Policy Logic


Postby ngtech » Jun 20 06 3:42 pm

Dear All,
I am having difficulty understanding how WinGate policy works.
Just to list one of them: setting System Policy to
Server name = MailServer AND server port = 110.
When I do "telnet MailServer 110", it fails to connect to the port.

When I change the server name to its IP by setting System Policy to
Server IP = xxx.xxx.xxx.xxx AND server port = 110,
I can connect to the port using "telnet MailServer 110".

P.S. I only set policies using the system policy, except for DNS & DHCP, which are set to Everyone with unrestricted rights.

Please kindly advise.

Regards,
CL
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby jamesc » Jun 20 06 7:19 pm

Is this with the NAT or WinGate Internet Client connection method?

The DNS is resolved on the LAN client, and then the IP address is sent to the WinGate server; hence the IP address policy worked, but the server name did not. *You also need to be careful when using "Equals" server name, as you have mentioned in your post; I usually use "Contains" unless I am absolutely certain.

*If you were to use the Proxy connection method, it would work, because the DNS is resolved on the WinGate server.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand
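The point jamesc makes above (the gateway can only match a server-name criterion if it ever sees the name) is easy to see in a small model. The following is an added example, not code from WinGate or from either poster: it treats a request as the tuple of attributes the gateway actually has for each connection method, and evaluates a system-policy recipient as an AND of its criteria. The host name, the 192.0.2.10 address and the "domain" match operator are constructed for the example; WinGate's own operators, per the thread, are "Equals" and "Contains".

```python
"""Why a 'server name' criterion matches under the proxy method but not NAT/WGIC."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: what the LAN client's own resolver returns for the mail host.
# 192.0.2.0/24 is a documentation range; the real address in the thread is not given.
LAN_DNS = {"mailserver": "192.0.2.10"}


@dataclass(frozen=True)
class Request:
    method: str                   # "nat", "wgic" or "proxy"
    server_ip: str
    server_port: int
    server_name: Optional[str]    # None when the gateway never receives a hostname


def client_connects(method: str, hostname: str, port: int) -> Request:
    """Build the request as the gateway sees it for each connection method.

    NAT and WinGate Internet Client: the client resolves the name itself and the
    gateway only sees the resulting IP:port pair.
    Proxy: the client hands the name to the gateway, which resolves it, so the
    name is available to the policy engine.
    """
    ip = LAN_DNS[hostname.lower()]
    if method in ("nat", "wgic"):
        return Request(method, ip, port, None)
    if method == "proxy":
        return Request(method, ip, port, hostname)
    raise ValueError(f"unknown connection method: {method}")


def name_matches(actual: str, pattern: str, op: str) -> bool:
    """Compare host names case-insensitively, ignoring a trailing dot."""
    a, p = actual.lower().rstrip("."), pattern.lower().rstrip(".")
    if op == "equals":
        return a == p
    if op == "contains":
        return p in a
    if op == "domain":
        # Assumed stricter alternative (not a WinGate operator): the exact host or
        # any subdomain of it, so "windowsupdate.com.attacker.example" does not match.
        return a == p or a.endswith("." + p)
    raise ValueError(f"unknown operator: {op}")


def rule_matches(req: Request, *, server_name: Optional[str] = None,
                 server_ip: Optional[str] = None, server_port: Optional[int] = None,
                 name_op: str = "equals") -> bool:
    """All criteria that are set must hold (AND), like a system-policy recipient."""
    if server_port is not None and req.server_port != server_port:
        return False
    if server_ip is not None and req.server_ip != server_ip:
        return False
    if server_name is not None:
        if req.server_name is None:
            return False  # the criterion can never match a name the gateway did not see
        if not name_matches(req.server_name, server_name, name_op):
            return False
    return True


if __name__ == "__main__":
    for method in ("nat", "wgic", "proxy"):
        req = client_connects(method, "MailServer", 110)
        by_name = rule_matches(req, server_name="MailServer", server_port=110)
        by_ip = rule_matches(req, server_ip="192.0.2.10", server_port=110)
        print(f"{method:5s} name-rule={by_name!s:5s} ip-rule={by_ip}")
```

Two practical consequences follow from the model. A name-based allow rule under NAT or WGIC is not just ineffective but silently fails closed for everything it was meant to admit, which is the symptom in the first post. And "Contains" trades that problem for over-matching: it will also admit any hostname that merely embeds the pattern, so where a name rule is used to allow rather than ban, an exact or subdomain-style match is the safer choice.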

Postby ngtech » Jun 21 06 3:45 pm

With the correct logic, now everything behaves so logically. Thanks!
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby ngtech » Jun 22 06 4:31 pm

Here is another one.
I set the System Policy to allow only DHCP clients to surf the net, but it seems that manually assigned IPs can also surf the net.

What is the logic?
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby jamesc » Jun 23 06 7:48 pm

1. Do you have any other policies in your system policies? The least permissive policy will be allowed through.

2. How did you create the policy to only allow access from DHCP Clients?

3. Is WinGate the DHCP server?

4. For the server / service that the clients with static IP addresses are connecting to, is it set to check the default rights? Below is an example WWW Proxy Service, and the setting that can be changed regarding the Default Rights (System Policies)

[screenshot: WWW Proxy Service policies, Default Rights (System Policies) setting]


"Are Ignored" = Do not check the policies in the Default Rights (System Policies)

"May be used instead" = If the WWW Proxy Denies access to the request, then check if the System Policies allow it; if it does, grant the user access.

"Must also be granted" = If the WWW Proxy allows the request, then it must also be allowed in the System Policies.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand
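The three Default Rights settings jamesc lists are a small combination rule between the service's own policy and the system policy. The following is an added example in Python, not WinGate's code, that encodes the three modes exactly as described above and then applies them to the configuration the poster describes in this thread (no users granted in the service policy, default rights "May be used instead"). The user name and the `service_policy_allows` helper are constructed for the example.

```python
"""How a WinGate service's Default Rights setting combines with the system policy."""
from enum import Enum
from typing import Dict, FrozenSet, Tuple


class Mode(Enum):
    IGNORED = "Are Ignored"
    MAY_BE_USED_INSTEAD = "May be used instead"
    MUST_ALSO_BE_GRANTED = "Must also be granted"


def final_decision(service_allows: bool, system_allows: bool, mode: Mode) -> bool:
    """Combine the service policy result with the system policy result.

    "Are Ignored":          the system policies are never consulted.
    "May be used instead":  a service-level deny is retried against the system
                            policies, so either one allowing is enough.
    "Must also be granted": a service-level allow still needs the system policies
                            to allow it as well.
    """
    if mode is Mode.IGNORED:
        return service_allows
    if mode is Mode.MAY_BE_USED_INSTEAD:
        return service_allows or system_allows
    if mode is Mode.MUST_ALSO_BE_GRANTED:
        return service_allows and system_allows
    raise ValueError(mode)


def service_policy_allows(granted_users: FrozenSet[str], user: str) -> bool:
    """Assumed simplification: a service policy with no users listed denies everyone."""
    return user in granted_users


def effective_in_thread_setup(system_allows: bool, user: str = "alice") -> bool:
    """The poster's layout: empty service policy + 'May be used instead'.

    The service denies every request, so the system policy alone decides.
    """
    service_allows = service_policy_allows(frozenset(), user)
    return final_decision(service_allows, system_allows, Mode.MAY_BE_USED_INSTEAD)


def truth_table() -> Dict[Tuple[str, bool, bool], bool]:
    """All twelve (mode, service result, system result) combinations."""
    return {
        (mode.value, svc, sysp): final_decision(svc, sysp, mode)
        for mode in Mode
        for svc in (False, True)
        for sysp in (False, True)
    }


if __name__ == "__main__":
    for (mode, svc, sysp), result in truth_table().items():
        print(f"{mode:22s} service={svc!s:5s} system={sysp!s:5s} -> {result}")
```

The table makes the security posture of each mode explicit. Under "May be used instead" a service-level deny can never block a request the system policy allows, so the service policy cannot be used to tighten access; if the intent is that both layers must agree, "Must also be granted" is the setting to choose.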

Postby ngtech » Jun 23 06 9:52 pm

A1. Other than DHCP, DNS & Remote Control, all are set to follow the system policy. (No one is granted in the service policy, with default rights "May be used instead".)

A2. In the system policy, properties for recipients, under "specify which requests this recipient has rights for", Client is a DHCP client is TRUE. This is the only rule.

A3. Yes

A4. I think A1 is the answer you ask.

P/S: I assign the policy by group, each user only assigned to 1 group.
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby jamesc » Jun 23 06 10:14 pm

Thanks for the details.

A1. Other than DHCP, DNS & Remote Control, all are set to follow the system policy. (No one is granted in the service policy, with default rights "May be used instead".)


---> Ok, thanks for that. Just confirming you have the correct policies / system policy usage for these services:
(NAT) GateKeeper --> Extended Networking Service --> Policies:
(WGIC) GateKeeper --> Winsock Redirector Service --> Policies:
(Proxy) GateKeeper --> WWW Proxy Server --> Policies:
(Socks) GateKeeper --> Socks Proxy Server --> Policies:

Each has the default rights set to "May be used instead", and there are no group or user policies in those particular services/servers.


A2. In the system policy, properties for recipients, under "specify which requests this recipient has rights for", Client is a DHCP client is TRUE. This is the only rule.


So your policy looks like this.

[screenshot: system policy recipient with "Client is a DHCP client" = TRUE, created on WinGate 6.1.3]




If you cannot resolve it, then I think we will need to look at your settings; I just created the policy on WinGate 6.1.3 shown above and it worked as expected.


1. WinGate Registry.
GateKeeper --> Options menu --> Advanced --> Save Registry

2. WinGate Config Report
GateKeeper --> Options menu --> Advanced --> Save Config Report

3. ipconfig /all from the WinGate server
(Windows) Start menu --> Run --> cmd --> ipconfig /all >> C:\ipa.txt
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby ngtech » Jun 23 06 10:16 pm

BTW, I foresee that in the future I might use Windows Server DNS & DHCP. Will it cause any sacrifice of features?
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby jamesc » Jun 23 06 10:24 pm

If you use Windows DHCP, then you will not be able to use the following policies:

1. DHCP Client policies
2. MAC Address policies
3. Computer name policies


With regards to DNS:
If you are in an Active Directory network, it is an MS requirement for the LAN clients to have their DNS pointing towards the AD DNS server. If WinGate has the AD DNS address on its network card as well, then we usually recommend excluding that from WinGate's DNS lookup process; to do that you add the AD DNS address into:
(Windows) Start menu --> Programs --> WinGate --> Advanced Options --> DNS

When using an AD DNS for internet resolution, usually you need to forward it to another DNS server; it could be WinGate’s DNS, the Hardware routers DNS or the ISPs DNS.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby ngtech » Jun 23 06 10:27 pm

Jamesc, can I have your email pls?
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby jamesc » Jun 23 06 10:32 pm

Sure, I believe you can see the email button below my post?

Actually, it is probably best to send it to our support desk, so if I am not available, my other colleagues can answer.

http://support.qbik.com/index.php?_a=tickets&_m=submit
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby ngtech » Jun 23 06 10:39 pm

I can't submit because I haven't bought the license yet. I can't see the email button either... is that because I am an evaluation user as well?
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby jamesc » Jun 23 06 10:48 pm

jamesc -at- wingate.com
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby ngtech » Jun 24 06 1:39 pm

I already sent you the attachment. In the meantime, can I know what SYN cookies are? What do they do?
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby jamesc » Jun 24 06 3:17 pm

WWW Proxy. No users in policies and the default rights may be used instead.
Extended Networking Service. No users in policies and the default rights may be used instead.


So you have four different policies in the default rights.

1. Admin Group, full access. Must be Authed
2. Group1 Must Be DHCP Client. May be Authed
3. Group2 Must Be DHCP Client. May be Authed
4. Guests, limited access. May be unknown


a) Are the people with statics just testing with the addresses that the guests can access?
b) Are the static ip addresses logged in with the Administrator user?
c) What user is shown in the Activity tab of GateKeeper when the Static IP Addresses connects?
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby ngtech » Jun 24 06 4:14 pm

a. Actually, I am testing whether the policy is functioning. I assigned a range of IPs that can access the internet (assumed users). So I want to make sure that users who manually assign themselves IPs in this range won't be granted access.

b. They are logged in as a user under Group1.

c. It shows the static IP as a user that is under Group1 (assumed).
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby ngtech » Jun 29 06 3:24 pm

Find out the solution yet?
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby ngtech » Jul 01 06 1:04 pm

What is going on??
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm

Postby jamesc » Jul 02 06 1:08 am

Sorry for the delay. I will look at this on Monday when I am at work.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby jamesc » Jul 03 06 4:53 pm

Client is a DHCP Client = True.

This is based off what IP Addresses have been previously distributed by WinGate’s DHCP Server; not who it had been distributed to.

*I also thought it worked as you expected, sorry for my mistake and delay.

**Also, I noticed that in some of your BAN Lists, you are using "Equals windowsupdates.com"; I would suggest using "Contains windowsupdate.com"
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand
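jamesc's explanation above is the crux of the whole thread: "Client is a DHCP client" tests the address, not the host, so a machine that statically configures an address the DHCP server has handed out before passes the test. The following is an added example, not WinGate's code: a toy lease table, the address-only check as described, and, for contrast, an assumed stricter check that also binds the lease to the MAC address currently using it (WinGate is not stated to do this; the MAC addresses, pool and hostnames are constructed for the example).

```python
"""Why an address-based 'is a DHCP client' test does not stop statically configured hosts."""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


class DhcpServer:
    """Minimal stand-in for the gateway's DHCP lease table (constructed for the example)."""

    def __init__(self, pool: Iterable[str]) -> None:
        self.pool = list(pool)
        self.leases: Dict[str, Lease] = {}  # ip -> lease, kept after hand-out

    def lease(self, mac: str, hostname: str) -> Lease:
        for ip in self.pool:
            if ip not in self.leases:
                granted = Lease(ip, mac.lower(), hostname)
                self.leases[ip] = granted
                return granted
        raise RuntimeError("address pool exhausted")


def is_dhcp_client_by_ip(server: DhcpServer, client_ip: str) -> bool:
    """The semantics described in the thread: True if this address was ever
    distributed by the DHCP server, regardless of who is using it now."""
    return client_ip in server.leases


def is_dhcp_client_by_binding(server: DhcpServer, client_ip: str, client_mac: str) -> bool:
    """Assumed stricter check (not a WinGate feature): the address must be leased
    AND the MAC now using it must be the lease holder.  MAC addresses can be
    forged too, so this narrows the gap rather than closing it."""
    lease = server.leases.get(client_ip)
    return lease is not None and lease.mac == client_mac.lower()


def scenario() -> Dict[str, bool]:
    """Legitimate laptop gets a lease; a rogue host then statically reuses that address."""
    srv = DhcpServer(["192.0.2.20", "192.0.2.21"])   # constructed documentation-range pool
    legit_mac = "00:11:22:33:44:55"
    rogue_mac = "66:77:88:99:aa:bb"
    legit = srv.lease(legit_mac, "laptop1")
    return {
        "legit_by_ip": is_dhcp_client_by_ip(srv, legit.ip),
        "legit_by_binding": is_dhcp_client_by_binding(srv, legit.ip, legit_mac),
        # The rogue host wins with the address-only test: the address was leased before.
        "rogue_by_ip": is_dhcp_client_by_ip(srv, legit.ip),
        "rogue_by_binding": is_dhcp_client_by_binding(srv, legit.ip, rogue_mac),
        # An address never handed out fails both tests.
        "unleased_static_by_ip": is_dhcp_client_by_ip(srv, "192.0.2.99"),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:24s} {result}")
```

Because the rogue host only has to pick an address the server has previously handed out, the condition is a convenience filter rather than an access control. The thread's own stronger option is the "Must be Authed" policy on the Admin group: tie internet access to an authenticated user rather than to a network address or a MAC, both of which a client chooses for itself.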

Postby ngtech » Jul 03 06 10:31 pm

Hi, that means it is not possible to make it so that only PCs that are using DHCP are granted the permission? I think it is quite a useful condition to have.

jamesc wrote:Client is a DHCP Client = True.

This is based off what IP Addresses have been previously distributed by WinGate’s DHCP Server; not who it had been distributed to.
ngtech
 
Posts: 42
Joined: Jun 20 06 3:11 pm
