NAT Policy


Post by rebelldtu » Jan 23 12 11:06 pm

Hi, I am trying to implement a basic NAT policy to only allow access to certain machines in AD. Attached is an image of a simple policy I have made to achieve this, but it does not work. If anybody could throw some suggestions my way on how to achieve this, it would be gratefully received.

Many thanks,
Paul

Attachment: Wingate.jpg (86.47 KiB)
rebelldtu
 
Posts: 44
Joined: Mar 31 09 12:04 am

Re: NAT Policy

Post by rebelldtu » Jan 24 12 7:26 am

Hi All,
Sorted this policy, and it works well, by substituting User/Group Check with the Switch Option and using session.clientip and adding IP addresses to Matching Value. Maybe this will be of some use to others?

Cheers

Re: NAT Policy

Post by adrien » Jan 24 12 9:42 am

Hi Paul

The problem with checking username in NAT policy is that the username would have needed to be established by some other mechanism, since there's no auth for NAT.

This can be either

a) credential rules, where you map IP / MAC / computername to an account. MAC / computername not particularly reliable, except on small single subnet LANs, where WinGate is DHCP server.
b) auth to some other service, e.g. web, mail, remote control etc.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: NAT Policy

Post by pacllera » Mar 09 12 7:02 am

Hi all.
I have just read this post and feel it is very similar to what I am searching for.

I want to implement something like a NAT policy in which I can do a time-schedule for my son's favourite Internet online Java-based game (Minecraft) which uses port 25565. Using the above proposed "NAT policy" I could control the times at which my son is allowed to connect to Minecraft servers, BUT... what happens once the connection has been established? How can I CLOSE that established connection at the end of the scheduled allowed time-window?

Do you think a better idea is to use "Transparent Redirection" for intercepting NAT communications on the specified port and schedule like normal proxy traffic? I tried this approach a couple of times and when I intercept port 25565 the game never works. Any ideas here?

Any ideas welcome.
Next 14th my evaluation will expire! ;-)
Congrats for Wingate 7; EXCELLENT!
pacllera
 
Posts: 2
Joined: Mar 09 12 5:30 am

Re: NAT Policy

Post by adrien » Mar 09 12 3:51 pm

Hi

I just added a new variable to Session you will be able to use to specify an expiry time for any session.

In an expression evaluator, or JScript or LuaScript item, you can do e.g.

Session.ExpiryTime = "15:45:00"
or
Session.ExpiryTime = "2012-03-17 02:00:00"

To set a time it must die.

We couldn't really set the time from within the schedule item, since

a) you can have any number of schedule items that the event passes through in a policy
b) the schedule item doesn't know what will be the eventual outcome of the policy evaluation

So this new member allows you to set the expiry explicitly.

I think I will make it so when you set it, it must be in the future, to save issues wrapping around midnight (which would require you to know the date).

Adrien

Re: NAT Policy

Post by pacllera » Mar 09 12 6:32 pm

Hi adrien.
I am IMPRESSED by your FASSST and EFFECTIVE support.
Thank you VERY MUCH!!!

QUESTION-1:
You added that new variable "Session.ExpiryTime", OK, but I wish to know when the next release containing that improvement will be released.

QUESTION-2:
Using Session.ExpiryTime = "15:45:00" will also immediately terminate all sessions initiated after "15:45:00"? Please confirm this point.

SUGGESTION-1:
Perhaps it could be a good idea to implement some kind of "Session.QuotaTime" which provides a daily/weekly, etc. quota time. This way WinGate users could enjoy "Flexible Quota Times" for different services, allowing for example things like: "you are allowed 30 mins per day using port 25565", or, if you implement this idea also for http, you could make possible things like "you are allowed free http navigation 30 minutes per day, no matter when or how many times you connect/disconnect". Once your quota time is consumed, you don't have more quota until next day/week, etc. This way users are provided with "Flexible Quota Times" for different services, so they can use their allowed services' timing freely. I hope you like the idea. In my opinion it could be a great and cool new feature for next versions... forget rigid, fixed and predefined schedules for WinGate users... welcome to "Flexible Quota Times"!!

Congrats again for Wingate!

Re: NAT Policy

Post by adrien » Mar 09 12 7:32 pm

Hi

1. I can send you a link if you like - just send an email to support@qbik.com and we can send you the build that has this feature.

Can also do things like

Session.ExpiryTime += 0.5

where 0.5 is days, this will mean the session will live for 12 hours. 1 minute is 0.0007

2. Confirm this is correct. Probably not that useful, but maybe in some cases.. for instance if you have only a window when the session can be started, then you know what expiry time should work (as long as it's the same day).

3. We have plans for a quota system, it's quite a complicated problem though, being able to define hierarchies of restricted resource etc.

Thanks for your kind comments!

Regards

Adrien
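
Added example (not part of the thread and not WinGate code): a plain JavaScript model of the expiry arithmetic discussed above, covering the fractional-day unit, the QUESTION-2 case where a session starts after a time-only expiry, and the midnight wrap Adrien mentions. The function names and the two policies, "same-day" and "next-future", are assumptions made for illustration; how WinGate itself resolves a time-only value is not shown on this page.

```javascript
// Added illustration: a stand-alone model, not WinGate's implementation.
// All names and both resolution policies are hypothetical.
const SECONDS_PER_DAY = 86400;

// "Session.ExpiryTime += 0.5" uses days as the unit (0.5 = 12 hours).
function minutesToDays(minutes) {
  return minutes / 1440;
}

function daysToSeconds(days) {
  return days * SECONDS_PER_DAY;
}

// Parse "HH:MM:SS" into seconds since midnight, rejecting malformed input.
function parseTimeOfDay(text) {
  const m = /^(\d{2}):(\d{2}):(\d{2})$/.exec(text);
  if (!m) throw new Error("expected HH:MM:SS, got: " + text);
  const [h, min, s] = m.slice(1).map(Number);
  if (h > 23 || min > 59 || s > 59) throw new Error("out of range: " + text);
  return h * 3600 + min * 60 + s;
}

// Lifetime in seconds of a session that starts at startText today and is
// given a time-only expiry.
//   "same-day":    the expiry is today's occurrence; a session started after
//                  it is already expired and gets a lifetime of 0.
//   "next-future": an expiry that is not in the future rolls to tomorrow,
//                  which keeps windows that cross midnight working.
function lifetimeSeconds(startText, expiryText, policy) {
  if (policy !== "same-day" && policy !== "next-future") {
    throw new Error("unknown policy: " + policy);
  }
  const start = parseTimeOfDay(startText);
  let expiry = parseTimeOfDay(expiryText);
  if (policy === "next-future" && expiry <= start) expiry += SECONDS_PER_DAY;
  return Math.max(0, expiry - start);
}

// Constructed sample sessions against the 15:45:00 cut-off from the thread.
for (const start of ["15:00:00", "16:00:00", "23:30:00"]) {
  console.log(start,
    lifetimeSeconds(start, "15:45:00", "same-day"),
    lifetimeSeconds(start, "15:45:00", "next-future"));
}
```

Under "same-day" a session opened after the cut-off ends at once, which is the behaviour confirmed in answer 2; under "next-future" the same session would run until the following day's cut-off, so the allowed start window has to be enforced separately.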

