Authentication issue with WinGate

Postby jyedid » Dec 12 13 10:34 am

I want to set up Wingate for a test. I want to block all traffic except when the user enters in their user name and password (local Wingate account). I must be doing something wrong. I have made the following changes to the default install.

• Change the default rule to deny access for everyone.
• Create a rule to allow access to www.google.ca and force client to authenticate
• On a second PC, I have manually set the proxy setting within IE10.

When I go to Google, I’m prompted for user name and password, but it uses my AD domain and I can’t seem to change it.

How can I get IE to log on to WinGate? Or how can I force this account to authenticate with WinGate?
jyedid
 
Posts: 2
Joined: Dec 12 13 10:29 am

Re: Authentication issue with WinGate

Postby adrien » Dec 13 13 8:11 pm

Hi

If you're using WinGate accounts on an Active Directory, then the client doesn't know; it will see an auth request advertising the NTLM method, and will try with local domain credentials. These will fail, so the client will see a login dialog.

At that point though, they should be able to enter the WinGate account user/pass.

However, we find it's usually a LOT easier on an Active Directory to just get WinGate to use the AD accounts.

Also, how is your rule set up? If it's set to require auth (Re-authenticate), then you need to be very careful. Normally for auth, you would just make it an allow rule, which only applies for known users (not everybody).

Re-authentication rules are for cases where someone already authed, and you want them to change credentials. This is used mainly when something auths in a domain computer account (e.g. a system service auths).

If a re-auth rule matches, the result is to send another auth challenge back, never to allow. So only use re-authentication rules if you are limiting the rule in respect of the "who" tab - e.g. if you have a reauthenticate rule set to everybody, it will create an auth loop, and no one will get anything except login dialogs.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Authentication issue with WinGate

Postby dkosenko » Dec 31 13 12:33 pm

I have the same issue as the original poster, i.e. I want to require a user to authenticate before accessing any web site. I am not using the commercial version of Wingate 8 at this point, so AD integration is not possible. I want to be able to create a user account in Wingate itself and require the user to enter those credentials. However, although I do get a popup to enter the credentials, nothing I enter seems to work. The prompt appears continuously (with Chrome) until I hit cancel, then I get a message that proxy authentication is required. With IE the prompt appears 3 times then I get the same message. The only options available for the access rule are allow, deny, and force client to (re)authenticate so it seems like that last one is the only option to accomplish what I am after, even though you state that you need to be careful when using this in your response to the OP. Is what I'm trying to do even possible?

Thank you,
Dave
dkosenko
 
Posts: 3
Joined: Dec 31 13 12:19 pm

Re: Authentication issue with WinGate

Postby adrien » Dec 31 13 1:31 pm

Hi

Couple of things. Firstly, if you're getting continual login prompts, that means that either auth is failing (wrong user/pass) or alternatively the rules are set up to always respond with an auth challenge. This would for instance happen if you have a web access control rule that is set to re-authenticate, and doesn't discriminate on who it should ask to re-authenticate (like asks everyone to always reauthenticate).

Is the second of these happening?

Secondly, even with the trial version you can still do AD integration. You get a warning, but it doesn't prevent you accessing the feature - it just warns you that the feature is license-dependent, so you know what may disappear if you get a license that doesn't include that feature.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Authentication issue with WinGate

Postby dkosenko » Dec 31 13 2:12 pm

Yes I have a rule set up to reauthenticate but that was the only option I could find that would result in any authentication as the only other options were allow or deny. I want to require the user to authenticate on every http request they initiate - how else could I do that?

Thanks for the detail re: AD integration, but I don't really need that at this point - the user account in Wingate alone will suffice.

Thank you,
Dave
dkosenko
 
Posts: 3
Joined: Dec 31 13 12:19 pm

Re: Authentication issue with WinGate

Postby adrien » Dec 31 13 10:16 pm

Hi

If a re-authenticate rule matches, it sends an auth challenge back to the client. So you need to make sure the rule only matches on those who you want to re-authenticate (as opposed to authenticate). We didn't have this in WinGate 7, we added it in WinGate 8 to allow rules to force change in user credentials.

If you only want authenticated users to have access, create a rule which is

result: allow
who: authenticated users
where: anywhere
what: anything
when: always

that's all there is to it.

If you want to use a re-authenticate rule, you have to prevent it matching on authenticated users. This means the who should be everyone except authenticated users. Otherwise authenticated users along with everyone else will be asked to RE-authenticate.

Cheers and happy new years

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
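
A toy model of the rule behaviour described in the reply above, added here as an illustration; it is not WinGate's rule engine or code from Qbik. The names `Rule`, `decide` and `browse` and the precedence inside `decide` are assumptions made for the model.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    result: str  # "allow" or "reauth"
    who: str     # "everyone", "authenticated" or "unauthenticated"

def matches(rule, authenticated):
    if rule.who == "everyone":
        return True
    return authenticated if rule.who == "authenticated" else not authenticated

def decide(rules, authenticated):
    """Model assumptions: a matching re-authenticate rule always yields a
    challenge; an unknown client is challenged when access exists only for
    authenticated users; anything else falls through to deny."""
    hits = {r.result for r in rules if matches(r, authenticated)}
    if "reauth" in hits:
        return "challenge"
    if "allow" in hits:
        return "allow"
    if not authenticated and any(
            r.result == "allow" and r.who == "authenticated" for r in rules):
        return "challenge"
    return "deny"

def browse(rules, max_prompts=5):
    """One client that answers every challenge with a valid user/pass.
    Returns (outcome, number of login prompts shown)."""
    authenticated, prompts = False, 0
    while True:
        decision = decide(rules, authenticated)
        if decision != "challenge":
            return decision, prompts
        if prompts == max_prompts:
            return "auth loop", prompts
        prompts += 1
        authenticated = True  # the user entered correct credentials

# Constructed rule sets, named after the cases discussed in the thread.
REAUTH_EVERYONE = [Rule("reauth", "everyone")]
ALLOW_AUTHENTICATED = [Rule("allow", "authenticated")]
REAUTH_SCOPED = [Rule("reauth", "unauthenticated"),
                 Rule("allow", "authenticated")]
```

In this model `REAUTH_EVERYONE` never stops prompting even with correct credentials, while the other two rule sets prompt once and then allow.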

Re: Authentication issue with WinGate

Postby dkosenko » Jan 01 14 3:56 am

Thanks again Adrien.

I see what you are talking about and got that working, but it isn't quite what I am after. What I find, using your suggestion, is that the first time I try to go to a site I get asked to authenticate, but all subsequent access to the site, even if I close the browser and restart, is allowed. It seems that upon authenticating once, you are good for some time. What I need to do is to require every new access to require authentication, so if the user closes their browser, when they start it up again they will have to authenticate before they can access any site.

Sorry for the newbie questions. Proxies aren't my speciality at all, but I'm trying to recreate a scenario that one of my customers has and that is how they have their proxy configured.

Regards,
Dave
dkosenko
 
Posts: 3
Joined: Dec 31 13 12:19 pm

Re: Authentication issue with WinGate

Postby adrien » Jan 02 14 9:30 am

Hi Dave

The browser, when given the option of NTLM or Negotiate methods, will normally (default setting on all major browsers) automatically authenticate using current Windows credentials.

This is normally desirable behaviour.

In some cases however, e.g. when people aren't logging into windows, or are sharing a computer, you may not want this. In this case, you could try disabling NTLM/Negotiate methods in the WWW proxy.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
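
To check which methods a proxy actually advertises before and after changing the setting mentioned above, the 407 response can be inspected. This is an added example, not part of the thread or of WinGate; the function names and the two sample responses (including the realm value) are constructed for illustration.

```python
INTEGRATED = {"ntlm", "negotiate"}  # answered with current Windows credentials
PROMPTED = {"basic", "digest"}      # browser asks the user for user/pass

def offered_schemes(raw_response: str):
    """Return the auth schemes (lower-case, in header order) advertised in
    Proxy-Authenticate headers of a 407 response; [] for any other status.
    Assumes one challenge per header line, the usual proxy layout."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "407":
        return []
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authenticate":
            continue
        scheme = value.strip().split(" ", 1)[0].lower()
        if scheme and scheme not in schemes:
            schemes.append(scheme)
    return schemes

def assess(raw_response: str):
    """Classify how a default-configured browser is expected to react."""
    schemes = set(offered_schemes(raw_response))
    if not schemes:
        return "no proxy auth challenge"
    if schemes & INTEGRATED:
        return "automatic logon with Windows credentials is attempted first"
    if schemes & PROMPTED:
        return "user is prompted for credentials"
    return "unrecognised schemes only"

# Constructed sample responses (not captured from a real proxy).
NTLM_ENABLED_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="example-proxy"\r\n'
    "Content-Length: 0\r\n\r\n"
)
BASIC_ONLY_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    'proxy-authenticate: Basic realm="example-proxy"\r\n'
    "Content-Length: 0\r\n\r\n"
)
```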

