Authentication with TCP Mapping Service


Postby dfehse » Jun 03 06 8:50 pm

I'm testing WG because this product seems to handle the following scenario:

I have client PCs in subnet 172.20.0.0 that need access to about 20 terminal servers in subnet 10.0.0.0. The firewall only allows traffic through one system (let's call it Gateway, on IP 172.29.11.45) in another subnet, 172.29.0.0. For security reasons the users start an RDP session on the Gateway and then start a second RDP session inside that RDP session to connect to these Terminal Services. For various reasons (printing, hot-key function) I want to replace the Gateway terminal server with WinGate. The TCP mapping works fine: I can start my RDP client against 172.29.11.45:9999 and it connects me to the mapped terminal server in subnet 10.0.0.0.

The problem is security. The clients always arrive with the credential Guest and not with their Windows account. So as soon as I restrict access to that service to a specific Windows group, the connection is refused.

I have WG running with a Domain Admin account and the user DB is set to use the domain. I can see my Windows groups and can use them in the policies, but as long as all users arrive as Guest in WG, these Windows groups have no effect.

Can anyone help me?

Thx Daniel
dfehse
 
Posts: 8
Joined: Jun 03 06 11:16 am

Postby adrien » Jun 04 06 11:35 am

Hi Daniel

I see you posted this to our help desk as well, which I answered, but for the benefit of others here, I shall include my previous reply:

No TCP mapping service ever provides authentication - it's just a plug through to another service, so it has no protocol support, and therefore no authentication provisions (as this requires a protocol).

If you want your users to have authenticated access, they will need to authenticate with something else. I would suggest using the WinGate client, since that will allow you to authenticate for protocols that don't actually support authentication, or that aren't specifically supported by a proxy in WinGate (i.e. for your RDP connection).

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
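
As an added illustration of the reply above (not WinGate code and not part of the original posts): a minimal TCP plug-through in Python. The names `pump`, `start_mapping` and `demo` and the localhost backend are constructed for the example; the only thing the mapper ever learns about a client is its source address, so there is no identity to match against a Windows group.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until EOF. Nothing is parsed, so no credentials are seen."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # pass the EOF on to the other side
        except OSError:
            pass

def start_mapping(target, seen):
    """Listen on a free localhost port and plug every client through to target.
    `seen` records all the mapper knows about each client: its (ip, port)."""
    listener = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                client, peer = listener.accept()
            except OSError:
                return                      # listener closed
            seen.append(peer)               # no user name, no group membership
            upstream = socket.create_connection(target)
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=pump, args=(a, b), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return listener

def demo():
    """Constructed test bed: a one-shot backend stands in for the mapped server."""
    backend = socket.create_server(("127.0.0.1", 0))
    def answer():
        conn, _ = backend.accept()
        with conn:
            conn.sendall(b"backend:" + conn.recv(4096))
    threading.Thread(target=answer, daemon=True).start()
    seen = []
    listener = start_mapping(backend.getsockname(), seen)
    with socket.create_connection(listener.getsockname()) as c:
        local = c.getsockname()
        c.sendall(b"opaque-bytes")
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    return reply, seen, local
```

Calling `demo()` returns the backend's reply together with the list of peers the mapper recorded, each of which is just an address and port.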

Postby dfehse » Jun 04 06 8:08 pm

Thx for your answer. I tested that with the WinGate client and that way it works. But my problem is that the software will be used in a very restricted environment. That means every piece of software has to be tested, then repackaged or installed silently via software distribution. It's not allowed to install software manually on a PC.

So my next question is: Is there a way for the user to authenticate on the WinGate server via a web page or popup? Something similar to what exists on a lot of firewall products (called policy password), where the user enters his credentials and can then access the resources?

And if that is not possible: Where is that client installed and how deep does it go into the system? Is there a way to silently install the client with all the settings needed?

Thx Daniel

Postby adrien » Jun 05 06 11:45 pm

Hi Daniel

It is loaded as a Winsock 2 Layered Service Provider DLL.

If all you need is authentication, then you could force users to manually authenticate first using a client authentication application we have.

It is then just a small application rather than intercepting all windows sockets calls on the system, so will be much less intrusive into the client systems.

Regards

Adrien

Postby dfehse » Jun 06 06 12:21 am

Hello Adrien,

and thx for your answer, but sorry, I do not understand in detail what you mean. I know that you have a client (WGIC.msi) that can be installed on the PCs. I have tested that and it works: users are authenticated with their Windows accounts and can use this TCP Mapping Service.

So is there another Client-Software for authentication?

Regards

Postby adrien » Jun 06 06 11:07 am

Yes, there is another one.

It's called QbikAuth.exe.

It does only authentication (nothing else), whereas the WinGate client also intercepts connections.

You can get it from

http://www.wingate.com/downloads/QbikAuth.exe

Regards

Adrien

Postby dfehse » Jun 07 06 6:39 am

Hi Adrien,

this client doesn't work. It always says that there is an Error Connection to the server. What could be wrong? And I also think that client help me because I need this RDP port mapping after authentication.

And my second question is: How can the WGIC.msi be installed with the correct settings, e.g. server name with IP address etc.?

.. some add-ons: I tried to tune the MSI with InstallShield, but that didn't work. The registry settings under hklm\qbik sw\gdp can't be integrated in an MST file. And even if I enter them manually (via the applet in System Settings) as an admin, a normal user can't read these settings. And the funny thing is that a normal user can't even enter a WinGate server; the settings are discarded because he is not able to write to the registry at hklm\qbik sw\gdp!

If we cannot deploy the client without user interaction we have to cancel the project.

Thx for any help !

Daniel

Postby adrien » Jun 07 06 4:03 pm

Hi Daniel

The QbikAuth.exe connects to the Remote Control Service. So that service needs to be bound to your LAN adapter (by default it is only bound to localhost interface). Also you need to have an Administrator password assigned if you are using the WinGate user database, else the Remote Control service will lock itself down to localhost only again to prevent people getting in from externally when there is no password.

Regards

Adrien

Postby dfehse » Jun 07 06 5:47 pm

.. you still didn't answer my second question: How can the WGIC be installed silently with all the settings needed?

Thx Daniel

... by the way: Is there any official documentation about these things, the silent install and this QbikAuth tool?

Postby adrien » Jun 07 06 9:48 pm

Hi Daniel

If you are looking to create an installer to roll out WGIC over your LAN, just to handle authentication for a TCP mapping for access to RDP, I would strongly advise reconsidering.

The WGIC will intercept most of the apps on all your machines, and try and redirect them through WinGate. So, not just RDP access, but browsers, email etc etc etc. I think unless you are planning to use WinGate to serve these applications, this will create major headaches for you, and you would be better off just using an authentication tool.

In fact I still don't really understand why you don't just rely on the authentication built into Terminal Server for access control.

As for a silent install for WGIC, I'm not sure if there is one. I'll have to check with the guy that looks after the installer for it.

Adrien

Postby dfehse » Jun 08 06 3:09 am

Hi Adrien and James,

first, thx for the patience you have with me ..

James recommended that I use the WWW proxy service to authenticate. So I configured this service to use port 81 because I will use the IIS TSWeb site. Next I set NTLM under Authentication where required by policies and gave the user group GgWinGate the right to use this proxy service.

When I enter http://wingatesrv:81 in Internet Explorer nothing happens, except that I can see under Activity "clientname" and on the next line "http://". When I then open the RDP client and try to connect, the connection is refused because I arrive as Guest.

Is there something else that has to be configured?

Thx for any help

Daniel

Postby adrien » Jun 08 06 10:45 am

Hi

I think James must have misunderstood what you were trying to do. It doesn't make any sense to authenticate with HTTP, since to do so in the way you are would require you to

1. set up WinGate as a web server
2. get authentication working on it
3. keep on authenticating over and over, since as soon as the connection is dropped, the authentication is lost.

Have you tried QbikAuth.exe?

It sits in the system tray and is very easy to use.

Adrien

Postby dfehse » Jun 08 06 11:22 am

Hi and thank you very much .. it works with this QbikAuth!!

I'd like to put it on my connection web page, so the user can execute it from there. Is there a way to fill out the server and port information? Our servers have very complicated names like vkcc6st032 and I think some users will mistakenly enter a wrong name or so.

Today I installed WG in our domain (there are about 5000 objects in our AD). After I set the user DB to NT-Users, entered our DC as Remote System and restarted WinGate, I have an empty WinGate console. It seems that I don't have any rights anymore. But my user is in a group that gives me full admin rights on the server. Any idea?

Thx again ..

Daniel

