Multi User / Terminal Server on Wingate 6 Enterprise

Postby leedaniels » Aug 11 04 3:56 am

Hi,

Just upgraded to a 6 user Enterprise Licence and have got a strange issue when adding IP addresses on the Multi-User tab.

Our setup is :

1) Users are auto synchronised with our NT domain
2) Using WWW proxy with NTLM authentication
3) Policy set to must authenticate
4) Wingate running on an NT4 PDC
5) Internet connection is a permanent one with the WinGate bindings set to use the ethernet adapter out to our router.

Prior to adding the Terminal Server IP addresses all works ok. (Obviously the authentication operates incorrectly as it always has done pre-Version 6.) Once I add our 2 Terminal Server IP addresses, WinGate works ok for a couple of minutes (authentication works perfectly), then all clients get an 'Unauthorized access' error (says HTTP 403 Forbidden error at bottom of web page). This happens on all web pages.

To fix it I stop &amp; start the WinGate engine and all is ok for a few more minutes, then the error appears again on all clients.

If I delete Terminal Server IP addresses from Multi-User tab then everything works ok.

Any input appreciated,

Lee Daniels
leedaniels
Posts: 7
Joined: Oct 21 03 2:57 am

Postby adrien » Aug 13 04 12:32 am

Hi

The way that multi-user IP works is that it purposefully breaks the association between an IP address and a user account.

What this means is that every connection requires authentication to be negotiated in order to be able to be attributed to a specific user.

Previous versions of WinGate assumed any traffic from a single IP was the same user, so new sessions inherited the credentials of the IP they were connecting from - so if one session authenticated, then all sessions were deemed authenticated.

Obviously this is no good for terminal services, so we made WinGate not inherit credentials in the case where the IP was marked as multi user.

So, now the way that HTTP is forced to authenticate for each session is by returning a 403 access denied code, with a header tag in it called Proxy-Authenticate, or WWW-Authenticate.

As for the configuration of the web browsers, we find in this scenario, it works best if they are configured to use a proxy (rather than intercepts).

With Transparent Interception, Internet Explorer can be fooled into authenticating with NTLM. Normally it will refuse to auth through a proxy with NTLM. However I don't particularly trust IE to be consistent doing this, since it accumulates a database of known credentials with every site you visit.

So, my recommendations are:

1. If possible, get the browsers to use proxy configuration. WinGate supports automatic configuration for this.

2. If that fails, and you must use transparent proxy, can you use basic authentication instead of NTLM? It should still be able to auth against the NT user database.

3. Actually the easiest and lowest-overhead in terms of protocol overheads is to use the WinGate Client - are you able to install this on the Terminal Server?

Adrien
adrien
Qbik Staff
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
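The per-IP versus per-session attribution described in the reply above, as an added example that is not from the thread or from WinGate's own code: a small Python model of a "must authenticate" proxy with a multi-user IP list. It assumes Basic authentication (recommendation 2), challenges with 407 Proxy Authentication Required plus Proxy-Authenticate (the status RFC 7235 defines for proxy challenges), and uses constructed users and addresses. Running the scenario in both modes shows why a terminal server IP that is not marked multi-user lets a second user's traffic be attributed to whoever authenticated first from that address.

```python
import base64

class ProxyAuthPolicy:
    """Hypothetical model of a 'must authenticate' proxy with a multi-user IP
    list. Not WinGate's code; it only illustrates the behaviour in the reply."""

    def __init__(self, users, multi_user_ips=()):
        self.users = users                   # {username: password}, constructed
        self.multi_user_ips = set(multi_user_ips)
        self.ip_owner = {}                   # src_ip -> user (legacy binding)
        self.session_owner = {}              # session_id -> user

    def _user_from_basic(self, header):
        # Basic scheme only (recommendation 2 in the reply); NTLM is not modelled.
        if not header.startswith("Basic "):
            return None
        try:
            name, _, pw = base64.b64decode(header[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return name if self.users.get(name) == pw else None

    def handle(self, src_ip, session_id, proxy_auth=""):
        """One request; returns (status, user the traffic is attributed to)."""
        user = self._user_from_basic(proxy_auth)
        if user:
            self.session_owner[session_id] = user
            if src_ip not in self.multi_user_ips:
                self.ip_owner[src_ip] = user     # the whole IP now "is" this user
            return 200, user
        if session_id in self.session_owner:     # this session already negotiated
            return 200, self.session_owner[session_id]
        if src_ip not in self.multi_user_ips and src_ip in self.ip_owner:
            return 200, self.ip_owner[src_ip]    # inherited from the IP: the flaw
        # Multi-user IP or unknown IP: force negotiation (407 + Proxy-Authenticate)
        return 407, None

def basic(name, pw):
    return "Basic " + base64.b64encode(f"{name}:{pw}".encode()).decode()

def terminal_server_scenario(mark_multi_user):
    """Two users share terminal server IP 10.0.0.5 (constructed addresses)."""
    ts_ip = "10.0.0.5"
    policy = ProxyAuthPolicy({"alice": "s3cret", "bob": "hunter2"},
                             multi_user_ips=[ts_ip] if mark_multi_user else [])
    first = policy.handle(ts_ip, "sess-alice", basic("alice", "s3cret"))
    second = policy.handle(ts_ip, "sess-bob")   # Bob's new session, no creds yet
    return first, second
```

With the IP left out of the multi-user list, Bob's unauthenticated session is logged as alice; with it listed, his session is challenged and must present its own credentials.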