We've got the current policy set up on the www service so that users must be authenticated via NTLM - default system policies are ignored. This works a treat with Internet Explorer and the user's name shows up fine.
However, we use WebEx a lot for meetings and this is having trouble with the proxy. WebEx connects via SSL but doesn't appear to authenticate correctly - the system window has errors listed against the guest user associated with the web.com domain. I assume this is because WebEx is not using NTLM in the same way as IE.
I thought I'd relax the ignored default system policies and this does indeed allow WebEx to connect. However, with this option on, nobody seems to bother authenticating anymore and all activity is recorded against guest. I kind of expected the Everyone policy explicitly listed to have some sort of priority over the default system policy but it doesn't seem so.
What we need is for the user to authenticate if they use NTLM but then appear as a guest if they don't authenticate.
We currently don't have the WinGate client installed (we're a terminal server environment so don't just throw things on there :-) but would that maybe help in that we'd not have to use NTLM authentication.
Thanks, Rob.
WebEx problem
Moderator: Qbik Staff
4 posts
• Page 1 of 1
by adrien » Apr 26 06 11:53 pm
Hi Rob
Policies are additive. That means if you have one policy that grants all authenticated users access, and another that grants anyone access to anything, then the nett combination of these is that anyone can do anything.
WinGate tries to grant access at the lowest level of authentication, so the system policy is making it unnecessary for people to authenticate to meet policy.
The WinGate Client could actually help you out here, since it will auth, and associate connections from whatever apps with an authed user account.
Adrien
Policies are additive. That means if you have one policy that grants all authenticated users access, and another that grants anyone access to anything, then the nett combination of these is that anyone can do anything.
WinGate tries to grant access at the lowest level of authentication, so the system policy is making it unnecessary for people to authenticate to meet policy.
The WinGate Client could actually help you out here, since it will auth, and associate connections from whatever apps with an authed user account.
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
WGIC
by munrobasher » Apr 27 06 3:08 am
Hi Adrien,
I've installed the WGIC client on my own PC and that's working fine with WebEx. I assume this is because it's hooked into winsock and is working at a lower level than NTLM in IE, i.e. all TCP/IP traffic is now going via the client.
Out of interest, concerning the WGIC. If a laptop user boots up not connected to the network with their own dial-up or wireless connection (etc), will WGIC handle the situation cleanly? A problem we have at the moment is that a laptop user has the proxy in the registry so when they connect remotely, they have to remove the proxy by hand.
Thanks, Rob.
I've installed the WGIC client on my own PC and that's working fine with WebEx. I assume this is because it's hooked into winsock and is working at a lower level than NTLM in IE, i.e. all TCP/IP traffic is now going via the client.
Out of interest, concerning the WGIC. If a laptop user boots up not connected to the network with their own dial-up or wireless connection (etc), will WGIC handle the situation cleanly? A problem we have at the moment is that a laptop user has the proxy in the registry so when they connect remotely, they have to remove the proxy by hand.
Thanks, Rob.
- munrobasher
- Posts: 67
- Joined: Apr 22 06 4:20 am
by adrien » Apr 27 06 11:19 am
hi Rob
When you have WGIC installed, and you aren't connected to a network that has WinGate on it, i.e. you're at home with your laptop, then when a client application tries to make a connection, WGIC will try and connect to the last known WinGate server.
When it can't do this, it pops up a dialog box saying it can't access the server, and does the user wish it to try to find other servers. If you click no then, I'm pretty sure that the WGIC will basically take itself out of the loop.
One way to test this on your LAN would be to temporarily disable the GDP and Winsock Redirector Service in WinGate. Shouldn't be an issue if you're the only one using it.
Adrien
When you have WGIC installed, and you aren't connected to a network that has WinGate on it, i.e. you're at home with your laptop, then when a client application tries to make a connection, WGIC will try and connect to the last known WinGate server.
When it can't do this, it pops up a dialog box saying it can't access the server, and does the user wish it to try to find other servers. If you click no then, I'm pretty sure that the WGIC will basically take itself out of the loop.
One way to test this on your LAN would be to temporarily disable the GDP and Winsock Redirector Service in WinGate. Shouldn't be an issue if you're the only one using it.
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
4 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 2 guests