# Setting up a UserGate proxy server


[UserGate](https://www.usergate.com/products/enterprise-firewall) is a next-generation firewall from UserGate, a Russia-based company.

In this tutorial, we will create a Yandex Cloud UserGate VM configured as a proxy server. This configuration will give your employees secure internet access from the office or anywhere else, like home or public places. To learn more about UserGate, sign up for our free course [UserGate Getting Started](https://university.tssolution.ru/usergate-getting-started-v6).

The diagram below shows a Yandex Cloud network configuration with UserGate acting as a proxy server.

![image](../../_assets/tutorials/usergate-proxy-mode.svg)

To set up a UserGate gateway:

1. [Get your cloud ready](#before-you-begin).
1. [Create a cloud network with a subnet](#create-network).
1. [Reserve a static public IP address](#get-static-ip).
1. [Create a UserGate VM](#create-vm).
1. [Set up the UserGate NGFW](#admin-console).

If you no longer need the resources you created, [delete them](#clear-out).

## Getting started {#before-you-begin}

Sign up for Yandex Cloud and create a [billing account](../../billing/concepts/billing-account.md):
1. Navigate to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the **[Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts)** page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` [status](../../billing/concepts/billing-account-statuses.md). If you do not have a billing account, [create one](../../billing/quickstart/index.md) and [link](../../billing/operations/pin-cloud.md) a cloud to it.

If you have an active billing account, you can create or select a [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) for your infrastructure on the [cloud page](https://console.yandex.cloud/cloud).

[Learn more about clouds and folders here](../../resource-manager/concepts/resources-hierarchy.md).

### Required paid resources {#paid-resources}

The cost of the UserGate gateway infrastructure includes:

* Fee for a continuously running VM (see [Yandex Compute Cloud pricing](../../compute/pricing.md)).
* Fee for using [UserGate NGFW](https://yandex.cloud/en/marketplace/products/usergate/ngfw).
* Fee for a public static IP address (see [Yandex Virtual Private Cloud pricing](../../vpc/pricing.md)).

## Create a cloud network with a subnet {#create-network}

Create a cloud [network](../../vpc/concepts/network.md#network) with a [subnet](../../vpc/concepts/network.md#subnet) in the [availability zone](../../overview/concepts/geo-scope.md) where your VM will reside.

{% list tabs group=instructions %}

- Management console {#console}

  1. On the folder dashboard in the [management console](https://console.yandex.cloud), click **Create resource** in the top-right corner and select **Network**.
  1. Specify the network name: `usergate-network`.
  1. In the **Advanced** field, enable **Create subnets**.
  1. Click **Create network**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Create a network named `usergate-network`:
  
     ```bash
     yc vpc network create usergate-network
     ```

     Result:
       
     ```text
     id: enptrcle5q3d********
     folder_id: b1g9hv2loamq********
     created_at: "2022-06-08T09:25:03Z"
     name: usergate-network
     default_security_group_id: enpbsnnop4ak********
     ```

     For more information about the `yc vpc network create` command, see the [CLI reference](../../cli/cli-ref/vpc/cli-ref/network/create.md).
     
  1. Create the `usergate-subnet-ru-central1-d` subnet in the `ru-central1-d` availability zone:
  
     ```bash
     yc vpc subnet create usergate-subnet-ru-central1-d \
       --zone ru-central1-d \
       --network-name usergate-network \
       --range 10.1.0.0/16
     ```

     Result:
    
     ```text
     id: e9bnnssj8sc8********
     folder_id: b1g9hv2loamq********
     created_at: "2022-06-08T09:27:00Z"
     name: usergate-subnet-ru-central1-d
     network_id: enptrcle5q3d********
     zone_id: ru-central1-d
     v4_cidr_blocks:
     - 10.1.0.0/16
     ```

     For more information about the `yc vpc subnet create` command, see the [CLI reference](../../cli/cli-ref/vpc/cli-ref/subnet/create.md).

- Terraform {#tf}

  1. Describe `usergate-network` and the `usergate-subnet-ru-central1-d` subnet in the Terraform configuration file:

     ```hcl
     resource "yandex_vpc_network" "usergate-network" {
       name = "usergate-network"
     }

     resource "yandex_vpc_subnet" "usergate-subnet" {
       name           = "usergate-subnet-ru-central1-d"
       zone           = "ru-central1-d"
       network_id     = "${yandex_vpc_network.usergate-network.id}"
       v4_cidr_blocks = ["10.1.0.0/16"]
     }
     ```

     For more information, see the [yandex_vpc_network](../../terraform/resources/vpc_network.md) and [yandex_vpc_subnet](../../terraform/resources/vpc_subnet.md) descriptions in the Terraform provider documentation.
     
  1. Make sure the configuration files are correct.

     1. In the terminal, navigate to the directory where you created your configuration file.
     1. Run a check using this command:

        ```bash
        terraform plan
        ```

     If the configuration is correct, the terminal will display a list of the resources and their settings. Otherwise, Terraform will show any detected errors. 

  1. Deploy the cloud resources.
  
     1. If the configuration is correct, run this command:

        ```bash
        terraform apply
        ```

     1. To confirm resource creation, type `yes` and press **Enter**.

- API {#api}

  1. To create `usergate-network`, use the [NetworkService/Create](../../vpc/api-ref/grpc/Network/create.md) gRPC API call or the [create](../../vpc/api-ref/Network/create.md) REST API method for the Network resource.
  1. To create the `usergate-subnet-ru-central1-d` subnet, use the [SubnetService/Create](../../vpc/api-ref/grpc/Subnet/create.md) gRPC API call or the [create](../../vpc/api-ref/Subnet/create.md) REST API method for the Subnet resource.

{% endlist %}

## Create a security group {#create-security-group}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to the folder where you want to create a group.
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/shield.svg) **Security groups**.
  1. Click **Create security group**.
  1. Specify the security group name: `usergate-sg`.
  1. In the **Network** field, select `usergate-network`.
  1. Under **Rules**, create the following rules using the instructions below the table:
   
     | Traffic<br/>direction | Description | Port range | Protocol | Destination name /<br/>Source | CIDR blocks |
     | --- | --- | --- | --- | --- | --- |
     | Outbound | `any` | `All` | `Any` | `CIDR` | `0.0.0.0/0` |
     | Inbound | `icmp` | `All` | `ICMPv6` | `CIDR` | `0.0.0.0/0` |
     | Inbound | `rdp` | `3389` | `TCP` | `CIDR` | `0.0.0.0/0` |
     | Inbound | `ssh` | `22` | `TCP` | `CIDR` | `0.0.0.0/0` |
     | Inbound | `usergate 8001` | `8001` | `TCP` | `CIDR` | `0.0.0.0/0` |
     | Inbound | `usergate 8090` | `8090` | `TCP` | `CIDR` | `0.0.0.0/0` |
      
     1. Navigate to the **Egress** or **Ingress** tab for an outbound or inbound rule, respectively.
     1. Click **Add**. In the window that opens:
        1. In the **Port range** field, specify a single port or a range of ports open for inbound or outbound traffic.
        1. In the **Protocol** field, specify the required protocol or leave **Any** to allow traffic over any protocol.
        1. In the **Destination name** or **Source** field, select the purpose of the rule:
            * **CIDR**: The rule will apply to a range of IP addresses. In the **CIDR blocks** field, specify the CIDRs and masks of the subnets that traffic will move to or from. To add multiple CIDRs, click **Add**.
            * **Security group**: The rule will apply to the current or selected security group VMs.
         
        1. Click **Save**.
   
  1. Click **Save**.

- CLI {#cli}

  Run this command:

  ```bash
  # Rule values are quoted so the shell does not treat [..] as a glob pattern.
  yc vpc security-group create usergate-sg \
    --network-name usergate-network \
    --rule "direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0]" \
    --rule "direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0]" \
    --rule "direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
    --rule "direction=ingress,port=22,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
    --rule "direction=ingress,port=8001,protocol=tcp,v4-cidrs=[0.0.0.0/0]" \
    --rule "direction=ingress,port=8090,protocol=tcp,v4-cidrs=[0.0.0.0/0]"
  ```

  Result:
  
  ```text
  id: enpu0e0nrqdn********
  folder_id: b1g86q4m5vej********
  created_at: "2022-06-29T09:38:40Z"
  name: usergate-sg
  network_id: enp3srbi9u49********
  status: ACTIVE
  rules:
  - id: enpdp9d0ping********
    direction: EGRESS
    protocol_name: ANY
    protocol_number: "-1"
    cidr_blocks:
      v4_cidr_blocks:
      - 0.0.0.0/0
  - id: enps2r5ru3s1********
    direction: INGRESS
    protocol_name: ICMP
    protocol_number: "1"
    cidr_blocks:
      v4_cidr_blocks:
      - 0.0.0.0/0
  - id: enpgonbui61a********
    direction: INGRESS
    ports:
      from_port: "3389"
      to_port: "3389"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
      - 0.0.0.0/0
  - id: enpbg1jh11hv********
    direction: INGRESS
    ports:
      from_port: "22"
      to_port: "22"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
      - 0.0.0.0/0
  - id: enpgdavevku7********
    direction: INGRESS
    ports:
      from_port: "8001"
      to_port: "8001"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
      - 0.0.0.0/0
  - id: enp335ibig9k********
    direction: INGRESS
    ports:
      from_port: "8090"
      to_port: "8090"
    protocol_name: TCP
    protocol_number: "6"
    cidr_blocks:
      v4_cidr_blocks:
      - 0.0.0.0/0
  ```

  For more information about the `yc vpc security-group create` command, see the [CLI reference](../../cli/cli-ref/vpc/cli-ref/security-group/create.md).

- Terraform {#tf}

  1. Add the `usergate-sg` security group description to the Terraform configuration file:
  
     ```hcl
     resource "yandex_vpc_security_group" "usergate-sg" {
       name       = "usergate-sg"
       network_id = "${yandex_vpc_network.usergate-network.id}"
     
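       # No port attribute: the rule covers all ports (port takes a number, not "ANY").
       egress {
         protocol       = "ANY"
         v4_cidr_blocks = ["0.0.0.0/0"]
       }
     
       # ICMP has no ports, so no port attribute is set.
       ingress {
         protocol       = "ICMP"
         v4_cidr_blocks = ["0.0.0.0/0"]
       }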

       ingress {
         protocol       = "TCP"
         port           = 3389
         v4_cidr_blocks = ["0.0.0.0/0"]
       }
     
       ingress {
         protocol       = "TCP"
         port           = 22
         v4_cidr_blocks = ["0.0.0.0/0"]
       }

       ingress {
         protocol       = "TCP"
         port           = 8001
         v4_cidr_blocks = ["0.0.0.0/0"]
       }

       ingress {
         protocol       = "TCP"
         port           = 8090
         v4_cidr_blocks = ["0.0.0.0/0"]
       }
     }
     ```

     For more information about the `yandex_vpc_security_group` resource, see [this Terraform provider guide](../../terraform/resources/vpc_security_group.md).
     
  1. Make sure the configuration files are correct.

     1. In the terminal, navigate to the directory where you created your configuration file.
     1. Run a check using this command:

        ```bash
        terraform plan
        ```

     If the configuration is correct, the terminal will display a list of the resources and their settings. Otherwise, Terraform will show any detected errors.

  1. Deploy the cloud resources.
  
     1. If the configuration is correct, run this command:

        ```bash
        terraform apply
        ```

     1. To confirm resource creation, type `yes` and press **Enter**.

- API {#api}

  Use the [SecurityGroupService/Create](../../vpc/api-ref/grpc/SecurityGroup/create.md) gRPC API call or the [create](../../vpc/api-ref/SecurityGroup/create.md) REST API method.
     
{% endlist %}
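
A way to check the resulting group for management and proxy ports reachable from any address, as an added example that is not part of the Yandex Cloud or UserGate documentation. It assumes the JSON from `yc vpc security-group get usergate-sg --format json` uses the same field names as the result shown above; the sample rules, the `198.51.100.0/24` source, and the `203.0.113.0/24` admin range are constructed.

```python
import ipaddress
import json

# Ports opened by the tutorial's usergate-sg rules that should not face 0.0.0.0/0.
SENSITIVE_TCP_PORTS = {22: "ssh", 3389: "rdp",
                       8001: "usergate admin console", 8090: "usergate proxy"}

# Constructed sample: a subset of the usergate-sg rules from the result above, in the
# JSON shape assumed for `yc vpc security-group get usergate-sg --format json`.
# The 8090 rule is deliberately narrowed to show a rule that passes the check.
SAMPLE_SG = json.loads("""
{
  "name": "usergate-sg",
  "rules": [
    {"direction": "EGRESS", "protocol_name": "ANY",
     "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
    {"direction": "INGRESS", "protocol_name": "ICMP",
     "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
    {"direction": "INGRESS", "protocol_name": "TCP",
     "ports": {"from_port": "22", "to_port": "22"},
     "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
    {"direction": "INGRESS", "protocol_name": "TCP",
     "ports": {"from_port": "8001", "to_port": "8001"},
     "cidr_blocks": {"v4_cidr_blocks": ["0.0.0.0/0"]}},
    {"direction": "INGRESS", "protocol_name": "TCP",
     "ports": {"from_port": "8090", "to_port": "8090"},
     "cidr_blocks": {"v4_cidr_blocks": ["198.51.100.0/24"]}}
  ]
}
""")


def is_world_open(cidr):
    """True for 0.0.0.0/0 and any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_span(rule):
    """Inclusive (from, to) port range; a rule without `ports` covers all ports."""
    ports = rule.get("ports")
    if not ports:
        return 0, 65535
    return int(ports["from_port"]), int(ports["to_port"])


def audit(sg):
    """Return sorted (port, label) pairs reachable over TCP from any IPv4 address."""
    exposed = set()
    for rule in sg.get("rules", []):
        if rule.get("direction") != "INGRESS":
            continue
        if rule.get("protocol_name") not in ("TCP", "ANY"):
            continue
        cidrs = rule.get("cidr_blocks", {}).get("v4_cidr_blocks", [])
        if not any(is_world_open(c) for c in cidrs):
            continue
        low, high = port_span(rule)
        exposed.update(
            (port, label)
            for port, label in SENSITIVE_TCP_PORTS.items()
            if low <= port <= high
        )
    return sorted(exposed)


def replacement_rules(exposed, allowed_cidr):
    """Build `--rule` values (syntax from the CLI tab above) scoped to one CIDR."""
    net = ipaddress.ip_network(allowed_cidr)  # raises ValueError on a malformed CIDR
    if net.prefixlen == 0:
        raise ValueError("allowed_cidr must be narrower than 0.0.0.0/0")
    return [
        f"direction=ingress,port={port},protocol=tcp,v4-cidrs=[{net}]"
        for port, _ in exposed
    ]


if __name__ == "__main__":
    found = audit(SAMPLE_SG)
    for port, label in found:
        print(f"open to 0.0.0.0/0: tcp/{port} ({label})")
    for rule in replacement_rules(found, "203.0.113.0/24"):
        print(f'--rule "{rule}"')
```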

## Reserve a static public IP address {#get-static-ip}

Your gateway will need a static [public IP address](../../vpc/concepts/address.md#public-addresses).

{% list tabs group=instructions %}

- Management console {#console}
  
  1. In the [management console](https://console.yandex.cloud), navigate to the folder where you want to reserve an IP address.
  1. Navigate to **Virtual Private Cloud**.
  1. In the left-hand panel, select ![image](../../_assets/console-icons/map-pin.svg) **Public IP addresses**.
  1. Click **Reserve public IP address**.
  1. In the window that opens, select [`ru-central1-d`](../../overview/concepts/geo-scope.md) in the **Availability zone** field.
  1. Click **Reserve**.
  
- CLI {#cli}

  Run this command:

  ```bash
  yc vpc address create --external-ipv4 zone=ru-central1-d
  ```

  Result:

  ```text
  id: e9b6un9gkso6********
  folder_id: b1g7gvsi89m3********
  created_at: "2022-06-08T17:52:42Z"
  external_ipv4_address:
    address: 178.154.253.52
    zone_id: ru-central1-d
    requirements: {}
  reserved: true
  ```

  For more information about the `yc vpc address create` command, see the [CLI reference](../../cli/cli-ref/vpc/cli-ref/address/create.md).

{% endlist %}

## Create a UserGate VM {#create-vm}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), navigate to the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) dashboard, click **Create resource**, and select `Virtual machine instance`.
  1. Under **Boot disk image**, in the **Product search** field, type `UserGate NGFW` and select a public [UserGate NGFW](https://yandex.cloud/en/marketplace/products/usergate/ngfw) image.
  1. Under **Location**, select the `ru-central1-d` [availability zone](../../overview/concepts/geo-scope.md).
  1. Under **Computing resources**, switch to the `Custom` tab and specify the [platform](../../compute/concepts/vm-platforms.md), number of vCPUs, and amount of RAM:

      * **Platform**: `Intel Ice Lake`
      * **vCPU**: `4`
      * **Guaranteed vCPU performance**: `100%`
      * **RAM**: `8 GB`

      {% note info %}

      These settings will suffice for functional testing of the gateway. For a production environment, follow the UserGate [official recommendations](https://www.usergate.com/products/usergate-vm).

      {% endnote %}

  1. Under **Network settings**:

      * In the **Subnet** field, select `usergate-network` and `usergate-subnet-ru-central1-d`.
      * In the **Public IP address** field, select `List` and then select the previously reserved IP address from the list that opens.
      * In the **Security groups** field, select the `usergate-sg` group from the list.

  1. Under **Access**, select the **SSH key** option, and specify the VM access credentials:

      * In the **Login** field, enter a username. Do not use `root` or other reserved usernames. To perform operations requiring root privileges, use the `sudo` command.
      * In the **SSH key** field, select the SSH key saved in your [organization user](../../organization/concepts/membership.md) profile.
        
        If there are no SSH keys in your profile or you want to add a new key:
        
        1. Click **Add key**.
        1. Enter a name for the SSH key.
        1. Select one of the following:
        
            * `Enter manually`: Paste the contents of the public SSH key. You need to [create](../../compute/operations/vm-connect/ssh.md#creating-ssh-keys) an SSH key pair on your own.
            * `Load from file`: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
            * `Generate key`: Automatically create an SSH key pair.
            
              When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the `/home/<user_name>/.ssh` directory. In Windows, unpack the archive to the `C:\Users\<user_name>\.ssh` directory. You do not need to additionally enter the public key in the management console.
        
        1. Click **Add**.
        
        The system will add the SSH key to your organization user profile. If the organization has [disabled](../../organization/operations/os-login-access.md) the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.

  1. Under **General information**, specify the VM name: `usergate-proxy`.
  1. Click **Create VM**.

- CLI {#cli}
  
  1. [Create](../../compute/operations/vm-connect/ssh.md#creating-ssh-keys) an SSH key pair.
  1. Get the `usergate-sg` security group ID:

     ```bash
     yc vpc security-group get usergate-sg | grep "^id"
     ```

     For more information about the `yc vpc security-group get` command, see the [CLI reference](../../cli/cli-ref/vpc/cli-ref/security-group/get.md).

  1. Run this command:

     ```bash
     yc compute instance create \
       --name usergate-proxy \
       --memory 8 \
       --cores 4 \
       --zone ru-central1-d \
       --network-interface subnet-name=usergate-subnet-ru-central1-d,nat-ip-version=ipv4,security-group-ids=<usergate-sg_security_group_ID> \
       --create-boot-disk image-folder-id=standard-images,image-family=usergate-ngfw \
       --ssh-key <path_to_public_part_of_SSH_key>
     ```

     Result:

     ```text
     id: fhm2na1siftp********
     folder_id: b1g86q4m5vej********
     created_at: "2022-06-09T11:15:52Z"
     name: usergate-proxy
     zone_id: ru-central1-d
     platform_id: standard-v2
     resources:
       memory: "8589934592"
       cores: "4"
       core_fraction: "100"
     status: RUNNING
     boot_disk:
       mode: READ_WRITE
       device_name: fhmiq60rni2t********
       auto_delete: true
       disk_id: fhmiq60rni2t********
     network_interfaces:
     - index: "0"
       mac_address: d0:0d:2b:a8:3c:93
       subnet_id: e9bqlr188as7********
       primary_v4_address:
         address: 10.1.0.27
         one_to_one_nat:
           address: 51.250.72.1
           ip_version: IPV4
     fqdn: fhm2na1siftp********.auto.internal
     scheduling_policy: {}
     network_settings:
       type: STANDARD
     placement_policy: {}
     ```

     For more information about the `yc compute instance create` command, see the [CLI reference](../../cli/cli-ref/compute/cli-ref/instance/create.md).

- Terraform {#tf}

  1. In the list of public images, find the latest version of the UserGate NGFW and [get](../../compute/operations/images-with-pre-installed-software/get-list.md) its ID.
  1. Describe the `usergate-proxy` VM settings in the Terraform configuration file:

     ```hcl
     resource "yandex_compute_disk" "boot-disk" {
       name     = "boot-disk"
       type     = "network-hdd"
       zone     = "ru-central1-d"
       size     = "110"
       image_id = "<UserGate_NGFW_image_ID>"
     }

     resource "yandex_compute_instance" "usergate-proxy" {
       name        = "usergate-proxy"
       platform_id = "standard-v3"
       zone        = "ru-central1-d"
       hostname    = "usergate"
       resources {
         cores         = 4
         core_fraction = 100
         memory        = 8
       }

       boot_disk {
         disk_id = yandex_compute_disk.boot-disk.id
       }

       network_interface {
         subnet_id          = "${yandex_vpc_subnet.usergate-subnet.id}"
         nat                = true
         security_group_ids = ["<usergate-sg_security_group_ID>"]
       }
     }
     ```

     For more information, see the [yandex_compute_instance](../../terraform/resources/compute_instance.md) resource description in the Terraform provider documentation.
     
  1. Make sure the configuration files are correct.

     1. In the terminal, navigate to the directory where you created your configuration file.
     1. Run a check using this command:

        ```bash
        terraform plan
        ```

     If the configuration is correct, the terminal will display a list of the resources and their settings. Otherwise, Terraform will show any detected errors. 

  1. Deploy the cloud resources.
  
     1. If the configuration is correct, run this command:

        ```bash
        terraform apply
        ```

     1. To confirm resource creation, type `yes` and press **Enter**.

- API {#api}

  To create the `usergate-proxy` VM, use the [create](../../compute/api-ref/Instance/create.md) REST API method for the Instance resource.

{% endlist %}

## Set up the UserGate NGFW {#admin-console}

Open the UserGate NGFW admin web UI at `https://<VM_public_IP>:8001` and log in with the default credentials: `Admin` / `utm`.

Once you log in, the system will prompt you to change the default password and update the OS.

### Configure your gateway as a proxy server {#proxy-setup}

Set up the UserGate NGFW as a proxy server:

1. In the top menu, select **Settings**.
1. In the left menu, navigate to **Network** ⟶ **Zones**.
1. Click the `Trusted` zone.
1. Click **Access control**, enable **Administration console**, and click **Save**.
1. In the left menu, navigate to **Network** ⟶ **Interfaces**.
1. Click the `port0` network interface.
1. On the **General** tab, select `Trusted` in the **Zone** field and click **Save**.
1. In the left menu, click **Network policies** ⟶ **Firewall**.
1. Click the `Allow trusted to untrusted` preset rule.
1. Navigate to the **Destination** tab and disable the `Untrusted` zone. Click **Save**.
1. Enable the `Allow trusted to untrusted` rule by selecting it and clicking **Enable** at the top of the screen.
1. In the left menu, click **Network policies** ⟶ **NAT and routing**.
1. Click the `NAT from Trusted to Untrusted` preset rule.
1. Navigate to the **Destination** tab and change the destination zone from `Untrusted` to `Trusted`. Click **Save**.
1. Enable the `NAT from Trusted to Untrusted` rule by selecting it and clicking **Enable** at the top of the screen.
 
Now that you have configured the UserGate gateway, you can use it as a proxy server by specifying its public IP address and port `8090` in the browser settings.

### Set up traffic filtering rules {#traffic-rules}

We recommend using the `Block to botnets`, `Block from botnets`, and `Example block RU RKN by IP list` default policies with customized settings:

1. Click **Network policies** ⟶ **Firewall**.
1. Click the name of the preset default policy from the list above.
1. Navigate to the **Source** tab and change the source zone from `Untrusted` to `Trusted`. 
1. Navigate to the **Destination** tab and disable the `Untrusted` zone.
1. Click **Save**.
1. Enable the selected rule by selecting it and clicking **Enable** at the top of the screen.

Add more rules to enhance security:

1. Click **Network policies** ⟶ **Firewall**.
1. Add the first blocking rule:
   
   1. At the top of the screen, click **Add**.
   1. Specify the rule settings:
      
      * **Name**: `Block QUIC protocol`
      * **Action**: Deny

   1. Navigate to the **Source** tab and select `Trusted`.
   1. Click **Service**.
   1. Click **Add**.
   1. Select `Quick UDP Internet Connections`, click **Add**, and then **Close**.
   1. Click **Save**.

1. Add the second blocking rule:
   
   1. At the top of the screen, click **Add**.
   1. Specify the rule settings:

      * **Name**: `Block Windows updates`
      * **Action**: Deny
   
   1. Navigate to the **Source** tab and select `Trusted`.
   1. Click **Applications**.
   1. Click **Add** ⟶ **Add applications**.
   1. Select the `Microsoft Update` app and click **Add**.
   1. Select the `WinUpdate` app, click **Add**, and then **Close**.
   1. Click **Save**.

You can also add more traffic filtering rules. Avoid combining services and applications in the same rule. Doing so may make the rule inoperable.

### Set up content filtering rules {#content-rules}

We recommend using the `Example black list`, `Example threats sites`, and `Example AV check` default policies:

1. Navigate to the **Security policies** ⟶ **Content filtering** section.
1. Enable the rules listed above by selecting them and clicking **Enable** at the top of the screen.

You can add more rules to enhance security:

1. Navigate to the **Security policies** ⟶ **Content filtering** section.
1. Add the content filtering rule:

   1. At the top of the screen, click **Add**.
   1. Specify the rule settings:
      
      * **Name**: `Block social media`
      * **Actions**: Deny

   1. Navigate to the **Source** tab and select `Trusted`.
   1. Click **Categories**.
   1. Click **Add**.
   1. Type `Social media` in the search bar, click **Add**, and then **Close**.
   1. Click **Save**.

You can also add more content filtering rules. Avoid combining multiple parameters in the same rule. Doing so may make the rule inoperable.

### Set up SSL inspection {#ssl}

By default, UserGate uses the `CA (Default)` certificate to decrypt traffic, but you can also add your own certificate.

To add a certificate:

1. Click **UserGate** ⟶ **Certificates**.
1. At the top of the screen, click **Import**.
1. Fill out the certificate information:

   * **Name**: Certificate name of your choice.
   * **Certificate file**: Certificate file in DER, PEM, or PKCS12 format.
   * **Private key**: Optional, certificate private key.
   * **Password**: Optional, private key or PKCS12 container password.
   * **Certificate chain**: Optional, certificate chain file.

1. Click **Save**.
1. Click the name of the new certificate.
1. In the **Used** field, select **SSL inspection**.
1. Click **Save**.
1. Add an SSL inspection rule:

   1. Navigate to the **Security policies** ⟶ **SSL inspection** section.
   1. At the top of the screen, click **Add**.
   1. Specify the rule settings and click **Save**.

      Alternatively, you can use the `Decrypt all for unknown users` default SSL inspection rule.

## How to delete the resources you created {#clear-out}

To stop paying for the resources you created:

1. [Delete the `usergate-proxy` VM](../../compute/operations/vm-control/vm-delete.md).
1. [Delete the static public IP address](../../vpc/operations/address-delete.md).