Creating and configuring a UserGate gateway in proxy server mode

Written by
Yandex Cloud
Updated at May 13, 2025
  • Getting started
    • Required paid resources
  • Create a cloud network and subnet
  • Create a security group
  • Reserve a static public IP address
  • Create a UserGate VM
  • Set up the UserGate NGFW via the administrative console
    • Set up the gateway to run in the proxy server mode
    • Set up the traffic filtering rules
    • Set up the content filtering rules
    • Set up SSL inspection
  • How to delete the resources you created

UserGate is a next-generation firewall (NGFW) developed by UserGate, a Russia-based company.

You will create a UserGate virtual machine in Yandex Cloud and set up the gateway in proxy server mode. As a result, your employees will be able to access the internet anytime and from anywhere (the office, home, cafes, or other public places). To learn about advanced UserGate features, take the free UserGate Getting Started course.

A typical diagram of running UserGate in the proxy server mode in Yandex Cloud is shown in the picture below.

To deploy a UserGate gateway:

  1. Prepare your cloud.
  2. Create a cloud network and subnet.
  3. Reserve a static public IP address.
  4. Create a UserGate VM.
  5. Set up the UserGate NGFW via the administrative console.

If you no longer need the resources you created, delete them.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The price for the UserGate gateway includes:

  • A fee for a continuously running VM (see Yandex Compute Cloud pricing).
  • UserGate NGFW usage.
  • A fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).

Create a cloud network and subnet

Create a cloud network with subnets in the availability zones that will host your VM.

Management console
  1. On the folder page in the management console, click Create resource in the top-right corner and select Network.
  2. Enter the network name: usergate-network.
  3. In the Advanced field, enable the Create subnets option.
  4. Click Create network.

CLI

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Create a network named usergate-network:

    yc vpc network create usergate-network
    

    Result:

    id: enptrcle5q3d3ktd33hj
    folder_id: b1g9hv2loamqfnbul7d9
    created_at: "2022-06-08T09:25:03Z"
    name: usergate-network
    default_security_group_id: enpbsnnop4akg7ng70ll
    

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create the usergate-subnet-ru-central1-a network in the ru-central1-a availability zone:

    yc vpc subnet create usergate-subnet-ru-central1-a \
      --zone ru-central1-a \
      --network-name usergate-network \
      --range 10.1.0.0/16
    

    Result:

    id: e9bnnssj8sc8mjhat9qk
    folder_id: b1g9hv2loamqfnbul7d9
    created_at: "2022-06-08T09:27:00Z"
    name: usergate-subnet-ru-central1-a
    network_id: enptrcle5q3d3ktd33hj
    zone_id: ru-central1-a
    v4_cidr_blocks:
    - 10.1.0.0/16
    

    For more information about the yc vpc subnet create command, see the CLI reference.

Terraform

  1. In the configuration file, describe the network parameters for usergate-network and its subnet usergate-subnet-ru-central1-a:

    resource "yandex_vpc_network" "usergate-network" {
      name = "usergate-network"
    }
    
    resource "yandex_vpc_subnet" "usergate-subnet" {
      name           = "usergate-subnet-ru-central1-a"
      zone           = "ru-central1-a"
      network_id     = yandex_vpc_network.usergate-network.id
      v4_cidr_blocks = ["10.1.0.0/16"]
    }
    

    Learn more in the description of the yandex_vpc_network and yandex_vpc_subnet resources in the Terraform provider documentation.

  2. Make sure the configuration files are valid.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run the check using this command:

      terraform plan
      

    If the configuration is described correctly, the terminal will display a list of the resources to be created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources: type yes in the terminal and press Enter.

API

  1. Create a network named usergate-network using the gRPC API NetworkService/Create call or the REST API create method for the Network resource.
  2. Create a subnet named usergate-subnet-ru-central1-a using the SubnetService/Create gRPC API call or the REST API create method for the Subnet resource.

Create a security group

Management console
  1. In the management console, go to the page of the folder where you want to create a group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Enter the usergate-sg security group name.

  6. In the Network field, select usergate-network.

  7. Under Rules, create the following rules using the instructions below the table:

    Traffic direction | Description   | Port range | Protocol | Destination name / Source | CIDR blocks
    Outgoing          | any           | All        | Any      | CIDR                      | 0.0.0.0/0
    Incoming          | icmp          | All        | ICMPv6   | CIDR                      | 0.0.0.0/0
    Incoming          | rdp           | 3389       | TCP      | CIDR                      | 0.0.0.0/0
    Incoming          | ssh           | 22         | TCP      | CIDR                      | 0.0.0.0/0
    Incoming          | usergate 8001 | 8001       | TCP      | CIDR                      | 0.0.0.0/0
    Incoming          | usergate 8090 | 8090       | TCP      | CIDR                      | 0.0.0.0/0
    1. Go to the Egress or Ingress tab.
    2. Click Add. In the window that opens:
      1. In the Port range field, specify a single port or a range of ports the traffic will come to or from.

      2. In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.

      3. In the Destination name or Source field, select the purpose of the rule:

        • CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add.
        • Security group: Rule will apply to the VMs from the current group or the selected security group.
      4. Click Save.

  8. Click Save.

CLI

Run the following command:

yc vpc security-group create usergate-sg \
  --network-name usergate-network \
  --rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=22,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=8001,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=8090,protocol=tcp,v4-cidrs=[0.0.0.0/0]

Result:

id: enpu0e0nrqdnvk10r3lp
folder_id: b1g86q4m5vej8lkljme5
created_at: "2022-06-29T09:38:40Z"
name: usergate-sg
network_id: enp3srbi9u49pjvcejnb
status: ACTIVE
rules:
- id: enpdp9d0pingp28d04kn
  direction: EGRESS
  protocol_name: ANY
  protocol_number: "-1"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enps2r5ru3s11mdark60
  direction: INGRESS
  protocol_name: ICMP
  protocol_number: "1"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enpgonbui61ah7ifdc9i
  direction: INGRESS
  ports:
    from_port: "3389"
    to_port: "3389"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enpbg1jh11hvp9tu1mq9
  direction: INGRESS
  ports:
    from_port: "22"
    to_port: "22"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enpgdavevku7583jo3ah
  direction: INGRESS
  ports:
    from_port: "8001"
    to_port: "8001"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enp335ibig9kq7qvcg7q
  direction: INGRESS
  ports:
    from_port: "8090"
    to_port: "8090"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0

For more information about the yc vpc security-group create command, see the CLI reference.

Terraform

  1. Add the usergate-sg security group parameters to the configuration file:

    resource "yandex_vpc_security_group" "usergate-sg" {
      name       = "usergate-sg"
      network_id = yandex_vpc_network.usergate-network.id
    
      egress {
        protocol       = "ANY"
        port           = "ANY"
        v4_cidr_blocks = ["0.0.0.0/0"]
      }
    
      ingress {
        protocol       = "ICMP"
        port           = "ANY"
        v4_cidr_blocks = ["0.0.0.0/0"]
      }
    
      ingress {
        protocol       = "TCP"
        port           = 3389
        v4_cidr_blocks = ["0.0.0.0/0"]
      }
    
      ingress {
        protocol       = "TCP"
        port           = 22
        v4_cidr_blocks = ["0.0.0.0/0"]
      }
    
      ingress {
        protocol       = "TCP"
        port           = 8001
        v4_cidr_blocks = ["0.0.0.0/0"]
      }
    
      ingress {
        protocol       = "TCP"
        port           = 8090
        v4_cidr_blocks = ["0.0.0.0/0"]
      }
    }
    

    For more information about the yandex_vpc_security_group resource, see the Terraform provider documentation.

  2. Make sure the configuration files are valid.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run the check using this command:

      terraform plan
      

    If the configuration is described correctly, the terminal will display a list of the resources to be created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources: type yes in the terminal and press Enter.

API

Use the SecurityGroupService/Create gRPC API call or the create REST API method for the SecurityGroup resource.
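The usergate-sg rules above admit SSH, RDP and the UserGate administrative console (tcp/8001) from 0.0.0.0/0, the same source range as the client-facing proxy port. The following added example (not part of this tutorial or the yc CLI) audits a security group for that: it takes the JSON that `yc vpc security-group get usergate-sg --format json` prints and reports every ingress rule that exposes a management port to an unrestricted source. The two embedded documents are constructed samples with placeholder IDs; 203.0.113.0/24 is a documentation prefix standing in for an office range.

```python
import ipaddress
import json

# Management ports opened by the usergate-sg rules in this tutorial.
# Port 8090 is the client-facing proxy listener, so it is expected to be
# reachable and is deliberately not in this table.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 8001: "usergate-admin-console"}


def _is_unrestricted(cidr: str) -> bool:
    """True for a /0 block, i.e. the rule accepts traffic from any source."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_group(sg_json: str) -> list:
    """Return (port, service, cidrs) for each ingress rule that exposes a
    management port to an unrestricted source. The input is the JSON
    document printed by `yc vpc security-group get <name> --format json`."""
    findings = []
    for rule in json.loads(sg_json).get("rules", []):
        if rule.get("direction") != "INGRESS":
            continue
        cidrs = rule.get("cidr_blocks", {}).get("v4_cidr_blocks", [])
        open_cidrs = [c for c in cidrs if _is_unrestricted(c)]
        if not open_cidrs:
            continue
        ports = rule.get("ports")
        if ports is None:
            # No port block: an ICMP rule or an "any port" rule.
            if rule.get("protocol_name", "ANY").upper() == "ANY":
                findings.append(("any", "all-ports", open_cidrs))
            continue
        lo = int(ports["from_port"])
        hi = int(ports.get("to_port", lo))
        for port, service in MANAGEMENT_PORTS.items():
            if lo <= port <= hi:  # single port, or a range that covers it
                findings.append((port, service, open_cidrs))
    return findings


def _tcp_ingress(port: int, cidr: str) -> dict:
    """Build one ingress rule in the shape yc prints (constructed sample)."""
    return {"direction": "INGRESS", "protocol_name": "TCP",
            "ports": {"from_port": str(port), "to_port": str(port)},
            "cidr_blocks": {"v4_cidr_blocks": [cidr]}}


# Constructed sample mirroring the usergate-sg rules in this tutorial
# (placeholder id, not a real resource ID).
TUTORIAL_SG = json.dumps({"id": "<sg_id>", "name": "usergate-sg", "rules": [
    {"direction": "EGRESS", "protocol_name": "ANY",
     "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
    {"direction": "INGRESS", "protocol_name": "ICMP",
     "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
    _tcp_ingress(3389, "0.0.0.0/0"), _tcp_ingress(22, "0.0.0.0/0"),
    _tcp_ingress(8001, "0.0.0.0/0"), _tcp_ingress(8090, "0.0.0.0/0")]})

# The same group with the management ports limited to an office range
# (203.0.113.0/24 is a documentation prefix used here as a placeholder).
RESTRICTED_SG = json.dumps({"id": "<sg_id>", "name": "usergate-sg", "rules": [
    _tcp_ingress(3389, "203.0.113.0/24"), _tcp_ingress(22, "203.0.113.0/24"),
    _tcp_ingress(8001, "203.0.113.0/24"), _tcp_ingress(8090, "0.0.0.0/0")]})

if __name__ == "__main__":
    for port, service, cidrs in audit_security_group(TUTORIAL_SG):
        print(f"usergate-sg: {service} (tcp/{port}) open to {', '.join(cidrs)}")
```

Run it against a live group by piping the yc output into `audit_security_group`; an empty result means every management port is limited to a specific source range.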

Reserve a static public IP address

The gateway will need a static public IP address.

Management console
  1. In the management console, go to the page of the folder where you want to reserve an IP address.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select IP addresses.
  4. Click Reserve address.
  5. In the window that opens, select the ru-central1-a availability zone in the Availability zone field.
  6. Click Reserve.

CLI

Run this command:

yc vpc address create --external-ipv4 zone=ru-central1-a

Result:

id: e9b6un9gkso6stdh6b3p
folder_id: b1g7gvsi89m34pipa3ke
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
  address: 178.154.253.52
  zone_id: ru-central1-a
  requirements: {}
reserved: true

For more information about the yc vpc address create command, see the CLI reference.

Create a UserGate VM

Management console
  1. On the folder page in the management console, click Create resource in the top-right corner.

  2. Select Virtual machine instance.

  3. Enter the VM name: usergate-proxy.

  4. Select the ru-central1-a availability zone.

  5. Under Boot disk image, go to the Marketplace tab and select the UserGate NGFW image.

  6. Under Computing resources:

    • Select the platform: Intel Ice Lake.

    • Specify the number of vCPUs and the amount of RAM:

      • vCPU: 4
      • Guaranteed vCPU performance: 100%
      • RAM: 8 GB

      Note

      These parameters are appropriate for functional testing of the gateway. To calculate the parameters for the production workload, read the official recommendations from UserGate.

  7. Under Network settings:

    • Select the usergate-network network and the usergate-subnet-ru-central1-a subnet.
    • In the Public IP address field, select List and then select the previously reserved IP from the list that opens.
    • In the Security groups field, select the usergate-sg group from the list.
  8. Under Access, specify the information required to access the instance:

    • Enter a username in the Login field.

    • In the SSH key field, paste the contents of the public key file.

      You will need to create a key pair for the SSH connection yourself, see Creating an SSH key pair.

  9. Click Create VM.

CLI

  1. Create an SSH key pair.

  2. Get the usergate-sg security group ID:

    yc vpc security-group get usergate-sg | grep "^id"
    

    For more information about the yc vpc security-group get command, see the CLI reference.

  3. Run this command:

    yc compute instance create \
      --name usergate-proxy \
      --memory 8 \
      --cores 4 \
      --zone ru-central1-a \
      --network-interface subnet-name=usergate-subnet-ru-central1-a,nat-ip-version=ipv4,security-group-ids=<ID_of_the_usergate-sg_security_group> \
      --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \
      --ssh-key <path to the public part of the SSH key>
    

    Result:

    id: fhm2na1siftpfhrfc03l
    folder_id: b1g86q4m5vej8lkljme5
    created_at: "2022-06-09T11:15:52Z"
    name: usergate-proxy
    zone_id: ru-central1-a
    platform_id: standard-v2
    resources:
      memory: "8589934592"
      cores: "4"
      core_fraction: "100"
    status: RUNNING
    boot_disk:
      mode: READ_WRITE
      device_name: fhmiq60rni2tqvjdiq3l
      auto_delete: true
      disk_id: fhmiq60rni2tqvjdiq3l
    network_interfaces:
    - index: "0"
      mac_address: d0:0d:2b:a8:3c:93
      subnet_id: e9bqlr188as7rgsgh4kn
      primary_v4_address:
        address: 10.1.0.27
        one_to_one_nat:
          address: 51.250.72.1
          ip_version: IPV4
    fqdn: fhm2na1siftpfhrfc03l.auto.internal
    scheduling_policy: {}
    network_settings:
      type: STANDARD
    placement_policy: {}
    

    For more information about the yc compute instance create command, see the CLI reference.

Terraform

  1. Get the ID of the latest version of the UserGate NGFW gateway from the list of public images.

  2. In the configuration file, describe the parameters of the usergate-proxy VM:

    resource "yandex_compute_instance" "usergate-proxy" {
      name        = "usergate-proxy"
      platform_id = "standard-v3"
      zone        = "ru-central1-a"
      hostname    = "usergate"
      resources {
        cores         = 4
        core_fraction = 100
        memory        = 8
      }
    
      boot_disk {
        initialize_params {
          image_id = "<UserGate_NGFW_image_ID>"
          size     = 110
        }
      }
    
      network_interface {
        subnet_id          = yandex_vpc_subnet.usergate-subnet.id
        nat                = true
        # security_group_ids expects a list of IDs
        security_group_ids = ["<usergate-sg_security_group_ID>"]
      }
    }
    

    To learn more, see the yandex_compute_instance resource description in the Terraform provider documentation.

  3. Make sure the configuration files are valid.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run the check using this command:

      terraform plan
      

    If the configuration is described correctly, the terminal will display a list of the resources to be created and their parameters. If the configuration contains any errors, Terraform will point them out.

  4. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources: type yes in the terminal and press Enter.

API

Create the usergate-proxy VM using the REST API create method for the Instance resource.

Set up the UserGate NGFW via the administrative console

To set up the gateway, go to the UserGate NGFW administrative console at https://<VM_public_IP>:8001 and log in with the default credentials: Admin as the username and utm as the password.

When you are logged in, the system prompts you to change the default password and update the OS.

Set up the gateway to run in the proxy server mode

Set up the UserGate NGFW for running in the proxy server mode:

  1. In the top menu, select Settings.
  2. In the menu on the left, go to Network ⟶ Zones.
  3. Click on the Trusted zone name.
  4. Click Access control, then enable Administration console. Click Save.
  5. In the menu on the left, go to Network ⟶ Interfaces.
  6. Click the port0 network interface name.
  7. In the General tab, in the Zone field, select the Trusted zone from the list. Click Save.
  8. In the menu on the left, click Network policies ⟶ Firewall.
  9. Click the preset rule: Allow trusted to untrusted.
  10. Click Destination and disable the Untrusted zone. Click Save.
  11. Enable the rule: Allow trusted to untrusted. To do this, select the line with the rule and click Enable at the top of the screen.
  12. In the menu on the left, click Network policies ⟶ NAT and routing.
  13. Click the preset rule: NAT from trusted to untrusted.
  14. Click Destination and change the destination zone from Untrusted to Trusted. Click Save.
  15. Enable the rule: NAT from Trusted to Untrusted. To do this, select the line with the rule and click Enable at the top of the screen.

The gateway is now set up. You can use UserGate as a proxy server by specifying its public IP address and port 8090 in your browser's proxy settings.

Set up the traffic filtering rules

We recommend that you use the following default policies: Block to botnets, Block from botnets, and Example block RU RKN by IP list. First, change several parameters in each of them:

  1. Click Network policies ⟶ Firewall.
  2. Click the name of the preset rule.
  3. Click Source and change the source zone from Untrusted to Trusted.
  4. Click Destination and disable the Untrusted zone.
  5. Click Save.
  6. Enable the selected rule. To do this, select the line with the rule and click Enable at the top of the screen.

For higher security, set up more traffic filtering rules:

  1. Click Network policies ⟶ Firewall.

  2. Add the first blocking rule:

    1. At the top of the screen, click Add.

    2. Specify the rule parameters:

      • Name: Block QUIC protocol.
      • Action: Deny.
    3. Click Source and select Trusted.

    4. Click Service.

    5. Click Add.

    6. Select the service Quick UDP Internet Connections, then click Add. After that, click Close.

    7. Click Save.

  3. Add the second blocking rule:

    1. At the top of the screen, click Add.

    2. Specify the rule parameters:

      • Name: Block Windows updates.
      • Action: Deny.
    3. Click Source and select Trusted.

    4. Click Applications.

    5. Click Add ⟶ Add applications.

    6. Select the Microsoft Update application, then click Add.

    7. Select the WinUpdate application, then click Add. After that, click Close.

    8. Click Save.

You can also add other traffic filtering rules. We do not recommend combining services and applications in the same rule, as such a rule might not trigger.

Set up the content filtering rules

Enable the following default policies: Example black list, Example threats sites, and Example AV check:

  1. Go to the Security policies ⟶ Content filtering section.
  2. Click the line with the selected rule, then click Enable at the top of the screen.

For higher security, set up more content filtering rules:

  1. Go to the Security policies ⟶ Content filtering section.

  2. Add the filtering rule:

    1. At the top of the screen, click Add.

    2. Specify the rule parameters:

      • Name: Block social media.
      • Actions: Deny.
    3. Click Source and select Trusted.

    4. Click Categories.

    5. Click Add.

    6. Type Social media in the search bar, then click Add. After that, click Close.

    7. Click Save.

You can also add other content filtering rules. We do not recommend adding multiple parameters to the same rule, as such a rule might not trigger.

Set up SSL inspection

By default, UserGate uses its own CA certificate (Default) to decrypt traffic, but you can also add your own certificate.

To add a certificate:

  1. Click UserGate ⟶ Certificates.

  2. At the top of the screen, click Import.

  3. Fill out the certificate parameters:

    • Name: Type any name.
    • Certificate file: Select the certificate file in the DER, PEM, or PKCS12 format.
    • (Optional) Private key: Select a private key for the certificate.
    • (Optional) Password: Password for your private key or PKCS12 container.
    • (Optional) Certificate chain: Select a file if you need to return a complete certificate chain to your clients.
  4. Click Save.

  5. Click the name of the certificate you added.

  6. In the Used field, select SSL inspection.

  7. Click Save.

  8. Add a rule for SSL inspection:

    1. Go to the Security policies ⟶ SSL inspection section.

    2. At the top of the screen, click Add.

    3. Fill out the rule parameters and click Save.

      To implement SSL inspection, you can also use the rule: Decrypt all for unknown users.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VM usergate-proxy.
  2. Delete the static public IP address.
