WinGate Forums

[adrien]

- Citate: “…if you have a domain name, you will need to run a third party DNS Server”.
Isn’t it possible and enough to ask provider to register required addresses on his DNS server for our web and mail servers? Why is own DNS server use mandatory (if we have own web and other servers)?

You're correct. You don't need to run it yourself if your provider will set up the records you need.

DNS is essential for providing name lookup ability for the PCs on your network. While it is recommended that you use the DNS in WinGate, there are other options. Various methods are detailed below, with their pros and cons.
1. Wingate DNS server
...
2. Mapped Link method
This method is detailed in Adding a Mapped Link. The UDP Mapped link on port 53 allows all DNS requests to be mapped to an external DNS server. It is usually that of your ISP.
...
3. Third party DNS server
...

Why should we use mapped link? We can use NAT + restriction by white list with provider's DNS server in it for clients "direct" DNS requests!?

You can use a UDP mapping or just NAT if you like. It just affects what DNS servers you specify for your clients to use.

- What size to set for a cache size limit? (~ 20 users).
I am afraid setting too large size will result in too much data to become out-of-date. If you only have an option to delete files older than x days, this would be quite useful. I know I can purge or clean (?) cache by scheduler, but this not the same...

There are quite a few criteria you can use in your cache purge rules.

- What is the max size for logs and audit files?

There's no maximum.

- Routing -> Relay UDP broadcast packets.
Does Relay broadcast packets function relay only packets for the ports, listed and choosen in Advanced broadcast port settings?!

yes.

- Firewall -> Discard spoofed packets

If this option is enabled, WinGate will check to ensure that the source IP address in the packet header is really the computer that made the request. If it is not, the packet will be discarded

How does it work? How Wingate can check that the source IP is really the computer that made the request?

Hmmm, that's bad writing in the help file. It simply checks to see if the interface the packet is received on "seems" to be correct for the source address. e.g. if you receive a packet with a private source IP on an external interface, it will be dropped. We normally turn this option off actually.

Can this anyhow conflict with ARP Responder function activated on Wingate WAN interface? I think not, but want to check.

No it won't affect it.

- What if we open some Internet 2 LAN or 2 DMZ ports and does not check Notify on access box, does this prevent any logging of "outsiders" connections to LAN|DMZ?
I mean, when LAN users access any WIngate service we can log it either as service sessions, or user activity audit, which is good. What about logging facilities of the connections from Internet (to Wingate or through Wingate to DMZ or LAN)?

They are still logged, in the WinGate NAT log files.

Cheers

Adrien

[adrien]

One "big" question:
We have 5 connection types\directions in Wingate Firewall window and in fact the following actual settings (as I understand):
Deny: Internet 2 LAN|DMZ,
Allow: LAN|DMZ 2 Internet, LAN|DMZ 2 Wingate, LAN 2 DMZ.

What about DMZ 2 LAN traffic?

Good question. There probably should be a table for this. Basically for it to work, the DMZ machines would need a route to the internal network (but their default route would probably cover that already).

In the meantime, if the DMZ machines need to connect through to your LAN directly, you would need to map ports, and you could then only have one dest IP per port mapping.

This is actual question for me. Because of the following task, we will
1. Install a web server in DMZ zone to which clients from outside have to connect requesting data the web server has to obtain from the DB server inside my LAN.

OK, you can do this with a mapping, since it's a connection to your DB server only on a certain port (rather than ability to connect to any LAN machine on that port).

2. Install an e-mail server in DMZ to serve clients inside and outside my LAN.

that should be no problem, since the LAN users can access the server, and so can the DMZ. Will it forward mail to an internal mail server? If so, mapped port again...

As I understand the most convenient and quite secure variant is to place those servers into DMZ zone. This way outside clients will make direct requests to the servers but the latters will be secured by Wingate firewall.
There are also other variants, like placing servers inside LAN and make port forwarding, etc.
Which one to prefer? (for now, as you understand, I am inclined to the DMZ variant)

I don't really have a preference. The reason for the DMZ is to allow restricted access to a server from the outside, and also protect your LAN in case that server is compromised.

In case we choose DMZ creation, I need to clarify the following:
- is it possible to open\close ports to each server inside DMZ individually (e.g. open only 80 and 443 for webserver, 25 for e-mail server, etc.)? /As I understand I can do it by adding port range for Internet to DMZ direction and redirect traffic to the corresponding server.

You could do it that way. Or use a firewall on those DMZ machines as well. Even NT port filtering would do that (prevent say port 80 on non HTTP server machines).

You can also use ENS policy.

- is it possible to allow incoming traffic from DMZ to LAN only (I can’t see neither Connections from DMZ to LAN nor from LAN to DMZ in the Port security window! As I understand LAN connections to the Internet is LAN 2 Internet and LAN 2 DMZ. But I cann't see anything which could be used for DMZ 2 LAN setup)?

correct - see my first answer

- how will servers inside DMZ serve LAN clients? Is any mechanism forseen for it?

The clients normally will connect to the server, this uses the LAN to Internet table.

- is it possible to open only necessary ports from the web server (on DMZone) to DB server (on LAN) only?

you mean source ports from the web server connecting to a dest port on the DB server? You can't control source port (except with ENS policy). An ENS redirect will allow your DMZ machines to access your DB.

[Alen]

Alen wrote:
In some proxies properties (Server requests tab) we have the Server requests option and its default value is “Reject requests”. Is this about internal requests – requests made by LAN users or it’s about requests from the Internet?

adrien wrote:
This is requests that are not in the form required for a proxy server. E.g. if a web client treats WinGate as a web server rather than a proxy. This is used for instance in the WWW proxy to handle reverse proxying. Default is to reject the request.

Alen wrote:
This is not what I was asking about, but anyway I read Wingate firewall has all incoming ports closed by default and I conclude "Server requests" option concerns to LAN users only.

adrien wrote:
No. You're talking about the Server requests tab (that was in your post). This is not interface-specific. It's to do with the form / nature of the request itself. There are proxy requests, and other requests (ones that don't fit the requirements of a proxy request).

I know it.
I was asking about another thing. It seems to me I can answer the question myself now: "It depends what bindings you have for the Proxy. The option just provide Server requests processing and possible users are decided by the service binding".
It's clear now.

[Alen]

- What size to set for a cache size limit? (~ 20 users).
I am afraid setting too large size will result in too much data to become out-of-date. If you only have an option to delete files older than x days, this would be quite useful. I know I can purge or clean (?) cache by scheduler, but this not the same...

- There are quite a few criteria you can use in your cache purge rules.

No, you did not understand my question.
Look, all these are purge rules, wich means, cache size has to become out of the limit and only then a part of old, big, etc. cached files will be deleted. => Until cache size limit is not reached, nothing will be purged! And I am worrying, setting too large size limit will result in too much data to become out-of-date.
Is the question clear now?


- What is the max size for logs and audit files?
- There's no maximum.
Ok, clear. Another question, what does the task "Roll over Log files" in scheduler? Clean gathered data and start again?
I prefer to copy and archive logs once per month (it's according to my data backup policy). And if the task creates 30 files each month (which is inconvenient), then I'll change it to roll back logs Monthly on the first day at 00:01.

[adrien]

- What size to set for a cache size limit? (~ 20 users).
I am afraid setting too large size will result in too much data to become out-of-date. If you only have an option to delete files older than x days, this would be quite useful. I know I can purge or clean (?) cache by scheduler, but this not the same...

- There are quite a few criteria you can use in your cache purge rules.

No, you did not understand my question.
Look, all these are purge rules, wich means, cache size has to become out of the limit and only then a part of old, big, etc. cached files will be deleted. => Until cache size limit is not reached, nothing will be purged! And I am worrying, setting too large size limit will result in too much data to become out-of-date.
Is the question clear now?

OK, you can also schedule a purge, which doesn't require the cache to be full. By default I think we set a scheduled task each day to purge the cache, which will use whichever rules you specify.

- What is the max size for logs and audit files?
- There's no maximum.
Ok, clear. Another question, what does the task "Roll over Log files" in scheduler? Clean gathered data and start again?
I prefer to copy and archive logs once per month (it's according to my data backup policy). And if the task creates 30 files each month (which is inconvenient), then I'll change it to roll back logs Monthly on the first day at 00:01.

All it does is rename the files to a name that includes the date, and creates new ones. So the old ones can then be moved, deleted, archived etc since WinGate doesn't have them open.

[Alen]

OK, you can also schedule a purge, which doesn't require the cache to be full.

So in this case purging will mean cleaning (all cache will be deleted)?
And if it is just cache deletion, do the filters work for the scheduled tasks?

By default I think we set a scheduled task each day to purge the cache, which will use whichever rules you specify.

I can't see any tasks in the schedular for cache purging.


P.S. Going back to my questions about mapped links description, pros and cons, etc. I have finished reading my conspect and found that there is a very nice, full and detailed explanation of mapped links in the help (and I already read it when was reading the help first time, but totally forgot everything ;-(. My fault. => Conclusion: read TFM twice at least! ;-)).

I don't want to post here the most interesting moments, just wanted to mention this fact. (Mapped links was the only question in this topic I did not understand even after your explanations and already submit I will not, until read about it in the help again). I want to mention that mapped links could be very useful in some situations and it is very flexible, as you can set rules, and for some users you will have mapping to one server:port, for anothers - another! Very good instrument.

But after reading, I want to check my "feelings": as I understand, mapped links are like ("single server" individual) Proxy (clent connection to Wingate + Wingate connection to the end point), but from the other side, Wingate doesn't know anything about transfered data formats, there is no special proxy requests, etc. => Wingate just repackages transfered packets and changes (for outgoing packets) source ip to its own (and port, if requiered), and destionation ip (and port, if requiered). This is not usual proxy connection.
Am I right?

[adrien]

OK, you can also schedule a purge, which doesn't require the cache to be full.

So in this case purging will mean cleaning (all cache will be deleted)?
And if it is just cache deletion, do the filters work for the scheduled tasks?

By default I think we set a scheduled task each day to purge the cache, which will use whichever rules you specify.

I can't see any tasks in the schedular for cache purging.

Purging always applies the rules. Never just empties. So whether the purge is initiated by the cache becoming full, or you press the purge button, or you schedule a purge (there is an action option for purge cache, but it looks like we don't set one up by default - but it's easy to do so - either just add a new action to the WinGate internal maintenance event, or create a new schedule event and add the action).

P.S. Going back to my questions about mapped links description, pros and cons, etc. I have finished reading my conspect and found that there is a very nice, full and detailed explanation of mapped links in the help (and I already read it when was reading the help first time, but totally forgot everything ;-(. My fault. => Conclusion: read TFM twice at least! ;-)).

I don't want to post here the most interesting moments, just wanted to mention this fact. (Mapped links was the only question in this topic I did not understand even after your explanations and already submit I will not, until read about it in the help again). I want to mention that mapped links could be very useful in some situations and it is very flexible, as you can set rules, and for some users you will have mapping to one server:port, for anothers - another! Very good instrument.

But after reading, I want to check my "feelings": as I understand, mapped links are like ("single server" individual) Proxy (clent connection to Wingate + Wingate connection to the end point), but from the other side, Wingate doesn't know anything about transfered data formats, there is no special proxy requests, etc. => Wingate just repackages transfered packets and changes (for outgoing packets) source ip to its own (and port, if requiered), and destionation ip (and port, if requiered). This is not usual proxy connection.
Am I right?

WinGate actually accepts the connection on the port of the mapping proxy, and makes a new connection to the specified server. It then relays data on these connections, so it's not re-writing addresses, it's actually 2 socket connections that it relays the data between.

Some of the most useful things of mapped links are when you don't specify any mapping or default mapping and you get it to intercept a connection. Then it connects to the original destination and port that it intercepted, but gives you control over policy, gateway to use etc.

It does also do some basic protocol analysis. It can recognise SMTP, HTTP, FTP, NNTP, POP3, and IMAP. So if you say set up a TCP mapping on any port, and get it to intercept port 143, you get to see that the client is making an IMAP connection etc. Because of when the protocol is snooped, it's too late for policy though, so it's only for informational / display purposes.

Adrien

[Alen]

WinGate actually accepts the connection on the port of the mapping proxy, and makes a new connection to the specified server. It then relays data on these connections, so it's not re-writing addresses, it's actually 2 socket connections that it relays the data between.
Some of the most useful things of mapped links are when you don't specify any mapping or default mapping and you get it to intercept a connection. Then it connects to the original destination and port that it intercepted, but gives you control over policy, gateway to use etc.
It does also do some basic protocol analysis. It can recognise SMTP, HTTP, FTP, NNTP, POP3, and IMAP. So if you say set up a TCP mapping on any port, and get it to intercept port 143, you get to see that the client is making an IMAP connection etc. Because of when the protocol is snooped, it's too late for policy though, so it's only for informational / display purposes.

Adrien

Thank you for the info, it was usefull and interesting. It should be added to the help.

[Alen]

Hi, Adrien.

I am going to post the last part of my questions on the help, meanwhile I'll ask a couple of "practical" questions:

1. What is the good of PureSight (v. 3) if I can open porno.com?!

2. Why I don't see PureSight in plugins tab of any service? (As I understand, it's ok, it's how it was intended to work, but why there is no any single word about it in the help?)

3. Does KAV for Wingate check also "usual PC activity"? If not, then can we install Symantec Antivirus 10 on Wingate machine? (usually it's bad idea to install two AV or firewalls on one PC...)

4. Netwrok Patrol is not working on my PC (XP Pro SP3). Particularly, after Network Patrol installation my PC does not start in normal mode. It starts in safe mode only, but after disabling the respective service PC is starting in normal mode too. Is it a well known problem?
Previously on the same PC I had Wingate and many other soft for test purposes (Wireshark, Bandwidth Controller, etc.), part of which were uninstalled (including Wingate). May the problem be in here?

5. Just installed NetPatrol on another PC. A new question: how to understand the program is successfully activated?

[adrien]

Hi, Adrien.

I am going to post the last part of my questions on the help, meanwhile I'll ask a couple of "practical" questions:

1. What is the good of PureSight (v. 3) if I can open porno.com?!

2. Why I don't see PureSight in plugins tab of any service? (As I understand, it's ok, it's how it was intended to work, but why there is no any single word about it in the help?)

Possibly related issues. If you don't see PureSight on the plugins tab of the WWW proxy, then it's not hooked into it, and won't be doing any filtering. Hit the refresh button and if it doesn't show up still, there's another problem.

3. Does KAV for Wingate check also "usual PC activity"? If not, then can we install Symantec Antivirus 10 on Wingate machine? (usually it's bad idea to install two AV or firewalls on one PC...)

It's really designed for filtering traffic on certain proxies through WinGate only. So it's not unusual to have another AV product installed to scan the WinGate machine itself, but we recommend some things be turned off such as:

* filtering port 25, 110, 80 (e.g ports already handled and filtered by WinGate)
* Scanning of changed files in the WinGate folder or temp folder.

For instance if each time a log file is written to, some AV scans it, then the system will slow to a crawl.

4. Netwrok Patrol is not working on my PC (XP Pro SP3). Particularly, after Network Patrol installation my PC does not start in normal mode. It starts in safe mode only, but after disabling the respective service PC is starting in normal mode too. Is it a well known problem?
Previously on the same PC I had Wingate and many other soft for test purposes (Wireshark, Bandwidth Controller, etc.), part of which were uninstalled (including Wingate). May the problem be in here?

There have been known issues relating to running NetPatrol and WinGate on the same computer. At various points in time it has worked or not. I'm not clear what the current status is unfortunately - I'll need to check with the NetPatrol devs.

5. Just installed NetPatrol on another PC. A new question: how to understand the program is successfully activated?

I'll have to look into that as well - I haven't looked in NetPatrol for a long time!

[Alen]

Possibly related issues. If you don't see PureSight on the plugins tab of the WWW proxy, then it's not hooked into it, and won't be doing any filtering. Hit the refresh button and if it doesn't show up still, there's another problem.

But I see it is activated, besides I can open it in the Options - Plug-ins menu (I see there "Enabled for all users" checkbox is checked)! What should I do? Reinstall it (with uninstallation or not, deactivation or not)?

it's not unusual to have another AV product installed to scan the WinGate machine itself, but we recommend some things be turned off such as:
* filtering port 25, 110, 80 (e.g ports already handled and filtered by WinGate)
* Scanning of changed files in the WinGate folder or temp folder.

Ok, thank you for the info (and again: you must include it in the help file as recommendations or just notes).

5. Just installed NetPatrol on another PC. A new question: how to understand the program is successfully activated?
I'll have to look into that as well - I haven't looked in NetPatrol for a long time!

Please, do it, because I can't understand if it is activated, and only 2-3 days left till its activation window ends.

[Alen]

Adrien, please answer my last questions about PureSight and NetPatrol.

[logan]

Hi Alen,

But I see it is activated, besides I can open it in the Options - Plug-ins menu (I see there "Enabled for all users" checkbox is checked)! What should I do? Reinstall it (with uninstallation or not, deactivation or not)?

Is the plugin hooked up with the Proxy Service that your clients are connecting through? Check in: GateKeeper -> WWW Proxy server -> Plugins. PureSight should be listed here and enabled. If it is not, click the 'Refresh' button. Does it appear?

As for NetPatrol, I'm pretty sure you can find the license info under help -> about, but will have to double check that for you.

[logan]

Correction, it's under Help -> Licensing in the NP Console.
Note: You must be connected to the NP Engine to access the licensing info.

[Alen]

Is the plugin hooked up with the Proxy Service that your clients are connecting through? Check in: GateKeeper -> WWW Proxy server -> Plugins. PureSight should be listed here and enabled. If it is not, click the 'Refresh' button. Does it appear?

No Logan, there is only KAV in there, no PureSight, refresh doesn't help. Besides I have restarted the server many times. But (again), I can see it is activated (in Gatekeeper -> Help -> License management), besides I can open it in the Options - Plug-ins menu (I see there "Enabled for all users" checkbox is checked)!

What should I do? Reinstall it (with uninstallation or not, deactivation or not)?

Correction, it's under Help -> Licensing in the NP Console.
Note: You must be connected to the NP Engine to access the licensing info.

Ok, I'll check it.

[Alen]

Logan!
I checked it: there is no activation details on the Help -> Licensing window (which I can see now after connecting to the local host, as you said) and I can't activate the program! The time is over!

What to do now?
Please help me.
If only you or Adrien answer my question in 4 days...

P.S. During the program installation I provided activation details! This is for 100%...

[logan]

No Logan, there is only KAV in there, no PureSight, refresh doesn't help.

Thanks. That means that PureSight is not hooked into the WWW Proxy, so will not be receiving any of the WWW traffic for filtering. This is why PureSight is not working. Try reinstalling the plugin (uninstall/reinstall, or install over the top). If the problem still exists after reinstalling, create a new WWW Proxy server and check if the PureSight plugin successfully hooks to the new proxy service.

there is no activation details on the Help -> Licensing window

The option appears only after connecting to the NetPatrol engine. Licensing is handled on the engine side.

(which I can see now after connecting to the local host, as you said) and I can't activate the program!

So does that mean that you are in fact seeing the help -> licensing settings. What happens when you try to activate your license then?

The time is over!

This will not prevent you from connecting to the engine and activating a purchased license.

[Alen]

That means that PureSight is not hooked into the WWW Proxy, so will not be receiving any of the WWW traffic for filtering. This is why PureSight is not working. Try reinstalling the plugin (uninstall/reinstall, or install over the top). If the problem still exists after reinstalling, create a new WWW Proxy server and check if the PureSight plugin successfully hooks to the new proxy service.

Ok, I'll try to reinstall it on the top of previous installation. Just in case, I remind you I am trying version 3 of the program.

Addition: Done.
After I mentioned my license is for version 2., I decided to install it instead of v.3 after the latter's uninstallation. It is working now and it is presented in the web-proxy plug-ins tab. (I remind you, version 3 was correctly activated but was not "picked up", as you say, by Wingate proxy.)
Funny thing is even now when it's working it is not blocking www.porno.com site, as it counts it contains only 58% of "sexual content", but by default the threshold is 60%. I am begining to doubt it was rational to buy this plug-in.
(Of course I decreased the threshold. Till 40%).

So does that mean that you are in fact seeing the help -> licensing settings. What happens when you try to activate your license then?

Yes, after your explanation I made connection to the local loop address and was able to open help -> licensing window. I saw no activation details there. I tryied to activate using my activation ID and key, but there is no reaction: after I enter details and push ok nothing happens!?

This will not prevent you from connecting to the engine and activating a purchased license.

Are you sure? The license was bought in 2007 and 06.12.2009 is 30 months term end.

Anyway, I'll try now some more times and let you now.


BTW, one more issue, sometimes we send confidential data by email and use WinRar with archive encryption (it uses AES 256 bit, which is very strong).
Recently I mention KAV is blocking rared files protected with passwords (as it can not check them, as I understand). How can this be solved (I mean just switching off blocking of encrypted archives, if possible)?

[Alen]

Well, tried again with the same result.
Particularly: in activation window I press add button -> provide activation details -> press ok -> "Do you want to add\update license" -> Yes - Nothing is happening.

Addition: my admin noticed in NetPatrol main window the following messages:
- Date\time 0.0.0.0 Remote control connection initiated from 127.0.0.1
- Date\time 0.0.0.0 License is not accepted (invalid or expired)
- Date\time 0.0.0.0 Remote control connection from 127.0.0.1 terminated

But the same time I don't see NP is trying to check anything. No network activity is mentioned during the activation procedure.
Could the reason be in NP PC has no NAT connection to Internet, only web proxy is allowed? (browsing is working fine on it, checked)


Addition: NAT access was granted, result - no changes. I can't even see (from GK) the respective PC is trying to go out to Internet for activation code checking!?

[logan]

NP doesn't use online activation like our other products. It still uses the older v5 key types.

Can you send your license name and key that you are using to sales@qbik.com. There have been a couple of occasions in the past where a license key combination just doesn't get recognised by NP. We can test the license here and if that's the case, generate a new license name/key combination for you.

[Alen]

Ok, thank you.

[Alen]

Logan,
Is it possible to provide resume support for download managers when using Proxies (with drip-feed option)?
All sites which support resume during download, now do not (I mean they still do, but downlad managers "think" they don't.)

It is very important because our Internet connection is quite faulty and resume support is very usefull.

[adrien]

Hi

KAV scanning relies on getting the whole file. If we allow downloading in pieces, then it can't get the whole file to scan. So the KAV component blocks partial downloads, which download managers rely on for resuming failed downloads.

If you have a particular troublesome URL or site, you can whitelist it in KAV, then it won't scan it, but more importantly won't prevent partial requests.

[Alen]

If you have a particular troublesome URL or site, you can whitelist it in KAV, then it won't scan it, but more importantly won't prevent partial requests.

Yes, and already done. It does not help.
Here is the link http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce, the whole symantec.com is in the KAV whitelist, but DAP says resume is not supported. DAP has proxy settings and uses pure proxy service.

When downloading using pure NAT connection resume is supported!?

[logan]

Yes, and already done. It does not help.
Here is the link http://www.symantec.com/business/securi ... ?gid=savce, the whole symantec.com is in the KAV whitelist, but DAP says resume is not supported. DAP has proxy settings and uses pure proxy service.

Do you have PureSight installed as well? That also prevents the use of range headers for the same reason, so URLs must be overridden in both plugins.

When downloading using pure NAT connection resume is supported!?

NAT simply rewrites source/dest IPs and ports before forwarding packets. It doesn't do anything with the actual content of the packets, so it won't strip out the range headers.

[Alen]

Do you have PureSight installed as well? That also prevents the use of range headers for the same reason, so URLs must be overridden in both plugins.

Yes as you probably remember. Understood, I'll do it now.

NAT simply rewrites source/dest IPs and ports before forwarding packets. It doesn't do anything with the actual content of the packets, so it won't strip out the range headers.

I know it, it was for demonstration of the fact sites support resume, the problem is not outside.


P.S. BTW, I am still waiting for a message from your sales division concerning NetPatrol issue.

[logan]

P.S. BTW, I am still waiting for a message from your sales division concerning NetPatrol issue.

What is the ticket ID that you were issued? I'll take a look now.

[Alen]

I added "symantec.com" in PureSight as allowed url. It does not help.
I restarted DAP several times, no good.


Another question: how to check PureSight is updating its DB regularly? In KAV I see its DB date, but can't find the same for PS.


Concerning NP: [#SPN-344386]: License key for NP is not workable.

[logan]

Can you resend that email? I can't find it on the support desk.

[Alen]

Can you resend that email? I

Done.

Please answer the question about PureSight.