No Java authentication!!!


Postby Bill.Bowen » Jan 06 04 9:42 am

After our daily reboot, WinGate has stopped authenticating my users via the Java applet! GateKeeper & WGIC authenticate, so the Java appears to be the culprit. Any ideas? I've scoured WinGate's configuration 'til I see double trying to figure out what has changed, but nothing stands out.
Bill.Bowen
 
Posts: 51
Joined: Dec 30 03 3:31 am
Location: Altus AFB, OK

Re: No Java authentication!!!

Postby Pascal » Jan 06 04 9:56 am

Bill.Bowen wrote: After our daily reboot, WinGate has stopped authenticating my users via the Java applet! GateKeeper & WGIC authenticate, so the Java appears to be the culprit. Any ideas? I've scoured WinGate's configuration 'til I see double trying to figure out what has changed, but nothing stands out.


Does a reboot of the client machine help at all?
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby Bill.Bowen » Jan 06 04 10:10 am

Rebooting (server or client) has no effect. I have WWW Proxies on ports 80 & 85. Java client authentication and Transparent Redirection are selected. I've attached a System Config report for your viewing pleasure. Thanks Pascal!


1.01 WINGATE CONFIGURATION REPORT
1.02 Monday, January 05, 2004, 14:57
1.03
1.04 ---------------------------------------------
1.05 WinGate Engine
1.06 ---------------------------------------------
1.07 WinGate 5.2.2 (Build 892)
1.08 Operating System: Windows 2000 (NT 5.0)
1.09 Language: ENU
1.10
3.01 ---------------------------------------------
3.02 License details
3.03 ---------------------------------------------
3.04 Version: WinGate 5 Professional
3.05 Expiry: Does not expire
3.06 Num. users: 253
3.07 Max. users: Unlimited users
3.08 User database: NT
3.09
4.01 ---------------------------------------------
4.02 Dialer information
4.03 ---------------------------------------------
4.04 Dialer is disabled
4.05
5.01 ---------------------------------------------
5.02 Network Interfaces
5.03 ---------------------------------------------
5.04 ##.###.###.### (LAN) [External] [Unsecure]
5.05 192.168.0.1 (LAN) [Internal] [Secure]
5.06 127.0.0.1 (LOOPBACK) [Internal] [Secure]
5.07
6.01 ---------------------------------------------
6.02 Services
6.03 ---------------------------------------------
6.04
6.05 System Policies
6.06 ---------------------------------------------
6.07 Default System Access Rights:
6.08 Administrators - Restricted by security level
6.09 Proxy Users - Restricted by security level, location, ban list
6.10 Backbone - Restricted by security level, location
6.11 Default Start/Stop Rights:
6.12 Administrators - Unrestricted rights
6.13 Default Edit Rights:
6.14 Administrators - Unrestricted rights
6.15
6.16 DHCP Service (DHCP Service)
6.17 ---------------------------------------------
6.18 Session Timeout: 60
6.19 Port: 67
6.20 Startup: Automatic start/stop
6.21 Binding 1: 192.168.0.1
6.22 Access Rights: Defaults: are ignored
6.23 Everyone - Unrestricted rights
6.24 Start/Stop Rights: Defaults: may be used instead
6.25 Edit Rights: Defaults: may be used instead
6.26
6.27 LogFile Server (LogFile Server)
6.28 ---------------------------------------------
6.29 Session Timeout: 60
6.30 Port: 8010
6.31 Startup: Automatic start/stop
6.32 Bindings: ANY interface
6.33 Access Rights: Defaults: must be granted
6.34 Administrators - Restricted by security level
6.35 Start/Stop Rights: Defaults: may be used instead
6.36 Edit Rights: Defaults: may be used instead
6.37
6.38 Winsock Redirector Service (Winsock Redirector Service)
6.39 ---------------------------------------------
6.40 Session Timeout: 20
6.41 Port: 2080
6.42 Startup: Automatic start/stop
6.43 Binding 1: 192.168.0.1
6.44 Binding 2: 127.0.0.1
6.45 Access Rights: Defaults: must be granted
6.46 Everyone - Restricted by security level, ban list
6.47 Start/Stop Rights: Defaults: may be used instead
6.48 Edit Rights: Defaults: may be used instead
6.49
6.50 News Proxy (News Proxy)
6.51 ---------------------------------------------
6.52 Session Timeout: 60
6.53 Port: 119
6.54 Startup: Automatic start/stop
6.55 Binding 1: 192.168.0.1
6.56 Binding 2: 127.0.0.1
6.57 Access Rights: Defaults: must be granted
6.58 Everyone - Restricted by security level
6.59 Start/Stop Rights: Defaults: may be used instead
6.60 Edit Rights: Defaults: may be used instead
6.61
6.62 POP3 Server (POP3 Server)
6.63 ---------------------------------------------
6.64 Session Timeout: 120
6.65 Port: 110
6.66 Startup: Disabled
6.67 Access Rights: Defaults: are ignored
6.68 Start/Stop Rights: Defaults: may be used instead
6.69 Edit Rights: Defaults: may be used instead
6.70
6.71 SMTP Server & Proxy (SMTP Server)
6.72 ---------------------------------------------
6.73 Session Timeout: 300
6.74 Port: 25
6.75 Startup: Disabled
6.76 Bindings: ANY interface
6.77 Access Rights: Defaults: are ignored
6.78 Everyone - Unrestricted rights
6.79 Start/Stop Rights: Defaults: may be used instead
6.80 Edit Rights: Defaults: may be used instead
6.81
6.82 GDP Service (GDP Service)
6.83 ---------------------------------------------
6.84 Session Timeout: 60
6.85 Port: 368
6.86 Startup: Automatic start/stop
6.87 Binding 1: 192.168.0.1
6.88 Binding 2: 127.0.0.1
6.89 Access Rights: Defaults: are ignored
6.90 Everyone - Unrestricted rights
6.91 Start/Stop Rights: Defaults: may be used instead
6.92 Edit Rights: Defaults: may be used instead
6.93
6.94 IMAP Server (IMAP Server)
6.95 ---------------------------------------------
6.96 Session Timeout: 60
6.97 Port: 143
6.98 Startup: Automatic start/stop
6.99 Bindings: ANY interface
6.100 Access Rights: Defaults: are ignored
6.101 Everyone - Unrestricted rights
6.102 Start/Stop Rights: Defaults: may be used instead
6.103 Edit Rights: Defaults: may be used instead
6.104
6.105 SMTP Server (TCP Map) (SMTP Server (TCP Map))
6.106 ---------------------------------------------
6.107 Session Timeout: 60
6.108 Port: 2525
6.109 Startup: Automatic start/stop
6.110 Bindings: ANY interface
6.111 Access Rights: Defaults: are ignored
6.112 Everyone - Unrestricted rights
6.113 Start/Stop Rights: Defaults: may be used instead
6.114 Edit Rights: Defaults: may be used instead
6.115
6.116 SMTP Proxy (SMTP Proxy)
6.117 ---------------------------------------------
6.118 Session Timeout: 60
6.119 Port: 25
6.120 Startup: Automatic start/stop
6.121 Bindings: ANY interface
6.122 Access Rights: Defaults: are ignored
6.123 Everyone - Restricted by ban list
6.124 Start/Stop Rights: Defaults: may be used instead
6.125 Edit Rights: Defaults: may be used instead
6.126
6.127 WWW Proxy (WWW Proxy)
6.128 ---------------------------------------------
6.129 Session Timeout: 60
6.130 Port: 85
6.131 Startup: Automatic start/stop
6.132 Binding 1: 192.168.0.1
6.133 Binding 2: 127.0.0.1
6.134 Access Rights: Defaults: must be granted
6.135 Everyone - Restricted by security level
6.136 Start/Stop Rights: Defaults: may be used instead
6.137 Edit Rights: Defaults: may be used instead
6.138
6.139 WWW Server & Proxy (WWW Server & Proxy)
6.140 ---------------------------------------------
6.141 Session Timeout: 60
6.142 Port: 80
6.143 Startup: Automatic start/stop
6.144 Binding 1: 192.168.0.1
6.145 Binding 2: 127.0.0.1
6.146 Access Rights: Defaults: must be granted
6.147 Everyone - Restricted by security level
6.148 Start/Stop Rights: Defaults: may be used instead
6.149 Edit Rights: Defaults: may be used instead
6.150
6.151 DNS Service (DNS Service)
6.152 ---------------------------------------------
6.153 Session Timeout: 60
6.154 Port: 53
6.155 Startup: Automatic start/stop
6.156 Binding 1: 192.168.0.1
6.157 Access Rights: Defaults: are ignored
6.158 Everyone - Restricted by security level
6.159 Start/Stop Rights: Defaults: may be used instead
6.160 Edit Rights: Defaults: may be used instead
6.161
6.162 Remote Control Service (Remote Control Service)
6.163 ---------------------------------------------
6.164 Session Timeout: 900
6.165 Port: 808
6.166 Startup: Automatic start/stop
6.167 Bindings: ANY interface
6.168 Access Rights: Defaults: must be granted
6.169 Everyone - Restricted by security level
6.170 Start/Stop Rights: Defaults: may be used instead
6.171 Edit Rights: Defaults: may be used instead
6.172
7.01 ---------------------------------------------
7.02 System Route Table
7.03 ---------------------------------------------
7.04 Current Route Table:
7.05 ---------------------------------------------
7.06 Network Mask Gateway Interface Metric
7.07
7.08 Removed for security reasons...
7.09
7.10
7.11
7.12
7.13
7.14
7.15
7.16
7.17
7.18
8.01 ---------------------------------------------
8.02 Enhanced Network Support
8.03 ---------------------------------------------
8.04 Enhanced Network Support: 5.10 Syz - Installed and active
8.05 Driver: Enabled
8.06 NAT: Enabled
8.07 Router: Enabled
8.08 Firewall level: Custom
8.09
8.10 Firewall
8.11 ---------------------------------------------
8.12 Disable network name broadcasts to the Internet: Enabled
8.13 Allow users to ping this machine locally: Enabled
8.14 Allow users to ping this machine from the Internet: Disabled
8.15 Discard spoofed packets: Enabled
8.16
8.17 Routing
8.18 ---------------------------------------------
8.19 Multiple default routes: Enabled
8.20 Relay UDP broadcast packets: Enabled
8.100
8.101 Port Security
8.102 ---------------------------------------------
8.103
8.104 Security for: External TCP
8.105 Action: Allow Port: 20 - 21 - Hole for FTP Server
8.106 Action: Allow Port: 25 - Hole for SMTP Server
8.107 Action: Allow Port: 80 - Hole for Web Server
8.108 Action: Allow Port: 113 - AUTH
8.109 Action: Allow Port: 143 - Hole for IMAP Server
8.110 Action: Allow Port: 808 - Hole for Remote Control Service
8.111 Action: Allow Port: 1024 - 6144 - External
8.112 Action: Allow Port: 8010 - Hole for LogFile Server
8.113
8.114 Security for: External UDP
8.115 Action: Allow Port: 20 - 21 - Hole for FTP Server
8.116 Action: Allow Port: 80 - Hole for Web Server
8.117 Action: Allow Port: 1024 - 6144 - External
8.118
8.119 Security for: Internal TCP
8.120 Action: Allow Port: 25 - Hole for SMTP Server
8.121
8.122 Security for: Internal UDP
8.123
8.124 Security for: NAT TCP
8.125 Action: Allow Port: 25 - Hole for SMTP Server
8.126 Action: Redirect Port: 80 - Transparent Redirect
8.127 Action: Redirect Port: 85 - Transparent Redirect
8.128 Action: Redirect Port: 8010 - Transparent Redirect
8.129
8.130 Security for: NAT UDP
8.500
9.01 ---------------------------------------------
9.02 END OF CONFIGURATION REPORT

Postby Pascal » Jan 06 04 10:20 am

Bill.Bowen wrote: Rebooting (server or client) has no effect. I have WWW Proxies on ports 80 & 85. Java client authentication and Transparent Redirection are selected. I've attached a System Config report for your viewing pleasure. Thanks Pascal!


That all looks relatively fine. Erwin glanced through it as well; he's just going to see if he can duplicate the problem.

It seems mightily strange though, because your machine is rebooted on a daily basis.

Can you describe the point of failure more? Do you see the session in GateKeeper when you attempt to log in and are served the Java applet?

Do you see the Java applet on the client machine?

What happens if you point the IE proxy on the server to the loopback address, close GateKeeper and then attempt to surf - can you then authenticate?

Postby Bill.Bowen » Jan 06 04 10:39 am

Apparently it started this morning but I'm a bit hesitant to believe that since the majority of my users just got back from Xmas vacation today. Most were out of the office for a few weeks.

Yes, I do see the Java client on the client. When I enter a valid username and password, even administrator, I get "log in failed". I can reproduce this on 98, NT, & 2000 clients.

I get a message complaining about "needing a Java browser" when using the loopback address in IE on the server. Haven't installed Java on that server, but its browser definitely wants to use Java to authenticate...

Postby Pascal » Jan 06 04 10:48 am

Bill.Bowen wrote: username and password, even administrator, I get "log in failed". I can reproduce this on 98, NT, & 2000 clients.


Ah yes, IE6 on the server, I forgot. Erwin is looking into this one - will ask some more questions later. However, if you ignore the NAT/TR system and just connect to the proxy directly from the client, does that make a difference?

Postby Bill.Bowen » Jan 06 04 11:04 am

Ok. I have installed Java on the server. Yes, it will authenticate via the applet when using the loopback address. No, clients will not authenticate when connected to the proxy and using Java. Will keep investigating. Anxiously awaiting Erwin's input. Thanks.

Postby erwin » Jan 06 04 12:08 pm

Hi Bill

I have just tried the Java client scenario on a Win2000 server running WinGate 5.2.2. I have a Win98SE and a WinNT4 Workstation client using proxy and Java authentication.

I must say firstly that setting the bindings in the Remote Control service to "allowing incoming connections on any interface" is a bit of a security risk (it includes the external IP interface); however, as long as the loopback and internal IP of the machine are set as the interfaces to be used, this should work, no worries.

Of course I don't want you to see double, Bill :-) but could you recheck these bindings, as there may have been a network configuration change and it has unbound itself from the internal IP.

I also note that you have 2 WWW proxy services on ports 80 and 85.
I am presuming that clients IE is set to use Proxy server on the approriate ports. Unless required, I would suggest trying Restriction policies for each of these WWW services (by setting the default rights system policy option to "Are ignored") This way we can determine if the policy on the WWW is broken rather then it possibly failing due to a System policy which requires authentication for general access.

Sorry I can't be any more help at this stage, Bill, but let us know how you get on.

Regards

Erwin
erwin
Qbik Staff
 
Posts: 408
Joined: Sep 03 03 2:54 pm
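The bindings Erwin asks Bill to recheck can be audited mechanically from the report posted above. The following is an added example, not code from this thread or from Qbik: a Python parser for the plain-text "WINGATE CONFIGURATION REPORT" layout, run over a constructed excerpt of Bill's report, that lists every enabled service bound to ANY interface whose port an "External TCP" Allow rule also opens. The reachability rule it applies (bound on every interface plus a Port Security hole) is my reading of the report format, not a documented WinGate rule.

```python
"""Audit a WinGate 5 configuration report for externally reachable services.

Added example, not code from this thread or from Qbik. It parses the plain-text
"WINGATE CONFIGURATION REPORT" layout posted above and lists every enabled service
bound to ANY interface whose port an "External TCP" Allow rule also opens.
REPORT is a constructed excerpt of the posted report; the reachability rule is
my reading of that report, not a documented WinGate rule.
"""
import re

PREFIX = re.compile(r"^\d+\.\d+\s*")  # strip the "6.32 " report line numbering
RULE = re.compile(r"Action: (\w+) Port: (\d+)(?: - (\d+))? - (.*)")

REPORT = """\
6.38 Winsock Redirector Service (Winsock Redirector Service)
6.39 ---------------------------------------------
6.41 Port: 2080
6.42 Startup: Automatic start/stop
6.43 Binding 1: 192.168.0.1
6.45 Access Rights: Defaults: must be granted
6.46 Everyone - Restricted by security level, ban list
6.105 SMTP Server (TCP Map) (SMTP Server (TCP Map))
6.106 ---------------------------------------------
6.108 Port: 2525
6.109 Startup: Automatic start/stop
6.110 Bindings: ANY interface
6.111 Access Rights: Defaults: are ignored
6.112 Everyone - Unrestricted rights
6.162 Remote Control Service (Remote Control Service)
6.163 ---------------------------------------------
6.165 Port: 808
6.166 Startup: Automatic start/stop
6.167 Bindings: ANY interface
6.168 Access Rights: Defaults: must be granted
6.169 Everyone - Restricted by security level
8.104 Security for: External TCP
8.106 Action: Allow Port: 25 - Hole for SMTP Server
8.110 Action: Allow Port: 808 - Hole for Remote Control Service
8.111 Action: Allow Port: 1024 - 6144 - External
8.124 Security for: NAT TCP
8.126 Action: Redirect Port: 80 - Transparent Redirect
"""


def parse_report(text):
    """Return (services, rules); rules maps a 'Security for:' scope to (action, lo, hi, label)."""
    lines = [PREFIX.sub("", l).strip() for l in text.splitlines()]
    services, rules, cur, scope, in_access = [], {}, None, None, False
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and set(nxt) == {"-"}:  # heading line; service headings read "Name (Name)"
            cur = None
            if line.endswith(")"):
                cur = {"name": line, "port": None, "startup": "", "any": False, "access": []}
                services.append(cur)
            in_access = False
            continue
        if line.startswith("Security for:"):
            scope = line.split(":", 1)[1].strip()
            rules[scope], cur = [], None
            continue
        m = RULE.match(line)
        if m and scope is not None:
            action, lo, hi, label = m.groups()
            rules[scope].append((action, int(lo), int(hi or lo), label))
        elif cur is None:
            continue
        elif line.startswith("Port:"):
            cur["port"] = int(line.split(":", 1)[1])
        elif line.startswith("Startup:"):
            cur["startup"] = line.split(":", 1)[1].strip()
        elif line.startswith("Bindings:") and "ANY" in line.upper():
            cur["any"] = True          # "Bindings: ANY interface" includes the external IP
        elif line.startswith("Access Rights:"):
            in_access = True
        elif line.startswith(("Start/Stop Rights:", "Edit Rights:")):
            in_access = False
        elif in_access and " - " in line:
            cur["access"].append(line)  # e.g. "Everyone - Unrestricted rights"
    return services, rules


def externally_reachable(text):
    """Enabled services bound on every interface whose port an External TCP Allow rule opens."""
    services, rules = parse_report(text)
    allows = [r for r in rules.get("External TCP", []) if r[0] == "Allow"]
    findings = []
    for s in services:
        if not s["any"] or s["port"] is None or s["startup"] == "Disabled":
            continue
        for _, lo, hi, label in allows:
            if lo <= s["port"] <= hi:
                findings.append((s["name"], s["port"], label, "; ".join(s["access"]) or "(defaults)"))
                break
    return findings


if __name__ == "__main__":
    for name, port, rule, access in externally_reachable(REPORT):
        print(f"{port:>5}  {name}  opened by: {rule}  access: {access}")
```

On the excerpt this flags the Remote Control Service (explicit hole on 808) and the SMTP Server (TCP Map) on 2525, which is not named in any hole but falls inside the broad "1024 - 6144 - External" allow range; the Winsock Redirector on 2080 is in the same range but is bound only to the internal address, so it is not reported. Feeding the full report would add the LogFile Server, IMAP Server and SMTP Proxy, which are all bound to ANY interface with matching holes.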

Postby Bill.Bowen » Jan 07 04 10:55 am

I do realize there are some security risks with the exposed Remote Control Service, but external connections are limited to Administrators with strong passwords. We've got to have some method of monitoring the WinGate server while ironing out its persistent problems. Does GateKeeper pass the username & password as clear text? If so, I'll disable it once we're stable.

I have checked and rechecked those #$@% bindings! Please read today's "Wingate Hangs". The engine would not start for a couple of hours today. I've scrutinized those GateKeeper settings countless times. Am now seeing double. :-)

I have two WWW Proxies because originally we were using a proxy on port 85 (Users) and NAT (Servers) for Internet access. Then I got this ambitious idea to implement PureSight & KAV. After discussing the intricacies of transparent redirection with Adrien, we determined a WWW Proxy at port 80 was necessary to ensure all web traffic was driven through the plug-ins. The rest is history. I intend to remove the port 85 proxy once we've completed installing Win2K & WGIC on all clients (100+). Via AD, I have a domain policy that sets all users' IE proxy setting to port 80 of the WinGate box. Seems to work very well when WinGate cooperates.

Postby Pascal » Jan 07 04 11:44 am

> 3.07 Max. users: Unlimited users
> 3.08 User database: NT

Try one thing for me, please. Use the username and password you assigned to the WG user (not the NT user). The Java applet does not support NT authentication.


From the helpfile:

"The Java Client, Telnet and SOCKS5 authentication can not be integrated with NT. This is because they rely on sending passwords in clear text (unencrypted or with minimal encryption). These methods will still work with WinGate, but you must have "Either WinGate or NT passwords (any match)" selected."
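The helpfile sentence Pascal quotes says these methods send the password in clear text. As an added example, not from the thread or from Qbik, here is the SOCKS5 username/password subnegotiation (RFC 1929) that the same sentence names, with both sides of the exchange in Python; the Java applet's own protocol is not shown on this page, so SOCKS5 stands in for it. The user name, password and password store are constructed for the demonstration, and `password_on_wire` simply checks that the password bytes appear verbatim in the captured request.

```python
"""SOCKS5 username/password subnegotiation (RFC 1929), as an illustration of the
clear-text authentication the WinGate helpfile excerpt above describes.

Added example, not WinGate code: the applet's own protocol is not shown on this
page, so the SOCKS5 method named in the same sentence stands in for it. The
credential and the password store below are constructed for the demonstration.
"""
import hmac

VER = 0x01                     # subnegotiation version byte fixed by RFC 1929
SUCCESS, FAILURE = 0x00, 0x01  # STATUS values; anything non-zero closes the connection


def encode_request(username: str, password: str) -> bytes:
    """Client -> server: VER | ULEN | UNAME | PLEN | PASSWD (each field 1..255 bytes)."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("RFC 1929 requires 1..255 bytes for UNAME and PASSWD")
    return bytes([VER, len(u)]) + u + bytes([len(p)]) + p


def decode_request(data: bytes) -> tuple:
    """Server side: parse the request, rejecting truncated or over-long messages."""
    if len(data) < 5 or data[0] != VER:
        raise ValueError("bad version or message too short")
    ulen = data[1]
    if len(data) < 3 + ulen:
        raise ValueError("truncated before PLEN")
    plen = data[2 + ulen]
    if not ulen or not plen or len(data) != 3 + ulen + plen:
        raise ValueError("length fields do not match message size")
    uname = data[2:2 + ulen].decode("utf-8")
    passwd = data[3 + ulen:3 + ulen + plen].decode("utf-8")
    return uname, passwd


def server_reply(ok: bool) -> bytes:
    """Server -> client: VER | STATUS."""
    return bytes([VER, SUCCESS if ok else FAILURE])


def authenticate(request: bytes, store: dict) -> bytes:
    """Compare the received plaintext against the stored (WinGate-side) password.

    The server only has the plaintext the client sent, so it is checked against the
    WinGate password, as the helpfile excerpt says. An account whose stored password
    is empty (cleared, as in Bill's case) is treated as never matching.
    """
    try:
        user, passwd = decode_request(request)
    except ValueError:
        return server_reply(False)
    expected = store.get(user)
    ok = bool(expected) and hmac.compare_digest(expected.encode("utf-8"), passwd.encode("utf-8"))
    return server_reply(ok)


def password_on_wire(request: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the captured request."""
    return password.encode("utf-8") in request


if __name__ == "__main__":
    req = encode_request("bill", "s3cret")          # constructed credential
    print(req.hex(" "), "-> password visible:", password_on_wire(req, "s3cret"))
    print("valid store  :", authenticate(req, {"bill": "s3cret"}).hex())
    print("cleared store:", authenticate(req, {"bill": ""}).hex())
```

Running it shows the request bytes `01 04 62 69 6c 6c 06 73 33 63 72 65 74`, with the password readable in the capture, and a `01 01` failure reply once the stored password is empty, which matches the "log in failed" Bill saw after the WinGate account passwords were cleared.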

Postby Bill.Bowen » Jan 09 04 4:28 am

I was aware that Java didn't authenticate with NT, but you got me pointed in the right direction. For some reason, my WinGate accounts' passwords have all been cleared! And, to think, the System log was complaining about "No Administrator password, binding Remote Control Service to localhost" or some near facsimile after each restart. I should have figured this one out sooner but have been spoiled by WGIC. Also, when running GateKeeper, I was logging on with the normal Administrator credentials (username/password), so I didn't think the password was clear. Forgot GateKeeper was authenticating with the DC. Thanks for that localhost binding security feature. Could have had bigger problems with the external exposure.

Why did the IE Java test run on the WinGate server work? I used the normal Administrator credentials and logged right on.

