Authentication entries in the System Log

WinGate Proxy Server and other Qbik products

Switch to full style
Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
Post a reply
ScottW
  • ScottW
  • Posts: 4
  • Joined: Sep 16 04 2:33 am

Authentication entries in the System Log

Oct 12 04 4:48 am

Hi,

We're using Wingate 6.03 running on an W2K Server as a proxy server only.

It's set up to authenticate users against our Active Directory, and it works fine. My IE users are all on W2K Terminal Servers and the terminal servers are all set up in Multi-user Machine tab.

All web sites that my staff access are logged as I expect in the WWWProxy log and our Proxy Inspector does it's reports on web site usage with no problems.

We ban a few web sites in Wingate too, using the Ban List, and that works pretty well too.

But I still have one thing related to the logging of banned sites that I can't work out...

Actually it might be two separate things, they just look very similar in the System Log:-

1) When a blocked web site is seen by Wingate it is reported in the System Log as I expect, but it is often listed as being accessed by the default user GUEST (all normal web site access *is* logged correctly by the actual AD username, in the WWWProxy log as expected).

2) Sometimes the system log also reports on authentication failures for the user GUEST for web sites that are *not* banned in the Ban List.

Here are some examples below.

Item "a" is an example of problem 2, where the Zonealarm update site is not blocked by Wingate's Ban List but is showing an authentication problem.

Item "b" is another example (this time for Symantec LiveUpdate).

Item "c" is an example of problem 1 (i.e. a site that *is* banned but it doesn't say who tried to access it, it only lists them as Guest).

a) 10/11/04 15:01:31 Authentication Authentication failed - user Guest on 192.168.1.127 requested http://update.zonelabs.com/checkupdate.asp

b) 10/11/04 15:02:09 Authentication Authentication failed - user Guest on 192.168.1.127 requested http://liveupdate.symantecliveupdate.com/minitri.flg

c) 10/11/04 15:18:47 Authentication Authentication failed - user Guest on 192.168.1.22 requested http://eur.i1.yimg.com/eur.yimg.com/i/uk/hp/s/ukhp4.gif


1) How can I get Wingate to show which user is accessing the banned sites?

2) Does anyone know why the sites that aren't banned are showing the authentication error?

Am I missing something really obvious here? If anyone has any ideas about this (or if I need to provide some more information) please let me know!

Many thanks in advance,

Scott.
Pascal
  • Pascal
  • Posts: 2623
  • Joined: Sep 08 03 8:19 pm
  • Location: Auckland, New Zealand
  • Website

Re: Authentication entries in the System Log

Oct 12 04 12:54 pm

ScottW wrote:1) When a blocked web site is seen by Wingate it is reported in the System Log as I expect, but it is often listed as being accessed by the default user GUEST (all normal web site access *is* logged correctly by the actual AD username, in the WWWProxy log as expected).


The reason it would show as guest is because the user name has not yet changed. (Not authenticated yet) The configuration could tell us why.

How are you authenticating the users to WinGate? Are you using HTTP NTLM authentication? Which HTTP version is your browsers set to use for proxy connections?

ScottW wrote:2) Sometimes the system log also reports on authentication failures for the user GUEST for web sites that are *not* banned in the Ban List.


This sounds similar to an occasional problem with earlier releases of WinGate (Previous 6.0 builds) and would show up in the browser as an authentication failure or as a broken image. Which build number are you currently running?
ScottW
  • ScottW
  • Posts: 4
  • Joined: Sep 16 04 2:33 am

Oct 12 04 11:59 pm

Thank you for the prompt reply.

1)

> How are you authenticating the users to WinGate? Are you using HTTP NTLM authentication?

The WWW Proxy service has the NTLM option ticked, and in the Database Options dialog the top two boxes are ticked and the name of our AD server is entered.

Is that enough or am I missing it somewhere else?

It seems to authenticate properly for the WWWProxy log anyway, if not the system log.


> Which HTTP version is your browsers set to use for proxy connections?

Can you tell me the easiest way to find that out? Thank you.


2)

> This sounds similar to an occasional problem with earlier releases of WinGate (Previous 6.0 builds) and would show up in the browser as an authentication failure or as a broken image. Which build number are you currently running?

We are running Build 1005 (16th September 2004). Can you think why this might be happening, or is it related to your answer to my question 1 above?

Many thanks again,
Scott.
Pascal
  • Pascal
  • Posts: 2623
  • Joined: Sep 08 03 8:19 pm
  • Location: Auckland, New Zealand
  • Website

Oct 13 04 9:26 am

It would be in settings for your browser. If you're using IE it is under "Internet Properties" -> "Advanced" -> "HTTP 1.1 settings".

If you're running 1005 though that problem is fixed.
ScottW
  • ScottW
  • Posts: 4
  • Joined: Sep 16 04 2:33 am

Oct 13 04 10:43 pm

Hi Pascal,

Does that mean that there is no answer to my problems? Or do I need to email my Wingate settings to someone for them to have a look?

Many thanks,
Scott.
Pascal
  • Pascal
  • Posts: 2623
  • Joined: Sep 08 03 8:19 pm
  • Location: Auckland, New Zealand
  • Website

Oct 13 04 11:03 pm

Not necessarily no answer. Erwin setup this scenario today; he was talking to Adrien about the exact nature of it; however, we ran into close of business before things could be completed.

I have a rough idea what the two of them discussed, but it'll be better if he posts back here tomorrow morning with full details. (I might confuse the issue)

Sending the WinGate settings to me could be potentially helpful - but from the sound of it you have everything setup properly - so I don't think we need to go there yet.
erwin

Oct 14 04 3:45 pm

Hi Scott

Put simply the reason why you are seeing Guest authentication failures, is to do with the order and timing that NTLM authentication happens between IE and WinGate When IE makes it initial Internet request, it makes a DNS query for the URL Wingate which uses Guest(user) for the DNS lookup.

Since your scenario is using straight proxy connection method to WinGate, WinGate will sometimes try to authenticate the DNS lookup resulting in the authorisation failure.

Which is also the reason why you will intermittently see Auth failures for non banned sites as you have mentioned, even though normal access to the URL is subsequently permitted (since Guest is not an authenticated user).

1) How can I get Wingate to show which user is accessing the banned sites?


The only successful way in this particular scenario to get the log to show which users are accessing banned sites is to have the Terminal Services clients use the WinGate Internet Client (WGIC) (single install on the terminal server) to access the Internet.

For this setup you will need to:

Install WGIC on the Terminal Server.
Get clients to use the WGIC
Set transparent redirection(Intercepts) on port 80 in the Sessions configuration of the WWW service in GateKeeper.

This will effectively do the following:

Users and their DNS requests will be authenticated correctly via the WRP service, hopefully eliminating the stray Guest Authentication failures you are seeing, before the request is sent through the WWW proxy where it will be influenced by the policy of banned sites.

Pascal and I have confirmed that this works in the lab today, with the WWW proxy log now showing who is trying to access the banned sites.

Hope this helps

Regards
Erwin
Post a reply
Switch to full style

Powered by phpBB © phpBB Group.

phpBB Mobile / SEO by Artodia.

Board index