Hi there.
I am currently trialling Wingate 9 running in a Microsoft Azure virtual network environment.
I have two subnets - internal (subnet 172.16.0.0/24) which has two AD Domain Controllers (DC1 and DC2) and another server (PROXY1), running Wingate.
I have configured a site-to-site VPN, so that I am connected to the Azure virtual network via VPN. All works well - it all works as expected.
I also have Wingate running on the server PROXY1 and my client PCs have their proxy server setting set to point at PROXY1. This works as expected too.
However, I've read a lot about segregating subnets in Azure so that the internal network is separated from internet facing stuff. To that end, I've created a second subnet (172.16.200.0/24) and have added a second NIC to PROXY1 using this subnet. I have added a route on PROXY1 (add route -p 0.0.0.0 MASK 0.0.0.0 172.16.200.0 IF 2) so that the new NIC has a default gateway for internet traffic. I can ping the internet using both NICs.
I have set Wingate so that the NIC on subnet 172.16.0.0/24 is INTERNAL and the NIC on 172.16.200.0/24 is EXTERNAL.
I assumed that Wingate would therefore expect to receive requests from clients on the INTERNAL NIC, and would use the EXTERNAL NIC to go out to the internet.
However, when I add a rule into the Network Security Group (firewall in Azure) on the internal 172.16.0.0 subnet to deny outgoing internet traffic, Wingate stops functioning. The Wingate activity monitor still shows the request coming in from the client PCs, but I don't see the acknowledgement "HTTP/1.1 200 Connection Established". As soon as I allow outgoing internet traffic on the internal subnet, everything starts working again.
Am I doing this all wrong? Is there a need to have two separate subnets? Is there something in the Wingate configuration I have forgotten about/missed?
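An added diagnostic for the situation described above, not part of the original post: on a dual-NIC Windows host, adding a persistent default route on the second NIC does not remove the DHCP-assigned default route on the first, and Windows chooses between them by the lowest effective metric (route metric plus interface metric), so outbound proxy traffic may still leave via the INTERNAL NIC. The interface aliases and the test destination are assumptions; adjust them to match PROXY1.

```powershell
# Added example (not from the original post). Lists every active IPv4 default route,
# computes the effective metric Windows uses to pick one, and reports which NIC wins.
$InternalAlias = 'Ethernet'    # assumption: NIC on 172.16.0.0/24 (INTERNAL in Wingate)
$ExternalAlias = 'Ethernet 2'  # assumption: NIC on 172.16.200.0/24 (EXTERNAL in Wingate)

$defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -PolicyStore ActiveStore |
    ForEach-Object {
        $ipIf = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
        [pscustomobject]@{
            Interface       = $_.InterfaceAlias
            NextHop         = $_.NextHop
            RouteMetric     = $_.RouteMetric
            InterfaceMetric = $ipIf.InterfaceMetric
            # Windows forwards via the default route with the lowest effective metric.
            EffectiveMetric = $_.RouteMetric + $ipIf.InterfaceMetric
        }
    } | Sort-Object EffectiveMetric

$defaults | Format-Table -AutoSize

$winner = $defaults | Select-Object -First 1
switch ($winner.Interface) {
    $InternalAlias { Write-Warning "Internet-bound traffic egresses via the INTERNAL NIC ($InternalAlias); the EXTERNAL NIC's default route has a higher effective metric." }
    $ExternalAlias { Write-Output  "Internet-bound traffic egresses via the EXTERNAL NIC ($ExternalAlias)." }
    default        { Write-Warning "Default route belongs to an unexpected interface: $($winner.Interface)" }
}

# Cross-check the path Windows would take to a public address without sending traffic.
# 8.8.8.8 is only a sample destination for the lookup.
Find-NetRoute -RemoteIPAddress '8.8.8.8' |
    Where-Object { $_.DestinationPrefix } |
    Select-Object InterfaceAlias, NextHop, RouteMetric
```

If the INTERNAL NIC wins, lowering the EXTERNAL route's metric (for example with `Set-NetIPInterface -InterfaceMetric` or the `METRIC` option of `route add`) changes the selection without touching the NSG.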