WinGate Forums

[gsummey]

I've poured over this forum and everywhere else I can find to try to make this work, but I'm at a loss now. I cannot get java auth to work with wg6 (bld 995). I just performed the upgrade today. Found out about the unsupported operation problem when using wg4 key, so I'm using a trial key until the fix comes out... No problem. However I cannot get a java applet to popup the way it should. As far as I know everything is configured correctly.
Here is a brief overview:
-I'm using NAT
-I'm heavily using policies to restrict times
-I have ~15 groups and ~100 users
-With wg5.2.2 java auth worked no problem.
-WWW policy is set to java auth only and ignore system policies.
-If I make myself an assumed user, I get the java applet. This makes me think that under normal circumstances, I don't have permission to access the www server that serves the java applet (that is just a guess). The java folder does exist on the server and if I browse to http://wingate_server/wingate-internal/java/client.htm, I see the login page, so I know that I have permission to see the page. It just seems like I don't have permission to access the service that serves the java page. Then when I am assumed, I do have permission to access this service and I get the applet (I can login and surf).

Sorry if this is not really understandable, but I'm just throwing thoughts out. I consider myself pretty handy with wingate and have it doing alot, but this one has me stumped. Any help???

Thanks,

Garth

[gsummey]

Here is my system report, I hope it helps some...Garth
(Please ignore the "everyone unrestriced" in www policies, that is temporary while java does not work. Usually "everyone" only points to an antivirus update page, time servers, etc.)


1.01 WINGATE CONFIGURATION REPORT

1.02 Sunday, August 29, 2004, 16:00

1.03

1.04 ---------------------------------------------

1.05 WinGate Engine

1.06 ---------------------------------------------

1.07 WinGate 6.0.1 (Build 995)

1.08 Operating System: Windows 2000 (NT 5.1)

1.09 Language: ENU

1.10 User database: WinGate

1.11 Num. users: 172

1.12

1.13

3.01 ---------------------------------------------

3.02 License details

3.03 ---------------------------------------------

3.04 License Key 1

3.05 Version: WinGate 4 Standard 12 concurrent users

3.06 Expiry: None

3.07

3.08 License Key 2

3.09 Version: WinGate 6 Enterprise 250+ concurrent users

3.10 Expiry: 28/Sep/2004

3.11

4.01 ---------------------------------------------

4.02 Dialer information

4.03 ---------------------------------------------

4.04 Dialer is disabled

4.05

5.01 ---------------------------------------------

5.02 Network Interfaces

5.03 ---------------------------------------------

5.04 Local Area Connection (Ethernet) internal

5.05 DIRECWAY Satellite Connection (Ethernet) external

5.06 MS TCP Loopback interface (Loopback)

5.07

6.01 ---------------------------------------------

6.02 Services

6.03 ---------------------------------------------

6.04

6.05 System Policies

6.06 ---------------------------------------------

6.07 Default System Access Rights:

6.08 Everyone - Unrestricted rights

6.09 Default Start/Stop Rights:

6.10 Administrators - Unrestricted rights

6.11 Default Edit Rights:

6.12 Administrators - Unrestricted rights

6.13

6.14 WWW Proxy server (WWW Proxy server)

6.15 ---------------------------------------------

6.16 Session Timeout: 60

6.17 Port: 80

6.18 Startup: Automatic start/stop

6.19 Access Rights: Defaults: are ignored

6.20 Everyone - Unrestricted rights

6.21 TC30 - Restricted by security level, time, request

6.22 Staff - Restricted by security level

6.23 Business - Restricted by security level

6.24 TC15 - Restricted by security level, time, request

6.25 Special Events - Restricted by security level

6.26 Guests - Restricted by security level

6.27 Teachers - Restricted by security level

6.28 Assumed Machines - Restricted by security level

6.29 Administrators - Restricted by security level

6.30 TC60 - Restricted by security level, time, request

6.31 TC120 - Restricted by security level, time, request

6.32 Interns - Restricted by security level, request

6.33 Start/Stop Rights: Defaults: may be used instead

6.34 Edit Rights: Defaults: may be used instead

6.35

6.36 DHCP Service (DHCP Service)

6.37 ---------------------------------------------

6.38 Session Timeout: 60

6.39 Port: 67

6.40 Startup: Automatic start/stop

6.41 Access Rights: Defaults: are ignored

6.42 Everyone - Unrestricted rights

6.43 Start/Stop Rights: Defaults: may be used instead

6.44 Edit Rights: Defaults: may be used instead

6.45

6.46 Winsock Redirector Service (Winsock Redirector Service)

6.47 ---------------------------------------------

6.48 Session Timeout: 600

6.49 Port: 2080

6.50 Startup: Automatic start/stop

6.51 Access Rights: Defaults: may be used instead

6.52 Start/Stop Rights: Defaults: may be used instead

6.53 Edit Rights: Defaults: may be used instead

6.54

6.55 POP3 Server (POP3 Server)

6.56 ---------------------------------------------

6.57 Session Timeout: 120

6.58 Port: 110

6.59 Startup: Manual start/stop

6.60 Access Rights: Defaults: may be used instead

6.61 Start/Stop Rights: Defaults: may be used instead

6.62 Edit Rights: Defaults: may be used instead

6.63

6.64 SMTP Server (SMTP Server)

6.65 ---------------------------------------------

6.66 Session Timeout: 300

6.67 Port: 25

6.68 Startup: Automatic start/stop

6.69 Access Rights: Defaults: may be used instead

6.70 Start/Stop Rights: Defaults: may be used instead

6.71 Edit Rights: Defaults: may be used instead

6.72

6.73 GDP Service (GDP Service)

6.74 ---------------------------------------------

6.75 Session Timeout: 60

6.76 Port: 368

6.77 Startup: Disabled

6.78 Access Rights: Defaults: may be used instead

6.79 Start/Stop Rights: Defaults: may be used instead

6.80 Edit Rights: Defaults: may be used instead

6.81

6.82 DNS Service (DNS Service)

6.83 ---------------------------------------------

6.84 Session Timeout: 60

6.85 Port: 53

6.86 Startup: Disabled

6.87 Access Rights: Defaults: may be used instead

6.88 Start/Stop Rights: Defaults: may be used instead

6.89 Edit Rights: Defaults: may be used instead

6.90

6.91 WWW Server for viewing log files (Logfile Server)

6.92 ---------------------------------------------

6.93 Session Timeout: 60

6.94 Port: 8010

6.95 Startup: Automatic start/stop

6.96 Access Rights: Defaults: may be used instead

6.97 Start/Stop Rights: Defaults: may be used instead

6.98 Edit Rights: Defaults: may be used instead

6.99

6.100 Remote Control Service (Remote Control Service)

6.101 ---------------------------------------------

6.102 Session Timeout: 60

6.103 Port: 808

6.104 Startup: Automatic start/stop

6.105 Access Rights: Defaults: may be used instead

6.106 Start/Stop Rights: Defaults: may be used instead

6.107 Edit Rights: Defaults: may be used instead

6.108

7.01 ---------------------------------------------

7.02 System Route Table

7.03 ---------------------------------------------

7.04 Current Route Table:

7.05 ---------------------------------------------

7.06 Network Mask Gateway Interface Metric

7.07 0.0.0.0 0.0.0.0 195.238.48.3 62.128.180.237 30

7.08 62.128.180.0 255.255.255.0 62.128.180.237 62.128.180.237 30

7.09 62.128.180.237 255.255.255.255 127.0.0.1 127.0.0.1 30

7.10 62.255.255.255 255.255.255.255 62.128.180.237 62.128.180.237 30

7.11 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

7.12 192.168.4.0 255.255.255.0 192.168.4.4 192.168.4.4 20

7.13 192.168.4.4 255.255.255.255 127.0.0.1 127.0.0.1 20

7.14 192.168.4.255 255.255.255.255 192.168.4.4 192.168.4.4 20

7.15 224.0.0.0 240.0.0.0 62.128.180.237 62.128.180.237 30

7.16 224.0.0.0 240.0.0.0 192.168.4.4 192.168.4.4 20

7.17 255.255.255.255 255.255.255.255 62.128.180.237 62.128.180.237 1

7.18 255.255.255.255 255.255.255.255 192.168.4.4 192.168.4.4 1

7.19

8.01 ---------------------------------------------

8.02 Enhanced Network Support

8.03 ---------------------------------------------

8.04 Enhanced Network Support: Qbik NDIS Hook 6.0 - Installed and active

8.05 Driver: Enabled

8.06 NAT: Enabled

8.07 Router: Enabled

8.08 Firewall level: Custom

8.09

8.10 Firewall

8.11 ---------------------------------------------

8.12 Disable network name broadcasts to the Internet: Enabled

8.13 Allow users to ping this machine locally: Enabled

8.14 Allow users to ping this machine from the Internet: Disabled

8.15 Discard spoofed packets: Enabled

8.16

8.17 Routing

8.18 ---------------------------------------------

8.19 Multiple default routes: Enabled

8.20 Relay UDP broadcast packets: Enabled

8.100

8.101 Port Security

8.102 ---------------------------------------------

8.103

8.104 Security for: External TCP

8.105 Action: Allow Port: 113 - AUTH

8.106 Action: Allow Port: 1024 - 4096 - External

8.107

8.108 Security for: External UDP

8.109 Action: Allow Port: 1024 - 4096 - External

8.110

8.111 Security for: Internal TCP

8.112 Action: Allow Port: 25 - Hole for SMTP Server (Auto)

8.113 Action: Allow Port: 80 - Hole for WWW Proxy server (Auto)

8.114 Action: Allow Port: 110 - Hole for POP3 Server (Auto)

8.115 Action: Allow Port: 808 - Hole for Remote Control Service (Auto)

8.116 Action: Allow Port: 2080 - Hole for Winsock Redirector Service (Auto)

8.117 Action: Allow Port: 8010 - Hole for Logfile Server (Auto)

8.118

8.119 Security for: Internal UDP

8.120 Action: Allow Port: 53 - Hole for DNS Service (Auto)

8.121 Action: Allow Port: 67 - Hole for DHCP Service (Auto)

8.122 Action: Allow Port: 368 - Hole for GDP Service (Auto)

8.123

8.124 Security for: NAT TCP

8.125 Action: Redirect Port: 25 - Intercepted by SMTP Server

8.126 Action: Redirect Port: 80 - Intercepted by WWW Proxy server

8.127

8.128 Security for: NAT UDP

8.129

8.130 Security for: DMZ TCP

8.131

8.132 Security for: DMZ UDP

8.133

8.134 Security for: (unknown)

8.135

8.136 Security for: (unknown)

8.500

9.01 ---------------------------------------------

9.02 END OF CONFIGURATION REPORT

[gsummey]

First of all... good job on the interface change, it's much easier to get around now, so thanks for that.

Secondly, I re-read the help file again and caught this
"The WinGate WWW proxy is also a web server."
So that answers one of my first questions of what service is serving the java applet logon.

Now I can plainly say that I think I need some kind of policy for "everyone" that allows them to connect to the internal web server of wingate...

Am I way off here? I have never hear/seen anything about this???

Thanks for any help...

Garth

[erwin]

Hi Garth

Just one thing to check.
You say that you are using NAT for client connections
Do you have Intercepts(transparent redirection turned on in the WWW proxy/under the Sessions config) in Gatekeeper.

These will need to be turned on otherwise NAT sessions will not be intercepted by the WWW proxy and so influenced by the Java Auth.
Check to see if this helps.

Regards
Erwin

[gsummey]

Thanks for the reply erwin,

Yes, transparent redirection is enabled in www proxy;
"Intercept connections.... port 80... started.

If I turn this off, there seems to be no auth at all and all requests are forwarded straight to the internet.

Any more things to look for?

Garth

[erwin]

Hi Garth

This does seem somewhat puzzling.
I saw your note about having "everyone unrestricted".
But basically having this in there is merely going to give everyone unrestricted access as in WinGate it always look for the least restrictive policy when dealing with crossover policy situations.

So having this in there either before or after is going to cancel out any policy you may put in place.

Can you remove the "everyone" entry and see if this helps?

Regards
Erwin

[gsummey]

Removed everyone from the www policies. Same result... Access Denied. I know I have said this before but I really feel that somehow the "Guest" user does not have access to the java auth (because of a wingate policy). I don't know how that can be, but that is what I feel is happening.

Lets try again...

Thanks,

Garth

[Pascal]

Do you have the Remote Control Service bound to your internal adapter ? (Not only to 127.0.0.1) If this is not bound, the Java authentication cannot complete.

[gsummey]

Yes,
Remote Control Service is bound to local loopback and my local area connection...

I'm going to backup my registry settings, uninstall wingate and delete all registry settings. Then reinstall wingate (with default settings) and see if I can get java to work. That will at least tell me if the problem is some setting that I have somewhere.

Any other ideas???

Thanks for the help so far.

Garth

[Pascal]

If you want to, you can send me a copy of your registry settings. It will give more info than the export does and might help to pinpoint the problem. (Worst case is running it in a debugger) Not in front of a PC with WinGate / Source code at the moment though, so best I can do will be to look through it tomorrow morning first thing.

[gsummey]

Ok,

I'll email the reg file to you. I can't bring the server down now to try the reinstall (it's 0900 on Monday) if I can I'll try the reinstall tonight.

Thanks for your help.

Garth

[gsummey]

From the looks of things, I would say that Clifford and I are having the same problem. His post is "Java Applet does not show in ver 6" and from what I've read there it seems like the same thing is happening.

Garth

[Pascal]

Hi Garth,

I haven't received the reg file yet. Do you also have Assumed Users mixed with Authenticated users? If that is the case it sounds fairly similar to a problem another user here had. All of this might not apply to you, however.

1. Go through your users and make sure that every user belongs to the correct group. The case we had before had several users which were used in policies but had no group membership, etc.

2. Then, go through your groups and see that the users there are setup correctly.

3. Open your Assumed Users by IP dialog and verify that you have the correct IP addresses listed against every user - this HAS to be correct, otherwise you will get "internal server 500 errors" or "403 you are not authorised to view this page" errors. Even if a user is required to authenticate - ensure they have an assumption.

4. Then, go through your policies individually and ensure that the users are tagged appropriately for authentication vs assumption.

That was a fairly complex setup, but the idea was to provide management with an assumed status (No login) where everyone else had to authenticate.

[gsummey]

Ok, I re-sent the email. Sorry it didn't get there the first time.

Yes, I have Assumed Users mixed with Authenticated users. And I agree it sounds like two other user here on the forum are having the same problem. But don't want to jump the gun, maybe just a fluke.

I went over all the steps you suggested and everything is perfect, the same as it was before I did the upgrade to 6.0.1

One thing you said interested me though:
"Even if a user is required to authenticate - ensure they have an assumption"

I have never done that before, I think wingate implies that a user is Guest if they are nothing else (assumed or authenticated). So I created a user "Test" made everything on my subnet assumed to be test (by using 192.168.4.*) then in Test's www policy I checked "User must be authenticated". But I still don't get a java applet and I am allowed access to the internet, even though the policy says "User must be authenticated". I think this is wrong. I don't think I should have access if the policy is not set to "User may be assumed".

What do you think about this?

Garth

[Pascal]

That test user scenario sounds wrong. There has been some changes to authentication - mainly a check on the variety of authentication methods (NTLM integration almost everywhere, etc.)

When you say "test" is allowed through, even if only assumed - what is the user in GateKeeper displayed as? Is that also test?

I just need to confirm the email address with you - it's pascalv at qbik dot com (No email yet). If you click the "email" link under my post, it should come up with the right email address in your mail client.

[gsummey]

The user shown in Gatekeeper is (test - Assumed [Assumed])

Other users that have other assumptions show up as what they should be assumed to be. And I have one computer which still had the java login box open from before I did the upgrade and they can login and authenticate with java. They show up as (username - Authenticated[Wingate]). So I know java is working...

I don't know what is up with the email... I'll try again from a different account.

Thanks,

Garth

[adrien]

Hi Garth.

We just made some changes to the way this works to solve problems with mixed policies that require either authenticated or assumed users.

Basically it comes down to the level of confidence that is required, and the level of confidence that a given authentication method provides.

WinGate policies distinguish 3 levels of confidence about whether a user is who they say they are. These are expressed in the policies as:

"user may be unknown" - no knowledge, no confidence, but don't care if it is guest or any user.

"User may be assumed" - means WinGate wants to know who the user is, but allows insecure/plaintext auth methods like telnet or POP3 logins, or HTTP basic method, and also allow assumptions by IP or computer name.

"User must be authenticated" - This means the user must be authenticated with a strong authentication scheme, such as NTLM, CRAM-MD5, or WinGate's challenge response method (used in GateKeeper and Java client).

As for the level of security required by a rule, it is sometimes possible depending on your rule setup for more than one policy to grant access, but with different requirements about level of confidence in who the user should be. When the request is received, and we check policy, we go through all the policies, and return the minimum confidence level required for that request to be granted.

However since during authentication WinGate can learn new information about a username (i.e if you auth you can change from guest, or some assumed name to the name you authenticate with), then different policies can come into play. This means that the policy that may have been used to select the authentication method based on required confidence level can be invalidated when the user actually authenticates, since the different user may not be granted access under that same policy.

To get around this, in the case of WWW proxy, we now use the highest level of auth that is enabled if any sort of authentication (strong or weak) is required. This in effect comes down to using the Java client over HTTP Basic if the Java client is enabled.

This has only really happened in WinGate 6.0 since prior versions didn't support any HTTP authentication methods, so there was no intermediate level available (which there now is - HTTP Basic method).

Hope this helps explain it a bit better!

Cheers

Adrien

[gsummey]

This doesn't give me a warm fuzzy feeling inside, but I came in today... Remove my temporary "Everyone" policy (so that users could access the internet). And java authentication popped up right away. What is going on there? I changed NOTHING. I'm assuming that you cannot push updates or anything like that??? I just don't understand. I thank you all for all your help and I'm really happy that it is working, but I just wish I knew what was going on for the past four days...

Anyway thanks again for all the help.

Garth

[Pascal]

No, we can't push updates. The best we can do is to pop-up a system message (In the syslog window) to tell you when a new version is available - but that's only possible if you've enabled auto-update to keep you informed of new versions.

Glad to hear you got it working, although I'm a bit dumbfounded as to why as well - which is not exactly a warm fuzzy feeling, like you said.

[gsummey]

Edit... Incorret post

[gsummey]

After further investigation... I cannot have ANY user or group set to "May be assumed" along with some other user or group set to "Must be authenticated" in the www policy. I get access denied, everytime. This is not good. I really need to be able to have assumed users AND authenticated users in the www policy. Is this intentional? What can I do? Should I downgrade back to 5.2.2 if I want this functionality? I think I understand what adrien wrote...

"To get around this, in the case of WWW proxy, we now use the highest level of auth that is enabled if any sort of authentication (strong or weak) is required."

...but maybe I'm not understanding what is really going on here. Pascal, did you get my .reg file? Have you tried it out, what can you tell me? Adrien, is my thinking about the policy correct?

Does this mean that the WHOLE www proxy uses the highest level set??? I can't believe that this is what is going on, doesn't that defeat the whole purpose of having "assumed" users in the first place? So that some machines do not have to authenticate?

I really appreciate the help so far, but I've got to get this working...

Thanks,

Garth

[Pascal]

It definately is possible to set this up with 6.0 - I talked a user called Manu through this exact process - and he managed to get his setup running.

The easiest would be to get your registry setup, but that hasn't come through yet. Have you tried the alternative email address I sent you? Last alternative might be for me to give you a login on my personal FTP server.

What I'll do, is I'll send you two messages from two different accounts and servers, then you can simply reply to them.

Edited: Done, you should have those two emails now

[gsummey]

Thanks Pascal,

I sent the reg file to the second account. I'm not sure what's up with this email thing, I've sent it to you four times now and each time I send it, then watch the message leave wingate (successfully) then check out the sent items in the spool directory and the message is there. I know that I was using the correct address... Anyway I hope it gets there this time.

Good news that it is possible in WG6 to do this, I couldn't believe that this functionality would be removed.

Thanks,

Garth

[Pascal]

You won't believe it. I don't have the email yet. It might just be lost in translation and arrive shortly...

But the two servers are worlds apart (One's hosted in the States, the other is in our Office)

From the sound of it, you're sending through WinGate? Are you doing that through Outlook XP? (Or is it possible to use the account I sent to you to - because maybe that makes a difference)

[gsummey]

Have you received my .reg file yet Pascal???

I was gone over the weekend and did not get to play with wingate at all, but I'm hoping to get this resolved.

Thanks,

Garth

[Pascal]

Yup - I've sent you two or three plain text emails to the address you sent me the reg file from. Do you want me to post the replies here, as e-mail clearly seems a bit dodgy between the two of us.

[wyldcyde]

found a similar problem in that i have www proxy policies set to "system rights are ignored"... this is because i use ban lists on the www proxy and since i haven't duplicated the ban lists to system rights then ban lists dont function. So i've set proxy to system rights are ignored.

my new problem is that if i add administrators group to www proxy policies then members of the administrators group and in fact all users are unable to login to java client, but if i add the individual administrator accounts to www proxy policies then users get java login and admins can login also... very strange and i think i've seen another post that mentions something similar. i wont upgrade to wingate6 because of another outstanding issue with that new version.

ELi