Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

newbie - wingate and windows 2003 server

Jun 07 07 10:42 pm

Hi...
I'm using Microsoft Windows 2003 Server in my office and it is connected to the internet. The clients got their IP automatically, so I suppose I'm using NAT. The clients are all connected to the internet, and now the board wanted to limit the internet access to a few users only. Somebody told me to use WinGate for this purpose, but somebody told me that it's difficult to apply the WinGate server for this purpose because of the NAT I'm using. Can you help me? I'm really new at this.
Thx

Jun 07 07 10:55 pm

You can easily apply WinGate policy on NAT traffic as well - simply download WinGate, install it with the WinGate 30-day trial license and give it a go.


Jun 08 07 2:29 pm

If I install WinGate, will it affect any of my server configuration?
After I install it, what should I do? Can you specify what I must do in order to set it up?

Jun 08 07 2:31 pm

I will do a reply for you very soon.

Jun 08 07 2:44 pm

Thx, I'm looking forward to your reply.

Jun 08 07 3:11 pm

I'm using Microsoft Windows 2003 Server in my office and it is connected to the internet. The clients got their IP automatically, so I suppose I'm using NAT.


Usually a good way to check for NAT is by pinging a domain name, or telnetting to a server:
(Windows) Start menu --> Run --> telnet smtp.qbik.com 25


The clients are all connected to the internet, and now the board wanted to limit the internet access to a few users only.


Acknowledged


Somebody told me to use WinGate for this purpose, but somebody told me that it's difficult to apply the WinGate server for this purpose because of the NAT I'm using.


I know I want instant solutions when learning to use software and do not like going through learning curves - but the fact of the matter is good things can take time.


Can you help me? I'm really new at this.


Sure can.

1. In the context of networks I have dealt with as a system engineer, they always have a testing lab for new software so it does not stop production in the event of a problem.


2. You need to identify software that may cause a problem when you install WinGate. For example:
a) If the computer you propose to install WinGate on has its own DNS / DHCP Server then there is a good chance you will want to disable WinGate's ones when / after installing.
b) What other third party security suites and networking suites are you running? i.e. be aware of them so you can troubleshoot later in the event of a problem. *Known NAT issue with Kaspersky standalone products - has been fixed and we are waiting for them to release their version 7 line.
c) What Microsoft security / networking suites are you using? Have you disabled the Windows Firewall in the Windows Service? Will you still need to use RRAS after installing WinGate etc...
d) Do you have a web server or another application listening on port 80? The WWW Proxy Server in WinGate will try to bind to that by default – you may need to change the WWW Proxy to listen on a different port after installing WinGate.


3. Will WinGate be using an Active Directory User Database? A briefing is available in the following post: http://forums.qbik.com/viewtopic.php?p=28904#28904


4. Install WinGate with the Extended Networking Service (ENS) (so to utilise NAT, Firewall, Bandwidth throttler, VPN, Routing etc..) and then reboot when prompted.


5. Reboot so the ENS driver loads.


6. Log in to the GateKeeper application so as to configure the WinGate engine.
a) If you selected the WinGate User Database on install, then the Username/Password is Administrator/
b) If you selected the Windows User Database on install, then log in with an account that has Windows Administrator privileges.
c) If you logged into the WinGate User Database with no password, then the Remote Control Service will only allow connections from the localhost address. To resolve that you would navigate to the GateKeeper --> Remote Control Service --> Bindings (after putting a password on Administrator account). The Remote Control Service is where the GateKeeper logs into the WinGate engine so it can configure it - it also can authenticate some methods.


7. Confirm your network cards are correctly marked as INTERNAL / EXTERNAL. The network card pointing towards the internet is usually marked as EXTERNAL in WinGate. And the network card pointing towards the LAN is usually marked as INTERNAL in WinGate. If the WinGate server only has one network card, and it has a default gateway set to a hardware router with a firewall, then you can set it as INTERNAL in WinGate - WinGate can do single NIC NAT.
GateKeeper --> View menu --> Networks --> Network Connections.

*Other WinGate considerations regarding the markings of the network cards:
Two INTERNAL network cards can route between them - same with two EXTERNAL cards. You can turn off routing via ENS.
A network card does not need to be EXTERNAL for WinGate to use the Gateway.
For a network card to NAT, it either needs to be INTERNAL or DMZ.
NAT connection sharing between the two gateways will be controlled by the routes metric in Windows, and the mask length of those routes compared to the destination address (that’s when a mappings intercept is convenient).
NetBIOS broadcasts are disabled out the EXTERNAL adapters unless you switch it on via ENS --> Firewall.

8. Choose a way you are going to identify your users via authentication:

WinGate User Database.
WWW Proxy Java Authentication - Secure method - Needs Java (www.java.com)
WGIC Authentication - Secure method - Client install.
QbikAuth Authentication - Secure method - Client install.
GateKeeper Authentication - Secure method - Client install.
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different criterions.

Local Windows User Database
WWW Proxy NTLM Authentication - Secure Method - Application must be NTLM compatible.
WGIC NTLM Authentication - Secure method - Client install.
QbikAuth NTLM Authentication - Secure method - Client install.
GateKeeper NTLM Authentication - Secure method - Client install.
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different criterions.

Domain User Database.
WWW Proxy NTLM Authentication - Secure Method - Application must be NTLM compatible.
WGIC NTLM Authentication - Secure method - Client install.
QbikAuth NTLM Authentication - Secure method - Client install.
GateKeeper NTLM Authentication - Secure method - Client install.
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different criterions.

*Please note, whether an authentication is secure, insecure or unauthenticated corresponds to the level of authentication you set for your policies – more on this further down – i.e.:
User must be authenticated = Secure method
User may be assumed = Insecure method
User may be unknown = Unauthenticated


9. Go to a LAN Client and point Internet Explorer to the WWW Proxy Server and test. (if you have any problems it will either be DNS or a port conflict or you have tried to configure the policies).


10. Go back to the WinGate server and turn on an Intercept for Port 80 within WWW Proxy Server --> Sessions.


11. Go to a LAN Client, remove the WWW Proxy Server, and then try to access the Webpage again – WinGate should now be transparently proxying that connection.


I will do the rest soon. It will be regarding locking down access via proxy and the Extended Networking Service via policies
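
A pre-install check for the conflicts listed in step 2 of the post above, as an added example that is not part of the original thread or WinGate's own tooling: it tries to bind the ports that a web server, DNS server or DHCP server already running on the machine would hold. Port 80 comes from the post; ports 53 and 67 are the standard DNS and DHCP server ports and are assumed here, as are the function names.

```python
import errno
import socket

# Services from step 2 of the post and the ports they would contend for.
# Port 80 is given in the post; 53 and 67 are the standard DNS and DHCP
# server ports, assumed here rather than taken from the post.
CHECKS = [
    ("web server / WWW Proxy", socket.SOCK_STREAM, 80),
    ("DNS server (UDP)", socket.SOCK_DGRAM, 53),
    ("DNS server (TCP)", socket.SOCK_STREAM, 53),
    ("DHCP server", socket.SOCK_DGRAM, 67),
]


def probe(sock_type, port, host="0.0.0.0"):
    """Try to bind host:port and classify the result.

    Returns "free", "in-use" (another process already holds the port) or
    "denied" (not enough rights, or the port is held exclusively).
    """
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.bind((host, port))
        return "free"
    except PermissionError:
        return "denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        raise  # anything else is unexpected and should be seen
    finally:
        s.close()


def preinstall_report(checks=CHECKS, host="0.0.0.0"):
    """Return (service, port, status) for each port in the check list."""
    return [(name, port, probe(kind, port, host)) for name, kind, port in checks]


if __name__ == "__main__":
    for name, port, status in preinstall_report():
        flag = "" if status == "free" else "  <- check before enabling the WinGate service"
        print(f"{port:>5}  {status:<7} {name}{flag}")
```

Run it on the server from an administrator account before installing WinGate; a port reported as in-use already has a listener, which is the situation items a) and d) of step 2 describe.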

Jun 11 07 10:52 pm

For creating policies, would you be able to review the following post?
http://forums.qbik.com/viewtopic.php?p=28942#28942

And then ask any questions you may have.