Banning URL/Server and Denying ports


Postby neujron » Sep 21 04 10:12 pm

Hi!

Why is it that we can't ban a URL or an outside server name where clients are browsing? We use Right-click then Ban Server or Copy URL to Clipboard then define on the policies of respective users on the Ban List and put the URLs there, same result, clients can still browse or go to those pages. This is happening before already and also with our new server where we are going to move Wingate. How are we going to BAN specific URLs or server name? It doesn't work here. Are we going to define same Policies within WWW Proxy server and on the Users tab->System Policies? Must they have same Ban List?

And also because of the popularity of texting (SMS) from PC to a mobile phone here in our country, those servers providing this don't care about the bandwidth or network traffic they cause in our server. So, I've been trying to deny or ban the port these services are using (for example port 6301) in the ENS but still it can go thru the server and users are still enjoying their stuff. I even ban the URL or server name but still it's functioning. How can we "firewall" the port?
neujron
 
Posts: 76
Joined: Jul 27 04 4:19 pm

Postby n0ticer » Sep 22 04 1:59 am

hi there,

you can try restricting sites under WWW Proxy server properties > Policies > Select [Recipient e.g. Everyone] > Ban list [enabled] > Add a criterion... HTTP URL contains "chikka" or "javalite" (as a sample)

for the port thing... go to Extended Networking > Port Security > Select LAN connections to internet [TCP] > Click Add > go to Ports.. add 6301 to 6301 then select Drop packet.

:)
n0ticer
Senior Member
 
Posts: 119
Joined: Mar 26 04 5:43 pm

Postby neujron » Sep 25 04 10:35 pm

Thanks but I've done this process already before many times and I tested it again today to see if there's an improvement but same result, it still doesn't block the URL or the site or the port it's using.

Any other help is greatly appreciated

Postby Nev » Sep 26 04 7:07 pm

neujron wrote: Thanks but I've done this process already before many times and I tested it again today to see if there's an improvement but same result, it still doesn't block the URL or the site or the port it's using.

Any other help is greatly appreciated


Hi,

Just out of interest how does the responsible proxy or service [WWW or NAT] deal with the System policies? I have found that I am asked to block access to a range of sites and set the policy to ignore the System rights but then apply bans say for yahoo.com or msn etc that work well in the proxy or service.

Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby neujron » Oct 04 04 4:27 pm

Hey,

Any suggestion on this one?

Thanks

Postby Pascal » Oct 04 04 4:49 pm

Like Nev asked, how are the policies in the service configured to hook up to the system policies? Must they also be granted, are they ignored, etc.?

Banning by URL should not be difficult. However, what exact criterion are you using in the ban list? I.e. can you give us an example of how it is configured, please?

An alternative would be for you to email me a copy of your WinGate configuration then I can import it here and try to see where the policies are not configured properly and post back to you here.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby neujron » Oct 07 04 9:51 pm

It's "(system policies) maybe use instead", but I have tested "are ignored" but suddenly we can't access internet anymore. Maybe there are some things I've configured incorrectly on banning URLs, maybe on the policies, but how come denying ports like port 6301 on Extended Networking -> Port Security doesn't work? I put "Deny" and "Drop packets" but still the users can access the port.

For Ban List, for example, it was enabled and some sample list:
1. HTTP URL contains "chikka"
2. HTTP URL contains "SSL://ctp-a.chikka.com:6301"
3. HTTP URL equals "www.chikka.com"
4. HTTP URL equals "photomodels.tv"

By the way, we only use "Everyone" user on the policies which is restricted by location because when I tried adding other user name and use it on the policies, it doesn't work also, it can browse sites which are banned for him.

Just to confirm, is it the Wingate Registry that you need for your testing?

Thanks a lot.

Postby Pascal » Oct 07 04 10:31 pm

Yes, the WinGate registry. If you can email me that, along with a description of what you want to achieve, etc. I can give you some advice / guidelines / etc. for it.

neujron wrote: come denying ports like port 6301 on Extended Networking -> Port Security doesn't work? I put "Deny" and "Drop packets" but still the users can access the port.


When banning ports you need to be sure that you (a) chose the correct direction and (b) chose the appropriate protocol. When I say direction I'm talking about the "Connections from the Internet" / "LAN connections to the Internet" / "LAN connections to the WinGate PC", etc. dropdown.

That tells WinGate which security table to use and which types of network communication to block. If you want to block from your local network out, you need to make sure you pick the LAN -> Internet and LAN -> WinGate PC.

neujron wrote: t on the policies, it doesn't work also, it can browse sites which is banned for him


That depends. I'd need to see the entirety of the policy to see where we might need to tweak the configuration. Policies look for something to grant access. So, if "Everyone"'s policy would have granted that user access, he'd have been able to access the internet. Policies do take a bit of tweaking.

However, how were you authenticating the user?

Postby neujron » Oct 08 04 4:24 pm

Okay, I'll send the registry (off-list) on your e-mail.

Well, I have configured everything in the drop-down, i.e., LAN->Internet, LAN->Wingate PC, Connections from the Internet, etc., already just to make sure whichever connection/access this port 6301 is trying to connect but same result I've got.

For your last question, in the Policies for "Everyone" user, the "user may be unknown" but it's restricted by location. Is this the one you're asking or something else?

Thanks Pascal.

Postby Pascal » Oct 08 04 4:28 pm

That was roughly what I was referring to, yes. So, in that case, unless the location had tied the user down (So it couldn't be under that policy) it's possible that "Everyone" might have granted access. Anyway, I'll check the registry and get back to you.

Postby neujron » Oct 08 04 4:48 pm

Pascal,

I have sent already the registry configuration. Please check your mail.

Thanks.

Postby Pascal » Oct 08 04 4:54 pm

Got it. I'll send you an email + forum response once it's done.

Postby Pascal » Oct 08 04 5:06 pm

All right, first - the policies. (Haven't done ports yet)

The way you have it set up can be made to work fairly easily. You can either ignore system policies in the WWW Proxy Service (By saying that "Ignore System Policies"). In that case, all access to www.chikka.com is blocked.

Alternatively, you can include the System Policies (System Policies may be used instead) but then you have to add "Server Name contains 'chikka'" to the ban list on the System Policies.

See the policies as a form of 'grant' for the users. If anything gives a user the right, even if something else subsequently denies it, the user has the right to view / use that resource. So, in your case, because the WWW Proxy Service may use system policies as well and because they allow access, even though the WWW Proxy Service explicitly blocks the site, the user is granted access. (That's a bit of a mouthful, but I think you'll get the idea)
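
Pascal's grant rule and the two fixes he proposes, as a simplified model added here (not WinGate code and not part of the original posts). The `Policy` class, the function names and the AND behaviour of "must also be granted" are assumptions of this sketch.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# How a service policy relates to the System Policies. The wording follows the
# thread; the AND behaviour of MUST_ALSO is an assumption of this model.
IGNORED, MAY_BE_USED, MUST_ALSO = "are ignored", "may be used instead", "must also be granted"

@dataclass
class Policy:
    """One 'Everyone' policy: grants access unless a ban-list criterion matches."""
    ban_list: list = field(default_factory=list)  # (field, operator, value) tuples

    def grants(self, url: str) -> bool:
        fields = {"HTTP URL": url.lower(),
                  "Server Name": (urlsplit(url).hostname or "").lower()}
        for name, op, value in self.ban_list:
            actual, value = fields[name], value.lower()
            if (op == "contains" and value in actual) or (op == "equals" and value == actual):
                return False  # banned, so this policy gives no grant
        return True

def access_allowed(service: Policy, system: Policy, mode: str, url: str) -> bool:
    """Combine service and system policy according to the selected mode."""
    if mode == IGNORED:
        return service.grants(url)
    if mode == MAY_BE_USED:
        # Any grant wins: a ban in one policy does not override a grant in the other.
        return service.grants(url) or system.grants(url)
    if mode == MUST_ALSO:
        return service.grants(url) and system.grants(url)
    raise ValueError(f"unknown mode: {mode}")

# URL taken from the System Messages entry quoted later in the thread.
URL = "http://http.chikka.com/wtw/"
www_proxy = Policy([("HTTP URL", "contains", "chikka")])
system_open = Policy()                                          # no ban list
system_banned = Policy([("Server Name", "contains", "chikka")])

def scenarios() -> dict:
    return {
        "original setup": access_allowed(www_proxy, system_open, MAY_BE_USED, URL),
        "fix 1: ignore system policies": access_allowed(www_proxy, system_open, IGNORED, URL),
        "fix 2: ban in system policies too": access_allowed(www_proxy, system_banned, MAY_BE_USED, URL),
        "unrelated site": access_allowed(www_proxy, system_banned, MAY_BE_USED, "http://www.qbik.com/"),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:36} -> {'ALLOWED' if allowed else 'BLOCKED'}")
```
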

Postby Pascal » Oct 08 04 5:18 pm

Secondly, the firewall configuration.

That looks correct, to me. You've blocked 6301 in all cases for all protocols, so to the best of my knowledge it should not get out anywhere.

I've looked at their website, but they are a bit sparse on details as to how it works. Can you monitor the activity (From the WinGate server, you can watch in GateKeeper) to see which ports they are using? Look for alternative protocols as well - perhaps they are using SOCKS or an HTTP connection to send this information out. (They do make claims about being able to traverse firewalls, etc.)

Postby neujron » Oct 08 04 7:45 pm

OK 1st, I have added on Users tab->System Policies on Ban List the entry "Server name contains chikka" then suddenly some of the users who are using the messaging got an error on System Messages as soon as I save it and terminated their session. It says "Authentication failed - user Guest on 192.x.x.x requested http://http.chikka.com/wtw/". I think it's blocking already by the way it states on the message, am I right? That's the only modification I have from the previous config.

2nd, when users are connected to chikka they are connected to one URL with port and that is "SSL://ctp-a.chikka.com:6301", so they are using port 6301 (or it's only for display) and also an SSL and that's the only thing I can see in the Activity tab.

Thank you so much for the help.

Postby Pascal » Oct 09 04 12:58 pm

Sounds like you got the first one fixed. (Yes, it's already blocking)

The second one, what type of sessions are they? Are they basic NAT sessions?

Postby neujron » Oct 09 04 2:51 pm

Well, from the way users' connections are configured they're not NAT, it's Proxy because that's the only connection they have on Wingate. Browsing the internet is using port 80 (WWW proxy default). How about Socks proxy, do you think there's also a connection there?

Thanks.

Postby Pascal » Oct 09 04 3:26 pm

Not sure. That's why it would be interesting to see the type of session that it is. The easiest way to discover that is to right-click on one of the sessions when the user is busy. That gives you a popup menu which will normally have a command available to stop the appropriate service. That will tell you what kind of session it is - so that should help us discover where we need to adjust the rules to block that. (Or you could check in history / log files to see what it matches)

The icon of the session will also give you an indication. If you can describe the icon to me, I'll be able to match it up to a service (Or at least a place to begin looking)

If it is showing as an HTTP session (Like a web-page icon) then it can be either through the web-proxy OR through WGIC (As a session identified with the data spy). Then the right click is the only way to know for sure.

Postby neujron » Oct 09 04 5:25 pm

From the look of it, I think it's like HTTP session but as I've stated in my previous post it's using SSL in the prefix not HTTP.

Definitely it's not WGIC because clients are using proxy and I haven't installed WGIC on them.

For now, we can't see the activity anymore because I banned already the URL for chikka which is using the port 6301 and users can't access it anymore.