Gateway.Management is a next-generation content filter and Internet gateway designed with a purposeful architecture to maximize on-premise performance with cloud-based intelligence. DNS, as a fundamental building block of the Internet, is at the core of this software along with strategic and dynamic firewall rules designed to allow a homeowner, a business owner, or an enterprise IT team to enforce desired policies without the use of proxies, SSL inspection, or other traditional techniques.
Gateway Management Business gives you granular control over each user’s Internet experience. The following features can be applied network wide or on a device by device basis:
To maintain speed, Gateway Management Business performs all filtering on your ClearOS box. It is controlled with a Cloud based interface. For extended information see the Gateway.Management website for more details.
<div classes #id width uk-grid :language> <div classes #id width uk-width-medium-3-1 :language><div classes #id width pdflink :language>PDF</div> </div><div classes #id width uk-width-medium-3-2 :language> Product Overview and Availability </div> </div>
<note>For Gateway Management to be effective, it must be the DNS server for for your LAN devices. If you have a separate DNS server on your LAN, any devices using the separate DNS server for their queries will not be protected by Gateway Management.
If you want to run a separate DNS server on your LAN and have Gateway management protect the LAN, only ClearOS should point to it. Also the ClearOS DHCP server should hand out its own LAN IP as the DNS server to the clients.</note>
<note warning>Please note that the Proxy/Content Filter and Gateway Management apps are mutually exclusive. If you have the Proxy/Content Filter running, you should not use Gateway Management and vice-versa</note>
Before you begin the installation, you will want to document the following items that will help you with your deployment and configuration:
<div classes #id width uk-grid :language> <div classes #id width uk-width-medium-3-1 :language><div classes #id width pdflink :language>PDF</div> </div><div classes #id width uk-width-medium-3-2 :language> Procurement, Introduction and pre-installation </div> </div>
To deploy this app you will need to make arrangements with your IT staff to decommission certain services and functions that may be running. The following items should be done to accomplish the transition to Gateway.Management:
Plan on a maintenance window of 30-60 minutes for the deployment and initial configuration of this app.
<div classes #id width uk-grid :language> <div classes #id width uk-width-medium-3-1 :language><div classes #id width pdflink :language>PDF</div> </div><div classes #id width uk-width-medium-3-2 :language> Installation and deployment </div> </div>
If your system does not have this app available, you can install it via the Marketplace.
When installed and configured, an email will be sent to the account of record for the registration of your ClearOS server. If you are unsure about what email address this is, please log into your ClearSDN portal for your account.
You can find this feature in the menu system at the following location:
<navigation>Gateway | Filtering | Gateway Management Business</navigation>
Once you have Gateway Management Business installed on the server, it is time to configure and initialize the service.
<note warning>Note that some features cannot be enforced in Standalone mode. For example, in Gateway mode firewall rules are used to ensure that Gateway Management cannot be bypassed by changing a device's DNS server. In Standalone mode this cannot be enforced. The recommended configuration is to use this app in Gateway mode under ClearOS.</note>
The Box ID is a unique identifier used by the Gateway Management cloud system. You may need this information if you re-provision your ClearOS system.
When a web page is blocked, Gateway Management displays a block page. This allows you to select from which IP that page will be displayed. This IP must NOT be on the same subnet as the LAN interface and it must not be in use. You typically want to use the IP address given by default unless that address lies in a range already used by your environment.
The Gateway Management dashboard controls all of your related settings.
After completing the setup, visiting the Gateway Management Business page in your ClearOS web-based configuration tool will give you a link to open your cloud dashboard.
You can also visit https://dashboard.gateway.management directly.
Key to the management of your new gateway's management is the use of policies that you will create. These lists include authoritative lists, black lists, white lists, and rainbow lists. The following order of operations exists for all policies:
Once a match has been achieved, the other policy rules are disregarded for a particular DNS request.
<div classes #id width uk-grid :language> <div classes #id width uk-width-medium-3-1 :language><div classes #id width pdflink :language>PDF</div> </div><div classes #id width uk-width-medium-3-2 :language> Lists Rule Sets and Devices </div> </div>
One important additional security feature provided by Gateway.Management is the “Don't Talk to Strangers” feature (or DTTS.) This feature makes it so that connections that do not have a DNS resolution are proactively blocked by the gateway. This means that a number of applications and services that try to circumvent DNS (like many Bittorrents, unauthorized VPNs, botnets, et al.) will be blocked.
To create bypass rules, look for the DTTS Bypass feature.
<div classes #id width uk-grid :language> <div classes #id width uk-width-medium-3-1 :language><div classes #id width pdflink :language>PDF</div> </div><div classes #id width uk-width-medium-3-2 :language> Don’t Talk To Strangers (DTTS) </div> </div>
The more you customize your environment the more difficult it will be for internet abusers to circumvent or exploit your network.
<div classes #id width uk-grid :language> <div classes #id width uk-width-medium-3-1 :language><div classes #id width pdflink :language>PDF</div> </div><div classes #id width uk-width-medium-3-2 :language> Customization and Tailoring </div> </div>
If you are using Active Directory in your environment, you will want to customize and tailor the mechanisms of your DNS resolution to properly configure Gateway.Management and AD DNS to work together.
Please see this DNSThingy support article for setting up Gateway management in an Active Directory domain.
Please see the note below about the No Internet rule in an AD environment.
You can edit the device names of devices behind your gateway to make them more manageable and to increase visibility in reporting. In the Devices section, click the 'edit' button to manage individual devices.
You can also add devices manually if layer 3 discovery is not in place. Simply add the device.
Tags can be used to group larger networks for more efficient management
The Block Page Assistant is a plugin for Google Chrome that allows your secure browser to give a descriptive block message instead of a security warning.
Users who are blocked can request unblocks from their block page. These will queue in your 'Unblock Requests' page in the Gateway.Management portal. You can manually or automatically whitelist the requests.
You can only auto-whitelist as long as the page is:
You can add Managers so that additional people can manage your whitelists and unblock requests can be processed by multiple trusted individuals.
You can customize your block page in the interface. Don't forget to whitelist your block page!!!
This is a somewhat draconian rule and will disable Rainbow lists. If you have an Active Directory environment, it probably also cut off your Intranet including shares and anything which needs the AD DNS server for name resolution. It will, therefore, stop logging onto an Active Directory domain as well.
It may be more appropriate to: