
Gateway Management - Business

Product Overview and Availability

Gateway.Management is a next-generation content filter and Internet gateway designed to combine on-premises performance with cloud-based intelligence. DNS, a fundamental building block of the Internet, is at the core of the software, together with dynamic firewall rules that let a homeowner, a business owner, or an enterprise IT team enforce the desired policy without proxies, SSL inspection, or other traditional techniques.

Gateway Management Business gives you granular control over each user’s Internet experience. The following features can be applied network wide or on a device by device basis:

  • Block inappropriate content
  • Block phishing and identity theft attempts
  • Block ads (even on mobile devices connected to WiFi)
  • Block behavioural profiling
  • Manage shared and custom lists

To keep things fast, Gateway Management Business performs all filtering on your ClearOS box; the policy is managed from a cloud-based interface. See the Gateway.Management website for more information.

PDF: Product Overview and Availability

For Gateway Management to be effective, it must be the DNS server for your LAN devices. Any device that sends its queries to a separate DNS server on your LAN is not protected by Gateway Management.
If you want to keep a separate DNS server on your LAN and still have Gateway Management protect the LAN, only ClearOS should point to that server, and the ClearOS DHCP server should hand out its own LAN IP as the DNS server to the clients.
Please note that the Proxy/Content Filter and Gateway Management apps are mutually exclusive: if the Proxy/Content Filter is running, do not use Gateway Management, and vice versa.

Getting Started

Procurement, Introduction and Pre-installation

Before you begin the installation, you will want to document the following items that will help you with your deployment and configuration:

  • Document all your internal domains on your local area network(s) (eg. mycompany.local)
  • Document all external domains for the purpose of split DNS administration. (eg. remote.example.com)
  • Document your current DHCP range(s) and statically assigned devices (eg. 192.168.5.100-200)
  • Document all your reverse DNS zones (eg. 5.168.192.in-addr.arpa)
  • Document your internal DNS servers (eg. 192.168.5.2, 192.168.5.3)
  • Document all your internal Active Directory and Samba Directory Servers if you have them (eg. 192.168.5.4, 192.168.5.5)
  • Document any proxy servers in use (if any)
  • List all your core business applications which require Internet access (eg. accounting, banking, and applications with their own Internet update mechanisms)
  • Verify you have layer 2 visibility of the machines under management from the gateway device (device identification relies on MAC addresses; see the end-user device check under Installation and deployment)
  • Document your IPv4 and IPv6 configuration and settings on your network.

PDF: Procurement, Introduction and Pre-installation

Installation and deployment

To deploy this app you will need to make arrangements with your IT staff to decommission certain services and functions that may be running. The following items should be done to accomplish the transition to Gateway.Management:

  • If this is an additional gateway, stop the DHCP service on the original gateway.
  • Start the DHCP server on the server running Gateway.Management, assuming it is now the single gateway for your network. If this does not describe your network configuration, contact support or visit the forums for assistance and recommendations.
  • Install and activate the software. Follow the steps below to find the app in the Marketplace and navigate to it. Once the installation is complete, enable the app and then start it. Use the default 'Block Page IP' unless that address conflicts with network resources in your LAN or enterprise; if you need to change it, you may need to contact technical support.
  • If this is your first installation, check the email account on record. Then validate the software status and verify that your gateway device shows as online in the Gateway.Management portal.
  • Run through the Quality Assurance steps which include:
    • Edit the list for your device to ensure that you can view all logs
      • Confirm this with the Who Am I tool
      • Verify that the dashboards are links in the log files
    • Verify that the 'MyBox' tool links back to your device locally. (eg. https://192.168.5.1:81)
    • Validate an end-user device
      • Make sure that the MAC address is correct. If not, you likely don't have layer 2 visibility to all your devices from your gateway.

Plan on a maintenance window of 30-60 minutes for the deployment and initial configuration of this app.

PDF: Installation and Deployment

Downloading and Installing the App from the Marketplace

If your system does not have this app available, you can install it via the Marketplace.

When installed and configured, an email will be sent to the account of record for the registration of your ClearOS server. If you are unsure about what email address this is, please log into your ClearSDN portal for your account.

Finding the App in the Menu

You can find this feature in the menu system at the following location:

<navigation>Gateway | Filtering | Gateway Management Business</navigation>

Gateway Management in the Marketplace

Configuration

Once you have Gateway Management Business installed on the server, it is time to configure and initialize the service.

Setup

Note that some features cannot be enforced in Standalone mode. In Gateway mode, firewall rules ensure that Gateway Management cannot be bypassed by changing a device's DNS server; in Standalone mode there is no such enforcement, so a client pointed at another resolver is not filtered at all. The recommended configuration is to run this app in Gateway mode under ClearOS.
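The following is an added example, not code from this page or from the Gateway.Management product. It is a small client-side probe a practitioner can run from a LAN device to confirm that the Gateway-mode enforcement just described is actually in place: it sends a hand-built DNS query for a name your policy blocks both to the ClearOS gateway and directly to an outside resolver, then interprets what came back. The names PROBE_NAME, BLOCK_IP, GATEWAY and OUTSIDE are assumptions for your environment, and the enforcement model (direct port-53 traffic is either dropped or transparently redirected to the gateway) is the behaviour the page describes, not the app's exact rules. The packet builder and parser are what make the check independent of the host's own resolver configuration.

```python
"""Added example (not ClearOS or Gateway.Management code): probe whether a
LAN client can bypass the gateway's DNS filtering."""

import random
import socket
import struct

PROBE_NAME = "blocked.example.com"   # assumption: a name your rule set blocks
BLOCK_IP = "192.168.200.1"           # assumption: the block page IP from the setup page
GATEWAY = "192.168.5.1"              # assumption: ClearOS LAN address
OUTSIDE = "8.8.8.8"                  # any public resolver the client should NOT reach directly


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, txid=None):
    """Standard A/IN query with the RD bit set. Returns (txid, packet)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack(">HH", 1, 1)


def build_response(query_pkt, ips, rcode=0):
    """Construct the reply a resolver would send for query_pkt. Used only for
    the offline self-check; on the wire the resolver produces this."""
    txid = struct.unpack(">H", query_pkt[:2])[0]
    question = query_pkt[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + question + answers


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return (txid, rcode, [A record addresses]) from a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, flags & 0x0F, ips


def query(server, name, timeout=2.0):
    """Send one UDP query; None on timeout or a mismatched transaction id."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    rid, _, ips = parse_response(data)
    return ips if rid == txid else None


def classify(direct_answer, block_ip=BLOCK_IP):
    """Interpret the answer the OUTSIDE resolver appeared to give for a name
    the policy blocks (assumption: blocked names resolve to the block page IP)."""
    if direct_answer is None:
        return "enforced: direct query to the outside resolver was dropped"
    if block_ip in direct_answer:
        return "enforced: direct query was redirected to the gateway (block page IP returned)"
    return "NOT enforced: the outside resolver answered with the real address"


if __name__ == "__main__":
    print("gateway answer :", query(GATEWAY, PROBE_NAME))
    print("outside verdict:", classify(query(OUTSIDE, PROBE_NAME)))
```

Run it from a client in Gateway mode and again in Standalone mode: only the former should report "enforced". A "NOT enforced" result means a user who changes their DNS settings walks straight past the filter.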

Box ID

The Box ID is a unique identifier used by the Gateway Management cloud system. You may need this information if you re-provision your ClearOS system.

Available LAN IP for Block Page

When a web page is blocked, Gateway Management displays a block page. This setting selects the IP address from which that page is served. The address must be an unused address on the LAN interface's subnet. Use the default unless it lies in a range already used by your environment.

Logging into the Gateway Management Dashboard

The Gateway Management dashboard controls all of your related settings.

After completing the setup, visiting the Gateway Management Business page in your ClearOS web-based configuration tool will give you a link to open your cloud dashboard.

Dashboard

You can also visit https://dashboard.gateway.management directly.

Using the Web at Gateway.Management

Lists, Rule Sets and Devices

Central to managing your gateway are the policies (rule sets) you create from lists: authoritative lists, rainbow lists, black lists and white lists. Every policy evaluates its lists in this order:

  • Authoritative
  • Rainbow
  • Black
  • White

The first list that matches a DNS request decides the outcome; the remaining lists are not consulted for that request. In particular, a name on a black list is blocked even if it also appears on a white list, because the black list is evaluated first.
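The following is an added example, not code from this page or from the Gateway.Management product: a minimal model of the order of operations above, so you can see which list wins for a given name before you commit a rule set. Assumptions, stated here and in the comments: a list entry covers the name itself and its subdomains; a Rainbow entry carries the resolver the query is forwarded to; an Authoritative entry carries the address answered directly; a Whitelist-type rule set denies anything no list matches and a Blacklist-type set allows it. The sample rule set follows the Active Directory advice given later on this page.

```python
"""Added example (not ClearOS or Gateway.Management code): evaluate a name
against Authoritative, Rainbow, Black and White lists, first match wins."""

from dataclasses import dataclass, field


@dataclass
class RuleSet:
    # Assumption: "whitelist" denies anything unmatched (Block All/Allow by
    # Exception); "blacklist" allows anything unmatched.
    kind: str
    authoritative: dict = field(default_factory=dict)  # name -> address answered directly
    rainbow: dict = field(default_factory=dict)        # name -> resolver to forward to
    black: set = field(default_factory=set)
    white: set = field(default_factory=set)


def _match(name, entries):
    """Return the entry covering name: the name itself or the closest parent
    domain present in entries (assumption: an entry covers its subdomains)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


def evaluate(ruleset, name):
    """Apply the page's order of operations: Authoritative, Rainbow, Black,
    White. The first list that matches decides; later lists are ignored.
    Returns (action, detail)."""
    hit = _match(name, ruleset.authoritative)
    if hit is not None:
        return "answer", ruleset.authoritative[hit]
    hit = _match(name, ruleset.rainbow)
    if hit is not None:
        return "forward", ruleset.rainbow[hit]
    hit = _match(name, ruleset.black)
    if hit is not None:
        return "block", hit
    hit = _match(name, ruleset.white)
    if hit is not None:
        return "allow", hit
    if ruleset.kind == "whitelist":
        return "block", "default-deny"
    return "allow", "default-allow"


def example_ruleset():
    """Sample (constructed) Whitelist-type rule set: the AD domain and its
    reverse zone are forwarded to the domain controller, one ad host is
    blacklisted inside an otherwise whitelisted domain."""
    return RuleSet(
        kind="whitelist",
        authoritative={"blockpage.local": "192.168.200.1"},
        rainbow={"mycompany.local": "192.168.5.4",
                 "5.168.192.in-addr.arpa": "192.168.5.4"},
        black={"ads.example.com"},
        white={"example.com", "clearos.com"},
    )


if __name__ == "__main__":
    rs = example_ruleset()
    for n in ["dc1.mycompany.local", "20.5.168.192.in-addr.arpa", "www.example.com",
              "tracker.ads.example.com", "updates.unknown.net", "blockpage.local"]:
        print(f"{n:28} -> {evaluate(rs, n)}")
```

The interesting case is tracker.ads.example.com: example.com is whitelisted, but the black list is consulted first, so the name is blocked. Swap the two checks and the same rule set silently allows it, which is why the order matters.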

PDF: Lists, Rule Sets and Devices

Don't Talk to Strangers - Feature

One important additional security feature of Gateway.Management is “Don't Talk to Strangers” (DTTS). With DTTS enabled, the gateway proactively blocks connections to destinations that were not obtained through a DNS resolution. Applications and services that try to circumvent DNS by connecting to addresses directly (many BitTorrent clients, unauthorized VPNs, botnets and the like) are therefore blocked.

Legitimate software that must connect by IP address needs an exception; create these under the DTTS Bypass feature.
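The following is an added example, not code from this page or from the Gateway.Management product: a model of the DTTS rule run over constructed DNS-answer and connection logs, so the effect of the feature (and of a DTTS Bypass entry) can be seen before enabling it on a live network. Assumptions, stated here and in the comments: the gateway tracks answers per client and they expire at answer time plus TTL; DTTS Bypass entries are CIDR ranges; both log formats are made up for this example and do not match the portal's export.

```python
"""Added example (not ClearOS or Gateway.Management code): which connections
would DTTS block, given the DNS answers the gateway handed out."""

import ipaddress
from datetime import datetime, timedelta

# Constructed sample of DNS answers served by the gateway:
# "<time> <client> <name> <ip> <ttl>"
DNS_ANSWERS = """\
2021-11-08T10:00:00 192.168.5.20 www.example.com 93.184.216.34 300
2021-11-08T10:00:05 192.168.5.20 mail.example.com 203.0.113.25 60
"""

# Constructed sample of outbound connections seen by the gateway:
# "<time> <client> <dst_ip> <dst_port> <proto>"
CONNECTIONS = """\
2021-11-08T10:00:02 192.168.5.20 93.184.216.34 443 tcp
2021-11-08T10:00:10 192.168.5.20 198.51.100.77 6881 udp
2021-11-08T10:00:12 192.168.5.21 93.184.216.34 443 tcp
2021-11-08T10:00:20 192.168.5.20 10.99.0.5 1194 udp
2021-11-08T10:02:00 192.168.5.20 203.0.113.25 25 tcp
"""

# Assumption: DTTS Bypass entries are CIDR ranges (here a VPN peer range).
BYPASS = ["10.99.0.0/16"]


def _records(text):
    """Split whitespace-separated log lines into field tuples, skipping blanks."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def load_answers(text):
    """Index answers as (client, ip) -> [(valid_from, valid_until, name)].
    Assumption: answers are tracked per client and expire with the TTL."""
    table = {}
    for t, client, name, ip, ttl in _records(text):
        when = datetime.fromisoformat(t)
        table.setdefault((client, ip), []).append(
            (when, when + timedelta(seconds=int(ttl)), name))
    return table


def resolved_name(table, client, ip, when):
    """The name this client resolved to ip that is still valid at `when`, else None."""
    for start, end, name in table.get((client, ip), []):
        if start <= when <= end:
            return name
    return None


def dtts_verdicts(dns_text, conn_text, bypass=BYPASS):
    """Return (time, client, destination, verdict, reason) for every connection."""
    table = load_answers(dns_text)
    nets = [ipaddress.ip_network(n) for n in bypass]
    verdicts = []
    for t, client, dst, port, proto in _records(conn_text):
        when = datetime.fromisoformat(t)
        target = f"{dst}:{port}/{proto}"
        if any(ipaddress.ip_address(dst) in net for net in nets):
            verdicts.append((t, client, target, "allow", "DTTS bypass"))
            continue
        name = resolved_name(table, client, dst, when)
        if name:
            verdicts.append((t, client, target, "allow", name))
        else:
            verdicts.append((t, client, target, "block", "no DNS resolution"))
    return verdicts


if __name__ == "__main__":
    for verdict in dtts_verdicts(DNS_ANSWERS, CONNECTIONS):
        print(*verdict)
```

Three of the five sample connections are blocked: the direct connection to 198.51.100.77:6881 (a torrent-style peer that was never resolved), the client 192.168.5.21 reusing an address that only 192.168.5.20 resolved, and the SMTP connection made after the 60-second TTL expired. The OpenVPN connection to 10.99.0.5 is allowed only because of the bypass entry, which is the kind of exception the DTTS Bypass feature exists for.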

PDF: Don't Talk To Strangers (DTTS)

Customization and Tailoring

The more you customize your environment the more difficult it will be for internet abusers to circumvent or exploit your network.

PDF: Customization and Tailoring

Active Directory Considerations

If you are using Active Directory in your environment, you will want to customize and tailor the mechanisms of your DNS resolution to properly configure Gateway.Management and AD DNS to work together.

Please see this ADAMnetworks support article for setting up Gateway management in an Active Directory domain.

Please see the note below about the No Internet rule in an AD environment.

Customizing Device names

You can edit the names of devices behind your gateway to make them more manageable and to improve visibility in reporting. In the Devices section, click 'edit' to manage an individual device.

You can also add devices manually if layer 2 discovery is not in place (for example, a device behind another router whose MAC address the gateway cannot see). Simply add the device.

Tags

Tags can be used to group devices on larger networks for more efficient management.

Block Page Assistant

The Block Page Assistant is a plugin for Google Chrome. When an HTTPS site is blocked, the browser is sent to the block page IP, whose certificate does not match the site requested, so the user would normally see a certificate warning; the plugin shows a descriptive block message instead.

Unblocking

Users who are blocked can request an unblock from their block page. Requests queue on the 'Unblock Requests' page in the Gateway.Management portal, where you can whitelist them manually or automatically.

A request can only be auto-whitelisted if the site:

  • Is clean according to Google Safe Browsing
  • Falls into an acceptable category
  • Is not adult content
  • Has a known good reputation

Managers

You can add Managers so that additional trusted people can maintain your whitelists and process unblock requests.

Additional Resources

Customized Block Page

You can customize your block page in the interface. Remember to whitelist the location of your custom block page; otherwise the block page itself will be blocked.

No Internet Rule Set with Active Directory Domains

This is a fairly drastic rule set and disables Rainbow lists. In an Active Directory environment it will also cut off your intranet, including shares and anything else that needs the AD DNS server for name resolution, and will therefore prevent logging on to the Active Directory domain.

It may be more appropriate to:

  • Create a new Rule Set of the Whitelist type
  • Add your domain to the list, and possibly your reverse zone (e.g. 1.168.192.in-addr.arpa)
  • Enable any Rainbow rule you have for your Active Directory Domain Controllers
  • Assign your devices to this Rule Set rather than the No Internet rule set

Troubleshooting

ClearOS Updates and Whitelist policies

If you run a Whitelist-type policy that covers ClearOS itself, you can end up blocking more than you expect: all ClearOS updates and Marketplace transactions, and a good deal else. At a minimum, subscribe to the ClearOS Resources Verified Whitelist under Subscriptions and enable that subscription in your policy; this allows ClearOS updates to function.

Depending on how you use the server, a number of programs will still be blocked. You may need to create a My Rules rule and add domains such as clamav.net (for the antivirus), the various RBL domains queried by the Anti Spam engine, api.letsencrypt.org (for Let's Encrypt certificates, see below), and so on. Expect to monitor the logs for a while at the start: filter them for client 127.0.0.1 to see what the server itself is being blocked from, and keep watching over a period of days or more, since many of these lookups are periodic. As a sledgehammer you could whitelist the whole server (127.0.0.1), but that undermines the Whitelist policy that gives you the most protection.
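The following is an added example, not code from this page or from the Gateway.Management product: a triage of exported log lines that does the "filter for 127.0.0.1 over a period of days" step above, producing a ranked list of names to put into a My Rules whitelist instead of whitelisting the whole server. The line format and every sample line are constructed for this example (the portal's real export differs), and the parent-domain grouping assumes a two-label parent, which is wrong for ccTLDs such as .co.uk.

```python
"""Added example (not ClearOS or Gateway.Management code): find what a
Whitelist policy blocks for the ClearOS server itself (client 127.0.0.1)."""

from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<timestamp> <client> <name> <action> <matched rule>"
SAMPLE_LOG = """\
2021-11-05T02:10:11 127.0.0.1 database.clamav.net BLOCK default-deny
2021-11-05T02:10:12 127.0.0.1 database.clamav.net BLOCK default-deny
2021-11-05T03:00:00 127.0.0.1 zen.spamhaus.org BLOCK default-deny
2021-11-05T04:00:00 192.168.5.20 www.example.com ALLOW white:example.com
2021-11-05T09:15:30 127.0.0.1 mirror.clearos.com ALLOW subscription:clearos-resources
2021-11-06T02:10:11 127.0.0.1 database.clamav.net BLOCK default-deny
2021-11-06T03:00:00 127.0.0.1 zen.spamhaus.org BLOCK default-deny
2021-11-07T02:10:11 127.0.0.1 database.clamav.net BLOCK default-deny
2021-11-07T05:30:00 127.0.0.1 acme-v02.api.letsencrypt.org BLOCK default-deny
2021-11-07T05:30:01 127.0.0.1 acme-v02.api.letsencrypt.org BLOCK default-deny
"""


def _records(text):
    """Yield (timestamp, client, name, action, rule) per non-blank line."""
    for line in text.splitlines():
        if line.strip():
            ts, client, name, action, rule = line.split(None, 4)
            yield datetime.fromisoformat(ts), client, name.lower().rstrip("."), action, rule


def blocked_for_client(log_text, client="127.0.0.1"):
    """Per blocked name: hit count, distinct days seen, first and last time."""
    stats = {}
    for ts, c, name, action, _ in _records(log_text):
        if c != client or action != "BLOCK":
            continue
        s = stats.setdefault(name, {"hits": 0, "days": set(), "first": ts, "last": ts})
        s["hits"] += 1
        s["days"].add(ts.date())
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def whitelist_candidates(stats, min_days=2):
    """Names blocked on at least min_days distinct days: recurring server
    traffic (update checks, RBL lookups, ACME renewals) rather than one-off
    noise. Most persistent first."""
    names = [n for n, s in stats.items() if len(s["days"]) >= min_days]
    names.sort(key=lambda n: (-len(stats[n]["days"]), -stats[n]["hits"], n))
    return names


def group_by_parent(names):
    """Group hostnames under a parent domain so the report shows whether one
    broader entry (e.g. clamav.net) would cover several blocked hosts.
    Assumption: the parent is the last two labels."""
    groups = defaultdict(list)
    for n in names:
        groups[".".join(n.split(".")[-2:])].append(n)
    return dict(groups)


if __name__ == "__main__":
    stats = blocked_for_client(SAMPLE_LOG)
    for name in whitelist_candidates(stats, min_days=1):
        s = stats[name]
        print(f"{name:32} hits={s['hits']} days={len(s['days'])} "
              f"first={s['first']} last={s['last']}")
    print(group_by_parent(stats))
```

Run it against a few days of exported logs rather than a single day; in the sample, the Let's Encrypt host has only been seen once because renewals are infrequent, so a short observation window would miss it.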

OpenVPN

Please see the OpenVPN with Gateway Management/DNSThingy section of the OpenVPN documentation.

If you had set up any enablers or custom firewall rules to allow LAN access for OpenVPN clients, these have not been necessary since Gateway Management v2.5 was released and can be removed.

Let's Encrypt

Depending on your default settings, and especially if Gateway Management is in Block All/Allow by Exception mode (or possibly Allow Only the Good mode) as the default policy, the Let's Encrypt servers may be blocked and you will not be able to obtain or renew certificates. You can test from the command line with:

ping -c 3 acme-v02.api.letsencrypt.org

Note that ping tests both name resolution and ICMP reachability: if the name fails to resolve, or resolves to your block page IP (dig or host will show you which), the DNS policy is the problem; a correct address that simply gets no replies points elsewhere. If the name is being blocked, create a Whitelist rule for it and add it to your policy. If that does not work, create a Forwarding/Rainbow list that forwards api.letsencrypt.org to your preferred DNS server (or a public resolver such as 1.1.1.1 or 8.8.8.8) and enable this rule in your default rule set.


content/en_us/7_ug_gateway_management_business.txt · Last modified: 2021/11/08 16:29 by 62.30.63.90