Can't connect to domain controller for authentication

Can't connect to domain controller for authentication

Postby bench » Oct 11 05 4:33 am

I installed wingate yesterday at a client's without a problem. I created a username for the proxy in the domain controller server with admin rights. I am using the domain controller's user database for authentication and it synchronized all users well.

I tested each client PC and it authenticated them without a problem. I opened port 6129 for dameware so I can log in to the proxy server using the static IP but I did not test this while there.

Today I tried to log in directly to the proxy and I could not. I logged in to the domain controller and then from there to the proxy and I noticed that the firewall blocked my attempt to log in. I went to see if I had configured the ports correctly and I found that they were not listed. I entered them again and closed it. Opened it again and found that again it was not listed. I don't know why it's not saving them.

I closed gatekeeper and attempted to open it again using the same log in password I use to log on to the server but it told me the proxy could not connect to the server to check password and port. I was logging in fine yesterday but now it won't let me. I tried logging in to the local machine and it didn't let me either, same error.

I don't know what could be the cause of this. Wingate's engine is still running but it won't let me in to make modification. I can ping the domain controller and mail server but I don't know why it tells me it can't connect to the file server.

Any help would be appreciated as my client has yet to have problems but I know they will call soon.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Postby MattP » Oct 11 05 9:39 am

Is auto-save enabled? If it is not then you'll have to click the save button when you make changes.

Could you copy the exact error message that you see when you try to log in to GateKeeper?
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

Postby adrien » Oct 11 05 10:04 am

Hi

Is WinGate using the user database on a remote domain controller?

If so, then the user account that the WinGate service runs in must be a member of the domain administrators group. Normally the WinGate service runs in the LocalSystem account, which won't give WinGate sufficient privileges to access the domain controller user database.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

reboot

Postby bench » Oct 12 05 9:12 am

I rebooted the proxy server since it would not even save any of the changes I made even after clicking on the save button. Once it rebooted I was able to log on using the administrator password without a problem and it connected, synchronized the user database.

Yes, it's using a remote database and the wingate user does have domain admin rights.

So far it's been working well but I don't know why it gave me that problem.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Postby adrien » Oct 12 05 9:35 am

let us know if it gives you any more problems.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

same error

Postby bench » Oct 13 05 4:07 am

OK, this morning I wanted to see that wingate is running fine. When I tried to log in to gatekeeper it gave me the same error. Here's what the error reads:

There was a problem connecting to the server. No data was received from the server during authentication. Check spelling of your username.

In the Online Options window this is how I log in.

Use current windows login

Wingate location>Log on to local machine.

Do I need to log in to the remote server even though wingate is not running on a remote server? I don't know what the problem is. I can ping the IP of the domain controller and every other server and client machine. Any help would be appreciated. I don't want to have to reboot the proxy every other day.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

different error

Postby bench » Oct 13 05 4:30 am

OK, I am now getting a different error when I try to log in again.

Connection refused by the server. Check your server name and port number.

I tried logging in with the username and password I created for wingate in active directory. I tried the domain administrator password and user as well but for some reason the server is refusing connection.

I checked active directory and I don't know what could be causing the rejection. Here's the scenario:

ISP>switch>proxy and watchguard.

Behind the watchguard are the 3 other servers, mail, domain controller and warehouse server. The proxy is not behind the watchguard but the LAN card on the proxy is configured with the local network scope and has the domain controller IP as its primary and only DNS. The WAN is configured with the ISP's IP, SM, GW and DNS. DHCP is disabled in wingate and enabled in domain controller.

Client PC's have wingate client installed and they only use it to access the internet but they access their e-mail from the local mail server. What could be causing domain controller to refuse connection by wingate? Should the LAN have a secondary DNS? The LAN does not have a gateway only a local IP and Subnet.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Postby MattP » Oct 13 05 10:22 am

Connection refused by the server. Check your server name and port number.

Are you seeing this error when you try to log in to GateKeeper? This error indicates that you have a WinGate policy that is denying access to the user that you are trying to log in as.

If you remove the everyone group from system policies and forget to add the administrator back in you can see this problem. We recommend creating a policy in the Remote Control service that grants the administrator unrestricted rights and ignores default rights. This will stop this from happening in the future.

You can download a registry file here that will create this policy for you. You will need to import it into your registry file and restart the WinGate engine.
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

gatekeeper locks me out

Postby bench » Oct 14 05 6:28 am

Yes, I get that message when I am trying to log in to gatekeeper. Wingate is installed on a server by itself and it accesses the user database remotely from the domain controller server. I do not yet know if there is a problem with gatekeeper not letting me log in because it can't access the domain controller and therefore can't authenticate the administrator password, or if it's just gatekeeper not letting me log in.

I noticed that during the time when I could not log in to gatekeeper users called me to tell me that they could not access the internet. It looks like even though the gatekeeper icon says wingate engine is running it's not connecting to the domain controller to authenticate users.

So far I have scheduled a task to reboot the server at 7:00 AM every day so wingate can connect to the domain controller server. I will have to do it this way until I can figure out why it loses connection to it.

If there is an alternative way to login to gatekeeper when it loses connection to the domain server I would like to know it.

Thanks.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Postby adrien » Oct 14 05 8:55 am

Hi

Actually when you see the error "no data was received..." when logging onto GateKeeper, it means the engine has hung for some reason. Normally after about 5 attempts you then get the error "connection refused".

You would need to restart the engine, but obviously we are interested in why it hung. Which version of Wingate are you running? Do you have any plugins (i.e. Kaspersky antivirus, or PureSight for WinGate) installed?

Were people surfing the web at the time?

We have seen issues with other AV software running on the WinGate machine (i.e. if it is scanning WinGate directories), are you running any AV software on this machine? We recommend configuring it to not scan any files or subfolders in the WinGate folder.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

AVG

Postby bench » Oct 14 05 9:18 am

Yes, we have AVG antivirus installed on the server and it is scheduled to run a daily scan of the entire system. I don't believe there were any people surfing the net at the time of the lockout since it appears it does it early in the morning or late at night.

Could someone surfing cause the engine to shut down? So would you recommend the kaspersky antivirus instead of the AVG? Does the kaspersky work like any other AV or does it just scan the wingate folder?

We are planning to activate the mail server service in wingate once we test it in our lab but we want to make sure we have the proxy portion working perfectly before making any changes.

I have removed the everyone group from the system policies and added administrators only with unrestricted rights.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Postby adrien » Oct 14 05 9:34 am

Hi

I would definitely stop AVG from scanning WinGate folders. Things like log files and the history file are very frequently accessed by WinGate. I think AV scanning of the history file could cause it to be corrupted, which can cause WinGate to freeze.

Kaspersky AV for WinGate scans data going through WinGate on the following services:

FTP, HTTP, POP3 proxy, SMTP server.

So, for instance FTP downloads and uploads, POP3 retrieval through the proxy, and received and sent email through WinGate's SMTP service will be scanned. It doesn't scan anything else though, so if you are concerned about viruses on that machine, you should still run AVG (just not on the wingate folders).

regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Still disconnecting

Postby bench » Oct 15 05 8:37 am

OK, I disabled AVG from scanning the wingate folders yesterday and today the wingate engine locked up again. This time instead of rebooting the server I went to the system manager under services for the qbik service and restarted it. Well, I tried to restart it once and it got stuck, so I clicked the cancel button and saw that it was stopped, so I clicked on the start button and it connected.

I was then able to log in to gatekeeper and everything was back to normal. During the lockup time users reported that they could not connect to the file server or internet.

Something is happening with the service that makes it lock up by itself, and AVG is not scanning anymore. Any other advice would be appreciated since I can't be monitoring the proxy every hour or have the client call every day to say that they can't surf the internet or access the local services.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Postby adrien » Oct 15 05 8:48 am

One more thing

What size are the history files on that machine? History.dbz and History.cdx, and in the history properties, what size do you have it limited to?

We have had corruption problems with history logging, which is more prevalent when the file gets large.

You could try either disabling history logging, or deleting the history files (you need to stop WinGate first).

Know what you mean about babysitting the service - it's not an option.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby adrien » Oct 15 05 8:52 am

PS - are there any services that are logging much more than you would expect?

This could indicate somewhere to look.

Also, we have a diagnostic mode in WinGate for deadlock detection.

If you run Start->Programs->Wingate->Advanced Options, check in the debugging page, select "use deadlock detection", and "check lock precedence", that will create a file called LockDumpAnalysisEng.txt in the WinGate directory whenever there are any locking issues. Any entries in there of "lock failure" are especially significant, or large numbers of "lock age warning".

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

denied

Postby bench » Oct 15 05 11:32 am

OK, I will check and trim all log files to see if that eliminates the problem.
Just a few minutes ago I added a user to active directory and I tried to synchronize in gatekeeper but got the access denied message. I tried it twice with the same result.

I then went to the domain controller server and from there ran gatekeeper.exe and was able to log in to gatekeeper with the login username and password which is the same for all servers. I tried to synchronize from there and it did it without a problem.

There must be an issue of rights with the account I created for wingate which is wingate. I have added full administrator rights and domain admin rights but still the problem persists. I really don't know why domain controller blocks the proxy server, they are both on the LAN.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

WRP

Postby bench » Oct 15 05 11:50 am

I noticed that some of the clients are not being routed to the proxy for access to the internet. Today I was told by two users that they could access the internet all the while I could not see them being on in gatekeeper. How can I force wingate client to be the default gateway for internet use?

I did an ipconfig and it has the gateway for the local router on all the client PC's. I think WIC takes priority over the default gateway but not always. How can I prevent that from happening?

Another thing, I am seeing messages in gatekeeper of users being denied an internet service, mainly peachtree updates, and the cause is authentication even though it lists the username and it shows as authenticated in the history tab?
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Postby adrien » Oct 17 05 11:05 am

Hi

OK, you raise a couple of issues here. I'll tackle the one about forcing users to go through WinGate first.

Basically, this one depends on how your LAN is configured. If your users have direct access to a gateway which provides say NAT to the internet, then there are several options.

1. If WinGate machine has 2 NICs

Force all traffic to go through WinGate by placing it in between the LAN and the internet gateway.

2. If the WinGate machine has only one NIC, and is basically just another machine on the LAN with the gateway on it.

a) If the gateway has MAC filtering, turn it on and only allow the WinGate machine access to the gateway.

b) turn off DHCP on the gateway device, and turn it on on WinGate.

WGIC can be disabled by a user locally, in which case the routing of that machine will take over, so your clients that had net connectivity not going through WinGate must have had the WGIC turned off, or the app they were running set to local mode. Using Central Config on the Winsock Redirector Service can override user settings, so you can force settings on the clients from a central location. This requires an enterprise license (which the trial license is).

the next issue is relating to users being asked for authentication.

We show usernames in the history tab, but this does not necessarily mean the user was authenticated - it's possible they were assumed. Depending on the policy you have set, if you say require users to be authenticated, and they authenticate, then when all sessions disconnect, the user associated with that machine will revert to an assumed state. This was so things like POP3 before SMTP could work.

Is this for HTTP? Or some other protocol. I'm not familiar with peachtree - does it use HTTP to get updates? If so, what policy do you have set for your WWW Proxy?

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

event viewer errors

Postby bench » Oct 18 05 6:24 am

Thanks for the detailed reply adrien, BTW we have a tech in our company with the same name.

The proxy server has two nic cards, WAN and LAN. The WAN is configured with the info from the ISP and connected to a switch. There is another connection to the switch and that is the firewall, watchguard, which protects the other 4 servers including the domain controller. The switch is serviced by the Internet provider. Both the WAN card and watchguard have different public IPs.

One question, how do you configure the LAN card in wingate to be in the middle of the LAN and Gateway?
The policies in the WWW Proxy are set so that everyone needs to be authenticated and system policies are ignored. There are no bans or restrictions at the moment for internet use.

Here's something I found in the event viewer of the proxy server over the weekend. I think it may help narrow down why the proxy loses connection with the domain controller server.

Bear with me as I am desperately trying to figure out how to make wingate work properly for the client.
Event Type: Warning
Event Source: DnsApi
Event Category: None
Event ID: 11151
Date: 10/16/2005
Time: 6:54:10 PM
User: N/A
Computer: W2KPRXYSVR
Description:
The system failed to register network adapter with settings:

Adapter Name : {AF834563-7256-4EF3-B57B-371CEC1CF3AD}
Host Name : w2kprxysvr
Adapter-specific Domain Suffix : ARIAS.LOCAL
DNS server list :
65.183.217.253, 65.183.217.254
Sent update to server : None
IP Address(es) :
65.183.223.245

The cause of this DNS registration failure was because of DNS server failure. This may be due to a zone transfer that has locked the DNS server for the applicable zone that your computer needs to register itself with.

(The applicable zone should typically correspond to the Adapter-specific Domain Suffix that was indicated above.) You can manually retry registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your network systems administrator to verify network conditions.
Here's the second one.

Event Type: Warning
Event Source: DnsApi
Event Category: None
Event ID: 11151
Date: 10/16/2005
Time: 6:54:10 PM
User: N/A
Computer: W2KPRXYSVR
Description:
The system failed to register network adapter with settings:

Adapter Name : {AF834563-7256-4EF3-B57B-371CEC1CF3AD}
Host Name : w2kprxysvr
Adapter-specific Domain Suffix : ARIAS.LOCAL
DNS server list :
65.183.217.253, 65.183.217.254
Sent update to server : None
IP Address(es) :
65.183.223.245
The cause of this DNS registration failure was because of DNS server failure. This may be due to a zone transfer that has locked the DNS server for the applicable zone that your computer needs to register itself with.

(The applicable zone should typically correspond to the Adapter-specific Domain Suffix that was indicated above.) You can manually retry registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your network systems administrator to verify network conditions.
I will do some research on those errors but if any of you has seen it before I would appreciate your help.

Thanks.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

NIC Card

Postby bench » Oct 18 05 6:59 am

Just to be sure I have setup the NIC cards correctly here's how I have them.

WAN
IP- Public Static IP
Subnet: Provided by ISP
Gateway: Provided by ISP
DNS1&2: Provided by ISP

LAN
IP: 192.168.0.251
Subnet:255.255.255.0
Gateway: none
DNS1: 192.168.0.254 (this is the domain controller IP)
DNS2: none

The errors in event viewer are with the WAN card. The LAN is the onboard card and the WAN is a PCI card.

DHCP is disabled in wingate and enabled in domain controller.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Postby adrien » Oct 18 05 3:27 pm

Hi

Where does the domain controller forward DNS queries to? If the WinGate machine (rather than say through it to a DNS server at your ISP), then you would need to make sure WinGate does not use your internal DNS server. Actually you should probably do this anyway. If you run

Start->Programs->WinGate->Advanced Options, select DNS, and enter the IP of your domain controller in there, then WinGate won't use that IP for its DNS, and will only use the external one. WinGate doesn't do any Active Directory lookups, so only wants an external DNS server.

That DNS error means that the proxy server was unable to register itself with the domain. This is done using dynamic DNS, which a 2000 or 2003 server provides.

Are you running MS DNS server on this domain controller?
Do any other computers get this error?
Do you get any event log warnings on the domain controller about this?
Do you see any entries in WinGate's firewall window for UDP on port 53?

The IP addresses etc look ok.

As for the other issue, if WinGate lies between the LAN and the WAN, you should set the default route settings in the DHCP server on your domain controller to allocate WinGate's IP as the default route. You will also need to make sure that no other machine that bridges between the LAN and the WAN will act as a gateway.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

LAN DNS

Postby bench » Oct 20 05 9:49 am

One question about using external DNS. The mail server is not running on the proxy server but on a separate server. How will the wingate client know to direct outlook to the mail server and not the proxy server?
I had this problem before: if I don't use the domain controller IP as the LAN's primary DNS in the proxy then it won't know where to look and outlook will simply fail to retrieve any e-mail.

Here's another event warning that has been coming up frequently everyday at different hours of the day.

Event Type: Warning
Event Source: BROWSER
Event Category: None
Event ID: 8021
Date: 10/19/2005
Time: 2:05:36 PM
User: N/A
Computer: W2KPRXYSVR
Description:
The browser was unable to retrieve a list of servers from the browser master \\W2KFP01 on the network \Device\NetBT_Tcpip_{08A8E2C1-1846-402C-B426-CBAE46721BC0}. The data is the error code.

I'm starting to think wingate is not set up right. Is there a scenario on how to set up wingate with an existing firewall and domain controller server, mail server and web server? How do I allow clients to not use wingate for local services and only for access outside the LAN?
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas
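The two event log warnings pasted in this thread (the DnsApi 11151 entries in the earlier post and the BROWSER 8021 entry above) are worth checking mechanically rather than by eye, so here is an added triage script (not from the thread or from Qbik) that parses Event Viewer text exports of that shape. It flags an 11151 where an internal .local suffix is being registered through public DNS servers, which is what the proxy's WAN card was doing; the sample export is constructed from the thread's own entries.

```python
import ipaddress
import re

# Constructed sample, modelled on the two entries quoted in the thread.
SAMPLE_EXPORT = r"""Event Type: Warning
Event Source: DnsApi
Event ID: 11151
Computer: W2KPRXYSVR
Description:
The system failed to register network adapter with settings:

Adapter Name : {AF834563-7256-4EF3-B57B-371CEC1CF3AD}
Host Name : w2kprxysvr
Adapter-specific Domain Suffix : ARIAS.LOCAL
DNS server list :
65.183.217.253, 65.183.217.254
Sent update to server : None
IP Address(es) :
65.183.223.245
The cause of this DNS registration failure was because of DNS server failure.
Event Type: Warning
Event Source: BROWSER
Event ID: 8021
Computer: W2KPRXYSVR
Description:
The browser was unable to retrieve a list of servers from the browser master \\W2KFP01 on the network \Device\NetBT_Tcpip_{08A8E2C1-1846-402C-B426-CBAE46721BC0}. The data is the error code.
"""


def parse_events(text):
    """Split an Event Viewer text export into dicts; the description goes under 'text'."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if chunk.startswith("Event Type:"):
            header, _, desc = chunk.partition("Description:")
            ev = {"text": desc.strip()}
            for line in header.splitlines():
                key, sep, value = line.partition(":")
                if sep:
                    ev[key.strip()] = value.strip()
            events.append(ev)
    return events


def parse_settings(description):
    """Read the 'Name : value' lines of an 11151 description; 'DNS server list' and
    'IP Address(es)' carry their value on the following non-empty line."""
    lines = [ln.strip() for ln in description.splitlines() if ln.strip()]
    settings, i = {}, 0
    while i < len(lines):
        key, sep, value = lines[i].partition(":")
        key, value, i = key.strip(), value.strip(), i + 1
        if not sep or not key or len(key) > 40 or "." in key:
            continue  # a prose sentence, not a setting line
        if not value and i < len(lines):
            value, i = lines[i], i + 1
        settings[key] = value
    return settings


def triage(events):
    """One finding per known warning, carrying what a defender needs to act on."""
    findings = []
    for ev in events:
        key = (ev.get("Event Source"), ev.get("Event ID"))
        if key == ("DnsApi", "11151"):
            s = parse_settings(ev["text"])
            servers = [x.strip() for x in s.get("DNS server list", "").split(",") if x.strip()]
            suffix = s.get("Adapter-specific Domain Suffix", "")
            # An AD suffix can only be registered with the internal DNS server; an
            # adapter that sends the update to public resolvers fails every time and
            # leaks the internal host and domain name to the outside.
            misrouted = (suffix.lower().endswith(".local") and bool(servers) and
                         not any(ipaddress.ip_address(x).is_private for x in servers))
            findings.append({"kind": "dns-registration-failed", "host": s.get("Host Name"),
                             "adapter": s.get("Adapter Name"), "suffix": suffix,
                             "dns_servers": servers, "ip": s.get("IP Address(es)"),
                             "misrouted": misrouted})
        elif key == ("BROWSER", "8021"):
            m = re.search(r"browser master (\\\\\S+) on the network (\S+)", ev["text"])
            findings.append({"kind": "master-browser-unreachable",
                             "master": m.group(1) if m else None,
                             "network": m.group(2).rstrip(".") if m else None})
    return findings
```

A misrouted finding is the cue to either remove the domain suffix from the WAN adapter or stop it registering its address in DNS; a BROWSER 8021 finding names the master browser and the NetBT binding to check on the LAN side.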

Postby adrien » Oct 20 05 11:16 pm

Are you seeing any entries in the firewall log for ports 137 - 139 UDP?

I'm wondering if it is firewalling some LAN traffic.

It should be ok to set the WinGate machine to use the AD server for DNS, however you need to stop WinGate itself from using the AD server for DNS:

1. Start->Programs->WinGate->Advanced Options
2. Select DNS tab
3. Enter the IP of your AD server.
4. Restart WinGate

That will stop WinGate using that DNS server.

As for Outlook using the AD server DNS to find Exchange, that's new to me - must be doing some sort of DNS-based active directory lookup.

Are you using WinGate's DHCP server or the AD server one? There should only be one running (probably the AD server one is best), but get it to set the default gateway to the IP of WinGate, and the DNS server to the AD server.

then all your clients will use the AD server for DNS, and it can refer to WinGate for Internet name lookups.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Done

Postby bench » Oct 21 05 4:14 am

OK, I have done what you suggested in putting the AD IP in the advanced options of wingate. DHCP is disabled in wingate and enabled in AD.

No entries for any of those ports only port 1080 so far.

Will make the change in the AD machine to assign wingate as the gateway and then test. Looks like we may be finally narrowing down the problem and finding a solution.

thanks.
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas

Postby adrien » Oct 21 05 10:15 am

Ok

Those hits on port 1080 - are they from the Internet I take it?

If so, that's a port scan for an open SOCKS server, so those are well worth blocking.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

system window

Postby bench » Oct 22 05 12:14 pm

OK, I have yet to change the gateway in AD but I have assigned the proxy and its IP in wingate client as the one to use at all times when before it was set to automatically detect it.

One thing I have noticed is that sometimes when a user logs on to the domain with their assigned user name and password the wingate client window pops up asking them for a username and password. The default name in username is system.
I tell them to put their username and password but it keeps asking them for it over and over again until they just click cancel and it goes away. If they try to surf the net it works fine but why does the window come up at startup? Shouldn't it be authenticating the users when they log on to the domain?

I also noticed in gatekeeper in the activity tab that some users are listed as authenticated but the word system is next to the PC name and not their username as it's the case with some other users.

One last question, some users log on to more than one machine with their username and password, does this have any effect in wingate?
bench
 
Posts: 77
Joined: Nov 10 04 4:46 am
Location: El Paso, Texas
