Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

"No response on port" outside LAN

Dec 22 04 12:55 am

Hi there,
I'm using wingate to secure accesses to a particular website which itself has a proxy upfront, thus I configured wingate for proxy cascading.

Everything works fine from any workstations within the LAN, I can correctly authenticate and browse that site or the Internet.

LAN Workstation -> Wingate -> ext gateway/router -> ext proxy -> website

On the contrary if I set up a computer outside the LAN (for example my home computer) to go through the same wingate machine (with the corresponding port open on the LAN internet gateway) I correctly get the authentication java applet loaded but when I submit user&password I get a "No response on port" error.

home PC -> LAN router/gateway -> Wingate -> ext router -> ext proxy -> website

Any help would be heartfully appreciated.
thanx

Dec 22 04 8:46 am

Java client authentication uses the remote control service. For your internal clients you would have had to bind it to your LAN card as well - for external connections (If you wanted to use Java authentication on them) you'd need to bind it to your external adapter as well.

If you are going to do that I'd recommend that you specify specific locations (Preferably your ip at home / your ISPs range) in the policies, to help secure it against others.

Dec 22 04 10:25 pm

first of all, thank you for the answer!
having read the appropriate section in the helpfile, I had already bound the RCS on "any adapter any IP addr." and opened port 808 on my router but, still, I get the applet loaded and then the authentication ends with "no response on port".
I also tried disabling wingate firewall but didn't help.
any guesses?

regards

Dec 22 04 10:37 pm

No guesses, that's the correct message for that scenario. I'll have to go through the Java client / RCS source code to check it tomorrow when I'm back in the office. I'll let you know then.

Dec 12 05 10:29 pm

Pascal wrote:Java client authentication uses the remote control service. For your internal clients you would have had to bind it to your LAN card as well - for external connections (If you wanted to use Java authentication on them) you'd need to bind it to your external adapter as well.

If you are going to do that I'd recommend that you specify specific locations (Preferably your ip at home / your ISPs range) in the policies, to help secure it against others.


In response to your "solution":

My network is currently configured in the following manner:

[WINGATE System] (192.168.1.2)
............................\
..............................=> Router (WAN 10.1.1.2) > NAT WAN [Many Networked Users (10.1.0.0/16)] => Internet
............................/
[Computer] (192.168.1.3)

All port forwarding and firewall rules have been set up to allow a hole to the Remote Control Service as well as to all the services being provided.

I have my Wingate Remote Control Service currently binding to external IP's. A client on the NAT WAN (let's say 10.1.1.4) wants to use the Wingate proxy located on 10.1.1.2. It connects, opens the JAVA Authentication page, and after a userid/password was submitted, the authentication seems to hang and finally displays "No response on port." I snooped the packets on 10.1.1.4 and found that it was trying to connect to 192.168.1.2:[RCS PORT] and not 10.1.1.2:[RCS PORT]. Of course, the computer 192.168.1.3 is able to connect since it's on the same IP Class assignment and can resolve the internal IP. I'm trying to force the Wingate Proxy on 192.168.1.2 to tell computers trying to use the proxy to connect to 10.1.1.2 and I have to admit that I have no idea on how to force the program to do that. I've tried forcing a bind and tried searching for an "Active IP Reporting" function, in which I turned up empty.

Please advise on how I can resolve this issue. Thanks.

Dec 13 05 2:06 pm

Hi

The Java Client tries to connect to the same server as the class file was retrieved from - I think this is due to security restrictions in java.

So the Java Client is going to try and connect to the same server as is specified as being the server to retrieve the java applet from. This is specified in the file:

WinGate\Java\CLIENT.HTM

there is a URL in there for the java client location, with ##WINGATE## in it.

The value for ##wingate## is derived by WinGate itself - it parses this file when it sends it to the client browser. You can however edit this.

try editing it to the token "wingate:80" e.g.

http://##WINGATE##/wingate-internal/Java\

becomes

http://wingate:80/wingate-internal/Java\

Presuming that port 80 is the port that the WWW proxy is running on.

The next link in the chain is that the DNS server must return the correct IP address for the lookup for "wingate". Normally the WinGate DNS server will do this, and return the IP address of the interface that the request was received on.

You can test this by going to that client machine, and from the command line type "ping WinGate". It should return the 10.1.x.x address you need.

So that should get the java client to connect to the correct IP.

Adrien
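The check described in this reply, as an added example that is not part of the original thread or WinGate's own code: it reads the applet codebase out of the served page, resolves that host, and compares it with the address the client actually connected to. The `<applet>` markup in the sample is a constructed assumption about what the browser receives after `##WINGATE##` is substituted; the function names are hypothetical.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample page: ##WINGATE## replaced by the server's LAN address,
# as seen by the client in the thread that connected via 10.1.1.2.
SAMPLE_PAGE = """<html><body>
<applet code="Client.class"
        codebase="http://192.168.1.2:80/wingate-internal/Java"
        width="300" height="120"></applet>
</body></html>"""


def applet_codebase_host(html):
    """Return (host, port) from the first codebase attribute, or None."""
    m = re.search(r'codebase\s*=\s*["\']?([^"\'\s>]+)', html, re.IGNORECASE)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    try:
        port = parts.port
    except ValueError:  # non-numeric port, e.g. an unreplaced placeholder
        port = None
    return parts.hostname, port


def diagnose(html, connected_ip, resolve=socket.gethostbyname):
    """Say whether the applet will call back to the address the client used."""
    found = applet_codebase_host(html)
    if found is None or not found[0]:
        return "no-codebase"
    try:
        ip = resolve(found[0])
    except OSError:
        return "unresolvable"  # name has no DNS record or hosts entry here
    if ip != connected_ip:
        return "mismatch"      # applet targets an address this client did not use
    return "ok"


if __name__ == "__main__":
    # The client reached the proxy at 10.1.1.2 but the page names 192.168.1.2.
    print(diagnose(SAMPLE_PAGE, "10.1.1.2"))
```

A result of `mismatch` or `unresolvable` on the client corresponds to the "No response on port" symptom in the thread: the applet loads or fails from one address and then tries the Remote Control Service on another.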

Dec 13 05 11:33 pm

Hello adrien, thank you for responding.

I did what you advised to do; I edited the line where it stated ##WINGATE## and changed it to wingate:WWW where WWW is the WWWProxy port.

Upon loading the Java Client, the applet being loaded displayed an 'X' which indicated a no-load. I viewed source and discovered that the literal address for the codebase was "http://wingate:www/wingate-internal/Java" and the "wingate" did not resolve to an IP. Even if I were to put the 10.1.x.x IP in the CLIENT.htm, the same behavior was exhibited. However, if I manually entered the local IP of the wingate server, the authentication java client loads successfully. Conclusion: the client is permanently set to send/receive traffic from 192.168.1.x??

More in details:
In trying to access the wwwproxy (assuming 10.1.1.1 is the wingate IP and 10.1.1.2 is the client), I entered 10.1.1.1:WWW in a browser located on 10.1.1.2. I opened a page, and the JAVA client comes up.

"ping WinGate" does not resolve to anything. Moreover, it fails.


-Am I overlooking anything?
-Besides the *proxy ports, what other ports am I "required" to port forward to the computer from my router?

Dec 16 05 12:46 pm

HI

Just re-read your first post.

So you are connecting from the internet, through some router with port forwarding into WinGate, which then proxy-cascades to a proxy to a website.

So, for the Java client to work, the name it thinks it's connecting to must resolve to the IP that you initially connected to from home. Since your home machine won't be using your work's WinGate as a DNS server, then the name "winGate" won't resolve. You can get around this by adding an entry to the hosts file on your local computer to point "wingate" to the IP address you are connecting to.

then you also need to open port 808 on the router and forward that to WinGate as well, since the Java client connects to the Remote Control Service in WinGate in order to authenticate.

Regards

Adrien

Dec 16 05 1:10 pm

adrien wrote:HI

Just re-read your first post.

So you are connecting from the internet, through some router with port forwarding into WinGate, which then proxy-cascades to a proxy to a website.

So, for the Java client to work, the name it thinks it's connecting to must resolve to the IP that you initially connected to from home. Since your home machine won't be using your work's WinGate as a DNS server, then the name "winGate" won't resolve. You can get around this by adding an entry to the hosts file on your local computer to point "wingate" to the IP address you are connecting to.

then you also need to open port 808 on the router and forward that to WinGate as well, since the Java client connects to the Remote Control Service in WinGate in order to authenticate.

Regards

Adrien


Hi,

First, does the RCS port have to be 808? If it does, then that is my problem. Otherwise, I changed the port to something greater than 1024, and I port forwarded that same port to the wingate computer.

I was confused how "ping wingate" would work from the internet, but it was just a misunderstanding.

Second, where is the host file that I have to write to? OR, do I have to create my own and put it in the Wingate system directory?

Dec 16 05 4:16 pm

Hi

The RCS port can be whatever you like - just set the WinGate Remote Control Service to listen on a specified port. It will also need to bind to the interface that is available from the router as well.

the hosts file on NT/2k/XP lives under

System32\Drivers\Etc\hosts

Adrien

Dec 16 05 5:15 pm

Hello,
After thinking about your suggestion, editing that host file will alter the system hosts. Isn't there a local file to wingate that it depends on or is etc/hosts the only file that it depends on?

Also, your suggestion means that I would have to change the host file on all the clients that want to connect. Is this true? Is there any way I can use a function such as manual IP reporting on the server side?

Thanks

Dec 16 05 8:18 pm

Hi

Sorry what I meant was edit the hosts file on the machine trying to connect to http://wingate:someport/wingate-interna ... ient.class

etc

However if there are a lot of these clients, editing the hosts file on each won't help.

in that case you would need some way of looking up the public IP address.

Since there is only one Client.htm, and you need it to work from the inside and outside, whatever name is used for WinGate needs to resolve to the correct IP address for wherever the client is. For clients on your LAN, do they use WinGate as a DNS server? (or do you have an Active Directory?)

I'm still a bit confused about your layout, since you mention internet users, but also users on a 10.0.X.X subnet which are obviously private LAN/WAN users.

Adrien

Dec 17 05 7:51 am

Okay, let me try to achieve this goal by describing the layout that is relevant, and my objective:

[WINGATE] (192.168.1.2)
............................\
..............................<=> (192.168.1.1) Router (10.1.1.2) <=> NAT WAN [ManyUsers (10.1.0.0/16)]
............................/
[Computer] (192.168.1.3)

The Wingate server is currently residing on 192.168.1.2. My goal is to be able to serve the users who are on 10.1.0.0/16 (who are not on the router, thus, not leasing a Class B IP).

Dec 17 05 1:19 pm

OK

What do these users use for a DNS server?

If you can edit records on that, then you can solve their problem of how to find WinGate.

Regards

Adrien

Dec 17 05 2:43 pm

The DNS server is separate from the subnet, and I cannot modify anything
with the server.

Dec 19 05 10:17 pm

Hi

I'm starting to wonder whether HTTP authentication might be a better option. Have you tried that? It won't have the issues of getting access to the Remote Control Service, or Java applets etc.

Adrien

Feb 09 06 9:50 pm

Alright, I have resumed my investigation in trying to make this work.

.... No, I have not tried to use HTTP auth. Where would I be able to set it up?

Feb 09 06 9:58 pm

internet_user wrote:Alright, I have resumed my investigation in trying to make this work.

.... No, I have not tried to use HTTP auth. Where would I be able to set it up?


Well, I just tried to invoke HTTP auth, by unchecking the Java Auth in www proxy. The user trying to connect to the proxy automatically fails with 403, without being allowed to enter a userid/password.

What do I need to do to set this up properly?

Feb 26 06 2:35 pm

internet_user wrote:
internet_user wrote:Alright, I have resumed my investigation in trying to make this work.

.... No, I have not tried to use HTTP auth. Where would I be able to set it up?


Well, I just tried to invoke HTTP auth, by unchecking the Java Auth in www proxy. The user trying to connect to the proxy automatically fails with 403, without being allowed to enter a userid/password.

What do I need to do to set this up properly?


Hello, I'm in a state of confusion as to how I should set up my Wingate for HTTP Authentication to my WWW Proxy. Would you happen to know what I should do in light of the information as stated above? Thanks.

Feb 26 06 3:18 pm

Hi

There are two steps to getting authentication happening.

1. Need to enable authentication
2. need to require authentication in the policies.

for HTTP Basic auth, your policies need to specify "user must be assumed", since Basic auth is not cryptographically strong.

Adrien
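What "not cryptographically strong" means on the wire, as an added example that is not part of the original thread or WinGate's code: a Basic credential is only base64-encoded, so any device that sees the request header can read the user name and password. The function name and the sample credentials are constructed for illustration.

```python
import base64
import binascii


def decode_basic(header_line):
    """Return (user, password) from a Basic auth header line, or None."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() not in ("authorization", "proxy-authorization"):
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None  # Digest, NTLM etc. do not carry the password this way
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed token
    # The user name ends at the first colon; the password may contain colons.
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None


# Constructed sample: the header a browser sends to a proxy for the
# made-up credentials guest / example-pw.
SAMPLE = "Proxy-Authorization: Basic " + base64.b64encode(b"guest:example-pw").decode()

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_basic(SAMPLE))
```

Because decoding needs no key, Basic auth over plain HTTP protects the password only as far as the network path itself is trusted.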

Feb 26 06 3:49 pm

adrien wrote:Hi

There are two steps to getting authentication happening.

1. Need to enable authentication
2. need to require authentication in the policies.

for HTTP Basic auth, your policies need to specify "user must be assumed", since Basic auth is not cryptographically strong.

Adrien


So in my WWW Proxy service:

-I have Java unchecked
-Default rights = "Must also be granted"
-In the Policy section:
-Guests = "User may be assumed"

At this time, the results are the same:
-Clients do not get a window/pop-up asking to authenticate
-Clients are given a 403 error.
-Logs keep on saying Authentication failed for guests

Is there anything else I need/should set in order to invoke Basic HTTP Auth? Thank you.

Feb 27 06 5:49 pm

Hi

So "Guests" is a group you have created?

The other thing is that the user accounts need to be enabled. Is the Guest account enabled?

Adrien

Feb 27 06 7:53 pm

adrien wrote:Hi

So "Guests" is a group you have created?

The other thing is that the user accounts need to be enabled. Is the Guest account enabled?

Adrien


Hello,

Guests is not a group. Guests is just the account and yes, it is enabled. Furthermore, guests belong in the "Ordinary Users" group.