Hi,
I have WinGate 5.2.3 (not interested in upgrading to 6.x) and I'm trying to restrict certain groups to only view select web pages.
Currently, my www proxy service gives "Everyone" full access. Then, in system policies, I have GROUP_A with "recipients have rights for all requests" and I have GROUP_B recipients setup to recieve requests for select "server names" that contains my strings.
For some reason, GROUP_B users are still being denied access to those select sites. If I change GROUP_B to "recipients have rights for all requests," then they all get full internet access. But when I try to change them back to selective sites, they get denied for everything. Why?
Thanks
Restricting web browsing by groups in system policies
Moderator: Qbik Staff
17 posts
• Page 1 of 1
Restricting web browsing by groups in system policies
by mharabedian » Mar 09 06 10:58 am
- mharabedian
- Posts: 8
- Joined: Mar 09 06 10:28 am
by ChrisH » Mar 11 06 2:32 am
How do you have the criteria setup for Group_B users? If you are setting the policy up in the Advanced section you need to enter a separate filter and criteria for each site. IMHO it is easier to do this strictly from the WWW Proxy service. Ignore the system policy in WWW Proxy and you can select sites based on URL rather than server name.
Chris H.
- ChrisH
- WinGate Master
- Posts: 388
- Joined: Sep 13 03 1:38 am
- Location: Canada
by mharabedian » Mar 11 06 9:09 am
Group_A and Group_B are both Active Directory groups.
What does IMHO mean?
How does the Gatekeeper handle www requests? Does it hit the www proxy service first or does it hit the system policies first? If I tweak the policies for Group_A and Group_B in www proxy service to be similar to how I currently have the system policies setup, would I want to change my system policies back to allowing everyone? (The only thing I use Wingate for is to manage the web browsing of employees).
Thanks
What does IMHO mean?
How does the Gatekeeper handle www requests? Does it hit the www proxy service first or does it hit the system policies first? If I tweak the policies for Group_A and Group_B in www proxy service to be similar to how I currently have the system policies setup, would I want to change my system policies back to allowing everyone? (The only thing I use Wingate for is to manage the web browsing of employees).
Thanks
- mharabedian
- Posts: 8
- Joined: Mar 09 06 10:28 am
by ChrisH » Mar 11 06 11:00 am
IMHO = in my humble opinion
Technically, GateKeeper is the User interface to the WinGate engine - it allows you to adjust the WG engine to your individual needs. But to answer your question, it depends on whether or not you specify in the WWW proxy that the System policies apply. You have a choice under the WWW proxy policy to set the Default rights (System policies) to;
1.) are ignored
2.) may be used instead
3.) MUST also be granted
If you set it to are ignored WG will only look at the policies in the WWW Proxy when it comes to web browsing, provided all web traffic goes through the WWW proxy. You can ensure this by checking the Transparent Redirection box on the Sessions configuration Tab (I think - my memory is getting a little fuzzy on WG 5.2.3) or by having all client machines point their browser to the WG machine.
I would. But it shouldn't be absolutely necessary if you are just using WG for browsing.
mharabedian wrote:How does the Gatekeeper handle www requests?Does it hit the www proxy service first or does it hit the system policies first?
Technically, GateKeeper is the User interface to the WinGate engine - it allows you to adjust the WG engine to your individual needs. But to answer your question, it depends on whether or not you specify in the WWW proxy that the System policies apply. You have a choice under the WWW proxy policy to set the Default rights (System policies) to;
1.) are ignored
2.) may be used instead
3.) MUST also be granted
If you set it to are ignored WG will only look at the policies in the WWW Proxy when it comes to web browsing, provided all web traffic goes through the WWW proxy. You can ensure this by checking the Transparent Redirection box on the Sessions configuration Tab (I think - my memory is getting a little fuzzy on WG 5.2.3) or by having all client machines point their browser to the WG machine.
mharabedian wrote:...would I want to change my system policies back to allowing everyone?
I would. But it shouldn't be absolutely necessary if you are just using WG for browsing.
Chris H.
- ChrisH
- WinGate Master
- Posts: 388
- Joined: Sep 13 03 1:38 am
- Location: Canada
by mharabedian » Mar 11 06 1:06 pm
Well, I tried what you said to try...
First, I left my system policies in place (Group_A with full rights, Group_B with select rights to certain sites [however this doesn't seem to work]). Per your recommendation, I tweaked the www proxy service policy and set it up in a similar manner. I also selected the option to ignore the system policies. Result: Didn't work! Group_B still was unable to browse any servers nor any http url's that contain my strings.
Secondly, I went back into system policies (which are supposed to be ignored when making www proxy requests) and I changed GROUP_B to have full rights just like GROUP_A. Result: Both groups had full access. In other words, the policy settings in www proxy service apparently meant nothing.
It seems that the only settings that effect a change are the system policy policy changes. However, that doesn't even seem to work properly... Groups are either given full permission or they're given no permission even if specific rules are created to allow traffic with server names containing my strings.
All of my workstations have been using the WGIC 5.2.3 and it used to work before I attempted upgrading the server and select workstations. Every upgrade Wingate version 3 screws things up and I'm tired of troubleshooting new iterations of this software! I've now attempted to revert back to 5.2.3 to get this basic functionality working again.
Now what?
First, I left my system policies in place (Group_A with full rights, Group_B with select rights to certain sites [however this doesn't seem to work]). Per your recommendation, I tweaked the www proxy service policy and set it up in a similar manner. I also selected the option to ignore the system policies. Result: Didn't work! Group_B still was unable to browse any servers nor any http url's that contain my strings.
Secondly, I went back into system policies (which are supposed to be ignored when making www proxy requests) and I changed GROUP_B to have full rights just like GROUP_A. Result: Both groups had full access. In other words, the policy settings in www proxy service apparently meant nothing.
It seems that the only settings that effect a change are the system policy policy changes. However, that doesn't even seem to work properly... Groups are either given full permission or they're given no permission even if specific rules are created to allow traffic with server names containing my strings.
All of my workstations have been using the WGIC 5.2.3 and it used to work before I attempted upgrading the server and select workstations. Every upgrade Wingate version 3 screws things up and I'm tired of troubleshooting new iterations of this software! I've now attempted to revert back to 5.2.3 to get this basic functionality working again.
Now what?
- mharabedian
- Posts: 8
- Joined: Mar 09 06 10:28 am
by ChrisH » Mar 11 06 3:49 pm
Are workstation machines still running WGIC? DO you have Transparent redirection enabled in WWW proxy service? I'm wondering if WWW proxy service is being used. What if you enabled logging on the WWW service. Do you see any entries in in the WWW log file? You still should be able to do this in System Policies however. Can you write down what you did to set up the policy for Group_B eg - Filter 1 Server name equals www.wingate.com, Filter 2 Server name contains microsoft, etc etc
Chris H.
- ChrisH
- WinGate Master
- Posts: 388
- Joined: Sep 13 03 1:38 am
- Location: Canada
by mharabedian » Mar 15 06 5:10 pm
Yes, workstations are currently running WGIC v.5.2.3 and a few of them still have the 6.0.3 WGIC client on them.
You never actually answered my question before about how the wingate engine works. My understanding is that it first hits the WWW Proxy service and then it hits the System Policies before being granted access (understanding of course that there is a setting that allegedly allows you to skip the system policies, use the system policies as an "OR" rule, and use the system policies as an "AND" rule). Is that correct?
Well, when I try to use the WWW Proxy server service for Wingate 5.2.3 it does absolutely nothing!... It has no effect! I doesn't matter if I choose "recipients have rights for all requests" or if I choose "specify which requests this recipient has rights for" and select some sites... still nothing! It doesn't matter if I set the Default rights (system policies) as "are ignored", "may be used instead", or "MUST also be granted"... still nothing.
Where do I specify the settings for transparent redirection in 5.2.3? I don't see that listed as an option for the WWW Proxy server service.
All that seems to matter are the settings for system policies:
--------------------------------------------------------------
If I want to allow a group to have full permissions for web viewing, then I must allow that group in system policies -> double-click [group selection] -> advanced -> recipients have rights for all requests.
If I want to allow a group to only view certain web pages, then I must start by restricting that group in system policies -> double-click [group selection] -> advanced -> specify which requests this recipient has rights for.
However, after disregarding all settings from the WWW Proxy server service (I've now set it to "recipients have rights for all requests") and after selecting various websites to have permission, only some sites work... others do not. The ones that work aren't just running off of local browser cache because you can follow links within the site.
Here are some examples of my sites that work/don't work:
--------------------------------------------------------
server name contains "cnb.com" - works
server name contains "dynaweather.com" - doesn't work
server name contains "grc.com" - works
server name contains "usps.com" - works
server name contains "tann.net" - doesn't work
server name contains "wingate.com" - doesn't work
server name contains "ikon.com" - works
server name contains "dell.com" - works
server name contains "google.com" - doesn't work
server name contains "msn.com" - doesn't work
server name contains "yahoo.com" - works, no pictures load
server name contains "myspace.com" - doesn't work
You never actually answered my question before about how the wingate engine works. My understanding is that it first hits the WWW Proxy service and then it hits the System Policies before being granted access (understanding of course that there is a setting that allegedly allows you to skip the system policies, use the system policies as an "OR" rule, and use the system policies as an "AND" rule). Is that correct?
Well, when I try to use the WWW Proxy server service for Wingate 5.2.3 it does absolutely nothing!... It has no effect! I doesn't matter if I choose "recipients have rights for all requests" or if I choose "specify which requests this recipient has rights for" and select some sites... still nothing! It doesn't matter if I set the Default rights (system policies) as "are ignored", "may be used instead", or "MUST also be granted"... still nothing.
Where do I specify the settings for transparent redirection in 5.2.3? I don't see that listed as an option for the WWW Proxy server service.
All that seems to matter are the settings for system policies:
--------------------------------------------------------------
If I want to allow a group to have full permissions for web viewing, then I must allow that group in system policies -> double-click [group selection] -> advanced -> recipients have rights for all requests.
If I want to allow a group to only view certain web pages, then I must start by restricting that group in system policies -> double-click [group selection] -> advanced -> specify which requests this recipient has rights for.
However, after disregarding all settings from the WWW Proxy server service (I've now set it to "recipients have rights for all requests") and after selecting various websites to have permission, only some sites work... others do not. The ones that work aren't just running off of local browser cache because you can follow links within the site.
Here are some examples of my sites that work/don't work:
--------------------------------------------------------
server name contains "cnb.com" - works
server name contains "dynaweather.com" - doesn't work
server name contains "grc.com" - works
server name contains "usps.com" - works
server name contains "tann.net" - doesn't work
server name contains "wingate.com" - doesn't work
server name contains "ikon.com" - works
server name contains "dell.com" - works
server name contains "google.com" - doesn't work
server name contains "msn.com" - doesn't work
server name contains "yahoo.com" - works, no pictures load
server name contains "myspace.com" - doesn't work
- mharabedian
- Posts: 8
- Joined: Mar 09 06 10:28 am
by ChrisH » Mar 16 06 3:41 am
OK, I would think then that your workstation traffic is being directed either through the WRP service, or depending on how the WGIC is setup on workstations (which programs have local,mixed or global access modes), through NAT and not through the WWW proxy. Having said that though you still should be able to do what you want in system polices. However, what are the policies of the NAT(ENS) service and WRP service. Do they have policy restrictions on Group_B?Are they set to ignore or must use system polices? To ensure that all web traffic goes through the WWW PRoxy you must enable Transparent Redirection- see below.
There must be some other policy in place (ENS or WRP service) that is causing you the grief. I set up similar policy to yours - albeit in WG ver 6.11- and it worked as I expected. Also, I think I remember seeing a posting in this forum about using different versions of WGIC with the WG engine and some incompatibilites - but I couldn't find it - again, developers would know for sure. Just a side thought - are they any users in Group_A that are in Group_B?
That's my understanding - but only the developers could answer that with certainty. The catch is though, that there has to be traffic through the WWW service for rules to apply and that can't be happening in your case.mharabedian wrote:You never actually answered my question before about how the wingate engine works. My understanding is that it first hits the WWW Proxy service and then it hits the System Policies before being granted access (understanding of course that there is a setting that allegedly allows you to skip the system policies, use the system policies as an "OR" rule, and use the system policies as an "AND" rule). Is that correct?
There must be some other policy in place (ENS or WRP service) that is causing you the grief. I set up similar policy to yours - albeit in WG ver 6.11- and it worked as I expected. Also, I think I remember seeing a posting in this forum about using different versions of WGIC with the WG engine and some incompatibilites - but I couldn't find it - again, developers would know for sure. Just a side thought - are they any users in Group_A that are in Group_B?
Chris H.
- ChrisH
- WinGate Master
- Posts: 388
- Joined: Sep 13 03 1:38 am
- Location: Canada
by mharabedian » Mar 16 06 11:16 am
Everytime I've installed Wingate, I have intentionally not installed ENS because I didn't want to add more complexity to a product that already has trouble operating with basic settings. The only service that is listed in my "services" control panel is WWW Proxy Server service. No others are listed and therefore should not be affecting GROUP_A nor GROUP_B.
As a side note, users in GROUP_B that have select permissions to certain sites have been complaining that the only way their site will open is if they close Microsoft Outlook. Why should that matter?
Thanks for the screenshot. My "transparent redirection" option was not checked... I have now have it checked and will see if any changes for the better take place.
As a side note, users in GROUP_B that have select permissions to certain sites have been complaining that the only way their site will open is if they close Microsoft Outlook. Why should that matter?
Thanks for the screenshot. My "transparent redirection" option was not checked... I have now have it checked and will see if any changes for the better take place.
- mharabedian
- Posts: 8
- Joined: Mar 09 06 10:28 am
by mharabedian » Mar 21 06 8:08 pm
The Winsock Redirector Service is not listed under the Services tab in the Gatekeeper... Am I to assume that that also means that it does not have any restrictions on it? (When I right-click to add a new service, WRP is not even listed as a service to add).
- mharabedian
- Posts: 8
- Joined: Mar 09 06 10:28 am
by mharabedian » Mar 22 06 3:08 pm
Right: Users can access this service
Is granted to:
[no one]
Default rights (system policies) may be used instead.
There don't appear to be any policy restrictions here... I suppose I could add users/groups here, do I really need to?... what does this have to do with the fact that users with select permissions [GROUP_B] have access to some sites but don't have access to other sites?
Is granted to:
[no one]
Default rights (system policies) may be used instead.
There don't appear to be any policy restrictions here... I suppose I could add users/groups here, do I really need to?... what does this have to do with the fact that users with select permissions [GROUP_B] have access to some sites but don't have access to other sites?
- mharabedian
- Posts: 8
- Joined: Mar 09 06 10:28 am
by ChrisH » Mar 22 06 4:53 pm
No you don't need to add policies to WRP service - if there is none there now it shouldn't have any bearing on what happens. Those sites that work and don't work - is that true for every user of Group_B? Just to be sure - now that you have Transparent Redirection enabled have you been able to get your policy to work in WWW proxy service with system rights set to are ignored? If not then it would probably be best for you to send in a support ticket to get QBik staff to assist you directly with this. I'm sure you'd like to get this resolved sooner rather than later. If they could remote into your system they could probably solve it qucikly. But if you wish we can still plug away at it.
Chris H.
- ChrisH
- WinGate Master
- Posts: 388
- Joined: Sep 13 03 1:38 am
- Location: Canada
by mharabedian » Mar 23 06 8:45 am
Well, I'm pretty tired of dealing with this software and having to go to such great lengths to troubleshoot every little problem that arises. If this software was engineered in a more logical fashion and had some decent modular documentation on how it works (flow charts on the order of events?), then I don't think this would be such an issue. They should spend more time developing the technologies that they already have in their products so that they work properly and have a more friendly graphical user interface, rather than rapidly trying to expand their feature sets. I can't think of too many similar products out there that have to dedicate so much of their resources to providing their support for free because their product is so bad. That has got to be a significant loss for Qbik. I don't think I've ever seen such a well traveled support forum as Wingate has (as of today they have 3609 topics with 16873 posts and growing rapidly... that's ridiculous!). If you started out with a well designed software product in the first place, you wouldn't have this trouble...
I think it's time for me to start shopping for some new software.
I think it's time for me to start shopping for some new software.
- mharabedian
- Posts: 8
- Joined: Mar 09 06 10:28 am
by Pascal » Mar 23 06 10:12 am
Qbik provides free support for one reason - it's customers. The same reason that we allow people using license keys as far back as version 2.1 in the latest releases and will continue to do so in future. That is why you have the option of upgrading to 6.1.1 for free from 5.2.3. We have faith in our product and will continue to support it to the level we feel that any and every product should be supported. And no, that is not a loss for us.
Having an active community is a very good thing. Considering that WinGate fulfulls a variety of roles on the Windows platform on a large variety of hardware and software combinations and considering the large userbase the number of topics and posts are small.
All that highlights for me is that we have an active community and that they are well supported. Those are good things.
The policies in WinGate is complex. Part of that is a trade off for the power of them. You will find many topics on this forum as well dealing with policies with some fairly lengthy explanations on how they work and what to do with them. Now, if you would like help with your problem, I'm always happy to take registry exports from customers experiencing problems with policies. If you would like, you can export your WinGate registry (The setup portion) using the export button in Advanced Options (GateKeeper) and email it to the address listed in my profile, preferably with a brief explanation of what you would like to achieve. Then I can load it here and point out where things need to change.
Having an active community is a very good thing. Considering that WinGate fulfulls a variety of roles on the Windows platform on a large variety of hardware and software combinations and considering the large userbase the number of topics and posts are small.
All that highlights for me is that we have an active community and that they are well supported. Those are good things.
The policies in WinGate is complex. Part of that is a trade off for the power of them. You will find many topics on this forum as well dealing with policies with some fairly lengthy explanations on how they work and what to do with them. Now, if you would like help with your problem, I'm always happy to take registry exports from customers experiencing problems with policies. If you would like, you can export your WinGate registry (The setup portion) using the export button in Advanced Options (GateKeeper) and email it to the address listed in my profile, preferably with a brief explanation of what you would like to achieve. Then I can load it here and point out where things need to change.
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
by ChrisH » Mar 24 06 2:40 am
It's too bad you have had some frustrations with WG. I believe it is a very good product, albeit not perfect. Many. many end users have had no difficulty setting up and administering WG. I don't know of too many forums where the people who actually write the code for the product are active and problem solve for the end user. I think it's a great two way street. They can quickly see if there are issues cropping up and we as end users can directly suggest enhancements/improvements to the product -much like you suggested with the documentation and GUI. By and large many of the postings in this forum are of the How do I...? type and I feel that is because there are so many variables in end user setups and the capability, adaptability and power of WG. Pascal has offered to look at your registry setting. Take him up on his offer! Maybe the best things in life are free (support).
Chris H.
- ChrisH
- WinGate Master
- Posts: 388
- Joined: Sep 13 03 1:38 am
- Location: Canada
17 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 3 guests