Imposible to block gmail, yahoo mail, wetransfer etc

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff

Imposible to block gmail, yahoo mail, wetransfer etc

Postby Radu75 » May 12 17 8:38 pm

Hello,

I've just downloaded trial version of latest wingate - 9.0.5.5926, got it running on a fully updated W2012R2. The server is a vm with one net card, connected to internal network/LAN. I plan to use it as a web access and logging device, LAN computers are blocked from direct connection to external IPs, I want to filter their access thru this Wingate box. All client computers connecting thru this machine has this machine on their proxy settings, with proper IP and port 8080. I plan to replace an older ISA 2006 machine with Wingate Enterprise, running in a similar configuration.
Without any further ado, here is my problem:
I've got all the installation working ok, sites are blocked when added to an "blacklist" - a text file added as a source for a manual classifier on which an access rule is configured. My problem is I cannot block gmail for example, or mail.yahoo.com, or wetransfer.com, all running on https://, by any combination of entries in "blacklist" file. For google I added the following:
*.gmail.com
gmail.com
mail.google*
*mail.google*
accounts.google
*gmail*
mail.google.*
http://www.google.com/gmail
accounts.google.com

For wetransfer.com, I tried to no avail the following:
wetransfer.com
wetransfer.net
*.wetransfer.com
*.wetransfer.net
*wetransfer*
we.tl

Please do help with advice, wingate is useless for us if we cannot restrict access to gmail, wetransfer etc based on rules.
Radu75
 
Posts: 3
Joined: May 12 17 8:15 pm
Location: Romania

Re: Imposible to block gmail, yahoo mail, wetransfer etc

Postby adrien » May 15 17 4:43 pm

Hi

Web access rules only block traffic that goes via the proxy.

If you set the proxy to intercept port 80, it will intercept http, and put that via the proxy as well.

for https though, if the browsers aren't configured to use the proxy for https, or you're not intercepting port 443, then the https won't go via the proxy and so won't be blocked.

We recommend that browsers should be configured to use the proxy. Especially if you will want the proxy to authenticate users. If you're not going to get the proxy to authenticate users, you can intercept port 443. In this case, the server name won't be known unless you either enable SSL inspection, or you enable SNI snooping in the SSL Inspection tab.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Imposible to block gmail, yahoo mail, wetransfer etc

Postby Radu75 » May 15 17 11:30 pm

Hello,

Thank you for your reply.
Yes, I am aware of that, all computers are configured to use the wingate machine as a proxy for all protocols. All machines are denied direct internet access on 80 or 443 to outside, they can reach these ports only through the proxy machine.

http://imgur.com/a/XdC3A

It works for some https sites, for others does not. For some https sites it goes directly to default - allow all traffic.
Here it is the way I've defined the deny rule:
http://imgur.com/a/FD26n
In category Banned I've included gmail, wetransfer etc, should not allow traffic for anyone.


Thank you,
Radu75
 
Posts: 3
Joined: May 12 17 8:15 pm
Location: Romania

Re: Imposible to block gmail, yahoo mail, wetransfer etc

Postby adrien » May 16 17 12:26 am

Hi

I'd suggest a remote desktop support session to get to the bottom of why its not classifying the sites properly as banned or allowed.

You can also bypass the requirement to classify sites first, and just set sites or lists of sites to block or allow in the Web access rules themselves (rather than the manual classifier rules).

The manual classifier rules can have issues when there are several rules that match a request, the first matching rule encountered stops checking the other (manual classifier) rules.

So people typically run into trouble when they have another manual classifier rule that is evaluated prior to the one they want that is matching the requests also.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Imposible to block gmail, yahoo mail, wetransfer etc

Postby Radu75 » May 16 17 1:27 am

Hello again,

Thank you, it worked. I created web access rules targeted against specific sites, not with classifications. Everything is ok now, will continue testing.

Thank you,
Radu75
 
Posts: 3
Joined: May 12 17 8:15 pm
Location: Romania


Return to WinGate

Who is online

Users browsing this forum: Google [Bot] and 31 guests

cron