Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
Aug 16 21 4:19 am
I have set up a Windows 7 Ultimate 64-bit Dell with 4 Network adapters. 2 are configured for the internal private network. The others are configured as public IP's. I Installed Wingate and set up Web Proxy first (Port 8080). It worked as expected. Then I set up Reverse Proxy (Port 80). It also worked as expected. When I tried to bind pairs of adapters (one internal and one external to each service), I started having problems. It makes sense to bind the services to the explicit IP address of both the Internal and External adapters intended for each service, and to keep the activity separate would be desirable.
As you probably know, when the Web Proxy service is bound to any external adapter, it allows external traffic to access the machine. So I deleted the binding to the external adapter. Also tried binding to the IP address of the router gateway, but that also allows external traffic. The only apparent problem with not binding the external adapters to anything is that it appears that both Proxy and Reverse Proxy are using the same external adapter. IP transmitted to the web from my network shows the IP address of one of the external adapters, never the second. Binding the externals, as I've said, allows external traffic to pour in. Is there any logic in trying to use 2 external adapters with Wingate for different services?
Another issue is that if I use the above configuration (which reports to the internet the same IP as reverse proxy responds to for the target sites), all appears to function well until I do something through the Web Proxy such as an internet speed test. After a run or two, internet speed drops to less than 1/3 of maximum and does not return unless I stop the Web Proxy Service. After stopping Web Proxy, the internet will return to full speed when accessed through the router or our old outbound proxy server.
I've tried binding changes, gateway changes, intercept changes, etc. and nothing seems to make any difference. Is there any way to implement both services and retain bandwidth? Maybe it is some single factor, and both services seemed fine when run by themselves or with unbound external adapters (until the bandwidth disappears, anyway). The problems have nothing to do with number of users. All tests were performed with a single workstation at a time.
One more thing I will try is to delete the NIC gateways from the Win 7 configurations and try to bind a gateway to each service by specifying the IP of the external gateway. I've essentially done that, but when both services are running, each report the same external NIC IP to the internet (What's my IP for Web Proxy, and clients connected to the Reverse Proxy from outside).
Should I just use separate machines for each and have to purchase 2 enterprise licenses to proceed?
Thanks for any suggestions.
Aug 18 21 11:08 am
You'll only run into problems if you try to bind multiple services to the same adapter:port combination.
You don't bind a service to an adapter unless you will receive incoming connections over that adapter. Binding is for incoming to the proxy. For outbound proxy connections, you generally don't bind at all (this binding happens on the gateways tab for the service).
We have numerous setups with both LAN outbound proxy and incoming reverse proxy on the same WinGate install, usually with separate services in WinGate.
Some of the problems sound like you're setting one proxy as the upstream of another? E.g. in the connection tab for a proxy.
Aug 18 21 12:20 pm
Not quite, my friend.
There are 2 internal cards and 2 external cards. I wanted to bind these pairs separately for Inbound and Outbound services. The problem seems to be that both external cards utilize the same router IP as the gateway, and that is the hole in the logic..
I've tried specifying the gateway from windows configuration for each or both of the external interfaces. ANYTHING involving a gateway (either binding the gateway or just specifying it from Windows) results in unwanted traffic allowed into the system while Web Proxy is running. If Web Proxy is then stopped, the traffic also stops.
With no gateway bound or specified in Windows, Reverse Proxy does not function. With a gateway specified from Windows (whether bound from Wingate or not), Reverse Proxy works fine. Web Proxy works with no gateways then, but reports to the internet the address of the public card specified for the Reverse Proxy.
I've tried all combinations of binding to ANY IP on the adapters or to the specific IP of the adapters. They are named ExternalIB, ExternalOB, InternalIB, and InternalOB, with the internals using 10.0.0.xxx and the externals using xxx.xxx.xxx.178 - 190 (190 is the gateway). We can access our sites from the Web Proxy Service, but not directly from our router (same gateway, of course) but that is not a problem. We never could get Proxy 2.0 to use the same gateway for outbound and inbound traffic.
It is usable as it is now, but I worry about the wrong IP being reported to the internet for outbound traffic (it reports the same IP as the target IP of all of our domains, which is on the Reverse Proxy segment, or so I expected).
I guess I just don't understand the way Wingate decides to grab and use an external adapter and expected to be able to force it to use THIS interface with THAT interface for inbound and the other pair for outbound with specific bindings or rules. That is not the case so far.
As I said, it is usable now, not unwanted traffic leaks that I can tell, but just nervous about whether the NIC intended for Web Proxy is even being used. The IP used for Reverse Proxy is the same as the IP reported to the internet for Web Proxy.
I'm still playing with it, but every time I think I have it, the bogus traffic is present. I'll keep trying.....
Aug 18 21 1:20 pm
it should be no problem to bind to 2 adapters on the same subnet with the same router.
Shouldn't need to use gateways. However if the router is just routing (not NAT), then for a connection made on one interface, return packets may go back out the other due to windows routing choosing the outbound interface based on destination address (and ignoring source). However if there's no NAT happening between the external interfaces and the internet this shouldn't break connections.
Outbound traffic you can set the external IP to use but that's in the gateway tab in the proxy. This is for connections made by the proxy out to the internet (usually on behalf of internal LAN clients). One thing to keep in mind is to prevent external users from bouncing off your reverse proxies back out to the internet and using you as an anonymizer for nefarious purposes.
Aug 19 21 5:16 am
Your mention of NAT (which I had not disabled) in your last post seems to be the key. In all proxies I have used over the last 30 years, the NAT was used to define the computers which could use the service(s). Period. If it wasn't in the NAT, it could not play with others. I had wondered why there was no way to just enter new addresses or ranges into the NAT. Now I realize that NAT is probably not necessary to achieve my goals in Wingate. With NAT disabled, I can bind the Web Proxy service to the desired internal interface and add the necessary gateway on the desired external interface from the GATEWAY tab as you suggested without allowing extraneous inbound traffic. If NAT is enabled and Web Proxy running, any reference or binding to any external card or gateway results in the "leak". I'm glad you mentioned NAT, even in passing. Wingate is the only proxy product I have used that really doesn't use a literal NAT table to define users.
I took down my inbound (reverse) proxy server last night just so I can test Wingate in use for the next few days. It had been running continuously since July of 1999 with one NIC failure, running Proxy Server 2.0.
It also appears that we will need at least 12 users to handle the expected traffic. We'll come up with the money somehow. Just hope we don't need to update very often or add many more users. I understand that the Enterprise Edition is the only way to get Reverse Proxy to multiple websites.
Thank you again for your time with my posts.....
Aug 20 21 3:04 am
I waited overnight, and the unwanted activity started again. I cannot find a way to make Web Proxy function on a different interface from Reverse without binding to the external card or adding the external cards gateway, one or the other. If it is bound so it works as intended, the machine leaks inbound activity, even with the NAT disabled. If it is not bound or have a gateway with it, it functions off of the same card as the Reverse Proxy service and reports the IP of that card to the internet. While that is probably OK, it is NOT what I need. I feel that there is some scenario that might work, and I was a lan/wan site services engineer for HP for many years. The results are just not logical with both the instructions and your claims - or I must be the most incapable person to every try Wingate, including the multiple installs without getting the LAN drivers on several identical machines.
If there is any other situation you can think of, please let me know. I am running out of time.
Aug 20 21 11:37 am
in WinGate it's really nothing to do with the NAT.
If you want to receive incoming connections (incoming to WinGate, not necessarily incoming to your LAN) on an interface then a service needs to be bound to that interface.
So yes the reverse proxies would be bound to your internet-facing interfaces and the forward proxies would be bound to your LAN-connected interfaces.
What do you mean by leaking? Do you mean users on the internet are using the reverse proxies as a forward proxy? You need to use rules to prevent this. You can create web access rules to only allow access to the sites you are hosting and deny all others.
Powered by phpBB © phpBB Group.
phpBB Mobile / SEO by Artodia.