Netgate Discussion Forum

Alternative for MS TMG 2010 = pfSense ???

Problems Installing or Upgrading pfSense Software
  • C
    canefield
    last edited by Mar 10, 2012, 8:11 PM

    Anybody? Please help me out here…I want to use this free/open source solution instead of commercial software.

    Thanks for your time and effort; I appreciate it,
    Canefield

    • D
      dhatz
      last edited by Mar 10, 2012, 8:29 PM

      pfsense in its base configuration is first and foremost a firewall/router with advanced functionality such as traffic shaping.

      From a quick look at your requirements, much of what you want can be achieved using a combination of 3rd party reverse-proxy software (namely varnish & haproxy), which can also be installed on pfsense itself, and are available as separate packages.

      As a starting point, I would suggest that you get another external IP, set up a pfSense box in front of TMG and start moving certain services (e.g. http, then https etc.).

      • C
        canefield
        last edited by Mar 11, 2012, 4:01 PM Mar 11, 2012, 3:49 PM

        Hi there,

        I do not have the possibility to add/purchase another external IP. I had hoped that would be possible in my case, but unfortunately it is not.

        I thought of using the following packages:

        • Snort as (additional) Firewall (IDS/IPS)
        • Squid-Reverse + SquidGuard (reverse-proxy; web performance HTTP/HTTPS)
        • HAVP (mean proxy for antivirus)

        What (reverse) proxy should I use? Are you suggesting others? Why?

        Moreover I want to:

        • accelerate/boost my in- and outbound web requests
        • servicing multiple servers behind NAT

        These issues are still very vague to me.

        So you are indicating that my wishes are possible with pfSense? Could you give me more advice about the packages I should use? I really do not have a clue which package to use. Which system requirements?
        Is there some kind of tutorial out there?

        Honestly, it disappoints me how many comments I get in this discussion. Would it not be great if pfSense could do the job instead of other commercial software? This should enthuse all people on this forum, should it not? Let pfSense rule the world (especially in what it can do).

        Thanks in advance,
        Canefield

        • S
          Supermule Banned
          last edited by Mar 11, 2012, 6:34 PM

          I have TMG with a PFSense router/firewall in front.

          TMG has L7 and is much easier to set up than all the 3rd party software in PFSense. If anything doesn't work, it's difficult to see what the reason for it is.

          Furthermore the logging in TMG is much nicer. Keep the TMG.

          I am running 1.2.3 since performance has deteriorated and NAT reflection is broken in all the 2.0 releases I have tried.

          • C
            canefield
            last edited by Mar 11, 2012, 8:12 PM

            Hi,

            Thanks for your reply…but really I only want to be able to use pfSense.
            Somebody any other ideas? How to setup and configure this scenario with pfSense only?

            KR,
            Canefield

            • D
              dhatz
              last edited by Mar 12, 2012, 1:57 PM

              @Supermule:

              I am running 1.2.3 since performance has deteriorated and NAT reflection is broken in all the 2.0 releases I have tried.

              Strange that you say that you find 1.2.3 better than 2.x, which is based on a newer FreeBSD version, with updated kernel, NIC drivers etc.

              Also, while pfsense's NAT reflection may have problems (in fact it doesn't work at all with UDP), there are very few situations where one really has to resort to using NAT Reflection instead of some alternative like split-DNS.

              • M
                marcelloc
                last edited by Mar 12, 2012, 3:35 PM Mar 12, 2012, 3:32 PM

                @Supermule:

                I have TMG with a PFSense router/firewall in front.

                TMG has L7 and is much easier to setup than all the 3rd party software in PFSense. If anything doesnt work, its difficult to see what is the reason for it.

                Furthermore the logging in TMG is much nicer. Keep the TMG.

                I am running 1.2.3 since performance has deteriorated and NAT reflection is broken in all the 2.0 releases I have tried.

                Supermule,

                Not trying to be offensive, and sorry if it sounds like it, but why do you keep trying pfsense when you prefer and recommend TMG to every user on this forum? ???

                canefield,

                This setup can be done with pfsense; it will need some extra packages to reach the best config and performance.

                The tcp services you want to balance can be done using the built-in load balancer on the Services menu.

                squid+squidguard+havp as well as squid+dansguardian can do proxy with antivirus for internet access.

                haproxy will be almost as easy to configure as the built-in load balance service and will do tcp, http and https balance/failover.

                The hardware will depend on the throughput you need, but with all these features I suggest at least a core 2 duo + 4g ram + fast disk + amd64 version.

                postfix forwarder + mailscanner package can do a really good job of protecting your exchange server from the internet and can also be configured for outbound messages from exchange.

                Another suggestion:
                Use the custom install setup to create /usr and /var filesystems with softupdates; this will increase your disk performance (important for cache and spam filtering).

                att,
                Marcello Coutinho

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                • S
                  Supermule Banned
                  last edited by Mar 12, 2012, 3:48 PM

                  Hey Marcello :) I like TMG for the things it does….

                  It's all about user friendliness and I love PFSense. Have been using it since it broke off from M0n0wall.

                  I don't like the 2.01 release since it needs a lot of moving around in the tabs to configure very simple tasks.

                  The TMG has a very useful, intuitive user interface, and if you set it up as a proxy then you won't have to dig around to configure things....it is right there in the tabs when publishing a server...it changes depending on what you want to publish, but you don't have to change anything in the basic setup every time. It is very, very easy to see if the thing you are doing is working. It has a test rule button that gives you detailed information about what could be wrong, and you don't have to search 3 different packages to watch the logs.

                  I only use PFSense as a frontend since the only thing it does is NAT to ISA. The 2.01 was not stable enough and basic things were broken, so for me 1.2.3 was the best option available.

                  • D
                    dhatz
                    last edited by Mar 12, 2012, 4:32 PM

                    @Supermule:

                    the 2.01 was not stable enough and basic things were broken

                    I'm sure the developers would appreciate receiving detailed bug reports.

                    • S
                      Supermule Banned
                      last edited by Mar 12, 2012, 4:40 PM

                      I posted most of the finds on redmine….

                      • M
                        marcelloc
                        last edited by Mar 12, 2012, 7:11 PM

                        @Supermule:

                        I only use PFSense as a frontend since the only thing it does, is NAT to ISA. the 2.01 was not stable enough and basic things were broken so for me 1.2.3 was the best option available.

                        ISA/TMG is easy but not good enough to stay on internet? Just like old M$ proxy 2.0? good to know. :)

                        I've never trusted microsoft with real ip, this is just one more example.

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                        • S
                          Supermule Banned
                          last edited by Mar 12, 2012, 7:31 PM

                          HAHAHAHA it depends on how you configure it. It can easily act as a frontend. I chose PFSense instead because of the minimal footprint and that it runs on bare metal at the time.

                          Since ISA resides on Windows Server, I didn't want to use it because of Windows and its complexity.

                          It is bloody good as a proxy/L7 firewall and that is what I use it for.

                          • D
                            dhatz
                            last edited by Mar 12, 2012, 7:35 PM

                            I think TMG's main advantage is its tight integration with AD.

                            • S
                              Supermule Banned
                              last edited by Mar 12, 2012, 7:55 PM

                              And true L7 :)

                              • C
                                canefield
                                last edited by Mar 15, 2012, 11:26 AM

                                canefield,

                                This setup can be done with pfsense, it will need some extra package to reach the best config and performance.

                                The tcp services you want to balance can be done using built in load balance on service menu.

                                squid+squidguard+havp as well squid+ dansguardian can do proxy with antivirus for internet access.

                                haproxy will be almost as easy to configure as load balance built in service and will do tcp,http and https balance/failover.

                                The hardware will depend on throughput you need but with all these features, I suggest at least a core 2 duo + 4g ram + fast disk + amd64 version.

                                posfix forwarder + mailscanner package can do a really good job on protecting your exchange server from internet and can also be configured to outbound messages from exchange.

                                Another suggestion:
                                Use custom install setup to create /usr and /var filesystem with softupdates, this will increase your disk performance(important for cache and spam filtering)

                                att,
                                Marcello Coutinho

                                Marcello (and others), thanks a lot for your time. I still have a couple of questions.

                                • When you speak of Squid, do you also mean Squid-Reverse?
                                • You suggest two scenarios for implementing proxies; which one to choose in what situation? Your own opinion?
                                • In matters of security you are not talking about using Snort, any reason? Other suggestions?
                                • To have multiple servers active behind NAT using the same ports, what solution do you provide/advise?
                                  - How to set this up and get it running?
                                • In the way of a fallback/backup MX, how to use/set up Postfix?

                                You are probably thinking, why so many questions? To be honest, I am particularly specialized in Microsoft products. So this step of approaching the Linux platform is completely new, surprising, exciting and promising. I really know a lot about mostly all Microsoft products and services, but nowadays I want to orientate more on Linux distributions. I am convinced I should always explore my options and have a broader view in various areas.
                                So please help me as much as possible. Step-by-step tutorials are more than welcome.

                                Thanks in advance,
                                Canefield

                                • M
                                  marcelloc
                                  last edited by Mar 15, 2012, 2:30 PM

                                  @canefield:

                                  • When you speak of Squid you also mean Squid-Reverse?

                                  Yes, squid-reverse can do inbound and outbound proxy.

                                  @canefield:

                                  • You suggest two scenarios implementing proxy's, which one to choose in what situation? Your own opinion?

                                  Dansguardian is not free for commercial use but has content filtering (something I need). I'm not using squidguard but it is a great package too.

                                  @canefield:

                                  • I matter of security you are not talking about using Snort, any reason? Other suggestions?

                                  You can use snort, but you have to first enable it as an IDS only; after you adjust this package to suppress the rules that give you false positives, then you can enable IPS mode.

                                  @canefield:

                                  • To have multiple servers active behind NAT using the same ports, what solution do you provide/advise?
                                        - How to set this up running?

                                  I'm using varnish for http cache/balance and haproxy for https balance.

                                  @canefield:

                                  • In the way of fallback/backup MX how to use/setup Postfix?

                                  Postfix package can do a really good job on protecting exchange server from internet.
                                  It does not have local mailbox support, but can be configured to act as a backup mx by configuring the main mx server as an internal smtp.

                                  @canefield:

                                  I really know a lot about mostly all Microsoft product and services, but nowadays I want to orientate more on Linux distrobutions. I am convinced I should always explorer my options and have a broader view in various areas.

                                  Using the best of each is, in my opinion, a great decision.

                                  Treinamentos de Elite: http://sys-squad.com

                                  Help a community developer! ;D

                                  • C
                                    canefield
                                    last edited by Mar 15, 2012, 3:42 PM Mar 15, 2012, 3:22 PM

                                    Marcello,

                                    Thanks for your reply. I make a note of what you are telling me about Snort (IDS/IPS).

                                    Could you (or somebody else) help me out with the configuration of the pfSense packages:

                                    • Varnish or Varnish3 & HAProxy or HAProxy Full
                                      To get -in test- six LB servers up-and-running. I have two Exchange servers (LB & FO) configured and listening on port 80 and 443 (host-header: webmail.testing.com, only SSL), two SharePoint servers (LB & FO) configured and listening on port 80, 443 and 987 (host-header: extranet.testing.com, both HTTP and SSL) and two Web servers (LB & FO) configured and listening on port 80, 443 and 21 (SFTP) 989 & 990 (FTPS) (host-header: testing.com).

                                    • Postfix (as backup/fallback MX) & Mailscanner
                                      First of all I want Postfix to handle the SMTP requests (in- and outbound) and check for antimalware, viruses, etc. Second, based on the domain name, forward it to the corresponding Exchange/Linux server.
                                      If one or all of the mail servers are down, for any reason, Postfix holds the messages in the queue and forwards them to the corresponding servers when they come back online. One thing to keep in mind is that all my Exchange servers are communicating over TLS (certificate) and I want -if possible- that Postfix also communicates over TLS internally to the Exchange Edge servers.

                                    For certainty, I only got one external IP-address.

                                    Thanks a lot,
                                    Canefield

                                    • M
                                      marcelloc
                                      last edited by Mar 16, 2012, 12:41 PM

                                      TLS support in the postfix package is not implemented yet; you need to allow your lan ip to send mail to exchange as a relay server.

                                      On http balance, host headers can be set in the varnish package; https for multiple host headers AFAIK will give you cert warnings if you do not have a wildcard cert applied to it.

                                      On varnish you need first to define your internal servers on the backend tab and then define load balance pools.
                                      Varnish setup is not trivial, so it's better if you listen its daemon on another port than 80 until you get it working.

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D
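A concrete HAProxy layout for the one-public-IP, three-hostname setup discussed in this thread, added here as an example; it is not anything posted in the thread and not the output of the pfSense haproxy package. The hostnames are the ones canefield listed; the 192.0.2.x backend addresses and the exch1/sp1/web1 server names are assumed placeholders.

```haproxy
# Added example, not from the thread: HAProxy on the pfSense WAN address
# routing three sites by Host header, each with a primary and a "backup"
# (failover) server. Hostnames and RFC 5737 addresses are assumed placeholders.
global
    log 127.0.0.1 local0
    maxconn 4096

defaults
    log     global
    mode    http
    retries 3
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# HTTP on the single public IP: the Host header picks the backend.
frontend http_in
    bind *:80
    option httplog
    option forwardfor          # hand the real client IP to the IIS logs
    acl host_webmail  hdr(host) -i webmail.testing.com
    acl host_extranet hdr(host) -i extranet.testing.com
    acl host_www      hdr(host) -i testing.com www.testing.com
    use_backend exchange_http   if host_webmail
    use_backend sharepoint_http if host_extranet
    use_backend web_http        if host_www
    default_backend web_http

# "check" = TCP connect health check; a "backup" server only receives
# traffic once every non-backup server in its pool is down (the FO role).
backend exchange_http
    server exch1 192.0.2.11:80 check
    server exch2 192.0.2.12:80 check backup

backend sharepoint_http
    server sp1 192.0.2.21:80 check
    server sp2 192.0.2.22:80 check backup

backend web_http
    server web1 192.0.2.31:80 check
    server web2 192.0.2.32:80 check backup

# HTTPS is passed through in TCP mode: the Host header is inside the TLS
# session, so without terminating TLS (or SNI inspection, HAProxy 1.5+)
# port 443 on one IP can only reach one pool, which must present a
# certificate valid for every name (wildcard/UCC) to avoid browser warnings.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    default_backend web_https

backend web_https
    mode tcp
    balance source             # keep a client on the same TLS endpoint
    server web1 192.0.2.31:443 check
    server web2 192.0.2.32:443 check backup
```

Services on their own ports (SharePoint on 987, the FTP ports) do not collide on the single IP and can each get a plain tcp-mode frontend with its own primary/backup pair, with no Host-header logic needed.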

                                      • C
                                        canefield
                                        last edited by Mar 16, 2012, 6:03 PM

                                        Dear all,

                                        Could I please get some kind of configuration/step-by-step examples? With plain text only, I cannot configure it the right way.

                                        1. How to get Postfix to listen on port 25, queue messages and forward to the corresponding mail server.
                                        2. Just an example of how to configure Varnish to do this job. I have a UCC certificate; can Varnish handle this?

                                        Thanks in advance,
                                        Canefield

                                        • M
                                          marcelloc
                                          last edited by Mar 16, 2012, 6:20 PM

                                          Postfix mini howto:

                                          firewall rules -> wan

                                          • create a wan rule to permit smtp traffic to wan address

                                          postfix General tab

                                          • check enable postfix option

                                          • choose at least wan loopback interfaces

                                          postfix domain tab

                                          • fill in your domain/internal smtp info

                                          Postfix Antispam tab

                                          • follow default/recommended settings

                                          • Leave third-party antispam unselected (try it later when you get better knowledge of postfix)

                                          Some screenshots/full thread for this package
                                          http://forum.pfsense.org/index.php/topic,40622.0.html

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.