Creating and configuring a UserGate gateway in proxy server mode
UserGate
You will create a UserGate virtual machine in Yandex Cloud and set up the gateway in the proxy server mode. As a result of this, your employees will have free online access anytime and anywhere (from the office, home, cafes or other public places). To learn about advanced UserGate features, take the free course UserGate Getting Started
A typical diagram of running UserGate in the proxy server mode in Yandex Cloud is shown in the picture below.
To deploy a UserGate gateway:
- Prepare your cloud.
- Create a cloud network and subnet.
- Reserve a static public IP address.
- Create a UserGate VM.
- Set up the UserGate NGFW via the administrative console.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The price for the UserGate gateway includes:
- Fee for continuously running VM (see Yandex Compute Cloud pricing).
- UserGate NGFW usage.
- A fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).
Create a cloud network and subnet
Create a cloud network with subnets in the availability zones that will host your VM.
- On the folder page in the management console
, click Create resource in the top-right corner and select Network. - Enter the network name:
usergate-network
. - In the Advanced field, enable the Create subnets option.
- Click Create network.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
Create a network named
usergate-network
:yc vpc network create usergate-network
Result:
id: enptrcle5q3d3ktd33hj folder_id: b1g9hv2loamqfnbul7d9 created_at: "2022-06-08T09:25:03Z" name: usergate-network default_security_group_id: enpbsnnop4akg7ng70ll
For more information about the
yc vpc network create
command, see the CLI reference. -
Create the
usergate-subnet-ru-central1-a
network in theru-central1-a
availability zone:yc vpc subnet create usergate-subnet-ru-central1-a \ --zone ru-central1-a \ --network-name usergate-network \ --range 10.1.0.0/16
Result:
id: e9bnnssj8sc8mjhat9qk folder_id: b1g9hv2loamqfnbul7d9 created_at: "2022-06-08T09:27:00Z" name: usergate-subnet-ru-central1-a network_id: enptrcle5q3d3ktd33hj zone_id: ru-central1-a v4_cidr_blocks: - 10.1.0.0/16
For more information about the
yc vpc subnet create
command, see the CLI reference.
-
In the configuration file, describe the network parameters for
usergate-network
and its subnetusergate-subnet-ru-central1-a
:resource "yandex_vpc_network" "usergate-network" { name = "usergate-network" } resource "yandex_vpc_subnet" "usergate-subnet" { name = "usergate-subnet-ru-central1-a" zone = "ru-central1-a" network_id = "${yandex_vpc_network.usergate-network.id}" v4_cidr_blocks = ["10.1.0.0/16"] }
Learn more in the description of the yandex_vpc_network
and yandex_vpc_subnet resources in the Terraform provider documentation. -
Make sure the configuration files are valid.
-
In the command line, go to the directory where you created the configuration file.
-
Run the check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
-
- Create a network named
usergate-network
using the gRPC API NetworkService/Create call or the REST API create method for the Network resource. - Create a subnet named
usergate-subnet-ru-central1-a
using the SubnetService/Create gRPC API call or the REST API create method for the Subnet resource.
Create a security group
-
In the management console
, go to the page of the folder where you want to create a group. -
In the list of services, select Virtual Private Cloud.
-
In the left-hand panel, select
Security groups. -
Click Create security group.
-
Enter the
usergate-sg
security group name. -
In the Network field, select
usergate-network
. -
Under Rules, create the following rules using the instructions below the table:
Traffic
directionDescription Port range Protocol Destination name /
SourceCIDR blocks Outgoing any
All
Any
CIDR
0.0.0.0/0
Incoming icmp
All
ICMPv6
CIDR
0.0.0.0/0
Incoming rdp
3389
TCP
CIDR
0.0.0.0/0
Incoming ssh
22
TCP
CIDR
0.0.0.0/0
Incoming usergate 8001
8001
TCP
CIDR
0.0.0.0/0
Incoming usergate 8090
8090
TCP
CIDR
0.0.0.0/0
- Go to the Egress or Ingress tab.
- Click Add rule. In the window that opens:
-
In the Port range field, specify a single port or a range of ports the traffic will come to or from.
-
In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
-
In the Destination name or Source field, select the purpose of the rule:
- CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
- Security group: Rule will apply to the VMs from the current group or the selected security group.
-
Click Save.
-
-
Click Save.
Run the following command:
yc vpc security-group create usergate-sg \
--network-name usergate-network \
--rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=22,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=8001,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=8090,protocol=tcp,v4-cidrs=[0.0.0.0/0]
Result:
id: enpu0e0nrqdnvk10r3lp
folder_id: b1g86q4m5vej8lkljme5
created_at: "2022-06-29T09:38:40Z"
name: usergate-sg
network_id: enp3srbi9u49pjvcejnb
status: ACTIVE
rules:
- id: enpdp9d0pingp28d04kn
direction: EGRESS
protocol_name: ANY
protocol_number: "-1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enps2r5ru3s11mdark60
direction: INGRESS
protocol_name: ICMP
protocol_number: "1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpgonbui61ah7ifdc9i
direction: INGRESS
ports:
from_port: "3389"
to_port: "3389"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpbg1jh11hvp9tu1mq9
direction: INGRESS
ports:
from_port: "22"
to_port: "22"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpgdavevku7583jo3ah
direction: INGRESS
ports:
from_port: "8001"
to_port: "8001"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enp335ibig9kq7qvcg7q
direction: INGRESS
ports:
from_port: "8090"
to_port: "8090"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
For more information about the yc vpc security-group create
command, see the CLI reference.
-
Add the
usergate-sg
security group parameters to the configuration file:resource "yandex_vpc_security_group" "usergate-sg" { name = "usergate-sg" network_id = "${yandex_vpc_network.usergate-network.id}" egress { protocol = "ANY" port = "ANY" v4_cidr_blocks = ["0.0.0.0/0"] } ingress { protocol = "ICMP" port = "ANY" v4_cidr_blocks = ["0.0.0.0/0"] } ingress { protocol = "TCP" port = 3389 v4_cidr_blocks = ["0.0.0.0/0"] } ingress { protocol = "TCP" port = 22 v4_cidr_blocks = ["0.0.0.0/0"] } ingress { protocol = "TCP" port = 8001 v4_cidr_blocks = ["0.0.0.0/0"] } ingress { protocol = "TCP" port = 8090 v4_cidr_blocks = ["0.0.0.0/0"] } }
For more information about the
yandex_vpc_security_group
resource, see the Terraform provider documentation . -
Make sure the configuration files are valid.
-
In the command line, go to the directory where you created the configuration file.
-
Run the check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
-
Use the SecurityGroupService/Create gRPC API call or the create REST API method.
Reserve a static public IP address
The gateway will need a static public IP address.
- In the management console
, go to the page of the folder where you want to reserve an IP address. - In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select
IP addresses. - Click Reserve address.
- In the window that opens, select the
ru-central1-a
availability zone in the Availability zone field. - Click ** Reserve**.
Run this command:
yc vpc address create --external-ipv4 zone=ru-central1-a
Result:
id: e9b6un9gkso6stdh6b3p
folder_id: b1g7gvsi89m34pipa3ke
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
address: 178.154.253.52
zone_id: ru-central1-a
requirements: {}
reserved: true
For more information about the yc vpc address create
command, see the CLI reference.
Create a UserGate VM
-
On the folder page in the management console
, click Create resource in the top-right corner. -
Select Virtual machine instance.
-
Enter the VM name:
usergate-proxy
. -
Select an availability zone
ru-central1-a
. -
Under Boot disk image, go to the Marketplace tab and select the UserGate NGFW image.
-
Under Computing resources:
-
Select the platform: Intel Ice Lake.
-
Specify the number of vCPUs and the amount of RAM:
- vCPU:
4
- Guaranteed vCPU performance:
100%
- RAM:
8 GB
Note
These parameters are appropriate for functional testing of the gateway. To calculate the parameters for the production workload, read the official recommendations
from UserGate. - vCPU:
-
-
Under Network settings:
- Select the
usergate-network
network and theusergate-subnet-ru-central1-a
subnet. - In the Public IP field, select List and then select the previously reserved IP from the list that opens.
- In the Security groups field, select the
usergate-sg
group from the list.
- Select the
-
Under Access, specify the information required to access the instance:
-
Enter username in the Login field.
-
In the SSH key field, paste the contents of the public key file.
You will need to create a key pair for the SSH connection yourself, see Creating an SSH key pair.
-
-
Click Create VM.
-
Create an SSH key pair.
-
Get the
usergate-sg
security group ID:yc vpc security-group get usergate-sg | grep "^id"
For more information about the
yc vpc security-group get
command, see the CLI reference. -
Run this command:
yc compute instance create \ --name usergate-proxy \ --memory 8 \ --cores 4 \ --zone ru-central1-a \ --network-interface subnet-name=usergate-subnet-ru-central1-a,nat-ip-version=ipv4,security-group-ids=<ID_of_the_usergate-sg_security_group> \ --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \ --ssh-key <path to the public part of the SSH key> \
Result:
id: fhm2na1siftpfhrfc03l folder_id: b1g86q4m5vej8lkljme5 created_at: "2022-06-09T11:15:52Z" name: usergate-proxy zone_id: ru-central1-a platform_id: standard-v2 resources: memory: "8589934592" cores: "4" core_fraction: "100" status: RUNNING boot_disk: mode: READ_WRITE device_name: fhmiq60rni2tqvjdiq3l auto_delete: true disk_id: fhmiq60rni2tqvjdiq3l network_interfaces: - index: "0" mac_address: d0:0d:2b:a8:3c:93 subnet_id: e9bqlr188as7rgsgh4kn primary_v4_address: address: 10.1.0.27 one_to_one_nat: address: 51.250.72.1 ip_version: IPV4 fqdn: fhm2na1siftpfhrfc03l.auto.internal scheduling_policy: {} network_settings: type: STANDARD placement_policy: {}
For more information about the
yc compute instance create
command, see the CLI reference.
-
Get an ID of the latest version of the UserGate NGFW gateway from the list of public images.
-
In the configuration file, describe the parameters of the
usergate-proxy
VM:resource "yandex_compute_instance" "usergate-proxy" { name = "usergate-proxy" platform_id = "standard-v3" zone = "ru-central1-a" hostname = "usergate" resources { cores = 4 core_fraction = 100 memory = 8 } boot_disk { initialize_params { image_id = "<UserGate_NGFW_image_ID>" size = 110 } } network_interface { subnet_id = "${yandex_vpc_subnet.usergate-subnet.id}" nat = true security_group_ids = <usergate-sg_security_group_ID> } }
To learn more, see the yandex_compute_instance
resource description in the Terraform provider documentation. -
Make sure the configuration files are valid.
-
In the command line, go to the directory where you created the configuration file.
-
Run the check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
-
Create the usergate-proxy
VM using the REST API create method for the Instance resource.
Set up the UserGate NGFW via the administrative console
To set up the gateway, go to the UserGate NGFW administrative console at https://<VM_public_IP>:8001
and log in with the default credentials: Admin
as the username and utm
as the password.
When you are logged in, the system prompts you to change the default password and update the OS.
Set up the gateway to run in the proxy server mode
Set up the UserGate NGFW for running in the proxy server mode:
- In the top menu, select Settings.
- In the menu on the left, go to Network ⟶ Zones.
- Click on the
Trusted
zone name. - Click Access control, then enable Administration console. Click Save.
- In the menu on the left, go to Network ⟶ Interfaces.
- Click the
port0
network interface name. - In the General tab, in the Zone field, select the
Trusted
zone from the list. Click Save. - In the menu on the left, click Network policies ⟶ Firewall.
- Click the preset rule:
Allow trusted to untrusted
. - Click Destination and disable the
Untrusted
zone. Click Save. - Enable the rule:
Allow trusted to untrusted
. To do this, select the line with the rule and click Enable at the top of the screen. - In the menu on the left, click Network policies ⟶ NAT and routing.
- Click the preset rule:
NAT from trusted to untrusted
. - Click Destination and change the destination zone from
Untrusted
toTrusted
. Click Save. - Enable the rule:
NAT from Trusted to Untrusted
. To do this, select the line with the rule and click Enable at the top of the screen.
Now the gateway has been set up. Now, you can use UserGate as a proxy server by specifying a public IP address and port 8090
in the browser settings.
Set up the traffic filtering rules
We recommend that you use the following default policies: Block to botnets
, Block from botnets
, and Example block RU RKN by IP list
. First change several parameters in them:
- Click Network policies ⟶ Firewall.
- Click the name of the preset rule.
- Click Source and change the source zone from
Untrusted
toTrusted
. - Click Destination and disable the
Untrusted
zone. - Click Save.
- Enable the selected rule. To do this, select the line with the rule and click Enable at the top of the screen.
For higher security, set up more traffic filtering rules:
-
Click Network policies ⟶ Firewall.
-
Add the first blocking rule:
-
At the top of the screen, click Add.
-
Specify the rule parameters:
- Name:
Block QUIC protocol
. - Action: Deny.
- Name:
-
Click Source and select
Trusted
. -
Click Service.
-
Click Add.
-
Select the service
Quick UDP Internet Connections
, then click Add. After that, click Close. -
Click Save.
-
-
Add the second blocking rule:
-
At the top of the screen, click Add.
-
Specify the rule parameters:
- Name:
Block Windows updates
. - Action: Deny.
- Name:
-
Click Source and select
Trusted
. -
Click Applications.
-
Click Add ⟶ Add applications.
-
Select the
Microsoft Update
application, then click Add. -
Select the
WinUpdate
application, then click Add. After that, click Close. -
Click Save.
-
You can also add other traffic filtering rules. We don't recommend combining services and applications in the same rule. The rule might not trigger in this case.
Set up the content filtering rules
Enable the following default policies: Example black list
, Example threats sites
, and Example AV check
:
- Go to the Security policies ⟶ Content filtering section.
- Click the line with the selected rule, then click Enable at the top of the screen.
For higher security, set up more content filtering rules:
-
Go to the Security policies ⟶ Content filtering section.
-
Add the filtering rule:
-
At the top of the screen, click Add.
-
Specify the rule parameters:
- Name:
Block social media
. - Actions: Deny.
- Name:
-
Click Source and select
Trusted
. -
Click Categories.
-
Click Add.
-
Type
Social media
in the search bar, then click Add. After that, click Close. -
Click Save.
-
You can also add other content filtering rules. We don't recommend adding multiple parameters to the same rule. The rule might not trigger in this case.
Set up SSL inspection
By default, UserGate uses its own CA (Default)
certificate to decrypt the traffic. But you can also add your own certificate.
To add a certificate:
-
Click UserGate ⟶ Certificates.
-
At the top of the screen, click Import.
-
Fill out the certificate parameters:
- Name: Type any name.
- Certificate file: Select the certificate file in the DER, PEM, or PKCS12 format.
- (Optional) Private key: Select a private key for the certificate.
- (Optional) Password: Password for your private key or PKCS12 container.
- (Optional) Certificate chain: Select a file if you need to return a complete certificate chain to your clients.
-
Click Save.
-
Click the name of the certificate you added.
-
In the Used field, select SSL inspection.
-
Click Save.
-
Add a rule for SSL inspection:
-
Go to the Security policies ⟶ SSL inspection section.
-
At the top of the screen, click Add.
-
Fill out the rule parameters and click Save.
To implement SSL inspection, you can also use the rule:
Decrypt all for unknown users
.
-
How to delete the resources you created
To stop paying for the resources you created:
- Delete the VM
usergate-proxy
. - Delete the static public IP address.