NTLM causes DNS problem


Postby geoffmgreen » Apr 11 07 4:52 pm

Hello.

W2k3 Server domain controller with WinGate (50 user) installed.

Internal NIC bound with these parameters:
10.10.10.4
255.255.255.0
10.10.10.199

DNS: Verizon values

Wingate DNS/ DHCP disabled...Wingate firewall disabled. DNS Resolver config has 10.10.10.4 and Verizon values for Name Server...using OS domain database.

Whenever I set a policy and use "User assumed" or "Must be authenticated- NTLM" it causes problems with clients resolving certain web URLs.

Namely, we have a web app that can't run because its domain name is not resolved and can't be pinged (diagnostic tests showed).

Oddly, every other site works and is restricted / allowed per policy, yet if I try to, say, ping microsoft.com or yahoo.com it fails, but the pages open up from Win XP Pro clients.

Right now I had to set the policy back to "user can be unknown"; the web app works fine and I can ping URLs from clients and get them resolved.

Clients have Gateway and DNS set to that of internal NIC (10.10.10.4).

Using proxy server in IE v7.

Transparent redirection disabled...makes no difference.

Any ideas appreciated.

Thanks.
geoffmgreen
 
Posts: 13
Joined: Sep 02 04 2:02 pm

Postby adrien » Apr 15 07 11:39 pm

Hi

Are you using the WinGate Client?

I can't see how enabling NTLM in the WWW proxy would stop DNS lookups from working, especially since you aren't even using WinGate's DNS server (but the OS one I take it).

Are the clients configured to connect to WinGate as a proxy?

In that case, they won't do DNS lookups at the client - they just send the full URL to the proxy and it does the DNS lookups. So if only every second one works, then that indicates something in WinGate DNS resolver configuration. Can you turn on debug logging for the DNS resolver and see if that sheds any light on it?

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Wingate- NTLM followup

Postby geoffmgreen » Apr 16 07 8:56 am

Hi.

Using the LAN connection proxy setting to point to 10.10.0.4 Port 80 in IE v7. We need to keep it simple to avoid client config of LAN PCs.

Here are the DNS settings and policy settings, etc.

The Server NIC only has 127.0.0.1

The scope of DHCP set so all the clients have only 10.10.0.4 as gateway and DNS server (which is the WINGATE Server and W2k3 domain controller)

The policy: User unknown and Everyone with a ban list only, under System Policies... nothing under any services. No problem connecting at all with this arrangement, but I need to authenticate to make granular policy for Internet. Can ping sites fine, access everything OK.

If I change the authentication to NTLM under WWW Proxy (System policy ignored), I can browse the web from clients but an SQL web app fails to connect.

My feeling is the web app is trying to authenticate on its own (aside from OS credentials), as there is a username/password on the initial screen to log in to an SQL server (although there is an install on each client PC, so it is a client-server relationship via Internet with the data, I imagine, on the server side).

Will try the DNS resolver log.

Thanks.
geoffmgreen
 
Posts: 13
Joined: Sep 02 04 2:02 pm

Postby adrien » Apr 16 07 9:31 am

Hi

The web app may not support NTLM.

You can allow this app to do its work without any authentication if you add another right in the WWW proxy policies for unrestricted access to the site(s) that the web app uses.

e.g., say it needed google.com, you would

1. open gatekeeper, go to the policies on the WWW proxy
2. click add
3. select "everyone", and "user may be unknown".
4. select the advanced tab
5. add a filter, and add a criterion. Select "server name contains google".
6. Hit OK, then OK.

That then allows unauthenticated access to that site.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby geoffmgreen » Apr 16 07 1:39 pm

I found some clients that use static IP addresses that go out through the router to fix that issue (so I am trying those and they seem to fix it for now anyway), while still preserving the proxy LAN setting for regular web access out through the DNS server / domain controller.

Perhaps it is as you say for that SQL web app being unsupported, because if I log in first, then enable NTLM, I can still navigate around the app (not sure if I should be stopping/starting the WinGate engine or not).

What I can't figure out is this: if I point the internal NIC IP address to itself as 127.0.0.1 or 10.10.10.4 (which it should be per MS DNS config rules), WG DNS Resolver has no IP address listed, clients have 10.10.10.4 for Gateway/DNS, DNS Forwarder set to ISP DNS values, and root hints correct, I get a socket error with Proxy enabled to 10.10.0.4 Port 80 on clients (take off the Proxy and I connect to everyday websites; put the ISP value in the server NIC card as primary DNS with the client proxy enabled and it works, with no socket error).

For example:

04/15/07 18:51:48 Request: request [0296ebdc] A lookup "urs.microsoft.com."
04/15/07 18:51:48 Debug: bounce request [0296ebdc]<0> to try 1 (nothing useful in cache)
04/15/07 18:51:48 Error: bounce request [0296ebdc]<1> to try 3 (no specific and cannot select)
04/15/07 18:51:48 Error: bounce request [0296ebdc]<3> to try 4 (no known servers)

04/15/07 18:51:52 Request: request [0286e60c] A lookup "www.nbc.com."
04/15/07 18:51:52 Debug: bounce request [0286e60c]<0> to try 1 (nothing useful in cache)
04/15/07 18:51:52 Error: bounce request [0286e60c]<1> to try 3 (no specific and cannot select)
04/15/07 18:51:52 Error: bounce request [0286e60c]<3> to try 4 (no known servers)

Thanks.
geoffmgreen
 
Posts: 13
Joined: Sep 02 04 2:02 pm
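Added example (not from the thread or from Qbik): a small parser for the WinGate DNS resolver debug lines quoted above, which groups the bounces by request id and reports which lookups died with "no known servers" (the symptom of an empty resolver server list) rather than for some other reason. The line patterns are assumed from the four quoted line shapes only; the sample log is the thread's own lines, re-typed.

```python
import re

# Sample input: the resolver log lines quoted in the post above.
SAMPLE_LOG = """\
04/15/07 18:51:48 Request: request [0296ebdc] A lookup "urs.microsoft.com."
04/15/07 18:51:48 Debug: bounce request [0296ebdc]<0> to try 1 (nothing useful in cache)
04/15/07 18:51:48 Error: bounce request [0296ebdc]<1> to try 3 (no specific and cannot select)
04/15/07 18:51:48 Error: bounce request [0296ebdc]<3> to try 4 (no known servers)
04/15/07 18:51:52 Request: request [0286e60c] A lookup "www.nbc.com."
04/15/07 18:51:52 Debug: bounce request [0286e60c]<0> to try 1 (nothing useful in cache)
04/15/07 18:51:52 Error: bounce request [0286e60c]<1> to try 3 (no specific and cannot select)
04/15/07 18:51:52 Error: bounce request [0286e60c]<3> to try 4 (no known servers)
"""

# Assumed line shapes, derived only from the lines quoted in the thread.
REQUEST_RE = re.compile(
    r'^(\S+ \S+) Request: request \[([0-9a-f]+)\] (\S+) lookup "([^"]+)"')
BOUNCE_RE = re.compile(
    r'^(\S+ \S+) (Debug|Error): bounce request \[([0-9a-f]+)\]<(\d+)> '
    r'to try (\d+) \((.*)\)$')


def parse_resolver_log(text):
    """Group each lookup by request id with the ordered list of bounce reasons."""
    lookups = {}
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            ts, rid, rtype, name = m.groups()
            lookups[rid] = {"time": ts, "type": rtype, "name": name, "reasons": []}
            continue
        m = BOUNCE_RE.match(line)
        if m:
            ts, level, rid, _from, _to, reason = m.groups()
            # A bounce whose request line was not captured is still recorded.
            entry = lookups.setdefault(
                rid, {"time": ts, "type": "?", "name": "?", "reasons": []})
            entry["reasons"].append(reason)
    return lookups


def names_with_no_servers(lookups):
    """Names whose final bounce reason was 'no known servers' (empty server list)."""
    return sorted(e["name"] for e in lookups.values()
                  if e["reasons"] and e["reasons"][-1] == "no known servers")


if __name__ == "__main__":
    print(names_with_no_servers(parse_resolver_log(SAMPLE_LOG)))
```

If every lookup in a capture ends this way, the resolver has no upstream servers at all (the adapter enumeration or the manual list is empty), which points at the resolver configuration rather than at the proxy's NTLM setting.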

Postby adrien » Apr 17 07 11:59 pm

hmm

that looks like WinGate doesn't know of any DNS servers. Normally it enumerates them from the network adapters (and doesn't show those ones) - the ones you see are the ones manually added.

I think it rejects using 127.0.0.1 as well due to a lot of loop problems, but that shouldn't apply in this case since you aren't using the WinGate DNS server.

Anyway, it should accept the IP address of your LAN adapter in the DNS resolver configuration.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
