CacheGuard-OS
User's Guide - Version UF-2.0.2


Using a Manager

If you need to deploy several Gateways in your organisation, you can install and configure them separately, one by one. Most of the time, Gateways deployed in the same organisation have similar configurations, so you have to repeat the same configuration process as many times as you have installed Gateways. A Manager system lets you centrally configure and manage several remote Gateways from a single point. With a Manager you can create configuration templates and build Gateway configurations based on those templates. Configurations built on a Manager system can then be pushed in parallel to several Gateways with just a couple of clicks or commands. This way you can manage your Gateways in a uniform and optimised way.
Also, if you need to automatically update data like URL lists, the Manager allows you to download them only once and push them in parallel to all managed Gateways. Note that this feature is only available on commercial installations of CacheGuard-OS.

Gateway Access

Before a Gateway can be managed from a Manager, the Gateway must allow the Manager's IP address to have management access to it. As the Manager uses the SSH protocol to connect to Gateways, the Gateway must also authorise the Manager to access it at the SSH protocol level. This is achieved by importing the Manager's SSH public key on the Gateway. A Gateway can be managed by one and optionally a second Manager. The first Manager is called the master Manager while the second Manager is called the backup Manager.

To allow a master Manager having the IP address 192.168.1.22 and the SSH public key 'ssh-rsa AAAAB3Nza...' to have management access to a Gateway system via its external NIC, use the following commands on the Gateway:

To get the Manager's IP address and SSH public key you can use the following commands on the Manager:

Note that a Manager system has only one logical network interface called internal.
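The following Python sketch is an added example, not part of the CacheGuard-OS guide. It checks an OpenSSH public key line before it is imported on a Gateway: it confirms that the declared key type matches the key blob, reports the RSA modulus size, and computes the SHA256 fingerprint in the form printed by ssh-keygen -l, so the value can be compared with the one read on the Manager. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 length + bytes) from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Return (key_type, rsa_bits_or_None, sha256_fingerprint) for one key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != declared:
        raise ValueError("declared key type does not match key blob")
    bits = None
    if declared == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent
        n, off = _read_string(blob, off)    # modulus as an mpint
        bits = int.from_bytes(n, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return declared, bits, fp


def make_sample_rsa_line(bits=2048):
    """Build a syntactically valid ssh-rsa line from a constructed modulus.
    The modulus is a fixed pattern, not a real key; it only exercises parsing."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    n = (1 << (bits - 1)) | 0xC0FFEE | 1
    n_bytes = b"\x00" + n.to_bytes(bits // 8, "big")  # leading 0 keeps mpint positive
    blob = s(b"ssh-rsa") + s((65537).to_bytes(3, "big")) + s(n_bytes)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " manager@constructed"


if __name__ == "__main__":
    print(inspect_public_key(make_sample_rsa_line()))
```

Compare the printed fingerprint with the one obtained on the Manager over a separate channel before granting it management access.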

Gateway Enrolment

Once a Manager is allowed to access a Gateway, the first step is to enrol the Gateway on the Manager and optionally pull the Gateway's current configuration and save it on the Manager. Each Gateway on the Manager system is identified by a unique identifier that you choose during its enrolment. In addition, Gateways on the Manager are organised in groups called domains. This means that each Gateway must belong to a domain. This way, you can perform different operations (like push or pull) in parallel on all Gateways belonging to the same domain.

To enrol and pull the configuration of a Gateway having the IP address 10.0.10.254, use the following commands on the Manager:

Note that in this example, my-company and gateway-1 are respectively the identifier and domain name selected for the enrolled Gateway. The pull operation is performed in the background. To get a report on the latest pull operation you can use the following command:

Gateway Configuration

Gateway configurations can be modified on the Manager and then pushed to remote Gateways by the Manager. To begin editing a Gateway configuration you can use the following command:

This command takes you inside the Gateway configuration context, where you can use the commands that you normally use on a Gateway system. Once you have finished configuring the Gateway, you can use the apply command to verify and validate its integrity and then use the end command to go back to the Manager configuration level. At this stage you can push the new Gateway configuration to the remote Gateway by using the following command:

The push operation is performed in the background. To get a report on the latest push operation you can use the following command:

Working with Templates

A particular strength of the Manager is the possibility to work with templates. A template is a particular Gateway configuration that you can apply to Gateways. This way you can quickly configure multiple Gateway systems that have almost the same configuration. You only need to customise what differs from one Gateway to another (its IP addresses, for instance).

To create a template called my-template on a Manager system and then begin to configure it, use the following commands:

Once you have finished configuring the template, you can use the apply command to verify and validate its integrity and then use the end command to go back to the Manager configuration level. Now that you have a template, you can apply it to a Gateway configuration. To do that, you must be inside a Gateway configuration context. To configure a managed Gateway using a template called my-template, use the following command:

Master and Slave Managers

In order to offer an acceptable level of availability, a slave Manager can be configured to have a hot copy of all data on the master Manager. This way, in case of a failure on a master Manager, the slave Manager can be activated in order to offer service continuity in handling managed Gateways. To allow the master and slave Managers to communicate with each other, each Manager must know the IP address of the other. In addition, the slave Manager must know the SSH public key of the master Manager to allow it to connect using SSH.

Assuming that the master Manager has the 192.168.1.22 IP address and the slave Manager the 192.168.1.33 IP address, use the following commands on the master Manager:

And the following commands on the slave Manager:

Where 'ssh-rsa AAAAB3Nza...' is the SSH public key of the master Manager.