    Alternative for MS TMG 2010 = pfSense ???

Board: Problems Installing or Upgrading pfSense Software (90 posts, 9 posters, 61.6k views)
canefield

      Thanks. I'll look into it.

      KR,
      Canefield

canefield

Dear Marcello and others,

I've made several attempts to forward requests to multiple servers, without any result.
I can't get it right. What is the problem? I want to have multiple servers running on port 80 (HTTP) as well as 443 (HTTPS).

My steps:

1. Disabled the 'webConfigurator redirect rule' (System->Advanced)
2. Added Backends (Services->Varnish->Backends)
   2a) E.g.:
   • Backend name: WWW
   • IPAddress: 192.168.12.1
   • Port: 80
   • URL: /
   • Probe Interval: 5
   • Probe Timeout: 1
   • Probe Window: 5
   • Probe Threshold: 3
   • Backend Mappings: Map: Host, Match: Equals, Expression: www.domain.com, Grace:

   - What is the difference between Host and URL under 'Backend Mappings->Map'?
   - Performance metrics are not configured; I don't know what to do with them.
   - I've also tried leaving 'Backend Mappings' clear and configuring those under 'LB Directors'. That's what I'm trying to accomplish.

3. Enabled Varnish (Services->Varnish->Settings)
   3a) Listening port 80, management port 81; accepted all defaults
4. No NAT rules for port 80 (Firewall->NAT)
5. Rules, added listening port (Firewall->Rules->WAN)
   5a) Proto: TCP, Source: *, Port: *, Destination: *, Port: 80 (HTTP), Gateway: *, Queue: none, Schedule: (empty)

It does not work?!?

Can you give me some examples of configuring 'LB Directors'?
I also want to be able to forward multiple HTTPS requests. If I understood correctly I should use HAProxy for HTTPS forwarding. Can HAProxy do both (HTTP & HTTPS)? Should I use both (Varnish & HAProxy) or is it better to use just one of them? What is best? Performance?

I haven't configured Postfix yet because of my issues with Varnish.

Thanks a lot,
Canefield

marcelloc

          @canefield:

          Can you give me some examples about configuring 'LB Directors'?

To use load balancing, leave Backend Mappings empty.
Check on the Varnish dashboard widget whether Varnish can successfully check server status based on the URL you provided for the check.

          @canefield:

          I want also to be able to forward multiple HTTPS requests. If I understood correctly I should use HAProxy for HTTPS forwarding. Can HAProxy do both (HTTP & HTTPS)? Should I use both (Varnish & HAProxy) or is it better to use just one of them? What is best? Performance?

I use Varnish for HTTP as it does caching and reduces server load (of course depending on your config).

HAProxy, AFAIK, can't do host-header HTTPS, just service balancing.

I'm also planning to add this HTTPS function to this package together with other packages (pound, relayd, …), but I first need to have some time to test it.

[attachments: backend_widget.png, load_balance.png, backend.png]

Elite Training: http://sys-squad.com

          Help a community developer! ;D
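As an added example (not the VCL that the pfSense Varnish package generates, and not code from this thread), here is the same setup written as a hand-authored Varnish configuration: a probe with canefield's settings (URL /, interval 5, timeout 1, window 5, threshold 3), the 192.168.12.1:80 backend, and a round-robin director standing in for the 'LB Directors' entry with Backend Mappings left empty as marcelloc advises. VCL 4.0 syntax, the second node 192.168.12.2, and the names www_probe, www1, www2 and www are assumptions for illustration.

```vcl
vcl 4.0;
import directors;

# Health check: a backend counts as healthy only when at least
# .threshold (3) of the last .window (5) probes to .url succeeded,
# each probe sent every .interval and failed after .timeout.
probe www_probe {
    .url       = "/";
    .interval  = 5s;
    .timeout   = 1s;
    .window    = 5;
    .threshold = 3;
}

# Backend from the post (Backend name WWW, 192.168.12.1:80).
backend www1 {
    .host  = "192.168.12.1";
    .port  = "80";
    .probe = www_probe;
}

# Assumed second IIS node for load balancing (not from the thread).
backend www2 {
    .host  = "192.168.12.2";
    .port  = "80";
    .probe = www_probe;
}

# The director plays the role of an 'LB Directors' entry: requests are
# spread round-robin over the nodes whose probe is currently healthy.
sub vcl_init {
    new www = directors.round_robin();
    www.add_backend(www1);
    www.add_backend(www2);
}

# Host-header routing: only names we publish are accepted. Anything
# else is refused instead of being handed to a default backend, so the
# listener cannot be used to reach internal hosts by guessing names.
sub vcl_recv {
    if (req.http.host == "www.domain.com") {
        set req.backend_hint = www.backend();
        return (hash);
    }
    return (synth(404, "Unknown host"));
}
```

To confirm the probes are working (the same information the dashboard widget shows), `varnishadm backend.list` (Varnish 4 and later) lists each backend with its probe state, e.g. "healthy 4/5"; a backend that never reaches 3/5 stays out of rotation, which is why an empty dashboard deserves checking before touching the director settings.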

canefield

            Marcello,

On the Varnish dashboard none of the servers are listed. How come?

            Thanks,
            Canefield

            P.S. It is more difficult than I thought. Please step-by-step; otherwise I really mess up.

canefield

@marcelloc:

I'm also planning to add this HTTPS function to this package together with other packages (pound, relayd, …), but I first need to have some time to test it.

What are you trying to put together? Combining packages like Varnish and Pound/Relayd, so just one product could do the job? Also based on host headers? What is the estimate?

              Thanks,
              Canefield

Supermule (Banned)

That's exactly why pfSense is not an option for TMG….

All of this is included in TMG and not in pfSense. Use one package for HTTP... another for HTTPS and a third for some other thing.

The more packages one runs, the more vulnerable your system will be.

marcelloc

                  @canefield:

What are you trying to put together? Combining packages like Varnish and Pound/Relayd, so just one product could do the job? Also based on host headers? What is the estimate?

That's it. A combined package for HTTP/HTTPS publishing.
I have no estimate yet because I'm busy with the sarg and mailscanner quarantine tab.
I'll do this as soon as I have time, to help sysadmins with this kind of configuration.

Apache+mod_security, for example, is a package that does HTTP/HTTPS proxying with memcache. I do not use it on pfSense, but you can get help on this forum to configure it.

Supermule (Banned)

                    Thank you Marcello!

That is something we have been asking for for a long time…. and remember the detailed logging that TMG has; it needs to be equivalent in pfSense.

Otherwise it's useless.

marcelloc

                      @Supermule:

That's exactly why pfSense is not an option for TMG….

All of this is included in TMG and not in pfSense. Use one package for HTTP... another for HTTPS and a third for some other thing.

                      The more packages one runs, the more vulnerable your system will be.

Not a useful post in any way. :(
If you do not have a wildcard applied to ISA to remove HTTPS and check headers, you can't do this setup either.
You are saying that keeping things easy on pfSense will make it as vulnerable as ISA.

pfSense is for sure an excellent option for Microsoft. I have used it this way for years.

marcelloc

                        @Supermule:

That is something we have been asking for for a long time…. and remember the detailed logging that TMG has; it needs to be equivalent in pfSense.

Otherwise it's useless.

Unbelievable!

I'm saying that I want to help sysadmins and you think it will be useless if I can't match a billion-dollar company's software.

Supermule (Banned)

Sorry mate…. ISA is by far one of the most secure solutions out there...

The underlying Windows is the culprit regarding security and therefore it's better off as a second-layer firewall.

I don't understand what you mean by wildcard....?

marcelloc

                            @Supermule:

I don't understand what you mean by wildcard….?

Ask Microsoft support.

You are looking like a troll.

dhatz

Although there is some overlap between pfSense and TMG, they seem to cover quite different needs.

pfSense is primarily a firewall, multi-WAN device, NAT, router (especially if Quagga is included in the base system someday), VPN concentrator, DHCP/DNS, and, to a lesser extent (many 3rd-party packages still need improvements), it can be an IDS/IPS, reverse proxy and proxy + web filter.

I've only had a cursory look at Microsoft's TMG 2010, but it seems to be primarily an L7 web filter (anti-malware etc.), a proxy which is tightly integrated with AD, and a reverse proxy, all with good reporting. I've also seen TMG sometimes being labeled as a router/firewall/NAT/VPN server.

                              Perhaps someone with intimate knowledge of TMG, who has tested it to its limits, can offer more insights about its actual strengths.

marcelloc

canefield,

This information may be useful for you.

http://forum.pfsense.org/index.php/topic,44735.msg249284.html#msg249284

canefield

                                  Marcello,

Thanks for your reply. Still, I cannot figure out how to set up my overall configuration in pfSense, especially the host-header part with HTTP and HTTPS and the backup MX using Postfix. Somehow I'm not able to get it to work.

I suppose I will use M$ TMG 2010 instead for the time being. In the meantime I would appreciate it if you could help me with my overall configuration and needs, to make TMG 2010 superfluous.

I read several articles and tutorials, but none of them answered my question. I am looking for an alternative to Microsoft TMG 2010, formerly MS ISA 2006. I read such good comments about pfSense that I wanted to give it a try. I am struggling with the overview and configuration of pfSense.

                                  Situation:

                                  • one external IP;
                                  • multiple servers
                                        - 2x MS TMG 2010 (FO & LB (Fail-over & Load-balanced))
                                        - 2x MS Exchange Edge (FO & LB); port 25
                                        - 2x Postfix (FO & LB; for fallback/backup MX) if Edge are offline; port 25
                                        - 3x MS RDP (FO & LB); port 3389
                                        - 3x MS IIS (FO & LB); port 80, 443
                                        - 2x MS SharePoint (FO & LB); port 80, 443, 987
                                        - 2x FTP (FO & LB); port 21
                                  • Wireless (multiple SSIDs)

                                  Future request:

                                  • VoIP

With MS TMG 2010 it is easy to configure the above; everything works as it should. Can the above configuration be applied to pfSense? Furthermore I want to install/configure an HTTP and HTTPS accelerator (in- and outbound) and/or load balancer, a proxy (with AV functionality), a backup MX, and a robust firewall and logging. Then I have a corporate wireless network and a guest network. I want to split those by some kind of mechanism, authority-based.

Is all of this possible? Can multiple pfSense instances be configured for FO & LB? Can pfSense read host headers? Can it handle the above situation? What kind of system requirements are needed?

I have seen so many kinds of packages, I really do not know which to choose for what.

Regarding the future request: can anybody advise me about which system to choose for VoIP? Asterisk?

I know it is a lot, but perhaps you can help me out here. It would be great if you had some 'step-by-step' tutorials available.

                                  Thanks in advance,
                                  Canefield

Supermule (Banned)

@marcelloc:

@Supermule:

I don't understand what you mean by wildcard….?

Ask Microsoft support.

You are looking like a troll.

Thanks for the kind words.

kathampy

I use both pfSense and TMG since I have many requirements. Use pfSense for all your network-level configuration (multiple interfaces, routing, NAT & port forwarding, VPN termination etc.).

TMG is hands down superior for your publishing requirements. Your servers such as Exchange and IIS should have an application-layer firewall such as TMG performing intrusion detection and Active Directory-integrated access control. Without experience you will most likely fail to set up an equivalent Linux protection layer, since it requires complex configuration of several separate components. TMG can also provide authenticated internet access to LAN users using the TMG client, and their internet rights are assigned according to their Windows login. This is far superior to an insecure-by-design captive portal.

LFCavalcanti

                                        Hi everyone!

It's my first post in English here, so if I write something wrong, sorry.

TMG is old and weak; there are many other solutions in activity, not only open source like pfSense.
The major problem with Microsoft is the propaganda: they sell you a product like it's the only solution in the entire universe. I'm a Windows user, but Linux/Unix is much more secure.

I'm not here to raise any banner, but if you want to start a conversation about UTM software, please use something that has a chance in combat. The pfSense project has a lot to evolve, but in front of a TMG/ISA…

So, "supermule", demonstrate for us some feature that TMG provides better than pfSense... Well, I'm pretty sure that YOU don't know how to use pfSense and now come here talking nonsense.

AD integration is an advantage, but Squid, Captive Portal, VPN and many other packages on pfSense can do that; with FreeRADIUS2 it's even easier.

You can't talk about something that you don't really know. ;)

I've tried a lot of systems for border security and I chose pfSense. I tested every solution I came to know and I finally decided on pfSense.

How much experience do you have as a sysadmin? How many projects have you implemented with pfSense?

Here in Brasil we say: "Those who talk too much will go say good morning to the horse".

--

                                        Luiz Fernando Cavalcanti
                                        IT Manager
                                        Arriviera Technology Group

canefield

                                          Well guys,

A lot of 'nonsense'… could somebody help me out?

                                          Thx,
                                          Canefield

bman212121

I think the best thing you might want to try is either setting up a bounty or getting commercial support. https://portal.pfsense.org/index.php/support-subscription

What you are trying to accomplish is very specific and I'm guessing very few members outside of the pfSense team will be able to properly get it working. If you need step-by-step directions to make something work, it will take a lot of time for another person to sit down, install, configure, troubleshoot, get it working, and document it so you can follow those directions. I'm sure the guys here would do it if they had the time, but they also need to support their families, so it's not really feasible to spend many hours without compensation.

As for VoIP software, you can get any software you want because it's all Asterisk-based (other than maybe a few commercial solutions like Cisco). If you want something that is quick to set up and configure, PBX in a Flash seemed to work well.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.