Yandex project
© 2025 Yandex.Cloud LLC


Setting up a UserGate proxy server

Written by
Yandex Cloud
Updated at May 7, 2025
  • Getting started
    • Required paid resources
  • Create a cloud network with a subnet
  • Create a security group
  • Reserve a static public IP address
  • Create a UserGate VM
  • Set up the UserGate NGFW
    • Configure your gateway as a proxy server
    • Set up traffic filtering rules
    • Set up content filtering rules
    • Set up SSL inspection
  • How to delete the resources you created

UserGate is a next-generation firewall from UserGate, a Russia-based company.

In this tutorial, we will create a Yandex Cloud UserGate VM configured as a proxy server. This configuration gives your employees secure internet access from the office or anywhere else, such as home or public places. To learn more about UserGate, sign up for our free course, UserGate Getting Started.

The diagram below shows a Yandex Cloud network configuration with UserGate acting as a proxy server.

To set up a UserGate gateway:

  1. Get your cloud ready.
  2. Create a cloud network with a subnet.
  3. Create a security group.
  4. Reserve a static public IP address.
  5. Create a UserGate VM.
  6. Set up the UserGate NGFW.

If you no longer need the resources you created, delete them.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The cost of the UserGate gateway infrastructure includes:

  • Fee for a continuously running VM (see Yandex Compute Cloud pricing).
  • Fee for using UserGate NGFW.
  • Fee for a public static IP address (see Yandex Virtual Private Cloud pricing).

Create a cloud network with a subnet

Create a cloud network with a subnet in the availability zone where your VM will reside.

Management console

  1. On the folder dashboard in the management console, click Create resource in the top-right corner and select Network.
  2. Specify the network name: usergate-network.
  3. In the Advanced field, enable Create subnets.
  4. Click Create network.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Create a network named usergate-network:

    yc vpc network create usergate-network
    

    Result:

    id: enptrcle5q3d********
    folder_id: b1g9hv2loamq********
    created_at: "2022-06-08T09:25:03Z"
    name: usergate-network
    default_security_group_id: enpbsnnop4ak********
    

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create the usergate-subnet-ru-central1-d subnet in the ru-central1-d availability zone:

    yc vpc subnet create usergate-subnet-ru-central1-d \
      --zone ru-central1-d \
      --network-name usergate-network \
      --range 10.1.0.0/16
    

    Result:

    id: e9bnnssj8sc8********
    folder_id: b1g9hv2loamq********
    created_at: "2022-06-08T09:27:00Z"
    name: usergate-subnet-ru-central1-d
    network_id: enptrcle5q3d********
    zone_id: ru-central1-d
    v4_cidr_blocks:
    - 10.1.0.0/16
    

    For more information about the yc vpc subnet create command, see the CLI reference.

Terraform

  1. Describe usergate-network and the usergate-subnet-ru-central1-d subnet in the Terraform configuration file:

    resource "yandex_vpc_network" "usergate-network" {
      name = "usergate-network"
    }

    resource "yandex_vpc_subnet" "usergate-subnet" {
      name           = "usergate-subnet-ru-central1-d"
      zone           = "ru-central1-d"
      network_id     = yandex_vpc_network.usergate-network.id
      v4_cidr_blocks = ["10.1.0.0/16"]
    }
    

    For more information, see the yandex_vpc_network and yandex_vpc_subnet resource descriptions in the Terraform provider documentation.

  2. Make sure the configuration files are correct.

    1. In the terminal, navigate to your configuration file directory.

    2. Run a check using this command:

      terraform plan
      

    If the configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.

  3. Deploy your cloud resources.

    1. Once your configuration is correct, run this command:

      terraform apply
      
    2. When asked to confirm changes, type yes and press Enter.

API

  1. To create usergate-network, use the NetworkService/Create gRPC API call or the create REST API method for the Network resource.
  2. To create the usergate-subnet-ru-central1-d subnet, use the SubnetService/Create gRPC API call or the create REST API method for the Subnet resource.

Create a security group

Management console

  1. In the management console, navigate to the folder where you want to create a group.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups.

  4. Click Create security group.

  5. Specify the security group name: usergate-sg.

  6. In the Network field, select usergate-network.

  7. Under Rules, create the following rules by following the steps below:

    Traffic direction | Description   | Port range | Protocol | Destination name / Source | CIDR blocks
    Outbound          | any           | All        | Any      | CIDR                      | 0.0.0.0/0
    Inbound           | icmp          | All        | ICMPv6   | CIDR                      | 0.0.0.0/0
    Inbound           | rdp           | 3389       | TCP      | CIDR                      | 0.0.0.0/0
    Inbound           | ssh           | 22         | TCP      | CIDR                      | 0.0.0.0/0
    Inbound           | usergate 8001 | 8001       | TCP      | CIDR                      | 0.0.0.0/0
    Inbound           | usergate 8090 | 8090       | TCP      | CIDR                      | 0.0.0.0/0
    1. Navigate to the Egress or Ingress tab for outbound or inbound rule, respectively.
    2. Click Add. In the window that opens:
      1. In the Port range field, specify a single port or a range of ports open for inbound or outbound traffic.

      2. In the Protocol field, specify the required protocol or leave Any to allow traffic over any protocol.

      3. In the Destination name or Source field, select the scope of the rule:

        • CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR blocks of traffic’s source or destination subnets. To add multiple CIDRs, click Add.
        • Security group: Rule will apply to the VMs in the current or the selected security group.
      4. Click Save.

  8. Click Save.

CLI

Run this command:

yc vpc security-group create usergate-sg \
  --network-name usergate-network \
  --rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=22,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=8001,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
  --rule direction=ingress,port=8090,protocol=tcp,v4-cidrs=[0.0.0.0/0]

Result:

id: enpu0e0nrqdn********
folder_id: b1g86q4m5vej********
created_at: "2022-06-29T09:38:40Z"
name: usergate-sg
network_id: enp3srbi9u49********
status: ACTIVE
rules:
- id: enpdp9d0ping********
  direction: EGRESS
  protocol_name: ANY
  protocol_number: "-1"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enps2r5ru3s1********
  direction: INGRESS
  protocol_name: ICMP
  protocol_number: "1"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enpgonbui61a********
  direction: INGRESS
  ports:
    from_port: "3389"
    to_port: "3389"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enpbg1jh11hv********
  direction: INGRESS
  ports:
    from_port: "22"
    to_port: "22"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enpgdavevku7********
  direction: INGRESS
  ports:
    from_port: "8001"
    to_port: "8001"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0
- id: enp335ibig9k********
  direction: INGRESS
  ports:
    from_port: "8090"
    to_port: "8090"
  protocol_name: TCP
  protocol_number: "6"
  cidr_blocks:
    v4_cidr_blocks:
    - 0.0.0.0/0

For more information about the yc vpc security-group create command, see the CLI reference.

Terraform

  1. Add the usergate-sg security group description to the Terraform configuration file:

    resource "yandex_vpc_security_group" "usergate-sg" {
      name       = "usergate-sg"
      network_id = yandex_vpc_network.usergate-network.id

      # A rule without a port applies to all ports.
      egress {
        protocol       = "ANY"
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol       = "ICMP"
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol       = "TCP"
        port           = 3389
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol       = "TCP"
        port           = 22
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol       = "TCP"
        port           = 8001
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol       = "TCP"
        port           = 8090
        v4_cidr_blocks = ["0.0.0.0/0"]
      }
    }
    

    For more information about the yandex_vpc_security_group resource, see the Terraform provider documentation.

  2. Make sure the configuration files are correct.

    1. In the terminal, navigate to your configuration file directory.

    2. Run a check using this command:

      terraform plan
      

    If the configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.

  3. Deploy your cloud resources.

    1. Once your configuration is correct, run this command:

      terraform apply
      
    2. When asked to confirm changes, type yes and press Enter.

API

Use the SecurityGroupService/Create gRPC API call or the create REST API method.
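As an added check that is not part of the tutorial: usergate-sg opens SSH (22), RDP (3389), and the UserGate admin UI (8001) to 0.0.0.0/0 alongside port 8090, which is the only one remote employees actually need to reach. The script below parses the JSON form of `yc vpc security-group get usergate-sg --format json` (the sample is constructed to mirror the tutorial's rules, with placeholder ids), flags management ports exposed to the whole internet, and prints replacement --rule specs in the same syntax as the `yc vpc security-group create` command above; the admin CIDR 203.0.113.0/24 is an assumed placeholder for your office egress range.

```python
import json

# Ports the tutorial opens to 0.0.0.0/0. Only 8090, the proxy listener that
# employees use from anywhere, needs to be world-reachable; the rest are
# management interfaces that should be limited to an admin CIDR.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 8001: "UserGate admin UI"}
WORLD = "0.0.0.0/0"


def _rule(rid, proto, port=None, direction="INGRESS"):
    """Build one rule in the shape `yc ... --format json` returns (sample data only)."""
    rule = {"id": rid, "direction": direction, "protocol_name": proto,
            "cidr_blocks": {"v4_cidr_blocks": [WORLD]}}
    if port is not None:  # yc renders port numbers as strings
        rule["ports"] = {"from_port": str(port), "to_port": str(port)}
    return rule


# Constructed sample mirroring the tutorial's usergate-sg (placeholder ids, not real yc output).
SAMPLE_SG_JSON = json.dumps({"id": "enp-placeholder", "name": "usergate-sg", "rules": [
    _rule("r-egress", "ANY", direction="EGRESS"), _rule("r-icmp", "ICMP"),
    _rule("r-rdp", "TCP", 3389), _rule("r-ssh", "TCP", 22),
    _rule("r-admin", "TCP", 8001), _rule("r-proxy", "TCP", 8090)]})


def rule_port_range(rule):
    """Return (from_port, to_port) as ints; a rule without ports matches every port."""
    ports = rule.get("ports")
    if not ports:
        return 0, 65535
    return int(ports["from_port"]), int(ports["to_port"])


def exposed_management_rules(sg):
    """Return (rule_id, port, service) for ingress rules exposing a management port to 0.0.0.0/0."""
    findings = []
    for rule in sg.get("rules", []):
        if rule.get("direction") != "INGRESS" or rule.get("protocol_name") not in ("TCP", "ANY"):
            continue
        if WORLD not in rule.get("cidr_blocks", {}).get("v4_cidr_blocks", []):
            continue
        lo, hi = rule_port_range(rule)
        findings += [(rule["id"], p, s) for p, s in MANAGEMENT_PORTS.items() if lo <= p <= hi]
    return findings


def tightened_rule_spec(port, admin_cidr):
    """Same --rule syntax as the tutorial's `yc vpc security-group create`, narrowed to admin_cidr."""
    return f"direction=ingress,port={port},protocol=tcp,v4-cidrs=[{admin_cidr}]"


def audit(sg_json, admin_cidr):
    """Parse yc JSON output; per exposed management port, return the rule id and its narrowed spec."""
    sg = json.loads(sg_json)
    return [{"rule_id": rid, "port": port, "service": svc,
             "replacement": tightened_rule_spec(port, admin_cidr)}
            for rid, port, svc in exposed_management_rules(sg)]


if __name__ == "__main__":
    # 203.0.113.0/24 (a documentation range) stands in for the office egress CIDR.
    for f in audit(SAMPLE_SG_JSON, "203.0.113.0/24"):
        print(f"{f['rule_id']}: {f['service']} (tcp/{f['port']}) is open to the world; "
              f"replace with --rule {f['replacement']}")
```

After narrowing the rules in the management console, run the script against the live yc output to confirm no findings remain.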

Reserve a static public IP address

Your gateway will need a static public IP address.

Management console

  1. In the management console, navigate to the folder where you want to reserve an IP address.
  2. In the list of services, select Virtual Private Cloud.
  3. In the left-hand panel, select IP addresses.
  4. Click Reserve address.
  5. In the window that opens, select ru-central1-d in the Availability zone field.
  6. Click Reserve.

CLI

Run this command:

yc vpc address create --external-ipv4 zone=ru-central1-d

Result:

id: e9b6un9gkso6********
folder_id: b1g7gvsi89m3********
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
  address: 178.154.253.52
  zone_id: ru-central1-d
  requirements: {}
reserved: true

For more information about the yc vpc address create command, see the CLI reference.

Create a UserGate VM

Management console

  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image, in the Product search field, type UserGate NGFW and select a public UserGate NGFW image.

  3. Under Location, select the ru-central1-d availability zone.

  4. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 4
    • Guaranteed vCPU performance: 100%
    • RAM: 8 GB

    Note

    These settings are sufficient for functional testing of the gateway. For a production environment, follow the official UserGate recommendations.

  5. Under Network settings:

    • In the Subnet field, select usergate-network and usergate-subnet-ru-central1-d.
    • In the Public IP address field, select List and then select the previously reserved IP address from the list that opens.
    • In the Security groups field, select the usergate-sg group from the list.
  6. Under Access, select the SSH key option, and specify the VM access credentials:

    • Under Login, specify a username. Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  7. Under General information, specify the VM name: usergate-proxy.

  8. Click Create VM.

CLI

  1. Create an SSH key pair.

  2. Get the usergate-sg security group ID:

    yc vpc security-group get usergate-sg | grep "^id"
    

    For more information about the yc vpc security-group get command, see the CLI reference.

  3. Run this command:

    yc compute instance create \
      --name usergate-proxy \
      --memory 8 \
      --cores 4 \
      --zone ru-central1-d \
      --network-interface subnet-name=usergate-subnet-ru-central1-d,nat-ip-version=ipv4,security-group-ids=<usergate-sg_security_group_ID> \
      --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \
      --ssh-key <path_to_public_part_of_SSH_key>
    

    Result:

    id: fhm2na1siftp********
    folder_id: b1g86q4m5vej********
    created_at: "2022-06-09T11:15:52Z"
    name: usergate-proxy
    zone_id: ru-central1-d
    platform_id: standard-v2
    resources:
      memory: "8589934592"
      cores: "4"
      core_fraction: "100"
    status: RUNNING
    boot_disk:
      mode: READ_WRITE
      device_name: fhmiq60rni2t********
      auto_delete: true
      disk_id: fhmiq60rni2t********
    network_interfaces:
    - index: "0"
      mac_address: d0:0d:2b:a8:3c:93
      subnet_id: e9bqlr188as7********
      primary_v4_address:
        address: 10.1.0.27
        one_to_one_nat:
          address: 51.250.72.1
          ip_version: IPV4
    fqdn: fhm2na1siftp********.auto.internal
    scheduling_policy: {}
    network_settings:
      type: STANDARD
    placement_policy: {}
    

    For more information about the yc compute instance create command, see the CLI reference.

Terraform

  1. In the list of public images, find the latest version of the UserGate NGFW and get its ID.

  2. Describe the usergate-proxy VM settings in the terraform configuration file:

    resource "yandex_compute_disk" "boot-disk" {
      name     = "boot-disk"
      type     = "network-hdd"
      zone     = "ru-central1-d"
      size     = 110
      image_id = "<UserGate_NGFW_image_ID>"
    }

    resource "yandex_compute_instance" "usergate-proxy" {
      name        = "usergate-proxy"
      platform_id = "standard-v3"
      zone        = "ru-central1-d"
      hostname    = "usergate"
      resources {
        cores         = 4
        core_fraction = 100
        memory        = 8
      }

      boot_disk {
        disk_id = yandex_compute_disk.boot-disk.id
      }

      network_interface {
        subnet_id          = yandex_vpc_subnet.usergate-subnet.id
        nat                = true
        # The attribute takes a list; reference the usergate-sg group described earlier.
        security_group_ids = [yandex_vpc_security_group.usergate-sg.id]
      }
    }
    

    For more information, see the yandex_compute_instance resource description in the Terraform provider documentation.

  3. Make sure the configuration files are correct.

    1. In the terminal, navigate to your configuration file directory.

    2. Run a check using this command:

      terraform plan
      

    If the configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.

  4. Deploy your cloud resources.

    1. Once your configuration is correct, run this command:

      terraform apply
      
    2. When asked to confirm changes, type yes and press Enter.

API

To create the usergate-proxy VM, use the create REST API method for the Instance resource.

Set up the UserGate NGFW

Open the UserGate NGFW admin web UI at https://<VM_public_IP>:8001 and log in with the default credentials: Admin / utm.

Once you log in, the system will prompt you to change the default password and update the OS.

Configure your gateway as a proxy server

Set up the UserGate NGFW as a proxy server:

  1. In the top menu, select Settings.
  2. In the left menu, navigate to Network ⟶ Zones.
  3. Click the Trusted zone.
  4. Click Access control, enable Administration console, and click Save.
  5. In the left menu, navigate to Network ⟶ Interfaces.
  6. Click the port0 network interface.
  7. On the General tab, select Trusted in the Zone field and click Save.
  8. In the left menu, click Network policies ⟶ Firewall.
  9. Click the Allow trusted to untrusted preset rule.
  10. Navigate to the Destination tab, disable the Untrusted zone, and click Save.
  11. Enable the Allow trusted to untrusted rule by selecting it and clicking Enable at the top of the screen.
  12. In the left menu, click Network policies ⟶ NAT and routing.
  13. Click the NAT from Trusted to Untrusted preset rule.
  14. Navigate to the Destination tab and change the destination zone from Untrusted to Trusted. Click Save.
  15. Enable the NAT from Trusted to Untrusted rule by selecting it and clicking Enable at the top of the screen.

Once you have configured the UserGate gateway, you can use it as a proxy server by specifying its public IP address and port 8090 in your browser settings.

Set up traffic filtering rules

We recommend using the Block to botnets, Block from botnets, and Example block RU RKN by IP list default policies with customized settings:

  1. Click Network policies ⟶ Firewall.
  2. Click the name of the preset default policy from the list above.
  3. Navigate to the Source tab and change the source zone from Untrusted to Trusted.
  4. Navigate to the Destination tab and disable the Untrusted zone.
  5. Click Save.
  6. Enable the selected rule by selecting it and clicking Enable at the top of the screen.

Add more rules to enhance security:

  1. Click Network policies ⟶ Firewall.

  2. Add the first blocking rule:

    1. At the top of the screen, click Add.

    2. Specify the rule settings:

      • Name: Block QUIC protocol
      • Action: Deny
    3. Navigate to the Source tab and select Trusted.

    4. Click Service.

    5. Click Add.

    6. Select Quick UDP Internet Connections, click Add, and then Close.

    7. Click Save.

  3. Add the second blocking rule:

    1. At the top of the screen, click Add.

    2. Specify the rule settings:

      • Name: Block Windows updates
      • Action: Deny
    3. Navigate to the Source tab and select Trusted.

    4. Click Applications.

    5. Click Add ⟶ Add applications.

    6. Select the Microsoft Update app and click Add.

    7. Select the WinUpdate app, click Add, and then Close.

    8. Click Save.

You can add more traffic filtering rules. When doing that, avoid combining services and applications in the same rule; otherwise, it might not trigger.

Set up content filtering rules

We recommend using the Example black list, Example threats sites, and Example AV check default policies:

  1. Navigate to the Security policies ⟶ Content filtering section.
  2. Enable the rules listed above by selecting them and clicking Enable at the top of the screen.

You can add more rules to enhance security:

  1. Navigate to the Security policies ⟶ Content filtering section.

  2. Add the content filtering rule:

    1. At the top of the screen, click Add.

    2. Specify the rule settings:

      • Name: Block social media
      • Actions: Deny
    3. Navigate to the Source tab and select Trusted.

    4. Click Categories.

    5. Click Add.

    6. Type Social media in the search bar, click Add, and then Close.

    7. Click Save.

You can add more content filtering rules. When doing that, avoid adding multiple settings to the same rule; otherwise, it might not trigger.

Set up SSL inspection

By default, UserGate uses the CA (Default) certificate to decrypt traffic, but you can also add your own certificate.

To add a certificate:

  1. Click UserGate ⟶ Certificates.

  2. At the top of the screen, click Import.

  3. Fill out the certificate information:

    • Name: Certificate name of your choice.
    • Certificate file: Certificate file in DER, PEM, or PKCS12 format.
    • Private key: Optional, certificate private key.
    • Password: Optional, private key or PKCS12 container password.
    • Certificate chain: Optional, certificate chain file.
  4. Click Save.

  5. Click the name of the new certificate.

  6. In the Used field, select SSL inspection.

  7. Click Save.

  8. Add an SSL inspection rule:

    1. Navigate to the Security policies ⟶ SSL inspection section.

    2. At the top of the screen, click Add.

    3. Specify the rule settings and click Save.

      Alternatively, you can use the Decrypt all for unknown users default SSL inspection rule.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the usergate-proxy VM.
  2. Delete the static public IP address.
