How allow connection via NAT?

Discussion for beta versions of WinGate


Postby Dubovsky1 » Nov 26 11 1:54 am

Hello!

In WinGate 6 I could add a user to the list on the "Policies" page in "Extending Networking", and that user could connect to the Internet via NAT from any program without configuring a proxy server, TCP mapping, etc.
In WinGate 7, I can't find how to give similar functionality. Only the intercept port is working via the WWW Proxy without configuring a proxy on the client.

I think that I need to use the new policy system, but I don't know how to do it.
Dubovsky1
 
Posts: 5
Joined: Nov 23 11 2:50 am

Re: How allow connection via NAT?

Postby adrien » Nov 26 11 7:55 pm

Hi

By default NAT will be allowed for all users.

We don't generally recommend intercepting connections any more, although this feature is available. This is mainly because of issues around authentication and caching, and the behaviour of browsers when they don't know they are being intercepted. Basically everything works a bit better when the clients know about the proxy.

But anyway, to get policy on NAT, you create a policy (new policy task in the policies pane):

Source type: "Any NAT controller"
Event Type: "ClientConnect"

In the policy, drag the ClientConnect event onto the worksheet, and connect it to a list check. In the list, check the value of {{Session.ClientIp}}: click the § button, and browse to Session.ClientIp. It will be wrapped in {{ }} (which converts it to text/string). The values in the list are then the allowed IPs.

For this list, hook the yes connector to a result set to allow, and the no connector to a result set to deny.

I've attached a zipped policy file which demonstrates this.

adrien
Qbik Staff
 
Posts: 5191
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How allow connection via NAT?

Postby Dubovsky1 » Nov 29 11 4:40 am

Hi!
Thanks for your answer and sorry for my English!

adrien wrote: Hi
by default NAT will be allowed for all users.

I can't confirm these words...
What I am doing:

Server:
1) Clean install of Windows (I tried Windows Server 2008r2, Windows Server 2003r2, Windows XP, all of these with SPs & updates)
2) Configure two network interfaces - local & external, all IPs static; on the external interface configure IP, mask, DNS and gateway, on the local one configure IP & mask only.
3) Disable Windows Firewall
4) Clean install of WinGate (release)
5) In WinGate:
5a) Install trial license
5b) Install DNS service
5c) Disable WinGate Firewall
5d) Add credential rule - assume user to be Administrator by IP (client IP)

Client:
1) Clean install of Windows XP
2) Configure network interfaces - IP, mask; DNS and gateway = server local IP.
3) Disable Windows Firewall
4) Try to open some site in IE
Nothing

If I configure a proxy in IE, all works, but in WinGate 6 with a policy for Administrator in Extended Networking all works without a proxy setting in IE.

What am I doing wrong? And what do you mean by "NAT will be allowed"?
Maybe I don't understand something...
Dubovsky1
 
Posts: 5
Joined: Nov 23 11 2:50 am

Re: How allow connection via NAT?

Postby adrien » Nov 29 11 10:19 am

Hi

By "NAT will be allowed" I mean that policy won't deny NAT from clients.

Does DNS resolution work on the clients, e.g. if you ping a site name, do you get an IP address?

Your configuration sounds correct, but DNS is potentially an issue. NAT relies on clients being able to look up names. If you're not using DHCP, you'd need to manually configure the client computers with a DNS service as well. Depending on your network setup (e.g. if you have an Active Directory) this varies. Basically:

a) with AD

* Set clients to use AD server for DNS
* Set forwarders in AD DNS server to use WinGate

b) without AD

* Set clients to use WinGate for DNS

In general also, NAT will work regardless of Windows Firewall settings, since it sits lower in the network stack and therefore sees and can relay packets before they can be blocked by the Windows Firewall.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5191
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How allow connection via NAT?

Postby Dubovsky1 » Nov 29 11 8:53 pm

My test network doesn't contain AD.
Yes, DNS works fine, so when I ping www.wingate.com, I see IP 210.55.214.36, followed by timeouts.

Windows firewalls are disabled on server and client, and the WinGate firewall is also disabled.

With WinGate 6 this configuration works fine.
Another WinGate 6 server exists in my network, so if I set DNS and gateway on the client to the IP of the WinGate 6 server - all OK.

So, the problem is with the settings of WinGate 7, not with the client...
Dubovsky1
 
Posts: 5
Joined: Nov 23 11 2:50 am

Re: How allow connection via NAT?

Postby adrien » Nov 29 11 10:12 pm

OK

What OS is this on? If Win 7 or 2k8, check that the WinGate Network Driver is installed on your network adapters.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5191
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How allow connection via NAT?

Postby Dubovsky1 » Nov 29 11 10:51 pm

Now my test server is on Windows XP.

The driver seems to be installed.
I checked system drivers in Sysinternals Autoruns.
I can see Extended Networking in the WinGate console, and when I set the WinGate firewall to High mode, I can't ping the server from the client; when I disable it again - ping OK.

So, I think that the driver works OK.
Dubovsky1
 
Posts: 5
Joined: Nov 23 11 2:50 am

Re: How allow connection via NAT?

Postby adrien » Nov 29 11 11:02 pm

OK

All that is generally required then is that some adapter on your WinGate server has a working default gateway (and no bad ones).

Have you tried tracert?

Adrien
adrien
Qbik Staff
 
Posts: 5191
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How allow connection via NAT?

Postby Dubovsky1 » Nov 30 11 12:07 am

Oops.
I've installed WinGate 6 on that server, and have had a similar problem.
Something is wrong with that computer...

So, I'll take a timeout and maybe ask for your advice some time later.

Thanks a lot!
Dubovsky1
 
Posts: 5
Joined: Nov 23 11 2:50 am

