Users restriction problem


Postby trace » Apr 16 05 2:25 pm

Hi. Let's say I have a network with 5 computers that are connected to my WinGate server with a NAT connection. How do I restrict all Internet access for 3 users and leave only 2? Or is it possible to restrict all Internet access and then give access per MAC for those 2 users? I have WinGate 6.0.4 on Win2000. Please help!
trace
 
Posts: 51
Joined: Apr 16 05 2:20 pm

Postby Pascal » Apr 16 05 4:26 pm

Yes, but the setup depends on how your clients connect out through WinGate. How do you go out through WinGate?
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby trace » Apr 17 05 4:21 am

In WinGate all the proxy stuff is off, so I only share the Internet with the NAT system, but it's easy for a user in the LAN who doesn't have Internet to connect. If I set the assumed users and set it right, the users change the IP or NetBIOS name very easily and still connect to the Internet! Sorry for the English :P

Postby Pascal » Apr 17 05 11:56 am

Try using the "Client MAC" criterion under Extended Networking's advanced filters and criteria. You might want to exclude default policies from use to prevent that from granting everybody access.

Postby trace » Apr 17 05 1:12 pm

Hi Pascal! I deleted the default system policies recipient and set the Extended Networking policies' advanced client MAC like you told me, and it's working! Thanks for the help! A lot of thanks :)

Postby Pascal » Apr 17 05 2:29 pm

Erm. No, you do not want to delete the default policies recipient. That controls access to GateKeeper, something you definitely do not want to lose. I said "exclude", so simply set the value of "Default rights" to "are ignored" in the Extended Networking policies and re-add the Everyone user to system policies.

Postby trace » Apr 18 05 2:55 pm

If I set it that way it doesn't work :) ! It makes no sense: whether I delete the system policies or set Extended Networking to ignore them, it should work in either case. But if I delete the system policies and set the client MAC in E.N. it's OK, while if I don't delete the system policies and set the default rights in E.N. to ignore the system policies, WinGate doesn't let anyone connect! I can't understand why it's not working if I set it to ignore the S.P., while if I delete the S.P. it works perfectly.

Postby Pascal » Apr 18 05 3:12 pm

Would it be possible for you to send me a copy of the policies? I'm curious to see what this looks like.

Postby Pascal » Apr 18 05 3:27 pm

trace wrote: If I set it that way it doesn't work :) ! It makes no sense: whether I delete the system policies or set Extended Networking to ignore them, it should work in either case. But if I delete the system policies and set the client MAC in E.N. it's OK, while if I don't delete the system policies and set the default rights in E.N. to ignore the system policies, WinGate doesn't let anyone connect! I can't understand why it's not working if I set it to ignore the S.P., while if I delete the S.P. it works perfectly.


I can't see how that is allowing you to log in to GateKeeper. I assume from your description that you have set your Remote Control Session to ignore system policies and have some way to allow access into GateKeeper. (Or perhaps you have a system policy that allows "userX" access, but not one for "Everyone". The registry will tell.)

I've just tried this on one of our setups here. Open Extended Networking, switch to "Policies". By default there is no recipient in there, and access is granted through the "Default Rights (System Policies)" setting which is "may be used instead". So I added "Everyone" and switched to the "Advanced" tab where I added one Filter and one Criterion. The criterion was: "This right is granted if the Client MAC address equals "00-10-fa-64-8e-76"", which is the MAC of the client I am using. There were no other restrictions placed on it.

Then, the client can access the internet. Client IP was allocated via DHCP which also set the default gateway and DNS servers then. I went back into the policy and changed the mac (Replacing the 76 with a 75) and hit refresh. This time it failed to display the page and I got a stream of "Authention failed" messages in GateKeeper's syslog window.

During this test the System Policies (GateKeeper -> Users -> System Policies) for the "Users can access services" had an Everyone User with Unrestricted rights.

Postby trace » Apr 18 05 3:36 pm

I set it like in these screenshots! Here are the links to the screenshots:
http://www.localsource.3x.ro/1.jpg
http://www.localsource.3x.ro/2.jpg

Postby trace » Apr 18 05 3:38 pm

The second link has some problems; this one I hope is set right: http://www.localsource.3x.ro/2.jpg

Postby Pascal » Apr 18 05 3:48 pm

All three links seem to be dead. Can you email me the files?

Postby trace » Apr 18 05 3:54 pm

I sent an email to pascalv@qbik.com with 2 pictures! In those pictures it is set up the way I understood you told me to. If it is set like in those pictures, WinGate doesn't allow anybody to connect! :P Sorry for my English and low IQ :)

Postby Pascal » Apr 18 05 4:00 pm

That is strange. Those pictures look correct (I assume the Client MAC specified is one that you want to allow through) and that is exactly the way I have things set up on the machines I was using.

Do you allocate IP addresses to your clients or do you use static IPs on the LAN?

Postby trace » Apr 18 05 4:07 pm

Everybody has a set IP, the MAC address is correct, and in WinGate there is no modification other than what you told me to set!

Postby trace » Apr 18 05 4:12 pm

I don't connect to WinGate remotely! And what can happen if I delete the contents of system policies?

Postby Pascal » Apr 18 05 4:17 pm

Weird, because that is the exact same (Barring different MAC) setup that we had here and that still works. I just tried it with a static IP (Rather than DHCP allocated) and it still behaves the exact same.

Would it be possible for you to save the settings (When it's not working and when it is working) to a .reg file and email them to me? You can easily save your current WinGate settings from GateKeeper in Options -> Advanced -> Save registry settings.

Postby trace » Apr 18 05 4:19 pm

It's strange.... If I set it to ignore the S.P. it doesn't work, but if I delete the S.P. it works perfectly! :(

Postby Pascal » Apr 18 05 4:21 pm

trace wrote: I don't connect to WinGate remotely! And what can happen if I delete the contents of system policies?


Remotely? Even logging in locally uses the policies specified in Remote Control Service (that's just a different name for "GateKeeper"). If you remove "Everyone" from System Policies, then, unless you have an explicit policy that will grant access set in other services which have "May be used instead", you will be denied access to those services.

Normally, Remote Control uses that setting. So, I still don't understand how you are able to log in if you've removed all System Policies that grant access and have not created anything to explicitly grant access in Remote Control (GateKeeper - doesn't have to be remote).

Postby trace » Apr 18 05 4:29 pm

For a week I've been doing all the same stuff, and I don't know if you'll believe me, but now it works: I deleted the "Everyone...." from E.N. and then added it again! I don't understand.... I did this 500 times and nothing :P, like the program is scared of you :) ! And one more thong: when I remove the S.P. it works, but I never log out from GateKeeper :)

Postby trace » Apr 18 05 4:37 pm

lol, that's too much for me :) I hate when things get fixed without a logical reason, but it's good if it works :)) ! Thanks very much for your time, Pascal, and if the problem reappears I'll save the regs and send them to you!

Postby Pascal » Apr 18 05 4:38 pm

trace wrote: And one more thong: when I remove the S.P. it works, but I never log out from GateKeeper :)


Actually, I find thongs scarier. But that's just me. So I'm a bit confused at the moment - what is the exact status of this at the moment? Are you happy that everything is working as expected and that you can log in and out of GateKeeper safely?

Postby Pascal » Apr 18 05 4:39 pm

Ah, okay, we're typing too fast for each other. Glad you've got it going happily then.

Postby trace » Apr 18 05 4:44 pm

Yes, I'm happy! Anyway, I use WinGate, it is the best :) Thanks for making this program! I have one question: is it possible to see the NAT clients' activity like the proxy clients'? I mean in future versions of WinGate, or is this impossible to translate?

Postby Pascal » Apr 18 05 4:54 pm

How do you mean, see their activity? If you want to see the actual URL you should simply be able to turn on "Intercepts" in the WWW Proxy Service (Sessions page). That will also allow you to use data scanning plugins and so forth.

However, the policies in Extended Networking will then no longer be applicable. You will need to follow one of two routes then.

1. Use System Policies to restrict access in that way. Either as an exclusive, "may be used Instead" option OR as an inclusive "Must also be granted" setup.

In this instance I would strongly recommend setting up a policy for Remote Control that does not rely on system policies, to ensure that you can always log in.

2. Configure each mechanism (Intercepted vs ENS) individually. This has the overhead of having to add the MAC address per intercepted service as well as to ENS.

Postby trace » Apr 20 05 12:48 pm

Hi Pascal! The problem reappeared! I don't know how, but now WinGate bans all the users again :(( ! I saved the registry file and I await your post telling me what to do :) !

Postby Pascal » Apr 20 05 12:50 pm

1. Email the registry to me.
2. Explain what has changed since you had it working before. (Something must have changed...)

Postby trace » Apr 20 05 1:00 pm

I sent the email !

Postby Pascal » Apr 20 05 1:01 pm

I received the email ! Will respond shortly when I've looked through the setup.

Postby Pascal » Apr 20 05 1:11 pm

WinGate manual post wrote: Overview
Policies are currently the most intricate part of any WinGate setup (My opinion). However, once you have the basic concepts firmly in hand it becomes very very easy.

The first thing to know is that there are two distinct groups of policies that can act together. The first is the Default (System) Policies. You will find them on the "Users" tab in GateKeeper. Those policies are used if no others are available. By default, they freely grant access.

The second set is the per-service policies. They are usually more specific as they have inherently more information about the protocol they are working with. You will find these on the policy tab in each service.

Those two policy 'groups' can interact with each other in three different ways from a Service perspective. For system policies:
May be used instead - either version of the policy can grant access
MUST also be granted - the system policies and the service policies must grant access
Are ignored - the system policies are ignored. Only the service policies apply

Now, to implement a policy you must first determine where you want to implement it. For example - some policies you might want to apply irrespective of the service that is in use. (Traffic limits for a user, for example). Others, you might want to block specific URLs, in which case the Web Proxy is the best place to do so. This is sometimes a bit tricky, and I've found that a rough flow diagram helps here sometimes; especially when you are dealing with a very complex setup.

The next thing to know is that the policies are permissive. If any policy grants the user the right to use / do something - even if another policy later denies it the user will have the right to access that resource. This becomes very important when you consider the interaction between Service Policies and System Policies.

Advanced Filters and Criterion seem complicated, but in truth that is the way to get the most out of policies. It's very easy as well, though.

Filters are OR statements. So, if you read them top to bottom they will say
if Filter1 is granted or if Filter2 is granted or if Filter3 is granted then the user has rights to this resource.
When you delve a bit deeper, Criterion within a filter are AND statements.
 if (Filter1.Criterion1 is granted and Filter1.Criterion2 is granted and Filter1.Criterion3 is granted ) OR (Filter2.Criterion1 is granted) OR (Filter3.Criterion1 is granted) then the user has rights to this resource.



Tips
Alright. Armed with all of that there are a few tips to setting them up. First, try to ensure that your traffic is going through the most appropriate service. That gives you the most control over your policies. As you are using WGIC, redirecting that through your webproxy (By setting Intercepts on the WWW Proxy Service) gives you access to the proxy's policies. You can then define your policies there.

Secondly, you can have the same user in a policy multiple times with different types of rights granted. For example - if I want all my users to authenticate when visiting the entire web except for the Qbik webpages I would create two policies for the "Everyone" user.

The first would be:
Everyone: User must be authenticated


The second would be:
Everyone: User may be unknown
Advanced Filter + Criterion: Right is granted if HTTP URL contains "qbik.com"


That is an overview of how the Advanced Filters and Criterion can be used. What is most important in that is the AND and OR nature of Criterion (AND) and Filters (OR). In your registry, you have one Filter with several criteria. Which means, for that to work, the client traffic must come from all those different MAC addresses. Try it with each MAC address under its own filter and let me know how that goes.
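The policy rules Pascal lays out above (filters are ORed, criteria inside a filter are ANDed, any grant wins, and the three "Default Rights" modes for system policies) are easy to get wrong in the GUI, so here is a small Python model of them. This is an added example for this thread, not code from WinGate or Qbik; the evaluator, its function names and the MAC addresses are my own constructions, and the real engine may differ in details the thread does not state. It reproduces what Pascal found in trace's registry (two Client MAC criteria stacked in one filter can never both match, so nobody gets through) beside the working layout (one filter per MAC), shows why Default Rights must be "are ignored" while System Policies still hold Everyone/Unrestricted, and models the "authenticate everywhere except qbik.com" pair from the manual post. One caveat worth remembering: a Client MAC criterion only checks what the client puts on the wire, and a user with administrator rights on their own PC can change that, so it is a convenience filter rather than a strong identity control.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Added example, not WinGate's own code: a model of the policy semantics
# described in the thread. All names, MACs and requests are constructed.


@dataclass
class Request:
    user: str                 # "unknown" for an unauthenticated NAT client
    client_mac: str           # e.g. "00-10-fa-64-8e-76"
    url: str = ""             # only meaningful for the WWW proxy
    authenticated: bool = False


Criterion = Callable[[Request], bool]


def mac_equals(mac: str) -> Criterion:
    """'Client MAC address equals ...' criterion (case/separator-insensitive)."""
    want = mac.lower().replace(":", "-")
    return lambda r: r.client_mac.lower().replace(":", "-") == want


def url_contains(fragment: str) -> Criterion:
    """'HTTP URL contains ...' criterion."""
    return lambda r: fragment in r.url


@dataclass
class Filter:
    criteria: List[Criterion]          # ANDed: every criterion must hold

    def granted(self, r: Request) -> bool:
        return all(c(r) for c in self.criteria)


@dataclass
class Policy:
    """One recipient entry in a policy list, e.g. Everyone + advanced filters."""
    recipient: str                                         # "Everyone" or a user name
    filters: List[Filter] = field(default_factory=list)    # ORed; none = unrestricted
    must_be_authenticated: bool = False                    # vs "User may be unknown"

    def grants(self, r: Request) -> bool:
        if self.recipient != "Everyone" and self.recipient != r.user:
            return False
        if self.must_be_authenticated and not r.authenticated:
            return False
        if not self.filters:
            return True
        return any(f.granted(r) for f in self.filters)


def policies_grant(policies: List[Policy], r: Request) -> bool:
    # Policies are permissive: one grant wins, whatever later entries say.
    return any(p.grants(r) for p in policies)


MAY_BE_USED_INSTEAD = "may be used instead"
MUST_ALSO_BE_GRANTED = "must also be granted"
ARE_IGNORED = "are ignored"


def service_allows(service_policies, system_policies, default_rights, r) -> bool:
    """Combine a service's own policies with System Policies per 'Default Rights'."""
    svc = policies_grant(service_policies, r)
    sys_ = policies_grant(system_policies, r)
    if default_rights == MAY_BE_USED_INSTEAD:
        return svc or sys_
    if default_rights == MUST_ALSO_BE_GRANTED:
        return svc and sys_
    if default_rights == ARE_IGNORED:
        return svc
    raise ValueError(f"unknown Default Rights setting: {default_rights!r}")


ALLOWED_MACS = ["00-10-fa-64-8e-76", "00-10-fa-64-8e-77"]   # constructed sample MACs
SYSTEM_POLICIES = [Policy("Everyone")]                        # Everyone, Unrestricted


def ens_policies(one_filter_per_mac: bool) -> List[Policy]:
    """Extended Networking: Everyone + Client MAC criteria, laid out correctly
    (one filter per MAC) or as in the broken registry (all MACs in one filter)."""
    if one_filter_per_mac:
        filters = [Filter([mac_equals(m)]) for m in ALLOWED_MACS]
    else:
        filters = [Filter([mac_equals(m) for m in ALLOWED_MACS])]
    return [Policy("Everyone", filters)]


def ens_allows(default_rights: str, one_filter_per_mac: bool, client_mac: str) -> bool:
    r = Request(user="unknown", client_mac=client_mac)
    return service_allows(ens_policies(one_filter_per_mac), SYSTEM_POLICIES, default_rights, r)


# WWW proxy policies from the manual post: authenticate everywhere except qbik.com.
WWW_POLICIES = [
    Policy("Everyone", must_be_authenticated=True),
    Policy("Everyone", [Filter([url_contains("qbik.com")])]),
]


def www_allows(url: str, authenticated: bool) -> bool:
    r = Request(user="bob" if authenticated else "unknown",
                client_mac="00-10-fa-64-8e-76", url=url, authenticated=authenticated)
    return policies_grant(WWW_POLICIES, r)


if __name__ == "__main__":
    for layout in (False, True):
        for mac in ("00-10-fa-64-8e-76", "00-10-fa-64-8e-75"):
            print(f"are ignored, one_filter_per_mac={layout}, {mac}: "
                  f"{ens_allows(ARE_IGNORED, layout, mac)}")
    print("may be used instead, unknown MAC:", ens_allows(MAY_BE_USED_INSTEAD, True, "00-10-fa-64-8e-75"))
```

With the MACs stacked as criteria of one filter, `ens_allows` is False even for an allowed client, which is the "WinGate doesn't let anyone connect" symptom in the thread; with one filter per MAC only the listed clients pass. Leaving Default Rights at "may be used instead" lets the Everyone/Unrestricted system policy grant every client regardless of MAC, while "must also be granted" would require both sides to agree.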
