WinGate Forums

[JeremyK]

I've taken over a site and the have an old proxy server running wingate version 6.03. I've been trying to remove the proxy server and the machine is very old but before I do this I want the users to access the internet without the use of the proxy. There is a group policy on the windows 2003 server which pushes the clients to using the proxy server. My problem is when I removed the clients from the group policy or when I untick the proxy settings under the internet options the internet no longer works. However I have discovered that logging in via the administrator account you get access to the internet without the proxy. I've tested this also by removing several pcs from the present domain and putting them in a workgroup and again the internet works no problem without the proxy settings. We run a CISCO ASA 5505 Firewall/router and I have checked and rechecked all the settings and they are fine. I've tested users who are not under any group policies and still no luck accessing the internet until the proxy settings are enabled? I have also found a few pc's that work without the proxy settings however they are all on the same group policies. I have run gpresult, and found that the only policy they are using is the default domain policy and I have checked through this can their is nothing configured. As I dont have much knowlege about Wingate would there be a configuration local to the machine that is causing this?

[adrien]

most likely a default gateway setting in the TCP/IP properties of their network adapter.

If it doesn't point to a router that will give them net access, they would have been relying on the proxy (which they could access since it's on the same LAN) to access the net.

This is commonly done so you can force people to use a proxy for policy control / auditing etc.

[JeremyK]

I've checked this out and they all point to the gateway - ipconfig /all. The problem occurs on all pcs apart from a few and I still cant seem to track why.

[adrien]

so do all machines that use proxy work, and all that don't not work?

If so, is NAT functioning?

Do you see any activity in GateKeeper associated with the machines that aren't working?

[JeremyK]

All machines work with the proxy. So far I have tested a laptop and two spare pc's that work without the proxy.
Yes we have NAT. We run a cisco 5505 ASA firewall. I have had cisco check out the firewall and they have told me the our subnet is all open to the internet so there are no rules forcing through the proxy. My thoughts are that if the laptop and the two other PC's are able to access the internet without going through the proxy then it cant be a ruling on the firewall.
The gateway is fine for traffic when going through the proxy but my problem is I want to get everyone off the proxy while I upgrade but I cant do this because as soon as I take the proxy settings out of IE there is no access to the internet. Sorry I hope I am not confusing the issue.

[adrien]

Hi

OK, if the clients are using WinGate as a default gateway, yet they don't get net access unless they are configured to use a proxy, that implies that NAT is not operational in WinGate. This can be due to several reasons:

1. NAT isn't enabled in the Extended Networking settings in GateKeeper
2. The adapter settings in GateKeeper (adapter usage) is wrong for NAT - 6.0.3 required the clients to be connecting through an adapter marked internal, and that the connection to the internet be on an adapter marked external. 6.0.3 didn't handle NAT with single network cards. Later versions of WinGate don't have this restriction.

If you're looking to remove WinGate however, then fixing NAT in WinGate isn't going to help, you'll instead need to set the default gateways on the client machines to point to your Cisco.

I presume this is what you're trying to do - remove WinGate? Or just no longer use proxying for connectivity?

if you still want to use WinGate, but not as a proxy (e.g. not require setting client config to use a proxy) then depending on your network config you may need to install a later version of WinGate. Your license will continue to work in the latest version still.

how many network adapters does the WinGate machine have? I'm guessing just one?

[JeremyK]

Thanks. I just want to remove the proxing. All clients are pointed at the gateway - check ipconfig /all

The Wingate machine has only one network adapter!

I just cant understand why on these few machines I can remove the proxy settings and they find the internet without a worry. But with everyone elses there is no connection to the internet unless via the proxy. Everyone assumes its a GPO but I have checked and re-checked and this is not the case. The only policy applied is the default domain policy and the local group policy and both have no settings for the proxy. And if this was the case then the other pc's would not be able to access the internet as they aslo apply these policies and are able to access the internet without the proxy. What I want to do is take the proxy server offline as it is really old and upgrade at some stage when we have the finances. We have had the machine go down a few days ago and its just very unreliable.

[adrien]

OK

Sorry, I misunderstood when you said all clients had their default gateway pointing to the gateway - that's the cisco?

So they won't be going anywhere near WinGate at all.

In which case, have you checked DNS on the clients? If they were using a proxy before, they didn't need DNS. If they are going to NAT through the Cisco, they will need DNS.

What error do you get in the browser when you configure it not to use a proxy?

Regards

Adrien

[JeremyK]

Yes all pointing towards the cisco firewall. All clients point at the DNS server. So again not the problem
If I turn the proxy off (this occurs on my pc as well) the IE explorer just sits there and the bar below slowly moves across until it gets the standard message "Internet Explorer can not display page" and it usually take about 5 minutes to get to this point. Then I turn the proxy settings back on and bang its straight there.

[adrien]

are the clients set to use auto proxy discovery?

otherwise if in doubt, a packet capture will show you what's going on

[JeremyK]

Thanks. No not using a auto proxy discovery. I've tired TCPview and when setting are on the clients go to the proxy like expected but when turned off they attempt to go to the web directly but nothing happens it just sits there and the connection times out. Its so frustrating!

[adrien]

so they send a SYN packet to the cisco and get nothing back?

then the problem is in the cisco.

[adrien]

p.s.

Just to narrow it down further...

1. I don't know much about TCPView, does it show you ARP packets, and ICMP? I'd be tempted to use WireShark (it's free).
2. On the client machine, do you get an entry in the arp cache for the cisco? try pinging the cisco then type arp -a from the command line.

Adrien

[JeremyK]

Sorry been sick for a few days.

This is what I get back from an arp -a


Interface: 192.168.0.104 --- 0x2
Internet Address Physical Address Type
192.168.0.4 00-1b-78-d0-f9-b6 dynamic
192.168.0.5 00-10-b5-08-64-43 dynamic
192.168.0.254 00-1a-e2-cc-30-98 dynamic

192.168.0.4 is our file server
192.168.0.5 is the proxy (wingate)
192.168.0.254 is our gateway (CISCO firewall)

I was testing last week (Friday) and found that about half the pc's worked without the proxy on. The other half didnt?

[JeremyK]

On the pcs that work without the proxy the arp - a only has IP's from
192.168.0.4
192.168.0.254

not from the proxy!

[adrien]

I think you'll need to do more captures.

If the clients are resolving the MAC address of the cisco ok (with ARP), then sending TCP packets to the cisco, but not getting packets back, then you need to look in the cisco to see what the problem is. It should log dropped packet count somewhere?

Adrien

[JeremyK]

Yes maybe. I suppose what I dont understand is why is it blocking certain PC's but not others. Like I said about half can access the internet without the proxy and the other half require it otherwise connection drops.

[adrien]

Hard for me to tell from here without knowing how your cisco is configured etc.

Adrien

[JeremyK]

Do you know much about the CISCO ASA 5505?

[adrien]

nothing at all sorry.

do you have a file with the rules it's using?

Do you have anyone that normally helps you out with the cisco?

Regards

Adrien