Nov 15 09 5:13 am
This is because the default policies grant access to everyone for NAT, and all proxies. So regardless of how a user connects, there have been no restrictions applied by default. You will need to edit policy to apply restrictions. We strongly recommend against disabling the Guest account, as some internal functions require it to be enabled. If you're using the Windows user database, you can disable Guest in the OS, but have it enabled in WinGate. If you don't want guest access to say a proxy, set rules to require authentication, or use groups and/or policy to specify who can use the system.
If you disable Guest, the access won't be granted to users which are using the Guest account for services. However this can have other undesired issues. You can prevent Guest account from using the WWW proxy (say) without having to disable the account. You need to make the policy not grant access to Guest.
You can also use the policies in the Extended Networking section. This allows you more control. Be aware however, that the connection is reported to WinGate after the first packet has been sent through. WinGate then evaluates the policy and decides if the connection can be allowed to live. If policy blocks the connection, the connection is terminated. This means there can be the odd packet sneak through.
You need to decide whether the users will authenticate, or be assumed. You can set up policy so that an authenticated user can only access from a certain IP, by setting their IP in the locations tab for the policy that applies only to that user. You would need to set up a policy for each user for this though, or at least for each user that you wish to control in this way.
Nov 15 09 5:23 am
.“We strongly recommend against disabling the Guest account, as some internal functions require it to be enabled”
Nov 15 09 5:24 am
Nov 15 09 5:24 am
Nov 15 09 7:13 am
Alen wrote:2. As is known from documentation in Wingate we have System Policy (also called Default rights) and Services Policies, which can be mixed to get desired results of access rights and restrictions. Important is that default System policy is Everyone “Can access services” with “User may be unknown” option, all other services (including Proxies, WRS and NAT (!), which is part of ENS) have no rights assigned to any user, but have Default rights = May be used instead. Plus all services by default have binding policy, which automatically binds services to all internal network interfaces!
3. If you delete from System policies Everyone “Can access services” you will not be able to access RCS service used by Gatekeeper for Wingate configuration.
Alen wrote:4. The address *.*.*.* corresponds to assumed user Guest (!) and this user by default is a member of Wingate built-in Users group!
5. Qbic says you should not disable Guest account:.“We strongly recommend against disabling the Guest account, as some internal functions require it to be enabled”
Consequences:
=> By default All users, including unknown will have access to Internet (they just need to make necessary settings or instal WGIC).
Alen wrote:=> Even if you set “User may be assumed” in the default System policy instead of “User may be unknown”, Guest account (which includes any anknown user) will still be granted access to all the services!!!
Alen wrote:Moreover, even if you also change recipient in the default policy from Everyone to Users group - Guest will still preserve his rights!
Alen wrote:=> If you want to make default settings to deny all users (except Wingate Admin) any access untill specifically granted, then you can try any of the following recepts:
- Delete the default right “Can access services” for Everyone from System policies (by previously adding such right for Administrators group. Nevertheless all services have Default rights option “May be used instead”, as they do not contain any rights for any recipients yet, the effective right will be only for Administrators - “Can access services”, i.e. they will be able to access all services.).
Alen wrote: Or
- Delete Guest account (which is not recommended by Qbic). Or
Alen wrote:- Keep the default System policy, but change its authentication requirement to “User must be authenticated”. Or
- Keep the default policy, but in all enabled services policies change Default rights option to “MUST also be granted” from the default “May be used instead” (The issue with Administrators is also actual in this case. – You should grant them necessary rights for RCS and GDP services).
- Keep the default policy, but change binding policies for all enabled services to unbind all interfaces (except Local Loop for RCS and GDP services at least).
Obviously it’s possible to think out even some more variants, but these ones are the fastest (especially first three of them).
Nov 15 09 7:26 am
Alen wrote:Additional questions:
1. If I run Gatekeeper from the remote PC and authorize as Admin, then access the Internet, will I get Wingate Admin rights or the appropriate assumed user rights according to my PC ip in my above described scenario (Wingate user DB, No authentication with assumed users)?
Alen wrote:2. If I have “User may be assumed” already choosen in System policy for a group and Default rights option is set to “MUST also be granted” in a service settings, is it important what to choose in the service policy rights for the same recipient: “User may be unknown” or “User may be assumed”? As I understand, it does not matter, user has to be assumed as it is required by the System policy, which must also be satisfied!?
Alen wrote:3. You mentioned that (Wingate’s) Guest user account should not be disabled. What if delete it from Users built-in group?
Alen wrote:4. I Need a user, with “read only” rights for security officer, who have to be able to monitor current activities (=> access Gatekeeper -> Activity and Firewall tabs), plus it is desirable for SO to see all (security related) Wingate options, but this is not so necessary. What can be done?
I mention one System policy right: “Users can monitor activity on this server”. Is this what I need?
Nov 16 09 7:36 pm
Alen wrote:
=> Even if you set “User may be assumed” in the default System policy instead of “User may be unknown”, Guest account (which includes any anknown user) will still be granted access to all the services!!!
adrien wrote:
This should not be the case. There are 3 levels in WinGate. Unknown (default, user Guest), Assumed (either by manual IP assumption, or by using an insecure auth method, or cached from a previous authentication session), and Authenticated.
So, when someone connects, yes the username showing will be Guest, but they should not have access to rights that require the user to be assumed.
Alen wrote:
=> If you want to make default settings to deny all users (except Wingate Admin) any access untill specifically granted, then you can try any of the following recepts:
- Delete the default right “Can access services” for Everyone from System policies (by previously adding such right for Administrators group. Nevertheless all services have Default rights option “May be used instead”, as they do not contain any rights for any recipients yet, the effective right will be only for Administrators - “Can access services”, i.e. they will be able to access all services.).
adrien wrote:
Actually no, if you delete all the recipients of the default rights, and have no other grants of rights in any service, then nobody (not even Administrators) will get access. WinGate doesn't grant rights unless there's a configured policy to do so.
Alen wrote:
Or
- Delete Guest account (which is not recommended by Qbic). Or
adrien wrote:
You can't delete the Guest account. You can disable it, but there are problems with that.
So are you saying it's a problem that by default on install access is granted, and that you need to quickly shut it off?
Nov 16 09 9:54 pm
Nov 17 09 7:19 am
Alen wrote:Disagree. Look, I am talking about the default System policy: Everyone “Can access services” with “User may be unknown” option. It is said in the help, that Guest is assumed with *.*.*.* address, which means any non-specified address. As Guest is a member of Everyone group and is assumed, I conclude he will preserve his access even if we switch to “User may be assumed” in the default System policy.
Moreover, with the same logic I can conclude, that as Guest is a member of Users group, anonymous (=all) users will have accesses whenever we grant rights to the Users group with “User may be assumed” option. Have'nt they?
Alen wrote:This is important, because one could think that it is enough just to modify default System policy and change Everyone to Users and “User may be unknown” to “User may be assumed” to prevent Guest users from accessing services (as in Windows OS family Users group by default does not contain Guest or any unauthorised users).
Alen wrote:Exactly! Yes, that is the problem.
Today, when even MS started to think about security ;-) and disables\does not install non-necessary services, does not grant unnecessary rights to users by default as it was in the past, it is strange to see such an approach in a security providing system.
I think this is wrong for such program, unless it is positioned at first as Internet sharing tool, but not security system, or is positioned for SOHO users. I don't know, may be it is positioned for SOHO segment and it was my mistake to choose it for company needs...
But yes, as best practices says, better to deny access for all and then grant only required access to only required persons. So this is my target.
Nov 17 09 7:26 am
Alen wrote:Two small additional comments:
1. If someone leaves "User may be unknown" option in any policy then it is useless to choose specific user or group as recipient of that policy, as the effective recipient will be Everyone!
This is obvious, but not mentioned with "right" words in the help. It should be writtent by large red font as caution. :-)
Alen wrote:2. In fact the option (could be found in all services Policy tab) Default rights = "Are ignored" is more secure than "May be used instead"! Don't look at their succession in drop down window, the criterion there is not security, but just common logic:
Only this one (Are ignored) - Any of the two (May be used instead) - Both of them (Must also be granted).
If we choose security as succession criterion we get this succession:
May be used instead - Are ignored - Must also be granted.
Alen wrote:A question:
When by mistake the rights for RCS is deleted, but the binding to Local Loop for that service is in place, isn't it possible for Admin to login into Wingate locally on the server?
Nov 17 09 8:41 pm
If the help file says that it is wrong.
Notes:
Only WinGate DHCP clients can use computer name-based assumptions.
When you set up IP assumptions (locations) you can use the wild card * to mean ‘any’.
IP Assumptions are read from the top down. They will associate with the first match.
e.g.:
192.168.0.1 john
192.168.0.3 alf
192.168.*.* fred
192.168.0.* cilla
The problem here is that Cilla will never be reached because line 3 - fred, covers anything that is not 192.168.0.1 or 192.168.0.3.
If Cilla was promoted like this:
192.168.0.1 john
192.168.0.3 alf
192.168.0.* cilla
192.168.*.* fred
Then Cilla would be assumed for any connection from the 192.168.0.* range of IPs except 192.168.0.1 and 192.168.0.3, and if someone connected from the IP address 192.168.1.12, it would be associated with Fred.
There is an implicit assumption of *.*.*.* ? Guest, as anyone who has not logged in, and has no assumption, is in fact a Guest. This is logically at the bottom of the list, as it will associate with any IP.
that's how it is intended to work.
we haven't had any other complaints about that, but we have had many complaints when people can't get access working, whether they are home users, or corporates. By default we only grant access to the internal networks, which is 99.9% of the time what customers want to do. So we save them configuration, and more importantly learning how to configure it.
Sorry, I'm missing your point - are you saying the sequence of options in the drop-list is illogical?
Nov 18 09 11:12 am
Alen wrote:If the help file says that it is wrong.
Here is the exact citate (may be I understand it incorrectly, I am not sure.):Notes:
Only WinGate DHCP clients can use computer name-based assumptions.
When you set up IP assumptions (locations) you can use the wild card * to mean ‘any’.
IP Assumptions are read from the top down. They will associate with the first match.
e.g.:
192.168.0.1 john
192.168.0.3 alf
192.168.*.* fred
192.168.0.* cilla
The problem here is that Cilla will never be reached because line 3 - fred, covers anything that is not 192.168.0.1 or 192.168.0.3.
If Cilla was promoted like this:
192.168.0.1 john
192.168.0.3 alf
192.168.0.* cilla
192.168.*.* fred
Then Cilla would be assumed for any connection from the 192.168.0.* range of IPs except 192.168.0.1 and 192.168.0.3, and if someone connected from the IP address 192.168.1.12, it would be associated with Fred.
There is an implicit assumption of *.*.*.* ? Guest, as anyone who has not logged in, and has no assumption, is in fact a Guest. This is logically at the bottom of the list, as it will associate with any IP.
Alen wrote:that's how it is intended to work.
Of course. I am just saying it differs from what we are accustomed as Windows OS users (begining from XP MS even does not include Anonymous into Everyone by default. In Wingate the role of Anonymous is playing Guest, which is not just a member of Everyone, which is quite logical though, but even "Users" group). Just unusual for me. And in my Wingate conspect ;-) I mark this fact as important.
Alen wrote:we haven't had any other complaints about that, but we have had many complaints when people can't get access working, whether they are home users, or corporates. By default we only grant access to the internal networks, which is 99.9% of the time what customers want to do. So we save them configuration, and more importantly learning how to configure it.
Let me wrote some notes on the marked part as offtopic.
If admin and/or security officer are deploying security system without previously and totally learning its features, nuances (like I found for me in Wingate) and configuration tricks they should be fired. This is my principal position, and I am uncompromising here. Myself I read the whole help file of Wingate once and wrote a conspect. Now I am reading my conspect and clarifying ALL unclear questions. This takes about 2 months from me (because I have too much work and I am reading mainly in my free time) and I have not have a single thought to deploy it without being fully ready for it. And this is the only way for responsible and professional staff. IMHO. (The way of samurai ;-)).
Anyway, I don't want to dispute on the defaults you choose. You decide. I just like and is accustomed with the approach of no rights by default, only for Admin to configure (if we talk about security or financial systems, not internal standard application server)...
Alen wrote:Sorry, I'm missing your point - are you saying the sequence of options in the drop-list is illogical?
No, not of course. I am saying, that for my opinion their sequence logic is not based on the security level they provide, because Default rights = "Are ignored" is more secure than "May be used instead". That's all.
Alen wrote:Depending the RCS service, I was just asking, is it necessary to use this service, when you try to login locally!? To all appearances it is necessary (regardless it is called Remote CS).
Nov 18 09 7:53 pm
OK, I can see what the help file is getting at, but the key point to remember is that even though we consider any unknown user to be "Guest", they don't get the elevated security privileges associated with being "assumed". They are still considered unknown.
Don't get me wrong - I think it's great you are spending so much time researching first. It's a big help file though. I'd also recommend setting up a test rig though, because some of these things can be clarified quickly with a test where the help file may not be clear.
I kinda see your point, but actually no method is any more secure than any other. They are just different methods of combining the policy logic. The security comes down to the actual logic in the end.
Since our policy system is a system of granting access (rather than denying it), the "may be used instead" can be used to grant access in a service where it wouldn't otherwise be granted by system policy. So it's a convenience thing.
So it's a convenience thing.
So yes, you do need it always, which is why
* it can't be deleted
* if you clear all the bindings and restart, it will recreate bindings
Nov 18 09 8:08 pm
Nov 19 09 12:45 am
Alen wrote:OK, I can see what the help file is getting at, but the key point to remember is that even though we consider any unknown user to be "Guest", they don't get the elevated security privileges associated with being "assumed". They are still considered unknown.
Ok, clear. This means Guest is not an assumed user and if we choose "User may be assumed" Guest is excluded from users who pretend to the rights.
But one question still is not clear: if the same time Guest is a member of the Users group, then what will happen if we grant rights to that group, but with "User may be assumed" option?
Any answer here will be partially illogical. ;-)
Nov 19 09 12:50 am
Alen wrote:I am reading about filters and criterions in Ban and Advanced tabs of the Recipient properties. Have 2 questions:
1. What is the difference between these two tabs? As I understand the first is convenient for creating bans (black list), the second - permissions (white list). The same time as I can understand, only one can be used for both tasks, it's just a matter of convenience. Is it? Or there are also important differences between them?
2. If a filter contains two criterions for only one of which “Criterion is NOT met if” option is chosen, then will the filter come into force in the case of at least one criterion is satisfied =>
Any case, which satisfy to the terms set for “Criterion is met if” and\or
Any case, except that which satisfy to the terms set for “Criterion is NOT met if”?
Nov 19 09 1:21 am
So, your unknown Guest will still fail policy if your policy only grants access to users assumed or higher.
It is actually possible to have Guest be elevated above unknown, but it requires either
a) the user Guest to be assigned a password, and someone actually authenticate with the username Guest and the password.
b) if you set up an assumed user and assign it to Guest I think it becomes assumed.
The ban-list is a list of exclusions from granting the right.
What this means is that if the request matches ANY entry in the banlist, the right won't be granted by that policy.
The advanced tab (if you use it) must match in order to grant rights.
The structure of policy with the advanced tab is that
ANY filter can match to grant rights (filters are ORed)
ALL criteria in a filter must match for the filter to match (criteria are ANDed)
1. All access methods in Wingate (NAT, Proxy and WGIC) are introduced and working as services, particularly: WRS for WGIC method, NAT method as part of ENS service and Proxies as user services.
2. For users to connect to the Internet we have to assign to a recipient (user or group) a right to access a specific service(s) in the Service policy or all services in System policy (effective rights depend on the option “Default Right” found for each service policy window). Then we can set conditions on which recipient will use the right in the recipient properties window: allowed or forbidden location from where recipient is trying to use the right (Location), time right is granted or taken (Time tab), sites and servers allowed or forbidden under certain circumstances which depend on the filters (i.e. rules) created (Ban and Advanced tabs).
Each filters contains one or more criterions. Essentially, all filters in a policy are joined with Boolean/conditional ORs. This means that if either filter evaluates to true, then the activity is restricted/allowed (depending on how you have configured it). On the other hand, the rules criterion within filters are joined with Boolean/conditional ANDs, which means that they must all evaluate to true for the specific filter to apply.
In criterions you use variables. The variable type determines what comparisons you can make with that variable: if the variable is a number, you can check whether a number you specify is greater than, less than, or equal to the variable you select; and if the variable is a string then you can apply comparisons such as "contains", "begins with", "ends with" or is "empty".
A right in Advanced tab is granted or prohibition in Ban tab is applied if at least one of its rules (filters) comes into force.
A rule comes into force if all of its criterions are satisfied at once.
Note: If “Criterion is NOT met if” option is chosen, then the criterion is satisfied in all cases except those which satisfy to the term set for the option.
Nov 19 09 1:30 am
What this means is that if the request matches ANY entry in the banlist, the right won't be granted by that policy.
Nov 19 09 1:51 am
Alen wrote:The ban-list is a list of exclusions from granting the right.
So it is used to create black lists. Ok.
Alen wrote:What this means is that if the request matches ANY entry in the banlist, the right won't be granted by that policy.
Let's call things by their names (you make it difficult to understand when use common terms or phrases): entry here is a filter!? => If the request matches ANY filter in the banlist, the right won't be granted by that policy!
Ok, clear.
Alen wrote:The advanced tab (if you use it) must match in order to grant rights.
So this is used to create white lists. And to make full analogy with the Ban list definition you gave it's better to say: The Advanced tab is a list of permissions for granting the right.
I think it's even better to say:
Ban tab is a tool to create exclusions from granting the rights, while Advanced tab is a tool to create permissions for granting the right.
Sorry for my annoyance.
Alen wrote:The structure of policy with the advanced tab is that
ANY filter can match to grant rights (filters are ORed)
ALL criteria in a filter must match for the filter to match (criteria are ANDed)
Clear.
Now please check this small text I wrote for myself to quickly switch to Wingate logic in future (it's just a part of the whole text):1. All access methods in Wingate (NAT, Proxy and WGIC) are introduced and working as services, particularly: WRS for WGIC method, NAT method as part of ENS service and Proxies as user services.
2. For users to connect to the Internet we have to assign to a recipient (user or group) a right to access a specific service(s) in the Service policy or all services in System policy (effective rights depend on the option “Default Right” found for each service policy window). Then we can set conditions on which recipient will use the right in the recipient properties window: allowed or forbidden location from where recipient is trying to use the right (Location), time right is granted or taken (Time tab), sites and servers allowed or forbidden under certain circumstances which depend on the filters (i.e. rules) created (Ban and Advanced tabs).
Each filters contains one or more criterions. Essentially, all filters in a policy are joined with Boolean/conditional ORs. This means that if either filter evaluates to true, then the activity is restricted/allowed (depending on how you have configured it). On the other hand, the rules criterion within filters are joined with Boolean/conditional ANDs, which means that they must all evaluate to true for the specific filter to apply.
In criterions you use variables. The variable type determines what comparisons you can make with that variable: if the variable is a number, you can check whether a number you specify is greater than, less than, or equal to the variable you select; and if the variable is a string then you can apply comparisons such as "contains", "begins with", "ends with" or is "empty".
A right in Advanced tab is granted or prohibition in Ban tab is applied if at least one of its rules (filters) comes into force.
A rule comes into force if all of its criterions are satisfied at once.
Note: If “Criterion is NOT met if” option is chosen, then the criterion is satisfied in all cases except those which satisfy to the term set for the option.
Is this correct?
P.S. I am happy you answered my questions the same day this time (I have only 3 days till deployment and waiting a whole day for answers is very "expensive" for me...)
Nov 19 09 2:07 am
the thing to remember is it's a blacklist only for that particular recipient. If there are multiple recipients defined in policy (e.g multiple entries in a proxy service under "user can access services"), then if any grants access to a request, it will be granted. Therefore the recipients aren't all necessarily independent.
The filter is evaluated differently from filters in the advanced tab though in that criteria are ORed for the banlist filter to match, and right is not granted if banlist filter matches.
But I think you understand
Nov 19 09 2:11 am
I must get you to write the next WinGate helpfile :)
Nov 19 09 10:02 pm
Alen wrote:the thing to remember is it's a blacklist only for that particular recipient. If there are multiple recipients defined in policy (e.g multiple entries in a proxy service under "user can access services"), then if any grants access to a request, it will be granted. Therefore the recipients aren't all necessarily independent.
This clear.
But the last sentence gave birth to a new question: if we have restricted rights for a recipient, but we have the same rights unrestricted (let's suppose for example) for another recipient - group, which contains the first recipient. What will be the effective rights for the first recipient?
I hope restricted right!?
Alen wrote:And if multiple restrictions for the same rights exists for the same recipient (through his "parents") do all restriction work on him?The filter is evaluated differently from filters in the advanced tab though in that criteria are ORed for the banlist filter to match, and right is not granted if banlist filter matches.
But I think you understand
No Adrien, I didn't, but I was beware of it, that's why I asked you to pay high attention to the marked sentences. Now I have to change it to this (the second sentence was changed):
A right in Advanced tab is granted or prohibition in Ban tab is applied if at least one of its rules (filters) comes into force.
A rule (filter) of Ban tab comes into force if any of its criterions are satisfied, while for Advanced tab it comes into force if all of its criterions are satisfied at once.
Nov 20 09 1:27 am
the restrictions don't accumulate, the grants do. Each policy you add, adds a little bit more to what users can do.
So logically all the policy definitions (need a good name for the thing you are editing when you edit "properties for recipient XXX") are ORed. If ANY grants access, then access is granted. When you think about it, it must be this way otherwise how could you have a recipient of rights for Bob, and Jim. A user cannot be both Bob and Jim.
It does make it a bit trickier sometimes to figure out the complete policy logic. this is another reason why we re-wrote policy in WinGate 7. You might like to take a look at that
Nov 20 09 9:25 am
Alen wrote:the restrictions don't accumulate, the grants do. Each policy you add, adds a little bit more to what users can do.
Ok, let's write this way:
If a user is recipient (through membership in different groups) of many “instances” for the same policy right, then restrictions defined in the recipient properties for all instances of the right do not accumulate, but permissions do.
Thus each new policy you add (for the existing right of some recipient), can add a little bit more to what respective users can do by extinguishing existing restrictions and never add new restrictions. Simply saying: in Wingate permission overwrites restriction.
But, wait a moment, it is hard to believe it.
Let's suppose a user, member of the Users group has a personal right to use web proxy and the only restriction is http://www.ms.com banned. Then we create new policy and grant Users group a right to use web proxy with the only restriction: http://www.int.com banned.
What we get as resulting policy for the user? He can go everywhere or everywhere except the two sites?!
Alen wrote:So logically all the policy definitions (need a good name for the thing you are editing when you edit "properties for recipient XXX") are ORed. If ANY grants access, then access is granted. When you think about it, it must be this way otherwise how could you have a recipient of rights for Bob, and Jim. A user cannot be both Bob and Jim.
I did not understand what you say.
But I can say that the problem obviously is again in the fact for me it's usual that "Deny" overwrites permission, but as I understand in Wingate we have reverse situation: permission overwrites restriction! And that's why we have what we have...
Alen wrote:It does make it a bit trickier sometimes to figure out the complete policy logic. this is another reason why we re-wrote policy in WinGate 7. You might like to take a look at that
Thank's, but no, I have so much to do, you even could not believe (finish corporate network infrastructure upgrade and finally create intranet, provide branches Internet via central point - head office, finish corporate IS Policy documents "infrastructure", migrate domain to AD and include all branches into one domain, consolidate all servers in head office, create warm back-up site, deploy IP telephony over intranet and many others. And this is global tasks, I am not talking about everyday routine...
Hope i'll finish all during my life :-)).
So I hope I'll install and tune Wingate one time and then it will work stable almost without any changes for a long time (only periodical OS and Wingate updates and new users registration).
Alen wrote:New question:
What if I make settings to allow for only assumed users to get access to the Internet and make no assumption for Wingate server ip? WIll Internet work on the Wingate machine?
What about the same situation, but immediately after Admin loges into Wingate? Or it (credentials caching) does not matter here?
Nov 20 09 9:38 pm
if you think of each thing as a permission (perhaps with restrictions), with WinGate 6.x you are only adding permission. Denial results only when no permission is granted (rather than other systems which explicitly deny).
I understand. So you don't foresee a need to do things like maintain a whitelist of sites? This can be difficult in WinGate 6. In WinGate 7 you can have your site whitelist in a DB.
Thats why I suggested you take a quick look at WinGate 7. I think it could well be worth spending 30min to look at it. Many things are the same, so you don't need to relearn everything, but policy will allow you to do what you want.
Alen wrote:
New question:
What if I make settings to allow for only assumed users to get access to the Internet and make no assumption for Wingate server ip? WIll Internet work on the Wingate machine?
What about the same situation, but immediately after Admin loges into Wingate? Or it (credentials caching) does not matter here?
adrien wrote:
Unless the software you are using is configured to connect to the proxy on the WinGate machine, then it's not restricted. It's common for instance to set the proxy configuration for the browser on the WinGate machine to locahost and go out through WinGate. In this case, it's treated like any LAN user (except it doesn't affect license count). If you log in with GateKeeper, you'll associate credentials for that IP, which will be cached.
Nov 21 09 12:51 am
Nov 23 09 5:30 pm
Alen wrote:I'll have whitelist (as you remember I want to allow NAT only for a couple of addresses and sites, which does\will not work via Proxy), and I am going to realize it as one filter in the Ban list with "This crirerion is NOT met if" type criterions with all the sites from the white list (e.g. wingate.com, ms.com).
As I understand this will mean: Ban all NOT equal to wingate.com and ms.com.
Or this will not work properly as criterions in Ban list are joined with logical OR, not AND? And the result will be only first site is allowed?
Alen wrote:If so, then I'll use Advanced tab and create individual filters with single criterion for each white site\address. This will work for sure.
Alen wrote:Thats why I suggested you take a quick look at WinGate 7. I think it could well be worth spending 30min to look at it. Many things are the same, so you don't need to relearn everything, but policy will allow you to do what you want.
Let me deploy 6-th first, then one sunny day, I'll look at 7-th.Alen wrote:
New question:
What if I make settings to allow for only assumed users to get access to the Internet and make no assumption for Wingate server ip? WIll Internet work on the Wingate machine?
What about the same situation, but immediately after Admin loges into Wingate? Or it (credentials caching) does not matter here?
adrien wrote:
Unless the software you are using is configured to connect to the proxy on the WinGate machine, then it's not restricted. It's common for instance to set the proxy configuration for the browser on the WinGate machine to locahost and go out through WinGate. In this case, it's treated like any LAN user (except it doesn't affect license count). If you log in with GateKeeper, you'll associate credentials for that IP, which will be cached.
Wait a moment. All my services, including NAT will be available for use for Assumed users only, why should it work?!
I am seriously thinking about preventing Internet to work on Wingate itself by default, because my admins periodically install some apps on it, which is inadmissible for my opinion...
Nov 23 09 5:39 pm
Alen wrote:Adrien, yesterday night I went deep with filters and criterions (only logical experiment on paper, I did not try it on Wingate), and here is what I found out for Advanced tab, this is also applicable to the Cache filters (for better understanding it is supposed we are granting service access right and the recipient is Everyone group).
I looked at:
1. one filter with a couple of the same criterions: both criterions positive, both negative, mixed
2. one filter with a couple of different criterions: both criterions positive, both negative, mixed
3. two filters each with a single and of the same type criterions: both criterions positive, both negative, mixed
4. two filters each with a single, but different between each other criterions: both criterions positive, both negative, mixed.
Positive here means criterions in “Criterion is met if” kind, Negative - “Criterion is Not met if” kind.
For example, let's take 2 criterions Username equals one to Bob (Criterion X), the second to John (Criterion Y), and another criterion Session description contains wingate.com (Criterion A).
(It is supposed X neither equal, nor contains, nor is contained into Y. This is important.)
1. Filter contains two criterions of the same type:
1.1 [X and Y] = empty variety => No one will be granted the right.
1.2 [(Not X) and (Not Y)] => everyone, except Bob and John, will be granted the right.
1.3 [X and (Not Y)] = X => the right will be granted to Bob only.
2. Filter contains two criterions of different types:
2.1 [X and A] => Bob (and only him) will be granted the right to visit *wingate.com* sites only
2.2 [(Not X) and (Not A)] => Everyone can access everything, except Bob, who cann't access *wingate.com* sites (others can)
Alen wrote:2.3 [X and (Not A)] => the right will be granted to Bob only to visit any sites, except *wingate.com* sites
3. Two filters each with one, but of the same type criterion:
3.1 [X or Y] => Bob and John both will be granted the access
3.2 [(Not X) or (Not Y)] => Everyone will get access for everything, no effective restrictions
3.3 [X or (Not Y)] = Not Y => the right will be granted to Everyone except John
Two filters each with one (but different between each other) criterions, the first - X, the second - A
4.1 [X or A] => Bob will be granted the right to visit anything, while all others *wingate.com* sites only
4.2 [(Not X) or (Not A)] => Everyone can access everything, except Bob, who cann't access *wingate.com* sites (others can) (the same result as for 2.2!?)
4.3 [X or (Not A)] => Bob is allowed everything, all others - everything, except *wingate.com* sites.
And the most important results (for when we suppose X neither equal, nor contains, nor is contained into Y):
When creating filters for a Recipient to grant him an access right:
Don’t use two or more “positive” and independent (non-overlapping) criterions of the same type in one filter! As Recipient would not be granted any access at all (by this filter)!
E.g. if you use filter with 2 criterions: “Username” equal to Bob and “Username” equal to John, then as Username can not be Bob and John simultaneously, noone will be granted the right by this filter!
Alen wrote:Don’t use two or more “negative” and independent (non-overlapping) criterions of the same type in different filters! As Recipient would not be restricted at all by the filters and all members of the Recipient will be granted full access!
E.g. if you use 2 filters with 1 criterion in each: I - “Username” Not equal to Bob, II - “Username” Not equal to John, then every member of the respective Recipient, including both Bob and John, will be granted the right by this filters. This is because filters are applied with logical OR, and thus John will be granted the right as one of the users who satisfy to the first filter (Not Bob), and Bob – the second (not John)!
In case criterions are not independant, i.e. X contains or is contained into Y these nuances went away.
And one very usefull sentence form the help:
If you want multiple filters, but disallow some specific criterion (i.e. use "negative criterion"), make sure you include this disallowed criterion in every filter! This applies to all rules in WinGate (including rules for caching and service access)!
Nov 23 09 10:05 pm
Alen wrote:
...
2. Filter contains two criterions of different types:
...
2.2 [(Not X) and (Not A)] => Everyone can access everything, except Bob, who cann't access *wingate.com* sites (others can)
adrien wrote:
actually others can't either. No-one can visit wingate.com if Not A is set. Bob can't go anywhere.
It's important to realise the logically incorrect usage of the english language. We say John AND Bob are allowed access. Really the correct logic is John OR Bob, since the check is "is the user John, or Bob? if so allow". Since the user can't be both John and Bob, requiring both makes the grant impossible to match.
Nov 23 09 10:42 pm
Alen wrote:
I'll have whitelist (as you remember I want to allow NAT only for a couple of addresses and sites, which does\will not work via Proxy), and I am going to realize it as one filter in the Ban list with "This crirerion is NOT met if" type criterions with all the sites from the white list (e.g. wingate.com, ms.com).
As I understand this will mean: Ban all NOT equal to wingate.com and ms.com.
Or this will not work properly as criterions in Ban list are joined with logical OR, not AND? And the result will be only first site is allowed?
adrien wrote:
that won't work, as the request will be blocked if
site NOT A OR
site NOT B OR
etc
since site cannot be both A and B, this will block everything.
Alen wrote: If so, then I'll use Advanced tab and create individual filters with single criterion for each white site\address. This will work for sure.
adrien wrote:
Yes, the only way to do a whitelist is with an individual filter and criterion for each whitelisted site.
A right in Advanced tab is granted or prohibition in Ban tab is applied if at least one of its rules (filters) comes into force.
A rule of Ban tab (filter, which is not visible in Ban tab) can contain only one criterion and thus comes into force anyway, while for Advanced tab whcih has not such limitation it comes into force if all of its criterions are satisfied at once.
Note: In fact there are no filters found in the Ban tab, only criterions. But logically there are "invisible" filters there (it's convenient to think so to preserve the common logic), which contain only one criterion. And thus any criterion in the Ban tab belongs to its individual filter!
=> As in Wingate filters are joined with logical OR, criterions in the Ban tab are also joined with logical OR (and the reason of this is simply the fact each of them represents a separate filter!)!
If you connect to localhost (127.0.0.1), this does not affect NAT, since the localhost interface is not visible to NAT / NDIS. It's implemented in a higher layer in the stack, and doesn't go down that far.
You never actually do NAT from the WinGate machine anyway, since it will always bind to the external interface to connect to the internet, and no translation is required.