Several questions about supported functionality


Several questions about supported functionality

Postby AlenDV » Jan 15 17 11:33 pm

Hello,

We are interested in Wingate (Pro) and need to clarify supported functionality.

Our environment currently contains Mikrotik router as an Internet connection device, making NAT and firewalling. We have a task to log HTTP and HTTPS Internet connections (just log) and be able to easily read logs in a convenient format. But we need a transparent proxy, so no configuration is required to be done on servers and computers.

What we want is to redirect all HTTP and HTTPS (!) traffic from Mikrotik to a proxy VM to log them.
We don't need to log incoming connections (I mean outside initiated), only outgoing. We can redirect only required traffic to the proxy. The question is: will Wingate provide required transparent proxy and logging functionality in this scenario?
And will it work for HTTPS as well? (I know, we will have problems with HTTPS, where mutual certificate based authentication is involved, let's count we don't have such connections. Just web-browsing using HTTPS, i.e. only server authentication).

P.S. Authentication will be used source IP-based.

Thank you.
Alen
AlenDV
 

Re: Several questions about supported functionality

Postby adrien » Jan 16 17 7:42 pm

Hi

If

a) the clients are not configured to use a proxy
b) the router will be diverting connections to the proxy (rewriting the destination IP of the TCP connection to WinGate's IP),

then WinGate will see the request as a server request. To get WinGate to process this as a forward proxy request, it uses the Host header, if you specify (in the Web Server tab) to proxy the request. With the Pro license you can't add any more "sites" in the Web Server tab, but you may not need to (this is generally for reverse proxy).

My advice would be to try it before making a decision.

For HTTPS, WinGate can also use the SNI extension in the TLS handshake to determine the destination, so you should be able to do this for HTTPS as well, whether or not you MitM the traffic.

If you want to inspect the traffic, which would be required to log URL-level rather than connection-level details, then you would need to use HTTPS inspection, which requires an enterprise license, but you may get sufficient logging from just forwarding the connections.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Several questions about supported functionality

Postby AlenDV » Jan 17 17 3:41 am

Hello Adrien,

Thanks for the answer. Can you please clarify, why WinGate will see the request as a server request and what does that mean?

I understand the router can do DST-NAT, but that's not how it is supposed to work. There is functionality in the Mikrotik router which allows you to mark some packets\connections (e.g. by proto:port) and then manipulate them (e.g. redirect). The router will simply use a different default gateway for the connections and redirect the connections to the proxy server. So the task then is to make the proxy process requests as if client machines directly sent their web traffic to the proxy and it does transparent proxying. Now, when I explained this to you, I realized there is nothing special in it: if WinGate supports transparent proxy mode (and I remember it does), then it should work!?
So I think I don't need any additional functionality, right?


Concerning HTTPS, to prevent any possible issues, I would like to simply log the destination server (the exact URL does not matter, it's enough to see the web server name), no need to inspect it for now. What do I need for that? How do you control SNI-only detection vs full inspection?
(I had long experience with Wingate 5 and 6, but not later releases. I'll look in the manual).


P.S. Adrien, I am an old forum member, my username is "Alen", but the e-mail I used when registered does not work anymore. Can you please assist me to recover my old account? I would like to change the e-mail to the one, used for account I am currently using.

Thank you.

Re: Several questions about supported functionality

Postby adrien » Jan 17 17 9:10 am

Hi Alen, I wondered if it was you, welcome back!

The difference between a proxy request and a server request is basically the form that the request line in the HTTP request message takes. For a proxy request the request line includes what the RFC calls the full authority (scheme://server[:port]), and in a server request only the path and resource are requested, e.g.

GET http://www.wingate.com/ HTTP/1.1
Host: www.wingate.com

vs

GET / HTTP/1.1
Host: www.wingate.com

WinGate does intercept connections, so if the router can divert those connections via a different upstream router, then WinGate can be that router, intercept the connections (get the proxy to intercept ports 80 and 443) and for HTTP it will see the Host header, and for HTTPS it will still inspect the first packet for SNI, so it will see the server name rather than just an IP address for logging.

Regards

Adrien
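The two request forms Adrien shows, plus the SNI lookup he mentions for port 443, are the whole basis of logging a diverted connection without client configuration. The script below is an added example (my own code, not WinGate's): it takes the first bytes of an intercepted TCP connection and recovers the destination name the way an intercepting proxy has to. For port 80 it distinguishes an absolute-form request line (proxy request) from an origin-form one (server request, host taken from the Host header); for port 443 it walks the TLS ClientHello to the server_name extension, which is sent in the clear, so the hostname is available without any MitM. The function names, the minimal ClientHello builder and all sample requests are constructed for this example and are not WinGate APIs or real captures.

```python
"""Added example (my own code, not WinGate's): recover the destination
name from the first bytes of a transparently intercepted connection.

Port 80:  a proxy-aware client sends an absolute-form request line
          (GET http://host/ HTTP/1.1); an intercepted client sends
          origin-form (GET / HTTP/1.1), so the host must come from the
          Host header.
Port 443: the TLS ClientHello carries the server_name (SNI) extension in
          the clear, so the hostname can be logged without decrypting.

All sample inputs are constructed here; names and helpers are my own.
"""
import struct
from urllib.parse import urlsplit


def http_destination(data: bytes):
    """Return (host, request_form) for a complete HTTP request head, else None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None                      # head not complete yet
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method, target, _ = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if method == b"CONNECT":             # authority-form: host:port (explicit proxy only)
        return target.rsplit(b":", 1)[0].decode("ascii"), "authority-form"
    if target.startswith((b"http://", b"https://")):  # absolute-form: proxy request
        return urlsplit(target.decode("ascii")).hostname, "absolute-form"
    host = headers.get(b"host")          # origin-form: server request
    if host is None:
        return None                      # HTTP/1.0 without Host: only the IP is known
    return host.rsplit(b":", 1)[0].decode("ascii"), "origin-form"


def tls_sni(data: bytes):
    """Return the SNI hostname from a TLS ClientHello record, else None."""
    try:
        if data[0] != 0x16:              # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < rec_len or body[0] != 0x01:   # truncated / not ClientHello
            return None
        pos = 4 + 2 + 32                 # handshake header, client_version, random
        pos += 1 + body[pos]             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]             # compression_methods
        if pos + 2 > len(body):
            return None                  # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:            # server_name extension
                p = pos + 2              # skip ServerNameList length
                while p + 3 <= pos + ext_len:
                    name_type = body[p]
                    name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
                    if name_type == 0:   # host_name
                        return body[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    hello = (b"\x03\x03" + b"\x00" * 32      # client_version, random (zeros, example only)
             + b"\x00"                        # session_id length
             + b"\x00\x02\x13\x01"            # one cipher suite
             + b"\x01\x00"                    # one compression method (null)
             + struct.pack("!H", len(sni)) + sni)
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def destination(dst_port: int, first_bytes: bytes):
    """What an intercepting proxy can log for a connection on the given port."""
    if dst_port == 443:
        name = tls_sni(first_bytes)
        return (name, "sni") if name else None
    return http_destination(first_bytes)


if __name__ == "__main__":
    samples = [  # constructed traffic as the router would divert it
        (80, b"GET http://www.wingate.com/ HTTP/1.1\r\nHost: www.wingate.com\r\n\r\n"),
        (80, b"GET / HTTP/1.1\r\nHost: www.wingate.com\r\n\r\n"),
        (443, build_client_hello("www.wingate.com")),
        (443, b"\x16\x03\x01\x00\x10\x01"),   # truncated record
    ]
    for port, data in samples:
        print(port, destination(port, data))
```

Two caveats worth keeping in mind when relying on this for logging: an HTTP/1.0 client that sends no Host header, or a TLS client that omits SNI, leaves the proxy with nothing better than the destination IP, so the logger should fall back to the IP rather than drop the record; and the SNI name is client-asserted and unauthenticated, so a connection-level log tells you where the client said it was going, not what was actually served.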

Re: Several questions about supported functionality

Postby adrien » Jan 17 17 9:13 am

Hi Alen

phpbb doesn't let me update your email to the same as another account, so I'd need to delete the AlenDV (or change its email to something else) in order to set your other account to your gmail address.

Adrien

Re: Several questions about supported functionality

Postby AlenDV » Jan 17 17 9:13 pm

Hello Adrien,

I did not realize you meant server request as opposed to proxy request, I know the difference. :-) Thought you were talking about something different. Clear now, thanks.

Concerning account deletion, yes please, go ahead, delete this one.

Thank you!


P.S. Adrien, can you send me the latest manual in pdf format (if you have it), I would like to print it.

Re: Several questions about supported functionality

Postby adrien » Jan 18 17 12:55 pm

ok, it's done.

Adrien

Re: Several questions about supported functionality

Postby Alen » Jan 18 17 8:41 pm

Thank you very much Adrien!
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Several questions about supported functionality

Postby Alen » Jan 22 17 11:55 pm

Hello Adrien,

To be able just to log web-activity of several users, do we need Pro version or Standard is ok?

Also, I am installing the proxy on a VM, so I would like to keep it simple and use only one subnet (probably one NIC, but that's not important). Is it possible?
(In the previous version you had to have a precise selection of WAN\LAN interfaces, as I remember, so 1 NIC was impossible. Not sure about a single subnet).

Re: Several questions about supported functionality

Postby adrien » Jan 23 17 11:32 pm

Hi

Actually even WinGate 6 allowed single NIC operation, even for NAT.

To get W3C logging you need a pro or standard license. You can still log all requests with a standard license in diagnostic logs.

Regards

Adrien

Re: Several questions about supported functionality

Postby Alen » Jan 24 17 7:23 am

Thank you Adrien, I'll try free edition then.

Re: Several questions about supported functionality

Postby Alen » Jan 24 17 7:26 am

Adrien, I can't download the help file. Export to chm goes well, but download link does not work (404 - File or directory not found.)
Please assist.

Re: Several questions about supported functionality

Postby adrien » Jan 24 17 9:35 am

Hi Alen

which link were you using for download? In our download page or our help site?

Regards

Adrien

Re: Several questions about supported functionality

Postby Alen » Jan 24 17 8:19 pm

On the help.qbik.com, I click on the "Download helpfile", check everything and click "Download my selected topics". It compiles the file successfully, but then when I click on the proposed link to download it I get the error.

P.S. Looked at downloads, on the Wingate download page the "WinGate documentation online" link sends me to the same help site. I don't see any other links or sections to download help\manual. Please try yourself.

Re: Several questions about supported functionality

Postby Alen » Jan 26 17 12:04 am

Adrien, I installed Wingate on a VM with a single NIC, disabled NAT, created several users and credential rules for assumptions by IP addresses.

I configured my PC to use the proxy and I can get Internet and see activity on the Activity pane. So seems this part is working fine.
Now I need to know where are the web requests being logged and how should I access that data.

Thank you.

Re: Several questions about supported functionality

Postby Alen » Jan 27 17 10:20 pm

Hello Adrien,

Had some free time yesterday, opened the chm files in the WinGate folder and started reading. Have read certificates, credentials and ENS files. Have some questions:

1. Can we import a third-party trusted-root-CA-issued certificate into the OS and use it for WinGate services? Will certificates in the Machine store be visible in the WinGate Certificates panel and be usable for bindings?

2. Are the routing and UDP broadcast packet relay functions working only for subnets of interfaces marked as internal, or for the subnets of any interfaces?
(Even the firewall option "Disable network name broadcasts to the Internet" does not answer the question, as it's only about NetBIOS name broadcast traffic, not just any UDP broadcast traffic.)

3. The "Indicate UDP traffic (Ports < 1024)" feature is explained a little unclearly in the second paragraph. Need some clarifications.
Particularly you have:
When this option is ticked, all UDP traffic will be shown if it is being intercepted by a Intercepting Proxy that may have been configured on a network service, or if it remains active for a longer time frame.

What is written does not correspond to the first paragraph, in my opinion:
The default behavior for the WinGate NAT is to notify the WinGate Engine of any UDP traffic below port 1024 as soon as it occurs. UDP traffic above port 1024 is only shown on the Activity panel (located in the Monitoring section of the WinGate Management console) if it remains active for a longer time frame (20 seconds, with at least 10 seconds since the last activity). On systems that have extensive UDP traffic over NAT (such as a DNS redirect) the volume of traffic could cause an increase in memory usage. This switch allows you to control the display of UDP sessions instigated on port 1024 and lower.


As I understand it, the main part says that when the checkbox is checked, all UDP traffic for ports lower than 1024 will be immediately and certainly (unconditionally) shown on the Activity panel. The second part talks about some conditions, one of which is a longer time, when before it says immediately!? Please clarify.

4. Where are NAT permissions configured?
I just started reading, so obviously I'll find it later, but want to ask this question.
Where is this done now? E.g. permitting a user to send\receive non TCP\UDP traffic, e.g. ICMP, ESP, etc.

5. Why do we need default rules which allow TCP traffic on ports 113, 1024-4096 from the Internet?!
I don't understand this. This makes the WinGate machine unprotected. Why!? Am I missing anything?

6. (In bandwidth control rule configuration) Does "Apply to traffic to\from the local machine" setting control bandwidth between Wingate and the user's computer?
If the option is not checked, but "Rule is bi-directional" option is checked, does it mean the traffic in both directions between Wingate and remote computer will be restricted, but between Wingate and local computer - not.
E.g. download speed for cached content will utilize full LAN connection speed between Wingate and user's computer.

7. In Wingate 6 I was asking you to make an easy way to configure even distribution of available bandwidth between all host computers in a particular subnet or IP range. Did you realize it?
Or we still need to create 253 unrestricted rules for a typical subnet with equal priorities to achieve that!? (I hope you won't say "yes". :-))

That's all for now, hopefully I will have more time to read more and ask more.
P.S. Hope you will make additions\clarifications to the documentation whenever reasonable, so next time meticulous users like me don't spend your time. :-)

Adrien, and please answer my questions from the 2 previous posts as well.

Thank you very much!

Re: Several questions about supported functionality

Postby Alen » Jan 28 17 12:08 am

Alen wrote:Now I need to know where are the web requests being logged and how should I access that data.


Seems it's in ...\WinGate\Logs\Global and I should use any txt editor to view it.

Adrien, does Pro or Ent license give any convenient way to view and analyze logs? (E.g. search, filter and sort (by date, by most visited, etc.))
And do I need Ent license to be able to log exact URLs intercepted by HTTPS proxy?

Re: Several questions about supported functionality

Postby adrien » Jan 30 17 10:29 am

Hi Alen

I think for requests to be logged in diagnostic logs, you need to set log level to info. The default is warning, which won't log requests. I would also recommend setting the WWW proxy to log to its own file, else the log entries will go into the global log. You can view from within WinGate Management, which also has a search facility. WinGate Management can easily handle a file of many GB, unlike most text editors. It doesn't do sorting since there can be millions of records, and they are not all loaded into the UI, just requested as required, otherwise handling large files would be too slow. You can select all matching rows, which allows you to copy into say notepad, I often do that to narrow down searches.

As for importing certs and using them for services, that's an enterprise feature, and you can't do that with the free version.

Also https inspection is an enterprise feature.

Routing doesn't mind what type of interface, since the route table determines which interface a packet must be forwarded onto.

UDP broadcast relay is done only over internal interfaces, and VPN tunnels.

Indicate UDP traffic, means tell the engine about it (shows up in activity screen). There can be a lot of this and it normally doesn't indicate so much client activity to the internet, except perhaps DNS.

Time-related indication. I think it's not immediate, it's notified periodically (within 2s)

Nat permissions are now done in flow-chart policy.

Default open ports, probably not required. 113 is identity, a long time ago many servers would test this when you connected, if the connection was ignored, this would cause delays. As for the other ports, that may originally have been for FTP.

Bandwidth control didn't change since WinGate 6. MS is making it even more difficult to make network drivers with Windows 10, as they now must be signed by MS HCL, which requires them now to pass all HQL testing. We don't recommend people to use WinGate bandwidth control any more, and few people ask about it. There are other options for bandwidth control.

Adrien
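Alen's question about sorting by date or most-visited host, and Adrien's answer that WinGate Management searches but deliberately does not sort, leave the ranking step to the reader. The script below is an added example (my own code, not WinGate tooling) that does that step offline on a W3C Extended Log Format file, the format Adrien says a Standard or Pro licence can write. The #Fields directive drives the parsing, so the script follows whatever columns the real log contains; the field names, user names, hosts and addresses in SAMPLE_LOG are constructed for this example and are not real WinGate output.

```python
"""Added example (my own script, not WinGate tooling): offline analysis
of a W3C Extended Log Format file. The #Fields line drives the parsing,
so the script adapts to whatever columns the real log contains. The
field names, users, hosts and IPs below are constructed for the example.
"""
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_LOG = """\
#Software: constructed sample, not real WinGate output
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri sc-status
2017-01-26 10:00:01 192.0.2.10 alen GET http://www.wingate.com/ 200
2017-01-26 10:00:02 192.0.2.10 alen GET http://www.wingate.com/download 200
2017-01-26 10:00:05 192.0.2.11 bob CONNECT help.qbik.com:443 200
2017-01-26 10:00:09 192.0.2.10 alen CONNECT help.qbik.com:443 200
2017-01-26 10:00:12 192.0.2.12 - GET http://example.net/ 407
2017-01-26 10:00:13 garbage line that does not match the field count
"""


def parse_w3c(text: str):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):     # may appear again after rotation
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                             # skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def host_of(uri: str) -> str:
    """Host named by cs-uri: absolute URL for plain HTTP, host:port for CONNECT."""
    if "://" in uri:
        return urlsplit(uri).hostname or uri
    return uri.rsplit(":", 1)[0]


def top_hosts(records, n=10, success_only=True):
    """Most-visited hosts; by default only requests the proxy answered 2xx."""
    counts = Counter()
    for r in records:
        if success_only and not r.get("sc-status", "").startswith("2"):
            continue
        counts[host_of(r["cs-uri"])] += 1
    return counts.most_common(n)


def requests_by_user(records):
    """Requests per cs-username ('-' is the unauthenticated bucket)."""
    return Counter(r.get("cs-username", "-") for r in records).most_common()


def requests_for(records, *, user=None, host=None):
    """Filter like a log-viewer search, but on parsed columns rather than raw text."""
    return [r for r in records
            if (user is None or r.get("cs-username") == user)
            and (host is None or host_of(r["cs-uri"]) == host)]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("top hosts:", top_hosts(recs))
    print("by user:", requests_by_user(recs))
    print("alen @ help.qbik.com:", len(requests_for(recs, user="alen", host="help.qbik.com")))
```

Counting hosts from cs-uri rather than from a separate host column keeps plain-HTTP lines and CONNECT lines (where only host:port is visible, exactly the SNI/Host-header level of detail discussed earlier) in the same ranking. Lines whose column count does not match the #Fields directive are skipped rather than shifted, so one damaged line cannot attribute traffic to the wrong user.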

Re: Several questions about supported functionality

Postby Alen » Jan 31 17 11:15 pm

Thank you for the answers, Adrien.

