Wingate and NIS


Post by simonstringer » Sep 16 05 12:11 am

Hi,

We are running Wingate 6.03 (Build 1005) on a Windows 2000 Server SP3
box, which is set up to authenticate any clients that connect through
it against our Active Directory (i.e. we are not using the wgic).

All of our clients PCs are either running Windows 2000 SP3/4 or
Windows XP.

We are purely using Wingate as a web proxy. Each machine that we want
to put through Wingate has its Proxy server set in IE6 options to
point to the Wingate server.

This process works really well for all my machines, and has been up
and running successfully since this build of Wingate was released last
year.


However, my company's laptops (about 15 machines) are being moved over
to having Nortons Internet Security (NIS) for their firewall and
anti-virus product, and this is where my problems seem to start!

As soon as NIS is installed, web surfing stops working.

They are using NIS 2005 (although I have tested this with a copy of
NIS 2004 on a fresh machine and had the same problem). I have so far
tried this on four different machines, each with the same problem.

I have tried disabling successively more and more parts of NIS to no
avail. Only totally disabling NIS (by right-clicking its icon in the
system tray) will allow surfing to happen, and even then it prompts
for a username and password before it will work, which wouldn't
normally happen.

In Gatekeeper, it shows the connection, but doesn't have a user name
by it (and often doesn't even list the web site in question, which it
would normally), so I assume authentication against our domain
controller isn't happening while NIS is active.

NIS shows traffic going to the Wingate server in its logs and doesn't
report any problems there.

I've searched on the Symantec KB for this, and also on this forum, but
I can't find anyone who is having this problem so I'm guessing I'm
missing something really basic?

Has anyone got any ideas for me to try?

Do I need to supply any more information?

Best regards,

Simon
simonstringer
 
Posts: 4
Joined: Sep 16 05 12:07 am

Post by jamesc » Sep 16 05 11:16 pm

I have set up a similar scenario during the day and have not had time to test yet. Will look into this tomorrow.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Post by simonstringer » Sep 16 05 11:25 pm

OK, thank you. I look forward to your reply.

Simon
simonstringer
 
Posts: 4
Joined: Sep 16 05 12:07 am

Post by jamesc » Sep 17 05 6:25 pm

I notice with Authentication required, it will block. With Authentication Assumed (by IP in my case) it lets it through. I have been through some of the advanced settings in NIS 2005 but have not found a solution yet.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Post by simonstringer » Sep 20 05 9:13 pm

OK, thank you for that. When you have a solution I would be grateful to hear how.

Simon
simonstringer
 
Posts: 4
Joined: Sep 16 05 12:07 am

Post by adrien » Sep 21 05 2:46 am

Hi

My guess is some tags are getting stripped out by NIS in the HTTP request or response.

WinGate will display the HTTP:// (i.e. empty) if it is expecting an authentication command response from a client and doesn't get one.

When using NTLM (which you will be for your AD integration), the client connects, WinGate sends a denial response, requesting auth, and keeps the connection open. This is because NTLM authenticates connections, so the connection needs to be kept open for the challenge and responses to go back and forth for the auth.

If any of this is disrupted, the auth will not work.

If you have access to a packet sniffer, you should be able to see if NIS is removing headers. The Proxy responds with a Proxy-Authenticate tag, and the client is supposed to send a Proxy-Authorization tag back.

It is possible that it may be a security setting in NIS. According to some people, NTLM is not very secure, so if NIS has a setting to block sending insecure passwords or some such, that may be doing it (clutching at straws here, not having seen NIS).

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
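
The header check described in the post above can be run over message heads copied out of a sniffer trace. The following is an added example, not part of the original thread and not WinGate code; it assumes the heads come from one TCP connection in order, and the function names and sample captures are constructed for illustration.

```python
import base64
import struct

def ntlm_type(token):
    """Return the NTLM message type (1, 2 or 3) of a base64 token, or None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    ok = len(raw) >= 12 and raw[:8] == b"NTLMSSP\x00"
    return struct.unpack("<I", raw[8:12])[0] if ok else None

def auth_step(direction, head):
    """Classify one head: 'offer' (bare NTLM), an NTLM type number, or None."""
    wanted = "proxy-authorization" if direction == "C" else "proxy-authenticate"
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        parts = value.split()
        if name.strip().lower() == wanted and parts and parts[0].upper() == "NTLM":
            return "offer" if len(parts) == 1 else ntlm_type(parts[1])
    return None

def diagnose(messages):
    """messages: ordered (direction, head) pairs from ONE TCP connection."""
    seen = [(d, s) for d, h in messages if (s := auth_step(d, h)) is not None]
    expected = [(("S", "offer"), "proxy 407 offering NTLM"),
                (("C", 1), "client Type 1 (negotiate)"),
                (("S", 2), "proxy Type 2 (challenge)"),
                (("C", 3), "client Type 3 (authenticate)")]
    for i, (want, label) in enumerate(expected):
        if i >= len(seen) or seen[i] != want:
            return "handshake stops before: " + label
    return "handshake complete"

def _tok(n):
    """Constructed minimal NTLM token of type n (signature + type only)."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", n) + bytes(8)).decode()

REQ = "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
DENY = "HTTP/1.1 407 Proxy Authentication Required\r\n"
# Constructed capture of a working exchange.
GOOD = [("C", REQ), ("S", DENY + "Proxy-Authenticate: NTLM\r\n"),
        ("C", REQ + "Proxy-Authorization: NTLM " + _tok(1) + "\r\n"),
        ("S", DENY + "Proxy-Authenticate: NTLM " + _tok(2) + "\r\n"),
        ("C", REQ + "Proxy-Authorization: NTLM " + _tok(3) + "\r\n"),
        ("S", "HTTP/1.1 200 OK\r\n")]
# Constructed capture where the client's Proxy-Authorization never arrives.
STRIPPED = [("C", REQ), ("S", DENY + "Proxy-Authenticate: NTLM\r\n"), ("C", REQ)]
print(diagnose(GOOD), diagnose(STRIPPED), sep="\n")
```

Comparing a trace taken on the client with one taken on the proxy side shows which header, if any, is lost in between.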

Post by simonstringer » Sep 21 05 2:53 am

So have you had any success in running the two together?
Or am I right in assuming that this is a deeper problem than I first thought?

And once again thank you for the sharp responses.

Simon
simonstringer
 
Posts: 4
Joined: Sep 16 05 12:07 am



