Fault-Tolerant Wingate Installations

[Bob Tucker]

Hi,

I would like to create a backup Winage server for a customer. And, if possible, I would like to have the client PCs use the backup Wingate server if the DSL connection becomes unavailable on the first Wingate server. I cannot seem to do this. It is possible? I am using the dead gateway option with two connections on the current server, but a second server is required instead. Clients currenty attach via NAT - which is transparently redirected to the WWW proxy. Kaspersky AV is installed. (I am usiing 6.1.3 at this site as 6.1.4, strangely, sometimes stops working after it has been running for a week or so.)

Kindest Regards,

Bob Tucker

[adrien]

Hi Bob

I don't think there's a way to do this with NAT, since the clients are configured to use a specific gateway (which resolves to a specific MAC address), there's no way for another machine to take over ownership of that MAC address, or even the IP address of the gateway.

We have been looking into some funky options for this but we are a way off. Our next major version allows actions such as changing default route based on the result of alerts, which can be set based on results of monitoring links or servers using a variety of methods (i.e. using TTL to probe certain number of hops etc).

This is for a fairly large site?

PS, you still interested in antispam? we are working on a new system for this.

[Bob Tucker]

Hi Adrien,

Thank you very much for your reply!

The site is not big ~ 30 users. There is really no reason that NAT needs to be used - particularly as Kaspersky AV is in use on Wingate. I did not think a fault-tolerant second connection was possible, but I thought I would ask.

Thailand has faily slow and unreliable DSL, so an alternative is required. I would like to move the second connection to the Disaster Recovery server. The site would then have two Wingate servers. That prompted my question.

Per SPAM, at this site, we are using service on the Internet (one that you recommended, as I recall), along with Micrsoft's IMF in Exchange 2003. IMF - with sopme thrid party tools - works OK. I would be happy to consider any alternatives.

Kindest Regards,

Bob Tucker

[adrien]

Hi Bob.

Our WinGate Client will automatically switch to a backup server if one WinGate goes away, but that wouldn't normally be triggered by a link failure. Next version would allow you to turn off the WRP service if a monitored link went down so that would do it, but again that's version 7.

With regard to 6.1.3 working and 6.1.4 sometimes stopping, we're looking into this. there weren't many changes, the main ones in the area of cascaded proxy in the WWW proxy (connections tab), and gateway selection (specifying a gateway in the gateways tab of a service).

Do you use either of these features?

Regards

Adrien

[Bob Tucker]

Hi Adrien,

Thank you very much for your post.

I have not used the Wingate client recently, but using it sounds like the best idea. I can script a process to look for a failed link to the ISP associated with each link and disable the appropraite Wingate server if the the link related to a server is down. I used to use the Wingate client, but long ago when I used it, I sometimes had problems with uninstall of the client. The uninstall sometimes was incomplete - which sometimes left the winsock and TCP/IP on the affected PC in something of an unusable state. XP SP2 was nice in this respect in that I could more easily repair the Winsock.

Per your questions on version 6.1.4 sometimes stopping, this site does not use a cascaded proxy; and I do not specify a gateway in any service. (I just rechecked Wingate on the server to make sure of this as I used to specify gateways, but that was more than a year ago.) But a cascaded proxy may be the issue. Six months or so ago, I noticed the ISP was transparently redirecting browsing through a proxy server. Although that does not seem to be the case today, the Thai government requires all ISPs to filter out pornographic sites and sites otherwise deemed offensive, so the ISP does maintain a mechanism for that. The ISP here uses Nortel routers which I can look at; and it appears that the banned sites are not being filtered in the routers, so that mechanism could well be a proxy server or similar process - and that could be the issue.

Kindest Regards,

Bob Tucker

[ChrisH]

Sorry no solutions but I have questions as it is an interesting scenario.
In general, what happens if in DHCP you add another default Gateway (pointing to a backup server)? As long as its' metric is higher than the main Gateway, the main one should be used for routing, correct? I guess I'm wondering what happens when main Gateway fails in this case. Do clients then use secondary gateway? What happens when main gw comes back up?

[adrien]

Hi

as far as I've ever been able to tell, Windows although it lets you define multiple default gateways, isn't particularly smart about how it uses them. In fact in many cases it is particularly dumb.

Whilst you might expect that the OS would try one maybe, then another if it didn't get a response. It doesn't seem to. Nor does it choose depending on the destination. It seems to choose only on the route metric.

I don't even think windows itself will even notice if a gateway becomes unavailable.

Not sure if there is an advanced TCP/IP reg setting you can use to enable some functionality.

Adrien

[Bob Tucker]

Multiple default gateways. Windows is indeed particularly dumb about this.

I have written a small script. This uses a program that looks for the SMTP server at the local ISP. The SMTP server is a redundant, fault-tolerant server and unlikely to disappear under most condtitons. If that SMTP server disappears, I assume the link is down and the script stops the QBIK Wingate service associated with the link. Adrien, if I use Wingate client software, the clients should then change to the second Wingate server. I will test this on the weekend.

Kindest Regards,

Bob Tucker