Hi Adrien,
After migrating a client from version 6.x to 8.1 an issue arrises every morning. Users with privilege are being blocked by the proxy service. The message is: "Wingate has blocked [URL] because rule Default Rule denied access to category unknown". A simple restart of Wingate service solves the problem for all connected PC´s. Those PC´s that are not active during the restart procedure will be blocked when active. A further Wingate restart will solve the issue for users that were not connected initially.
We revised a case in particular with granted access to all websites execpt youtube.com. This PC was blocked the next day to ALL websites. A simple restart solved the problem for the day. I am attaching screenshots for your review.
Thank you
Authenticated Users are blocked every Morning
Moderator: Qbik Staff
4 posts
• Page 1 of 1
Authenticated Users are blocked every Morning
by agubaira » Jul 18 14 3:15 am
- Attachments
-
- AD_group.png (132.85 KiB) Viewed 4340 times
-
- access_rules.png (101.89 KiB) Viewed 4340 times
-
- blocked_message.png (86 KiB) Viewed 4340 times
- agubaira
- Posts: 7
- Joined: Oct 19 13 10:16 am
Re: Authenticated Users are blocked every Morning
by adrien » Jul 18 14 4:32 am
HI
this happens when a system service (such as windows updates) connects to WinGate, then auths as the domain computer account. Then keeps the connections open so that when a user tries to use that computer, WinGate thinks they are still trying to use the computer account which does not match your rules, and so falls through to the default rule.
There are a couple of ways to fix this.
1. Find out which sites the services are going to (e.g. windows update and associated) and whitelist them so that authentication is not required to access those sites.
2. Put in a re-auth rule which checks to see if the user is a member of Domain Computers, and if so force re-auth. This will let users re-establish credentials.
If you do 2, you'll still need to allow computer accounts to access the sites they need.
Adrien
this happens when a system service (such as windows updates) connects to WinGate, then auths as the domain computer account. Then keeps the connections open so that when a user tries to use that computer, WinGate thinks they are still trying to use the computer account which does not match your rules, and so falls through to the default rule.
There are a couple of ways to fix this.
1. Find out which sites the services are going to (e.g. windows update and associated) and whitelist them so that authentication is not required to access those sites.
2. Put in a re-auth rule which checks to see if the user is a member of Domain Computers, and if so force re-auth. This will let users re-establish credentials.
If you do 2, you'll still need to allow computer accounts to access the sites they need.
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
Re: Authenticated Users are blocked every Morning
by agubaira » Jul 18 14 6:18 am
Where do I whitelist the sites ?
- agubaira
- Posts: 7
- Joined: Oct 19 13 10:16 am
Re: Authenticated Users are blocked every Morning
by adrien » Jul 18 14 11:06 am
just add a rule at the top of the web access rules, which grants access to those sites to everybody.
Regards
Adrien
Regards
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
4 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 4 guests