Alternative for MS TMG 2010 = pfSense ???
-
In your example of Squid3, what is the webserver 127.0.0.1 on port 8443?
The pfsense gui.
127.0.0.1 - same host as squid3
8443 - pfsense gui port1. You have change the webGUI port in something else then 443 and disabled the redirect rule.
squid will listen on wan port 80 and 443. If you leave pfsense gui on same port, there will be two daemons trying to listen on the same port.
2. Added only a firewall rule to allow any to the WAN address of the pfSense to port 443
2a. Why not NAT+Firewall? Does the reverse proxy make NAT unnecessary?As squid daemon is listening on wan interface, you do not need to translate anything just allow access.
3. Than added the configuration as you posted in the Reverse Proxy settings. What are you seeing then? You are redirecting to webserver 127.0.0.1, so localhost. What is pfSense/Squid hosting?
This config will use squid to answer requests on port 443 and forward it to internal server(in this case 127.0.0.1) on port 8443
internet user –> squid3:443 --> internal server:8443
I need to clarify stuff to understand. Could you give me a start of working with the shell and tcpdump for monitoring the flow? Is the a package out there (GUI)?
There is on diagnostics, but on gui you need to wait x packages until it shows captured traffic.
-
Marcello,
I now fully understand the whole concept of it. Thanks for you explanation.
Still it does't function for me.Network
LAN; IP: 192.168.120.254 /24
WAN; IP: 192.168.2.254 /24, GW: 192.168.2.253 (DMZ)Installation and configuration
- I have changed the webGUI port from 443 to 9443 and disbaled the redirect rule
- Configured firewall rule to allow 443 from WAN (TCP;;;WAN address; HTTPS)
- Installed Squid3 package
- Enabled listening port Reverse Proxy on port 80 and 443 (just for now I only use port 443)
- Added webserser (127.0.0.1;9443;HTTPS)
- Added Mappings (Peer to 127.0.0.1; URI (*;<empty>))
Now I should get my own webGUI of pfSense if I went to https://www.domain.com/. Sadly it does't work for me. What could have gone wrong? Related to block private networks on the WAN-interface? Any other configuration mismatch I should be aware of? How hard could it be? I really don't have the slightest idea.
Thank a lot,
Canefield</empty> -
- Configured firewall rule to allow 443 from WAN (TCP;;;WAN address; HTTPS)
- Enabled listening port Reverse Proxy on port 80 and 443 (just for now I only use port 443)
Did you selected wan interface to listen on?
Now I should get my own webGUI of pfSense if I went to https://www.domain.com/. Sadly it does't work for me. What could have gone wrong? Related to block private networks on the WAN-interface? Any other configuration mismatch I should be aware of? How hard could it be? I really don't have the slightest idea.
Does https://www.domain.com/ points to firewall wan ip address?
Did you tried this access from internet or from lan?
You have private address assigned to wan interface(WAN; IP: 192.168.2.254 /24), why did you checked block private networks on the WAN-interface? ??? -
- Configured firewall rule to allow 443 from WAN (TCP;;;WAN address; HTTPS)
- Enabled listening port Reverse Proxy on port 80 and 443 (just for now I only use port 443)
Did you selected wan interface to listen on? =>YES
Now I should get my own webGUI of pfSense if I went to https://www.domain.com/. Sadly it does't work for me. What could have gone wrong? Related to block private networks on the WAN-interface? Any other configuration mismatch I should be aware of? How hard could it be? I really don't have the slightest idea.
Does https://www.domain.com/ points to firewall wan ip address? =>YES
Did you tried this access from internet or from lan? =>Internet
You have private address assigned to wan interface(WAN; IP: 192.168.2.254 /24), why did you checked block private networks on the WAN-interface? ??? =>No I did not, I wanted to check my settingsI did some research…I saw that my Squid3 service was for no reason down. I wasn't able to get it online via settings of GUI so I restarted pfSense. Now the service was online, but no results whatever. I checked if my port where open. That's the thing that supprised me the most. Both the ports aren't open; although I have the appropiate firewall rules in place on the right interface. I've also tried using the floating rule, but without any result. Is it Linux that always give 'stealth' back by a portscan? I think not, so what can it be? I assume that it ain't listening on port 80 and 443. What other ports are needed? None so far my understanding.
Thanks again,
Canefield -
Marcello,
After a mysterious reboot it worked like a charme. Still I'm confused what was tha part that broke and fixed everything.
Now I have only one rule in the reverse proxy.When I want to make a difference by FQDN, what should I add/change to make it work?
Let's say I have four servers:
- 127.0.0.1 on 9443 => webGUI pfSense
- 192.168.150.3 on port 443 => MS Exchange OWA, Outlook Anywhere, Autodiscover
- 192.168.150.7 on port 443 => MS SharePoint
- 192.168.150.12 on port 80 => Corporate website
I would say first add choose to the 'web server' by IP-address and Listening port. Second add 'mappings'; so make a group and add the corresponding peers to it and make use of URIs. So for the first server (127.0.0.1) I have added the URI *; remote.domain.com (HTTPS), the second URI *; webmail.domain.com/owa, URI2 *; mail.domain.com/owa (HTTPS) and the third *; extranet.domain.com and the fourth URI *; www.domain.com (HTTP). But somehow the URI is not working as I thought it should be. I only want that is listenens to the specified URI. Everything else should be bounced. Could you give me several examples?
Thanks a lot,
Canefield -
I would say first add choose to the 'web server' by IP-address and Listening port.
yes.
I've moved this answer to your squi3 package question.
http://forum.pfsense.org/index.php/topic,48709.msg257571.html#msg257571
-
So thanks again!
If the Squid URI works like it should be -futher explanations in the mentioned topic- this topic is almost finished. My next accomplishment will be the backup/fallback Postfix with Anti-SPAM/Virus. You already provided some information. I will look that up and will post my findings and problems :-).
As far I can remember you placed Postfix in front, but I want it to be as backup/fallback for the Exchange servers. So if those server become inaccessible/offline Postfix should be there in front as backup/fallback. All messeages may be stored in the Postfix mailqueue and if the Exchange servers are back online again all messages will be forwarded to them. I think of a configuration regarding message retainment and stuff. Also I am interested in the picture in 'vice versa', because I want to know about this too. Perhaps I will configure it the other way around? Any suggestions/considerations/ideas?
KR,
Canefield -
canefield,
On postfix topic you can see a lot of suggestions.
I recomend postfix in front of your exchange server, but you can use it this way. configure postfix as a backup mx on your domain with a high value. Just like on dns round robin, mx choice is made by client. this way you will have mail servers sending messages to both mx.
Use postfix thread if have any other question.
att,
Marcello Coutinho -
Hi, I'll very happy to move from Isa to PFsense but some details still confused to me. You already know how ISA rules work. For example when creating a new rule you have the possibility to specify to whom apply that rule, maybe a user, maybe a group. How do Pfsense work with that???
-
For example when creating a new rule you have the possibility to specify to whom apply that rule, maybe a user, maybe a group. How do Pfsense work with that???
AFAIK, you can only apply firewall rules to ips/ networks.
Using proxy servers like squid/squidguard/dansguardian you can apply http rules to users.
att,
Marcello Coutinho -
Hi, Marcello, you said firewall rules only apply to ips/ networks, but with proxy servers like squid/squidguard/dansguardian http rules can be apply to users. Ok, I have read
"Tutorial PFFense 2.0: Active Directory -> User Manager - http://forum.pfsense.org/index.php/topic,44689.0.html" but how to apply and specific dansguardian or squidguard rule to an specific user or group??? I don't see any space to assign an active directory user or group???? Because our inmediate situation with ISA we already have some groups created on Active Directory Like Internet Users and IT so the question is how to implement dansguardian or squidguard to limit or allow traffics to specific sites on those groups? -
For example when creating a new rule you have the possibility to specify to whom apply that rule, maybe a user, maybe a group. How do Pfsense work with that???
AFAIK, you can only apply firewall rules to ips/ networks.
Using proxy servers like squid/squidguard/dansguardian you can apply http rules to users.
att,
Marcello Coutinho -
Dansguardian has an ldap tab to fetch users from ad based on groups, take a look on dansguardian topic at packages to see how it works.
with auth popup, you can follow this how-to(it's in portuguese but translate.google.com can help you)
http://www.pfsense-br.org/blog/2012/01/pfsensesquidsquidguard-logando-no-active-directory/without auth popup, you will need a more advaced setup to apply it, including installing and configuring samba on pfsense.
-
Thanks!!! So then is possible to install samba for no auth popup but samba is not on the listed packages… Am I correct?
-
This is the topic(in portuguese again :)) with a smailll tutorial to setup ntlm authentication on squid
http://forum.pfsense.org/index.php/topic,47532.msg249812.html#msg249812
-
Thanks for the tip!! After completing the configuration witn samba It is possible to log the usernames for audit purposes?????
-
Thanks for the tip!! After completing the configuration witn samba It is possible to log the usernames for audit purposes?????
Sure. You can use sarg to create reports.
-
What will then happen if some of the packages get updated and it breaks the config that replaces TMG??
-
What will then happen if some of the packages get updated and it breaks the config that replaces TMG??
In this case, package maintainers or anyone else can fix the problem or depending on the package and the problem, you can buy some commercial support hours and ask to fix it.
And what will then happen if microsoft decides to stop TMG development and keep it just fixing bugs?
-
Dear all,
I was on holiday a couple of days. I'm back and did a lot of testing and thing are actually working ::). Still I have some questions.
-
Has somebody thorough tested the build in OWA functionality? I encounter problems regarding the 'Outlook Anywhere' and 'AutoDiscover' aspects. It can not verify the servers nor the auto configuration. Only the webbased functionality is working like it suppose to be.
-
I also could use the 'webservers' and 'mappings' instead. But is it not so that I should than configure all URI's Exchange is using? Or can I use wildcard after the domain, e.g.: ;mail.domain.com/ ?
-
Than something else but related ofcourse. Is it possible to create some kind of redirect from HTTP to HTTPS? More specific, when browsing to 'http://webmail.domain.com' it get redirected to 'https://webmail.domain.com/owa'? Yes, all regarding M$ Exchange ;)
-
I'm hosting some kind of test-website right now (.NET ASPX). When browsing to that site I get some parts of the page, but seconds later IE is complaining and wants to reload the page. Why is not everything loaded into the page? Pictures especially and links won't work? How, why?
-
Related to #4, should I configure Squid Proxy first? Instead of currently only using Reverse Proxy? Anybody a good manual for Squid Proxy with caching, Windows Update, etc.?
Thanks a lot,
Canefield -