Application Firewall

Internet access management policy is a logical continuation of the Application Firewall. With UserGate Server, a system administrator can manage Internet access for both users and network applications on a client workstation. To control client workstation applications on a local network, the App. Firewall Service application must be installed. The corresponding MSI package (AuthFwInstall.msi) is located in the “%Usergate%\tools” directory.

Network application management is performed on the basis of administrator-defined rules applied to a user or to a group of users. There are two types of rules in Application Firewall: default rules and user rules. Any workstation with Application Firewall Service installed can get default rules under the following conditions:

a) Application Firewall service detects UserGate Server,

b) A set of default rules was created.

Since every Application Firewall rule must belong to a rules group, a special Default rules folder is assigned to store the default rules. A UserGate administrator can also create groups for User rules. Initially, UserGate has only one default rule, which allows any user network application to access any IP address using any protocol. It is recommended to use this rule at the beginning of Application Firewall setup to gather application usage statistics.

Application Firewall service obtains the User rules set only after the user is authorized on UserGate Server. A user can be authorized using Authorization Client, or without it by using the address of the user's workstation (IP address, MAC address or both). User rules can supplement or forbid the default rules. When Authorization Client is used, Application Firewall creates a logical link between the Windows account and the UserGate account of the authorized user. Changing the Windows account while Authorization Client is running cancels the operation of all of that user's rules. Application Firewall does not support HTTP authorization.

Application Firewall policy with default settings is defined as follows:

a) If UserGate Server is unavailable, all the network applications are allowed.

b) If UserGate Server is available, only local access of network applications and services is allowed.

The network application statistics of Application Firewall are stored in the user workstation's local folder %Program Files%\Entensys\Application Firewall\Cache and are sent periodically (approximately every 10 minutes) to UserGate Server. The sending interval is defined by the Registry parameter SendStatistics (HKLM\Software\Policies\Entensys\Application Firewall). Caching of rules is also built into Application Firewall. If UserGate Server is temporarily unavailable, Application Firewall service works according to the rules written in the local Cache during the updating time (UpdateRules Registry parameter). The rules updating period averages 5 minutes by default.
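
The settings described above can be checked on a workstation with a read-only PowerShell audit such as the following. This is an added example, not part of the UserGate documentation or product; the 30-minute staleness threshold, the check of both Program Files locations and the use of file write times as an activity signal are assumptions, and the Registry values are reported raw because their units are not stated here.

```powershell
# Added example: read-only audit of the Application Firewall client settings named above.
# Assumption: $staleAfter (30 minutes) is an arbitrary threshold chosen for this sketch.
$policyKey  = 'HKLM:\Software\Policies\Entensys\Application Firewall'
$valueNames = 'SendStatistics', 'UpdateRules'
$staleAfter = New-TimeSpan -Minutes 30

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# Registry parameters: report the raw value, or '(not set)' when the value or key is absent.
$props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in $valueNames) {
    if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
        $report[$name] = $props.$name
    } else {
        $report[$name] = '(not set)'
    }
}

# Cache folder: the page gives only %Program Files%, so both locations are tried (assumption).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$cache = $roots |
    ForEach-Object { Join-Path $_ 'Entensys\Application Firewall\Cache' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1

if ($cache) {
    # Assumption: the newest file write time in the Cache folder reflects recent service activity.
    $newest = Get-ChildItem -LiteralPath $cache -File -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    $report['CachePath']        = $cache
    $report['NewestCacheWrite'] = if ($newest) { $newest.LastWriteTime } else { $null }
    $report['CacheStale']       = (-not $newest) -or (((Get-Date) - $newest.LastWriteTime) -gt $staleAfter)
} else {
    $report['CachePath']        = '(not found)'
    $report['NewestCacheWrite'] = $null
    $report['CacheStale']       = $true
}

# One object per workstation, suitable for Export-Csv when collected from several hosts.
[pscustomobject]$report
```

A workstation that reports CacheStale as True is worth following up, because with default settings all network applications are allowed when UserGate Server is unavailable.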

User application statistics are available in “Application Firewall – Statistics”. User and workstation information and network application information are shown in Figure 19.

Figure 19. Network application statistics.

UserGate administrators can create an application rule by double-clicking on the corresponding line on the Application history page.