Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Noobie WinGate questions

Jun 06 07 9:34 am

I'm new to WinGate, and have some issues that need working out.

A short bit about our network: We are running a domain on win2003. We are using WinGate as a proxy server, and it is using the built-in Windows based users/groups. WinGate resides on the same box that is our domain controller.

For some reason, there are several IPs which WinGate is reporting as "Guests," even though those IPs are resolved by the DNS service on the server. For instance, 10.0.0.76 resolves back to 'shipping.xxx.org.' I can ping 'shipping' and it will resolve to 10.0.0.76. Yet, WinGate still reports that IP as "Guest" in the WinGate history viewer. Any ideas on how to fix this?

Another issue is that after installing IE7 on some systems, it will want to go to a MS website to configure. We have WinGate so locked down that that is not possible. Where can I set a global "Everyone always has rights to *microsoft.com/* " rule?

Thanks in advance

Jun 07 07 3:45 pm

For some reason, there are several IPs which WinGate is reporting as "Guests," even though those IPs are resolved by the DNS service on the server. For instance, 10.0.0.76 resolves back to 'shipping.xxx.org.' I can ping 'shipping' and it will resolve to 10.0.0.76. Yet, WinGate still reports that IP as "Guest" in the WinGate history viewer. Any ideas on how to fix this?


If it is showing as "Guest" then the LAN Client has not authenticated and there is a server / service somewhere that is allowing that unauthenticated access. So the first thing you want to do is identify what kind of connection it is within the History / Activity tab, and if it is:

NAT then review your policies within the Extended Networking Service.
WinGate Internet Client then review your policies within the Winsock Redirector Service.
If it is via the Proxy then review your policies within that.

Image
*WGIC may also show TCPLink


Another issue is that after installing IE7 on some systems, it will want to go to a MS website to configure. We have WinGate so locked down that that is not possible. Where can I set a global "Everyone always has rights to *microsoft.com/* " rule?


Not enough details on how to advise a global setting (You would need to brief the forum on how the WWW Proxy is set to interact with the Default Rights). For the sake of an example, if your LAN Clients are configured to use the WWW Proxy Server and the Default Rights are set to "Are ignored" then you would create the following policy - I have also added windowsupdates.com for the sake of an example showing two exceptions.

WWW Proxy Server --> Policies
Add --> Everyone, Select your authentication level
Advanced tab:
Filter 1
This criterion is met if HTTP URL Contains microsoft
Filter 2
This criterion is met if HTTP URL Contains windowsupdates.com

Jun 08 07 10:16 am

jamesc wrote: Not enough details on how to advise a global setting (You would need to brief the forum on how the WWW Proxy is set to interact with the Default Rights). For the sake of an example, if your LAN Clients are configured to use the WWW Proxy Server and the Default Rights are set to "Are ignored" then you would create the following policy - I have also added windowsupdates.com for the sake of an example showing two exceptions.

WWW Proxy Server --> Policies
Add --> Everyone, Select your authentication level
Advanced tab:
Filter 1
This criterion is met if HTTP URL Contains microsoft
Filter 2
This criterion is met if HTTP URL Contains windowsupdates.com


Sorry about that... Like I said, I'm fairly new to WinGate. The default is set to "MUST also be granted." There isn't anything set for the Everyone group, yet.

Should I still use the above rule?

Jun 08 07 10:32 am

The default is set to "MUST also be granted." There isn't anything set for the Everyone group, yet.


I interpret that as within the WWW Proxy Server the Default Rights "Must also be granted" and within the System Policies the Everyone group has no restrictions?

If that is the case - go for it. If that is not the case then still do my suggestion but also allow access via the System Policies for that user (you will need to use the Server Name criterion in there due to not having the HTTP URL available as a criterion).


System Policies location:

Image


WWW Proxy Service --> Policies --> Default Rights location / explanation.

Image

"Must also be granted": If the e.g. WWW Proxy Server policy allows access to this service, then it must also be checked in the System Policies before it is allowed.
"May be used instead": If the e.g. WWW Proxy Server policy denies the request, then check if the System Policies allow it; if it does, allow the user to access.
"Are ignored": Do not check the System Policies to check if this user is allowed/denied access to the WWW Proxy Server.

Jun 09 07 5:02 am

The System Policy is set to "restricted by ban list," with a few entries in the ban list, and "recipients have rights for all requests" under the advanced tab.

In the WWW Proxy Server -> Policies, the default is set to "MUST be granted."

So... If, in the WWW Proxy Server, I add an entry for "EVERYONE," and under WWW Proxy Server -> Policies -> Everyone -> Advanced set it to "Specify the request that the recipient has rights for" and add "windowsupdate.com" & "microsoft.com", this will enable access to Windows / MS-Updates, but will not prohibit them from other sites that they were previously able to access?

The interaction between these different rulesets is... a little confusing.

Jun 09 07 1:57 pm

So... If, in the WWW Proxy Server, I add an entry for "EVERYONE," and under WWW Proxy Server -> Policies -> Everyone -> Advanced set it to "Specify the request that the recipient has rights for" and add "windowsupdate.com" & "microsoft.com", this will enable access to Windows / MS-Updates, but will not prohibit them from other sites that they were previously able to access?


Since "Must also be granted" is selected within WWW Proxy Policies then it must also be allowed access in the System Policies. I would not expect that putting a new policy in allowing access to microsoft.com and windowsupdate.com would affect any of your existing policies.


The main things to remember about WinGate policies are:

1. That when there is more than one policy for a user or group in a particular WinGate Service (e.g. WWW), then the policy with the most access will override the policy with the least access.
2. When a WinGate Service (e.g. WWW) has the System Policy option set to "may be used instead" then the policy with the most access in those two policy areas will override the policies with the least access.
3. When a WinGate Service (e.g. WWW) has a System Policy set to "Must also be granted" then to have access there must be a policy specified allowing access in the System Policies as well.
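
Added example (not part of the thread and not WinGate's own code): a small Python model of the three Default Rights modes as described above, combined with the "HTTP URL Contains" filters from the example policy, run over constructed URLs. The function names, the sample URLs and the intended-domain list are assumptions; the last field of each row flags a request that the substring filter lets through although its host is not under the intended domains.

```python
from urllib.parse import urlsplit

# Filter strings copied as spelled in the thread's example policy.
CONTAINS_FILTERS = ["microsoft", "windowsupdates.com"]
# Assumption: the domains the rule is meant to cover (as named in the later posts).
INTENDED_DOMAINS = ["microsoft.com", "windowsupdate.com"]

def service_allows(url, filters=CONTAINS_FILTERS):
    """Model of 'HTTP URL Contains <text>': met if any filter is a substring."""
    lowered = url.lower()
    return any(f in lowered for f in filters)

def host_in_intended(url, domains=INTENDED_DOMAINS):
    """True if the URL's host is an intended domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(mode, service_ok, system_ok):
    """Combine the service policy and System Policies per Default Rights mode."""
    if mode == "must_also_be_granted":
        return service_ok and system_ok
    if mode == "may_be_used_instead":
        return service_ok or system_ok
    if mode == "are_ignored":
        return service_ok
    raise ValueError(f"unknown Default Rights mode: {mode}")

def audit(urls, mode, system_ok):
    """Return (url, allowed, broader_than_intended) for each request URL."""
    rows = []
    for url in urls:
        svc = service_allows(url)
        allowed = decide(mode, svc, system_ok)
        rows.append((url, allowed, allowed and svc and not host_in_intended(url)))
    return rows

# Constructed sample URLs (not taken from the thread).
SAMPLE_URLS = [
    "http://www.microsoft.com/windows/ie/",
    "http://update.windowsupdate.com/v9/",
    "http://search.example.test/?q=microsoft",
    "http://intranet.example.test/",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_URLS, "must_also_be_granted", system_ok=True):
        print(row)
```

Running the same audit over URLs exported from the proxy history shows which requests a "Contains" rule actually admits before the rule is applied to Everyone.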