Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Wingate / DMZ / LAN configuration issues

Aug 14 06 11:38 pm

Hi
I have got a WinGate Pro on a DMZ and want my users on the LAN to log in or be tracked for their internet usage. The LAN is an NT domain. The DMZ is an NT domain with a trust between them. I can get the LAN database into WinGate, but all users still connect using the guest account and the router IP address. How do I get them using their NT login accounts?

Ian

Aug 15 06 1:18 pm

Hi Ian

I take it the WinGate machine has an IP address to the LAN and one to an Internet router on the DMZ:

LAN>>WinGate>>Router>>Internet

If this is the case then you could set all of your LAN clients to use the LAN IP of WinGate as their Gateway and DNS. This way clients will use NAT on WinGate to send their Internet requests.

There are several ways of authenticating clients using NTLM.
I'll explain one of the easiest, assuming clients are using NAT as described above:

1. Select NTLM auth option in the WWW proxy.
2. Set a policy in the WWW proxy ("User can access services" right)
3. Select the users to be affected on the Recipient tab of the policy, and
4. Select User must be authenticated radio button at the bottom.
5. Set the System policies (default rights) on the General screen of the WWW proxy to "Are ignored" (so that this policy will not be affected by any System policy that may have been set in WinGate).
6. Turn on transparent proxy for port 80 in the WWW proxy\Sessions config in WinGate, and this will catch all NAT requests and force them to be authenticated by the policy set in WWW proxy.

All clients using an NTLM-compatible browser (e.g. IE) will be able to be authenticated via NTLM when they attempt to access the Internet through WinGate. The user credentials that the client is logged into their machine with will be passed to WinGate automatically. If these are not valid with WinGate then they will be prompted to log in.

With the NTLM auth option in WinGate there are several other ways for clients to authenticate themselves, which are all explained in the WinGate helpfile under the WinGate Security Model\Authentication section, so there might be one that suits your needs better.

Hope this helps

Erwin

Aug 16 06 8:30 pm

No

The configuration is as follows:

LAN - Firewall - DMZ - Wingate - router - Internet

The clients' default gateway is the firewall, which is connected to the DMZ. The WinGate server sits on the DMZ and connects to the Internet router.
The clients use the LAN default gateway and are directed to the WinGate through Internet Explorer proxy settings.
Is there another way to force them to connect using NTLM?

Ian

Aug 17 06 12:54 pm

Hi Ian

If all the LAN clients are coming through to the WinGate in your DMZ with the same IP, then that means the gateway they are going through to the DMZ is doing address translation.

In order for all the users to be able to have separate credentials on WinGate from the same IP, this IP (of the gateway) needs to be entered into WinGate as a multi-user IP (on the users tab). Then WinGate will maintain credentials on a per connection basis rather than a per-IP basis.

To then require users to authenticate for web access, the policies in the WWW proxy must require users to be authenticated. For NTLM this means:

1. Enable use of NTLM in the WWW proxy (General tab).
2. On the policies tab, at the bottom choose default policies "are ignored".
3. Add another policy for everyone, and select "users must be authenticated".

Adrien
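
The per-IP versus per-connection distinction Adrien describes, as an added illustration that is not WinGate's own code: a toy proxy that caches an authenticated identity either by source IP or, for addresses marked as multi-user, by (IP, port) connection. The gateway address, user names and the `ToyProxy`/`simulate` helpers are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

# Constructed sample values: the NAT gateway address that every LAN client
# appears to come from, and one domain user behind it.
GATEWAY_IP = "192.0.2.1"
ALICE = "DOMAIN\\alice"


@dataclass
class Request:
    src_ip: str
    src_port: int               # differs per TCP connection after NAT
    credentials: Optional[str]  # identity from an NTLM handshake, or None


class ToyProxy:
    """Hypothetical stand-in for a proxy's cached-credential table."""

    def __init__(self, multi_user_ips: Set[str] = frozenset()):
        self.multi_user_ips = set(multi_user_ips)
        self.table: Dict[Union[str, Tuple[str, int]], str] = {}

    def _key(self, req: Request) -> Union[str, Tuple[str, int]]:
        # Multi-user IP: remember credentials per connection, not per address.
        if req.src_ip in self.multi_user_ips:
            return (req.src_ip, req.src_port)
        return req.src_ip

    def identify(self, req: Request) -> str:
        key = self._key(req)
        if req.credentials is not None:
            self.table[key] = req.credentials
        # No cached identity for this key: the session is treated as guest.
        return self.table.get(key, "guest")


def is_allowed(identity: str) -> bool:
    """'Users must be authenticated' policy: the guest identity is refused."""
    return identity != "guest"


def simulate(gateway_is_multi_user: bool) -> List[str]:
    """Two LAN users share the gateway IP; only the first authenticates."""
    proxy = ToyProxy({GATEWAY_IP} if gateway_is_multi_user else set())
    traffic = [
        Request(GATEWAY_IP, 40001, ALICE),  # alice completes NTLM auth
        Request(GATEWAY_IP, 40002, None),   # bob's new connection, no creds yet
    ]
    return [proxy.identify(r) for r in traffic]


if __name__ == "__main__":
    for mode in (False, True):
        ids = simulate(mode)
        print(f"multi-user={mode}: {ids}, second user allowed={is_allowed(ids[1])}")
```

With per-IP tracking the second, unauthenticated connection inherits the first user's identity: its usage is logged against that user and the "must be authenticated" policy lets it through. Marking the gateway as a multi-user IP keys the cache per connection, so the second connection is seen as guest and has to authenticate itself.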

Aug 17 06 11:37 pm

Where exactly do I need to enter this multi-user IP address, as I cannot find it? I am using WinGate 6.1.4 and a WinGate Pro licence. Is it under the assumed users?

Aug 18 06 10:54 pm

Multi-User IP is available with the Enterprise license.
https://commerce.qbik.com/wingate-licensing.php

If you would like to evaluate it, then activate a trial license; it can coexist with your other license. If the trial license has expired, then please send in the trial id that is returned by the Activation server, then we can extend it for you.

If you decide you need that feature, then you can consider upgrading your license online: navigate to https://commerce.qbik.com/purchase.php and select "Renewals / Upgrades" at the bottom of the page, and then enter your license key and license name to see what upgrade paths are available.

Aug 30 06 3:55 am

OK, I have the trial licence.

The problem I have now is that when I change the WWW proxy service to authenticate the domain users group or a user, it asks for a user name, password and domain. This is fine, but the only one that works is the local WinGate machine password (WinGate server on DMZ). This then authenticates me as administrator, but the local administrator. Any ideas, as I believe we are close to a solution.
Regards
Ian

Aug 31 06 2:44 pm

Can you check what account the Qbik WinGate engine is logging on as in the Windows Services? Does it have access to the domain user database?

Sep 01 06 5:08 am

Problem was the WinGate Firewall. Turned it off and, presto, it started logging the users. Problem now is I have a BB connection with IP 192.168.1.115 and my default gateway on the WinGate server is 192.168.1.113. I cannot change the default gateway for other reasons. Is there a way to redirect all port 80 traffic out 192.168.1.115?

Sep 03 06 2:09 pm

Answered here: http://forums.qbik.com/viewtopic.php?p=24179#24179