2 blocking policies does not work


Postby vsam » Jul 13 08 1:36 am

i have a blocking policy where i block sites like myspace, hi5 etc for all staff for ALL time
i added this in extended networking > policies > Ban List
this policy works perfectly well
Now i want to add ANOTHER blocking policy which BLOCKS orkut for ALL times except 5 PM to 5:30 PM
(all users can access it only in evening for 30 minutes)

When i added a second policy and added the Time restrictions, it does not work
when i delete the 2nd policy and add orkut (URL contains orkut) in the 1st policy (block for all times) the 1st policy works

how do i make work the 2nd policy along with the 1st one
thanks for your help

ps: i have tried in
extended nw> policies > ban list
also
services > www proxy server > ban list

2 policies do not work in both, and of course the tab called "default rights (system policies) are ignored" is selected
vsam
 
Posts: 17
Joined: Jun 05 08 5:04 pm

Re: 2 blocking policies does not work

Postby ChrisH » Jul 13 08 2:28 am

It sounds to me that you might have policies in both NAT (extended networking) and WWW proxy services. How are your users connecting through the WG server - NAT, direct proxy or Transparent Proxy (intercepting port 80)? The two policy plan works best if they are located in the same service, otherwise it can get quite confusing. What I would suggest, if it would work for your situation, is to use the Transparent Proxy option in the WWW service configuration (under the Sessions tab, check the "Intercept connections...." box) and then make your policies in this service. The first policy would be as you had set up with the Ban List detailing the restricted sites (Black List). The second policy would have the same users/groups and authentication requirements as the first, the time restriction in place and under the "Advanced Properties" create a filter with the criterion "HTTP URL contains orkut". Let us know if this helps.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Re: 2 blocking policies does not work

Postby vsam » Jul 13 08 11:35 pm

i have defined policies only in www proxy server, and i am intercepting all port 80/8080 traffic through wwwproxy
1st policy with blocking works perfect (defined in wwwproxy banlist)
problem comes when i add second policy in wwwproxy server, and also defined Time restriction in advanced properties, still the second policy does not work
but when i add orkut.com blocking in the 1st policy, it works perfectly OK (permanently banned)
so definitely the 2nd policy is not getting activated
i am confused, what to do
vsam
 
Posts: 17
Joined: Jun 05 08 5:04 pm

Re: 2 blocking policies does not work

Postby ChrisH » Jul 14 08 2:45 pm

I should have mentioned in my first post that "orkut" needs to be added to the ban list in policy 1. If "orkut" is not added to the ban list in policy 1 then policy 2 will have no effect; users will be able to access "orkut" any time.

Policy 1
Ban List
-orkut
-myspace
-hi5
-etc,etc

Policy 2
Time
5:00pm to 5:30pm
Advanced
HTTP url contains orkut

Does this help?
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Re: 2 blocking policies does not work

Postby adrien » Jul 15 08 7:12 pm

Hi Chris

You need to keep in mind that WinGate 6 policies are not blocking policies, they are granting policies. Each policy you define grants access under certain circumstances. If any defined policy grants a right, then that access will go through.

So if you had a single policy/recipient that you had working that was blocking a bunch of sites (not granting them because the sites were in the banlist), then if you add another one, you need to be careful to not grant in one policy what you blocked in another.

This is a key reason we completely rewrote policy in WinGate 7.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: 2 blocking policies does not work

Postby vsam » Jul 16 08 1:33 am

chrisH
thanks for your descriptive help
i did exactly that but unfortunately it didn't work
my wingate version is 6.2.3
anybody can help on this
thanks
vsam
 
Posts: 17
Joined: Jun 05 08 5:04 pm

Re: 2 blocking policies does not work

Postby ChrisH » Jul 16 08 10:38 am

I had set up the policies as a test and it worked as expected for me. I think there must be some other issue and one that comes to mind might be which group or users are you trying to use these policies on? If some users are in more than one group you could run into problems. Would you be willing to post your configuration to this thread? You can do this fairly easily in GateKeeper by Options, Advanced then selecting Service information and then save the report. I would delete the routing information at the end of the file, we don't need to see this here, and then post the data here. Show the configuration you last had with the two policies. Hopefully we can sort something out.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Re: 2 blocking policies does not work

Postby ChrisH » Jul 16 08 10:41 am

Adrien, Understood. I believe that is what vsam was wanting to do. Block a site then grant access for a period of time. Cheers.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Re: 2 blocking policies does not work

Postby vsam » Jul 18 08 9:06 pm

thanks chrisH
heres my configuration
****************************************************
1.01 WINGATE CONFIGURATION REPORT

1.02 Wednesday, July 16, 2008, 11:36

1.03

1.04 ---------------------------------------------

1.05 WinGate Engine

1.06 ---------------------------------------------

1.07 WinGate 6.2.3 (Build 1139)

1.08 Operating System: Windows 2000 (NT 5.1)

1.09 Language: ENU

1.10 User database: WinGate

1.11 Num. users: 5

1.12

1.13

3.01 ---------------------------------------------

3.02 License details

3.03 ---------------------------------------------

3.04 License Key 1

3.05 Version: WinGate 6 Professional 6 concurrent users

3.06 Expiry: None

3.07

4.01 ---------------------------------------------

4.02 Dialer information

4.03 ---------------------------------------------

4.04 Dialer is disabled

4.05

5.01 ---------------------------------------------

5.02 Network Interfaces

5.03 ---------------------------------------------

5.04 LAN (Ethernet) internal

5.05 TATA (Ethernet) external

5.06 RELIANCE (Ethernet) external

5.07 MS TCP Loopback interface (Loopback)

5.08

6.01 ---------------------------------------------

6.02 Services

6.03 ---------------------------------------------

6.04

6.05 System Policies

6.06 ---------------------------------------------

6.07 Default System Access Rights:

6.08 Everyone - Unrestricted rights

6.09 Default Start/Stop Rights:

6.10 Administrators - Unrestricted rights

6.11 Default Edit Rights:

6.12 Administrators - Unrestricted rights

6.13

6.14 POP3 Proxy server (POP3 Proxy server)

6.15 ---------------------------------------------

6.16 Session Timeout: 120

6.17 Port: 8110

6.18 Startup: Disabled

6.19 Access Rights: Defaults: may be used instead

6.20 Start/Stop Rights: Defaults: may be used instead

6.21 Edit Rights: Defaults: may be used instead

6.22

6.23 Telnet Proxy server (Telnet Proxy server)

6.24 ---------------------------------------------

6.25 Session Timeout: 180

6.26 Port: 23

6.27 Startup: Disabled

6.28 Access Rights: Defaults: may be used instead

6.29 Start/Stop Rights: Defaults: may be used instead

6.30 Edit Rights: Defaults: may be used instead

6.31

6.32 WWW Proxy server (WWW Proxy server)

6.33 ---------------------------------------------

6.34 Session Timeout: 180

6.35 Port: 80

6.36 Startup: Automatic start/stop

6.37 Access Rights: Defaults: are ignored

6.38 Everyone - Restricted by security level, ban list

6.39 Start/Stop Rights: Defaults: may be used instead

6.40 Edit Rights: Defaults: may be used instead

6.41

6.42 DHCP Service (DHCP Service)

6.43 ---------------------------------------------

6.44 Session Timeout: 180

6.45 Port: 67

6.46 Startup: Automatic start/stop

6.47 Access Rights: Defaults: are ignored

6.48 Everyone - Unrestricted rights

6.49 Start/Stop Rights: Defaults: may be used instead

6.50 Edit Rights: Defaults: may be used instead

6.51

6.52 Winsock Redirector Service (Winsock Redirector Service)

6.53 ---------------------------------------------

6.54 Session Timeout: 600

6.55 Port: 2080

6.56 Startup: Automatic start/stop

6.57 Access Rights: Defaults: may be used instead

6.58 Start/Stop Rights: Defaults: may be used instead

6.59 Edit Rights: Defaults: may be used instead

6.60

6.61 FTP Proxy server (FTP Proxy server)

6.62 ---------------------------------------------

6.63 Session Timeout: 180

6.64 Port: 21

6.65 Startup: Automatic start/stop

6.66 Access Rights: Defaults: may be used instead

6.67 Start/Stop Rights: Defaults: may be used instead

6.68 Edit Rights: Defaults: may be used instead

6.69

6.70 IMAP4 Server (IMAP4 Server)

6.71 ---------------------------------------------

6.72 Session Timeout: 1800

6.73 Port: 143

6.74 Startup: Disabled

6.75 Access Rights: Defaults: may be used instead

6.76 Everyone - Restricted by security level

6.77 Start/Stop Rights: Defaults: may be used instead

6.78 Edit Rights: Defaults: may be used instead

6.79

6.80 RTSP Streaming Media Proxy (RTSP Streaming Media Proxy)

6.81 ---------------------------------------------

6.82 Session Timeout: 180

6.83 Port: 554

6.84 Startup: Automatic start/stop

6.85 Access Rights: Defaults: may be used instead

6.86 Start/Stop Rights: Defaults: may be used instead

6.87 Edit Rights: Defaults: may be used instead

6.88

6.89 SOCKS Proxy server (SOCKS Proxy server)

6.90 ---------------------------------------------

6.91 Session Timeout: 180

6.92 Port: 1080

6.93 Startup: Disabled

6.94 Access Rights: Defaults: may be used instead

6.95 Start/Stop Rights: Defaults: may be used instead

6.96 Edit Rights: Defaults: may be used instead

6.97

6.98 VDOLive Proxy server (VDOLive Proxy server)

6.99 ---------------------------------------------

6.100 Session Timeout: 180

6.101 Port: 7000

6.102 Startup: Automatic start/stop

6.103 Access Rights: Defaults: may be used instead

6.104 Start/Stop Rights: Defaults: may be used instead

6.105 Edit Rights: Defaults: may be used instead

6.106

6.107 POP3 Server (POP3 Server)

6.108 ---------------------------------------------

6.109 Session Timeout: 120

6.110 Port: 110

6.111 Startup: Disabled

6.112 Access Rights: Defaults: may be used instead

6.113 Everyone - Restricted by security level

6.114 Start/Stop Rights: Defaults: may be used instead

6.115 Edit Rights: Defaults: may be used instead

6.116

6.117 SMTP Server (SMTP Server)

6.118 ---------------------------------------------

6.119 Session Timeout: 300

6.120 Port: 25

6.121 Startup: Disabled

6.122 Access Rights: Defaults: may be used instead

6.123 Everyone - Restricted by security level

6.124 Start/Stop Rights: Defaults: may be used instead

6.125 Edit Rights: Defaults: may be used instead

6.126

6.127 GDP Service (GDP Service)

6.128 ---------------------------------------------

6.129 Session Timeout: 180

6.130 Port: 368

6.131 Startup: Automatic start/stop

6.132 Access Rights: Defaults: may be used instead

6.133 Start/Stop Rights: Defaults: may be used instead

6.134 Edit Rights: Defaults: may be used instead

6.135

6.136 XDMA Proxy service (XDMA Proxy service)

6.137 ---------------------------------------------

6.138 Session Timeout: 20

6.139 Port: 8000

6.140 Startup: Automatic start/stop

6.141 Access Rights: Defaults: may be used instead

6.142 Start/Stop Rights: Defaults: may be used instead

6.143 Edit Rights: Defaults: may be used instead

6.144

6.145 DNS Service (DNS Service)

6.146 ---------------------------------------------

6.147 Session Timeout: 180

6.148 Port: 53

6.149 Startup: Automatic start/stop

6.150 Access Rights: Defaults: may be used instead

6.151 Start/Stop Rights: Defaults: may be used instead

6.152 Edit Rights: Defaults: may be used instead

6.153

6.154 WWW Server for viewing log files (Logfile Server)

6.155 ---------------------------------------------

6.156 Session Timeout: 180

6.157 Port: 8010

6.158 Startup: Automatic start/stop

6.159 Access Rights: Defaults: may be used instead

6.160 Start/Stop Rights: Defaults: may be used instead

6.161 Edit Rights: Defaults: may be used instead

6.162

6.163 Remote Control Service (Remote Control Service)

6.164 ---------------------------------------------

6.165 Session Timeout: 180

6.166 Port: 808

6.167 Startup: Automatic start/stop

6.168 Access Rights: Defaults: are ignored

6.169 Everyone - Unrestricted rights

6.170 Start/Stop Rights: Defaults: may be used instead

6.171 Edit Rights: Defaults: may be used instead

6.172

7.01 ---------------------------------------------

7.02 System Route Table

7.03 ---------------------------------------------

7.04 Current Route Table:

7.05 ---------------------------------------------

7.06 Network Mask Gateway Interface Metric



7.19

8.01 ---------------------------------------------

8.02 Enhanced Network Support

8.03 ---------------------------------------------

8.04 Enhanced Network Support: Qbik NDIS Hook 6.0 - Installed and active

8.05 Driver: Enabled

8.06 NAT: Enabled

8.07 Router: Enabled

8.08 Firewall level: Custom

8.09

8.10 Firewall

8.11 ---------------------------------------------

8.12 Disable network name broadcasts to the Internet: Enabled

8.13 Allow users to ping this machine locally: Enabled

8.14 Allow users to ping this machine from the Internet: Disabled

8.15 Discard spoofed packets: Enabled

8.16

8.17 Routing

8.18 ---------------------------------------------

8.19 Multiple default routes: Enabled

8.20 Relay UDP broadcast packets: Enabled

8.100

8.101 Port Security

8.102 ---------------------------------------------

8.103

8.104 Security for: External TCP

8.105 Action: Allow Port: 113 - AUTH

8.106 Action: Allow Port: 1024 - 4096 - External

8.107

8.108 Security for: External UDP

8.109

8.110 Security for: Internal TCP

8.111 Action: Allow Port: 21 - Hole for FTP Proxy server (Auto)

8.112 Action: Allow Port: 80 - Hole for WWW Proxy server (Auto)

8.113 Action: Allow Port: 808 - Hole for Remote Control Service (Auto)

8.114 Action: Deny Port: 5222 - nimbooda

8.115

8.116 Security for: Internal UDP

8.117 Action: Allow Port: 53 - Hole for DNS Service (Auto)

8.118 Action: Allow Port: 67 - Hole for DHCP Service (Auto)

8.119

8.120 Security for: NAT TCP

8.121 Action: Redirect Port: 80 - Intercepted by WWW Proxy server

8.122 Action: Deny Port: 5222 - nimbooda

8.123 Action: Redirect Port: 8080 - Intercepted by WWW Proxy server

8.124

8.125 Security for: NAT UDP

8.126 Action: Deny Port: 5222 - nimbooda

8.127

8.128 Security for: DMZ TCP

8.129

8.130 Security for: DMZ UDP

8.131

8.132 Security for: (unknown)

8.133

8.134 Security for: (unknown)

8.500

9.01 ---------------------------------------------

9.02 END OF CONFIGURATION REPORT
vsam
 
Posts: 17
Joined: Jun 05 08 5:04 pm

Re: 2 blocking policies does not work

Postby ChrisH » Jul 20 08 7:19 am

vsam, everything looks straightforward with that config.

Is this how you tried to get things to work?

Add "orkut" to your first policy for "Everyone" as below:
[Attachment: wg1stpolicy.GIF]


Create a new policy, again for "Everyone" using same authentication requirements as first policy and with time slice and advanced policies as listed below:
[Attachment: wgtime.GIF]

[Attachment: wgadv.GIF]


This new policy works as expected for me.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Re: 2 blocking policies does not work

Postby vsam » Jul 21 08 10:12 pm

thanks chrisH for excellent screenshots, i did exactly as per your SS's and yes it DID work :-)
i got my mistake ...
i was doing everything OK until the last screenshot, where i was adding the HTTP block rule in "Ban List" Tab, now i found out it was to be added to "Advanced" Tab = Filter > Criterion
thanks
vsam
 
Posts: 17
Joined: Jun 05 08 5:04 pm
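
The grant-based evaluation adrien describes, and the Ban List versus Advanced filter mix-up vsam found, can be reproduced in a small model. This is an added example, not part of the thread and not WinGate code; the `Policy` class, its fields, the sample URL and the order of checks are assumptions chosen to mirror the behaviour described in the posts.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass
class Policy:
    """Simplified model of one WinGate 6 access policy: it grants, it never blocks."""
    name: str
    ban_list: Tuple[str, ...] = ()              # URL substrings this policy will not grant
    window: Optional[Tuple[time, time]] = None  # None means the policy applies at all times
    url_filter: Optional[str] = None            # Advanced filter: "HTTP URL contains ..."

    def grants(self, url: str, now: time) -> bool:
        if self.window and not (self.window[0] <= now < self.window[1]):
            return False                        # outside the time restriction
        if self.url_filter is not None and self.url_filter not in url:
            return False                        # filter criterion not met
        return not any(b in url for b in self.ban_list)


def allowed(policies, url, now):
    # If any defined policy grants the right, the access goes through.
    return any(p.grants(url, now) for p in policies)


EVENING = (time(17, 0), time(17, 30))
ORKUT = "http://www.orkut.com/"                 # constructed sample URL

# First attempt: orkut only in policy 2's Ban List, so policy 1 grants it all day.
original = [Policy("p1", ban_list=("myspace", "hi5")),
            Policy("p2", ban_list=("orkut",), window=EVENING)]
# Orkut banned in policy 1, but still entered on policy 2's Ban List tab.
mistaken = [Policy("p1", ban_list=("orkut", "myspace", "hi5")),
            Policy("p2", ban_list=("orkut",), window=EVENING)]
# Working setup: policy 2 uses the Advanced filter instead of the Ban List.
working = [Policy("p1", ban_list=("orkut", "myspace", "hi5")),
           Policy("p2", window=EVENING, url_filter="orkut")]


def schedule(policies, url=ORKUT):
    """Return (reachable at 10:00, reachable at 17:15) for the given URL."""
    return allowed(policies, url, time(10, 0)), allowed(policies, url, time(17, 15))
```

In this model `schedule(original)` leaves orkut open all day, `schedule(mistaken)` blocks it all day, and only `schedule(working)` opens it for the evening window while the other banned sites stay blocked.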

