WinGate Forums

[ChrisH]

Hello,

I have a user that is allowed to use only Internet Explorer (iexplore.exe) and Outlook Express (msimn.exe). This user connects using the WGIC. I can't seem to get a policy in WRS to allow only those two apps.

I am using WG ver 5.22 on a XP Pro box with WGIC 5.22 on a Win98 box. System policies are set to are ignored. Users must authenticate using WG database. No TR is enabled on any proxy.

Here is what I have tried:

OK, I started off in the advanced section. No Ban list. My assumption was that if I Specify which requests this recipient has rights for Filter 1 - Client application name contains explore that this would give user right to only use an application that contained "explore" in it's name. However, what happened was that no applications worked. So I reversed things so that Specify which requests this recipient has rights for Filter 1 - Not Client application name contains explore and all applications worked. I would have thought that only apps. with "explore" in the name wouldn't work.

In advanced policies, Recipient has rights for all requests was set. Then, next on to the Ban list. I set one filter, Client application name contains explore. All applications worked. Changed to Not Client application name contains explore and no applications worked! So I gave up at this point :(

Something is not right - my logic or some code. I'm hoping it's some code or my brain is going flakey. Is anyone else able to duplicate this (I'm hoping some Qbik staff will)? This used to work in previous versions but I can't say how far back that something changed 5.07 -5.08 maybe?TIA

[neil]

Well i've just tried this here and i get the expected results. I created a policy in WRP where 'This criterion is met if' and set it to 'Client application name contains explore'. Then on a client machine (admittedly 2k not 98) tried IE, and i could access everything, and then i tried ftp and telneting to a pop server and these were both blocked. I also had WRP policies set to ignore system policies. Which sounds exactly like your set up, so i'm not sure why it worked for me and not you. Theres no other policies set in WRP is there?! Have you tried using 'begins with' or one of the other options instead of 'contains' (although this should work anyway!).

Regards

Neil

[ChrisH]

Neil,

Thanks for the prompt reply. I had no other WRS policies other than application ones - ie no time or location restrictions. After reading your post, I thought perhaps something was out of whack or corrupted with my WG installation. I downloaded again WG 5.22, uninstalled old version and installed newest downloaded file. Same thing happened when I set WRS policies as before. I am now installing XP on one of the client machines to see if there is any change. Will let you know if something changes.

[ChrisH]

Neil,

No luck with client XP machine either. Same thing happens. I'm looking for suggestions on what to try next! I would like to get this resolved as user can utilise other apps. that we don't want him to use. TIA

[neil]

Ah, many apologies Chris! I was actually using 5.2.3 for that test i did previously. When i went back to 5.2.2 it indeed stopped workign correctly. So yes it is a bug in the current version, but it has been fixed, so hopefully you can take some solace from the fact that it will be sorted out for the next version; which should be available in the next week or so.

Regards

Neil

[ChrisH]

Neil,

Thanks for the info. I was pulling out what was left of my hair there for a while, trying to get this sorted out. I kinda resolved it somewhat by using NAT for that user and allowing only certain ports to be used (80, 110 & 25). It is not quite want I wanted to do, but works for now 'til next version.

Could you check for me on this new version if this scenario works (as I can't get it to work in 5.22 or lower). If you have TR enabled, have WWW proxy not require authentication, but have WRS require authentication and ban application name equals iexplore can you still browse from client using Internet Explorer? What happens to me is client must authenticate but is able to browse. In fact no WRS policies except authentication seem to be applied if TR is enabled. TIA

[neil]

I get the correct blocking here happening but only if i put:

application name equals iexplore.exe

rather than just application name equals iexplore . Or you could trying changing it to 'contains' instead of equals?

Regards

Neil

[ChrisH]

Neil,

Sorry. I should have said application name contains iexplore. That's what I tried with ver. 5.2.2 and it didn't work. Just to clarify it for me you got my last question to work correctly with 5.2.3? Or 5.2.2? TIA

[neil]

Ah ok gotcha. Well i've just tried having the filter set to 'NOT Client Applicaiton Name Contains iexplore' with 5.2.2 and it indeeds blocks IE. Infact i don't even have the oppurtunity to login, just blocks me straight away; irrespective of whether or not WWW TR's are turned on. It also worked with 5.2.3. Do you have any assumptions or any other policies set up anywhere that may interfere with this?

Regards

Neil

[ChrisH]

Neil,

Thanks for continuing to look at this. But I am puzzled. Are you saying at the client machine you didn't even get asked to authenticate through WRS when NOT Client Application name contains iexplore and the WRS policy was to set to User must be authenticated? Was criterion in Ban list or Advanced policies? I see authentication happening first thing through WRS no matter what the policy (except of course authentication). Could I ask you to check this again, please?

Version 5.2.2
1) WG Client must authenticate through WRS.
2) Advanced policy - Specify which requests this recipient has rights for is set to: Filter1 - Client Application name contains iexplore. No other restrictions in place.

As you found out above, 5.2.2 now bans all applications, but if I add TR enabled on WWW proxy to this scenario this same WG client can now browse.
Are you able to duplicate this? I sure hope so.

There are no other restrictions in place for this user. System policy is set to ignored for both WRS and WWW policies.

[ChrisH]

Neil,

Once again I must apologise. I left out one detail in my last scenario. That is, WG user has access rights in the WWW proxy with System policies set to are ignored. The only restriction in WWW proxy is that User may be assumed. I'm not sure if you had included this last bit in your test. So with TR enabled and WRS policies set as previous post, WG user can browse. Should they be able to? Does this mean WWW proxy policy have precedence over WRS policy? TIA

[neil]

Unfortunately Chris, I still cant reproduce this prob. With my WRP policies set to ignore system, must be auth'd, Advanced criterion set to 'Not client application names contains iexplore', and WWW tr's turned on, with a WWW policy of user maybe assumed, and set to ignore system, all using 5.2.2, then open IE on the client, i still get blocked instantly.

Would it be possible for you to send me the HKLM\Software\qbik part of your registry?

also, if you turn on debug logging for WRP and WWW is there anything interesting in the logs?

Regards

Neil

[ChrisH]

Neil,

OK. Will send HKLM\Qbik registry data. I will also turn on debug and log activity while trying this out again. Thanks for assistance thus far.

[garmont]

neil

I've the same problem, like ChrisH.
The same configuration.

Your last post is not

The problem is not with blocking iexplore, but with bloking all applications except iexplore.

Try your last configuration with criterion set to "client application names contains iexplore". I suppose all client applications will be blocked (including iexplore).

Krzysztof Krupnik