Access denied - why?



Postby pgr » Jan 11 07 1:36 am

Hi,

I'm trying to set up Wingate 6.2 to let me access the Internet from my Palm TX PDA, connecting through a Wireless Access Point.

My current configuration always requires authentication with the WGIC, so I realize that this won't be possible from the PDA and I'm trying to open other routes by allowing an assumed user by IP address, or adding permissions based on MAC address.

The problem is that, no matter how many config changes I try, I keep getting "access denied" errors on my PDA, while Wingate messages show "user pgr is requesting www.google.com", which is the correct (assumed) user.

I tried opening up permissions on System Policies, on Extended networking policies, on WWW Proxy policies, ... I'm a bit lost. Is there a way to trace WHY a particular "access denied" error occurs? Exactly which rule or policy is blocking it? The logs don't seem to contain any helpful info...

Thanks for any help.
pgr
 
Posts: 84
Joined: Dec 07 03 8:27 am

Postby adrien » Jan 11 07 2:11 am

Hi

Need to reverse the way you think about policies.

In all cases in WinGate there's only ever one reason access isn't granted. It's not because one or other policy is blocking it, but because no policy is granting it.

So to allow this PDA access, you need to add another recipient for access rights relating to the PDA, allowing it assumed-level access.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby pgr » Jan 11 07 3:15 am

Thanks for your answer, ... I probably have to explain better.

It's possible that there are policies blocking access because I do have such policies in place, controlling several aspects that are important in my network (certain groups can only access from certain locations, others have a quota limit).

This user pgr I think should be getting access by now, I gave it assumed access and I think Wingate is recognizing this, since it says that user pgr is requesting access (based on the IP address I specified).

I must be doing something contradictory (giving access on one place and denying it elsewhere), but I can't figure out where.

By the way, in which services should it be necessary to grant access? Would system Policies suffice? Or would the PDA have problems if I have restrictions in WWW Proxy, etc.?

Thanks again.
pgr

Postby adrien » Jan 11 07 3:34 am

Hi

Even though you can add entries to a banlist in a policy etc., what this does internally is prevent that recipient from granting access, so it's still not actually internally blocking it. Just not granting it.

When I talk about a recipient, I'm talking about the thing in the policies tab that shows the username and the restrictions. That's the granting of a right to a specified (or unspecified) user. That's why we called it a recipient. I guess we should call it a recipient policy. Anyway...

The access system goes through all recipients in there, and if any one of them grants access, then access is granted. It might just seem like a semantic issue, but there are subtle differences between this way and for instance a mechanism that stops evaluating policies once it finds something blocking (which WinGate doesn't do) and/or relies on order of evaluation of policy elements.

This is what makes it tough for us to put custom responses back on a per policy basis (but we're working on that). Cos each recipient policy doesn't know about any others that may exist, only about itself. WinGate asks each one "will you grant access for this session", and the recipient policy says yea or nay.

So in theory, it should be possible to get your user pgr working simply by adding a recipient where the user is pgr, may be assumed. You'll need an IP assumption as well.
adrien
Qbik Staff

Postby adrien » Jan 11 07 3:41 am

We also used to have a bug relating to policies where there was more than one recipient specified for specific users and the user level "may be assumed".

I'm hoping that hasn't crept back in. Do you have other recipients in there that may be assumed? If they are using the Java login, you can bump them up to "authenticated" and that should solve it if this is what's happening.

Adrien
adrien
Qbik Staff

Postby pgr » Jan 11 07 4:53 am

I don't suppose the bug you describe applies to my case: basically, until now I had everything set up so that no user can be assumed, and no service can be used by assumed users.

And all my recipients are groups, not individual users, except "Guest", which I would gladly leave out but it seems to be necessary for Wingate to work (most of my problems with Wingate are when some unidentified process starts accessing the Net, gets recognized as Guest, and no authentication box pops up in WGIC - then it gets no traffic because it's unauthenticated).

Thanks for your help, anyway I think I understand the logic a bit better now, I'll have to try it but I can only do it tomorrow. I can create a new user or a new group just for this purpose, that won't be a problem. I promise to post back my findings. Thanks.
pgr

Postby pgr » Jan 12 07 12:24 am

Ok, it's working now... here's a summary of configurations used, for future reference:

I set up the assumed user 'pgr' for a particular IP address.
I added a recipient to System policies specifying this user, with the following options:
-may be assumed
-advanced filter for requests only from a particular MAC address (the specific PDA I'm using).

Then I added this recipient also in WWW Proxy Service.

Finally, I had to add access also for the DNS service. Somehow (I didn't quite understand it) it worked erratically until I changed access for this service to allow 'Everyone'. It seems allowing user 'pgr' wasn't quite enough. I wonder if some DNS requests get sent as 'Guest', or if user assumption doesn't always work for DNS.

Is this a security problem, I mean, allowing everyone DNS access?
pgr
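The grant-only evaluation Adrien describes (every recipient is asked, any yes grants, a banlist only stops that one entry from granting, no ordering and no veto) and the configuration pgr settled on (an IP assumption, a "may be assumed" recipient restricted to one MAC, and a DNS grant to Everyone) can be modelled in a few lines. The following is an added illustration and not WinGate's code or API: every name in it (Session, Recipient, resolve_user, service_allows, first_match, pgr_policies) and the addresses are assumptions, and it evaluates each service's recipient list on its own rather than modelling how WinGate combines System policies with a service's policies.

```python
"""Toy model of grant-only proxy policy evaluation (added example, not WinGate code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LEVEL = {"unknown": 0, "assumed": 1, "authenticated": 2}

# Constructed sample data standing in for the thread's setup (addresses invented).
IP_ASSUMPTIONS = {"192.168.1.50": "pgr"}     # "assumed user 'pgr' for a particular IP"
PDA_MAC = "00:11:22:33:44:55"                # the PDA's MAC used by the advanced filter


@dataclass
class Session:
    ip: str
    mac: str
    user: str = "Guest"       # unidentified traffic shows up as Guest
    level: str = "unknown"    # unknown / assumed / authenticated


def resolve_user(s: Session, assumptions: Dict[str, str]) -> Session:
    """IP assumption: a matching source IP yields an *assumed* (not authenticated) user."""
    if s.ip in assumptions:
        s.user, s.level = assumptions[s.ip], "assumed"
    return s


@dataclass
class Recipient:
    """One entry in a service's Policies tab: the grant of a right to a user or group."""
    user: str                                   # a user name or "Everyone"
    min_level: str = "authenticated"            # "assumed" models 'may be assumed'
    mac_filter: Optional[str] = None            # advanced filter: requests from this MAC only
    banlist: Set[str] = field(default_factory=set)  # users this entry refuses to grant

    def grants(self, s: Session) -> bool:
        """Answer the question 'will you grant access for this session?'"""
        if s.user in self.banlist:
            return False          # a ban stops only *this* entry from granting
        if self.user not in ("Everyone", s.user):
            return False
        if LEVEL[s.level] < LEVEL[self.min_level]:
            return False
        if self.mac_filter and self.mac_filter.lower() != s.mac.lower():
            return False
        return True


def service_allows(recipients: List[Recipient], s: Session) -> bool:
    """Grant-only: every entry is asked, any yes grants, order is irrelevant, nothing vetoes."""
    return any(r.grants(s) for r in recipients)


def first_match(rules: List[Tuple[str, Recipient]], s: Session) -> bool:
    """Contrast: an ordered allow/deny list that stops at the first matching entry."""
    for action, r in rules:
        if r.grants(s):           # here 'grants' serves only as the match test
            return action == "allow"
    return False


def pgr_policies() -> Dict[str, List[Recipient]]:
    """The per-service recipients pgr ended up with (DNS opened to Everyone)."""
    pda = Recipient("pgr", min_level="assumed", mac_filter=PDA_MAC)
    return {
        "System":    [Recipient("Users"), pda],
        "WWW Proxy": [Recipient("Users"), pda],
        "DNS":       [Recipient("Everyone", min_level="unknown")],
    }


def demo() -> Dict[str, object]:
    pol = pgr_policies()
    pda = resolve_user(Session("192.168.1.50", PDA_MAC), IP_ASSUMPTIONS)
    # Same IP, hence the same assumed user, but another MAC: the advanced filter refuses it.
    other = resolve_user(Session("192.168.1.50", "66:77:88:99:aa:bb"), IP_ASSUMPTIONS)
    # An unidentified host: no assumption matches, so it stays Guest/unknown.
    guest = resolve_user(Session("192.168.1.99", "aa:aa:aa:aa:aa:aa"), IP_ASSUMPTIONS)
    # A banlist on one entry is not a block: the pda entry still grants pgr.
    pol["WWW Proxy"].insert(0, Recipient("Everyone", min_level="assumed", banlist={"pgr"}))
    # DNS before pgr's change: only authenticated users, so the assumed PDA is refused.
    dns_before = [Recipient("Users")]
    # The same two kinds of entry under first-match semantics: the deny is hit first.
    ordered = [("deny", Recipient("Everyone", min_level="assumed")), ("allow", pol["System"][1])]
    return {
        "pda_user": (pda.user, pda.level),
        "pda_www": service_allows(pol["WWW Proxy"], pda),
        "pda_dns_before": service_allows(dns_before, pda),
        "pda_dns_after": service_allows(pol["DNS"], pda),
        "other_mac_www": service_allows(pol["WWW Proxy"], other),
        "guest_dns": service_allows(pol["DNS"], guest),
        "ordered_denies_pda": first_match(ordered, pda),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

Two things the model makes visible. The "Everyone" entry on DNS grants any host that reaches the service, identified or not, which is exactly the exposure pgr asks about; and the IP assumption hands the assumed identity to whichever host holds that address, so the MAC filter is only a second, equally spoofable attribute on a wireless segment, not authentication.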

Postby adrien » Jan 12 07 1:00 am

Thanks for that.

User assumptions should work for DNS as well. But normally it's not a great thing to block DNS; it can make debugging issues quite a lot of fun...

Adrien
adrien
Qbik Staff