Netgate Discussion Forum
    Alternative for MS TMG 2010 = pfSense ???

    Category: Problems Installing or Upgrading pfSense Software
    90 Posts 9 Posters 61.5k Views

    • marcelloc

      @Supermule:

      I only use PFSense as a frontend since the only thing it does, is NAT to ISA. the 2.01 was not stable enough and basic things were broken so for me 1.2.3 was the best option available.

      ISA/TMG is easy but not good enough to stay on internet? Just like old M$ proxy 2.0? good to know. :)

      I've never trusted microsoft with real ip, this is just one more example.

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

      • Supermule (Banned)

        HAHAHAHA it depends on how you configure it. It can easily act as a frontend. I chose PFSense instead because of the minimal footprint and that it runs on bare metal at the time.

        Since ISA resides on Windows Server, I didn't want to use it because of Windows and its complexity.

        It is bloody good as a proxy/L7 firewall and that is what I use it for.

        • dhatz

          I think TMG's main advantage is its tight integration with AD.

          • Supermule (Banned)

            And true L7 :)

            • canefield

              canefield,

              This setup can be done with pfsense, it will need some extra package to reach the best config and performance.

              The tcp services you want to balance can be done using built in load balance on service menu.

              squid+squidguard+havp as well as squid+dansguardian can do proxy with antivirus for internet access.

              haproxy will be almost as easy to configure as the built-in load balance service and will do tcp, http and https balance/failover.

              The hardware will depend on the throughput you need, but with all these features I suggest at least a core 2 duo + 4g ram + fast disk + amd64 version.

              postfix forwarder + mailscanner package can do a really good job on protecting your exchange server from the internet and can also be configured for outbound messages from exchange.

              Another suggestion:
              Use custom install setup to create /usr and /var filesystems with softupdates, this will increase your disk performance (important for cache and spam filtering)

              Regards,
              Marcello Coutinho

              Marcello (and others) thanks a lot for your time. I still have a couple of questions.

              • When you speak of Squid you also mean Squid-Reverse?
              • You suggest two scenarios implementing proxies, which one to choose in what situation? Your own opinion?
              • In matters of security you are not talking about using Snort, any reason? Other suggestions?
              • To have multiple servers active behind NAT using the same ports, what solution do you provide/advise?
                    - How to set this up and running?
              • In the way of fallback/backup MX how to use/setup Postfix?

              You are probably thinking, why so many questions? To be honest, I am particularly specialized in Microsoft products. So this step approaching the Linux platform is completely new, surprising, exciting and promising. I really know a lot about almost all Microsoft products and services, but nowadays I want to orient more on Linux distributions. I am convinced I should always explore my options and have a broader view in various areas.
              So please help me as much as possible. Step-by-step tutorials are more than welcome.

              Thanks in advance,
              Canefield

              • marcelloc

                @canefield:

                • When you speak of Squid you also mean Squid-Reverse?

                Yes, squid-reverse can do inbound and outbound proxy.

                @canefield:

                • You suggest two scenarios implementing proxies, which one to choose in what situation? Your own opinion?

                Dansguardian is not free for commercial use but has content filtering (something I need). I'm not using squidguard but it is a great package too.

                @canefield:

                • In matters of security you are not talking about using Snort, any reason? Other suggestions?

                You can use snort but you have to first enable it as an IDS only; after you adjust this package to suppress rules that give you false positives, then you can enable IPS mode.

                @canefield:

                • To have multiple servers active behind NAT using the same ports, what solution do you provide/advise?
                      - How to set this up and running?

                I'm using varnish for http cache/balance and haproxy for https balance.

                @canefield:

                • In the way of fallback/backup MX how to use/setup Postfix?

                The Postfix package can do a really good job on protecting the exchange server from the internet.
                It does not have local mailbox support, but can be configured to act as a backup MX by configuring the main MX server as an internal SMTP.

                @canefield:

                I really know a lot about almost all Microsoft products and services, but nowadays I want to orient more on Linux distributions. I am convinced I should always explore my options and have a broader view in various areas.

                Using the best of each is, in my opinion, a great decision

                • canefield

                  Marcello,

                  Thanks for your reply. I make a note of what you are telling about Snort (IDS/IPS).

                  Could you (or somebody else) help me out with the configuration of the pfSense packages:

                  • Varnish or Varnish3 & HAProxy or HAProxy Full
                    To get -in test- six LB servers up-and-running. I have two Exchange servers (LB & FO) configured and listening on port 80 and 443 (host-header: webmail.testing.com, only SSL), two SharePoint servers (LB & FO) configured and listening on port 80, 443 and 987 (host-header: extranet.testing.com, both HTTP and SSL) and two Web servers (LB & FO) configured and listening on port 80, 443 and 21 (SFTP) 989 & 990 (FTPS) (host-header: testing.com).

                  • Postfix (as backup/fallback MX) & Mailscanner
                    First of all I want Postfix to handle the SMTP requests (in- and outbound) and check for antimalware, viruses, etc. Second, based on the domain name forward it to the corresponding Exchange/Linux server.
                    If one or all of the mail servers are down, for any reason, Postfix holds the messages in the queue and forwards them to the corresponding servers when they come back online. One thing to keep in mind is that all my Exchange servers are communicating over TLS (certificate) and I want -if possible- that Postfix also communicates over TLS internally to the Exchange Edge servers.

                  For certainty, I only got one external IP-address.

                  Thanks a lot,
                  Canefield

                  • marcelloc

                    TLS support on the postfix package is not implemented yet, you need to allow your LAN IP to send mail to exchange as a relay server.

                    On http balance, host headers can be set on the varnish package; https for multiple host headers AFAIK will give you cert warnings if you do not have a wildcard cert applied to it.

                    On varnish you need first to define your internal servers on the backend tab and then define load balance pools.
                    Varnish setup is not trivial, so it's better if its daemon listens on another port than 80 until you get it working.

                    • canefield

                      Dear all,

                      Please, some kind of configuration/step-by-step examples? Only with plain text I cannot configure it the right way.

                      1. How to get Postfix to listen on port 25, queue messages and forward to the corresponding mail server.
                      2. Just an example of how to configure Varnish to do this job. I have a UCC certificate, can Varnish handle this?

                      Thanks in advance,
                      Canefield

                      • marcelloc

                        Postfix mini howto:

                        firewall rules -> wan

                        • create a wan rule to permit smtp traffic to wan address

                        postfix General tab

                        • check enable postfix option

                        • choose at least wan and loopback interfaces

                        postfix domain tab

                        • fill in your domain/internal smtp info

                        Postfix Antispam tab

                        • follow default/recommended settings

                        • Leave third-party antispam unselected (try later when you get better knowledge of postfix)

                        Some screenshots/full thread for this package
                        http://forum.pfsense.org/index.php/topic,40622.0.html

                        • marcelloc

                          varnish super mini howto

                          varnish topic
                          http://forum.pfsense.org/index.php/topic,38271.msg197434.html#msg197434

                          • canefield

                            Thanks. I'll look into it.

                            KR,
                            Canefield

                            • canefield

                              Dear Marcello and others,

                              I've tried several attempts to forward requests to multiple servers without any result.
                              I can't get it right. What is the problem? I want to have multiple servers running on port 80 (HTTP) as well as 443 (HTTPS).

                              My steps:

                              1. Disabled the 'webConfigurator redirect rule' (System->Advanced)
                              2. Added Backends (Services->Varnish->Backends)
                                 2a) E.g.:
                                 • Backend name: WWW
                                 • IPAddress: 192.168.12.1
                                 • Port: 80
                                 • URL: /
                                 • Probe Interval: 5
                                 • Probe Timeout: 1
                                 • Probe Window: 5
                                 • Probe Threshold: 3
                                 • Backend Mappings: Map: Host, Match: Equals, Expression: www.domain.com, Grace:

                                 - What is the difference between Host and URL by 'Backend Mappings->Map'?
                                 - Performance metrics are not configured; I don't know what to do with it.
                                 - I've also tried leaving 'Backend Mappings' clear and configured those under 'LB Directors'. That's what I'm trying to accomplish.

                              3. Enabled Varnish (Services->Varnish->Settings)
                                 3a) Listening port 80, management port 81; accepted all defaults
                              4. No NAT rules for port 80 (Firewall->NAT)
                              5. Rules, added listening port (Firewall->Rules->WAN)
                                 5a) Proto: TCP, Source: *, Port: *, Destination: *, Port: 80 (HTTP), Gateway: *, Queue: none, Schedule: (empty)

                              It does not work?!?

                              Can you give me some examples about configuring 'LB Directors'?
                              I want also to be able to forward multiple HTTPS requests. If I understood correctly I should use HAProxy for HTTPS forwarding. Can HAProxy do both (HTTP & HTTPS)? Should I use both (Varnish & HAProxy) or is it better to use just one of them? What is best? Performance?

                              I haven't configured Postfix yet because of my issues with Varnish.

                              Thanks a lot,
                              Canefield

                              • marcelloc

                                @canefield:

                                Can you give me some examples about configuring 'LB Directors'?

                                To use load balance, leave Backend Mappings empty.
                                Check on the varnish dashboard widget if varnish can successfully check server status based on the url you provided for the check.

                                @canefield:

                                I want also to be able to forward multiple HTTPS requests. If I understood correctly I should use HAProxy for HTTPS forwarding. Can HAProxy do both (HTTP & HTTPS)? Should I use both (Varnish & HAProxy) or is it better to use just one of them? What is best? Performance?

                                I use varnish for http as it does cache and reduces server load (of course depending on your config).

                                Haproxy, AFAIK, can't do host header https, just service balance.

                                I'm also planning to do this https function for this package using other packages together (pound, relayd,…), but I need first to have some time to test it.

                                [Attached screenshots: backend_widget.png, load_balance.png, backend.png]

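The backend, probe and host-header settings canefield lists, and the "leave Backend Mappings empty and use a director" advice above, map onto the Varnish 3 VCL below. This is an added example written for this page, not the pfSense package's generated configuration or anything a participant posted; the second backend address and the host name are placeholders, and the probe values are the ones from canefield's backend tab.

```vcl
# Added example (not from this thread): Varnish 3 VCL equivalent of the
# pfSense Varnish package settings discussed above.
# 192.168.12.2 and www.domain.com are placeholders.

# One named health probe shared by every backend in the pool.
probe www_probe {
    .url = "/";          # URL from the backend tab
    .interval = 5s;      # Probe Interval
    .timeout = 1s;       # Probe Timeout
    .window = 5;         # Probe Window: look at the last 5 probes
    .threshold = 3;      # Probe Threshold: 3 of those 5 must succeed
}

backend www1 {
    .host = "192.168.12.1";   # IPAddress from canefield's post
    .port = "80";
    .probe = www_probe;
}

backend www2 {
    .host = "192.168.12.2";   # placeholder for the second (failover) server
    .port = "80";
    .probe = www_probe;
}

# The "LB Director": round-robin over healthy members only. Varnish skips
# a backend whose probe has fallen below the threshold, which is what the
# dashboard widget reports as sick.
director www_lb round-robin {
    { .backend = www1; }
    { .backend = www2; }
}

sub vcl_recv {
    # Host-header routing, i.e. the "Map: Host, Match: Equals" mapping,
    # but pointing at the director instead of a single backend.
    if (req.http.host == "www.domain.com") {
        set req.backend = www_lb;
    } else {
        # Unknown host: refuse instead of silently serving some default
        # backend, so a stray name on the shared public IP is not exposed.
        error 404 "Unknown host";
    }

    # Only GET and HEAD go through the cache; everything else is passed
    # to the backend untouched.
    if (req.request != "GET" && req.request != "HEAD") {
        return (pass);
    }
    return (lookup);
}
```

Varnish only speaks plain HTTP on its listening port, which is why the thread sends HTTPS to a different package; a second host name can be added as another `if (req.http.host == ...)` branch with its own director.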
                                • C
                                  canefield
                                  last edited by

                                  Marcello,

                                  At the Varnish dashboard none of the servers are listed? How come?

                                  Thanks,
                                  Canefield

                                  P.S. It is more difficult than I thought. Please step-by-step; otherwise I really mess up.

                                  • canefield

                                    I'm also planning to do this https function for this package using other packages together (pound, relayd,…), but I need first to have some time to test it.

                                    What are you trying to put together? Combining packages like Varnish and Pound/Relayd, so just one product could do the job? Also based on host-headers? What is the estimate?

                                    Thanks,
                                    Canefield

                                    • Supermule (Banned)

                                      That's exactly why PFSense is not an option for TMG….

                                      All of this is included in TMG and not in PFsense. Use one package for http...another for https and a third for some other thing.

                                      The more packages one runs, the more vulnerable your system will be.

                                      • marcelloc

                                        @canefield:

                                        What are you trying to put together? Combining packages like Varnish and Pound/Relayd, so just one product could do the job? Also based on host-headers? What is the estimate?

                                        That's it. A combining package for http/https publishing.
                                        I have no estimate yet because I'm busy with sarg and mailscanner quarantine tab.
                                        I'll do this as soon as I have time to help sysadmins on this kind of configuration.

                                        Apache+modsecurity for example is a package that does http/https proxy with memcache. I do not use it on pfsense but you can get help on this forum to configure it.

                                        • Supermule (Banned)

                                          Thank you Marcello!

                                          That is something we have been asking for for a long time….and remember the detailed logging that TMG has, it needs to be equivalent in pfsense.

                                          Otherwise it's useless.

                                          • marcelloc

                                            @Supermule:

                                            That's exactly why PFSense is not an option for TMG….

                                            All of this is included in TMG and not in PFsense. Use one package for http...another for https and a third for some other thing.

                                            The more packages one runs, the more vulnerable your system will be.

                                            Not a useful post in any way. :(
                                            If you do not have a wildcard applied to ISA to remove https and check headers, you can't do this setup either.
                                            You are saying that keeping things easy on pfsense will make it as vulnerable as ISA.

                                            Pfsense is for sure an excellent option for Microsoft. I have used it this way for years.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.