Hi
I have got a wingate pro on a DMZ and want my users on the LAN to login or be tracked for their internet usage. The LAN is an nt domain. The DMZ is a nt domain with a trust between them. I can get the LAN database into wingate but all users still connect using the guest account and the router ip address. How do I get them using their nt login accounts?
Ian
Wingate / DMZ / LAN configuration issues
Moderator: Qbik Staff
10 posts
• Page 1 of 1
Wingate / DMZ / LAN configuration issues
by ifenton » Aug 14 06 11:38 pm
- ifenton
- Posts: 13
- Joined: Jul 13 06 1:24 am
- Location: Ireland
by erwin » Aug 15 06 1:18 pm
Hi Ian
I take it the WinGate machine has an IP address to the LAN and one to an Internet router on the DMZ
LAN>>WinGate>>Router>>Internet
If this is the case then you could set all of your LAN clients to use the LAN IP of WinGate as their Gateway and DNS. This way clients will use NAT on WinGate to send their Internet requests.
There are several ways of authenticating clients using NTLM
I'll explain one of the easiest, assuming clients are using NAT described above
1. Select NTLM auth option in the WWW proxy.
2. Set a policy in the WWW proxy ("User can access services" right)
3. Select the users to be affected on the Recipient tab of the policy, and
4. Select User must be authenticated radio button at the bottom.
5. Select the System policies (default rights ) on the General screen of the WWW proxy to Are ignored (so that this policy will not be affected by any System policy that may have been set in WinGate).
6. Turn on transparent proxy for port 80 in the WWW proxy\Sessions config in WinGate, and this will catch all NAT requests and force them to be authenticated by the policy set in WWW proxy.
All clients using an NTLM compatible browser (eg IE) will be able to be authenticated via NTLM, when they attempt to access the Internet through WinGate. The user credentials that the client is logged into their machine will be passed to WinGate automatically. If these are not valid with WinGate then they will be prompted to log in.
With NTLM auth option in WinGate there are several other ways for clients to authenticate themselves which are all explained in the WinGate helpfile, under the WinGate Security Model\Authentication section, so there might be one that suits your needs better.
Hope this helps
Erwin
I take it the WinGate machine has an IP address to the LAN and one to an Internet router on the DMZ
LAN>>WinGate>>Router>>Internet
If this is the case then you could set all of your LAN clients to use the LAN IP of WinGate as their Gateway and DNS. This way clients will use NAT on WinGate to send their Internet requests.
There are several ways of authenticating clients using NTLM
I'll explain one of the easiest, assuming clients are using NAT described above
1. Select NTLM auth option in the WWW proxy.
2. Set a policy in the WWW proxy ("User can access services" right)
3. Select the users to be affected on the Recipient tab of the policy, and
4. Select User must be authenticated radio button at the bottom.
5. Select the System policies (default rights ) on the General screen of the WWW proxy to Are ignored (so that this policy will not be affected by any System policy that may have been set in WinGate).
6. Turn on transparent proxy for port 80 in the WWW proxy\Sessions config in WinGate, and this will catch all NAT requests and force them to be authenticated by the policy set in WWW proxy.
All clients using an NTLM compatible browser (eg IE) will be able to be authenticated via NTLM, when they attempt to access the Internet through WinGate. The user credentials that the client is logged into their machine will be passed to WinGate automatically. If these are not valid with WinGate then they will be prompted to log in.
With NTLM auth option in WinGate there are several other ways for clients to authenticate themselves which are all explained in the WinGate helpfile, under the WinGate Security Model\Authentication section, so there might be one that suits your needs better.
Hope this helps
Erwin
- erwin
- Qbik Staff
- Posts: 408
- Joined: Sep 03 03 2:54 pm
by ifenton » Aug 16 06 8:30 pm
No
The configuration is as follows
LAN - Firewall - DMZ - Wingate - router - Internet
The clients default gateway is the firewall which is connected to the DMZ. The Wingate server sits on the DMZ and connects to the Internet router.
The clients use the LAN default gateway and are directed to the Wingate through internet explorer proxy settings.
Is there another way to force them to connect using NTLM?
Ian
The configuration is as follows
LAN - Firewall - DMZ - Wingate - router - Internet
The clients default gateway is the firewall which is connected to the DMZ. The Wingate server sits on the DMZ and connects to the Internet router.
The clients use the LAN default gateway and are directed to the Wingate through internet explorer proxy settings.
Is there another way to force them to connect using NTLM?
Ian
- ifenton
- Posts: 13
- Joined: Jul 13 06 1:24 am
- Location: Ireland
by adrien » Aug 17 06 12:54 pm
Hi Ian
If all the LAN clients are coming through to the WinGate in your DMZ with the same IP, then that means the gateway they are going through to the DMZ is doing address translation.
In order for all the users to be able to have separate credentials on WinGate from the same IP, this IP (of the gateway) needs to be entered into WinGate as a multi-user IP (on the users tab). Then WinGate will maintain credentials on a per connection basis rather than a per-IP basis.
To then require users to authenticate for web access, the policies in the WWW proxy must require users to be authenticated. For NTLM this means
1. Enable use of NTLM in the WWW proxy (General tab).
2. On the policies tab, at the bottom choose default policies "are ignored"
3. Add another policy for everyone, and select "users must be authenticated".
Adrien
If all the LAN clients are coming through to the WinGate in your DMZ with the same IP, then that means the gateway they are going through to the DMZ is doing address translation.
In order for all the users to be able to have separate credentials on WinGate from the same IP, this IP (of the gateway) needs to be entered into WinGate as a multi-user IP (on the users tab). Then WinGate will maintain credentials on a per connection basis rather than a per-IP basis.
To then require users to authenticate for web access, the policies in the WWW proxy must require users to be authenticated. For NTLM this means
1. Enable use of NTLM in the WWW proxy (General tab).
2. On the policies tab, at the bottom choose default policies "are ignored"
3. Add another policy for everyone, and select "users must be authenticated".
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
by jamesc » Aug 18 06 10:54 pm
Multi-User IP is available with the Enterprise license.
https://commerce.qbik.com/wingate-licensing.php
If you would like to evaluate it, then activate a trial license; it can coexist with your other license. If the trial license has expired, then please send in the trial id that is returned by the Activation server, then we can extend it for you.
If you decide you need that feature, then you can consider upgrading your license online, navigate to https://commerce.qbik.com/purchase.php and select "Renewals / Upgrades" at the bottom of the page, and then enter your license key and license name to see what upgrade paths are available.
https://commerce.qbik.com/wingate-licensing.php
If you would like to evaluate it, then activate a trial license; it can coexist with your other license. If the trial license has expired, then please send in the trial id that is returned by the Activation server, then we can extend it for you.
If you decide you need that feature, then you can consider upgrading your license online, navigate to https://commerce.qbik.com/purchase.php and select "Renewals / Upgrades" at the bottom of the page, and then enter your license key and license name to see what upgrade paths are available.
- jamesc
- Qbik Staff
- Posts: 928
- Joined: Apr 04 05 2:04 pm
- Location: Auckland, New Zealand
by ifenton » Aug 30 06 3:55 am
OK I have the trial licence
The problem I have now is that when I access change wwwproxy service to authenticate
the domain users group or a user. It asks for a user name and password and domain. This is fine but the only one that works is the local wingate machine password (wingate server on dmz). This then authenticates me as administrator but the local administrator. Any ideas as I believe we are close to a solution.
Regards
Ian
The problem I have now is that when I access change wwwproxy service to authenticate
the domain users group or a user. It asks for a user name and password and domain. This is fine but the only one that works is the local wingate machine password (wingate server on dmz). This then authenticates me as administrator but the local administrator. Any ideas as I believe we are close to a solution.
Regards
Ian
- ifenton
- Posts: 13
- Joined: Jul 13 06 1:24 am
- Location: Ireland
by ifenton » Sep 01 06 5:08 am
Problem was the Wingate Firewall. Turned it off and presto started logging the users. Problem now is I have a BB connection ip 192.168.1.115 and my default gateway on the wingate server is 192.168.1.113. I cannot change the default gateway for other reasons. Is there a way to redirect all port 80 traffic out 192.168.1.115?
- ifenton
- Posts: 13
- Joined: Jul 13 06 1:24 am
- Location: Ireland
by ImmediateAction » Sep 03 06 2:09 pm
answered here: http://forums.qbik.com/viewtopic.php?p=24179#24179
Every ordinary person is responsible for the rise and fall of his country. - Chinese proverb
- ImmediateAction
- Posts: 58
- Joined: Apr 23 05 11:42 am
10 posts
• Page 1 of 1
Who is online
Users browsing this forum: Google [Bot] and 28 guests