Aug 25 06 4:02 am
Hi,
I've got...
50 x Wingate 6.0 Enterprise License installed on Windows 2000 server.
01 x Windows 2003 Enterprise Terminal Services.
My Wingate setup...
1. All clients connect to a WWW proxy server on port 8080 for internet access.
2. They are authenticated via the Java client for all internet connections.
3. Policies are set up to block certain websites and content at certain times of the day.
4. Clients are allowed to browse certain websites (local net and internet) without having to authenticate.
My goal/problem....
We have started to deploy terminal services for certain clients, and I'm unable to authenticate them via the Java client, and the Wingate client has some limitations.
What I did...
I've added the Terminal Services IP address to the "Multi-user Machines" box.
The problem...
1. When I have a TS session open and I try to connect to the internet via the Wingate 8080 proxy, the Java client opens and I'm asked to authenticate. When I enter my information it accepts it, disconnects me immediately and puts the word "guest" in the username field.
2. If I configure Wingate to authenticate via the Wingate client, then I'm able to connect to the internet successfully after I've authenticated. The problem is the client has to authenticate even if it tries to access the local intranet.
My questions....
1. How can I use the Java client with TS users?
2. How can I use the Wingate client, but allow users access to local resources e.g. intranet without having to authenticate?
Hope you can help,
Adriaan
Aug 25 06 12:30 pm
Hi there
The multi-user machines feature was designed to work with NTLM authentication, since the primary support was for Windows terminal server.
So, as mentioned at the bottom of the multi-user machines helpfile page,
you need to have WinGate set to use the Operating System / Remote user database.
There are two ways that you can auth NTLM clients via the terminal server on your LAN:
1.
Configure IE on the terminal server to use WinGate as its proxy server. This way NTLM auth will only be required when they open the browser and surf the Internet.
This can be further automated by setting IE (Security/Internet zone/custom) to "automatically logon with current username and password".
This way the credentials the user used to log on to the terminal server will be used for NTLM auth.
2.
The WinGate Internet Client (WGIC), when using the multi-user machines option, is a great alternative in this case since you only need to set the "Everyone must be authenticated" policy in one place, the Winsock Redirector Service (WRS) in WinGate.
The WRS with an enterprise license, apart from offering NTLM auth login, also allows you to control which client exe's have access to the Internet through the Central config.
All of this can be found under the WinGate Security model section in the WinGate helpfile.
Regards
Erwin
Aug 25 06 8:19 pm
Hi Erwin,
Thanks for the feedback, but it does not help me much.
I have already 46 users setup on the system via Java authentication. For me to move the 46 users to NTLM authentication so 10 users can have access to Wingate is not really an option.
Taking into account that we have AD installed on site and we are part of the world wide AD of the company that has 10,000 to 15,000 users in the AD, how well is Wingate going to work with that?
We decided in the beginning not to implement NTLM, but rather the built-in DB, so users have a different username/password to access the internet. We did this because users share their Windows usernames and passwords for work purposes, but they do not want to be held liable for sites visited. So now they can log in when they need access to the internet and log off when they are done.
Now, If I use the WGIC, can I do the following...
1. Users do not have to authenticate to access certain sites.
2. Will all my proxy policies still apply, e.g. sites/content that are denied?
3. I guess I'll have to set up port 80 in the transparent proxy field for the above to work?
Hope this makes more sense.
Regards,
Adriaan
Aug 25 06 11:51 pm
Hi Adriaan
The reason that Java auth doesn't work for Terminal Services is because it uses a connection to the Remote Control Service to authenticate, and relies on WinGate assuming that thenceforth anything coming from that IP address is that user. Obviously with Terminal Services and multi-user IP in WinGate that's not the case. So when WinGate gets a connection from a machine marked as multi-user it treats it as an individual connection (rather than inheriting credentials for that IP).
So, in short, you can have some sites that require auth or not. Another option for authentication that is compatible with the WinGate user database is HTTP Basic auth. This doesn't raise the security level to "authenticated" though, just "assumed", so you would need to take this into account in your policies.
Also, we tested WinGate with AD user databases of over 80,000 users. There are some known issues with members of global or universal groups that are also groups.
Adrien
Aug 29 06 9:50 pm
Hi Adrien,
Thanks for the feedback.
I guess the only -real- solution for me with Terminal Services is to use Basic auth, with changed policies.
I have 2 more questions...
1. How do users log off with the WGIC?
2. How do you set up WGIC so it does not ask for authentication for certain HTTP requests? I was not able to find this in the Winsock Redirector Service.
Regards,
Adriaan
Aug 29 06 11:45 pm
Normally with the WinGate client, authentication is taken care of by the Winsock Redirector Service; however in that scenario it doesn't know what URL you are requesting - this is only known by the WWW proxy service.
So if you need to conditionally authenticate based on the URL, you would need to do the authentication in the WWW proxy rather than in the Winsock Redirector Service.
Then allowing some sites to be accessed without authentication would simply be a matter of adding another policy to the WWW proxy which allows unauthenticated access to those sites.
Normally NTLM authentication with WGIC or with the WWW proxy is transparent to the user, however - they can be configured not to be required to enter any username and password (it uses their currently logged in credentials). So whether or not authentication is required would no longer be an issue?
Adrien
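The two points Adrien makes above (that an IP-bound session from the Java client must not be inherited on a multi-user host, and that URL-based exemptions plus Basic auth have to be decided in the WWW proxy with Basic only reaching the "assumed" level) can be shown as a small policy evaluator. This is an added illustration written for this page, not WinGate's code or configuration; the user database, the terminal server address 10.0.0.50, the `.corp.local` intranet suffix and the request URLs are all constructed for the example.

```python
import base64
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample data (hypothetical, not from the thread).
USERS: Dict[str, str] = {"adriaan": "s3cret", "erwin": "pa55"}
MULTI_USER_HOSTS: Set[str] = {"10.0.0.50"}          # the terminal server
NO_AUTH_SUFFIXES: Tuple[str, ...] = (".corp.local",)  # intranet, no auth needed

# IP -> username, populated by the Java-client style login below.
IP_SESSIONS: Dict[str, str] = {}


@dataclass
class Decision:
    action: str            # "allow" or "407"
    user: Optional[str]
    level: str             # "none", "assumed" or "authenticated"
    reason: str


def check_password(user: str, password: str) -> bool:
    return USERS.get(user) == password


def java_client_login(client_ip: str, user: str, password: str) -> bool:
    """Model of the control-connection login: on success the proxy records
    that everything from client_ip is this user from now on."""
    if not check_password(user, password):
        return False
    IP_SESSIONS[client_ip] = user
    return True


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse a 'Proxy-Authorization: Basic <b64(user:pass)>' value."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def host_allowed_unauthenticated(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host.endswith(s) for s in NO_AUTH_SUFFIXES)


def decide(client_ip: str, url: str, proxy_auth: Optional[str] = None,
           multi_user_hosts: Set[str] = MULTI_USER_HOSTS) -> Decision:
    # Policy 1: intranet sites are reachable with no authentication at all.
    if host_allowed_unauthenticated(url):
        return Decision("allow", None, "none", "unauthenticated site policy")
    # Policy 2: inherit the IP-bound session, but never on a multi-user host,
    # where one address is shared by every logged-in terminal-server user.
    if client_ip not in multi_user_hosts and client_ip in IP_SESSIONS:
        return Decision("allow", IP_SESSIONS[client_ip], "authenticated",
                        "IP-bound session")
    # Policy 3: per-request Basic credentials only reach the "assumed" level,
    # so any rule that demands "authenticated" would still reject this user.
    creds = parse_basic(proxy_auth)
    if creds and check_password(*creds):
        return Decision("allow", creds[0], "assumed", "HTTP Basic")
    return Decision("407", None, "none", "Proxy-Authenticate: Basic required")


if __name__ == "__main__":
    java_client_login("10.0.0.50", "adriaan", "s3cret")
    # A second terminal-server user on the same IP must not become "adriaan".
    print(decide("10.0.0.50", "http://www.example.com/"))
    print(decide("10.0.0.50", "http://www.example.com/", multi_user_hosts=set()))
    print(decide("10.0.0.50", "http://www.example.com/",
                 proxy_auth=basic_header("erwin", "pa55")))
    print(decide("10.0.0.50", "http://intranet.corp.local/"))
```

The second `print` shows the inheritance problem from the thread: with the terminal server not marked as multi-user, every later request from 10.0.0.50 is attributed to whoever logged in first. Policy order matters too; the intranet exemption is checked before any credential so that those requests never trigger a 407.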
Aug 30 06 2:14 am
Hi,
So, I need to give "everybody" access to the Winsock Redirector Service and then define port 80 on the sessions page of the proxy server that's listening on port 8080?
What would happen if a client connects to https (port 443) or to another port. Will the WRS still forward the communication to the proxy server?
We do not want to have transparent authentication to the internet. A user needs to enter a username and password before they can access the internet.
How does a user logoff from the WGIC?
Cheers,
Adriaan
Aug 30 06 1:17 pm
Hi
The only ports that will get intercepted are those listed in the sessions tab of a proxy, so if you only add port 80 on the WWW proxy, then it will only get the connections on port 80.
You can't really intercept port 443, since it is encrypted. If you want to limit the sites someone can go to with HTTPS, you'd do that with policy in the Winsock Redirector Service.
As for transparent authentication, I'm not sure I completely understand you. They would still be using a username and password, it's just they wouldn't have to enter it again after logging into windows/your domain. You would still be able to control who can do what in WinGate, but your users wouldn't need to remember another password for WinGate.
As for logging out of WGIC, I think that happens when you log out of Windows; otherwise you can set session timeouts to disconnect the control connection (not really required, since the control session doesn't consume a license). Until they log out of Windows, however, the WGIC will cache their credentials, so they won't be re-prompted to log in again anyway.
Adrien