WinGate Forums

[serginho]

Hi,

I wonder why does System Policies doesn't include the very useful option "HTTP URL ...." (See http://forums.qbik.com/viewtopic.php?t=5359)

Example: a have a dozen words I don't want ANY user to have access to urls that contain them. My users are divided in groups, with Java authentication. Each group have other specific independent restrictions, like time. If I put the dozen-word list in Everyone, it's not respected, I have to repeat it individually for every user.

Am I doing something wrong, or should HTTP URL reaaly apper as a System Policies' option the make our lives easier?

Thanks

WG 6.1.4 on XP
[/quote]

[ChrisH]

I think part of the reason that system policies don't have the HTTP URL is because the policies here apply to all WG services not just WWW proxy. If the words you want global restriction on are in the Server name you can apply these to the system policy for Everyone (Server name contains...) and apply independent restrictions to groups/users in WWW policy (where, as you know, you can apply HTTP URL....), then make sure that in WWW policy the Default rights (System policies) MUST also be granted. This way both sets of policies are applied.

[serginho]

Hi, thanks for your answer.

I see your point, haven't noticed the fact that system policies would apply to all services. Any way, I cannot agree this is a reason for not having the option (it's better to use it carefully so it won't disrupt other services, than not having it at all)

My problem (and I'm pretty sure it's not exclusively mine as I'm going to point out below) is what I don't want the url to carry, is not in the server name but somewhere in the url. Take this example:

A certain company doesn't want the users to access orkut.com. Eazy, you would say: "just set a policy for the Everyone group banning server names containing 'orkut.com'". Done? Somewhat! Try this: with a browser access www.proxy7.com and in the appropriate text box type http://www.orkut.com. If you take a look at the url in wingate logs/activity/history, you are going to see something like this:
http://www.proxy7.com/something/http/ww ... ethingelse
That requires banning by "http url contains..." unless, of course, there is another option I don't know about. And, of course, it won't certainly go through banning proxy7.com because this is just one anonymizer available

Thanks

Serginho

[ChrisH]

Yes you are right. If it is more than the Server name you can't do it that way. The only way is as you mentioned earlier. You will have to include all the global ban words (HTTP URL contains...) in each WWW group/user as well as the ban words common to each group/user -Not using the Everyone group. This of course isn't the easiest way to do things. If you don't have a great deal of banned words and/or groups/users it is tolerable, but grows exponentially more cumbersome as the words and users grow. I know Qbik is looking at revamping the way WG handles Black and White lists. Hopefully due out in next major release? I will say that some of theses anonymous proxy sites do things differently when it comes to submitting the requested sites. Some seem to encrypt the new URL so I'm not sure if your method would work with them all. But they all work using some sort of submit button. WG can also look at the HTTP Method ie POST or GET so that in your policy may also be beneficial. It seems for every way an administrator tries to lock down policies, another clever user comes up with ways around it. I guess that makes life interesting?

[serginho]

Indeed.

As you say, the more words and users/groups the harder, so besides making things safer, I like things done easier. Since there is no elegant solution, I though of a manual workaround, which

I DO NOT RECOMMEND TO ANY ONE READING THIS TOPIC

especially because I haven't even tested it yet (and when I do, I'll NOT do it in a production machine!), involves copying and pasting some registry keys under RecipientX, replicating the BanFilter setup from one user/group to the others.

What do make of this?

[ChrisH]

This registry approach has been done before by others on this forum. It will work - just that you have to be aware of the dangers of registry editing, thus backups and restore points etc. should be done beforehand.

See these posts:

http://forums.qbik.com/viewtopic.php?t=785

http://forums.qbik.com/viewtopic.php?t=4665

[adrien]

Hi

as chris mentioned, the reason we don't have options for HTTP URL in system policies is because these policies may be used by any service, not just WWW.

there are options for how system policies are combined with those for a service as well which may help as well, but not for HTTP URL, policies for this can only be set in the WWW proxy.

If you have multiple policies in the WWW proxy, and each group needs to share say a banlist, can you combine these groups? Or make the banlist apply to everyone, and have another policy which grants access to those you want to have access to the restricted sites?

Adrien

[ChrisH]

The approach Adrien suggests may, in your case, be the best. Put all your ban words in the Everyone group in WWW proxy, then in each group/user add the right to to use those ban words where you deem appropriate. You would do this in the advanced section of each user/group in WWW proxy. For each ban word from the Everyone policy you want this group/user to be able to use set up a filter & criterion eg;

group1
filter1
http url contains com

filter2
http url contains proxy

This policy will allow only those sites listed to be used by the group specified. The Everyone group, of which all others are a subset, will allow these users to go everywhere else except of course those banned in that policy. Basically WG will use a Boolean .OR. with these polices. If either or both allow a group/user to pass through then they will get access. If both policies deny rights then the group/user will be denied access. Hope this helps.

[serginho]

Hi, and thanks to ChrisH and Adrien for your time.

First of all, I have a few comments:

f you have multiple policies in the WWW proxy, and each group needs to share say a banlist, can you combine these groups? Or make the banlist apply to everyone, and have another policy which grants access to those you want to have access to the restricted sites?

Different groups have different restrictions, mostly time restrictions, so they cannot be merged. I have tried to apply the ban list to the Everyone group, but it only works if the user is not in any other group. Example:
WWW Everyone ban list = server name contains orkut
user serginho is in groups Management and Users: user can access orkut
user serginho is only in group Users: user cannot access orkut.

Perhaps I'm doing something wrong (but here, a little complain - the only one I have about Wingate - the help is vague about something, mostly lacking practical examples)

The approach Adrien suggests may, in your case, be the best. Put all your ban words in the Everyone group in WWW proxy, then in each group/user add the right to to use those ban words where you deem appropriate. You would do this in the advanced section of each user/group in WWW proxy. For each ban word from the Everyone policy you want this group/user to be able to use set up a filter & criterion eg;

I think I did not understand this one. It seems to me the same work of setting up lists for every group in the WWW Proxy Service.

Let me put a clear example:
1. I don't want no user to have access to URLs that contain the words orkut and meebo (... and suppose a dozen more)
2. Suppose 2 groups (but remember I have a lot more): Management and Factory. Management has no restriction on time, location, etc, but cannot access the sites mentioned in 1. Factory has time restrictions besides being unable to access sites mentioned in 1.
3. User serginho is in group Management and zezinho is in group Factory

How do I setup Wingate policies to achieve this situation?

Thanks again

Serginho

[ChrisH]

Serginho,

It can at times be somewhat daunting and confusing to get policies just the way you want them.

Let's try this:

In System policies for the group Everyone, create a Ban List using the words you want using the criteria as follows. Server name contains orkut No other users/groups should be in this System policy.

In the WWW proxy service set up all your groups and users with authentication, time and location policies as required and require that Default rights (System policies) MUST also be granted. The Everyone group should not be listed in this WWW service policy.

Now what we have is the Ban (black) List in System policies and all the other restrictions in the WWW service policy. Since the Everyone group implicitly encompasses all groups/users the black list will apply to them all AND since in the WWW service policy you require that system policies MUST apply, WG will now look at both sets of policies (System & WWW) to decide whether or not to grant access. In your first post you wanted to have HTTP URL contains in system policies. Here is how to accomplish that.

Disclaimer: All methods/procedures listed below must be carefully considered as having the potential to cause injurious effects upon the registry of your computer possibly rendering the computer inoperable and giving you a severe migraine. Creating a registry backup and a system restore point are required before going any further.

Reread the disclaimer

Open up the registry editor and Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\DefaultRights\Access\Recipient0\BanFilter

Below this key are all the Criterian for the words you established earlier

Navigate to the first one, Criterion0, and edit the DataIndex key and enter the value f

Edit the same key for each of the criterion you have listed

Stop the WinGate Engine. Then restart it.

Open up GateKeeper, navigate to System Policies, Ban List and your criteria should show up as HTTP URL contains.....

In my testing this behaved as I expected it should. Hopefully now WG will work the way you want it to. Let us know how you make out. Again, this isn't the most elegant way to achieve this but it can be done. Hopefully you don't have hundreds of Ban criteria.

[serginho]

Hi,

I'm sorry my example did not point a small but important word:

1. I don't want no user to have access to URLs that contain the words orkut and meebo

The keyword here is URL. Not the server name, thus the requirement for "URL contains" in the subject of this topic. So, your first suggestion in the last post was exactly what I had done in the beggining. But then, the users found that they can escape some policies by using proxies/anonymizers. At least those that do not encrypt the request, will show the site in the URL and, of course, not in the server name.

Anyway, I'll give a try to the proposed registry changes. Indeed, I have quite a few banned words, so it looks like cumbersome. I'll see if a script can be written to make things a bit easier.

In the meantime, should anyone have a better idea, a different approach, I antecipate thanks

Regards
Serginho

[ChrisH]

I'm sorry my example did not point a small but important word:

1. I don't want no user to have access to URLs that contain the words orkut and meebo

The keyword here is URL. Not the server name, thus the requirement for "URL contains" in the subject of this topic. So, your first suggestion in the last post was exactly what I had done in the beggining.

Yes, I understand. The registry edit (hack) changes that Server name to HTTP URL . Perhaps I didn't make that clear.

[willtech]

The approach Adrien suggests may, in your case, be the best. Put all your ban words in the Everyone group in WWW proxy, then in each group/user add the right to to use those ban words where you deem appropriate. You would do this in the advanced section of each user/group in WWW proxy. For each ban word from the Everyone policy you want this group/user to be able to use set up a filter & criterion eg;

group1
filter1
http url contains com

filter2
http url contains proxy

This policy will allow only those sites listed to be used by the group specified. The Everyone group, of which all others are a subset, will allow these users to go everywhere else except of course those banned in that policy. Basically WG will use a Boolean .OR. with these polices. If either or both allow a group/user to pass through then they will get access. If both policies deny rights then the group/user will be denied access. Hope this helps.

I often set up just one filter (not that it matters - still works but lets me keep it tidy)

group1
filter1
http url contains . {they all have a .}
NOT http url contains proxy
NOT http url contains p*rn
NOT http url contains etc...

Cheers :)

[ChrisH]

[I often set up just one filter (not that it matters - still works but lets me keep it tidy)

group1
filter1
http url contains . {they all have a .}
NOT http url contains proxy
NOT http url contains p*rn
NOT http url contains etc...

Cheers :)

Very nice!