Alternative for MS TMG 2010 = pfSense ???
-
As you illustrated in the first postings I did exactly the same and added NAT and firewall rules. I'm using port 8080 and 8443.
When using proxy, you do not need nat, just firewall rules on wan allowing access to wan address at port 8080/8443.
-
Marcello,
I've now followed your published configuration; so I started over again. So I installed Squid3, went to Reverse Proxy and added everything exactly as you posted.
Then I made two rules in the WAN (Firewall->Rules->WAN) to allow listening on port 80 and 443.
My intention is to publish several sites/domains. First of all I want to publish the CAS-servers; so the Exchange webmail services (https://webmail.domain.com/owa and all other related URLs (autodiscover, rpc, etc.)).
All servers are configured on the default ports.
Furthermore, do I have to configure an alternative port for the webGUI? I'm now accessing it internally via https.
You probably see my configuration mis-match.
See the pictures as attached.
Thanks already,
Canefield
-
Furthermore, do I have to configure an alternative port for the webGUI? I'm now accessing it internally via https.
Yes, you need to change the pfsense gui port to other than 443.
Your wan firewall rule should be
source any
source port any
destination wan address
destination port 80

source any
source port any
destination wan address
destination port 443

On system -> advanced, change the pfsense port to other than 443 and disable the web gui redirect rule.
-
Marcello,
I did everything you mentioned but without any result.
So my firewall rules have been changed and the webGUI to 9443.
Network
LAN; IP: 192.168.120.254 /24
WAN; IP: 192.168.2.254 /24, GW: 192.168.2.253 (DMZ)
Reverse Proxy
If I understand it correctly you enable listening on port 80 and/or 443 via tab 'General'. So with the firewall rule all requests are allowed and transferred to the WAN address (192.168.2.254 in my case) and Squid3 (reverse) will apply to those. Furthermore in the tab 'Web Servers' I configure all my internal web servers and related. As I make up out of your example my internal web server is listening to port 8443, correct? In my case my servers are listening to all default ports, so 80 and 443. Should I change here the port from 8443 to 443? Then in the tab 'Mappings' I can combine web servers in groups and select all needed. Right? Then one thing I do not understand is the URIs. What does this do and how to configure? You gave an example of *;<empty>, but what can I do with it?
Could you give me a working example of let's say four servers; two listening on port 443 and two on port 80. The first two (listening on port 443) are Exchange servers (owa, autodiscover, outlook anywhere, mail tips, etc.) and the other two (listening on port 80) just hosting a plaintext website. The first one 'www.domain.com' and the second one 'extranet.example.com'. No screenshots are needed, in text is fine too. You of course may decide, but I thought screenshots will cost you a lot of your precious time. Thanks for all the time and effort already.
LAN-network
From my pfSense I can't resolve internal DNS names. Where to configure internal DNS servers per network/adapter? I will have several more adapters in place with all another subnet and servers.
Many thanks,
Canefield
-
canefield,
Try first one server before you reach full config.
Should I change here the port from 8443 to 443?
Yes. it must be your web server listening port
Then in the tab 'Mappings' I can combine web servers in groups and select all needed. Right?
yes, show sites/urls you need to balance/publish and then select webservers that will receive this requests
Then one thing I do not understand is the URIs. What does this do and how to configure? You gave an example of *;<empty>, but what can I do with it?
- means what path of this site you will forward to internal host, * means all urls/dirs.
the <empty> must be a site fqdn when you have multiple websites to forward.
example: - www.mydomain.com
- forum.mydomain.com
Could you give me a working example of let's say four servers; two listening on port 443 and two on port 80. The first two (listening on port 443) are Exchange servers (owa, autodiscover, outlook anywhere, mail tips, etc.) and the other two (listening on port 80) just hosting a plaintext website. The first one 'www.domain.com' and the second one 'extranet.example.com'. No screenshots are needed, in text is fine too. You of course may decide, but I thought screenshots will cost you a lot of your precious time. Thanks for all the time and effort already.
The code from squid-reverse has options for only one owa server, I did not have time to test it with two owas.
I don't have a working example with multiple hosts with squid3, just that screenshot you saw.
LAN-network
From my pfSense I can't resolve internal DNS names. Where to configure internal DNS servers per network/adapter? I will have several more adapters in place with all another subnet and servers.
dns server is used by pfsense, not by interface. You need one dns server that can do internal and external name resolution.
To clarify this idea, internet users will dnslookup your external dns to www.mydomain.com. When this package arrives on your pfsense, it will do another dnslookup to find your internal dns if you specified a hostname instead of an ip address.
-
Marcello,
Thanks again… I'm trying to configure it right now. Is there some kind of 'live' log to see if the traffic is accepted and passed further on?
I'm looking at 'Status->System Logs->Firewall', but can't see a thing regarding my request on port 443.
What I have done first is entered the IP in the OWA-part of the reverse proxy, but without any result so far.
Thanks,
Canefield
Edit: I did your config just now without result... WHY?!?!
-
Thanks again… I'm trying to configure it right now. Is there some kind of 'live' log to see if the traffic is accepted and passed further on?
I'm looking at 'Status->System Logs->Firewall', but can't see a thing regarding my request on port 443.
If you enabled squid logs, it will be on /var/logs/squid/access.log
Using ssh to connect to pfsense (system-> advanced) you can use
tail -f /var/logs/squid/access.log
-
Marcello,
I did your config just now without result… WHY?!?!
Thx,
Canefield
-
I did your config just now without result… WHY?!?!
I have no idea :(, I've published the screenshots and the package just after testing and making sure it was working.
You will need to improve your skills with opensource and start using console/ssh as well as tcpdump. This way you can see package flow and log files.
The screenshots show pfsense published on 8443 and squid reverse-proxying it on wan at port 443.
att,
Marcello Coutinho
-
Marcello,
I really don't get it.
In your example of Squid3, what is the webserver 127.0.0.1 on port 8443?
1. You have changed the webGUI port to something else than 443 and disabled the redirect rule.
2. Added only a firewall rule to allow any to the WAN address of the pfSense to port 443
2a. Why not NAT+Firewall? Does the reverse proxy make NAT unnecessary?
3. Then added the configuration as you posted in the Reverse Proxy settings. What are you seeing then? You are redirecting to webserver 127.0.0.1, so localhost. What is pfSense/Squid hosting?
I need to clarify stuff to understand. Could you give me a start of working with the shell and tcpdump for monitoring the flow? Is there a package out there (GUI)?
Thanks again,
Canefield
-
In your example of Squid3, what is the webserver 127.0.0.1 on port 8443?
The pfsense gui.
127.0.0.1 - same host as squid3
8443 - pfsense gui port
1. You have changed the webGUI port to something else than 443 and disabled the redirect rule.
squid will listen on wan port 80 and 443. If you leave the pfsense gui on the same port, there will be two daemons trying to listen on the same port.
2. Added only a firewall rule to allow any to the WAN address of the pfSense to port 443
2a. Why not NAT+Firewall? Does the reverse proxy make NAT unnecessary?
As the squid daemon is listening on the wan interface, you do not need to translate anything, just allow access.
3. Then added the configuration as you posted in the Reverse Proxy settings. What are you seeing then? You are redirecting to webserver 127.0.0.1, so localhost. What is pfSense/Squid hosting?
This config will use squid to answer requests on port 443 and forward them to the internal server (in this case 127.0.0.1) on port 8443
internet user --> squid3:443 --> internal server:8443
I need to clarify stuff to understand. Could you give me a start of working with the shell and tcpdump for monitoring the flow? Is there a package out there (GUI)?
There is one on diagnostics, but on the gui you need to wait x packages until it shows captured traffic.
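The flow described in this reply (internet user --> squid3:443 --> internal server) leaves a line per request in the squid access.log that was pointed to earlier in the thread, and reading that log is the fastest way to tell a firewall problem (nothing logged at all) from a mapping problem (logged but denied, or forwarded to a peer that answers 5xx). The script below is an added example, not code from the thread or from the pfSense squid3 package: it classifies lines in squid's native access.log format, using constructed sample lines with hypothetical client and backend addresses.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense/squid packages.
# Classifies squid access.log lines (squid's default "native" format) to
# answer: did the request reach squid on the WAN port, was it forwarded to
# the expected backend, or did squid itself deny it?
# Field layout of the native format (whitespace separated):
#   1 timestamp  2 elapsed-ms  3 client-ip  4 result/status  5 bytes
#   6 method     7 url         8 user       9 hierarchy/peer 10 content-type
#
# Constructed sample lines (hypothetical addresses, not real log data):
SAMPLE_LOG='1364835010.123     45 203.0.113.5 TCP_MISS/200 5123 GET https://www.domain.com/ - FIRSTUP_PARENT/127.0.0.1 text/html
1364835011.456      0 203.0.113.5 TCP_DENIED/403 3987 GET https://unknown.domain.com/ - HIER_NONE/- text/html
1364835012.789     80 198.51.100.9 TCP_MISS/200 7100 GET https://webmail.domain.com/owa/ - FIRSTUP_PARENT/192.168.150.3 text/html
1364835013.001     12 198.51.100.9 TCP_MISS/502 1200 GET https://webmail.domain.com/owa/ - FIRSTUP_PARENT/192.168.150.3 text/html'

# Requests squid handed to a backend, counted per peer address: "peer count".
forwarded_by_peer() {
    printf '%s\n' "$1" | awk '
        $9 ~ /^FIRSTUP_PARENT\// { split($9, h, "/"); n[h[2]]++ }
        END { for (p in n) printf "%s %d\n", p, n[p] }' | LC_ALL=C sort
}

# Requests squid refused itself (no mapping/ACL matched): "client url".
# A TCP_DENIED/403 here proves the packet did reach squid through the
# firewall; what is wrong is the reverse-proxy mapping, not the WAN rule.
denied_requests() {
    printf '%s\n' "$1" | awk '$4 ~ /^TCP_DENIED\// { print $3, $7 }'
}

# Forwarded requests answered with a 5xx: squid reached the peer, but the
# backend (or the port/protocol given for the peer) is not serving the site.
backend_error_count() {
    printf '%s\n' "$1" | awk '
        $9 ~ /^FIRSTUP_PARENT\// { split($4, s, "/"); if (s[2] + 0 >= 500) c++ }
        END { print c + 0 }'
}

# Against a live box, replace "$SAMPLE_LOG" with "$(cat /path/to/access.log)".
echo "forwarded per peer:"; forwarded_by_peer "$SAMPLE_LOG"
echo "denied by squid:";    denied_requests "$SAMPLE_LOG"
echo "backend 5xx count:";  backend_error_count "$SAMPLE_LOG"
```

If the log stays empty while a request is made from the internet, the request never reached squid and the firewall rule or the listening interface is the place to look; a 403 line shows the published FQDN is not covered by any mapping, and a 502 line shows the mapping points at a backend address, port or protocol that does not answer.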
-
Marcello,
I now fully understand the whole concept of it. Thanks for your explanation.
Still it doesn't function for me.
Network
LAN; IP: 192.168.120.254 /24
WAN; IP: 192.168.2.254 /24, GW: 192.168.2.253 (DMZ)
Installation and configuration
- I have changed the webGUI port from 443 to 9443 and disabled the redirect rule
- Configured firewall rule to allow 443 from WAN (TCP;;;WAN address; HTTPS)
- Installed Squid3 package
- Enabled listening port Reverse Proxy on port 80 and 443 (just for now I only use port 443)
- Added web server (127.0.0.1;9443;HTTPS)
- Added Mappings (Peer to 127.0.0.1; URI (*;<empty>))
Now I should get my own webGUI of pfSense if I went to https://www.domain.com/. Sadly it doesn't work for me. What could have gone wrong? Related to block private networks on the WAN-interface? Any other configuration mismatch I should be aware of? How hard could it be? I really don't have the slightest idea.
Thanks a lot,
Canefield
-
- Configured firewall rule to allow 443 from WAN (TCP;;;WAN address; HTTPS)
- Enabled listening port Reverse Proxy on port 80 and 443 (just for now I only use port 443)
Did you select the wan interface to listen on?
Now I should get my own webGUI of pfSense if I went to https://www.domain.com/. Sadly it doesn't work for me. What could have gone wrong? Related to block private networks on the WAN-interface? Any other configuration mismatch I should be aware of? How hard could it be? I really don't have the slightest idea.
Does https://www.domain.com/ point to the firewall wan ip address?
Did you try this access from internet or from lan?
You have a private address assigned to the wan interface (WAN; IP: 192.168.2.254 /24), why did you check block private networks on the WAN-interface? ???
-
- Configured firewall rule to allow 443 from WAN (TCP;;;WAN address; HTTPS)
- Enabled listening port Reverse Proxy on port 80 and 443 (just for now I only use port 443)
Did you select the wan interface to listen on? => YES
Now I should get my own webGUI of pfSense if I went to https://www.domain.com/. Sadly it doesn't work for me. What could have gone wrong? Related to block private networks on the WAN-interface? Any other configuration mismatch I should be aware of? How hard could it be? I really don't have the slightest idea.
Does https://www.domain.com/ point to the firewall wan ip address? => YES
Did you try this access from internet or from lan? => Internet
You have a private address assigned to the wan interface (WAN; IP: 192.168.2.254 /24), why did you check block private networks on the WAN-interface? ??? => No I did not, I wanted to check my settings
I did some research… I saw that my Squid3 service was for no reason down. I wasn't able to get it online via the settings of the GUI so I restarted pfSense. Now the service was online, but no results whatever. I checked if my ports were open. That's the thing that surprised me the most. Both the ports aren't open; although I have the appropriate firewall rules in place on the right interface. I've also tried using the floating rule, but without any result. Is it Linux that always gives 'stealth' back by a portscan? I think not, so what can it be? I assume that it ain't listening on port 80 and 443. What other ports are needed? None so far my understanding.
Thanks again,
Canefield
-
Marcello,
After a mysterious reboot it worked like a charm. Still I'm confused what the part was that broke and fixed everything.
Now I have only one rule in the reverse proxy.
When I want to make a difference by FQDN, what should I add/change to make it work?
Let's say I have four servers:
- 127.0.0.1 on 9443 => webGUI pfSense
- 192.168.150.3 on port 443 => MS Exchange OWA, Outlook Anywhere, Autodiscover
- 192.168.150.7 on port 443 => MS SharePoint
- 192.168.150.12 on port 80 => Corporate website
I would say first add choose to the 'web server' by IP-address and Listening port. Second add 'mappings'; so make a group and add the corresponding peers to it and make use of URIs. So for the first server (127.0.0.1) I have added the URI *; remote.domain.com (HTTPS), the second URI *; webmail.domain.com/owa, URI2 *; mail.domain.com/owa (HTTPS) and the third *; extranet.domain.com and the fourth URI *; www.domain.com (HTTP). But somehow the URI is not working as I thought it should be. I only want that it listens to the specified URI. Everything else should be bounced. Could you give me several examples?
Thanks a lot,
Canefield
-
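The four-server mapping asked for in the post above, written out as the squid 3 accelerator ("accel") directives that a reverse-proxy mapping ends up as in squid.conf. This is an added example and not part of the thread or of the pfSense squid3 package's own code. The shell function turns a mapping table (peer name, backend address, port, protocol, published FQDN) into one cache_peer per backend, one dstdomain ACL per published site, and cache_peer_access plus http_access rules that deny anything not mapped, which is the "everything else should be bounced" behaviour requested. The backend addresses and ports are the ones listed in the post and the listener address is the WAN address given earlier in the thread; the peer names and the certificate/key paths are assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense squid3 package.
# Generates squid 3 reverse-proxy (accel) configuration from a mapping table.
# Table columns: peer-name backend-ip backend-port backend-proto published-fqdn
# Peer names are hypothetical; addresses and ports are those from the post.
MAPPINGS='pfsense    127.0.0.1      9443 https remote.domain.com
owa        192.168.150.3  443  https webmail.domain.com
owa        192.168.150.3  443  https mail.domain.com
sharepoint 192.168.150.7  443  https extranet.domain.com
www        192.168.150.12 80   http  www.domain.com'

# Emit the squid.conf fragment for a mapping table passed as "$1".
# One cache_peer per distinct backend, one "site_<peer>" dstdomain ACL that
# collects every FQDN published on that backend, and a default deny for both
# peer selection (cache_peer_access) and request admission (http_access).
squid_accel_conf() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        # listeners on the WAN address (192.168.2.254 in the thread);
        # cert/key paths are placeholders, not values from the thread
        print "http_port 192.168.2.254:80 accel vhost"
        print "https_port 192.168.2.254:443 accel vhost cert=/PATH/TO/cert.pem key=/PATH/TO/key.pem"
    }
    NF == 5 {
        name = $1; ip = $2; port = $3; proto = $4; fqdn = $5
        if (!(name in seen)) {
            seen[name] = 1
            line = "cache_peer " ip " parent " port " 0 no-query originserver name=" name
            # DONT_VERIFY_PEER skips checking the backend certificate; it is
            # only acceptable for self-signed internal certs on a trusted LAN
            if (proto == "https") line = line " ssl sslflags=DONT_VERIFY_PEER"
            peers = peers line "\n"
        }
        acl = "site_" name
        acls = acls "acl " acl " dstdomain " fqdn "\n"
        if (!(acl in aclseen)) {
            aclseen[acl] = 1
            access = access "cache_peer_access " name " allow " acl "\n"
            access = access "cache_peer_access " name " deny all\n"
            allow = allow "http_access allow " acl "\n"
        }
    }
    END {
        printf "%s%s%s%s", peers, acls, access, allow
        # anything whose Host header matches no published FQDN is refused
        print "http_access deny all"
    }'
}

squid_accel_conf "$MAPPINGS"
```

The two owa lines share one peer and one ACL, so both webmail.domain.com and mail.domain.com reach 192.168.150.3 while unknown.domain.com is answered with 403 by squid itself rather than passed to any backend. Keeping the per-peer "cache_peer_access ... deny all" lines prevents a request for one published site from being routed to a different backend when squid falls back through its peer list.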
I would say first add choose to the 'web server' by IP-address and Listening port.
yes.
I've moved this answer to your squid3 package question.
http://forum.pfsense.org/index.php/topic,48709.msg257571.html#msg257571
-
So thanks again!
If the Squid URI works like it should be -further explanations in the mentioned topic- this topic is almost finished. My next accomplishment will be the backup/fallback Postfix with Anti-SPAM/Virus. You already provided some information. I will look that up and will post my findings and problems :-).
As far as I can remember you placed Postfix in front, but I want it to be a backup/fallback for the Exchange servers. So if those servers become inaccessible/offline Postfix should be there in front as backup/fallback. All messages may be stored in the Postfix mailqueue and if the Exchange servers are back online again all messages will be forwarded to them. I think of a configuration regarding message retainment and stuff. Also I am interested in the picture in 'vice versa', because I want to know about this too. Perhaps I will configure it the other way around? Any suggestions/considerations/ideas?
KR,
Canefield
-
canefield,
On postfix topic you can see a lot of suggestions.
I recommend postfix in front of your exchange server, but you can use it this way. Configure postfix as a backup mx on your domain with a high value. Just like on dns round robin, mx choice is made by client. This way you will have mail servers sending messages to both mx.
Use the postfix thread if you have any other question.
att,
Marcello Coutinho
-
Hi, I'll be very happy to move from ISA to pfSense but some details are still confusing to me. You already know how ISA rules work. For example when creating a new rule you have the possibility to specify to whom that rule applies, maybe a user, maybe a group. How does pfSense work with that???
-
For example when creating a new rule you have the possibility to specify to whom that rule applies, maybe a user, maybe a group. How does pfSense work with that???
AFAIK, you can only apply firewall rules to ips/ networks.
Using proxy servers like squid/squidguard/dansguardian you can apply http rules to users.
att,
Marcello Coutinho