Alternative for MS TMG 2010 = pfSense ???
-
Hi everyone!
It's my first post in English here, so if I write something wrong, sorry.
TMG is old and weak; there are many other solutions in activity, not only open source ones like pfSense.
The major problem with Microsoft is the propaganda: they sell you a product like it's the only solution in the entire universe. I'm a Windows user, but Linux/Unix is much more secure. I'm not here to raise any banner, but if you want to start a conversation about UTM software, please use something that has a chance in combat. The pfSense project has a lot to evolve, but in front of a TMG/ISA…
So, "supermule", demonstrate for us some feature that TMG provides you better than pfSense... Well, I'm pretty sure that YOU don't know how to use pfSense and now come here talking nonsense.
AD integration is an advantage, but Squid, Captive Portal, VPN and many other packages on pfSense can do that; with FreeRADIUS2 it's even easier.
You can't talk about something that you don't really know. ;)
I've tried a lot of systems for border security and I chose pfSense. I tested every solution I came to know and I finally decided on pfSense.
How much experience do you have as a sysadmin? How many projects have you implemented with pfSense?
Here in Brasil we say: "Those who talk too much will go say good morning to the horse".
-
Well guys,
A lot of 'nonsense'… could somebody help me out?
Thx,
Canefield
-
I think the best thing you might want to try is either setting up a bounty or getting commercial support. https://portal.pfsense.org/index.php/support-subscription
What you are trying to accomplish is very specific and I'm guessing very few members outside of the pfSense team will be able to properly get it working. If you need step-by-step directions to make something work, it will take a lot of time for another person to sit down, install, configure, troubleshoot, get it working, and document it so you can follow those directions. I'm sure the guys here would do it if they had the time, but they also need to support their families, so it's not really feasible to spend many hours without compensation.
As for VoIP software, you can get any software you want because it's all Asterisk based (other than maybe a few commercial solutions like Cisco). If you want something that is quick to set up and configure, PBX in a Flash seemed to work well.
-
Hi,
I understand it is a 'hell of a job' to make some kind of instructions. The thing is, we as IT want to implement a solution based on Linux, then convince other staff members and management to switch to a stable and proper security system that is already in place.
So at first we cannot afford commercial support. Those of you that have time, please help us make a better world with pfSense.
KR,
Canefield
-
The thing is we as IT want to implement a solution based on Linux.
pfSense is based on FreeBSD, so it's a Unix/BSD solution. ;)
-
Why not just use every possible solution?
pfSense -> TMG -> network
?
Once, at a conference on advanced applications in the server environment, they recommended: "use every possible solution, there is no obstacle to making Linux/Unix/Windows cooperate to achieve the same goal".
-
It really depends on scale.
TMG offers you a tightly integrated system, which can be very convenient if you're an all-Microsoft shop, and requires only very basic knowledge to get running. On the other hand, e.g. Varnish running on Linux/BSD is primarily aimed at high-performance setups, does a great deal more, but has a much steeper learning curve.
-
Hey all,
Could somebody give me an example? I suppose people have already worked with Squid reverse proxy or Varnish, haven't they?
Thanks in advance,
Canefield
-
What point of the Varnish config did you get working?
-
Marcello,
Varnish didn't work for me either! Based on LB and host header as well as solo host header, I couldn't get it to work. But as far as I understand from you, it is better to use Squid, isn't it?
Please provide me with a config that works and how to implement it.
Thanks a lot,
Canefield
-
Anybody?
-
Canefield,
I'll publish an updated GUI for squid3/squid-reverse this week with the reverse proxy redesigned.
-
canefield,
I've just published squid3 with a better reverse GUI; take a look and see if you can configure your server with this package:
squid3 - New GUI with sync, normal and reverse proxy
Regards,
Marcello Coutinho
-
Marcello,
First of all, thanks for all your precious time and effort so far.
I still have problems configuring Squid 3 as a reverse proxy. Somehow I can't manage to get it to work properly.
As you illustrated in the first postings, I did exactly the same and added NAT and firewall rules. I'm using ports 8080 and 8443. How come…?!?!
Thanks a lot,
Canefield
-
As you illustrated in the first postings, I did exactly the same and added NAT and firewall rules. I'm using ports 8080 and 8443.
When using the proxy, you do not need NAT, just firewall rules on WAN allowing access to the WAN address on ports 8080/8443.
-
Marcello,
I've now followed your published configuration, so I started over again: I installed Squid3, went to Reverse Proxy and added everything exactly as you posted.
Then I made two rules in the WAN (Firewall->Rules->WAN) to allow listening on ports 80 and 443.
My intention is to publish several sites/domains. First of all I want to publish the CAS servers, so the Exchange webmail services (https://webmail.domain.com/owa and all other related URLs (autodiscover, rpc, etc.)).
All servers are configured on the default ports. Furthermore, do I have to configure an alternative port for the webGUI? I'm now accessing it internally via https.
You probably see my configuration mismatch.
See the pictures as attached. Thanks already,
Canefield
-
Furthermore, do I have to configure an alternative port for the webGUI? I'm now accessing it internally via https.
Yes, you need to change the pfSense GUI port to something other than 443.
Your WAN firewall rules should be:
source any
source port any
destination WAN address
destination port 80

source any
source port any
destination WAN address
destination port 443

On System -> Advanced, change the pfSense port to something other than 443 and disable the web GUI redirect rule.
-
Marcello,
I did everything you mentioned but without any result.
So my firewall rules have been changed and the webGUI to 9443.
Network
LAN; IP: 192.168.120.254 /24
WAN; IP: 192.168.2.254 /24, GW: 192.168.2.253 (DMZ)
Reverse Proxy
If I understand it correctly, you enable listening on port 80 and/or 443 via the tab 'General'. So with the firewall rule all requests are allowed and transferred to the WAN address (192.168.2.254 in my case) and Squid3 (reverse) will apply to those. Furthermore, in the tab 'Web Servers' I configure all my internal web servers and related. As I make out from your example, my internal web server is listening on port 8443, correct? In my case my servers are listening on all default ports, so 80 and 443. Should I change the port here from 8443 to 443? Then in the tab 'Mappings' I can combine web servers in groups and select all needed. Right? Then one thing I do not understand is the URIs. What does this do and how do I configure it? You gave an example of *;<empty>, but what can I do with it?
Could you give me a working example of, let's say, four servers; two listening on port 443 and two on port 80. The first two (listening on port 443) are Exchange servers (owa, autodiscover, outlook anywhere, mail tips, etc.) and the other two (listening on port 80) just hosting a plaintext website. The first one 'www.domain.com' and the second one 'extranet.example.com'. No screenshots are needed, in text is fine too. You of course may decide, but I thought screenshots would cost you a lot of your precious time. Thanks for all the time and effort already.
LAN-network
From my pfSense I can't resolve internal DNS names. Where do I configure internal DNS servers per network/adapter? I will have several more adapters in place, each with another subnet and servers.
Many thanks,
Canefield
-
canefield,
Try one server first before you reach the full config.
Should I change the port here from 8443 to 443?
Yes, it must be your web server's listening port.
Then in the tab 'Mappings' I can combine web servers in groups and select all needed. Right?
Yes, show the sites/URLs you need to balance/publish and then select the web servers that will receive these requests.
Then one thing I do not understand is the URIs. What does this do and how do I configure it? You gave an example of *;<empty>, but what can I do with it?
- means what path of this site you will forward to the internal host; * means all URLs/dirs.
The <empty> must be a site FQDN when you have multiple websites to forward.
example:
- www.mydomain.com
- forum.mydomain.com
Could you give me a working example of, let's say, four servers; two listening on port 443 and two on port 80. The first two (listening on port 443) are Exchange servers (owa, autodiscover, outlook anywhere, mail tips, etc.) and the other two (listening on port 80) just hosting a plaintext website. The first one 'www.domain.com' and the second one 'extranet.example.com'. No screenshots are needed, in text is fine too. You of course may decide, but I thought screenshots would cost you a lot of your precious time. Thanks for all the time and effort already.
The code from squid-reverse has options for only one OWA server; I did not have time to test it with two OWAs.
I don't have a working example with multiple hosts with squid3, just that screenshot you saw.
LAN-network
From my pfSense I can't resolve internal DNS names. Where do I configure internal DNS servers per network/adapter? I will have several more adapters in place, each with another subnet and servers.
The DNS server is used by pfSense, not per interface. You need one DNS server that can do internal and external name resolution.
To clarify this idea, internet users will do a DNS lookup on your external DNS for www.mydomain.com. When this packet arrives on your pfSense, it will do another DNS lookup on your internal DNS if you specified a hostname instead of an IP address.
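For readers who want to see what the 'Web Servers', 'Mappings' and URI fields above translate to, here is a hand-written squid.conf for the four-server scenario Canefield asked about. It is an added example, not Marcello's package output or anything from the thread; every hostname, internal IP and certificate path is an assumed placeholder, and the Exchange path list is limited to the services named in the thread.

```conf
# Added example (not the squid3 package's generated config). Hostnames, internal
# IPs and certificate paths are placeholders; replace them with your own.

# Listen on the WAN address. 'accel' = reverse proxy, 'vhost' = route on Host header.
http_port  80  accel vhost defaultsite=www.mydomain.com
https_port 443 accel vhost defaultsite=webmail.mydomain.com cert=/path/to/webmail.pem key=/path/to/webmail.key

# 'Web Servers' tab: one cache_peer per internal host, on the port the host really listens on.
cache_peer 192.168.120.10 parent 80  0 no-query originserver name=www_srv
cache_peer 192.168.120.11 parent 80  0 no-query originserver name=extranet_srv
# Two CAS servers on 443, load-balanced round-robin. DONT_VERIFY_PEER is only for a
# self-signed internal certificate; drop it once the internal cert is trusted by pfSense.
cache_peer 192.168.120.20 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on round-robin name=cas1
cache_peer 192.168.120.21 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on round-robin name=cas2

# 'Mappings' tab: the <empty> FQDN field becomes a dstdomain ACL per published site.
acl www_site      dstdomain www.mydomain.com
acl extranet_site dstdomain extranet.example.com
acl owa_site      dstdomain webmail.mydomain.com
# URI field: '*' would be every path; Exchange is restricted to its known virtual directories.
acl owa_paths urlpath_regex -i ^/owa ^/autodiscover ^/rpc ^/ews ^/oab ^/microsoft-server-activesync

# Tie each site to its own peer and nothing else, so a Host header for one site
# can never be answered by another site's backend.
cache_peer_access www_srv      allow www_site
cache_peer_access www_srv      deny  all
cache_peer_access extranet_srv allow extranet_site
cache_peer_access extranet_srv deny  all
cache_peer_access cas1 allow owa_site owa_paths
cache_peer_access cas1 deny  all
cache_peer_access cas2 allow owa_site owa_paths
cache_peer_access cas2 deny  all

# Accept only requests for published sites; refuse everything else and never fetch directly,
# so the proxy cannot be used as an open forward proxy from the WAN side.
http_access allow www_site
http_access allow extranet_site
http_access allow owa_site owa_paths
http_access deny all
never_direct allow all
```

With this in place the WAN firewall rules from earlier in the thread (allow to WAN address on 80 and 443) are all that is needed; no NAT entry, and the pfSense GUI must already be moved off 443.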
-
Marcello,
Thanks again… I'm trying to configure it right now. Is there some kind of 'live' log to see if the traffic is accepted and passed further on?
I'm looking at 'Status->System Logs->Firewall', but can't see a thing regarding my request on port 443. What I have done first is entered the IP in the OWA part of the reverse proxy, but without any result so far.
Thanks,
Canefield
Edit: I've done your config just now without result... WHY?!?!