
Migrate to Wingate from ISA 2000

Jun 09 07 9:46 pm

Hi,
I am a newbie to WinGate and am planning to procure it. I am currently using ISA 2000, which I wish to migrate to WinGate. If you are unaware of how ISA works, I shall list my requirements, as I know it may not be possible to map 100% with ISA.
I have Win 2000 domain controllers DC1 and DC2 (child domain of DC1), and ISA Enterprise is running with authentication from AD.

1) There are ready-made protocols in ISA such as http, https, icq, rdp and ldap, and for outbound access in ISA I just have to select the required protocol and assign it to the desired user. How can we do this in WinGate?

2) How can I allow or disallow users to access Yahoo Messenger, MSN, Meebo, Orkut and other web-based chat?

3) How shall I be able to authenticate in WinGate from DC1 and DC2?

The following is my network:

Internal
LAN----------> ISA1---------> Internet Link 1
^ |
| to |
| Switch |
| | Internal LAN to Switch
v | |
Internal | |
LAN------------>ISA2----------| WatchGuard-------->Internet Link2
| |
|---------->|
|
DMZ

ISA1 & ISA2 are in a proxy array and they are doing the traffic balancing, i.e. some outbound traffic goes via ISA1 and some via ISA2. Can I configure WinGate in an array or some kind of load distribution of the outbound traffic?
The DNS server is on the Active Directory and forwards to the external DNS IPs of both the Internet links. All the clients, servers, DC1, DC2, ISA1, ISA2, the DNS server and the DHCP server had the default gateway of the internal interface of the WatchGuard.

How will I have to configure WinGate, as applying 2 default gateways may not be feasible?

If there is no solution at hand, can you assure that after purchasing WinGate you shall solve my problems?

Jun 12 07 3:04 am

Hi

You've listed a lot of questions, but I'll go through the ones I can quickly answer.

Also, we recommend you trial WinGate before purchasing to ascertain it will meet your requirements.

1. Active Directory.

WinGate can synchronise with an Active Directory / domain. The domain controllers / AD controllers are then used for authentication whenever the NTLM authentication method is used (i.e. for POP3, SMTP, IMAP, HTTP, GateKeeper login, WGIC etc).

2. Protocols

Not sure what you mean by the ready-made ones, or how they are implemented. WinGate has multiple built-in proxies, which each cope with one or more protocols. You can set per-user policies per proxy. WinGate also has a NAT component on which you can also set per-port and per-user policies.

So for controlling access to things like HTTP per user, you would create user policies in the WWW proxy.

For limiting access to things like msn, you would need to create policies for NAT blocking access outbound on certain ports.

3. Load balancing

How is this currently operating? There are a number of ways of allocating load across multiple gateways, e.g.

* allocate different clients different gateways with DHCP
* some sort of load-balancing device (i.e. intermediary router with NLB)

Or is ISA server doing this load-balancing itself? This may be being performed independently of ISA server.

We'll certainly work with you to go through any problems you may encounter, and will happily do that even in a trial phase before you would need to commit to any purchasing, this way if you can't get WinGate to do what you want there is no transaction to deal with.

Regards

Adrien

Defining ftp

Jun 12 07 4:34 am

Hi,
I have disabled the FTP proxy server but I am still able to access FTP. I have installed the WGIC on the client machine. How can I restrict FTP for desired users?

regards
D4U

Jun 12 07 3:03 pm

Hi,

If you only want selected users to access FTP then you should enable the proxy and create a policy restricting access to the appropriate group. Make sure that you are intercepting traffic on port 21 (on the sessions tab in the FTP proxy) to capture all FTP connections and apply your policy.

Matt

Proxy array

Jun 12 07 8:57 pm

Hi,
As posted earlier, ISA1 & ISA2 were in a proxy array. There was a logical name for that array and all clients were configured with that logical name, i.e. the outbound traffic was distributed between the 2 proxy servers. Can we do this in WinGate, automated or else manually, and how can this be achieved?

regards
Darshan

Jun 12 07 10:06 pm

Hi Darshan

When you say the clients were configured with the logical name, do you mean you were running some special ISA client software? Or was this the web browsers etc?

The name, was it a DNS name?

I'm just trying to figure out if it was a round-robin DNS allocation that did the load balancing.

Regards

Adrien

traffic distribution

Jun 13 07 4:41 pm

Hi,
ISA1 & ISA2 were installed as Enterprise in a Win 2000 ADS environment, and the application ISA (Microsoft Internet Security Acceleration Server) is in a proxy array called PROXY (2 physical ISA servers were installed in a logical array which was named PROXY, as there is an option in MS ISA Server to install the ISA server in an array).
2 DNS entries, ISA1 & ISA2, are created during the Win2000 server installation in the domain. There is no need to create a DNS entry for PROXY. Just install the MS ISA clients on the users' machines and update the client. In your browser LAN settings give PROXY, and this will be automatically reflected by ISA1 or ISA2 whenever you update the MS ISA client. This way traffic distribution of the users was done. How can this be achieved in WinGate?

regards

Jun 14 07 12:26 am

I see, so there is ISA client software that manages this.

The WinGate Client software uses the GDP service in WinGate to find a WinGate server to use.

You can set policy in the GDP service to allow only ranges of IPs to access it. This will mean clients using the WinGate client in those ranges will use the WinGate server which grants access to the GDP service for their IP.

This would be one way to centrally assign groups of users to one WinGate server or another. Otherwise you would need to manually set the required server to use in each client individually.

Regards

Adrien