Creating and configuring a UserGate gateway in proxy server mode
You will create a UserGate virtual machine in Yandex Cloud and set up the gateway in proxy server mode. As a result, your employees will have secure internet access from anywhere (office, home, cafe, or other public areas). To learn about advanced UserGate features, take the free UserGate Getting Started course.
A typical diagram of running UserGate in the proxy server mode in Yandex Cloud is shown in the picture below.
To deploy a UserGate gateway:
- Prepare your cloud.
- Create a cloud network and subnet.
- Reserve a static public IP address.
- Create a UserGate VM.
- Set up the UserGate NGFW via the administrative console.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The price for the UserGate gateway includes:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using UserGate NGFW.
- Fee for using a public static IP address (see Yandex Virtual Private Cloud pricing).
Create a cloud network and subnet
Create a cloud network with subnets in the availability zones that will host your VM.
- On the folder page in the management console, click Create resource in the top-right corner and select Network.
- Enter the network name: usergate-network.
- In the Advanced field, enable the Create subnets option.
- Click Create network.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Create a network named usergate-network:
  yc vpc network create usergate-network
  Result:
  id: enptrcle5q3d********
  folder_id: b1g9hv2loamq********
  created_at: "2022-06-08T09:25:03Z"
  name: usergate-network
  default_security_group_id: enpbsnnop4ak********
  For more information about the yc vpc network create command, see the CLI reference.
- Create a subnet named usergate-subnet-ru-central1-a in the ru-central1-a availability zone:
  yc vpc subnet create usergate-subnet-ru-central1-a \
    --zone ru-central1-a \
    --network-name usergate-network \
    --range 10.1.0.0/16
  Result:
  id: e9bnnssj8sc8********
  folder_id: b1g9hv2loamq********
  created_at: "2022-06-08T09:27:00Z"
  name: usergate-subnet-ru-central1-a
  network_id: enptrcle5q3d********
  zone_id: ru-central1-a
  v4_cidr_blocks:
  - 10.1.0.0/16
  For more information about the yc vpc subnet create command, see the CLI reference.
- In the configuration file, describe the network parameters for usergate-network and its usergate-subnet-ru-central1-a subnet:
  resource "yandex_vpc_network" "usergate-network" {
    name = "usergate-network"
  }

  resource "yandex_vpc_subnet" "usergate-subnet" {
    name           = "usergate-subnet-ru-central1-a"
    zone           = "ru-central1-a"
    network_id     = "${yandex_vpc_network.usergate-network.id}"
    v4_cidr_blocks = ["10.1.0.0/16"]
  }
  For more information, see the description of the yandex_vpc_network and yandex_vpc_subnet resources in the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
- Create a network named usergate-network using the NetworkService/Create gRPC API call or the create REST API method for the Network resource.
- Create a subnet named usergate-subnet-ru-central1-a using the SubnetService/Create gRPC API call or the create REST API method for the Subnet resource.
Create a security group
- In the management console, go to the page of the folder where you want to create a group.
- In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select Security groups.
- Click Create security group.
- Enter the security group name: usergate-sg.
- In the Network field, select usergate-network.
- Under Rules, create the following rules using the instructions below the table:

  | Traffic direction | Description | Port range | Protocol | Destination name / Source | CIDR blocks |
  |---|---|---|---|---|---|
  | Outgoing | any | All | Any | CIDR | 0.0.0.0/0 |
  | Incoming | icmp | All | ICMPv6 | CIDR | 0.0.0.0/0 |
  | Incoming | rdp | 3389 | TCP | CIDR | 0.0.0.0/0 |
  | Incoming | ssh | 22 | TCP | CIDR | 0.0.0.0/0 |
  | Incoming | usergate 8001 | 8001 | TCP | CIDR | 0.0.0.0/0 |
  | Incoming | usergate 8090 | 8090 | TCP | CIDR | 0.0.0.0/0 |

  - Go to the Egress or Ingress tab.
  - Click Add rule. In the window that opens:
    - In the Port range field, specify a single port or a range of ports the traffic will come to or from.
    - In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
    - In the Destination name or Source field, select the purpose of the rule:
      - CIDR: Rule will apply to the range of IP addresses. In the CIDR blocks field, specify the CIDR and masks of subnets that traffic will come to or from. To add multiple CIDRs, click Add CIDR.
      - Security group: Rule will apply to the VMs from the current group or the selected security group.
    - Click Save.
- Click Save.
Run the following command:
yc vpc security-group create usergate-sg \
--network-name usergate-network \
--rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=22,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=8001,protocol=tcp,v4-cidrs=[0.0.0.0/0] \
--rule direction=ingress,port=8090,protocol=tcp,v4-cidrs=[0.0.0.0/0]
Result:
id: enpu0e0nrqdn********
folder_id: b1g86q4m5vej********
created_at: "2022-06-29T09:38:40Z"
name: usergate-sg
network_id: enp3srbi9u49********
status: ACTIVE
rules:
- id: enpdp9d0ping********
direction: EGRESS
protocol_name: ANY
protocol_number: "-1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enps2r5ru3s1********
direction: INGRESS
protocol_name: ICMP
protocol_number: "1"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpgonbui61a********
direction: INGRESS
ports:
from_port: "3389"
to_port: "3389"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpbg1jh11hv********
direction: INGRESS
ports:
from_port: "22"
to_port: "22"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enpgdavevku7********
direction: INGRESS
ports:
from_port: "8001"
to_port: "8001"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
- id: enp335ibig9k********
direction: INGRESS
ports:
from_port: "8090"
to_port: "8090"
protocol_name: TCP
protocol_number: "6"
cidr_blocks:
v4_cidr_blocks:
- 0.0.0.0/0
For more information about the yc vpc security-group create command, see the CLI reference.
- Add the usergate-sg security group parameters to the configuration file:
  resource "yandex_vpc_security_group" "usergate-sg" {
    name       = "usergate-sg"
    network_id = "${yandex_vpc_network.usergate-network.id}"

    egress {
      protocol       = "ANY"
      port           = "ANY"
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "ICMP"
      port           = "ANY"
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "TCP"
      port           = 3389
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "TCP"
      port           = 22
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "TCP"
      port           = 8001
      v4_cidr_blocks = ["0.0.0.0/0"]
    }

    ingress {
      protocol       = "TCP"
      port           = 8090
      v4_cidr_blocks = ["0.0.0.0/0"]
    }
  }
  For more information about the resource, see the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
- Use the SecurityGroupService/Create gRPC API call or the create REST API method.
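The rules above admit SSH (22), RDP (3389) and the UserGate admin console (8001) from 0.0.0.0/0, which is convenient for a lab but wider than a production gateway needs. The following audit script is an added example, not part of the original tutorial or of the yc tooling: it reads the security group as JSON (it assumes `yc vpc security-group get usergate-sg --format json` returns the same field names as the YAML shown above), reports admin ports reachable from anywhere, and builds replacement rule specifications in the same `--rule` syntax the create command uses, limited to an admin CIDR you supply. The sample group embedded in the script is constructed from the tutorial's rules with placeholder IDs.

```python
"""Audit a Yandex Cloud security group for admin ports open to the whole internet
and build the restricted replacement rules (added example; assumes --format json output)."""
import json

# Remote-access and management ports the tutorial's usergate-sg opens to 0.0.0.0/0.
# Port 8090 is the proxy service itself and must stay reachable by its users, so it
# is deliberately not in this set.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 8001: "usergate admin console"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _ingress_tcp(port):
    """Constructed rule in the shape yc returns (placeholder IDs)."""
    return {"id": "<rule_id>", "direction": "INGRESS", "protocol_name": "TCP",
            "protocol_number": "6", "ports": {"from_port": str(port), "to_port": str(port)},
            "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}}


# Constructed sample mirroring the tutorial's usergate-sg rules.
SAMPLE_SG_JSON = json.dumps({
    "id": "<security_group_id>", "name": "usergate-sg", "status": "ACTIVE",
    "rules": [
        {"id": "<rule_id>", "direction": "EGRESS", "protocol_name": "ANY",
         "protocol_number": "-1", "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
        {"id": "<rule_id>", "direction": "INGRESS", "protocol_name": "ICMP",
         "protocol_number": "1", "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
        _ingress_tcp(3389), _ingress_tcp(22), _ingress_tcp(8001), _ingress_tcp(8090),
    ],
})


def rule_port_range(rule):
    """Ports a rule covers; a rule without a ports block applies to every port."""
    ports = rule.get("ports")
    if ports is None:
        return range(0, 65536)
    return range(int(ports["from_port"]), int(ports["to_port"]) + 1)


def rule_cidrs(rule):
    blocks = rule.get("cidr_blocks", {})
    return set(blocks.get("v4_cidr_blocks", [])) | set(blocks.get("v6_cidr_blocks", []))


def exposed_admin_ports(sg_json):
    """Return sorted [(port, label), ...] for admin ports reachable over TCP from anywhere."""
    findings = set()
    for rule in json.loads(sg_json).get("rules", []):
        if rule.get("direction") != "INGRESS" or rule.get("protocol_name") not in ("TCP", "ANY"):
            continue
        if not rule_cidrs(rule) & ANYWHERE:
            continue
        covered = rule_port_range(rule)
        findings.update((p, label) for p, label in ADMIN_PORTS.items() if p in covered)
    return sorted(findings)


def restricted_rule_flags(admin_cidr):
    """Rule specs (the --rule syntax used above) that admit admin ports only from admin_cidr."""
    return [f"direction=ingress,port={p},protocol=tcp,v4-cidrs=[{admin_cidr}]"
            for p in sorted(ADMIN_PORTS)]


if __name__ == "__main__":
    for port, label in exposed_admin_ports(SAMPLE_SG_JSON):
        print(f"open to the internet: tcp/{port} ({label})")
    print("replace with:", *restricted_rule_flags("<admin_CIDR>"), sep="\n  ")
```

Run it against live output by piping `yc vpc security-group get usergate-sg --format json` into `exposed_admin_ports`; the proxy port 8090 is intentionally left open because clients connect to it.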
Reserve a static public IP address
The gateway will need a static public IP address.
- In the management console, go to the page of the folder where you want to reserve an IP address.
- In the list of services, select Virtual Private Cloud.
- In the left-hand panel, select IP addresses.
- Click Reserve address.
- In the window that opens, select the ru-central1-a availability zone in the Availability zone field.
- Click Reserve.
Run this command:
yc vpc address create --external-ipv4 zone=ru-central1-a
Result:
id: e9b6un9gkso6********
folder_id: b1g7gvsi89m3********
created_at: "2022-06-08T17:52:42Z"
external_ipv4_address:
address: 178.154.253.52
zone_id: ru-central1-a
requirements: {}
reserved: true
For more information about the yc vpc address create command, see the CLI reference.
Create a UserGate VM
- On the folder page in the management console, click Create resource in the top-right corner.
- Select Virtual machine instance.
- Enter the VM name: usergate-proxy.
- Select the availability zone: ru-central1-a.
- Under Boot disk image, go to the Marketplace tab and select the UserGate NGFW image.
- Under Computing resources:
  - Select the platform: Intel Ice Lake.
  - Specify the required number of vCPUs and the amount of RAM:
    - vCPU: 4
    - Guaranteed vCPU performance: 100%
    - RAM: 8 GB
    Note
    These parameters are appropriate for functional testing of the gateway. To calculate the parameters for a production workload, refer to the UserGate product guidelines.
- Under Network settings:
  - Select the network: usergate-network and the subnet: usergate-subnet-ru-central1-a.
  - In the Public IP field, select List and then select the previously reserved IP from the list that opens.
  - In the Security groups field, select the usergate-sg group from the list.
- Under Access, specify the data for access to the VM:
  - Enter the username into the Login field.
  - In the SSH key field, paste the contents of the public key file.
    You will need to create a key pair for the SSH connection yourself; see Creating an SSH key pair for details.
- Click Create VM.
- Create an SSH key pair.
- Get the usergate-sg security group ID:
  yc vpc security-group get usergate-sg | grep "^id"
  For more information about the yc vpc security-group get command, see the CLI reference.
- Run this command:
  yc compute instance create \
    --name usergate-proxy \
    --memory 8 \
    --cores 4 \
    --zone ru-central1-a \
    --network-interface subnet-name=usergate-subnet-ru-central1-a,nat-ip-version=ipv4,security-group-ids=<usergate-sg_security_group_ID> \
    --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \
    --ssh-key <path_to_public_part_of_SSH_key>
  Result:
  id: fhm2na1siftp********
  folder_id: b1g86q4m5vej********
  created_at: "2022-06-09T11:15:52Z"
  name: usergate-proxy
  zone_id: ru-central1-a
  platform_id: standard-v2
  resources:
    memory: "8589934592"
    cores: "4"
    core_fraction: "100"
  status: RUNNING
  boot_disk:
    mode: READ_WRITE
    device_name: fhmiq60rni2t********
    auto_delete: true
    disk_id: fhmiq60rni2t********
  network_interfaces:
  - index: "0"
    mac_address: d0:0d:2b:a8:3c:93
    subnet_id: e9bqlr188as7********
    primary_v4_address:
      address: 10.1.0.27
      one_to_one_nat:
        address: 51.250.72.1
        ip_version: IPV4
  fqdn: fhm2na1siftp********.auto.internal
  scheduling_policy: {}
  network_settings:
    type: STANDARD
  placement_policy: {}
  For more information about the yc compute instance create command, see the CLI reference.
- Get an ID of the latest version of the UserGate NGFW gateway from the list of public images.
- In the configuration file, describe the parameters of the usergate-proxy VM:
  resource "yandex_compute_disk" "boot-disk" {
    name     = "boot-disk"
    type     = "network-hdd"
    zone     = "ru-central1-a"
    size     = "110"
    image_id = "<UserGate_NGFW_image_ID>"
  }

  resource "yandex_compute_instance" "usergate-proxy" {
    name        = "usergate-proxy"
    platform_id = "standard-v3"
    zone        = "ru-central1-a"
    hostname    = "usergate"

    resources {
      cores         = 4
      core_fraction = 100
      memory        = 8
    }

    boot_disk {
      disk_id = yandex_compute_disk.boot-disk.id
    }

    network_interface {
      subnet_id          = "${yandex_vpc_subnet.usergate-subnet.id}"
      nat                = true
      # security_group_ids is a list, so the ID goes inside brackets
      security_group_ids = ["<usergate-sg_security_group_ID>"]
    }
  }
  For more information, see the yandex_compute_instance resource description in the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
- Create a VM named usergate-proxy using the create REST API method for the Instance resource.
Set up the UserGate NGFW via the admin console
To set up a gateway, go to the UserGate NGFW admin console at https://<VM_public_IP_address>:8001 and log in with the default credentials (username: Admin, password: utm).
When you are logged in, the system prompts you to change the default password and update the OS.
Set up the gateway to run in the proxy server mode
Set up the UserGate NGFW for running in proxy server mode:
- In the top menu, select Settings.
- In the menu on the left, go to Network ⟶ Zones.
- Click the Trusted zone name.
- Click Access control, then enable Administration console. Click Save.
- In the menu on the left, go to Network ⟶ Interfaces.
- Click the port0 network interface name.
- In the General tab, in the Zone field, select the Trusted zone from the list. Click Save.
- In the menu on the left, click Network policies ⟶ Firewall.
- Click the name of the preset Allow trusted to untrusted rule.
- Go to the Destination tab and disable the Untrusted zone. Click Save.
- Enable the Allow trusted to untrusted rule. To do this, select the line with the rule and click Enable at the top of the screen.
- In the menu on the left, click Network policies ⟶ NAT and routing.
- Click the name of the preset NAT from Trusted to Untrusted rule.
- Go to the Destination tab and change the destination zone from Untrusted to Trusted. Click Save.
- Enable the NAT from Trusted to Untrusted rule. To do this, select the line with the rule and click Enable at the top of the screen.
The gateway is now set up. You can use UserGate as a proxy server by specifying its public IP address and port 8090 in the browser settings.
Set up the traffic filtering rules
We recommend using the following default policies: Block to botnets, Block from botnets, and Example block RU RKN by IP list. First change several parameters in them:
- Click Network policies ⟶ Firewall.
- Click the name of the preset rule.
- Click Source and change the source zone from Untrusted to Trusted.
- Go to the Destination tab and disable the Untrusted zone.
- Click Save.
- Enable the selected rule. To do this, select the line with the rule and click Enable at the top of the screen.
For higher security, set up more traffic filtering rules:
- Click Network policies ⟶ Firewall.
- Add the first blocking rule:
  - At the top of the screen, click Add.
  - Specify the rule parameters:
    - Name: Block QUIC protocol.
    - Action: Deny.
  - Go to the Source tab and select Trusted.
  - Click Service.
  - Click Add.
  - Select Quick UDP Internet Connections and click Add. After that, click Close.
  - Click Save.
- Add the second blocking rule:
  - At the top of the screen, click Add.
  - Specify the rule parameters:
    - Name: Block Windows updates.
    - Action: Deny.
  - Go to the Source tab and select Trusted.
  - Click Applications.
  - Click Add ⟶ Add applications.
  - Select the Microsoft Update app and click Add.
  - Select the WinUpdate app and click Add. After that, click Close.
  - Click Save.
You can also add other traffic filtering rules. We don't recommend combining services and applications in the same rule. The rule might not trigger in this case.
Set up the content filtering rules
We recommend enabling the following default policies: Example black list, Example threats sites, and Example AV check:
- Go to the Security policies ⟶ Content filtering section.
- Click the line with the selected rule, then click Enable at the top of the screen.
For higher security, set up more content filtering rules:
- Go to the Security policies ⟶ Content filtering section.
- Add the filtering rule:
  - At the top of the screen, click Add.
  - Specify the rule parameters:
    - Name: Block social media.
    - Actions: Deny.
  - Go to the Source tab and select Trusted.
  - Click Categories.
  - Click Add.
  - Type Social media in the search bar, then click Add. After that, click Close.
  - Click Save.
You can also add other content filtering rules. We don't recommend adding multiple parameters to the same rule. The rule might not trigger in this case.
Set up SSL inspection
By default, UserGate uses its own CA (Default) certificate to decrypt traffic. You can also add your own certificate.
To add a certificate:
- Click UserGate ⟶ Certificates.
- At the top of the screen, click Import.
- Fill out the certificate parameters:
  - Name: Type any name.
  - Certificate file: Select the certificate file in the DER, PEM, or PKCS12 format.
  - (Optional) Private key: Select a private key for the certificate.
  - (Optional) Password: Password for your private key or PKCS12 container.
  - (Optional) Certificate chain: Select a file if you need to return a complete certificate chain to your clients.
- Click Save.
- Click the name of the certificate you added.
- In the Used field, select SSL inspection.
- Click Save.
- Add a rule for SSL inspection:
  - Go to the Security policies ⟶ SSL inspection section.
  - At the top of the screen, click Add.
  - Fill out the rule parameters and click Save.
  You can also use the Decrypt all for unknown users default rule to enable SSL inspection.
How to delete the resources you created
To stop paying for the resources you created: