WinGate Forums

[Surfer]

Hello!

I got a strange problem.
Wingate server have a standart WWW proxy service, where users are surfing in the Web. Ok.
There are several users which using Web without proxy. They have real IP addresses. Ok.
First users cannot open a page from the Web which second users can.
I check it and see the following:
ftp://ftp.somesite.com/help/index.html
Uhm, i'm not a novice in Wingate but i'm stuck. How can I allow this type of requests by Wingate? FTP service is not applicable as I think. He allow one selected ftp. But I can predict which request will take place tomorrow.
TCP mapping on 21... be in conflict with ftp. Uhm, really stuck. :(

[Pascal]

Why not just use NAT? You can intercept the appropriate ports (80, etc.)

Any chance you could post / email me the real URL - then I can test it out on Monday for you. What application were they using when they saw that?

[Surfer]

Any chance you could post / email me the real URL - then I can test it out on Monday for you. What application were they using when they saw that?

http://www.postfix.org/download.html
and click on any link beginning from "ftp".
They use MS IE 6.0 and 5.0.

[Pascal]

How are the proxy using users configured? Have you made any changes to WinGate's proxy configuration?

[Surfer]

How are the proxy using users configured? Have you made any changes to WinGate's proxy configuration?

WWW Proxy binded into internal LAN card. Interface is external card.
Port is 8010. Timeout 60 sec. Puresight installed (this requests are out of filters). Connection directly. SSL 443 allowed.
Users configured in IE as "connection via proxy. IP *.*.*.* port 8010".
So, all WWW is ok.
I still not understand which port requests like "ftp://ftp.somesite.com/index.html" are using? 80 or 21?

[Pascal]

Very odd. I'm currently proxying through WinGate and can see those requests going through the HTTP Proxy on our main gateway.

The port depends on the browser and the exact setup, client side. (IE6, mainly). For example, when set to "use the same proxy for all protocols" it goes through port 80 - but when that is not set, it goes through port 21.

First thing I'd recommend is to ensure that the "use the same proxy for all protocols" checkbox is ticked. Then, which version of WinGate are you using? It should be 6, but you mentioned "Interfaces" tab which makes me think it's 5 or earlier.

[Surfer]

Very odd. I'm currently proxying through WinGate and
The port depends on the browser and the exact setup, client side. (IE6, mainly). For example, when set to "use the same proxy for all protocols" it goes through port 80 - but when that is not set, it goes through port 21.

First thing I'd recommend is to ensure that the "use the same proxy for all protocols" checkbox is ticked. Then, which version of WinGate are you using? It should be 6, but you mentioned "Interfaces" tab which makes me think it's 5 or earlier.

I use 6.0.3. Saying "interfaces" by tradition. :)
Client with IE6 ticked the "same proxy for all protocols" option. Result is the same. Browser show HTTP 500 error.
Wingate log shows this request as normal. He dropped in log as usual but with extremely low size (5-6 bytes for upload & download).
Your suggestion was in NAT activation. Should I try this? Is it not a possible security decrease?

[Pascal]

Does that (client) machine currently have a default gateway set? If it does not, try setting one to the WinGate machine's internal IP - just to see what happens.

Depends on what you mean with a security decrease. You do not have the same depth of policy available as you do in the Web Proxy, for example. (If you're comparing port 80 traffic in both cases). Simply because NAT only needs to know about the source and destinations - it does not analyse the higher level protocol, like HTTP.


So, if you extensively use advanced filters + criterion in the WWW Proxy Service to restrict where your users can go, then yes, that functionality will be lost if you go through NAT. However, using Intercepts then covers for that again.

Also, traffic that would normally not be able to go through because there is no service / proxy listening for it, will be able to reach the Internet. (So filesharing, etc. applications can suddenly be used by your users) You would need to monitor traffic at that time to check what is happening.