CacheGuard OS is a Linux-based OS dedicated to Web traffic security & optimisation. It transforms an x86-based machine into a powerful Web gateway appliance. Web traffic will be completely under your control since they cross the CacheGuard box. Note that CacheGuard is an autonomous Operating System so no other OS is required to install it on your machines.

The installed appliance may be used in forwarding mode to protect Web surfers while a reverse mode allows you to secure and optimise your Web applications.

CacheGuard OS is the result of an aggregation of multiple Open Source software and unrelated non-free programs provided by CacheGuard Technologies Ltd. All Open Source software are distributed under the GNU GPL and similar public licenses. The non-free part of CacheGuard OS is distributed under the CacheGuard License which is a specific Open Source license - Please read the License Agreement carefully before any usage.

Hardware Requirements

To implement the CacheGuard OS in reverse mode (to protect Web servers) you should consider the number of simultaneous Web connections rather than the total number of users. For instance if you plan to implement the CacheGuard OS in front of a Web application to support up to 50 simultaneous users and if your Web application require 3 Web connections per user you have to get a license for 150 (50 x 3) simultaneous Web connections which means a license for 300 (150 / 5 x 10) users.

For 100 users (10 simultaneous users ; 50 simultaneous Web connections), a typical hardware configuration is:

• x86 Architecture
• Intel Core 2 Duo
• 1024 GB RAM
• 40 GB HD
• 2 x Ethernet 100 Mbps NIC

For more users, prefer a server with more RAM and HD Storage Capacity. Normally add 512 MB of RAM and 20 GB of HD Storage Capacity for every 50 users. For instance an appliance tunned for 200 users (4 x 50) requires 2048 MB (4 x 1024) of RAM and 160 GB (4 x 40 GB) of HD Storage Capacity.

A CacheGuard Appliance runs better with several low storage capacity HD compared to a single high storage capacity HD (prefer a server with 4 x 40 GB HD compared to a server with a single 160 GB HD).

With CacheGuard you have the possibility to activate all integrated security and optimization features at the same time. Some features (like the HTTP real time Compression or the Antivirus) are more CPU consuming than others. The above given configuration is required when you intend to activate simultaneously all available features. You probably need less hardware resources if you don't need to activate all available features integrated into the CacheGuard OS.

CacheGuard OS requires at least 2 Ethernet NIC. To use the link bonding feature, add one or two additional Ethernet NIC.

Note that CacheGuard OS may be installed for a minimal number of users on a mini computer that doesn't require a powerful hardware configuration. The minimum hardware configuration for 10 users is as follows:

• x86 Architecture
• CPU Intel Pentium IV
• 512 MB RAM
• 8 GB HD ^(*)
• 2 x Ethernet 100 Mbps NIC

RAM vs HD

Hardware compatibility

OS Installation

Users capacity is the total number of installed users. Note that only twenty percent (20%) of these users are considered to be simultaneous users and each user may open 15 simultaneous Web connections. For instance to support 20 simultaneous users, specify 100 for the users capacity.

The guarding record capacity is the maximum number of supported URLs or domain names used for the URL guarding feature.

Finally the number of supported Web sites to cloak is the number of Web sites that will be secured and optimised with CacheGuard. During the installation phase, the tuner module reserves adequate resources for each Web site. Web sites are identified by their full domain names.

CDROM Installation

• Download our ISO image file.
• Write the ISO image file to a CDROM using your favourite burner tool.
• Boot your target appliance from the CDROM and follow instructions to install CacheGuard OS.

USB memory stick Installation

• Download our ISO image file.
• Write the contents of the ISO image file to a USB memory stick and make it bootable.
• To do the latter operation, we suggest to use UNetbootin - You can download this tool from http://unetbootin.sourceforge.net.
• Boot your target appliance from the USB memory stick and follow instructions.

Network Installation

Required tools

• A DHCP Server
• A TFTP Server
• PXE (SysLinux Package)

Instructions

• Download our ISO image file and burn a CDROM (or just mount the image file as a loop device).
• Copy the required files from the CDROM to the TFTP directory on your installation server (Commonly /tftpboot) - Use the following commands under UNIX:
• cp -rf /mnt/cdrom/cacheguard /tftpboot
• cp /mnt/cdrom/isolinux/install.msg /tftpboot
• cp /mnt/cdrom/isolinux/cg_kernel_lm /tftpboot
• cp /mnt/cdrom/isolinux/cg_kernel_hm /tftpboot
• cp /mnt/cdrom/isolinux/cg_initrd_lm.img /tftpboot
• cp /mnt/cdrom/isolinux/cg_initrd_hm.img /tftpboot
• cp /mnt/cdrom/pxelinux/pxelinux.cfg.default /tftpboot/pxelinux.cfg/default


• The DHCP configuration file should include a section as follows:
  

  	...
  	allow booting;
  	allow bootp;
  	filename "pxelinux.0";
  	next-server <tftp-ip-address>;
  	subnet <network-ip-address> netmask <network-mask> {
          range <first-ip-address> <last-ip-address>;
  	}
  	...
        

  Notes: Refer to your DHCP server documentation for further details. The "pxelinux.0" file is part of your PXE package (commonly located in the "/tftpboot/linux-install" directory on your installation server).

• Now boot the target appliance on its network interface that supports PXE (preferably the first interface) and follow instructions.

The pre-packaged VMware version is intended to run under VMware server (or equivalent systems like VMware fusion. for Mac OS). To run under ESX, vmdk files provided by the pre-packaged VM ware version should be converted from the 2gbsparse format to the thin/thick format. Use the ESX command vmkfstools to convert vmdk files (the command should be applied to the main vmdk file only: cacheguard.vmdk).

Also you can install the appliance from the ISO CDROM on a blank Virtual Machine created by yourself (The installation procedure takes only few minutes).

Connections

• Monitor/Keyboard connected to your machine
• RS232 Serial port (The serial port configuration should be as follows: "115200 8N1")

CacheGuard uses two logical network interfaces. The first network interface is named "intern" (for internal) and the second network interface "extern" (for external). Each logical network interface should be associated to at least one physical network interface.

The command "link" without any argument displays all detected physical network interfaces in your system. The command "link bond" displays associations between logical and physical network interfaces. Use these commands to identify your network interfaces. By default the internal network interface is associated to "eth0" and the external network interface to "eth1".

Connect all internal physical interfaces to your internal network and all external physical interfaces to your external network (Usually to your Internet router).

Note: To connect the external network interface directly to a router, use a crossed CAT 5 network cable. To connect it to a switch (or hub), use a straight (classic) CAT 5 network cable.

Simple Configuration

To configure the network connect the console port and follow the following instructions:

• Login as "admin" (use the given password during the installation)
• Type the following commands:
  
  • ip extern <extern-ip> <extern-mask>
  • ip intern <intern-ip> <intern-mask>
  • ip route add default <internet-router-ip>
  • dns add 127.0.0.1

The caching policy and some self-management mechanisms depend on the internal clock of your appliance so setting the right time and date is crucial in running a proper configuration. Use the following command to initialise time & date:

• clock <YYYY/MM/DD-hh:mm:ss>

In a non-transparent mode, just configure your Web navigators to use the internal IP address of your CacheGuard appliance as HTTP, HTTPS and FTP proxy.

The rest of the configuration may be done using an SSH client or a Web browser. Only trusted administrators are allowed to remotely manage the appliance. To declare an administrator as trusted add his/her IP address to the list of trusted administrators - Just type the following commands:

• access admin add <admin-ip>
• apply

The SSH or HTTPS interfaces should be activated before usage. To activate both use the following commands:

• admin ssh on
• admin wadmin on
• apply

General features could be activated or deactivated using the command "mode". Keep in mind to always deactivate features that you don't really need. You probably want to activate the caching mode. For this use the following commands:

• mode cache on
• apply

At this stage, you can use your appliance as a secure Web gateway appliance to connect to the Internet.. However your needs may be to secure your precious Web servers. To do so, activate the reverse mode (Just invoke the command "mode rweb on" followed by the "apply" command as usual) and configure everything using the command "rweb". If you no longer need to browse the Web through your appliance deactivate the forward mode (use the command "mode web off").

An online manual is available at any time. The command "help" gives a brief description of all available commands. To obtain the detail for a specific command, type "help" followed by that command (example: "help access"). A completion facility is available when typing commands in a console interface. At that moment, just type the <TAB> key to complete a command or to obtain a list of available arguments.