Alternative for MS TMG 2010 = pfSense ???

canefield

Marcello,

After a mysterious reboot it worked like a charme. Still I'm confused what was tha part that broke and fixed everything.
Now I have only one rule in the reverse proxy.

When I want to make a difference by FQDN, what should I add/change to make it work?

Let's say I have four servers:

• 127.0.0.1 on 9443 => webGUI pfSense
• 192.168.150.3 on port 443 => MS Exchange OWA, Outlook Anywhere, Autodiscover
• 192.168.150.7 on port 443 => MS SharePoint
• 192.168.150.12 on port 80 => Corporate website

I would say first add choose to the 'web server' by IP-address and Listening port. Second add 'mappings'; so make a group and add the corresponding peers to it and make use of URIs. So for the first server (127.0.0.1) I have added the URI *; remote.domain.com (HTTPS), the second URI *; webmail.domain.com/owa, URI2 *; mail.domain.com/owa (HTTPS) and the third *; extranet.domain.com and the fourth URI *; www.domain.com (HTTP). But somehow the URI is not working as I thought it should be. I only want that is listenens to the specified URI. Everything else should be bounced. Could you give me several examples?

Thanks a lot,
Canefield

marcelloc

@canefield:

I would say first add choose to the 'web server' by IP-address and Listening port.

yes.

I've moved this answer to your squi3 package question.

http://forum.pfsense.org/index.php/topic,48709.msg257571.html#msg257571

canefield

So thanks again!

If the Squid URI works like it should be -futher explanations in the mentioned topic- this topic is almost finished. My next accomplishment will be the backup/fallback Postfix with Anti-SPAM/Virus. You already provided some information. I will look that up and will post my findings and problems :-).

As far I can remember you placed Postfix in front, but I want it to be as backup/fallback for the Exchange servers. So if those server become inaccessible/offline Postfix should be there in front as backup/fallback. All messeages may be stored in the Postfix mailqueue and if the Exchange servers are back online again all messages will be forwarded to them. I think of a configuration regarding message retainment and stuff. Also I am interested in the picture in 'vice versa', because I want to know about this too. Perhaps I will configure it the other way around? Any suggestions/considerations/ideas?

KR,
Canefield

marcelloc

canefield,

On postfix topic you can see a lot of suggestions.

I recomend postfix in front of your exchange server, but you can use it this way. configure postfix as a backup mx on your domain with a high value. Just like on dns round robin, mx choice is made by client. this way you will have mail servers sending messages to both mx.

Use postfix thread if have any other question.

att,
Marcello Coutinho

rmpf

Hi, I'll very happy to move from Isa to PFsense but some details still confused to me. You already know how ISA rules work. For example when creating a new rule you have the possibility to specify to whom apply that rule, maybe a user, maybe a group. How do Pfsense work with that???

marcelloc

@rmpf:

For example when creating a new rule you have the possibility to specify to whom apply that rule, maybe a user, maybe a group. How do Pfsense work with that???

AFAIK, you can only apply firewall rules to ips/ networks.

Using proxy servers like squid/squidguard/dansguardian you can apply http rules to users.

att,
Marcello Coutinho

rmpf

Hi, Marcello, you said firewall rules only apply to ips/ networks, but with proxy servers like squid/squidguard/dansguardian http rules can be apply to users. Ok, I have read
"Tutorial PFFense 2.0: Active Directory -> User Manager - http://forum.pfsense.org/index.php/topic,44689.0.html" but how to apply and specific dansguardian or squidguard rule to an specific user or group??? I don't see any space to assign an active directory user or group???? Because our inmediate situation with ISA we already have some groups created on Active Directory Like Internet Users and IT so the question is how to implement dansguardian or squidguard to limit or allow traffics to specific sites on those groups?

rmpf

@marcelloc:

@rmpf:

For example when creating a new rule you have the possibility to specify to whom apply that rule, maybe a user, maybe a group. How do Pfsense work with that???

AFAIK, you can only apply firewall rules to ips/ networks.

Using proxy servers like squid/squidguard/dansguardian you can apply http rules to users.

att,
Marcello Coutinho

marcelloc

Dansguardian has an ldap tab to fetch users from ad based on groups, take a look on dansguardian topic at packages to see how it works.

with auth popup, you can follow this how-to(it's in portuguese but translate.google.com can help you)
http://www.pfsense-br.org/blog/2012/01/pfsensesquidsquidguard-logando-no-active-directory/

without auth popup, you will need a more advaced setup to apply it, including installing and configuring samba on pfsense.

rmpf

Thanks!!! So then is possible to install samba for no auth popup but samba is not on the listed packages… Am I correct?

marcelloc

This is the topic(in portuguese again  :)) with a smailll tutorial to setup ntlm authentication on squid

http://forum.pfsense.org/index.php/topic,47532.msg249812.html#msg249812

rmpf

Thanks for the tip!! After completing the configuration witn samba It is possible to log the usernames for audit purposes?????

marcelloc

@rmpf:

Thanks for the tip!! After completing the configuration witn samba It is possible to log the usernames for audit purposes?????

Sure. You can use sarg to create reports.

Supermule

What will then happen if some of the packages get updated and it breaks the config that replaces TMG??

marcelloc

@Supermule:

What will then happen if some of the packages get updated and it breaks the config that replaces TMG??

In this case, package maintainers or anyone else can fix the problem or depending on the package and the problem, you can buy some commercial support hours and ask to fix it.

And what will then happen if microsoft decides to stop TMG development and keep it just fixing bugs?

canefield

Dear all,

I was on holiday a couple of days. I'm back and did a lot of testing and thing are actually working ::). Still I have some questions.

1. Has somebody thorough tested the build in OWA functionality? I encounter problems regarding the 'Outlook Anywhere' and 'AutoDiscover' aspects. It can not verify the servers nor the auto configuration. Only the webbased functionality is working like it suppose to be.

2. I also could use the 'webservers' and 'mappings' instead. But is it not so that I should than configure all URI's Exchange is using? Or can I use wildcard after the domain, e.g.: ;mail.domain.com/ ?

3. Than something else but related ofcourse. Is it possible to create some kind of redirect from HTTP to HTTPS? More specific, when browsing to 'http://webmail.domain.com' it get redirected to 'https://webmail.domain.com/owa'? Yes, all regarding M$ Exchange ;)

4. I'm hosting some kind of test-website right now (.NET ASPX). When browsing to that site I get some parts of the page, but seconds later IE is complaining and wants to reload the page. Why is not everything loaded into the page? Pictures especially and links won't work? How, why?

5. Related to #4, should I configure Squid Proxy first? Instead of currently only using Reverse Proxy? Anybody a good manual for Squid Proxy with caching, Windows Update, etc.?

Thanks a lot,
Canefield

marcelloc

@canefield:

1. Has somebody thorough tested the build in OWA functionality? I encounter problems regarding the 'Outlook Anywhere' and 'AutoDiscover' aspects. It can not verify the servers nor the auto configuration. Only the webbased functionality is working like it suppose to be.

I didn't  :(

@canefield:

2. I also could use the 'webservers' and 'mappings' instead. But is it not so that I should than configure all URI's Exchange is using? Or can I use wildcard after the domain, e.g.: ;mail.domain.com/ ?

I think wildcards are accepted by config but there are so many paths for owa?

@canefield:

3. Than something else but related ofcourse. Is it possible to create some kind of redirect from HTTP to HTTPS? More specific, when browsing to 'http://webmail.domain.com' it get redirected to 'https://webmail.domain.com/owa'? Yes, all regarding M$ Exchange ;)

The easiest way to do this is and redirect html on webserver

@canefield:

4. I'm hosting some kind of test-website right now (.NET ASPX). When browsing to that site I get some parts of the page, but seconds later IE is complaining and wants to reload the page. Why is not everything loaded into the page? Pictures especially and links won't work? How, why?

take a look on access log file for access_denied urls using tail -f

@canefield:

5. Related to #4, should I configure Squid Proxy first? Instead of currently only using Reverse Proxy?

You can use only reverse functions. I'm planning to build when time permits two conf files one for normal proxy and one for reverse proxy with no changes on gui. This way you can have two log files, one for normal proxy and other for reverse.

@canefield:

Anybody a good manual for Squid Proxy with caching, Windows Update, etc.?

Squid3 package on local cache tab, has these dynamic options o gui.

canefield

@marcelloc:

@canefield:

1. Has somebody thorough tested the build in OWA functionality? I encounter problems regarding the 'Outlook Anywhere' and 'AutoDiscover' aspects. It can not verify the servers nor the auto configuration. Only the webbased functionality is working like it suppose to be.

I didn't  :(
Somebody…please

@canefield:

2. I also could use the 'webservers' and 'mappings' instead. But is it not so that I should than configure all URI's Exchange is using? Or can I use wildcard after the domain, e.g.: ;mail.domain.com/ ?

I think wildcards are accepted by config but there are so many paths for owa?
I've checked it with the primary paths (/owa, /rpc, /autodiscover, /Microsoft-Server-ActiveSync, /ews, /ecp), without luck. Can sombody help?

@canefield:

3. Than something else but related ofcourse. Is it possible to create some kind of redirect from HTTP to HTTPS? More specific, when browsing to 'http://webmail.domain.com' it get redirected to 'https://webmail.domain.com/owa'? Yes, all regarding M$ Exchange ;)

The easiest way to do this is and redirect html on webserver
I want to mange this by pfSense…can that be done?

@canefield:

4. I'm hosting some kind of test-website right now (.NET ASPX). When browsing to that site I get some parts of the page, but seconds later IE is complaining and wants to reload the page. Why is not everything loaded into the page? Pictures especially and links won't work? How, why?

take a look on access log file for access_denied urls using tail -f
Could you give me additional information/instructions? I don't now much about Linux.

@canefield:

5. Related to #4, should I configure Squid Proxy first? Instead of currently only using Reverse Proxy?

You can use only reverse functions. I'm planning to build when time permits two conf files one for normal proxy and one for reverse proxy with no changes on gui. This way you can have two log files, one for normal proxy and other for reverse.
Perfect!

@canefield:

Anybody a good manual for Squid Proxy with caching, Windows Update, etc.?

Squid3 package on local cache tab, has these dynamic options o gui.
Any suggestions how to configure Squid for caching movies (YouTube), pictures, ISO's and Windows Updates?

All thank you very much,
Canefield

marcelloc

@canefield:

Could you give me additional information/instructions? I don't now much about Linux.

go to console/ssh, and do tail -f /var/squid/logs/access.log

@canefield:

Any suggestions how to configure Squid for caching movies (YouTube), pictures, ISO's and Windows Updates?

All options that I saw on tutorials are coded on gui, select these options on local cache tab and traffic mgmt

canefield

Dear Marcello and others,

@marcelloc:

@canefield:

Could you give me additional information/instructions? I don't now much about Linux.

go to console/ssh, and do tail -f /var/squid/logs/access.log
I've checked the log but is completely blanc

@canefield:

Any suggestions how to configure Squid for caching movies (YouTube), pictures, ISO's and Windows Updates?

All options that I saw on tutorials are coded on gui, select these options on local cache tab and traffic mgmt
You mean under 'Services=>Proxy server=>Local Cache'

Furthermore I'm trying configuring Squid3 with HAVP and SquidGuard. I read a lot of topics but don't have a clue what to use.
INET -> HAVP -> SQUID -> NETWORK or INET -> SQUID -> NETWORK
I want the internal network completely secured (HAVP), cached (SQUID) and filtered (SquidGuard).

I've tried several configurations, but all without my desires/wishes. Meaning trying to setup HAVP working with Squid and vise versa. Using transparent proxy and so on…no luck at all.
So first only used Squid as transparent proxy...but is transparent working. With everything configured I don't see/notice that Squid is my proxy. I did a check on 'whatismyip.com' and nothing illustrates I'm using a proxy; only if I configure it manually. So my first question, how to test if I'm really using the proxy? Second how to combine that with HAVP and SquidGuard? In which order (INET -> HAVP -> SQUID -> NETWORK or INET -> SQUID -> NETWORK) and why would you use/suggest that?

Also played around with Postfix. I've tried lots of possibilities, but can't get it to work. What to do for accepting domains and forward those to the appopriate servers? Do I need using the whitelists? Other configurations to keep in mind? When I want Postfix to scan on virusses etc. what is the best thing to use? Mailscanner? Do I need both or just Postfix?

And at last…no luck with configuring the reverse proxy. I can't get MS Exchange 2010 working with Outlook Anywhere (Outlook over RPC) nor my test website on ASPX and different host-headers.

I appreciate your time and effort,
Canefield