3. Installation

Creating a USB flash startup disk


Windows

Writing the ISO image to the USB drive will erase all data currently stored on it.

  1. Download Rufus and open the downloaded file.
  2. In the Device field, choose the target USB flash drive.
     [Screenshot: Creating a USB flash startup disk]
  3. In Boot selection, choose Disk or ISO image.
  4. Click Select and open the downloaded SafeUTM image.
  5. Leave all other settings at their defaults.
  6. Click Start.
  7. In the drop-down menu, select Write in DD Image mode.
  8. A dialog window will pop up asking you to confirm that the USB flash drive will be overwritten.

Then follow the instructions of the installation wizard. The SafeUTM installation steps are described in the Installation Process article.


Linux

To create a USB flash startup disk in Linux, all you need to do is copy the SafeUTM ISO image block by block to the device. Two ways to do this are described below.

Using gnome-disks

[Screenshot: Creating a USB flash startup disk]

Manually

1. Check the image integrity:

$ md5sum /home/safedns/SafeUTM.iso
8c872cb6b720f6fd6683107681645156 /home/safedns/SafeUTM.iso

The checksum must match the one shown in the personal account the image was downloaded from. If it differs, the file is corrupted and needs to be downloaded again.

2. Find the USB flash disk in the system:

$ lsblk --nodeps -o name,size,fstype,tran,model,mountpoint /dev/sd*
NAME  SIZE FSTYPE TRAN MODEL        MOUNTPOINT 
sdx   7,5G        usb  USB_DISK_3.0 
sdx1  7,5G vfat                     /run/media/safedns/D661-82E2

The output shows the USB flash disk /dev/sdx and a file system on its partition sdx1 that is currently mounted.

3. Unmount the file system:

$ sudo umount /run/media/safedns/D661-82E2

4. Write the image to the disk:

$ sudo dd if=/home/safedns/SafeUTM.iso of=/dev/sdx bs=1M oflag=direct status=progress

5. Prepare the disk to be ejected:

$ sudo eject /dev/sdx
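The manual procedure above (steps 1 to 5) collected into one script, with the safeguards a practitioner wants around dd: the checksum is verified before anything is written, the target must be a removable block device with nothing mounted from it, and the stick is read back and compared after writing. This is an added example, not a SafeUTM tool; the device name /dev/sdx, the image path and the MD5 digest are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example (not part of SafeUTM): write the SafeUTM ISO to a USB stick
# with the checks from the manual steps above. All paths and device names
# are placeholders supplied on the command line.
set -eu

# Compare the MD5 of the image $1 with the expected hex digest $2
# (the digest published in your personal account).
verify_image() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch: got $actual, expected $2; download the image again" >&2
        return 1
    fi
    return 0
}

# Refuse to write unless $1 is a removable block device with nothing mounted from it.
# This is the dd safeguard: a wrong device name would otherwise wipe a system disk.
check_target() {
    dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    name=${dev#/dev/}
    removable=$(cat "/sys/block/$name/removable" 2>/dev/null || echo 0)
    [ "$removable" = 1 ] || { echo "$dev is not flagged removable; refusing" >&2; return 1; }
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev has mounted partitions; unmount them first" >&2
        return 1
    fi
    return 0
}

# Read back as many bytes as the ISO ($1) has from the device ($2) and confirm
# the MD5 equals the expected digest ($3), i.e. the write actually took.
verify_written() {
    size=$(wc -c < "$1" | tr -d ' ')
    written=$(head -c "$size" "$2" | md5sum | cut -d' ' -f1)
    [ "$written" = "$3" ]
}

# Block copy with direct I/O, then sync so everything is on the stick before eject.
write_image() {
    dd if="$1" of="$2" bs=1M oflag=direct status=progress
    sync
}

main() {
    iso=$1; dev=$2; expected=$3
    verify_image "$iso" "$expected"
    check_target "$dev"
    write_image "$iso" "$dev"
    verify_written "$iso" "$dev" "$expected" || { echo "read-back mismatch" >&2; exit 1; }
    eject "$dev"
    echo "done: $dev is ready"
}

# Usage: sudo sh make-safeutm-usb.sh /home/safedns/SafeUTM.iso /dev/sdx <md5 from your account>
# main runs only when arguments are given, so the functions can be sourced for testing.
[ $# -eq 0 ] || main "$@"
```

The checksum comparison detects download corruption; it only protects against a deliberately altered image if the digest itself came from a trusted place, which is why the script takes it from the value shown in your personal account rather than from a file next to the ISO.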

Setting up Hypervisors

Requirements for running SafeUTM:
1. UEFI support.
2. Legacy boot mode must be turned off (it may also be called CSM, Compatibility Support Module).
3. Secure Boot must be turned off in UEFI.

SafeUTM supports the following hypervisors: Microsoft Hyper-V, VMware ESXi, VirtualBox, KVM, and Citrix XenServer (see Hypervisor support under System Requirements).

In order to work on virtual machines, there is no need to install additional drivers or utilities on SafeUTM. Guest add-ons are included in the distribution package.


General Recommendations

If the error "At least 8 GB of RAM is required" appears during SafeUTM installation even though you allocated the recommended amount of RAM, reduce the video memory allocated to the virtual machine to the minimum.


Microsoft Hyper-V

Only Generation 2 VMs on Windows Server 2012 R2 or later are supported. Secure Boot must be turned off.

Always use a regular virtual network adapter.


VMware ESXi

Before installing SafeUTM, increase the virtual machine's video memory to 16 Mb (the default is 4 Mb).

VMXNET3 virtual network adapters are recommended.


Citrix XenServer

If the XenServer virtual machine does not boot from the ISO file, follow these steps:

  1. Run xe vm-list. This command lists the virtual machines on XenServer.
  2. Find the virtual machine with UTM and note its UUID.
  3. Run xe vm-param-set uuid=<UUID> HVM-boot-policy=BIOS\ order HVM-boot-params:order=dc

After these steps the installation should start from the installation medium.


KVM

  1. When creating the SafeUTM virtual machine, choose Fedora as the operating system type.
  2. At step 5 of the virt-manager wizard, tick Customize configuration before install and click Finish.
     [Screenshot: Setting up Hypervisors]
  3. For disks and NICs, set the device model to virtio.
  4. For disks, use the writeback cache mode if the disk images are stored as qcow2 or raw files. Otherwise, consult your storage administrator or our technical support about which cache mode to choose.
  5. In the Overview section, set the Firmware field to UEFI x86_64:/usr/share/OVMF/OVMF_CODE.fd. This enables UEFI with Secure Boot turned off.
     [Screenshot: Setting up Hypervisors]

If UEFI x86_64:/usr/share/OVMF/OVMF_CODE.fd is not in the list, install the ovmf package. On Ubuntu it is installed with sudo apt install ovmf.
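The same KVM guest, created from the command line with virt-install instead of clicking through the virt-manager wizard. This is an added example, not SafeUTM's own tooling: the VM name, ISO path, bridge names (br-lan, br-wan), disk size and the osinfo id fedora-unknown are placeholders to adjust (virt-install --osinfo list shows the Fedora ids available on your host). The firmware check mirrors the ovmf note above.

```shell
#!/bin/sh
# Added example (not SafeUTM's own tooling): create the KVM guest from steps 1-5
# with virt-install. Bridge names, paths, sizes and the osinfo id are placeholders.
set -eu

OVMF_CODE=/usr/share/OVMF/OVMF_CODE.fd   # UEFI firmware image without Secure Boot
OVMF_VARS=/usr/share/OVMF/OVMF_VARS.fd   # matching NVRAM template

# Check that the firmware image exists; on Ubuntu it comes from the ovmf package.
preflight() {
    code=${1:-$OVMF_CODE}
    if [ ! -f "$code" ]; then
        echo "UEFI firmware $code not found: install it with 'sudo apt install ovmf'" >&2
        return 1
    fi
    return 0
}

# Print the virt-install arguments that encode the requirements from the steps above:
# Fedora guest type, virtio disk and NICs, writeback cache on a qcow2 image,
# OVMF_CODE.fd as loader (UEFI on, Secure Boot off), boot from the ISO first.
vm_args() {
    name=$1; iso=$2; lan_bridge=$3; wan_bridge=$4
    cat <<EOF
--name $name
--osinfo fedora-unknown
--memory 8192
--vcpus 4
--machine q35
--boot loader=$OVMF_CODE,loader.readonly=yes,loader.type=pflash,nvram.template=$OVMF_VARS
--disk path=/var/lib/libvirt/images/$name.qcow2,size=64,format=qcow2,bus=virtio,cache=writeback
--cdrom $iso
--network bridge=$lan_bridge,model=virtio
--network bridge=$wan_bridge,model=virtio
--graphics vnc
EOF
}

create_vm() {
    preflight
    # word splitting of vm_args output is intended (no spaces in placeholder paths)
    # shellcheck disable=SC2046
    virt-install $(vm_args "$@")
}

# Usage: sudo sh kvm-safeutm.sh safeutm /var/lib/libvirt/images/SafeUTM.iso br-lan br-wan
# create_vm runs only when arguments are given, so the functions can be sourced for testing.
[ $# -eq 0 ] || create_vm "$@"
```

Pointing the loader at OVMF_CODE.fd explicitly, rather than letting the tool auto-select firmware, is what guarantees Secure Boot stays off: on some distributions the auto-selected image is the Secure Boot variant, and SafeUTM will not boot under it.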

Installation Process


System Requirements

Mandatory requirements for running SafeUTM:
1. UEFI support.
2. Legacy boot mode (also called CSM, Compatibility Support Module) must be turned off.
3. Secure Boot must be turned off in UEFI.

Hardware: minimum system requirements and notes

Processor
  Minimum: Intel Pentium G / i3 / i5 / Xeon E3 / Xeon E5 with SSE 4.2 instruction support.
  Note: Requirements may differ depending on network load and the services used, as well as content filtering, antiviruses, and the intrusion prevention system. The system requires at least 2 cores; a 4-core processor is better.

RAM
  Minimum: 8 Gb (16 Gb if the number of users is over 75).
  Note: Requirements may differ depending on network load and the services used, as well as content filtering, antiviruses, and the intrusion prevention system.

Disk subsystem
  Minimum: HDD or SSD, capacity 64 Gb or more, SATA or SAS. An additional HDD or SSD is required when using the mail server.
  Note: Software RAID controllers (those integrated into the chipset or motherboard) are not supported. Using hardware RAID controllers is not recommended.

Network adapters
  Minimum: one network adapter.
  Note: Gigabit (or 10G) Intel network cards are recommended.

Additional
  Minimum: display and keyboard.

No preinstalled OS or additional software is required to install and run SafeUTM. SafeUTM is installed on a dedicated server from an installation USB flash drive; the file system is created automatically and all necessary components are installed.

To choose the best hardware platform for you, follow the guidelines on equipment choice for SafeUTM. The approximate hard drive capacity needed to store the information of about 1000 users for 1 year is 10-15 Gb.

Browser support for server administration web interface

All up-to-date versions of Firefox, Chrome, and browsers based on Chromium are supported. Internet Explorer is not supported.

Hypervisor support

Microsoft Hyper-V (2nd generation, Windows 2012R2 or higher), VMware, VirtualBox, KVM, Citrix XenServer. More information can be found here.

Configuration examples

Examples of several types of configurations depending on the number of users can be seen in the table below.

Users     Processor                                             RAM     Storage space   Network adapters
25        Intel Pentium Gold G5400 or compatible                8 Gb    64 Gb           2 pcs.
50-200    Intel i3 8100 or compatible                           8 Gb    64 Gb           2 pcs.
200-500   Intel i5, i7, Xeon E3, 3 GHz and up, or compatible    16 Gb   250 Gb          2 pcs.
1000      Intel Xeon E3, E5 or compatible                       16 Gb   500 Gb          2 pcs.
2000      Intel Xeon 8-core or compatible                       32 Gb   500 Gb          2 pcs.

Performance data:

Configuration example: Intel Xeon E-2234, 16 GB DDR4, 1 GB LAN.

- Mode L7: IPS modules, content filtering, application control, and antivirus scan are on.


Installation Options

You can install SafeUTM on a dedicated server or a virtual machine. It depends on the expected load and equipment capacity.

SafeUTM installation from a USB flash drive

SafeUTM can be installed from a flash drive prepared from the installation ISO file. This process is described in the Creating a USB flash startup disk article.

Installation on a dedicated server

In order to install the SafeUTM security gateway you need to follow these steps:

  1. Prepare the hardware in accordance with the technical requirements.
  2. Prepare a USB flash drive with a capacity of over 2 Gb.
  3. Obtain the ISO file from your manager.
  4. For safety reasons, verify the checksum of the downloaded file against the one shown on the SafeUTM downloads page in your personal account.
  5. Create the bootable USB flash drive from the ISO file.
  6. In the computer's BIOS settings choose "boot from USB flash drive" and start the system installation from this USB drive. The SafeUTM installer should appear on the screen as shown below.

Installation Process

Stage 1. Start of installation

[Screenshot: SafeUTM installer]

Choose a disk for installation. To do this, enter the number of the disk you wish to use and press Enter.
[Screenshot: Installation Process]

The system will warn about the loss of all data stored on the disk. We recommend that you make sure the disk does not contain any important information, as it will not be possible to recover it. The data loss alert can be seen in the screenshot below. To continue, type and press Enter.

Now you need to select the time zone you are in. To do this, type and press Enter.
[Screenshot: Installation Process]

In the next dialog box, you need to set the date and time. If the settings are correct, type and press Enter.

If the current settings are incorrect, type and put in the correct data, then press Enter.
[Screenshot: Installation Process]

Then the system will perform disk subsystem tests necessary for installation:

Don’t forget to eject the USB drive when restarting UTM so that the system doesn’t start booting from the installation drive.

After the server restarts, you will see a window with system information; an example is shown below. To continue, press any key.
[Screenshot: Installation Process]

If you want to configure the server as the second node of the cluster, press y and then Enter. For more information about configuring clustering, see the High Availability article.

If the clustering setup is not required, press n and then Enter.

Stage 2. Creating admin’s account

Create an admin account. Type in the login and press Enter, then type in a password for the new account and press Enter.

Admin password requirements:

[Screenshot: Admin password requirements]

If the password does not meet the security policy requirements, a notification that the password is too weak will appear. Type in another password that meets the requirements and press Enter.
[Screenshot: Installation Process]

When the account has been created, press any key to switch to the local menu and log in with the credentials of the newly created admin account.
[Screenshot: Installation Process]

Stage 3. Network adapter setup

Now the system will ask you to set up the local network interface. This is the interface to which your whole enterprise network will be connected. Type in the network adapter number from the list and press Enter.

When choosing the local interface, you may find it difficult to tell the NICs apart, because several adapters may come from the same manufacturer. In that case, identify the device by its MAC address to avoid a mistake. If you do make a mistake, you can change these settings later.

[Screenshot: Installation Process]

Type in the local IP address and subnet mask in ip/mask form and press Enter.
Next, if necessary, enter a VLAN tag, or leave the field empty and press Enter.
[Screenshot: Installation Process]

After the local interface has been created, the server administration menu will open.
[Screenshot: Installation Process]

 

The next step is SafeUTM configuration. This process is described in the Initial configuration article.

Initial Configuration

Connection to SafeUTM Web Interface

If you haven’t installed SafeUTM yet, please see the Installation Process article.

After you have successfully installed SafeUTM you can start its initial configuration.

Open a web browser on any computer in the local network, for example Mozilla Firefox or Google Chrome (Internet Explorer is not supported). In the address bar, type the local IP address you assigned when setting up the local network interface during installation, followed by port 8443, which the web interface uses, in the format:

IP-address:port

Example: 192.168.100.2:8443

Because the connection to the web interface is encrypted, the browser may display an error saying the security certificate was not issued by a trusted certificate authority. In that case, continue to the site by clicking the corresponding button at the bottom of the window.

Error example in Google Chrome:
[Screenshot: Initial Configuration]

Once you have continued to the site using the IP address, the SafeUTM web interface login window opens. Type in the admin login and password you created during SafeUTM installation.

To avoid this error in the future, import the UTM root certificate into the browser.

There are two ways to download the certificate:

  1. Go to Services -> TLS Certificates and click the Download root certificate icon:
     [Screenshot: Initial Configuration]
  2. Go to Traffic rules -> Content filter -> Settings:
     [Screenshot: Initial Configuration]

After your first login, you will see a few notifications advising that, in order to work correctly, SafeUTM needs a connection to the provider to be set up and the server to be registered.
[Screenshot: Initial Configuration]


Setting up a Connection to the Internet Provider

In order to set up a connection to the provider go to Services -> Network Interfaces.

Ethernet connection setup

This type of connection requires setting up the parameters described in the table below.

Network card
  Identify the network adapter that will be used to connect to the internet provider, either by the manufacturer's name or by MAC address.

IP-address and mask
  The network credentials are assigned by the provider. Specify the IP address and netmask in CIDR notation or as a four-octet mask.

Default gateway
  Specify the internet provider's IP address that will be used to connect to the internet.

If your provider supports auto-configuration of an external network interface using DHCP protocol, tick Automatic Configuration via DHCP.

In order to set up an Ethernet connection follow these steps:

1. Click "+ Add" in the upper left corner and select External Ethernet.
[Screenshot: Initial Configuration]

Attention!
If you select Local Ethernet and set it up as External Ethernet, internet access will not be possible.

2. Choose the applicable Network card.

3. Fill out the following mandatory fields:

4. Check that all the data are correct and click Save.

Setting up other types of connection

If your provider uses another type of connection, you can see other setup manuals following the links below:

 

After connecting to the internet, it is necessary to register a server.