Restrict by IP AND Time?

Postby wyldcyde » Oct 29 03 7:21 am

Hello,
We run a network here with WinGate internet sharing.
There is a particular computer that I don't want to have access to WinGate/internet during the night.
So I basically need to figure out how to automatically stop anyone logging onto the specific machine between certain hours (12am - 6am).
All our users have unique logon names.
If this is not currently a feature of WinGate - is there a plan to make it one OR does anyone know a way I can do it without WinGate?
Thank you

WyldCyde
wyldcyde
 
Posts: 29
Joined: Oct 29 03 6:54 am

Postby MattP » Oct 29 03 2:42 pm

Hi,

You can create a user and then set the time restrictions policy for that user. Then assume that the ip address of the machine you want to ban is the new user and this should take care of your problem.

To do this:
1. Create a new user in WinGate.
2. Under WWW proxy go to the Policies tab.
3. Click Add, select "specify user or group" and choose your new user, click OK.
4. Double click your user to bring up the properties and go to the Time tab.
5. Select "specify time when this recipient has rights", input the times that the user will be able to access and the times when the user will not be able to access, click OK.
6. Ensure that "default policy rights" is set to "are ignored" and click OK.
7. Go to the Assumed Users tab and select "by IP address".
8. Enter the IP address of the machine you wish to block and choose the new user as the assumed user, click OK.

This should work for you, if you still have troubles let us know.

Matt
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

Postby wyldcyde » Oct 30 03 12:02 am

Thanks,
But how will that work in the following setup:
Each user has their own account which they use to logon to different machines on the network.
We use the accounting functionality to charge users by the hour.
Surely if I create an assumed user linked to the specific IP address then WinGate will always register that specific user when other users logon to that machine.
E.g. I create a user called BOB and set up policies so that 192.168.10.20 is assumed to be BOB.
MARY comes along and logs on to 192.168.10.20.
What will happen? Will MARY be assumed as BOB?

I will experiment and see what happens.

Thanks

Eli
wyldcyde
 
Posts: 29
Joined: Oct 29 03 6:54 am

Postby MattP » Oct 30 03 1:05 pm

OK, try using the WGIC, as this will send the NT user name to the WinGate machine. You will need to use the NT database to make this work.

Also, if you want to be more secure, you can apply this policy to the WRP proxy instead of the WWW proxy and this will block all access, not just WWW.
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

Postby ChrisH » Oct 31 03 1:59 pm

Hello,

I had a similar type of issue that I solved by using a technique I call "Policy Twinning" that applies only when you have Authenticated users. What I do is create another identical policy for each user or group that I want to restrict. Then on this new policy add or vary the restriction to the area you want to control.
In your case, I would modify each existing user or group policy so that the Location tab, under the service you want to restrict (e.g. WWW proxy), specifies that the user has rights from the following included locations (127.0.0.1 and 192.168.10.* e.g. everywhere) but is excluded from 192.168.10.20 (which is the IP of the restricted machine).
Then create a new policy with exactly the same ban lists, advanced policies, authentication level, etc. except that the Time tab would have the following Excluded time 12:00 AM to 6:00 AM and the Location tab would not have the Excluded address of 192.168.10.20.

WinGate will logically "OR" these two policies. So that if User A wants to use 192.168.10.20 after midnight, the first policy doesn't allow it because the IP is restricted, plus the second policy doesn't allow it because of time, so therefore access is denied. Similarly, after 6:00 AM the first policy would deny right because of IP restriction but second policy allows it, therefore access is granted. At any other machine after midnight the first policy would be valid (unless of course there is some other time restriction there) and second wouldn't apply, but access would be granted. During the day at any other machines both policies would be valid and access granted (this is why you have to have the exact same restrictions for each policy, e.g. ban list, or problems will occur).

If you have a great number of individual users or groups this method could be cumbersome, one could copy registry keys to save reentering extensive lists, but it seems to work.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada
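
The policy-twinning logic from the post above, modelled as an added example (not part of the original post and not WinGate code). The `Policy` class, its field names, the half-open time window and the `banned.example` host are assumptions made for illustration; the model also shows why the twin must carry the same ban list.

```python
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatch

@dataclass(frozen=True)
class Policy:
    """Simplified model of one policy entry (hypothetical, not WinGate's data model)."""
    include_ips: tuple                     # Location tab: included addresses, '*' wildcard
    exclude_ips: tuple = ()                # Location tab: excluded addresses
    exclude_window: tuple = ()             # Time tab: (start, end), assumed half-open
    banned_hosts: frozenset = frozenset()  # stands in for the ban list

    def allows(self, ip, now, host):
        if not any(fnmatch(ip, pat) for pat in self.include_ips):
            return False
        if any(fnmatch(ip, pat) for pat in self.exclude_ips):
            return False
        if self.exclude_window:
            start, end = self.exclude_window
            if start <= now < end:
                return False
        return host not in self.banned_hosts

def granted(policies, ip, now, host):
    """Access is granted if ANY policy allows it (the OR described in the post)."""
    return any(p.allows(ip, now, host) for p in policies)

# Constructed sample values following the addresses and times in the thread.
EVERYWHERE = ("127.0.0.1", "192.168.10.*")
RESTRICTED = "192.168.10.20"
BAN = frozenset({"banned.example"})
NIGHT = (time(0, 0), time(6, 0))

first = Policy(EVERYWHERE, exclude_ips=(RESTRICTED,), banned_hosts=BAN)
twin = Policy(EVERYWHERE, exclude_window=NIGHT, banned_hosts=BAN)
sloppy_twin = Policy(EVERYWHERE, exclude_window=NIGHT)  # ban list not copied

def decision_table(policies):
    """Restricted PC at night/day, then another PC at night/day."""
    cases = [(RESTRICTED, time(1, 0)), (RESTRICTED, time(9, 0)),
             ("192.168.10.31", time(1, 0)), ("192.168.10.31", time(9, 0))]
    return [granted(policies, ip, now, "ok.example") for ip, now in cases]

if __name__ == "__main__":
    print(decision_table([first, twin]))  # the four cases walked through in the post
    print(granted([first, sloppy_twin], "192.168.10.31", time(9, 0), "banned.example"))
```

With the mismatched twin, the banned host becomes reachable through the second policy, which is the problem the post warns about when the two policies do not carry identical restrictions.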

Postby wyldcyde » Nov 01 03 10:46 pm

Hi Chris.
THANK YOU!!
I really appreciate the time taken to answer.
I was sure there must be a way... I just didn't want to experiment too much because we have quite a few users here who get v.frustrated when things aren't working right.
Even if it doesn't work, it was excellent advice.
I'll let you know how it goes... I'll start off by setting it up with a free PC I have here in the office.

WyldCyde
wyldcyde
 
Posts: 29
Joined: Oct 29 03 6:54 am

Postby wyldcyde » Nov 01 03 11:11 pm

I've implemented it, works great thanks!

WyldCyde
wyldcyde
 
Posts: 29
Joined: Oct 29 03 6:54 am

