Yet another Winproxy v. Wingate Q

Postby srr2 » Nov 15 07 2:33 am

Hi all. I'm another potential user facing the demise of Winproxy. It's had a good run in my home and I'm generally a satisfied user. After browsing the Wingate documentation and this forum, I think I have the idea of what's in Wingate and how it works, but would like to post a couple of questions for comments:

1) Banner blocking -- I love the banner blocking in Winproxy. It's not only effective at spiking advertising before wasting bandwidth on it, but it can kill all kinds of other undesirable content too. It's implemented as a filter that matches URLs against a character string, for example "/ads/" that will kill any URL that contains that pattern anywhere. I see no evidence that Wingate has this feature. If not, can I expect that it will be implemented at some time in a future release? Absence of this capability is very nearly a deal-killer for me.

2) Kaspersky A/V -- The Panda engine in Winproxy works very well and is fast and unobtrusive. Can anyone comment on the relative performance of Kaspersky? Also, how often are the A/V definitions updated? How long does it take to accomplish an update, and while it's updating, does it consume a "user" channel. i.e. Assuming a 3-user license of Wingate, does an A/V update occupy one of those "users" making the system only "2-user" capable while the update is running?

3) How well does Wingate work with Usenet? I was never able to get Winproxy 6 to work with newsreaders (timeouts on header retrieval) and consequently stayed with Winproxy 5r1d. Can someone tell me how well Wingate behaves with newsreaders? And especially with Newsplex perhaps?

4) For a home network with a three-user license, and absent any need for elaborate site/user/time/bandwidth/content restrictions, is there another product besides Wingate that's similar to Winproxy that I ought to look at? Frankly, Wingate looks like overkill for my application in many respects.

Thanks for your help.
Steve
srr2
 
Posts: 2
Joined: Nov 15 07 1:58 am

Postby Charles Silvia » Nov 15 07 4:36 am

As another Winproxy/Wingate evaluator my experience with Wingate is so far limited. But, for what it's worth...

1. Re banner blocking: I believe that Puresight has a manual settings feature that will allow the blocking of a URL that "contains" a string fragment. I don't know how this might be done in Wingate proper absent Puresight.

2. Based upon the system messages, Kaspersky updates daily. I have not noticed any issues with updates. My only issue with Kaspersky is covered on a previous post "Download Problems" 11/5.

3. No knowledge.

4. Google Windows "Proxy Server". The Tucows site lists a number of shareware (free trial) proxy servers ranging from free on up. You should look, especially if you are not interested in site filtering, which I found to be the deficit on most of the reasonably priced offerings.
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby Randy Baker » Nov 15 07 10:32 am

I have used WinProxy for probably nearly 10 years now, and I am re-evaluating WinGate due to the demise of WinProxy. If memory serves me correctly, I first looked at WinGate in 2001, and a couple of times since then.

1: Banners. I have not been bothered by them using WinProxy or WinGate. That might just be the nature of the sites I visit though.

2: Kaspersky. It seems that data is dripped through to the client. If I go with WinGate, I will not be going with Kaspersky. The same issue exists with Puresight. Refer to post "WinGate appears to block downloads without notice."

3: Not using Usenet or newsgroups.

4: Sounds like you might just want to enable Windows Internet Connection Sharing.

RB
Randy Baker
 
Posts: 31
Joined: Nov 09 07 5:28 pm

Postby adrien » Nov 15 07 11:40 am

just a note

Dripping data through to the client is an option that you can turn off, in which case the entire file will be downloaded by the proxy and scanned before any is sent through to the client.

This can cause some users to become frustrated and hit the reload button many times. Most browsers themselves don't time out quickly though.

Problem with drip-feeding is it's not guaranteed to be safe to send any amount of a file to a client if it hasn't been scanned (since virus authors could pad out their viruses to get around this). We would love to deprecate drip-feeding, and I've even written and submitted an Internet Draft to the IETF to get around this issue.

Sounds like I may need to look at WinProxy and Panda to see what it does in the case of large files. Does it drip-feed, or pend everything until scanned, or does it redirect you to another status page or something?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
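
An added illustration of the trade-off described in the post above; it is not part of the original post and is not WinGate code. It is a simplified model in which the proxy can only scan the complete file; the 10% drip share, the 512-byte chunks and the marker string are assumptions made for the example.

```python
MARKER = b"CONSTRUCTED-TEST-MARKER"  # harmless stand-in for content a scanner flags


def scan(data: bytes) -> bool:
    """Toy whole-file scanner: True if the constructed marker is present."""
    return MARKER in data


def chunked(data: bytes, size: int = 512):
    """Split a download into the chunks the proxy receives from the server."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def relay(chunks, drip_share: float):
    """Relay a download through a proxy that scans only the complete file.

    drip_share is the share of the bytes received so far that the proxy
    forwards before the scan has run (0.0 = hold the whole file back).
    Returns (verdict, bytes the client holds when the verdict arrives).
    """
    received = bytearray()
    forwarded = 0
    for chunk in chunks:
        received += chunk
        forwarded = max(forwarded, int(len(received) * drip_share))
    if scan(bytes(received)):
        # Connection is dropped, but the dripped bytes are already delivered.
        return "blocked", bytes(received[:forwarded])
    return "clean", bytes(received)  # scan passed, remainder is flushed


def marker_reached_client(data: bytes, drip_share: float):
    """Return (verdict, True if flagged content got out before the verdict)."""
    verdict, client_bytes = relay(chunked(data), drip_share)
    return verdict, MARKER in client_bytes


# Constructed inputs: the same flagged content, once bare and once padded.
SMALL = b"header" + MARKER
PADDED = SMALL + b"\x00" * 4096

if __name__ == "__main__":
    for name, data in (("small", SMALL), ("padded", PADDED)):
        for share in (0.1, 0.0):
            print(name, share, marker_reached_client(data, share))
```

In this model both files are blocked in every case, but with drip-feeding on, the padded file's flagged bytes are already at the client when the verdict arrives; holding the whole file back is the only setting where nothing unscanned gets out.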

Postby adrien » Nov 15 07 11:41 am

Also, re blocking sites, you can block URLs containing things in WinGate policies for the WWW proxy, so you don't need PureSight for that.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby srr2 » Nov 17 07 7:53 pm

Thanks to all for the replies. I got a chuckle out of the suggestion to use ICS -- if that were a realistic option, I'd have stuck a $50 router in there a long time ago. If you want a reason why ICS isn't worth the room it takes up, have a look at a recent article at Cnet describing how malware authors have invaded hundreds of legitimate sites through cross-site sourced ads. Killing ads might be the most effective thing you can do to protect your network.

Adrien -- could you please give me an example of how you'd implement your equivalent of "banner blocking", perhaps using the string I gave above? I'd like to see exactly where/how to do it. There are probably others who'd like to see it too. One property of Winproxy's banner blocking is that the "banner" size is detected and replaced with a transparent gif of the same size, so that page composition isn't affected. I suspect that your technique doesn't do that. I hope you can see the usefulness of this capability and will consider it for incorporation.

Better yet, why doesn't Wingate buy the Winproxy product from Blue Coat and incorporate its user base and best features into your product? I'd jump at the chance to send you money for that, as would probably 90+% of current Winproxy users.

Thanks again.
Steve
srr2
 
Posts: 2
Joined: Nov 15 07 1:58 am

Postby Randy Baker » Nov 18 07 2:37 am

Steve:

My statement about ICS was more rhetorical than anything. However, from your original post, item 4, you stated you did not need a significant amount of functionality that WinGate offers. Your $50.00 router solution is no better than ICS at addressing your banner issue, especially when you consider that you can at least install an A/V solution on the system that has ICS installed. One benefit of the router that will either comfort you or scare you, is that firmware updates are less frequent on routers, when compared to security patches released by Microsoft.

You suggested that WinGate should buy WinProxy to get its customer base. Blue Coat wants to move its customers away from their WinProxy solution to their Proxy line of hardware devices. This is a good move for many SMB's and large corporations. The complete responsibility of the software co-operating with the OS becomes Blue Coat's issue, not some tech or consultant's issue to make WinProxy work with the latest breaking Microsoft patches. If Blue Coat did their homework, I truly doubt they will lose 50% of their install base to a competitor's product. I suspect Blue Coat is abandoning a small portion of their low end client base that is not very profitable when the cost of maintaining a separate product and providing customer support is factored in.

As for your concern about WinGate needing to improve its Banner blocking capability, I wholeheartedly agree with you. Maybe this is better addressed in the new version?
Randy Baker
 
Posts: 31
Joined: Nov 09 07 5:28 pm

Postby labull » Nov 18 07 11:43 am

Steve;

Describe the "best features" of WinProxy for us. Those of us who are long time users of WinGate and aren't familiar with the WinProxy would be interested in what we may be missing.

Thanks!
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby Randy Baker » Nov 23 07 6:52 am

I am not saying WinProxy was the perfect solution, as there were some frustrating limitations to that product. Here are some things that I am finding frustrating with WinGate:

- Lack of configuration options, or at least obvious configuration. Refer to my post "Missing configuration options for DHCP?"

- I like how WinGate presents specific configuration options for firewall rules. However, they are referred to as services and seem to be limited to port mapping. Refer to my frustrations with my post "Configuring WinGate for Cisco VPN Client".

- One feature that I cannot find that is also a problem for Steve, is that WinGate does not support Banner Blocking. I think Steve articulated well enough what functionality found in WinProxy would be of great benefit to WinGate users. I am getting frustrated with the number of banner pages I have to put up with under WinGate. However, I think PureSight may be the proper application to manage the banner issue.

- There are at least two posts from WinProxy users who are evaluating WinGate regarding downloads. Refer to Charles Silvia's "Download Problems" post, and my post "WinGate appears to block downloads without notice."

I have reinstalled Windows XP Pro from scratch to ensure no legacy hangovers from WinProxy were interfering with WinGate. But I still cannot download my Ubuntu ISO files from any site as long as PureSight and/or Kaspersky is installed. This problem is the most serious in my opinion, and it would likely be the deciding factor should I not go with WinGate.

Now before anyone accuses me of bashing WinGate, that is not my intention. WinGate is looking like a viable replacement for WinProxy in many applications. But I am not an O/S bigot either, and I plan to be evaluating Dan's Guardian on a Linux server in the near future.

One thing that seems promising in the next release of WinGate is related to my post on "URL rewrites". The feature I am looking for is not available in WinProxy, but it is a feature I use on F5 load balancers. You have to understand that WinProxy is a $100 product where F5 products are $30,000 and up solutions. I am not sure to what extent we will be able to perform URL rewrites in the next release, but I can assure you I am looking forward to this functionality.

Another thing that was a very pleasant surprise on my home network evaluation, is that my son discovered his Nintendo Wii works 100% on the Internet without having knowingly made any allowances on WinGate for the Wii. Under WinProxy, I could not get the Wii to work reliably on the Internet, and this was an issue that was never fully resolved through their tech support. For example, my son was never able to download Wii updates through WinProxy. I gathered session information with WireShark on both sides of the firewall, and we never did figure out why updates would consistently fail. The workaround was to shut down my WinProxy server, and connect my wireless broadband router to the Internet every time my son wanted to update the Wii.

I hope this helps.
Randy
Randy Baker
 
Posts: 31
Joined: Nov 09 07 5:28 pm

Postby adrien » Nov 23 07 9:23 am

Hi

Hopefully the first few issues have been resolved now in those other posts. What I see as remaining are

* Banner blocking
* Download issues
* URL re-writes.

Banner blocking is something that should be possible in WinGate policy, by banning the common ad-serving sites. It's not as good as replacing gifs with a blank one of the same size though.

Download issues. This looks to be some sort of bug in PureSight if it is still causing WinGate to spool non html downloads. We're still looking into this. The way all these plugins function is being totally changed for WinGate 7 though so this problem should disappear.

URL-rewrites. The policy framework in WinGate 7 has support for scripting in it, you can rewrite pretty much anything, and access ODBC databases as well, so you can store rewrites in a database and use a query and WinGate script to replace parameters in a session. The range of parameters you can mess with is pretty large. And you can also index on any of these parameters. So, you can use pretty much any session variable or combination thereof (i.e. username, time of day, URL requested, browser type etc etc) to select what to modify (such as gateway to use, proxy connection method, URL to go to etc).
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby Randy Baker » Nov 23 07 1:29 pm

I have cleared up most of the issues in the previous posts, and I found a few other things.

In regards to some benefits of WinProxy vs. WinGate, the plugins could use some work.

Kaspersky. The opening screen states it was last updated "Thursday, October 6, 2005". I suspect this refers to the AV engine, but 2 years since it was last updated??? You also have to enable "Scan for possible virus signatures or dangerous code." WinProxy allowed for forced updates, so if you wanted to ensure the A/V file was current, you could click a button to update it if it wasn't current. Kaspersky could at least identify on the Info page when the next scheduled update is.

PureSight. Automatic updates are not enabled by default, and there is no mechanism available to force an update without messing with the "Check every" x minutes values. An update now button would be really nice.

One clarification would be good though. I reported an issue to WinGate support that if PureSight blocks a page, refreshing the page will eventually allow you to access the blocked content. They acknowledged this is a bug and that it will be fixed for the next update. When the bugfix is released, will PureSight automatically download the fix as part of the Automatic Updates I have now enabled? Or will I have to download it separately and apply it?
Randy Baker
 
Posts: 31
Joined: Nov 09 07 5:28 pm

Postby adrien » Nov 23 07 1:49 pm

Hi

Automatic updates for PureSight refers to list classification updates from PureSight's servers, rather than program updates. The next version of PureSight has been written to a different plugin API for WinGate 7, so you'll need to download and install it.

There is an update now button on the plugins dialog (click the plugins button on the main GateKeeper screen, and choose the plugin, and hit update). You can also schedule updates for Kaspersky using the scheduler.

Unfortunately the update API for PureSight is pretty inflexible, if we want to change the way it works, they force us to write our own updater and host the updates ourselves.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby labull » Nov 23 07 3:02 pm

Randy Baker wrote: Now before anyone accuses me of bashing WinGate

Be assured that no one here will do that.

On the contrary you'll find the folks at Qbik are quite open to suggestions. They have always counted on the user community for feedback about new features and improvements - that's why I asked for input about WinProxy.

You'll also find the Qbik folks patient, friendly and they're generally a handsome lot too. They do, however, speak English with a strange accent.
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby Randy Baker » Nov 23 07 3:15 pm

I am impressed with the quality of the WinGate forums.

As for the Qbik folks, I can usually understand the written Aussie and Kiwi variations of the English language as well. I was in Washington DC about a month ago, didn't have any problems there either. ;-)
Randy Baker
 
Posts: 31
Joined: Nov 09 07 5:28 pm

Postby George in Seattle » Nov 30 07 2:51 pm

Interesting topic as I have also jumped from Winproxy last summer (sooner rather than later) when I first read the announcement. What I found in my shopping was there were firewalls, and then to a lesser extent proxies, but few products that did both well. Wingate was the first one I stumbled upon that did both fairly well. Since my ADD was kicking in and I was tired of looking, I bought a license.

I'm already starting to forget things about Winproxy but here is my 2 cents on the pros and cons...

Winproxy was easier with regard to setting up ports and redirecting traffic to various machines than Wingate, but that ease came with limitations. Wingate is rather cryptic in this setup process. And in certain places in WG you cannot specify a port range where you would expect to.

WG has a better NAT.. it has more visibility than WP. And clients where you cannot specify a proxy connect more reliably. It was sort of hit or miss with WP, that is, most things eventually connected, but not all the time.

WG's DHCP works great (for my wireless) even though I had no idea how to configure it much less the terminology being used therein... I think I got lucky. I just set the IP range and it worked. The documentation could be better describing some of the DHCP settings.

In WG for the life of me I have never gotten incoming proxies to be viewable from within my network. I have to call external people up to make sure things are working. I think I am the only one having this problem however, because there is nothing in the forum on this.

WP has better filtering of various types, such as with RBLs and the like. Turn on too much and it slows down however.


* Banner blocking


I found that a dozen or so key URLs put in the ban list block 90% of third party ads and trackers. I haven't updated my original list in 6 months and it's still working at a sufficient level.

That's all I can think of at the moment..
George in Seattle
George in Seattle
 
Posts: 22
Joined: Jul 01 07 9:32 pm

Postby labull » Nov 30 07 10:18 pm

George,

Could you post your list for banner blocking?

Thanks!
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

Postby George in Seattle » Dec 01 07 4:06 am

labull wrote: George,

Could you post your list for banner blocking?

Thanks!


Server name contains:
about.com
adjuggler
advertising
atdmt
break.com
casalemedia
coolmyspacecomments
coremetrics
doubleclick
dw-eu
edgesuite
fastclick
frappr
googlesyndication
hitbox
imageshack
insightexpressai
llnwd
pointroll.com
postroller
precisionclick
primeq.com
realmedia
revsci
siteparker
slide.com
tacoda
theplanet.com
tribalfusion
twitter.com
userplane
eajmp.com
yieldmanager

Edit: Some of these are only "borderline" annoying and you may need to remove one or two of them from the list if a favorite site fails to open. But I've been running this list for a half year without having to do that.
George in Seattle
George in Seattle
 
Posts: 22
Joined: Jul 01 07 9:32 pm
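
An added example, not part of the original post and not WinGate's own matching code: it applies four entries from the list above as plain "contains" tests and shows which requests they ban by accident, which is the over-blocking the post's edit note warns about. The stricter `aligned_match` rule, the function names and the sample URLs are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Four of the "Server name contains" entries from the list above, plus the
# "/ads/" URL pattern from the first post in the thread.
HOST_PATTERNS = ["about.com", "advertising", "doubleclick", "slide.com"]
URL_PATTERNS = ["/ads/"]


def _host(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _url_rule(url):
    path = urlsplit(url).path.lower()
    return next((p for p in URL_PATTERNS if p in path), None)


def contains_match(url):
    """Plain substring test on the server name, then on the URL path."""
    host = _host(url)
    hit = next((p for p in HOST_PATTERNS if p in host), None)
    return hit or _url_rule(url)


def aligned_match(url):
    """Stricter test (assumption, not a WinGate feature): a dotted pattern must
    be the host or a parent domain of it; a bare word must be a whole label."""
    host = _host(url)
    labels = host.split(".")
    for p in HOST_PATTERNS:
        if "." in p:
            if host == p or host.endswith("." + p):
                return p
        elif p in labels:
            return p
    return _url_rule(url)


def overblocked(urls):
    """URLs banned by substring matching that the stricter test would allow."""
    return [(u, contains_match(u)) for u in urls
            if contains_match(u) and not aligned_match(u)]


# Constructed sample requests; hosts under .example are placeholders.
SAMPLE = [
    "http://ads.doubleclick.example/adj/728x90",
    "http://www.slide.com/widget.swf",
    "http://www.example.com/ads/banner.gif",
    "http://www.talkabout.computing.example/forum",
    "http://landslide.community.example/map",
    "http://advertising-standards.example.org/report.pdf",
    "http://www.example.org/news/today.html",
]

if __name__ == "__main__":
    for url, pattern in overblocked(SAMPLE):
        print(f"banned only by substring {pattern!r}: {url}")
```

Running a day of proxy log URLs through `overblocked` before adding a short pattern to the ban list shows which legitimate hosts it would catch.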

Postby labull » Dec 01 07 4:31 am

Thanks!
WinGate Lurker
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

