WinGate Forums

[boblowski]

Hi all,

This is probably an absolute beginners question...

Our WinGate server is reverse proxying to several servers. I want to give a specific user SSH access to those servers, so I added a new HTTP service at port 88 with port 22 as allowed SSL port. So far everything works fine and I can use Putty without any problems to SSH to the servers via this proxy service.

Next I wanted to secure the proxy by defining a new user and I added this user to the right 'Users can access this service' on the Policies tab of the HTTP proxy service. I checked 'Users must be authenticated' in the 'Properties for new recipient' dialog and left the other settings as they are. The default right/system policies are set to 'are ignored'.

My thinking was, I just enter the username and password for the new user at the proxy settings in Putty, and everything should work as expected. But connections to the service are refused (403), with an 'Authentication failed' message in WinGate. I tried to to the same with a SOCKS proxy, with the same result.

What am I doing wrong here?

Cheers, Bob

[ChrisH]

Try setting authentication requirements to "Basic" under the General tab in the service and "User may be assumed" in the Properties for the user under the Policies tab.

[boblowski]

Hi Chris,

Thanks for your helpful reply. Authentication now works perfect.

Still, I am somewhat confused. I was under the impression that 'User may be assumed' means that the user's identity may be assumed based on the IP address of the connecting computer. Why does 'User must be authenticated' not work?

And a second security related question. Does every HTTP service I define in WinGate accept all CONNECT requests? Or are CONNECT requests restricted to the SSL-connections I allow for the service?

Cheers, Bob

[logan]

Still, I am somewhat confused. I was under the impression that 'User may be assumed' means that the user's identity may be assumed based on the IP address of the connecting computer. Why does 'User must be authenticated' not work?

The whole assumed versus authenticated thing is very confusing, and will be dropped in the next version of WinGate.

Authenticated users are those who use a secure authentication method, where WinGate can be 100% sure that the user the client has logged in as is in fact the user at that client. Authenticated level is achieved using NTLM, Java auth, GateKeeper, WGIC, or QbikAuth

Assumed users are those who have used an insecure method of authentication, where WinGate can NOT be sure if the user that the client has logged in as is the user at that client. Assumed level is achieved by, IP assumptions, Basic auth, or during the 30 seconds after a user logs out from one of the secure authentication methods above.

The reason user must be authenticated didn't work is because SSH does not support any of WinGate's secure authentication methods. SSH uses plain text, or Basic authentication which only gives it the assumed level.

And a second security related question. Does every HTTP service I define in WinGate accept all CONNECT requests? Or are CONNECT requests restricted to the SSL-connections I allow for the service?

By default, a proxy will accept all connect requests on all ports. You can however use access policies to control which servers requests can be made to, and the HTTPS configuration to control which ports.

[boblowski]

Hi all,

The whole assumed versus authenticated thing is very confusing, and will be dropped in the next version of WinGate.

Authenticated users are those who use a secure authentication method, where WinGate can be 100% sure that the user the client has logged in as is in fact the user at that client. Authenticated level is achieved using NTLM, Java auth, GateKeeper, WGIC, or QbikAuth

Assumed users are those who have used an insecure method of authentication, where WinGate can NOT be sure if the user that the client has logged in as is the user at that client. Assumed level is achieved by, IP assumptions, Basic auth, or during the 30 seconds after a user logs out from one of the secure authentication methods above.

The reason user must be authenticated didn't work is because SSH does not support any of WinGate's secure authentication methods. SSH uses plain text, or Basic authentication which only gives it the assumed level.

Thanks for your explanation, that does clear things up!

By default, a proxy will accept all connect requests on all ports. You can however use access policies to control which servers requests can be made to, and the HTTPS configuration to control which ports.

Okay, I was thinking, if I define a policy for the HTTP proxy which only allows for connect requests, and that only to one specific server over SSL to port 22 of that server, do I actually need any authentication for the proxy then? The user can only connect to this one server via this proxy, and that server handles its own authentication over SSL. Or is there like this still a posibility that WinGate's HTTP proxy is misused for access to other servers?

And for normal HTTP/HTTPS proxies, is it good practise to deny any connect requests if the proxy is only used as reverse proxy or for redirects? Or is the connect request also used for other HTTP purposes?

Thanks again for your help, Bob

[logan]

Okay, I was thinking, if I define a policy for the HTTP proxy which only allows for connect requests, and that only to one specific server over SSL to port 22 of that server, do I actually need any authentication for the proxy then?

I agree with your logic. If you were to restrict this policy to access a specific servers IP address and port 22, you would not need to require authentication as any attempt to misuse the proxy would fail. However, if you are trying to use the proxy to simply redirect connections, would a TCP Mapping meet your requirements instead?

And for normal HTTP/HTTPS proxies, is it good practise to deny any connect requests if the proxy is only used as reverse proxy or for redirects? Or is the connect request also used for other HTTP purposes?

When using a WWW Proxy as a Reverse Proxy Server, it's wise to allow only server requests through that proxy, and deny all proxy requests of any kind. You can do this by using the "Is non-proxy request" criterion.

[adrien]

another option.

If all you are doing is reverse proxying to a specific internal host, why even use an HTTP proxy for this? Unless you are doing HTTP protocol control, you could possibly get the same result with just a TCP mapping service (which will still allow you to use SSL).

Regards

Adrien