User's Guide - Version 5.7.6
Caution: This is an autonomous full OS (Operating System) that requires a dedicated hardware or virtual machine. The full installation program formats all hard drives so all existing data will be erased after a full installation. Please read the CacheGuard license agreement before installing CacheGuard OS on your machine.
CacheGuard OS is a Linux-based OS dedicated to Web traffic security & optimisation. It transforms an x86-based machine into a powerful Web gateway appliance. Web traffic will be completely under your control since they cross the CacheGuard box. Note that CacheGuard is an autonomous Operating System so no other OS is required to install it on your machines.
The installed appliance may be used in forwarding mode to protect Web surfers while a reverse mode allows you to secure and optimise your Web applications.
CacheGuard OS is the result of an aggregation of multiple Open Source software and unrelated non-free programs provided by CacheGuard Technologies Ltd. All Open Source software are distributed under the GNU GPL and similar public licenses. The non-free part of CacheGuard OS is distributed under the CacheGuard License which is a specific Open Source license - Please read the License Agreement carefully before any usage.
To implement the CacheGuard OS in reverse mode (to protect Web servers) you should consider the number of simultaneous Web connections rather than the total number of users. For instance if you plan to implement the CacheGuard OS in front of a Web application to support up to 50 simultaneous users and if your Web application require 3 Web connections per user you have to get a license for 150 (50 x 3) simultaneous Web connections which means a license for 300 (150 / 5 x 10) users.
For 100 users (10 simultaneous users ; 50 simultaneous Web connections), a typical hardware configuration is:
To implement the CacheGuard OS in forwarding mode (to protect Web surfers) the most important factor is the total number of end users. A capacity manager integrated to the OS tunes the appliance during the installation for the given number of users. According to the the capacity management policy all end users are not connected at the same time but just 10 percents of them. Also the consideration is that each user may open up to 5 simultaneous Web connections. For instance a 100 users license allows you to protect 100 not named users. So the appliance is tunned to run for 10 simultaneous users which means 50 simultaneous Web connections. Of course a burst of 500 connections will be granted.
For more users, prefer a server with more RAM and HD Storage Capacity. Normally add 512 MB of RAM and 20 GB of HD Storage Capacity for every 50 users. For instance an appliance tunned for 200 users (4 x 50) requires 2048 MB (4 x 1024) of RAM and 160 GB (4 x 40 GB) of HD Storage Capacity.
A CacheGuard Appliance runs better with several low storage capacity HD compared to a single high storage capacity HD (prefer a server with 4 x 40 GB HD compared to a server with a single 160 GB HD).
With CacheGuard you have the possibility to activate all integrated security and optimization features at the same time. Some features (like the HTTP real time Compression or the Antivirus) are more CPU consuming than others. The above given configuration is required when you intend to activate simultaneously all available features. You probably need less hardware resources if you don't need to activate all available features integrated into the CacheGuard OS.
CacheGuard OS requires at least 2 Ethernet NIC. To use the link bonding feature, add one or two additional Ethernet NIC.
Note that CacheGuard OS may be installed for a minimal number of users on a mini computer that doesn't require a powerful hardware configuration. The minimum hardware configuration for 10 users is as follows:
- x86 Architecture
- Intel Core 2 Duo
- 1024 GB RAM
- 40 GB HD
- 2 x Ethernet 100 Mbps NIC
(*)OS main components are installed on a single Hard Drive called the OS Hard Drive. By default this is the first HD detected during the installation. The minimum capacity required for the OS HD is about one GB. An additional six GB is required for the persistent cache and log files.
- x86 Architecture
- CPU Intel Pentium IV
- 512 MB RAM
- 8 GB HD (*)
- 2 x Ethernet 100 Mbps NIC
RAM vs HD
Note that if your RAM is too small compared to your Hard Drive capacity, you should probably reduce your Hard Drive size by using the option "Limit the Total storage capacity" in the installation menu (This is done using percentage values). Also you can add additional RAM into your machine to match your Hard Drive storage capacity.
CacheGuard supports almost all popular x86-based hardware devices. If your hardware is not detected during the installation, please contact us and we will do our best to integrate adequate drivers into the OS to support your hardware.
The installation procedure tunes the OS according to three major parameters: The users capacity, the guarding capacity and the number of Web sites to cloak.
Users capacity is the total number of installed users. Note that only twenty percent (20%) of these users are considered to be simultaneous users and each user may open 15 simultaneous Web connections. For instance to support 20 simultaneous users, specify 100 for the users capacity.
The guarding record capacity is the maximum number of supported URLs or domain names used for the URL guarding feature.
Finally the number of supported Web sites to cloak is the number of Web sites that will be secured and optimised with CacheGuard. During the installation phase, the tuner module reserves adequate resources for each Web site. Web sites are identified by their full domain names.
- Download our ISO image file.
- Write the ISO image file to a CDROM using your favourite burner tool.
- Boot your target appliance from the CDROM and follow instructions to install CacheGuard OS.
USB memory stick Installation
- Download our ISO image file.
- Write the contents of the ISO image file to a USB memory stick and make it bootable.
- To do the latter operation, we suggest to use UNetbootin - You can download this tool from http://unetbootin.sourceforge.net.
- Boot your target appliance from the USB memory stick and follow instructions.
A Linux installation Server including:
- A DHCP Server
- A TFTP Server
- PXE (SysLinux Package)
VMware (C) Virtual Machine Note
The pre packaged CacheGuard OS for VMware uses 4 network interfaces bridged with the first physical network interface present on your machine. You should probably reconfigure the network connectivity for your Virtual Machine to match your needs.
The pre-packaged VMware version is intended to run under VMware server (or equivalent systems like VMware fusion. for Mac OS). To run under ESX, vmdk files provided by the pre-packaged VM ware version should be converted from the 2gbsparse format to the thin/thick format. Use the ESX command vmkfstools to convert vmdk files (the command should be applied to the main vmdk file only: cacheguard.vmdk).
Also you can install the appliance from the ISO CDROM on a blank Virtual Machine created by yourself (The installation procedure takes only few minutes).
To start, connect to your system using the console port. Your console port is one of the following:
CacheGuard uses two logical network interfaces. The first network interface is named "intern" (for internal) and the second network interface "extern" (for external). Each logical network interface should be associated to at least one physical network interface.
The command "link" without any argument displays all detected physical network interfaces in your system. The command "link bond" displays associations between logical and physical network interfaces. Use these commands to identify your network interfaces. By default the internal network interface is associated to "eth0" and the external network interface to "eth1".
Connect all internal physical interfaces to your internal network and all external physical interfaces to your external network (Usually to your Internet router).
Note: To connect the external network interface directly to a router, use a crossed CAT 5 network cable. To connect it to a switch (or hub), use a straight (classic) CAT 5 network cable.
- Monitor/Keyboard connected to your machine
- RS232 Serial port (The serial port configuration should be as follows: "115200 8N1")
When you first connect to the appliance the command "setup" is automatically executed. This command performs a basic startup configuration. You can use this command at any time even if you are not a confirmed administrator. (je ne sais pas ce que tu veux dire dans la derniere phrase)
When you first connect to the appliance the command "setup" is automatically executed. This command performs a basic startup configuration. You can use this command at any time even you are a confirmed administrator.
CacheGuard is implemented as a filter in your network by dividing the Web access segment into two separated areas: An external non trusted area connected to the Internet and an internal trusted area connected to backend Web servers or Web surfers.
To configure the network connect the console port and follow the following instructions:
The configuration procedure is straightforward: You have to run a set of commands to build a new configuration. During the phase of creating a new configuration the current running configuration is not affected. Once the new configuration is created you apply it to the appliance by invoking the command "apply". This command replaces the current running configuration with the newly built configuration.
The "apply" command runs in background. This means after its invocation you can continue to execute other commands but you can't modify the settings before the termination of the last "apply" command. The command "apply" followed by the keyword "report" print a state report of its execution.
The caching policy and some self-management mechanisms depend on the internal clock of your appliance so setting the right time and date is crucial in running a proper configuration. Use the following command to initialise time & date:
- Login as "admin" (use the given password during the installation)
- Type the following commands:
- ip extern <extern-ip> <extern-mask>
- ip intern <intern-ip> <intern-mask>
- ip route add default <internet-router-ip>
- dns add 127.0.0.1
By default the appliance is in a "transparent" mode. That means no Web navigator (Windows IE, Mozilla...) configuration is required to filter HTTP (port 80) accesses. In this mode the IP configuration of your networks should route all HTTP traffic to your appliance. For a basic implementation, your appliance may be your default gateway to the internet (See Transparent Implementation)
In a non-transparent mode, just configure your Web navigators to use the internal IP address of your CacheGuard appliance as HTTP, HTTPS and FTP proxy.
The rest of the configuration may be done using an SSH client or a Web browser. Only trusted administrators are allowed to remotely manage the appliance. To declare an administrator as trusted add his/her IP address to the list of trusted administrators - Just type the following commands:
- clock <YYYY/MM/DD-hh:mm:ss>
The SSH or HTTPS interfaces should be activated before usage. To activate both use the following commands:
- access admin add <admin-ip>
To connect to a remote appliance under UNIX type "ssh admin@<cacheguard-intern-ip>". Remember that by default only the internal network interface could be used to remotely administrate the appliance (unless you configure the administration topology using the command "admin topology"). To configure a remote appliance using the Web administration GUI you should use a Web browser. Just connect to the URL: "https://<cacheguard-hostname.>. <cacheguard-domainname.>:8090" where <cacheguard-hostname.>. <cacheguard-domainname.> is resolved to the internal IP address of your appliance. The certificate provided by the appliance is self-signed. Before permanently accepting this certificate as a valid certificate compare its fingerprint printed in your Web browser against the fingerprint printed in the console interface (Use the command "admin https fp"). Mind that the protocol used is https and not http. The login name is "admin" and by default the password is the same as the password to login via the console port. Think about setting different passwords for the console/ssh interface and the Web administration GUI (use the command "password").
General features could be activated or deactivated using the command "mode". Keep in mind to always deactivate features that you don't really need. You probably want to activate the caching mode. For this use the following commands:
At this stage, you can use your appliance as a secure Web gateway appliance to connect to the Internet.. However your needs may be to secure your precious Web servers. To do so, activate the reverse mode (Just invoke the command "mode rweb on" followed by the "apply" command as usual) and configure everything using the command "rweb". If you no longer need to browse the Web through your appliance deactivate the forward mode (use the command "mode web off").
An online manual is available at any time. The command "help" gives a brief description of all available commands. To obtain the detail for a specific command, type "help" followed by that command (example: "help access"). A completion facility is available when typing commands in a console interface. At that moment, just type the <TAB> key to complete a command or to obtain a list of available arguments.
- admin ssh on
- admin wadmin on
Copyright (C) 2002-2011 CacheGuard - All rights reserved