Endian UTM Appliance is an Open Source Unified Threat Management (UTM) appliance software. This document is both an User Manual and a Guide to the configuration of the various part of the Endian UTM Appliance web interface and its functionalities.
The latest updates and corrections to this manual, referred to the latest release of the Endian UTM Appliance, will be available online at http://docs.endian.com/. If you think that you have found any errors, either simple typos or even content errors, feel free to report them using this form on Endian web page.
This section shows at a glance those modules and functionalities of the Endian UTM Appliance which have considerably improved. Minor improvements, addition of features, and changes are pointed out throughout the text by special labels. Many of the features introduced in the 2.5 release have been backported to the 2.4 release.
The major improvements included in the 2.5 release concern the hotspot module, which has been partly rewritten and is now more reliable and offers more functionalities.
E-mail user verification for SmartConnect™
SMS user verification has been supported since the first release of SmartConnect™. Since version 2.5, users can now also choose to verify by e-mail the validity of their Hotspot accounts. In this case a limited ticket is pre-added to the account during its creation to make sure the users can check their registered e-mail account for the verification e-mail, which contains a verification link. Once the link has been clicked, the user is fully activated and can buy tickets and access the hotspot to access the Internet.
Password recovery
It is now possible for a user to request that its password be sent to her, should she forget it. This feature can be configured to work by providing either a phone number or an e-mail address, to receive the password by phone or e-mail respectively. If the phone number or e-mail address are associated with one of the registered accounts, a password reminder will be sent to the provided phone number or e-mail address. Moreover, the interval that must pass between two password recovery requests can be set, to avoid flooding.
Ticket validity
A validity field has been added to ticket rates and individual tickets, to provide an expiry date and time to each ticket, in particular whether it should be valid only for a given time from ticket creation, from the first use of the ticket, until the end of the day, or until a fixed date and time. This new feature integrates seamlessly with SmartConnect™, as tickets will automatically inherit the validity that has been configured for the chosen ticket rate. An administrator can however manually add a ticket and override the ticket rate validity for that ticket.
User-less portal
The new portal allows Internet access without the need to create user accounts at all: Users only need to click on the Surf Now button on the hotspot portal and accept the Terms of Service, if this is required by the hotspot configuration. In user-less mode, each device is automatically recognised by its MAC-address, and a default ticket -which should be defined before activating the user-less mode- is associated to it. Moreover, if the ticket is valid for a certain time only, the user should re-accept the Terms of Service after the expiry date.
Configurable fields for SmartConnect™
The SmartConnect™ user registration GUI has been rewritten. It is now possible from the Hotspot administration GUI to define which input fields should be displayed. For each displayed field it is also possible to choose whether it should be required or optional, though some field is always required. Another configuration option is whether the phone number or e-mail address provided during registration should be confirmed or not.
Administration usability improvements
The administrative interface GUI has been reorganised, due to the myriad of options added and improvements. This is evident in the Main Settings page, which has now been divided into sections: Portal settings, Global settings, Account settings, and Character set for generated passwords. A new widget has been introduced to simplify multiple selections, featuring a built-in filter and the ability to add items with a simple click. It is currently used to select languages, countries and country codes where required.
The documentation itself has been extended and improved, building on the existent documentation for version 2.4 and adding new sections (getting started, glossary, quick-sheet), descriptions of relevant arguments within the text, links to online resources, and various other resources. Part of existent online resources have been gathered and included in this edition of the documentation.
Native VPN support for mobile devices with L2TP/IPsec
In order to provide VPN connectivity for the most recent mobile devices such as the iPad, the iPhone, or Android-based devices, an L2TP server and a new type of IPsec configuration for L2TP tunnels has been added to the Endian UTM Appliance. The combination of L2TP and IPsec gives everyone the possibility to connect to their company VPN by using the native L2TP/IPsec support of their mobile devices.
Unified user management
With the addition of L2TP, a new VPN protocol that supports users has been added. Therefore, the user creation and management process has been centralised by creating one unified VPN user management GUI, in which users can be created and allowed to be using either OpenVPN, L2TP, or both protocols. Protocol-specific options will then show up to tailor the connection to the user’s needs.
Wireless Mini ARM
A new Mini model featuring a wireless module is now available, which is configurable in many ways: To start using it is as easy as to choose the country in which the Mini is used, for the automatic setup of the channels to be employed. Additional settings allow the definition of up to four wireless SSIDs, each mappable to a different zone and configurable for the use with various common encryption standards - WPA, WPA2 Personal or WPA2 Enterprise.
Wireless Integration with RADIUS
The wireless module can also be integrated with the Hotspot’s RADIUS server which results in the user being logged in by the Hotspot once the credentials have been entered to authenticate in a WPA/WPA2 Enterprise encrypted wireless network.
Support for most modern UMTS/3G USB dongles
By adding new drivers, Endian UTM Appliance 2.5 now supports most modern UMTS/3G dongles. Once the device has been plugged in, it appears as a serial devices and can be configured by choosing Analog/UMTS modem as uplink type in the network configuration wizard. The newly created serial devices will then appear in the Serial/USB Port drop-down in the network wizard.
While they may not immediately be visible to the end user, several parts of the modules have been rewritten “under the hood”, to improve performances and reliability, while dozens of bugs have been fixed.
Note
These improvements were initially intended for and implemented on the 2.4 release and then ported to the 2.5.
System - Performance improvements
Two main areas whose performances were not satisfactory have been interested by extensive efforts, resulting in dramatic improvements.
The system startup procedure has been completely rewritten. Endian‘s new jobsengine decreases the time needed to boot up by 50 percent.
The memory usage has been optimised and considerably reduced: A fully configured system now saves 200 megabytes of RAM.
Contentfilter - Configurable update intervals
The contentfilter blacklists can now be updated through the GUI like for any other service, with a variable interval - hourly, daily, weekly, or monthly. Moreover, updates do not rely on the release of new packages anymore.
Dashboard - Customisable through configurable widgets
The new dashboard is now fully customisable through the use of configurable widgets. The update interval for all widgets can now be set individually, while widgets can be placed by drag-and-drop or even deactivated completely.
Trusted timestamping
The functionality of trusted timestamping allows to securely store log files, adding the certainty that nobody has altered them since they were generated from a system and stored.
This section collects all the functionalities added to the Endian UTM Appliance after the initial 2.5 release in January 2012. These later releases are identified with the month and year, since they are only update releases. Note that this section does not include the countless bug fixes implemented in the same period.
During the month of September 2012, Endian released a set of updates which include some new features. Since this release, new features are identified by their internal code. In details, the following parts of the Endian UTM Appliance have been improved:
Proxy - Improved the generation of graphs (CORE-231)
The high load of the CPU and the memory exhaustion occurring during the creation of the proxy graphs with a massive use of the proxy has been eliminated.
Storage - Automatic and redundant backups (UTM-107)
In the Mini ARM, all the settings used by the system and stored on the external SD card are now automatically copied on the internal NAND, making the recovery in case of SD card failure quicker and easier.
Storage - Gathering of information about SD cards (CORE-232)
To improve the lifecycle of SD cards, information about read and write operations on them are gathered.
Networking - Bonding mode. (CORE-240)
Every bonding mode is now supported.
Moreover, the following softwares employed on Endian UTM Appliance have been updated:
Ntop - update to version 4.1.0
The monitoring software ntop has been updated to the latest version in the Endian UTM Appliances featuring it (i.e., Mercury, Macro)
Antivirus - updated Sophos.
The Sophos antivirus is now available in its latest version, 4.80.
The Endian UTM Appliance Reference Manual 2.5 (“this document”) is copyright (c) 2011 Endian S.r.L., Italy (“Endian”). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the GNU Free Documentation License.
This document has been edited and written by Stefano David with the help of the other Endian Team members, building on the previous 2.4 version written by (in alphabetical order) Andreas Ender, Diego Gagliardo, Luca Giovenzana, Christian Graffer, Raphael Lechner, Chris Mair, Raphael Vallazza, and Peter Warasin. Some parts of the 2.4 documentation were based on the IPCop Administrative Guide by Chris Clancey, Harry Goldschmitt, John Kastner, Eric Oberlander, Peter Walker and on the IPCop Advanced Proxy Administrative Guide by Marco Sondermann.
The information contained within this document may change from one version to the next and may also change over time without notice to improve the content, to correct any error or mistake, or to describe new or changed features. The date of the last update is always present at the bottom of every page.
All programs and details contained within this document have been created to the best of our knowledge and tested carefully. However, errors cannot be completely ruled out. Therefore Endian does not express or imply any guarantees for errors within this document or a consequent damage arising from the availability, performance, or use of this or related material.
Endian and the Endian logo are trademarks of Endian S.r.L., Italy.
The use of names in general use, names of firms, trade names, etc. in this document, even without special notation, does not imply that such names can be considered as free in terms of trademark legislation and that they can be used by anyone. All trade names are used without a guarantee of free usage and might be registered trademarks. As a general rule, Endian adheres to the notation of the manufacturer. Other products mentioned here could be trademarks owned by the respective manufacturer.
Without the great work of the Smoothwall and then of the IPCop team, neither Endian UTM Appliance nor this document would exist. Therefore we would like to thank them all for their hard work.
Thanks to Sourceforge for the hosting. Without Sourceforge we would not have the possibility to gain such a huge worldwide visibility. You are really helping us very much!
For more information about Endian S.r.L., Italy and its products, please visit Endian‘s web site at http://www.endian.com.
Many resources (tutorials, how-tos, examples) in this manual are taken from those web sites:
http://help.endian.com. The new support center for the Endian products, that should become the reference site to support customers and users. Several links to howtos on this site are provided on this documentation at the end of the various subsections.
http://kb.endian.com. The old knowledge base of Endian. It stores a lot of example configurations and troubleshooting, many of whom have been included in this guide.
Note
While the kb.endian.com web site will be discontinued in the near future, its content will be improved and moved to the help.endian.com site. Please refer to that site for any help, request, or simply to search for HOW-TOs, tutorials, or additional documentation.
http://bugs.endian.com. The site where to search for bugs or to open new ones. If a fix for a buggy packages exists, but the package has not yet been released, you might also find here some workaround to apply on your system.
Additionally, several forums have been created on the Internet to provide help to the users of the Community Edition. These are not maintained from Endian, but nevertheless they represent a valuable resource for all Endian UTM Appliance users, even for registered appliances:
An updated list with all forums can be found on the Endian Website.
Finally, mailing lists with instruction for subscription can be found on the sourceforge page of the Endian UTM Appliance project.