authentication of users

Postby bench » Jul 31 05 1:32 pm

This will be a long post so bear with me.

I have been trying to get wingate to work for one of our clients but I can't seem to get gatekeeper to authenticate the users. I will detail the situation below.

There are 20 users in this company. The company currently has five servers and one of them is the proxy server, nothing else is running on this server but wingate. The proxy server is running on windows 2000 server.

The company also has the file server which has windows 2000 server as well and it's the main server where users log on to the domain.

The proxy has two NIC's, there are the WAN and LAN, external and internal. We have installed wingate client on all the client PC's and they do see the proxy server and are able to access the internet. Some PC's could not access it at first even though they had wingate client so we went to IE>Tools>Internet options>Connections>Lan settings and typed in the IP of the proxy LAN which is the gateway and also the port, 80. It was able to surf the net no problem.

When I go into gatekeeper I am able to see the names of the workstations in the activity window but not all workstations identify its user correctly, some have guest or system listed for that workstation and it's incorrect.

I have typed all the users as they exist in active directory in the file server and their respective passwords. I went into users tab and selected assumed users to tell gatekeeper who is who. I entered the name of the workstation and its user but still gatekeeper would not identify them all correctly.

My main problem is when I try to restrict internet access to certain websites. I go into Services>WWW Proxy server and entered user names in the policies window and specified which websites those users could access and nothing else. I selected system policies to be ignored. I did not select users to be authenticated.

I tried to access the websites I selected in the policies>advanced>specify which requests this user has rights for and created filters with criterions, HTTP URL contains.....

I can't access any website whatsoever. I check gatekeeper and it keeps blocking access saying the user could not be authenticated. I selected to have the users authenticated and it does ask me to enter user ID and password but still it blocks it.

My main question is how can I get wingate to authenticate users when the proxy is not installed on the same server as active directory. Can you have the proxy running on a separate server even though users log on to another server?

I would like to send you the configuration settings so you can see how I have it configured. Mail server is not running and DHCP is disabled as well.

I would really appreciate some quick solutions since right now they all have full rights and the client wants to stop some users from visiting sites that are not work related.

Thank you.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Re: authentication of users

Postby kgoodknecht » Jul 31 05 4:55 pm

bench wrote:This will be a long post so bear with me.

I have been trying to get wingate to work for one of our clients but I can't seem to get gatekeeper to authenticate the users. I will detail the situation below.

There are 20 users in this company. The company currently has five servers and one of them is the proxy server, nothing else is running on this server but wingate. The proxy server is running on windows 2000 server.

The company also has the file server which has windows 2000 server as well and it's the main server where users log on to the domain.

The proxy has two NIC's, there are the WAN and LAN, external and internal. We have installed wingate client on all the client PC's and they do see the proxy server and are able to access the internet. Some PC's could not access it at first even though they had wingate client so we went to IE>Tools>Internet options>Connections>Lan settings and typed in the IP of the proxy LAN which is the gateway and also the port, 80. It was able to surf the net no problem.

When I go into gatekeeper I am able to see the names of the workstations in the activity window but not all workstations identify its user correctly, some have guest or system listed for that workstation and it's incorrect.

I have typed all the users as they exist in active directory in the file server and their respective passwords. I went into users tab and selected assumed users to tell gatekeeper who is who. I entered the name of the workstation and its user but still gatekeeper would not identify them all correctly.

My main problem is when I try to restrict internet access to certain websites. I go into Services>WWW Proxy server and entered user names in the policies window and specified which websites those users could access and nothing else. I selected system policies to be ignored. I did not select users to be authenticated.

I tried to access the websites I selected in the policies>advanced>specify which requests this user has rights for and created filters with criterions, HTTP URL contains.....

I can't access any website whatsoever. I check gatekeeper and it keeps blocking access saying the user could not be authenticated. I selected to have the users authenticated and it does ask me to enter user ID and password but still it blocks it.

My main question is how can I get wingate to authenticate users when the proxy is not installed on the same server as active directory. Can you have the proxy running on a separate server even though users log on to another server?

I would like to send you the configuration settings so you can see how I have it configured. Mail server is not running and DHCP is disabled as well.

I would really appreciate some quick solutions since right now they all have full rights and the client wants to stop some users from visiting sites that are not work related.

Thank you.


Do you have integrated authentication turned on in IE?
Internet options> Advanced tab "Enable integrated Windows authentication"
Also, on the security tab, in the internet zone settings "Automatic logon in the intranet zone" (at least).
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Re: authentication of users

Postby kgoodknecht » Aug 01 05 1:13 am

bench wrote:My main question is how can I get wingate to authenticate users when the proxy is not installed on the same server as active directory. Can you have the proxy running on a separate server even though users log on to another server?


Thank you.


On the Users tab, double-click Database Options. Check the box "Use remote user database (Domain Controller / Active Directory)"
Then type the UNC NetBIOS name of the Domain Controller. (e.g. \\server)
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

just found out

Postby bench » Aug 01 05 9:02 am

OK, just spent about two hours reading up on authentication and policies. I have the standard edition of wingate and it appears that remote authentication is only available in the pro and enterprise version of wingate.

I have not yet tried what you guys suggested but according to instructions enabling the remote authentication in the database window is the way to do it but is not available in the standard version.

OK, I will try what you suggested and post if it worked.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Re: just found out

Postby kgoodknecht » Aug 01 05 9:05 am

bench wrote:OK, just spent about two hours reading up on authentication and policies. I have the standard edition of wingate and it appears that remote authentication is only available in the pro and enterprise version of wingate.

I have not yet tried what you guys suggested but according to instructions enabling the remote authentication in the database window is the way to do it but is not available in the standard version.

OK, I will try what you suggested and post if it worked.


You're right, remote user database is only available on Pro and Enterprise licenses.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

upgrading

Postby bench » Aug 01 05 9:37 am

OK, so now I know I can't do it without upgrading unless there is another way.

So my question now is if I have to pay the full price for professional licenses or do I just pay the difference since I already paid for the standard. Is there any discount to upgrade?
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Re: upgrading

Postby kgoodknecht » Aug 01 05 10:37 am

bench wrote:OK, so now I know I can't do it without upgrading unless there is another way.

So my question now is if I have to pay the full price for professional licenses or do I just pay the difference since I already paid for the standard. Is there any discount to upgrade?


You get upgrade pricing, which is the difference between what you have and what you need.
Best regards,

Kevin Goodknecht [Microsoft MVP]
See me in the Microsoft Public DNS newsgroups
kgoodknecht
Senior Member
 
Posts: 161
Joined: Nov 24 03 1:31 pm
Location: Wichita Falls, TX

Postby jamesc » Aug 02 05 1:11 pm

Just adding to kgoodknecht's comments about upgrading.

https://commerce.qbik.com/purchase.php

jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

working on trial

Postby bench » Aug 04 05 6:39 am

OK, I decided to test that it will work in our office before asking the client to pay the difference.

I have installed wingate with a trial license for testing purposes. I was successfully able to get gatekeeper to remotely access the user database from our server and it's listing all users now.

The problem now is that I can get gatekeeper to authenticate one of the PC's I am using to test. It shows the name of the PC but displays system in brackets. I went and entered the name of the machine and the name of the user under assumed users and rebooted the PC. Once I logged in again it listed the PC name with system in brackets then the username as assumed.

I have the following options in www proxy server. In General I have NTLM for authentication, in Sessions I have to intercept connection port 80 and I have everyone under policies with restrictions to everything but two websites.

First, I am not asked to authenticate myself when I open IE so how does NTLM work? Second, I can't even access the websites I specified in policies and gatekeeper tells me that authentication failed thus the reason I can't access those websites.

How can I get gatekeeper to authenticate users? I have read the authentication help files and done everything as stated but it still fails. Shouldn't it know who the user is if I log in as userx? It's using the active directory data base so why is it not doing it?
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas
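
Added example (not part of the original thread, and not WinGate code): with NTLM selected on the WWW proxy, the browser is not necessarily prompted; it answers the proxy's 407 with NTLM messages in the Proxy-Authorization header, and the last of them (AUTHENTICATE) carries the domain, user and workstation names. The Python below decodes such a header value taken from a capture or log, so you can see which identity is actually being presented to the proxy; the sample message, the domain EXAMPLE and the workstation PC01 are constructed for illustration.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _field(msg, pos):
    """Return the payload bytes named by the (len, maxlen, offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def parse_proxy_ntlm(header_value):
    """Decode a Proxy-Authenticate / Proxy-Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not token:
        return {"type": "OFFER"}  # bare "NTLM" in the proxy's first 407
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or not msg.startswith(SIG):
        raise ValueError("bad NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": TYPES.get(mtype, "UNKNOWN")}
    if mtype == 3:  # only the final client message names the user
        if len(msg) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & UNICODE else "cp437"
        for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[name] = _field(msg, pos).decode(enc)
    return info

def build_sample_type3(domain, user, workstation):
    """Constructed AUTHENTICATE message with dummy all-zero responses."""
    names = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    parts = [b"\x00" * 24, b"\x00" * 24, *names, b""]  # LM, NT, names, session key
    descriptors, payload, offset = b"", b"", 64
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    msg = SIG + struct.pack("<I", 3) + descriptors + struct.pack("<I", UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    # Constructed values: EXAMPLE and PC01 are placeholders, not from the thread.
    print(parse_proxy_ntlm(build_sample_type3("EXAMPLE", "userx", "PC01")))
```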

mail problems

Postby bench » Aug 04 05 11:10 am

OK, I have found how NTLM works and I am not able to access the sites I specified in the www proxy server and gatekeeper authenticates the user.

The problem is retrieving the e-mails from the mail server. The mail server is on a different server and when I try to access it from the client PC it tells me it can't connect to the mail server. I can't even ping the mail server from the client machine but I can from the proxy server.

I don't have mail server enabled in the proxy and DHCP is turned off as well. I have tried adding the pop3 and smtp ports in extended networking>port security>Lan connections to wingate PC but still no luck.
I have disabled the firewall altogether and still I can't access the mail server.

I am pretty much burned out at this point so any suggestions would be greatly appreciated.

Thanks.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

