Does WinGate work with Small Business Server 2003?


Postby stevehiner » May 13 05 9:38 am

I have a client that has authorized me to buy WinGate for them. I want to make sure it's going to meet their needs. From the documentation I've seen on the web site I'm not certain it's going to meet all their needs. I was hoping someone from Qbik can tell me if it sounds like WinGate will meet their needs.

Basically they need to log users' internet access for reasons that should be obvious. Right now their broadband connection is connected to a firewall/router and splits from there to various machines and switches. They have a few users that VNC into the network.

I need to be able to redirect all web access through the server so we'll get a log of all sites visited. Is it going to be a problem that the server only has one ethernet connection? Some of the documentation I saw seems to indicate that the server should have separate internal and external connections.

I'm glad to see that you support remote installations. My client is interested in starting to log web activity without the employees' knowledge. I assume it doesn't change anything obvious on their systems, right? I could visit every workstation but I'd really rather not have to do that.

I assume once this is installed I can set up the router to block internet access from all the internal IPs except the server, right? All their traffic will be routed through the server so it's the only system that ever connects. Is that correct? That shouldn't affect VPN because it's an incoming connect.

I assume WinGate can be set up so it doesn't interfere with POP email retrieval, right?
Steve
stevehiner
 
Posts: 6
Joined: May 13 05 7:52 am

Postby jamesc » May 13 05 4:02 pm

Hi Steve,

Windows 2003 Server has been tested by our QA team. You will need to be aware that SBS also comes with ISA Server, which may mean you will need to either disable it or add extra settings for it to coexist with WinGate (e.g. double port mappings to allow traffic coming in from the internet to reach certain services, like VNC or VPN). We recommend disabling it.

With regards to 2 network cards, you will only require that if NAT is implemented (but personally I would recommend this option, to have the router on a different subnet to the clients).

The logging of internet access is done with any access to the internet from the client. They are logged to .log files. Currently there is no reporting system bundled into WinGate but it is planned for a future version (but you do have a history / activity window to see what is happening in real time). There are third party utilities that can do this for you such as Proxy Inspector for WinGate, Saw Mill, and Internet Access Monitor to name a few.

It does not change anything with their system rights, the way I understand that statement anyway... Thinking deeper about that statement, there are three ways (which can be combined) the clients can connect.
1. NAT, which requires only changes to the default gateway and DNS of their network settings (and, if required, configuration of the WinGate server to, i.e., redirect web requests through the cache).
2. Using the WGIC (WinGate Internet Client), which is a client app that runs on each PC. Similar to NAT, because you are not required to make any special proxy settings for individual apps. It sits on the client PC and catches any request that is not on the local network (i.e. redirected to the internet). The WGIC is great because a) it can be centrally managed from the WinGate server (depending on your license) and b) you can specify which applications can be used by the client. (Note you can achieve similar things with NAT through services and policies.)
3. Proxies, e.g. opening the Internet application's options (e.g. Internet Explorer) and specifying the proxy addresses and port numbers.

With regards to POP retrieval etc., you can set up the individual accounts in WinGate and have it proxy the requests, or use your own method, e.g. disable WinGate's email functions. (I presume you know it's a full-featured email server as well.)

A couple of other things.

1. You can have a virus scanner plugin sitting on the WinGate server which scans specified services for viruses before they enter the network.
2. You can use the PureSight plugin to make sure no "objectionable material" comes into the site, apart from a few people maybe...
3. A full-featured VPN function to allow your users access from home, no special hardware required.

Regards
Last edited by jamesc on May 13 05 4:21 pm, edited 1 time in total.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby MattP » May 13 05 4:13 pm

Hi Steve,

Just something that I'd add to James' comments, if you don't want the clients to know that you're monitoring them you'll probably want to set them up for a NAT connection. This means having two NICs in the WinGate server so that the clients can have their default gateways pointed at the WinGate server.

Making a NAT connection means that you can turn on Transparent Proxy in the WWW proxy service, allowing you to intercept all traffic on port 80, (or other ports) and redirect it through the proxy service. This gives you the ability to restrict access via WWW proxy policies, and to have all WWW traffic logged in the WWW proxy service log.

Regards,

Matt
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

Postby stevehiner » May 14 05 4:05 am

jamesc wrote: You will need to be aware that SBS also comes with ISA Server, which may mean you will need to either disable it or add extra settings for it to coexist with WinGate (e.g. double port mappings to allow traffic coming in from the internet to reach certain services, like VNC or VPN). We recommend disabling it.


The Standard Edition doesn't come with ISA. If they had ISA I would likely be using it to accomplish this.

jamesc wrote: With regards to 2 network cards, you will only require that if NAT is implemented (but personally I would recommend this option, to have the router on a different subnet to the clients).


Ah ha! For some reason I hadn't thought of changing its subnet. That would certainly restrict everyone's access. Now that I think about it though I might not be able to do that. Right now the router port-forwards the ports used by VNC but it only supports forwarding to IPs within its own subnet. It would only work if I set up WinGate to handle the port forwarding. I'd rather not do it that way though because it means the server would have to be running for anyone to get VNC access. What if the server wouldn't accept its own VNC connection and I needed to VNC into a user's machine to reboot the server?

Thank you both for taking the time to respond.
Steve
stevehiner
 
Posts: 6
Joined: May 13 05 7:52 am

Postby jamesc » May 16 05 1:56 pm

Right you are Steve, Premium Edition for ISA.

stevehiner wrote: What if the server wouldn't accept its own VNC connection and I needed to VNC into a user's machine to reboot the server?


I understand you may require more to your solution for the statement above, but I wanted to add this scenario: instead of having ports forwarding to each VNC client via the router, you could just have a WinGateVPN Gateway into your network, and use VNC as if you were on the internal network; no port-mapping required.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby stevehiner » May 16 05 7:37 pm

Hmmm. Does WinGateVPN come with licenses for the client side software too? I assume it does. They only have a couple users that need VNC access, I could easily have them install VPN software and use it that way.

Great idea. Thanks.
Steve
stevehiner
 
Posts: 6
Joined: May 13 05 7:52 am

Postby jamesc » May 17 05 12:00 pm

Yes the client side requires a license, either as an individual user or as a gateway... More information on licensing is available from here. I will try and give a quick briefing for you based off two different scenarios.

1. Two users in different remote locations requiring VNC access to work via VPN.

Work License: Gateway license for 3 user LAN
*This allows three computers from the "site" to participate in the VPN at any one time

The two individual licenses: 2 x Single User licenses
*This allows users to connect into the VPN (and hence use VNC)
** Software required on clients as well

2. Two networks VPN'd together

Site 1: Gateway license for 3 user LAN
Site 2: Gateway license for 3 user LAN
*All computers can see others in remote locations, but only three VPN participants can be used concurrently.
**Software only required on WinGateVPN servers

Clients on LANs either need their default gateway pointing to the WinGateVPN server, "or" run our Rip2 Client available from here
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

