We want to allow an internal server to offer a web-service through the WinGate firewall. If I set up a WinGate TCP-mapping service that accepts connections and maps them to the server, everything works fine.
However, for security reasons, the server needs to verify the user's IP address. The mapping service all external addresses with that of the firewall, so the server cannot see the real IP address of a client. There appears to be no option in the proxy setup to pass on the real address.
I then tried setting up a redirection using ENS - accept TCP connections and forward them to the specific machine. Unfortunately, I can't get a connection. The server gets a request, but when it tries to send an answer, I get the error "Connection reset by peer". Meanwhile, the client times out.
I am running WinGate 6.0.3 (using a Wingate 4 license). Any suggestions?
Error using ENS redirection
Moderator: Qbik Staff
11 posts
• Page 1 of 1
Error using ENS redirection
by bradley13 » Dec 12 04 11:46 pm
- bradley13
- Posts: 10
- Joined: Dec 04 04 11:19 pm
by Pascal » Dec 13 04 9:26 am
Where is the server connecting back to? Is it the correct ip address?
Secondly, does the Server have a route back out to the Internet? It is possible that when you are using the mapping it knows the route is back to a machine on your local network (And thus reachable) but it might have no way to access an external IP address (As it would have to when you are using the ENS Redirect option)
Secondly, does the Server have a route back out to the Internet? It is possible that when you are using the mapping it knows the route is back to a machine on your local network (And thus reachable) but it might have no way to access an external IP address (As it would have to when you are using the ENS Redirect option)
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
by genie » Dec 13 04 11:23 am
One more thing - when you create the new security action for redirect, there is a checkbox that says "Don't translate source address". If this checkbox is left unckecked, the source address of all packets will be translated into the Wingate machine IP address - you will need to check this checkbox.
- genie
- Qbik Staff
- Posts: 1788
- Joined: Sep 30 03 10:29 am
by bradley13 » Dec 13 04 11:29 pm
What do I need to enter in WinGate to allow the server to actually establish the connection? The server uses a fixed port (currently 50001). But the client machine, of course, may be coming from any port at all.
When the server receives a request, it accepts it. This is basically a passive action - I assumed that it was WinGate's task to rewrite the headers so that the connection would work. What am I missing here?
By the way, while I clearly want to check the box "don't translate source address", I have tried it both ways - neither works. However - in *both* cases the server seems to receive the IP address of the client.
I am clearly misunderstanding something...probably blindingly obvious??
When the server receives a request, it accepts it. This is basically a passive action - I assumed that it was WinGate's task to rewrite the headers so that the connection would work. What am I missing here?
By the way, while I clearly want to check the box "don't translate source address", I have tried it both ways - neither works. However - in *both* cases the server seems to receive the IP address of the client.
I am clearly misunderstanding something...probably blindingly obvious??
- bradley13
- Posts: 10
- Joined: Dec 04 04 11:19 pm
Server has route out
by bradley13 » Dec 14 04 12:19 am
Yes - in fact, for testing purposes, the server is currently running on the my personal machine - where I use browsers, e-mail, etc, etc. So it has the normal sorts of access via WWW-proxy, SMTP, POP, etc.
- bradley13
- Posts: 10
- Joined: Dec 04 04 11:19 pm
by Pascal » Dec 14 04 8:33 am
Ok. The only thing that concerned me was that it sounds as if the server itself had no idea how to get to that remote client. (As the ENS redirect is working). I assume you don't use proxies / WGIC or anything like that, correct? It's NAT based? (You have your default gateway set - and to the WinGate Server)
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
by bradley13 » Dec 14 04 8:50 am
Hi Pascal,
Nope, there are no other proxies involved. I didn't have the Gateway explicitly set (as I tend to enter the proxy address explicitly when necessary), but setting it did not change anything. If you like, I can send you screenshots of all the relevant setting by e-mail. Let me know if that would help.
Thanks,
Brad
Nope, there are no other proxies involved. I didn't have the Gateway explicitly set (as I tend to enter the proxy address explicitly when necessary), but setting it did not change anything. If you like, I can send you screenshots of all the relevant setting by e-mail. Let me know if that would help.
Thanks,
Brad
- bradley13
- Posts: 10
- Joined: Dec 04 04 11:19 pm
by Pascal » Dec 14 04 8:52 am
I think it would. Genie will probably be the best one to look at this (He's the driver guru). You can email them to me. I think the basic list to begin with would be:
(a) Server route table ("route print" from the command line)
(b) Web Server route table (same)
(c) Screenshot of the ENS Redirect you have setup
Thanks!
(a) Server route table ("route print" from the command line)
(b) Web Server route table (same)
(c) Screenshot of the ENS Redirect you have setup
Thanks!
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
by Pascal » Dec 14 04 10:51 am
Thanks, received all that information. I've sent you a reply via email - but will post results here.
When testing a redirect incoming from an external source, it will not function as expected when testing it from an internal source. The problem is this:
1. You make the connection from a client computer to the WinGate Server.
2. The WinGate Server sets up the redirect entry (So it knows the client and server)
3. The Web Server receives the connection, but, because you are using the original source address, it sees another IP on it's local network.
4. It responds directly to that, without sending it back through the WinGate Server.
5. The client sees network traffic coming to a port from a machine it has no connection with. Hence, the errors seen on the server.
When testing a scenario like this either test from an external source (Or get somebody you know to do so if not possible) OR ensure it will translate the source address (So it won't reply directly)
When testing a redirect incoming from an external source, it will not function as expected when testing it from an internal source. The problem is this:
1. You make the connection from a client computer to the WinGate Server.
2. The WinGate Server sets up the redirect entry (So it knows the client and server)
3. The Web Server receives the connection, but, because you are using the original source address, it sees another IP on it's local network.
4. It responds directly to that, without sending it back through the WinGate Server.
5. The client sees network traffic coming to a port from a machine it has no connection with. Hence, the errors seen on the server.
When testing a scenario like this either test from an external source (Or get somebody you know to do so if not possible) OR ensure it will translate the source address (So it won't reply directly)
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
11 posts
• Page 1 of 1
Who is online
Users browsing this forum: Google [Bot] and 1 guest