Just edited some of my previous material; I hope it helps.
Below is an example policy to have everyone restricted to authorized websites, but any website at lunchtime. The Administrator, Support Dept. and CEO have full access. You will want to set how the WWW Proxy Server interacts with the System Policies via a small menu to the right of where you add the policies; more is explained below. I also need to acknowledge that this could be done a few ways.
Everyone (first entry in WWW Proxy --> Policies)
Select your authentication level which corresponds to your authentication method.
Navigate to the Advanced tab
Filter 1
This criterion is met if HTTP URL Contains supplier.com
Filter 2
This criterion is met if HTTP URL Contains partner.com
Everyone (Second entry in WWW Proxy --> Policies)
Select your authentication level which corresponds to your authentication method.
Navigate to the Time tab and put in the lunchtime values
Administrator (Third entry in WWW --> Policies)
Select your authentication level which corresponds to your authentication method.
Support Group (Fourth entry in WWW --> Policies)
Select your authentication level which corresponds to your authentication method.
CEO (Fifth entry in WWW --> Policies)
Select your authentication level which corresponds to your authentication method.
***Please also remember that the key to policies in WinGate is that the one with the most access will always override one with the least access - and how they interact with the System policies.
So for example, if within the WWW Proxy Server you have two "Everyone groups", and the first one only allows access to wingate.com, and the second Everyone group has no restrictions set, then there will be no restrictions set for Everyone.
Another thing to consider is how each individual Server / Service is setup to interact with the System Policies (can be found via Users tab, far bottom left); they could be set in one of the three following ways:
"Must also be granted": If the e.g. WWW Proxy Server allows access to this service, then it must also be checked in the System Policies before it is allowed.
"May be used instead": If the e.g. WWW Proxy Server denies the request, then check if the System Policies allow it; if it does, allow the user to access.
"Are ignored": Do not check the System Policies to check if this user is allowed to access.
So in the example above in the WWW Proxy Server you could set the System Policies to “Must Also be granted” and then have a base control for their requests. For simplicity to begin with you could just add in Everyone, user may be unknown.
****Since there are a few different ways to connect to the internet with WinGate, please consider the following.
1. The NAT connection method does not always have a way to authenticate, and control of it is done via the Extended Networking Service (ENS) in WinGate.
2. The WinGate Internet Client (WGIC) is an optional connection method and the requests are fulfilled by the Winsock Redirector Service (WRS).
3. To allow the WWW Proxy Service in WinGate to also intercept HTTP requests passing through the NAT or WGIC connection method, you would turn on the transparent proxy for port 80 in WWW Proxy Server --> Sessions.
*Edit
So since the ENS and WRS are the other main connection methods, you probably want to add, for NAT at least, that the Everyone Group can be unknown, set the way it interacts with the System Policies to “Must also be granted”, and then add *System Policies* to restrict their internet connectivity. I say NAT at least because the WRS takes on a different facet of controlling internet usage: it can also control what applications can do on a network (server / client / both / no networking / not allowed to run) and can be centrally configured from that service.
*End Edit
For example, all users always have access to the ISP’s POP3 / SMTP / Web (although you should use WinGate’s email server so you can potentially create better traffic management policies for the users' recreational usage), and the CEO, Administrator and Support always get full access.
Everyone (first entry in System Policies)
Select your authentication level which corresponds to your authentication method. You may want to set it to “User may be unknown” if they will be using NAT because NAT has no default way to authenticate.
Navigate to the Advanced tab
Filter 1
This criterion is met if Server port Equals 25
Filter 2
This criterion is met if Server port Equals 110
Filter 3
This criterion is met if Server port Equals 80
Filter 4
This criterion is met if Server port Equals 443
Administrator --> (Second entry in System Policies)
Select your authentication level which corresponds to your authentication method.
Support Group (Third entry in System Policies)
Select your authentication level which corresponds to your authentication method.
CEO (Fourth entry in System Policies)
Select your authentication level which corresponds to your authentication method.
Guest (Fifth entry in System Policies, used to allow running servers on your internal network which are accessible to clients on the internet. It is not practical to authenticate random internet clients connecting to your servers, but you don’t want the Guest user to be used by your LAN for any request, presuming your LAN is 192.168.0.x)
Select the Authentication method as “User may be unknown”
Navigate to the advanced tab.
Filter 1
This criterion is not met if Client IP address Begins with 192.168.0
*And remembering the Client or Server criterion is dependent on the direction that the request is coming in.
******And these are the ways you can authenticate, depending on what user database you are using.
WinGate User Database.
Java Authentication - Secure method.
WGIC Authentication - Secure method.
Qbik Authentication - Secure method.
GateKeeper Authentication - Secure method
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different connection methods or ports.
Local Windows User Database
WWW Proxy NTLM Authentication - Secure method.
WGIC NTLM Authentication - Secure method.
Qbik NTLM Authentication - Secure method.
GateKeeper NTLM Authentication - Secure method
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different connection methods or ports.
Domain User Database.
WWW Proxy NTLM Authentication - Secure method.
WGIC NTLM Authentication - Secure method.
Qbik NTLM Authentication - Secure method.
GateKeeper NTLM Authentication - Secure method
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different connection methods or ports.
******* And when using an AD Database it is desirable to read the section of the Help file labeled “WinGate in an Active Directory”. The key is to avoid DNS loops and have the “Qbik WinGate Engine” start with a Domain Administrator Account in the Windows Services.
Last edited by jamesc on Dec 16 06 2:50 pm, edited 1 time in total.
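The post above describes three rules that decide whether a request gets through: within one policy list the entry with the most access wins, a service's own policies are combined with the System Policies in one of three modes, and an entry only applies at the chosen authentication level. The following is an added toy evaluator of those rules, written for this page; it is not WinGate's code and does not reflect how the product actually evaluates a request. It assumes the post's lunchtime window is 12:00 to 13:00, that the filters listed under one entry are alternatives (supplier.com OR partner.com), that unauthenticated requests are matched against the Guest entry, and that the "Begins with 192.168.0" test is equivalent to membership in 192.168.0.0/24. The policy lists mirror the five WWW Proxy entries and five System Policies entries from the post.

```python
"""Toy evaluator for the WinGate policy rules described in the post above.
Added example, not WinGate's code; the assumptions it makes are marked."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Request:
    user: Optional[str]              # None = not authenticated (e.g. a plain NAT client)
    groups: frozenset = frozenset()  # groups the authenticated user belongs to
    url: str = ""
    server_port: int = 80
    client_ip: str = "192.168.0.10"  # LAN address per the post's 192.168.0.x example
    when: str = "10:00"              # zero-padded HH:MM so string comparison orders correctly


Criterion = Callable[[Request], bool]


def url_contains(s: str) -> Criterion:        # "HTTP URL Contains ..."
    return lambda r: s in r.url


def port_equals(p: int) -> Criterion:         # "Server port Equals ..."
    return lambda r: r.server_port == p


def client_not_in(net: str) -> Criterion:     # "not met if Client IP address Begins with ..."
    return lambda r: ip_address(r.client_ip) not in ip_network(net)


@dataclass
class Entry:
    principal: str                        # user or group name, "Everyone", or "Guest"
    user_may_be_unknown: bool = False     # authentication level "User may be unknown"
    criteria: list = field(default_factory=list)  # Advanced tab filters; empty = unrestricted
    window: Optional[tuple] = None        # Time tab (start, end), e.g. lunchtime

    def applies_to(self, r: Request) -> bool:
        if self.principal == "Everyone":
            return r.user is not None or self.user_may_be_unknown
        if self.principal == "Guest":     # assumption: unauthenticated requests match Guest entries
            return r.user is None and self.user_may_be_unknown
        return r.user == self.principal or self.principal in r.groups

    def grants(self, r: Request) -> bool:
        if not self.applies_to(r):
            return False
        if self.window and not (self.window[0] <= r.when <= self.window[1]):
            return False
        # assumption: an entry's filters are alternatives (supplier.com OR partner.com)
        return not self.criteria or any(c(r) for c in self.criteria)


def list_grants(entries: list, r: Request) -> bool:
    """'Most access wins': one granting entry is enough, whatever its position in the list."""
    return any(e.grants(r) for e in entries)


def allowed(service: list, system: list, mode: str, r: Request) -> bool:
    """Combine a service's own policies with the System Policies using the three modes."""
    svc = list_grants(service, r)
    if mode == "must also be granted":
        return svc and list_grants(system, r)
    if mode == "may be used instead":
        return svc or list_grants(system, r)
    if mode == "are ignored":
        return svc
    raise ValueError(f"unknown mode {mode!r}")


LUNCH = ("12:00", "13:00")   # assumed lunchtime window
WWW_PROXY = [                # the five WWW Proxy entries from the post
    Entry("Everyone", True, [url_contains("supplier.com"), url_contains("partner.com")]),
    Entry("Everyone", True, window=LUNCH),
    Entry("Administrator"), Entry("Support"), Entry("CEO"),
]
SYSTEM = [                   # the five System Policies entries from the post
    Entry("Everyone", True, [port_equals(p) for p in (25, 110, 80, 443)]),
    Entry("Administrator"), Entry("Support"), Entry("CEO"),
    Entry("Guest", True, [client_not_in("192.168.0.0/24")]),
]


def www(mode: str = "must also be granted", **kw) -> bool:
    """A request through the WWW Proxy with the given System Policy mode."""
    return allowed(WWW_PROXY, SYSTEM, mode, Request(**kw))


def system_only(**kw) -> bool:
    """A request judged by the System Policies alone (e.g. NAT traffic via ENS)."""
    return list_grants(SYSTEM, Request(**kw))


def www_with_unrestricted_everyone(**kw) -> bool:
    """The post's warning: a second, unrestricted Everyone entry lifts all Everyone restrictions."""
    return list_grants(WWW_PROXY + [Entry("Everyone", True)], Request(**kw))


if __name__ == "__main__":
    print(www(user="alice", url="http://www.supplier.com/"))                   # allowed by filter
    print(www(user="alice", url="http://news.example/"))                       # denied outside lunch
    print(www(user="alice", url="http://news.example/", when="12:30"))         # allowed at lunch
    print(system_only(user=None, server_port=8080, client_ip="203.0.113.5"))  # Guest from internet
    print(system_only(user=None, server_port=8080))                            # Guest blocked on LAN
```

Two things the model makes visible that are easy to miss in the GUI: the order of entries never matters, because a single granting entry anywhere in the list is enough, and the "Must also be granted" mode is what stops a URL-only WWW Proxy rule from reaching a non-standard port that the System Policies never opened. Also note that "HTTP URL Contains supplier.com" is a plain substring test, so `http://supplier.com.attacker.example/` and `http://other.example/?ref=supplier.com` satisfy it too; if the product offers a host-based criterion, prefer that over a substring match on the whole URL.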