SSL over Transparent Proxy


Post by Jamie » Jun 05 09 3:15 am

I will first try and give you a brief outline of my setup.

I am currently in a school which sits behind a proxy server. We use Windows 2003 servers and XP Clients.

We have got a managed wireless network system installed, and one of the features we have is to allow guest computers to attach to an unsecured wireless SSID within the school (domain-approved computers automatically attach via another SSID). These guest computers should then browse the Internet but are not allowed access to the school network servers.

The wireless controller does NAT and forwards all the guest computers' Internet requests on to a gateway address; however, because we are behind a firewall supplied by the council and have to use their proxy server, it means guest users have to enter proxy settings in their browsers, which I would like to try and avoid.

This brings me on to WinGate, which I am evaluating. I have set this up on a computer with two network cards, installed WinGate and enabled transparent proxy. I have got the wireless controller to forward all requests to the WinGate server, and for normal browsing the guest computers can now get onto the Internet without having to put in proxy settings. The only issue I am having is accessing anything that uses https/SSL. Anything that uses SSL does not get forwarded.

I have searched around for answers and I seem to get the impression that SSL will not work over transparent proxy. Am I correct on this? Is there any way I can get SSL to work through WinGate without having to set proxy settings in each client browser?

Hope someone can help. Many thanks.
Jamie
 
Posts: 1
Joined: Jun 05 09 1:37 am

Re: SSL over Transparent Proxy

Post by jasona » Jun 05 09 10:50 am

Can you make sure you are not intercepting port 443 on the WWW proxy as this will cause SSL to fail. You cannot intercept SSL as it is seen as a man-in-the-middle attack. As long as you are not intercepting port 443 (and have configured NAT correctly) clients should be able to use plain NAT for https pages.
jasona
Qbik Staff
 
Posts: 140
Joined: Nov 12 07 2:52 pm
Location: Auckland

Re: SSL over Transparent Proxy

Post by logan » Jun 05 09 4:12 pm

The reason SSL can't be intercepted is because the content of an SSL packet is encrypted. This includes the hostname which a proxy needs to know in order to be able to proxy the request to an upstream host. Since the proxy cannot see this information, it does not know what to do with the connection and it fails.

If you set the HTTPS proxy setting manually in the client, then the client will leave the hostname unencrypted which is why an HTTPS proxy can be set in the client, but HTTPS sessions cannot be intercepted.

As Jason suggested, you can either disable the port 443 intercept and let the connections out on plain NAT, or if you need some form of control over HTTPS, you could intercept port 443 in a TCP mapping service rather than a WWW proxy service. Or you can set the HTTPS proxy setting manually on the clients.
logan
Qbik Staff
 
Posts: 671
Joined: Oct 19 06 2:49 pm
Location: Auckland, New Zealand
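
The difference described in the replies above, as an added example that is not part of the original posts and not WinGate code: it classifies the first bytes a WWW proxy service receives and shows which of them carry a destination its HTTP parser can read. The function names and all sample bytes are constructed for illustration.

```python
# Added example: what the HTTP parser of a WWW proxy can read from the first
# bytes of a connection. Function names and sample bytes are constructed.

def _split_host_port(value, default_port):
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit() and 0 < int(port) < 65536:
        return host.strip("[]"), int(port)
    return value.strip("[]"), default_port

def upstream_from_first_bytes(data: bytes):
    """Return (kind, host, port): 'connect' for a browser with an HTTPS proxy
    configured, 'http' for plain HTTP (Host header usable when intercepted),
    'tls' for an intercepted port 443 connection, otherwise 'unknown'."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    # There is no HTTP request line or Host header here to parse.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return ("tls", None, None)
    head, _, _ = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ("unknown", None, None)
    if parts[0].upper() == b"CONNECT":
        # Explicit proxy: the client names the target in clear before any TLS.
        host, port = _split_host_port(parts[1].decode("ascii", "replace"), None)
        return ("connect", host, port) if port else ("unknown", None, None)
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            text = value.strip().decode("ascii", "replace")
            return ("http",) + _split_host_port(text, 80)
    return ("unknown", None, None)

# Constructed samples of the three cases discussed in the thread.
EXPLICIT_PROXY = (b"CONNECT www.example.org:443 HTTP/1.1\r\n"
                  b"Host: www.example.org:443\r\n\r\n")
INTERCEPTED_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
INTERCEPTED_443 = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"  # start of a TLS handshake record

if __name__ == "__main__":
    for label, sample in [("explicit HTTPS proxy", EXPLICIT_PROXY),
                          ("intercepted port 80", INTERCEPTED_HTTP),
                          ("intercepted port 443", INTERCEPTED_443)]:
        print(label, "->", upstream_from_first_bytes(sample))
```
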

