Wingate -Pre sales question


Postby criRV » Dec 17 10 2:20 am

Hi,
actually we have this config:

Router
Server Win 2000 with 2 ethernet port
Switch
10 clients - access to local network with active directory (OS: Win XP, Mac OS X)

Router (cable lan1) -> Server Win 2000 with a Proxy Open Source(cable lan 2)-> Switch -> client

This solution is nice because our LAN is not directly connected to the Internet. BUT this open source proxy has limits, and we are looking for a new solution for our LAN.

The target is to implement security and control, allowing multiple users to simultaneously surf the web, retrieve email, use internet programs, not directly connected to the Internet.
We need to use a variety of Internet protocols and applications: Web browsers, messaging software, FTP, SFTP and SSL. We also need support for DirectPlay Internet games, Java applications and Real Time Streaming Audio/Video.

We are oriented to your standard or pro product, but we don't know if this is the ideal solution for our need... and which is the correct product to buy.
Can you help us in our choice?

Thanks in advance
Cri
criRV
 
Posts: 9
Joined: Dec 17 10 1:47 am

Re: Wingate -Pre sales question

Postby MattP » Dec 17 10 2:29 pm

Hi Cri,

It sounds like WinGate will be perfect for you, and you're already set up in the optimum "gateway" configuration where all of your LAN Internet access must pass through the proxy, so that's great. Have you installed WinGate yet? During the installation you can activate a free 30 day trial license and we'll help you with any questions that you have during the trial period.

As far as Standard, Professional or Enterprise license requirements, have a look at the following page and see what your requirements are:
http://www.wingate.com/products/wingate/licensing.php

You're welcome to submit a support ticket for any questions/issues that you may have, just go here:
http://support.qbik.com/index.php?_m=tickets&_a=submit

Regards,

Matt
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

Re: Wingate -Pre sales question

Postby criRV » Dec 21 10 3:58 am

Hi,
I downloaded WinGate and I installed it with this option:
Wingate server
Use the operating system (windows) user database
Install NES + Protect server to bootup prior to wingate services starting
Enable auto update

Then I activated the product and finished the installation.

Finally I restarted the server.

I see that the trial version is enterprise 250 user... is it correct?

GateKeeper Config:

In the services TAB ----

1) I set up the WWW proxy to enable access to everyone, and then the client to access through port 80.
But, on the client, I get the message: You don't have right to access to this service.
So I set up the Assumed Users on the local IP of the client: now it works correctly.

2) I set up the ftp proxy to enable access to 2 users, and then the client to access through port 21 (ftp).
But I see that the client cannot access through the ftp port, so I set the client to access through port 80 (HTTP1.1) and it works.

3) I set up the telnet proxy to enable access to 2 users, and then the client to access through port 23 (telnet).
But I see that the client cannot access through the telnet port, so I set the client to access through port 80 (HTTP1.1) and it works.

I would like to know if this is the correct way to configure GateKeeper, or if I did something wrong ...

Right now I have some problem setting up the email service.

I would like this configuration:
client -> proxy (wingate) -> router -> server pop3 or imap
I don't want to store email on local server or on wingate.

Should I configure email on Services or the System TAB?
ie: I see I have proxy config in service TAB for pop3 and I can also create a service for smtp... what about imap?

Thanks for your help and sorry for these newbie questions.
Cri
criRV
 
Posts: 9
Joined: Dec 17 10 1:47 am

Re: Wingate -Pre sales question

Postby criRV » Dec 21 10 5:13 am

Hi again,
I'm testing Wingate configuration for email.

Usually I need the following to configure email through proxy:
Server -> setup the domains (ie: www.mydomain.com) for POP3, SMTP, IMAP
Client -> setup the client (ie: outlook) with IP of Server Proxy for POP3, SMTP, IMAP + username + password

But I don't understand (sorry!) where to put this information on Gatekeeper

I have STOPPED all services (POP3, SMTP and IMAP on System TAB and POP3 on Services) and I have the following results:

POP3
using the www.mydomain.com -> error "impossible to find host"
using the IP of mydomain -> OK we receive email correctly
IMAP
using the www.mydomain.com -> error "impossible to find host"
using the IP of mydomain -> OK we receive email correctly

I don't understand this event...
Are we under proxy?

I try also the configuration described in this guide (scenario 1 - Using Wingate as the main Mail Server on the network):
http://downloads.qbik.com/qbiknz2/downl ... ations.pdf

But the result is the same.. it doesn't work:

POP3
using the www.mydomain.com -> error "impossible to find host"
using the IP of mydomain -> OK we receive email correctly
using the IP of server -> error "Authentication failed"
IMAP
using the www.mydomain.com -> error "impossible to find host"
using the IP of mydomain -> OK we receive email correctly
using the IP of server -> error "Authentication failed"

I see that there is a warning in the System TAB -> DNS server
Don't know if this is the problem...but it seems to be...
So I try to insert in the System TAB -> DNS/WINS resolver the IP of my ISP
I get same problem and same errors....

Thanks
Cri
criRV
 
Posts: 9
Joined: Dec 17 10 1:47 am

Re: Wingate -Pre sales question

Postby MattP » Dec 21 10 5:20 pm

Hi Cri,

criRV wrote:I see that the trial version is enterprise 250 user... is it correct?

that's correct

criRV wrote:1) I set up the WWW proxy to enable access to everyone, and then the client to access through port 80.
But, on the client, I get the message: You don't have right to access to this service.
So I set up the Assumed Users on the local IP of the client: now it works correctly.

That sounds like you've created an access restriction policy that is denying access. Can you start off with no policies and verify that connection is ok? If you have created a policy that requires authentication then you must also select some form of authentication from the General tab.

For your services, when you say that you set up the proxy (FTP and Telnet) to enable access for two users, did you create a location based policy, or a user based policy? Can you try authenticating with Internet Explorer and then connecting via Telnet on port 23?

criRV wrote:I would like this configuration:
client -> proxy (wingate) -> router -> server pop3 or imap
I don't want to store email on local server or on wingate.

It sounds like you don't want to use the WinGate mail services, so you should stop them.

criRV wrote:using the http://www.mydomain.com -> error "impossible to find host"
using the IP of mydomain -> OK we receive email correctly

This sounds like you have a DNS/NAT error, are your LAN clients able to resolve any domain names from the command line? If WinGate is in a gateway scenario, then we would suggest that you set your LAN clients' default gateway and DNS server settings to point at the WinGate server, this way, DNS resolution requests will work. The exception is if you're running an AD and your AD DNS server is a different machine to the WinGate server, in which case you will point your clients at that machine and then set a forward zone in your AD DNS server. You'll also want to add the IP address of the AD DNS server to the list of DNS servers in Start::Programs::WinGate::Advanced Options to avoid a DNS loop.

Regards,

Matt
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm
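
The check Matt asks for above (can a LAN client resolve names?), as an added example that is not part of the original thread or any Qbik tooling: a Python probe that sends one DNS query straight to a named resolver, so the WinGate server, the AD DNS server and the ISP resolver can be compared from the same client regardless of the adapter's DNS setting. The host name and addresses are placeholders, and the reply used in the offline run is constructed.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid):
    """Encode a recursive A/IN question for name."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def skip_name(msg, pos):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[pos] & 0xC0 != 0xC0 and msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def parse_response(msg, txid):
    """Return (rcode name, [IPv4 addresses]) for the reply to query txid."""
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    pos, addrs = 12, []
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # QTYPE + QCLASS
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), addrs

def ask(server_ip, name, timeout=3.0):
    """Send one query straight to server_ip, bypassing the OS resolver settings."""
    txid = secrets.randbelow(65536)            # unpredictable ID, checked on reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server_ip, 53))
            data, peer = s.recvfrom(512)
        except OSError:                        # timeout or ICMP unreachable
            return "NO REPLY", []
    return parse_response(data, txid) if peer[0] == server_ip else ("NO REPLY", [])

def sample_reply(name, txid, ip):
    """Constructed NOERROR reply with one A record, for running offline."""
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + build_query(name, txid)[12:] + answer

if __name__ == "__main__":
    print(parse_response(sample_reply("mail.example.test", 7, "192.0.2.10"), 7))
```

Run `ask(ip, name)` from a LAN client once per candidate resolver. If the ISP address answers but the WinGate or AD address returns `NO REPLY` or `SERVFAIL`, the fault is in that resolver's forwarding rather than in the mail client settings.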

Re: Wingate -Pre sales question

Postby criRV » Dec 22 10 12:42 am

Hi thanks for your help and reply :-)

MattP wrote:This sounds like you have a DNS/NAT error, are your LAN clients able to resolve any domain names from the command line? If WinGate is in a gateway scenario, then we would suggest that you set your LAN clients' default gateway and DNS server settings to point at the WinGate server, this way, DNS resolution requests will work. The exception is if you're running an AD and your AD DNS server is a different machine to the WinGate server, in which case you will point your clients at that machine and then set a forward zone in your AD DNS server. You'll also want to add the IP address of the AD DNS server to the list of DNS servers in Start::Programs::WinGate::Advanced Options to avoid a DNS loop.


Today I check if client can ping internet domain names using
ping www.mydomain.com
and the response is impossible to find host! as you say.. there is a problem with DNS/NAT
So I change the client DNS in the network properties FROM Server IP TO ISP DNS IP and all work!!!!!! That's great!

MattP wrote:It sounds like you don't want to use the WinGate mail services, so you should stop them.


As you say I stop in the System Tab POP3, SMTP, IMAP and in Service Tab POP3 (because I don't want to store mail on server or wingate).


MattP wrote:That sounds like you've created an access restriction policy that is denying access. Can you start off with no policies and verify that connection is ok? If you have created a policy that requires authentication then you must also select some form of authentication from the General tab.


Sorry, I don't know what you are talking about.... I'm new to your program (what's General tab?)

Once Wingate was installed, I opened the browser on the client and the error message appeared.
So I went to Service Tab -> WWW Proxy server -> Policies -> and set User can access service + I added "Everyone".
I tried again to open the browser on the client and the error message appeared.
So I went to User Tab -> Assumed User -> and I added Name and IP for my active directory users.
I tried again to open the browser on the client and all works fine! :-)

MattP wrote:For your services, when you say that you set up the proxy (FTP and Telnet) to enable access for two users, did you create a location based policy, or a user based policy? Can you try authenticating with Internet Explorer and then connecting via Telnet on port 23?


Sorry, I didn't explain well what I did....
When I say "set up the proxy (FTP and Telnet)" I mean:
I went to Service Tab -> FTP Service (or Telnet) -> Policies -> and set User can access service + I added 2 users.

Now I would like to know if I set correctly Wingate and clients, which is the correct Wingate to buy (I think We need Professional because we use active directory... isn't it?), and I would like to know if I'm behind a proxy or what...

this is the config of my lan
Router
Server Win 2000 with 2 ethernet port and Active Directory -> this is the wingate server
Switch
10 clients - access to local network with active directory (OS: Win XP, Mac OS X)

Internet ISP -> Router (cable lan1) -> Server Win 2000 with a Wingate (cable lan 2)-> Switch -> client

I disable in the System Tab POP3, SMTP, IMAP and in Service Tab POP3.
I disable also DNS Service in the System Tab, cause I don't use it.

I set the clients to access through port 80 (HTTP1.1) for all progs/services I need (FTP, TELNET, WWW).
I set email normally, as client are directly connect to internet (POP3, SMTP, IMAP with www.mydomain.com, user and password etc)

The last questions....
Is there something to do to secure Wingate? Or is my actual config ok?
If I buy ie. wingate professional can I, after, upgrade to enterprise?
I see you are working on Wingate 7... what about if I want to upgrade from ie: Wingate 6 standard to Wingate 7?
Can we buy from your site or have we to buy from a national reseller?


Thanks for all :-)
Cri
criRV
 
Posts: 9
Joined: Dec 17 10 1:47 am

Re: Wingate -Pre sales question

Postby criRV » Dec 22 10 5:04 am

Hi again,
sorry but I have a strange scenario here...

criRV wrote:So I change the client DNS in the network properties FROM Server IP TO Isp DNS IP and all work


I see that after this change I'm no longer behind a proxy....
Now I can do any operation without proxy settings on my client..... This is nice but I don't want it... it seems I'm directly connected to internet.....

Can you please help me to understand?
Thanks
Cri
criRV
 
Posts: 9
Joined: Dec 17 10 1:47 am

Re: Wingate -Pre sales question

Postby MattP » Dec 22 10 8:32 pm

Hi,

I'd like to get some information from you to help sort out your configuration, can you send an email to support at qbik dot com with the following:
1. WinGate Registry
GateKeeper --> Options menu --> Advanced --> Save Registry

2. WinGate Config Report
GateKeeper --> Options menu --> Advanced --> Save Config Report

3. ipconfig/all from one LAN Client
(Windows) Start menu --> Run --> cmd --> ipconfig/all >> C:\ipa-client.txt

4. ipconfig/all from the WinGate Server
(Windows) Start menu --> Run --> cmd --> ipconfig/all >> C:\ipa-server.txt

Thanks,

Matt
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

Re: Wingate -Pre sales question

Postby criRV » Dec 23 10 1:18 am

Hi,
Files sent.
Thanks
Cri
criRV
 
Posts: 9
Joined: Dec 17 10 1:47 am

Re: Wingate -Pre sales question

Postby criRV » Dec 23 10 2:01 am

Hi,
how can I access your ticket system? (my forum email and password don't work).
Thanks
Cri
criRV
 
Posts: 9
Joined: Dec 17 10 1:47 am

Re: Wingate -Pre sales question

Postby MattP » Dec 23 10 4:52 pm

Hi,

criRV wrote:how can I access your ticket system? (my forum email and password don't work).

You'll need to create a new username for the support system, unfortunately they're different systems and the login is not transferable.

Thanks for sending those files in. From what I can see you have not made many changes to the default installation, so I would expect everything to be working well for you.

Can you please remove the DNS settings from the LAN adapter on your WinGate server? If you are using Active Directory then the DNS settings on your clients will need to point at the AD DNS server. You should also re-enable the DNS service in WinGate.

criRV wrote:Now I can do any operation without proxy settings on my client..... This is nice but I don't want it... it seems I'm directly connected to internet.....

If you want to be able to access your external email directly, without using WinGate, then you'll have to allow your clients to resolve DNS requests. I suppose that you could use IP addresses in the Email settings, but it would be easier to just allow DNS requests by setting the DNS on the clients to point at the WinGate server. The clients are not connected directly to the Internet as they have to connect through WinGate to reach the Internet, which means that you can block access to all ports if you want to, and only allow connections on specific ports.

criRV wrote:Is there something to do to secure Wingate? Or is my actual config ok?

By default the firewall is enabled, so you're protected from external connections.

criRV wrote:If I buy ie. wingate professional can I, after, upgrade to enterprise?

Yes, you can always upgrade at a later date, but you cannot downgrade.

criRV wrote:I see you are working on Wingate 7... what about if I want to upgrade from ie: Wingate 6 standard to Wingate 7?

When you purchase your license you will receive one year of version protection free of charge. Valid version protection is required to update your license when we release version 7, as long as yours is still valid then you will be able to update your license at no extra charge.

criRV wrote:Can we buy from your site or have we to buy from a national reseller?

You can purchase directly from our site, but if you purchase from a local reseller then you get support in your own time-zone/language, so if that is important to you, you may wish to contact a local reseller.

Regards,

Matt
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

Re: Wingate -Pre sales question

Postby criRV » Jan 02 11 5:13 am

Hi,
sorry but I have been out of office and I could not test your solution.

I'll be back at work in a few days.
Thanks for reply and Happy New Year
Cri
criRV
 
Posts: 9
Joined: Dec 17 10 1:47 am

Re: Wingate -Pre sales question

Postby criRV » Jan 11 11 8:53 am

Hi,
I replied also on your ticket system ...

MattP wrote:Can you please remove the DNS settings from the LAN adapter on your WinGate server? If you are using Active Directory then the DNS settings on your clients will need to point at the AD DNS server. You should also re-enable the DNS service in WinGate.


All done... but the problem is the same.... :-(
1) I can use browser using proxy -> IP of Wingate Server + port 80
2) I can use ftp using proxy http 1.1 -> IP of Wingate Server + port 80
3) I CANNOT use ftp using proxy sock or using port 21
4) I CANNOT receive mail using
POP3
www.myexternaldomain.com -> error "impossible to find host"
IP of mydomain -> OK we receive email correctly
IMAP
www.myexternaldomain.com -> error "impossible to find host"
IP of mydomain -> OK we receive email correctly

MattP wrote:
CriRV wrote:Now I can do any operation without proxy settings on my client..... This is nice but I don't want it... it seems I'm directly connected to internet.....

..... The clients are not connected directly to the Internet as they have to connect through WinGate to reach the Internet, which means that you can block access to all ports if you want to, and only allow connections on specific ports.


1) So if I understand well... I'm behind a wingate (so I'm protected) even if I set up the clients' DNS with the IP of my ISP??????
But in this scenario (Client with ISP DNS), I see that in the history panel of wingate I have
NAT: TCP Connection to [IP of the site]
instead of (as in the proxy one (Client with DNS of wingate server))
http://www.externalsite.com - HTTP 1.1 200 OK
Is this correct?

2) How can I block access a port or allow connections on specific ports???

MattP wrote:If you want to be able to access your external email directly, without using WinGate, then you'll have to allow your clients to resolve DNS requests. I suppose that you could use IP addresses in the Email settings, but it would be easier to just allow DNS requests by setting the DNS on the clients to point at the WinGate server.

I did it (in the client DNS I have the server IP)... but this doesn't solve the problem.
Probably there is something I didn't set up.... or I don't know why DNS cannot resolve the name....

Thanks
Cri
criRV
 
Posts: 9
Joined: Dec 17 10 1:47 am

