restrict access to wingate machine

Post by barricade » Jul 26 05 8:15 am

Hi,

I'm using WinGate on Windows 2003 Server with two NICs, one for the internet and one for the LAN. All proxies are disabled, as is the Winsock Redirector Service; I also don't use WGIC.

What I'm trying to do is restrict access from my LAN computers to my WinGate machine.

Example: 2 of 19 LAN computers should not be able to connect to the web server running on port 7999 (intranet), and they should not be able to use the intranet IP telephone (port 11001).

In other words, how do I block connections (ports) to the WinGate PC from one machine or group of machines that belong to my internal network?

Is there a way to do this?


Thanks
barricade

Post by MattP » Jul 26 05 11:37 am

Hi,

It sounds like you're using NAT only, so you could create a policy in the Extended Networking menu to allow access to a certain range of IPs, or deny access to certain IPs.

If you open Extended Networking and go to Policies, create a new policy and specify the group Everyone, then choose the Location tab, you can specify which IP addresses are permitted to connect.

Make sure that you add the Administrators group as a separate policy and grant it access to avoid locking yourself out.
MattP
Qbik Staff

Post by barricade » Jul 27 05 4:01 am

I tried this already:

EXTENDED NETWORKING; POLICIES:

Recipient: Everyone
Excluded locations: 192.168.100.12
(putting all other IPs into included locations, without this one, should be the same)

Default rights are ignored.


This policy should completely restrict access from 192.168.100.12 (tell me if I'm wrong), but there is still access to the WinGate machine, where my internal web server is running. Only connections to external networks (internet) are restricted with this rule.

What am I doing wrong???
barricade

Post by MattP » Jul 27 05 12:16 pm

If you don't want to grant that machine any rights to the WinGate server at all then you can black-hole the IP address. Just right click it in the activity screen and select black-hole IP. Now any communication from that machine will be blocked.

Is this what you wanted to do?
MattP
Qbik Staff

Post by ChrisH » Jul 27 05 2:28 pm

barricade,

What I'm interpreting you want to do with the internal web server should be able to be accomplished by opening WWW Proxy Server -> Server Requests -> click "Pipe request through to predetermined server", entering your WG machine's IP or name and putting 7999 in the port number. Then set up a policy in the WWW service as you did in ENS w.r.t. restricting location by IP. Perhaps a TCP or UDP Mapping service could be set up in WG to redirect to your IP telephone server in the same way as the WWW proxy, with a similar restriction? Let us know if this helps.
Chris H.
ChrisH
WinGate Master

Post by barricade » Jul 28 05 10:10 am

To MattP:

I don't want to block these machines completely; some ports should be accessible.


To ChrisH:

I will try your suggestion, but it can't be the final solution for my problem.
Let me describe this scenario:

For some machines on my LAN I want to allow pinging my WinGate machine. DNS services should also be allowed. Anything else should be restricted.

So using the TCP and UDP Mapping service I could probably block some specific services. Anything else would be permitted. But as you can see, I want to block all ports with a few exceptions.

All I want is something like this:
BLOCK all TCP and UDP ports for 192.168.100.12 except ICMP and DNS.


Is there a way to do this?
barricade
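The rule barricade asks for in the last post (drop every TCP/UDP port on the WinGate host for 192.168.100.12 except ICMP and DNS) is a host-level filter rather than a gateway policy, which is why an ENS policy only affects traffic going through WinGate. As an added example that is not from the thread or from Qbik, here is the same rule set expressed with the IPsec policy engine built into Windows Server 2003 via netsh; the policy, filter list and rule names are made up for this example, while the address and ports come from the thread.

```batch
@echo off
rem Added example (not from the thread): host-level filtering on the
rem Windows Server 2003 WinGate machine using the built-in IPsec policy
rem engine. Goal: 192.168.100.12 may only ping and use DNS; everything
rem else aimed at this host (e.g. TCP 7999 and 11001) is dropped.
rem Assumption: run in an Administrator command prompt on the WinGate
rem server itself. Windows IPsec applies the most specific matching
rem filter, so the narrow permit filters win over the broad block.

set POLICY=Block-LAN-12
set HOST=192.168.100.12

rem Policy container; it stays inactive until assigned at the end.
netsh ipsec static add policy name="%POLICY%" description="Restrict %HOST% to ICMP and DNS"

rem Filter list 1: all traffic from the host to this machine (dstaddr=Me).
netsh ipsec static add filterlist name="%POLICY%-all"
netsh ipsec static add filter filterlist="%POLICY%-all" srcaddr=%HOST% dstaddr=Me protocol=ANY mirrored=yes

rem Filter list 2: the exceptions - ICMP plus DNS over UDP and TCP port 53.
netsh ipsec static add filterlist name="%POLICY%-allow"
netsh ipsec static add filter filterlist="%POLICY%-allow" srcaddr=%HOST% dstaddr=Me protocol=ICMP mirrored=yes
netsh ipsec static add filter filterlist="%POLICY%-allow" srcaddr=%HOST% dstaddr=Me protocol=UDP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="%POLICY%-allow" srcaddr=%HOST% dstaddr=Me protocol=TCP srcport=0 dstport=53 mirrored=yes

rem Filter actions: plain block and plain permit (no IPsec negotiation).
netsh ipsec static add filteraction name="%POLICY%-block" action=block
netsh ipsec static add filteraction name="%POLICY%-permit" action=permit

rem Rules bind each filter list to its action inside the policy.
netsh ipsec static add rule name="%POLICY%-deny" policy="%POLICY%" filterlist="%POLICY%-all" filteraction="%POLICY%-block"
netsh ipsec static add rule name="%POLICY%-dns-icmp" policy="%POLICY%" filterlist="%POLICY%-allow" filteraction="%POLICY%-permit"

rem Activate the policy. Only one IPsec policy can be assigned per host.
netsh ipsec static set policy name="%POLICY%" assign=y

rem Review the result:
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Assigning this policy replaces whatever IPsec policy is currently assigned on the host, so check `netsh ipsec static show policy all` first and test the change from a machine that is not covered by the filter to avoid locking yourself out of the server.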
