Setting up a UserGate proxy server
In this tutorial, we will create a Yandex Cloud UserGate VM configured as a proxy server. This configuration will give your employees secure internet access from the office or anywhere else, such as home or public places. To learn more about UserGate, sign up for our free course, UserGate Getting Started.
The diagram below shows a Yandex Cloud network configuration with UserGate acting as a proxy server.
To set up a UserGate gateway:
- Get your cloud ready.
- Create a cloud network with a subnet.
- Reserve a static public IP address.
- Create a UserGate VM.
- Set up the UserGate NGFW.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of the UserGate gateway infrastructure includes:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using UserGate NGFW.
- Fee for a public static IP address (see Yandex Virtual Private Cloud pricing).
Create a cloud network with a subnet
Create a cloud network with a subnet in the availability zone where your VM will reside.
- On the folder dashboard in the management console, click Create resource in the top-right corner and select Network.
- Specify the network name: usergate-network.
- In the Advanced field, enable Create subnets.
- Click Create network.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- Create a network named usergate-network:
  yc vpc network create usergate-network
  Result:
  id: enptrcle5q3d********
  folder_id: b1g9hv2loamq********
  created_at: "2022-06-08T09:25:03Z"
  name: usergate-network
  default_security_group_id: enpbsnnop4ak********
  For more information about the yc vpc network create command, see the CLI reference.
- Create the usergate-subnet-ru-central1-d subnet in the ru-central1-d availability zone:
  yc vpc subnet create usergate-subnet-ru-central1-d \
    --zone ru-central1-d \
    --network-name usergate-network \
    --range 10.1.0.0/16
  Result:
  id: e9bnnssj8sc8********
  folder_id: b1g9hv2loamq********
  created_at: "2022-06-08T09:27:00Z"
  name: usergate-subnet-ru-central1-d
  network_id: enptrcle5q3d********
  zone_id: ru-central1-d
  v4_cidr_blocks:
  - 10.1.0.0/16
  For more information about the yc vpc subnet create command, see the CLI reference.
- Describe usergate-network and the usergate-subnet-ru-central1-d subnet in the terraform configuration file:
  resource "yandex_vpc_network" "usergate-network" {
    name = "usergate-network"
  }

  resource "yandex_vpc_subnet" "usergate-subnet" {
    name           = "usergate-subnet-ru-central1-d"
    zone           = "ru-central1-d"
    network_id     = "${yandex_vpc_network.usergate-network.id}"
    v4_cidr_blocks = ["10.1.0.0/16"]
  }
  For more information, see the yandex_vpc_network and yandex_vpc_subnet resource descriptions in the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the terminal, navigate to your configuration file directory.
  - Run a check using this command:
    terraform plan
    If the configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.
- Deploy your cloud resources.
  - Once your configuration is correct, run this command:
    terraform apply
  - When asked to confirm changes, type yes and press Enter.

- To create usergate-network, use the NetworkService/Create gRPC API call or the create REST API method for the Network resource.
- To create the usergate-subnet-ru-central1-d subnet, use the SubnetService/Create gRPC API call or the create REST API method for the Subnet resource.
Create a security group
- In the management console, navigate to the folder where you want to create a group.
- In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select Security groups.
- Click Create security group.
- Specify the security group name: usergate-sg.
- In the Network field, select usergate-network.
- Under Rules, create the following rules using the steps below:

  Traffic direction | Description   | Port range | Protocol | Destination name / Source | CIDR blocks
  Outbound          | any           | All        | Any      | CIDR                      | 0.0.0.0/0
  Inbound           | icmp          | All        | ICMPv6   | CIDR                      | 0.0.0.0/0
  Inbound           | rdp           | 3389       | TCP      | CIDR                      | 0.0.0.0/0
  Inbound           | ssh           | 22         | TCP      | CIDR                      | 0.0.0.0/0
  Inbound           | usergate 8001 | 8001       | TCP      | CIDR                      | 0.0.0.0/0
  Inbound           | usergate 8090 | 8090       | TCP      | CIDR                      | 0.0.0.0/0

  - Navigate to the Egress or Ingress tab for an outbound or inbound rule, respectively.
  - Click Add. In the window that opens:
    - In the Port range field, specify a single port or a range of ports open for inbound or outbound traffic.
    - In the Protocol field, specify the required protocol or leave Any to allow traffic over any protocol.
    - In the Destination name or Source field, select the scope of the rule:
      - CIDR: The rule will apply to a range of IP addresses. In the CIDR blocks field, specify the CIDR blocks of the traffic's source or destination subnets. To add multiple CIDRs, click Add.
      - Security group: The rule will apply to the VMs of the current or the selected security group.
    - Click Save.
- Click Save.
Run this command:
yc vpc security-group create usergate-sg \
--network-name usergate-network \
--rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=22,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=8001,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=8090,protocol=tcp,v4-cidrs=[0.0.0.0/0]
Result:
id: enpu0e0nrqdn********
folder_id: b1g86q4m5vej********
created_at: "2022-06-29T09:38:40Z"
name: usergate-sg
network_id: enp3srbi9u49********
status: ACTIVE
rules:
- id: enpdp9d0ping********
direction: EGRESS
protocol_name: ANY
protocol_number: "-1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enps2r5ru3s1********
direction: INGRESS
protocol_name: ICMP
protocol_number: "1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpgonbui61a********
direction: INGRESS
ports:
from_port: "3389"
to_port: "3389"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpbg1jh11hv********
direction: INGRESS
ports:
from_port: "22"
to_port: "22"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpgdavevku7********
direction: INGRESS
ports:
from_port: "8001"
to_port: "8001"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enp335ibig9k********
direction: INGRESS
ports:
from_port: "8090"
to_port: "8090"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
For more information about the yc vpc security-group create command, see the CLI reference.
- Add the usergate-sg security group description to the terraform configuration file:
  resource "yandex_vpc_security_group" "usergate-sg" {
    name       = "usergate-sg"
    network_id = "${yandex_vpc_network.usergate-network.id}"

    egress {
      protocol       = "ANY"
      port           = "ANY"
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "ICMP"
      port           = "ANY"
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "TCP"
      port           = 3389
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "TCP"
      port           = 22
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "TCP"
      port           = 8001
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "TCP"
      port           = 8090
      v4_cidr_blocks = ["0.0.0.0/0"]
    }
  }
  For more information about the yandex_vpc_security_group resource, see the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the terminal, navigate to your configuration file directory.
  - Run a check using this command:
    terraform plan
    If the configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.
- Deploy your cloud resources.
  - Once your configuration is correct, run this command:
    terraform apply
  - When asked to confirm changes, type yes and press Enter.

Use the SecurityGroupService/Create gRPC API call or the create REST API method.
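The security group created above opens the UserGate admin UI (8001), SSH (22) and RDP (3389) to 0.0.0.0/0, which is acceptable for a lab but should be narrowed to an administrator CIDR before the gateway serves real users. The following Python script is an added example, not part of the tutorial and not a Yandex Cloud or UserGate tool: it parses the JSON form of the `yc vpc security-group get usergate-sg --format json` output (the tutorial shows the YAML form) and reports which ingress rules leave a management port reachable from the whole internet. It runs here against a constructed sample that mirrors the tutorial's six rules, with placeholder rule ids.

```python
"""Added check (not from the tutorial): report ingress rules in a Yandex Cloud
security group that open UserGate management ports to the whole internet.
Input: the JSON form of `yc vpc security-group get usergate-sg --format json`."""
import ipaddress
import json

# Ports only an administrator network should reach; 8090 (the user-facing proxy port) is left out.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 8001: "usergate admin UI"}

# Constructed sample mirroring the tutorial's six rules; the ids are placeholders.
SAMPLE_SG_JSON = """{"id": "sg-placeholder", "name": "usergate-sg", "rules": [
 {"id": "r-any-out", "direction": "EGRESS", "protocol_name": "ANY",
  "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
 {"id": "r-icmp", "direction": "INGRESS", "protocol_name": "ICMP",
  "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
 {"id": "r-rdp", "direction": "INGRESS", "protocol_name": "TCP",
  "ports": {"from_port": "3389", "to_port": "3389"}, "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
 {"id": "r-ssh", "direction": "INGRESS", "protocol_name": "TCP",
  "ports": {"from_port": "22", "to_port": "22"}, "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
 {"id": "r-admin", "direction": "INGRESS", "protocol_name": "TCP",
  "ports": {"from_port": "8001", "to_port": "8001"}, "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
 {"id": "r-proxy", "direction": "INGRESS", "protocol_name": "TCP",
  "ports": {"from_port": "8090", "to_port": "8090"}, "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}}
]}"""

def port_range(rule):
    """yc omits "ports" when a rule covers every port (as in the ICMP rule)."""
    ports = rule.get("ports")
    if not ports:
        return 0, 65535
    return int(ports["from_port"]), int(ports["to_port"])

def is_world_reachable(rule):
    """True if any v4 CIDR of the rule is a /0, i.e. the whole internet."""
    cidrs = rule.get("cidr_blocks", {}).get("v4_cidr_blocks", [])
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def find_exposed_management_rules(sg_json):
    """Return (rule_id, port, label) for each world-reachable ingress rule hitting a management port."""
    findings = []
    for rule in json.loads(sg_json).get("rules", []):
        if rule.get("direction") != "INGRESS" or not is_world_reachable(rule):
            continue
        if rule.get("protocol_name") not in ("TCP", "ANY"):  # ICMP cannot carry these services
            continue
        lo, hi = port_range(rule)
        findings.extend((rule["id"], p, label) for p, label in MANAGEMENT_PORTS.items() if lo <= p <= hi)
    return findings

if __name__ == "__main__":
    for rule_id, port, label in find_exposed_management_rules(SAMPLE_SG_JSON):
        print(f"rule {rule_id}: port {port} ({label}) open to 0.0.0.0/0; restrict it to your admin CIDR")
```

To audit the real group, pipe the output of `yc vpc security-group get usergate-sg --format json` into `find_exposed_management_rules` instead of the sample.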
Reserve a static public IP address
Your gateway will need a static public IP address.
- In the management console, navigate to the folder where you want to reserve an IP address.
- In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select IP addresses.
- Click Reserve address.
- In the window that opens, select ru-central1-d in the Availability zone field.
- Click Reserve.
Run this command:
yc vpc address create --external-ipv4 zone=ru-central1-d
Result:
id: e9b6un9gkso6********
folder_id: b1g7gvsi89m3********
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
address: 178.154.253.52
zone_id: ru-central1-d
requirements: {}
reserved: true
For more information about the yc vpc address create command, see the CLI reference.
Create a UserGate VM
- On the folder page in the management console, click Create resource and select Virtual machine instance.
- Under Boot disk image, in the Product search field, type UserGate NGFW and select a public UserGate NGFW image.
- Under Location, select the ru-central1-d availability zone.
- Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:
  - Platform: Intel Ice Lake
  - vCPU: 4
  - Guaranteed vCPU performance: 100%
  - RAM: 8 GB
  Note
  These settings will suffice for functional testing of the gateway. For the production environment, use the UserGate official recommendations.
- Under Network settings:
  - In the Subnet field, select usergate-network and usergate-subnet-ru-central1-d.
  - In the Public IP address field, select List and then select the previously reserved IP address from the list that opens.
  - In the Security groups field, select the usergate-sg group from the list.
- Under Access, select the SSH key option and specify the VM access credentials:
  - Under Login, specify a username. Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.
  - In the SSH key field, select the SSH key saved in your organization user profile.
    If there are no saved SSH keys in your profile, or you want to add a new key:
    - Click Add key.
    - Enter a name for the SSH key.
    - Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
    - Click Add.
    The SSH key will be added to your organization user profile.
    If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
- Under General information, specify the VM name: usergate-proxy.
- Click Create VM.
- Create an SSH key pair.
- Get the usergate-sg security group ID:
  yc vpc security-group get usergate-sg | grep "^id"
  For more information about the yc vpc security-group get command, see the CLI reference.
- Run this command:
  yc compute instance create \
    --name usergate-proxy \
    --memory 8 \
    --cores 4 \
    --zone ru-central1-d \
    --network-interface subnet-name=usergate-subnet-ru-central1-d,nat-ip-version=ipv4,security-group-ids=<usergate-sg_security_group_ID> \
    --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \
    --ssh-key <path_to_public_part_of_SSH_key>
  Result:
  id: fhm2na1siftp********
  folder_id: b1g86q4m5vej********
  created_at: "2022-06-09T11:15:52Z"
  name: usergate-proxy
  zone_id: ru-central1-d
  platform_id: standard-v2
  resources:
    memory: "8589934592"
    cores: "4"
    core_fraction: "100"
  status: RUNNING
  boot_disk:
    mode: READ_WRITE
    device_name: fhmiq60rni2t********
    auto_delete: true
    disk_id: fhmiq60rni2t********
  network_interfaces:
  - index: "0"
    mac_address: d0:0d:2b:a8:3c:93
    subnet_id: e9bqlr188as7********
    primary_v4_address:
      address: 10.1.0.27
      one_to_one_nat:
        address: 51.250.72.1
        ip_version: IPV4
  fqdn: fhm2na1siftp********.auto.internal
  scheduling_policy: {}
  network_settings:
    type: STANDARD
  placement_policy: {}
  For more information about the yc compute instance create command, see the CLI reference.
- In the list of public images, find the latest version of the UserGate NGFW and get its ID.
- Describe the usergate-proxy VM settings in the terraform configuration file:
  resource "yandex_compute_disk" "boot-disk" {
    name     = "boot-disk"
    type     = "network-hdd"
    zone     = "ru-central1-d"
    size     = "110"
    image_id = "<UserGate_NGFW_image_ID>"
  }

  resource "yandex_compute_instance" "usergate-proxy" {
    name        = "usergate-proxy"
    platform_id = "standard-v3"
    zone        = "ru-central1-d"
    hostname    = "usergate"

    resources {
      cores         = 4
      core_fraction = 100
      memory        = 8
    }

    boot_disk {
      disk_id = yandex_compute_disk.boot-disk.id
    }

    network_interface {
      subnet_id          = "${yandex_vpc_subnet.usergate-subnet.id}"
      nat                = true
      security_group_ids = ["<usergate-sg_security_group_ID>"]
    }
  }
  For more information, see the yandex_compute_instance resource description in the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the terminal, navigate to your configuration file directory.
  - Run a check using this command:
    terraform plan
    If the configuration is correct, you will see a detailed description of new resources; otherwise, Terraform will display configuration errors.
- Deploy your cloud resources.
  - Once your configuration is correct, run this command:
    terraform apply
  - When asked to confirm changes, type yes and press Enter.

To create the usergate-proxy VM, use the create REST API method for the Instance resource.
Set up the UserGate NGFW
Open the UserGate NGFW admin web UI at https://<VM_public_IP>:8001 and log in with the default credentials: Admin / utm.
Once you log in, the system will prompt you to change the default password and update the OS.
Configure your gateway as a proxy server
Set up the UserGate NGFW as a proxy server:
- In the top menu, select Settings.
- In the left menu, navigate to Network ⟶ Zones.
- Click the Trusted zone.
- Click Access control, enable Administration console, and click Save.
- In the left menu, navigate to Network ⟶ Interfaces.
- Click the port0 network interface.
- On the General tab, select Trusted in the Zone field and click Save.
- In the left menu, click Network policies ⟶ Firewall.
- Click the Allow trusted to untrusted preset rule.
- Navigate to the Destination tab, disable the Untrusted zone, and click Save.
- Enable the Allow trusted to untrusted rule by selecting it and clicking Enable at the top of the screen.
- In the left menu, click Network policies ⟶ NAT and routing.
- Click the NAT from Trusted to Untrusted preset rule.
- Navigate to the Destination tab and change the destination zone from Untrusted to Trusted. Click Save.
- Enable the NAT from Trusted to Untrusted rule by selecting it and clicking Enable at the top of the screen.
Now that you have configured the UserGate gateway, you can use it as a proxy server by specifying its public IP address and port 8090 in the browser settings.
Set up traffic filtering rules
We recommend using the Block to botnets, Block from botnets, and Example block RU RKN by IP list default policies with customized settings:
- Click Network policies ⟶ Firewall.
- Click the name of a preset default policy from the list above.
- Navigate to the Source tab and change the source zone from Untrusted to Trusted.
- Navigate to the Destination tab and disable the Untrusted zone.
- Click Save.
- Enable the selected rule by selecting it and clicking Enable at the top of the screen.
Add more rules to enhance security:
- Click Network policies ⟶ Firewall.
- Add the first blocking rule:
  - At the top of the screen, click Add.
  - Specify the rule settings:
    - Name: Block QUIC protocol
    - Action: Deny
  - Navigate to the Source tab and select Trusted.
  - Click Service.
  - Click Add.
  - Select Quick UDP Internet Connections, click Add, and then Close.
  - Click Save.
- Add the second blocking rule:
  - At the top of the screen, click Add.
  - Specify the rule settings:
    - Name: Block Windows updates
    - Action: Deny
  - Navigate to the Source tab and select Trusted.
  - Click Applications.
  - Click Add ⟶ Add applications.
  - Select the Microsoft Update app and click Add.
  - Select the WinUpdate app, click Add, and then Close.
  - Click Save.
You can add more traffic filtering rules. When doing that, avoid combining services and applications in the same rule; otherwise, it might not trigger.
Set up content filtering rules
We recommend using the Example black list, Example threats sites, and Example AV check default policies:
- Navigate to the Security policies ⟶ Content filtering section.
- Enable the rules listed above by selecting them and clicking Enable at the top of the screen.
You can add more rules to enhance security:
- Navigate to the Security policies ⟶ Content filtering section.
- Add the content filtering rule:
  - At the top of the screen, click Add.
  - Specify the rule settings:
    - Name: Block social media
    - Actions: Deny
  - Navigate to the Source tab and select Trusted.
  - Click Categories.
  - Click Add.
  - Type Social media in the search bar, click Add, and then Close.
  - Click Save.
You can add more content filtering rules. When doing that, avoid adding multiple settings to the same rule; otherwise, it might not trigger.
Set up SSL inspection
By default, UserGate uses the CA (Default) certificate to decrypt traffic, but you can also add your own certificate.
To add a certificate:
- Click UserGate ⟶ Certificates.
- At the top of the screen, click Import.
- Fill out the certificate information:
  - Name: Certificate name of your choice.
  - Certificate file: Certificate file in DER, PEM, or PKCS12 format.
  - Private key: Optional, certificate private key.
  - Password: Optional, private key or PKCS12 container password.
  - Certificate chain: Optional, certificate chain file.
- Click Save.
- Click the name of the new certificate.
- In the Used field, select SSL inspection.
- Click Save.
- Add an SSL inspection rule:
  - Navigate to the Security policies ⟶ SSL inspection section.
  - At the top of the screen, click Add.
  - Specify the rule settings and click Save.
  Alternatively, you can use the Decrypt all for unknown users default SSL inspection rule.
How to delete the resources you created
To stop paying for the resources you created: