WinGate Forums

[bztips]

We are long-time Wingate users, and have gotten away with allowing all users on our network to connect as Guests, so we never bothered to set up any User names or Policies. All client activity currently shows up as “Unknown” users. But lately we are getting lots of unknown remote users utilizing our Wingate connection that we would like to prevent.

Details: We have an internal and external network card attached; ENS is set up; internal users do not use WGIC, and do not see any evidence of Wingate when they connect to the internet. We would like to keep it that way.

All we want to do is allow all connections from local (192.168.*.*) clients, and disallow connections from remote clients. It doesn’t sound hard, and I have tried to read the Help files, but nowhere is there a comprehensive set of instructions on how to accomplish this.

I assume we must first assign Users to our internal client machines; that I think I can do using Assumed users (we don’t want internal clients to have to Authenticate). Then my understanding is that we would set some kind of Policy. Is there a way to set a policy so that Unknown users are banned (or not granted any web access)? Or am I missing the boat entirely on how to do this?

Thanks in advance.

[adrien]

Hi

External users can only access your proxy if you bind proxy services to your external interfaces.

So the normal trick to preventing it is to simply only bind to internal. In fact this is the default binding policy on services, so it's likely your external adapter is viewed by WinGate as internal? Check the usage column in the network connections panel.

If you need to allow some external access, you'd need to use policy to discriminate between authorized and unauthorized users, or require authentication.

Regards

Adrien de Croy

[bztips]

No, external is seen as external, and internal is seen as internal. How would I check the binding policies that are active, and which binding policies are the ones I need to look at?

[adrien]

Hi

What sort of activity are these external users doing? Is it web, how do the sessions show up in the Activity Screen?

Most likely the WWW proxy, but I'd also check the SOCKS service if you have one.

Look in the bindings tab, and see if these services are bound to your external interface.

Adrien

p.s. which version of WinGate is this?

[bztips]

OK, you were correct! WWW proxy service was binding to external card, I turned that off and now all seems to be well. Thanks!

[ALainONE]

Hello!

I have just updated our WinGate to version 7 yesterday. And I'm experiencing the same problem of having all my users show as "unknown" on the activity monitor. I have checked my bindings as per the previous emails, but still no luck.

With this, I am not able to authenticate my users and all my access rules are not being implemented, save for those which applies to everyone.

Please help. I am a bit lost with the new interface. I am sure I will get the hang of it in the coming days, but I need my access rules to be implemented as soon as possible.

Thanks in advance!

By the way, I'm using "Windows Users and Groups Connector" as the User Database Connector on Windows Server 2003 R2, which is not connected to the domain.

Best regards,
Alain Garcia

[adrien]

Hi Alain

Users are unknown until they authenticate, or you apply credential rules to assume their identity based on IP etc.

To make someone authenticate, the easiest way is to use web access control rules - set a rule that only allows access to a specific group or user, or Authenticated users.

Regards

Adrien

[ALainONE]

Hello, Adrien!

I have already created web access rules for users and user groups. But all users are still seen as unknown on my activity window. And user's just by-pass my access rules as they are being authenticated as "unknowns".

I have attached a couple of screen captures for your perusal... If you will notice, I have 0 hits on the "Junior User Access" - this is being by-pass by the users and go directly to the "senior user access" and "special user access", which are rules based on time schedule allowing Junior Users to have internet connection. The "Banned" rule is also being by-passed.

Best regards,
Alain

[adrien]

Hi

the only way I could imagine seeing something like that would be if those groups contain "Everyone"...

Can you check the membership of those groups? Especially PROXYSRV03\Users

Also make sure there are auth methods enabled on the www proxy.

Adrien

[adrien]

Hi Alain

unknown is indeed deemed to be a member of Everyone. So if that Users group contains Everyone, then unknown user will match that group already and auth wouldn't be required.

Regards

Adrien

[ALainONE]

Hello, Adrien!

I've doubled checked my user groups, but "everyone" is not on the list. I don't know what happen after the update to WinGate 7. But while I was on WinGate 6, I never had this problem at all. And I had not change anything on my users/user groups. The only thing new on my Proxy Server is the WinGate 7 installation.

I've enabled all Authentication (Negotiate, NTLM, Basic) on the WWW Proxy Server properties. The binding is set on any ip address on any internal adpater.

Is there any report/log I can send you that might help you on determining the problem?

Also, I'm logged in as administrator but I can not change any User Properties on WinGate 7's Users and Groups Control Panel? Here I've noticed that all users are member of "none" (please see attached). This I want to delete but I'm not able to... And I don't have a "None" group or user on my NTLM!

Best regards,
Alain

[adrien]

Hi

We noticed when using the Windows users and groups, the functions in windows to return groups give one called "None", which doesn't show up in the user interface, and which contains all users.

You should be able to see if it contains the user "Everybody" though?

I can have a look at your server remotely if you like.

Regards

Adrien

[ALainONE]

Hello, Adrien!

I have checked all my user groups in my NTLM but did not find "everyone" as member in any of the groups. I don't know where the user "None" is coming from also.

I would be grateful if you can take a look at my server. Can you please email me (Alain.Garcia@Strabag-Oman.com) for the details and software needed to make possible the remote connection.

By the way, we are at GMT +4. What would be the convinient time to set the remote up?

Best regards,
Alain Garcia

[adrien]

Hi

I sent you an email. Let me know if you didn't receive it.

Failing that, send details to support@wingate.com

we normally recommend Teamviewer, which you can obtain from www.teamviewer.com. We'll need the ID and password to connect.

Regards

Adrien

[ALainONE]

Hello, Adrien!

I have sent you an email regarding the connection details for teamviewer. I will await your connection if you still have the time.

Thank you very much!

Best regards,
Alain Garcia

[adrien]

Hi Alain

I'm coming to the conclusion there must be something about your windows install that is effectively making your groups contain everyone.

The only way a user / request can match on a rule, is if the user matches.

we can however explicitly test this with flow-chart policy, since we can test for an explicit group, and see whether it matched or not. In fact I'm sure we could get your policy working with flow-chart policy, since the test for authenticated user seems to work (checks for a SID in the user token of S-1-5-11).

I can test this for you with remote desktop - is that still available?

Regards

Adrien

[ALainONE]

Hello, Adrien!

I've sent you the email for the connection details...

Thanks!

Best regards,
Alain Garcia

[ALainONE]

Hello, Adrien!

Just want to thank you for all the support you have given us! Our WinGate7 now works as it should.

Best regards,
Alain Garcia