
WGIC Slow and "Black Hole" Configuration

Oct 25 04 10:14 am

It's day six of my trial licence and the WinGate 6.0.3 engine and mail server appear to be running fine - shame the Scheduler doesn't have a "Run POP3 Mail Collection" option. Even so, I have two questions which I would be grateful if some kind soul could help me with. First, the background...

The network is as follows - I have Wingate on a dedicated XP Pro SP2 PC (600 MHz VIA processor + 512MB of RAM with the XP Firewall and ICS off), the "external" Ethernet port is connected to an ISDN router and the "internal" port is connected to a switch. The external port is in the "168.192.1.*" range and the internal network is in the "10.0.*.*" range. Also connected to the switch are other XP Pro PCs and a Network Attached Storage device (made by Lacie) which runs XP Embedded. This NAS acts as a repository for the Windows Backup files (.bkf) for ALL the PCs on the network, including the one which hosts WinGate. The network is essentially "peer to peer" with each PC logging on to the appropriate NAS device folders via mapped drive letters (Windows reconnects at logon with the required name and password).

The first problem is that I want the ability to block a PC (the NAS device) from accessing the Internet via the "external" network. Assigning an IP address to the Black Hole list works TOO well as that PC then becomes invisible to other software on the WinGate Server. How do I set the firewall up so that "internal to external" access is blocked while still permitting my backup software on the WinGate machine to access the NAS device?

The second and major problem is with the WGIC software. If I install it on a client PC all appears to be fine until I need to copy a large file across to the NAS. A file transfer which normally takes 30 seconds over the 100Mbs network has a predicted time to completion of 30 minutes when the WinGate client, WGIC, is installed. Telling WGIC to ignore the application makes no difference, turning WGIC off makes no difference but uninstalling WGIC solves the problem. Just to be sure I re-installed WGIC and the problem returned so off it came again. Why should WGIC interfere with network traffic not bound for the WinGate server PC? Even if it must why should it slow the network traffic to a crawl?

Thanks in advance for any help.

Bob Andersson.

Re: WGIC Slow and "Black Hole" Configuration

Oct 25 04 11:48 pm


Ok Hi Bob,

Will have a tackle at those issues!

With POP Collection I guess scheduling is not necessary because a time frequency can be specified in each profile set to access eMail for clients.

What would happen if you created a policy specific to that machine's IP?

In my own instance one client 192.168.0.111 is denied access by a System policy Filter in the advanced tab which Criterion reads: Not client IP address equals 192.168.0.111

Then all relevant proxies and services are set to have a System Policy: That must also be granted.

This scheme may not suit you or others, but it works well for me.

What most people do is to Ignore the system rights in a Service or Proxy and create a new Filter / Criterion that could disallow access to a specific PC. You could apply this to the advanced tab of the Services [NAT] and Proxies [WWW, POP3, FTP etc] that you wish to deny this PC access to.

As for WGIC, I never use it, others will have to comment here but due to issues with it years ago, it is an area I have never revisited to see the refinements Qbik have implemented. Basically, are you trying to lock down internet access using WGIC? If not, can you configure the clients to use NAT or Proxies and be free of the latency apparently associated with WGIC?

Hope this helps, report back and someone will take it further.

Nev.

Oct 26 04 6:40 am

Nev,

Thanks for both your replies. You are right, the POP3 scheduling is fine unless you are on a dial up connection. When ADSL arrives here next Spring then automated collection every few minutes is perfect.

I had a look at your suggestion regarding System Policy Filters. Thank you for pointing out how to accomplish the task. I am still left wondering why the WinGate team couldn't have made the Black Hole feature more configurable. After all, black holes do emit Hawking radiation (and may even be hairy if String Theory is correct) and so aren't completely black after all.

Regarding WGIC, looks like I am in good company in removing it. I had hoped to use it instead of the XP SP2 Firewall or a paid for client side firewall.

Bob

Oct 26 04 10:24 am

Bob Andersson wrote: Regarding WGIC, looks like I am in good company in removing it. I had hoped to use it instead of the XP SP2 Firewall or a paid for client side firewall.


WGIC is significantly better than it was. In fact, the type of scenario you are describing here is part of the improvements we've begun making (And which will continue over future WinGate releases).

With WGIC and an Enterprise license you are getting the ability to control which applications are allowed to run on your network. (Providing they use the Internet, which in most cases the restriction would be useful). This means, from your WinGate server you can restrict the internet enabled applications your client PCs are allowed to run. Moreover, you can send back customised messages telling the users why certain applications are allowed / not allowed to run.

It does mean a bit more configuration and WGIC can sometimes be a bit tougher to set up but it still does provide some very good functionality which will only get better.

However, the slow speed should not be happening, especially if you've told it to ignore the application. How did you do that, through the Central Config on the Server or by editing the client's setup? In either case, what did you have it set to?

Oct 26 04 12:48 pm

Pascal,

Thanks for the input. I wanted to use WGIC precisely so that I COULD control which applications could access the Internet.

The slow speed was apparent with no user configuration at all. ZoneAlarm had already been uninstalled before the WGIC installation. The problem occurred both with and without the Windows Firewall turned on.

I told WGIC client setup (not the server) to ignore the application doing the file transfer. The file transfer was directly between two machines connected to the switch.

The PC on which WGIC was running and which was initiating the file transfer is a dual 550MHz Xeon. The Ethernet port uses Client for Microsoft Networks, QoS packet Scheduler, File and Printer Sharing for Microsoft Networks and Internet Protocol (TCP/IP). The only oddity I can spot is a lack of the ICS settings options on the Ethernet card's Properties dialog box's Advanced tab. Odd, because it is present on a "1394 Connection" Properties.

Late breaking news! This evening I saw for the first time the slow network file transfer problem and WGIC was nowhere in sight. I removed TCP/IP6 and "Peer to Peer" networking and rebooted and all is now hunky dory! However...

Before we all rush off down to the pub in a celebratory mood it might be worth remembering that I DID see a connection between WGIC and the slow file transfer and verified this by uninstalling WGIC, seeing the problem go away, installing WGIC and seeing the problem return. Finally uninstalling WGIC made the problem go away again (or so I thought!). Maybe there is some side effect going on here such that when WGIC was installed it brought to the surface an already existent but latent problem?

Hope this helps although I suspect all it does is muddy the waters!

Bob

Oct 26 04 12:55 pm

No, that might be a step in the right direction. Earlier releases of WinGate (I believe around 5.0.2 or there) had problems with QoS Packet Scheduler, so when you said that it was as if the name was printed there with lights and flashing arrows.

What I suspect is that some of the options in use for the sockets (such as introduced by QoS or perhaps by the TCP/IP6 / Peer to Peer system) are not supported in WGIC and that denying access (I'll have to check the code to be sure) to those flags might have resulted in odd behavior (especially if the requesting app doesn't handle failures gracefully). We'll have to test it this side though, but it will be interesting trying to replicate the setup you have there.

Would it be possible for you to either take a screen shot of the list of entries you have on "Local Area Network Properties" OR to write them down in a forum post, please? (This is QoS, Client for Microsoft Networks, etc.) Also, any other applications which could potentially load a Layered Service Provider / provide a network level driver?

If you put WGIC on again now, do you see the same behavior?

Oct 27 04 12:21 am

Pascal,

Not sure this adds anything as I have changed the system since the last post but here goes with the current configuration:

Client for Microsoft Networks (uses Windows Locator for the RPC service)
QoS Packet Scheduler
File and Printer Sharing for Microsoft Networks
Internet Protocol (TCP/IP) (standard configuration settings but see the previous post about the lack of ICS option setting/disabling for this adaptor)

To the best of my knowledge this is how it looked when the WGIC problem first appeared. I believe the "Peer to Peer" component was added (together with TCP/IP6) as I was blundering around trying to see if the problem was related to something missing on my setup.

As best as I can tell there are no other Layered Service Providers running. If there is a command line tool to display the chain I am afraid I can't remember the name.

The machine also hosts IIS (purely for internal use) and Visual Studio 2003.

That reminds me - I must discontinue and get some work done as I have spent nearly 2 hours on this and the WinGate email collection problems already today. Grrrr.

Thanks for your input so far.

Bob.
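
The post above asks for a command-line tool that displays the Layered Service Provider chain; on Windows XP SP2 and later that is `netsh winsock show catalog`. As an added example (not part of the original thread), this Python script parses that command's output and lists every entry that is not a base provider. The sample output, its GUIDs and its DLL path are constructed placeholders, and the field labels are assumed to match what the tool prints.

```python
# Constructed sample shaped like `netsh winsock show catalog` output.
# GUIDs, the layered entry and its DLL path are placeholders.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        EXAMPLE-LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\placeholder\example_lsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2
Protocol Chain:                     1014 : 1001
"""

def parse_catalog(text):
    """Split the catalog dump into one dict of fields per provider entry."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Winsock Catalog Provider Entry"):
            cur = {}
            entries.append(cur)
        elif cur is not None and ":" in line:
            # Split on the first colon only: paths and chains contain colons.
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return entries

def layered_entries(entries):
    """Return (id, description, path, chain) for entries that are not base
    providers: chain length 1 is a base provider, 0 or >1 means an LSP."""
    out = []
    for e in entries:
        if e.get("Protocol Chain Length", "1") != "1":
            chain = [p.strip() for p in e.get("Protocol Chain", "").split(":") if p.strip()]
            out.append((e.get("Catalog Entry ID"), e.get("Description"),
                        e.get("Provider Path"), chain))
    return out

if __name__ == "__main__":
    for entry in layered_entries(parse_catalog(SAMPLE)):
        print(entry)
```

To check a real machine, save the command's output to a file and pass its contents to `parse_catalog` in place of `SAMPLE`; any provider path that does not belong to a known installed product is the one to investigate.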