SSL logging when in transparent mode

[SpareRib]

Hi,

I'm evaluating using Wingate for a medium sized organisation (~800 staff). So far i'm quite impressed with the setup of the WinGate product. We're currently running ISA 2004 and looking for a replacement. it was going to be a no brainer to TMG until Microsoft discontinued that product :(
So far WinGate appears to be able to replace our ISA servers from an explicit proxy point of view, and is a lot cheaper than the appliances I've looked at so far.

We also have a parallel project looking at tracking usage within a wifi network provided for staff to use with their own devices. At this stage we're not looking to require authorisation, however we would like to be able to track the volume of traffic per device to help track down abusers of the system. This would ideally be through a transparent proxy.

At this stage I have a couple of questions for each project i was hoping to enquire about. Please forgive me if these are answered elsewhere in the forums or help files.

• As I'm not yet able to load test the product, do you have any estimates on maximum users per server/cpu? or just any performance metrics in general?
  I understand this would be impacted by the rules in place and user's browsing habits.
• If I was to deploy multiple WinGate servers, is there any way to syncronise the configuration of them all? eg to keep data lists and rules/policies consistent
• When an SSL connection is made, i know you can't inspect the URL etc (without providing a signing certificate), but is there any way to capture the amount of traffic for volume/bandwidth per source IP/MAC tracking?
• I've found the IP black hole feature, is there a similar MAC/Physical Address blackhole? Or should this be implemented as a new policy performing a data list lookup?
• What support options are offered by qbik? As we would rely somewhat on the ability to browse through the proxy, downtime would not be favourable :)

Thanks,
Ribs.

(edit - changed subject to remove intercept reference)

[adrien]

Hi

Yes we were quite perplexed but by no means unhappy when MS announced sunsetting TMG.

For a modern processor (e.g. current and last gen Intel Xeons) we've seen several hundred users per core. Load can be greatly affected by things like as you say policy, but also things like logging, AV scanning or content analysis.

One customer I know the metrics of had 4000 users (2500 concurrent) going through 8 cores (hyperthreaded to 16 kernel threads) at 2.4 GHz (Xeon E5620 x 2), and only loading it about 5%. They had WinGate pared right back though. In some cases, the bottleneck can be upstream bandwidth rather than number of users.

For 800 users though, especially those relying on internet access, I would recommend some kind of hot standby or NLB setup. It should be possible to use Hyper-V or VMware for HA as well, and I know of some users using replication to synchronise config between primary and backup installs.

It's also possible to synch settings by way of registry export and import, although this requires a WinGate restart. Otherwise 2 WinGate Management apps (1 connected to each WinGate server) can be used side by side, and some things can be drag / dropped between, or export / import (such as policies). We have plans to improve this to make things a lot easier for multiple installs to be synchronised automatically.

For SSL connections, the logging associated with that should be logging the traffic as well. In the WWW proxy usage logs, it will show up as a CONNECT request, and log data usage. In the diagnostic logs this is also logged at info level.

MAC filtering... Access to the MAC address isn't reliable unless your clients are on the same ethernet segment - routers rewrite the source and dest MAC address when they forward a packet, so we don't have MAC filtering, although we have plans for it, as it's useful for smaller networks or WiFi especially.

Support. We do mostly remote electronic, e.g. email, skype, chat, or remote desktop support, and have extended hours (6.00am until about midnight NZST and Sat mornings). But we are based in New Zealand. Depending on where you're based, you may have a local dealer who can provide support, although they will generally revert to us for any sticky issues. We could look at more urgent access regimes if required.

Regards

Adrien

[SpareRib]

Hi Adrien,

Thanks for the response. A small bit of background, we're based in New South Wales, Australia. If you'd like more info I'm happy to take the discussion offline.

I'll try to split my questions per project if i can. As they will have different setups, it might get confusing if it looks like i'm asking competing questions.

Project 1 is ISA replacement

• Explicit proxy setup
• Domain joined machines
• Mostly hard wired. Some wireless but still domain joined with internal LAN access
• AV scanning enabled
• Content scanning to be evaluated

Project 2 is tracking usage of "hotspot" style WiFi - the goal is to minimise the chance of abuse of the service by over-downloading.

• Transparent proxy
• Personal Devices - smart phones, laptops etc owned by staff, directors, contractors etc
• MAC based usage tracking if possible
• We'd prefer not to require any authentication (captive portal etc)

Project 1
Since we have two main data centre sites (<1 ms latency cross site), the plan would be to install WinGate on at least 2 servers with a load balancer sharing the love around.
This is where the query regarding configuration syncing comes from. As we currently use ISA standard, we already have to make config changes on 2 servers manually. It's a pain and i'd like to avoid that with whatever replacement we choose if possible.
I've seen that WinGate has the ability to load lists from files. Is this done real time (on file change) or only at service start? if it's realtime, i could probably engineer my own solution for the majority of config changes...

At the moment, it appears WinGate is a suitable replacement of our explicit proxies. The Configuration syncing would have been the icing on the cake.

In terms of the AV scanning, I can see the pricing per 2 yrs. is this the total cost? No more hidden per user costs that we need to pay for definitions etc?

Project 2
This is the project for which i was asking about the SSL tracking. I've done some basic testing using WinGate as a Transparent proxy, but I'm unable to obtain SSL session usage information. It just doesn't seem to show up in either the NAT logs or the WWW Proxy logs. Again, i'm not looking for URL information or domain names, simply source ip, destination ip and bytes sent/rec. I've tried with and without intercepting port 443.
I can see the sessions appear in the Activity monitor but not in the logs. Do i need to enable something to log this information? The NAT log only seems to log Denied connections.
Normal http traffic shows up as expected in the WWW proxy logs.

Ideally we'll be setting up a proxy (wingate hopefully) between our clients and the main gateway in the wifi network. this should place it on the same subnet and allow reliable MAC address capturing.

I found the support options not long after I posted, wasn't hard really i just hadn't looked before posting. Lazy me.

Cheers,
Brendon

On an unrelated note, any idea why the ordered list doesn't work in the forum? maybe i'm using it wrong. I didn't submit any posts with it, but the preview doesn't seem to work.

Code:

[list=]
[*]item 1[/*]
[*]item 2[/*]
[/list]

results in:-
[list=]
[*]item 1[*]item 2[/list]

[adrien]

HI

data lists linked to files check the file timestamp each time, so will notice if a file changes, and reload it. So you could use directory replication for this.

As for AV, the only cost is the annual license fee, which covers signature updates. You can get 1yr or 2yr terms and renewals.

For NATed SSL connections, there are several options, but if you want to get data usage logged without configuring clients to use the proxy, you would need to intercept port 443 either to

• a WWW proxy, but not enable https inspection, as this only really works for explicit proxy configurations where the client initially talks http to the proxy (to set up a tunnel for SSL->https)
• a TCP mapping proxy. In this case, disable the default mapping, and don't create any mappings, then the destination will be the originally intercepted one.

I'd probably go with the former, since it has usage logging.

looks like for the list, you need to remove the = in the list tag

Regards

Adrien

[adrien]

p.s. if you intercept port 443, the client expects to be talking TLS/SSL.

So you can't cause WinGate to send back things like http error messages, which means doing things like:

* requiring auth
* blocking sites

There's not really any great solution for this, since to send a response back that the client will swallow requires setup of a TLS layer, which requires the client to swallow the certificate WinGate uses for signing, which will only happen if the client has that certificate installed and trusted

Have you checked into WPAD? That can work quite well, to get mobile and casual users to explicitly use the proxy after discovering it. Proxy auto-detect is commonly enabled by default.

Regards

Adrien

[SpareRib]

Hi Adrien,

It sounds like the explicit proxy to replace ISA 2004 will do what i want...However I've noticed two strange things so far.
1. YouTube clips stream ok, but some of them stop streaming after about 5 mins. Eventually they start playing again after some time. At one point I noticed in the activity monitor "No Content" or something like that. I'll keep an eye on it again today if i can. It shouldn't be a lack of bandwidth as all clips buffer without issue. unfortunately the buffering stops completely and the clip catches up to it.
2. iTunes frequently asks for the proxy credentials, despite me allowing it to save the credentials. When the prompt comes up, it indicates that the authentication failed, altho resubmitting the same credentials (which were saved) works straight away. This doesn't seem to occur with ISA.


As for the WiFi tracking, I've asked the other engineer working on that project to consider the WPAD option.
The first issue he had with this option is the use of gmail accounts, which use IMAP/s, which apparently doesn't use proxies. He'd still like to track this usage somehow.

For tracking usage against MAC addresses, I thought about the possiblity of automatically creating a user account the first time a new MAC is used (detected as not authenticated), and then creating a credential rule to associate the physical address with the new user account. However I can't easily see a way to script the creation of an account nor the credential rule. is this possible within the policy system? or maybe even calling an external process that interacts with the WinGate system?

I think we're trying to over engineer this solution but i still have to ask these things :)

Cheers,
Brendon

with the list not working, it's the ordered list i'm referring to. the one without the = is the unordered list and works fine, but the ordered list appears broken... anyway. no biggy.

[adrien]

Hi

1. are you using AV plugin with WinGate? It can mess with buffering of streamed content, as it needs to accumulate the entire resource before it can scan it, and it lets only a certain amount through to stop clients from timing out.

2. Is itunes configured to use the proxy? This is normal behaviour if the connection is intercepted. it's possible to log this flag (intercepted or not) in WWW proxy usage logging.

What email clients are being used for gmail? I think outlook uses system proxy settings. I'd need to check if it uses http tunneling (CONNECT method).

As for MAC-based policy... are you preferring MAC to IP or Computer name for any particular reason? E.g. clients can change IP or computername? WinGate consults the arp cache when it gets a connection in, which should contain a mapping for the client IP to its MAC. We don't have a way to script creation of credential rules. I guess we could add a flow-chart policy item to assume the current user to be someone...

Regards

Adrien

[SpareRib]

Sorry it has taken me so long. I've been distracted with other work.. ugh...

I am trialling the AV plugin at the moment. I haven't experienced the same issue for a while now, which is strange as it was consistent before. I'm happy enough to deal with this at a later time if it poses a problem.
I'm assuming there's an easy way to whitelist domains from virus scanning...

again i haven't noticed the issue quite so much recently, and i haven't been explicitly testing the proxy due to other work. I'll try to check this one out further going forward.

The MAC-based policy was chosen as the IP addresses are assigned from a pool and have short lease periods so IP addresses aren't really tied to a device or user. I'm not sure if computer name would be resolvable in all cases as i don't think we'd be registering the device in any DNS within this wifi hotspot network. MAC was really the first that stuck out as a unique identifier that would stick with the device and is difficult to change (for a normal user).

[adrien]

Hi

Kaspersky AV for WinGate has an option to not scan any sites contained in a list, so you can use a list (can be in a file) from WinGate > Control Panel > Data : Global Data to store a list of sitenames and anything you add to the list won't be scanned.

As for MAC-based filtering. Is there any possibility of maybe using the WinGate DHCP server? If you use that, then WinGate learns the MAC:IP mappings of DHCP clients, so can do rules based on computername and MAC more reliably.

Regards

Adrien