Need help configuring authentication for browsing only.

[mattslay]

I need help configuring WinGate 6.2 for the following simple structure:
Email (via POP3 proxy) with *NO* authentication required, *BUT*
Internet Explorer Web Browsing that *DOES* require user authentication.

I'm using the WinGate user database and each user who I wish to give Web Browsing rights to is an a group named WebUsers.

ALL users should get POP Mail without having to authenticate, but some of those users are in the WebUsers group, and they should have to authenticate before Browsing, but not when using Outlook.

I have played with it for HOURS, and I cannot find the right combinations.

I know how to do the POP3 proxy client side setup, I just need help with the setting up the WinGate server the right way to handle the authentication schema I have described above.

[ChrisH]

Hello, I would suggest under the Services tab in GateKeeper selecting the WWW Proxy server , then the Sessions tab, then enabling the Transparent proxy selection box. Then select OK. This then will allow WG to intercept all Web traffic and then you can apply your 'WebUsers' policies and apply authentication only to browsing. Next select the Policies tab, delete the 'Everyone' group and add the 'WebUsers' group by selecting the 'Add' button, then select Specify user or group , then select and choose 'WebUsers', then select User may be assumed. Now OK back out to Policies and select Default rights (System policies) are ignored from the drop down box, then OK back out to GateKeeper. Now only the 'WebUsers' group should be able to browse and they will be presented with a basic login box where they will enter their WG username and password. Let us know if this helps.

[mattslay]

Chris - What you suggested is what I have in place already, which makes the WebUsers authenticate for Web Browing, but it *ALSO* makes them Authenticate for POP3 Proxy mail though Outlook.

So, let's look at the POP3 Server, POP3 Proxy, and Winsock Redirector Service, to see what I need there.

I have 'EVERYONE' on the POP3 Server and POP3 Proxy, with 'may be unknown', and Ignore default System Policies. That sure seems like it should do what I want, but it does not!

I think the biggest problem must be in the way I have 'Winsock Redirector Service' set up. I have tried two things here... If I have WebUsers only in the Policies, then BOTH apps have to authenticate. If I add EVERYONE, then both apps will work *WITHOUT* authentication.

It seems that 'Winsock Redirector Service' is the big boss here, and overrides whatever is in place on the proxy side.

No matter what I try I either get Authentication for Both, or I get No Authentication for both.

[ChrisH]

Ok, I would then suggest that you have both the Everyone and WebUsers group listed in the WRS policies, but add an advanced filter under Everyone that states This Criterion is NOT met if Server port number equals 80. This should stop no authentication required via the Everyone policy when browsing. Lets us know if tthis helps.