Configure Wingate for a secondary guest LAN for internet onl

Postby dsantachiara » Feb 10 11 4:52 am

Dear All,

Our current Wingate server provides internet connection to all the workstations. On the same LAN is configured a PC with Windows 2000 server with all the shared folders. This means that anybody who has access to the internet can also access the server with the data (provided of course they have the privileges - i.e. correct username and password).

Sometimes, however, we host guests in the company who would like to have internet access, and this is generally provided by connecting them to the main LAN. This would mean, however, that provided they can get the credentials they could access all the data on the server (and in any case they can see all the PCs connected to our office LAN).

Is it possible, by setting up a secondary guest LAN card (only for internet access) on the Wingate server, to decouple the internet connection from the other LAN which is also connected to the data server? How can this be done in practice? Installing a second LAN card is easy, but how then to configure Wingate and the LAN card so that the guest will not have any possibility to access the data server, i.e. to have the two LAN cards completely decoupled aside from internet access?

Thank you for your help

Best regards

Davide - DTM
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

Re: Configure Wingate for a secondary guest LAN for internet

Postby adrien » Feb 10 11 12:41 pm

Hi Davide

This should be fairly straightforward.

Just set up another network card on a different IP subnet, and ensure that WinGate or the WinGate host OS won't route between these 2 subnets. This involves making sure IP forwarding is not enabled in the OS (I think whether it is on by default or not depends on the OS).

You can disable support for routing in WinGate by unchecking the option in Extended networking called "Support for multiple subnetworks (router)".

Then to make sure, try pinging one computer on the other subnet - it should fail.

Computers on this untrusted network could conceivably use a WinGate proxy to try and access back into the other LAN if they know which IP addresses to target. To prevent this, you would need to use policy. It might pay to restrict services for this other network. For instance you can use a different WWW proxy for this subnet (just need to set up binding policy to bind to specific interfaces rather than any internal adapter, or you will get port conflicts between 2 WWW proxies). Then you can more easily set WWW proxy policy for users of this subnet as they will have their own proxy.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
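
The reply above notes that blocking routing is not enough, because a guest can still ask the proxy to fetch an address on the office LAN. The following is an added example, not part of the thread and not WinGate configuration or code: a Python model of the decision such a per-subnet proxy policy has to make. The subnets, host names and the `sample_resolve` table are constructed assumptions, and the rule is stricter than the thread in refusing every non-public destination for guests.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed addressing, constructed for this example (the thread gives none).
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")   # office LAN with the data server
GUEST_LAN = ipaddress.ip_network("192.168.50.0/24")    # guest LAN on the second card

# Constructed name-to-address table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "fileserver.corp.example": ["192.168.1.10"],
}

def sample_resolve(host):
    return SAMPLE_DNS.get(host.lower(), [])

def target_host(request_target):
    """Host part of an absolute URL ('http://h/p') or a CONNECT authority ('h:443')."""
    if "://" not in request_target:
        request_target = "//" + request_target
    try:
        return urlsplit(request_target).hostname
    except ValueError:          # malformed authority, e.g. unbalanced IPv6 brackets
        return None

def guest_request_allowed(client_ip, request_target, resolve=sample_resolve):
    """True if the proxy should forward the request; guests may reach public addresses only."""
    if ipaddress.ip_address(client_ip) not in GUEST_LAN:
        return True             # this rule constrains guest-LAN clients only
    host = target_host(request_target)
    if not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]          # target given as an IP literal
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False            # unresolvable name: fail closed
    for addr in addrs:
        addr = getattr(addr, "ipv4_mapped", None) or addr   # unwrap ::ffff:a.b.c.d
        if addr in TRUSTED_LAN or not addr.is_global:
            return False        # office LAN, loopback, or any other non-public range
    return True
```

The check is made on the resolved address rather than the name, so a public-looking host name that points at the office LAN is refused as well; a real proxy would also need to connect to the same address it checked.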

