WinGate Forums

[rdunn]

I am having trouble accessing my internal web server from the internet, going through my Wingate proxy (IE does not bring up web page). There are actually 2 links in this chain. I am using dns2go to handle the dynamic ip resolution from my cable provider on the same pc that is running Wingate (6.6.3 build 1321). My pc (which hosts both dns2go and Wingate) is a win2k machine. I set dns2go to forward any requests to my pc’s current ip address on port 8085. In Wingate I created a service to monitor port 8085, with a reverse proxy to my internal web server (ip address 192.168.0.6). This proxy service is currently bound to all interfaces (internal and external). I am assuming that the url path and variables get passed along on the reverse proxy.

While I believe that the problem is with dns2go, but, in talking with dns2go tech support, they have hinted that the problem could be in my Wingate setup. I am an apps guy, not a network guy. So I would like to rule out my Wingate configuration as the problem. Does anyone see an obvious issue with my Wingate configuration that would cause this not to work?

[adrien]

Hi

just answered your other post then saw this one sorry.

Try turning off the service on port 8085.

Then if anyone tries to connect to you, it should show up in the WinGate firewall tab as a blocked packet.

If you don't see this, there are 2 options:

a) the packet isn't coming (which means the request wasn't forwarded, or IP lookup failed)
b) some firewall below WinGate blocked it first. If you don't have any other firewall installed, or Windows firewall enabled, or (on 2k) TCP/IP filtering enabled on the adapter, you can rule this one out.

One question - I'm not that familiar with dns2go, I thought it just did DNS resolution, in which case it wouldn't be forwarding connections or ports. Did you try running it on port 80? Otherwise you'll need to specify the urls like

http://mysite.dns2go.com:8085:/home.htm

Regards

Adrien

[rdunn]

Thanks for the reply. dns2go does allow you to point your incoming request to a certain port on the PC, as well as perform dynamic DNS.

Started playing around and configured a duplicate service, this time using ENS (see attached). Request got through to Wingate but errored out in Authentication; "authentication failed - user Guest on 67.165.175.142 requested NAT:TCP connection to 192.168.0.6:8085".

Guest user is enabled. While I would like to be able to configure the TCP/PROXY services to do this sort of thing, ENS seemed simpler to me and I need to get this site out there.

Could you please guide me over this last hump?

Thanks!

[adrien]

Hi

What are your ENS policies like? Do they allow unauthenticated Guest access?

Regards

Adrien

[rdunn]

Hi Adrian-

Am making progress. Granted everyone unrestricted rights and the security message for user guest disappeared. I realize that this is probably not the best security practice, but I am just trying to get the internal web site up to the external users. Will tighten things up after I have something to tighten up!

I can see the redirect happening in the firewall section of Gatekeeper (Wingate), but the external users browser times out and does not display the web page. No messages appear in the system message section of Gatekeeper (Wingate). When I check the error and access logs of my internal webs apache server, I see no evidence that the request made it to the server.

I am close, but am stumped at the moment on what to try next. Again, if I access the external web site from behind the Wingate PC, everything resolves correctly and I can access all pages on the internal webserver.

If you can think of anything I could try, I would greatly appreciate it.

Thanks for your help.

-Bob

[adrien]

HI Bob

If you have "Don't translate source IP" selected in the ENS redirect entry, then the servers behind WinGate you connect through to must use WInGate as their default gateway, else the response packets from those servers won't go back out through WinGate and be properly address translated.

If this isn't an option, just uncheck that option, but it means that the server will then see the connection as coming from WinGate's internal IP address.

As for ENS policy, since you need to allow unknown users from the internet to access, then you need a fairly permissive policy. You can lock it down by port number (but this is also in effect done by the fact that the other ports aren't open through the firewall anyway).

Regards

Adrien

[rdunn]

Hi Adrian-

Thanks for the reply. Cleaned out the cache of the external PC and now hit my internal server, but requests time out and I think I know why. Wingate is handling the inbound request (from the internet) and forwarding it to the internal server correctly. The internal server is just that, internal (192.168.0.6). Any responses from the internal server will have the internal IP address (or name) on the address bar and that will not work on a public internet. Even if the web page reached the end user, the private ip address would not resolve from the internet through Wingate back to the internal server. It would seem that I need to "spoof" the URI back to the public ip address (or name) when outputting the web page, so the next inbound request will resolve through Wingate again or find a way to reverse the incoming request to the original URI automatically in Wingate like I did for the inbound (internet) request.

Does this sound correct? Sorry so many questions, I am a networking newbie.

-Bob.

[adrien]

Hi Bob

WinGate actually does that for you. So it translates the source address on packets back to the internet-based client from the internal LAN IP to the external WinGate IP. That way the client on the internet thinks it's just talking to the WinGate server external IP.

I think you should try disabling the option in the ENS redirect entry "don't translate source IP" and see if that helps.

Also check that there isn't some other firewall on that server blocking requests.

Regards

Adrien