client PC cannot connect to HTTPS site


Postby kiav » Sep 21 05 12:32 am

Hello.

Client PC in my net cannot connect to thawte site.

I use WGIC on Windows 98 SE (IP 192.168.1.2), WinGate 6.0.4 (Build 1025) on Windows XP (IP 192.168.1.1).

Server

I did not change from default setting policies in Extended Network Driver, GDP service, Winsock Redirector Service, WWW Proxy Server.

All these services are on. DNS servers are 195.161.113.218 and 217.16.27.36 (these settings are from DNS/WINS Resolver Configuration, DNS pane).

I use KAV for WinGate. This Plugin is activated.

Client

On the client machine WGIC is installed and enabled. TCP/IP settings on the client:

IP: 192.168.1.2, Net Mask: 255.255.255.0

DNS is turned on. Computer name: irina, Domain name: localdomain, DNS Server: 192.168.1.1

WINS is turned off.

Gateway: 192.168.1.1
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Postby adrien » Sep 21 05 2:23 am

Hi

We recently started suspecting some broken TCP packets causing this, since we have had reports of systems that worked fine stopping.

If you enable debug logging for the ENS, do you start to get entries in there about TCP checksum failures?

Have you installed any MS hotfixes on the server computer lately?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby kiav » Sep 21 05 6:27 pm

adrien wrote:Hi

We recently started suspecting some broken TCP packets causing this, since we have had reports of systems that worked fine stopping.

If you enable debug logging for the ENS, do you start to get entries in there about TCP checksum failures?

I enabled debugging in Extended Network Driver/Logging.

Unfortunately, I did not find log file for ENS.

My %WinGatePath%\logs\ contains these files (dirs) only:

<DIR> DHCP Service
<DIR> Dialer
<DIR> DNS Resolver
<DIR> DNS Service
<DIR> FTP Proxy server
<DIR> GDP Service
<DIR> Kaspersky AV for WinGate
<DIR> POP3 Collection
<DIR> POP3 Proxy server
<DIR> POP3 Server
<DIR> Remote Control Service
<DIR> RTSP Streaming Media Proxy
<DIR> Scheduler
<DIR> SMTP Server
<DIR> SOCKS Proxy server
<DIR> System
<DIR> Telnet Proxy server
<DIR> VDOLive Proxy server
<DIR> VPN
<DIR> WinGate NAT
<DIR> WINS Resolver
<DIR> Winsock Redirector Service
<DIR> WWW Proxy server
<DIR> XDMA Proxy service


I tried to use Log File Server but neither http://127.0.0.1:8010/ nor http://192.168.1.1:8010/ work. I disabled use of proxy for local addresses and for 127.0.0.1 and 192.168.1.1 in browser on server PC (I tried to read logs on server PC).

I did not find Logfile Server in GateKeeper!


%WinGatePath%\logs\WWW Proxy server\WWW Proxy server.log contains these lines:

09/20/05 22:23:06 192.168.1.2 irina 0000000567 Requested: http://www.thawte.com/cgi/enroll/personal/step1.exe
09/20/05 22:23:06 192.168.1.2 irina 0000000567 Debug: WWW Session sending server request in thread a60
09/20/05 22:23:07 192.168.1.2 irina 0000000567 Debug: Server response contains 244 bytes of resource data
09/20/05 22:23:07 192.168.1.2 irina 0000000567 Debug: WWW Session processing HTTP response in thread a60 - response code 302
09/20/05 22:23:07 192.168.1.2 irina 0000000567 Debug: Unintercepted Server Response code 302
09/20/05 22:23:07 192.168.1.2 irina 0000000567 Debug: Server closed connection in thread a60


How can I read logs for ENS?

adrien wrote:Hi
Have you installed any MS hotfixes on the server computer lately?

Adrien

No.
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Postby jamesc » Sep 21 05 10:24 pm

The ENS log is called WinGate NAT.

The Log File Server location in Wingate is shown in the image below

Image

If you cannot see it, then you can easily make it!

Image
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby kiav » Sep 22 05 6:14 am

adrien wrote:Hi

We recently started suspecting some broken TCP packets causing this, since we have had reports of systems that worked fine stopping.

If you enable debug logging for the ENS, do you start to get entries in there about TCP checksum failures?


No.

I found in logs only this ...

http://127.0.0.1:8010/logs/wingate%20nat/wingate%20nat.log
09/21/05 20:47:23 Authorisation failure: NAT STATUS: firewall block: UDP src 218.92.13.147:32819 dst 83.138.49.44:1026
09/21/05 20:47:40 Debug: Sent route table with 8 entries, return status 0
09/21/05 20:49:38 Debug: Sent route table with 3 entries, return sta


http://127.0.0.1:8010/logs/www%20proxy%20server/www%20proxy%20server.log
09/21/05 20:47:21 192.168.1.2 irina 0000000070 Requested: http://www.thawte.com/cgi/enroll/personal/step1.exe
09/21/05 20:47:21 192.168.1.2 irina 0000000070 Debug: WWW Session sending server request in thread 6e8
09/21/05 20:47:22 192.168.1.2 irina 0000000070 Debug: Server response contains 244 bytes of resource data
09/21/05 20:47:22 192.168.1.2 irina 0000000070 Debug: WWW Session processing HTTP response in thread 6e8 - response code 302
09/21/05 20:47:22 192.168.1.2 irina 0000000070 Debug: Unintercepted Server Response code 302
09/21/05 20:47:22 192.168.1.2 irina 0000000070 Debug: Server closed connection in threa


adrien wrote:Have you installed any MS hotfixes on the server computer lately?

Adrien

No
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Postby adrien » Sep 22 05 3:02 pm

Hi

Can you check in the adapters in GateKeeper what the MTU is for each adapter (it shows this in the details tab for the adapter)?

We have seen recently sometimes the MTU of adapters is reducing by itself (still debugging why). The normal number there is 1500.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby kiav » Sep 23 05 4:29 am

adrien wrote:Hi

Can you check in the adapters in GateKeeper what the MTU is for each adapter (it shows this in the details tab for the adapter)?

We have seen recently sometimes the MTU of adapters is reducing by itself (still debugging why). The normal number there is 1500.

Adrien

My MTUs are:

1. Local Area Connection (Net Card, Intel 8255x PCI Based Ethernet Adapter) - 1500
2. Ip-Tel (Dial-Up, Rockwell External V.90 K56 Voice Modem) - 0/1500 (Disconnected/Connected)
3. Relkom (Dial-Up, Rockwell External V.90 K56 Voice Modem) - 0/1500 (Disconnected/Connected)
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Postby adrien » Sep 23 05 4:59 pm

OK, that looks normal.

You don't know if the thawte site uses client certificates do you?

Do you have an account you log into their site with?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby kiav » Sep 23 05 7:51 pm

adrien wrote:OK, that looks normal.

You don't know if the thawte site uses client certificates do you?

Do you have an account you log into their site with?

Adrien


Thawte's server is not enabled for client authentication (this is Thawte support answer on my question).

Yes, I already have an account on Thawte. But a user in my network (irina) doesn't. She wants to get it, but cannot join because of the https trouble.
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Postby adrien » Sep 24 05 2:10 pm

You could try using NAT for HTTPS - to do this, you would remove the "secure" proxy settings in Internet Explorer.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby kiav » Sep 28 05 7:22 am

adrien wrote:You could try using NAT for HTTPS - to do this, you would remove the "secure" proxy settings in Internet Explorer.

Adrien

I am using WGIC.
How can I disable secure proxy? I did not use it at all.
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Postby jamesc » Sep 28 05 9:09 pm

1. Do you have any proxy settings placed in Internet Explorer?

Image

2. Can you try clearing the following check boxes, reboot and test. If it makes no difference, please check again and reboot.
(Windows) Start menu --> Programs --> WinGate --> Advanced Options --> Protocol Handling
Clear (uncheck) Use MSS checks and reductions
Clear (uncheck) Analyse MSS
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby adrien » Sep 29 05 12:33 am

kiav wrote:
adrien wrote:You could try using NAT for HTTPS - to do this, you would remove the "secure" proxy settings in Internet Explorer.

Adrien

I am using WGIC.
How can I disable secure proxy? I did not use it at all.


Ah ok. You would need to set the application mode for iexplore.exe to 'local' in the applications tab of the WinGate Internet Client settings in Control Panel.

That stops WGIC from hooking into Internet Explorer. Then if you have installed ENS in WinGate (which it does by default), and your client machines have their TCP/IP default gateway settings set to the IP address of WinGate, then Internet Explorer would then use NAT for all connections, most likely (default setting) HTTP would still be transparently intercepted by the WWW proxy anyway, so you would still have control over that.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby kiav » Nov 14 05 8:18 pm

adrien wrote:
kiav wrote:
adrien wrote:You could try using NAT for HTTPS - to do this, you would remove the "secure" proxy settings in Internet Explorer.

Adrien

I am using WGIC.
How can I disable secure proxy? I did not use it at all.


Ah ok. You would need to set the application mode for iexplore.exe to 'local' in the applications tab of the WinGate Internet Client settings in Control Panel.

That stops WGIC from hooking into Internet Explorer. Then if you have installed ENS in WinGate (which it does by default), and your client machines have their TCP/IP default gateway settings set to the IP address of WinGate, then Internet Explorer would then use NAT for all connections, most likely (default setting) HTTP would still be transparently intercepted by the WWW proxy anyway, so you would still have control over that.

Adrien

It does not help.

After that I upgraded my WinGate 6.0.4 to WinGate 6.1 and KAV 1 to KAV 2. The problem is the same - nothing changed.
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Wingate is OK, the problem was in IE

Postby kiav » Nov 29 05 9:06 pm

Wingate is OK, the problem was in IE and Thawte.

On the Win98 PC, Internet Explorer 5 with 56-bit encryption was installed (only 3 base cryptographic providers were installed - Microsoft Base DSS Cryptographic Provider, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider, Microsoft Base Cryptographic Provider v 1.0).

I upgraded IE 5 to a fresh Internet Explorer with 128-bit encryption (IE 6, SP 1). A new cryptographic provider appeared in the system - Microsoft Enhanced Cryptographic Provider v 1.0.

Now the user on the Win98 PC can use the Thawte site without any trouble.
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia
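
The cause found in the last post, a browser limited to 56-bit ciphers, can be confirmed from a packet capture by reading the cipher suites the client offers in its ClientHello. The following is an added example, not part of the thread or of WinGate: the function names, the constructed sample hellos and the 128-bit server minimum are assumptions for illustration.

```python
import struct
# Nominal key bits for some SSL 3.0 / TLS 1.0 cipher-suite IDs (IANA values).
SUITE_BITS = {
    0x0003: 40,   # RSA_EXPORT_WITH_RC4_40_MD5
    0x0009: 56,   # RSA_WITH_DES_CBC_SHA
    0x0064: 56,   # RSA_EXPORT1024_WITH_RC4_56_SHA
    0x0004: 128,  # RSA_WITH_RC4_128_MD5
    0x0005: 128,  # RSA_WITH_RC4_128_SHA
    0x000A: 168,  # RSA_WITH_3DES_EDE_CBC_SHA
}

def offered_suites(record: bytes) -> list:
    """Cipher-suite IDs from a record-layer ClientHello (SSLv2-format hellos are rejected)."""
    try:
        ctype, _ver, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 22 or len(body) != rec_len or body[0] != 1:
            raise ValueError("not a complete ClientHello handshake record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 35 + hello[34]  # skip client_version(2), random(32), session_id
        (cs_len,) = struct.unpack_from("!H", hello, pos)
        pos += 2
        if cs_len % 2 or pos + cs_len > len(hello):
            raise ValueError("bad cipher_suites length")
        return [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def max_strength(record: bytes) -> int:
    """Strongest nominal key size among offered suites known to SUITE_BITS (0 if none)."""
    return max((SUITE_BITS[s] for s in offered_suites(record) if s in SUITE_BITS), default=0)

def can_negotiate(record: bytes, server_min_bits: int = 128) -> bool:
    return max_strength(record) >= server_min_bits  # server minimum is an assumption

def build_hello(suites) -> bytes:
    """Construct a minimal SSL 3.0 ClientHello record (sample input, zeroed random)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = b"\x03\x00" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + len(hs).to_bytes(2, "big") + hs

# Constructed samples: suite mixes are illustrative, not captures from the thread.
WEAK_CLIENT = build_hello([0x0003, 0x0009, 0x0064])
STRONG_CLIENT = build_hello([0x0004, 0x0005, 0x000A, 0x0009, 0x0003])

if __name__ == "__main__":
    for name, rec in (("56-bit client", WEAK_CLIENT), ("128-bit client", STRONG_CLIENT)):
        print(name, max_strength(rec), "bits ->", "ok" if can_negotiate(rec) else "handshake fails")
```

A client whose strongest offer is below the server's minimum fails during the SSL handshake, before any HTTP request is sent, so the proxy and NAT logs show nothing wrong.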

