Alternative for MS TMG 2010 = pfSense ???
-
Marcello,
Thanks for your reply. Still I can not figure out how to configure my overall configuration in pfSense. Especially the host-header part with HTTP and HTTPS and the backup MX using Postfix. Somehow I'm not able to get it work.
I suppose I will use M$ TMG 2010 instead for the time being. In the mean time I would appreciate it if you could help me with my overall configuration and needs to make TMG 2010 superfluous.
I read several articles and tutorials, but none of them answered my question. I am looking for an alternative for Microsoft TMG 2010; formely MS ISA 2006. I read such good comments about pfSense I wanted to give it a try. I am struggling the overview and configuration with pfSense.
Situation:
- one external IP;
- multiple servers
- 2x MS TMG 2010 (FO & LB (Fail-over & Load-balanced))
- 2x MS Exchange Edge (FO & LB); port 25
- 2x Postfix (FO & LB; for fallback/backup MX) if Edge are offline; port 25
- 3x MS RDP (FO & LB); port 3389
- 3x MS IIS (FO & LB); port 80, 443
- 2x MS SharePoint (FO & LB); port 80, 443, 987
- 2x FTP (FO & LB); port 21 - Wireless (multiple SSIDs)
Future request:
- VoIP
With MS TMG 2010 it is easy to configure above configuration; everything works as it should be. Can above configuration been applied to pfSense? Furthermore I want to install/configure a HTTP and HTTPS accelerator (in- and outbound) and/or load-balancer, proxy (with AV-functionality), backup MX and a robust firewall and logging. Then I have got a corporate wireless network and a guest network. I want to split those by some kind of mechanism and authority-based.
Is all of this possible? Can multiple pfSense configured to FO & LB? Can pfSense read host-header? Can it handle the above situation? What kind of system requirements is needed?
I have seen so many kinds of packages, I really do not know which to choose in what matter.
Regarding the future request; can anybody advise my about which system to choose referring to VoIP? Asterisk?
I know it is a lot, but perhaps you can help me out here. It would be great when you have some 'step-by-step' tutorials available.
Thanks in advance,
Canefield -
I dont understand what you mean by wildcard….?
Thc for the kind words.
Ask microsoft support.
You are looking like a troll.
-
I use both pfSense and TMG since I have many requirements. Use pfSense for all your network level configuration (multiple interfaces, routing, NAT & port forwarding, VPN termination etc.).
TMG is hands down superior for your publishing requirements. Your servers such as Exchange and IIS should have an application layer firewall such as TMG performing intrusion detection and Active Directory integrated access control. Without experience you will most likely fail to setup an equivalent linux protection layer since it requires complex configuration of several separate components. TMG can also provide authenticated internet access to LAN users using the TMG client and their internet rights are assigned according to their Windows login. This is far superior to an insecure by design captive portal.
-
Hi everyone!
It's my first post in English here so if I write something wrong, sorry.
The TMG is old and weak, there are many other solutions in activity, not only open Source like the PFSense.
The major problem with Microsoft is the propaganda, they sell you a product like it's the only solution in the entire universe. I'm a Windows user, but Linux/Unix is much more secure.I'm not here to rise any banner, but if you want to start a conversation about UTM Software, please, use something that have a possibility in combat. The PFSense project have a lot to evolve, but in front of a TMG/ISA…
So, "supermule", demonstrate for us some feature that TMG provides you better than PFSense... Well I'm pretty sure that YOU don't know how to use PFSense and now come here talking nonsense.
AD integration is an advantage, but Squid, Captive Portal, VPN and many other packages on PFSense can do that, with Freeradius2 it's even more easy.
You can't talk about something that you don't really know. ;)
I've tried a lot of systems for border security and I chose PFSense. I tested every solution I come to know and I finally decided on PFSense.
How many experience do you have as a Sysadmin? How many projects do you have implemented with PFSense?
Here in Brasil we say: "Those who talk too much will go say good morning to the horse".
-
Well guys,
A lot of 'nonsense'…could somebody help me out?
Thx,
Canefield -
I think the best thing you might want to try is either setting up a bounty or getting commercial support. https://portal.pfsense.org/index.php/support-subscription
What you are trying to accomplish is very specific and I'm guessing very few members outside of the PFsense team will be able to properly get it working. If you need step by step directions to make something work it will take a lot of time for another person to sit down, install, configure, troubleshoot, get it working, and document it so you can follow those directions. I'm sure the guys here would do if it they had the time but they also need to support their families so it's not really feasible to spend many hours without compensation.
As for VOIP software you can get any software you want cause it's all asterisk based. (Other than maybe a few commercial solutions like Cisco) If you want something that is quick to setup and configure PBX in a flash seemed to work well.
-
Hi,
I understand it is a 'hell of a job' to make somekind of instructions. The thing is we as IT want to implement a solution based on Linux. Then convince other staff-members and management to switch to a stable and proper security system, then that is already inplace.
So at first we cannot effort commercial support.Some of you that have time, please help us making a better world with pfSense.
KR,
Canefield -
The thing is we as IT want to implement a solution based on Linux.
Pfsense is based on FreeBSD, so it's a Unix/BSD solution. ;)
-
Why just don't use every possible solution?
pfSense -> TMG -> network
?
One time I was at a conference on advanced applications in the server environment they recommended "use every possible solution, there is no obstacle to cooperate Linux/Unix/Windows together to achieve same goal". -
It really depends on scale.
TMG offers you a tightly integrated system, which can be very convenient if you're an all-Microsoft shop, and requires only very basic knowledge to get running. On the other hand, e.g. varnish running on Linux/BSD is primarily aimed to high-performance setups, does a great deal more, but has a much steeper learning curve.
-
Hey all,
Could somebody give me any example? I suppose people already worked with Squid-Reverse or Varnish proxy isn't it?
Thanks in advance,
Canefield -
What point on varnish config did You got working?
-
Marcello,
Also Varnish didn't work for me! Based on LB and host-header as well as solo host-header I didn't could get it work. But as far I understand from you it is better to use Squid isn't?
Please provide me with some config that works and how to implement that.
Thanks a lot,
Canefield -
Anybody?
-
Canefield,
I'll publish this week an updated GUI for squid3/squid-reverse with reverse proxy resigned.
-
canefield,
I've just published squid3 with better reverse gui, take a look and see if you can configure your server with this package
squid3 - New GUI with sync, normal and reverse proxy
att,
Marcello Coutinho -
Marcello,
First of all thanks for all your precious time and effort so far.
I've still got problems configuring Squid 3 as a reverse proxy. Somehow I can't manage it to work properly.
As you illustrated in the forst postings I did exactly the same and added NAT and Firewall rules. I'm using port 8080 and 8443.How come…?!?!
Thanks a lot,
Canefield -
As you illustrated in the forst postings I did exactly the same and added NAT and Firewall rules. I'm using port 8080 and 8443.
When using proxy, you do not need nat, just firewall rules on wan allowing access to wan address at port 8080/8443.
-
Marcello,
I've now followed your published configuration; so I started over again. So I installed Squid3 went to Reverse Proxy and added everything exactly as you posted.
Then I made two rules in the WAN (Firewall->Rules->WAN) to allow listening on port 80 and 443.
My intention is to publish several sites/domains. First of all I want to publish the CAS-servers; so the Exchange webmail services (https://webmail.domain.com/owa and all other related URLs (autodiscover, rpc, etc.)).
All servers are configured on the default ports.Furthermore, do I have to configure an alternative port for the webGUI? I'm now accessing it internally via https.
You probably see my configuration mis-match.
See the pictures as attached.Thanks already,
Canefield
-
Furthermore, do I have to configure an alternative port for the webGUI? I'm now accessing it internally via https.
Yes, you need to change pfsense gui port to other then 443.
Your wan firewall rule should be
source any
source port any
destination wan address
destination port 80source any
source port any
destination wan address
destination port 443on system -> advanced, change pfsense prot to other then 443 and disable web gui redirect rule