VPN through Wingate


Postby ngrayson » Aug 05 04 9:41 pm

Guys,

I raised a question on this earlier, but this is a follow-on which you may or may not be able to help on.

I'm now running my company laptop over my private LAN through Wingate, which works just fine. To access the corporate network, the company has installed Checkpoint Client for this purpose.

My laptop I set with a fixed IP and I use the Wingate machine as a DNS; this works fine. I then start the Checkpoint software and it authenticates me into a corporate network just fine.

I then have two issues.

I have a problem with the internal resources on the corporate network, which indicated that it could not resolve names. We fixed this with a hosts file, which works for fixed things, but some of the stuff uses active server and we can't apparently get around this. IT suggest that I set my DNS to the corporate DNS, which I think will break things. Would it be likely to resolve the issues if I set the primary to be the one in my network and the secondary as the corporate?

Second issue: their VPN sort of stops working after a short while. Is this the session timeout freeing up the port, and if so, perhaps increasing this may help? I'm reticent to increase it too much as it leaves the firewall vulnerable for longer periods.

Any suggestions?
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby adrien » Aug 07 04 9:16 pm

Hi

Is this making a NAT UDP connection for the data tunnel?

It should be safe to increase timeouts in the ENS for that port to about 10 minutes. It won't be leaving your firewall open unless an attacker can get all the IPs and ports the same as the connection between you and your corporate VPN server.

As for DNS, it should also be safe to add another DNS entry to your laptop for the corp DNS server... can you make this attached in some way to the VPN connection? I don't know how that Cisco VPN client works...

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
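
An added example, not part of adrien's post and not WinGate code: a small Python model of a NAT UDP session table with an idle timeout, showing why a quiet tunnel stops working once its mapping expires and why a longer timeout still only admits packets from the same remote IP and port. The class names, addresses, port numbers and timeout values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Mapping:
    inside: tuple     # (laptop_ip, laptop_port) behind the NAT
    remote: tuple     # (vpn_server_ip, vpn_server_port)
    last_seen: float  # time of the last packet in either direction

class UdpNat:
    """Toy NAT UDP session table, keyed on the public port (illustrative only)."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.table = {}        # public_port -> Mapping
        self.next_port = 40000

    def _expire(self, now):
        stale = [p for p, m in self.table.items()
                 if now - m.last_seen > self.idle_timeout]
        for p in stale:
            del self.table[p]

    def outbound(self, now, inside, remote):
        self._expire(now)
        for port, m in self.table.items():
            if m.inside == inside and m.remote == remote:
                m.last_seen = now          # traffic keeps the mapping alive
                return port
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = Mapping(inside, remote, now)
        return port

    def inbound(self, now, public_port, source):
        self._expire(now)
        m = self.table.get(public_port)
        if m is None or m.remote != source:
            return None                    # expired mapping or wrong sender: drop
        m.last_seen = now
        return m.inside

LAPTOP = ("192.168.0.10", 5000)  # constructed addresses and ports
VPN = ("203.0.113.5", 5000)

def tunnel_survives(idle_timeout, quiet_gap):
    """Laptop sends once, the tunnel is quiet for quiet_gap seconds, then the server replies."""
    nat = UdpNat(idle_timeout)
    port = nat.outbound(0.0, LAPTOP, VPN)
    return nat.inbound(quiet_gap, port, VPN) == LAPTOP

def stranger_admitted(idle_timeout):
    """A different remote address sends to the mapped public port."""
    nat = UdpNat(idle_timeout)
    port = nat.outbound(0.0, LAPTOP, VPN)
    return nat.inbound(1.0, port, ("198.51.100.9", 5000)) is not None
```

With a 60-second timeout a two-minute quiet period drops the server's reply; with a 600-second timeout the reply gets through, and in both cases a packet from a different remote address is dropped.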

UDP Tunnel

Postby ngrayson » Aug 08 04 4:04 am

Hi adrien,

Yup, it looks like a UDP tunnel so I'll increase the time out and see how I get on. Thanks for that.

New issue.

I paid my $40 and upgraded to V6 6 User pro.

I now get the system shell option CTRL+SHIFT+D on my menu. When I try to use it, it asks for username and password. I am using the Wingate database for authentication (NOT NT) and even if I try the administrator login it won't let me run.... even on the Wingate machine.

At the moment I feel cheated, any ideas as to why? Does it have to be an NT machine?
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby adrien » Aug 08 04 4:58 pm

Hi

Yep, that one is the NT account that the cmd.exe process will execute in.

We have an updated help file coming out in a maintenance release which covers all that, but in a nutshell: since this is a process that has access to the local machine, it needs to be run in an NT account. It can't be allowed to run in the system account, because that would be a security risk, so we get you to enter the username and password for the local NT account that you want the cmd.exe process to run in. That then locks down what the cmd.exe process will be able to do, based on local OS security policy.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Ahhh, that's a problem

Postby ngrayson » Aug 09 04 10:25 am

Hi Adrien,

That's not made clear anywhere that this requires NT.

That being the case I have wasted my money on the upgrade, since this is the only feature above my 5.2.3 Pro license I found of interest.

The problem is that I'm using a 98 machine for Wingate as the technology is less vulnerable. That and billy bob wants lots of dosh for an upgrade.

Unless you intend to allow some sort of shell on a 98 machine, it's not for me.
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby adrien » Aug 09 04 10:26 pm

Hi

The problem with 9X systems is they only support one single concurrent security context. NT systems can support multiple.

If we were to allow any sort of command shell access to 9X (not even sure if it is possible, since it is a different process on 9X - command.com instead of cmd.exe - I guess it must be), then there would be no way of securing it apart from the authentication mandated by WinGate itself, but anyone using it would get system-wide access to everything.

That may be what you want, but I have other reservations about running shell processes from WinGate on 9X; basically the OS isn't really built for it.

We can look into providing this for non-NT based systems.

I would still recommend an NT-based system though, for starters the multi-threading support is miles better. Even NT4 is fairly impervious (oblivious) to many newer viruses, which target vulnerabilities in later systems.

Apologies for not making it clear about this feature in the documentation, I will update the site to reflect that. If you would like a refund on your upgrade, let me know.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Let's let it ride

Postby ngrayson » Aug 10 04 1:12 am

Hi Adrien,

Forget the refund, it buys me a year's worth of upgrades as well.

I may even swap the server out, I'm just concerned that the hackers seemed to want to concentrate on NT technology and I survived all of the last 12 months' worth of attack after attack. Mind you, take a bow because Wingate was doing a lot of the work.

I do think, however, you guys need to employ a marketeer. The way V6 was rolled out was a bit misleading to say the least. Although I'm a design engineer by profession, I operate as a product line manager these days. If I rolled out a product in the same way my customers would lynch me shortly after cutting off the bits which matter.

You should have had a page off the main site which indicated what V6 was about, the fact that after Beta, there were chargeable upgrades and there should have been a version/feature matrix.

Other than that I still like the product and still think it's the best at what it does. It would be even better with a time server built in ;-)
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

