration Console or press the Add button in Control Panel. In the appeared dialog, select the network interface on which DHCP server will be working. For the minimal DHCP server configuration it is enough to set the following parameters: IP address range (address pull)the range of addresses to provide the addresses delivery to LAN clients by the server, the network mask and the lease time. The maximum pull size in UserGate is 4000 addresses. You can exclude some IP addresses from the address pull by using the Exclusion list. You can also attach a permanent IP address to a particular network device by creating a corresponding reservation. To create a new reservation, please enter the IP address only; the MAC address will be defined automatically when you press the corresponding button.

Figure 8. DHCP server settings

UserGate DHCP server supports import of MS Windows DHCP server settings. In order to use this feature you should dump the Windows DHCP settings to a file. To do this, launch command prompt (Start Run cmd) and type: netsh dhcp server IP dump > file_name, where IP is your DHCP servers

19

IP address. Import from file can be performed through the corresponding button on the first page of DHCP server wizard. Already delivered IP addresses are shown in the lower part of DHCP page of the Administration Console (Fig. 7) along with the client information (workstation name, MAC address) and lease time values. By selecting a delivered IP address you can create a user profile, create IP-MAC reservation or remove the given IP address.

Figure 9. Remove the issued IP address

The removed IP address will be placed again into the pull of DHCP sever free addresses after a certain period of time. The Remove client option becomes useful if there were a workstation which has received an IP address and it is taken offline later.

20

Proxy service settings

There are several proxy servers included in UserGate Server: HTTP proxy (supports FTP over HTTP and HTTPS) and FTP proxy, SOCKS4, SOCKS5, POP3 and SMTP, SIP and H323. Proxy server settings are located in Services Proxy Settings of the Administration Console. The most important settings are: interface (Fig. 10) and the number of the port where UserGate server is running.

Figure 10. Proxy server primary settings

If an interface is not specified in the proxy settings, the server will be listening to all available network interfaces. By default, only HTTP proxy is enabled and it listen 8080 TCP port on all available network interfaces. To set the client browser to work through the proxy, you ca n specify proxy address and port in the corresponding browser settings. For example in Internet Explorer you can make it through Tools Internet Options Connection LAN Settings. When working though HTTP proxy, specified in browser settings, you do not need to specify the gateway and DNS in the TCP/IP settings of local area network connection on a user workstation. For each proxy server you can specify an upstream proxyserver. Important note! Port, specified in the proxy server settings, is opened automatically in the UserGate firewall. In order to ensure the higher security its recommended to specify only local network interfaces in the proxy settings.

21

SIP protocol support

UserGate v.5 can operate as a stateful SIP proxy and as a SIP Registrar. Both functions can be enabled in Services Proxy Settings page. UserGate SIP proxy always works in transparent mode listening to ports 5060 TCP and 5060 UDP. When working through UserGate SIP-proxy the information about the current connection state (registration, call, waiting, etc) is shown on Sessions page in the Administration Console. This information is also saved in the UserGate statistics database. In order to work through UserGate SIP proxy you should specify the UserGate Server IP as the default gateway in the TCP/IP settings on users workstation. Besides a DNS server address must be specified. Let us illustrate client side settings for SJPhone software phone and Sipnet.ru SIP provider as an example. Start SJPhone, right-click on its icon in the system tray, choose Options item and New on profiles page. Enter profile name (Fig. 11), for example sipnet.ru, specify Calls through SIP Proxy as a profile type.

Figure 11. SJPhone profile creation

On SIP Proxy page specify your SIP provider address. In this example it is sipnet.ru. When closing Profiles option dialog, enter your username and password for SIP provider in the appeared dialog.

22

Figure 12. SJPhone profile settings

UserGate SIP Registrar

UserGate server can operate in SIP Registrar mode. In this mode UserGate works as a PBX (Private Branch Exchange) for local area network. SIP Registrar function works simultaneously with the SIPproxy function. In order to authorize on UserGate SIP Registrar you should specify in the following: UserGate address as SIP server address UserGate user name (without spaces) Any password

H323 protocol support

Built-in H323 protocol support enables you to use UserGate Server as a H323 Gatekeeper. In the H323 proxy settings you need to specify the interface where on which UserGate will be listening for client queries, port number and H323 gateway address and port. For authorization on UserGate H323 Gatekeeper, the user should specify his user name (user name in UserGate), password (you can specify any password) and phone number (defined in users profile).

23

UserGate mail proxies

UserGate mail proxies are designed to support both the POP3 and SMTP protocols, as well as to scan mail traffic for viruses. When UserGate POP3 and SMTP- proxies work in transparent mode, the settings of mail client on a users workstation are the same as if it was connected directly to the Internet (without proxies). If UserGate POP3 proxy is used in non-transparent mode, in users mail client you should to specify UserGate server IP address and port that correspond to POP3 proxy as a POP3 server address in. In addition, you need to specify login for the remote POP3 server authorization in the following format: e-mail_address@POP3_server_address. For example, if the user e-mail is user@mail.ru, you should enter user@mail.ru@pop.mail.ru as the login for the UserGate POP3 proxy. This format is necessary for UserGate to detect the remote POP server address. If UserGate SMTP proxy is used in a non-transparent mode, you need to specify the SMTP server IP address and port in the proxy settings section. In this case you enter the UserGate Server IP address and port that correspond to the SMTP proxy as the SMTP server address in the mail client settings of the user workstation. If authorization is needed for sending mail, please enter the username and password that correspond to the SMTP server shown in the UserGate SMTP proxy settings.

Proxies in transparent mode

The Transparent Mode option in the proxy server settings becomes enabled if UserGate Server is installed along with a NAT driver. In transparent mode the UserGate NAT driver is listening to the standard ports such as: 80 TCP for HTTP, 21 TCP for FTP, 110 and 25 TCP for POP3 and SMTP on LAN network interfaces and send users requests to the corresponding proxy in UserGate. When transparent mode is enabled, it is not required to specify the proxy server address and port in each network application which considerably decreases administrator efforts for providing LAN-to-Internet access. However, you need to specify UserGate Server as the gateway and specify a DNS server on each LAN workstations settings.

24

Parent proxies
UserGate Server can work either with a direct Internet connection or through upstream or parent proxies. UserGate supports the following parent proxy types: HTTP, HTTPS, Socks4 and Socks5. You can create parent proxies on Service Parent Proxy page. For each parent proxy you should specify: its type, IP address and port. If the parent proxy supports authorization, you can specify the corresponding login and password. All created parent proxies becomes available in UserGate proxy server settings.

Figure 13. Parent proxy in UserGate

25

Port mapping
Port mapping support is available in UserGate. Port mapping rules impart UserGate Server to redirect user requests from specific ports of a UserGate workstation network interface to addresses and ports specified by the rules. Port mapping is already enabled for TCP and UDP protocols and does not require a UserGate NAT driver to be installed.

Figure 14. UserGate ports definition

Important note! If a port mapping is used to provide access to company internal resource access from the Internet, you should use Specified User as the Authorization setup parameter.

Cache settings
An important purpose of a proxy server is resource caching, which reduces the Internet connection load and greatly increase the speed of access to commonly visited resources. UserGate proxy implements both HTTP and FTP traffic caching. Cached documents are saved in the %UserGate%\Cache folder. On the Cache page in Administration Console you may specify the Cache size limit and the document storage lifetime. You can also enable option Calculate traffic from cache. With this option enabled UserGate server will calculate traffic from cache and assign it to LAN user as if a web-page was taken from the Internet.

26

Antivirus scanning
There are two antivirus modules integrated in UserGate Server: Kaspersky Lab and Panda Security. Both modules are assigned to scan incoming traffic through UserGate HTTP, FTP and mail proxies, as well as outgoing traffic through SMTP proxy. Antivirus settings are available on Services Antivirus page in Administrator console (Fig. 15). You can specify the protocols for each antivirus to scan, setup the antivirus base update frequency and enter URLs which is not necessary to check (URL Filter). You can also specify a group of users whose traffic is not required to scan for viruses.

Figure 15. UserGate antivirus modules

Before running antivirus, you need to start antivirus bases update wait for update to complete. By default, the Kaspersky antivirus updates are downloaded from the Kaspersky Lab FTP site, whereas Panda antivirus updates from http://www.entensys.com. 27

UserGate Server supports both antivirus engines working simultaneously and allows you to choose the protocols to be scanned by each antivirus, as well as traffic scan directions for each protocol if its checked by both antiviruses. Important note! When traffic scanning for viruses is enabled, UserGate Server blocks HTTP and FTP multithreaded downloads. Blocking capability of transferring a part of the file through HTTP may cause problems with Windows Update service.

28

UserGate Scheduler
There is a task scheduler built into UserGate, which enables Dial-Up connection initialization and release, statistics reports delivery to users, arbitrary task executions, antivirus updates and statistics base cleaning. Even nonstandard tasks can be performed on schedule such as launching special kinds of *.bat or *.cmd files using Execute Program in UserGate Scheduler.

Figure 16 Setting UserGate scheduler

29

DNS settings
UserGate supports two methods for the names resolving: DNS module and NAT rule. DNS module is used with all UserGate services: proxy servers, BrightCloud URL-filtering, antivirus, etc. This module is designed to handle DNS queries of different types, such as A, MX, PTR, and it also supports recursive queries. Communication with UserGate services is performed on the Winsock level. By default, DNS module listens to 5458 UDP port. Moreover, DNS module can use DNS servers specified in server network settings or use the given DNS servers from a list. In there are several DNS servers specified, UserGate calls are based on the response time. So if certain DNS server doesnt provide timely response, UserGate automatically calls other servers. For resolving user DNS queries there is DNS forwarding mode. DNS forwarding settings are available in Services - DNS forwarding section of the Administrator console. In the forwarding mode DNS listens to 53 UDP port on UserGate server LAN adapters. DNS queries coming from the WAN adapters are ignored. Responses to DNS queries are cached in the server memory, so the rate of names resolving process is greatly improved. Besides, DNS module looks for changes in the %WINDIR %\system32\drivers\etc\hosts file putting records into its own cache. All records from the hosts file are stored in the DNS own cache memory for all server time of work.

Figure 17. DNS settings

30

A NAT setup creates a NAT rule for port 53 UDP, which can be applied to all or some users. In this case you should specify the Internet providers DNS IP as the DNS server on client workstation.

31

Alert Manager
The purpose of the Alert manager module is to inform a UserGate administrator about some kind of events happed with UserGate Server. For example, you can create a virus detection alert, antivirus module error alert or a license expired alert. The alert will be delivered by sending E-mail through SMTP server specified in Delivery Settings.

Figure 18 Setting Alert manager

32

UserGate Firewall
Principle of operation
UserGates built-in Firewall, being a part of UserGates NAT driver, is designed to handle network traffic according to predefined rules sets. In Firewall rule you need to specify source and destination addresses, service (protocol-port pair) and action: Send or Drop. Firewall rule type is defined automatically according to specified parameters. UserGate supports the following rule types: network translation rule (NAT), Routing, and Firewall itself (FW). In default settings only one firewall rule is available (#NONUSER# rule) which permits or silently drops all outgoing network traffic if it comes not from UserGate server process and all unexpected incoming traffic. If you enable Drop mode for #NONUSER# rule, UserGate Firewall will block all incoming and outgoing packets except transit packets. This is the most secure settings for UserGate if it is installed on a separate PC, working as a gateway only. However, sometimes UserGate is being installed on a workstation that works as an internet gateway at the same time. In this case you should create permissive Firewall rules. These rules will be placed above the #NONUSER# rule. When UserGate server accepts a network packet it looks through firewall rules in order to decide whether it should send or drop this packet. All firewall rules are scanned in sequence from top to bottom in firewall rules list. When UserGate founds a first applicable firewall rule for the given network packet it skips the rest part of rules. By changing firewall rule position in the rules list UserGate Administrator may change its priority during scanning. UserGate services, such as proxy servers, port mapping rules generate, so called, automatic permissive Firewall rules. For example, when you turn on HTTP-proxy, build-in Firewall will automatically create a corresponding permissive rule to maintain the proxy operation. Automatic firewall rules are not represented in the rules list; you can remove them only by disabling the corresponding proxy or port mapping rule. Nevertheless, UserGate administrator can block a permissive automatic rule by creating an appropriate prohibitive rule and placing it at the top of the rules list.

33

Network Address Translation rules (NAT)

To create a new network address translation rule (Fig. 19) right-click on Firewall Rules page in Administrator console and select Add rule item. Select UserGate LAN adapter as a source and one of WAN or PPP interfaces as a destination, specify one or several services. On the last page you should specify which users or groups are allowed to work through this NAT rule.

Figure 19. UserGate NAT rule creation

34

If a required service (protocol/port pair) is absent in the predefined services list, you can add it through New service button or through Services page in Administration Console. Important note! Prior to work through UserGate NAT, make sure that UserGate LAN IP address is specified as a default gateway on users workstation. Besides, when user works through NAT it should resolve domain names itself, so DNS server must be specified on users workstation.

Working with multiple Internet service providers

UserGate NAT driver supports simultaneous work with several external (Internet) connections. For this purpose UserGate administrator can create several NAT rules sets with different destination interfaces (WAN or PPP) (Fig. 20). Using this approach UserGate administrator can provide different Internet providers for different groups of users in local area network. Applying two translation rule sets for the same user or group is not recommended.

Figure 20. Working with multiple providers

35

Masquerade for NAT rules

In the presence of several external interfaces (WAN or PPP), UserGate administrator may choose Masquerade as a destination address in a NAT rule. Masquerade function is used when outgoing network interface used for packages transfer is not known beforehand. This choice means that an outgoing network interface will be defined dynamically by comparing the destination host network address with network address of all UserGate WAN or PPP- interfaces. If network address of a destination host does not match with any WAN or PPP interface, the packet will be sent through the Primary Internet channel. Besides, Masquerade function may be used for translation of network packets within several external networks.

Figure 21 Automatic choice of the outgoing adapter in the NAT rules

36

Important note! While using the Connection Failover, the automatic outgoing interface selection option in NAT rules is disabled. All NAT rules traffic with the Masquerade, specified as a destination, will go through reserve Internet connection.

37

Network resources publishing

With UserGate Firewall you can open access to your company internal network resources from the Internet; for example to Web-, FTP- and VPN-server or to a mail server. If resource publishing rule is created all requests to a certain port of UserGate server external IP will be redirected to the internal server according to the rule. The access to internal resource can be provided for all (source - Any) or for specified Internet users (source Host or Host range). In order to create a resource publishing rule you need to specify only one service on Services page (Fig. 22) in Add Network Rule dialog.

Figure 22. FTP server publishing

38

Firewall filtering rules

It is a common practice when UserGate is installed on a PC which is used both as an Internet gateway and as a workstation at the same time. If the #NONUSER# firewall rule is working in Drop mode, it is necessary to create several special permissive firewall rules. For example, these rules can permit outgoing requests and incoming responses for such basic protocols like HTTP, HTTPS, FTP, POP3 and SMTP. An example of such rules is shown in Figure 23.

Figure 23. UserGate Server firewall rule

39

Routing support
If UserGate server is installed on a PC connected to several local area networks, UserGate can be set up to act as a router providing transparent bidirectional connections between local networks. Firewall routing rule can be set up between any pair of LAN interfaces (Fig. 24).

Figure 24. UserGate routing

Important note! UserGate authorization is not required for routing, and traffic count is not monitored.

40

UserGate speed limitations

UserGate supports two methods to limit network traffic speed. The simplest method is to set traffic speed limit through a user profile or though a traffic rule (Speed Set up Speed). This method is not universal because it allows to restrict only incoming traffic speed for all connections without an opportunity to distinguish between protocols or destination addresses and ports. This limitation mechanism works for proxy services and for NAT traffic. With this method you cannot restrict traffic speed for a group of users. The second method to limit network traffic speed in UserGate is to use Traffic Manager(TM) module. This method is more sophisticated and provides more possibilities for speed limitation. For example you can make different restriction for incoming and outgoing traffic for different protocols. Important note! When Traffic Manager is enabled all traffic speed limitations specified either in users profile or in traffic rules are ignored.

41

Traffic Manager
UserGate Traffic Manager(TM) module is based on a well-known CBWFQ (Class-Based Weighted Fair Queuing) algorithm. This algorithm provides network packets processing using FIFO (First In First Out) queues based upon queue priority and packet classification. A part of the algorithm is WFQ (Weighted Fair Queuing), when FIFO packet queues are processed by priorities and weight (size) of packets. Also the algorithm of TM includes the Shaper functionality (restriction of a bandwidth for a rule). Shaper also is processing queues by the priority. The other options are: Speed limit and Time delay.

Figure 25 Traffic Manager rules for setting speed limits

There are two types of rules in the TM module: adapter rules, or default rules, and user rules. Default rules are designed for processing network packets that do not suit under user TM rules or for processing all network packets when there are no user TM rules defined. Default rules are created 42

automatically for each WAN adapter of UserGate server. Default rules should be turned on to provide TM operation. User rules are designed to handle specific traffic type. The following parameters are accessible for TM user rule: Rule priority Traffic direction (incoming/outgoing), Maximum bandwidth value allowed (Kbps or Mbps), Packet delay (ms), Protocol (TCP/UDP/ICMP), Source IP and port, Destination IP (as an IP/mask) and destination port, Adapter to process the traffic by Bandwidth Manager.

Important note! The Time Delay parameter is designed for delaying network packets if their traffic doesnt fit into the specified bandwidth. The priority of TM rule defines which FIFO queue will be used for packet processing. There are 8 priority queues defined: 4 absolute priority queues (HIGH, MEDIUM, NORMAL and LOW) and 4 queues with relative priority. Manageable traffic speed limiting is provided only for rules with relative priorities. According to the speed limit specified, a package can be sent to the outgoing buffer, moved to the beginning of the queue (if parameter Time Delay is specified) or rejected. Queues with an absolute priority are intended for privileged traffic processing. If needed, this traffic can fill all the bandwidth of the dedicated Internet channel. There is only one parameter that administrator can use to affect privileged traffic processing the absolute rule priority. When creating the user TM rule the machine address in the local network can be specified as a source. As a destination address you should always specify an external host or external network address. To restrict NAT traffic speed its recommended to bind a user TM rule to UserGate server LAN adapter because in this case the source address is not necessary to be specified (this traffic speed limitation will be applied to all users). Traffic speed limit can be personified by specifying the source IP address or IP addresses range. To restrict traffic speed through proxies its recommended to bind the user TM rule to UserGate WAN adapter without specifying the source address. Traffic speed limit through proxy can be set only for all local network users. When creating TM user rule, please take into account the following:

43

Traffic Manager is intended for traffic speed limiting for directions Server Internet and Local Network Internet. If a network packet matches more than one limiting rules, Traffic Manager chooses only the first suitable rule. Traffic Manager does not support Dial-Up connections. A network packet, which does not suit any user TM rules, will be handled by the default rule.

There are two parameters specified in the default TM rule: speed limit (Kbps or Mbps) and priority. The speed limit specified in the default TM rule is assumed to be the same for both incoming and outgoing network traffic.

44

Application Firewall
Internet access management policy is a logical continuation of the Application Firewall. With UserGate Server a system administrator can manage Internet access for both users and network applications on a client workstation. To control client workstation applications in a local network, it is necessary to install the App. Firewall Service application. Installation is possible as using the executable file so by launching the MSI package (AuthFwInstall.msi) located in the %UserGate %\tools directory. Network applications management is performed on basis of the administrator defined rules, applied to a user or to a group of users. There are two types of rules in Application Firewall: default rules and users rules. Any workstation with Application Firewall Service installed can get default rules under the following conditions: Application Firewall service detects UserGate Server, A set of default rules was created.

Since all Application Firewall rules should belong to a certain rules group, a special Default rules folder is assigned to store the default rules. A UserGate administrator can also create groups for User rules. Initially, UserGate has only one default rule which allows any user network application to access any IP address using any protocols. This rule is recommended to use at the beginning of Application Firewall setup for gathering application usage statistics. Application Firewall service obtains the User rules set only after the user authorization on UserGate Server. A user can be authorized using Authorization Client or without it by using the address of its workstation (IP address, MAC address or both). User rules can supplement or forbid the default rules. When Authorization Client is used, Application Firewall creates a logical link between a Windows and UserGate profile for the authorized user. Changing the Windows account when Authorization Client is running will cancel all users rules operation. Application Firewall does not support HTTP authorization. Application Firewall policy with default settings is defined as the following: a) If UserGate Server is unavailable, all the network applications are allowed. b) If UserGate Server is available, only local access of network applications and services is allowed. The network application statistics of Application Firewall is stored in the user workstations local folder %Program Files%\Entensys\Application Firewall\Cache and it is sent periodically (every 10

45

minutes approximately) to UserGate Server. The sending time span is defined by the Registry parameter SendStatistics (HKLM\Software\Policies\Entensys\Application Firewall). Also, the proper Caching rules are embedded in the Application Firewall. If UserGate Server is temporarily unavailable, Application Firewall service works according to rules written in the local Cache during the updating time (UpdateRules Registry parameter). By default the rules updates with period of 5 minutes. User application statistics are available in Application Firewall Statistics. User and workstation information, and network application information is shown on Figure 26.

Figure 26. Network application statistics

UserGate administrators can create an application rule by double-clicking on the corresponding line on the Application history page.

46

UserGate cache explorer

Cache Explorer (Fig. 27) allows viewing the cached content stored by UserGate. To start Cache Explorer right-click UserGate Agent icon in the system tray and then click the Run Cache Explorer menu item. Or, alternatively, click the corresponding item in the Windows Start menu. When starting Cache Explorer you need to specify the location of the file cache.dat (UserGate cache file). Using Cache Explorer interface you can search, sort and filter the cached content. Finally, you can select any files in a list and then save them to a folder of your choice.

Figure 27 Cache explorer

47

UserGate traffic management

Traffic management rules
UserGate Server enables you to manage Internet access by using the traffic management rules. These rules can forbid user access to certain network resources, set up traffic consumption limits, create Internet scheduling and track user accounts. Traffic management rules are arranged in the form of an action to be performed on a certain object. There are 4 object-action pairs defined in UserGate: Connection Close, Traffic Dont count, Tariff Change and Speed Set up. For a traffic management rule to execute, you need to define the rules condition: time of day, day of week, URLs (IP), traffic limit (per day, week or month), etc. Defined conditions may be combined using logical AND/OR operators, allowing opportune flexibility when creating rules. Another opportunity is provided by the possibility of applying rules both for all protocols and for particular ones. You should apply rules created to users or user groups in UserGate.

Internet access restriction

Internet access restriction is a typical task of a proxy server. For this purpose there are Connection Close rules in UserGate. Working with the proxy server (HTTP, FTP), you may specify the resource domain name (URL) as well as its IP address. UserGate Server can implement filtering by a URL fragment (Whole URL item), by address part (Server address item) or by document address (Document URL item).

48

Figure 28. URL filtering settings

When specifying an IP address you may specify it as a Source or as a Destination address. The Inverse option means all IP addresses except the specified. Please note that if you need to forbid access to some external hosts for NAT traffic you should specify their IP addresses but not domain names, because UserGate NAT does not work with domain names. Important note! In order to work the created rule must be applied to UserGate users of groups.

BrightCloud URL filtering

In the context of our technological partnership with BrightCloud Inc, we integrated the hosted BrightCloud service and the BrightCloud Master Database into UserGate. A UserGate administrator can forbid access to sites having certain content without even knowing those sites names. Additionally, it is possible to get a report from UserGate Statistics about the site categories visited, e.g. Ads, Education, News, etc. Using site categories allows more flexible policy of the Internet access management.

49

Categorized filtering is available for UserGate proxy services working in both transparent and non-transparent modes and for NAT traffic. For NAT traffic categorized filtering will be available only if users DNS requests goes through DNS forwarding module in UserGate. To deny access to particular categories (Fig. 29), open Traffic policy Traffic rules page, create a Connection Close rule and specify the unwanted category on the fifth page of the rule creation dialog.

50

Figure 29. Categorized filtering rules

51

Setting a traffic consumption limit

You may apply the 'Connection Close traffic management rules to prohibit certain Internet resources, but also you can use it to limit the traffic consumption. In this case you may specify a maximum value of incoming/outgoing (or total) traffic per day, week or month as the condition (Fig. 30).

Figure 30. Traffic limit

If a traffic consumption limit is applied to a user, Internet access will be blocked completely or partially (depending on additional parameters, e.g. protocols to which the rule is applied) as soon as the limit is exceeded.

File size restriction

UserGate traffic management rules also enable an administrator to restrict the downloading of the files larger than the maximum size specified. This option is enabled to the rule with OR logical type and can be applied to HTTP proxy traffic only.

52

Content-type filtering
HTTP-proxy in UserGate can filter traffic by the Content-type field, which is included in the header of a response to a user from a web server.The Content-Type header field is used to specify the nature of the data (and its format) in a web-server response: whether it is audio or video content, image (e.g. jpg, png etc.), or a document (MS Word, MS Excel). Content-type header field is analyzed by UserGate and the corresponding content can be either blocked or allowed depending on the traffic rules set by an administrator. Filtering by Content-type field can be used to block access to certain data types and formats like video or audio files, disable JavaScript or prevent documents of a specific extension from being transferred over the network.

53

Fig 31 HTTP filtering by Content-type

The

content-types

list

is

stored

in

the

special

*.xml

file

located

in

the

%UserGate5%\Administrator folder. UserGate administrator can add new content-types as in this *.xml file or through the Administration Console. The link to ianna.org is added for this purpose. 54

Billing system
Internet access tariffing
Besides the direct traffic registration, UserGate Server can be used also for Internet connection expenditure calculations. This opportunity is provided by its integrated billing system. Underlying the billing system is a billing plan term. By default there is only one billing plan in UserGate with zero values for incoming, outgoing and temporal traffic costs. If UserGate is used to provide paid Internet access, UserGate administrator can create any number of billing plans according to Internet provider cost policies or arbitrarily by its own preferences. UserGate access billing plans can be applied both to users and/or user groups. By default Internet connections of all users belonging to the same group are rated according to the groups specified billing plan. An administrator can redefine user billing plan at any time.

User account status control

The UserGate billing system perfectly supplements the integrated Traffic Management system. If UserGate Server is used to provide the paid Internet access, you can use the Traffic Management system to control user account status. Thus, in the Connection Close rule you can enable the Activate tracking option as a condition and specify the threshold value of a user account. The rule will become active if a users account balance falls below a threshold value.

Dynamic billing plans switching

UserGate traffic management rules can be used for dynamic billing plans switching. The most common task, related to a Dial-Up connection, is switching between day and night billing plans. Another task is using the different billing plans for an Internet Service Providers internal network and for the Internet. Both tasks are accomplished via the Tariff Change rule.

55

UserGate remote administration

Remote connection settings
You can use the UserGate Administration module to control a remote server. In Server address in connection settings, please specify the domain name or IP address of the remote machine with UserGate running. To use the Administration module from a remote machine, you should run UserGate installation wizard and select only UserGate Administration Console.

Restarting UserGate server

UserGate server remote restart function is added into Administration Console. Its possible to connect to the remote UserGate server and choose File Restart server from the Administration Console.

Checking for the new version

In General Settings of UserGate Administrator there is an option Check for updates. If this option is enabled, UserGate Server requests the latest version availability from UserGates site. If the version installed is earlier than the version available on the site, Administration Console displays the proper message. In this case the administrator can download the new version from the site and install it. Automatic UserGate upgrade is not supported yet.

56

UserGate statistics utility

Traffic statistics information is stored in UserGate Servers own database. By default MS Access is used as the database and it is located in the UserGate parent directory as log.mdb. Brief information about the total traffic of users and groups is available in the Monitoring section of UserGate Administrator. Detailed statistics is presented in the UserGate Statistics module an application assigned to work with the UserGate statistics database (Fig. 32).

Figure 32. UserGate statistics

You can obtain detailed statistics for each user or group by using filters. Filtering allows the creation of reports by time of access, by protocols, by resources requested etc. The resulting report is presented in a table which can be exported to MS Excel ,HTML or OpenOffice calc format.

57

UserGate Web statistics

There is a new statistics module added to UserGate v.5. The Web statistics module provides the detailed statistics of Internet connection usage from any point of the world using an ordinary webbrowser. For web-statistics several access levels can be specified in UserGate users profile. Thus an ordinary user may check his own statistics, a Director could see the statistics of any user, and an Administrator is authorized to see all user statistics and to create Statistic report templates.

Figure 33. UserGate Web-statistics URLs page

Important note! UserGate web-statistics is turned on simultaneously with HTTP-proxy. Web statistics is unavailable when HTTP-proxy is turned off. Statistic information is represented now not only in table form, but in graphic diagrams as well to make the reports easier to understand.

58

You can obtain statistics access by visiting the link https://192.168.0.1, (where 192.168.0.1 is the UserGate Server address, for example) or via the corresponding link on the user personal statistics page http://192.168.0.1:8080 (where 8080 is the UserGate HTTP proxy port). Certificate located in the %UserGate%\ssl folder is used for an access to web-statistics through HTTPS protocol. Another possibility to visit web-statistics page is to use the link from the last tab in UserGate authorization client.

Web statistics settings

In web-statistics settings you can select regional settings, enable a cache, specify its storage time, and enable the recording of housekeeping information. View Settings allow the specification of the number of bytes per kilobyte (according to way your provider defines kilobyte), indicate the information specification details and enable URL addresses representation. In order to avoid excess loading of the Statistics screen it is possible to turn off the users balance display.

Traffic management rules efficiency rating

To manage Internet access UserGate administrator can create traffic management rules and apply them to a user or to group of users. However, a situation may occur when created rules work inefficiently. For example, if a created rule is applied to all users, but actually acts only on the most active users, it would be expedient to disable the rule for users, who do not need this rule's effect. Those users traffic will be not exposed to needless checking, which may improve the servers productivity.

59

Figure 34 Rules statistics for traffic management

To estimate a rules efficiency, there is a link Rules events in Web-statistics page. Only information about Connection Close rules is located here. With Director or Administrator privileges you can obtain the weight of each URL in total rule actuation numbers.

Antivirus efficiency rating

Antivirus facilities allow the exclusion of some UserGate groups from being scanned for viruses. Using Web statistics you can obtain a report about antivirus events per user. The statistic is available in the Antivirus events section. For Chiefs and Administrators there is an additional statistic available, showing each users weight in the number of total antivirus events (Antivirus event statistics).

60

Figure 35. Antivirus statistics

SIP usage statistics

UserGate web-statistics module allows monitoring how SIP is used. Select Director charts - SIP Statistic in the Diagrams section to list UserGate users who use SIP. The list contains a name of a caller, a destination address (number) and the call duration.

61

Figure 36. SIP statistics

62