The Proxy Menu

A proxy is a service that acts as an intermediary between clients and network services. It can retrieve, cache, filter, and potentially block information from the original server. The document then lists the different proxy types available on the Endian Firewall - HTTP, POP3, FTP, SMTP, and DNS. It focuses on explaining the configuration of the HTTP proxy, including options for access policies, authentication, content filtering, antivirus, caching, and bypassing the transparent proxy for certain sources.

Uploaded by

Andres Garrido
Copyright
© Attribution Non-Commercial (BY-NC)
The Proxy Menu¶

Select Proxy from the menu bar at the top of the screen.

A proxy is a service on your Endian UTM Appliance that can act as a gatekeeper between clients (e.g. a web browser) and network services (e.g. a web server on the internet). Clients connect to the proxy, which in turn can retrieve, cache, filter and potentially block the information from the original server. A proxy is called transparent if all traffic goes through it regardless of the client's configuration. Non-transparent proxies hence rely on the collaboration of the client (e.g. the proxy settings of your web browser).

Following is a list of proxies that are available on Endian Firewall. Each proxy can be
configured via the links that are in the submenu on the left side of the screen:

- HTTP - configure the web proxy including access policies, authentication, content filter and antivirus
- POP3 - configure the proxy for retrieving mail via the POP protocol, including spam filter and antivirus
- FTP - enable or disable the FTP proxy (check files that are downloaded via FTP for viruses)
- SMTP - configure the proxy for sending or retrieving mail via the SMTP protocol, including spam filter and antivirus
- DNS - configure the caching domain name server (DNS) including anti-spyware

Each section will be explained individually below.

HTTP¶

Select Proxy from the menu bar at the top of the screen, then select HTTP from the
submenu on the left side of the screen.

Configuration¶
Click on the Enable HTTP Proxy toggle to enable the HTTP proxy (Endian UTM Appliance
uses the Squid caching proxy). Once the proxy is up and running, a number of controls
appear.

First of all, you can define the way users in each zone (GREEN and, if enabled, also ORANGE and BLUE) can access the proxy. The per-zone choices are:

not transparent
the proxy server is available to anyone (no need to
log in) but you need to configure your browser
manually or tell the browser to search for a proxy
(WPAD or PAC)

transparent
the proxy server is available to anyone and no
browser configuration is needed (HTTP traffic is
intercepted and forwarded to the proxy server)

Note

If you want to disable the proxy for a certain zone you must set it to transparent in this zone and add the zone's subnet to the Bypass transparent proxy from SUBNET/IP/MAC field in the Bypass transparent proxy section.

Some browsers, including Internet Explorer and Firefox, are able to automatically detect proxy servers by using the Web Proxy Autodiscovery Protocol (WPAD). Most browsers also support proxy auto-configuration (PAC) through a special URL. When using an Endian UTM Appliance the URL looks like this: http://<IP OF YOUR FIREWALL>/proxy.pac.
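For readers who have not seen one, the following is an added example of what a PAC file like the proxy.pac referenced above does for a zone running in "not transparent" mode. It is illustrative code, not the file the appliance generates: the firewall address (192.168.0.1), the local networks and the intranet.example domain are constructed assumptions, and the PAC built-ins (isPlainHostName, isInNet, dnsDomainIs) are re-implemented only so the file also runs outside a browser.

```javascript
// Added example: a proxy auto-configuration (PAC) file of the kind a browser
// fetches from http://<IP OF YOUR FIREWALL>/proxy.pac. Not the appliance's own
// file; firewall address and local networks below are constructed.
var PROXY_HOST = "192.168.0.1";        // constructed: GREEN address of the firewall
var PROXY_PORT = 8080;                  // the default "Port used by proxy"
var LOCAL_NETS = [                      // constructed: zones reached without the proxy
  ["192.168.0.0", "255.255.255.0"],     // GREEN
  ["192.168.1.0", "255.255.255.0"]      // BLUE
];

// Browsers supply isPlainHostName/isInNet/dnsDomainIs to PAC scripts natively.
// They are re-implemented here only so the file also runs under Node for testing.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.substr(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, o) { return (acc << 8) + Number(o); }, 0) >>> 0;
}
function isInNet(ipaddr, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipaddr)) return false; // only literal IPs are tested
  var m = ipToInt(mask);
  return ((ipToInt(ipaddr) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// The entry point every PAC file must define: "DIRECT" bypasses the proxy,
// "PROXY host:port" sends the request through the appliance.
function FindProxyForURL(url, host) {
  // Plain hostnames (intranet servers) and the firewall itself are reached directly.
  if (isPlainHostName(host) || host === PROXY_HOST) return "DIRECT";
  // Requests addressed to a local zone by IP literal stay local.
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    if (isInNet(host, LOCAL_NETS[i][0], LOCAL_NETS[i][1])) return "DIRECT";
  }
  // Constructed: an internally hosted domain that should not be proxied.
  if (dnsDomainIs(host, ".intranet.example")) return "DIRECT";
  // Everything else goes through the HTTP proxy. Deliberately no "; DIRECT"
  // fallback: it would let clients skip filtering whenever the proxy is unreachable.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

The omitted "; DIRECT" fallback is the security-relevant choice here: with a fallback, an unreachable proxy silently turns into unfiltered browsing, which is the opposite of what the transparent/non-transparent split is meant to enforce.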

Next comes a section with global configuration options:

Port used by proxy
the TCP port on which the proxy server is listening for connections (defaults to 8080)

Language of error messages
the language in which error messages are displayed

Visible hostname
the proxy server will assume this as its hostname (will also show at the bottom of error messages)

Email used for notification (cache admin)
the proxy server will show this email address in error messages

Max download size (incoming)
limit for HTTP file downloads in KB (0 means unlimited)

Max upload size (outgoing)
limit for HTTP file uploads (such as used by HTML forms with file uploads) in KB (0 means unlimited)

Then you will find a number of additional options, each in its own panel that can be expanded by clicking on the + icon:

Allowed Ports and SSL Ports

Allowed Ports (from client)
list the TCP destination ports to which the proxy server will accept connections when using HTTP (one per line, comments start with #)

Allowed SSL Ports (from client)
list the TCP destination ports to which the proxy server will accept connections when using HTTPS (one per line, comments start with #)

Log settings

Log enabled
log all URLs being accessed through the proxy (master switch)

Log query terms
also log parameters in the URL (such as ?id=123)

Log useragents
also log useragents, i.e. which web browsers access the web

Log contentfiltering
also log when content is filtered

Firewall logging (transparent proxies only)
have the firewall log web accesses (transparent proxies only)

Bypass transparent proxy

Bypass transparent proxy from SUBNET/IP/MAC
specify sources that are not subject to transparent proxying; give one SUBNET, IP address or MAC address per line

Bypass transparent proxy to SUBNET/IP
specify destinations that are not subject to transparent proxying; give one SUBNET or IP address per line

Cache management

Cache size on harddisk (MB)
specify the amount of memory the proxy should allocate for caching web sites on the harddisk (in megabytes)

Cache size within memory (MB)
specify the amount of memory the proxy should allocate for caching web sites in the system memory (in megabytes)

Maximum object size (MB)
specify the upper size limit of objects that should be cached (in megabytes)

Minimum object size (MB)
specify the lower size limit of objects that should be cached (in megabytes)

Enable offline mod
if this option is on, the proxy will never try to update cached objects from the upstream webserver - clients can then browse cached, static websites even after the uplink went down

Clear cache
if this button is clicked the cache of the proxy is flushed.

Do not cache thes
in this textarea you can specify which domains should not be cached (one domain per line)

Upstream proxy

Upstream proxy
use this option to make your Endian UTM
Appliance‘s proxy connect to another (upstream)
proxy; specify the upstream proxy as “host:port”

upstream usernam
if authentication for the upstream proxy is required
you can specify the credentials here

Username / client
forward the username / client IP address to the
upstream proxy

Click the Save bu


configuration cha
the Apply button
changes to becom

Authentication

Endian UTM App


different authe
Authentication (N
eDirectory, AD),
(NTLM) and Rad
needs different c
is described be
configuration para

Authentication rea
this text will be shown in the authentication dialog
and will be used as realm for kerberos/winbind when
joining an Active Directory Domain (use FQDN of
PDC when Windows Active Directory is used for
authentication).

Number of Authen
the maximum number of authentication processes
that can run simultaneously

Authentication cac
the time in minutes authentication data should be
cached

Number of differen
the maximum number of IP addresses from which a
user can connect to the proxy simultaneously

User / IP cache TT
the time in minutes an IP address will be associated
with the logged in user

The following para

manage users
When clicking on this button the user management
interface will be opened.

manage groups
When clicking on this button the user management
interface will be opened.

Min password leng
Here you can set the minimum password length for local users.

The following para

LDAP server
the IP address or fully qualified domain name of your
LDAP server

Port of LDAP serv
the port on which the server is listening

Bind DN settings
the base distinguished name, this is the start point of
your search

LDAP type
here you can choose whether you are using an
Active Directory server, a Novell eDirectory server,
an LDAP version 2 server or an LDAP version 3
server

Bind DN usernam
the fully distinguished name of a bind DN user, the
user must have permission to read user attributes

Bind DN password
the password of the user

user objectClass
the bind DN user must be part of this objectClass

group objectClass
the bind DN group must be part of this objectClass

The following para

Domainname of A
the active directory domain you want to join (use
FQDN)

Join Domain
click here to join the domain (first the authentication
settings needs to be saved and applied)

PDC hostname
the hostname of the primary domain controller

PDC IP address
the IP address of the primary domain controller
(needed to create the required DNS entries /
settings)

BDC hostname
the hostname of the backup domain controller

BDC IP address
the IP address of the backup domain controller
(needed to create the required DNS entries /
settings)

In order to be able
met: - The authen
The system clocks
name. - The PDC

Since version 2.3


generated when th

The following para

RADIUS server
the address of the RADIUS server
Port
the port on which the RADIUS server is listening

Identifier
an additional identifier

Shared secret
the password to be used

Access policy¶

The access policy


policies based on

You can view you


filter type. To add

Source
Here you can choose the sources to which this rule
will be applied. This can be either <ANY>, a Zone, a
list of Network/IP or MAC addresses (one address
per line).

Destination
Here you can choose the destinations to which this
rule will be applied. This can be either <ANY>, a
Zone, a list of Network/IP addresses (one address
per line) or a list of domains (one domain per line).

Authentication
Here you can choose to which authenticated users this rule should be applied: first choose whether you want to create a group-based or a user-based rule, then select one or more users / groups to which the policy will be applied.

Time restriction
Specify whether the rule has effect on specific days
and/or a time period.

Useragents
From this list you can choose allowed clients and
browsers.

Mimetypes
If mimetypes of incoming files should be blocked add
them to this list (one per line). Mimetypes can only
be blocked and not allowed (whitelisted), therefore
this option is only available in Deny access policies.
This allows you to block files not corresponding to
the company policy (for example multimedia files).

Access policy
Specify whether you want the rule to allow web
access or to deny it.

Filter profile
Choose antivirus scan only to create a rule which
only scans for viruses, choose content filter only to
create a rule which analyzes the content of web
pages and filters it according to the settings of the
chosen Content filter profile. If you choose
unrestricted no checks will be performed.

Policy status
Specify if the rule is enabled or disabled. Disabled
rules will not be applied.

Position
Specify where to place the new rule. Smaller
numbers have higher priority.
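To make the interplay of Position, Policy status, Mimetypes and the other conditions concrete, here is an added example of how such an ordered rule list is evaluated: rules are visited in ascending Position, disabled rules are skipped, and the first rule whose conditions all hold decides. This is illustrative code, not the appliance's implementation; the sample rules, zone names, user and group names, and the fail-closed default used when no rule matches are constructed assumptions.

```javascript
// Added example (not the appliance's code): first-match evaluation of HTTP
// access policies ordered by Position (smaller number = higher priority).
const ANY = "<ANY>";

// A destination domain entry matches the domain itself and all its subdomains.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Does one rule apply to one request? Every condition of the rule must hold.
function ruleMatches(rule, req) {
  if (rule.status !== "enabled") return false;          // disabled rules are not applied
  // Source: <ANY>, a zone name, or a list of Network/IP or MAC addresses.
  const srcOk = rule.source === ANY || rule.source === req.zone ||
    (Array.isArray(rule.source) && (rule.source.includes(req.ip) || rule.source.includes(req.mac)));
  // Destination: <ANY> or a list of domains (one per line in the UI).
  const dstOk = rule.destination === ANY ||
    rule.destination.some((d) => domainMatches(req.host, d));
  // Authentication: <ANY> or a list of user names / group names.
  const authOk = rule.users === ANY || rule.users.includes(req.user) || rule.users.includes(req.group);
  // Useragents: <ANY> or a list of allowed clients/browsers.
  const uaOk = rule.useragents === ANY || rule.useragents.includes(req.useragent);
  // Mimetypes are deny-only: a rule carrying them matches only the listed types,
  // and only as a Deny rule (the UI offers the field for Deny policies alone).
  const mimeOk = rule.mimetypes.length === 0 ||
    (rule.access === "deny" && rule.mimetypes.includes(req.mimetype));
  return srcOk && dstOk && authOk && uaOk && mimeOk;
}

// Returns the decision for a request. The default when nothing matches is an
// assumption of this example (fail closed), not a statement about the appliance.
function evaluate(rules, req) {
  const ordered = [...rules].sort((a, b) => a.position - b.position);
  for (const rule of ordered) {
    if (ruleMatches(rule, req)) {
      return { access: rule.access, profile: rule.profile, position: rule.position };
    }
  }
  return { access: "deny", profile: null, position: null };
}

// Constructed sample policy: intranet unrestricted for GREEN, multimedia and
// executables denied for everyone, a disabled catch-all, then staff allowed with AV.
const SAMPLE_RULES = [
  { position: 2, status: "enabled", source: ANY, destination: ANY, users: ANY, useragents: ANY,
    mimetypes: ["video/mp4", "application/x-msdownload"], access: "deny", profile: null },
  { position: 1, status: "enabled", source: "GREEN", destination: ["intranet.example"], users: ANY,
    useragents: ANY, mimetypes: [], access: "allow", profile: "unrestricted" },
  { position: 3, status: "disabled", source: ANY, destination: ANY, users: ANY, useragents: ANY,
    mimetypes: [], access: "deny", profile: null },
  { position: 4, status: "enabled", source: ANY, destination: ANY, users: ["staff"], useragents: ANY,
    mimetypes: [], access: "allow", profile: "antivirus scan only" },
];

// Helper to build a constructed request with sensible defaults.
function request(overrides) {
  return Object.assign({ zone: "BLUE", ip: "192.168.1.20", mac: "00:11:22:33:44:55",
    host: "www.example.com", user: "bob", group: "staff", useragent: "Firefox",
    mimetype: "text/html" }, overrides);
}
```

Note that the rules are listed out of order on purpose: the sort on Position, not the order in which rules were created, determines precedence, which is why a later-created allow rule with a small Position can shadow an existing deny.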

Since version 2.3


domain just for a c

You can then chan

Content filter¶

To be able to use
which can be defin
The first is called
an advanced phra
requested URLs a

The screen is divid

Activate antivirus
Enable both the content filter (Dansguardian) and
the antivirus proxy (HAVP).

Enable logging
Log blocked requests.

Platform for Intern
Enable parental control based on PICS metadata.

Max. score for phr
Specify the maximum score level of a trustworthy page (50-300). You can tune this level: if children browse the web through Endian Firewall you should set a value around 50, for teenagers it should be 100 and for young adults 160.

Content Filter
This section allows filter configuration based on
phrase analysis. You can block or allow a category
of sites by clicking on the icon beside it.
Subcategories are shown when clicking on the +
icon.

URL Blacklist
This section allows configuration of filtering based on
URL comparison. You can block or allow a category
of sites by clicking on the icon beside the category
name. Subcategories are shown by clicking on +
icon.

Custom black and
Content filtering may cause false positives and false negatives - here you can list domains that should always be blocked or allowed regardless of the results of the content filter's analysis.
Phrase analysis re

When whitelisting

- google.com i
- maps.google
- maps.google
- you will have t

Click on Save to s

You can then edit

Antivirus¶

In this section you

Max. content scan
Specify the maximum size for files that should be scanned for viruses.

Do not scan the fo
A list of URLs that will not be scanned for viruses (one per line).

Click on Save to s

AD join¶

In this section you

POP3¶

Select Proxy from

Global settings
On this page you
emails. If you wan

Spam filter¶

On this page you

Spam subject tag
Here you can specify a prefix for the spam email's subject.

Required hits
This option defines how many hits are required for a
message to consider it spam. The default value is 5.

Enable message d
If you want to detect spam using message digests
you can enable this option. Note that this might slow
down your POP3 proxy.

White list
Here you can whitelist sender email-addresses (one
address per line). It is also possible to whitelist whole
domains by using wildcards, e.g. *@example.com.

Black list
Here you can blacklist sender email-addresses (one
address per line). It is also possible to blacklist whole
domains by using wildcards, e.g. *@example.com.

FTP¶

Select Proxy from

The FTP (File Tra

Note

Only connections

You can enable th

Firewall logs outgo
Show outgoing connections in the firewall log.

Specify sources (left panel) or destinations (right panel), that are not subject to transparent FTP proxying. Always specify one subnet, IP address or MAC address per line. Endian UTM Appliance supports transparent FTP proxying with frox if and only if it is directly connected to the internet.

be used if you have your own mail server running on your LAN (GREEN interface) or your DMZ (ORANGE

ffic (incoming and outgoing mail) can be scanned for viruses, spam and other threats. Mail will be blocked if
he need of port forwards.

This enables the SMTP proxy in order to accept requests on port 25.

If the transparent mode is enabled, all requests to destination port 25 will be intercepted and forwarded to the SMTP proxy without the need to change the configuration on your clients.

e whether a message is spam or not.

Check this box if you would like to filter spam emails. If checked the spam filter options will be shown. Black-, White- and Greylists can be configured in the Proxy ‣ SMTP ‣ Black- & Whitelists section.

Check this box if you would like to use the commtouch anti-spam engine to filter the emails.

Choose between:

- move to default quarantine location: spam mails will be moved to the default location on the harddrive (in /var/amavis/virusmails)
- move to custom quarantine location: you can specify a custom location on the harddrive to which spam mails will be moved
- send to quarantine email address: spam mails will be forwarded to a custom email address you specify
- mark as spam: mail will be marked as spam before it is delivered

Here you can specify a prefix for the subject of marked spam emails.

Here you can provide an email-address that will receive a notification for each spam email that is processed.

If SpamAssassin's spam score is greater than this number X-Spam-Status and X-Spam-Level headers are added to the email.

If SpamAssassin's spam score is greater than this number mails are tagged with the Spam subject and an X-Spam-Flag header.

Mails that exceed this spam score will be moved to the quarantine.

Send notification emails only if the spam score is below this number.
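The four score thresholds above are easy to misconfigure relative to each other, so here is an added example that shows how one SpamAssassin score is turned into a verdict against them, plus a consistency check on the thresholds themselves. This is illustrative code, not the appliance's filter; the field names (tagLevel, tag2Level, killLevel, notifyBelow), the threshold values and the notification address are constructed assumptions, and "notification" is read as the page describes it (a mail to the configured address for each spam message, suppressed once the score reaches notifyBelow).

```javascript
// Added example (not the appliance's code): applying the spam-score thresholds
// described above to a message. Names and values below are constructed.
const SPAM_SETTINGS = {
  tagLevel: 2.0,      // above this: add X-Spam-Status and X-Spam-Level headers
  tag2Level: 5.0,     // above this: prefix the subject and add X-Spam-Flag
  killLevel: 8.0,     // above this: move the mail to the quarantine
  notifyBelow: 10.0,  // notify the admin only while the score is below this
  subjectTag: "***SPAM***",                     // the "Spam subject" prefix
  notifyAddress: "postmaster@example.invalid",  // constructed admin address
};

// Returns what happens to a message with the given SpamAssassin score.
function classifyMessage(score, subject, settings = SPAM_SETTINGS) {
  const headers = {};
  let newSubject = subject;
  let action = "deliver";
  const isSpam = score > settings.tag2Level;

  if (score > settings.tagLevel) {
    // One "*" per whole point of score is the conventional X-Spam-Level encoding.
    headers["X-Spam-Level"] = "*".repeat(Math.max(0, Math.floor(score)));
    headers["X-Spam-Status"] = (isSpam ? "Yes" : "No") + ", score=" + score.toFixed(1);
  }
  if (isSpam) {
    headers["X-Spam-Flag"] = "YES";
    newSubject = settings.subjectTag + " " + subject;
  }
  if (score > settings.killLevel) action = "quarantine";

  // Notification goes to the configured address for each spam mail processed,
  // but only if the score stays below the notification cutoff.
  const notify = isSpam && score < settings.notifyBelow;
  return { action, subject: newSubject, headers, notify,
           notifyTo: notify ? settings.notifyAddress : null };
}

// Thresholds must be non-decreasing; otherwise mail can be quarantined
// without ever having been tagged, which makes the quarantine hard to audit.
function validateSettings(settings) {
  const problems = [];
  if (settings.tagLevel > settings.tag2Level) {
    problems.push("tag level is above the tag2 (subject/flag) level");
  }
  if (settings.tag2Level > settings.killLevel) {
    problems.push("tag2 level is above the kill (quarantine) level");
  }
  if (settings.notifyBelow <= settings.tag2Level) {
    problems.push("notification cutoff is not above the tag2 level, so no spam is ever reported");
  }
  return problems;
}
```

The ordering check is what a practitioner would want when moving thresholds around: with tag2 above kill, a message can disappear into /var/amavis/virusmails without a subject tag or X-Spam-Flag ever having been written for it.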

Check this box if you want to enable greylisting.

The greylisting delay in seconds can be a value between 30 and 3600.

n order to reach a personalized and stronger filter (bayes).

Check this box if you would like to filter emails for viruses. If checked the virus options will be shown.

Choose between:

- move to default quarantine location: mails containing virus will be moved to the default location on the harddrive (in /var/amavis/virusmails)
- move to custom quarantine location: mails containing a virus will be moved to the specified location on the harddrive
- send to quarantine email address: mails containing virus will be forwarded to the specified email address
- pass to recipient (regardless of bad contents): mail containing virus will be delivered normally

il.

Check this box if you would like to block mails that contain attached files with certain extensions. If checked the file extension options will be shown.

Choose between:

- move to default quarantine location: mails containing blocked files will be moved to the default location on the harddrive (in /var/amavis/virusmails)
- move to custom quarantine location: mails containing blocked files will be moved to the specified location on the harddrive
- send to quarantine email address: mails containing blocked files will be forwarded to the specified email address
- pass to recipient (regardless of bad contents): mails containing blocked files will be delivered normally

You can select one or more file extensions to be blocked. In order to select multiple files press the control key and click on the desired entries with your mouse.

Whenever an email with an attachment that is blocked due to its file extension is found, a notification email is sent to this address.

If you enable this option, files with double extensions will be blocked since these files are usually created to harm computers (blocked double extensions are composed of any extension followed by .exe, .com, .vbs, .pif, .scr, .bat, .cmd or .dll).
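As an added illustration of the rule just stated (any extension followed by one of the eight listed ones), the following function decides whether an attachment name counts as a double extension. It is example code, not the appliance's filter; the sample attachment names are constructed. It generalises slightly beyond the text by ignoring letter case and any path component a client may have left in the name, since a filter that is case-sensitive is trivially bypassed.

```javascript
// Added example (not the appliance's code): detecting "double extension"
// attachment names as described above. The final-extension list is the one
// the page gives; the sample names are constructed.
const DANGEROUS_FINAL_EXTENSIONS = ["exe", "com", "vbs", "pif", "scr", "bat", "cmd", "dll"];

// "invoice.pdf.exe" -> true; "setup.exe" -> false (a single extension is the
// job of the plain extension list, not of this option); "archive.tar.gz" -> false.
function hasDoubleExtension(filename) {
  const base = filename.split(/[\\/]/).pop();           // drop any path component
  const parts = base.toLowerCase().split(".");
  // Need a name plus at least two extensions; ".hidden.exe" is a dotfile with
  // one extension and is left to the ordinary extension list.
  if (parts.length < 3 || parts[0] === "") return false;
  const last = parts[parts.length - 1].trim();
  const penultimate = parts[parts.length - 2].trim();
  return penultimate.length > 0 && DANGEROUS_FINAL_EXTENSIONS.includes(last);
}

// Given all attachment names of one mail, return those this option would block.
// A non-empty result is what triggers the notification mail described above.
function blockedAttachments(filenames) {
  return filenames.filter(hasDoubleExtension);
}

// Constructed sample attachment names, as a MIME parser would hand them over.
const SAMPLE_ATTACHMENTS = [
  "quarterly-report.pdf",
  "invoice.pdf.exe",
  "Photo_2023.JPG.SCR",
  "notes.txt",
  "C:\\Users\\sender\\tools.zip.dll",
  "archive.tar.gz",
];
```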

specify sources that are not subject to transparent proxying; give one SUBNET, IP address or MAC address per line

specify destinations that are not subject to transparent proxying; give one SUBNET or IP address per line

s.

Mails from these addresses or domains will always be accepted.

Mails from these addresses or domains will never be accepted.

Mails to these addresses or domains will always be accepted.

Mails to these addresses or domains will never be accepted.

Mails that have been sent from these IP addresses or hosts will always be accepted.

Mails that have been sent from these IP addresses or hosts will never be accepted.

whitelist a domain (with subdomains):
example.com

whitelist only subdomains:
.example.com

whitelist a single address:
[email protected]

[email protected]

whitelist a domain/IPs:
example.com
192.168.100.0/24
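The four entry forms listed above (domain with subdomains, ".domain" for subdomains only, a single address, an IP or network) share their line-per-entry format with the proxy bypass fields earlier on this page (SUBNET, IP or MAC per line, "#" starting a comment). The following added example parses such a list and matches a sender or client against it; it is illustrative code, not the appliance's implementation, and the sample lists, addresses and MAC address are constructed. Both the SMTP white/blacklist semantics and the bypass-list semantics are exercised by the one matcher.

```javascript
// Added example (not the appliance's code): one matcher for the list syntaxes
// this manual uses. Sample entries and subjects below are constructed.

// Dotted-quad to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// "192.168.100.0/24" or a bare "10.1.2.3" (treated as /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Decide which of the documented entry forms a line is.
function classify(entry) {
  if (/^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i.test(entry)) return { kind: "mac", value: entry.toLowerCase() };
  if (/^\d{1,3}(\.\d{1,3}){3}(\/\d{1,2})?$/.test(entry)) return { kind: "net", value: entry };
  if (entry.includes("@")) return { kind: "address", value: entry.toLowerCase() };
  if (entry.startsWith(".")) return { kind: "subdomains", value: entry.slice(1).toLowerCase() };
  return { kind: "domain", value: entry.toLowerCase() };
}

// One entry per line; "#" starts a comment; blank lines are ignored.
function parseList(text) {
  return text.split("\n")
    .map((line) => line.replace(/#.*$/, "").trim())
    .filter((line) => line.length > 0)
    .map(classify);
}

// subject: { address?: "user@host", ip?: "a.b.c.d", mac?: "xx:xx:xx:xx:xx:xx" }
function entryMatches(entry, subject) {
  const host = subject.address ? subject.address.toLowerCase().split("@").pop() : null;
  switch (entry.kind) {
    case "mac":        return subject.mac !== undefined && subject.mac.toLowerCase() === entry.value;
    case "net":        return subject.ip !== undefined && inCidr(subject.ip, entry.value);
    case "address":    return subject.address !== undefined && subject.address.toLowerCase() === entry.value;
    case "subdomains": return host !== null && host.endsWith("." + entry.value);           // ".example.com"
    case "domain":     return host !== null && (host === entry.value || host.endsWith("." + entry.value));
  }
  return false;
}

function listMatches(text, subject) {
  return parseList(text).some((e) => entryMatches(e, subject));
}

// Constructed SMTP whitelist using all four documented forms.
const SMTP_WHITELIST = [
  "example.com",            // the domain and its subdomains
  ".partner.example",       // subdomains of partner.example only
  "alice@other.example",    // one address
  "192.168.100.0/24",       // a network
].join("\n");

// Constructed "Bypass transparent proxy from SUBNET/IP/MAC" field.
const BYPASS_LIST = [
  "# printers and the monitoring host never go through the proxy",
  "192.168.0.0/24",
  "10.1.2.3",
  "00:11:22:33:44:55   # constructed MAC of the monitoring host",
].join("\n");
```

The "domain" versus ".domain" distinction is the one that most often surprises: "example.com" accepts mail from example.com and every host below it, while ".example.com" accepts the subdomains but not the bare domain.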

d in one of the blacklists, emails from it will be refused without further notice. This saves more bandwith than

This RBL is based on submissions from its users (www.spamcop.net).

This list replaces sbl-xbl.spamhaus.org and contains the Spamhaus block list as well as Spamhaus' exploits block list and its policy block list.

The CBL takes its source data from very large spamtraps. It only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc.) that have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, without doing open proxy tests of any kind.

This contains a list of Dynamic IP Address ranges (www.au.sorbs.net).

A publicly available DNS blacklist which is permanently regenerated from the IP blacklist and the spam hash table of the spam filter NiX Spam.

This is a list which contains domains or IP networks whose administrators choose not to obey to the RFCs, the standards of the net (www.rfc-ignorant.org).

at mail will be refused without the possibility to recover it. You also have no direct influence on the RBLs.
You can whitelist email-addresses or whole domains in this textarea, e.g. test@endian.com or the domain endian.com (one entry per line).

You can whitelist a mailserver's address here. This means that all emails coming from this server's address will not be checked for spam (one entry per line).

You can whitelist email-addresses or whole domains in this textarea from being detected as spam, e.g. test@endian.com or the domain endian.com (one entry per line).

You can blacklist email-addresses or whole domains in this textarea, which will then be detected as spam, e.g. test@endian.com or the domain endian.com (one entry per line).

NGE zone - you need to declare the domains which will be accepted by the SMTP proxy and to which of your
asily possible to use Endian UTM Appliance as a backup MX.

The domain this mailserver is responsible for.

The IP address of the mailserver.

isting entries can be edited and deleted by clicking on the respective icon (as described in the legend at the
d recipient address or are sent from the specified sender address.

Specify whether you want to apply this copying process for a certain Sender or Recipient.

Here you specify the mail address of the recipient or sender (depending on what you have chosen above).

The mail address where you want to send the copy of the emails.

s which are explained in the legend at the bottom of the page.

messages. Do not abuse this feature.

Check this box if you want to use a smarthost to deliver emails. If checked the additional options are shown.

Here you can enter the address of the smarthost.

Here you can enter the port of the smarthost (default is 25).

Check this box if the smarthost requires authentication. If checked the additional options are shown.

This username is used for authentication.

This password is used for authentication.

Here you can choose the authentication methods that are supported by your smarthost. PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5 are supported.

might get problems sending mails to other mail servers. More and more mail servers check whether your IP
use a smarthost for sending emails.

s to accept your emails and relays them for you. Normally you may use your provider’s SMTP server as

hentication when sending emails. Most of all this is important for SMTP connections that are opened from the

Check this box if you want to enable IMAP authentication. If checked additional options are revealed.

Here you can enter the address of the IMAP server.

Here you can enter the port of the IMAP server (default is 993).

This setting defines how many concurrent logins should be possible through your Endian UTM Appliance.

options are:

If this is enabled the connecting client must send a HELO (or EHLO) command at the beginning of an SMTP session.

Reject the connecting client when the client HELO or EHLO parameter supplies an invalid hostname.

The hostname to send with the SMTP EHLO or HELO command. The default value is the IP of RED. Specify a hostname or IP address.

Optionally you can enter an email address here that will receive a blind carbon copy of each message that goes through the SMTP proxy.

The language in which error messages should be sent.

Check if the recipient's address is valid before sending the message.

The maximum number of errors a remote SMTP client is allowed to produce without delivering mail. The SMTP Proxy server disconnects once this limit is exceeded (default 20).

The maximum size a single message is allowed to have.
P server can be defined. The options are:

Reject the request when the RCPT TO address is not in fully-qualified domain name form, as required by the RFC.

Reject the connecting client if the hostname supplied with the HELO or EHLO command is not a fully-qualified domain name as required by the RFC.

Reject the connection if the domain of the recipient email address has no DNS A or MX record.

Reject the connection if the domain of the sender email address has no DNS A or MX record.

the Save button.

Commtouch anti-spam engine. The following options can be configured:

Check this box if you want to skip spamassassin if commtouch marks a message as spam.

Here IPs and networks which should not be checked by commtouch can be defined.

g options can be configured:

Every email with a tag level above this value will be recognized as spam (between -10 and 10).

Every email with a tag level above this value will be identified as bulk mail (between -10 and 10).

Every email with a tag level above this value is suspected to contain spam (between -10 and 10).

Emails with a tag level below this value will be classified as unknown (between -10 and 10).

Emails with a tag level below this value will be recognized as non-spam mails (between -10 and 10).

d and applied by clicking on the Save button.

menu bar at the top of the screen, then select DNS from the submenu on the left side of the screen.

change the settings for the DNS proxy. It is divided into three subpages.

enable the transparent DNS proxy for the GREEN, ORANGE and BLUE zones (if they are active). You can
source addresses the proxy will be bypassed in the lower left textarea. These sources can be IP addresses,
and MAC addresses (one per line). In the lower right textarea you can enter destinations for which the proxy
xtarea IP addresses and addresses of subnets can be entered. To save the settings you must click on the

add custom nameservers for specific domains. You can add a new custom nameserver by clicking on the
e server for a domain link. To change an existing entry you have to click on the pencil icon in its row. Clicking
l delete the custom nameserver in that row. The following details can be saved for custom nameservers:
The domain for which you want to use the custom
nameserver.

The IP address of the namserver.

An additional comment you might want to save.

re¶

ge you can configure how your Endian UTM Appliance should react if a domain name has to be resolved
wn to be used by spyware. The options that can be set are:

If enabled these requests will be redirected to localhost.

Redirect requests to spyware listening post
If this is enabled the requests will be redirected to the spyware listening post instead of localhost.

Whitelist domains
Domain names that are entered here are not treated as spyware targets regardless of the list's content.

Blacklist domains
Domain names that are entered here are always treated as spyware targets regardless of the list's content.

Spyware domain list update schedule
Here you can specify how often the spyware domain list should be updated. Possible values are Hourly, Daily, Weekly and Monthly. By moving the mouse cursor over the respective question mark you can see when exactly the updates will be performed.

The settings are saved and applied by clicking on the Save button.
