SSL 443 error without proxy


Postby Suporte Casillo » Nov 04 05 6:52 am

I tried to find some info on the forum but couldn't actually find something that can help me solve this.

The network has 50 machines and everything is working OK.

The WinGate is working like this:

- intercepting port 80 on the WWW proxy (which is set to port 8080);
- intercepting port 110 on the POP3 proxy;
- SMTP server is intercepting port 25 and using a gateway to send the e-mail out;
- NAT is NOT active;
- Users may be unknown. All rules apply to everybody, so authentication isn't required.

With this configuration the machines are working perfectly and for the users the internet configuration is transparent, like they're using it at home.


However, the SSL connections aren't working well.

The HTTPS in the WWW Proxy is set to "Allow ANY port..." like I've seen in the posts, but...

- if I use Internet Explorer without any changes the SSL pages won't load;

- if I change IE to use the proxy server on 10.x.x.x (WinGate machine) and port 8080 the SSL sites WORK OK;


I would like to make it work without the need to change the IE to use the proxy server, something like the interception that is happening on port 80 for the regular web access.

Any ideas or links to a possible help?
Suporte Casillo
 
Posts: 7
Joined: Nov 04 05 6:04 am
Location: Brazil

Postby adrien » Nov 04 05 8:11 am

Hi

You can't intercept SSL connections into any proxy, since these are encrypted, and have end to end security measures that would be broken if they were intercepted.

Since you don't want to modify the client machine settings to configure them to use a proxy for SSL connections, there is only really one alternative, and that is to enable NAT on the server, so that for SSL, the connections can be made directly to the sites.

Otherwise you could try auto-proxy detection on the client machines, which requires that "automatically detect settings" is enabled on the LAN settings in Internet Explorer, AND that the LAN machines are also using WinGate as a DNS server. If they aren't using WinGate as a DNS server, your main DNS server needs to serve a record called "WPAD", and resolve it to the IP address of the WinGate machine.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
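
What the WPAD lookup described in the reply above delivers to the browser is a proxy auto-config (PAC) script. The following is an added example, not part of the thread and not the file WinGate itself serves: a hand-written PAC script for this setup, where the proxy host name and the direct-access suffix are placeholders (the thread elides the real address as 10.x.x.x) and port 8080 is the WWW proxy port from the first post.

```javascript
// Added example PAC logic (the script a browser fetches as wpad.dat after
// resolving the "WPAD" name). Written in old-style JS because PAC engines
// are conservative. PROXY_HOST and DIRECT_SUFFIXES are hypothetical values.
var PROXY_HOST = "wingate.example.lan"; // placeholder for the WinGate machine
var PROXY_PORT = 8080;                  // WWW proxy port given in the thread
var PROXY = "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
var DIRECT_SUFFIXES = [".example.lan"]; // constructed internal DNS suffix

function isPlain(host) {
  // Single-label names (no dot) are treated as intranet hosts.
  return host.indexOf(".") === -1;
}

function endsWith(host, suffix) {
  var i = host.length - suffix.length;
  return i >= 0 && host.indexOf(suffix, i) === i;
}

function isPrivateLiteral(host) {
  // Matches loopback and RFC 1918 IPv4 literals only; does no DNS lookups.
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal hosts (including the proxy machine itself) are reached directly.
  if (isPlain(host) || isPrivateLiteral(host)) return "DIRECT";
  for (var i = 0; i < DIRECT_SUFFIXES.length; i++) {
    if (endsWith(host, DIRECT_SUFFIXES[i])) return "DIRECT";
  }
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // https:// is sent to the proxy as a CONNECT tunnel: the proxy sees the
  // host and port, while the TLS session stays end to end with the site.
  // No "; DIRECT" fallback is listed, so web traffic cannot silently
  // bypass the proxy when it is unreachable.
  if (scheme === "http" || scheme === "https") return PROXY;
  return "DIRECT";
}
```

Because clients trust whatever answers for the WPAD name, that DNS record should exist only on the DNS server the LAN machines actually use and point only at the proxy machine.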

Postby Suporte Casillo » Nov 04 05 11:48 pm

The WG machine is not the primary DNS server as you said, but I decided to try the WPAD host name with the auto detection and it worked, so I'm sticking with this idea.

I don't wanna activate NAT because (if I'm not wrong) the ban list won't work with it.

If I run into any problems I can always switch to the proxy option.

Thx for the reply.
Suporte Casillo
 
Posts: 7
Joined: Nov 04 05 6:04 am
Location: Brazil

Postby adrien » Nov 05 05 9:21 am

Hi

If you use interception in the proxy, then whether they are using NAT, or the WinGate client, or SOCKS, or proxy connection to the WWW proxy, then the ban list will still be applied.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

