SOS SOS: NAT policies don't enforced correctly???

Postby gjethro » Dec 11 03 6:46 pm

In order to grant different NAT rights to different people, I set 2 groups:
FullAccess and CustomerService

I use wingate 5.2.0 on windows 2000 server sp3 english edition.

The setting is:

System policies:
--Right:Users can access this service
--Is granted to:
FullAccess
--Recipient: User must be authenticated

Extended Network Driver Policies:
--Right:Users can access this service
--Is granted to:
CustomerService
--Recipient: User must be authenticated
--Ban List: Enable ban list
--Server IP address equals "xxx.xxx.xxx.001"
--Advanced:Specify which requests this recipient has rights for
--Customer1
-- Server IP address equals "xxx.xxx.xxx.002"
--Default rights(System policies) may be used instead

The result is:
--Users belonging to the FullAccess group have all access, it's OK.
--Users belonging to the CustomerService group also have all access, even to the server whose IP is "xxx.xxx.xxx.001". This should be wrong.
--After deleting CustomerService from the "Is granted to" list, users belonging to the CustomerService group have no access to NAT, it's OK.

Please help!!!
Last edited by gjethro on Dec 12 03 2:20 am, edited 1 time in total.
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Postby adrien » Dec 11 03 6:58 pm

When you choose default rights "may be used instead", that is the same as saying either the rights for the service OR the system rights may be used. Whichever grants access will be used.

Since your system rights for Full access grant unrestricted rights to authenticated users, those are the rights that will be granted.

If you want to override, you have to not use the default policies as well.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Adrien, you misunderstand me!!!

Postby gjethro » Dec 11 03 7:13 pm

Adrien,

I do know what you said, but you didn't read the question carefully, please!

I don't want to override, just want to grant different NAT rights to different user groups.

thanks.
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Postby adrien » Dec 11 03 9:17 pm

I understand that.

A common mistake with WinGate policies is not understanding that rights are granted in parallel. If you create a recipient for a right and only want it to apply to certain people, you need to make sure that other recipients don't grant the right to the wrong people.

In your case, your system policies grant access to everything for anyone who is authenticated. So, no matter what, if a proxy can use the system policies, then if a user is authenticated, they can do anything, because you allow them to in the system policies.

One way to do what you want is to set up the WWW proxy policies so that "system rights are ignored", then create 2 recipients in there - one for each group that you wish to control - which limits each group to the access you desire.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Thanks, but you still misunderstand me!!!! Please read my explanation.

Postby gjethro » Dec 11 03 10:12 pm

I do know the difference between
Default rights(System policies)
--are ignored
--may be used instead
--Must also be granted
AND
the relationship of System policy and Service policy

"In your case, your system policies grant access to everything for anyone who is authenticated"
is not right, should be
"In your case, your system policies grant access to everything for anyone who is authenticated and belongs to FullAccess group"

Also, the same setting for the WWW proxy policies is OK, and for the other proxies it is also OK. But I want to apply it to NAT. What should I do?
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Postby ChrisH » Dec 12 03 3:33 am

gjethro,

I have found that if Transparent Redirection is enabled on WWW Proxy (or any other proxy) AND you want to restrict NAT or WGIC, only the Proxy policy is applied, not the NAT or WGIC policy (except for authentication). In your case I would suggest that you only apply the policy you have for NAT to the WWW Proxy as long as TR is enabled - it doesn't matter what the NAT policy is, as the WWW Proxy policy takes precedence. If you have other applications that don't use proxies then NAT policies apply. To me, it seems that WG redirects traffic to the proxy after authentication without first checking the NAT or WGIC policy.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

I don't enable Transparent Redirection on any proxy

Postby gjethro » Dec 12 03 2:53 pm

ChrisH,

I don't enable Transparent Redirection on WWW Proxy (or any other proxy). I just want to use NAT. How do I achieve my target?

thanks
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Postby adrien » Dec 12 03 6:08 pm

Hi

You are right, I missed that point. I will check and validate that the system works for server IP in the ban list for NAT sessions.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby adrien » Dec 12 03 6:34 pm

I just checked, and the banlist rule for server ip is honoured correctly.

I think the problem lies in your IP address definition. You probably need to take out the leading zeroes, since the IP is converted to a string, then a string comparison is made with the IP you specify. Since conversion to a string does not include leading zeroes, then the string comparison would fail.

However, policies in the ENS are slightly different to policies in a proxy, for instance.

With the ENS, particularly for TCP connections, the way the policies work is that the initial packet which creates the connection (remembered in the ENS as a "hash entry") is forwarded unless denied by the port security settings.

The policies on the other hand are applied once the connection is notified to the wingate engine, which is after the first packet has been transmitted through the NAT. If the new NAT session (which is created as a result of this notification) fails the policies, then the session is terminated in the engine, and notification sent to the ENS to destroy the hash entry, which sends FIN packets to each end. This closes the connection.

So, what you will see if you ban something in the policies in the ENS, is that the connection will appear to succeed, then be terminated.

The timing between when a connection is set up then torn down again is dependent on loading on the server, so normally this is an effective block over 99% of the time. It would only be under heavily loaded systems on high speed connections talking to servers with low latency that more than a couple of packets would make it through the connection before it was terminated.

This means that some packets will come through.

However I don't think this is significant in your case, since you said when you removed the additional recipient, it behaved as you expected.

That means the problem lies in this additional recipient you created, since with it gone, it behaves as it should, and with it there, it doesn't. So I would check the way you have defined IP addresses.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
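An added example, not WinGate code or anything posted in this thread: a small Python model of the policy combination Adrien describes above (recipients evaluated in parallel, the three "Default rights (System policies)" modes, a ban list and an "Advanced" request filter on server IP), including the leading-zero normalisation from his earlier reply. The recipient fields and the function names are my own assumptions about the semantics, not WinGate's API.

```python
# Added example (not WinGate's code): a model of how the policy pieces
# described in this thread combine, so the expected outcome of gjethro's
# setup can be checked. Assumptions: a recipient grants the right only if
# every one of its conditions holds; recipients are evaluated in parallel
# (any one that grants is enough); the default-rights mode decides how the
# service result is combined with the system result.
from dataclasses import dataclass, field
from typing import Optional


def canonical_ip(text: str) -> str:
    """Normalise a dotted quad so "203.194.181.048" and "203.194.181.48"
    compare equal. A raw string comparison of those two fails, which is
    the leading-zero pitfall Adrien describes above."""
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {text!r}")
    values = [int(o) for o in octets]
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range: {text!r}")
    return ".".join(str(v) for v in values)


@dataclass
class Recipient:
    group: str                                       # "Is granted to"
    require_auth: bool = True                        # "User must be authenticated"
    ban_servers: set = field(default_factory=set)    # Ban List: server IP equals
    allowed_servers: Optional[set] = None            # Advanced request filter; None = any


@dataclass
class Session:
    groups: set
    authenticated: bool
    server_ip: str


def recipient_grants(r: Recipient, s: Session) -> bool:
    if r.group not in s.groups:
        return False
    if r.require_auth and not s.authenticated:
        return False
    server = canonical_ip(s.server_ip)
    if server in {canonical_ip(b) for b in r.ban_servers}:
        return False
    if r.allowed_servers is not None:
        if server not in {canonical_ip(a) for a in r.allowed_servers}:
            return False
    return True


def grants(recipients, s: Session) -> bool:
    # Recipients are evaluated in parallel: any one that grants is enough.
    return any(recipient_grants(r, s) for r in recipients)


def access_allowed(service_recipients, system_recipients, default_mode, s):
    service = grants(service_recipients, s)
    system = grants(system_recipients, s)
    if default_mode == "are ignored":
        return service
    if default_mode == "may be used instead":
        return service or system
    if default_mode == "must also be granted":
        return service and system
    raise ValueError(f"unknown default-rights mode {default_mode!r}")


# gjethro's setting as posted in the thread.
SYSTEM = [Recipient("FullAccess")]
ENS = [Recipient("CustomerService",
                 ban_servers={"203.215.249.198"},
                 allowed_servers={"203.194.181.48"})]


def customer_service_can_reach(server_ip, mode="may be used instead"):
    s = Session(groups={"CustomerService"}, authenticated=True, server_ip=server_ip)
    return access_allowed(ENS, SYSTEM, mode, s)


def full_access_can_reach(server_ip, mode="may be used instead"):
    s = Session(groups={"FullAccess"}, authenticated=True, server_ip=server_ip)
    return access_allowed(ENS, SYSTEM, mode, s)
```

With this model a FullAccess user reaches anything through the system policy, while a CustomerService user only reaches the single allowed server, which is the outcome gjethro expected.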

Thanks, I give you the real setting, please help

Postby gjethro » Dec 12 03 7:39 pm

I use wingate 5.2.2 on windows 2000 server sp3 english edition.

The real setting is:

System policies:
--Right:Users can access this service
--Is granted to:
----FullAccess
--Recipient: User must be authenticated

Extended Network Driver Policies:
--Right:Users can access this service
--Is granted to:
----CustomerService
------Recipient: User must be authenticated
------Ban List: Enable ban list
--------Server IP address equals "203.215.249.198"
------Advanced:Specify which requests this recipient has rights for
--------Customer1Site
---------- Server IP address equals "203.194.181.48"
--Default rights(System policies) may be used instead

In the previous request the IP was only used as a placeholder; I have not used leading zeroes.

According to the help files shipped with WinGate and the articles on your support site, I think this setting should work, but I have tried from v4.5 to v5.2.2 and failed again and again. Because this setting is necessary for me, please help.
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Postby adrien » Dec 12 03 8:51 pm

OK.

You are right, from the look of what you have written, it should work, so there must be something else happening, either a bug in WinGate, or something particular to your configuration.

What sort of access are these people doing? I take it they are not using HTTP for this access? Is it a custom client-server application?

By the way, you should not need to separately specify a banned IP as well as the one and only allowed IP, since an IP can't be both; if it is not 203.194.181.48 then it will not be allowed.

Do the sessions show up in GateKeeper as NAT connections when the disallowed access occurs?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby gjethro » Dec 12 03 10:36 pm

What sort of access are these people doing? I take it they are not using HTTP for this access? Is it a custom client-server application?

They use Remote Administrator V2.1 to connect to customers' PCs (which also have Remote Administrator V2.1 installed), but I want to limit it to only those PCs.

And they want to use MSN Messenger, but I want to limit it to message transfer only, not allowing file transfer to anyone.

By the way, you should not need to separately specify a banned IP as well as the one and only allowed IP, since an IP can't be both, the if it is not 203.194.181.48 then it will not be allowed.

I know, I was just trying the functions.

Do the sessions show up in GateKeeper as NAT connections when the disallowed access occurs?

Yes, they do show up.
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Postby adrien » Dec 13 03 10:45 am

OK.

How do your users authenticate first with WinGate? Do they use the WinGate Internet client, or GateKeeper?

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby gjethro » Dec 13 03 2:43 pm

Hi...

They use neither the WinGate Internet client nor GateKeeper; they use the Java client authentication in IE, then use the network program to connect out.
What's the difference between these authentication methods?

In our LAN, GateKeeper is only assigned to administrator usage.

The WinGate Internet client has so many problems. I have used several versions, it's a nightmare to me, we dare not install it. Last time I wanted to see if the new version was better, but after setup I found my MS SQL Server didn't work. Then I uninstalled it, and MS SQL Server worked even more strangely; I could not even uninstall and repair it, so I had to reinstall the whole computer system. It took me a whole day.

Thanks.
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Re: SOS SOS: NAT policies don't enforced correctly???

Postby ChrisH » Dec 14 03 3:01 pm

gjethro,

You must be using WWW proxy to authenticate users. Is it on standard port 80? You also said in your first post -

gjethro wrote:
--After deleting CustomerService from the "Is granted to" list, users belonging to the CustomerService group have no access to NAT, it's OK.


When you say OK do you mean that CustomerService group is now following some policy or that they are able to connect to customers using RAdmin or browse OK or ...? Are you using standard Radmin port 4899? Customers wouldn't be filtering out your IP in Radmin would they? You have no port mappings or redirections in place that might be causing problems?

You also said:
They use Remote Administrator V2.1 to connect to customers' PCs (which also have Remote Administrator V2.1 installed), but I want to limit it to only those PCs.
Do you mean here that only the CustomerService group is to use Radmin to contact customers, or that Radmin is to be used to contact only the customers specified in the allowed IP, or ...? Sorry for all the questions. Just trying to help!
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby gjethro » Dec 14 03 4:43 pm

Hi

I'm using the WWW proxy to authenticate users. It's on standard port 80.

When I say OK I mean that the CustomerService group has no access to NAT, so they cannot use Radmin to connect out. In order to be clear, I don't grant any other access to the CustomerService group.

I don't use the standard Radmin port 4899. And it works well when using the administrator login (even for the CustomerService group, but I want to limit this access). There are no port mappings or redirections in place.

Radmin is to be used to contact only the customers specified in the allowed IP.
In order to limit MSN Messenger (can send messages but not transfer files), the setting should be that some ports are not allowed on the same server or URL.

By the way, I have a question to ask:
When I use GateKeeper on a PC other than the gateway server, how can I see the history content in GateKeeper? (Now it's blank; on the gateway server the history content is listed there.)


Thanks.
Last edited by gjethro on Dec 15 03 4:14 pm, edited 3 times in total.
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Wingate Configuration Report

Postby gjethro » Dec 15 03 3:41 pm

Hi...
Now I give you the Configuration Report from GateKeeper:

1.01 WINGATE CONFIGURATION REPORT
1.02 Monday, December 15, 2003, 10:31
1.03
1.04 ---------------------------------------------
1.05 WinGate Engine
1.06 ---------------------------------------------
1.07 WinGate 5.2.2 (Build 892)
1.08 Operating System: Windows 2000 (NT 5.0)
1.09 Language:
1.10
4.01 ---------------------------------------------
4.02 Dialer information
4.03 ---------------------------------------------
4.04 Dialer is enabled
4.05 Profiles:
4.06 ADSL Dial (Enabled) 1000 retries
4.07 Overall retries: 1
4.08
5.01 ---------------------------------------------
5.02 Network Interfaces
5.03 ---------------------------------------------
5.04 169.254.147.67 (LAN) [External] [Unsecure]
5.05 127.0.0.1 (LOOPBACK) [Internal] [Secure]
5.06 192.168.1.1 (LAN) [Internal] [Secure]
5.07 ADSL Dial (RAS) [External] [Unsecure]
5.08
6.01 ---------------------------------------------
6.02 Services
6.03 ---------------------------------------------
6.04
6.05 System Policies
6.06 ---------------------------------------------
6.07 Default System Access Rights:
6.08 Full Access - Restricted by security level
6.09 Default Start/Stop Rights:
6.10 Administrators - Unrestricted rights
6.11 Default Edit Rights:
6.12 Administrators - Unrestricted rights
6.13
6.14 POP3 Proxy server (POP3 Proxy server)
6.15 ---------------------------------------------
6.16 Session Timeout: 120
6.17 Port: 8110
6.18 Startup: Automatic start/stop
6.19 Binding 1: 127.0.0.1
6.20 Binding 2: 192.168.1.1
6.21 Access Rights: Defaults: may be used instead
6.22 Start/Stop Rights: Defaults: may be used instead
6.23 Edit Rights: Defaults: may be used instead
6.24
6.25 Telnet Proxy server (Telnet Proxy server)
6.26 ---------------------------------------------
6.27 Session Timeout: 60
6.28 Port: 23
6.29 Startup: Automatic start/stop
6.30 Binding 1: 127.0.0.1
6.31 Binding 2: 192.168.1.1
6.32 Access Rights: Defaults: may be used instead
6.33 Start/Stop Rights: Defaults: may be used instead
6.34 Edit Rights: Defaults: may be used instead
6.35
6.36 WWW Proxy server (WWW Proxy server)
6.37 ---------------------------------------------
6.38 Session Timeout: 60
6.39 Port: 80
6.40 Startup: Automatic start/stop
6.41 Binding 1: 127.0.0.1
6.42 Binding 2: 192.168.1.1
6.43 Access Rights: Defaults: may be used instead
6.44 Half Access - Restricted by security level, ban list, request
6.45 Working Access - Restricted by security level, request
6.46 Start/Stop Rights: Defaults: may be used instead
6.47 Edit Rights: Defaults: may be used instead
6.48
6.49 DHCP Service (DHCP Service)
6.50 ---------------------------------------------
6.51 Session Timeout: 60
6.52 Port: 67
6.53 Startup: Automatic start/stop
6.54 Binding 1: 192.168.1.1
6.55 Access Rights: Defaults: may be used instead
6.56 Everyone - Unrestricted rights
6.57 Start/Stop Rights: Defaults: may be used instead
6.58 Edit Rights: Defaults: may be used instead
6.59
6.60 Winsock Redirector Service (Winsock Redirector Service)
6.61 ---------------------------------------------
6.62 Session Timeout: 20
6.63 Port: 2080
6.64 Startup: Automatic start/stop
6.65 Binding 1: 127.0.0.1
6.66 Binding 2: 192.168.1.1
6.67 Access Rights: Defaults: may be used instead
6.68 Start/Stop Rights: Defaults: may be used instead
6.69 Edit Rights: Defaults: may be used instead
6.70
6.71 FTP Proxy server (FTP Proxy server)
6.72 ---------------------------------------------
6.73 Session Timeout: 60
6.74 Port: 21
6.75 Startup: Automatic start/stop
6.76 Binding 1: 127.0.0.1
6.77 Binding 2: 192.168.1.1
6.78 Access Rights: Defaults: may be used instead
6.79 Start/Stop Rights: Defaults: may be used instead
6.80 Edit Rights: Defaults: may be used instead
6.81
6.82 RTSP Streaming Media Proxy (RTSP Streaming Media Proxy)
6.83 ---------------------------------------------
6.84 Session Timeout: 60
6.85 Port: 554
6.86 Startup: Automatic start/stop
6.87 Binding 1: 127.0.0.1
6.88 Binding 2: 192.168.1.1
6.89 Access Rights: Defaults: may be used instead
6.90 Start/Stop Rights: Defaults: may be used instead
6.91 Edit Rights: Defaults: may be used instead
6.92
6.93 SOCKS Proxy server (SOCKS Proxy server)
6.94 ---------------------------------------------
6.95 Session Timeout: 60
6.96 Port: 1080
6.97 Startup: Automatic start/stop
6.98 Binding 1: 127.0.0.1
6.99 Binding 2: 192.168.1.1
6.100 Access Rights: Defaults: may be used instead
6.101 Start/Stop Rights: Defaults: may be used instead
6.102 Edit Rights: Defaults: may be used instead
6.103
6.104 VDOLive Proxy server (VDOLive Proxy server)
6.105 ---------------------------------------------
6.106 Session Timeout: 60
6.107 Port: 7000
6.108 Startup: Automatic start/stop
6.109 Binding 1: 127.0.0.1
6.110 Binding 2: 192.168.1.1
6.111 Access Rights: Defaults: may be used instead
6.112 Start/Stop Rights: Defaults: may be used instead
6.113 Edit Rights: Defaults: may be used instead
6.114
6.115 POP3 Server (POP3 Server)
6.116 ---------------------------------------------
6.117 Session Timeout: 120
6.118 Port: 110
6.119 Startup: Automatic start/stop
6.120 Binding 1: 127.0.0.1
6.121 Binding 2: 192.168.1.1
6.122 Access Rights: Defaults: may be used instead
6.123 Start/Stop Rights: Defaults: may be used instead
6.124 Edit Rights: Defaults: may be used instead
6.125
6.126 SMTP Proxy server for Netcomputer (SMTP Proxy server for Netcomputer)
6.127 ---------------------------------------------
6.128 Session Timeout: 60
6.129 Port: 29
6.130 Startup: Automatic start/stop
6.131 Binding 1: 127.0.0.1
6.132 Binding 2: 192.168.1.1
6.133 Access Rights: Defaults: may be used instead
6.134 Start/Stop Rights: Defaults: may be used instead
6.135 Edit Rights: Defaults: may be used instead
6.136
6.137 SMTP Server (SMTP Server)
6.138 ---------------------------------------------
6.139 Session Timeout: 300
6.140 Port: 25
6.141 Startup: Automatic start/stop
6.142 Binding 1: 127.0.0.1
6.143 Binding 2: 192.168.1.1
6.144 Access Rights: Defaults: may be used instead
6.145 Start/Stop Rights: Defaults: may be used instead
6.146 Edit Rights: Defaults: may be used instead
6.147
6.148 GDP Service (GDP Service)
6.149 ---------------------------------------------
6.150 Session Timeout: 60
6.151 Port: 368
6.152 Startup: Automatic start/stop
6.153 Binding 1: 127.0.0.1
6.154 Binding 2: 192.168.1.1
6.155 Access Rights: Defaults: may be used instead
6.156 Start/Stop Rights: Defaults: may be used instead
6.157 Edit Rights: Defaults: may be used instead
6.158
6.159 SMTP Proxy server for sohu (SMTP Proxy server for sohu)
6.160 ---------------------------------------------
6.161 Session Timeout: 60
6.162 Port: 27
6.163 Startup: Automatic start/stop
6.164 Binding 1: 127.0.0.1
6.165 Binding 2: 192.168.1.1
6.166 Access Rights: Defaults: may be used instead
6.167 Start/Stop Rights: Defaults: may be used instead
6.168 Edit Rights: Defaults: may be used instead
6.169
6.170 SMTP Proxy server for sina (SMTP Proxy server for sina)
6.171 ---------------------------------------------
6.172 Session Timeout: 60
6.173 Port: 26
6.174 Startup: Automatic start/stop
6.175 Binding 1: 127.0.0.1
6.176 Binding 2: 192.168.1.1
6.177 Access Rights: Defaults: may be used instead
6.178 Start/Stop Rights: Defaults: may be used instead
6.179 Edit Rights: Defaults: may be used instead
6.180
6.181 XDMA Proxy service (XDMA Proxy service)
6.182 ---------------------------------------------
6.183 Session Timeout: 20
6.184 Port: 8000
6.185 Startup: Automatic start/stop
6.186 Binding 1: 127.0.0.1
6.187 Binding 2: 192.168.1.1
6.188 Access Rights: Defaults: may be used instead
6.189 Start/Stop Rights: Defaults: may be used instead
6.190 Edit Rights: Defaults: may be used instead
6.191
6.192 DNS Service (DNS Service)
6.193 ---------------------------------------------
6.194 Session Timeout: 60
6.195 Port: 53
6.196 Startup: Automatic start/stop
6.197 Binding 1: 192.168.1.1
6.198 Access Rights: Defaults: may be used instead
6.199 Start/Stop Rights: Defaults: may be used instead
6.200 Edit Rights: Defaults: may be used instead
6.201
6.202 WWW Server for viewing log files (Logfile Server)
6.203 ---------------------------------------------
6.204 Session Timeout: 60
6.205 Port: 8010
6.206 Startup: Automatic start/stop
6.207 Binding 1: 127.0.0.1
6.208 Binding 2: 192.168.1.1
6.209 Access Rights: Defaults: may be used instead
6.210 Start/Stop Rights: Defaults: may be used instead
6.211 Edit Rights: Defaults: may be used instead
6.212
6.213 SMTP Proxy server for 163 (SMTP Proxy server for 163)
6.214 ---------------------------------------------
6.215 Session Timeout: 60
6.216 Port: 28
6.217 Startup: Automatic start/stop
6.218 Binding 1: 127.0.0.1
6.219 Binding 2: 192.168.1.1
6.220 Access Rights: Defaults: may be used instead
6.221 Start/Stop Rights: Defaults: may be used instead
6.222 Edit Rights: Defaults: may be used instead
6.223
6.224 Remote Control Service (Remote Control Service)
6.225 ---------------------------------------------
6.226 Session Timeout: 60
6.227 Port: 808
6.228 Startup: Automatic start/stop
6.229 Binding 1: 127.0.0.1
6.230 Binding 2: 192.168.1.1
6.231 Access Rights: Defaults: are ignored
6.232 Everyone - Unrestricted rights
6.233 Start/Stop Rights: Defaults: may be used instead
6.234 Edit Rights: Defaults: may be used instead
6.235
7.01 ---------------------------------------------
7.02 System Route Table
7.03 ---------------------------------------------
7.04 Current Route Table:
7.05 ---------------------------------------------
7.06 Network Mask Gateway Interface Metric
7.07 0.0.0.0 0.0.0.0 218.17.90.41 218.17.90.41 1
7.08 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
7.09 169.254.0.0 255.255.0.0 169.254.147.67 169.254.147.67 1
7.10 169.254.147.67 255.255.255.255 127.0.0.1 127.0.0.1 1
7.11 169.254.255.255 255.255.255.255 169.254.147.67 169.254.147.67 1
7.12 192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.1 1
7.13 192.168.1.1 255.255.255.255 127.0.0.1 127.0.0.1 1
7.14 192.168.1.255 255.255.255.255 192.168.1.1 192.168.1.1 1
7.15 218.17.90.1 255.255.255.255 218.17.90.41 218.17.90.41 1
7.16 218.17.90.41 255.255.255.255 127.0.0.1 127.0.0.1 1
7.17 218.17.90.255 255.255.255.255 218.17.90.41 218.17.90.41 1
7.18 224.0.0.0 224.0.0.0 169.254.147.67 169.254.147.67 1
7.19 224.0.0.0 224.0.0.0 192.168.1.1 192.168.1.1 1
7.20 224.0.0.0 224.0.0.0 218.17.90.41 218.17.90.41 1
7.21 255.255.255.255 255.255.255.255 169.254.147.67 169.254.147.67 1
7.22
8.01 ---------------------------------------------
8.02 Enhanced Network Support
8.03 ---------------------------------------------
8.04 Enhanced Network Support: 5.10 Syz - Installed and active
8.05 Driver: Enabled
8.06 NAT: Enabled
8.07 Router: Disabled
8.08 Firewall level: Custom
8.09
8.10 Firewall
8.11 ---------------------------------------------
8.12 Disable network name broadcasts to the Internet: Enabled
8.13 Allow users to ping this machine locally: Enabled
8.14 Allow users to ping this machine from the Internet: Disabled
8.15 Discard spoofed packets: Enabled
8.100
8.101 Port Security
8.102 ---------------------------------------------
8.103
8.104 Security for: External TCP
8.105 Action: Allow Port: 113 - AUTH
8.106
8.107 Security for: External UDP
8.108 Action: Allow Port: 1024 - 65535 - External
8.109
8.110 Security for: Internal TCP
8.111 Action: Allow Port: 21 - Hole for FTP Proxy server
8.112
8.113 Security for: Internal UDP
8.114
8.115 Security for: NAT TCP
8.116 Action: Allow Port: 21 - Hole for FTP Proxy server
8.117
8.118 Security for: NAT UDP
8.500
9.01 ---------------------------------------------
9.02 END OF CONFIGURATION REPORT
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Postby adrien » Dec 16 03 11:43 am

That interface, 169.254.x.y, is an autonet address. Are there any clients connected to that interface that you wish to use? Or is it an adapter that is not plugged in?

The Java login uses the Remote Control Service to authenticate, and hence you must be using the WinGate user database, since the Java client cannot do NTLMSSPI authentication which is required for the NT user database authentication.

The problems you describe with the WGIC sound odd. 99% of problems with this are caused by certain services using the WGIC which are best not to (i.e. SQL server). You can exclude a service from using WGIC. We have found this normally solves the problem.

But anyway, back to the problems with WWW policies, I think it might be best if you send me the registry key HKLM\Software\Qbik Software\WinGate and I will try and replicate your problem here, it really should be working!

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby gjethro » Dec 16 03 3:08 pm

Hi,

Above ALL, I have a question to ask:
When I use GateKeeper on a PC other than the gateway server, how can I see the history content in GateKeeper? (Now it's blank; on the gateway server the history content is listed there.)

Following is the registry key: (It's too long, can I transfer the file to you?)

edited by adrien for security reasons
Last edited by gjethro on Dec 16 03 3:23 pm, edited 1 time in total.
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Postby adrien » Dec 16 03 6:06 pm

Hi

Thanks for your registry settings, it enabled me to find the problem. It was particularly obscure, but is a bug in WinGate related to the migration of some other code.... long story.

The tests I did previously on this parameter were for the ban list for NAT (which works), but not the request filter... I made the (evidently erroneous) assumption that since it was using the same code, it would work the same way, but we had a multiply defined variable in the NAT session class for server ip.

So, you will need a new engine, I can build you one with this fix in it especially if you wish.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby gjethro » Dec 16 03 11:15 pm

Hi,

My email is gjethro@sina.com

Thank you very very much!!! I will test it and report to you!

Also, I have asked the following question 3 times, can you give me an answer?

When I run GateKeeper on a PC behind the gateway server, how can I see the history content in GateKeeper?
(Now it's blank; when I run GateKeeper on the gateway server, the history content is listed there.)
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

Postby adrien » Dec 18 03 11:17 am

Hi

Regarding GateKeeper viewing history, in order for that to work remotely, you need to run the copy of GateKeeper that is actually on the drive of the WinGate installation, using a mapped drive.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby gjethro » Dec 18 03 7:17 pm

Hi...

The new WinGate Engine does work, thanks!

GateKeeper viewing history remotely also works, thanks.
But why did you design it this way? It's very inconvenient!!!
I have administrator rights for WinGate, but I must do it this way???

Thanks!!!
gjethro
 
Posts: 31
Joined: Dec 11 03 3:34 pm

similar problem

Postby gkarakas » Jan 06 04 1:13 am

Hi,

I also seem to have a similar problem. This is what I would like to achieve:
- the group "NAT users" should always use NAT without any restriction
- the other users should access only specified servers via NAT

User identification is done by IP address (assumption).

I have created the "NAT Users" group and added it to the policies. It works.

Then I created another policy with one restriction: on the "Advanced" tab I specified the server IP address I want to reach.

The result is that everyone can use NAT with no restrictions.

Did I do something wrong, or is it a bug?

Gyula
gkarakas
 
Posts: 5
Joined: Jan 06 04 1:02 am

nat

Postby gkarakas » Jan 09 04 11:05 am

Is there any hope that someone will reply to this? I had to reinstall WinGate since it took 100% of CPU after playing with the NAT settings.

Gyula
gkarakas
 
Posts: 5
Joined: Jan 06 04 1:02 am

Re: similar problem

Postby Pascal » Jan 09 04 11:08 pm

gkarakas wrote:
Hi,
User identification is done by IP address (assumption).
I have created the "NAT Users" group and added it to the policies. It works.
Then I created another policy with one restriction: on the "Advanced" tab I specified the server IP address I want to reach.

Two things you can check:

1. Is the authentication working properly? I.e. when you are logged into GateKeeper, do you see a NAT session listed against the correct IP + username combination?

2. When you created the policies, did you set the "System Rights" to be ignored, may be granted or must be granted as well ?

If you like, you can export the WinGate registry / save your configuration and email it to me, then I'll have a look through it for you.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby gkarakas » Jan 10 04 10:11 pm

Pascal,

thank you for the answer.

1. authentication works OK
2. IIRC it was set to be ignored

I cannot send the registry as I had to fully reinstall wingate (remove/install). I will try to use NAT again and send the results.

Gyula
gkarakas
 
Posts: 5
Joined: Jan 06 04 1:02 am
