Gateway.Management is a next-generation content filter and Internet gateway designed with a purposeful architecture to maximize on-premise performance with cloud-based intelligence. DNS, as a fundamental building block of the Internet, is at the core of this software along with strategic and dynamic firewall rules designed to allow a homeowner, a business owner, or an enterprise IT team to enforce desired policies without the use of proxies, SSL inspection, or other traditional techniques.
Gateway Management Business gives you granular control over each user's Internet experience. The following features can be applied network-wide or on a device-by-device basis:
To maintain speed, Gateway Management Business performs all filtering on your ClearOS box, while it is controlled from a cloud-based interface. See the Gateway.Management website for more details.
Before you begin the installation, you will want to document the following items that will help you with your deployment and configuration:
To deploy this app you will need to make arrangements with your IT staff to decommission certain services and functions that may be running. The following items should be done to accomplish the transition to Gateway.Management:
Plan on a maintenance window of 30-60 minutes for the deployment and initial configuration of this app.
If your system does not have this app available, you can install it via the Marketplace.
When installed and configured, an email will be sent to the account of record for the registration of your ClearOS server. If you are unsure about what email address this is, please log into your ClearSDN portal for your account.
You can find this feature in the menu system at the following location:
<navigation>Gateway | Filtering | Gateway Management Business</navigation>
Once you have Gateway Management Business installed on the server, it is time to configure and initialize the service.
The Box ID is a unique identifier used by the Gateway Management cloud system. You may need this information if you re-provision your ClearOS system.
When a web page is blocked, Gateway Management displays a block page. This setting selects the IP address from which that page is served. The address must NOT be on the same subnet as the LAN interface and must not already be in use. The default IP address is usually the right choice unless it lies in a range already used by your environment.
The Gateway Management dashboard controls all of your related settings.
After completing the setup, visiting the Gateway Management Business page in your ClearOS web-based configuration tool will give you a link to open your cloud dashboard.
You can also visit https://dashboard.gateway.management directly.
Key to managing your new gateway are the policies you will create. Policies are built from lists, including authoritative lists, black lists, white lists, and rainbow lists. The following order of operations applies to all policies:
Once a match has been made, the remaining policy rules are disregarded for that DNS request.
One important additional security feature provided by Gateway.Management is "Don't Talk to Strangers" (DTTS). With this feature, connections to destinations that were not obtained through a DNS resolution are proactively blocked by the gateway. This means that many applications and services that try to circumvent DNS (such as many BitTorrent clients, unauthorized VPNs, botnets, and so on) will be blocked.
To create bypass rules, look for the DTTS Bypass feature.
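The two behaviours described above, first-match policy evaluation and the DTTS check, are easy to misjudge when rules overlap. The following Python model is an added illustration, not Gateway.Management's own code: the list names come from this page, but the rule order, the suffix-matching behaviour, the `Rule`/`Gateway` classes, the sample domains and the addresses are all constructed assumptions.

```python
"""First-match DNS policy evaluation plus a "Don't Talk to Strangers" (DTTS) check.

Added illustration of the behaviour the documentation describes; it is not
Gateway.Management's own code. The list types come from the page, but the
rule ordering, the matching rule, the sample domains and the addresses are
constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

ALLOW, BLOCK, FORWARD = "allow", "block", "forward"


@dataclass
class Rule:
    kind: str                 # "authoritative", "black", "white" or "rainbow" (assumed labels)
    domains: set[str]
    action: str               # ALLOW, BLOCK or FORWARD
    forward_to: Optional[str] = None   # rainbow lists hand the query to a chosen resolver


def matches(rule: Rule, name: str) -> bool:
    """True if the rule lists the queried name or one of its parent domains (assumed semantics)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in rule.domains for i in range(len(labels)))


def evaluate(policy: list[Rule], name: str, default: str = ALLOW) -> tuple[str, Optional[str]]:
    """Walk the policy in order; the first matching rule decides and the rest are ignored."""
    for rule in policy:
        if matches(rule, name):
            return rule.action, rule.forward_to
    return default, None


@dataclass
class Gateway:
    policy: list[Rule]
    default: str = BLOCK
    dtts_bypass: set[str] = field(default_factory=set)  # destinations allowed without a lookup
    resolved: set[str] = field(default_factory=set)     # answers handed out by permitted lookups

    def resolve(self, name: str, upstream_answer: str) -> Optional[str]:
        """Apply the policy to one query. `upstream_answer` stands in for the real resolver."""
        action, _forwarder = evaluate(self.policy, name, self.default)
        if action == BLOCK:
            return None            # the client never learns the address
        self.resolved.add(upstream_answer)
        return upstream_answer

    def connect(self, dst_ip: str) -> bool:
        """DTTS: a flow to an address that no permitted lookup returned is dropped."""
        return dst_ip in self.resolved or dst_ip in self.dtts_bypass


def demo() -> dict:
    # Constructed policy: a blacklist entry placed before a broader whitelist entry,
    # followed by a rainbow (forwarding) entry. Addresses are RFC 5737 documentation ranges.
    policy = [
        Rule("black", {"ads.example.com"}, BLOCK),
        Rule("white", {"example.com"}, ALLOW),
        Rule("rainbow", {"example.net"}, FORWARD, forward_to="192.0.2.53"),
    ]
    gw = Gateway(policy, default=BLOCK, dtts_bypass={"198.51.100.250"})
    out = {}
    out["ads"] = gw.resolve("tracker.ads.example.com", "203.0.113.5")   # black wins: None
    out["www"] = gw.resolve("www.example.com", "203.0.113.10")         # white: allowed
    out["fwd"] = evaluate(policy, "mail.example.net", BLOCK)            # ('forward', '192.0.2.53')
    out["unknown"] = gw.resolve("update.example.org", "203.0.113.99")   # no rule: default BLOCK
    out["conn_resolved"] = gw.connect("203.0.113.10")    # True, learned via a permitted lookup
    out["conn_stranger"] = gw.connect("203.0.113.99")    # False, never resolved, DTTS drops it
    out["conn_bypass"] = gw.connect("198.51.100.250")    # True, explicit DTTS bypass
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Swapping the first two rules in `demo()` makes `tracker.ads.example.com` resolve, because the broader whitelist entry then matches first; that is exactly the ordering effect the rules above warn about. The DTTS bypass set is what the DTTS Bypass feature stands in for here: anything a device must reach without a prior lookup has to be listed there explicitly.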
The more you customize your environment, the more difficult it will be for Internet abusers to circumvent or exploit your network.
If you are using Active Directory in your environment, you will want to tailor your DNS resolution so that Gateway.Management and AD DNS work together.
Please see this ADAMnetworks support article for setting up Gateway management in an Active Directory domain.
Please see the note below about the No Internet rule in an AD environment.
You can edit the names of devices behind your gateway to make them more manageable and to improve visibility in reporting. In the Devices section, click the 'edit' button to manage individual devices.
You can also add devices manually if layer 3 discovery is not in place.
Tags can be used to group larger networks for more efficient management.
The Block Page Assistant is a plugin for Google Chrome that allows your browser to show a descriptive block message instead of a security warning.
Users who are blocked can request unblocks from their block page. These will queue in your 'Unblock Requests' page in the Gateway.Management portal. You can manually or automatically whitelist the requests.
You can only auto-whitelist as long as the page is:
You can add Managers so that additional trusted people can manage your whitelists and process unblock requests.
You can customize your block page in the interface. Don't forget to whitelist your block page!
This is a somewhat draconian rule and will disable Rainbow lists. If you have an Active Directory environment, it will probably also cut off your intranet, including shares and anything else that needs the AD DNS server for name resolution. It will therefore also prevent logging on to an Active Directory domain.
It may be more appropriate to:
If you have a Whitelist type of policy that covers ClearOS, you could end up blocking more than you expect: all ClearOS updates and Marketplace transactions, and many other things. At a minimum you should subscribe to the ClearOS Resources Verified Whitelist under Subscriptions and then enable the subscription in your policy. This will allow ClearOS updates to function. A number of programs will still be blocked, depending on how you use your server. You may need to create a My Rules rule and add domains such as clamav.net (for the antivirus), several domains for the RBL lookups (for the Anti Spam engine), api.letsencrypt.org (for Let's Encrypt certificates; see below) and so on. This will take a bit of monitoring of the logs at the beginning. You can filter the logs for 127.0.0.1 to see what the server itself is being blocked from, but you will want to do this over a period of days or more. As a sledgehammer you could whitelist the whole server (127.0.0.1), but this is not ideal if you want to pursue a Whitelist policy, which gives you the most protection.
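The log-filtering step above is tedious by hand when it has to be repeated over several days. The script below is an added example, not part of ClearOS or the Gateway.Management portal: it filters blocked queries made from 127.0.0.1 and ranks them as candidates for a My Rules entry. The log line layout is a constructed stand-in (the real portal export will differ, so adjust `LINE_RE`), and apart from clamav.net and api.letsencrypt.org, which this page names, the domains in the sample are constructed.

```python
"""Find lookups the ClearOS server itself (127.0.0.1) is having blocked.

Added example, not part of the Gateway.Management product or the ClearOS
documentation. The log format below is a constructed stand-in; adapt the
regular expression to the real log lines exported from the portal.
"""
import re
from collections import Counter
from typing import Optional
from datetime import datetime

# Assumed line layout: "<ISO timestamp> client=<ip> query=<name> action=<allow|block>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<name>\S+)\s+action=(?P<action>\w+)"
)

# Constructed sample log: two days of traffic, some from LAN clients, some from the server.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z client=127.0.0.1 query=database.clamav.net action=block
2024-03-01T08:00:02Z client=127.0.0.1 query=api.letsencrypt.org action=block
2024-03-01T08:05:00Z client=192.168.1.20 query=www.example.com action=allow
2024-03-01T08:10:00Z client=127.0.0.1 query=rbl.example.org action=block
2024-03-02T08:00:01Z client=127.0.0.1 query=database.clamav.net action=block
2024-03-02T08:00:03Z client=127.0.0.1 query=mirror.example.com action=allow
2024-03-02T09:00:00Z client=192.168.1.21 query=ads.example.net action=block
this line is not in the expected format and is skipped
"""


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamp; 'Z' is normalised so fromisoformat accepts it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def blocked_by_localhost(log_text: str, since: Optional[str] = None) -> Counter:
    """Count blocked queries made from 127.0.0.1, optionally only at or after `since` (ISO-8601)."""
    cutoff = _parse_ts(since) if since else None
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines in another format
        if m["client"] != "127.0.0.1" or m["action"] != "block":
            continue                       # LAN clients and allowed lookups are not our concern here
        if cutoff and _parse_ts(m["ts"]) < cutoff:
            continue
        counts[m["name"].lower().rstrip(".")] += 1
    return counts


def my_rules_candidates(counts: Counter) -> list[str]:
    """Names to consider adding to a My Rules whitelist, most frequently blocked first."""
    return [name for name, _ in counts.most_common()]


if __name__ == "__main__":
    counts = blocked_by_localhost(SAMPLE_LOG)
    for name in my_rules_candidates(counts):
        print(f"{counts[name]:4d}  {name}")
```

Run it against the accumulated export every day or two rather than once, as the text advises; a service that only phones home weekly will not show up in a single day's log. Review each candidate before adding it, since a blocked name is not automatically a legitimate one.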
Please see the OpenVPN with Gateway Management/DNSThingy section of the OpenVPN documentation.
Depending on your default settings, and especially if Gateway Management is in Block All/Allow by Exception mode, or possibly if Allow Only the Good is your default policy, the Let's Encrypt servers may be blocked and you will not be able to obtain or renew certificates. You can test from the command line by doing:
If you get no replies, you will need to create a Whitelist rule and add it to your policy. If that does not work, create a Forwarding/Rainbow List rule that forwards api.letsencrypt.org to your preferred DNS server (or something like 220.127.116.11 or 18.104.22.168) and enable this rule in your default rule set.