Disabling any direct access on machine with two NICs

WinGate Proxy Server and other Qbik products

Switch to full style
Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
Post a reply
Vladimir
  • Vladimir
  • Posts: 3
  • Joined: Oct 01 04 2:47 am

Disabling any direct access on machine with two NICs

Oct 01 04 3:19 am

Hi!

I am trying to use Wingate 6.0.3 (1005) on W2000 Server installed as domain controller. It has two network adapters. Before I installed WinGate it was just set up using Windows installation disk.

The problem is that most of programs which are not manually configured to use WinGate proxy etc try to use direct connection by default. For example, if I write 'ping www.microsoft.com' there is absolutely nothing in Gatekeeper's activity and history pane. The same is true for directly connected ICQ, Opera without a proxy, etc. If I do all this things from a LAN computer behind the WinGate I can monitor its activity via Gatekeeper, update user traffic and so on.

It seems I need to prohibit applications from binding themself to external IP-address at all. So that when they supply internal IP (192.168.1.1 in my server case) it would go to the Wingate router.

I have asked some people what to do. They recommended to use a firewall. But Wingate's firewall even if in most isolated case does not hide external IP from applications.

What should I do? Probably, it is needed to disable Windows routing and to delegate routing to WinGate? How to do it?
Here is a result of route print command:

Code:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 30 48 70 63 f3 ...... Intel(R) PRO/1000 MT Network Adapter
0x1000004 ...00 30 48 70 63 f2 ...... Intel(R) PRO/1000 MT Network Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   195.201.73.126   195.201.73.82       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.1     192.168.1.1       1
      192.168.1.1  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255      192.168.1.1     192.168.1.1       1
     195.201.73.0    255.255.255.0    195.201.73.82   195.201.73.82       1
    195.201.73.82  255.255.255.255        127.0.0.1       127.0.0.1       1
   195.201.73.255  255.255.255.255    195.201.73.82   195.201.73.82       1
        224.0.0.0        224.0.0.0      192.168.1.1     192.168.1.1       1
        224.0.0.0        224.0.0.0    195.201.73.82   195.201.73.82       1
  255.255.255.255  255.255.255.255      192.168.1.1     192.168.1.1       1
Default Gateway:    195.201.73.126
===========================================================================
Persistent Routes:
  None
adrien
  • adrien
  • Posts: 5448
  • Joined: Sep 03 03 2:54 pm
  • Location: Auckland
  • Website

Oct 01 04 1:18 pm

Hi

WinGate doesn't block outbound connections from the local machine (i.e the machine it is running on) unless these connections go through WinGate (i.e. by way of proxy configuration). Sounds like you need a personal firewall if you want to do this, or to set better access-level restrictions on what the user accounts on that machine are able to do.

Adrien
Vladimir
  • Vladimir
  • Posts: 3
  • Joined: Oct 01 04 2:47 am

Oct 05 04 8:17 pm

Hi Adrien,

Thanks for the reply.

My aim is to limit _all_ connections from server to be visible and audible so that it would be easy to check ISP invoices. Any connections that go aside from Wingate are VERY undesirable. Unfortunately, we have to use the machine with WinGate for work so many INET applications produce hidden traffic. This is bad.

Some new questions:
1. Are the WinGate 6.0.3 and Windows 2000 Server network utilities enough tools to set up needed configuration?
2. What third party products (firewall) do we need in case of answer 'no' to the question #1?
3. Can we monitor wingate traffic on user-by-user basis on-line?
Nev
  • Nev
  • Posts: 861
  • Joined: Sep 22 03 11:35 pm
  • Location: Mudgee ~ NSW ~ Australia

Oct 05 04 9:46 pm

Vladimir wrote:Hi Adrien,

Thanks for the reply.

My aim is to limit _all_ connections from server to be visible and audible so that it would be easy to check ISP invoices. Any connections that go aside from Wingate are VERY undesirable. Unfortunately, we have to use the machine with WinGate for work so many INET applications produce hidden traffic. This is bad.

Some new questions:
1. Are the WinGate 6.0.3 and Windows 2000 Server network utilities enough tools to set up needed configuration?
2. What third party products (firewall) do we need in case of answer 'no' to the question #1?
3. Can we monitor wingate traffic on user-by-user basis on-line?


Vladimir what would happen if you configure all connection properties for the Wingate server to point at the localhost: 127.0.0.1:80 [if 80 is the WWW proxy port]?

Next set a group policy to deny access to the properties of network connections / RAS and proxy server configuration.

Have found this removes the risk of users on a server bypassing Wingate and the firewall.

Nev.
Vladimir
  • Vladimir
  • Posts: 3
  • Joined: Oct 01 04 2:47 am

Oct 05 04 10:35 pm

Nev wrote:Vladimir what would happen if you configure all connection properties for the Wingate server to point at the localhost: 127.0.0.1:80 [if 80 is the WWW proxy port]?

Next set a group policy to deny access to the properties of network connections / RAS and proxy server configuration.


Hm, my problem is not to set up proxy but to disable any applications to bind themself to external IP-address. Can you explain me how locahost IP in WWW proxy settings can help to do this?

And what about ping? Can I see pings made from Wingate's machine in Gatekeeper?

What policy do you mean, Windows' or WinGate's? Where to set up these prohibitions?
Nev
  • Nev
  • Posts: 861
  • Joined: Sep 22 03 11:35 pm
  • Location: Mudgee ~ NSW ~ Australia

Oct 06 04 10:49 pm

Vladimir wrote:
Nev wrote:Vladimir what would happen if you configure all connection properties for the Wingate server to point at the localhost: 127.0.0.1:80 [if 80 is the WWW proxy port]?

Next set a group policy to deny access to the properties of network connections / RAS and proxy server configuration.


Hm, my problem is not to set up proxy but to disable any applications to bind themself to external IP-address. Can you explain me how locahost IP in WWW proxy settings can help to do this?


Well for all applications on the server set the IP as above 127.0.0.1:80

And what about ping? Can I see pings made from Wingate's machine in Gatekeeper?


No.

What policy do you mean, Windows' or WinGate's? Where to set up these prohibitions?


Run CMD prompt, type in GPEDIT.MSC here you can configure a Group policy that will restrict *some* areas and deny access to user modified proxy settings.

Hope that helps!

Nev.
Post a reply
Switch to full style

Powered by phpBB © phpBB Group.

phpBB Mobile / SEO by Artodia.

Board index