If TR enabled on Services, WRS & ENS policies not enforc


Moderator: Qbik Staff


Postby ChrisH » Dec 04 03 4:38 am

If I have clients that connect by NAT or WGIC AND TR is enabled on WWW and POP3 proxy servers, the policies I have set up in WRS and ENS are not enforced IF the client wants to browse or use mail. They are enforced for other activities. So if I set a time (or any other) restriction for any internet use on WRS or NAT, if user wants to browse they can at any time. A time policy now has to be created as well for both WWW and POP3 for time to be enforced. Is there no way around this? TIA
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby adrien » Dec 08 03 7:41 pm

There is.

It depends on the logic of all the rules you have configured.

The trick to WinGate policies is that each recipient you grant a right to adds rights.

So, if you want to restrict access to a service by time, you can't have a policy in there that grants access all the time, and another that grants only some of the time, since the one that grants all the time will effectively override the other one.

So for instance in the WWW proxy, you would need to select "default policies are ignored" and only add a recipient that has rights for the times you wish to be allowed.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
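
The additive behaviour adrien describes above, as an added example that is not part of the original thread and is not WinGate code: a simplified Python model in which a user is allowed whenever any grant covers the current time. The recipient names, the time windows and the `ignore_defaults` flag (standing in for "default policies are ignored") are assumptions made for illustration.

```python
from datetime import time

# Simplified model (assumption, not WinGate's implementation): a policy is a
# list of (recipient, start, end) grants, and a request is allowed if ANY
# grant that matches the user covers the current time.
ALWAYS = (time(0, 0), time(23, 59, 59))


def in_window(now, start, end):
    """True if now falls inside [start, end]; windows may wrap past midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def allowed(user, now, service_grants, default_grants, ignore_defaults):
    """Additive evaluation: each grant can only add rights, never remove them."""
    grants = list(service_grants)
    if not ignore_defaults:
        grants += default_grants  # defaults contribute rights as well
    return any(
        who in (user, "Everyone") and in_window(now, start, end)
        for who, start, end in grants
    )


# Constructed sample policies (hypothetical names and times).
DEFAULTS = [("Everyone", *ALWAYS)]                  # grants access all the time
WWW_LIMITED = [("chris", time(8, 0), time(17, 0))]  # intended restriction


def demo():
    """Evaluate the same 22:00 request with and without the default grants."""
    late = time(22, 0)
    return {
        # The always-on default grant overrides the time-limited one.
        "defaults_used": allowed("chris", late, WWW_LIMITED, DEFAULTS, False),
        # With defaults ignored, only the limited grant is evaluated.
        "defaults_ignored": allowed("chris", late, WWW_LIMITED, DEFAULTS, True),
    }


if __name__ == "__main__":
    print(demo())
```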

Postby ChrisH » Dec 09 03 4:00 am

Hi Adrien,

Thanks for the reply. I understand about per-service policies as you indicate, but I was assuming that policies for each individual service were separate. So, I gather from what you are saying that policy in WWW proxy is kind of .OR.'ed with ENS or WRS policy IF TR is enabled. If policy in WWW proxy allows it but policy in WRS doesn't, the right is granted - seems to be the case. But it doesn't work the other way. If policy in ENS allows it and WWW proxy doesn't, then right isn't granted. The only policy that seems to be different is authentication. If WRS wants authentication and WWW proxy doesn't (or vice versa), user must authenticate.
My scenario is that I want to restrict one user from using NAT for anything after a certain time, but if WWW proxy allows it, the user can browse, so I have to have a duplicate time policy for that user created in WWW proxy. OK, so I might be lazy and only want to do things once, but I was hoping I could get away with it. Is it supposed to be this way? If it is, is it possible to add a feature request so that one doesn't have to do things twice? Using 5.2. TIA
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

