Dec 14, 2011

Recently I had the task of setting up a Site-to-Site IPsec tunnel between my office and one of my employees’ home office. At my main business HQ we have an Astaro Security Gateway running inside of a vSphere 4 cluster. However, I had to find the cheapest way to get the employee hooked up.

The main tasks of the VPN endpoint at the employee’s site were:

1) Filter web and POP3 traffic, and provide security for the devices behind the ASG at the home office (1-3 computers, and other random devices)

2) Provide a Site-to-Site VPN connection to allow the user access to internal resources, along with access to our VoIP PBX (VoIP phone at employee site)

3) Provide access to other resources such as Exchange, CRM, etc… and reverse management of devices at the home office from HQ

First I needed to find an affordable computer to install the Astaro Security Gateway V8 software appliance on. My company is an HP Partner, and we love their products, so I decided to purchase a new computer that would be powerful enough to host the ASG software, and also be protected under HP’s business warranty. I wanted the system to have enough performance that in the future, if the home office was decommissioned, we would still be able to use it as an ASG device for something else (let’s say a real remote office).

After taking a look at our distributor to find out what was immediately available (as this was a priority), we decided to pick up an HP Compaq 4000 Pro Small Form Factor PC. Below are the specs:

HP Compaq 4000 Pro Small Form Factor PC

Part Number: LA072UT (Or LA072UT#ABA for the English version in Canada)

System features
Processor: Intel® Core™2 Duo Processor E7500 (2.93 GHz, 3 MB L2 cache, 1066 MHz FSB)
Operating system installed: Genuine Windows® 7 Professional 32-bit
Chipset: Intel® B43 Express
Form factor: Small Form Factor
PC Management: Available for free download from www.hp.com/go/easydeploy: HP Client Automation Starter; HP SoftPaq Download Manager; HP Client Catalog for Microsoft SMS; HP Systems Software Manager
Memory
Standard memory: 2 GB 1333 MHz DDR3 SDRAM
Memory slots: 2 DIMM
Storage
Internal drive bays: One 3.5″
External drive bays: One 3.5″; One 5.25″
Internal drive: 500 GB 7200 rpm SATA 3.0 Gb/s NCQ, Smart IV
Optical drive: SATA SuperMulti LightScribe DVD writer
Graphics
Graphics card: Integrated Intel Graphics Media Accelerator 4500
Expansion features
I/O ports: 8 USB 2.0; 1 serial (optional 2nd); 1 parallel (optional); 1 PS/2 keyboard; 1 PS/2 mouse; 1 VGA; 1 DVI-D; 1 microphone/headphone jack; 1 audio in; 1 audio line out; 1 RJ-45
Slots: 2 low-profile PCI; 1 low-profile PCIe x16; 1 low-profile PCIe x1
Media devices
Audio: Integrated High Definition audio with Realtek 2 channel ALC261 codec
Communication features
Network interface: 10/100/1000
Power and operating requirements
Power requirements: 240W power supply – active PFC
Operating temperature range: 10 to 35°C
Dimensions and weight
Product weight: Starting at 7.6 kg
Dimensions (W x D x H): 33.8 x 37.85 x 10 cm
Security management
Security management: Stringent Security (via BIOS); SATA Port Disablement (via BIOS); Drive Lock; Serial, Parallel, USB enable/disable (via BIOS); Optional USB Port Disable at factory (user configurable via BIOS); Removable Media Write/Boot Control; Power-On Password (via BIOS); Setup Password (via BIOS); HP Chassis Security Kit; Support for chassis padlocks and cable lock devices
What’s included
Software included: Microsoft Windows Virtual PC; HP Power Assistant
Warranty features: Protected by HP Services, including a 3 years parts, 3 years labour, and 3 years onsite service (3/3/3) standard warranty. Terms and conditions vary by country. Certain restrictions and exclusions apply.

This system was spec’d very nicely for the requirements we had. Another huge bonus is that it was covered under a factory 3 year warranty from HP, which means that if anything failed, we would have next business day replacement (I love this, and so do my clients, who all purchase HP). The one downside is that the system shipped with a Windows 7 license which we wouldn’t be using, but for the price of the system, it didn’t really matter.

The system only came standard with one Gigabit NIC (network card); however, we needed two since this device is acting as a firewall/router. It’s a Small Form Factor system, so we had to find a second network adapter which was compatible with the computer’s case form factor. The card which we purchased was:

HP – Intel Gigabit CT Desktop NIC

Part Number: FH969AA

Although the computer above is not in the compatibility list for the network card, the network card still worked perfectly. Once received, we simply replaced the case bracket on the card with the one that shipped with it for small form factor computers.

We then burned the .ISO image of the ASG V8 software appliance, and proceeded to install it on the system. It installed (along with the 64-bit kernel) perfectly on the computer. After the install was completed, we configured it to connect to our main central Astaro Command Center and shipped the device out to the employee’s home office.

Once installed, we logged on to the Astaro Command Center user interface, and created a Site-to-Site IPsec connection using the wizard. Within 2-5 seconds the connection was established and everything was working 100%.

After using this for a few days, I checked to make sure the computer was powerful enough to be providing the services required, and it was without any problems.

Just wanted to share my experience in case anyone else is doing something similar to what I did above. If you were to reproduce this, all the hardware should be under $700.00 CAD.

Nov 28, 2011

Just thought I’d do up a quick little post about an issue I’ve been having for some time, and just got it all fixed.

I’ve been running Astaro Security Gateway inside of a VMware environment for a few years. When version 8.x came out, I went ahead and simply attached the ISO to the VM and re-installed over the old v7 and restored the config. This worked great, and for the longest time I had no real issues.

I noticed from time to time that with packet sniffs, there were quite a few retransmissions and TCP segments lost. This didn’t really pose any issues, and didn’t cause any problems, however it was odd.

Recently, I had to configure a Site-to-Site IPsec VPN between my office and one of my employees to provide Exchange, VoIP, etc… With Astaro this is fairly easy, a few clicks and it should just work, however I started noticing huge issues with file transfers, whether being transferred over SMB (Windows File Sharing) or SCP/SSH. Transfers would either completely halt when started, transfer a couple hundred kilobytes, or transfer half of the file until it would simply halt and become unresponsive.

After 3-4 days of troubleshooting, I went ahead and did a packet sniff and noticed there were numerous TCP segments lost, fragmentation, etc… Initially I believed that MTU configuration may have had something to do with it, however TCP/IP and the Astaro device should have taken care of properly setting the MTU on the IPsec tunnel automatically.

After trying fresh installs of ASG, etc… with no behaviour change, I finally decided to take a few days away and give it a shot later. I’d troubleshot this from every avenue and for some reason the issue still existed. I finally figured that the only thing I hadn’t checked was my VMware vSphere environment. I checked the settings, and all was good, however I did notice that the NICs for the ASG VM (which were created by the v7 appliance) were set as Flexible, and inside of the VM were detected as some type of AMD network adapter. I found this odd.

After shutting down the ASG VM, removing the NICs and configuring new ones using the E1000 type, all of a sudden the issue was fixed, the IPsec Site-to-Site VPN functioned properly, and all the network issues seen in network captures were resolved.

I hope this helps some other people who may be frustrated dealing with the same issue.

Aug 19, 2011

Recently I upgraded a bunch of ASGs to version 8.2. While most of the upgrades went smoothly, I did have an issue with a specific box at one of my client’s offices.

We had some reports that incoming e-mails were being rejected. After checking the Mail Manager, these e-mails were being rejected due to numerous RDNS failures. While most of the incoming message sources actually didn’t have a properly configured RDNS, I finally noticed in one case that a specific sender actually did have properly configured Reverse DNS…

Googling this specific issue came up with nothing, however I noticed in the DNS proxy on the ASG box, that since the upgrade numerous errors were going through on a daily basis:

mail named: Last message ‘unexpected RCODE (RE’ repeated 2 times, supressed by syslog-ng on host.name

mail named[5466]: lame server resolving ‘X’

These errors were filling the log. I went ahead and logged into WebAdmin and removed the DNS forwarders, hit apply, flushed DNS cache, then re-inserted the DNS forwarders. This resolved the issue.
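The two log messages above are BIND resolver errors, and each one names the upstream server that gave the bad answer at the end of the line. The following triage script is an added example (not from this post or from Astaro) that summarises those errors per answering server, so a forwarder that has gone bad stands out before mail starts bouncing on RDNS checks. The sample log lines are constructed; they follow BIND 9’s message layout, and the host name, process id and addresses are placeholders.

```shell
#!/bin/sh
# Added triage helper, not from the post: count BIND "lame server" and
# "unexpected RCODE" errors per answering server (the trailing addr#port on
# each line) in an ASG DNS proxy log.
# The sample below is constructed; it mimics BIND 9's message layout.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 19 09:12:01 asg named[5466]: lame server resolving 'mx1.example.net' (in 'example.net'?): 192.0.2.53#53
Aug 19 09:12:03 asg named[5466]: unexpected RCODE (REFUSED) resolving 'mx1.example.net/A/IN': 192.0.2.53#53
Aug 19 09:12:07 asg named[5466]: unexpected RCODE (REFUSED) resolving '20.0.2.198.in-addr.arpa/PTR/IN': 198.51.100.2#53
Aug 19 09:12:09 asg named[5466]: lame server resolving '20.0.2.198.in-addr.arpa' (in '2.0.198.in-addr.arpa'?): 192.0.2.53#53
Aug 19 09:13:00 asg named[5466]: client 192.168.1.5#4312: query: www.example.org IN A + (192.168.1.1)
EOF

# Only the two error classes seen in the post; ordinary query logging is ignored.
resolver_errors() {
    grep -E 'named\[[0-9]+\]: (lame server resolving|unexpected RCODE)' "$1"
}

resolver_error_total() { resolver_errors "$1" | wc -l | tr -d ' '; }

# "<count> <server>" per answering server, busiest first.
resolver_error_by_server() {
    resolver_errors "$1" | awk '{print $NF}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

worst_forwarder() { resolver_error_by_server "$1" | head -n 1 | awk '{print $2}'; }

# Succeeds when the busiest server has produced at least $2 errors: the point
# at which it is worth flushing the cache and re-adding the forwarders.
forwarder_unhealthy() {
    n=$(resolver_error_by_server "$1" | head -n 1 | awk '{print $1}')
    [ "${n:-0}" -ge "$2" ]
}

# Usage on the constructed sample (point it at the real DNS proxy log on a box):
resolver_error_by_server "$SAMPLE_LOG"
```

If the addresses at the top of the summary are your own configured forwarders rather than random authoritative servers, the problem is between the ASG and its forwarders, which is exactly the case the forwarder reset above fixed; if they are the authoritative servers of one sending domain, the remote side’s DNS is at fault and rejecting that mail is the correct behaviour.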

Jul 03, 2010

I’ve had my main web server directly on the net for some time now. The box runs CentOS and I always have it fully up to date, with a minimal install just to act as a web server.

It’s always concerned me a little bit. I keep the box as up to date as possible, but it’s still always in the back of my mind.

This weekend I had some time to mess around with some stuff. I wanted to get it set up behind my Astaro Security Gateway, however I did NOT want it to use the public IP address that the ASG is set up for, as I have numerous static IPs all for different services.

I spent a good 3-4 hours doing lots of searching on Google and Astaro.org. I saw a few people that wanted to do the same thing as me, but didn’t really find an explanation for anything.

Ultimately I wanted to set up another external IP address on the Astaro box, and have that external IP dedicated to JUST the web server. Everything else would continue to run as configured before I started modifying anything.

I finally got it going, and I thought I would do a little write up on this since I saw a lot of people were curious, however no one was having luck with it. So far I’ve just done it for my main web server, however in the future I’ll be doing this with a few more external IPs and servers of mine. So let’s log into the Astaro web interface and get started!

PLEASE NOTE: I performed this configuration on Astaro Security Gateway Version 8, this may not work on earlier versions!

1. Configure the additional IP - Go to “Interfaces & Routing”, then choose “Interfaces”. Select the “Additional Addresses” tab on the top of the screen. Hit the “New additional address…” button and configure the additional IP. Please note this worked for me as all my static IPs use the same gateway for the most part; if you have multiple statics that use different gateways this may not work for you. In my case I called this address “DA-Web”. Make sure you enable this afterwards by hitting the green light!
2. Configure the NAT Rules - On the left select “Network Security”, then choose the sub item “NAT”. We do not want to touch anything under “Masquerading”, so let’s go ahead and select the “DNAT/SNAT” tab. In this section we need to create two rules, one for DNAT and one for SNAT. Keep in mind that “Full NAT” is available, but due to the setup of the traffic initiation I don’t think we want to touch this at all.
   a. Create the DNAT Rule - Hit the “New NAT rule” button. Set “Position” to “Top”. Set “Traffic Source” and “Traffic Service” to “Any”. Set “Traffic Destination” to the additional address you created (keep in mind this has the same name as the main external, only with the name of the connection inside of it). Set “NAT mode” to “DNAT”. And finally set “Destination” to the server you want this going to, or create a new definition for the server. Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
   b. Create the SNAT Rule - Hit the “New NAT rule” button. Set “Position” to “Top”. “Traffic Source” should be set to the definition you created for the server you are doing this for. “Traffic Service” should be “Any”. “Traffic Destination” should be “Internet”. Keep in mind this is very important: if you use multiple subnets inside your network, we want to make sure that SNAT is ONLY performed when data gets shipped out to the Internet, and NOT when your internal boxes are accessing the server. Set “NAT mode” to “SNAT”. And finally set “Source” to the additional IP you created (again this looks like your normal External IP, but hold the mouse over when selecting the definition to make sure it’s the “additional” IP you created). Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
   c. Create Packet Filter Rules - Now it’s time to open some ports up so that your server can offer services to the internet. This is fairly standard so I’m sure that you can do it on your own. In my example I created a few rules that allowed HTTP, DNS, and FTP from “any” using the service, to the destination “DA-Webserver” to allow the traffic I needed.

This should be it, it should be working now. If you don’t want to create the packet filter rules and want ALL traffic allowed, you can simply skip step c above, and when creating the DNAT and SNAT rules check the “Create automatic packet filter rules” box on both rules. Keep in mind this will be opening your box up to the internet!
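For readers who want to see what the three WebAdmin steps above amount to underneath, here is the same DNAT / SNAT / packet filter setup written as netfilter rules. This is an added illustration, not rules exported from an ASG or provided by Astaro; the interface name, the additional IP, the server address and the internal range are constructed placeholders. The two points the post stresses are visible in the rules: the SNAT rule is bound to the WAN interface so internal subnets never see the rewritten source, and the packet filter lists the published services explicitly instead of using the catch-all that the automatic rule box would create.

```shell
#!/bin/sh
# Added illustration (not exported from an ASG): the post's DNAT/SNAT/packet
# filter setup written as equivalent netfilter rules. All names and addresses
# are constructed placeholders; adjust them to your own layout.
WAN_IF="eth1"              # assumed external interface carrying the additional IP
ADD_IP="203.0.113.10"      # the "additional address" (DA-Web), documentation range
WEB_SRV="192.168.10.20"    # the internal web server (DA-Webserver)
LAN_NET="192.168.0.0/16"   # every internal subnet that may talk to the server

# Print the rules rather than applying them, so they can be reviewed first
# (pipe the output through sh as root to apply).
gen_rules() {
    # a. DNAT: traffic arriving on the WAN for the additional IP is redirected
    #    to the web server. Only the WAN interface is matched.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$ADD_IP" "$WEB_SRV"
    # b. SNAT: only connections the server opens that leave via the WAN are
    #    rewritten to the additional IP. "-o $WAN_IF" plus "! -d $LAN_NET" is the
    #    post's "Traffic Destination = Internet": LAN clients keep seeing the
    #    server's real address.
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -o %s -j SNAT --to-source %s\n' \
        "$WEB_SRV" "$LAN_NET" "$WAN_IF" "$ADD_IP"
    # c. Packet filter: after DNAT the packet is forwarded to the server's real
    #    address, so FORWARD rules match on WEB_SRV. Allow only the published
    #    services (HTTP, DNS, FTP control) instead of a catch-all.
    for svc in 80/tcp 53/udp 53/tcp 21/tcp; do
        port=${svc%/*}
        proto=${svc#*/}
        printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
            "$WAN_IF" "$WEB_SRV" "$proto" "$port"
    done
    # The server's own outbound connections (the ones SNAT rewrites), its
    # replies, and related flows such as FTP data when nf_conntrack_ftp is loaded.
    printf 'iptables -A FORWARD -o %s -s %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$WEB_SRV"
    # Everything else from the WAN to the server is dropped.
    printf 'iptables -A FORWARD -i %s -d %s -j DROP\n' "$WAN_IF" "$WEB_SRV"
}

rule_count() { gen_rules | wc -l | tr -d ' '; }   # 8 rules for the list above

# Sanity check: the SNAT rule must be bound to the WAN interface, otherwise
# LAN-to-server traffic would be rewritten too (the mistake the post warns about).
snat_is_wan_bound() { gen_rules | grep -- '-j SNAT' | grep -q -- "-o $WAN_IF"; }

gen_rules
```

Active-mode FTP data connections only pass the RELATED rule if the ftp conntrack helper is loaded on the firewall; without it, only the port 21 control channel is reachable.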

If you find this useful, have any questions, or want to comment or tell me how to do it better, please leave me a comment!

Thanks!

Jul 01, 2010

So, ASG 8 was released to partners this morning on July 1st, 2010.

I was super stoked about this, especially with Astaro announcing that this version will take advantage of 64-bit support. Immediately I went to go download it.

Since I run a vSphere cluster, I went ahead and downloaded the Virtual Appliance. After installing and restoring the old v7 backup configuration file, I noticed that running “uname -a” didn’t report back that it was running a 64-bit kernel.
So after some time and a few e-mails to and from my partner rep, I went ahead and downloaded the software appliance .iso hoping that the installation would provide the option, and I was correct.
So as of this article, if you want to get version 8 of ASG set up, do NOT download the virtual appliance. Create your own VM, and use the installation .iso available from Astaro.
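Two checks worth running on any ASG VM built this way are the one from this post (is the kernel actually 64-bit?) and the one from the Nov 28, 2011 post above (are any NICs still the v7 appliance’s “Flexible” type, which Linux drives with the pcnet32 driver and reports as an AMD PCnet adapter?). The script below is an added example, not from either post or from Astaro; the sysfs root is a parameter so the logic can be exercised on a constructed directory tree, and the driver symlink targets in that tree are placeholders.

```shell
#!/bin/sh
# Added check (not from the post): list VM NICs bound to pcnet32, the driver
# Linux loads for vSphere's "Flexible" adapter, and confirm the kernel is
# 64-bit. On a real ASG call flexible_nics with /sys/class/net.

# Driver name bound to interface $2 under sysfs root $1 (returns 1 if none).
nic_driver() {
    target=$(readlink "$1/$2/device/driver" 2>/dev/null) || return 1
    basename "$target"
}

# Interfaces whose driver is pcnet32, one per line.
flexible_nics() {
    for p in "$1"/*; do
        i=$(basename "$p")
        [ "$(nic_driver "$1" "$i")" = "pcnet32" ] && echo "$i"
    done
    return 0
}

# $1 is the machine type as printed by "uname -m".
kernel_is_64bit() {
    case "$1" in
        x86_64|amd64|aarch64) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sysfs tree: eth0 on the Flexible/pcnet32 driver, eth1 on e1000,
# lo with no device directory at all (as in the real /sys/class/net/lo).
FAKE_SYS=$(mktemp -d)
trap 'rm -rf "$FAKE_SYS"' EXIT
mkdir -p "$FAKE_SYS/eth0/device" "$FAKE_SYS/eth1/device" "$FAKE_SYS/lo"
ln -s /bus/pci/drivers/pcnet32 "$FAKE_SYS/eth0/device/driver"   # placeholder target
ln -s /bus/pci/drivers/e1000 "$FAKE_SYS/eth1/device/driver"     # placeholder target

echo "Flexible NICs in sample tree: $(flexible_nics "$FAKE_SYS")"
# Live run on this machine, when sysfs is present.
if [ -d /sys/class/net ]; then
    echo "Flexible NICs on this host: $(flexible_nics /sys/class/net)"
fi
kernel_is_64bit "$(uname -m)" && echo "64-bit kernel" || echo "32-bit kernel"
```

Any interface the script lists under a live run should be removed from the VM and re-added as E1000 (or VMXNET3 where the tools driver is available), as the Nov 28 post describes.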

One last note, if you are using a partner license, you may have to contact your partner rep since the partner licenses use the old licensing scheme. You MUST use a new license (that uses the new licensing scheme) to use your partner license on the Astaro Security Gateway Version 8.
I LOVE Astaro!