Configuration Question - Publicly Hosted Proxy


Postby talwell » Jul 10 07 9:33 pm

I have a situation where I have a dedicated server at our host. The server is W2k3 and I have installed Wingate on it. I want to use this public server as a proxy for remote clients - possibly from several remote locations.

My question is - can this be done? Currently the server has one NIC in it on the public side.

If it can be done, what are the specific configurations that will be needed?
talwell
 
Posts: 1
Joined: Jul 10 07 9:29 pm

Postby jamesc » Jul 12 07 5:13 pm

talwell wrote: I want to use this public server as a proxy for remote clients - possibly from several remote locations.


My interpretation: You want to have a *WWW Proxy Service* available for remote internet clients. They only need to access web pages and not capture all application calls (because you would use the WinGate Internet Client (WGIC) for that).


talwell wrote: My question is - can this be done? Currently the server has one NIC in it on the public side.


Yes.


talwell wrote: If it can be done, what are the specific configurations that will be needed?


There are a couple of ways this can be envisaged to be done:
a) With the WWW Proxy Exposed to the internet with one of three authentication methods.
b) Or VPN.


WWW Proxy Server:

1. To begin with you will need to decide which user database you are going to use with WinGate because that will affect what authentication methods are available to these remote internet clients. I have listed them below.

WinGate User Database.
WWW Proxy Java Authentication - Secure method - Needs Java (www.java.com)
WGIC Authentication - Secure method - Client install.
QbikAuth Authentication - Secure method - Client install.
GateKeeper Authentication - Secure method - Client install.
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different criteria.

Local Windows User Database
WWW Proxy NTLM Authentication - Secure Method - Application must be NTLM compatible.
WGIC NTLM Authentication - Secure method - Client install.
QbikAuth NTLM Authentication - Secure method - Client install.
GateKeeper NTLM Authentication - Secure method - Client install.
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different criteria.

Domain User Database.
WWW Proxy NTLM Authentication - Secure Method - Application must be NTLM compatible.
WGIC NTLM Authentication - Secure method - Client install.
QbikAuth NTLM Authentication - Secure method - Client install.
GateKeeper NTLM Authentication - Secure method - Client install.
Basic Authentication - Insecure method.
Assumed by IP Address - Insecure method.
Assumed by Computer name - Insecure method and WinGate must be DHCP Server.
Unauthenticated Access - Can be set for different criteria.

*Secure: Then the authentication level of the policy needs to be set to "User must be authenticated"
Insecure: Then the authentication level of the policy needs to be set to "User may be assumed"
Unauthenticated: Then the authentication level of the policy needs to be set to "User may be unknown"

**Below is the location to set this. To use the WinGate User Database you would not have any of those options ticked.

Image


2. Next you need to identify how your network adapter(s) have been detected by WinGate. Generally the network interface cards can be INTERNAL / EXTERNAL. The network card pointing towards the private network is marked as INTERNAL. And the network card / modem pointing towards the internet is marked as EXTERNAL in WinGate. If the network card pointing towards the internet has a hardware firewall upstream then it can also be set as INTERNAL in WinGate.

Image


3. Creating the WWW Proxy and setting up authentication.

a) Navigate to the WWW Proxy Service, right click it and create a new WWW Proxy Service - name it: WWW Proxy Remote Internet Clients and give it a unique port number (the only reason I say create a new one is I don't know if you have some kind of proxy setup already for your private network).

b) Choose your authentication method as seen in the Blue box - You can only see Java and BASIC because that image is from a WinGate installation that is using the WinGate user database.

*BASIC - Insecure because the password is sent in clear text.
*Java - Secure because the password is encrypted - must also have Java from www.java.com. The Remote Control Service will also need to be open to the internet.
*NTLM - Secure due to the NTLM handshake.

Image


c) Set the authentication policy.

NTLM or JAVA:

WWW Proxy Service --> Policies:
Default Right = Are ignored.
Add --> Everyone, *User must be authenticated.*
OK back to the GateKeeper.

BASIC:

WWW Proxy Service --> Policies:
Default Right = Are ignored.
Add --> Everyone, *User may be assumed*
OK back to the GateKeeper.


d) Confirm that the WWW Proxy Service is bound to an adapter pointing towards the internet. The bottom of that bindings interface shows your desired result, and the top part shows whether it is actually bound to that interface.

Image





Extra information:

Some websites may need to have a caching policy made if they are not displaying properly to the remote internet client. A concept of how to do that is shown below.

Image



VPN:

A lot more secure. Let me know if you would like some more information on this.

The changes between version 6.x releases can be reviewed here:
http://www.wingate.com/showfaq.php?faqid=2

Skype: wingatejames
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand
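
An added example, not part of the thread and not WinGate code: a Python check an administrator could run against the reply a public proxy gives to a request sent without credentials, reporting whether it serves anonymously, offers Basic (the clear-text method described above), or only issues a handshake challenge such as NTLM. The sample responses and the credential are constructed, use standard HTTP proxy headers rather than captured WinGate output, and the result labels are this example's own.

```python
import base64

CLEARTEXT_SCHEMES = {"basic"}  # password is only base64-encoded on the wire

def parse_head(raw: bytes):
    """Return (status_code, [Proxy-Authenticate schemes]) from a raw response head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return status, schemes

def assess(raw: bytes) -> str:
    """Classify the proxy's answer to a request sent WITHOUT credentials."""
    status, schemes = parse_head(raw)
    if status < 400:
        return "open"        # served anonymously, as an unauthenticated policy allows
    if status != 407:
        return "denied"      # refused, but not by an authentication challenge
    if not schemes:
        return "malformed"   # a 407 should carry Proxy-Authenticate
    if CLEARTEXT_SCHEMES & set(schemes):
        return "cleartext"   # Basic offered: credentials readable in transit
    return "challenge"       # only handshake schemes such as NTLM offered

def basic_credentials(header_value: str):
    """Recover (user, password) from a Proxy-Authorization value, or None if not Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token.strip()).decode("utf-8").partition(":")
    return user, password

# Constructed sample data (not captured from a WinGate server).
OPEN = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
MIXED = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
         b"Proxy-Authenticate: NTLM\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n")
NTLM_ONLY = b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM\r\n\r\n"
SAMPLE_HEADER = "Basic " + base64.b64encode(b"remoteuser:example-pass").decode()

if __name__ == "__main__":
    for label, raw in (("open", OPEN), ("mixed", MIXED), ("ntlm", NTLM_ONLY)):
        print(label, "->", assess(raw))
    print(basic_credentials(SAMPLE_HEADER))
```

A proxy that offers Basic alongside NTLM still reports "cleartext", because a client may pick the weaker scheme.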

Postby elwill0207 » Oct 28 07 9:32 pm

When I'm trying to auth, I get an error. "No response on Port"

I'm trying to take the Java route.
elwill0207
 
Posts: 8
Joined: Oct 28 07 8:34 pm

Postby logan » Oct 29 07 8:22 am

The Java client uses the "Remote Control Service" in WinGate to authenticate itself. You will need to bind the RCS to the internal network adaptor that your client computers are authenticating through so that the Java clients can connect to the RCS.

-Gatekeeper -> System tab -> Remote Control Service -> Bindings
logan
Qbik Staff
 
Posts: 671
Joined: Oct 19 06 2:49 pm
Location: Auckland, New Zealand

Postby elwill0207 » May 09 08 6:34 pm

My proxy doesn't seem to be working either.

Image
elwill0207
 
Posts: 8
Joined: Oct 28 07 8:34 pm

Postby Nev » May 10 08 10:47 pm

elwill0207 wrote: My proxy doesn't seem to be working either.


Hi,

What you could do in the Network tab is change the NIC 192.168.0.251 to External by clicking on it.

That is if it is your Local Area Connection to your router // ISP // modem?

Does that help?
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby logan » May 12 08 3:22 pm

Also, make sure you either disable the Windows Firewall, or open port 8080 in the Windows Firewall.
logan
Qbik Staff
 
Posts: 671
Joined: Oct 19 06 2:49 pm
Location: Auckland, New Zealand

