WinGate Forums

[ITSN]

Hello everyone,

I'm using Wingate 6.1.2 and the “WWW Proxy server” and I've got two policies defined.

1: Group1 has unlimited Internet access
2: Group2 has limited (between certain hours) Internet access

Now I would like to block an URL by using Wingate. So I've made an new "WWW Proxt server" policy in the following way:

- selected the "User must be authenticated" option
- at the tab "Ban list" enabled the "Enable ban list" and clicked "Add"
- Selected “This criterion is met if”, select “HTTP URL”, selectr “contains” and enterd a part of the URL
- clicked “OK”.

I've tested this on a user, but the user reports that he is still able to browse to that URL.

What have I forgot?

[jamesc]

1: Group1 has unlimited Internet access
2: Group2 has limited (between certain hours) Internet access

---> If the user is in both policies, the least permissive policy is let through.

For Example.
Policy 1 for user James: Must be Authed, BAN List HTTP URL Contains google.
Policy 2 for Everyone: Must be Authed, Full access.

James's access --> Full Access, because he is part of the Everyone Group, and the least permissive policy is let through.

I've tested this on a user, but the user reports that he is still able to browse to that URL.

---> And the user has specified the correct proxy server in their Web Browser?

**You might also want to turn on the Transparent Proxy on in WinGate; also known as "Intercepts". Below is an image of turning on intercepts for Port 80 on the WWW Proxy Server. What that does is:

When someone is using a NAT or WinGate Internet Client connection method, WinGate can detect if those connection methods are trying to access a remote server on port 80, if they are, WinGate will "Intercept" those connections, and push them up through the WWW Proxy Server so the users can get the benefits of caching / gateway rotation / data scanning / policies etc..

[jamesc]

By the way, you should upgrade to 6.1.3.

[ITSN]

In my case I've got an user named Trees.

Trees is a member of the group Group1. Furthermore, I've made a policy stating that user Trees Must be "Authed, BAN List HTTP URL Contains google"

As you recommended, I've turned on "Transparent proxy". Users are using the correct proxy settings. The requests are listed in Wingate logging.

Still, Trees is able to access google. Is this because the "unlimited internet" policy overrules the "BAN" policy?

How should I configure my rules to catch this problem? Should I remove the user from the "unlimited internet" policy and configure Internet access in the BAN policy as well?

[jamesc]

Still, Trees is able to access google. Is this because the "unlimited internet" policy overrules the "BAN" policy?

Can you let me know what your Default Rights are set to in your WWW Proxy Polices?



"Are Ignored" = Do not check the policies in the Default Rights (System Policies)

"May be used instead" = If the WWW Proxy Denies access to the request, then check if the System Policies allow it; if it does, grant the user access.

"Must also be granted" = If the WWW Proxy allows the request, then it must also be allowed in the System Policies.

[ITSN]

The Default is set for "May be used instead".

I conclude from your explanation that I should change the Default Rights to "Must also be granted".

Is this a correct conclusion?

[jamesc]

As a test for the WWW Proxy Server policy, I would set to Ignore.

*How the individual policies interact with the System policies is specific to your desired result; it needs a small amount of consideration and planning; hence setting to ignored for testing purposes is probably the best in this case.

[ITSN]

I've set it to "Ignore" but the user is still able to open the URL.

Switching between the 3 options does not have an impact on the client.

I've also removed the user from Group1. She is still able to op the URL.

[jamesc]

So you can see that the user is authenticating as the correct user in the Activity tab of GateKeeper? If you cannot find the issue, please send in the following:

http://support.qbik.com/index.php?_a=tickets&_m=submit

1. WinGate Registry.
GateKeeper --> Options menu --> Advanced --> Save Registry

2. WinGate Config Report
GateKeeper --> Options menu --> Advanced --> Save Config Report

3. ipconfig/all from the WinGate Server
(Windows) Start menu --> Run --> cmd --> ipconfig/all >> C:\ipa.txt

[ITSN]

I can see that the user is authenticating as the correct user in the Activity tab of GateKeeper.

I've requested a ticket and have attached the

1. WinGate Registry.
2. WinGate Config Report
3. ipconfig/all from the WinGate Server

Thanks for the support so far

[jamesc]

Your Ban List policy should be:

HTTP URL Contains nu.nl

You have HTTP URL Equals nu.nl

[ITSN]

Good morning James,

What an incredible dumb error. I've overlooked that one completely.

After correcting it, the URL is blocked nicely.

Thank you for the quick responce.

[jamesc]

Great to hear!

Let us know if you have any more problems aligning WinGate to your desired result.