I am using NAT for client access and I can't block Messenger


Postby joelsito » Jun 29 06 2:57 am

I am using NAT for client access to the Internet, I don't use the WinGate Client, and the policies are not blocking programs like Messenger, Yahoo Messenger and others.

How do I block these programs?
joelsito
 
Posts: 5
Joined: Jun 24 05 1:02 am

Re: I am using NAT for client access and I can't block Messenger

Postby Nev » Jun 29 06 9:49 pm

joelsito wrote: I am using NAT for client access to the Internet, I don't use the WinGate Client, and the policies are not blocking programs like Messenger, Yahoo Messenger and others.

How do I block these programs?


Hi,

Wonder if this could work.

1. Enable T/R [Transparent Redirection] for the WWW proxy service by intercepting requests on port 80.

2. For Policies in the WWW proxy set the System rights to 'MUST also be granted'.

3. Set the WWW Proxy Policies for the 'Everyone' group to at least Must Be Assumed.

4. In the System Policies for the 'Everyone' group, try adding a ban on the web servers that the clients will connect to; from memory something like 'not http url contains yahoo' could be one. Some IP addresses may also need to be added.

5. If you ban some IP addresses, it could be useful to enable the System Rights 'MUST also be granted' for the Extended Networking Service.

From memory, if the initial few web servers these clients connect to are banned, users can tend to give up, unless the service can find another combination of port/server to access, and then you have to try again. ;-(

Report back, I'd be interested to know if this helps.
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby joelsito » Nov 04 06 8:19 am

Thanks for the help; those settings work, only restrict the port.

Thanks
joelsito
 
Posts: 5
Joined: Jun 24 05 1:02 am

Postby jamesc » Nov 04 06 2:10 pm

Sounds like Nev has sorted you out; here is a reference for others too. In the WWW Proxy you can use the following to block Yahoo / MSN Messenger in the Advanced tab:

Filter 1
This criterion is NOT met if HTTP Resource Contains gateway.dll
This criterion is NOT met if HTTP URL Contains login.yahoo.com

BAN List tab as an alternative to the Advanced tab:
This criterion is met if HTTP URL Contains gateway.dll
This criterion is met if HTTP URL Contains login.yahoo.com


FYI: When using NAT, you need to deny the following in the Port Security section of WinGate’s Extended Networking Service (ENS, aka the driver).
LAN Connections to the Internet.
Yahoo Messenger = Deny TCP Port 5050
MSN Messenger = Deny TCP Port 1863
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby Deju » Nov 09 06 9:36 am

jamesc,

And is it possible to restrict Yahoo Messenger, or another application (using ip:port), only for one user or a group of users? Certainly, they are working by NAT (not by Proxy).
Deju
 
Posts: 21
Joined: Jun 07 06 10:06 pm
Location: Russia, Moscow

Postby jamesc » Nov 09 06 5:20 pm

Hi Deju,

I find it a bit challenging to interpret your post, so if you need an example, please explain your desired result in more detail. But from what I can interpret:

Yes you can; the only problem is that there are multiple ways to do it, and hence it can be dependent on what other policies exist in your WinGate setup, what connection methods your LAN clients are set up for and whether you authenticate your users.


And when you are dealing with policies for NAT there are a few considerations to be made like:

1. NAT does not have a way to authenticate a user; authentication will need to be done some way so that any User / Group policies in ENS will be applied.

2. If you have servers on your network that are accessible from clients on the internet (e.g. web server / RDP / VNC etc...), then those internet clients will connect to WinGate as Guests unless you authenticate them first (which is not practical in some cases). So you may need to create a policy for the Guest user in ENS and put a policy in the Advanced tab that your local network users cannot use the Guest account; i.e. This criterion is NOT met if Client IP address Begins with 192.168.0.* (Presuming your LAN Clients are on that Subnet)

3. You can create policies in ENS to allow connections to server ports 1863 / 5050 for certain groups / users if needed.


And like all policies, the policy with the most access will override the policy with the least access. So policies need to be planned; you will also want to consider how each Service / Server in WinGate integrates with the Default Rights (System Policies).

"Are Ignored" = Do not check the policies in the Default Rights (System Policies)

"May be used instead" = If the e.g. WWW Proxy Denies access to the request, then check if the System Policies allow it; if it does, grant the user access.

"Must also be granted" = If the e.g. WWW Proxy allows the request, then it must also be allowed in the System Policies.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand
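The WWW Proxy filter rules jamesc listed earlier (HTTP Resource contains gateway.dll, HTTP URL contains login.yahoo.com) and the three Default Rights integration settings explained above, modelled as an added example. This is not WinGate code and not from anyone in the thread; it assumes a simplified request object, uses the ban-list criteria as the WWW Proxy decision, uses Nev's 'not http url contains yahoo' as the System Policies decision, and assumes the service result is computed first and then combined. All sample requests are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    """Simplified view of a proxied request (assumption: only URL and resource path matter)."""
    client_ip: str
    url: str       # full request URL, e.g. http://login.yahoo.com/config/login
    resource: str  # resource path, e.g. /gateway/gateway.dll


# WWW Proxy BAN List criteria from jamesc's post: a request matching any of them is banned.
BAN_LIST = (
    ("resource", "gateway.dll"),
    ("url", "login.yahoo.com"),
)


def www_proxy_allows(req: HttpRequest) -> bool:
    """Service-level decision: deny when any ban-list criterion is met."""
    return not any(needle in getattr(req, attr).lower() for attr, needle in BAN_LIST)


def system_policy_allows(req: HttpRequest) -> bool:
    """Default Rights (System Policies) for Everyone, using Nev's
    'not http url contains yahoo' ban as the constructed rule."""
    return "yahoo" not in req.url.lower()


MODES = ("Are Ignored", "May be used instead", "Must also be granted")


def combine(service_allows: bool, system_allows: bool, mode: str) -> bool:
    """Combine a service decision with the System Policies under one of the
    three Default Rights settings described in the thread."""
    if mode == "Are Ignored":           # the service decides alone
        return service_allows
    if mode == "May be used instead":   # a service deny can be overridden by a system allow
        return service_allows or system_allows
    if mode == "Must also be granted":  # both layers must allow the request
        return service_allows and system_allows
    raise ValueError(f"unknown Default Rights mode: {mode!r}")


def decide(req: HttpRequest, mode: str) -> bool:
    return combine(www_proxy_allows(req), system_policy_allows(req), mode)


def decide_all(req: HttpRequest) -> dict:
    """Decision under each mode, to see which setting quietly re-opens a block."""
    return {mode: decide(req, mode) for mode in MODES}


# Constructed sample traffic (hostnames are placeholders, not real service addresses).
MSN_LOGIN = HttpRequest("192.168.0.10", "http://gateway.example.net/gateway/gateway.dll", "/gateway/gateway.dll")
YAHOO_LOGIN = HttpRequest("192.168.0.10", "http://login.yahoo.com/config/login", "/config/login")
PLAIN_WEB = HttpRequest("192.168.0.10", "http://www.example.com/index.html", "/index.html")

if __name__ == "__main__":
    for name, req in (("MSN", MSN_LOGIN), ("Yahoo", YAHOO_LOGIN), ("web", PLAIN_WEB)):
        print(name, decide_all(req))
```

The MSN case is the one worth checking: the System Policies say nothing about gateway.dll, so under "May be used instead" the proxy's deny is overridden and the request goes through, which is jamesc's point that the policy with the most access wins. That is also why Nev's step 2 sets the WWW Proxy to "Must also be granted": the ban then has to pass both layers.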

Postby Deju » Nov 09 06 7:37 pm

jamesc ,

Clients are working by NAT+Proxy with the Internet; users are assigned by IP, the ENS policy is "Are Ignored", and a group of users is inserted to permit working with Internet ports 25, 110, 21, 80. I want to restrict some users from accessing Internet ports 25, 110! How can I do it? (without SMTP proxy and POP3 proxy; they are stopped).
Deju
 
Posts: 21
Joined: Jun 07 06 10:06 pm
Location: Russia, Moscow

Postby jamesc » Nov 09 06 8:21 pm

My interpretation:
1. NAT and Proxy connection method only.
2. You have set up the "Assumed by IP address" authentication method for your users, and the authentication level in the ENS policies is / will be set to "User may be assumed".
3. The first group needs access to server ports 21 / 25 / 80 / 110.
4. The second group needs access to server ports 25 / 110.

Suggestion:
Create two groups in WinGate: Group 1 = Web, Group 2 = Email.
Add the users with the required access to each group.

Add the Web group into the ENS policies and then navigate to the Advanced tab.
Filter 1
This criterion is met if Server Port equals 21
Filter 2
This criterion is met if Server Port equals 25
Filter 3
This criterion is met if Server Port equals 80
Filter 4
This criterion is met if Server Port equals 110

Add the Email group into the ENS policies and then navigate to the Advanced tab.

Filter 1
This criterion is met if Server Port equals 25
Filter 2
This criterion is met if Server Port equals 110


*Since you are only using NAT and Proxy, I would recommend stopping the Winsock Redirector Service so a cheeky LAN Client does not install the WinGate Internet Client and bypass those policies.

**If you are not using WinGate’s email server then stop them as well.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand
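The ENS layout jamesc suggests (users assumed by IP address, a Web group and an Email group each with "Server Port equals N" filters), modelled as an added example; it is not WinGate code and not from anyone in the thread. It assumes that a client IP with no assumed user is treated as Guest with no ports granted, and that a user in several groups gets the union of their filters, following jamesc's rule that the policy with the most access wins. The IP-to-user table and group membership are constructed.

```python
from typing import Dict, FrozenSet, List

# Constructed "Assumed by IP address" table: LAN client IP -> WinGate user.
ASSUMED_BY_IP: Dict[str, str] = {
    "192.168.0.10": "alice",
    "192.168.0.11": "bob",
    "192.168.0.12": "carol",
}

# Group membership as suggested in the thread (carol in both groups is constructed).
GROUP_MEMBERS: Dict[str, FrozenSet[str]] = {
    "Web": frozenset({"alice", "carol"}),
    "Email": frozenset({"bob", "carol"}),
}

# ENS Advanced-tab filters per group: "This criterion is met if Server Port equals N".
GROUP_SERVER_PORTS: Dict[str, FrozenSet[int]] = {
    "Web": frozenset({21, 25, 80, 110}),
    "Email": frozenset({25, 110}),
    "Guest": frozenset(),  # assumption: clients not matched by IP get no outbound ports
}


def identify(client_ip: str) -> str:
    """NAT cannot authenticate, so the user is assumed from the IP; unknown IPs are Guest."""
    return ASSUMED_BY_IP.get(client_ip, "Guest")


def groups_of(user: str) -> List[str]:
    if user == "Guest":
        return ["Guest"]
    return [g for g, members in GROUP_MEMBERS.items() if user in members]


def effective_ports(user: str) -> FrozenSet[int]:
    """Union of every group allow-list: the policy granting the most access wins."""
    ports: set = set()
    for group in groups_of(user):
        ports |= GROUP_SERVER_PORTS[group]
    return frozenset(ports)


def ens_allows(client_ip: str, server_port: int) -> bool:
    """Would ENS pass a NAT connection from this client to this server port?"""
    return server_port in effective_ports(identify(client_ip))


def audit(server_port: int) -> Dict[str, bool]:
    """Which known LAN clients may reach a given server port; useful for reviewing the policy."""
    return {ip: ens_allows(ip, server_port) for ip in ASSUMED_BY_IP}


if __name__ == "__main__":
    for port in (21, 25, 80, 110, 1863, 5050):
        print(port, audit(port))
```

Because the allow-lists are unioned, a port is reachable for a user as soon as any of their groups grants it. For Deju's goal of keeping some users off ports 25 and 110, those ports must not appear in the filters of any group those users belong to; adding a more restrictive group on top does nothing.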

Postby Deju » Nov 09 06 8:49 pm

jamesc, thanx!!!

*Since you are only using NAT and Proxy, I would recommend stopping the Winsock Redirector Service so a cheeky LAN Client does not install the WinGate Internet Client and bypass those policies.

**If you are not using WinGate’s email server then stop them as well.


I have already done it, thank you!
Deju
 
Posts: 21
Joined: Jun 07 06 10:06 pm
Location: Russia, Moscow

