Alternative for MS TMG 2010 = pfSense ???

canefield

Marcello,

I've did your config just now withour result…WHY?!?!

Thx,
Canefield

marcelloc

@canefield:

I've did your config just now withour result…WHY?!?!

I have no idea :(, I've published the screenshots and the package just after testing and making sure it was working.

You will need to improve your skills with opensource and start using console/ssh as well tcpdump. This way you can see package flow and log files.

The screenshots shows pfsense published on 8443 and squid reverse-proxying it on wan at port 443.

att,
Marcello Coutinho

canefield

Marcello,

I realy don't get it.
In your example of Squid3, what is the webserver 127.0.0.1 on port 8443?

1. You have change the webGUI port in something else then 443 and disabled the redirect rule.
2. Added only a firewall rule to allow any to the WAN address of the pfSense to port 443
2a. Why not NAT+Firewall? Does the reverse proxy make NAT unnecessary?
3. Than added the configuration as you posted in the Reverse Proxy settings. What are you seeing then? You are redirecting to webserver 127.0.0.1, so localhost. What is pfSense/Squid hosting?

I need to clarify stuff to understand. Could you give me a start of working with the shell and tcpdump for monitoring the flow? Is the a package out there (GUI)?

Thanks again,
Canefield

marcelloc

@canefield:

In your example of Squid3, what is the webserver 127.0.0.1 on port 8443?

The pfsense gui.
127.0.0.1 - same host as squid3
8443 - pfsense gui port

@canefield:

1. You have change the webGUI port in something else then 443 and disabled the redirect rule.

squid will listen on wan port 80 and 443. If you leave pfsense gui on same port, there will be two daemons trying to listen on the same port.

@canefield:

2. Added only a firewall rule to allow any to the WAN address of the pfSense to port 443
2a. Why not NAT+Firewall? Does the reverse proxy make NAT unnecessary?

As squid daemon is listening on wan interface, you do not need to translate anything just allow access.

@canefield:

3. Than added the configuration as you posted in the Reverse Proxy settings. What are you seeing then? You are redirecting to webserver 127.0.0.1, so localhost. What is pfSense/Squid hosting?

This config will use squid to answer requests on port 443 and forward it to internal server(in this case 127.0.0.1) on port 8443

internet user –> squid3:443 --> internal server:8443

@canefield:

I need to clarify stuff to understand. Could you give me a start of working with the shell and tcpdump for monitoring the flow? Is the a package out there (GUI)?

There is on diagnostics, but on gui you need to wait x packages until it shows captured traffic.

canefield

Marcello,

I now fully understand the whole concept of it. Thanks for you explanation.
Still it does't function for me.

Network
LAN; IP: 192.168.120.254 /24
WAN; IP: 192.168.2.254 /24, GW: 192.168.2.253 (DMZ)

Installation and configuration

1. I have changed the webGUI port from 443 to 9443 and disbaled the redirect rule
2. Configured firewall rule to allow 443 from WAN (TCP;;;WAN address; HTTPS)
3. Installed Squid3 package
4. Enabled listening port Reverse Proxy on port 80 and 443 (just for now I only use port 443)
5. Added webserser (127.0.0.1;9443;HTTPS)
6. Added Mappings (Peer to 127.0.0.1; URI (*;<empty>))

Now I should get my own webGUI of pfSense if I went to https://www.domain.com/. Sadly it does't work for me. What could have gone wrong? Related to block private networks on the WAN-interface? Any other configuration mismatch I should be aware of? How hard could it be? I really don't have the slightest idea.

Thank a lot,
Canefield</empty>

marcelloc

@canefield:

2. Configured firewall rule to allow 443 from WAN (TCP;;;WAN address; HTTPS)
3. Enabled listening port Reverse Proxy on port 80 and 443 (just for now I only use port 443)

Did you selected wan interface to listen on?

@canefield:

Now I should get my own webGUI of pfSense if I went to https://www.domain.com/. Sadly it does't work for me. What could have gone wrong? Related to block private networks on the WAN-interface? Any other configuration mismatch I should be aware of? How hard could it be? I really don't have the slightest idea.

Does https://www.domain.com/ points to firewall wan ip address?
Did you tried this access from internet or from lan?
You have private address assigned to wan interface(WAN; IP: 192.168.2.254 /24), why did you checked block private networks on the WAN-interface? ???

canefield

@marcelloc:

@canefield:

2. Configured firewall rule to allow 443 from WAN (TCP;;;WAN address; HTTPS)
3. Enabled listening port Reverse Proxy on port 80 and 443 (just for now I only use port 443)

Did you selected wan interface to listen on? =>YES

@canefield:

Now I should get my own webGUI of pfSense if I went to https://www.domain.com/. Sadly it does't work for me. What could have gone wrong? Related to block private networks on the WAN-interface? Any other configuration mismatch I should be aware of? How hard could it be? I really don't have the slightest idea.

Does https://www.domain.com/ points to firewall wan ip address? =>YES
Did you tried this access from internet or from lan? =>Internet
You have private address assigned to wan interface(WAN; IP: 192.168.2.254 /24), why did you checked block private networks on the WAN-interface? ??? =>No I did not, I wanted to check my settings

I did some research…I saw that my Squid3 service was for no reason down. I wasn't able to get it online via settings of GUI so I restarted pfSense. Now the service was online, but no results whatever. I checked if my port where open. That's the thing that supprised me the most. Both the ports aren't open; although I have the appropiate firewall rules in place on the right interface. I've also tried using the floating rule, but without any result. Is it Linux that always give 'stealth' back by a portscan? I think not, so what can it be? I assume that it ain't listening on port 80 and 443. What other ports are needed? None so far my understanding.

Thanks again,
Canefield

canefield

Marcello,

After a mysterious reboot it worked like a charme. Still I'm confused what was tha part that broke and fixed everything.
Now I have only one rule in the reverse proxy.

When I want to make a difference by FQDN, what should I add/change to make it work?

Let's say I have four servers:

• 127.0.0.1 on 9443 => webGUI pfSense
• 192.168.150.3 on port 443 => MS Exchange OWA, Outlook Anywhere, Autodiscover
• 192.168.150.7 on port 443 => MS SharePoint
• 192.168.150.12 on port 80 => Corporate website

I would say first add choose to the 'web server' by IP-address and Listening port. Second add 'mappings'; so make a group and add the corresponding peers to it and make use of URIs. So for the first server (127.0.0.1) I have added the URI *; remote.domain.com (HTTPS), the second URI *; webmail.domain.com/owa, URI2 *; mail.domain.com/owa (HTTPS) and the third *; extranet.domain.com and the fourth URI *; www.domain.com (HTTP). But somehow the URI is not working as I thought it should be. I only want that is listenens to the specified URI. Everything else should be bounced. Could you give me several examples?

Thanks a lot,
Canefield

marcelloc

@canefield:

I would say first add choose to the 'web server' by IP-address and Listening port.

yes.

I've moved this answer to your squi3 package question.

http://forum.pfsense.org/index.php/topic,48709.msg257571.html#msg257571

canefield

So thanks again!

If the Squid URI works like it should be -futher explanations in the mentioned topic- this topic is almost finished. My next accomplishment will be the backup/fallback Postfix with Anti-SPAM/Virus. You already provided some information. I will look that up and will post my findings and problems :-).

As far I can remember you placed Postfix in front, but I want it to be as backup/fallback for the Exchange servers. So if those server become inaccessible/offline Postfix should be there in front as backup/fallback. All messeages may be stored in the Postfix mailqueue and if the Exchange servers are back online again all messages will be forwarded to them. I think of a configuration regarding message retainment and stuff. Also I am interested in the picture in 'vice versa', because I want to know about this too. Perhaps I will configure it the other way around? Any suggestions/considerations/ideas?

KR,
Canefield

marcelloc

canefield,

On postfix topic you can see a lot of suggestions.

I recomend postfix in front of your exchange server, but you can use it this way. configure postfix as a backup mx on your domain with a high value. Just like on dns round robin, mx choice is made by client. this way you will have mail servers sending messages to both mx.

Use postfix thread if have any other question.

att,
Marcello Coutinho

rmpf

Hi, I'll very happy to move from Isa to PFsense but some details still confused to me. You already know how ISA rules work. For example when creating a new rule you have the possibility to specify to whom apply that rule, maybe a user, maybe a group. How do Pfsense work with that???

marcelloc

@rmpf:

For example when creating a new rule you have the possibility to specify to whom apply that rule, maybe a user, maybe a group. How do Pfsense work with that???

AFAIK, you can only apply firewall rules to ips/ networks.

Using proxy servers like squid/squidguard/dansguardian you can apply http rules to users.

att,
Marcello Coutinho

rmpf

Hi, Marcello, you said firewall rules only apply to ips/ networks, but with proxy servers like squid/squidguard/dansguardian http rules can be apply to users. Ok, I have read
"Tutorial PFFense 2.0: Active Directory -> User Manager - http://forum.pfsense.org/index.php/topic,44689.0.html" but how to apply and specific dansguardian or squidguard rule to an specific user or group??? I don't see any space to assign an active directory user or group???? Because our inmediate situation with ISA we already have some groups created on Active Directory Like Internet Users and IT so the question is how to implement dansguardian or squidguard to limit or allow traffics to specific sites on those groups?

rmpf

@marcelloc:

@rmpf:

For example when creating a new rule you have the possibility to specify to whom apply that rule, maybe a user, maybe a group. How do Pfsense work with that???

AFAIK, you can only apply firewall rules to ips/ networks.

Using proxy servers like squid/squidguard/dansguardian you can apply http rules to users.

att,
Marcello Coutinho

marcelloc

Dansguardian has an ldap tab to fetch users from ad based on groups, take a look on dansguardian topic at packages to see how it works.

with auth popup, you can follow this how-to(it's in portuguese but translate.google.com can help you)
http://www.pfsense-br.org/blog/2012/01/pfsensesquidsquidguard-logando-no-active-directory/

without auth popup, you will need a more advaced setup to apply it, including installing and configuring samba on pfsense.

rmpf

Thanks!!! So then is possible to install samba for no auth popup but samba is not on the listed packages… Am I correct?

marcelloc

This is the topic(in portuguese again  :)) with a smailll tutorial to setup ntlm authentication on squid

http://forum.pfsense.org/index.php/topic,47532.msg249812.html#msg249812

rmpf

Thanks for the tip!! After completing the configuration witn samba It is possible to log the usernames for audit purposes?????

marcelloc

@rmpf:

Thanks for the tip!! After completing the configuration witn samba It is possible to log the usernames for audit purposes?????

Sure. You can use sarg to create reports.