transparent proxy - track source IP


transparent proxy - track source IP

Postby ik8sqi » Jan 04 19 5:29 am

We implemented WinGate to act as a proxy to some client machines by configuring the Internet Explorer proxy settings to point to Wingate on port 3129. We then added a "WWW Proxy Service" on WinGate listening on port 3129 to handle the traffic.

The issue is that when a client workstation browses the web, our firewall (all client workstations and WinGate are behind a firewall) sees the IP address of the WinGate server as the source IP, not the actual IP address of the workstation. We are thus unable to apply web browsing rules on the firewall based on the IP addresses of the workstations, as the firewall does not see the actual source IP of the workstation.

Is there a way to configure WinGate in some transparent mode so that, when clients browse the web, the firewall sees the actual IP of the workstation and not WinGate?

Thanks!

Roberto
ik8sqi
 
Posts: 4
Joined: Jan 04 19 5:20 am

Re: transparent proxy - track source IP

Postby adrien » Jan 04 19 5:14 pm

Hi Roberto

Normally WinGate is used to provide the web browsing rules, so it's unusual to have an upstream firewall doing this per client IP.

Since WinGate is a proxy, the connections it makes on behalf of clients come from its own IP; there's no way around that. However, you can configure WinGate to connect to an upstream proxy (the firewall) and tag the original client IP in an X-Forwarded-For header.

Would this help - is the firewall able to use XFF?

With flow-chart policy in WinGate you could add other headers as well.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: transparent proxy - track source IP

Postby ik8sqi » May 14 21 8:56 am

Hi Adrien,

Sorry for the "late" reply... but at the time there was no urgency for the request and we implemented a workaround. But now we have thousands of client workstations instead of a handful, so this is now again an issue.

WinGate is not suited for enterprise-level internet filtering and reporting - we use Palo Alto firewalls for that purpose. But the issue remains - the Palo Altos cannot see the IPs of the clients that use WinGate as a proxy. I checked the option you refer to, but the Palo Altos are firewalls, *not* proxies, so WinGate is not able to use the option "Connect via an upstream proxy".

As we don't need WinGate to actually perform any kind of inspection/filtering, I also tried using a SOCKS Service in WinGate instead of the WWW Proxy, but here too the firewalls see WinGate's IPs and not the clients'.

Is there any way to add the X-Forwarded-For header even when not configuring the upstream proxy? This would likely require enabling SSL Inspection, and this would still be another issue, as I don't think WinGate is flexible enough in allowing SSL exceptions for sites, IPs and certificates where certificate pinning would prevent applications from working if the certificate is intercepted. But it would be worth a try.
ik8sqi
 
Posts: 4
Joined: Jan 04 19 5:20 am

Re: transparent proxy - track source IP

Postby adrien » May 14 21 1:52 pm

Hi

Yes, whenever you use a proxy, the upstream connection comes from the source IP of the proxy, not the client using the proxy.

It's possible to add a header to any upstream request though. To do this, you would attach some script to the Request event for the proxy (either in a flow-chart policy, or just on the events tab). In that you would have some code like

Code:
// Attached to the WWW Proxy Service's Request event (in a flow-chart policy
// or on the events tab). The return value is ignored when the script is
// attached directly to an event.
function filter(User, Binding, Session, Request, Event)
{
   // Tag the outgoing request with the IP of the client that connected to WinGate
   Request.Headers.Set("X-Forwarded-For", Session.ClientIp);
   return;
}



Yes, you can whitelist sites from https inspection; as you say, it simply doesn't work on some sites due to cert pinning etc.

Note also that having the client IP in the requests this way doesn't necessarily make them visible to the PA firewall unless the PA firewall is also doing https inspection.
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
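The two replies above describe one mechanism: WinGate tags each upstream request with an X-Forwarded-For header carrying the workstation's IP, and a downstream device reads that header to recover the real source. The following is an added example, not WinGate's or Qbik's code, showing both halves of that exchange as plain JavaScript functions. The proxy address and workstation addresses are constructed, and `TRUSTED_PROXY` is an assumed value standing in for the WinGate server's IP. Two points the thread only touches on are made concrete: the consumer must trust the header only when the TCP peer is actually the proxy, because any client can send its own X-Forwarded-For, and appending to an existing header (rather than the Set() overwrite in the script above) preserves the chain when a client is itself behind another proxy. As Adrien notes, the header travels inside the HTTP request, so for TLS traffic a firewall only sees it if it decrypts the session.

```javascript
// Added example (not WinGate's or Qbik's code): proxy side and consumer side
// of the X-Forwarded-For exchange discussed in the thread. All addresses are
// constructed; TRUSTED_PROXY is an assumed address for the WinGate server.

const TRUSTED_PROXY = "10.0.0.5"; // assumed WinGate server address

// Case-insensitive header lookup over a plain object of name -> value.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Minimal dotted-quad check so junk in the header cannot become a "client IP".
function isIpv4(s) {
  const parts = s.split(".");
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Proxy side. Equivalent in spirit to the thread's Request.Headers.Set(...),
// but appends so that a chain from an earlier proxy is preserved.
function addForwardedFor(headers, clientIp) {
  const existing = getHeader(headers, "X-Forwarded-For");
  const out = { ...headers };
  for (const k of Object.keys(out)) {
    if (k.toLowerCase() === "x-forwarded-for") delete out[k];
  }
  out["X-Forwarded-For"] = existing ? `${existing}, ${clientIp}` : clientIp;
  return out;
}

// Consumer side (firewall rule engine, log parser). Trust the header only when
// the connection really came from the proxy; otherwise the peer itself is the
// client and its header is ignored. The rightmost well-formed entry is the one
// the trusted proxy added, so that is the address a per-client rule applies to.
function effectiveClientIp(remoteAddr, headers) {
  if (remoteAddr !== TRUSTED_PROXY) return remoteAddr;
  const xff = getHeader(headers, "X-Forwarded-For");
  if (!xff) return remoteAddr;
  const hops = xff.split(",").map((s) => s.trim()).filter(isIpv4);
  return hops.length > 0 ? hops[hops.length - 1] : remoteAddr;
}

// Walk-through: workstation -> WinGate -> firewall, plus two edge cases.
function demo() {
  const workstation = "192.168.10.42";
  const fromClient = { Host: "example.com", "User-Agent": "demo" };
  const upstream = addForwardedFor(fromClient, workstation); // what WinGate would send
  return {
    // Normal path: firewall sees WinGate as the peer and reads the header.
    viaProxy: effectiveClientIp(TRUSTED_PROXY, upstream),
    // A host bypassing WinGate and writing its own header is not believed.
    spoofed: effectiveClientIp("192.168.10.99", { "X-Forwarded-For": "10.0.0.1" }),
    // Client already behind another proxy: the chain is kept, last hop wins.
    chained: effectiveClientIp(
      TRUSTED_PROXY,
      addForwardedFor({ "x-forwarded-for": "172.16.0.9" }, workstation)
    ),
  };
}

console.log(demo());
```

The trust check on `remoteAddr` is the part that matters on the firewall side: without it, a rule keyed on X-Forwarded-For can be steered by whatever a client chooses to put in the header.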

