Alternative for MS TMG 2010 = pfSense ???
-
Dear all,
Please some kind of configuration/step-by-step examples? Only with plaintext I can not configure it the right way.
- How to get Postfix to listen on port 25, queue messages and forward to the corresponding mail-server.
- Just an example how to configure Varnish to do this job. I have an UCC certificate, can Varnish handle this?
Thanks in advance,
Canefield -
Postfix mini howto:
firewall rules -> wan
- create a wan rule to permit smtp traffic to wan address
postfix General tab
-
check enable postfix option
-
choose at least wan loopback interfaces
postifx domain tab
- fill your domain/internal smtp info
Postfix Antispam tab
-
follow default/recommended settings
-
Leave third part antispam unselected(try latter when you get better Knowledge on postfix)
Some screenshots/full thread for this package
http://forum.pfsense.org/index.php/topic,40622.0.html -
varnish super mini howto
varnish topic
http://forum.pfsense.org/index.php/topic,38271.msg197434.html#msg197434 -
Thanks. I'll look into it.
KR,
Canefield -
Dear Marcello and others,
I've tried several attemps to forward requests to multiple servers without any result.
I can't get it right. What is the problem? I want to have multiple servers running on port 80 (HTTP) as well as 443 (HTTPS)My steps:
- Disabled the 'webConfigurator redirect rule' (System->Advanced)
- Added Backends (Services->Varnish->Backends)
2a) E.g.:
-
Backend name: WWW
-
IPAddress: 192.168.12.1
-
Port: 80
-
URL: /
-
Probe Interval: 5
-
Probe Timeout: 1
-
Probe Window: 5
-
Probe Threshold: 3
-
Backend Mappings: Map: Host, Match: Equals, Expression: www.domain.com, Grace:
- What is the difference between Host and URL by 'Backend Mappings->Map'?
- Performance metrics are not configured; I don't know what to do with it.
- I've also tried leaving 'Backend Mappings' clear and configured those under 'LB Directors'. That's what I'm trying to accomplish.- Enabled Varnish (Services->Varnish->Settings)
3a) Listening port 80, management port 81; accepted all defaults - No NAT rules for port 80 (Firewall->NAT)
- Rules, added listening port (Firewall->Rules->WAN)
5a) Proto: TCP, Source: *, Port: *, Destination: *, Port: 80 (HTTP), Gateway: *, Queue: none, Schedule: <empty>It does not work?!?
Can you give me some examples about configuring 'LB Directors'?
I want also to be able to forward multiple HTTPS requests. If I understood correctly I should use HAProxy for HTTPS forwarding. Can HAProxy do both (HTTP & HTTPS)? Should I use both (Varnish & HAProxy) or is it better to use just one of them? What is best? Performance?I didn't configured Postfix jet because of my issues with Varnish.
Thanks a lot,
Canefield</empty> -
Can you give me some examples about configuring 'LB Directors'?
To use load balance, leave empty Backend Mappings
check on varnish dashborad widget if varnish can sucessfull check server status based on url you provided for check.I want also to be able to forward multiple HTTPS requests. If I understood correctly I should use HAProxy for HTTPS forwarding. Can HAProxy do both (HTTP & HTTPS)? Should I use both (Varnish & HAProxy) or is it better to use just one of them? What is best? Performance?
I use varnish for http as it does cache and reduce server load(of course depending on your config).
Haproxy, AFAIK can't do host header https, just service balance.
I'm also planning to do this https function for this package using other package together(pound, relayd,…), but I need first to have some time to test it.
-
Marcello,
At the Varnish dashboard none of the servers are listed? How come?
Thanks,
CanefieldP.S. It is more difficult than I thought. Please step-by-step; otherwise I really mess up.
-
I'm also planning to do this https function for this package using other package together(pound, relayd,…), but I need first to have some time to test it.
What are you trying to put together? Combining packages like Varnish and Pound/Relayd, so just one product could do the job? Also based on host-headers? What is the estimate?
Thanks,
Canefield -
Thats exactly why PFSense is not an option for TMG….
All of this is included in TMG and not in PFsense. Use one package for http...another for https and a third for some other thing.
The more packages one runs, the more vulnerable your system will be.
-
What are you trying to put together? Combining packages like Varnish and Pound/Relayd, so just one product could do the job? Also based on host-headers? What is the estimate?
That's it. A Combining package for http/https publishing.
I have no estimate yet because I'm busy with sarg and mailscanner quarantine tab.
I'll do this as soon as I have time to help sysadmins on this kind of configuration.Apache+modsecurity for example is a package that does http/https proxy with memcache. I do not use it on pfsense but you can get help on this forum to configure it.
-
Thank you Marcello!
That is something we have been asking for for a long time….and remember the detailed logging that TMG has, it needs to be equivalent in pfsense.
Otherwise its useless.
-
Thats exactly why PFSense is not an option for TMG….
All of this is included in TMG and not in PFsense. Use one package for http...another for https and a third for some other thing.
The more packages one runs, the more vulnerable your system will be.
Not a usefull post in any way. :(
If you do not have a wildcard applied to ISA to remove https and check headers, you can't do this setup too.
You are saying That keeping things easy on pfsense will make it as vunerable as ISA.Pfsense is for sure an excelent option for Microsoft. I use this way for years.
-
That is something we have been asking for for a long time….and remember the detailed logging that TMG has, it needs to be equivalent in pfsense.
Otherwise its useless.
Unbelievable!
I'm saying that I want to help sysadmins and you think it will be useless if I can't reach a billion dollar company software.
-
Sorry mate….ISA is by far one of the most secure solutions out there...
The underlying windows is the culprit regarding security and therefore its better of as a second layer firewall.
I dont understand what you mean by wildcard....?
-
I dont understand what you mean by wildcard….?
Ask microsoft support.
You are looking like a troll.
-
Although there is some overlap between pfsense and TMG, they seem to cover quite different needs.
pfsense is primarily a firewall, multiwan device, NAT, router (especially if Quagga is included in base system someday), VPN concentrator, DHCP/DNS, and, to a lesser extent (many 3rd party packages still need improvements), it can be an IDS/IPS, rev-proxy and proxy+web-filter.
I've only had a cursory look at Microsoft's TMG 2010, but is seems to be primarily a L7 web-filter (anti-malware etc), a proxy which is tightly integrated with AD, a reverse proxy, all with good reporting. I've also seen TMG sometimes being labeled as a router/firewall/NAT/VPN-server.
Perhaps someone with intimate knowledge of TMG, who has tested it to its limits, can offer more insights about its actual strengths.
-
canefiled,
This information may be usefull for you.
http://forum.pfsense.org/index.php/topic,44735.msg249284.html#msg249284
-
Marcello,
Thanks for your reply. Still I can not figure out how to configure my overall configuration in pfSense. Especially the host-header part with HTTP and HTTPS and the backup MX using Postfix. Somehow I'm not able to get it work.
I suppose I will use M$ TMG 2010 instead for the time being. In the mean time I would appreciate it if you could help me with my overall configuration and needs to make TMG 2010 superfluous.
I read several articles and tutorials, but none of them answered my question. I am looking for an alternative for Microsoft TMG 2010; formely MS ISA 2006. I read such good comments about pfSense I wanted to give it a try. I am struggling the overview and configuration with pfSense.
Situation:
- one external IP;
- multiple servers
- 2x MS TMG 2010 (FO & LB (Fail-over & Load-balanced))
- 2x MS Exchange Edge (FO & LB); port 25
- 2x Postfix (FO & LB; for fallback/backup MX) if Edge are offline; port 25
- 3x MS RDP (FO & LB); port 3389
- 3x MS IIS (FO & LB); port 80, 443
- 2x MS SharePoint (FO & LB); port 80, 443, 987
- 2x FTP (FO & LB); port 21 - Wireless (multiple SSIDs)
Future request:
- VoIP
With MS TMG 2010 it is easy to configure above configuration; everything works as it should be. Can above configuration been applied to pfSense? Furthermore I want to install/configure a HTTP and HTTPS accelerator (in- and outbound) and/or load-balancer, proxy (with AV-functionality), backup MX and a robust firewall and logging. Then I have got a corporate wireless network and a guest network. I want to split those by some kind of mechanism and authority-based.
Is all of this possible? Can multiple pfSense configured to FO & LB? Can pfSense read host-header? Can it handle the above situation? What kind of system requirements is needed?
I have seen so many kinds of packages, I really do not know which to choose in what matter.
Regarding the future request; can anybody advise my about which system to choose referring to VoIP? Asterisk?
I know it is a lot, but perhaps you can help me out here. It would be great when you have some 'step-by-step' tutorials available.
Thanks in advance,
Canefield -
I dont understand what you mean by wildcard….?
Thc for the kind words.
Ask microsoft support.
You are looking like a troll.
-
I use both pfSense and TMG since I have many requirements. Use pfSense for all your network level configuration (multiple interfaces, routing, NAT & port forwarding, VPN termination etc.).
TMG is hands down superior for your publishing requirements. Your servers such as Exchange and IIS should have an application layer firewall such as TMG performing intrusion detection and Active Directory integrated access control. Without experience you will most likely fail to setup an equivalent linux protection layer since it requires complex configuration of several separate components. TMG can also provide authenticated internet access to LAN users using the TMG client and their internet rights are assigned according to their Windows login. This is far superior to an insecure by design captive portal.
