Netgate Discussion Forum

Alternative for MS TMG 2010 = pfSense ???

Problems Installing or Upgrading pfSense Software
90 Posts 9 Posters 61.5k Views
    toomeek
    last edited by Apr 4, 2012, 3:11 PM

    Why not just use every possible solution?
    pfSense -> TMG -> network
    ?
    One time I was at a conference on advanced applications in the server environment, and they recommended: "use every possible solution; there is no obstacle to making Linux/Unix/Windows cooperate to achieve the same goal".

      dhatz
      last edited by Apr 4, 2012, 4:05 PM

      It really depends on scale.

      TMG offers you a tightly integrated system, which can be very convenient if you're an all-Microsoft shop, and requires only very basic knowledge to get running. On the other hand, e.g. varnish running on Linux/BSD is primarily aimed at high-performance setups, does a great deal more, but has a much steeper learning curve.

        canefield
        last edited by Apr 7, 2012, 8:01 PM

        Hey all,

        Could somebody give me an example? I suppose people have already worked with Squid-Reverse or Varnish proxy, haven't they?

        Thanks in advance,
        Canefield

          marcelloc
          last edited by Apr 7, 2012, 8:51 PM

          What part of the varnish config did you get working?

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

            canefield
            last edited by Apr 10, 2012, 3:42 PM

            Marcello,

            Also, Varnish didn't work for me! Based on LB and host-header as well as host-header only, I couldn't get it to work. But as far as I understand from you it is better to use Squid, isn't it?

            Please provide me with some config that works and how to implement that.

            Thanks a lot,
            Canefield

              canefield
              last edited by Apr 12, 2012, 8:22 PM

              Anybody?

                marcelloc
                last edited by Apr 13, 2012, 12:04 AM

                Canefield,

                I'll publish an updated GUI for squid3/squid-reverse this week with the reverse proxy redesigned.

                  marcelloc
                  last edited by Apr 14, 2012, 4:57 AM Apr 14, 2012, 4:33 AM

                  canefield,

                  I've just published squid3 with a better reverse GUI; take a look and see if you can configure your server with this package.

                  squid3 - New GUI with sync, normal and reverse proxy

                  Regards,
                  Marcello Coutinho

                    canefield
                    last edited by Apr 17, 2012, 8:35 PM

                    Marcello,

                    First of all thanks for all your precious time and effort so far.

                    I've still got problems configuring Squid 3 as a reverse proxy. Somehow I can't get it to work properly.
                    As you illustrated in the first postings, I did exactly the same and added NAT and firewall rules. I'm using ports 8080 and 8443.

                    How come…?!?!

                    Thanks a lot,
                    Canefield

                      marcelloc
                      last edited by Apr 17, 2012, 10:44 PM

                      @canefield:

                      As you illustrated in the first postings, I did exactly the same and added NAT and firewall rules. I'm using ports 8080 and 8443.

                      When using the proxy, you do not need NAT, just firewall rules on WAN allowing access to the WAN address on ports 8080/8443.

                        canefield
                        last edited by Apr 18, 2012, 6:14 PM Apr 18, 2012, 6:02 PM

                        Marcello,

                        I've now followed your published configuration, so I started over again. I installed Squid3, went to Reverse Proxy and added everything exactly as you posted.

                        Then I made two rules in the WAN (Firewall->Rules->WAN) to allow listening on ports 80 and 443.
                        My intention is to publish several sites/domains. First of all I want to publish the CAS servers, i.e. the Exchange webmail services (https://webmail.domain.com/owa and all other related URLs (autodiscover, rpc, etc.)).
                        All servers are configured on the default ports.

                        Furthermore, do I have to configure an alternative port for the webGUI? I'm now accessing it internally via https.

                        You probably see my configuration mismatch.
                        See the pictures as attached.

                        Thanks already,
                        Canefield

                        [attachment: pfs-rp.jpg]

                          marcelloc
                          last edited by Apr 18, 2012, 9:31 PM

                          @canefield:

                          Furthermore, do I have to configure an alternative port for the webGUI? I'm now accessing it internally via https.

                          Yes, you need to change the pfSense GUI port to something other than 443.

                          Your WAN firewall rules should be:
                          source any
                          source port any
                          destination WAN address
                          destination port 80

                          source any
                          source port any
                          destination WAN address
                          destination port 443

                          On System -> Advanced, change the pfSense port to something other than 443 and disable the web GUI redirect rule.

                            canefield
                            last edited by Apr 19, 2012, 11:35 AM

                            Marcello,

                            I did everything you mentioned but without any result.
                            So my firewall rules have been changed and the webGUI moved to 9443.

                            Network
                            LAN; IP: 192.168.120.254 /24
                            WAN; IP: 192.168.2.254 /24, GW: 192.168.2.253 (DMZ)

                            Reverse Proxy
                            If I understand it correctly you enable listening on port 80 and/or 443 via the tab 'General'. So with the firewall rule all requests are allowed and transferred to the WAN address (192.168.2.254 in my case) and Squid3 (reverse) will apply to those. Furthermore, in the tab 'Web Servers' I configure all my internal web servers and related. As I make out from your example, my internal web server is listening on port 8443, correct? In my case my servers are listening on all default ports, so 80 and 443. Should I change the port here from 8443 to 443? Then in the tab 'Mappings' I can combine web servers in groups and select all needed. Right? Then one thing I do not understand is the URIs. What does this do and how do I configure it? You gave an example of *;<empty>, but what can I do with it?

                            Could you give me a working example of, let's say, four servers; two listening on port 443 and two on port 80. The first two (listening on port 443) are Exchange servers (owa, autodiscover, outlook anywhere, mail tips, etc.) and the other two (listening on port 80) just hosting a plaintext website. The first one 'www.domain.com' and the second one 'extranet.example.com'. No screenshots are needed, in text is fine too. You of course may decide, but I thought screenshots would cost you a lot of your precious time. Thanks for all the time and effort already.

                            LAN-network
                            From my pfSense I can't resolve internal DNS names. Where do I configure internal DNS servers per network/adapter? I will have several more adapters in place, each with another subnet and servers.

                            Many thanks,
                            Canefield

                              marcelloc
                              last edited by Apr 19, 2012, 2:20 PM

                              canefield,

                              Try one server first before you go for the full config.

                              @canefield:

                              Should I change here the port from 8443 to 443?

                              Yes. It must be your web server's listening port.

                              @canefield:

                              Then in the tab 'Mappings' I can combine web servers in groups and select all needed. Right?

                              Yes, show the sites/URLs you need to balance/publish and then select the web servers that will receive these requests.

                              @canefield:

                              Then one thing I do not understand is the URIs. What does this do and how do I configure it? You gave an example of *;<empty>, but what can I do with it?

                              The * means which path of this site you will forward to the internal host; * means all URLs/dirs.
                              The <empty> must be a site FQDN when you have multiple websites to forward.
                              Example:
                              • www.mydomain.com
                              • forum.mydomain.com

                              @canefield:

                              Could you give me an working example of let's say four servers; two listening on port 443 and two on port 80. The first two (listening on port 443) are Exchange servers (owa, autodiscover, outlook anywhere, mail tips, etc.) and the other two (listening on port 80) just hosting plaintext website. The first one 'www.domain.com' and the second one 'extranet.example.com'. No screenshots are needed, in text is fine too. You ofcource may decide, but I thougt screenshots will cost you a lot of your precious time. Thanks for all the time and effort already.

                              The code from squid-reverse has options for only one OWA server; I did not have time to test it with two OWAs.
                              I don't have a working example with multiple hosts with squid3, just that screenshot you saw.

                              @canefield:

                              LAN-network
                              From my pfSense I can't resolve internal DNS names. Where to configure internal DNS servers per network/adapter? I will have several more adapters in place with all another subnet and servers.

                              The DNS server is used by pfSense, not per interface. You need one DNS server that can do internal and external name resolution.
                              To clarify this idea: internet users will do a DNS lookup on your external DNS for www.mydomain.com. When this packet arrives on your pfSense, it will do another DNS lookup against your internal DNS if you specified a hostname instead of an IP address.

                                canefield
                                last edited by Apr 19, 2012, 3:11 PM Apr 19, 2012, 2:38 PM

                                Marcello,

                                Thanks again… I'm trying to configure it right now. Is there some kind of 'live' log to see if the traffic is accepted and passed further on?
                                I'm looking at 'Status->System Logs->Firewall', but can't see a thing regarding my request on port 443.

                                What I have done first is enter the IP in the OWA part of the reverse proxy, but without any result so far.

                                Thanks,
                                Canefield

                                Edit: I've done your config just now without result... WHY?!?!

                                  marcelloc
                                  last edited by Apr 19, 2012, 3:02 PM

                                  @canefield:

                                  Thanks again… I'm trying to configure it right now. Is there some kind of 'live' log to see if the traffic is accepted and passed further on?
                                  I'm looking at 'Status->System Logs->Firewall', but can't see a thing regarding my request on port 443.

                                  If you enabled squid logs, it will be in /var/logs/squid/access.log

                                  Using SSH to connect to pfSense (System -> Advanced) you can use
                                  tail -f /var/logs/squid/access.log

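The access.log that the reply above points at is where you see whether a request reached Squid at all and whether Squid handed it to an internal web server. Watching it with tail -f works, but a small parser makes the three outcomes an operator cares about (forwarded, refused by Squid, failed at the backend) visible at a glance. The block below is an added example, not code from this thread or from the pfSense squid3 package: it parses constructed lines in Squid's native access.log format; the addresses, host names and the log path are assumptions.

```python
"""Classify Squid reverse-proxy access.log lines (added example, not from the thread).

Squid's native log format, one request per line:
  timestamp elapsed client CODE/status bytes method URL ident HIERARCHY/peer content-type
In accelerator (reverse) mode the HIERARCHY/peer field shows whether the request was
handed to an internal web server (e.g. FIRSTUP_PARENT/192.168.120.10) or never left
Squid (HIER_NONE/-).
"""
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines; clients, backends and host names are made up for this example.
SAMPLE_LOG = """\
1334847600.101     45 203.0.113.10 TCP_MISS/200 5120 GET https://webmail.domain.com/owa/ - FIRSTUP_PARENT/192.168.120.10 text/html
1334847601.220     12 203.0.113.10 TCP_MISS/302 512 GET http://www.domain.com/ - FIRSTUP_PARENT/192.168.120.20 text/html
1334847602.330   3005 198.51.100.7 TCP_MISS/503 1210 GET https://webmail.domain.com/owa/ - FIRSTUP_PARENT/192.168.120.10 text/html
1334847603.440      0 198.51.100.7 TCP_DENIED/403 3020 GET https://unknown.example.net/ - HIER_NONE/- text/html
1334847604.550      2 203.0.113.10 TCP_MISS/000 0 GET https://webmail.domain.com/rpc/ - HIER_NONE/- -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict for one access.log line, or None if it is not in native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or "-"   # the published FQDN the client asked for
    return rec


def classify(rec):
    """Map one record to the outcome a reverse-proxy operator wants to know."""
    if rec["code"].startswith("TCP_DENIED"):
        return "denied"            # Squid refused it: no mapping for that host / http_access deny
    if rec["status"] == 0 or rec["status"] >= 500:
        return "backend_error"     # reached Squid, but the origin server gave no usable answer
    return "forwarded"             # handed to a backend and answered


def summarize(text):
    """Count outcomes, hits per backend and hits per published host for a log excerpt."""
    outcome, peer, host, unparsed = Counter(), Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # a different logformat or a truncated line
            continue
        outcome[classify(rec)] += 1
        peer[rec["peer"]] += 1
        host[rec["host"]] += 1
    return {"outcome": outcome, "peer": peer, "host": host, "unparsed": unparsed}


if __name__ == "__main__":
    # Usage: python squid_log_summary.py /var/logs/squid/access.log  (path as given in the reply)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, counts in summarize(text).items():
        print(section, dict(counts) if isinstance(counts, Counter) else counts)
```

A rising backend_error count with FIRSTUP_PARENT peers means Squid is accepting and forwarding but the internal server is not answering (wrong backend port, TLS mismatch, or a name pfSense cannot resolve); denied entries mean the request never matched a published site. If your package logs in a different logformat, parse_line returns None and the unparsed counter tells you so instead of silently reporting zeros.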
                                    canefield
                                    last edited by Apr 19, 2012, 3:14 PM

                                    Marcello,

                                    I've done your config just now without result… WHY?!?!

                                    Thx,
                                    Canefield

                                      marcelloc
                                      last edited by Apr 19, 2012, 3:24 PM

                                      @canefield:

                                      I've done your config just now without result… WHY?!?!

                                      I have no idea :(. I published the screenshots and the package just after testing and making sure it was working.

                                      You will need to improve your skills with open source and start using the console/SSH as well as tcpdump. This way you can see the packet flow and log files.

                                      The screenshots show pfSense published on 8443 and squid reverse-proxying it on WAN at port 443.

                                      Regards,
                                      Marcello Coutinho

                                        canefield
                                        last edited by Apr 19, 2012, 8:50 PM

                                        Marcello,

                                        I really don't get it.
                                        In your example of Squid3, what is the web server 127.0.0.1 on port 8443?

                                        1. You have changed the webGUI port to something other than 443 and disabled the redirect rule.
                                        2. Added only a firewall rule to allow any to the WAN address of the pfSense on port 443
                                        2a. Why not NAT+Firewall? Does the reverse proxy make NAT unnecessary?
                                        3. Then added the configuration as you posted in the Reverse Proxy settings. What are you seeing then? You are redirecting to web server 127.0.0.1, so localhost. What is pfSense/Squid hosting?

                                        I need to clarify stuff to understand. Could you give me a start on working with the shell and tcpdump for monitoring the flow? Is there a package out there (GUI)?

                                        Thanks again,
                                        Canefield

                                          marcelloc
                                          last edited by Apr 20, 2012, 3:28 AM

                                          @canefield:

                                          In your example of Squid3, what is the webserver 127.0.0.1 on port 8443?

                                          The pfsense gui.
                                          127.0.0.1 - same host as squid3
                                          8443 - pfsense gui port

                                          @canefield:

                                          1. You have changed the webGUI port to something other than 443 and disabled the redirect rule.

                                          Squid will listen on WAN ports 80 and 443. If you leave the pfSense GUI on the same port, there will be two daemons trying to listen on the same port.

                                          @canefield:

                                          2. Added only a firewall rule to allow any to the WAN address of the pfSense to port 443
                                          2a. Why not NAT+Firewall? Does the reverse proxy make NAT unnecessary?

                                          As the squid daemon is listening on the WAN interface, you do not need to translate anything, just allow access.

                                          @canefield:

                                          3. Then added the configuration as you posted in the Reverse Proxy settings. What are you seeing then? You are redirecting to web server 127.0.0.1, so localhost. What is pfSense/Squid hosting?

                                          This config will use squid to answer requests on port 443 and forward them to the internal server (in this case 127.0.0.1) on port 8443

                                          internet user --> squid3:443 --> internal server:8443

                                          @canefield:

                                          I need to clarify stuff to understand. Could you give me a start on working with the shell and tcpdump for monitoring the flow? Is there a package out there (GUI)?

                                          There is one under Diagnostics, but in the GUI you need to wait for x packets until it shows captured traffic.

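To make the flow in this reply concrete (internet user --> squid3:443 --> internal server), together with the 'Web Servers'/'Mappings' idea and the DNS point from the earlier replies, here is an added example that is not from the thread or from the pfSense squid3 package: a small Python generator that emits the Squid 3 accelerator directives corresponding to those GUI fields for several published sites, and refuses the layout up front if the webGUI port still collides with a Squid listen port. The WAN address and the 9443 GUI port come from the thread; the certificate paths, site names and backend list are constructed assumptions.

```python
"""Emit a minimal Squid 3 reverse-proxy (accelerator) config for the layout in this
thread: Squid binds the WAN address on 80/443, the pfSense webGUI lives on another
port, and each published FQDN maps to one internal web server.
Added example; every value below is constructed, not the package's own output."""

WAN_ADDRESS = "192.168.2.254"             # WAN address from the thread's example network
WEBGUI_PORT = 9443                        # where the pfSense GUI was moved (must not be 80/443)
LISTEN_PORTS = (80, 443)                  # ports Squid will own on the WAN address
CERT = "/usr/local/etc/squid/cert.pem"    # assumed certificate/key paths
KEY = "/usr/local/etc/squid/key.pem"

# (peer name, backend address, backend port, TLS to backend, published FQDNs) - constructed.
# Backends are given as IP addresses on purpose: with a hostname, pfSense itself must be
# able to resolve it against a DNS server that knows the internal names.
MAPPINGS = [
    ("owa", "192.168.120.10", 443, True, ["webmail.domain.com", "autodiscover.domain.com"]),
    ("www", "192.168.120.20", 80, False, ["www.domain.com"]),
    ("extranet", "192.168.120.21", 80, False, ["extranet.example.com"]),
]


def port_conflicts(listen_ports=LISTEN_PORTS, webgui_port=WEBGUI_PORT):
    """Ports Squid wants that the webGUI still holds; two daemons cannot bind the same one."""
    return [p for p in listen_ports if p == webgui_port]


def build_config(mappings=MAPPINGS, wan=WAN_ADDRESS, webgui_port=WEBGUI_PORT):
    """Return squid.conf text; raises ValueError if the GUI still sits on a Squid port."""
    conflicts = port_conflicts(webgui_port=webgui_port)
    if conflicts:
        raise ValueError(f"webGUI port {webgui_port} collides with Squid listen port(s) {conflicts}")
    default_site = mappings[0][4][0]   # used when a client sends no Host header
    lines = [
        # 'accel' = accelerator (reverse) mode; 'vhost' = choose the backend by Host header
        f"http_port {wan}:80 accel defaultsite={default_site} vhost",
        f"https_port {wan}:443 accel cert={CERT} key={KEY} defaultsite={default_site} vhost",
        "never_direct allow all",   # every request goes to a cache_peer, never straight out
    ]
    for name, host, port, tls, sites in mappings:
        peer = f"cache_peer {host} parent {port} 0 no-query originserver name={name}"
        if tls:
            # DONT_VERIFY_PEER is common for internal self-signed certificates; trusting the
            # internal CA instead keeps the proxy from being fooled by a swapped backend.
            peer += " ssl sslflags=DONT_VERIFY_PEER"
        acl = f"{name}_sites"
        lines += [
            peer,
            f"acl {acl} dstdomain {' '.join(sites)}",
            f"cache_peer_access {name} allow {acl}",   # only these hosts reach this backend
            f"cache_peer_access {name} deny all",
            f"http_access allow {acl}",
        ]
    lines.append("http_access deny all")   # anything not explicitly published is refused
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_config())
```

The generated file is the textual equivalent of the GUI screens discussed above: each 'Web Servers' entry becomes a cache_peer, each 'Mappings' row becomes a dstdomain ACL tied to that peer, and the single-server case from the screenshot (127.0.0.1 on 8443) is just a one-entry MAPPINGS list. Because the firewall only has to permit traffic to the WAN address on 80/443 and Squid answers there itself, no NAT rule appears anywhere in this picture.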
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.