Filtering applications to access internet

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff


Postby javila » Dec 17 03 3:26 am

Hi, I was wondering how to ban ALL applications except the Outlook Express that one of my users uses to check his Hotmail account?
I was trying the WRP service policies and it was working fine until I went to check the account (http://services.msn.com/svcs/hotmail/httpmail.asp); there was a problem and the GateKeeper showed me a message that user "A" requested a TCPLink, obviously not valid.
After that I tried the IP ban, but there are so many IPs to ban that it is not too useful.
Any help? Thanks!

Javier
javila
 
Posts: 93
Joined: Nov 13 03 3:43 am
Location: Santa Cruz de la Sierra - Bolivia

Postby ChrisH » Dec 17 03 4:23 am

Hello,

I would say you are on the right track that the WRP service is the place to ban client applications. How have you got policies for this user set up in WRP? What about System policies? Are you authenticating? Using POP3 or WWW proxies? Transparent Redirection in POP3?
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby javila » Dec 17 03 5:12 am

Ok, the configuration is:

WRP service policies:
User CONTABILIDAD must be authenticated, and in the specified rights for:
"client application name contains msimn.exe"
"server port number equals to 110"
"server port number equals to 80"

Default rights are ignored

Basically it works because I have 'opened' port 80, giving CONTABILIDAD access to the MSN web-based email (hotmail.com), and I would like to make it more accurate. I have tried the next policy:
"server name contains 'msn.com' "

But the GateKeeper shows me an authentication message about the TCPLink; it also shows me an ID 0301 authentication failed, but from another user (me :D), and I don't have any other policy mounted for this user.

Hope this works, thanks in advance!

Javier
javila
 
Posts: 93
Joined: Nov 13 03 3:43 am
Location: Santa Cruz de la Sierra - Bolivia

Postby ChrisH » Dec 17 03 4:01 pm

Javier,

Do you have each of those criteria listed separately with their own filter or all under one filter? Separately they are ORed; together all criteria are ANDed. So it will make a difference in how your policy will ultimately work.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby javila » Dec 18 03 3:16 am

According to your proposal, I got an AND filter configuration, because I got 3 filters configured, each one with one specific rule.

Regards,

Javier
javila
 
Posts: 93
Joined: Nov 13 03 3:43 am
Location: Santa Cruz de la Sierra - Bolivia

Postby ChrisH » Dec 18 03 8:03 am

Javier,

Here is what I did with one of my users. He is authenticated using WGIC. He can now check his Hotmail account (port 80), but not ISP POP3 mail, using only Outlook Express. He can use no other applications through WRS. The WRS Advanced Policy for this user is this:


Specify which requests this recipient has rights for

Filter 1
Not Client application name contains "msimn"
Server port number equals 80

Try this and see if it works for you.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby javila » Dec 18 03 9:35 am

Chris:
Thanks for your attention. I have divided this message into 3 parts:


PART1
Pointing to "the way" that you put the policy (Not Client application name contains "msimn"), I don't really understand it. I got 5 filters on the WRS Advanced Policy for this user:
Filter 1
Client application name contains "msimn.exe"
Filter 2
Server port number equals 80
Filter 3
Server port number equals 110

And these filters allow the client to connect to the POP3 ISP mail and his Hotmail account; please explain to me your first filter 1 criterion.

I got no ban list.



PART2
Also I would like to allow this same client to check only one specific web site called www.impuestos.gov.bo; in order to do this I added 2 more filters:
Filter 4
Client application name equals "explorer.exe"
Filter 5
Server name contains "impuestos.gov.bo"

But these last 2 filters did not work well, because the client was allowed to use Internet Explorer (explorer.exe) to browse impuestos.gov.bo but also any other site with any other extension (.com, .net, etc.)



PART3
How can I ban all the sites (something like *.*... it is just an idea) and also put a "hole" to browse only one site called e.g. www.cnn.com? The idea is that, instead of going and banning every new site that my nosy client discovers, I prefer to ban all and only give access to some sites. Is this possible?

Hope you understand my English

Javier
javila
 
Posts: 93
Joined: Nov 13 03 3:43 am
Location: Santa Cruz de la Sierra - Bolivia

Postby ChrisH » Dec 18 03 10:23 am

Javier,

Separate filters as you have are all ORed together, so only one of the criteria has to be true for the right to be granted.

Do you want user to check both POP3 and Hotmail? or just Hotmail?

If you want to use both I would suggest two filters as follows:

Filter 1

Client application name contains "msimn.exe"
Server port number equals 80

Filter 2

Client application name contains "msimn.exe"
Server port number equals 110

The filter you have for browsing change to:

Filter 3

Client application name equals "explorer.exe"
Server name contains "impuestos.gov.bo"

Just click on the Add Criterion button again to add to the same filter. Should that be iexplore instead of explorer?

WG will now check each filter to see if it is true. Only one of the filters has to be true for right to be granted. So, if user is running msimn AND connecting to server port 80 (Hotmail) he can connect. OR if he is using msimn AND connecting to server port 110 he can connect. OR if he is browsing using explorer AND wants to view impuestos.gov.bo he can. These are the only combinations that will work.

What version of WinGate are you using? I am using 5.22. The only way I can ban all applications except the one(s) I want to allow is to use the NOT. It seems backwards to me. But when I use NOT only msimn is allowed. If I don't use NOT then msimn is only application that can't be used. So that is why I said NOT Client App.... in my last post. Ver. 5.1 and 5.2 also behaved the same way for me. I haven't had time to check previous versions. Perhaps you don't have this problem. Hope this all helps.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada
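The OR/AND rule Chris describes above (separate filters are ORed, criteria inside one filter are ANDed) is easy to get wrong, so here is an added model of that evaluation written for this thread; it is not WinGate code or its API. The Request class, field names, and the sample connection attempts are constructed for the illustration. It evaluates Javier's first layout (one criterion per filter) and Chris's combined layout against the same requests, so the leak in the first layout (any port-80 connection from any application passes) is visible:

```python
"""Model of the WinGate WRP/WRS rights-filter logic described in this thread.

Semantics modelled, as ChrisH explains them: the recipient's right is granted if
ANY filter matches (filters are ORed), and one filter matches only if ALL of its
criteria hold (criteria inside a filter are ANDed). The Request class, field
names and sample connections below are constructed for this illustration and are
not WinGate's own API or data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Request:
    """One intercepted connection attempt (constructed sample data)."""
    app: str           # client application name as reported by the Redirector
    server_port: int
    server_name: str


@dataclass(frozen=True)
class Criterion:
    field: str         # attribute of Request: "app", "server_port" or "server_name"
    op: str            # "equals" or "contains", the two operators used in the thread
    value: object
    negate: bool = False   # the NOT toggle on a criterion

    def matches(self, req: Request) -> bool:
        actual = getattr(req, self.field)
        if self.op == "equals":
            hit = actual == self.value                 # case-sensitive, as javila reports
        elif self.op == "contains":
            hit = str(self.value) in str(actual)       # plain substring match
        else:
            raise ValueError(f"unknown operator {self.op!r}")
        return (not hit) if self.negate else hit


@dataclass(frozen=True)
class Filter:
    name: str
    criteria: Tuple[Criterion, ...]

    def matches(self, req: Request) -> bool:
        # Every criterion in one filter must hold (AND).
        return all(c.matches(req) for c in self.criteria)


def right_granted(filters: List[Filter], req: Request) -> bool:
    # A single matching filter is enough (OR).
    return any(f.matches(req) for f in filters)


def evaluate(filters: List[Filter], requests: List[Request]) -> List[bool]:
    """Decision for each request, in order."""
    return [right_granted(filters, r) for r in requests]


# javila's first layout: one criterion per filter, so the filters are ORed.
SEPARATE = [
    Filter("app", (Criterion("app", "contains", "msimn.exe"),)),
    Filter("port80", (Criterion("server_port", "equals", 80),)),
    Filter("port110", (Criterion("server_port", "equals", 110),)),
]

# ChrisH's layout: application and destination in the same filter, so they are ANDed.
COMBINED = [
    Filter("hotmail", (Criterion("app", "contains", "msimn.exe"),
                       Criterion("server_port", "equals", 80))),
    Filter("pop3", (Criterion("app", "contains", "msimn.exe"),
                    Criterion("server_port", "equals", 110))),
    Filter("impuestos", (Criterion("app", "equals", "iexplore.exe"),
                         Criterion("server_name", "contains", "impuestos.gov.bo"))),
]

# Constructed connection attempts; the server names are illustrative only.
SAMPLE_REQUESTS = [
    Request("msimn.exe", 80, "services.msn.com"),          # Outlook Express -> Hotmail
    Request("msimn.exe", 110, "pop.isp.example"),           # Outlook Express -> ISP POP3
    Request("iexplore.exe", 80, "www.impuestos.gov.bo"),    # browser -> the one allowed site
    Request("iexplore.exe", 80, "www.cnn.com"),             # browser -> any other site
    Request("msimn.exe", 25, "smtp.isp.example"),           # mail client -> SMTP
    Request("IEXPLORE.EXE", 80, "www.impuestos.gov.bo"),    # same site, different case
]

if __name__ == "__main__":
    for name, policy in (("separate filters (OR)", SEPARATE), ("combined criteria (AND)", COMBINED)):
        print(name)
        for req, ok in zip(SAMPLE_REQUESTS, evaluate(policy, SAMPLE_REQUESTS)):
            print(f"  {req.app:13} :{req.server_port:<4} {req.server_name:24} -> {'allow' if ok else 'deny'}")
```

With the separate layout every sample request is allowed, including the browser reaching www.cnn.com and the mail client reaching port 25; with the combined layout only the three intended combinations pass, and the last request is denied because the comparison is case-sensitive, which is the behaviour Javier later reports.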

Postby javila » Dec 18 03 12:42 pm

I was working on the configurations that you proposed to me, but it does not seem to work.
Correct me if I am wrong. When you set the "Specify which requests this recipient has rights for" radio button, you are telling WinGate that only those filters will be taken as TRUE, isn't it? If I am correct, then when you set (a double negation) the operator NOT for the criterion, WinGate makes a second filtration to only let the application called iexplore.exe access the internet... right?
Well then, if that procedure works (see example in filter 1 A below), why does it not work when I do the same with the NOT Server name contains "impuestos.gov.bo"? In this case the explorer just browses everything if there is no second criterion. But if I put the Server name contains "impuestos.gov.bo" as 2nd criterion then it stops browsing everything.

for example:

filter 1 A
not client application name equals IEXPLORE.EXE
this one works fine for the application called iexplore.exe (outlook.exe, etc.)

When I add a second criterion, for example:

Filter 1 B
not client application name equals IEXPLORE.EXE (note that I always put the app name in CAPS because WinGate DISTINGUISHES between "iexplore.exe" and "IEXPLORE.EXE")
server name contains "impuestos.gov.bo"

In the case of filter 1B, Internet Explorer was unable to browse any web page and the GateKeeper showed me the system message AUTHENTICATION FAILURE.

I am using the 5.2 (885 Build) version on a Win2000 server, and I am trying this configuration on both Windows 98 and WinXP.

I was wondering if you can export your WinGate settings... and just cut out the part of the WRP policies to compare, because it is really frustrating to keep trying and see how others can make the control easily and I can't.

I hope you keep helping me; I will appreciate it a lot, thanks.

Javier
javila
 
Posts: 93
Joined: Nov 13 03 3:43 am
Location: Santa Cruz de la Sierra - Bolivia

Postby ChrisH » Dec 18 03 2:10 pm

Javier,

My user can't seem to connect to www.impuestos.gov.bo either with policy in place. I put in several others including cnn.com and they all worked. If I take out policy user can connect to www.impuestos.gov.bo
So there must be something about that site. Why it won't connect is beyond my expertise here. Perhaps someone from QBik might help out here. The policy works but there is something else not allowing this site. So in theory it should work.

The Client Application name is the only criterion in my experience that behaves this way. All others seem to work the "right" way.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby adrien » Dec 18 03 5:12 pm

Hi

Are you using Transparent Redirection for the HTTP proxy with the client?

In this case, the application name is not available, since this parameter is only available for WRP control sessions.

So, mixing criteria in a single rule which contain the app name and say a URL or server won't work, since the data won't be there.

If you need to block IEXPLORE.exe you would need to put that rule in the WRP server.

I can see how this confusion arose, since in theory if a connection is intercepted by the HTTP proxy, from WRP, then the application name should be available, and in use.

So I guess that is a bug we should fix!
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby ChrisH » Dec 19 03 1:24 am

Hi Adrien,

In my case TR was not enabled. It seems to me to be something about this site www.impuestos.gov.bo and how WG reacts to it, not the policy that is causing it not to display. Any other site I have put in policy works OK for me. WG server machine displays it OK. Also client machine will display it as well if no restrictions in place.

Edited: I also found other sites that would not work as well. I can't figure out what the common link between them is though.
Last edited by ChrisH on Dec 19 03 6:21 am, edited 1 time in total.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby javila » Dec 19 03 3:23 am

My Transparent Redirection is also turned off.

About the site/application blocking, it may be that in some instance the site (that is the only one allowed to pass) calls another site's link (a Macromedia plug-in, for example) and then the whole site is banned because it does not comply with the full requisite that is server name contains "impuestos.gov.bo".
In another aspect, thinking of bug and wish lists... is it possible to add, in the Windows taskbar, a menu that turns always-on-top (on/off) for the GateKeeper window? It is to improve the testing operation ;)
javila
 
Posts: 93
Joined: Nov 13 03 3:43 am
Location: Santa Cruz de la Sierra - Bolivia

Postby ChrisH » Dec 19 03 6:12 am

Javier,

If I set up WRS filter as follows www.impuestos.gov.bo will work for user:

Filter 3

NOT Client application name equals "iexplore.exe"
Server IP equals "63.99.224.52" (IP address of www.impuestos.gov.bo)

If I set WRS policy as before:

Filter 3

NOT Client application name equals "iexplore.exe"
Server name contains "impuestos.gov.bo" (or any combination thereof: eg. gov or bo or impuestos)

end user cannot connect.

Adrien, perhaps you can look into this further?
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby javila » Dec 19 03 10:53 am

Works perfectly if it is the only filter in the specified requests.

If I add a second filter:
NOT Client name equals "msimn.exe"
Server port number equals 110
It keeps working fine...

Till I add:
NOT client name equals "msinm.exe"
Server port number equals 80
It looks like we got it at last; I finally found the conflict: it came when I 'let' port 80 (normally used to browse) access the internet, no matter the application (msimn.exe or explorer.exe (yes, my Internet Explorer application's name is explorer.exe)), and there everything starts to override the rules/policies.

Chris can you make that config and try it for me? I am semi-paranoid ;)

Filter 1
NOT Client name equals "explorer.exe"
Server IP address equals "63.99.224.52"

Filter 2
NOT Client name equals "msimn.exe"
Server port number equals 110

Filter 3
NOT Client name equals "msimn.exe"
Server port number equals 80

Thanks again for the help, it looks like we were close to the solution.
Chris, Adrien.

Javier
javila
 
Posts: 93
Joined: Nov 13 03 3:43 am
Location: Santa Cruz de la Sierra - Bolivia

Postby ChrisH » Dec 19 03 5:08 pm

Javier,

I can't get it to work. But it should! Something is not right. The criteria, IMHO, are not behaving the way they should be. This certainly has to be something that WG is doing incorrectly. I hope that Adrien and crew will have a look at the code to see what is up. I can't get any closer than you could to getting this to work. Unfortunately, at this time I don't think you can do what you want. I have tried many combinations but to no avail :( We were close but...
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby javila » Dec 20 03 2:20 am

OK Chris, thanks for your time and effort. I hope that the WG staff take note of this problem in the future.
At least we found a bug :-)

Javier
javila
 
Posts: 93
Joined: Nov 13 03 3:43 am
Location: Santa Cruz de la Sierra - Bolivia

Postby ChrisH » Dec 20 03 8:24 am

Javier,

One more try. This isn't perfect or pretty, but it does work (for me). My approach was that if the user could browse he could then check Hotmail from the browser. Here is what I did. It hopefully will work for you.

POP3 Filter

Not Client application name equals "msimn"
Server port number equals 110

impuestos Filter

Not Client application name equals "iexplore"
Server IP address equals "63.99.224.52"

Hotmail1 Filter

Server IP address contains "207.68.17"
Not server IP address equals "207.68.176.190"
Not server IP address equals "207.68.179.219"

Hotmail2 Filter

Server IP address equals "64.4.33.7"

Hotmail3 Filter

Server IP address contains "65.54.2"


Hotmail4 Filter

Server IP address equals "65.54.192.248"


Hotmail5 Filter

Server IP address contains "64.4."


Hotmail6 Filter

Server IP address equals "207.68.162.250"


User can browse to http://sea1fd.sea1.hotmail.msn.com and then login. However, there is a range of addresses that user could still browse to. I think that the user would have to stumble across them accidentally though. Try it if you like and see what happens.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada
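Chris's last layout above relies on "Server IP address contains" criteria such as contains "207.68.17" and contains "64.4.". A substring test on the dotted text of an address is not a prefix test, which is one reason "a range of addresses that user could still browse to" remains. The following added illustration is not from the thread; it compares the substring match with a proper network-membership check using Python's `ipaddress` module. The probe addresses are constructed, and the networks 64.4.0.0/16 and 207.68.0.0/16 are assumed intended ranges chosen only for the comparison, not ranges the thread states.

```python
"""Why a "Server IP address contains ..." criterion admits more than intended.

Added illustration for this thread (not WinGate code): the 'contains' criterion
is plain text containment on the dotted address, so it also matches addresses
whose text merely includes the pattern somewhere. The /16 networks used below
are assumed intended ranges, not values given in the thread.
"""
import ipaddress
from typing import Iterable, List


def contains_match(ip: str, pattern: str) -> bool:
    """The 'contains' criterion as the thread describes it: plain substring test."""
    return pattern in ip


def prefix_match(ip: str, network: str) -> bool:
    """Membership in a CIDR network, the check a prefix rule actually needs."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def overmatches(pattern: str, network: str, candidates: Iterable[str]) -> List[str]:
    """Addresses the substring rule admits that lie outside the intended network."""
    return [ip for ip in candidates
            if contains_match(ip, pattern) and not prefix_match(ip, network)]


def matched_third_octets(pattern: str, first_two: str = "207.68") -> List[int]:
    """Which /24s inside first_two.0.0/16 a substring pattern touches.

    Probes the address first_two.N.1 for every N, so the result lists the
    third octets (one per /24) that the 'contains' rule would let through.
    """
    return [n for n in range(256) if contains_match(f"{first_two}.{n}.1", pattern)]


# Constructed probe addresses for the contains "64.4." rule (assumed intent: 64.4.0.0/16).
PROBES_64_4 = ["64.4.33.7", "64.4.200.1", "164.4.10.10", "10.64.4.1", "64.40.1.1", "65.4.1.1"]

if __name__ == "__main__":
    print("contains '64.4.' admits outside 64.4.0.0/16:",
          overmatches("64.4.", "64.4.0.0/16", PROBES_64_4))
    print("contains '207.68.17' touches these /24s of 207.68.0.0/16:",
          matched_third_octets("207.68.17"))
```

The substring rule for "64.4." also admits 164.4.10.10 and 10.64.4.1, and "207.68.17" covers eleven /24 networks (207.68.17.0/24 plus 207.68.170.0 through 207.68.179.0), which is why Chris needed the two "Not server IP address equals" exclusions in the Hotmail1 filter. Where a product only offers string operators, the practical defence is to prefer "equals" on full addresses or host names and to test each rule against addresses just outside the intended range, as the probe list does here.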
