Policy Manager
From UntangleWiki
About Policy Manager
The Policy Manager is a powerful and advanced feature of the Untangle Server. Advanced Policy Management with Custom Racks is a commercial or paid option on the Untangle Server. You can, however, use No Rack and Default Rack policies in the Lite package.
The Policy Manager works by creating rules, or policies. Using policies, you can route traffic based on the network interface and/or endpoints. A policy binds traffic that matches certain criteria to a Virtual Rack. Policy Manager enables you to:
- Use multiple, distinct copies (instances) of any filter applications, but not services.
- Install and configure each instance into a different rack.
- Assign each rack a policy.
- Route a particular type of traffic to a chosen rack.
Settings
Since the policy rules are implemented differently for most networks, the settings will be covered a bit differently than the other applications.
About Virtual Racks
Virtual Racks provide a way to handle different network policies for different users, computers, interfaces, traffic, etc. Often one configuration is needed for one group of people or one time of day, and a completely different configuration for another group of people/computers or another time of day. Virtual Racks provide a way to manage configuration.
For example, a school can have a "Student Rack" for the student policy, and a "Staff Rack" for the teachers and administrators. These racks provide two completely separate configurations to process traffic and rules can be configured to map students' traffic to the "Student Rack" and teachers' traffic to the "Staff Rack." The racks may be similar in many ways (like they both contain Virus Blocker), but they may have completely different Web Filter configurations.
Applications are not installed into an Untangle Server, but into a virtual rack. By default, Untangle has a single virtual rack called the Default Rack. You cannot remove this rack. The Default Rack processes all traffic if no policy rules are configured. You can also create custom virtual racks. Your Untangle can have many virtual racks and each rack can contain zero or more applications. The racks are customizable in that you can apply different rules for any Application, though Service applications apply to all racks.
You can map traffic to racks by creating policy rules. Traffic arrives at one network interface of your Untangle Server and leaves on another. After the traffic enters and before it exits the Untangle Server, several applications can scan and/or modify the traffic. To illustrate how the Untangle Server handles traffic, go to Routing Behind a Simple Web Page Request.
Parent Racks
To ease the configuration of multiple racks we recommend using the Parent Rack system. Upon creating a new rack, you can set the new rack to have a Parent Rack - if you use this system, the new rack will be created with all of the settings inherited from the rack you specify as the Parent. If you need to change settings, just add the application to the new rack. The app installed in the child overrides the settings inherited from the parent, and the child rack app can then be configured as desired. This is useful because it saves you from having to reconfigure applications you want to operate the same in multiple racks, such as the virus scanners.
Using the example of a school, we would have students going to the Default Rack, then create a new Teacher Rack which uses the Default Rack as its Parent Rack. If you go to the Teacher Rack, all the apps will be greyed out and you will not be able to modify any settings because they are copied from the Default Rack. By adding in a new copy of Web Filter, you can modify the web filter settings so the teachers can access websites the students cannot; settings for all other applications will still be copied from the Default Rack.
Using Policies To Route Traffic To Racks
The Untangle Server routes traffic to racks by consulting its list of policies. Think of policies as rules, binding a type of traffic to a rack. A given policy can be expressed as:
If the traffic looks like X, route it to rack Y
Where Y is the name of the rack and X defines the type of traffic. The simplest way to differentiate traffic is by its:
- Interfaces: The client and server's Internal, External, DMZ, VPN interfaces. The list of interfaces depends on the network interfaces that you have installed in the Untangle Server.
- Endpoints: The IP address of client and server. Partitioning traffic by one or both endpoints lets you target a rack of Applications at locations as granular as specific computers.
Deciding When To Use Multiple Racks
Are you wondering if you need more than the Default Rack? Normally, you don't. However, if you cannot configure a given Application to meet all of your needs, you might need more than one rack. Here are some common use cases for additional racks:
- Applying very different requirements to different sets of users: If your organization is a large school, you might need two different racks: one for students and one for teachers. There are many websites that you want teachers and librarians to access, but you do not want students to access. For an example, go to Example: Creating a Custom Policy for a School.
Tip: If you only have a few users that need to bypass web content controls, consider using Pass Lists in Passed Clients, not a separate rack. In this case, a pass list is an easier solution to implement and maintain.
- Setting up a DMZ to host an Internet-facing web server: The policies associated with web traffic to your own web server (filtering, scanning) should be different than those for employees browsing the web. Simply create a DMZ Rack, then apply a custom policy that handles the traffic from the External interface to the DMZ interface.
- Setting up a special file transfer relationship between your organization and an external business partner: File transfers between these two groups may permit certain file types (executable code), yet these file type transfers are blocked for the general Internet. Simply create a Partner Rack and a Company Rack.
- Setting up a VPN: Since many users use a VPN to access a protected network from home (where their home networks might not be as secure), you might want to restrict access to critical internal systems by VPN users.
The previous list highlights cases where a single instance of an Application cannot be configured for all situations (for example, Web Filter should scan traffic from desktops but not traffic to the company's own web server). Multiple racks let you install and configure instances of just those Applications that you need for the type of traffic you are dealing with.
Creating Special Racks for Servers
Use a special rack called No Rack to apply policies to servers rather than users. The most common case where you might need to use No Rack is if you want two Microsoft Exchange Servers to communicate with each other. This way, the Microsoft Exchange Servers' traffic will not be filtered by any Applications.
As discussed in About Routing and Virtual Racks, the Untangle Server ships with a single rack called Default Rack, and you can install additional, custom virtual racks. All newly created racks contain only the service applications, which run on all racks.
The No Rack virtual rack does not appear in the virtual rack drop-down list (in the main interface). It is not a rack because it is not designed to contain Applications. No Rack is available by default from within the Policy Manager. When you modify a default policy or create a custom policy for the No Rack, simply specify No Rack from the drop-down list of virtual racks. For minimal protection, the No Rack does enable NAT.
Adding a Virtual Rack To Untangle Server
Add additional virtual racks beyond the Default Rack that Untangle Server provides if you want to use custom policies. If you want to create custom policies, you must install Policy Manager. To learn about virtual racks, go to Deciding When To Use Multiple Virtual Racks.
To add a new virtual rack:
- Launch the Policy Manager.
- From the Policy Manager, click the add (+) button.
- Specify the rack name, and provide a description to state the purpose of the rack, then click Update, then Save.
- Verify that the rack was created: From the Rack Dashboard, select the Rack drop-down list as shown in Creating Virtual Racks, then select the rack that you just created. By default, this new virtual rack contains only service Applications.
Next Step: Install, configure, and turn on Software Products in your new rack. Go to Installing Software Products.
Preparing To Assign Users To Policies
Normally you'd simply configure your router for DHCP, allowing the router to automatically assign IP addresses to users' computers. The most common way to assign users to a policy is done by user IP address. If the router assigns the IP address automatically to a user's computer and that IP address changes (which is inevitable), the Policy Manager can no longer enforce policies for that user. Because of this, you should assign static IP addresses to virtual rack users. After all, you're asking the Policy Manager to keep track of users and their activity. When you assign static IP addresses, group users into logical IP address ranges.
In a 255.255.255.0 network with the address range 192.168.1.1-192.168.1.254, and using the example in Example: Creating a Custom Policy for a School, create the following ranges on your router — whether that router is an Untangle Server or not:
- 192.168.1.51-192.168.1.150 (Teachers & Staff)
- 192.168.1.151-192.168.1.254 (Students)
To assign a static IP address to a computer when your router is an Untangle Server, go to Assigning Network Computers Static IP Addresses.
Creating Custom Policies
If you want to create custom policies, you must install Policy Manager. As mentioned in About Routing and Virtual Racks, most deployments do not need to create custom policies. However, you need to create a custom policy to do any of the following:
- Differentiate traffic both on network interfaces and endpoints.
- Create a policy that applies to one user in a virtual rack.
- Create policies that apply to specific times during the day or week.
To create a custom policy:
Before You Begin:
- Review the example in Example: Creating a Custom Policy for a School.
- Create a Virtual Rack other than Default Rack. Go to Adding a Virtual Rack To Untangle Server.
- For each virtual rack user, assign a static IP address. Go to Preparing To Assign Users To Policies.
- Launch the Policy Manager.
- In the Policies table, click the add (+) button.
- Specify the endpoints, interfaces, and virtual rack for the new custom policy, and click Update.
- If you do not want to scan certain types of traffic, do not create an empty virtual rack. Instead, select No rack from the drop-down list.
- The Enable this Policy check box enables you to activate or deactivate a policy. If you clear the checkbox, you deactivate the policy without deleting the policy settings.
- If you added more than one custom policy, reorder them if necessary. Policies are evaluated in the order that they are listed, so list them in the order you want them evaluated.
- If you don't want the Untangle Server to evaluate this policy at this time, clear the live check box to disable it.
- Click Save.
Policy fields:
- Protocol: The network protocol of the traffic that you want the Untangle Server to scan. Valid values are TCP, UDP, PING or TCP & UDP.
- Interface: The network interfaces on which the traffic travels. Your choices are Internal, External, DMZ, any other network interface that is installed, any WAN interface, and any non-WAN interface.
- Address: The IP address(es) to which you want the policy to apply. The addresses are described in the IP Matcher format. Any is a valid value, and means that the client address is removed as a traffic selection criterion. See also Preparing To Assign Users To Policies.
- Port: The port on which you want the policy to apply. Valid values are in Port Matcher format. Note that Port Matcher supports the value any.
Tip: If you don't wish to scan certain types of traffic, do not create an empty Virtual Rack. Instead, select No Rack as the rack in your custom policy.
- Users: The user to whom you want this policy to apply. The users from your Active Directory are listed as (Active Directory). The users from your Local LDAP directory are not listed and must be entered manually.
- Time of Day: The range of time, based on a 24-hour clock (also called military/army/railway time), during which you want the policy to be active. On a 24-hour clock, the day begins at midnight, 00:00, and ends at 23:59.
- Days of Week: The days on which you want the policy to be active.
- Rack: A list of available virtual racks. Select one of these virtual racks for each policy.
Routing Behind a Simple Web Page Request
The Untangle Server uses the following pieces of information to process a web page request:
- The IP address of the requester (client) and the IP address and port of the requestee (server). These IP addresses are called endpoints; client and server are defined by the client-server architecture.
- Two network interfaces—the client's interface and the server's interface.
To make routing easier to visualize, consider this scenario:
Emma is sitting at her desktop on the protected network (connected to the internal interface). Emma decides she wants to learn more about networking so she visits Google in her web browser. Since Emma's computer is behind an Untangle Server running NAT, the IP address of her computer is 10.0.0.129. When Emma opens the Google home page in her browser, the Untangle Server sees a TCP traffic request from IP address 10.0.0.129 (Emma's computer) to IP address 66.102.7.99 on port 80 (66.102.7.99 is one of the many IP addresses of Google).
After Emma makes the page request from her desktop and until that request arrives at Google, the following sequence of events occurs:
- A request is sent from Emma's machine (10.0.0.129) to the Untangle Server (which acts as the network gateway), where it is received on your Untangle Server's internal interface. The Untangle Server now considers this request's client interface to be the internal interface.
- The Untangle Server inspects the request, and finds the source/client IP address to be 10.0.0.129.
- Using the destination name of www.google.com, the Untangle Server sends a request to a DNS server, which returns the IP address 66.102.7.99.
- It adds the Google web server port number onto the destination address (66.102.7.99:80).
- Untangle evaluates the policy rules and sends the traffic to a Virtual Rack for inspection.
- One or more apps in the given Virtual Rack inspect this traffic. In this case, the Web Filter inspects the request and finds no malicious or flagged content.
- The Untangle Server consults its policies to determine the server interface of the traffic to that server IP:port, 66.102.7.99:80. In this case, the Untangle Server determines that the server is connected to the external interface.
- The request is sent from the Untangle Server to 66.102.7.99:80, exiting the Untangle Server on the external interface.
In this example, Emma's request had two endpoints: Emma's machine and Google's Web Server.
Example: Creating a Custom Policy for a School
Imagine that you are the Network Administrator at a public school. Let's assume that you need to create policies that enforce the following workplace environment:
- No web content restrictions for teachers and other staff. In this case, use the Default Rack for teachers and administrators.
- Many web content restrictions for students when they are (or should be) in class. For example, they cannot access www.myspace.com during class. In this case, create a virtual rack called Student Work Rack.
- Some web content restrictions for students when they are on break. For example, they can access www.myspace.com during break. In this case, create a virtual rack called Student Play Rack.
This example assumes a 255.255.255.0 network that provides an IP address range of 192.168.1.1-192.168.1.254. The router has the following IP addresses assigned, as described in Preparing To Assign Users To Policies:
- 192.168.1.51-192.168.1.150 (Teachers & Staff)
- 192.168.1.151-192.168.1.254 (Students)
The following example shows these two policies:
- Policy #1: Uses Student Play Rack to enable students to visit www.myspace.com during lunch.
- Policy #2: Uses Student Work Rack to block students from visiting www.myspace.com during class.
NOTE: policies are evaluated in the order they are listed, and the FIRST policy that matches a network event is the one that is applied to the event. Thus, in this example, we want the 'Student Play' policy to come first, so that when it matches an event, access to the controlled site is permitted. Then, we want the 'Student Work' policy to come second, so the controlled site is denied otherwise. Finally, we want the 'Default' policy to come last in the list, so any default rules are enforced as a fail-safe, e.g., should a teacher be accessing the web from a student computer but not necessarily accessing myspace.
Policy #1
Policy #2
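The first-match ordering rule above, worked through in code as an added example (this is not Untangle's code): a minimal evaluator over the policy fields listed under Creating Custom Policies, using the student address range from the page. The Policy class, the helper names, the lunch hours (12:00-12:59) and class hours (08:00-15:00, weekdays) and the sample flow are assumptions made for the example.

```python
# Added example, not Untangle's own code: a first-match evaluator modelled on
# the school policies on this page. The field names, the student IP range and
# the 24-hour clock come from the page; the Policy class, the helper names,
# the lunch and class hours and the sample flows are assumed/constructed here.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address

ANY = "any"
ALL_DAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"})

@dataclass
class Policy:
    name: str
    rack: str                          # target rack, or "No Rack"
    protocol: str = ANY                # TCP, UDP, PING, "TCP & UDP" or any
    client_iface: str = ANY            # Internal, External, DMZ, VPN, ...
    addr_range: tuple = ()             # (first, last) client IP; () means any
    port: int = 0                      # server port; 0 means any
    start: time = time(0, 0)           # 24-hour clock, day runs 00:00-23:59
    end: time = time(23, 59)
    days: frozenset = ALL_DAYS
    enabled: bool = True               # cleared check box = policy skipped

def matches(p: Policy, flow: dict) -> bool:
    """True when every criterion of policy p accepts the flow."""
    if not p.enabled:
        return False
    if p.protocol != ANY and flow["protocol"] not in p.protocol.split(" & "):
        return False
    if p.client_iface != ANY and flow["client_iface"] != p.client_iface:
        return False
    if p.addr_range:
        first, last = (ip_address(a) for a in p.addr_range)
        if not first <= ip_address(flow["client_ip"]) <= last:
            return False
    if p.port and flow["port"] != p.port:
        return False
    return flow["day"] in p.days and p.start <= flow["time"] <= p.end

def select_rack(policies: list, flow: dict) -> str:
    """Policies are evaluated top to bottom; the FIRST match wins.
    With no match the Default Rack handles the traffic (the default policy)."""
    for p in policies:
        if matches(p, flow):
            return p.rack
    return "Default Rack"

STUDENTS = ("192.168.1.151", "192.168.1.254")   # student range from the page
STUDENT_PLAY = Policy("Student Play", "Student Play Rack", addr_range=STUDENTS,
                      start=time(12, 0), end=time(12, 59), days=ALL_DAYS - {"Sat", "Sun"})
STUDENT_WORK = Policy("Student Work", "Student Work Rack", addr_range=STUDENTS,
                      start=time(8, 0), end=time(15, 0), days=ALL_DAYS - {"Sat", "Sun"})
SCHOOL_POLICIES = [STUDENT_PLAY, STUDENT_WORK]   # Play first, Work second

def student_flow(hour: int, minute: int = 0, day: str = "Tue") -> dict:
    """Constructed sample: a student PC on the Internal interface browsing on port 80."""
    return {"protocol": "TCP", "client_iface": "Internal", "client_ip": "192.168.1.200",
            "port": 80, "day": day, "time": time(hour, minute)}
```

Swapping the two student policies makes a lunchtime request land in Student Work Rack, which is exactly the ordering mistake the NOTE warns about.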
Event Log
There isn't one!
Related Topics
Policy Manager FAQs
Can I use my existing Active Directory groups to create policies for different groups of users?
Yes, if you're using the Directory Connector application you can use Policy Manager to accomplish this. Simply set up the policy to your liking, click Users, and you will be able to select your groups from the list.
When should I create a virtual rack?
Create a virtual rack when you want to apply different rules to different users. For more information, go to Deciding When To Use Multiple Virtual Racks.
I'm using the Untangle Server's OpenVPN. Do I need to create extra virtual racks/policies for the VPN users?
You do not have to create extra virtual racks/policies to use VPN. The VPN interface is, by default, inside the external and DMZ interfaces, but outside of the internal interface. The single Default Rack is sufficient for most deployments.
One case where you would need to create extra virtual racks/policies is when not all VPN users are equal and you want to apply different rules to different VPN users. If all VPN users are equal, have the policies dealing with the VPN interface route traffic to the Default Rack.
I only want to scan inbound email traffic, not outbound. Do I need to create a new virtual rack and policies?
No. By default, outbound email traffic is not scanned. If you would like it to be, this option is available in Spam Blocker.
I created a new custom policy. Now it's not there. Why?
Custom policies are a feature of Policy Manager (included in Standard and Premium Packages). If you do not have a valid subscription to Policy Manager (or a trial) you cannot create new policies.
Why can't I add/remove entries from the Default Policies tab?
Default Policies ensure that all possible types of traffic are handled by the Virtual Racks.
If you were allowed to delete a Default Policy and you did not add a Custom Policy that is the equivalent of the Default Policy that you deleted, the Untangle Server would be unable to handle some types of traffic.