I'm thinking or installing WinGate for a client who wants to allow all employees to have email pop/smtp 24/7 without needing to authenticate and those same users must authenticate using generic logins web1, web2, etc to browse the web for work purposes, the boss will configure the passwords or enable / disable the accounts as and when needed. I also don't want the users to be able to use any back door method to get on the web or to able to use ms messenger, yahoo messenger, icq, etc. The boss/his pc will need 100% access to all services and he will be using https sites for banking, etc. They have a Windows 2003 SBS server and XP Pro workstations.
I've been testing on my own network with XP workstations:
cable modem > PC two nics > router/switch > all the other workstations.
I can't get the above to work with WinGate, when I try the users need to authenticate for email and web, please help.
Thanks,
Robert.
Email all the time, no authentication, browsing auth..
Moderator: Qbik Staff
7 posts
• Page 1 of 1
Email all the time, no authentication, browsing auth..
by robinmx » Sep 13 07 9:43 am
- robinmx
- Posts: 7
- Joined: Sep 13 07 9:34 am
- Location: Queretaro, Mexico
by logan » Sep 13 07 3:25 pm
To allow unauthenticated access to a service, the guest account must be enabled in the user database and the policies of that service must be set to allow unauthenticated access. I have written a quick guide to allow unauthenticated access to the SMTP server below. You should then be able to apply this knowledge to the POP3 server.
- Gatekeeper -> System tab -> SMTP Server -> Policies
- Stop the SMTP server from interacting with the System Policies by changing the "default rights" to are ignored.
- Remove any policies that are currently in the list.
- Click Add.
- The default policy settings when you click add allows everyone unauthenticated access, so click OK.
- Click Apply to finalise the change.
Then check that the guest account is enabled.
- Gatekeeper -> Users tab -> Users -> Guest
- Make sure "Account enabled" is selected
That should be all you need to do to allow unauthenticated access to the SMTP Server. Now you can do the same for the POP3 server.
- Gatekeeper -> System tab -> SMTP Server -> Policies
- Stop the SMTP server from interacting with the System Policies by changing the "default rights" to are ignored.
- Remove any policies that are currently in the list.
- Click Add.
- The default policy settings when you click add allows everyone unauthenticated access, so click OK.
- Click Apply to finalise the change.
Then check that the guest account is enabled.
- Gatekeeper -> Users tab -> Users -> Guest
- Make sure "Account enabled" is selected
That should be all you need to do to allow unauthenticated access to the SMTP Server. Now you can do the same for the POP3 server.
- logan
- Qbik Staff
- Posts: 671
- Joined: Oct 19 06 2:49 pm
- Location: Auckland, New Zealand
by robinmx » Sep 13 07 5:57 pm
I'm using external pop/smtp servers for mail. I can solve my problem by turning off NAT and stopping the winsock redirector service. The mail then works fine both ways and I manually edit the proxy settings of the browsers in every workstation and use the java login. Doing it this way is not my preferred choice.
Out of interest why does a WGIC login still remain active after you've finished sending or receiving mail, it takes up a licence? Users are forced to close and open Outlook to break the connection thus freeing a licence for others to use. I can see the logic of some users not wanting to login every X minutes as it's a pain, but equally so for those on a budget needing share the available connections. Maybe you could program an option to release the connection after send / receive are complete when using mail applications.
Thanks,
Robert.
Out of interest why does a WGIC login still remain active after you've finished sending or receiving mail, it takes up a licence? Users are forced to close and open Outlook to break the connection thus freeing a licence for others to use. I can see the logic of some users not wanting to login every X minutes as it's a pain, but equally so for those on a budget needing share the available connections. Maybe you could program an option to release the connection after send / receive are complete when using mail applications.
Thanks,
Robert.
- robinmx
- Posts: 7
- Joined: Sep 13 07 9:34 am
- Location: Queretaro, Mexico
by logan » Sep 14 07 11:45 am
If you were using NAT, allowing unauthenticated access for POP3 and SMTP will be as simple as creating a policy that does not require authenticate but only allows TCP port 25 and 110.
I have included a quick guide to allow unauthenticated access to email through NAT but require authentication for everything else from a default installation,
- Gatekeeper -> System tab -> Extended Networking -> Policies
- Stop the ENS from interacting with the System Policies by changing the default rights to "are ignored"
- Click Add to make a new policy, select "Must be authenticated" and click OK
At this point, noone should have unauthenticated access to the ENS. All you need to do now is create a new policy that overrides the authentication requirement for ports 25 and 110.
- Click Add to make a new policy. Leave this policy as "User may be unknown".
- Goto the Advanced tab of the policy properties.
- Select "Specify which requests this recipient has rights for".
- Click Add Filter
- Click Add Criterion
- Select
- > This criterion is met if
- > Server port number
- > equals
- > 25
-> Click Ok
- Click Add Filter
- Click Add Criterion
- Select
- > This criterion is met if
- > Server port number
- > equals
- > 110
- Click Ok, then OK, then Apply to finalise the change
Now when your client computers connect to a POP3 or SMTP server through NAT while unauthenticated, the request will be allowed rather than denied. If you have already created some policies in your Extended Networking Service, you may need to fiddle with this example a bit to make it work for you.
A very similar logic applies to the WGIC connection method aswell, so if you perfer to use the WGIC on your client computers, you should be able to use the above example in the WinSock redirector service. Require authentication for everything, then create a new policy that allows unauthenticated access to ports 25 and 110.
Note: If your clients are using domain names to connect to their mailservers, they must be able to perform DNS lookups through WinGate, so make sure that the DNS server is allowing unauthenticated access.
I have included a quick guide to allow unauthenticated access to email through NAT but require authentication for everything else from a default installation,
- Gatekeeper -> System tab -> Extended Networking -> Policies
- Stop the ENS from interacting with the System Policies by changing the default rights to "are ignored"
- Click Add to make a new policy, select "Must be authenticated" and click OK
At this point, noone should have unauthenticated access to the ENS. All you need to do now is create a new policy that overrides the authentication requirement for ports 25 and 110.
- Click Add to make a new policy. Leave this policy as "User may be unknown".
- Goto the Advanced tab of the policy properties.
- Select "Specify which requests this recipient has rights for".
- Click Add Filter
- Click Add Criterion
- Select
- > This criterion is met if
- > Server port number
- > equals
- > 25
-> Click Ok
- Click Add Filter
- Click Add Criterion
- Select
- > This criterion is met if
- > Server port number
- > equals
- > 110
- Click Ok, then OK, then Apply to finalise the change
Now when your client computers connect to a POP3 or SMTP server through NAT while unauthenticated, the request will be allowed rather than denied. If you have already created some policies in your Extended Networking Service, you may need to fiddle with this example a bit to make it work for you.
A very similar logic applies to the WGIC connection method aswell, so if you perfer to use the WGIC on your client computers, you should be able to use the above example in the WinSock redirector service. Require authentication for everything, then create a new policy that allows unauthenticated access to ports 25 and 110.
Note: If your clients are using domain names to connect to their mailservers, they must be able to perform DNS lookups through WinGate, so make sure that the DNS server is allowing unauthenticated access.
- logan
- Qbik Staff
- Posts: 671
- Joined: Oct 19 06 2:49 pm
- Location: Auckland, New Zealand
by logan » Sep 14 07 11:54 am
In regards to your other question, by default, computers will remain in WinGate's activity window for 30 seconds after all traffic has ceased. You can shorten this timeout period using the registry.
- Stop the WinGate Engine
- (Windows) Start -> Run -> regedit
- HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\Settings
- Edit -> New -> DWORD Value
- Name the new value "MachineTimeout"(must be exact) and hit enter
- Double-Click on the MachineTimeout value
- Select Decimal
- Enter the length of time that you want the session to remain open for. (this can be 0)
- Click OK
- Start the WinGate Engine
- Stop the WinGate Engine
- (Windows) Start -> Run -> regedit
- HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\Settings
- Edit -> New -> DWORD Value
- Name the new value "MachineTimeout"(must be exact) and hit enter
- Double-Click on the MachineTimeout value
- Select Decimal
- Enter the length of time that you want the session to remain open for. (this can be 0)
- Click OK
- Start the WinGate Engine
- logan
- Qbik Staff
- Posts: 671
- Joined: Oct 19 06 2:49 pm
- Location: Auckland, New Zealand
by robinmx » Sep 17 07 4:28 am
Thanks.
I ended up using NAT with a transparent proxy to force the java login for the browsing and I'll enforce your suggestion for the ENW policies. I'll have to open up a few more ports for updates for anti-virus, anti-spyware, etc.
The only problem now is that the ADSL router has wireless connectivity and Wingate sees a wireless connection as spoofing and blocks the request.
Internet <> ADSL router with access via eth-cable and wireless with dynamic internet I.P. incoming via telco line <> external nic dynamic I.P. 192.168.1.* on Wingate server / internal nic static I.P. 192.168.0.254 on Wingate server <> switch <> users cabled workstations with static I.Ps.
The ADSL router gives a wireless laptop a dynamic I.P normally 192.168.1.70 and then routes the request to the Wingate server which blocks the request as someone spoofing. I don't want to give the laptop a static I.P in the 192.168.0.* range as the owner often uses other wireless hotspots. The only answer I can think of is to turn off wireless connectivity for the ADSL router and then put an additional wireless AP inside the LAN giving out a limited I.P. range 192.168.0.50-65 to not conflict with any static I.P.
Thanks again.
I ended up using NAT with a transparent proxy to force the java login for the browsing and I'll enforce your suggestion for the ENW policies. I'll have to open up a few more ports for updates for anti-virus, anti-spyware, etc.
The only problem now is that the ADSL router has wireless connectivity and Wingate sees a wireless connection as spoofing and blocks the request.
Internet <> ADSL router with access via eth-cable and wireless with dynamic internet I.P. incoming via telco line <> external nic dynamic I.P. 192.168.1.* on Wingate server / internal nic static I.P. 192.168.0.254 on Wingate server <> switch <> users cabled workstations with static I.Ps.
The ADSL router gives a wireless laptop a dynamic I.P normally 192.168.1.70 and then routes the request to the Wingate server which blocks the request as someone spoofing. I don't want to give the laptop a static I.P in the 192.168.0.* range as the owner often uses other wireless hotspots. The only answer I can think of is to turn off wireless connectivity for the ADSL router and then put an additional wireless AP inside the LAN giving out a limited I.P. range 192.168.0.50-65 to not conflict with any static I.P.
Thanks again.
- robinmx
- Posts: 7
- Joined: Sep 13 07 9:34 am
- Location: Queretaro, Mexico
by adrien » Sep 20 07 12:04 pm
You can turn off the check for IP spoofing in the Extended Networking config.
If WinGate is behind another router, this check is not very useful anyway.
As for setting policy. If you are setting policy and it's affecting multiple services, then I presume you're setting system policy? If so, you can always set individual service policy, and control whether or not system policy is also required to be granted etc.
Regards
Adrien
If WinGate is behind another router, this check is not very useful anyway.
As for setting policy. If you are setting policy and it's affecting multiple services, then I presume you're setting system policy? If so, you can always set individual service policy, and control whether or not system policy is also required to be granted etc.
Regards
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
7 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 5 guests