Edge Threat Management Wiki - Arista - User contributions [en]

Live Support

2018-06-22T19:31:37Z

Cknickerbocker: /* Support */

[[Category:Applications]]
Live_Support
Live_Support#Support

{| width='100%'
|-
| align="center" | [[Image:LiveSupport.png|128px]]     '''Untangle Support'''
| align="center" |
{|
|-
| Other Links:
|-
|[http://www.untangle.com/store/live-support-conf.html Live Support Description Page]
|-
|[http://forums.untangle.com/ Untangle Forums]
|-
|[[Live Support FAQs]]
|}
|}
 
----

== About Live Support ==

Live Support entitles users with access to Untangle's support team via phone and email.

To learn more about this service, visit the [http://www.untangle.com/store/live-support-conf.html Support] page. Live Support includes [[Configuration Backup]].

== Support ==

The '''Get Support''' button opens our ticketing system, which is also reachable at [https://support.untangle.com support.untangle.com]. You can also email us directly at <tt>support at untangle dot com</tt> which will automatically create a support ticket.

Please include as much information as possible when filing a ticket, and please remember that a Live Support subscription is required to work directly with the support team. We will be unable to escalate free customer issues to the engineering team.

'''Support Information''' lists information will help Untangle Support verify your license and identify your box:

* '''UID''': The ''unique identifier number'' for your Untangle. This number is generated during the install process.
* '''Build''': The exact build version your Untangle is running.

== Related Topics ==

* [[Configuration Backup]]

== Live Support FAQs ==

{{:Live Support FAQs}}

Network Configuration

2018-06-01T20:31:44Z

Cknickerbocker: /* VRRP */

= Network Configuration =

The most critical configuration in Untangle is the proper configuration of your network settings in [[Config]] > [[Network]]. For simple, networks the configuration completed during the [[Setup Wizard]] is probably sufficient. However, some networks have multiple WANs, multiple LANs, various subnets, VLANs, VRRP, etc. This describes how networking operates and is configured in Untangle.

== Cardinal Rules ==

There are several key rules to how Untangle operates that should be understood before deploying Untangle in an advanced/complex network.

{|
|
[[File:alert.jpg|right|100px|caption]]
|
# '''Untangle MUST be installed in-line.'''
# '''Untangle MUST have a working internet connection.'''
# '''Untangle routes ALL traffic according to its routing table.'''
|}

'''Untangle MUST be installed in-line.''' Untangle is a gateway product, and it is designed to be in-line with network traffic. Some network administrators want to deploy some of the functionality of Untangle without installing Untangle in-line. This isn't how Untangle is designed and it will likely not work.

For example, [[Spam Blocker]] will filter SMTP as it passes through Untangle. It will not store-and-forward to your email server like some products. [[Web Filter]] will filter web traffic as it passes through Untangle. It is does not operate as a explicit proxy that you "point" clients' browsers to send web traffic. All applications and functionality are designed to operate in a context where Untangle is installed in-line with the network flow of traffic.

'''Untangle MUST have a working internet connection.''' Untangle and many Untangle apps rely on cloud services. Untangle must have a working and consistent connection with the internet. This includes unfiltered HTTPS, HTTP, and DNS access to various cloud services. Without a valid internet connection and configuration many functions of Untangle will not work properly.

'''Untangle routes ALL traffic according to its routing table.''' Obviously, this is how all routers operate. They receive packets on an interface and then lookup in the routing table/rules where to send it. Where Untangle differs is that Untangle is often installed as a bridge or with some interfaces bridged together. In the Untangle context, two bridged interfaces share a configuration (some products call them "zones"). Traffic passing between bridged interfaces are still subject to this cardinal rule.

This is often a surprise to people on complex networks as effectively you will need to tell Untangle where to send all the traffic on your network if you want it to go to the correct place. If you have a subnet that Untangle doesn't have a route for, then it will be sent to the default gateway even if that subnet is internal. For Untangle to operate correctly, you must configure Untangle with a complete routing table so it knows how to reach all hosts on your network.

== Placing Untangle on the Network ==

The first step, after understanding the above cardinal rules, is to decide where to place Untangle on the network. Obviously, Untangle must be installed in-line with all network traffic so this provides a two options:

# Install Untangle as the gateway/firewall for the network.
# Install Untangle ''behind'' an existing gateway/firewall in flow with traffic.

Installing Untangle as the gateway/firewall is recommended. It is usually the simplest approach and it allows Untangle to leverage its full feature set including [[WAN Failover]] and [[WAN Balancer]]. This also places it in a convenient place to handle other seperate internal networks (like wireless segments) that may only connected at the gateway. Also, If you have tagged VLANs it is much simpler to run Untangle as a endpoint of those VLANs. This is commonly referred to as ''router mode.''

However, often organizations don't want to replace the existing gateway/firewall or can't because it is controlled by a different organization. In these cases, installing Untangle as a "bridge" behind the gateway allows Untangle and the apps to scan and process network traffic without providing the routing functions of your firewall. This is commonly referred to as ''bridge mode.''

Also, technically you can stick Untangle ''in front of'' an existing firewall. Typically firewall/gateways use NAT so all internal hosts share external IPs. This means by the time the traffic reaches the Untangle outside the firewall the source address of all internal communication will have the public address of the firewall. As such, Untangle can not differentiate between internal hosts so much of the functionality of Untangle (web filter, reports, shield, etc) is severely compromised. Installing Untangle outside a NAT device is never recommended.

== Configuring the Interfaces ==

The second major step, after choosing a place to deploy Untangle, is configuring the interfaces. All the configuration options of interfaces are documented in [[Interfaces|the Interfaces documentation]].
Likely, External and Internal and are already configured from the [[Setup Wizard]].

After the setup wizard you might still need to do some of the following configuration

* Configure additional subnets on the External/Internal.

Because Untangle routes all traffic according to its routing table. Additional routes/aliases may be required for any additional subnets on your network.
More information on that in [[Installation#Configure Other Subnets]]

* Configure additional interfaces

After the setup wizard only External and Internal are configured. Additional interfaces are disabled and still require configuration.
More information on that in [[Installation#Configure Other Interfaces]]

* Configure any tagged VLANs

If you have tagged VLANs (802.1q) on your network. You will need to add [[Network Configuration#VLANs|VLAN Tagged Interfaces]].

== Bridging ==

When two interfaces are bridged in Untangle this means they are effectively sharing a configuration.
Some products use the concept of "zones." In this terminology, bridging two interfaces puts those interfaces in the same "zone" or "network space."

=== Standard Bridge Mode ===

The most common scenario this is used is in ''bridge mode'' where the External is bridged to the Internal.
This is extremely useful when there is a firewall upstream.

For example, if the firewall is 192.168.1.1, then you can configured External as 192.168.1.2/24 with 192.168.1.1 as the gateway.
The internal hosts all have 192.168.1.* addresses and can continue to use 192.168.1.1 as a gateway (192.168.1.2 will also work as a gateway).

[[Image:bridge_scenario_standard.png|center|Standard Bridge Mode]]

It is important to remember that even when bridging ''Untangle routes ALL traffic according to its routing table.''
This means if you have other subnets besides 192.168.1.* like 192.168.2.*, then you will need to add aliases or routes for them otherwise that traffic will go to the default gateway.

=== DMZ Bridge ===

Another common scenario to use bridging is when Untangle has a public IP (1.2.3.2 in this example), but you have other public servers with public IPs (1.2.3.*).
You could put those servers on the private network and use [[Port Forward Rules]]. But lets assume you wanted to keep them configured with public IPs to keep them separate from the internal and avoid any NAT/port forwarding issues.

In this case, you can bridge a "DMZ" interface to your external and it essentially shares the configuration and "zone" with external.
This means you can place servers with public IPs on that segment and they can continue to use 1.2.3.1 as a gateway.

[[Image:bridge_scenario_dmz.png|center|DMZ Bridge]]

=== Additional Port ===

You can also just use bridge mode to provide alternate ports to existing interfaces/zones.
Be careful, as traffic between the two goes through Untangle!

For example, if ''Interface 2'' is configured as 192.168.1.1/24 and ''Interface 3'' is bridged to ''Interface 2'', then they are both effectively 192.168.1.1.
Basically ''Interface 3'' becomes an additional port for the ''Interface 2'' network.

[[Image:bridge_scenario1_internal.png|center|Scenario 1: Additional Port]]

This is almost identical to a configuration without ''Interface 3'' where ''Interface 2'' is plugged into a switch with two free ports.

[[Image:bridge_scenario2_internal.png|center|Scenario 2: Use a switch]]

There are some important differences:
* In scenario 1, traffic between ''Interface 2'' and ''Interface 3'' goes through Untangle and is routed via Untangle's routing table
* In scenario 1, traffic between ''Interface 2'' and ''Interface 3'' goes through Untangle and is scanned by the apps (if not bypassed via [[Bypass Rules]])

=== What "bridged" really means. ===

In untangle when two interfaces are bridged it means that they are in the same zone or that they both connect to the same network space. As the [[Network_Configuration#Cardinal_Rules|cardinal]] rules explain, '''Untangle routes all traffic according to its routing table''' - even those crossing between two bridged interfaces. This is sometimes called ''brouting'' or a ''brouter'' - unlike how a traditional layer-2 bridge/switch behaves.

It means that packets coming inside one side of a bridge will NOT necessarily exit the other side of the bridge. It also means that packets destined with a specific route will be routed according to Untangle's routing table. '''All traffic is routed according to Untangle's routing table.''' It also means MAC addresses are not maintained across segments, even if they are bridged together as packets are brouted.

This may cause you to wonder how Untangle works in the traditional "Bridge Mode." The answer is simple, for outbound traffic to the internet untangle will route that to its default gateway which was probably where the traffic was headed anyway and definitely where it should go. For inbound traffic Untangle knows the where each local host on the bridged segment lives and it routes it directly. So inbound and outbound traffic both flow as expected.

Where things get complicated is when networks have more complicated routes and do not configure Untangle with those routes. Assume Untangle is installed in traditional bridge mode on a 192.168.1.1/24 network. Lets assume the network also has another internal network of 192.168.2.1/24 behind an internal router 192.168.1.100. There is probably already a route on the existing firewall telling it that 192.168.2.* can be reached behind 192.168.1.100. If the user then inserts untangle in bridge mode and configures it as 192.168.1.2, the entire 192.168.1.* network will work but none of the traffic on 192.168.2.* will work. Why? Because Untangle routes *all* traffic according to its routing table. The firewall will route 192.168.2.* traffic to 192.168.1.100. When that traffic passes through Untangle it will not route it to 192.168.1.100 - it will route it according to its routing table. Since it knows nothing about 192.168.2.* and those addresses aren't local, it will be sent back out to the default gateway. As such the 192.168.2.* network will be completely offline as return traffic from the internet will not reach those hosts. Once a 192.168.2.0/24 route to 192.168.1.100 is added to Untangle traffic will flow as expected. The routing table on Untangle must reflect the layout of the network.

Another common scenario is bridging two separate networks with one Untangle server. Lets look at an example with 4 interfaces: network1External, network1Internal, network2External, network2Internal. network1Internal is bridged to network1External. network2Internal is bridged to network2External. The problem with this scenario is that '''Untangle routes all traffic according to its routing table.''' If traffic comes in on network2Internal and is bound for the internet it will '''NOT''' be sent out network2External just because that's where it was originally headed. It will be routed according to Untangle's routing table, which is the default route of Untangle - probably network1External's gateway! To setup this scenario one must use WAN Balancer and routes to assure that traffic coming in network2Internal is routed via network2External. This is true whether or not the separate network or separate physical networks or separate VLAN networks.

The key to using bridge mode effectively is understanding how Untangle routes traffic. While bridging can often be convenient it can also create headaches for complicated setups.

== NAT ==

NAT or Network Address Translation is the operation of rewriting the source address of packets. Typically this is used so many internal hosts with internal IPs (192.168.*.*, 10.*.*.*, etc) can share one or several public IPs.

There are 3 ways that NAT is done is Untangle:

# If you check ''NAT traffic exiting this interface (and bridged peers)'' on any WAN interface configuration.
# If you check ''NAT traffic coming from this interface (and bridged peers)'' on any non-WAN interface configuration.
# If you add a [[NAT Rules|NAT Rule]]

=== NAT traffic exiting this interface (and bridged peers) ===

The first option is ''NAT traffic exiting this interface (and bridged peers)'', as described in the [[Interfaces]] documentation, will NAT any traffic exiting this interface and any of its bridged peers. This is the enabled by default on all WANs, and is enabled if Untangle is installed as a router via the [[Setup Wizard]].

What this means is that any and all traffic exiting that WAN interface or bridged peers will be NATd to ''auto'' which is the current primary address of that WAN interface. Traffic between this interface and any bridged peers will not be NATd. Checking this option also blocks all traffic coming to this WAN that is not to a local process or explicitly forwarded with a [[Port Forward Rules|Port Forward Rule]].

=== NAT traffic coming from this interface (and bridged peers) ===

The second option is ''NAT traffic coming from this interface (and bridged peers)'', as described in the [[Interfaces]] documentation, will NAT any traffic coming from this interface and any of its bridged peers. This is not enabled by default.

What this means is that all traffic from this interfaces will get NATd to ''auto'' which is the primary address of which ever interface the traffic it exits. Traffic between this interface and any bridged peers will not be NATd. Checking this option also blocks all traffic to this non-WAN except traffic forwarded with a [[Port Forward Rules|Port Forward Rule]].

=== When and Where to perform NAT ===

If there are only two interfaces in Untangle the first and second options are identical. When there are multiple internal subnets you will need to configure where you wish to NAT so that you have the desired behavior.

If you wish internal networks to be able to speak with each other (ie 192.168.1.100 should be able to reach 192.168.2.100 on a different interface) then you do not want to NAT between those networks.

[[Image:nat_scenario_wan.png|center|Scenario 1:NAT at WAN]]

As such, you should uncheck ''NAT traffic coming from this interface (and bridged peers)'' on both LAN interfaces, and check ''NAT traffic exiting this interface (and bridged peers)'' on the WAN(s).

If you wish for internal networks to be completely separate such that they can not speak to each other then you want to check ''NAT traffic coming from this interface (and bridged peers)'' on the non-WAN interfaces. This means NAT will be performed on all traffic from these LANs and inbound sessions will be blocked unless explicitly forwarded with [[Port Forward Rules]].

[[Image:nat_scenario_lans.png|center|Scenario 1:NAT at LAN]]

=== NAT Rules ===

The third option is explicitly configuring exactly what should be NATd to what address with [[NAT Rules]]. Be aware, these rules do not also explicitly block any inbound traffic like the two NAT options.
NAT rules can be used in conjunction with the two NAT checkboxes and any matched NAT rule will take precedence. Most networks need only one the first two options, but sometimes there are scenarios where a NAT rule is wanted desired such as [[1:1 NAT]] or when you want to guarantee that certain traffic (like SMTP exiting an email server) uses another address other than the primary WAN address.

If no NAT option is enabled (all unchecked and no NAT rules) then Untangle will route like a typical router without performing any NAT operation.

''Note:'' The ''NAT traffic exiting this interface (and bridged peers)'' option in WAN is equivalent to appending an ''Auto'' NAT rule to the end of the [[NAT Rules]] matching all traffic with ''Destination Interface'' equal to that WAN or any bridged peer but excluding traffic between any bridged peers in that zone. It also includes a [[Filter Rules|forward filter rule]] to block inbound sessions from this WAN or bridged peers not explicitly port forwarded excluding sessions between any bridged peers in that zone.

''Note:'' The ''NAT traffic coming from this interface (and bridged peers)'' option in WAN is equivalent to appending an ''Auto'' NAT rule to the end of the [[NAT Rules]] matching all traffic with ''Source Interface'' equal to that non-WAN or any bridged peer but excluding traffic between any bridged peers in that zone. It also includes a [[Filter Rules|forward filter rule]] to block inbound sessions to this non-WAN or bridged peers not explicitly port forwarded, excluding sessions between any bridged peers in that zone.

== VLANs ==

VLANs or [http://http://en.wikipedia.org/wiki/Virtual_LAN Virtual LANs] are commonly used so that multiple subnets can share the same wire while maintaining complete separation including separate broadcast domains.

<blockquote>
'''IMPORTANT:'''

The term VLAN is sometimes also used to describe putting multiple untagged (no 802.1q tag) subnets on the same wire. For example, Untangle is in bridge mode as 192.168.1.2/24 but there is also a 192.168.2.* on the same wire.
If there are no 802.1q tags on the 192.168.2.* traffic - it is '''NOT''' a VLAN and new VLAN interfaces should '''NOT''' be created on Untangle. In this scenario you should use guidance in [[Installation#Configure Other Subnets]] to properly configure Untangle to handle these subnets. VLAN interfaces will '''ONLY''' handle tagged 802.1q packets and all packets sent to a VLAN interface will be tagged with 802.1q tags.
</blockquote>

VLANs have several uses. Often you want multiple completely separate internal subnets on a network, but you do not want to run multiple physical ethernet networks through a building. VLANs allow you to run multiple networks on the same physical wire while still guaranteeing they are completely separate and secure. To do this you must have VLAN enabled switches and products through-out the network. VLANs can also be useful if you have limited ethernet ports on Untangle and wish to overload a single NIC with two separate purposes. This requires that NIC to be connected to a VLAN enabled switch.

To create a VLAN interface click on the ''Add Tagged VLAN Interface'' button at the bottom of the interfaces grid on the [[Config]] > [[Network]] > [[Interfaces]]. This will create a new ''virtual interface.'' First, you will need to give this interface a new name, and also select the ''Parent Interface.'' The ''Parent Interface'' is the physical interface that this VLAN virtual interface exists on. Then you will need to configure an ''802.1q Tag'' which is an integer between 1 and 4094 inclusive. After this you will configure the interface just like any interface.

This new ''VLAN interface'' is just like a physical interface in all ways. This means you can configured this VLAN interface exactly like any physical interface. It is completely separate from the physical parent interface. Any packet coming in on the physical parent interface with the 802.1q tag matching the configured value (1-4094) will be considered by Untangle to be coming in the VLAN interface. Any packet sent to the virtual VLAN interface will actually be sent on the physical parent interface with the configured 802.1q tag. All untagged packets on the physical parent interface will be processed like normal through the physical parent interface, only 802.1q tagged packets with the matching 802.1q tag will be processed by the VLAN interface.

After configuring Untangle with the appropriate tagged VLAN interfaces, you will need to configured some VLAN-enabled managed switch to properly process the packets as desired. For example, [http://vinf.net/2011/01/27/how-to-configure-a-port-based-vlan-on-an-hp-procurve-1810g-switch/ here is a document] describing how to configure a HP procurve switch.

<blockquote>
''Note:'' VLAN interfaces are completely separate from their physical parents, however they do share the same physical NIC and as such will be limited by the throughput of the physical NIC. For example, if you have two 100Mbit tagged VLAN WANs on the same physical 100Mbit NIC, then you will still be limited to 100Mbit total on both WANs at any given time.
</blockquote>

''Example:'' We want to have two completely separate LANs on our network but we only have one wire or one network card. As such we need a VLAN enabled switch. Configure the internal interface with the IP and configuration from LAN 1. Create a tagged VLAN interface with 802.1q tag ''3.'' Configured the new VLAN interface with the IP and configuration for LAN 2. Now configure your VLAN switch to send VLAN 3 packets to the appropriate ports with LAN 2 hosts. In this scenario we are using the same wire but have two separate LANs with separate broadcasts domains.

[[Image:vlan_scenario_twolans.png|center|Two LANs with VLANs]]

''Note:'' If you want to use a single wire and/or network card but you don't care about keeping the two LANs seperate, you don't need VLANs and can just use aliases/routes.

===Configuring VLAN on Untangle in Bridge Mode===

Some users want to configure untangle in bridge mode in the middle of a VLANed network.
This is possible, but '''NOT RECOMMENDED'''. It is suggested to install Untangle as the gateway and terminate VLANs on an addressed VLAN interface. However, if you wish to install Untangle as a bridge in the middle of several (V)LANs simultaneously, the following instructions will allow you to establish multiple bridges and then enter the routes to tell Untangle that if traffic enters on a specific interface it should exit the bridged peer.

*You will need to create 2 virtual interfaces for each VLAN you want to set up.
<blockquote>
#One as a child to the external interface
#One as a child to the internal interface
</blockquote>

*To set up the external's VLAN interface
<blockquote>
#Click on Create a tagged VLAN interface
#Give the interface a name that's easily identifiable by you
#Set the Parent Interface to External
#Set the 802.1q tag
#Config type must be "Addressed"
#Under IPv4 configuration, assign a unique static IP to the interface.
#Enter the IP address for the VLAN gateway
#Enter DNS servers you would like to use
</blockquote>
[[Image:external_vlan.png|400px|center|Scenario 1: Additional Port]]

*To set up the internal's VLAN interface
<blockquote>
#Click on Create a tagged VLAN interface
#Give the interface a name that's easily identifiable by you
#Set the Parent Interface to Internal
#Set the same 802.1q tag that you configured on the external VLAN interface
#Config type must be "Bridged"
#Bridge this interface to the external VLAN interface
</blockquote>
[[Image:internal_vlan.png|400px|center|Scenario 1: Additional Port]]

*Go to WAN Balancer and set the weights to send 100% of network traffic out of your untagged external interface

*Click over to the Route Rules tab and create a new rule
<blockquote>
#Source Interface : [Internal VLAN interface]
#Destination WAN : [External VLAN interface]
</blockquote>

== VRRP ==

VRRP provides network level redundancy.

Multiple Untangles can be run in parallel in a high availability configuration.
In this configuration one Untangle will be the "master" and one or more Untangles will be the "slaves."
In the event the master fails, one of the remaining slave Untangles will take over the master role such that network traffic continues to flow without interruption.

Untangle uses VRRP or [http://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol Virtual Redundancy Router Protocol] to handle the switching between Untangle servers.
All Untangle servers must be on and all configured with a share VRRP Virtual Address. The master is the only Untangle to answer/handle traffic routed to the VRRP Virtual Address.
If the master fails an "election" is held over VRRP and the next highest priority slave will begin handling traffic to the VRRP Virtual Address.

All Untangles interfaces must be configured statically, and there must be no bridged interfaces. Parallel Untangles configured as bridges will create a bridge loop!

=== VRRP Basic Example ===

A common configuration is running two Untangles to act as the gateway for the internal network.
For example, lets assume Untangle 1, the master, has a public IP of 1.2.3.4 and an internal IP of 192.168.1.2.
Lets assume Untangle 2 has a public IP of 1.2.3.5 and an internal IP of 192.168.1.3.
Both are running in "router" mode and doing NAT and acting as a gateway. Note that all IPs must be unique!
This configuration requires each untangle to have its own external IP!

Now we configure Untangle 1 to have a VRRP Virtual Address of 192.168.1.1 on the Internal interface, and also configure Untangle 2 to also have a VRRP Virtual Address of 192.168.1.1 its Internal interface
They both share the same VRRP Virtual Address. Each Untangle in the group must have the same VRRP ID. So lets give Untangle 1 a VRRP ID of 1 and also give Untangle 2 a VRRP ID of 1.
We want Untangle 1 to be the master when its on and working without issues so give it a higher priority of 100.
Untangle 2 is the slave so it should be given a lower priority so lets give it a lower priority of 50.

[[Image:VrrpSingle.png|center|Simple VRRP Example]]

[[Image:VrrpUntangle1Internal.png|center|VRRP Untangle 1 Config]]

[[Image:VrrpUntangle2Internal.png|center|VRRP Untangle 2 Config]]

Configure your internal hosts to use the VRRP Virtual Address (192.168.1.1) as the gateway. In this configuration the master will route all traffic to 192.168.1.1 just like a regular address.
Should the master fail within a few seconds the slave will become the new master and start routing traffic.

Note: You should configure the DHCP server to hand out 192.168.1.1 as the default gateway. If untangle is providing DHCP. Configure Untangle 1 as the "authoritative" with 192.168.1.1 as the "Gateway Override." Configure Untangle 2 the same but as non-authoritative. This way Untangle 1 will handle all DHCP unless it is down, in which case Untangle 2 will handle DHCP.

=== VRRP External Example ===

The above example work great for outbound traffic, but if you have inbound traffic being port forwarded that traffic might fail if the Untangle owning that address fails.
VRRP can also be used to provide redundancy for inbound traffic. For example, similar to above, lets assume you have Untangle 1 with 1.2.3.4 and Untangle 2 with 1.2.3.5.

You can configure both with a shared VRRP Virtual Address of 1.2.3.3. Now configure port forwards on both Untangle for traffic destined to 1.2.3.3 to the appropriate internal host.
Only the master will handle traffic to 1.2.3.3. If the master fails the slave will take over traffic handling for 1.2.3.3 and port forwarding. External hosts will still be able to reach local services should the master fail.

In this scenario [[NAT Rules]] can also be configured if outbound traffic should use the same address regardless of which server is handling the traffic.

=== VRRP Combined Example ===

It is also possible to combine VRRP on multiple interfaces. For example, combine the above two examples. VRRP
can be used to provide redundancy on both interfaces. VRRP IDs must be unique for each server. For example, the external on both should be VRRP ID 1 and the internal on both should be VRRP ID 2.
In this scenario VRRP is "grouped" such that if the server loses its "master" status on one interface it will also release its master status on other interfaces.

[[Image:VrrpDouble.png|center|Simple Combined Example]]

[[Image:VrrpUntangle1External.png|center|VRRP Untangle 1 Config]]

[[Image:VrrpUntangle2External.png|center|VRRP Untangle 2 Config]]

[[Image:VrrpUntangle1Internal.png|center|VRRP Untangle 1 Config]]

[[Image:VrrpUntangle2Internal.png|center|VRRP Untangle 2 Config]]

For example, in the picture above if the Internal interface on Untangle 1 is unplugged, then Untangle 2 will become the master and start responding to 192.168.1.1.
Untangle 1 will also release its master status on the external interface so that Untangle 2 will also handle 1.2.3.3. This is to avoid any scenarios where Untangle 1 is master the external address and Untangle 2 is master on the internal address.

=== VRRP FAQs ===

==== What kind of problems count as a failure for VRRP purposes? ====

Most critical hardware issues such as power outages, crashes, or freezes will immediately cause the VRRP broadcast to stop and the slave will immediately take over.
Furthermore, if some common errors are detected in software such as the NIC being unplugged then the VRRP broadcast is stopped.

==== How can I see which is the VRRP master? ====

The VRRP status is available in the VRRP settings. The ''Is VRRP Master?'' indicator will be green if master.

==== How can I test my VRRP configuration? ====

Simply configure VRRP then unplug one of the VRRP Untangle interfaces. The slave should immediately take over and you should still be able to ping the VRRP Virtual Address.

==== How quickly does traffic switch? ====

VRRP acts very quickly in the case of a failure and usually switches in less than a few seconds. However, TCP sessions will be reset as state is lost.

==== Is state shared between Untangles? ====

No. There is zero state sharing between Untangle. The session tables are separate, so sessions will be reset if the slave takes over. Furthermore application data is not shared or synchronized between servers.
This includes things like host tables, captive portal logins, openvpn state, ipsec state, email quarantines, reports, quotas & penalty boxes, web filter bypass states, antispam learning, etc.

==== Can I run VRRP in bridge mode? ====

No. "Slave" untangles are still live, they just do not handle traffic to the VRRP Virtual Address. As such if any bridge loop is created with bridged interfaces between the master and slave the network will stop functioning.

Administration Notifications

2018-04-27T14:32:32Z

Cknickerbocker: /* Notifications */

Administration_Notifications
Administration_Notifications

= Overview =

[[Image:Administrator_Alert.png|right]]

Administration Notifications appear as an exclamation point icon at the top of the rack when logged into the Administration interface or in the "Notifications" widget on the dashboard. When logging in, the server will runs a series of tests which can take a few minutes and then it will display the administration alert icon if there are any alerts. Tests are only performed on login, to force a retest just refresh the browser or click refresh on the Notification widget on the dashboard.

Notifications are displayed to alert the administrator of common misconfigurations or issues.

= Notifications =

{| width=100% border="1" cellpadding="2"
|-
!width="50%"|Text
!width="50%"|Description

|-
| Upgrades are available and ready to be installed.''
| The server detected software upgrades that have not been applied. Upgrades can be applied in [[Config]] > [[Upgrade]].

|-
| DNS connectivity failed: ''DNS Server IP''
| The specified server's DNS settings is not providing DNS resolution. Check DNS settings of your WAN interfaces in [[Config]] > [[Network]] > [[Interfaces]]. It is recommended to use your ISP's DNS servers.

|-
| Failed to connect to Untangle. ''[address:port]''
| Untangle failed to successfully connect to the Untangle servers. Check your network setting to make sure they are valid and that Untangle is online. Also check there is no firewall between Untangle and the internet that could be blocking connectivity. Untangle requires an active connection to the internet for proper operation.

|-
| Free disk space is low. ''[ xx% free ]''
| Free disk space is running low. Contact Untangle support for help determining what is using disk space and what to do about it. Please note that our recommended minimum hard disk size is at least 80Gigs.

|-
| Disk errors reported.
''Error text''
| The disk (hard drive) returned some errors for certain commands. This usually means the disk has bad sectors which are non-responsive. In this case the disk (hard drive) should be immediately replaced.

|-
| ''Rack Name'' contains two or more ''Application 1''
| The given rack contains two or more instances of the same application. While possible this is never desired as it decreases performance and increases management complexity. Remove one of the duplicate applications.

|-
| ''Rack Name'' contains redundant apps: ''Application 1'' and ''Application 2''
| Some applications in Untangle are redundant and should not both be installed in the same rack at the same time. For example, Spam Blocker is a super-set to Spam Blocker Lite. If both are run no additional spam will be blocked, but messages will be scanned twice incurring a performance hit. Remove the redundant application.

|-
| Bridge (''Interface 1'' <-> ''Interface 2'') may be backwards. Gateway (''Gateway IP'') is on ''Interface 2''.
| Often bridges can be plugged in with the WAN interfaces on the LAN and the LAN interface on the WAN. This works and passes traffic, however several applications do not behave as expected. If this is show it has detected that the gateway for the main bridge interface is not on the expected interface. It is recommended to go into [[Config]] > [[Network]] > [[Interfaces]] and unplug each interface one at a time and verify and correct the mapping of interfaces by swapping cables around.

|-
| ''Interface 1'' interface NIC has a high number of ''RX/TX'' errors.
| This indicates that ''ifconfig'' shows a high number of RX or TX errors on the given interface card. This is typically a network layer or NIC issue. If possible, try another NIC or different duplex setting in /admin/index.do#config/network/advanced/network_cards.

|-
| Spam Blocker [Lite] is installed but an unsupported DNS server is used
| Spam Blocker and Spam Blocker Lite rely on DNSBL (DNS blacklists) to categorize spam. Several publicly available and often used DNS servers do not supply access to these services. For example, google(8.8.8.8, 8.8.4.4), opendns(208.67.222.222, 208.67.222.220), level3(4.2.2.1,4.2.2.2) do not provide resolution for DNSBL queries. It is recommended to configure Untangle to use your ISP's DNS servers for effective spam filtering. If spam filtering is not required simply uninstall the spam filtering application from the rack.

|-
| Spam Blocker [Lite] is installed but a DNS server (X, Y) fails to resolve DNSBL queries.
| This means one of the configured DNS servers does not properly resolve DNSBL queries. This will greatly degrade Spam Blocker and Spam Blocker Lite's ability to detect spam. Try configuring a different DNS server. To test this manually run ''host 2.0.0.127.zen.spamhaus.org your_DNS_server'' in the terminal where "your_DNS_server" is the IP of your DNS server. If it does not return results then DNSBL queries are not being properly resolved by that server.

|-
| Web Filter is installed but a DNS server (X, Y) fails to resolve categorization queries.
| This means one of the configured DNS servers does not properly resolve Web Filter category queries. Web Filter uses DNS to query for the categorization of unknown sites. If the configured DNS servers do not properly respond to categorization queries then Web Filter will not function correctly and may slow web traffic significantly.

|-
| A DNS server responds slowly. (X,Y,Z) This may negatively effect Web Filter performance.
| This means the specified DNS server (Y) on interface (X) responded slowly (in Z milliseconds) to a Web Filter categorization request. Web Filter will automatically request categorization of unknown and never before seen URLs. If DNS is performing poorly Web Filter categorization will also be slow and may negatively effect web traffic latency as Web Filter categorizes websites.

|-
| Event processing is slow (x ms).
| Event logging is slow. This is shown when event logging takes more than 15ms on average. This can be caused by a slow disk or an extremely busy server. If you see this message, you can try a couple things. 1) Use a faster disk/disk controller to the daemon is able to more quickly write events. 2) Create less events by turning off apps and/or bypassing traffic that need not be scanned.

|-
| Event processing is delayed (x minute delay).
| The event logging daemon that logs events to the database is behind. This happens when "events" are happening quicker than the events can be written to the database. This can be caused by a slow disk or a busy network. Events will be stored in queued in memory until they can be written to the disk. If the time it takes for an event to happen to be logged to the database reaches a time greater than 10 minutes this warning appears. This is not necessarily an issue, but the administrator should be aware when viewing reports and events that they will be delayed by x minutes. You can try a few things to resolve this alert: 1) Use a faster disk/disk controller to the daemon is able to more quickly write events. 2) Create less events by turning off apps and/or bypassing traffic that need not be scanned.

|-
| Packet processing recently overloaded
| This warning means that at "''nf_queue: full at * entries, dropping packets(s)''" was found in "''/var/log/kern.log.''" This means packets were incoming faster than the server was able to handle them. This usually indicates some misconfiguration or performance issue, or that some traffic needs to be [[Installation#Bypass_Rules|bypassed]]. This can also indicate that the server is undersized for the current task and is short on memory (swapping) or disk I/O throughput or processing power. For further help with this alert, contact Untangle support.

|-
| The shield is disabled. This can cause performance and stability problems.
| The shield is disabled in [[Config]] > [[System]] > [[Shield]]. While sometimes useful for testing, this configuration will cause performance and stability problems. To fix verify that ''Enable Shield'' is checked.

|-
| Route to unreachable address: 1.2.3.4
| A static route exists in [[Config]] > [[Network]] > [[Routes]], but the next hop is unreachable. All traffic for this route will be dropped.

|-
| Currently the number of devices significantly exceeds the number of licensed devices. (x > y)
| The number of devices for which NGFW has recently processed traffic (x) is greater than the number of allowed devices (y) for the license existing on the NGFW server. In order to return to compliance it may be necessary to bypass devices or get a larger license. Please contact support@untangle.com for help.

|-
| DNS and DHCP services are not functioning.
| This means that the DNS and DHCP service is not properly functioning. This is a serious issue that must be resolved in order for Untangle to function properly. The usual cause of this is invalid options or syntax in [[Config]] > [[Network]] > Advanced > [[DHCP & DNS]], or in the interface settings in [[Config]] > [[Interfaces]] > Edit > DHCP Configuration > DHCP Options.

|}

Purchasing & Subscription FAQs

2018-02-09T16:19:20Z

Cknickerbocker: /* I just purchased a product, however it is still reporting as a trial version? */

[[FAQs|All Untangle FAQs]]

== How does Untangle NG Firewall licensing work? ==

Untangle NG Firewall licensing is done by each NG Firewall that you have deployed. You '''cannot''' buy one set of licensing and share it across multiple NG Firewall deployments. You count the number of networked devices that are installed on the LAN side of your NG Firewall and that is the pricing band/bucket you need to purchase for in the Untangle licensing model. If you already have Untangle installed you can click on the '''Hosts''' count at the top of the rack to see the devices on your network. Our current pricing model allows you to purchase a monthly, 1-year, 3-year or 5-year subscription for any given NG Firewall deployment. For licensing purposes, a user is defined as a device (pc, laptop, etc) on the network. If multiple people use the same pc, it still counts as one user. NG Firewall tracks the number of devices connecting through it, and user environments that exceed the license entitlement will be flagged for further review by Untangle. At this time, we do not automatically disable the software when usage exceeds the license count, but can do so after review of the violation(s).

== How do I transfer my paid license? ==

''Video for this process is available [https://support.untangle.com/hc/en-us/articles/201661956 here].'' 

'''IMPORTANT:''' Please be sure to download the config backups (if needed) prior to the transfer. Once you transfer the license, the config backups will be unavailable.
 
Steps to transfer the license to the new server. 
1. Login to the store with the store account. 
2. On the top menu, click Subscriptions. 
[[Image:subscriptions-uid.png|none|512px|Remove Subscriptions]]
3. Click the '''Name/UID''' link for the subscription you want to transfer. 
4. This will remove the subscription from the appliance. Click '''Remove''' to confirm. Once removed, the subscription becomes a voucher available for use on another NG Firewall UID. 
5. To add the license to another NG Firewall UID, click the '''unassigned''' link on the Subscriptions tab. 
[[Image:subscriptions-unassigned.png|none|512px|Click Unassigned]]
6. Select a device from the list to transfer the subscriptions to and click '''Add'''. 
[[Image:subscriptions-add.png|none|512px|Add Subscription]]
 

==What's a voucher and voucher key?==

A voucher is a "gift certificate" for a specific NG Firewall [https://www.untangle.com/software-packages package or individual application]. A voucher key is a unique alphanumeric code that enables you to redeem your voucher.
 

==Can a voucher expire?==

Yes. When you purchase a voucher you can select a monthly or yearly subscription that automatically renews. The subscription period begins as of the time the voucher was purchased. So, it's important that you redeem that voucher as soon as possible to get the "biggest bang for your buck."

==Why would I want to purchase a voucher?==

* If you are an end-user, but you aren't in front of the NG Firewall (you're at the airport), a voucher provides you a way to purchase now and install at your convenience.

* If you are an Untangle Partner:

:* It's very efficient to purchase a set of vouchers using one transaction, and redeem the vouchers as you install NG Firewalls.

:* If you do not intend to install the NG Firewall yourself, you can simplify the installation process by sending the voucher to your customer.

:* If you're looking to court a customer, a voucher is a wonderful gift, though not as tasty as chocolate and not nearly as expensive as a diamond.

==How do I redeem a voucher?==

''Video for this process is available [https://support.untangle.com/hc/en-us/articles/201661966 here].'' 

There are two ways to redeem a voucher.

First: (Primarily used if you were the purchaser of the voucher or have store account access to the account where the voucher was purchased)
# Log-in to your Untangle Server.
# From the Navigation pane, click on the '''My Account''' button on the bottom left.
# Log into your Store Account you used to purchase your Voucher.
# Click on '''My Subscriptions''', then '''Manage Vouchers'''.
# Check the box next to the voucher(s) you'd like to redeem.
# Click on the '''Redeem''' button. The software should automatically install, refresh the web GUI to verify.

Second: (Primarily used if you did not purchase the voucher through your store account)
# Follow steps 1-4 above.
# Click the link '''Enter and Redeem a New Voucher Key'''.
# Enter the voucher key(s) in the space(s) provided.
# Verify the UID, server description and the IP address of your server are correct.
# Click the '''Continue''' button. The software should automatically start install, refresh the web GUI to verify.



==Why do I get a monthly web confirmation from authorization.net?==

Untangle uses authorization.net to process your monthly subscriptions. The first month you receive an email confirmation from Untangle; however, authorization.net sends you all subsequent email confirmations.

==Why doesn't my authorization.net confirmation have a description?==

We're sorry for this inconvenience. We will be making regular updates to our store, so stay tuned. In the meantime, you can compare the authorization.net confirmation against the invoices in My Invoices.

==How do I purchase Untangle NG Firewall software?==

Currently there are two ways to make a purchase of NG Firewall software.

An '''off-GUI''' purchase is when you purchase a subscription directly from Untangle's store without being logged into a deployed NG Firewall. An 'off-GUI' purchase results in a voucher you can redeem at any time, keeping in mind that until you redeem the voucher, you don't have full access to the capabilities of the subscription you've purchased until you complete the redemption of the voucher. Additionally, it's important to note that your subscription expiration count-down starts from the day you purchase your subscription not the date you redeem the voucher.

Log-in to your account if you already have one. If you don’t have one, you should be able to create one. Once you’ve created an account, you’ll need to click on the 'Store' icon in the upper right-hand corner of the website. You’ll then select the subscription(s) that you’d like to purchase and then select from the right hand side of the product webpage the correct number of pc’s for your pricing band and the correct term/period for the length of your subscription. You then can click the 'Add to Cart' button. Once you’ve done that, you should be able to either add more items to your cart by clicking the 'Continue Shopping' button or changing the quantity in the shopping cart itself. You then click on the 'Proceed to Check-out' button to finish your purchase. You'll receive an order confirmation and your voucher key. (see How do I redeem a voucher? [[http://wiki.untangle.com/index.php/Purchasing_%26_Subscription_FAQs#How_do_I_redeem_a_voucher.3F]] section of the wiki)

An '''on-GUI''' purchase is when you purchase from your NG Firewall directly. If you purchase via the 'on-GUI' method, the store and the server should talk to each other and the server will automatically download the software you've purchased. We do recommend that you use Firefox when doing this process because some browsers (i.e. Internet Explorer) don't translate the code properly and won't allow the store and the server to communicate, which causes the process to fail.

The '''on-GUI''' process is the easiest way to purchase a NG Firewall subscription. You start by logging into your NG Firewall and you click on the 'My Account' button in your admin interface. It should prompt you to log-in to your account if you already have one. If you don’t have one, you should be able to create one. Once you’ve created an account, you’ll need to click on the 'Store' icon in the upper right-hand corner of the website. You’ll then select the subscription(s) that you’d like to purchase and then select from the right hand side of the product webpage the correct number of pc’s for your pricing band and the correct term/period for the length of your subscription. You then can click the 'Add to Cart' button. Once you’ve done that, you should be able to either add more items to your cart by clicking the 'Continue Shopping' button or changing the quantity in the shopping cart itself, or you can click on the 'Proceed to Check-out' button to finish your purchase. By purchasing while logged into your Untangle server the software should automatically download when your purchase is completed.

If you have any problems with either of these two ways to purchase, please contact support at 408-598-4299 option 2, or via e-mail at support@untangle.com .

==How do I access the Store?==

You can access the Untangle store by clicking on any product in your '''Apps''', or directly from https://store.untangle.com.

==Do I have a store account?==

You do not have a store account by default. However, if you've ever purchased a subscription or redeemed a subscription, you have a store account.

==How do I decide which products I should purchase?==

The products that you need depend on your network. Use the Application Wizard. Go to [[Apps#Choosing Which Software Products To Install|Choosing Which Software Products To Install]].

==How do I subscribe to a Paid Software Product==

You can download paid Software Products through your NG Firewall's '''Apps'''. This process takes only a few minutes. For instructions, go to [[Apps#Choosing Which Software Products To Install|Choosing Which Software Products To Install]].

==I reinstalled my NG Firewall software. Why can't I reinstall my paid subscriptions?==

If you've reinstalled your NG Firewall, your paid Software Products no longer automatically appear in your rack and when you visit the Untangle Store, you're prompted to purchase ('''Buy Now''') the subscriptions that you've already purchased.

Your Untangle purchases are associated with your [[#What's a UID?|UID]]. When you reinstalled your NG Firewall on the same appliance, computer or reinstalled on a different machine, you deleted this information. This is true even if you restore from a backup: The UID is not saved as part of a backup, only your configuration.

You can confirm that this is the issue that you're having by simply comparing the UID that appears on your NG Firewall with the UID that appears in '''My Subscriptions'''. The UIDs must match.

[[Image:VerifyActivationKey.png|thumbnail|center]]

If they don't match, the solution is to migrate your subscriptions to the new UID in the Untangle store. Currently, you must be on-GUI on the newer unit to compete this process.
For self help on transferring the subscription, please visit here[http://wiki.untangle.com/index.php/Purchasing_%26_Subscription_FAQs#After_a_reinstall.2C_how_do_I_transfer_an_old_subscription_to_a_new_Untangle_server.3F].
If you need further assistance, [http://www.untangle.com/index.php?option=com_content&task=view&id=83&Itemid=187 contact Technical Support] so that we can walk you through this process. The migration is quick, but requires that you provide information about your account.



== What happens if I stop paying Untangle for my subscription(s)? ==

When your NG Firewall communicates with the licensing server your license will be revoked. You will no longer be able to use anything but the 'Free Package' applications and modules. You will see 'No License Found' on the face-plate of the application module inside the NG Firewall Admin interface. It's very easy to get your account back working again by contacting Untangle sales (sales@untangle.com) to renew your subscription and all of your previous settings will return.

== What's a UID? ==

A UID (or Unique IDentifier) is a unique 16-digital alpha numeric code that identifies your Untangle Server. To determine your server's UID, from the Untangle Server, go to '''Config''' > '''System Info''' tab > '''Version'''.

* If you '''reinstall''' your NG Firewall, you will get a new UID, and you may need to transfer any previous subscriptions to be authorized for the new UID.
* If you '''reset''' to factory defaults, your Untangle Server maintains its UID.

The UID also helps Untangle Technical Support identify your server when you call for Technical Support.

== What's a discount code? ==

Sometimes Untangle discounts its Software Products, and such offers are only available for a short period of time.

[[Image:Discount.png|thumbnail|center]]

In order to have this discount applied to your subscription purchase, type in the advertised discount code.



== How do I know if my subscription was canceled? ==

If your subscription was canceled, either because you unsubscribed or for non-payment (i.e. your credit card expired), that subscription no longer appears under '''My Subscriptions'''.

== How do I know if my trial has expired? ==

You can identify an expired trial by looking at the application's faceplate in the rack. If expired, the app's faceplate indicates <tt>Free Trial Expired</tt>. If it hasn't expired, then the faceplate indicates how many days remain before the trial expires.

== Can I make configuration changes to an expired trial? ==

Yes. When a trial expires for a software product, you can still access the applications's configuration tabs and make changes to the product; however, the product is disabled.

== If a trial expires and then I purchase, What happens to my settings? ==

A trial expiration doesn't delete your configuration settings for a product. When you purchase the product, NG Firewall simply replaces the expired product in your rack with the purchased product, preserving all configuration settings that you set during the trial period. However, as is the case with a purchased product, if you uninstall the product from the rack, you will lose all configuration data.

== Does a reset to factory defaults reset trials? ==

No.

== How can I get my trials reset? ==

We'd be happy to reset your trials, however this will be at the discretion of your Account Manager (Support will '''not''' do this directly). You'll need to check the 'Allow Support Access...' checkbox under Config > System and provide your Account Manager with the UID of the NG Firewall box in question for us to complete the reset, though a small percentage of installations (mostly those in bridge mode) may need to enable SSH as outlined [http://wiki.untangle.com/index.php/Enable_SSH here].

== Do my other applications still work after my trials expire? ==

Yes. The [http://www.untangle.com/index.php?option=com_content&task=view&id=86&Itemid=179 open-source (free) products] remain in your rack and never expire.

== How do I turn-off auto-renewal, unsubscribe or cancel the subscription for one or more paid products? ==

There are two ways to cancel your subscription.

First, you can simply disable the auto-renewal feature inside your store account. This is located on the '''My Subscriptions''' page ('''Server view''' or '''Subscription view''') of our online store. You just need to click the drop-down by the subscription that you want to turn off the auto-renewal for. By doing this the subscription stays valid until the expiration date of the subscription, thus giving you the full length of the subscription term you purchased previously.

Second, if you want us to cancel your subscription immediately, you'll need to contact our accounting department at their e-mail address and make the request through to them. [mailto:accounting@untangle.com]

== I just purchased a product, however it is still reporting as a trial version? ==

First please make sure the subscription has been assigned to your UID. [https://support.untangle.com/hc/en-us/articles/115012197907-How-to-assign-transfer-a-subscription Here is a link to our Knowledge Base] that describes the assignment process.

If the Untangle still shows trials try the following:
From your NG Firewall, click '''Config''' then click '''About''', then select the '''License''' tab and finally click '''Refresh''' in the lower left corner. This will force the Untangle to refresh license status from the license server.

== How do I know if my subscription needs to be enabled for renewal? ==

If your subscription is not set to auto-renew at the end of the current subscription period, you'll need to enable that renewal prior to the expiration date to ensure there is no interruption to the service on your NG Firewall To determine if you need to enable renewal on your subscription(s), here are a few easy steps to follow:

# Login to your Untangle Store account [http://store.untangle.com]
# Click on the '''My Subscriptions''' link on the left side of the screen
# You'll then need to click the '''Subscription View''' on the upper right-side of that screen
# You will be able to see if something is '''Enabled''' or '''Disabled''' for the Auto-renewal

== How do I renew my subscription(s)? ==

If you need to enable your subscription(s) for renewal, here are the steps necessary:

# Login to your Untangle Store account [http://store.untangle.com]
# Click on the '''My Subscriptions''' link on the left side of the screen
# You'll then need to click the '''Subscription View''' on the upper right-side of that screen
# You will be able to see if something is '''Enabled''' or '''Disabled''' for the Auto-renewal
# You can change it from '''Disabled''' to '''Enabled''' by click the drop-down and selecting the appropriate option.

== I've renewed my subscription, but the renewal date remains unchanged. Why? ==

If your subscription is enabled for renewal, but the renewal date still shows the same date as before, don't worry. Because we won't charge your account for the subscription renewal until the renewal date, the renewal date will not change until that charge takes place.

For example, let's say you enabled a subscription for renewal with a renewal date of November 11, 2010. On November 11, 2010, we will charge your account for the cost of the renewal, and update your renewal date to November 11, 2011.

Remember, if your subscription does not appear when you click on the Renewals link in your Untangle Store Account, that means it is enabled for renewal.

== What is an "Upgrade Order"? ==

First, you can upgrade from one product to another, i.e. from just Web Filter to Complete Package. To accomplish this, you'll need to contact our sales team at [mailto:sales@untangle.com] and they will send you an e-mail template that you'll need to fill out in order to have accounting do the manual process and billing on the back-end. You will then be notified when you can do a re-install of the upgraded subscription on to your existing NG Firewall deployment.

For changes to the duration of your subscription (i.e., one month to annual) or changes to the number of licensed devices (i.e. 1-10 to 11-50), go to your "My Account" page. You will find upgrade options under "Subscriptions".

== I placed an Upgrade Order, but my subscription's renewal date stayed the same. Why? ==

Because an upgrade order simply adds a new term to the end of the current term, the renewal date on your subscription will remain unchanged until the listed renewal date.

For example, let's say you placed an Upgrade Order to convert a subscription from a Yearly to a 2-Yearly term on June 15, 2010, and the current renewal date is July 1, 2010. On July 1, 2010, the renewal date on your subscription will be updated to July 1, 2012.

File:Administrator Alert.png

2018-02-01T21:17:17Z

Cknickerbocker:

Administration Notifications

2018-02-01T21:14:32Z

Cknickerbocker: /* Overview */

Administration_Notifications
Administration_Notifications

= Overview =

[[Image:Administrator_Alert.png|right]]

Administration Notifications appear as an exclamation point icon at the top of the rack when logged into the Administration interface. When logging in, the server will runs a series of tests which can take a few minutes and then it will display the administration alert icon if there are any alerts.

Notifications are typically displayed to alert the administrator of common mis-configurations or issues.

= Notifications =

{| width=100% border="1" cellpadding="2"
|-
!width="50%"|Text
!width="50%"|Description

|-
| Upgrades are available and ready to be installed.''
| The server detected software upgrades that have not been applied. Upgrades can be applied in [[Config]] > [[Upgrade]].

|-
| DNS connectivity failed: ''DNS Server IP''
| The specified server's DNS settings is not providing DNS resolution. Check DNS settings of your WAN interfaces in [[Config]] > [[Network]] > [[Interfaces]]. It is recommended to use your ISP's DNS servers.

|-
| Failed to connect to Untangle. ''[address:port]''
| Untangle failed to successfully connect to the Untangle servers. Check your network setting to make sure they are valid and that Untangle is online. Also check there is no firewall between Untangle and the internet that could be blocking connectivity. Untangle requires an active connection to the internet for proper operation.

|-
| Free disk space is low. ''[ xx% free ]''
| Free disk space is running low. Contact Untangle support for help determining what is using disk space and what to do about it.

|-
| Disk errors reported.
''Error text''
| The disk (hard drive) returned some errors for certain commands. This usually means the disk has bad sectors which are non-responsive. In this case the disk (hard drive) should be immediately replaced.

|-
| ''Rack Name'' contains two or more ''Application 1''
| The given rack contains two or more instances of the same application. While possible this is never desired as it decreases performance and increases management complexity. Remove one of the duplicate applications.

|-
| ''Rack Name'' contains redundant apps: ''Application 1'' and ''Application 2''
| Some applications in Untangle are redundant and should not both be installed in the same rack at the same time. For example, Spam Blocker is a super-set to Spam Blocker Lite. If both are run no additional spam will be blocked, but messages will be scanned twice incurring a performance hit. Remove the redundant application.

|-
| Bridge (''Interface 1'' <-> ''Interface 2'') may be backwards. Gateway (''Gateway IP'') is on ''Interface 2''.
| Often bridges can be plugged in with the WAN interfaces on the LAN and the LAN interface on the WAN. This works and passes traffic, however several applications do not behave as expected. If this is show it has detected that the gateway for the main bridge interface is not on the expected interface. It is recommended to go into [[Config]] > [[Network]] > [[Interfaces]] and unplug each interface one at a time and verify and correct the mapping of interfaces by swapping cables around.

|-
| ''Interface 1'' interface NIC has a high number of ''RX/TX'' errors.
| This indicates that ''ifconfig'' shows a high number of RX or TX errors on the given interface card. This is typically a network layer or NIC issue. If possible, try another NIC or different duplex setting in /admin/index.do#config/network/advanced/network_cards.

|-
| Spam Blocker [Lite] is installed but an unsupported DNS server is used
| Spam Blocker and Spam Blocker Lite rely on DNSBL (DNS blacklists) to categorize spam. Several publicly available and often used DNS servers do not supply access to these services. For example, google(8.8.8.8, 8.8.4.4), opendns(208.67.222.222, 208.67.222.220), level3(4.2.2.1,4.2.2.2) do not provide resolution for DNSBL queries. It is recommended to configure Untangle to use your ISP's DNS servers for effective spam filtering. If spam filtering is not required simply uninstall the spam filtering application from the rack.

|-
| Spam Blocker [Lite] is installed but a DNS server (X, Y) fails to resolve DNSBL queries.
| This means one of the configured DNS servers does not properly resolve DNSBL queries. This will greatly degrade Spam Blocker and Spam Blocker Lite's ability to detect spam. Try configuring a different DNS server. To test this manually run ''host 2.0.0.127.zen.spamhaus.org your_DNS_server'' in the terminal where "your_DNS_server" is the IP of your DNS server. If it does not return results then DNSBL queries are not being properly resolved by that server.

|-
| Web Filter is installed but a DNS server (X, Y) fails to resolve categorization queries.
| This means one of the configured DNS servers does not properly resolve Web Filter category queries. Web Filter uses DNS to query for the categorization of unknown sites. If the configured DNS servers do not properly respond to categorization queries then Web Filter will not function correctly and may slow web traffic significantly.

|-
| A DNS server responds slowly. (X,Y,Z) This may negatively effect Web Filter performance.
| This means the specified DNS server (Y) on interface (X) responded slowly (in Z milliseconds) to a Web Filter categorization request. Web Filter will automatically request categorization of unknown and never before seen URLs. If DNS is performing poorly Web Filter categorization will also be slow and may negatively effect web traffic latency as Web Filter categorizes websites.

|-
| Event processing is slow (x ms).
| Event logging is slow. This is shown when event logging takes more than 15ms on average. This can be caused by a slow disk or an extremely busy server. If you see this message, you can try a couple things. 1) Use a faster disk/disk controller to the daemon is able to more quickly write events. 2) Create less events by turning off apps and/or bypassing traffic that need not be scanned.

|-
| Event processing is delayed (x minute delay).
| The event logging daemon that logs events to the database is behind. This happens when "events" are happening quicker than the events can be written to the database. This can be caused by a slow disk or a busy network. Events will be stored in queued in memory until they can be written to the disk. If the time it takes for an event to happen to be logged to the database reaches a time greater than 10 minutes this warning appears. This is not necessarily an issue, but the administrator should be aware when viewing reports and events that they will be delayed by x minutes. You can try a few things to resolve this alert: 1) Use a faster disk/disk controller to the daemon is able to more quickly write events. 2) Create less events by turning off apps and/or bypassing traffic that need not be scanned.

|-
| Packet processing recently overloaded
| This warning means that at "''nf_queue: full at * entries, dropping packets(s)''" was found in "''/var/log/kern.log.''" This means packets were incoming faster than the server was able to handle them. This usually indicates some misconfiguration or performance issue, or that some traffic needs to be [[Installation#Bypass_Rules|bypassed]]. This can also indicate that the server is undersized for the current task and is short on memory (swapping) or disk I/O throughput or processing power. For further help with this alert, contact Untangle support.

|-
| The shield is disabled. This can cause performance and stability problems.
| The shield is disabled in [[Config]] > [[System]] > [[Shield]]. While sometimes useful for testing, this configuration will cause performance and stability problems. To fix verify that ''Enable Shield'' is checked.

|-
| Route to unreachable address: 1.2.3.4
| A static route exists in [[Config]] > [[Network]] > [[Routes]], but the next hop is unreachable. All traffic for this route will be dropped.

|-
| Running 64-bit with less than 2 gigabytes RAM is not suggested.
| Untangle 64-bit is installed but the system recognizes less than 2 gigs total memory. It is suggested to run the 32-bit version if you have less than 2 gigs RAM. The 32-bit version is more memory efficient for smaller servers but only supports up to 3 gigabytes of RAM. The 64-bit version is less memory efficient on smaller servers but supports hundreds of gigabytes of RAM.

|-
| Currently the number of devices significantly exceeds the number of licensed devices. (x > y)
| The number of devices for which NGFW has recently processed traffic (x) is greater than the number of allowed devices (y) for the license existing on the NGFW server. In order to return to compliance it may be necessary to bypass devices or get a larger license. Please contact support@untangle.com for help.

|}

Administration Notifications

2018-02-01T21:14:07Z

Cknickerbocker: /* Overview */

Administration_Notifications
Administration_Notifications

= Overview =

[[Image:admin_alerts.png|right]]

Administration Notifications appear as an exclamation point icon at the top of the rack when logged into the Administration interface. When logging in, the server will runs a series of tests which can take a few minutes and then it will display the administration alert icon if there are any alerts.

Notifications are typically displayed to alert the administrator of common mis-configurations or issues.

= Notifications =

{| width=100% border="1" cellpadding="2"
|-
!width="50%"|Text
!width="50%"|Description

|-
| Upgrades are available and ready to be installed.''
| The server detected software upgrades that have not been applied. Upgrades can be applied in [[Config]] > [[Upgrade]].

|-
| DNS connectivity failed: ''DNS Server IP''
| The specified server's DNS settings is not providing DNS resolution. Check DNS settings of your WAN interfaces in [[Config]] > [[Network]] > [[Interfaces]]. It is recommended to use your ISP's DNS servers.

|-
| Failed to connect to Untangle. ''[address:port]''
| Untangle failed to successfully connect to the Untangle servers. Check your network setting to make sure they are valid and that Untangle is online. Also check there is no firewall between Untangle and the internet that could be blocking connectivity. Untangle requires an active connection to the internet for proper operation.

|-
| Free disk space is low. ''[ xx% free ]''
| Free disk space is running low. Contact Untangle support for help determining what is using disk space and what to do about it.

|-
| Disk errors reported.
''Error text''
| The disk (hard drive) returned some errors for certain commands. This usually means the disk has bad sectors which are non-responsive. In this case the disk (hard drive) should be immediately replaced.

|-
| ''Rack Name'' contains two or more ''Application 1''
| The given rack contains two or more instances of the same application. While possible this is never desired as it decreases performance and increases management complexity. Remove one of the duplicate applications.

|-
| ''Rack Name'' contains redundant apps: ''Application 1'' and ''Application 2''
| Some applications in Untangle are redundant and should not both be installed in the same rack at the same time. For example, Spam Blocker is a super-set to Spam Blocker Lite. If both are run no additional spam will be blocked, but messages will be scanned twice incurring a performance hit. Remove the redundant application.

|-
| Bridge (''Interface 1'' <-> ''Interface 2'') may be backwards. Gateway (''Gateway IP'') is on ''Interface 2''.
| Often bridges can be plugged in with the WAN interfaces on the LAN and the LAN interface on the WAN. This works and passes traffic, however several applications do not behave as expected. If this is show it has detected that the gateway for the main bridge interface is not on the expected interface. It is recommended to go into [[Config]] > [[Network]] > [[Interfaces]] and unplug each interface one at a time and verify and correct the mapping of interfaces by swapping cables around.

|-
| ''Interface 1'' interface NIC has a high number of ''RX/TX'' errors.
| This indicates that ''ifconfig'' shows a high number of RX or TX errors on the given interface card. This is typically a network layer or NIC issue. If possible, try another NIC or different duplex setting in /admin/index.do#config/network/advanced/network_cards.

|-
| Spam Blocker [Lite] is installed but an unsupported DNS server is used
| Spam Blocker and Spam Blocker Lite rely on DNSBL (DNS blacklists) to categorize spam. Several publicly available and often used DNS servers do not supply access to these services. For example, google(8.8.8.8, 8.8.4.4), opendns(208.67.222.222, 208.67.222.220), level3(4.2.2.1,4.2.2.2) do not provide resolution for DNSBL queries. It is recommended to configure Untangle to use your ISP's DNS servers for effective spam filtering. If spam filtering is not required simply uninstall the spam filtering application from the rack.

|-
| Spam Blocker [Lite] is installed but a DNS server (X, Y) fails to resolve DNSBL queries.
| This means one of the configured DNS servers does not properly resolve DNSBL queries. This will greatly degrade Spam Blocker and Spam Blocker Lite's ability to detect spam. Try configuring a different DNS server. To test this manually run ''host 2.0.0.127.zen.spamhaus.org your_DNS_server'' in the terminal where "your_DNS_server" is the IP of your DNS server. If it does not return results then DNSBL queries are not being properly resolved by that server.

|-
| Web Filter is installed but a DNS server (X, Y) fails to resolve categorization queries.
| This means one of the configured DNS servers does not properly resolve Web Filter category queries. Web Filter uses DNS to query for the categorization of unknown sites. If the configured DNS servers do not properly respond to categorization queries then Web Filter will not function correctly and may slow web traffic significantly.

|-
| A DNS server responds slowly. (X,Y,Z) This may negatively effect Web Filter performance.
| This means the specified DNS server (Y) on interface (X) responded slowly (in Z milliseconds) to a Web Filter categorization request. Web Filter will automatically request categorization of unknown and never before seen URLs. If DNS is performing poorly Web Filter categorization will also be slow and may negatively effect web traffic latency as Web Filter categorizes websites.

|-
| Event processing is slow (x ms).
| Event logging is slow. This is shown when event logging takes more than 15ms on average. This can be caused by a slow disk or an extremely busy server. If you see this message, you can try a couple things. 1) Use a faster disk/disk controller to the daemon is able to more quickly write events. 2) Create less events by turning off apps and/or bypassing traffic that need not be scanned.

|-
| Event processing is delayed (x minute delay).
| The event logging daemon that logs events to the database is behind. This happens when "events" are happening quicker than the events can be written to the database. This can be caused by a slow disk or a busy network. Events will be stored in queued in memory until they can be written to the disk. If the time it takes for an event to happen to be logged to the database reaches a time greater than 10 minutes this warning appears. This is not necessarily an issue, but the administrator should be aware when viewing reports and events that they will be delayed by x minutes. You can try a few things to resolve this alert: 1) Use a faster disk/disk controller to the daemon is able to more quickly write events. 2) Create less events by turning off apps and/or bypassing traffic that need not be scanned.

|-
| Packet processing recently overloaded
| This warning means that at "''nf_queue: full at * entries, dropping packets(s)''" was found in "''/var/log/kern.log.''" This means packets were incoming faster than the server was able to handle them. This usually indicates some misconfiguration or performance issue, or that some traffic needs to be [[Installation#Bypass_Rules|bypassed]]. This can also indicate that the server is undersized for the current task and is short on memory (swapping) or disk I/O throughput or processing power. For further help with this alert, contact Untangle support.

|-
| The shield is disabled. This can cause performance and stability problems.
| The shield is disabled in [[Config]] > [[System]] > [[Shield]]. While sometimes useful for testing, this configuration will cause performance and stability problems. To fix verify that ''Enable Shield'' is checked.

|-
| Route to unreachable address: 1.2.3.4
| A static route exists in [[Config]] > [[Network]] > [[Routes]], but the next hop is unreachable. All traffic for this route will be dropped.

|-
| Running 64-bit with less than 2 gigabytes RAM is not suggested.
| Untangle 64-bit is installed but the system recognizes less than 2 gigs total memory. It is suggested to run the 32-bit version if you have less than 2 gigs RAM. The 32-bit version is more memory efficient for smaller servers but only supports up to 3 gigabytes of RAM. The 64-bit version is less memory efficient on smaller servers but supports hundreds of gigabytes of RAM.

|-
| Currently the number of devices significantly exceeds the number of licensed devices. (x > y)
| The number of devices for which NGFW has recently processed traffic (x) is greater than the number of allowed devices (y) for the license existing on the NGFW server. In order to return to compliance it may be necessary to bypass devices or get a larger license. Please contact support@untangle.com for help.

|}

Directory Connector

2017-10-18T17:20:11Z

Cknickerbocker: /* Active Directory Server Login Monitor Agent */

[[Category:Applications]]
Directory_Connector
Directory_Connector#Status
Directory_Connector#User_Notification_API
Directory_Connector#Active_Directory
Directory_Connector#RADIUS
Directory_Connector#Google
Directory_Connector#Facebook
Directory_Connector#Reports

{| width='100%'
|-
| align="center" | [[Image:DirectoryConnector_128x128.png]]     '''Directory Connector'''
| align="center" |
{|
|-
| Other Links:
|-
|[http://www.untangle.com/store/directory-connector-conf.html Directory Connector Description Page]
|-
|[http://demo.untangle.com/admin/index.do#service/directory-connector Directory Connector Demo]
|-
|[http://forums.untangle.com/directory-connector/ Directory Connector Forums]
|-
|[[Directory Connector Reports]]
|-
|[[Directory Connector FAQs]]
|}
|}
 

----

== About Directory Connector ==

Directory Connector provides functionality to integrate with Microsoft's [http://en.wikipedia.org/wiki/Active_Directory Active Directory] or servers that support [http://en.wikipedia.org/wiki/RADIUS RADIUS], as well as some tools manager the [[Host Viewer]] username mapping for the hosts on the network.

Directory Connector provides many tools to assist with [[User Management]].

== Settings ==

This section reviews the different settings and configuration options available for Directory Connector.

=== Status ===

This displays the current status and some statistics.

{{ServiceAppScreenshot|directory-connector|status}}

=== User Notification API ===

The "User Notification API" is a webapp running on the NGFW that various external scripts can call to notify Untangle that a specific user is logged into a specific IP. The userapi webapp is used to update and maintain the associated usernames in the [[Host Viewer]] so that [[User Matcher]] in [[Rules]] match correctly. When a username is associated with the ''Username'' in [[Rules#Condition_List|rules conditions]] matches as expected.

This API can be called:

# manually
# via the ''User Notification Login Script''
# via the ''Active Directory Server Login Monitor Agent''
# via any custom script or external program

*'''Enable/Disable''' If enabled the User Notification API is enabled. If disabled, the User Notification is completely disabled.
*'''Secret Key''': If specified, only API calls specifying the correct secret key will be allowed. All other requests are ignored. If not specified, it is not required to use the API however the clientIP argument is ignored to avoid API abuse.

The webapp lives at ''http://SERVERIP/userapi/registration'' on the server and can be called with the following arguments:

{| border="1" cellpadding="2"
|+
! Argument !! Example !! Description
|-
| clientIp
| 192.168.1.100
| The client IP address of the host in question
|-
| username
| foobar
| The username to associate with the client IP.
|-
| hostname
| machinename
| The hostname to associate with the client IP.
|-
| action
| ''login'' or ''logout''
| The action, ''login'' is assumed if no action is specified. ''login'' with associate the username and hostname of the specified client IP. ''logout'' will unset the client IP's associated username.
|-
| secretKey
| foobarsecret
| If this argument does not match the specified secretKey the call will be ignored.
|}

For example, If the NGFW internal IP is 192.168.1.1 without a secretKey, to associate user "foobar" on machine "foobarpc" to 192.168.1.100 you would call visit this URL:

''http://192.168.1.1/userapi/registration?action=login&clientIP=192.168.1.100&username=foobar&hostname=foobarpc''

To unset that username mapping when the client logs out simply visit this URL:

''http://192.168.1.1/userapi/registration?action=logout&clientIP=192.168.1.100''

Obviously visiting these URLs manually each time a user logs in or out of a machine is not realistic.
Typically this process is automated in one of two ways described below or using a custom script.

{{ServiceAppScreenshot|directory-connector|user-notification-api}}

==== User Notification Login Script ====

The ''User Notification Login Script'' or ''UNLS'' which is a small script that runs at login on each machine to notify the NGFW when a user logs in. This script can be pushed out to all the machines in a domain via a group policy object. This is useful in cases where you want to set the username in the [[Host Viewer]] without having users manually log into the [[Captive Portal]].

Once installed, the script starts each time a user logs on to the network and immediately notifies Untangle of the username and IP address. Once this process is finished, any activity for that IP address will be automatically mapped to the username. This scripts runs on login and periodically in the background to keep the Directory Connector Username Map updated with any current information on your network users.

To download the User Notification Login Script, click on the '''Download User Notification Login Script''' button and download the script. The script will be configured for your environment but may require further customization. Review the script and make changes as needed.

Now that you have the UNLS on your Domain Controller, you need to decide if you want it run for [[#UNLS for the entire domain | all domain users]] or [[#UNLS for specific users | only for specific users]].

----

===== UNLS for the entire domain =====

To apply UNLS to the your entire domain you'll need to set up a new [http://en.wikipedia.org/wiki/Group_policies Group Policy Object] - please follow the instructions below.

# Click on the ''Download User Notification Login Script'' and save the <tt>user_notification.vbs</tt> file to <tt>\\localhost\\NETLOGON</tt>.
# Log on to the Domain Controller, then launch the Group Policy Management Console ('''Start > Run''': <tt>gpmc.msc</tt>).
# From the Group Policy Management Console, right-click on the domain and select '''Create and Link a GPO here'''.
# Specify a name for the Group Policy.
# Right-click on the group policy that you just created and click Edit.
# Go to '''User Configuration > Windows Settings > Scripts (Logon/Logoff)'''.
# Click on the '''Logon''' icon, then '''Show Files'''. Windows Explorer will launch into the correct directory.
# Copy the <tt>user_notification.vbs</tt> file that you downloaded to this location.
# Click the '''Add''' button, browse for the script, then click '''OK'''.
# In the Logon Properties window, click Add , type a descriptive script name, then click ok.
# In the '''Select User, Computer or Group''' window, select the OU or Group to which you want to apply this GPO.
# From a command prompt, activate the group policy that you just created: <tt>gpupdate /force</tt>.

You can verify it is working by looking in the Event Log for login/logout events.

----

===== UNLS for specific users =====

If you only want to use the UNLS for a few users, you can use these instructions:

# Click on the ''Download User Notification Login Script'' and save the <tt>user_notification.vbs</tt> file to <tt>\\localhost\\NETLOGON</tt>.
# Using a text editor, create a <tt>local.bat</tt> file that has the following lines:
<pre>
@ echo off
\\ADServerIPAddress\netlogon\user_notification.vbs
</pre>
# Save the <tt>local.bat</tt> file to <tt>\\localhost\\NETLOGON</tt>.
# From the domain, go to the '''Users''' folder, right-click the user and go to Properties.
# On the Profile tab, type the filename of the UNLS (probably <tt>user_notification.vbs</tt>) in the Logon script field.
# Launch the Group Policy Management Console, then launch the [http://technet.microsoft.com/en-us/library/cc736591(v=WS.10).aspx Group Policy Object Editor] ('''Start > Run''': <tt>gpedit.msc</tt>).
# Copy the <tt>user_notification.vbs</tt> file that you downloaded in the first step to this location.

----

==== Active Directory Server Login Monitor Agent ====

The other way to call the User Notification API is by running an agent/monitor on the Active Directory Server. The agent monitors the server's login events and updates the Untangle NGFW when a user logs to a computer.
This has several advantages over the UNLS.

'''NOTE''' - To use the Active Directory Login Monitor a Secret Key must be specified.

# It allows you to set a secretKey that only the agent knows, so only the AD server itself can update the username mapping. (users have no way of overriding changing the information)
# It is not necessary to run a login/logout script on all machines. No GPO is necessary.

First download and install the agent on the Active Directory server. and configure it so that it updates the Untangle NGFW server when it sees user login events.

[https://support.untangle.com/hc/en-us/articles/201885626-Active-Directory-Login-Monitor-Installation Installation Guide]

[http://download.untangle.com/UntangleActiveDirectoryMonitorSetup.exe Download]

Configure the ''NGFW Settings'' in Login Monitor so it updates your Untangle NGFW event when login events occur.

[[Image:ADServerLoginMonitor.png|center|frame|The AD Server Login Monitor]]

*'''Secret Key''': The Secret Key if there is a ''Secret Key'' configured on the NGFW [[#User_Notification_API]]. User Notification must be enabled on the NGFW. If no ''Secret Key'' is configured leave it blank.
*'''Prefix''': The protocol to use to communicate with the NGFW Untangle Server.
*'''Port''': The port to use to communicate with the NGFW Untangle Server The default is port 80 for HTTP and 443 for HTTPS.
*'''IP Addresses''': The IP addresses to reach your NGFW Untangle Servers. Generally this should be the LAN addresses of your NGFW Untangle Servers. By default HTTP and HTTPS is closed on the WAN side of NGFW Untangle Server. If the Login Monitor Agent cannot reach the NGFW, an error icon is shown next to the NGFW IP address entry.

[[Image:ADServerLoginMonitorError.png|center|frame|Error reaching NGFW Untangle Server]]

The Exempt IP Addresses tab is a list of IP addresses which Login Monitor should ignore for login events. IP addresses are accepted in the following format:

*Single IP address (192.168.2.2)
*Wildcard IP address (192.168.3.*)
*CIDR (192.168.4.0/24)
*Range (192.168.5.5-192.168.5.102)

[[Image:ADServerLoginMonitorIPAddresses.png|center|frame|Exempt IP Address Tab]]

The Exempt Users tab is a list of AD users which Login show ignore for login events.

----

=== Active Directory ===

The Active Directory Connector allows Untangle to communicate with the Active Directory server. This is useful for two things:

# Allowing users to login to [[Captive Portal]] using their AD login/password. The [[Captive Portal]] will verify the authentication information directly with the AD server.
# Allow Untangle to query the groups so the it knows which groups a user belongs to. If this is configured the [[Rules#Condition_List|User in Group]] matcher in [[Rules]] will correctly match.

Before configuring the ''Active Directory Connector'' here are a few important steps:

#Ensure that your Active Directory users are in one domain. Users can be in multiple Active Directory Organizational Units (OUs), but must be under one domain - multiple domains are not supported at this time.
#Check to see if you have the [http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21895 Group Policy Management Console] installed; if not, install it.
#If you're running Active Directory on Windows Server 2008, please see this [[#Is this supported with all versions of Active Directory? | FAQ]] entry on disabling the Signed LDAP requirement if you have installed with the strictest security settings.

The Active Directory Connector tab contains settings for connecting and communicating with a Domain Controller. Other applications such as [[Captive_Portal| Captive Portal]] can use Directory Connector to authenticate and identify users against an existing Domain Controller.

*'''AD Server IP or Hostname''': The IP or hostname of the AD server - we recommend using the IP to prevent DNS issues.
*'''Secure''': Enable SSL for the connection to the AD server.
*'''Port''': The port to use when connecting to the AD server. The default is 389.
*'''Authentication Login''': Enter an Active Directory Administrator login.
*'''Authentication Password''': Enter an Active Directory Administrator password.
*'''Active Directory Domain''': Your domain, (e.g. mycompany.local).
*'''Active Directory Organization''': The Active Directory organization unit (OU) that contains the users. If you want the Untangle Server to find all users, leave this blank.
:If for some reason you want to limit the users to a specific part of the domain tree, specify the OU path in the format of <tt>OU=ouName</tt>. Only one OU can be entered.

You can use the test tools to verify your settings and view an ''incomplete'' user list. After Active Directory is configured, you can configure Captive Portal to use it for authenticating users if you wish.

{{ServiceAppScreenshot|directory-connector|active-directory}}

=== RADIUS ===

The RADIUS Connector allows Untangle to communicate with a RADIUS server. This is useful for:

# Allowing users to login to [[Captive Portal]] using their RADIUS login/password. The [[Captive Portal]] will verify the authentication information directly with the AD server.

The RADIUS tab contains settings to configure communication with the RADIUS server.

*'''RADIUS Server IP or Hostname''': The IP or hostname of the RADIUS server - we recommend using the IP to prevent DNS issues.
*'''Port''': The port to use when connecting to the RADIUS server. The default is 1812.
*'''Shared Secret''': This must match the shared secret set on the RADIUS server.
*'''Authentication Method''': This must match the authentication method used by the RADIUS server.

You can use the test tool to verify your settings. After RADIUS is configured, you can configure Captive Portal to use it for authenticating users if you wish.

{{ServiceAppScreenshot|directory-connector|radius}}

=== Google ===

The Google Connector allows Untangle to communicate and link with your Google account, specifically to upload data to your Google Drive.

To enable Untangle to connect to Google Drive, click the ''Configure Google Drive'' button. It will open a window to google where you have to grant Untangle permission to connect to your google drive account.

If you click ''Allow'' Untangle will be able to access the Google Drive API for your account.

Allow Untangle to connect to Google Drive enables [[Reports]] to upload reporting CSVs and reporting data to Google Drive, and enables [[Configuration Backup]] to backup to Google Drive. To configure that functionality edit the settings of the respective app.

The Google Connector also allows Untangle to authenticate against google accounts.
This is experimental and is not suggested for deployments.

{{ServiceAppScreenshot|directory-connector|google}}

=== Facebook ===

The Facebook Connector allows Untangle to authenticate against facebook.
This is experimental and is not suggested for deployments.

{{ServiceAppScreenshot|directory-connector|facebook}}

== Reports ==

{{:Directory Connector Reports}}

== Related Topics ==

[[Policy Manager]]

[[Captive Portal]]

[http://en.wikipedia.org/wiki/Active_Directory Active Directory]

== Directory Connector FAQs ==

{{:Directory Connector FAQs}}

Directory Connector

2017-10-18T17:19:48Z

Cknickerbocker: /* Active Directory Server Login Monitor Agent */

Directory Connector

2017-10-18T17:19:38Z

Cknickerbocker: /* Active Directory Server Login Monitor Agent */

[[Category:Applications]]
Directory_Connector
Directory_Connector#Status
Directory_Connector#User_Notification_API
Directory_Connector#Active_Directory
Directory_Connector#RADIUS
Directory_Connector#Google
Directory_Connector#Facebook
Directory_Connector#Reports

{| width='100%'
|-
| align="center" | [[Image:DirectoryConnector_128x128.png]]     '''Directory Connector'''
| align="center" |
{|
|-
| Other Links:
|-
|[http://www.untangle.com/store/directory-connector-conf.html Directory Connector Description Page]
|-
|[http://demo.untangle.com/admin/index.do#service/directory-connector Directory Connector Demo]
|-
|[http://forums.untangle.com/directory-connector/ Directory Connector Forums]
|-
|[[Directory Connector Reports]]
|-
|[[Directory Connector FAQs]]
|}
|}
 

----

== About Directory Connector ==

Directory Connector provides functionality to integrate with Microsoft's [http://en.wikipedia.org/wiki/Active_Directory Active Directory] or servers that support [http://en.wikipedia.org/wiki/RADIUS RADIUS], as well as some tools manager the [[Host Viewer]] username mapping for the hosts on the network.

Directory Connector provides many tools to assist with [[User Management]].

== Settings ==

This section reviews the different settings and configuration options available for Directory Connector.

=== Status ===

This displays the current status and some statistics.

{{ServiceAppScreenshot|directory-connector|status}}

=== User Notification API ===

The "User Notification API" is a webapp running on the NGFW that various external scripts can call to notify Untangle that a specific user is logged into a specific IP. The userapi webapp is used to update and maintain the associated usernames in the [[Host Viewer]] so that [[User Matcher]] in [[Rules]] match correctly. When a username is associated with the ''Username'' in [[Rules#Condition_List|rules conditions]] matches as expected.

This API can be called:

# manually
# via the ''User Notification Login Script''
# via the ''Active Directory Server Login Monitor Agent''
# via any custom script or external program

*'''Enable/Disable''' If enabled the User Notification API is enabled. If disabled, the User Notification is completely disabled.
*'''Secret Key''': If specified, only API calls specifying the correct secret key will be allowed. All other requests are ignored. If not specified, it is not required to use the API however the clientIP argument is ignored to avoid API abuse.

The webapp lives at ''http://SERVERIP/userapi/registration'' on the server and can be called with the following arguments:

{| border="1" cellpadding="2"
|+
! Argument !! Example !! Description
|-
| clientIp
| 192.168.1.100
| The client IP address of the host in question
|-
| username
| foobar
| The username to associate with the client IP.
|-
| hostname
| machinename
| The hostname to associate with the client IP.
|-
| action
| ''login'' or ''logout''
| The action, ''login'' is assumed if no action is specified. ''login'' with associate the username and hostname of the specified client IP. ''logout'' will unset the client IP's associated username.
|-
| secretKey
| foobarsecret
| If this argument does not match the specified secretKey the call will be ignored.
|}

For example, If the NGFW internal IP is 192.168.1.1 without a secretKey, to associate user "foobar" on machine "foobarpc" to 192.168.1.100 you would call visit this URL:

''http://192.168.1.1/userapi/registration?action=login&clientIP=192.168.1.100&username=foobar&hostname=foobarpc''

To unset that username mapping when the client logs out simply visit this URL:

''http://192.168.1.1/userapi/registration?action=logout&clientIP=192.168.1.100''

Obviously visiting these URLs manually each time a user logs in or out of a machine is not realistic.
Typically this process is automated in one of two ways described below or using a custom script.

{{ServiceAppScreenshot|directory-connector|user-notification-api}}

==== User Notification Login Script ====

The ''User Notification Login Script'' or ''UNLS'' which is a small script that runs at login on each machine to notify the NGFW when a user logs in. This script can be pushed out to all the machines in a domain via a group policy object. This is useful in cases where you want to set the username in the [[Host Viewer]] without having users manually log into the [[Captive Portal]].

Once installed, the script starts each time a user logs on to the network and immediately notifies Untangle of the username and IP address. Once this process is finished, any activity for that IP address will be automatically mapped to the username. This scripts runs on login and periodically in the background to keep the Directory Connector Username Map updated with any current information on your network users.

To download the User Notification Login Script, click on the '''Download User Notification Login Script''' button and download the script. The script will be configured for your environment but may require further customization. Review the script and make changes as needed.

Now that you have the UNLS on your Domain Controller, you need to decide if you want it run for [[#UNLS for the entire domain | all domain users]] or [[#UNLS for specific users | only for specific users]].

----

===== UNLS for the entire domain =====

To apply UNLS to the your entire domain you'll need to set up a new [http://en.wikipedia.org/wiki/Group_policies Group Policy Object] - please follow the instructions below.

# Click on the ''Download User Notification Login Script'' and save the <tt>user_notification.vbs</tt> file to <tt>\\localhost\\NETLOGON</tt>.
# Log on to the Domain Controller, then launch the Group Policy Management Console ('''Start > Run''': <tt>gpmc.msc</tt>).
# From the Group Policy Management Console, right-click on the domain and select '''Create and Link a GPO here'''.
# Specify a name for the Group Policy.
# Right-click on the group policy that you just created and click Edit.
# Go to '''User Configuration > Windows Settings > Scripts (Logon/Logoff)'''.
# Click on the '''Logon''' icon, then '''Show Files'''. Windows Explorer will launch into the correct directory.
# Copy the <tt>user_notification.vbs</tt> file that you downloaded to this location.
# Click the '''Add''' button, browse for the script, then click '''OK'''.
# In the Logon Properties window, click Add , type a descriptive script name, then click ok.
# In the '''Select User, Computer or Group''' window, select the OU or Group to which you want to apply this GPO.
# From a command prompt, activate the group policy that you just created: <tt>gpupdate /force</tt>.

You can verify it is working by looking in the Event Log for login/logout events.

----

===== UNLS for specific users =====

If you only want to use the UNLS for a few users, you can use these instructions:

# Click on the ''Download User Notification Login Script'' and save the <tt>user_notification.vbs</tt> file to <tt>\\localhost\\NETLOGON</tt>.
# Using a text editor, create a <tt>local.bat</tt> file that has the following lines:
<pre>
@ echo off
\\ADServerIPAddress\netlogon\user_notification.vbs
</pre>
# Save the <tt>local.bat</tt> file to <tt>\\localhost\\NETLOGON</tt>.
# From the domain, go to the '''Users''' folder, right-click the user and go to Properties.
# On the Profile tab, type the filename of the UNLS (probably <tt>user_notification.vbs</tt>) in the Logon script field.
# Launch the Group Policy Management Console, then launch the [http://technet.microsoft.com/en-us/library/cc736591(v=WS.10).aspx Group Policy Object Editor] ('''Start > Run''': <tt>gpedit.msc</tt>).
# Copy the <tt>user_notification.vbs</tt> file that you downloaded in the first step to this location.

----

==== Active Directory Server Login Monitor Agent ====

The other way to call the User Notification API is by running an agent/monitor on the Active Directory Server. The agent monitors the server's login events and updates the Untangle NGFW when a user logs to a computer.
This has several advantages over the UNLS.

NOTE - To use the Active Directory Login Monitor a Secret Key must be specified.

# It allows you to set a secretKey that only the agent knows, so only the AD server itself can update the username mapping. (users have no way of overriding changing the information)
# It is not necessary to run a login/logout script on all machines. No GPO is necessary.

First download and install the agent on the Active Directory server. and configure it so that it updates the Untangle NGFW server when it sees user login events.

[https://support.untangle.com/hc/en-us/articles/201885626-Active-Directory-Login-Monitor-Installation Installation Guide]

[http://download.untangle.com/UntangleActiveDirectoryMonitorSetup.exe Download]

Configure the ''NGFW Settings'' in Login Monitor so it updates your Untangle NGFW event when login events occur.

[[Image:ADServerLoginMonitor.png|center|frame|The AD Server Login Monitor]]

*'''Secret Key''': The Secret Key if there is a ''Secret Key'' configured on the NGFW [[#User_Notification_API]]. User Notification must be enabled on the NGFW. If no ''Secret Key'' is configured leave it blank.
*'''Prefix''': The protocol to use to communicate with the NGFW Untangle Server.
*'''Port''': The port to use to communicate with the NGFW Untangle Server The default is port 80 for HTTP and 443 for HTTPS.
*'''IP Addresses''': The IP addresses to reach your NGFW Untangle Servers. Generally this should be the LAN addresses of your NGFW Untangle Servers. By default HTTP and HTTPS is closed on the WAN side of NGFW Untangle Server. If the Login Monitor Agent cannot reach the NGFW, an error icon is shown next to the NGFW IP address entry.

[[Image:ADServerLoginMonitorError.png|center|frame|Error reaching NGFW Untangle Server]]

The Exempt IP Addresses tab is a list of IP addresses which Login Monitor should ignore for login events. IP addresses are accepted in the following format:

*Single IP address (192.168.2.2)
*Wildcard IP address (192.168.3.*)
*CIDR (192.168.4.0/24)
*Range (192.168.5.5-192.168.5.102)

[[Image:ADServerLoginMonitorIPAddresses.png|center|frame|Exempt IP Address Tab]]

The Exempt Users tab is a list of AD users which Login show ignore for login events.

----

=== Active Directory ===

The Active Directory Connector allows Untangle to communicate with the Active Directory server. This is useful for two things:

# Allowing users to login to [[Captive Portal]] using their AD login/password. The [[Captive Portal]] will verify the authentication information directly with the AD server.
# Allow Untangle to query the groups so the it knows which groups a user belongs to. If this is configured the [[Rules#Condition_List|User in Group]] matcher in [[Rules]] will correctly match.

Before configuring the ''Active Directory Connector'' here are a few important steps:

#Ensure that your Active Directory users are in one domain. Users can be in multiple Active Directory Organizational Units (OUs), but must be under one domain - multiple domains are not supported at this time.
#Check to see if you have the [http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21895 Group Policy Management Console] installed; if not, install it.
#If you're running Active Directory on Windows Server 2008, please see this [[#Is this supported with all versions of Active Directory? | FAQ]] entry on disabling the Signed LDAP requirement if you have installed with the strictest security settings.

The Active Directory Connector tab contains settings for connecting and communicating with a Domain Controller. Other applications such as [[Captive_Portal| Captive Portal]] can use Directory Connector to authenticate and identify users against an existing Domain Controller.

*'''AD Server IP or Hostname''': The IP or hostname of the AD server - we recommend using the IP to prevent DNS issues.
*'''Secure''': Enable SSL for the connection to the AD server.
*'''Port''': The port to use when connecting to the AD server. The default is 389.
*'''Authentication Login''': Enter an Active Directory Administrator login.
*'''Authentication Password''': Enter an Active Directory Administrator password.
*'''Active Directory Domain''': Your domain, (e.g. mycompany.local).
*'''Active Directory Organization''': The Active Directory organization unit (OU) that contains the users. If you want the Untangle Server to find all users, leave this blank.
:If for some reason you want to limit the users to a specific part of the domain tree, specify the OU path in the format of <tt>OU=ouName</tt>. Only one OU can be entered.

You can use the test tools to verify your settings and view an ''incomplete'' user list. After Active Directory is configured, you can configure Captive Portal to use it for authenticating users if you wish.

{{ServiceAppScreenshot|directory-connector|active-directory}}

=== RADIUS ===

The RADIUS Connector allows Untangle to communicate with a RADIUS server. This is useful for:

# Allowing users to login to [[Captive Portal]] using their RADIUS login/password. The [[Captive Portal]] will verify the authentication information directly with the AD server.

The RADIUS tab contains settings to configure communication with the RADIUS server.

*'''RADIUS Server IP or Hostname''': The IP or hostname of the RADIUS server - we recommend using the IP to prevent DNS issues.
*'''Port''': The port to use when connecting to the RADIUS server. The default is 1812.
*'''Shared Secret''': This must match the shared secret set on the RADIUS server.
*'''Authentication Method''': This must match the authentication method used by the RADIUS server.

You can use the test tool to verify your settings. After RADIUS is configured, you can configure Captive Portal to use it for authenticating users if you wish.

{{ServiceAppScreenshot|directory-connector|radius}}

=== Google ===

The Google Connector allows Untangle to communicate and link with your Google account, specifically to upload data to your Google Drive.

To enable Untangle to connect to Google Drive, click the ''Configure Google Drive'' button. It will open a window to google where you have to grant Untangle permission to connect to your google drive account.

If you click ''Allow'' Untangle will be able to access the Google Drive API for your account.

Allow Untangle to connect to Google Drive enables [[Reports]] to upload reporting CSVs and reporting data to Google Drive, and enables [[Configuration Backup]] to backup to Google Drive. To configure that functionality edit the settings of the respective app.

The Google Connector also allows Untangle to authenticate against google accounts.
This is experimental and is not suggested for deployments.

{{ServiceAppScreenshot|directory-connector|google}}

=== Facebook ===

The Facebook Connector allows Untangle to authenticate against facebook.
This is experimental and is not suggested for deployments.

{{ServiceAppScreenshot|directory-connector|facebook}}

== Reports ==

{{:Directory Connector Reports}}

== Related Topics ==

[[Policy Manager]]

[[Captive Portal]]

[http://en.wikipedia.org/wiki/Active_Directory Active Directory]

== Directory Connector FAQs ==

{{:Directory Connector FAQs}}

Script - Clear Hosts and Devices

2017-10-05T15:29:44Z