
Wingate 7 Setup Questions

Feb 09 12 1:02 pm

I'm new to setting up proxies, and also new to using Wingate. So far, I really like Wingate and the features it offers, but I'm having trouble getting it to work the way I need it to.

First, I work in a school that is part of a large district of schools. However, the school I'm in is different in that the students are doing online learning. That means they are on computers all day. Because of that, they do everything they can to go to websites that they shouldn't, such as Facebook, Youtube, Pandora, etc. Most of these sites chew up a lot of bandwidth, which is taken away from the other schools. There is a LightSpeed web filter in place on the network, but that does no good as the students just use proxies to get around the filter. This is why I wanted to put in place a proxy, to only allow them on certain sites.

This brings me to my other point: I have no control over the network. The school I'm in just sort of borrows the network of the district. I've talked with the network engineers, and they have allowed me to install a proxy server, as long as it does not interfere with the current network. The schools run on a complete network: Active Directory, DHCP, DNS, LightSpeed filtering, and each building has its own gateway, which connects to the main gateway in the main office building.

I guess my first question then, is can Wingate run on a network that already has an established gateway, which means the Wingate server cannot be a gateway? I have a static IP address set on the external network card, along with the network's gateway (a Cisco router). The internal NIC is currently set to obtain the information from DHCP. The client computer I am testing with is unable to connect to the internet with this setup (even with using WGIC). So my other question I have is, if running the internal NIC off DHCP is the wrong thing to do, what exactly do I do to set it up right? I still want the clients to get DHCP addresses (there are about 80 total computers, but only around 60 are actually being used at one time), but I would prefer them to go through the Wingate server (I cannot turn on DHCP on the Wingate server).

So, I guess the scenario I'm trying to set up is that the current DHCP stays active, and all the client computers in my school connect through the Wingate server; however, the Wingate server is not the gateway.

I hope that my explanation wasn't too confusing, but I'm just trying to find out if the way I want to set it up is even possible, and let me know if there are any questions. I've already been chewed out about the bandwidth usage, and want to make sure these students stay on task by staying on the websites they are supposed to be on, and not browsing Youtube for 6 hours a day.

Thanks for taking the time to help me out.

- Greg

Re: Wingate 7 Setup Questions

Feb 09 12 2:26 pm

> I guess my first question then, is can Wingate run on a network that already has an established gateway, which means the Wingate server cannot be a gateway?

Yes, that's no problem. Clients can still connect to the WWW proxy in WinGate and make requests out via that without having to have their TCP/IP settings use WinGate as a default gateway.

> if running the internal NIC off DHCP is the wrong thing to do, what exactly do I do to set it up right?

Since the client computers need to be configured to use a proxy, that proxy will normally need to reside at a fixed address. That means DHCP isn't great unless you assign a reservation in your main DHCP server for that NIC. Otherwise set it to use a fixed IP address, and exclude that IP from the pool allocated by your main DHCP server.

How do you have the client (test) computer configured?

Do you need all the buildings to go through WinGate or just some? Depending on the routers in those buildings, they may be able to divert port 80 to WinGate. But that won't catch https, which Facebook mainly uses now anyway.

So in the end, I think you need to get the client computers to be configured to use a proxy, and not use proxy auto detect either.

Since you are on an AD, you can

a) use group policy to force use of a proxy
b) use group policy and application control to force use of a particular browser. This one may depend on the OS of the client.

Adrien

Re: Wingate 7 Setup Questions

Feb 10 12 2:48 am

Thanks for the reply.

> How do you have the client (test) computer configured?

Originally, the test client was on a LAN by itself, which was connected to the internal network of the Wingate server. I gave it a static address, and tried configuring the computer to make a connection to the proxy, and I also tried using WGIC (with the proxy configuration off). I also plugged the test client into the network and configured it, and again, I tried it with WGIC. Unfortunately, the connection timed out for all the methods I tried.

I guess I am still a little confused on what to do with the IP configuration of the internal NIC. I have a static IP address that I can assign for that NIC, but what I am not sure about is the gateway for that NIC. Do I set the gateway as the IP address of the external card, the building's gateway, or just leave it blank? I think that may be where part of my problem lies. I have seen activity on the Wingate server, but the computer is unable to get onto the Internet.

> Do you need all the buildings to go through WinGate or just some?

There is just one building going through Wingate, the one I am working in. I don't have to worry about the other schools/buildings. Also, I was worried about https, as I know many of the web based proxies on the Internet also allow secure connections.

The nice thing about the group policy that is in place right now is that it forces all the students to use Internet Explorer (version 7 on Windows XP machines), as the web site they use for online learning only supports IE. I can have that policy modified to force the use of a proxy.

Again, thanks for the information. Sorry about all the questions, but I'm just trying to wrap my head around all of this, as I was just a tech that was thrown into this position on a last minute decision.

Re: Wingate 7 Setup Questions

Feb 10 12 9:50 am

Hi

Sounds like you probably can't even ping the WinGate server from your test client. This is usually (99.9%) a routing issue.

Routes are uni-directional. The client needs to know how to send a packet to WinGate, and the WinGate server needs to know how to send a packet back to the client. If for instance you have a default gateway set on the internal NIC of WinGate, pointing to a router that doesn't know how to get to your client, then your client will be unavailable to WinGate.

Your different internal networks - they are on different IP subnets? You probably shouldn't have a default gateway on your internal adapter in WinGate - it has a fixed external IP?

In fact I think I need a network diagram to properly advise you on this.

Regards

Adrien

Re: Wingate 7 Setup Questions

Feb 10 12 12:56 pm

Yes, actually, I was able to ping the internal network card, but was unable to ping the external network card. I have a static address of 10.190.162.220 on the external NIC, and I plan to use 10.190.162.221 for the internal NIC, since the computer and both NICs are on the same physical network, which are all on the 255.255.252.0 subnet. I thought that might work, unless I'm wrong.

I can try and work on making a network diagram tomorrow at work, but the problem I'm going to have is the trial period I have of Wingate expires on Monday morning (Eastern Standard Time). Problems at the schools prevented me from being able to work with the software until the last week of the trial, but I'll try and see what can be done with the server before the end of the weekend.

- Greg

Re: Wingate 7 Setup Questions

Feb 10 12 3:14 pm

Hi Greg

If you've only had 1 trial, you should be able to reactivate that trial key.

As for having both NICs in WinGate on the same subnet, I'm not sure there's any point? Normally that creates problems unless both NICs are plugged into the same switch (possibly still even then).

Did you install the Wingate network driver?

Also, can you make a connection to the web proxy in WinGate? The OS firewall may be blocking this if you haven't enabled WinGate on it (or disabled it)

Regards

Adrien
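
An added example, not part of any post in the thread: a small Python check for the addressing problems raised in the replies above (both NICs on one subnet, and default gateways on a multihomed proxy host). The two 10.190.162.x addresses and the mask come from Greg's post; the NIC names, the gateway 10.190.160.1 and the 192.168.50.0/24 alternative are constructed for illustration.

```python
import ipaddress

def lint_multihomed(nics):
    """Return warnings for a multihomed host's static IP plan.

    nics: list of dicts with name, ip, mask and an optional gateway.
    """
    warnings = []
    ifaces = {n["name"]: ipaddress.ip_interface(f'{n["ip"]}/{n["mask"]}')
              for n in nics}
    names = list(ifaces)

    # Overlapping subnets: the host has two on-link routes to the same
    # clients, so a reply can leave by a different NIC than the request used.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = ifaces[a].network, ifaces[b].network
            if na.overlaps(nb):
                warnings.append(f"{a} ({na}) overlaps {b} ({nb})")

    # Only one adapter (normally the external one) should carry the default route.
    with_gw = [n["name"] for n in nics if n.get("gateway")]
    if len(with_gw) > 1:
        warnings.append("default gateway on more than one NIC: " + ", ".join(with_gw))

    # A gateway has to be reachable on the adapter it is configured on.
    for n in nics:
        gw, net = n.get("gateway"), ifaces[n["name"]].network
        if gw and ipaddress.ip_address(gw) not in net:
            warnings.append(f'{n["name"]} gateway {gw} is not on {net}')
    return warnings

# Plan described in the thread; the gateway address is a constructed placeholder.
THREAD_PLAN = [
    {"name": "external", "ip": "10.190.162.220", "mask": "255.255.252.0",
     "gateway": "10.190.160.1"},
    {"name": "internal", "ip": "10.190.162.221", "mask": "255.255.252.0"},
]
# Constructed alternative: internal NIC on its own subnet, no gateway.
SEPARATE_SUBNET = [
    THREAD_PLAN[0],
    {"name": "internal", "ip": "192.168.50.1", "mask": "255.255.255.0"},
]

if __name__ == "__main__":
    for label, plan in (("thread plan", THREAD_PLAN),
                        ("separate subnet", SEPARATE_SUBNET)):
        print(label, "->", lint_multihomed(plan) or "no warnings")
```
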