https websites are bypassing upstream proxy


Moderator: Qbik Staff

https websites are bypassing upstream proxy

Postby behnam » Jun 01 14 11:27 pm

hi all

According to my last topic about Facebook & Twitter,
it seems that https websites are bypassing the upstream proxy (they don't use the proxy for connecting to the internet and they connect directly).
What should I do about it?
How do I force https websites to pass through the proxy for connecting to the internet? (force them to use the proxy)

any help will be appreciated.

thanks

Behnam
behnam
 
Posts: 27
Joined: May 14 14 10:52 pm

Re: https websites are bypassing upstream proxy

Postby adrien » Jun 03 14 12:23 pm

Hi

How do you configure your clients on the LAN to use a proxy?

There are only a few options.

1. Manually configure them
2. Use Active Directory GPO
3. Use web proxy auto-detect

or none of the above?

If you want to prevent users from using NAT, you can disable it, or block port 443. Then people will have to use the proxy, and then the rules will apply.

To block port 443 for NAT, you can do it in Port Security in Extended Networking.

Choose the table for "LAN connections to Internet" and "TCP", add an entry for port 443-443, and choose deny.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: https websites are bypassing upstream proxy

Postby behnam » Jun 03 14 8:42 pm

hi dear Adrien

I want to be honest with you, I have no clients but one Samsung smart TV, and the Samsung smart TV has no option to set a proxy in it (it should use NAT)


Another thing is, just as I said before, THE GOVERNMENT IS BLOCKING FACEBOOK & TWITTER.
For bypassing this filtering we use Proxifier on our computers in Iran (we can access these two websites through Proxifier),
and now I want to use the Facebook app of my Samsung smart TV.

SO

What I've done is use WinGate to turn my PC into a proxy server for my TV,
and WinGate should use Proxifier so that it can ferry its clients from Iran's filtering to FREEDOM.
The problem is WinGate and Proxifier can't deal with each other, so I was forced to use CCProxy between them.


Remember, my TV can only connect by NAT to WinGate (I can't set a proxy in it - it doesn't have this option),
but port 443 connects to the internet directly in NAT mode (it should pass through Proxifier).
If it doesn't, it will be knocked out by Iran's filtering.

Now what can I do to use the Facebook app of my TV? (please tell me honestly if my explanations are confusing)

thanks

Behnam



now what can i do
behnam
 
Posts: 27
Joined: May 14 14 10:52 pm

Re: https websites are bypassing upstream proxy

Postby adrien » Jun 04 14 11:37 am

Hi

In your Proxifier setup, what type of proxy is it configured to connect to? SOCKS? Or maybe HTTP tunneling?

WinGate services have SOCKS client and HTTP tunneling client support built in, so they can connect directly to an upstream proxy.

But I think a bigger problem is using NAT for https. With https, if the client isn't using a proxy, then it expects to make a connection (usually port 443), then send a TLS/SSL client hello packet. This is not http, it's TLS/SSL first and after that http.

Due to the encryption, you can't intercept this, unless you use https inspection, and can install a trusted cert on the device? Probably not an option?

But you can use a TCP mapping proxy, intercept port 443, get it to connect out via a proxy using SOCKS or http tunneling upstream.

So I still think you don't need proxifier. Proxifier only supports SOCKS and HTTP tunneling as well. WinGate already has this, unless you are required to use SOCKS5 with auth.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
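
The distinction adrien describes above, as an added example that is not part of the original thread and is not WinGate's code: a NAT'd client on port 443 opens with a TLS ClientHello rather than an HTTP request, so a gateway that wants the connection to leave via an upstream proxy has to issue the HTTP CONNECT itself and then relay the TLS bytes untouched. All function names, the truncated sample bytes and the destination address 203.0.113.10 are constructed for illustration.

```python
from typing import Optional

# Constructed sample: first bytes of a TLS ClientHello (truncated).
# 16 = handshake record, 03 01 = record version, 00 2e = length,
# 01 = ClientHello handshake type.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002e0100002a0303")

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def classify_first_bytes(data: bytes) -> str:
    """Tell what a freshly accepted TCP connection is speaking."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"      # direct https: TLS first, HTTP only inside it
    first_token = data.split(b" ", 1)[0]
    if first_token == b"CONNECT":
        return "http-connect"          # proxy-aware client asking for a tunnel
    if first_token in HTTP_METHODS:
        return "http"
    return "unknown"


def connect_request(host: str, port: int = 443) -> bytes:
    """The request an HTTP tunneling client sends to the upstream proxy."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def tunnel_established(reply: bytes) -> bool:
    """The upstream must answer 2xx before any TLS bytes are relayed."""
    parts = reply.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1][:1] == b"2"


def upstream_preamble(first_bytes: bytes, orig_host: str, orig_port: int) -> Optional[bytes]:
    """What the gateway sends upstream before relaying the client's bytes."""
    kind = classify_first_bytes(first_bytes)
    if kind == "tls-client-hello":
        # The NAT'd client never asked for a proxy, so the gateway asks for it,
        # using the destination the client originally dialled.
        return connect_request(orig_host, orig_port)
    if kind == "http-connect":
        return first_bytes             # already a tunnel request, pass it through
    return None                        # not an https tunnel case


if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_CLIENT_HELLO))
    print(upstream_preamble(SAMPLE_CLIENT_HELLO, "203.0.113.10", 443))
```

After a 2xx reply the buffered ClientHello is forwarded as-is; the gateway never decrypts it, which is why no trusted certificate is needed on the device for this approach.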

Re: https websites are bypassing upstream proxy

Postby behnam » Jun 05 14 3:00 am

HI Adrien

Thanks for your reply.

I did just as you said about the TCP mapping service and I tested it with another PC on the network,
and the confusing point is: sometimes https websites pass through the upstream proxy (for example: Facebook bypasses government blocking and loads in the client browser) and sometimes not (it is stopped by government blocking)
some other websites such as twitter.com will ALWAYS bopped with government blocking

Should I do some special configuration on the TCP mapping service or not?

thanks

Behnam
behnam
 
Posts: 27
Joined: May 14 14 10:52 pm

