WinGate Forums

[chloh]

Hi, am using WinGate 8.0.5. I did these:
1. Enabled the "Web: Force proxy" policy
2. Set WWW Proxy to intercept port 443.

Now clients will see the reject page if they do not use proxy when accessing HTTP sites.
But they can still access HTTPS sites without proxy, reject page won't be shown.

What am I missing? Thanks.

[MattP]

Hi,

Did you enable the Web: Request handler policy as well? The Web: Force proxy policy is called from the Web: Request handler policy so they both need to be enabled.

Matt

[chloh]

Thanks, after I enable "Web: Request handler", clients can connect to both HTTP and HTTPS without proxy and without seeing the reject page. What am I doing wrong?

Policy.jpg (119.87 KiB) Viewed 6275 times

Web-Force proxy.jpg (33.19 KiB) Viewed 6275 times

Web-Request handler.jpg (47.88 KiB) Viewed 6275 times

[adrien]

Hi

when the client is accessing the web, does anything show up for that client in the WinGate activity screen?

If not, then the clients aren't even going via the proxy. Depending on your network layout, if for instance you only have 1 LAN card on the proxy, and the clients are not FORCED to go via the proxy, then you may need to do things like banning port 80 / 443 on your external router for all internal IPs except the proxy. Then the proxy will be the only way to the net.

For connection interception to work, the WinGate Network driver is required which is installed by default, but if you unselected that option, or unchecked the WinGate Network Driver entry in the network adapter properties that would prevent it working,

Finally, it's possible for a browser to specify a proxy for http, but not https. So the browser will try to connect directly for https. To stop this, you can block port 443 in the Extended Networking > Port security section under "LAN connections to the Internet / TCP". So in this case,

* http will be intercepted to the proxy and denied with a message about using the proxy.
* https will be blocked unless the client connects to the proxy
* only the proxy can access the net

Regards

Adrien

[chloh]

when the client is accessing the web, does anything show up for that client in the WinGate activity screen?

If not, then the clients aren't even going via the proxy. Depending on your network layout, if for instance you only have 1 LAN card on the proxy, and the clients are not FORCED to go via the proxy, then you may need to do things like banning port 80 / 443 on your external router for all internal IPs except the proxy. Then the proxy will be the only way to the net.

Yes, the Activity screen shows their connections. For clients not using proxy, "http: Intercepted connection to <IP>" are shown.

For connection interception to work, the WinGate Network driver is required which is installed by default, but if you unselected that option, or unchecked the WinGate Network Driver entry in the network adapter properties that would prevent it working,

"WinGate Network driver" is installed and enabled in both network cards.

Finally, it's possible for a browser to specify a proxy for http, but not https. So the browser will try to connect directly for https.

That's exactly what I want to prevent clients from doing :), hence this question of how to force proxy HTTPS.

To stop this, you can block port 443 in the Extended Networking > Port security section under "LAN connections to the Internet / TCP". So in this case,
* http will be intercepted to the proxy and denied with a message about using the proxy.
* https will be blocked unless the client connects to the proxy
* only the proxy can access the net

OK, blocking through Extended Networking is working, not good enough though, since browser will wait until timeout without a proper reject page.

I wonder why the "Web: Force proxy" policy is not intercepting port 443. I have already added 443 in "WWW Proxy Server" properties, and Extended Networking has this entry in "LAN connections to Internet":

Code: Select all

Action: Redirect
Port: 443
Description: Intercepted by WWW Proxy


[adrien]

Hi

you can't really do a proper reject page when it's intercepted https.

That's because the client is expecting to talk SSL/TLS to an end server. To send an http error response would require WinGate to set up a spoofed TLS/SSL connection with the client first. This would result in certificate warnings if the client was not configured to trust the proxy https inspection signer certificate.

Normally clients don't go straight to https sites though. If they are going to mess with their config to try to get around security, should they really be surprised when nothing works?

We find in a company, when it's employees using the system, if they do bad things, it's maybe more useful to resolve that not technically, but as part of the employment relationship.

Adrien

[chloh]

Hi

you can't really do a proper reject page when it's intercepted https.

That's because the client is expecting to talk SSL/TLS to an end server. To send an http error response would require WinGate to set up a spoofed TLS/SSL connection with the client first. This would result in certificate warnings if the client was not configured to trust the proxy https inspection signer certificate.

Normally clients don't go straight to https sites though. If they are going to mess with their config to try to get around security, should they really be surprised when nothing works?

We find in a company, when it's employees using the system, if they do bad things, it's maybe more useful to resolve that not technically, but as part of the employment relationship.

Adrien

Thanks, I guess blocking through Extended Networking is the only way for our Pro version!