blocking sites


Postby D4U » May 29 07 1:01 am

HI,
How can I block the sites meebo.com, orkut.com, etc.? I have tried blocking by HTTP URL contains meebo.com, but users are still able to access these blocked sites, which I have configured under the global as well as the service ban list.

regards
D4U
Posts: 25
Joined: May 26 07 7:57 pm

Postby jamesc » May 29 07 4:26 am

There are quite a few variables involved in the policies, so I will try to bring you up to speed in an educational sense by creating some scenarios and common logic problems, and maybe you can help yourself? If you have any problems then let the forum know.



1. We begin by keeping things very simple. Since you have not told the forum how you authenticate your users (if you even do?), what connection methods you have available, or whether the Guest account is enabled, and since there is a "grey" area where we do not know if you are using the BAN list tab or the Advanced tab in the WWW Policy as well as System Policies, I am going to presume you are using the "Assumed by IP Address" authentication method and only have the WWW Proxy Server as access to the internet for web pages; i.e. no NAT or WinGate Internet Client or SOCKS, you are only using the BAN tab in either policy, and the Guest account is enabled.
(p.s. I expect that level of detail is probably not realistic for most people to provide, but even just a little bit more information helps a lot)

a) Right click the existing WWW Proxy Server, and select New --> WWW Proxy Server. Give it a unique name e.g. WWW Test, and change the port number to one that is not in use.

b) Navigate to WWW Test --> Policies and set the Default Rights (System Policies) drop down menu to "Are ignored".

c) Click Add, Everyone, User may be assumed. OK back to the Gatekeeper interface.

d) Go to a LAN Client, update their proxy server port to this new one you created and confirm it works.



2. Place a restriction on the Everyone group.

a) Navigate to the WWW Test --> Policies and double click the "Everyone" group that you created in 1. above.

b) Navigate to the BAN tab of the Everyone group and enter the following.
This criterion is met if HTTP URL Contains google.com
This criterion is met if HTTP URL Contains microsoft.com

c) OK back to the Gatekeeper interface then go to the LAN Client and confirm they cannot access those sites.



3. Common logic error scenario.

a) Navigate to the WWW Test --> Policies and add in a *second "Everyone" group, User may be unknown.

b) OK back to the GateKeeper interface.

c) Go to that LAN Client using that proxy port, and test.

RESULT --> Everyone has full access and does not need to be authenticated, because the second "Everyone" group has full unauthenticated access; i.e. the policy with the most access will override the policy with the least access.



4. Test how this WWW Test policy interacts with the Default Rights (System Policies). First I need to cover the three options for how the WWW Proxy Server will interact with the Default Rights (System Policies):

"Must also be granted": If the e.g. WWW Proxy Server policy allows access to this service, then it must also be checked in the System Policies before it is allowed.

"May be used instead": If the e.g. WWW Proxy Server policy denies the request, then check if the System Policies allow it; if they do, allow the user access.

"Are ignored": Do not check the System Policies to see if this user is allowed/denied access to the WWW Proxy Server.


a) Remove the *second Everyone group from WWW Test --> Policies.

b) Set the Default Rights (System Policies) to "May be used instead"

c) OK back to the Gatekeeper interface and then test.

RESULT --> I presume your System Policies will not be banning microsoft.com and google.com, and have the correct authentication level set; hence the user should have full access to those two sites.



5. Test how this WWW Test policy interacts with the Default Rights (System Policies) when "Must also be granted" is used.

a) Within the WWW Test --> Policies, set the Default Rights (System Policies) to "Must also be granted"

b) OK back to the Gatekeeper interface then Test

RESULT --> Since "Must also be granted" is selected, then as mentioned above, if the WWW Proxy Server policy allows access to this service, it must also be checked in the System Policies before it is allowed. *Hence if access is denied within the WWW Proxy Server, the System Policies will not even be checked.




Extra information:

I) If you do have NAT or WinGate Internet Client (WGIC) or SOCKS as connection methods available to LAN Clients, then to have the WWW Proxy control web page access through those connection methods, turn on an intercept for port 80 (regardless of what port the actual WWW Proxy is listening on) in WWW Proxy Server --> Sessions. That intercept for port 80 will detect any other connection method to the internet passing through WinGate on port 80 and push it up through the WWW Proxy Server, so the user gets the web page access policies applied, data scanning plugins, selected gateway etc.




II) The authentication methods that can be used in WinGate and the authentication level expected are listed in this post:
http://forums.qbik.com/viewtopic.php?p=28893#28893
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand
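The five steps above boil down to two rules: within one service's policy list the most permissive matching entry wins, and the Default Rights drop-down decides how that result is combined with the System Policies. The model below is an added example, not Qbik's code and not how WinGate is implemented internally; the class names, the integer identity levels and the assumed System Policies (Everyone may be assumed, nothing banned) are illustration choices. It reproduces the outcome of steps 2 to 5 for an IP-assumed user fetching google.com, including the "common logic error" where a second Everyone entry set to "User may be unknown" hands out unauthenticated access:

```python
"""Added example, not Qbik code: a small model of how the post above describes
WinGate combining per-group policy entries ("most access wins") with the
Default Rights (System Policies) in its three modes. Class and function names,
and the identity levels as integers, are assumptions made for illustration."""
from dataclasses import dataclass

# Identity levels, least to most trusted. An entry's level is the minimum a
# request must have: "User may be unknown" accepts unauthenticated requests.
UNKNOWN, ASSUMED, AUTHENTICATED = 0, 1, 2


@dataclass(frozen=True)
class Entry:
    group: str                        # "Everyone" or a named group
    min_level: int                    # UNKNOWN / ASSUMED / AUTHENTICATED
    ban_contains: tuple = ()          # BAN tab: "HTTP URL Contains ..." strings


@dataclass(frozen=True)
class Request:
    url: str
    level: int                        # how WinGate identified the user
    groups: frozenset = frozenset()   # memberships; Everyone is implicit


def entry_grants(e, req):
    """One policy entry grants when the user is in its group, is identified
    at least to the entry's level, and the URL hits nothing on its BAN tab."""
    if e.group != "Everyone" and e.group not in req.groups:
        return False
    if req.level < e.min_level:
        return False
    return not any(s in req.url.lower() for s in e.ban_contains)


def service_allows(entries, req):
    """A single granting entry is enough: the most permissive entry wins."""
    return any(entry_grants(e, req) for e in entries)


def decide(service_entries, system_entries, mode, req):
    """Combine the service policy with the System Policies per the drop-down."""
    svc = service_allows(service_entries, req)
    if mode == "Are ignored":
        return svc
    if mode == "Must also be granted":
        # A service denial is final; System Policies are not consulted.
        return svc and service_allows(system_entries, req)
    if mode == "May be used instead":
        return svc or service_allows(system_entries, req)
    raise ValueError(mode)


# Assumed System Policies: Everyone may be assumed, nothing banned.
SYSTEM = [Entry("Everyone", ASSUMED)]
BANNED = Entry("Everyone", ASSUMED, ("google.com", "microsoft.com"))  # step 2
OPEN = Entry("Everyone", UNKNOWN)                                     # step 3's mistake


def step(n, level=ASSUMED):
    """Outcome of steps 2-5 from the post for a LAN user fetching google.com."""
    req = Request("http://www.google.com/", level)
    if n == 2:
        return decide([BANNED], SYSTEM, "Are ignored", req)
    if n == 3:
        return decide([BANNED, OPEN], SYSTEM, "Are ignored", req)
    if n == 4:
        return decide([BANNED], SYSTEM, "May be used instead", req)
    if n == 5:
        return decide([BANNED], SYSTEM, "Must also be granted", req)
    raise ValueError(n)


if __name__ == "__main__":
    for n in (2, 3, 4, 5):
        print(f"step {n}: google.com allowed = {step(n)}")
    print("step 3, unauthenticated user:", step(3, UNKNOWN))
```

The point to take from step 3 is that a second, looser Everyone entry does not "add an exception", it replaces the ban for every user, including ones WinGate could not identify at all. Step 4 shows the same failure mode at the next layer: "May be used instead" lets a permissive System Policy undo a ban in the service policy, so a ban only holds with "Are ignored" or "Must also be granted".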

accessing other sites than http 80

Postby D4U » May 30 07 2:29 am

Hi,
Using authentication by Win ADS. How can I restrict access to messengers like Yahoo, MSN, ICQ and others? I need to allow for a group and deny for some. How can we access secure sites (HTTPS)?

regards
D4U

Postby jamesc » May 30 07 4:06 am

Instant messengers:

MSN Messenger:
WWW Proxy --> HTTP Resource equals gateway.dll
NAT or WGIC --> Server port equals 1863


Yahoo Messenger:
WWW Proxy --> HTTP URL contains login.yahoo.com
NAT or WGIC --> Server port equals 5050


ICQ:
NAT or WGIC: --> Server port equals 5190 (if my memory from 10 years ago serves me correctly)
WWW Proxy: See below.


Other:
Check the History window to see where it connects to, or contact their support department, or find out through a search engine.


need to allow for a group and deny for some


NAT connections are controlled by the Extended Networking Service.
WGIC connections are controlled by the Winsock Redirector Service.
And remember the policy with the most access will override the policy with the least access, so you will initially want to make a policy to deny everyone access, then create a second policy allowing access.

Tips:
1. NAT has no generic way to authenticate a user, so the user will need to be authenticated somehow.

2. It is sometimes not practical to authenticate users connecting in from the internet (e.g. to an internal web server), and hence they will connect in as a Guest via the Extended Networking Service. I sometimes recommend making a policy in the ENS for the Guest account, and using the Advanced tab of the Guest user's policy to not allow connections that originate from your LAN Clients' IP addresses.

3. When using the Advanced tab of a group's / user's policy, individual filters are "OR'd" and multiple criteria within a filter are "AND'd".


How can we access secutre sites https


If you can access HTTP pages, then you should be able to access HTTPS pages too. If you are using NAT or WGIC then make sure you are not intercepting port 443 in the WWW Proxy Service, or you will break the secure connection. Also check the option within WWW Proxy --> HTTPS.

Also confirm that the way you set your IP addresses, DNS servers and gateways on your network cards follows best networking practices.
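Tip 3 above is the one that trips people up when they move from the BAN tab to the Advanced tab: filters are OR'd, criteria inside a filter are AND'd. The following added example (not WinGate code; field names, operator names, the 192.168.0.0/24 LAN range and the sample sessions are all assumed or constructed for illustration) models that evaluation and applies it to the messenger signatures jamesc lists, split by the service that actually sees the traffic, plus a Guest filter of the kind described in tip 2 that only matches connections not originating from LAN addresses:

```python
"""Added example (not WinGate code): a model of the Advanced-tab semantics from
the post above, where individual filters are OR'd and the criteria inside one
filter are AND'd, applied to the instant-messenger signatures jamesc lists.
Field names, operator names, the LAN range and the sample sessions are all
assumptions/constructed for illustration."""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed LAN client range


def criterion_matches(crit, conn):
    """One criterion: (field, operator, value) tested against a session dict."""
    field, op, value = crit
    actual = conn.get(field)
    if actual is None:                 # the service never saw this attribute
        return False
    if op == "equals":
        return str(actual).lower() == str(value).lower()
    if op == "contains":
        return str(value).lower() in str(actual).lower()
    if op == "in_subnet":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value)
    if op == "not_in_subnet":
        return ipaddress.ip_address(actual) not in ipaddress.ip_network(value)
    raise ValueError(op)


def filter_matches(criteria, conn):
    return all(criterion_matches(c, conn) for c in criteria)   # criteria: AND


def any_filter_matches(filters, conn):
    return any(filter_matches(f, conn) for f in filters)       # filters: OR


# The IM criteria from the post, grouped by the service that sees the traffic.
IM_FILTERS = {
    "WWW Proxy": [
        [("http_resource", "equals", "gateway.dll")],      # MSN Messenger over HTTP
        [("http_url", "contains", "login.yahoo.com")],     # Yahoo Messenger over HTTP
    ],
    "ENS/WGIC": [
        [("server_port", "equals", 1863)],                  # MSN Messenger
        [("server_port", "equals", 5050)],                  # Yahoo Messenger
        [("server_port", "equals", 5190)],                  # ICQ
    ],
}


def is_im_traffic(conn):
    return any_filter_matches(IM_FILTERS[conn["service"]], conn)


# Tip 2 from the post: the Guest entry in the ENS should only cover inbound
# connections, i.e. ones that do NOT come from LAN client addresses. Both
# criteria must hold (AND), so a LAN client hitting port 80 is not covered.
GUEST_ENS_FILTERS = [
    [("client_ip", "not_in_subnet", str(LAN)), ("server_port", "equals", 80)],
]


def guest_entry_applies(conn):
    return any_filter_matches(GUEST_ENS_FILTERS, conn)


# Constructed sample sessions, not taken from any WinGate log.
SAMPLES = {
    "msn_http":  {"service": "WWW Proxy", "client_ip": "192.168.0.10",
                  "http_url": "http://gateway.messenger.hotmail.com/gateway/gateway.dll",
                  "http_resource": "gateway.dll"},
    "yahoo_nat": {"service": "ENS/WGIC", "client_ip": "192.168.0.11",
                  "server_ip": "203.0.113.20", "server_port": 5050},
    "web_nat":   {"service": "ENS/WGIC", "client_ip": "192.168.0.12",
                  "server_ip": "203.0.113.30", "server_port": 80},
    "inbound":   {"service": "ENS/WGIC", "client_ip": "198.51.100.7",
                  "server_ip": "192.168.0.5", "server_port": 80},
}


if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(f"{name:10} IM={is_im_traffic(conn)!s:5} "
              f"guest_entry={guest_entry_applies(conn)}")
```

Two things the samples make visible: a port criterion lives in the ENS/WGIC policy and a URL criterion in the WWW Proxy policy, so blocking a messenger that can fall back from its native port to HTTP needs both sets (as the post lists them); and the Guest filter only does its job because the two criteria are AND'd, since an OR would match every port-80 session from the LAN as well.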

WinGate Internet Client

Postby D4U » May 30 07 8:44 pm

Hi,
Is it essential to use WinGate Internet Client for accessing the internet via WinGate, or else can we use SOCKS? But using SOCKS, shall all the policies be applied (ban list, restricted access etc.)?

regards
D4U

Postby jamesc » May 30 07 9:02 pm

Is it essential to use Wingate internet client for accessing internet via wingate


No, but I do recommend having the LAN Clients set up for NAT, even if you block it at the WinGate server via the policies in the Extended Networking Service. NAT is the fastest connection method available, and you need it for some specialised applications such as VPNs, some server applications and certain games.

*NAT is when you have the LAN Clients' default gateway pointing towards the WinGate server's internal network card. The LAN Clients will also need to have a DNS server set on their network card that can resolve internet domain names.

**On a LAN Client, you can usually check for NAT by pinging an IP address. You can also check for DNS resolution by pinging a domain name; for example:
(Windows) Start menu --> run --> cmd --> ping 210.55.214.36
(Windows) Start menu --> run --> cmd --> ping 72.14.253.147
(Windows) Start menu --> run --> cmd --> ping www.wingate.com
(Windows) Start menu --> run --> cmd --> ping www.google.com


or else can we use the SOCKS, but using socks shall all the policies be applied(ban list, rstricted access etc..)


With the SOCKS Proxy Server, you can set your own policies. I also want to mention that if you turn on an intercept for port 80 in WWW Proxy Server --> Sessions, then any request on port 80 passing through the SOCKS proxy will be intercepted by the WWW Proxy Server.

Traffic segregation between 2 Internet links

Postby D4U » May 31 07 9:02 pm

Unable to post anything; it displays the error "you cannot post web sites at this moment".

regards
D4U

Segregation between 2 internet links

Postby D4U » May 31 07 9:03 pm

As I am new to WinGate, I require suggestions to configure WinGate as below. The following is my network.

Internal clients ------> WinGate -------------> Internet Cloud 2
       |
       |---------------> WatchGuard ----------> Internet Cloud 1
                             |
                             |
                            DMZ

After posting, the diagram changes; please note that the DMZ is the 3rd interface of the WatchGuard, and the internal clients are not directly linked to the DMZ but only via the WatchGuard internal interface.

I have a Win2000 domain network; all the internal clients fetch IPs from the DHCP server in my ADS, and the DDNS server is also the domain controller. On the internal DDNS I have forwarded to the internet DNS IPs.
All the clients have their default gateway pointing to the internal IP of the WatchGuard.
Now I wish to forcibly pass some traffic via internet cloud 2. Will this require changing the default gateway to point to WinGate? In this scenario there are also some servers in my DMZ which I require access to.
I have tried changing the default gateway of a few of my internal clients to point to WinGate, which successfully passes outgoing internet traffic via internet cloud 2, but I am unable to access the web sites in the DMZ.
How can this be achieved: by installing WGIC, or directly via the browser pointing to the WinGate SOCKS or WWW service?

regards
D4U

Postby jamesc » May 31 07 9:29 pm

Unable to post anything; it displays the error "you cannot post web sites at this moment".


I think we should do a discovery of your settings; send these details to sales@qbik.com.

1. WinGate Registry.
GateKeeper --> Options menu --> Advanced --> Save Registry

2. WinGate Config Report
GateKeeper --> Options menu --> Advanced --> Save Config Report

3. ipconfig /all from the WinGate Server
(Windows) Start menu --> Run --> cmd --> ipconfig /all >> C:\ipa.txt


I have tried changing the default gateway of a few of my internal clients to point to WinGate, which successfully passes outgoing internet traffic via internet cloud 2, but I am unable to access the web sites in the DMZ.


On the assumption that I have interpreted your post correctly, you could add a route on the WinGate server so as to send traffic destined for the DMZ back to the internal side of the WatchGuard.

So for example, if one of your servers in the DMZ has the IP address 100.100.100.100, and the internal IP address of the WatchGuard is 192.168.0.254, then the command on the WinGate Server to route those packets to the DMZ computer would be:

(Windows) Start menu --> Run --> cmd --> route add 100.100.100.100 MASK 255.255.255.255 192.168.0.254

Test to see if that works; if it does give you your desired result, then do that route add command again with a -p on the end so it will be persistent after the computer reboots.
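The route add above works because a host route (MASK 255.255.255.255) is more specific than the 0.0.0.0/0 default that sends everything out to Internet Cloud 2, so forwarding picks it first for the DMZ server. This added example (not from the forum or from Qbik) models that longest-prefix-match decision on the WinGate server; 100.100.100.100 and 192.168.0.254 are the addresses jamesc used, while the default gateway 10.1.1.1 and the two on-link networks are assumptions:

```python
"""Added example (not from the forum or Qbik): longest-prefix-match model of the
routing table on the WinGate server, showing why the /32 host route from the
post sends DMZ traffic back to the WatchGuard while everything else still
leaves via Internet Cloud 2. Addresses other than 100.100.100.100 and
192.168.0.254 (which are from the post) are assumptions."""
import ipaddress

# (destination network, next hop). None means on-link, no gateway.
ROUTES = [
    ("0.0.0.0/0", "10.1.1.1"),      # assumed: default route towards Internet Cloud 2
    ("192.168.0.0/24", None),       # assumed: WinGate's internal LAN
    ("10.1.1.0/24", None),          # assumed: WinGate's external segment
]


def add_route(table, dest, mask, gateway):
    """Equivalent of: route add <dest> MASK <mask> <gateway>  (returns a new table)."""
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    return table + [(str(net), gateway)]


def next_hop(table, dst):
    """The most specific (longest prefix) matching route wins, as in the
    Windows forwarding table and every other IP router."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1] if best[1] is not None else "on-link"


DMZ_SERVER = "100.100.100.100"          # from the post
WATCHGUARD_INTERNAL = "192.168.0.254"   # from the post


def before_and_after():
    """Next hop for the DMZ server before/after the host route, plus a
    public address (72.14.253.147, also from the thread) to show the
    default route is untouched."""
    before = next_hop(ROUTES, DMZ_SERVER)
    fixed = add_route(ROUTES, DMZ_SERVER, "255.255.255.255", WATCHGUARD_INTERNAL)
    after = next_hop(fixed, DMZ_SERVER)
    still_default = next_hop(fixed, "72.14.253.147")
    return before, after, still_default


if __name__ == "__main__":
    b, a, d = before_and_after()
    print(f"DMZ server before host route: {b}")
    print(f"DMZ server after host route:  {a}")
    print(f"public address after fix:     {d}")
```

One practical caveat: a /32 covers a single DMZ host, so either repeat the command per server or, once the test succeeds, add the DMZ subnet with its real mask instead; and because the reply path from the DMZ server back to the client goes via the WatchGuard, that firewall still has to permit the traffic.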

Accessing the internet

Postby D4U » Jun 01 07 4:12 am

As per the quote given above:

"Must also be granted": If the e.g. WWW Proxy Server policy allows access to this service, then it must also be checked in the System Polices before it is allowed.

What must be checked in System Policies for allowing? Do we need to modify something in the ENS tab?

"May be used instead": If the e.g. WWW Proxy Server policy denies the request, then check if the System Policies allow it; if it does, allow the user to access.

How can we deny, as there are 3 options: users can access, users can modify and users can start/stop the service?

"Are ignored": Do not check the System Policies to check if this user is allowed/denied to access to the WWW Proxy Server.

How can we deny user access to the WWW Proxy Server, and where?
Can you explain in simple terms how the access rights for accessing the proxy server flow?

Postby jamesc » Jun 01 07 2:09 pm

[Image]

[Image]

authentication from 2 domains

Postby D4U » Jun 04 07 8:34 pm

Hi,
I have 2 domain controllers, i.e. one parent domain and the other a child domain. Will WinGate take authentication simultaneously from both domains? I have tried giving the name of the parent domain, but it accepts authentication only from that domain and not from the child domain.

regards
D4U

wrongpost

Postby oig01 » Oct 19 07 1:44 pm

wrong post
oig01
 
Posts: 16
Joined: Oct 17 07 5:10 pm
Location: California

