Preface

Endian UTM Appliance is Open Source Unified Threat Management (UTM) appliance software. This document is both a User Manual and a guide to configuring the various parts of the Endian UTM Appliance web interface and their functionality.

The latest updates and corrections to this manual, which refer to the latest release of the Endian UTM Appliance, will be available online at http://docs.endian.com/. If you think that you have found any errors, whether simple typos or content errors, feel free to report them using the form on the Endian web page.

Features and enhancements from the 2.4 release

This section shows at a glance those modules and functionalities of the Endian UTM Appliance that have been considerably improved. Minor improvements, added features, and changes are pointed out throughout the text by special labels. Many of the features introduced in the 2.5 release have been backported to the 2.4 release.

Hotspot

The major improvements included in the 2.5 release concern the hotspot module, which has been partly rewritten and is now more reliable and offers more functionalities.

  • E-mail user verification for SmartConnect™

    SMS user verification has been supported since the first release of SmartConnect™. Since version 2.5, users can also choose to verify their Hotspot accounts by e-mail. In this case a limited ticket is pre-added to the account during its creation, so that users can check their registered e-mail account for the verification e-mail, which contains a verification link. Once the link has been clicked, the user is fully activated and can buy tickets and use the hotspot to access the Internet.

  • Password recovery

    It is now possible for users to request that their password be sent to them, should they forget it. This feature can be configured to work by providing either a phone number or an e-mail address, to receive the password by phone or e-mail respectively. If the phone number or e-mail address is associated with one of the registered accounts, a password reminder will be sent to the provided phone number or e-mail address. Moreover, the interval that must pass between two password recovery requests can be set, to avoid flooding.

  • Ticket validity

    A validity field has been added to ticket rates and individual tickets, to provide an expiry date and time to each ticket, in particular whether it should be valid only for a given time from ticket creation, from the first use of the ticket, until the end of the day, or until a fixed date and time. This new feature integrates seamlessly with SmartConnect™, as tickets will automatically inherit the validity that has been configured for the chosen ticket rate. An administrator can however manually add a ticket and override the ticket rate validity for that ticket.

  • User-less portal

    The new portal allows Internet access without the need to create user accounts at all: users only need to click on the Surf Now button on the hotspot portal and accept the Terms of Service, if this is required by the hotspot configuration. In user-less mode, each device is automatically recognised by its MAC address, and a default ticket (which should be defined before activating the user-less mode) is associated with it. Moreover, if the ticket is valid for a certain time only, the user should re-accept the Terms of Service after the expiry date.

  • Configurable fields for SmartConnect™

    The SmartConnect™ user registration GUI has been rewritten. It is now possible from the Hotspot administration GUI to define which input fields should be displayed. For each displayed field it is also possible to choose whether it should be required or optional, though some field is always required. Another configuration option is whether the phone number or e-mail address provided during registration should be confirmed or not.

  • Administration usability improvements

    The administrative interface GUI has been reorganised because of the many options and improvements that have been added. This is evident in the Main Settings page, which has now been divided into sections: Portal settings, Global settings, Account settings, and Character set for generated passwords. A new widget has been introduced to simplify multiple selections, featuring a built-in filter and the ability to add items with a simple click. It is currently used to select languages, countries and country codes where required.

Documentation

The documentation itself has been extended and improved, building on the existing documentation for version 2.4 and adding new sections (getting started, glossary, quick-sheet), descriptions of relevant topics within the text, links to online resources, and various other resources. Some of the existing online resources have been gathered and included in this edition of the documentation.

VPN

  • Native VPN support for mobile devices with L2TP/IPsec

    In order to provide VPN connectivity for the most recent mobile devices such as the iPad, the iPhone, or Android-based devices, an L2TP server and a new type of IPsec configuration for L2TP tunnels have been added to the Endian UTM Appliance. The combination of L2TP and IPsec gives everyone the possibility to connect to their company VPN by using the native L2TP/IPsec support of their mobile devices.

  • Unified user management

    With the addition of L2TP, a new VPN protocol that supports users has been added. Therefore, the user creation and management process has been centralised by creating one unified VPN user management GUI, in which users can be created and allowed to use OpenVPN, L2TP, or both protocols. Protocol-specific options will then show up to tailor the connection to the user’s needs.

Connectivity

  • Wireless Mini ARM

    A new Mini model featuring a wireless module is now available, which is configurable in many ways. To start using it, it is enough to choose the country in which the Mini is used, so that the channels to be employed are set up automatically. Additional settings allow the definition of up to four wireless SSIDs, each mappable to a different zone and configurable for use with various common encryption standards: WPA, WPA2 Personal or WPA2 Enterprise.

  • Wireless Integration with RADIUS

    The wireless module can also be integrated with the Hotspot’s RADIUS server, which results in the user being logged in by the Hotspot once the credentials have been entered to authenticate in a WPA/WPA2 Enterprise encrypted wireless network.

  • Support for most modern UMTS/3G USB dongles

    By adding new drivers, Endian UTM Appliance 2.5 now supports most modern UMTS/3G dongles. Once the device has been plugged in, it appears as a serial device and can be configured by choosing Analog/UMTS modem as uplink type in the network configuration wizard. The newly created serial devices will then appear in the Serial/USB Port drop-down in the network wizard.

Miscellaneous

While they may not be immediately visible to the end user, several parts of the modules have been rewritten “under the hood” to improve performance and reliability, and dozens of bugs have been fixed.

Note

These improvements were initially intended for and implemented on the 2.4 release and then ported to the 2.5 release.

  • System - Performance improvements

    Extensive effort has gone into two main areas whose performance was not satisfactory, resulting in dramatic improvements.

    The system startup procedure has been completely rewritten. Endian's new jobsengine decreases the time needed to boot up by 50 percent.

    The memory usage has been optimised and considerably reduced: A fully configured system now saves 200 megabytes of RAM.

  • Contentfilter - Configurable update intervals

    The contentfilter blacklists can now be updated through the GUI, as for any other service, with a variable interval: hourly, daily, weekly, or monthly. Moreover, updates no longer rely on the release of new packages.

  • Dashboard - Customisable through configurable widgets

    The new dashboard is now fully customisable through the use of configurable widgets. The update interval for all widgets can now be set individually, while widgets can be placed by drag-and-drop or even deactivated completely.

  • Trusted timestamping

    Trusted timestamping allows log files to be stored securely, adding the certainty that nobody has altered them since they were generated by a system and stored.

Functionalities added after the 2.5 release

This section collects all the functionalities added to the Endian UTM Appliance after the initial 2.5 release in January 2012. These later releases are identified with the month and year, since they are only update releases. Note that this section does not include the countless bug fixes implemented in the same period.

September 2012 releases

During the month of September 2012, Endian released a set of updates which include some new features. Since this release, new features are identified by their internal code. In detail, the following parts of the Endian UTM Appliance have been improved:

  • Proxy - Improved the generation of graphs (CORE-231)

    The high CPU load and the memory exhaustion that occurred while creating the proxy graphs under heavy proxy use have been eliminated.

  • Storage - Automatic and redundant backups (UTM-107)

    In the Mini ARM, all the settings used by the system and stored on the external SD card are now automatically copied to the internal NAND, making recovery in case of SD card failure quicker and easier.

  • Storage - Gathering of information about SD cards (CORE-232)

    To improve the lifecycle of SD cards, information about read and write operations on them is gathered.

  • Networking - Bonding mode (CORE-240)

    Every bonding mode is now supported.

Moreover, the following software packages used on the Endian UTM Appliance have been updated:

  • Ntop - update to version 4.1.0

    The monitoring software ntop has been updated to the latest version in the Endian UTM Appliances featuring it (i.e., Mercury, Macro).

  • Antivirus - updated Sophos

    The Sophos antivirus is now available in its latest version, 4.80.

November 2012 release

  • Endian Network (UTM-287). Error messages for a failed registration have been improved and made more intuitive.

December 2012 release

  • Antivirus. The Sophos antivirus is now available in its latest version, 4.82.

January 2013 releases

  • Antimalware (UTM-250). Endian UTM Appliance now uses DNS blacklists from http://www.phistank.com/ to avoid connections to known unreliable domains. Whenever one of these domains is accessed, the user is redirected to a local error page.
  • Antivirus. The Sophos antivirus is now available in its latest version, 4.84.

Acknowledgments

Without the great work of the Smoothwall and then of the IPCop team, neither Endian UTM Appliance nor this document would exist. Therefore we would like to thank them all for their hard work.

Thanks to Sourceforge for the hosting. Without Sourceforge we would not have the possibility to gain such a huge worldwide visibility. You are really helping us very much!

Endian web sites

For more information about Endian S.r.L., Italy and its products, please visit Endian's web site at http://www.endian.com.

Many resources (tutorials, how-tos, examples) in this manual are taken from the following web sites:

  • http://help.endian.com. The new support center for the Endian products, which should become the reference site for supporting customers and users. Several links to how-tos on this site are provided in this documentation at the end of the various subsections.

  • http://kb.endian.com. The old knowledge base of Endian. It stores a lot of example configurations and troubleshooting information, much of which has been included in this guide.

    Note

    While the kb.endian.com web site will be discontinued in the near future, its content will be improved and moved to the help.endian.com site. Please refer to that site for any help, request, or simply to search for HOW-TOs, tutorials, or additional documentation.

  • http://bugs.endian.com. The site on which to search for bugs or to open new ones. If a fix for a buggy package exists, but the package has not yet been released, you might also find here a workaround to apply on your system.

Additionally, several forums have been created on the Internet to provide help to the users of the Community Edition. These are not maintained by Endian, but nevertheless they represent a valuable resource for all Endian UTM Appliance users, even for registered appliances.

An updated list with all forums can be found on the Endian Website.

Finally, mailing lists with subscription instructions can be found on the Sourceforge page of the Endian UTM Appliance project.