Redirecting Service port

Postby Frank.Merino » May 18 07 3:48 am

Hello,
Just this week I moved my WinGate 5.2.3 build 901 on a Win 2k box to 6.2.1 build 1133 on a Win2k3 box.

I recreated the services on the new box and simply took the reg keys from the old box for the AccessRights. Now there is one TCP Mapping Service I have that is for port 81, and I have the default mapping enabled and set to go to another server (using IP) on port 80. So on my Windows DNS server I have an entry for ical.domain.com, and when I ping it the IP is the WinGate server IP (like I set it).

The whole thing is that my WWW Proxy is set to 8080, and when I go to the IP that needs port 80 I get a "page cannot be displayed". So I have that DNS entry point to WinGate and redirect port 81 to port 80 for me. In 5.2.3 it worked without any issues. However, in 6.2.1 it is not working. Besides the interfaces, the WinGate settings are the same. Everything else seems to work, but not this.

Any suggestions?
Frank.Merino
 
Posts: 12
Joined: May 18 07 3:36 am

Postby jamesc » May 18 07 11:04 pm

Having the WWW Proxy on 8080 should be irrelevant - it will still be able to retrieve the web page. I would suggest:

1. Check to see if you can access that web server listening on port 80 from the actual WinGate desktop. If you can't access it, then the proxy/mapping will not be able to either.

2. Confirm your network cards are correctly marked as INTERNAL / EXTERNAL. The network card pointing towards the internet is usually marked as EXTERNAL in WinGate, and the network card pointing towards the LAN is usually marked as INTERNAL in WinGate. If the WinGate server only has one network card, and it has a default gateway set to a hardware router with a firewall, then you can set it as INTERNAL in WinGate - WinGate can do single NIC NAT.
GateKeeper --> View menu --> Networks --> Network Connections.

3. Check the bindings for that mapping.

4. Check that there are no authentication problems.

5. On the WinGate servers, confirm that default gateways are only set on the network card that can connect to that network - same for DNS.

p.s. I just created a TCP Mapping on port 81, and mapped it to one of Googles ip addresses on port 80: 72.14.253.147
The WinGate Server internal ip address was 172.16.0.1
On a LAN Client I set the web browsers Proxy to 8080, and then typed into the web browser: http://172.16.0.1:81 and it went to google.com as expected.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby Frank.Merino » May 19 07 1:47 am

Thank you for the reply. I have 2 NICs and both are going to 2 different firewall/routers; should I have a 3rd NIC? I have 1 DSL and 1 T1, and the DSL NIC is .11 and the T1 is .12.

I have the proxy setting on my desktops to go to .11, and from there it either sends it out through .11 or .12 depending on who and what they are doing (i.e. FTP goes through the T1 along with the CEO and VPs; all other web traffic goes through the DSL).

I tried the same thing you did, and Guest tries to connect for me when I specified port 81, and because my Guest account is A) disabled and B) has no rights to anything, it fails. I have set the service to allow Everyone, just my account, and nothing seems to work. If you'd like I can send you screenshots of what I'm seeing if this is not making sense.

Thanks,
Frank

Postby Frank.Merino » May 22 07 9:29 am

It seems that all my TCP Mappings are doing the same thing. Even if I create one from scratch, they all try to go out as Guest and fail because of it.

The service is set to allow Everyone to go out. Am I missing something?

Please help!
Frank

Postby jamesc » May 22 07 5:37 pm

Hi Frank,

Sorry for the delay. I wrote the following on Friday night and then thought it was overkill, but I think my Guest comments may help - you can probably ignore the top, although it should be addressed sometime if I have interpreted your topology correctly.

James




Thank you for the reply. I have 2 NICs and both are going to 2 different firewall/routers; should I have a 3rd NIC? I have 1 DSL and 1 T1, and the DSL NIC is .11 and the T1 is .12.


.11 and .12 - sounds like they are on the same subnetwork - i.e. 192.168.0.11 / 192.168.0.12 / 255.255.255.0 - you don't really want to have two physical network cards on the same subnet. You have a few options (I believe - and disclaimer to say its up to you to keep the VP and CEO happy):

1. Add a route to the network card connected to this web server, e.g. if connected through the .12 interface and .13 is the web server:
route add 192.168.0.13 MASK 255.255.255.255 192.168.0.12
*Add a -p after it to make it persistent after reboot.

2. You could change one subnet to be different from the other and leave the network cards as INTERNAL.

3. On the presumption your T1/ADSL boxes are connected in the same switch, you could just have one network card pointing towards them with two gateways. And put the other network card as INTERNAL and point towards the LAN - it may be easier to change subnet pointing towards routers.

4. Or of course you could add a third NIC instead, make sure each is on a different subnet, and have the network card pointing towards the LAN marked as INTERNAL in WinGate.

Other WinGate considerations regarding the markings of the network cards:
Two INTERNAL network cards can route between them - same with two EXTERNAL cards. You can turn off routing via ENS.
A network card does not need to be EXTERNAL for WinGate to use the Gateway.
For a network card to NAT, it either needs to be INTERNAL or DMZ.
NAT connection sharing between the two gateways will be controlled by the routes metric in Windows, and the mask length of those routes compared to the destination address (thats when a mappings intercept is convenient).
NetBIOS broadcasts are disabled out the EXTERNAL adapters unless you switch it on via ENS --> Firewall.



I tried the same thing you did, and Guest tries to connect for me when I specified port 81, and because my Guest account is A) disabled and B) has no rights to anything, it fails. I have set the service to allow Everyone, just my account, and nothing seems to work. If you'd like I can send you screenshots of what I'm seeing if this is not making sense.


I consider the Guest account to be a good thing to have enabled in WinGate for the context of networks I deal with.

The first reason would be that sometimes it is not practical to authenticate users coming in from the internet - i.e. to an internally hosted web server or a third-party VPN connection. If you really wanted to authenticate those Internet Clients, they could do it via an externally bound proxy server, taking care not to leave it open for anyone to bounce web requests off. Or you could bind the Remote Control Service so people could authenticate via Java applet for the WWW proxy/web server, GateKeeper and QbikAuth (which are all secure methods, but of course knowing the Admin password via GateKeeper would give full control). And IP address.

The second reason would be when you do not have an authentication method installed on the LAN Client, i.e. you are relying on WWW Proxy authentication - some applications don't know how to authenticate with the WWW Proxy, so you would create a policy allowing the Guest account unauthenticated access for that update server or special tool needed by staff members, etc. To control Guest NAT connections for your INTERNAL network you could create a policy in the Extended Networking Service saying that the Guest account cannot be used with client IP addresses beginning with e.g. 192.168.0 - if you need to open a hole for unauthenticated access, you could add a second Guest entry saying "This criterion is met if server port equals 123" (UDP - time update). The policy with the most access will override the policy with the least access.

So TCP Mappings, as well as connections passing through the Extended Networking Service, do not present a way for the user to authenticate; the mapping or NAT/route/Internet Client could be for any application, and WinGate would not know how to send an authentication challenge back for every application that exists. Hence, when you are creating policies on those mappings/ENS that require authentication, you need to be aware of the step your clients need to take to authenticate.

Postby Frank.Merino » May 23 07 4:16 am

The reason for .11 and .12 is that they each point to two different firewalls/routers.

.11 points to .13, which is the firewall/router with the DSL
.12 points to .17, which is the firewall/router with the T1

Everyone internally connects via .11 and generally will go out via .11 to .13 for the DSL.
Some users use the proxy port 8081, which then takes them through .12 and out the .17 T1.

if this is not how it should work can you please recommend a proper setup

Postby jamesc » May 23 07 9:32 am

Can you post an ipconfig/all in the forum, remembering to mask any public ip addresses or any information you deem private? Alternatively you could send it into sales@wingate.com and reference this forum post.

(Windows) Start menu --> Run --> cmd --> ipconfig/all > C:\ipa.txt


I also presume your Guest account issue is now under control?

Postby Frank.Merino » May 23 07 9:57 am

I haven't tried the Guest thing yet, so I'll do that now and try. Below is the ipconfig you asked about.


Windows IP Configuration

   Host Name . . . . . . . . . . . . : proxy
   Primary Dns Suffix  . . . . . . . : DOMAIN.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : DOMAIN.com


Ethernet adapter X.X.0.11:


   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Net Adapter
   Physical Address. . . . . . . . . : MAC
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : X.X.0.11
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : X.X.1.12
   DNS Servers . . . . . . . . . . . : 4.2.2.1
                                       4.2.2.2
                                       65.106.1.196
                                       65.106.7.196


Ethernet adapter X.X.0.12:


   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Net Adapter
   Physical Address. . . . . . . . . : MAC
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : X.X.0.12
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : X.X.1.17
   DNS Servers . . . . . . . . . . . : 192.6.1.218
                                       4.2.2.2
                                       4.2.2.1

Postby jamesc » May 23 07 10:01 am

With regards to Ethernet adapter X.X.0.11 and Ethernet adapter X.X.0.12, I presume the X.X's are the same

Postby Frank.Merino » May 23 07 10:03 am

Correct, i.e. 192.168.0.11 and 192.168.0.12

Postby jamesc » May 23 07 10:39 am

I will update this post when our lead network engineer arrives at work; shouldn't be too long - I just want to get a second opinion on the suggestion I will give.

Postby jamesc » May 23 07 1:27 pm

It has been recommended that you change one of your subnets, and keep your network adapters marked as INTERNAL (presuming your internet connections have firewalls). One of the hardware routers will need the subnet changed too.

If you are running DHCP on the network, then that may need to be configured as well.

Postby Frank.Merino » May 24 07 5:00 am

Why would I need to do that now when everything worked just fine on 5.2.3?

Also, I cannot enable the Guest account because when people try to access the internet, even if it is set that they need to authenticate, the Guest user will be used.

Postby jamesc » May 24 07 8:26 am

Why would I need to do that now when everything worked just fine on 5.2.3?


The Extended Networking Service driver is different.


Also, I cannot enable the Guest account because when people try to access the internet, even if it is set that they need to authenticate, the Guest user will be used.


Are you familiar with the way different servers/services in WinGate can work in conjunction with the Default Rights (System Policies)? In the image below, we can see there is a policy requiring authentication on that service and the Default Rights are set to "Are ignored" - it could also be set to "May be used instead" or "Must also be granted".

"Must also be granted": If the e.g. WWW Proxy Server policy allows access to this service, then it must also be checked in the System Policies before it is allowed.

"May be used instead": If the e.g. WWW Proxy Server policy denies the request, then check if the System Policies allow it; if they do, allow the user to access.

"Are ignored": Do not check the System Policies to see if this user is allowed/denied access to the WWW Proxy Server.

Another concept to be aware of is that the policy with the most access will override the policy with the least access. So in the example above, there is one Everyone group requiring authentication. If I were to add a second Everyone group in there with the authentication level set to "User may be unknown", then no one would need to authenticate to get to the internet (assuming the Guest account is enabled).

Postby Frank.Merino » May 24 07 8:38 am

So have Everyone set to "User must be authenticated" and the Default Rights set to "Must also be granted" - would that force everyone to authenticate?

And I can leave the Guest user enabled?

Postby jamesc » May 24 07 9:08 am

So have Everyone set to "User must be authenticated" and the Default Rights set to "Must also be granted" - would that force everyone to authenticate?


Yes.


And I can leave the Guest user enabled?


Yes.


Tips:

The Winsock Redirector Service processes WinGate Internet Client requests, so if you have that connection method available then review the policy for guest access.

The Extended Networking Service processes LAN Clients' NAT connections and connections from Internet Clients into your network, e.g. to an internal web server. So, as mentioned earlier, please remember that sometimes it is not practical to authenticate Internet Clients. Here is an example policy in the ENS to restrict LAN Clients from Guest NAT access, but leave it open for unauthenticated access for any firewall hole you expose to the internet:

ENS --> Policies.
Set the Default Right = Must also be granted.

Add --> Your Users Group (Not Everyone, because Everyone includes Guest), select your authentication level relevant to your connection method.
Ok back to ENS --> Policies.

Add --> Guest, then set the authentication level to "User may be unknown"
Advanced tab:
Filter 1
This criterion is not met if Client IP Address begins with 192.168.0


You may want to lock down the SOCKS proxy too.

Postby jamesc » May 24 07 9:12 am

p.s.

When I talk about "Authentication levels" in the policies, the setting to choose is specific to the authentication method used. There are three authentication levels:

User must be authenticated = Secure
User may be assumed = Insecure
User may be unknown = Unauthenticated (i.e. Guest)


WinGate User Database.
WWW Proxy Java Authentication - Secure method - Needs Java (www.java.com)
WGIC Authentication - Secure method - Client install.
QbikAuth Authentication - Secure method - Client install.
GateKeeper Authentication - Secure method - Client install.
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different criterions.

Local Windows User Database
WWW Proxy NTLM Authentication - Secure Method - Application must be NTLM compatible.
WGIC NTLM Authentication - Secure method - Client install.
QbikAuth NTLM Authentication - Secure method - Client install.
GateKeeper NTLM Authentication - Secure method - Client install.
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different criterions.

Domain User Database.
WWW Proxy NTLM Authentication - Secure Method - Application must be NTLM compatible.
WGIC NTLM Authentication - Secure method - Client install.
QbikAuth NTLM Authentication - Secure method - Client install.
GateKeeper NTLM Authentication - Secure method - Client install.
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different criterions.

Postby Frank.Merino » May 24 07 10:23 am

We only use WinGate for internet content filtering of internal users going out. When external users come in, they go through a different method.

Does that change anything?

Also, what is the filter of 192.168.0 supposed to do?

Postby jamesc » May 24 07 10:32 am

Does that change anything?


No.


Also, what is the filter of 192.168.0 supposed to do?


If your LAN Clients were on a subnet beginning with 192.168.0, then that policy says that LAN Clients cannot use the Guest account for NAT, but Internet Clients can connect in through any firewall hole you expose to the internet - it was just a tip.
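The policy rules described across the thread (authentication levels, the three Default Rights modes, "the policy with the most access wins", and the ENS client-IP criterion from the tip) can be checked end to end with a small model. This is an added example written for this page, not Qbik's code or the WinGate policy engine; the group name "Staff", the sample users and IP addresses, and the function names are assumptions made for the illustration.

```python
# Added example, not WinGate code: a model of the policy evaluation described
# in this thread.  Every name and address below is an assumption for the demo.
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Authentication levels a policy entry can demand (jamesc's p.s.).
MUST_BE_AUTHENTICATED = "User must be authenticated"
MAY_BE_ASSUMED = "User may be assumed"
MAY_BE_UNKNOWN = "User may be unknown"

# How the client was actually identified on this connection.
SECURE = "secure"            # NTLM, Java applet, WGIC, QbikAuth, GateKeeper
INSECURE = "insecure"        # Basic, assumed by IP address or computer name
UNAUTHENTICATED = "unauth"   # nothing at all: WinGate treats the client as Guest

# Which kinds of identification satisfy each level.
_LEVEL_ACCEPTS = {
    MUST_BE_AUTHENTICATED: {SECURE},
    MAY_BE_ASSUMED: {SECURE, INSECURE},
    MAY_BE_UNKNOWN: {SECURE, INSECURE, UNAUTHENTICATED},
}

# Default Rights modes (how a service's policy combines with the System Policies).
MUST_ALSO_BE_GRANTED = "Must also be granted"
MAY_BE_USED_INSTEAD = "May be used instead"
ARE_IGNORED = "Are ignored"


@dataclass
class Connection:
    user: str              # "Guest" when unauthenticated
    groups: Set[str]
    auth: str              # SECURE, INSECURE or UNAUTHENTICATED
    client_ip: str
    server_port: int


@dataclass
class PolicyEntry:
    principal: str         # user or group name; "Everyone" includes Guest
    level: str
    criteria: List[Callable[[Connection], bool]] = field(default_factory=list)

    def grants(self, conn: Connection) -> bool:
        if self.principal not in ("Everyone", conn.user) and self.principal not in conn.groups:
            return False
        if conn.auth not in _LEVEL_ACCEPTS[self.level]:
            return False
        return all(criterion(conn) for criterion in self.criteria)


def any_grants(entries, conn):
    # "The policy with the most access will override the policy with the
    # least access": one matching entry is enough to grant.
    return any(entry.grants(conn) for entry in entries)


def allowed(service_entries, default_rights, system_entries, conn):
    """Combine a service's own policy with the System Policies as Default Rights dictates."""
    service_ok = any_grants(service_entries, conn)
    if default_rights == ARE_IGNORED:
        return service_ok
    system_ok = any_grants(system_entries, conn)
    if default_rights == MUST_ALSO_BE_GRANTED:
        return service_ok and system_ok
    if default_rights == MAY_BE_USED_INSTEAD:
        return service_ok or system_ok
    raise ValueError(f"unknown Default Rights mode: {default_rights}")


def client_ip_not_beginning_with(prefix):
    # ENS Advanced tab: "This criterion is not met if Client IP Address begins with <prefix>".
    # Note this is a plain string prefix, exactly as the tip describes it.
    return lambda conn: not conn.client_ip.startswith(prefix)


def server_port_equals(port):
    # The other criterion mentioned in the thread, e.g. UDP 123 for time updates.
    return lambda conn: conn.server_port == port


def ens_policy():
    # The tip's ENS policy: staff must really authenticate; Guest only from outside the LAN.
    return [
        PolicyEntry("Staff", MUST_BE_AUTHENTICATED),
        PolicyEntry("Guest", MAY_BE_UNKNOWN, [client_ip_not_beginning_with("192.168.0")]),
    ]


def www_proxy_policy():
    # Frank's WWW Proxy setting: Everyone must authenticate (Default Rights chosen by caller).
    return [PolicyEntry("Everyone", MUST_BE_AUTHENTICATED)]


# Guest enabled system-wide, as Frank wanted to keep it.
SYSTEM_POLICIES = [PolicyEntry("Everyone", MAY_BE_UNKNOWN)]
```

With Default Rights at "Must also be granted" the System Policies can only narrow what the service policy grants, so an enabled Guest account does not bypass "User must be authenticated"; with "May be used instead" the Guest entry in the System Policies would let an unauthenticated LAN client through, and a second "Everyone / User may be unknown" entry on the service itself opens it regardless of the mode.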

Postby Frank.Merino » May 24 07 11:45 am

OK, giving it a shot now. Is there a way to have the SOCKS service refer to the WWW service like it did in 5.2.3? And my mapping problem still doesn't work.

Postby jamesc » May 24 07 12:08 pm

Is there a way to have the SOCKS service refer to the WWW service like it did in 5.2.3?


Yes, any connection via SOCKS to port 80 on the internet can be intercepted with the following setting in the WWW Proxy Server.


And my mapping problem still doesn't work.


If you would like to send me your phone number, then I can give you a call and we will nail this in real time: sales@qbik.com. Alternatively, my Skype nickname is wingatejames.

Postby Frank.Merino » May 24 07 12:16 pm

Just sent sales an email. Let me know if you get it; if not, you can get me on Live, s/n edited@edited.edited

Postby jamesc » May 25 07 1:33 pm

Hi Frank,

Thought I would cover the last two things we discussed in the forum:


1. Setting up WinGate to use an Active Directory.

a) Create a user in the AD called "wingate".
b) Add it to the "Domain Admins" group in the AD user database.
c) Set the Windows service called the Qbik WinGate Engine to log on with that account.
d) Since it is an MS requirement for LAN Clients in an AD to have the AD DNS server set as their DNS server, you need to make sure that the AD DNS server is forwarding to a DNS server that can resolve internet domain names. If the AD DNS server is set to forward to the WinGate DNS server, then you need to set an option in WinGate to make sure WinGate will not send the request back (looping); this is done via:
(Windows) Start menu --> Programs --> WinGate --> Advanced Options --> DNS.
e) To change WinGate over to use the AD user database you would navigate to the Database Options, as shown below.

*To set the WinGate application to use a certain DNS server before using the ones listed on its network cards, you would override them via:
GateKeeper --> DNS / WINS Resolver --> DNS.

**Internet Explorer can log the user in automatically via:
Tools menu --> Internet Options --> Security --> Custom Level --> then scroll to the very bottom (IE6).


2. Mappings.

a) A new TCP Mapping (or any service) can be created by right-clicking anywhere in the Services tab.
b) The "Default Mapping" on the General tab is used when WinGate does not have an individual mapping set up for that user.
c) The "Mapping" option is where you can create a different mapping based on who the user is that is connecting.
d) The "Encryption" option is for when you want to create a secure mapping between two WinGate servers.
e) You can leave the "Default Mapping" blank and turn on an Intercept for a port, and then that mapping will intercept that connection - this is handy when you want to choose a gateway to be used for a particular port.


Bindings:

a) Each service/server has a binding option. I noticed you were manually specifying the IP address instead of using "Any Internal" - that is fine, but the advantage of "Any Internal" is that if an extra NIC with a private IP address were added to that server, the service would automatically bind to it so it can serve.
b) In the bindings interface, the bottom pane indicates how you would like to bind that service, and the top pane shows whether it is actually bound.


System Policies.

a) Please remember that you can also give out power-user privileges to other users who use GateKeeper, and set other restrictions, from the following menu:
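To make concrete what a TCP Mapping does, and to give step 1 of the checklist in the first reply (confirm the upstream server is reachable from the WinGate host before blaming the mapping) a runnable form, here is an added example written for this page; it is not Qbik's code and does not use WinGate. It relays each accepted connection to a "Default Mapping" target, or to a per-client target keyed by client IP (standing in for a per-user mapping where the user is assumed by IP address); the `bind_host` argument plays the role of the bindings tab. The stand-in web server, ports, addresses and function names are constructed for the demo.

```python
# Added example, not WinGate code: a minimal TCP mapping (port forwarder)
# plus the reachability check from the thread's checklist.  All hosts, ports
# and names are assumptions constructed for this illustration.
import socket
import threading


def can_reach(host, port, timeout=2.0):
    # Checklist step 1: can this host itself open a TCP connection to the target?
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _pump(src, dst):
    # Copy bytes one way until the source closes, then tear down both sides.
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


class TcpMapping:
    """Listen on bind_host:listen_port and relay each connection to a target.

    per_client maps a client IP to a (host, port) target (a per-user mapping
    with the user assumed by IP); default is the "Default Mapping" used when
    no per-client entry exists.  With neither, the connection is closed.
    """

    def __init__(self, bind_host, listen_port, default=None, per_client=None):
        self.default = default
        self.per_client = per_client or {}
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_host, listen_port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]   # resolved port when listen_port is 0
        threading.Thread(target=self._serve, daemon=True).start()

    def target_for(self, client_ip):
        return self.per_client.get(client_ip, self.default)

    def _serve(self):
        while True:
            try:
                client, (client_ip, _) = self.sock.accept()
            except OSError:
                return                           # listener closed by stop()
            target = self.target_for(client_ip)
            if target is None:
                client.close()
                continue
            try:
                upstream = socket.create_connection(target, timeout=5)
            except OSError:
                client.close()                   # upstream unreachable: drop the client
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def stop(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()


def _start_fake_web_server():
    # Constructed stand-in for the real server on port 80: answers every request with "ok".
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve_forever():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            try:
                request = b""
                while b"\r\n\r\n" not in request:
                    data = conn.recv(1024)
                    if not data:
                        break
                    request += data
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve_forever, daemon=True).start()
    return srv.getsockname()[1]


def fetch_through_mapping():
    """Start the stand-in server, put a mapping in front of it, fetch '/' via the mapping."""
    web_port = _start_fake_web_server()
    if not can_reach("127.0.0.1", web_port):      # step 1 before suspecting the mapping
        return b""
    mapping = TcpMapping("127.0.0.1", 0, default=("127.0.0.1", web_port))
    try:
        with socket.create_connection(("127.0.0.1", mapping.port), timeout=5) as c:
            c.sendall(b"GET / HTTP/1.0\r\nHost: ical.example.com\r\n\r\n")
            reply = b""
            while True:
                data = c.recv(1024)
                if not data:
                    break
                reply += data
        return reply
    finally:
        mapping.stop()
```

Binding to "127.0.0.1" here is the equivalent of specifying one address by hand; passing "0.0.0.0" would bind every interface, which is more exposure than WinGate's "Any Internal" gives, so on a real dual-homed host the listener should be limited to the LAN-facing address.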

Postby Frank.Merino » May 25 07 1:36 pm

Thank you, you have been very helpful. When do you say WinGate 2007 will be available?

Postby jamesc » May 25 07 1:41 pm

Hi Frank,

In the latter half of this year - I would expect the Beta program to start soon so you may want to signup to that to stay in the loop.

http://www.wingate.com/wingate-2007.php